BRAINTRACE

THREAT ADVISORY REPORT

JULY 15, 2021

TABLE OF CONTENTS
BACKGROUND ...... 2
WESTERN DIGITAL USERS HIT BY ANOTHER ZERO-DAY EXPLOIT ...... 2
RANSOMWARE GANG HADES EXPANDS ITS VICTIMS ...... 2
KASEYA WARNS OF FAKE SECURITY UPDATES ...... 3
SAGE X3 VULNERABILITIES COULD IMPACT MANY ORGANIZATIONS SEVERELY ...... 4
TRICKBOT RECEIVES MAN-IN-THE-BROWSER (MITB) CAPABILITIES WHICH COULD LEAD TO A WAVE OF BANKING FRAUD ATTACKS ...... 5
UPDATE POWERSHELL TO PREVENT ATTACK ...... 5
HACKERS NOW USE BENIGN OFFICE DOCUMENTS TO DYNAMICALLY DOWNLOAD AND CREATE MACROS IN EXCEL FILES AND DISABLE MACRO SECURITY WARNINGS ...... 6
WAGO DEVICES OPEN THE DOOR TO REMOTE ATTACK ...... 6
MICROSOFT FAILS TO MITIGATE PRINTNIGHTMARE RCE WITH PATCH ...... 7
NORTH KOREAN APT TARGETING JOB SEEKERS WITH MALWARE ...... 8
SONICWALL’S NETWORK SECURITY MANAGER PATCHES COMMAND INJECTION VULNERABILITY ...... 8
NINE ANDROID APPS CAUGHT HARVESTING USERS' FACEBOOK CREDENTIALS ...... 9
MAGECART HACKERS TARGET E-COMMERCE WEBSITES ...... 10
PRIVILEGE ESCALATION VULNERABILITIES FOUND IN CISCO’S BPA AND WSA APPLIANCES ...... 11
REVIL RANSOMWARE VARIANT TARGETING LINUX OS ...... 11
COBALT STRIKE DISGUISED AS A FAKE KASEYA VSA SECURITY UPDATE ...... 12
PRINTNIGHTMARE - PRINT SPOOLER VULNERABILITY ...... 13
JAVASCRIPT RTE NODE.JS RECEIVES PATCHES ...... 14
POWER OF HUMAN RISK MANAGEMENT OVER SECURITY AWARENESS TRAINING ...... 14
QNAP'S NETWORK ATTACHED STORAGES PATCHES CRITICAL VULNERABILITIES ...... 15
DR HEX ENGAGED IN CYBERCRIMES GOT ARRESTED ...... 16
CRYPTOGRAPHIC VULNERABILITY IN KASPERSKY PASSWORD MANAGER PATCHED ...... 16
.NET UNDER ATTACK DUE TO NUGET PACKAGES VULNERABILITIES ...... 17
CRITICAL VULNERABILITIES IN PHILIPS CLINICAL COLLABORATION PLATFORM PORTAL ...... 18
FATIGUE OPENS DOORS FOR CYBERCRIMINALS ...... 20
ZLOADER HAS A NEW WAY OF INFECTION ...... 21

BRAINTRACE.COM CONFIDENTIAL 1

BACKGROUND
This report was created to update our clients on up-and-coming vulnerabilities and exploits that our security experts have discovered. Our team works diligently on researching threats and vulnerabilities to provide you with a safer network. If you have any questions, do not hesitate to contact us.

WESTERN DIGITAL USERS HIT BY ANOTHER ZERO-DAY EXPLOIT
Western Digital NAS users on the old My Cloud OS 3 are being hit by another zero-day exploit, which could allow an attacker to gain persistent access through a backdoor planted on their NAS devices.

Affected Systems
◾ Western Digital NAS devices running My Cloud OS 3.

Vulnerability Overview
Users of Western Digital NAS devices running the older, no longer supported My Cloud OS 3 are at risk of a remote code execution (RCE) attack that would allow attackers to plant a backdoor on the NAS device for persistent access. Western Digital has stated, however, that the successor to My Cloud OS 3, My Cloud OS 5, remediates this issue. The problem is getting users to update their OS 3 devices to OS 5, as certain popular features and functionality have been broken by this update. The bug was found by security researchers Radek Domanski and Pedro Ribeiro, who have also created their own patch for it, albeit with one caveat: the patch must be reinstalled every time the device is rebooted. It is also highly likely that Western Digital knew about the bug months before it ended support for the OS.

Recommendation
The recommendation is to migrate old Western Digital NAS devices that run the older, no longer supported My Cloud OS 3 to the newer My Cloud OS 5.

Patch URL Follow vendor instructions at: https://www.westerndigital.com/support/productsecurity/wdc-21004-recommended-upgrade-to-mycloud-os-5.

Reference https://threatpost.com/rce-0-day-western-digital-users/167547/

RANSOMWARE GANG HADES EXPANDS ITS VICTIMS
The Hades ransomware group has begun targeting billion-dollar industries and has now claimed several more victims. They have expanded into the consumer goods, services, insurance, manufacturing and distribution sectors. The group does not seem to have any affiliation with other groups and is apparently working independently.


Affected Systems
◾ All Systems

Vulnerability Overview
The group uses a variant of Phoenix Cryptolocker, a different ransomware family, in order to avoid attribution or any link back to the group. The group also uses VPN connections, SocGholish malware and PsExec to accomplish lateral movement. Mimikatz is used for credential access and Advanced IP Scanner for reconnaissance. In addition to deploying ransomware, the group also destroys cloud backups and snapshots once it has gained access.

Recommendation
It is recommended that users keep their operating systems and security software up to date.

Reference https://cyware.com/news/hades-ransomware-gang-claims-more-victims-while-experts-look-for-clues-0176057a

KASEYA WARNS OF FAKE SECURITY UPDATES
Victims of the Kaseya incident may receive emails about updating Kaseya. These are in fact false and malicious. Kaseya is warning its customers about an ongoing phishing campaign in which malicious actors send spam emails containing malicious attachments and/or links.

Affected Systems
◾ The affected systems include the 1,500 direct and downstream customers of Kaseya.

Vulnerability Overview
A malspam campaign targeting Kaseya customers and trying to abuse the Kaseya ransomware crisis was first discovered by Malwarebytes Threat Intelligence. The campaign delivers Cobalt Strike through email attachments named “SecurityUpdates.exe”. Not only does the email contain this attachment, it also contains a link pretending to be a security update, possibly from Microsoft, to patch the Kaseya vulnerability. The attackers are trying to send out as many Cobalt Strike beacons as possible so that they can backdoor systems, steal sensitive information and possibly deliver even more malware. Kaseya has not released a fix for the VSA zero-day, and customers may feel the need to click instantly on the first sign of protection they are offered.

Recommendation
The recommendation for this threat is not to click on or download any attachments claiming to be an advisory from Kaseya. Kaseya will never send an update within an email containing links or attachments.


Reference https://www.bleepingcomputer.com/news/security/kaseya-warns-of-phishing-campaign-pushing-fake-security-updates/

SAGE X3 VULNERABILITIES COULD IMPACT MANY ORGANIZATIONS SEVERELY
An attacker can use the Sage X3 vulnerabilities against multiple organizations, using different methods to compromise the network and take full control of the system.

Affected Systems
◾ Sage X3 Version 9
◾ Sage X3 Version 11
◾ Sage X3 Version 12
◾ Sage X3 HR & Payroll Version 9

Vulnerability Overview
Sage X3 is accounting software used worldwide, and multiple vulnerabilities that expose many businesses to attack have been found in it so far. These issues create a big challenge for Sage and its customers. The vulnerabilities CVE-2020-7388 and CVE-2020-7387 are now public: CVE-2020-7388 is described as an unauthenticated command execution bypass by spoofing a remote administration service, and CVE-2020-7387 as exposure of sensitive information (the installation path) to an unauthorized user. An attacker can combine those two vulnerabilities to send malicious code to the machine, compromise it, and ultimately take control of it.

Sage has released patches to fix these vulnerabilities:
-Sage X3 Version 9 (Syracuse 9.22.7.2)
-Sage X3 HR & Payroll Version 9 (Syracuse 9.24.1.3)
-Sage X3 Version 11 (Syracuse 11.25.2.6)
-Sage X3 Version 12 (Syracuse 12.10.2.8)

Recommendation
Use a secure VPN connection.

Reference https://www.securityweek.com/sage-x3-vulnerabilities-can-pose-serious-risk-organizations


TRICKBOT RECEIVES MAN-IN-THE-BROWSER (MITB) CAPABILITIES WHICH COULD LEAD TO A WAVE OF BANKING FRAUD ATTACKS
TrickBot is a sophisticated, modular malware used for stealing credentials. It has had MiTB capabilities added to it, which may allow it to steal credentials from unsuspecting users through their home computers.

Affected Systems
◾ Web Browsers

Vulnerability Overview
TrickBot, a modular malware commonly used to steal credentials and deploy secondary ransomware, has just received MiTB capabilities that allow it to modify web browser requests. It does this with the help of Zeus-style webinject configs, which provide an additional way to dynamically modify web requests. The Zeus-style injection proxies traffic through a local SOCKS server, where the attacker can capture stolen credentials. To hide from the victim that the browser has been compromised, the module creates a self-signed TLS certificate, inserts it into the certificate store, and then hooks “CertVerifyCertificateChainPolicy” and “CertGetCertificateChain” so that no certificate errors appear on the victim’s machine.

Recommendation
The recommendation is to keep your systems and applications up to date with the latest patches, and to educate users on common security threats and proper operational security procedures.

Reference https://threatpost.com/trickbot-banking-trojan-module/167521/

UPDATE POWERSHELL TO PREVENT ATTACK
Microsoft is asking Azure users to update PowerShell versions 7.0 and 7.1 in order to avoid potential attacks on the application.

Affected Systems
◾ PowerShell 7.0 and 7.1

Vulnerability Overview
To protect against attack, Microsoft encourages Azure users with affected versions of PowerShell to update to the new versions 7.0.6 or 7.1.3. Microsoft confirmed that it has patched the vulnerability CVE-2021-26701 in PowerShell, but the issue remains in .NET 5 and .NET Core. However, experts believe the flaw will be difficult for any cybercriminal to exploit. Windows PowerShell 5.1 is not affected by this issue.


Recommendation
It is recommended to install the new PowerShell version as soon as possible, updating from:
-Version 7.0 to 7.0.6
-Version 7.1 to 7.1.3

Reference https://www.securityweek.com/microsoft-tells-azure-users-update-powershell-patch-vulnerability

HACKERS NOW USE BENIGN OFFICE DOCUMENTS TO DYNAMICALLY DOWNLOAD AND CREATE MACROS IN EXCEL FILES AND DISABLE MACRO SECURITY WARNINGS
Hackers have been observed using benign Microsoft Office documents to dynamically download and create macros in Excel files, and to disable macro security warnings before downloading and executing the Zloader payload in a “living off the land” attack.

Affected Systems
◾ Microsoft Office Suite with macros enabled.

Vulnerability Overview
Hackers now use benign Office documents to dynamically download malicious DLLs such as Zloader; however, to do this, macros must already be enabled on the user’s machine. The attack starts when a user downloads and opens a seemingly benign Microsoft Office document, after which a password-protected Microsoft Excel file is downloaded from a remote server. Once the Excel file has been downloaded, the VBA macros in the Office document read its cell contents and create new VBA functions in the Excel file. The Word document suppresses macro warning messages by setting a registry policy that disables the Excel macro warning, then calls the macro it has created in the Excel file, which downloads the Zloader payload and executes it with rundll32.exe.

Recommendation
Ensure that macros are disabled across all systems in your network.
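As an added example (not part of the advisory), the PowerShell audit below reads, for the current user, the two Office trust settings the attack chain above depends on: the macro warning level (VBAWarnings) and trust of the VBA project object model (AccessVBOM), which is what lets one document write new VBA code into another. It assumes Office 2016/Microsoft 365 (registry version 16.0); the key paths and value meanings are Microsoft's documented Office security settings.

```powershell
# Added example, not from the advisory: audits the Office macro trust settings for the
# current user. Assumes the 16.0 registry version (Office 2016 / Microsoft 365).
$OfficeVersion = '16.0'
$Applications  = 'Word', 'Excel'

# Meaning of the VBAWarnings value as documented by Microsoft.
$VbaWarningsText = @{
    1 = 'Enable all macros (dangerous)'
    2 = 'Disable all macros with notification (default)'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-OfficeSecuritySetting {
    param(
        [Parameter(Mandatory)][string]$Application,
        [Parameter(Mandatory)][string]$Name
    )
    # A Group Policy value (under Policies) overrides the per-user preference key,
    # so it is checked first. Returns $null when the value is set in neither place.
    $paths = @(
        "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$Application\Security",
        "HKCU:\Software\Microsoft\Office\$OfficeVersion\$Application\Security"
    )
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = [int]$item.$Name; Source = $path }
        }
    }
    return $null
}

function Test-OfficeMacroPolicy {
    foreach ($app in $Applications) {
        $warn = Get-OfficeSecuritySetting -Application $app -Name 'VBAWarnings'
        $vbom = Get-OfficeSecuritySetting -Application $app -Name 'AccessVBOM'

        # VBAWarnings=1 is the "warnings suppressed, macros run" state the loader needs;
        # AccessVBOM=1 lets a running macro add VBA modules to another document.
        $warnValue = if ($warn) { $warn.Value } else { 2 }   # absent means the default, 2
        $vbomValue = if ($vbom) { $vbom.Value } else { 0 }

        [pscustomobject]@{
            Application      = $app
            VBAWarnings      = $warnValue
            VBAWarningsText  = $VbaWarningsText[$warnValue]
            VBAWarningsFrom  = if ($warn) { $warn.Source } else { 'not set (default)' }
            AccessVBOM       = $vbomValue
            EnforcedByPolicy = [bool]($warn -and $warn.Source -like 'HKCU:\Software\Policies\*')
            Finding          = if ($warnValue -eq 1 -or $vbomValue -eq 1) {
                                   'WEAK: macros run silently or VBA project access is trusted'
                               } elseif ($warnValue -ne 4) {
                                   'REVIEW: user can still enable macros from the warning bar'
                               } else {
                                   'OK: macros disabled without notification'
                               }
        }
    }
}

Test-OfficeMacroPolicy | Format-Table -AutoSize
```

A finding that is not enforced by policy can be changed by the user or by a running macro, so the setting should come from Group Policy rather than the preference key.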

Reference https://thehackernews.com/2021/07/hackers-use-new-trick-to-disable-macro.html

WAGO DEVICES OPEN THE DOOR TO REMOTE ATTACK
An attacker has been able to use remote code execution to gain access to and control over WAGO devices, which allows an industrial automation system to be compromised.

Affected Systems
◾ WAGO PFC100/200 devices


Vulnerability Overview
Industrial firms were affected by remote attacks in which the attacker targeted WAGO PFC100/200 devices and took control of them by sending malicious data to the device. Once the WAGO devices were compromised, the attackers were able to affect the industrial automation remotely. To prevent attacks, WAGO patched the vulnerabilities CVE-2021-34566 and CVE-2021-34567, because an attacker could use them to gain access to the operational technology network.

Recommendation
IBM Security; FORTINET; F-Secure; Palo Alto Networks; CYBERX; VERVE.

Patch URL https://www.icscybersecurityconference.com/

Reference https://www.securityweek.com/vulnerabilities-wago-devices-expose-industrial-firms-remote-attacks

MICROSOFT FAILS TO MITIGATE PRINTNIGHTMARE RCE WITH PATCH
Microsoft has issued an emergency hotfix for the PrintNightmare vulnerability; however, security researchers in Hong Kong have found that the fix can be bypassed in certain situations.

Affected Systems
◾ Windows 10 version 1607
◾ Windows Server 2012
◾ Windows Server 2016

Vulnerability Overview
Microsoft released an emergency out-of-band patch to remediate the PrintNightmare RCE vulnerability; however, while the patch enforces administrative privileges for installing unsigned printer drivers, it only rectifies the RCE via the SMB and RPC variants of the vulnerability. The patch did not remediate the Local Privilege Escalation (LPE) variant. Attackers would be able to achieve local privilege escalation and remote code execution through the LPE variant, though to do so “Point and Print Restrictions” must be enabled, which would then allow attackers to install malicious printer drivers.

Recommendation
Microsoft recommends stopping and disabling the Print Spooler service; an alternative is to limit printer driver installation privileges to known, trusted administrative accounts. This can be configured by changing the “RestrictDriverInstallationToAdministrators” registry value from 0 to 1.

Patch URL Patch from Microsoft does not fully remediate the vulnerability.


Reference https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html

NORTH KOREAN APT TARGETING JOB SEEKERS WITH MALWARE
A North Korean advanced persistent threat group known as Lazarus has been targeting potential job seekers. They have been impersonating large companies such as Airbus, General Motors and Rheinmetall to lure victims into downloading email attachments laced with malicious software.

Affected Systems
◾ All User Accounts

Vulnerability Overview
The malicious files related to these particular attacks are Rheinmetall_job_requirements.doc, General_motors_cars.doc and Airbus_job_opportunity_confidential.doc. These three documents open connections to a compromised domain hosting a command-and-control server, using different methods. In order to evade detection, the files are renamed after Certutil, a command-line program documented by Microsoft. The payloads of Rheinmetall_job_requirements.doc and General_motors_cars.doc use Mavinject.exe, a legitimate Windows program, to inject code into running processes in order to connect to the command-and-control server. Airbus_job_opportunity_confidential.doc, however, uses a different technique: it uses explorer.exe to execute the payload. Once the payload has been delivered, it waits three seconds and then creates a .inf file. Depending on whether the file creation succeeds, it continues to open the connection to the command-and-control server and then deletes any temporary files it created to remove evidence of its actions.

Recommendation
It is recommended that users be wary of suspicious emails containing documents with the names of the files mentioned above.

Reference https://threatpost.com/lazarus-engineers-malicious-docs/167647/

SONICWALL’S NETWORK SECURITY MANAGER PATCHES COMMAND INJECTION VULNERABILITY
The command injection vulnerability exists in on-premises versions of SonicWall’s NSM and not in the SaaS versions of the product. A malicious user could exploit this vulnerability to inject OS commands in order to gain access to the platform’s features, its underlying operating system, and the devices it manages.

Affected Systems
◾ SonicWall Network Security Manager 2.2.0-R10


Vulnerability Overview
The vulnerability, tracked as CVE-2021-20026, can be exploited using specially crafted HTTP requests. It is caused by insufficient filtering of input data that is passed directly to the operating system. An attacker would need to be authenticated, but from there could gain root access to the operating system. Even an attacker with minimal privileges could use this vulnerability to escalate privileges and compromise the device.

Recommendation
It is recommended that users update to version 2.2.1-R6 or higher.

Reference https://www.securityweek.com/researcher-describes-potential-impact-recently-patched-sonicwall-nsm-flaw

NINE ANDROID APPS CAUGHT HARVESTING USERS' FACEBOOK CREDENTIALS
Google removed at least nine Android applications with over 5.8 million combined downloads from the Play Store after the applications were found to be stealthily harvesting victims’ Facebook login credentials.

Affected Systems
◾ Facebook Users

Vulnerability Overview
The Android applications were fully functional and designed to mask their malicious intent by posing as photo-editing, astrology and fitness applications. They tricked potential victims into logging into their Facebook accounts and exfiltrated the entered passwords using JavaScript code loaded from a threat actor-controlled server.

The malicious applications are as follows:
-PIP Photo
-Processing Photo
-Rubbish Cleaner
-Horoscope Daily
-Inwell Fitness
-App Lock Keep
-Lockit Master
-Horoscope Pi
-App Lock Manager

Users were prompted to enter their Facebook account credentials to access the applications’ functions and to disable in-app advertisements. The ads shown in the applications were legitimate ads that tricked Android users into following the required actions. Researchers warned that this type of attack could be extended to trick users into entering their credentials on the login page of any legitimate website, stealing credentials for other web services as well.

Recommendation
It is recommended to install applications from known and trusted developers only, to be cautious about the permissions requested by apps, and to read user reviews before installing applications.

Reference https://thehackernews.com/2021/07/android-apps-with-58-million-installs.html

MAGECART HACKERS TARGET E-COMMERCE WEBSITES
The Magecart hackers are using malicious code hidden in comment blocks, and embedded inside images and other files, to steal credit card information. The name "Magecart" covers at least seven different groups, which are known for targeting e-commerce websites. This shows that malicious actors are continuously developing new ways to evade detection. Affected websites have included British Airways, Ticketmaster, and many more.

Affected Systems
◾ E-commerce Websites

Vulnerability Overview
The images used can be downloaded with a simple GET request. The malicious actors use JavaScript skimmers and afterwards sell the gathered information on the black market. They collect victims’ payment card details in real time, as the victims enter them on the compromised website. The stolen information is then saved in a .css stylesheet file, which the hackers can retrieve with a GET request as many times as they want. These cybercriminals are known for using malicious PHP web shells to obtain remote access to previously compromised servers. On the victim’s side, this malware appears as a favicon (Magento.png).

Recommendation
Recommendations for better protecting your systems from this type of attack include regularly updating the websites you own, using complex passwords, securing workstations, and deploying firewalls, all of which contribute to future prevention.

Patch URL https://www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business

Reference https://thehackernews.com/2021/07/magecart-hackers-hide-stolen-credit.html


PRIVILEGE ESCALATION VULNERABILITIES FOUND IN CISCO’S BPA AND WSA APPLIANCES
Vulnerabilities were found in Cisco’s BPA and WSA appliances that allow attackers to run unauthorized code, steal sensitive information from log files, install malware and disrupt operations, as well as perform cross-site scripting attacks and HTML injection.

Affected Systems
◾ Cisco WSA, virtual and hardware-based iterations of the appliance, in releases 11.8 and earlier, 12.0 and 12.5.
◾ Cisco BPA releases earlier than Release 3.1

Vulnerability Overview
Critical privilege escalation vulnerabilities were found in certain versions of Cisco’s Business Process Automation (BPA) application and Web Security Appliance (WSA). The CVEs for Cisco’s BPA are CVE-2021-1574 and CVE-2021-1576. Both vulnerabilities are due to improper privilege enforcement: CVE-2021-1574 potentially allows attackers with user credentials to run unauthorized commands and code, and CVE-2021-1576 potentially allows attackers with credentials to steal sensitive logging information and use it to impersonate a user; however, the latter can only be exploited while that user has an active session open.

CVE-2021-1359 affects Cisco’s WSA appliance and is due to improper XML input validation by the web interface. To exploit this vulnerability, an attacker would have to upload a maliciously crafted XML configuration file to the configuration management interface of Cisco AsyncOS; successful exploitation would allow the attacker to execute unauthorized code on AsyncOS and elevate privileges to root, giving them administrative access to the device. This vulnerability affects both the virtual and hardware versions of the appliance.

Recommendation
The recommendation is to update affected systems as soon as possible with patches downloaded directly from Cisco, with SHA-256 hashes generated and verified before applying them.

Reference
https://threatpost.com/cisco-bpa-wsa-bugs-cyberattacks/167654/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-1576
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-1574
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-1359

REVIL RANSOMWARE VARIANT TARGETING LINUX OS
The threat actors behind a number of high-profile cyber attacks are now targeting the Linux operating system as well. The modified variant of REvil specifically targets VMware’s ESXi virtual machines and network attached storage (NAS) devices that run on Linux. Researchers have classified this move as unusual, as REvil has been known to target Windows.

Affected Systems
◾ Linux

Vulnerability Overview
The new REvil version for Linux has similar characteristics to the Windows version. ESXi is targeted because multiple virtual machines (VMs) can share the same storage on the ESXi hypervisor. This gives threat actors the possibility of compromising centralized virtual hard drives, disrupting every VM that shares the same storage. The REvil ransomware also appears to target NAS devices, which are likewise used for storage, in order to encrypt and compromise the data stored on them. The ransomware uses ELF64 executables, as the Windows version of REvil also does.

Once the REvil ransomware is on the system, it lists and terminates all running ESXi VMs via the esxcli command-line tool. The ransomware does this in silent mode to avoid detection and debugging, without stopping a targeted VM. It then begins to encrypt all the files found on the system using a generated 64-byte XOR key.

Recommendation
It is recommended to follow strong security practices and to look for indicators of compromise on the network.

Reference https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version

COBALT STRIKE DISGUISED AS A FAKE KASEYA VSA SECURITY UPDATE
A new spam campaign has been targeting potential victims of the ongoing Kaseya cyber attack and distributing Cobalt Strike payloads disguised as fake Kaseya VSA security updates. The end goal of the campaign appears to be collecting and exfiltrating sensitive data or dropping more malware onto the system.

Affected Systems
◾ All Systems

Vulnerability Overview
The malware spam campaign sends targets malicious emails containing a downloadable malicious attachment named SecurityUpdates[.]exe. The email also contains an embedded link made to look like an official Microsoft patch for the Kaseya VSA zero-day exploit, and a deadline for downloading the fake patch, in an attempt to give the targeted victim a sense of urgency. The payload download pages are designed to look trustworthy by using the target company's logo and graphics. Once the attachment is downloaded or the link is clicked, Cobalt Strike begins to run on the system. This gives the threat actors behind the campaign remote access to the system and its data.

Recommendation
It is recommended to be aware of phishing emails and not to click on any attachments or links that arrive from an unexpected or unknown sender.

Reference https://www.bleepingcomputer.com/news/security/fake-kaseya-vsa-security-update-backdoors-networks-with-cobalt-strike/

PRINTNIGHTMARE - PRINT SPOOLER VULNERABILITY
The PrintNightmare Print Spooler vulnerability was raised from ‘Low’ to ‘Critical’ this week after a proof of concept was published on GitHub. Bad actors can leverage this vulnerability and potentially gain access to Domain Controllers.

Affected Systems
◾ Microsoft Workstations

Vulnerability Overview
Print Spooler is one of Microsoft’s oldest services and has received minimal maintenance updates since it first came out. By default, every Microsoft workstation, which includes servers and endpoints, has Print Spooler enabled.

PrintNightmare exploitation continues even after Microsoft released a patch in June. The patch was not enough to stop the exploits, so malicious actors can still connect to the Print Spooler remotely and gain access to the network.

After an attacker gains limited access to a network and connects to the Print Spooler with its kernel access, the attacker can then use the Print Spooler to gain access to the operating system, launch remote code execution, and eventually compromise the Domain Controller.

Recommendation
To mitigate the PrintNightmare vulnerability, disable the Print Spooler service on every server and on non-printing workstations.

Vulnerability detections and mitigations can be found at the links below.
https://www.splunk.com/en_us/blog/security/i-pity-the-spool-detecting-printnightmare-cve-2021-34527.html
https://www.kb.cert.org/vuls/id/383432
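As an added example (not from the advisory or from Microsoft), the PowerShell script below audits the two PrintNightmare mitigations described in this section and in the earlier “Microsoft fails to mitigate PrintNightmare” section: whether the Print Spooler service is stopped and disabled, and whether the “RestrictDriverInstallationToAdministrators” value is set to 1. It also reports the two Point and Print values (NoWarningNoElevationOnInstall, UpdatePromptSettings) that, when non-zero, let non-administrators install drivers silently, and offers a remediation function. The registry key and value names are Microsoft's documented Point and Print settings; run it from an elevated session.

```powershell
# Added example, not from the advisory: audit and optional remediation of the
# PrintNightmare mitigations on the local host. Requires an elevated PowerShell session.
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the key or the value is absent (not explicitly configured).
    $item = Get-ItemProperty -Path $PointAndPrintKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-PrintNightmareMitigation {
    # Reports the spooler state and the Point and Print values that decide who may install drivers.
    $spooler  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $restrict = Get-PointAndPrintValue -Name 'RestrictDriverInstallationToAdministrators'
    $noWarn   = Get-PointAndPrintValue -Name 'NoWarningNoElevationOnInstall'
    $update   = Get-PointAndPrintValue -Name 'UpdatePromptSettings'

    # Primary mitigation from the advisory: service stopped AND set to Disabled.
    $spoolerDisabled = ($null -eq $spooler) -or
                       ($spooler.Status -eq 'Stopped' -and $spooler.StartType -eq 'Disabled')
    # Alternative mitigation: the restriction value must be explicitly 1 ...
    $installRestricted = ($restrict -eq 1)
    # ... and neither weakening value may be set ([int]$null evaluates to 0).
    $pointAndPrintWeakened = ([int]$noWarn -ne 0) -or ([int]$update -ne 0)

    [pscustomobject]@{
        ComputerName                               = $env:COMPUTERNAME
        SpoolerState                               = if ($spooler) { "$($spooler.Status)/$($spooler.StartType)" } else { 'NotInstalled' }
        SpoolerDisabled                            = $spoolerDisabled
        RestrictDriverInstallationToAdministrators = $restrict
        NoWarningNoElevationOnInstall              = $noWarn
        UpdatePromptSettings                       = $update
        DriverInstallRestricted                    = $installRestricted
        PointAndPrintWeakened                      = $pointAndPrintWeakened
        Mitigated                                  = $spoolerDisabled -or ($installRestricted -and -not $pointAndPrintWeakened)
    }
}

function Set-PrintNightmareMitigation {
    # Applies the advisory's mitigations. -DisableSpooler is the primary recommendation
    # (servers and non-printing workstations); without it only driver installation is restricted.
    param([switch]$DisableSpooler)

    if ($DisableSpooler) {
        Stop-Service -Name Spooler -Force -ErrorAction Stop
        Set-Service  -Name Spooler -StartupType Disabled
    }
    if (-not (Test-Path $PointAndPrintKey)) {
        New-Item -Path $PointAndPrintKey -Force | Out-Null
    }
    # 0 -> 1 as described in the recommendation; also clear the two weakening values.
    foreach ($pair in @(
        @{ Name = 'RestrictDriverInstallationToAdministrators'; Value = 1 },
        @{ Name = 'NoWarningNoElevationOnInstall';              Value = 0 },
        @{ Name = 'UpdatePromptSettings';                       Value = 0 }
    )) {
        New-ItemProperty -Path $PointAndPrintKey -Name $pair.Name -PropertyType DWord `
                         -Value $pair.Value -Force | Out-Null
    }
    Test-PrintNightmareMitigation
}

# Audit first; remediate with e.g. Set-PrintNightmareMitigation -DisableSpooler on hosts that
# do not need to print, or without the switch where printing must keep working.
Test-PrintNightmareMitigation | Format-List
```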


Reference https://thehackernews.com/2021/07/how-to-mitigate-microsoft-print-spooler.html

JAVASCRIPT RTE NODE.JS RECEIVES PATCHES
Node.js is a JavaScript platform used to test scripts and other related functions within the ubiquitous programming language. Recently, it received an update to plug several vulnerabilities in its code.

Affected Systems
◾ Node.js

Vulnerability Overview
The most dangerous of these bugs, CVE-2021-27290, rated as a "high" severity issue, affects the npm upgrade component of the environment. Attackers could conduct a denial of service (DoS) attack that could bring down the environment; unfortunately, few details were available about this vulnerability.

Further bugs, CVE-2021-22918, CVE-2021-22921 and CVE-2021-273362, also received patches. These issues range from further DoS conditions to privilege escalation.

Recommendation
It is suggested to update in order to mitigate these issues. Testing prior to deployment is always recommended.

Patch URL https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/

Reference https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/

POWER OF HUMAN RISK MANAGEMENT OVER SECURITY AWARENESS TRAINING
As human-related data breaches increase every day, security awareness training is failing to protect against cyber threats.

Affected Systems
◾ All Systems

Vulnerability Overview
Human cyber risk is becoming an even bigger concern for businesses. Security awareness training is struggling to keep up with new breaches, because the training does not always meet the requirements for preventing attacks and does not help employees improve their security behaviour. During security awareness training, most employees focus on the grade rather than on actually learning. Human Risk Management is the best tool, with sufficient and accurate security measures, for solidifying the network security of any business against human-driven cyber attacks. Usecure’s offering, called automated human risk management, supports better security decisions for everyone and protects your workforce at the human level.

Recommendation
The recommendation is to practise frequent and effective employee training, in order to keep staff informed about potential threats that continue to grow.

Reference https://thehackernews.com/2021/07/security-awareness-training-is-broken.html

QNAP'S NETWORK ATTACHED STORAGES PATCHES CRITICAL VULNERABILITIES
QNAP has addressed issues affecting its network attached storage devices, specifically the HBS 3 Hybrid Backup Sync application. The vulnerability tracked as CVE-2021-28809 allows an attacker to escalate privileges, execute commands remotely, and read information stored on the device without permission. QNAP patched another vulnerability, tracked as CVE-2021-28799, that allows attackers to deploy ransomware on the same device.

Affected Systems
◾ HBS 3 Hybrid Backup Sync

Vulnerability Overview
The first flaw, CVE-2021-28809, in HBS 3 Hybrid Backup Sync is an improper authorization vulnerability caused by buggy software that gives remote attackers access to the device without any authorization. The second flaw, CVE-2021-28799, is another improper authorization vulnerability that provides a backdoor account, allowing attackers to encrypt the data on the device. The attackers move the victim’s data into password-protected zip files and demand payment for its release.

Recommendation
It is recommended that users keep their HBS 3 Hybrid Backup Sync installations fully up to date in order to receive the patch that removes the two vulnerabilities mentioned.

Patch URL https://www.qnap.com/en-us/security-advisory/QSA-21-19


Reference https://www.bleepingcomputer.com/news/security/qnap-fixes-critical-bug-in-nas-backup-disaster-recovery-app/

DR HEX ENGAGED IN CYBERCRIMES GOT ARRESTED
Authorities working with Interpol have arrested a bad actor who had been engaged in cybercrime for several years, attacking telecom companies, banks, and corporations in France with malware as part of phishing and credit card fraud campaigns.

Affected Systems
◾ Telecom Companies
◾ Major Banks
◾ Corporations in France

Vulnerability Overview
According to Group-IB, the two-year investigation resulted in the arrest of Dr Hex, a Moroccan hacker who has been active since 2009 and has engaged in numerous cybercrime activities, including phishing, malware attacks, fraud, defacing, and carding.

The attacks are arranged using phishing kits, including spoofed web pages imitating banking entities; the actor then sends phishing emails impersonating the targeted corporations and prompting recipients to enter their login credentials on the fake website. Once credentials are entered, they are redirected to the bad actor’s email.

Dr Hex is also suspected of promoting Zombi Bot, a tool advertised as containing 814 exploits (72 of them private), a brute-forcer, web shell and backdoor scanners, and the ability to carry out DDoS attacks.

Recommendation Enable multi-factor authentication on accounts so that stolen credentials alone are not enough to log in, and do not open suspicious emails or follow links in them.

Reference https://thehackernews.com/2021/07/interpol-arrests-hacker-in-morocco-who.html

CRYPTOGRAPHIC VULNERABILITY IN KASPERSKY PASSWORD MANAGER PATCHED A serious cryptographic weakness in Kaspersky Password Manager, first reported to the vendor in June 2019, was only fully remediated in April 2021, because the mobile versions remained vulnerable after the desktop fix. The flaw lies in the password generator built into the password manager. According to the researchers who ran the investigation, every password the generator produced while the flaw was present can be brute forced.

Affected Systems ◾ Passwords created with Kaspersky Password Manager's password generator before April 2021.

Vulnerability Overview Although a fix was published in October 2020, the mobile version of Kaspersky Password Manager remained vulnerable. The root cause was that the generator drew its randomness from a single source, the current time in seconds, and used it to seed a pseudo-random number generator. Two users who generated a password within the same second were therefore offered the same password, and an attacker who knows roughly when a password was created can regenerate every candidate for that time window and try them all: a whole year is only about 31.5 million seconds, which is a trivial search.
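The following added example (not Kaspersky's code, nor the researchers') reproduces the class of flaw described above with a hypothetical generator: a pseudo-random generator seeded only with the Unix time in whole seconds. Python's random module stands in for the product's own generator; the alphabet, password length and the timestamp are assumptions. It shows that the attacker only has to enumerate seconds, and puts the hardened form (an OS-backed CSPRNG) beside it.

```python
"""Why a time-seeded password generator can be brute forced (added example)."""
import random
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # assumed
LENGTH = 12                                                           # assumed


def weak_generate(seed_seconds: int, length: int = LENGTH) -> str:
    """Hypothetical weak generator: Unix time in whole seconds is the only entropy.

    random.Random(seed) is fully determined by the seed, so every user who
    generates a password in the same second gets the same password.
    """
    rng = random.Random(seed_seconds)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def recover_seed(target: str, start: int, end: int) -> Optional[int]:
    """Attacker side: regenerate the password for every second in [start, end].

    The password's length and alphabet are known (they are product settings),
    so the only unknown is the second in which it was generated.
    """
    for t in range(start, end + 1):
        if weak_generate(t, len(target)) == target:
            return t
    return None


def strong_generate(length: int = LENGTH) -> str:
    """Hardened form: the secrets module reads the OS CSPRNG, so two calls in
    the same second are independent and no seed exists to enumerate."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def demo() -> dict:
    """Walk through the attack on a constructed timestamp (2021-06-29 UTC)."""
    created_at = 1_625_000_000
    password = weak_generate(created_at)
    # Attacker knows the password was made within an hour of this time.
    found = recover_seed(password, created_at - 3600, created_at + 3600)
    return {
        "same_second_identical": weak_generate(created_at) == password,
        "seed_recovered": found == created_at,
        "strong_differs": strong_generate() != strong_generate(),
    }


if __name__ == "__main__":
    print(demo())
```

The search in recover_seed covers two hours here; widening it to a full year is still only tens of millions of cheap regenerations, which is why every password from the weak generator is considered compromised regardless of its apparent length or complexity.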

Recommendation Ensure every installation of Kaspersky Password Manager, desktop and mobile, is updated to the latest version, then regenerate all passwords that were created with the old generator; updating alone does not fix passwords that are already in use.

Reference https://portswigger.net/daily-swig/kaspersky-password-manager-nbsp-lambasted-for-multiple-cryptographic-flaws

.NET UNDER ATTACK DUE TO NUGET PACKAGES VULNERABILITIES An analysis of the packages hosted on the NuGet repository has uncovered dozens of components carrying known vulnerabilities, many of them rated high severity. NuGet is the package manager Microsoft uses for the .NET platform; it lets developers share and reuse code, so a vulnerable package is pulled into every application that depends on it.

Affected Systems ◾ .NET applications that depend on the affected NuGet packages

Vulnerability Overview Research by ReversingLabs researcher Karlo Zanki found medium- and high-severity vulnerabilities in software components hosted on NuGet. The affected packages mostly provide network and compression functionality, and several do so by bundling third-party tools such as 7-Zip and WinSCP in outdated builds.

One example: packages that bundle WinSCP version 5.11.2 expose their users to a known flaw in that version that allows attackers to execute arbitrary commands remotely. The package's own version number gives no hint of this, because the vulnerable code is the bundled tool, not the package's managed code.
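Because the problem is the binaries a package ships rather than the package version, the practical check is to open the .nupkg (a zip archive with a .nuspec manifest) and inventory every bundled executable with its hash. The following is an added example, not ReversingLabs' tooling or any NuGet code; the package it builds is constructed (hypothetical id Example.BundledTools, placeholder file contents instead of real PE files), and the "known bad" hash list is supplied by the caller.

```python
"""Inventory the binaries bundled inside a .nupkg (added example)."""
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List

NATIVE_EXTS = (".exe", ".dll", ".so", ".dylib")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inventory_nupkg(data: bytes) -> Dict:
    """Return the package id/version from the .nuspec and every bundled
    binary (path, size, SHA-256). Works on the raw bytes of a .nupkg."""
    result: Dict = {"id": None, "version": None, "binaries": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".nuspec") and "/" not in name:
                root = ET.fromstring(z.read(name))
                # .nuspec elements are namespaced; compare on the local name.
                for el in root.iter():
                    tag = el.tag.rsplit("}", 1)[-1]
                    if tag == "id" and result["id"] is None:
                        result["id"] = (el.text or "").strip()
                    elif tag == "version" and result["version"] is None:
                        result["version"] = (el.text or "").strip()
            elif name.lower().endswith(NATIVE_EXTS):
                blob = z.read(name)
                result["binaries"].append(
                    {"path": name, "size": len(blob), "sha256": sha256_hex(blob)}
                )
    result["binaries"].sort(key=lambda b: b["path"])
    return result


def flag_known_bad(inv: Dict, bad_hashes: Dict[str, str]) -> List[str]:
    """Cross-reference bundled binaries against a caller-supplied
    sha256 -> description map (for example, hashes of vulnerable tool builds)."""
    return [
        f'{b["path"]}: {bad_hashes[b["sha256"]]}'
        for b in inv["binaries"]
        if b["sha256"] in bad_hashes
    ]


def build_sample_nupkg() -> bytes:
    """Constructed sample package; the 'binaries' are placeholders, not real PE files."""
    nuspec = """<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Example.BundledTools</id>
    <version>1.0.0</version>
    <authors>example</authors>
    <description>constructed sample</description>
  </metadata>
</package>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Example.BundledTools.nuspec", nuspec)
        z.writestr("lib/net45/Example.BundledTools.dll", b"MZ-placeholder-managed")
        z.writestr("tools/WinSCP.exe", b"MZ-placeholder-native")
        z.writestr("readme.txt", "not a binary")
    return buf.getvalue()


if __name__ == "__main__":
    inv = inventory_nupkg(build_sample_nupkg())
    print(inv["id"], inv["version"])
    for b in inv["binaries"]:
        print(f'{b["sha256"]}  {b["size"]:>8}  {b["path"]}')
```

Run it over the packages in a local NuGet cache (the .nupkg files under the global packages folder) to get a list of vendored tools per package; `dotnet list package --vulnerable` complements this but only reports advisories filed against the package id itself, not against tools a package happens to bundle.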

Recommendation Update WinSCP itself, and any NuGet package that bundles it, to the newest version. More generally, review your dependency tree for packages that vendor native binaries and treat those binaries as dependencies in their own right; awareness of software development risk and attention to code quality have to extend to what third-party packages ship, not only to your own code.


Reference https://thehackernews.com/2021/07/dozens-of-vulnerable-nuget-packages.html?&web_view=true

CRITICAL VULNERABILITIES IN PHILIPS CLINICAL COLLABORATION PLATFORM PORTAL Multiple flaws have been disclosed in the Philips Clinical Collaboration Platform Portal, better known as Vue PACS. In the worst case, an attacker could chain them to take over the target system completely: collect or modify data, gain system access, execute code, or install unauthorized software.

Affected Systems ◾ Vue Picture Archiving and Communication System (PACS) versions 12.2.x.x and earlier ◾ Vue MyVue versions 12.2.x.x and earlier ◾ Vue Speech versions 12.2.x.x and earlier ◾ Vue Motion versions 12.2.1.5 and earlier

Vulnerability Overview Five of the vulnerabilities, CVE-2020-1938 (the Apache Tomcat AJP connector flaw known as Ghostcat), CVE-2018-12326, CVE-2018-11218, CVE-2020-4670, and CVE-2018-8014, involve improper input validation. CVE-2021-33020 is the use of a cryptographic key past its expiration date, which gives an attacker more time to recover the key. CVE-2021-33018 is the use of a broken cryptographic algorithm. CVE-2015-9251 (in the bundled jQuery library) allows cross-site scripting because user-controllable input reaches the page without neutralization. CVE-2021-33024 concerns authentication credentials that are not adequately protected in storage. CVE-2018-8014 is also listed for improper initialization of resources. Finally, CVE-2021-27501 covers improper adherence to coding standards, which can make the other weaknesses easier to exploit.

Recommendation Update to the most recent versions of the affected software. The released patches do not cover all of the vulnerabilities, so also keep these systems off the internet, segment them from other critical systems, and require a VPN for any remote access.

Reference https://thehackernews.com/2021/07/critical-flaws-reported-in-philips-vue.html

EMAIL FATIGUE OPENS DOORS FOR CYBERCRIMINALS More business data than ever is shared by email. Users can receive well over a hundred emails a day and become so overwhelmed and burnt out that they click a link in a malicious email without even registering it. With volumes this high, it is no surprise that 94% of malware is delivered by email.


Affected Systems ◾ The fatigued email user, who may end up clicking the wrong thing in their inbox.

Vulnerability Overview Spam emails may seem "old school", but cybercriminals still rely on them. With phishing accounting for more than 80% of reported security events, users need to be more careful with their inbox than ever. Even an email inviting you to "unsubscribe" from a mailing list can be a phishing tactic whose only purpose is to confirm that the address is live and read.

A familiar example is the SolarWinds intrusion: the group behind it, Nobelium, later used phishing emails carrying backdoor malware against more than 150 organizations. Other phishing campaigns hit Five Rivers Health Centers in Ohio, and Her Majesty's Revenue and Customs investigated more than 10,000 phishing scams that exploited fears of the coronavirus. Victims often do not know they are infected, because the malware lies dormant or quietly gathers valuable and sensitive information undetected. Given how well phishing keeps working for attackers, it is unlikely to slow down; users and organizations need email defenses in multiple layers to bring infection rates down over time.

Recommendation Continuous user education, multi-layered anti-malware protection, and an incident response plan that limits damage and speeds recovery. Keep using an anti-spam engine, anti-spoofing controls (SPF, DKIM and DMARC), antivirus scanning of email, and detection aimed at advanced attacks such as APT activity and zero-days.

Reference https://www.bleepingcomputer.com/news/security/email-fatigue-among-users-opens-doors-for-cybercriminals/

ZLOADER HAS A NEW WAY OF INFECTION McAfee has discovered a new infection technique for Zloader. The initial file used to fetch Zloader contains no malicious payload of its own, which is why it passes static scanning; it is typically sent to the victim as a phishing email attachment. Zloader is a banking trojan used to steal sensitive information, and the attackers' main goal is banking login credentials.

Affected Systems ◾ Microsoft Word ◾ Microsoft Excel


Vulnerability Overview The attack starts with an email carrying a Word document. If the victim opens the attachment and enables macros, the document downloads a password-protected Excel file. The Word document knows the password, reads the Excel file's cell contents, and writes them back into the Excel file as macros, so the malicious macro is assembled on the victim's machine rather than shipped in the attachment, and that newly created macro is what fetches the payload.

Only after these steps is Zloader itself downloaded and executed.

Indicators of Compromise for Zloader:

Hashes: ◾ 210f12d1282e90aadb532e7e891cbe4f089ef4f3ec0568dc459fb5d546c95eaf ◾ c55a25514c0d860980e5f13b138ae846b36a783a0fdb52041e3a8c6a22c6f5e2

URLs: ◾ hxxp://heavenlygem.com/11.php ◾ hxxp://heavenlygem.com/22.php?5PH8Z
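The following added example (not McAfee's code) shows how the indicators above are used for hunting: matching the listed host against proxy logs, matching the listed SHA-256 hashes against hashes an EDR reports, and checking the Excel macro-security registry values. The hashes and URLs are the IOCs from this section, kept defanged and re-fanged only for comparison; the log lines, the hash report and the registry values are constructed sample input. The registry check goes slightly beyond this section: it assumes, based on the referenced write-up, that the chain depends on Excel trusting programmatic access to the VBA project (AccessVBOM) and on macro warnings being disabled (VBAWarnings).

```python
"""Hunt for the Zloader IOCs listed above (added example)."""
from typing import Dict, List
from urllib.parse import urlsplit

IOC_SHA256 = {
    "210f12d1282e90aadb532e7e891cbe4f089ef4f3ec0568dc459fb5d546c95eaf",
    "c55a25514c0d860980e5f13b138ae846b36a783a0fdb52041e3a8c6a22c6f5e2",
}
IOC_URLS_DEFANGED = [
    "hxxp://heavenlygem.com/11.php",
    "hxxp://heavenlygem.com/22.php?5PH8Z",
]


def refang(url: str) -> str:
    """Undo the usual defanging (hxxp, [.]) so an IOC can be compared to real traffic."""
    return url.replace("hxxp", "http").replace("[.]", ".")


IOC_HOSTS = {urlsplit(refang(u)).hostname for u in IOC_URLS_DEFANGED}
IOC_PATHS = {urlsplit(refang(u)).path for u in IOC_URLS_DEFANGED}


def match_proxy_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag requests to an IOC host in constructed '<time> <client> <method> <url> <status>' lines.

    Matching is on the host, not the full URL: the query string (?5PH8Z) is a
    campaign token that can change, and any request to that host deserves triage.
    exact_path records whether the path is one of the listed ones.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] not in ("GET", "POST"):
            continue  # skip anything that does not fit the sample format
        ts, client, url = parts[0], parts[1], parts[3]
        split = urlsplit(url)
        if split.hostname and split.hostname.lower() in IOC_HOSTS:
            hits.append({"time": ts, "client": client, "url": url,
                         "exact_path": split.path in IOC_PATHS})
    return hits


def match_hashes(observed: Dict[str, str]) -> List[str]:
    """Return file paths whose reported SHA-256 is one of the listed Zloader hashes."""
    return sorted(path for path, digest in observed.items()
                  if digest.lower() in IOC_SHA256)


def check_macro_security(values: Dict[str, int]) -> List[str]:
    """Assess values exported from HKCU\\Software\\Microsoft\\Office\\<version>\\Excel\\Security.

    VBAWarnings: 1 = enable all macros, 2 = disable with notification (default),
    3 = disable except digitally signed, 4 = disable all without notification.
    AccessVBOM: 1 = "Trust access to the VBA project object model", which is
    what lets a document write macros into another file (assumption: the
    setting this chain relies on, per the referenced write-up).
    """
    findings = []
    if values.get("VBAWarnings", 2) == 1:
        findings.append("VBAWarnings=1: all macros run without a prompt")
    if values.get("AccessVBOM", 0) == 1:
        findings.append("AccessVBOM=1: VBA project object model is trusted, "
                        "so a document can write macros into other files")
    return findings


# Constructed sample input, not real telemetry.
SAMPLE_PROXY_LOG = [
    "2021-07-12T10:01:03Z 10.0.0.5 GET http://heavenlygem.com/22.php?5PH8Z 200",
    "2021-07-12T10:01:04Z 10.0.0.5 GET https://example.org/index.html 200",
    "2021-07-12T10:02:17Z 10.0.0.9 GET http://HEAVENLYGEM.com/x.php 404",
]
SAMPLE_EDR_HASHES = {
    "C:\\Users\\u\\AppData\\Local\\Temp\\payload.dll":
        "210f12d1282e90aadb532e7e891cbe4f089ef4f3ec0568dc459fb5d546c95eaf",
    "C:\\Windows\\System32\\notepad.exe": "00" * 32,  # placeholder, benign
}
SAMPLE_EXCEL_SECURITY = {"VBAWarnings": 1, "AccessVBOM": 1}


def demo() -> Dict[str, object]:
    return {
        "proxy_hits": match_proxy_log(SAMPLE_PROXY_LOG),
        "hash_hits": match_hashes(SAMPLE_EDR_HASHES),
        "macro_findings": check_macro_security(SAMPLE_EXCEL_SECURITY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A hit on the host alone is worth a look even when the path differs, since the second listed URL shows the operators vary the request with a query token; the hash match is the high-confidence signal, and the registry findings tell you whether the machine was left in a state where the next malicious workbook will run silently.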

Recommendation Keep macro execution disabled for Microsoft Office files, and in particular do not click Enable Content on documents that arrive by email. Do not follow links or open attachments from unknown senders.

Reference https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/?web_view=true
