Cybersecurity News: LokiLocker Ransomware, Instagram Phishing Attack and New CISA Warnings


CISA adds 15 known exploited vulnerabilities to its catalog, and BlackBerry researchers warn of a new ransomware-as-a-service family.

BlackBerry security researchers have identified a new family of ransomware as a service that targets Windows systems. Picture: BlackBerry

There’s never a dull moment in the world of cybersecurity, but this week has been busier than most. In addition to dealing with threats designed to take advantage of the war in Ukraine, businesses and governments face new attacks from new and existing vulnerabilities on many fronts. Security researchers and the Cybersecurity and Infrastructure Security Agency (CISA) shared new information about these threats this week. Here is a recap and recommendations on how to defend against these attacks.

The list of known exploited vulnerabilities grows

CISA added 15 new vulnerabilities to its catalog of known exploited vulnerabilities this week to draw attention to vulnerabilities that bad actors are actively exploiting. These vulnerabilities are a frequent attack vector for malicious cyber attackers and pose a significant risk to governments and private businesses.

Greg Fitzgerald, co-founder of Sevco Security, said it’s encouraging to see the government update the list, but these changes won’t protect against exploits within IT assets they’ve abandoned or forgotten about.

“Most enterprises have IT asset inventories that do not reflect their entire attack surface, which in modern enterprises extends beyond the network to include the cloud, personal devices, workers remotely as well as anything onsite,” he said. “Until organizations can start working from a complete and accurate inventory of IT assets, attackers will still be able to find a way in.”


The new risks are:

  • SonicWall SonicOS Buffer Overflow Vulnerability
  • Microsoft Windows UPnP Service Privilege Escalation Vulnerability
  • Microsoft Windows Privilege Escalation Vulnerability
  • Microsoft Windows Error Reporting Manager Privilege Escalation Vulnerability
  • Microsoft Windows AppX Deployment Server Privilege Escalation Vulnerability
  • Microsoft Windows AppXSVC Privilege Escalation Vulnerability
  • Microsoft Task Scheduler Privilege Escalation Vulnerability
  • Microsoft Windows AppXSVC Privilege Escalation Vulnerability
  • Microsoft Windows AppXSVC Privilege Escalation Vulnerability
  • Microsoft Windows Privilege Escalation Vulnerability
  • Microsoft Win32k Privilege Escalation Vulnerability
  • Microsoft Windows Transaction Manager Privilege Escalation Vulnerability
  • Microsoft Windows Kernel Privilege Escalation Vulnerability
  • Microsoft Win32k Memory Corruption Vulnerability
  • Microsoft Win32k Privilege Escalation Vulnerability

CISA has an email newsletter that announces new additions to the list.
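The catalog is only useful if it is checked against an inventory that actually covers every asset, which is the gap Fitzgerald describes above. The following is an added example, not code from CISA or from anyone quoted in this article: it cross-references KEV entries with an asset list and separately flags inventory rows nobody has seen in a while. The live catalog is published as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; so that the script runs offline, it embeds a constructed excerpt using the feed's field names, with placeholder CVE IDs rather than real identifiers. The `PRODUCT_ALIASES` map and the `INVENTORY` records are assumptions made for the example.

```python
"""Cross-reference CISA's Known Exploited Vulnerabilities (KEV) catalog with
an IT asset inventory and flag inventory entries that have gone stale.

The live catalog is served as JSON from
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
To keep this runnable offline, KEV_SAMPLE is a constructed excerpt that uses the
feed's field names (cveID, vendorProject, product, vulnerabilityName, dateAdded,
dueDate). The CVE IDs in it are placeholders, not real identifiers."""
import json
from datetime import date, timedelta

KEV_SAMPLE = json.dumps({
    "title": "Constructed KEV excerpt for this example",
    "vulnerabilities": [
        {"cveID": "CVE-PLACEHOLDER-0001", "vendorProject": "SonicWall", "product": "SonicOS",
         "vulnerabilityName": "SonicWall SonicOS Buffer Overflow Vulnerability",
         "dateAdded": "2022-03-15", "dueDate": "2022-04-05"},
        {"cveID": "CVE-PLACEHOLDER-0002", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows UPnP Service Privilege Escalation Vulnerability",
         "dateAdded": "2022-03-15", "dueDate": "2022-04-05"},
        {"cveID": "CVE-PLACEHOLDER-0003", "vendorProject": "Microsoft", "product": "Win32k",
         "vulnerabilityName": "Microsoft Win32k Privilege Escalation Vulnerability",
         "dateAdded": "2022-03-15", "dueDate": "2022-04-05"},
    ],
})

# Constructed inventory. The entry nobody remembers (ws-lab-legacy) is still a
# host that KEV entries apply to, which is exactly the "forgotten asset" problem.
INVENTORY = [
    {"host": "fw-edge-01",    "vendor": "SonicWall", "product": "SonicOS",  "last_seen": "2022-03-16"},
    {"host": "ws-finance-07", "vendor": "Microsoft", "product": "Windows",  "last_seen": "2022-03-16"},
    {"host": "ws-lab-legacy", "vendor": "Microsoft", "product": "Windows",  "last_seen": "2021-11-02"},
    {"host": "db-01",         "vendor": "Oracle",    "product": "Database", "last_seen": "2022-03-16"},
]

# KEV product names are not normalised: Windows kernel components can appear
# under their own product name. This alias map (an assumption of this example)
# folds such component names back onto the platform an inventory would list.
PRODUCT_ALIASES = {"win32k": "windows"}


def _key(name):
    return name.strip().lower()


def _product_key(name):
    k = _key(name)
    return PRODUCT_ALIASES.get(k, k)


def load_kev(raw_json):
    """Return the list of vulnerability records from a KEV JSON document."""
    return json.loads(raw_json)["vulnerabilities"]


def match_kev_to_inventory(kev, inventory):
    """Pair every inventory host with each KEV entry for its vendor/product."""
    findings = []
    for asset in inventory:
        for vuln in kev:
            if (_key(vuln["vendorProject"]) == _key(asset["vendor"])
                    and _product_key(vuln["product"]) == _product_key(asset["product"])):
                findings.append({"host": asset["host"], "cveID": vuln["cveID"],
                                 "name": vuln["vulnerabilityName"], "dueDate": vuln["dueDate"]})
    # Earliest remediation deadline first, then by host for a stable report.
    return sorted(findings, key=lambda f: (f["dueDate"], f["host"]))


def stale_assets(inventory, today, max_age_days=30):
    """Hosts not seen by inventory tooling within max_age_days of `today` (ISO date string)."""
    cutoff = date.fromisoformat(today) - timedelta(days=max_age_days)
    return sorted(a["host"] for a in inventory if date.fromisoformat(a["last_seen"]) < cutoff)


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    for f in match_kev_to_inventory(kev, INVENTORY):
        print(f"{f['host']:15} {f['cveID']:22} due {f['dueDate']}  {f['name']}")
    print("stale inventory entries:", stale_assets(INVENTORY, "2022-03-17"))
```

Two things the output makes visible: the legacy workstation inherits the same two Microsoft findings as the maintained one, so a list built from "hosts we patch regularly" would have missed it, and the Win32k entries only attach to Windows hosts at all because of the alias map, so a naive vendor/product string match undercounts exposure.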

Malicious actors use misconfigured MFA to steal files

CISA also warned this week of an exploit that takes advantage of default MFA protocols and a known vulnerability. The agency reported that Russian state-sponsored hackers used a misconfigured account in May 2021 at a non-governmental organization to enroll a new device for MFA and gain access to the group’s network. The next step was to use the PrintNightmare vulnerability to execute arbitrary code with system privileges. This vulnerability exploits a critical weakness in the Windows Print Spooler. The criminals used Cisco’s Duo MFA to access the NGO’s cloud and email accounts to steal documents.

Garret Grajek, CEO of YouAttest, said this attack shows that MFA is not the cure for identity exposure issues.

“It shows that the flaw is not in the MFA itself, but in the practices and procedures surrounding the deployment,” Grajek said. “That’s why the cyberworld is pushing for new ideas and practices like stronger identity governance, knowing who has what devices, monitoring identity changes, and zero trust.”

YouAttest is an access review engine designed to provide governance and auditing functionality for Okta deployments.

Rajiv Pimplaskar, CEO of Dispersive Holdings, said typical VPNs or Zero Trust network access solutions stop at the network level and are unable to withstand a targeted onslaught from nation-state actors who can penetrate the network protocol stack with advanced attacks.

“Companies and governments should look to advanced cyber defense techniques such as managed attribution and distributed VPNs with data payload dispersal to present a much tougher target to bad actors,” Pimplaskar said.

Dispersive provides a private and secure virtual network for cloud, branch offices, mobile devices and embedded IoT that distributes data across multiple streams.

CISA recommends that organizations take these steps to prevent this type of attack:

  • Enforce MFA and review configuration policies to protect against failed login and re-enrollment scenarios.
  • Ensure that inactive accounts are consistently disabled across Active Directory and MFA systems.
  • Patch all systems and prioritize patches for known exploited vulnerabilities.
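The second recommendation is the one that would have closed the hole described above: the account the attackers re-enrolled was dormant but had never been disabled, so the MFA system still accepted a new device for it. The following is an added example, not code from CISA or from any of the vendors quoted here. It audits a directory export against an MFA provider's event log and raises an alert when a device enrollment lands on an account that is dormant, disabled, or unknown to the directory. All records are constructed, and the record layout (`sam`/`enabled`/`last_logon` for the directory, `key=value` log lines for the MFA side) is an assumption of the example rather than any vendor's real export format.

```python
"""Audit a directory export against an MFA provider's event log for the
pattern in CISA's advisory: an account that is dormant but was never
disabled, on which a new MFA device is suddenly enrolled.

All records below are constructed. The field layout (sam/enabled/last_logon
for the directory, key=value lines for the MFA log) is an assumption of this
example, not any vendor's actual export format."""
from datetime import datetime, timedelta

NOW = datetime(2022, 3, 16)   # fixed "current time" so the sample is reproducible
DORMANT_DAYS = 90             # policy threshold; use whatever your environment mandates

AD_ACCOUNTS = [  # constructed directory export
    {"sam": "jdoe",        "enabled": True,  "last_logon": "2022-03-10T08:12:00"},
    {"sam": "contractor9", "enabled": True,  "last_logon": "2021-05-02T17:40:00"},  # left enabled after departure
    {"sam": "oldadmin",    "enabled": False, "last_logon": "2020-12-01T09:00:00"},
    {"sam": "msmith",      "enabled": True,  "last_logon": "2022-03-14T11:05:00"},
]

MFA_EVENTS = [  # constructed MFA provider log, one event per line
    "2022-03-14T11:06:31 user=msmith event=auth_success device=phone-1",
    "2022-03-15T02:17:09 user=contractor9 event=device_enrolled device=phone-9",
    "2022-03-15T02:18:44 user=contractor9 event=auth_success device=phone-9",
    "2022-03-15T03:01:00 user=ghost event=device_enrolled device=phone-2",
]


def parse_event(line):
    """Split '<iso timestamp> key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def _is_dormant(account, now, dormant_days):
    return datetime.fromisoformat(account["last_logon"]) < now - timedelta(days=dormant_days)


def dormant_enabled_accounts(accounts, now=NOW, dormant_days=DORMANT_DAYS):
    """Accounts that CISA's second recommendation says should already be disabled."""
    return sorted(a["sam"] for a in accounts if a["enabled"] and _is_dormant(a, now, dormant_days))


def suspicious_enrollments(accounts, events, now=NOW, dormant_days=DORMANT_DAYS):
    """MFA device enrollments that the directory state says should not be happening."""
    by_name = {a["sam"]: a for a in accounts}
    alerts = []
    for ev in map(parse_event, events):
        if ev.get("event") != "device_enrolled":
            continue
        account = by_name.get(ev["user"])
        if account is None:
            reason = "no matching directory account"
        elif not account["enabled"]:
            reason = "account is disabled in the directory"
        elif _is_dormant(account, now, dormant_days):
            reason = f"dormant account, no logon since {account['last_logon']}"
        else:
            continue  # an active user adding a device is routine
        alerts.append({"user": ev["user"], "device": ev["device"],
                       "ts": ev["ts"].isoformat(), "reason": reason})
    return alerts


if __name__ == "__main__":
    print("dormant but still enabled:", dormant_enabled_accounts(AD_ACCOUNTS))
    for alert in suspicious_enrollments(AD_ACCOUNTS, MFA_EVENTS):
        print(f"ALERT {alert['ts']} {alert['user']} enrolled {alert['device']}: {alert['reason']}")
```

The first function is the preventive control (a list of accounts to disable now, which also removes them as MFA re-enrollment targets); the second is the detective control for the case where that cleanup has not happened yet. Keeping the directory and the MFA provider in sync, as the recommendation says, is what makes the "no matching directory account" branch meaningful: an enrollment the directory cannot explain is worth a look regardless of which side drifted.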

BlackBerry announces new ransomware family

BlackBerry confirmed this week that LokiLocker has been detected in enterprise environments and has traced the start of the ransomware to trojanized brute-checker hacking tools for popular consumer services. This is a new ransomware-as-a-service family that includes a false flag tactic. BlackBerry researchers report that the new attack vector targets English speakers and Windows machines. The malware is written in .NET and protected with NET Guard plus an additional virtualization plugin called KoiVM, according to the BlackBerry report.

This ransomware was originally distributed in brute-checker hacking tools including PayPal BruteChecker, Spotify BruteChecker, PiaVPN Brute Checker by ACTEAM and FPSN Checker by Angeal. The software encrypts files and includes an optional “delete feature” that automatically deletes files if the target does not pay the ransom before the deadline. BlackBerry researchers believe that LokiLocker is distributed by around 30 affiliates, including some associated with Iranian hackers.

Armorblox describes IG phishing attacks

Security experts have long warned that using work credentials for personal accounts is a bad idea. Armorblox described a new attack this week that preys on people who make this mistake. The threat is an email purportedly sent by Instagram support, notifying the recipient that they have been reported for violating copyright laws. The sender warns that the recipient has only 24 hours to respond.

Recipients who click on links in the email land on a page designed to collect login credentials. Armorblox researchers note that the bad actor methodically used Meta and Instagram logos and branding to make the malicious page look real. The attack targeted a major life insurance company in the United States, according to the Armorblox blog post.

Armorblox specializes in defending against business email compromise.
