News Roundup for July 2021


Well, that is it. We have survived the first half of 2021. If this were a movie, this is where the halfway cut scene would be.

We have now had our new website up and running for a month and we are continuing to develop it. Release R.006 went live over the weekend with the first release of some of our tools.

What is in R.006?

Well, we have our breach search function available, for free. If you want to check whether your email address or your domain name has been listed in any data breaches of user names and passwords, then the breach search is a simple way to find out quickly.

Secure is back online after a few weeks of downtime. What happened? During routine testing we identified a previously unknown vulnerability in a very common PHP library. It was serious enough that, after two weeks of solid work by our CEO, we had a zero-day exploit that gave remote code execution. The creators of the library were informed and, while we await their response, we migrated to a new, fresher platform. No more WordPress for us.

Cyber Security News

Welcome to the Cyber Security News roundup. Here are some of the more important "cyber" things that have happened this month that could affect you.

ChaChi, It's not Tea

The newly dubbed "ChaChi" RAT (named after two of its components, Chashell and Chisel) is active against educational and healthcare organisations within the UK. It is being distributed as a "drive-by" download and in phishing campaigns.

ChaChi is a powerful tool in the hands of malicious actors who are targeting industries notoriously susceptible to cyberattacks. It provides remote access into targeted organisations and is used for the initial phases of ransomware attacks and for maintaining continued access.

Risk Register:

Probability: Rare (1/5) in general business. Probable (4/5) in education and health.

Impact: Major (4/5)

Action: Ensure all endpoints have up-to-date protection enabled. Advise users to be wary of phishing attacks and not to click unknown or unexpected links. Ensure offline backups are run at least weekly.


Microsoft Support Agent Hack

The SolarWinds team have not stopped. They are back. This time they have been busy accessing businesses worldwide through a broader phishing campaign that netted them a support agent at Microsoft and provided access to multiple organisations.

Customers whose account information the intruder retrieved have been alerted. Microsoft stated: "A sophisticated nation-state associated actor that Microsoft identifies as NOBELIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions."

Risk Register:

Probability: Rare (1/5)

Impact: Major (4/5)

Action: Continual monitoring of the traffic in and out of the network, especially ports carrying SSL-encrypted traffic and support tools. Look to block traffic to and from countries from which you would not expect to see connections.


Microsoft shoves out malware.

A bit of a clickbaity title, but it's true. On Friday 25th, Microsoft admitted it had signed malicious third-party driver code that was submitted for certification through its Windows Hardware Compatibility Program.

The driver in question targeted computer game players in China. I can almost hear the tin foil brigade getting out their pens already. The malware distributed was rootkit-grade software. Once installed on a Windows PC, it circumvents region-based restrictions and snoops on players to steal account credentials. It is a remote keylogger/key monitor.

Microsoft said that at some point it would share additional details about how it is "refining our partner access policies, validation and the signing process to enhance our protections further."

Peter says: "It is challenging to defend against this type of attack because, in some places, you have to trust the software writers. It would be near impossible to review and security test Windows updates and drivers independently."

Risk Register:

Probability: Possible (3/5)

Impact: Major (4/5)

Action: Continual monitoring of the traffic in and out of the network, especially ports carrying SSL-encrypted traffic. Look to block traffic to and from countries from which you would not expect to see connections.


Dell BIOS flaws

A critical security vulnerability in Dell firmware affects 129 models of Dell consumer and business laptops, desktops and tablets, including devices that use Microsoft's new Secured-core PC protections.

Dell released patches for at least four documented CVEs credited to Eclypsium researchers Mickey Shkatov and Jesse Michael. They found the problems in the BIOSConnect feature within Dell Client BIOS.

The vulnerabilities enable an attacker to remotely execute code in the pre-boot environment. They can alter the initial state of the operating system, which could result in remote access.

Dell confirmed and patched three additional issues identified by Eclypsium, including a buffer overflow bug in Dell BIOSConnect that could allow an authenticated malicious admin user with local access to the system to run arbitrary code and bypass UEFI restrictions.

Risk Register:

Probability: Possible (3/5)

Impact: Major (4/5)

Action: Continual monitoring of the traffic in and out of the network, especially ports carrying SSL-encrypted traffic. Look to block traffic to and from countries from which you would not expect to see connections.


Breaches and More Breaches

McDonald's claims there was no interruption to operations following a data breach, amid a concerning string of cyberattacks aimed at high-profile targets.

"While we were able to close off access quickly after identification, our investigation has determined that a small number of files were accessed by the attackers, some of which contained personal data," McDonald's Corporation said in a press conference.

Their investigation found the attackers accessed customer personal data in Korea and Taiwan. Later findings showed files of US employees were also accessed by the attackers.

Meat-packing giant JBS said earlier this month that it paid a Bitcoin ransom to the hackers who penetrated its systems after it fell victim to a ransomware attack.

Colonial Pipeline CEO Joseph Blount was interviewed by lawmakers about the ransomware attack on his company that led to a multi-day shutdown of a major East Coast fuel pipeline. Colonial Pipeline paid the ransom to the hackers, though the Justice Department later announced it had seized millions back from the criminal group behind the attack.
