Microsoft has fixed a critical remote code execution vulnerability, tracked as CVE-2021-40444. The flaw was exploited by attackers beginning on August 18th, 2021. Although only ten exploits of this flaw have been seen to date, more are likely.
Every exploit of this flaw found so far has used a maliciously crafted Word document, and all of them led to the installation of Cobalt Strike Beacon loaders.
One of the targeted networks contained beacons that could communicate with infrastructure used in various cybercrime campaigns, including human-operated ransomware.
Two other attacks identified so far delivered BazaLoader and Trickbot payloads. Microsoft observed a large spike in exploitation attempts from multiple threat actors, including some affiliated with ransomware-as-a-service operations.
Microsoft will continue to monitor the situation, but the bottom line is that this flaw has been fixed. Security researchers independently confirmed that the exploit no longer works after the September 2021 security patch is applied.
Hackers around the world are constantly looking for weaknesses in systems to exploit. If your systems are exposed, so is your business, and the sooner you address that risk the better. Integrated Technology Systems can lower your risk with a complete system analysis.
Microsoft also offers a workaround if you are unable or unwilling to apply the patch: disabling ActiveX controls through group policy, and disabling document preview in Windows Explorer. Microsoft deserves praise for its quick response and for providing a solution for those who cannot patch immediately.
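The following PowerShell is an added example, not code from the original post or from Microsoft; it audits, and optionally applies, the ActiveX half of that workaround, the way an administrator would check a fleet before relying on the mitigation. It assumes the per-zone policy path under HKLM and the value names 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls) with data 3 (disable) as given in Microsoft's published guidance for this CVE, and that it runs in an elevated session. The Explorer preview-pane part of the workaround is not covered here.

```powershell
# Added example (not from the original post): audit, and optionally apply, the
# "disable ActiveX controls in Internet Explorer zones" workaround Microsoft
# published for CVE-2021-40444. Assumed from Microsoft's guidance: policy path
# below, values 1001 (signed ActiveX download) and 1004 (unsigned ActiveX
# download), data 3 = Disable, applied to zones 0 through 3. Run elevated.

$ZonesBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveXValues = @{ '1001' = 3; '1004' = 3 }

function Get-ActiveXZoneStatus {
    # One row per zone (0 = My Computer ... 3 = Internet) and per value name.
    # Mitigated is $true only when the policy value exists and is set to 3.
    foreach ($zone in 0..3) {
        $path = Join-Path $ZonesBase "$zone"
        foreach ($name in $ActiveXValues.Keys) {
            $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
            $current = if ($item) { $item.$name } else { $null }
            [pscustomobject]@{
                Zone      = $zone
                ValueName = $name
                Current   = $current
                Mitigated = ($current -eq 3)
            }
        }
    }
}

function Set-ActiveXZoneMitigation {
    # Creates the per-zone policy keys if they are missing and forces both
    # values to 3 (Disable). Deleting the values later reverts the change.
    foreach ($zone in 0..3) {
        $path = Join-Path $ZonesBase "$zone"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $ActiveXValues.Keys) {
            New-ItemProperty -Path $path -Name $name -PropertyType DWord `
                -Value $ActiveXValues[$name] -Force | Out-Null
        }
    }
}

# Audit only by default; set $Apply = $true to enforce the workaround.
$Apply = $false
if ($Apply) { Set-ActiveXZoneMitigation }

$status = @(Get-ActiveXZoneStatus)
$status | Format-Table -AutoSize
$unmitigated = @($status | Where-Object { -not $_.Mitigated })
if ($unmitigated.Count -gt 0) {
    Write-Warning "ActiveX download still allowed for $($unmitigated.Count) zone/value pair(s)."
} else {
    Write-Output 'ActiveX download is disabled in zones 0-3 (workaround in place).'
}
```

Because these are policy keys under HKLM, the same values can be pushed with group policy preferences or a .reg file; the audit function is the useful part once the patch is deployed, since it tells you which hosts still carry the workaround and can have it reverted.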
Hackers behind REvil Ransomware Are Back Online
After successfully attacking Kaseya, the ransomware developers behind REvil went dark. Their "Happy Blog" mysteriously went offline.
It is not known whether the group went into hiding to avoid international condemnation of the attack, or whether law enforcement agencies took action. At this point, not all the facts are known.
Many blame President Biden for Putin's silence following their conversation. Biden asked Putin about ransomware attacks that originated from Russian soil.
Kaseya is a global IT solutions company headquartered in Ireland. Over a thousand small to medium-sized businesses that Kaseya supports were affected by the REvil attack. The pressure that temporarily took the hacking group offline seems to have subsided, and the group is back: Emsisoft and Recorded Future both confirmed that most of its infrastructure has been restored to working order.
Ransomware expert Allan Liska had these words of praise for the group:
They had to let law enforcement cool down. They don't have the infrastructure necessary to support researchers and law enforcement. They will be in trouble with all law enforcement agencies around the globe, except Russia.
I also want to mention that I have checked all code repositories, such as Malware Bazaar or VirusTotal and found no new samples. I doubt they have launched any new ransomware attacks.
BlackFog CEO Darren Williams said he was not surprised by the group's reemergence. REvil is the most well-known ransomware variant of 2021, and given the demand for it from hackers around the world, it would have been almost impossible to keep the group offline.
REvil is back, and it is only a matter of days before REvil attacks begin anew.
We read about a new ransomware attack almost every day. Do you lose sleep at night thinking about your company and wondering whether you could be next? Integrated Technology Systems can give you back your peace of mind. Call us today for a complete assessment of your network.