Security News: February 2022

The numerous law enforcement operations leading to the arrests and takedown of ransomware operations in 2021 have forced threat actors to narrow their targeting scope and maximize the efficiency of their operations. Most of the notorious Ransomware-as-a-Service gangs continue their operations even after the law enforcement authorities have arrested key members but have refined their tactics for maximum impact.

February 2022 Patch Tuesday forecast: A rough start for 2022. January 2022 Patch Tuesday was a rough one for Microsoft - and us.

Samba bug may allow code execution as root on Linux machines, NAS devices. A critical vulnerability in Samba, a widely used open source implementation of the Server Message Block networking protocol, could allow attackers to execute arbitrary code as root on affected Samba installations.

The Black Cat ransomware gang, also known as ALPHV, has confirmed they are former members of the notorious BlackMatter/DarkSide ransomware operation. While the ransomware gang calls themselves ALPHV, security researcher MalwareHunterTeam named the ransomware BlackCat after the image of a black cat used on every victim's Tor payment page.

The U.S. Cybersecurity and Infrastructure Security Agency on Thursday published an Industrial Control Systems Advisory warning of multiple vulnerabilities in Airspan Networks Mimosa equipment that could be abused to gain remote code execution, create a denial-of-service condition, and obtain sensitive information. "Successful exploitation of these vulnerabilities could allow an attacker to gain user data and other sensitive data, compromise Mimosa's AWS cloud EC2 instance and S3 Buckets, and execute unauthorized remote code on all cloud-connected Mimosa devices," CISA said in the alert.

A now-patched security vulnerability in Apple iOS that was previously found to be exploited by the Israeli company NSO Group was also separately weaponized by a different surveillance vendor, QuaDream, to break into Apple devices. The zero-click exploit in question is FORCEDENTRY, a flaw in iMessage that could be leveraged to circumvent iOS security protections and install spyware that allowed attackers to scoop up a wealth of information such as contacts, emails, files, messages, and photos, as well as gain access to the phone's camera and microphone.

What is an incident in the world of cybersecurity? NIST provides the following definition: "A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices." Examples of cybersecurity incidents are a phishing attempt, a brute-force attack against a service the company runs, and a compromise of a server. Computer Security Incident Response Teams (CSIRTs) also vary a lot in their staffing, from the smallest structures made up of a couple of people, some of them only involved part-time, to structures made up of dozens of employees with the capability to deal with incidents 24/7.

The 6 steps to successful security incident handling.

Later this year, Microsoft is planning to launch the first big update for Windows 11. The update is reportedly codenamed "Sun Valley 2," and it is expected to ship with a new Task Manager, improvements to Start Menu and Taskbar, and more.

The Federal Bureau of Investigation has released technical details and indicators of compromise associated with LockBit ransomware attacks in a new flash alert published this Friday. Two years later, in June 2021, LockBit announced the LockBit 2.0 RaaS on its data leak site after ransomware actors were banned from posting on cybercrime forums [1, 2]. With the relaunch, the ransomware gang redesigned its Tor sites and overhauled the malware, adding more advanced features, including the automatic encryption of devices across Windows domains via Active Directory group policies.

Critical infrastructure suffered ransomware attacks, with threat actors targeting an oil and petrol distributor and oil terminals in major ports in separate attacks. The oil terminals in those ports disclosed that they too had suffered ransomware attacks.

Microsoft has disabled the MSIX ms-appinstaller protocol handler exploited in malware attacks to install malicious apps directly from a website via a Windows AppX Installer spoofing vulnerability. The likely reason for disabling the protocol altogether is to protect all Windows customers, including those who haven't yet installed the December security updates or applied the workarounds.