Security News > 2022 > April

REvil ransomware's servers in the TOR network are back up after months of inactivity and redirect to a new operation that appears to have started since at least mid-December last year. It is unclear who is behind the new REvil-connected operation but the new leak site lists a large catalog of victims from past REvil attacks plus two new ones.

A Hive ransomware affiliate has been targeting Microsoft Exchange servers vulnerable to ProxyShell security issues to deploy various backdoors, including Cobalt Strike beacon. From there, the threat actors perform network reconnaissance, steal admin account credentials, exfiltrate valuable data, ultimately deploying the file-encrypting payload. The details come from security and analytics company Varonis, who was called in to investigate a ransomware attack on one of its customers.

Java versions 15 to 18 contain a flaw in its ECDSA signature validation that makes it trivial for miscreants to digitally sign files and other data as if they were legit organizations. Java 15-18 ECDSA doesn't sanity check that the random x coordinate and signature proof are nonzero; a signature validates any message.

Google Project Zero called 2021 a "Record year for in-the-wild 0-days," as 58 security vulnerabilities were detected and disclosed during the course of the year. "The large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits," Google Project Zero security researcher Maddie Stone said.

Identity and access management provider Okta on Tuesday said it concluded its probe into the breach of a third-party vendor in late January 2022 by the LAPSUS$ extortionist gang. Stating that the "Impact of the incident was significantly less than the maximum potential impact" the company had previously shared last month, Okta said the intrusion impacted only two customer tenants, down from 366 as was initially assumed.

The US Federal Bureau of Investigation warned Food and Agriculture sector organizations today of an increased risk that ransomware gangs "May be more likely" to attack them during the harvest and planting seasons. While ransomware groups regularly target the US agriculture sector, the FBI noted that the number of attacks against such entities during such critical seasons stands out.

We're focusing on just one of those Java bugs, officially known as CVE-2022-21449, but jokingly dubbed the Psychic Signatures in Java bug by researcher Neil Madden, who uncovered it and disclosed it responsibly to Oracle in November 2021. According to Madden, these vital preliminary checks were accidentally omitted back in the era of Java 15, when the C++ cryptographic code in the official Java runtime was rewritten in Java itself.

"Given recent intelligence indicating that the Russian government is exploring options for potential cyberattacks against U.S. critical infrastructure, CISA along with our interagency and international partners are putting out this advisory to highlight the demonstrated threat and capability of Russian state-sponsored and Russian aligned cybercrime groups," added CISA Director Jen Easterly. The Five Eyes cybersecurity agencies recommends measures critical infrastructure orgs should take to harden their defenses and protect their information technology and operational technology networks against Russian state-sponsored and criminal cyber threats, including ransomware, destructive malware, DDoS attacks, and cyber espionage.

Identity and access management firm Okta says an investigation into the January Lapsus$ breach concluded the incident's impact was significantly smaller than expected. Okta admitted last month it made a mistake delaying the disclosure of a January breach from the Lapsus$ data extortion group, an error caused by the company not being aware of the extent of the incident and its impact on customers.

On overwhelming number of security teams believe their email security systems to be ineffective against the most serious inbound threats, including ransomware. "Security team managers are most concerned that current email security solutions do not block serious inbound threats, which requires time for response and remediation by the security team before dangerous threats are triggered by users," according to the report, released Wednesday.