Cyber Security Weekly Briefing May 15-20

May 21, 2021

​​​​​​​QNAP Security Advisory

QNAP has issued two security advisories to alert its clients about:

  • The detection of recent eCh0raix ransomware attacks targeting its Network Attached Storage (NAS) devices. The firm is urging clients to protect themselves from such attacks immediately by using stronger passwords, enabling IP access protection to prevent brute force attacks, and avoiding the use of default ports 443 and 8080. This alert comes just a few weeks after security researchers already warned about the detection of AgeLocker (aka Qlocker) ransomware attacks against their devices.
  • The active exploitation of a 0-day vulnerability in Roon Server, specifically affecting Roon Labs in Roon Server 2021-02-01 and earlier versions. QNAP recommends disabling Roon Server and not exposing the NAS to the internet to protect against these attacks until a security update is released.

More details: https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/

​​​​​​Bizarro banking trojan extends to Europe

Security researchers have identified new campaigns of the Brazilian banking trojan known as Bizarro in several European countries such as Spain, France, Portugal and Italy. As usual with Brazilian trojans, it is distributed via spam campaigns that force the download of a ZIP file from a compromised website, with infrastructure identified in AWS, WordPress or Azure, both for hosting the initial malicious files and for hosting the C2 files. It is a stealer that collects information about the infected computer, the session, the antivirus used or browser data. Once in the browser, the malware causes the closing of open sessions in digital banking services in the browser to force the user to re-enter credentials in order to capture them. In addition, it has other capabilities typical of this type of trojan such as mouse and keyboard hijacking, resolving two-factor authentication (2FA), logging keystrokes, sending fake system messages, or inducing the installation of malicious applications, among others.

Learn more: https://securelist.com/bizarro-banking-trojan-expands-its-attacks-to-europe/102258/

Four Android vulnerabilities exploited in the wild

Android has updated information regarding four vulnerabilities fixed on 3 May in its May security bulletin. It has specifically changed the information related to their exploitation and claims that they could currently be exploited. Two of the vulnerabilities, identified as CVE-2021-1905 and CVE-2021-1906, affect Qualcomm GPU drivers, while the other two, CVE-2021-28663 and CVE-2021-28664, affect Mali Arm GPU drivers. According to Google's Project Zero team, all four vulnerabilities were being exploited by attackers even before the patches were released and could have been used in targeted attacks.

More info: https://twitter.com/maddiestone/status/139500434699624

​​​​​​​New double encryption trend with multiple ransomware variants

A new trend has recently come to light, which has been analysed by Emsisoft researchers, in which malicious actors are reportedly using multiple ransomware variants to double-encrypt their victims' data, with the aim of complicating possible recovery and increasing the chances of obtaining a ransom. It is worth mentioning that this is not double extortion but double encryption, where the same operators decide to use different ransomware variants in the same attack. In the analysis, we have observed attacks using REvil and Netwalker together, as well as attacks using MedusaLocker together with GlobeImposter. In some cases, a sample was shared through the portal of one group when the encrypted files had been sent through the portal of the other group, so it is even possible that the operators of the different families are working together. It has also been observed that sometimes data is encrypted first with one ransomware and then re-encrypted with the second one, while in others, part of the system is encrypted with one variant and part with another. This new trend is in addition to others observed recently, such as the triple extortion method, which, in addition to encrypting data and threatening to make it public, contacting clients or third parties who may be affected by the attack to ask them for a ransom, with the same objective of increasing financial gain.

All the details: https://blog.emsisoft.com/en/38554/psa-threat-actors-now-double-encrypting-data-with-multiple-ransomware-strains/

STRRAT malware distribution campaign

Microsoft's security team reports the detection of a new mass email distribution campaign of the latest version of the STRRAT malware. The attackers are reportedly making use of previously compromised email accounts to send the messages, which contain an attached image pretending to be a PDF attachment. When clicking on the image to open the supposed document, the image downloads the STRRAT malware. The first detections of this family date back to 2020. It is a malware programmed in Java and has a diverse range of functionalities, from stealing credentials from different email clients, logging keystrokes, executing arbitrary commands, or the ability to install the open-source tool RDWrap to gain remote access via RDP sessions, among others. It is also worth mentioning the "rw-encrypt" function, which only adds the extension “. crimson" to the files, without modifying their content. In other words, the user could think that the files are encrypted, as happens in ransomware attacks, since the extension has been changed to “. crimson" and the user cannot open them; however, it would be enough to restore the original extension to be able to recover the information. Microsoft has published advanced search queries to facilitate the identification of indicators and malicious behavior related to STRRAT.

More: https://twitter.com/MsftSecIntel/status/1395138347601854465