Ransomware Gangs Exploiting Windows Print Spooler Vulnerabilities
Ransomware operators such as Magniber and Vice Society are actively exploiting vulnerabilities in Windows Print Spooler to compromise victims and spread laterally across a victim’s network to deploy file-encrypting payloads on targeted systems.
While Magniber ransomware was first spotted in late 2017 singling out victims in South Korea through malvertising campaigns, Vice Society is a new entrant that emerged on the ransomware landscape in mid-2021, primarily targeting public school districts and other educational institutions.
CrowdStrike noted it was able to successfully prevent attempts made by the Magniber ransomware gang at exploiting the PrintNightmare vulnerability.
Vice Society, on the other hand, leveraged a variety of techniques to conduct post-compromise discovery and reconnaissance prior to bypassing native Windows protections for credential theft and privilege escalation.
Specifically, the attacker is believed to have used a malicious library associated with the PrintNightmare flaw to pivot to multiple systems across the environment and extract credentials from the victim.
"Adversaries are constantly refining their approach to the ransomware attack lifecycle as they strive to operate more effectively, efficiently, and evasively," the researchers said.
Hackers Actively Searching for Unpatched Microsoft Exchange Servers
Threat actors are opportunistically scanning for and exploiting on-premises Exchange servers with a new exploit chain that strings together three flaws. This makes them the latest set of Exchange bugs to be abused at scale after the ProxyLogon vulnerabilities were exploited en masse at the start of the year.
The remote code execution flaws have been collectively dubbed "ProxyShell." At least 30,000 machines are affected by the vulnerabilities, according to a Shodan scan performed by Jan Kopriva of SANS Internet Storm Center.
"Started to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities," NCC Group's Richard Warren tweeted, noting that one of the intrusions resulted in the deployment of a "C# aspx webshell in the /aspnet_client/ directory".
The vulnerabilities came to light after Microsoft spilled the beans on a Beijing-sponsored hacking operation that leveraged the weaknesses to strike entities in the U.S. for purposes of exfiltrating information in what the company described as limited and targeted attacks.
Since then, the Windows maker has fixed six more flaws in its mail server component, two of which are collectively known as ProxyOracle and enable an adversary to recover a user's password in plaintext.
Originally demonstrated at the Pwn2Own hacking competition this April, technical details of the ProxyShell attack chain were disclosed by DEVCORE researcher Orange Tsai at the Black Hat USA 2021 and DEF CON security conferences last week.
Why Is There A Surge In Ransomware Attacks?
The U.S. is presently combating two pandemics — coronavirus and ransomware attacks. Both have partially shut down parts of the economy.
A few years back, cybercriminals played psychological games before getting bank passwords and using their technical know-how to steal money from people’s accounts.
Are cyber attacks getting a higher profile, or are they actually rising?
The answer to both questions is yes. Ransomware is becoming more common because it is straightforward to execute. Hackers use software to probe for security holes, or they trick network users with phishing tactics such as sending malware that appears to come from a trusted source.
Impact of ransomware on business
We already know how ransomware can have devastating effects on businesses, large or small. But it pays to be reminded time and again because even enterprises can become victims. Cybercriminals continue to exploit vulnerabilities in network security systems.
Preventing ransomware infection
Working with a cybersecurity firm that provides the best security system that fits a business’ current and future needs is one of your primary options.
Staying vigilant is another way to thwart infection. If your systems are slowing down for no apparent reason, disconnect them from the internet and shut them down.
Ransomware attacks are rampant, due to their ease and profitability.
Hackers Spotted Using Morse Code in Phishing Attacks to Evade Detection
Microsoft has disclosed details of an evasive year-long social engineering campaign wherein the operators kept changing their obfuscation and encryption mechanisms every 37 days on average, including relying on Morse code, in an attempt to cover their tracks and surreptitiously harvest user credentials.
Microsoft likened the attachment to a «jigsaw puzzle,» noting that individual parts of the HTML file are designed to appear innocuous and slip past endpoint security software, only to reveal its true colors when these segments are decoded and assembled together. The company did not identify the hackers behind the operation.
The campaign is said to have undergone 10 iterations since its discovery in July 2020, with the adversary periodically switching up its encoding methods to mask the malicious nature of the HTML attachment and the different attack segments contained within the file.
Stay Focused. Stay Vigilant.
Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT