Cyber Security News — Past 24 hours | 27.05.2021
JSWorm: A Notorious Ransomware
The ransomware threat environment has been shifting over the last few years. Following the major ransomware outbreaks of 2017, such as WannaCry, NotPetya, and Bad Rabbit, many ransomware actors have switched to the covert yet lucrative strategy of "big-game hunting." News of ransomware causing a service interruption at a multinational enterprise has become commonplace.
Since the discovery of JSWorm ransomware in 2019, numerous variants have gained popularity under various names such as Nemty, Nefilim, Offwhite, and others. JSWorm is typically transmitted via spam email attachments.
The malware also leaves a ransom note, JSWORM-DECRYPT.html, instructing victims to contact criminals via the NIGER1253@COCK.LI email address if they want their data back. Since JSWorm belongs to a well-known ransomware family, it’s possible that the encryption will be permanent.
Although JSWorm ransomware does not encrypt system files, it does modify the system in other ways. The public RaaS offering was closed in the first half of 2020, and the operators turned to big-game hunting. Initial intrusions were achieved through vulnerable server-side applications and insecure RDP access.
Files are encrypted with a 256-bit key using a custom modification of the Blowfish cipher.
Newly Discovered Bugs in VSCode Extensions Could Lead to Supply Chain Attacks
Severe security flaws uncovered in popular Visual Studio Code extensions could enable attackers to compromise local machines as well as build and deployment systems through a developer's integrated development environment.
The vulnerable extensions could be exploited to run arbitrary code on a developer’s system remotely, in what could ultimately pave the way for supply chain attacks.
VS Code is used by 14 million active users, making it a huge attack surface.
The attack scenarios devised by Snyk rely on the possibility that installed extensions could be abused as a vector for supply chain attacks: weaknesses in the plugins are exploited to break into a developer's system. Among the findings, an extension named Rainbow Fart was found to have a zip slip vulnerability, which allows an adversary to overwrite arbitrary files on a victim's machine and gain remote code execution. In the attack formulated by the researchers, a specially crafted ZIP file was sent to an "import-voice-package" endpoint used by the plugin and written to a location outside the working directory of the extension.
Multiple Bluetooth Vulnerabilities Allowed Spoofing Legit Devices — Update Now
Carnegie Mellon University has recently shared an advisory highlighting some newly discovered Bluetooth security bugs. As revealed, these vulnerabilities in Bluetooth technology could allow MITM attacks. In brief, researchers from the Agence nationale de la sécurité des systèmes d'information found as many as six different vulnerabilities in Bluetooth. The bugs affect the Bluetooth Core Specification and the Mesh Profile Specification.
Upon discovering the bugs, the researchers informed the relevant vendors, particularly the affected ones. According to the advisory, vendors with vulnerable devices include Android Open Source Project, Cisco, Cradlepoint, Intel, Microchip Technology, RedHat, and Sierra Wireless. Prominent vendors that remained unaffected include F5 Networks Inc., Check Point, McAfee, VMware, Zyxel, and others. The advisory also lists many vendors for which the impact remains unknown. Users should make sure to install the latest updates from their vendors so that they receive the patches as they are released.
M1RACLES, the unpatchable bug that impacts new Apple M1 chips
Software engineer Hector Martin from Asahi Linux has discovered a vulnerability in the new Apple M1 chips, tracked as CVE-2021-30747, that was named M1RACLES.
The expert pointed out that the issue can only be fixed with a redesign of the circuits, but the good news is that the severity of the vulnerability is very low and doesn’t pose a major security risk because there are other side channels to leak data.
The flaw stems from the fact that the Arm system register encoded as s3_5_c15_c10_1 contains two bits that can be read and written at EL0 from all cores simultaneously.
"Honestly, I would expect advertising companies to try to abuse this kind of thing for cross-app tracking, more than criminals. Apple could catch them if they tried, though, for App Store apps." continues the report.
Martin reported the issue to Apple, but at the time of this writing, it is not clear if they plan to review the design of the M1 chips to fix it.
Stay Focused. Stay Vigilant.
Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT