Printer Vulnerability CVE-2021-3438, China Attacks Microsoft, Pulse Secure VPN Cyberattack, Pegasus Spyware Compromised, Kaseya Ransomware Decryption Key

1.  A 16-year-old Printer Vulnerability CVE-2021-3438 (CVSS score: 8.8) Impacts Millions of Infrastructures

• A 16-year-old vulnerability was discovered in popular corporate printers that allow hackers to gain administrative rights to perform several activities on systems, including the ability to install rogue programs, view, change, encrypt or wipe data.
• This critical vulnerability is prevalent in HP, Samsung, and Xerox printer software, impacting hundreds of millions of users worldwide.
• According to security experts, the vulnerability is automatically installed with the printer driver software and gets loaded by Windows Operating Systems (WinOS) during each system reboot.

Expert Commentary: While threat actors are yet to exploit this vulnerability in the wild, all affected manufacturers (HP and Xerox) have provided security patches for the said vulnerability. Unfortunately, millions of devices could still be at risk due to inadequate security hygiene that exit, thus causing prolonged time-to-remediate as the average time-to-patch security vulnerabilities in the corporate world is about 90 days. All in all, having a robust patching lifecycle is the perfect remedy against this prolonged vulnerability. Learn More

2.  The U.S. and Its Allies Accuse China of a Major Cyberattack Against Microsoft’s Infrastructure

• In joint official statements, the United States, European Union, United Kingdom, Australia, Canada, New Zealand, Japan, and NATO officially condemned the Chinese Ministry of State Security’s involvement in global malicious cyberattacks.
• The United States and its allies are focused on calling China to order because of their frequent collaboration with state-sponsored advanced persistent threat (APT) actors, especially in cyber-related extortions, crypto-jacking, and other ransomware attacks.
• As the U.S. Department of Justice continues to indict Chinese nationals accused of working with Chinese intelligence agencies to compromise U.S. critical infrastructures, the White House publicly blamed the Chinese government for its official role in facilitating the attack on Microsoft’s Exchange servers earlier this year.

Expert Commentary: Although no sanctions against China have been levied, the U.S. government has shown acute concern about China’s strategic and destabilizing activities in cyberspace. Therefore, issuing a joint public condemnation is the first step to calling out China’s reckless behavior, especially against national security interests worldwide. Furthermore, as organizations continue to combat the effects of frequent ransomware attacks, it is clear that Western world powers will continue to use both diplomatic and military resources to fight systematic cyber-sabotage against critical infrastructures.

Learn More

3. Threat Actors Deploy Concerted Attacks Against Pulse Secure VPN Infrastructures

• According to the Cybersecurity and Infrastructure Security Agency (CISA), threat actors recently released 13 malware against Pulse Secure virtual private network (VPN) infrastructures. CISA security researchers discovered each malware dropping multiple corrupted files on targeted systems to gain initial access via backdoors.
• The corrupted files displayed the ability to circumvent and modify VPN functionalities, harvest credentials, monitor incoming web requests, and execute remote control-and-command (C2) capabilities to achieve privileged access and persistence on a compromised system.
• Although CISA has not officially attributed the dozens of VPN compromises to any attacker, security experts in the private sector have attributed the concerted infrastructure compromise to at least two cyber threat groups within origin in China.

Expert Commentary: During the early days of the pandemic, most organizations relied on remote tools to facilitate their business operations. As such, threat actors took advantage of poor security hygiene to compromise VPN infrastructures used by public and private organizations. In this particular incident, security experts have discovered that the attacker is gaining a persistent foothold on compromised systems and using Linux command-line utility to delete event logs that forensic experts could use to map malicious activities. In today’s threat landscape, it is clear that attackers rely on remote tools to execute far-reaching malicious actions against critical infrastructures.

Learn More

4.  NSO’s Pegasus Spyware Compromises Innocent Victims

• Digital forensic experts at Amnesty International discovered that a sophisticated spyware tool, Pegasus, was used to facilitate a global surveillance effort to monitor the mobile devices of human rights activities, journalists, lawyers, chief executives, and even heads of state.
• Pegasus spyware tool was designed with remote access capabilities to extract user data, including conversation harvesting, geolocation triangulation, call recording, and manipulation of mobile device camera and microphone functionalities.
• Developed by the NSO group, Pegasus spyware was initially developed for governments to track and monitor local and global threats to national security. However, the spyware’s ability to break through both Android and iOS security infrastructure made it a weapon against innocent parties, including religious leaders and everyday citizens.

Expert Commentary: NSO group is an organization made up of some of the most gifted computer security experts globally, some of whom were ex-cybercriminals and national cyber intelligence experts. These security experts are tasked with gathering threat intelligence on technologies used across the globe, including mass communications tools like Facebook, Whatsapp, iPhone, etc. In 2019, Facebook sued the NSO group for the illegal sale and deployment of a Whatsapp zero-day vulnerability affecting over 1,400 devices owned by journalists, activities, government staff, and other political dissidents. Therefore, it is no surprise that the NSO group’s Pegasus spyware is currently making headlines for its role in cyberespionage and privacy compromises.

Learn More

5.  A Week Later, Kaseya Obtains the Master Key to Decrypt Systems Affected By Ransomware

• A week ago, Kaseya’s VSA tool suffered a significant security breach, which allowed REvil ransomware attackers to infect critical customers, including Managed Service Providers (MSPs). About a week later, Kasey announced they had secured an effective decryptor actively being used to help decrypt systems impacted by the ransomware.
• Kaseya obtained the decryptor tool from a trusted third party, whose identity is unknown due to confidentiality reasons. Nevertheless, the obtained decryptor will provide relief for up to 1,500 victims of the Russian-linked ransomware attack.
• While the threat actors behind the Kaseya VSA ransomware attack appear to have vanished, it is unclear whether Kaseya paid the $70 million ransom demand to retrieve the decryptor.

Expert Commentary: The U.S. government is focused on dismantling ransomware threat actor activities. Therefore, its fight against cybercriminal activities indicates interest in cyber-offensive measures against state-sponsored ransomware actors. Although President Biden has tried tackling ransomware operations via diplomatic channels, security experts predict that such a method could backfire and embolden other ransomware groups. While Kaseya customers enjoy the newly obtained decryptor, the ultimate defense against ransomware attacks is robust, automated system patching and security hygiene education.

Learn More