Baddies take “go big or go home” to heart

Let’s go big this week…everyone else is! We have some big security news on vulnerabilities, phishing, and ransomware. Here’s what’s been going on in the world:

• Largest ever Patch Tuesday
• Phishing aims high at US presidential candidates
• Ransomware authors organize under Maze Cartel
• Zorab doubles your ransomware demands

Largest Patch Tuesday EVER

Really. It’s the largest ever. Microsoft released 129 vulnerabilities this month, up from 111 last month. Of these vulnerabilities, they categorized 11 as “critical,” and 109 as “important.”

Here’s a breakdown of where the vulnerabilities exist:

• Microsoft Windows: 41
• Windows Kernel: 14
• SharePoint: 12
• Microsoft Graphics Component: 9
• Microsoft Scripting Engine: 7

Let’s review a few of these.

CVE-2020-1281 is a remote code execution vulnerability in Microsoft’s Object Linking & Embedding (OLE). Microsoft’s CVSS (Common Vulnerability Scoring System) score for this vulnerability is 7.8. On a scale of 1-10, 10 is the most severe.

It’s similar to CVE-2017-0199, which has been widely used by many threat actors, including the Lazarus Group (aka APT38) and Helix Kitten (aka APT34). Windows 7 through 10 and Windows Server 2008 through 2019 are vulnerable.

CVE-2020-1181 is a remote code execution vulnerability in Microsoft SharePoint unsafe ASP.Net web controls. SharePoint 2010 through 2019 is vulnerable, but exploitation requires user authentication.

Microsoft Excel has two remote code execution vulnerabilities this month, CVE-2020-1225 and CVE-2020-1226. If a vulnerable user opens a specially crafted document, the attacker gains access at the same privilege level as the victim.

Malspam and maldocs are a common delivery method for threat actors. We expect to see these vulnerabilities used in upcoming campaigns.

Watch out for thumb drives, as CVE-2020-1299 is a remote code execution vulnerability in the way Microsoft processes .LNK files. The victim must open a removable drive or a remote drive share containing the malicious .LNK file. Windows 7 through 10 and Windows Server 2008 through Windows Server 2019 are vulnerable.

There was concern about a similar vulnerability, CVE-2020-0684, in March 2020, but we haven’t heard about it being exploited yet.

Phishers aim for presidential fish

Google Threat Analysis Group (TAG) warned that two Advanced Persistent Threat (APT) groups from China and Iran deployed phishing attacks against the campaign staff of US presidential candidates, primarily Joe Biden and Donald Trump.

• APT31, also known as Zirconium, is a Chinese-state group that targeted Biden’s campaign staff.
• APT35, also known as Charming Kitten, is an Iranian-state group that targeted Trump’s campaign through phishing attacks.

Google TAG confirmed that the attacks against Biden and Trump were unsuccessful.

According to the spokesperson for the Biden campaign, they’re prepared against phishing attacks and ensure that the campaign’s assets are secured.

A representative for the Trump campaign also confirmed that they are aware of the attacks, but declined to discuss any precautions.

According to ZDNet researchers, the purpose of these attacks remains unclear. It’s unknown whether the Chinese and Iranian hackers are looking for information that they can publicly abuse, or if the groups are looking to observe how campaigns are going and to gather information for future political decisions.

DoppelPaymer joins Maze Cartel; hits Florence, AL

Twelve days after investigative reporter Brian Krebs alerted Florence, Alabama, about hackers infiltrating their systems, the city was crippled by DoppelPaymer ransomware.

Government employees responded to the warning, but efforts were insufficient to prevent the June 5th ransomware outbreak.

Additionally, hackers say they’ve exfiltrated city data. Exfiltrating and leaking data is a new strategy for ransomware operators to improve their win/loss ratio.

DoppelPaymer is demanding $300k to decrypt the files and not leak the city’s data. City officials say they intend to pay in hopes of keeping the personal data of their citizens off of the internet.

Recently, the DoppelPaymer group has linked up with the Maze Ransomware Cartel. The Maze Cartel provides leaking infrastructure for other ransomware operators that are interested in leaking but not in hosting the leaks or maintaining a leak site.

The Maze Cartel currently represents Maze Ransomware, DoppelPaymer Ransomware, and LockBit ransomware.

Zorab doubles your ransom demands

A ransomware variant, dubbed “Zorab,” was identified using the Djvu ransomware to double-encrypt a victim’s infected files.

The Zorab ransomware masquerades as a free ransomware decryption tool; however, it’s actually ransomware itself that encrypts all of the victim’s already encrypted data with the Djvu ransomware.

Once the users enter their information into the phony decryptor and click on “Start Scan,” the program will extract another executable, called “crab.exe,” and encrypt the already encrypted files. Zorab leaves a ransom note with instructions on how to retrieve compromised files along with an email address, “zorab28@protonmail[.]com,” for victims to contact and acquire the decryption tool.

Security researcher Michael Gillespie is still analyzing Zorab.

Rather than downloading free ransomware decryption tools, we recommend organizations contact an incident response company.

Stay safe and keep it Perchy.
- Paul

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Universities take a course in ransomware