LokiLocker ransomware
BlackBerry security researchers have identified a new ransomware-as-a-service family that targets Windows systems. Image: BlackBerry

There’s never a dull moment in the world of cybersecurity but this week was busier than most. In addition to dealing with threats designed to take advantage of the war in Ukraine, companies and governments face fresh attacks from new and existing vulnerabilities on many fronts. Security researchers and the Cybersecurity and Infrastructure Security Agency (CISA) shared new information this week about these threats. Here’s a recap and recommendations about how to defend against these attacks.

Known Exploited Vulnerabilities list grows

CISA added 15 new vulnerabilities to its Known Exploited Vulnerabilities Catalog this week to draw attention to vulnerabilities bad actors are actively exploiting. These vulnerabilities are a frequent attack vector for malicious cyber attackers and pose significant risk to governments and private companies.

Greg Fitzgerald, co-founder of Sevco Security, said it’s encouraging to see the government update the list but these changes won’t protect against exploits within the IT assets they’ve abandoned or forgotten about.

“Most enterprises have IT asset inventories that do not reflect their entire attack surface, which in modern enterprises extends beyond the network to include cloud, personal devices, remote workers as well as all things on premise,” he said. “Until organizations can start working from a comprehensive and accurate IT asset inventory, attackers will always be able to find a way in.”

The new risks are:

  • SonicWall SonicOS Buffer Overflow Vulnerability
  • Microsoft Windows UPnP Service Privilege Escalation Vulnerability
  • Microsoft Windows Privilege Escalation Vulnerability
  • Microsoft Windows Error Reporting Manager Privilege Escalation Vulnerability
  • Microsoft Windows AppX Deployment Server Privilege Escalation Vulnerability
  • Microsoft Windows AppXSVC Privilege Escalation Vulnerability
  • Microsoft Task Scheduler Privilege Escalation Vulnerability
  • Microsoft Windows AppXSVC Privilege Escalation Vulnerability
  • Microsoft Windows AppXSVC Privilege Escalation Vulnerability
  • Microsoft Windows Privilege Escalation Vulnerability
  • Microsoft Win32k Privilege Escalation Vulnerability
  • Microsoft Windows Transaction Manager Privilege Escalation Vulnerability
  • Microsoft Windows Kernel Privilege Escalation Vulnerability
  • Microsoft Win32k Memory Corruption Vulnerability
  • Microsoft Win32k Privilege Escalation Vulnerability

CISA has a bulletin email that announces new additions to the list.

Bad actors use misconfigured MFA to steal files

CISA also warned this week about an attack that takes advantage of default MFA protocols and a known vulnerability. The agency reported that Russian-sponsored hackers used a misconfigured account in May 2021 at a non-governmental organization to enroll a new device for MFA and gain access to the group’s network. The next step was to use the PrintNightmare vulnerability, a critical weakness in the Windows Print Spooler service, to run arbitrary code with system privileges. The bad actors then used the NGO’s Cisco Duo MFA to gain access to its cloud and email accounts and steal documents.

Garret Grajek, CEO of YouAttest, said that this attack shows that MFA is not the cure for identity exposure issues.

“It shows that the flaw is not within the MFA itself, but in the practices and procedures around the deployment,” Grajek said. “This is why the cyber world is pushing for new ideas and practices like stronger identity governance, knowing who has what devices, monitoring changes in identity and zero trust.”

YouAttest is an access review engine that provides governance and audit capabilities for Okta deployments.

Rajiv Pimplaskar, CEO of Dispersive Holdings, said typical VPNs or zero trust network access solutions stop at the network level and are unable to withstand a targeted assault from nation state actors who can penetrate the protocol stack with advanced attacks.

“Corporations and governments alike should look at advanced cyber defense techniques like managed attribution and distributed VPNs with data payload dispersion to present a much harder target to bad actors,” Pimplaskar said.

Dispersive provides private and secure virtual networking for cloud, branch, mobile device and embedded IoT that splits data across multiple streams.

CISA recommends that organizations take these steps to avoid this kind of attack:

  • Enforce MFA and review configuration policies to protect against “fail open” and re-enrollment scenarios.
  • Ensure inactive accounts are disabled uniformly across the Active Directory and MFA systems.
  • Patch all systems and prioritize patching for known exploited vulnerabilities.
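The first two of these steps come down to reconciling two systems of record. The script below is an added example, not CISA’s or any vendor’s code: it takes a constructed Active Directory export and a constructed MFA enrollment export (the field names and record layout are assumptions, not the schema of any real product) and flags the gaps the guidance describes: enabled accounts with no MFA enrollment, accounts disabled or dormant in AD that still hold an active MFA enrollment, and MFA devices that were enrolled after the account’s last AD logon, which is the shape of the re-enrollment scenario in the NGO intrusion.

```python
"""Reconcile an AD account export against an MFA enrollment export.

Added example. The record layout (user, enabled, last_logon, status,
devices/enrolled) is an assumption, not the export format of any real
directory or MFA product. All sample data below is constructed.
"""
from datetime import datetime, timedelta

# Constructed sample exports (not real accounts).
AD_ACCOUNTS = [
    {"user": "alice", "enabled": True,  "last_logon": "2022-03-10"},
    {"user": "bob",   "enabled": True,  "last_logon": "2021-01-05"},  # dormant
    {"user": "carol", "enabled": False, "last_logon": "2021-02-14"},  # disabled in AD
    {"user": "dave",  "enabled": True,  "last_logon": "2022-03-12"},
    {"user": "erin",  "enabled": True,  "last_logon": "2022-03-11"},  # no MFA at all
]

MFA_ENROLLMENTS = [
    {"user": "alice", "status": "active", "devices": [{"enrolled": "2021-06-01"}]},
    # bob: device enrolled months after his last AD logon (re-enrollment pattern)
    {"user": "bob",   "status": "active", "devices": [{"enrolled": "2021-05-20"}]},
    # carol: disabled in AD but never disabled in the MFA system
    {"user": "carol", "status": "active", "devices": [{"enrolled": "2020-11-30"}]},
    {"user": "dave",  "status": "active", "devices": [{"enrolled": "2021-03-01"}]},
]


def _date(s):
    """Parse the YYYY-MM-DD strings used in the constructed exports."""
    return datetime.strptime(s, "%Y-%m-%d")


def find_mfa_gaps(ad_accounts, mfa_enrollments, as_of, dormant_days=90):
    """Return (user, finding) tuples describing AD/MFA inconsistencies.

    as_of: the review date as YYYY-MM-DD; an account whose last AD logon is
    more than dormant_days before it is treated as inactive.
    """
    cutoff = _date(as_of) - timedelta(days=dormant_days)
    ad = {a["user"]: a for a in ad_accounts}
    enrolled = {e["user"] for e in mfa_enrollments if e["status"] == "active"}
    findings = []

    # Pass 1: every active MFA enrollment must belong to a live AD account.
    for e in mfa_enrollments:
        if e["status"] != "active":
            continue
        acct = ad.get(e["user"])
        if acct is None:
            findings.append((e["user"], "mfa_enrollment_without_ad_account"))
            continue
        last_logon = _date(acct["last_logon"])
        if not acct["enabled"]:
            findings.append((e["user"], "ad_disabled_but_mfa_active"))
        elif last_logon < cutoff:
            findings.append((e["user"], "ad_dormant_but_mfa_active"))
            # A device added after the account went quiet is the
            # re-enrollment pattern worth a closer look.
            if any(_date(d["enrolled"]) > last_logon for d in e["devices"]):
                findings.append((e["user"], "device_enrolled_after_last_ad_logon"))

    # Pass 2: every enabled AD account must be enrolled (MFA is enforced).
    for a in ad_accounts:
        if a["enabled"] and a["user"] not in enrolled:
            findings.append((a["user"], "ad_enabled_without_mfa"))

    return findings


if __name__ == "__main__":
    for user, finding in find_mfa_gaps(AD_ACCOUNTS, MFA_ENROLLMENTS, "2022-03-15"):
        print(f"{user:8} {finding}")
```

Run against the constructed data with a review date of 2022-03-15, this reports bob as dormant with a device enrolled after his last logon, carol as disabled in AD but still active in MFA, and erin as enabled without any enrollment; alice and dave are clean. In practice the two inputs would be the directory’s own user export and the MFA provider’s enrollment report, and the dormant-days threshold would follow the organization’s account lifecycle policy.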

BlackBerry announces new ransomware family

BlackBerry confirmed this week that LokiLocker has been detected in enterprise environments and traced the start of the ransomware to trojanized brute-checker hacking tools for popular consumer services. This is a new ransomware-as-a-service family that includes a false flag tactic. BlackBerry researchers report that the new attack vector targets English speakers and Windows machines. The malware is written in .NET and protected with NET Guard with an additional virtualization plugin called KoiVM, according to the BlackBerry report.

This ransomware was initially distributed inside brute-checker hacking tools including PayPal BruteChecker, Spotify BruteChecker, PiaVPN Brute Checker by ACTEAM and FPSN Checker by Angeal. The software encrypts files and includes an optional “wiper functionality” that deletes files automatically if the target doesn’t pay the ransom by the deadline. BlackBerry researchers believe LokiLocker is being distributed by about 30 affiliates, including some associated with Iranian hackers.

Armorblox describes IG phishing attacks

Security experts have long warned that using work credentials for personal accounts is a bad idea. Armorblox described a new attack this week that takes advantage of people who make this mistake. This threat includes an email supposedly sent from Instagram support and warns the recipient that he or she has been reported for a violation of copyright laws. The sender warns that the recipient has only 24 hours to respond.

Recipients who click on the links in the email land on a page designed to harvest log-in credentials. Armorblox researchers note that the bad actor has methodically used Meta and Instagram logos and branding to make the malicious page look real. The attack targeted a prominent life insurance company in the U.S., according to the blog post about the attack.

Armorblox specializes in defending against business email compromise.