CYBERSECURITY NEWS V. 18.01 – Microsoft Patch Tuesday, Decryptor for DarkSide, Joker’s Stash closing, Nvidia patches

hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates

News FYI

Google reports on sophisticated malware campaign against Android and Windows users

Google has published a report on a sophisticated campaign targeting Android and Windows users. The attacks were carried out via two servers that delivered different exploit chains to targets using the watering hole technique. Both servers exploited vulnerabilities in Google Chrome to gain a foothold on victims' devices. After that, the attackers would deploy an exploit at the OS level to control the device.

The exploit chains were a combination of zero-day vulnerabilities and other flaws already fixed by the developers. They include CVE-2020-6418 – TurboFan Chrome Vulnerability; CVE-2020-0938 – Windows Font Vulnerability; CVE-2020-1020 – Windows Font Vulnerability; CVE-2020-1027 – Windows CSRSS vulnerability.

Google has not yet released any details about the attackers or the victims.

Microsoft patches 83 vulnerabilities, including Defender 0-day

This Patch Tuesday brought fixes for 83 vulnerabilities in Microsoft products, 10 of which were classified as critical. Patches were released for Windows, Edge browser, Microsoft Office and Microsoft Office Services and Web Apps, Microsoft Windows Codecs Library, Visual Studio, SQL Server, Microsoft Malware Protection Engine, .NET Core, .NET Repository, ASP .NET, and Azure.

The most critical is a zero-day vulnerability in Microsoft Defender, which has already been exploited by hackers. CVE-2021-1647 is an RCE in the Malware Protection Engine (mpengine.dll) that allowed attackers to execute arbitrary code on a vulnerable system by merely making the victim open a malicious document. According to Microsoft, this exploitation technique is not applicable in all cases, and the exploit is still at the PoC stage. Updates will be installed automatically, and no user action is required.

Decryptor for DarkSide ransomware released

Experts from the Romanian antivirus company Bitdefender have released a free decryptor for files affected by the Darkside ransomware. It is available for download on the official Bitdefender website.

DarkSide is distributed as ransomware as a service (RaaS). It first became known on underground cybercrime forums in August 2020. DarkSide operators make money by encrypting sensitive files on compromised systems and stealing valuable information. DarkSide operators demanded up to millions of dollars in ransoms from victims to restore files and prevent data leaks.

Nvidia patches high severity vulnerabilities

Nvidia has released security updates for Windows and Linux GPU drivers and additional flaws affecting the NVIDIA Virtual GPU control software (vGPU). The vulnerabilities expose Windows and Linux systems to denial of service, privilege escalation, data tampering, and information disclosure attacks.

The most severe vulnerability (CVE - 2021-1051) targets the Nvidia GPU display driver. This kernel mode layer vulnerability could cause a denial of service and privilege escalation.

Another high-severity vulnerability (CVE - 2021-1052) is also found in the kernel mode layer, potentially allowing an attacker to gain access to APIs, which in turn could cause a denial of service, privilege escalation, and unauthorized access to personal data.

Nvidia has already released updates and recommends downloading and installing them on your system now.

SolarLeaks sells data allegedly stolen in SolarWinds hack

SolarLeaks lists data for sale reportedly stolen in a cyberattack on the SolarWinds' supply chain.

In December 2020, unknown actors attacked SolarWinds and implemented a malicious update for its Orion software to infect its users' networks. The victims included giants like Microsoft, Cisco, FireEye, and many US government agencies, including the State Department and the National Nuclear Security Administration.

Now the solarleaks [.] net website has been launched, selling data stolen from Microsoft, Cisco, FireEye, and SolarWinds. Microsoft source codes and repositories are up for sale for $ 600,000. The attackers are also selling the source codes of several Cisco products, including its internal vulnerability tracker. According to Cisco, there is no evidence that the attackers stole their source codes. The site sells the tools of the FireEye Red Team and the FireEye for $ 50,000. For $ 1 million, the buyer could access all the leaked data.

The solarleaks.net domain is registered through NJALLA, a well-known registrar that is popular with hackers. WHOIS returns "You can get no info" for that domain.

Windows 10 bug that corrupts file system

A critical zero-day vulnerability in Windows 10 can corrupt the NTFS file system with a one-line command. The bug affects Windows 10 1803 and later versions of the OS, including the latest Windows 10 20H2.

No administrator rights are required to exploit this vulnerability. It is enough to execute a specific command in Windows 10 to damage the NTFS file system, and the OS will display the BSOD. Jonas Lykkegaard first reported the problem back in 2020, but it has remained unpatched. According to him, the damage when a specific path is accessed. It is unclear why this results in file system corruption, and Jonas could not analyze the problem.

Microsoft is expected to fix this bug in a future update. The company has not commented on this issue yet.

Joker's Stash to close on February 15

Joker's Stash, the largest darknet marketplace for compromised payment data, will close on February 15, 2021. The site's operator said on a Russian cybercriminal forum that "it's time for us to leave forever" and "we will never ever open again."

Recently, the volume of data published on Joker's Stash has dropped significantly, and users began to complain about its low quality. In October 2020, the site was also affected by its operator's long absence, who was hospitalized with COVID-19. Joker's Stash has been operating since October 7, 2014. The site administrator has stated that he intends to erase all servers and backups when they stop working next month.

"We are also want to wish all young and mature ones cyber-gangsters not to lose themselves in the pursuit of easy money (sic) … Remember, that even all the money in the world will never make you happy and that all the most truly valuable things in this life are free," JokerStash concluded his farewell message.