Is the real big one round the corner...

Dear members of the security community, as Google would put it,

We have seen the REvil ransomware group now attacking more and more dastardly. They seem to have enormous funds in bitcoin to get their hands on very high-ranking, not-yet-known vulnerabilities that others have been sitting on for years, unknown even to the community.

What was it that Kaspersky detected that its AV wasn’t supposed to flag, and which let forces turn a sour eye on them?

Many a question, few or no answers. World Economic Forum specialists are now warning of the big one to come, or, better said, being “in the pipeline” to deregulate the very core of the Interweb’s infrastructure.

Ransomware attacks on concerns and firms may also influence stock markets (ransomware gangs publish insights into their potential victims, as they operate like entrepreneurs). It may also drive prices up, as concerns or industries seek to compensate for millions and millions in bitcoin losses. Sometimes even insiders from MS wonder what will be the crux of the next attack they did not see coming. Be aware of your updates (e.g. on the coming July 8th).

These are dangerous digital times to live in, folks; keep Avast at your side (or would it be site)?
Forewarned is forearmed, the proverb goes,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Here’s more on that same topic: https://youtu.be/KIkSVxUJ0H0
Biden had promised to make this a priority.

It’s about time governments got serious about this and had the funds seized from the bitcoin accounts as the proceeds of crime. After all, in order for the ransom to be paid the account has to be given; that is the start of the financial trail.

  1. I wonder if Avast would have detected and prevented Kaseya and/or SolarWinds?
  2. How does one trust any software anymore considering the exploits we have seen? I’m sure I read somewhere that SolarWinds was digitally signed.
  3. What would be the best setting for Avast antivirus to protect against this?
  4. Would default settings be ok? A whitelist doesn’t appear to be the answer.

edit: removed some info.

Hi Charyb,

DLL hijacking is very much an issue here.

Microsoft Defender
To execute the attack, the attackers used a vulnerable version of Microsoft Defender, according to reports by Sophos’s Mark Loman.
That specific version is vulnerable to side-loading, in which malicious code can be loaded from a DLL file that has been positioned correctly. Attackers often place such a DLL file inside the directory of the accompanying executable. When the executable is run, the malicious DLL file is loaded as well. All part of a process called DLL hijacking.

As soon as such a DLL file has been loaded into memory, the malware will remove itself from the hard disk. Then the executable and the compromised Microsoft Defender file will encrypt the hard disk, external disks and network disks. All this will be performed by a Microsoft-signed application that security controls will more often than not trust and allow to run.

An opponent that is able to perform such cybercriminal operations is a tremendous opponent.
Be afraid, folks, be very afraid; see where Big Tech security through obscurity may lead us.
The Cybercrime Twilight zone, real insecurity may be out there somewhere…

pol
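The side-loading pattern described in the post above (a signed executable dropped somewhere writable, with an attacker's DLL placed beside it so the loader picks it up) is also something a defender can hunt for in image-load telemetry. The script below is an added example, not code from this thread or from Sophos or Microsoft. It works on constructed records whose field names follow Sysmon Event ID 7 (ImageLoad): Image, ImageLoaded, Signed, Signature, SignatureStatus. All paths, file names and signer strings in the sample data are made up; the system and user-writable directory lists are assumptions you would tune for your own estate.

```python
"""Hunt for likely DLL side-loading in Sysmon-style ImageLoad (Event ID 7) records.

Added example for the thread; not code from the original post.
The sample records are constructed: field names follow Sysmon Event ID 7,
but every path, file name and signer string is made up for illustration.
"""
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# A DLL sitting beside its executable is the normal case inside the OS directories
# (assumed list; extend for your environment).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Locations a standard user can write to. A signed executable running from here
# with an unsigned helper DLL beside it is the classic side-loading setup (assumed list).
USER_WRITABLE = (r"c:\users", r"c:\programdata", r"c:\windows\temp")


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return str(PureWindowsPath(path)).lower()


def _under(path: str, roots: Iterable[str]) -> bool:
    """True if path is one of roots or lies below one of them."""
    p = _norm(path)
    return any(p == r or p.startswith(r + "\\") for r in roots)


def classify_load(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for one ImageLoad record, or None if it looks benign.

    The rule: the DLL came from the *same directory as the process image*,
    that directory is not an OS directory, and the DLL carries no valid
    signature. Severity is raised when the executable itself runs from a
    user-writable location, which is where a dropped signed binary would live.
    """
    exe, dll = event["Image"], event["ImageLoaded"]
    exe_dir = str(PureWindowsPath(exe).parent)
    dll_dir = str(PureWindowsPath(dll).parent)

    # Not loaded from the application directory, or a normal OS library: ignore.
    if _norm(exe_dir) != _norm(dll_dir) or _under(dll, SYSTEM_DIRS):
        return None

    # Sysmon's Signed/SignatureStatus describe the *loaded image* (the DLL).
    dll_signed = (
        event.get("Signed", "false").lower() == "true"
        and event.get("SignatureStatus") == "Valid"
    )
    if dll_signed:
        return None

    severity = "high" if _under(exe, USER_WRITABLE) else "medium"
    return {
        "process": exe,
        "dll": dll,
        "severity": severity,
        "reason": "unsigned DLL loaded from the executable's own directory",
    }


def find_sideloads(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify_load over a stream of records and keep the findings, in input order."""
    return [hit for hit in (classify_load(e) for e in events) if hit]


# Constructed sample telemetry (not real events). Vendor names and paths are invented.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\app.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # The side-loading case: a signed binary dropped into a public folder, unsigned DLL beside it.
    {"Image": r"C:\Users\Public\agent.exe", "ImageLoaded": r"C:\Users\Public\helper.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # A vendor shipping an unsigned plug-in next to its signed product: worth a look, lower severity.
    {"Image": r"C:\Program Files\Vendor\app.exe", "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\app.exe", "ImageLoaded": r"C:\Program Files\Vendor\vendorlib.dll",
     "Signed": "true", "Signature": "Vendor Ltd", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['process']} loaded {hit['dll']}: {hit['reason']}")
```

The rule deliberately keys on the directory relationship and the DLL's signature rather than on any one executable name, because the post's point is that the loader itself was a legitimately signed binary; a name-based allowlist would pass it straight through. Expect the "medium" bucket to need tuning: plenty of legitimate software ships unsigned DLLs beside a signed executable under Program Files, so in practice you would baseline those per host or per vendor and alert mainly on the "high" findings.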

Where did it mention MS Defender? Can you share the link?

About 1/3 of the way down, this article mentions Windows Defender:
Independence Day: REvil uses supply chain exploit to attack hundreds of businesses – Sophos News

https://twitter.com/markloman/status/1411035534554808331?s=20

Thanks. :)

But whenever old, vulnerable customer portals are left online to be abused,
we haven’t achieved the more secure situation we are after.
Not by a long way. Sometimes I also feel like I am preaching to the choir.
The Interwebz is a dangerous place to be sometimes.

Read for instance: https://krebsonsecurity.com/2021/07/kaseya-left-customer-portal-vulnerable-to-2015-flaw-in-its-own-software/
Re: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2862
which has led to a worldwide ransomware attack.

polonus