The Good
A few new developments occurred this week in the saga that is REvil ransomware. First off, REvil appears to have reactivated its infrastructure and has renewed its attacks, so far on a slightly smaller scale. New victims are appearing on their blog, and affiliates have resurfaced in specific underground forums in an effort to save some face and assure the world that they are kind and gentle cybercriminals.
However, the good news is that this week we also saw the release of a “master decrypter” for previous REvil victims.
The decrypter was the fruit of a joint collaboration between Bitdefender and “trusted law enforcement partners”. While it won’t help victims of the latest wave of REvil attacks, it does provide a simple and effective way for those who were hit prior to REvil’s recent hiatus, which followed the Kaseya and other high-profile attacks, to recover previously encrypted assets. As a reminder, SentinelOne Singularity will prevent REvil ransomware attacks as well as the associated TTPs.
The Bad
This was a particularly colorful week with regards to Apple and their emergency patch for a set of security vulnerabilities that enabled the deployment and use of NSO Group spyware. At the heart of these matters is an exploit dubbed FORCEDENTRY, which takes advantage of a vulnerability in Apple’s CoreGraphics framework.
What makes FORCEDENTRY so worrisome for users is that it does not require any user interaction to exploit, and since CoreGraphics is common to all Apple’s OS platforms, it can be leveraged against Apple’s iOS, iPadOS, watchOS, and macOS devices. Needless to say, the potentially exposed population is quite large and diverse. The flaw was originally reported by the Citizen Lab, who discovered it during an investigation into an iOS device belonging to a Saudi activist. The device had been infected by the NSO Group’s Pegasus spyware.
The bug was assigned CVE-2021-30860, and an emergency patch was released on September 13, 2021. It is believed that this flaw has been actively used against high-profile targets in the activist world as early as June 2020. Specially crafted PDF documents can be used to deliver the exploit to targets, and it is simply the act of receiving the PDF that leads to the infection. A truly scary zero-click exploit.
Apple has released updates to address this and other issues. However, users of older systems should be aware: on the Mac, only Catalina and Big Sur have been patched for this vulnerability, so the almost 20% of Mac users still running macOS Mojave and earlier are out of luck. iPhone users require iOS 14.8 or later to receive the fix, while watchOS needs to be running 7.6.2 or higher.
The Ugly
This week, three agents tied to “Project Raven” admitted to working against the United States government at the direction of the United Arab Emirates.
Under a deal designed to avoid prosecution, the three operatives were required to admit to working as spies for the U.A.E. and ultimately violating U.S. laws, including the selling of military secrets and technology. As part of “Project Raven”, the individuals were responsible for multiple intrusions into networks within the borders of the United States. In addition, they located and stole “sophisticated cyber intrusion tools” without the obviously required permission. These individuals were all considered lone “mercenaries” or “hackers-for-hire”.
While the full outcome is yet to be determined, the deal they struck appears to require the agents to pay a sum of $1.69 million and to relinquish all security clearance privileges in the United States.
On another note, this week SentinelLabs disclosed details around CVE-2021-3437, an HP OMEN Gaming Hub Escalation of Privilege and Denial of Service vulnerability in HP OMEN PCs. This high-severity flaw affects millions of HP devices and can be exploited to achieve kernel-level privileges, potentially offering full control of the targeted host. While gaming PCs aren’t usually found on the enterprise network, a vulnerable device in the home could be just as harmful to work when so many of us are connecting our company devices to our home networks these days.