Cyber Weekly Digest - Week #29
In this week’s Cyber Weekly Digest we dive into the most interesting cyber security stories, including how the sites of REvil, one of the most notorious ransomware gangs, mysteriously went offline on Tuesday, and a data breach affecting the fashion retailer Guess’s customers. Keep reading to stay up to date with the biggest cyber security stories from across the globe.
This week Guess, the fashion retailer, confirmed it had become the victim of a ransomware attack in which customer data was stolen. After an investigation it is believed that attackers gained access to the fashion retailer’s systems in February this year. Although Guess has not provided information on the identity of the threat actor, it was reported that the DarkSide ransomware gang had listed the retailer on their data leak site in April. At the time DarkSide claimed to have stolen over 200 GB worth of files from Guess’s network before attempting to encrypt its systems.
All of REvil’s Dark Web sites slipped offline as of 1:00 am Tuesday morning. REvil is currently one of the biggest ransomware groups and uses its sites to negotiate ransoms, leak data and receive payments from its victims. However, it is unclear why REvil’s sites went offline. Some argue that law enforcement was involved, as the sites went offline just days after President Biden demanded that President Putin take action on ransomware gangs. REvil’s most recent victims include Kaseya and its MSP customers, an attack which affected 1,500 businesses.
SolarWinds released a security patch this week for a zero-day vulnerability in its Serv-U FTP servers; the flaw allows remote code execution when SSH is enabled. The vulnerability was disclosed by Microsoft, who also observed that a threat actor had already exploited it to execute commands on vulnerable devices. It has been revealed that the group behind the attacks was the China-based group DEV-0322, which has previously targeted entities in the US Defence Industrial Base Sector and software companies.
SonicWall customers running unpatched Secure Mobile Access 100 series and Secure Remote Access products have been warned of an imminent ransomware campaign using stolen credentials. SonicWall is urging customers to update their firmware, turn on multi-factor authentication, or disconnect appliances that have reached end-of-life status and cannot be updated. This is the fourth time that SonicWall devices have been used as an attack vector, including the recent discovery that remote access vulnerabilities in SonicWall SRA 4600 VPN appliances were being exploited in ransomware attacks targeting corporate networks worldwide.
This week Microsoft released its July Patch Tuesday, which included thirteen “critical” and four actively exploited vulnerabilities. Among the critical flaws patched this month was the PrintNightmare Print Spooler flaw, which affected most versions of Windows. This month’s Patch Tuesday also included patches for six vulnerabilities in Exchange Server, which has been increasingly targeted by attackers all year.