In this week's digest we explore another week filled with ransomware attacks, data breaches and vulnerability patches. Find out why ransomware operations are rebranding and read about the latest zero-day vulnerability patched by Apple. Keep reading to stay up to date on the latest cyber security stories from around the world.
Since May, the DoppelPaymer ransomware operation has been inactive, but it is now believed to have rebranded under the name Grief. Researchers found that the two share the same encrypted file format and the same distribution channel, the Dridex botnet. Researchers also found that the Grief ransom note dropped on infected systems pointed to the DoppelPaymer portal. The overlap between Grief and DoppelPaymer is so extensive that a connection between the two is impossible to ignore. A ransomware gang's rebranding may be less about erasing its tracks than about avoiding government sanctions that would prevent victims from paying the ransom.
On Monday, Apple patched another zero-day flaw in both its iOS and macOS platforms that is being actively exploited in the wild and could allow attackers to take over an affected system. The memory-corruption flaw lies in the IOMobileFrameBuffer kernel extension, which exists in both iOS and macOS. Apple has released three updates to patch the vulnerability on each of the affected platforms.
This week, Northern Ireland's Department of Health temporarily suspended its COVIDCert online vaccination certification service following a data incident. COVIDCert enables fully vaccinated individuals based in Northern Ireland to obtain a digital certificate confirming their COVID-19 vaccination status. A limited number of users were potentially exposed to other users' data, leading the Department of Health to halt the service. The Northern Irish Department of Health is working on resolving the issue, and an update is expected to follow soon.
Researchers have discovered a vulnerability in the Windows operating system that could allow attackers to stage an NTLM relay attack and completely take over a Windows domain. The flaw, named "PetitPotam," was discovered by a researcher who noted that it works by forcing "Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function". By forcing the targeted computer to initiate an authentication procedure and hand over its hashed credentials via NTLM, the PetitPotam attack can be chained with an exploit targeting Windows Active Directory Certificate Services to seize control of the entire domain. PetitPotam marks the third major Windows security issue disclosed over the past month, following the PrintNightmare and SeriousSAM vulnerabilities.
Threat actors compromised an email marketing account belonging to the Chipotle food chain and used it to send out phishing emails luring recipients to malicious links. The campaign sent at least 120 malicious emails over three days from the Mailgun account used by Chipotle. Most of the messages directed users to credential-harvesting sites impersonating services from a financial business and Microsoft, while a small number of messages included malicious attachments. Sending emails through a legitimate email domain makes phishing emails significantly more believable; the same tactic was used by the Nobelium group in the SolarWinds supply-chain attack.