Internet Storm Center Spotlight


Title: Kaseya supply chain attack affecting hundreds of companies

Description: Attackers are actively exploiting the Kaseya VSA endpoint monitoring software to conduct a widespread supply chain attack targeting a number of Managed Service Providers (MSPs), according to multiple reports. Organizations usually use Kaseya VSA to perform centralized orchestration of systems in customer environments. Attackers first infected victims via a malicious automatic update to the software, eventually delivering the REvil/Sodinokibi ransomware. Once active in victim environments, the ransomware encrypts the contents of systems on the network, causing widespread operational disruptions to a variety of organizations that use this software. REvil operates using a ransomware-as-a-service (RaaS) model, with affiliates leveraging a variety of tactics, techniques and procedures (TTPs) to infect victims and coerce them into paying to regain access to systems and data that are affected by the ransomware. In many cases, backup servers are also targeted during network-based ransomware attacks highlighting the importance of a regularly tested offline backup and recovery strategy. A text-based README is written into various directories on the system and functions as a ransom note.




Cisco Secure Endpoint signatures: Gen:Variant.Graftor.952042, W32.D55F983C99-100.SBX.TG, W32.File.MalParent, W32.RetroDetected

ClamAV signatures: Win.Dropper.REvil-9875493-0, Win.Ransomware.REvil-9875494-0

Cloud IOCs: W32.PingPredicatedDel.ioc, W32.DisableRealtimeMonitoring.ioc, W32.CertutilDecodedExecutableFile.ioc, W32.CertUtilCopy.ioc

Snort SID: 57879
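The four Cloud IOC names above describe one recognisable staging sequence: a ping loop used as a sleep before deleting files, Defender real-time monitoring switched off from the command line, certutil.exe copied to a new name, and that copy decoding a payload into an executable. The following block is an added example and not part of the original page or Cisco's detection content; it shows detection logic for those four behaviours run over process-creation events. The event layout is loosely modelled on Sysmon process-creation fields (an assumption), and every host, path and command line in the sample telemetry is constructed.

```python
"""Detection logic for the behaviours behind the Cloud IOC names above.
Added example, not Cisco's detection content. The event fields are an
assumption (loosely Sysmon-like) and SAMPLE_EVENTS is constructed."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str            # path of the executed image as the attacker named it
    original_name: str    # OriginalFileName from the PE version resource
    cmdline: str


# Command-line patterns; each name mirrors one IOC name on the page.
CMDLINE_RULES = [
    ("PingPredicatedDel",
     re.compile(r"\bping(?:\.exe)?\s+(?:-n\s+\d+\s+(?:127\.0\.0\.1|localhost)"
                r"|(?:127\.0\.0\.1|localhost)\s+-n\s+\d+).*&.*\bdel\b", re.I)),
    ("DisableRealtimeMonitoring",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(?:\$true|1)\b", re.I)),
    ("CertUtilCopy",
     re.compile(r"\bcopy\b.*\bcertutil\.exe\s+\S+", re.I)),
]

# certutil decoding a file whose destination carries an executable extension.
DECODE_TO_EXE = re.compile(r"(?:-|/)decode\s+\S+\s+\S+\.(?:exe|dll|scr|com)\b", re.I)


def match_rules(ev: ProcessEvent) -> list[str]:
    """Return the names of every rule the event triggers."""
    hits = [name for name, pat in CMDLINE_RULES if pat.search(ev.cmdline)]
    # Renaming certutil.exe does not change its OriginalFileName, so key the
    # decode rule on that field rather than on the image name the attacker chose.
    binary = (ev.original_name or os.path.basename(ev.image)).lower()
    if binary == "certutil.exe" and DECODE_TO_EXE.search(ev.cmdline):
        hits.append("CertutilDecodedExecutableFile")
    return hits


def scan(events) -> dict[str, set[str]]:
    """Map each host to the set of distinct rules observed on it."""
    per_host: dict[str, set[str]] = {}
    for ev in events:
        for name in match_rules(ev):
            per_host.setdefault(ev.host, set()).add(name)
    return per_host


def staging_hosts(events, threshold: int = 3) -> list[str]:
    """Hosts on which enough of the chain fired to justify isolating them."""
    return sorted(h for h, hits in scan(events).items() if len(hits) >= threshold)


# Constructed sample telemetry: ws01 runs the full chain, ws02 and ws03 are benign.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
                 r"cmd.exe /c ping 127.0.0.1 -n 4979 > nul & del /q /f c:\staging\payload.crt"),
    ProcessEvent("ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
                 "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true"),
    ProcessEvent("ws01", r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
                 r"cmd.exe /c copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe"),
    ProcessEvent("ws01", r"C:\Windows\cert.exe", "CertUtil.exe",
                 r"C:\Windows\cert.exe -decode c:\staging\payload.crt c:\staging\payload.exe"),
    ProcessEvent("ws02", r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
                 r"certutil.exe -hashfile C:\installers\setup.msi SHA256"),
    ProcessEvent("ws03", r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
                 "cmd.exe /c ping 127.0.0.1 -n 2 > nul"),
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        print(host, sorted(hits))
    print("isolate:", staging_hosts(SAMPLE_EVENTS))
```

Any single rule here is noisy on its own (certutil -decode has legitimate uses, and a ping-then-delete shows up in installers), which is why the verdict is based on several distinct behaviours landing on the same host rather than on one match.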

Title: Babuk ransomware code leaks into the wild

Description: A threat actor is using leaked code from the Babuk ransomware to carry out its own attacks. Security researchers discovered last week that Babuk’s ransomware builder tool was uploaded to VirusTotal. Any threat actor could take the code and modify the enclosed ransom note to include their own contact information, and then run the build executable to create customized ransomware encryptors and decryptors that target Windows, VMware ESXi, Network Attached Storage (NAS) x86, and NAS ARM devices. This new actor intentionally misspells Babuk in its ransom note, and only requests $210 for its ransom payment, versus Babuk’s usual millions. Babuk was most recently known for targeting the Washington, D.C. police department.


Internet Storm Center Entries

The Kaseya supply chain ransomware attack may affect up to 1,500 organizations. Kaseya shut down the compromised program within an hour of detecting it.

The operators behind the attack on Kaseya are demanding a $70 million ransom payment in the form of Bitcoin in exchange for a decryptor tool that will allegedly return victims’ files to them.

Insurance brokerages that offer cyberinsurance policies are starting to revamp their approach to ransomware; the companies have paid out large claims and some of them have been hit with ransomware themselves.

Google removed nine malicious apps from its Play Store that were spotted stealing Facebook credentials, but not before being downloaded a combined 5.9 million times.

Microsoft is warning customers that attackers are actively exploiting the so-called “PrintNightmare” vulnerabilities in its print spooler service.

The Fancy Bear APT (APT28) is reportedly orchestrating brute-force password attacks all over the internet. Note that the SolarWinds supply chain attack is attributed to a different Russian group, APT29 (Cozy Bear/Nobelium), not to Fancy Bear.

Hackers exploited a zero-day vulnerability to perform factory resets on Western Digital My Book Live storage devices. The company is expected to release data recovery services soon.

Windows 11’s security specs will likely prevent many Windows 10 users from upgrading due to the new OS’s hardware requirements.

Recent CVEs


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-34527

Title: Windows Print Spooler Remote Code Execution Vulnerability

Vendor: Microsoft

Description: The vulnerability allows a standard Active Directory domain user to achieve remote code execution with SYSTEM privileges by exploiting flaws in the Print Spooler service (spoolsv.exe), which is present and enabled by default on all supported Windows versions, including domain controllers. Microsoft's interim guidance is to disable the Print Spooler service wherever it is not needed and to block inbound remote printing through Group Policy on systems that must keep it running.

CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-26078

Title: XSS Vulnerability in Jira

Vendor: Atlassian

Description: The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability.

CVSS v3.0 Base Score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

ID: CVE-2020-3580

Title: XSS Vulnerability in Cisco Adaptive Security Appliance Software

Vendor: Cisco

Description: Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface. An attacker could exploit them by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section of Cisco's advisory.

CVSS v3.1 Base Score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

ID: CVE-2009-2265

Title: Unauthorized Directory Traversal Vulnerability in FCKeditor

Vendor: FCKEditor

Description: Multiple directory traversal vulnerabilities in unpatched FCKeditor allow remote attackers to create executable files in arbitrary directories via directory traversal sequences in the input to unspecified connector modules, as exploited in the wild for remote code execution in July 2009, related to the file browser and the editor/filemanager/connectors/ directory.
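The root cause described above, a connector that builds a filesystem path from a client-supplied folder and file name, is a generic pattern. The block below is an added example written as a Python stand-in; it is not FCKeditor's code. It places the traversal-prone path construction beside a hardened version that anchors the folder under the upload root, canonicalises it, proves it stayed inside, and allow-lists the extension so a server-side script cannot be written into a served directory. ROOT (a throwaway temporary directory), ALLOWED_EXT and the function names are assumptions.

```python
"""Traversal-prone vs. hardened path handling for a file-manager upload
connector. Added example, not FCKeditor's code; ROOT is a constructed
temporary directory standing in for a userfiles directory under the web root."""
import os
import tempfile
from pathlib import Path

ROOT = Path(tempfile.mkdtemp(prefix="userfiles-"))
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}


def resolve_target_vulnerable(root, folder: str, filename: str) -> Path:
    """Joins client-controlled folder and name as-is: '..' walks out of root,
    and an absolute folder makes os.path.join discard root entirely."""
    return Path(os.path.normpath(os.path.join(str(root), folder, filename)))


def resolve_target_hardened(root, folder: str, filename: str) -> Path:
    root = Path(root).resolve()
    # 1. The file part must be a bare name: no separators, no '.'/'..', no NUL.
    if not filename or filename in (".", "..") or any(c in filename for c in "/\\\x00"):
        raise ValueError("invalid file name")
    # 2. Allow-list extensions so a server-side script cannot be dropped.
    if Path(filename).suffix.lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    # 3. Anchor the folder under root, canonicalise (follows symlinks), and
    #    prove by path-component comparison, not string prefix, that it stayed inside.
    target_dir = (root / folder.strip("/\\")).resolve()
    if target_dir != root and root not in target_dir.parents:
        raise ValueError("folder escapes the upload root")
    return target_dir / filename


def is_inside(root, path) -> bool:
    root, path = Path(root).resolve(), Path(path).resolve()
    return path == root or root in path.parents


def is_rejected(root, folder: str, filename: str) -> bool:
    try:
        resolve_target_hardened(root, folder, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", resolve_target_vulnerable(ROOT, "../../../tmp", "shell.php"))
    print("hardened:  ", resolve_target_hardened(ROOT, "images/2021", "photo.jpg"))
```

The component-wise containment check matters because a string-prefix test would accept a sibling directory such as userfiles-evil next to userfiles. The extension allow-list is necessary but not sufficient on its own: double-extension handling in some web servers and content sniffing are separate concerns, and uploads are best stored outside any directory the server will execute from.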

Prevalent Malware Files


SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8


Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb

MD5: 6be10a13c17391218704dc24b34cf736


Typical Filename: smbscanlocal0906.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b


Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name:

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a


Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 5807b6aed9040d1a605be638604177226d9eaed0cb260c45cef23abe6ed03fdf

MD5: 1c573e6d61b111dedd8ad2e936710cef


Typical Filename: flashhelperservice.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Auto:5807b6aed9.in03.Talos