Published by Vladimir Unterfingher

Patch Tuesday August 2022 – Microsoft Fixes 21 Vulnerabilities, Including a Zero-Day Bug

Zero-Day Exploited Allowed Remote Code Execution without Authentication

As part of August’s Patch Tuesday, Microsoft has released fixes for 21 vulnerabilities. The list also includes a fix for a zero-day bug that was first identified in December 2020. Per Microsoft’s evaluation, the vulnerability required no authentication and could have been exploited remotely.

Patch Tuesday August Roundup

Not much to report on the patching front; per its usual monthly routine, Microsoft delivered several improvements and fixes to the Chromium-based browser engine. To name a few, we have fixes for issues such as a heap buffer overflow in PDF, a use-after-free in Offline, insufficient validation of untrusted input in Internals, a use-after-free in the Extensions API, and, of course, side-channel information leakage in keyboard input.

This month’s highlight is definitely CVE-2021-42279, aka the Chakra Scripting Engine Memory Corruption Vulnerability. Microsoft’s zero-day has quite an interesting history: it was discovered in 2020, cataloged in 2021, and received a fix in August 2022. The issue affected both Edge and other web browsers that used the ChakraCore engine.

CVE-2021-42279 was traced back to a memory-handling defect in the Chakra Scripting Engine. If successfully exploited, the issue would have allowed a threat actor to read from and write to arbitrary memory locations. Why is the Chakra Scripting Engine Memory Corruption vulnerability considered a zero-day threat? Per Microsoft’s evaluation, the vulnerability could have been exploited regardless of authentication level, meaning that a threat actor does not require elevated privileges in order to leverage the issue. CVE-2021-42279 is now labeled as fixed. The full list of fixes can be found below.

| Release Date | CVE Number | CVE Title |
| --- | --- | --- |
| Aug 5, 2022 | CVE-2022-35796 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| Aug 5, 2022 | CVE-2022-33649 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability |
| Aug 5, 2022 | CVE-2022-33636 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability |
| Aug 5, 2022 | CVE-2022-2624 | Chromium: CVE-2022-2624 Heap buffer overflow in PDF |
| Aug 5, 2022 | CVE-2022-2623 | Chromium: CVE-2022-2623 Use after free in Offline |
| Aug 5, 2022 | CVE-2022-2622 | Chromium: CVE-2022-2622 Insufficient validation of untrusted input in Safe Browsing |
| Aug 5, 2022 | CVE-2022-2621 | Chromium: CVE-2022-2621 Use after free in Extensions |
| Aug 5, 2022 | CVE-2022-2619 | Chromium: CVE-2022-2619 Insufficient validation of untrusted input in Settings |
| Aug 5, 2022 | CVE-2022-2618 | Chromium: CVE-2022-2618 Insufficient validation of untrusted input in Internals |
| Aug 5, 2022 | CVE-2022-2617 | Chromium: CVE-2022-2617 Use after free in Extensions API |
| Aug 5, 2022 | CVE-2022-2616 | Chromium: CVE-2022-2616 Inappropriate implementation in Extensions API |
| Aug 5, 2022 | CVE-2022-2615 | Chromium: CVE-2022-2615 Insufficient policy enforcement in Cookies |
| Aug 5, 2022 | CVE-2022-2614 | Chromium: CVE-2022-2614 Use after free in Sign-In Flow |
| Aug 5, 2022 | CVE-2022-2612 | Chromium: CVE-2022-2612 Side-channel information leakage in Keyboard input |
| Aug 5, 2022 | CVE-2022-2611 | Chromium: CVE-2022-2611 Inappropriate implementation in Fullscreen API |
| Aug 5, 2022 | CVE-2022-2610 | Chromium: CVE-2022-2610 Insufficient policy enforcement in Background Fetch |
| Aug 5, 2022 | CVE-2022-2606 | Chromium: CVE-2022-2606 Use after free in Managed devices API |
| Aug 5, 2022 | CVE-2022-2605 | Chromium: CVE-2022-2605 Out of bounds read in Dawn |
| Aug 5, 2022 | CVE-2022-2604 | Chromium: CVE-2022-2604 Use after free in Safe Browsing |
| Aug 5, 2022 | CVE-2022-2603 | Chromium: CVE-2022-2603 Use after free in Omnibox |
| Nov 9, 2021 | CVE-2021-42279 | Chakra Scripting Engine Memory Corruption Vulnerability |

Additional Cybersecurity Advice

Well, this concludes the August edition of Patch Tuesday. Hope it was to your taste, and, before I scoot, here are a couple of pieces of cybersecurity advice.

  • Automated patch deployment. If you’re planning on staying ahead of your attackers, automatic patching and patch management is the solution. Heimdal™ Security’s Patch & Asset Management will ensure that all your apps are up to speed, regardless of OS or the type of update package you’re going to deploy.
  • Phishing. Please do yourself a favor and stay away from suspicious emails.
  • Prioritize security updates. While drafting your patch deployment battle plan, make sure that you prioritize security-related updates or patches over quality updates.

Additional resources:

If you liked this article, follow us on LinkedIn, Twitter, Facebook, YouTube, and Instagram for more cybersecurity news and topics.

Published by Vladimir Unterfingher, 2022.08.12

The Most Relevant Ransomware Statistics and Facts of 2022

Q1, Q2, and Q3 in Ransomware Stats and Facts

The state of ransomware remains, more or less, unchanged; my choice of words would be unchallenged. For the past couple of years, we have witnessed a steady increase in ransomware attacks – a 13% YoY (Year-over-Year) increase according to a Verizon Business study. The frequency has also increased (or decreased, depending on your point of view); a study by DataProt suggests that every 11 seconds an organization gets hit by a ransomware attack. Certainly not the wow factor we were looking for, but do keep in mind that the 2019 baseline was 14 seconds (i.e., every 14 seconds an organization got hit by a ransomware attack). As you probably guessed, this article is dedicated to the most (business) relevant ransomware statistics of 2022. Enjoy!

A nota bene before we kick this off. This article will be split into two sections – the first one will be a quick recap of the most important ransomware happenings in Q1, Q2, and Q3, while the second section will be dedicated to stats, studies, and, of course, recommendations. That being said, let’s see how 2022 went so far in terms of ransomware attacks.


Q1 in Ransomware


January 2022 Attacks

Delta Electronics

On the 18th of January, Delta Electronics, an important contractor for companies such as Tesla and Apple, suffered a ransomware attack. The investigation revealed that the attacker or attackers targeted non-critical systems. Though the details were a bit blurry, some sources stated that the Delta Electronics incident might have been more severe than the company let on. Conti, the ransomware in question, managed to knock out and encrypt around 1,500 Delta servers and 15K endpoints. The attackers asked for $15 million in exchange for the decryption keys and even offered an ‘early-bird’ discount.

FinalSite

In early January, FinalSite was hit by an unknown ransomware strain. The SaaS provider, which offers CMS, hosting, and design services to various institutions including K-12 school districts, was flooded with support tickets from K-12 customers complaining about inaccessible web resources. According to the incident report, all websites hosted by FinalSite went offline due to “performance and technical-related issues”. In reality, the company was hit by a ransomware attack that prevented access to said resources.

QNAP Systems

In late January, Taiwanese company QNAP Systems made headlines after many of its NAS customers reported that they were no longer able to access their devices. The investigation revealed that the devices got encrypted by DeadBolt Ransomware. QNAP has yet to disclose how many NASs were affected during this attack. As for the ransoming part, the attackers demanded the Bitcoin equivalent of $1.1K in exchange for the decryption key.

February 2022 Attacks

Microsoft Exchange

Back in February, Mandiant discovered that a new and improved version of Cuba Ransomware was ransacking Microsoft Exchange servers. The malware used cutting-edge tools such as Cobalt Strike Beacon, NetSupport, BURNTCIGAR, WEDGECU, and the BUGHATCH custom downloader.

Mizuno

Around the same time Mandiant was blowing the whistle on Cuba’s appetite for MS Exchange servers, another big fish was getting pummeled by ransomware. During an over-the-weekend ransomware raid, Mizuno Corporation lost phone lines and experienced order delays.

Puma

In early February, Puma experienced a data breach due to a ransomware attack. Nothing too spectacular, unless you factor in the fact that Kronos was, partly, responsible for Puma’s data breach. Back in 2021, Kronos got KOed by a ransomware attack and because, at that time, Puma and Kronos worked together, Puma got breached as well.

March 2022 Attacks

Shutterfly

Back in March, Shutterfly spilled the beans about the data breach that occurred in December 2020. According to the company’s statement, during the Conti ransomware attack, multiple company-owned servers and endpoints got encrypted. The APT behind the attack also managed to steal sensitive data and files.

Samsung

In late March, a threat group managed to infiltrate Samsung and leaked 190GB worth of data. The investigation revealed that the same group was behind the NVIDIA incident that occurred a week earlier.

NVIDIA

Prior to the attack on Samsung, threat group Lapsus$ breached NVIDIA and managed to steal 1TB worth of GPU specs and at least 20GB worth of documents.


Q2 in Ransomware


April 2022 Attacks

Nordex SE

After being hit by a ransomware attack in late March, European company Nordex SE decided to shut down all systems to limit the spreading of Conti ransomware.

Zegna

Around the same time Nordex was purging Conti from its systems, Ermenegildo Zegna Group found itself in the same predicament; forensics revealed that the luxury menswear brand and its subsidiaries were attacked by the RansomEXX APT. The attack completely disrupted the company’s systems.

May 2022 Attacks

SpiceJet

Low-cost airline company SpiceJet got spiked back in May by ransomware that caused its systems to crash. As a result, most of the flights got canceled.

CPS (Chicago Public Schools)

Chicago Public Schools, the second largest US schooling district, announced back in May that the data of over 500,000 students had been leaked as a result of an undisclosed ransomware attack that took place in December 2021.

June 2022 Attacks

Flagstar Bank

In June, Flagstar Bank publicly announced that due to a ransomware attack that occurred in December, the data of 1.5 million customers got leaked.

Microsoft Exchange Encore

Cuba wasn’t the only ransomware used to target unpatched Microsoft Exchange servers. Microsoft’s June research revealed that BlackCat has also been employed for the same purpose.


Q3 in Ransomware


July 2022 Attacks

Macmillan

Esteemed publishing house Macmillan got hit by a ransomware attack in early July. Although nothing was taken – or added – the attack forced Macmillan Publishing to take its systems offline for a couple of days.

Professional Finance Company Inc. (PFC)

During the same month, PFC went public about the ransomware attack and subsequent data breach. The latter affected at least 600 of its customers.

August 2022 Attacks

Cisco

And because we simply cannot go by without talking about the elephant in the room, Cisco recently announced that its infrastructure was breached by the Yanluowang ransomware gang. The ensuing investigation revealed that nothing was taken nor leaked.

Creos Luxembourg S.A.

BlackCat also has a penchant for non-Microsoft-related assets. Back in July, it went after Creos Luxembourg. The company went public in early August. No data was leaked, but some of its online assets were taken offline for a couple of days, pending an internal investigation.

2022 Ransomware Statistics

And now, for the moment everybody’s been waiting for – the most relevant ransomware statistics and studies of 2022. So, without further ado, let’s get started.

  1. Phishing is the most popular distribution vector, followed by spearphishing and human error. (Statista)
  2. Ransomware creators can rake up to $1 billion per year. (University of Surrey)
  3. Companies tend to spend at least $10 billion per year on security training. (Kaspersky)
  4. Roughly 8% of consumers will report ransomware-related cybercrimes to authorities, and only 6.5% of them will actually pay the ransom. (Stanford University)
  5. 67% of Canadian and German institutions report having the means to deal with ransomware attacks. In the US, only 37% of respondents said that they possess the means to counter ransomware attacks. (Malwarebytes)
  6. 14 US critical sectors have been subjected to intense ransomware attacks. (Cybersecurity & Infrastructure Security Agency)
  7. The FBI identified 2000+ ransomware attacks from January to July.
  8. It takes a company 22 days on average to recover after a ransomware attack.
  9. 20% of organizations and institutions have experienced ransomware attacks after switching to remote working.
  10. 65% of companies that paid the ransom got their data back. (Sophos)
  11. 1,211 ransomware variants are being created each day. (SonicWall)
  12. It takes ransomware 43 minutes to encrypt 55GB of data. (Splunk)
  13. Data exfiltration occurs in 84% of ransomware attacks.
  14. Cobalt Strike Beacon was used in 32% of US ransomware attacks in Q1 2022. (Trellix)
  15. The most targeted global business sector was Telecom. It accounted for 53% of ransomware attacks. (Trellix)
  16. CMD was the most used ransomware tool, accounting for 14% of ransomware attacks. (Trellix)
  17. 95% of data breaches can be traced back to human error. (World Economic Forum)
  18. 1 out of 40 organizations will be hit by ransomware. (Check Point)
  19. In Q2 2022, Education and Research was the most targeted sector – 53%. (Check Point)
  20. The average cost of a data breach due to a ransomware attack is $4.3 million. (IBM)

How to Protect Your Assets against Ransomware

On the defender’s side, extra precautions are mandated. For starters, avoid downloading content from suspicious web pages, don’t open email attachments from senders outside of your contact list, and don’t follow any links that might be enclosed in these emails. On top of that, ensure that your AV is up to date, and consider deploying a ransomware encryption protection solution. Heimdal™ Security’s Ransomware Encryption Protection is a solution that actively looks for malicious encryption attempts and stops them before they encrypt your files.
