
Medusa Ransomware

Summary: The Medusa ransomware operation has been active since 2021. In 2023, however, its operators launched a leak site titled “Medusa Blog,” which publishes information about victims who refuse to pay the ransom. It is unrelated to the Medusa Mirai botnet, the Medusa Android malware, and MedusaLocker. Unlike many of the similarly named “Medusa” families, this particular Medusa ransomware exists only on Windows and has no known variants.

Upon execution, the ransomware kills several processes, encrypts the files on the system, and appends a “.MEDUSA” extension to each encrypted file. Every folder also receives a ransom note named “!!!READ_ME_MEDUSA!!!.txt”. The “Medusa Blog,” hosted on the Tor network, lets victims interact with the operators. Its “Secure Chat” offers victims three options: delay the data release, delete the data, or download the data. Each option is priced differently, giving victims a choice of what to do with their data. This tiering lets the operators charge wealthier victims a higher price while still extracting money from poorer victims, who may buy a delay on the release of their files until they can gather the funds.

Why is it important: Although there are many ransomware families and operations in the world, the Medusa ransomware stands out because it has no known weaknesses. For certain ransomware families, companies have published decryption keys that help victims avoid paying an expensive ransom; no such key exists yet for Medusa. More significantly, this ransomware can turn into a long-term incident for the target, because its secure chat and tiered payment options are designed to turn victims into a recurring source of income. Without a known weakness, the financial damage Medusa can cause could be high.
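The two on-disk artifacts the summary describes (files renamed with a “.MEDUSA” extension and a “!!!READ_ME_MEDUSA!!!.txt” note in each folder) are the first things an incident responder looks for when triaging a share or a mounted disk image. The following Python script is an added example, not code from the newsletter or from any vendor: it walks a directory tree, lists the encrypted files and the original names they were renamed from, lists the ransom notes, flags folders that contain encrypted files but no note (encryption may have been interrupted there), and gives a coarse verdict. The victim tree it scans is constructed inside a temporary directory for demonstration; the file names and contents are not from a real incident.

```python
import os
import tempfile
from pathlib import Path

# Artifacts described in the newsletter for this Medusa family.
ENCRYPTED_SUFFIX = ".medusa"            # compared case-insensitively
NOTE_NAME = "!!!READ_ME_MEDUSA!!!.txt"


def scan_tree(root):
    """Walk `root` and summarise Medusa-style artifacts.

    Paths in the result are relative to `root` and POSIX-style so the
    output is stable whether the scan runs on Windows or on a Linux
    workstation with the victim volume mounted.
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == NOTE_NAME:
                notes.append(path)
            elif name.lower().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)

    def rel(p):
        return p.relative_to(root).as_posix()

    dirs_with_encrypted = {p.parent for p in encrypted}
    dirs_with_notes = {p.parent for p in notes}
    return {
        "encrypted_files": sorted(rel(p) for p in encrypted),
        # The original name is recovered by stripping the appended extension.
        "original_names": sorted(rel(p)[: -len(ENCRYPTED_SUFFIX)] for p in encrypted),
        "ransom_notes": sorted(rel(p) for p in notes),
        # Folders hit by encryption but lacking the note: encryption may have
        # been interrupted there, or the note was already cleaned up.
        "encrypted_dirs_without_note": sorted(
            rel(d) for d in dirs_with_encrypted - dirs_with_notes
        ),
        "likely_medusa": bool(encrypted) and bool(notes),
    }


def build_sample_tree(base):
    """Create a small constructed victim tree (demonstration data only)."""
    base = Path(base)
    (base / "Finance").mkdir(parents=True)
    (base / "Finance" / "Q1.xlsx.MEDUSA").write_bytes(b"\x00constructed ciphertext\x00")
    (base / "Finance" / NOTE_NAME).write_text("constructed ransom note text")
    (base / "HR").mkdir()
    (base / "HR" / "payroll.docx.MEDUSA").write_bytes(b"\x00constructed ciphertext\x00")
    # A folder the ransomware never touched.
    (base / "Public").mkdir()
    (base / "Public" / "readme.txt").write_text("untouched")
    return base


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To use it against a real volume, call `scan_tree()` with the mount point instead of `demo()`; the `encrypted_dirs_without_note` list is worth reviewing separately, since those folders are where the encryption run was most likely interrupted and where partially written files may remain.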

Western Digital Network Breach

Summary: Western Digital announced on April 03, 2023, that a major security incident had occurred in which an unauthorized third party gained access to internal systems. The threat actor obtained certain data from the company’s systems; however, the nature and scope of that data have not yet been determined.

Although the breach notification did not initially specify which services were taken down, several services were interrupted the same day. These services include My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS5, SanDisk ibi, and SanDisk Ixpand Wireless Charger. On April 07, 2023, the company released a feature named Local Access that lets users reach files stored locally on their Western Digital devices through a web browser connected to the device’s Dashboard.

Why it matters: Western Digital is one of the largest hardware storage makers in the world. Its personal storage devices and cloud solutions hold users’ personal data. Although the nature of the incident has not yet been defined, the interruption of these services indicates that they are likely vulnerable. A data breach that affects users’ devices could easily lead to unauthorized access to users’ data. Personal data on users’ own storage could include Personally Identifiable Information, Personal Health Information, and other sensitive information that is protected under various laws. Western Digital’s decision to take down the services upon discovering the breach was a temporary workaround to protect not only its systems but also the privacy of its users’ data.


NCR’s Aloha POS Outage

Summary: The POS software manufacturer NCR announced that its Aloha POS system suffered an outage after a BlackCat ransomware attack. Aloha POS, a product commonly used in restaurants, has been experiencing an outage since April 12, 2023. The outage has had a global effect on users of NCR’s Aloha products and has prevented them from using the software to operate their businesses normally.

Not only did the ransomware cause an outage of NCR’s Aloha POS system, but a post on BlackCat’s leak site suggests that the ransomware gang gained access to customer networks. The post read:

During four days of silence and removal of any mention of ransomware on reddit, NCR representatives went into a chat room to find out what data had been stolen. After receiving information that NCR data had not been stolen, but accessed their customers’ networks, they decided to make a press release. We are forced to take action regarding NCR customers. If you become our victim you know who to thank.

However, contradicting the BlackCat post, NCR announced that the outage stemmed from a single data center. According to an update posted by NCR, that data center does not process any customer data.

Why it matters: Although companies should be familiar with ransomware by now, this type of attack still poses major risks, not only for the company but for its customers as well. In the event of a data breach, it is important for companies, particularly those with European customers, to inform those customers of the breach as required by GDPR Article 33. More importantly, incidents such as this are why companies should prioritize implementing data-at-rest encryption. Data-at-rest encryption encrypts the data held in databases so that a malicious actor who reaches the database cannot read its actual contents. Despite NCR’s claim that customer data was not accessed, every company should implement data-at-rest encryption to prevent attackers from easily extracting information from a database. Most importantly, data-at-rest encryption covers the whole database from the moment it is first enabled, and the data remains encrypted until the protection is removed. All companies should adopt this defensive practice to help protect their own data as well as their customers’.

Google Chrome Zero-Day Actively Being Exploited

Summary: This new vulnerability, identified on April 13 as CVE-2023-2033, is currently being exploited by adversaries. It allows remote attackers to execute arbitrary code, and exploitation can also crash the browser by reading or writing memory outside buffer boundaries. The flaw lies in Chrome’s V8 JavaScript engine, so it also affects every browser based on Chromium. Google released an emergency update and strongly encouraged every user to update immediately to the latest version (112.0.5615.138 or later). Because the vulnerability affects other browsers built on Google’s Chromium project (such as Microsoft Edge), users are advised to update those browsers to their latest versions immediately as well.

The bug was reported by Clement Lecigne of Google’s Threat Analysis Group (TAG), whose primary goal is to defend Google customers from state-sponsored attacks. Although type confusion flaws would generally allow attackers to trigger browser crashes after successful exploitation by reading or writing memory out of buffer bounds, threat actors can also exploit them for arbitrary code execution on compromised devices.

Why it matters: Google has confirmed that this vulnerability is actively being exploited by adversaries, but because analysis is ongoing, very little information about how the attacks are carried out has been shared. Currently, the only way to prevent these attacks is to update browsers to the latest version. Since many browsers check for updates only weekly, users may need to update their browsers manually, or IT administrators may need to force the update through their organization’s software update platform (such as Active Directory or Windows Update).
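Because the only mitigation is being at or past the fixed build, the practical question for an administrator is which machines in an inventory are still below 112.0.5615.138. The following Python script is an added example, not code from the newsletter or from Google; it parses dotted version strings numerically, pads versions of different length, classifies a constructed inventory of hosts, and reports Chromium-based browsers for which the page gives no fixed build (Edge) as having no baseline rather than guessing one. The inventory lines and host names are constructed sample data.

```python
# Fixed Chrome build stated in the advisory summary above.
FIXED_BUILDS = {"chrome": "112.0.5615.138"}
# The page gives no fixed build for Edge or other Chromium-based browsers,
# so those hosts are reported as "no_baseline" instead of being guessed at.


def parse_version(text):
    """Turn '112.0.5615.138' into (112, 0, 5615, 138); reject anything else."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def version_at_least(installed, required):
    """Numeric, component-wise comparison.

    Plain string comparison gets this wrong ('112.0.5615.99' sorts after
    '112.0.5615.138' as text), so both sides are parsed to integer tuples.
    A shorter version such as '112.0.5615' is padded with zeros and so
    compares as 112.0.5615.0, which is below the fixed build.
    """
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def triage_inventory(lines):
    """Classify inventory lines of the form 'host,browser,version'."""
    result = {"patched": [], "needs_update": [], "no_baseline": []}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, browser, version = (field.strip() for field in line.split(","))
        baseline = FIXED_BUILDS.get(browser.lower())
        if baseline is None:
            result["no_baseline"].append(host)
        elif version_at_least(version, baseline):
            result["patched"].append(host)
        else:
            result["needs_update"].append(host)
    return result


# Constructed sample inventory; the hosts and the non-Chrome version are made up.
SAMPLE_INVENTORY = """
# host,browser,version
ws-01,chrome,112.0.5615.138
ws-02,chrome,112.0.5615.121
ws-03,chrome,112.0.5615.99
ws-04,chrome,113.0.0.1
ws-05,edge,112.0.0.1
""".splitlines()


if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

In practice the inventory would come from the organization’s endpoint management export rather than an inline string; the point of the script is the numeric comparison, since a report that sorts versions as text would list ws-03 as patched.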


Apple Issues Emergency Fix for Spyware-Style Zero-Days

Summary: These latest vulnerabilities affect iPhone 8 and later, iPad Air 3rd generation and later, iPad and iPad mini 5th generation, all models of iPad Pro, and macOS Ventura, and are tracked as CVE-2023-28205 and CVE-2023-28206. “Two different bugs are addressed in these updates. Importantly, both vulnerabilities are described not only as leading to ‘arbitrary code execution,’ but also as ‘actively exploited,’ making them zero-day holes,” states Paul Ducklin, a security researcher at Sophos.

The vulnerability designated as CVE-2023-28205 affects the WebKit browser and allows for the execution of arbitrary code from maliciously created web content. “Apple’s own Safari browser uses WebKit, making it directly vulnerable to WebKit bugs. Additionally, Apple’s App Store rules mean that all browsers on iPhones and iPads must use WebKit, making this sort of bug a truly cross-browser problem for mobile Apple devices,” Ducklin said.

The vulnerability designated CVE-2023-28206 is an out-of-bounds write flaw that allows any iOS application to execute arbitrary code with kernel privileges. “This bug allows a booby-trapped local app to inject its own rogue code right into the operating system kernel itself,” Ducklin said. “Kernel code execution bugs are inevitably much more serious than app-level bugs, because the kernel is responsible for managing the security of the entire system, including what permissions apps can acquire, and how freely apps can share files and data between themselves.”

Why it matters: Because all browsers on Apple’s mobile devices use WebKit, users must update their devices immediately. For the iOS vulnerabilities, an attacker can chain the remote browser bug with the local kernel bug and sidestep the App Store entirely, so a device can be compromised without the user ever downloading an app from a third-party location. Given how critical these bugs are, Apple is urging all of its customers to update their affected devices.

Security Tip of the Month – Potentially Unwanted Programs

Summary: Potentially unwanted programs or applications (PUPs or PUAs) are defined as “applications installed in a mobile device or a computer that may pose high risk or have untoward impact on user security and/or privacy.” These applications are either preinstalled by the device manufacturer or are inadvertently installed by users without their consent. The latter can happen for several reasons, but it typically occurs because the program is bundled with software the user actually wants.

Many of these applications may be benign, but they run in the background consuming resources, which over time can reduce the responsiveness of the device, and they can be an annoyance through pop-up advertisements. The most nefarious of them can monitor user input or steal credentials and other sensitive information from a user’s system without their knowledge. Whatever their purpose, all PUPs have one thing in common: they are designed to hide on a user’s system and to be difficult to remove.

Why it matters: PUPs consume device resources and may also steal valuable information. They are specifically designed to sneak onto devices without user consent, and they can be developed by legitimate as well as nefarious persons or organizations. Users should be wary when installing new software and should look for pre-checked boxes in order to prevent the installation of unknown software bundled with the software they want. Avoiding “default” or “express” installation options helps users spot unwanted software, especially when downloading applications from the internet. It is also highly recommended to install antivirus software and keep it updated, both to detect PUPs that are already installed and to prevent their installation in the first place.
