Microsoft Warns of New Zero-Day Exploited in Real-World Attacks

German government reportedly bought NSO Pegasus spyware, Howard University cancels classes due to ransomware attack, REvil gang's servers come alive again, NZ orgs hit with DDoS attacks again, more

Microsoft’s security team issued an alert earlier today warning of a new zero-day, CVE-2021-40444, that is being abused in real-world attacks. The bug is a remote code execution flaw in MSHTML, also known as Trident, the browser engine behind Internet Explorer.

Although best known as the engine of the now-deprecated Internet Explorer, MSHTML is also used by Office applications to render web-hosted content inside Word, Excel, or PowerPoint documents. Details of the attacks, which were discovered by Mandiant and EXPMON, have not been released. Microsoft plans to issue a patch next week; in the meantime, organizations can block the known exploitation of CVE-2021-40444 by disabling the installation of ActiveX controls in Internet Explorer. (Catalin Cimpanu / The Record)
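Microsoft's published workaround for CVE-2021-40444 is to disable ActiveX control installation in Internet Explorer, which MSHTML honours when rendering inside Office, by setting the URL actions 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls) to 3 (Disable) for security zones 0 through 3 under the policy hive. The script below is an added example, not Microsoft's own .reg file from the advisory, that applies those values and then verifies them; run it from an elevated PowerShell session. Two caveats from the advisory worth keeping in mind: previously installed ActiveX controls continue to run, so this only blocks new installs, and Office already opens documents carrying the Mark of the Web in Protected View or Application Guard, both of which stop the current attack, so the document has to be opened outside those sandboxes for the exploit to work.

```powershell
# Added example: apply and verify Microsoft's registry workaround for CVE-2021-40444
# (disable ActiveX control installation in Internet Explorer / MSHTML).
# Requires an elevated session. To revert, remove the two values from each zone key
# (or restore their previous values) after the patch is installed.

$base    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones   = 0..3                          # 0 Local Machine, 1 Local Intranet, 2 Trusted Sites, 3 Internet
$actions = @{ '1001' = 3; '1004' = 3 }   # 1001 = download signed ActiveX, 1004 = download unsigned ActiveX, 3 = Disable

function Set-ActiveXDownloadDisabled {
    foreach ($z in $zones) {
        $key = Join-Path $base $z
        # The policy zone keys do not exist on a default install; create them on demand.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($a in $actions.Keys) {
            Set-ItemProperty -Path $key -Name $a -Value $actions[$a] -Type DWord
        }
    }
}

function Test-ActiveXDownloadDisabled {
    # Returns $true only if every zone has both actions set to 3.
    $ok = $true
    foreach ($z in $zones) {
        $key = Join-Path $base $z
        foreach ($a in $actions.Keys) {
            $v = (Get-ItemProperty -Path $key -Name $a -ErrorAction SilentlyContinue).$a
            if ($v -ne 3) {
                Write-Warning "Zone $z action $a is '$v', expected 3"
                $ok = $false
            }
        }
    }
    return $ok
}

Set-ActiveXDownloadDisabled
if (Test-ActiveXDownloadDisabled) {
    'ActiveX control installation disabled in IE zones 0-3'
} else {
    'Workaround not fully applied; review the warnings above'
}
```

Test-ActiveXDownloadDisabled on its own is also a useful compliance check to run across a fleet before and after the patch ships, since a machine where the values are missing or overridden is still exposed.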

Related: Security Week, Bleeping Computer, IT News, gHacks, Infosecurity Magazine, GBHackers On Security, The Hacker News, The Register - Security, Help Net Security, Microsoft

Highlighting the possibility that Western democracies, and not just despotic regimes, may be surveilling citizens with Pegasus spyware from notorious vendor NSO, Germany’s Federal Criminal Police Office (BKA) bought Pegasus from the Israeli firm in 2019, German newspaper Die Zeit reported, together with daily Süddeutsche Zeitung and public broadcasters NDR and WDR.

Sources say the German government informed the Interior Committee of the Bundestag of the purchase in a closed-door session. Although the details are unclear, the version purchased by the BKA had certain functions blocked to prevent abuse, security circles told the papers. (Deutsche Welle)

Related: The Times of Israel, Haaretz.com, Security Week, Jerusalem Post

Howard University canceled online and hybrid classes for Tuesday and Wednesday after a ransomware attack disrupted internet service across its Washington, DC campus. All in-person undergraduate, graduate, professional, and clinical experiential courses will resume as scheduled on Wednesday.

Howard University officials and leading cyber experts are trying to assess what has been compromised in the attack. (April Ryan / The Grio)

Related: WJLA, Washington Post, TechCrunch, DCist, The Hill: Cybersecurity, KTEN, CNN.com, The Crime Report, Howard University, The Daily Beast, NBC News Top Stories, GovernmentCyber.com, Newsweek, ZDNet Security, UPI.com, Daily Mail, RT USA, CNET, Slashdot, WUSA, CBS Baltimore, New York Times


The dark web servers of the REvil ransomware gang, also known as Sodinokibi, suddenly came back online after a two-month absence. The gang’s Tor servers and infrastructure went dark following its July ransomware attack through the Kaseya VSA remote management software, which provoked a stiff response from the Biden administration.

Kaseya later mysteriously received a universal decryption key, which the company shared with the FBI. The gang’s data leak site is currently functional, although its Tor negotiation site does not appear to be fully operational yet. (Lawrence Abrams / Bleeping Computer)

Related: ZDNet Security, The Record, Bloomberg, Security Affairs, Infosecurity Magazine

For the second time this week, a DDoS attack has taken down several major New Zealand organizations’ websites, including Kiwibank, ANZ, NZ Post, and MetService. It has also slowed down the website of New Zealand police.

The Government's Computer Emergency Response Team (CERT NZ) issued a statement saying that "We are limited in any public comment we will make as we are aware that malicious cyber actors can follow what is reported publicly, and may change their behavior based on media reporting of their activity.” (Tamsyn Parker / New Zealand Herald)

Related: ETTelecom.com, Reuters, RNZ News

Amid a recent wave of attacks exploiting an unauthenticated OGNL injection bug in Atlassian’s Confluence Server (CVE-2021-26084), the developers of Jenkins, a widely used open-source automation server, said they suffered a security breach after hackers gained access to the project’s Confluence server and deployed a cryptocurrency miner.

The developers immediately took the affected server offline while investigating the potential impact. The Jenkins team says they have no reason to believe that any Jenkins releases, plugins, or source code were affected. (Catalin Cimpanu / The Record)

Related: Threatpost, ZDNet Security, Bleeping Computer, The Daily Swig, Lifars, Tenable Blog, Jenkins, Security Week

WABetaInfo, which tracks forthcoming WhatsApp features, says that WhatsApp will give users the option to adjust the visibility of their "Last Seen" status on a contact-by-contact basis.

WhatsApp's current setting options are limited to "Everyone," "My Contacts," and "Nobody," with no way to make exceptions for individual contacts. The new feature will allow users to exclude specific contacts. (Tim Hardwick / MacRumors)

Related: Pocketnow, Android Central, NDTV Gadgets360.com, Cult of Mac, iPhone Hacks, AppleInsider, xda-developers, 9to5Google, Android Authority, The Tribune India, Engadget, gHacks, WCCFtech, Big News Network, Redmond Pie, Gizchina.com, iMore, Business Insider, E Hacking News, Explica, Raw Story, ProPublica, WABetaInfo

Three new draft guidance documents on zero trust, part of the Biden administration’s push to improve the nation’s cybersecurity, emerged yesterday.

The documents, which include a federal zero trust strategy from the Office of Management and Budget and a zero trust maturity model and cloud security technical reference architecture from the Cybersecurity and Infrastructure Security Agency, stem from Biden’s wide-ranging cybersecurity executive order issued earlier this year and aim to provide the roadmap and resources needed to sustain a multi-year push toward zero trust. OMB and CISA are seeking comments on all three documents. (Chris Riotta / FCW)

Related: Meritalk, Homeland Security Today, ZeroTrust.cyber.gov

Researchers at ESET say they discovered a year-long mobile espionage campaign against the Kurdish ethnic group that deploys two Android backdoors masquerading as legitimate apps.

The attacks, active since at least March 2020, used as many as six dedicated Facebook profiles that claimed to offer tech and pro-Kurdish content. Two of the profiles pushed the trojanized Android apps, while the other four appeared to provide news for Kurdish supporters. All six profiles have since been taken down. (Ravie Lakshmanan / The Hacker News)

Related: Future Five, Security Brief, We Live Security

Photo by Tadas Sar on Unsplash