Microsoft's PrintNightmare Patch Fails to Fully Fix the Problem

Kaseya knew about the flaw exploited by REvil attackers in April, Biden says he will deliver a ransomware response to Putin, Threat actors are using Kaseya ransomware attack for malspam, much more

Check out my latest column in CSO, which addresses how President Biden might get Russian President Putin to the table to solve the ransomware problem.

Researchers say that the emergency patch Microsoft issued on Tuesday for all supported versions of Windows fails to fully fix the critical security vulnerability known as PrintNightmare (CVE-2021-34527).

Microsoft published an out-of-band fix on Tuesday, saying the update “fully addresses the public vulnerability.” But researcher Benjamin Delpy published a video showing that exploits can still bypass the patch: the update fails to protect systems that use certain settings for Point and Print, a feature that makes it easier for network users to obtain the printer drivers they need. Despite the incomplete nature of the patch, it still provides meaningful protection against many types of attacks that exploit PrintNightmare. (Dan Goodin / Ars Technica)
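For administrators who want to know whether the bypass applies to their hosts, the following is an added example (not code from the article, from Delpy or from Microsoft). It audits the two Point and Print policy values that Microsoft's guidance for the July out-of-band update says must be 0 or absent for the patch to be effective, reports the Print Spooler service state, and offers a function to force the values to 0. The registry path and value names come from Microsoft's published guidance, not from this page; run it in an elevated session.

```powershell
# Added example, not code from the article or from Microsoft.
# Point and Print policy key named in Microsoft's July 2021 PrintNightmare guidance.
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$RiskyValues      = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

function Get-PointAndPrintStatus {
    $report = [ordered]@{}
    foreach ($name in $RiskyValues) {
        $value = $null
        if (Test-Path $PointAndPrintKey) {
            $value = (Get-ItemProperty -Path $PointAndPrintKey -Name $name -ErrorAction SilentlyContinue).$name
        }
        # Absent or 0 is the state the patch expects. A value of 1 suppresses the
        # warning/elevation prompt for non-admin driver installs or updates, which
        # is the configuration the demonstrated bypass relies on.
        if ($null -eq $value) {
            $report[$name] = 'absent (expected)'
        } elseif ($value -eq 0) {
            $report[$name] = '0 (expected)'
        } else {
            $report[$name] = "$value (NOT expected: patch can be bypassed)"
        }
    }
    # A stopped/disabled spooler is not exposed at all; note its state alongside.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($spooler) {
        $report['Spooler'] = "$($spooler.Status), StartType=$($spooler.StartType)"
    } else {
        $report['Spooler'] = 'service not found'
    }
    [pscustomobject]$report
}

function Set-PointAndPrintHardened {
    # Force both values to 0. If Group Policy sets them, change the GPO as well,
    # otherwise the next policy refresh will rewrite them.
    if (-not (Test-Path $PointAndPrintKey)) {
        New-Item -Path $PointAndPrintKey -Force | Out-Null
    }
    foreach ($name in $RiskyValues) {
        Set-ItemProperty -Path $PointAndPrintKey -Name $name -Value 0 -Type DWord
    }
}

Get-PointAndPrintStatus | Format-List
```

Hosts that do not need to print at all can go further and stop and disable the Spooler service, which removes the attack surface regardless of patch state; Set-PointAndPrintHardened is for hosts that must keep printing.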

Related: Spyware news, Qualys Blog, Security News | Tech Times, Heimdal Security Blog, ZDNet Security, gHacks, The Hacker News, Security Affairs, Infosecurity Magazine, Security Affairs, iTnews - Security, Security - Computing, The Straits Times Tech News, xda-developers, The Hill: Cybersecurity, Tom's Hardware, Bleeping Computer, SC Magazine, TODAYonline, Business Insider, How-To Geek, NewsBytes App, The Sun, The Sun, Petri, Lifehacker, CRN, Trusted Reviews, Neowin, Ars Technica, NewsBytes App, PC World, Bleeping Computer, SC Magazine, How-To Geek, The Register - Security, iTnews - Security, Reddit - cybersecurity, Dark Reading, Komando.com, MSPoweruser, Tenable Blog, Krebs on Security

Victor Gevers, chairman of the Dutch Institute for Vulnerability Disclosure, said that his organization discovered the flaw that allowed the REvil ransomware gang to launch a supply chain attack against software provider Kaseya. Gevers also said his organization informed Kaseya of the problem on April 6.

Gevers said the flaw reported by his group was one of seven vulnerabilities the group reported to Kaseya concerning its software. He said Kaseya responded with urgency once it was notified of the vulnerabilities and quickly issued two patches, one in April and another in May, that addressed some of the security issues. (Dustin Volz and Robert McMillan / Wall Street Journal)

Related: The Hill: Cybersecurity, Silicon Republic, The Register - Security, DataBreachToday.com, CSIRT

Following a meeting of top cybersecurity advisors in the Situation Room of the White House, President Biden said that he “will deliver” a response to President Vladimir Putin of Russia for the wave of ransomware attacks hitting American companies.

Separately, Biden also said late Wednesday that he was awaiting a report from the F.B.I. about whether the Republican National Committee was deliberately targeted by Russian state actors. (Nicole Perlroth and David Sanger / The New York Times)

Related: Raw Story, Devdiscourse News Desk, Devdiscourse News Desk, CBSNews.com, Associated Press Technology, Courthouse News Service, The Hill: Cybersecurity, Softpedia News, New York Daily News, The Independent, The Independent, Vanity Fair, Daily Mail, Vox, AP Top News, BBC News

Researchers at Malwarebytes say that scammers are sending malspam messages containing both a URL and an attached file that purports to be a Microsoft update for the Kaseya VSA vulnerability.

When victims click the link or run the attached “SecurityUpdates.exe,” they receive Cobalt Strike payloads disguised as Kaseya VSA security updates, which the attackers then use to exfiltrate data. Cobalt Strike is a legitimate penetration testing and threat emulation tool that attackers frequently abuse for post-exploitation tasks and to deploy so-called beacons that give them remote access to compromised systems. Neither Microsoft nor Kaseya delivers security fixes as emailed executables, so any such attachment should be treated as malicious. (Sergiu Gatlan / Bleeping Computer)

Related: Techradar, ComputerWeekly: IT security, MSSP Alert, SecurityWeek, SC Magazine, Mondaq.Com, Techradar, Graham Cluley, DataBreaches.net, CNN.com, Gadgets Now, Telecomlive.com, Daily Mail, Gadgets Now, Panda Security, Axios, DataBreachToday.com, Heimdal Security Blog, NDTV Gadgets360.com, VentureBeat, protothemanews.com, TechSpot, The Register, CRN, The Register, Tech Xplore, Miami Herald, The Guardian, Threatpost, Cyberscoop

Although not news to cybersecurity veterans, researchers at Trustwave issued a report saying that the code behind the massive ransomware attack by the Russian-speaking hacking ring REvil is written so that the malware checks the victim system's language settings and avoids systems that primarily use Russian or related languages.

The Putin regime generally protects Russian criminal hackers if they manage to avoid hitting Russian-speaking targets. (Ken Dilanian / NBC News)
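To make the language check concrete, the following is an added, defender-side re-creation of the idea, written for this page; it is not REvil's code and not taken from the Trustwave report. It gathers the signals such a check looks at on Windows (the system locale and the installed input languages) and tests them against an exclusion set. The set of language tags is an assumption chosen for illustration (Russian plus languages of neighbouring former Soviet states); the article itself says only "Russian or related languages".

```powershell
# Added example, not REvil's code and not from the Trustwave report.
# Illustrative exclusion set (assumption): Russian and neighbouring CIS languages.
$ExcludedLanguageTags = @('ru', 'uk', 'be', 'kk', 'ky', 'uz', 'tg', 'tk', 'az', 'hy', 'ka', 'tt', 'ro-MD')

function Get-HostLanguageSignals {
    # System locale plus every input language (keyboard layout) the user has installed.
    $systemLocale = (Get-WinSystemLocale).Name
    $inputTags    = Get-WinUserLanguageList | ForEach-Object { $_.LanguageTag }
    [pscustomobject]@{
        SystemLocale   = $systemLocale
        InputLanguages = @($inputTags)
    }
}

function Test-LanguageExclusion {
    param([string[]]$LanguageTags)
    foreach ($tag in $LanguageTags) {
        # Compare the full tag (e.g. ro-MD) and its primary subtag (e.g. ru from ru-RU).
        $primary = ($tag -split '-')[0]
        if ($ExcludedLanguageTags -contains $tag -or $ExcludedLanguageTags -contains $primary) {
            return $true   # a REvil-style check would exit here instead of encrypting
        }
    }
    return $false
}

$signals  = Get-HostLanguageSignals
$allTags  = @($signals.SystemLocale) + $signals.InputLanguages
if (Test-LanguageExclusion -LanguageTags $allTags) {
    'Host matches the exclusion set: a language-gated sample would abort'
} else {
    'Host does not match the exclusion set: a language-gated sample would proceed'
}
```

Some defenders add a Russian keyboard layout to non-critical hosts as a cheap deterrent against such samples; it costs nothing but should be treated as a nuisance factor for the attacker, not a control, since the check is trivially removed from future builds.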

Related: The Hill, Trustwave

Researchers at Lookout Security say that scammers tricked at least 93,000 people into buying 172 fake Android cryptocurrency mining applications.

The applications are tracked as two separate families dubbed BitScam (83,800 installs) and CloudScam (9,600 installs) and were advertised by the cybercriminals to victims as providing cloud cryptocurrency mining services. Twenty-five of the apps were available in the Google Play Store. (Sergiu Gatlan / Bleeping Computer)

Related: Tom's Guide, Cyberscoop, Security News | Tech Times, Infosecurity Magazine, Threatpost, Lookout

According to Seqrite, Quick Heal’s threat intelligence team, a cyber-espionage group called SideCopy has been observed targeting Indian organizations with government- and military-themed lures in a broad campaign to infect victims with malware.

Separately, Cisco Talos has issued a report saying that the group did not retreat or stop its operations after its attacks and tooling were exposed last year. SideCopy operators have shown the ability to develop new malware from scratch, indicating that the group is gaining experience and becoming more sophisticated in its attacks. (Catalin Cimpanu / The Record)

Related: Slashdot, The Register - Security, The Hacker News, Seqrite, Cisco Talos

The NSW Department of Education in Australia has suffered a cyberattack just days before the school term resumes, at a time when students in Greater Sydney are forced to rely on remote learning.

The attack poses particular challenges coming on the same day the NSW government confirmed students in lockdown areas would learn online until at least July 19 in response to the state’s Covid-19 outbreak. (Justin Hendry / IT News)

Related: ZDNet Security, ARN, The South African, The Mandarin

SoftBank Group announced it is leading a $235 million Series C investment round in Israeli facial recognition company AnyVision Interactive Technologies.

Other investors in the round include Eldridge, with previous investors also participating, including Robert Bosch GmbH, Qualcomm Ventures, and Lightspeed. (Parmy Olson / Wall Street Journal)

Related: The Times of Israel, Ingrid Lunden – TechCrunch, Algemeiner.com, AiThority, Malay Mail - All, FinSMEs, NoCamels, AiThority, PYMNTs.com

No-code fraud-monitoring software start-up Unit21 has landed $34 million in a Series B venture funding round.

Tiger Global Management led the round, with ICONIQ Capital and existing backers Gradient Ventures (Google’s AI venture fund), A.Capital and South Park Commons also participating. (Mary Ann Azevedo / TechCrunch)

Related: Silicon Valley Business Journal

r2c, the security-focused code analysis company behind the open-source Semgrep project, closed a $27 million Series B venture funding round.

Felicis led the round, which the company said was a pre-emptive deal. Prior investors Redpoint and Sequoia also participated in the fundraising. (Alex Wilhelm / TechCrunch)

Related: r2c

Encrypted data analysis start-up Opaque has raised $9.5 million in a seed funding round.

The round was led by Intel Capital, with contributions from Race Capital, The House Fund, and FactoryHQ. (Kyle Wiggers / Venture Beat)

Related: TechCrunch, Business Wire

Cardiff-based crypto security startup Coincover raised $9.2 million in a Series A funding round.

London’s Element Ventures led the round. DRW Venture Capital, CMT Digital, Avon Ventures, Valor Equity Partners, FinTech Collective, Susquehanna Private Equity Investments, LLLP, Volt Capital, and the founding investors, Insurtech Gateway Fund and Development Bank of Wales, also participated in the round. (Shubham Sharma / UK Tech News)

Related: The Block Crypto

Cybersecurity firm Sophos Group has acquired Linux attack protection startup Capsule8 Inc. for an undisclosed price.

Sophos says it plans to integrate Capsule8 technology into its Adaptive Cybersecurity Ecosystem, providing robust and lightweight Linux server and cloud container security within this open platform. (Duncan Riley / Silicon Angle)

Related: Dark Reading: Threat Intelligence, Security Week, MSSP Alert, ARN, MSSP Alert

Photo by Ashkan Forouzani on Unsplash