Bitdefender screwed up by publicly revealing ‘DarkSide’ ransomware vulnerability

Thanks to the antivirus company, the Russia-based hackers were able to fix the flaw and unleash a string of attacks

In case you do not recognize the name, DarkSide is the ransomware group behind the recent high-profile cyberattack on the Colonial Pipeline. Ironically, all of that damage could have been avoided had it not been for a public announcement by the antivirus company Bitdefender, which disclosed a flaw in the ransomware the gang was using to infect systems.

As reported, on January 11 the antivirus company announced publicly that it had found a flaw in the ransomware DarkSide was using to freeze the computer networks of dozens of businesses in the US and Europe. It added that companies facing demands from DarkSide could download a free tool from Bitdefender and avoid paying millions of dollars in ransom to the hackers.

Unfortunately, this celebrated announcement turned out to be a costly mistake. Two other researchers, Fabian Wosar and Michael Gillespie, had already noticed the flaw the month before and had begun discreetly looking for victims to help. By publicizing its tool, Bitdefender alerted DarkSide to the lapse, which involved reusing the same digital keys to lock and unlock multiple victims, so key material recovered from one victim could unlock others. That gave DarkSide the chance to fix the flaw, and the gang acknowledged as much in a post on the dark web:

“Special thanks to BitDefender for helping fix our issues. This will make us even better.”

As it turned out, they were not bluffing, and a string of attacks followed. Last month the gang paralyzed Colonial Pipeline Co., prompting a shutdown of the 5,500-mile pipeline that carries 45% of the fuel used on the U.S. East Coast. A major crisis could have been averted by using the tool discreetly to restore affected systems while the flaw was still unpatched. I am hopeful that many of us learned a lesson: a public announcement is not always the right approach in these scenarios.
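The lapse described above, modelled as an added example (this is not DarkSide's code, Bitdefender's tool, or anything from the ProPublica reporting): a toy file cipher with HMAC-SHA256 in counter mode stands in for the real ransomware's primitive, and the only thing that differs between the two builds is key management. The "shared key" build reuses one key for every victim, so a key recovered from any one victim unlocks all of them, which is exactly what a quiet decryptor exploits and a public announcement gives away. The per-victim build hands each victim a fresh key, so the same recovered key opens nothing else. Victim names and contents are constructed; in a real deployment the per-victim key would be wrapped with the attacker's public key, which this model omits.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode. It stands in for the real
    # ransomware's file cipher; the lesson here is key management, not the primitive.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_file(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_file(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key: what a decryptor sees on a victim it does not match
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def infect(victims: dict, shared_build_key):
    """Encrypt each victim's data; return the blobs and the key each victim would have to buy.

    shared_build_key=None models the fixed build (fresh key per victim);
    a bytes value models the flawed build (one key reused across victims).
    """
    blobs, keys = {}, {}
    for name, data in victims.items():
        key = shared_build_key if shared_build_key is not None else os.urandom(32)
        blobs[name] = encrypt_file(key, data)
        keys[name] = key
    return blobs, keys


def victims_unlocked_by(key: bytes, blobs: dict) -> list:
    # The researcher's check: try one recovered key against every known victim.
    return sorted(name for name, blob in blobs.items() if decrypt_file(key, blob) is not None)


# Constructed victim data for the demo, not real samples.
VICTIMS = {"victim-a": b"Q1 invoices", "victim-b": b"payroll export", "victim-c": b"backup manifest"}


def count_unlocked(shared_key: bool) -> int:
    """How many victims a key recovered from victim-a unlocks under each build."""
    build_key = os.urandom(32) if shared_key else None
    blobs, keys = infect(VICTIMS, build_key)
    return len(victims_unlocked_by(keys["victim-a"], blobs))


if __name__ == "__main__":
    print("shared key across victims:", count_unlocked(True))   # every victim opens
    print("fresh key per victim:     ", count_unlocked(False))  # only victim-a opens
```

The authentication tag is what makes the check decisive: with it, a wrong key fails cleanly instead of producing garbage, so a decryptor can be pointed at a pile of victim samples and report exactly which ones a recovered key helps.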

In a post on the dark web, DarkSide thanked Bitdefender for identifying a flaw in the gang’s ransomware. (Highlight added by ProPublica)

Moving beyond the headline story, let's review some of the other cybersecurity incidents and issues reported recently.

XSS Vulnerability in the Froala Editor

Security consultants at Bishop Fox have found a cross-site scripting (XSS) vulnerability in a WYSIWYG editor used by approximately 30,000 web domains. The vulnerability affects Froala version 3.2.6 and earlier, a lightweight What-You-See-Is-What-You-Get (WYSIWYG) HTML rich-text editor aimed at developers and content creators.

According to the researchers, the editor's HTML sanitization parsing is flawed in a way that lets attackers bypass its existing XSS protections. The vulnerability can be triggered by inserting a JavaScript payload in an HTML event-handler attribute within specific HTML and MathML tags, which causes the parser to mutate the payload into executable JavaScript. This is the mutation-XSS pattern: markup that looks inert to the sanitizer turns into live script once the browser re-parses it, so a sanitizer has to drop event handlers regardless of which tags enclose them and must produce output that survives a second parse unchanged.
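The defensive side of that point, as an added example (not Froala's sanitizer, not the Bishop Fox proof of concept, and not reproducing the editor's specific trigger, which the article does not give): an allowlist sanitizer on Python's standard-library HTML parser. It removes every attribute whose name starts with "on" whatever the enclosing tag (HTML or MathML), drops tags that are not allowlisted while keeping their text, strips control characters from URLs before checking the scheme so that "java&#10;script:" does not slip past, and exposes an idempotence check, the cheap test for mutation behaviour: if sanitizing the output a second time changes it, the first pass emitted markup the browser will read differently. The payloads are constructed classics for the demo, not the Froala one.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlist: anything not listed is dropped (the tag goes, its text is kept).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


def url_is_safe(value: str) -> bool:
    # Browsers ignore ASCII control characters and whitespace inside a scheme,
    # so strip them before looking at it; otherwise "java\nscript:" passes.
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    scheme_part = re.split(r"[/?#]", cleaned, maxsplit=1)[0]
    if ":" not in scheme_part:
        return True  # relative URL, no scheme at all
    return cleaned.startswith(SAFE_SCHEMES)


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []  # open allowlisted tags, so output is always balanced

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # script, style, math, mtext, svg ... all dropped outright
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                continue  # every event handler goes, whatever tag it sits in
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not url_is_safe(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.stack:
            return  # stray close tag, or one for a tag we never emitted
        while self.stack:
            top = self.stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        # Text is re-escaped on output, so '<' in content can never open a tag.
        self.out.append(escape(data, quote=False))

    def result(self) -> str:
        while self.stack:
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


def sanitize_is_idempotent(fragment: str) -> bool:
    # Mutation-XSS check: output that changes on a second pass is markup the
    # browser will re-parse into something the first pass never saw.
    once = sanitize(fragment)
    return sanitize(once) == once


# Constructed payloads for the demo; none is the Froala-specific trigger.
PAYLOADS = [
    '<img src=x onerror=alert(1)>',
    '<math><mtext><img src=x onerror=alert(1)></mtext></math>',
    '<a href="java&#10;script:alert(1)">click</a>',
    '<p onclick="alert(1)">hello <b>world</p>',
    '<script>alert(1)</script>1 < 2',
]

if __name__ == "__main__":
    for payload in PAYLOADS:
        print(repr(payload), "->", repr(sanitize(payload)), "idempotent:", sanitize_is_idempotent(payload))
```

The allowlist is deliberately small; the point is that the handler check keys on the attribute name alone, so wrapping the payload in MathML or any other namespace the sanitizer does not model still strips it. Run the idempotence check over a real corpus of stored content as a regression test whenever the sanitizer or its allowlist changes.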

Bypassing Microsoft's AMSI anti-malware interface

AMSI (the Antimalware Scan Interface) is a vendor-agnostic interface through which anti-malware products on a Windows machine can inspect content, such as scripts, at the moment it runs, supporting features including scan request correlation and content source URL/IP reputation checks. As reported by Sophos, a recent investigation documented the techniques attackers use to either avoid or disable AMSI, from living-off-the-land tactics to fileless attacks.
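A detection-side counterpart, added here as an example (not from the Sophos report or the page): a small Python scanner over PowerShell script-block log text that flags the names present in public AMSI-tampering tooling (the AmsiUtils type, its amsiInitFailed field, the AmsiScanBuffer export and related strings) after normalizing away the string-splitting obfuscation those scripts typically use. The five log entries are constructed samples in the shape of Event ID 4104 ScriptBlockText, not real telemetry; entry 1 is the widely published reflection-based bypass, entry 2 the same with the names split across concatenations, and entry 3 a variable-splitting variant that this kind of matching deliberately does not catch.

```python
import re

# Constructed sample of PowerShell script-block log text (Event ID 4104, ScriptBlockText),
# not real telemetry. Entry 1 is the widely published reflection-based AMSI bypass
# pattern; entry 2 is the same pattern with the type and field names split across
# string concatenations; entry 3 splits an indicator across two variables.
SAMPLE_SCRIPT_BLOCKS = [
    r"Get-ChildItem C:\Users | Select-Object Name",
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
    ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)",
    "[Ref].Assembly.GetType('System.Management.Automation.'+'Amsi'+'Utils')"
    ".GetField(('amsi'+'Init'+'Failed'),'NonPublic,Static').SetValue($null,$true)",
    "$a = 'Am'; $b = 'siScanBuffer'; Write-Host ($a + $b)",
    "Invoke-WebRequest https://example.invalid/update.txt -OutFile update.txt",
]

# Names that appear in public AMSI-tampering tooling, compared after normalization.
AMSI_INDICATORS = ("amsiutils", "amsiinitfailed", "amsiscanbuffer", "amsicontext", "amsi.dll")


def normalize(script_text: str) -> str:
    # Collapse cheap obfuscation: quotes, '+' concatenation, backtick escapes,
    # parentheses and whitespace, then lower-case. 'Amsi'+'Utils' -> amsiutils.
    return re.sub(r"['\"`+()\s]", "", script_text).lower()


def find_amsi_tampering(script_blocks):
    """Return [(index, [matched indicators])] for blocks that look like AMSI tampering."""
    hits = []
    for idx, block in enumerate(script_blocks):
        norm = normalize(block)
        matched = [ind for ind in AMSI_INDICATORS if ind in norm]
        if matched:
            hits.append((idx, matched))
    return hits


if __name__ == "__main__":
    for idx, matched in find_amsi_tampering(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {idx}: {matched}")
```

Entry 3 shows the limit of static matching on logged text: once the indicator is assembled at run time from variables, only the runtime scan (AMSI itself, on the buffer PowerShell hands it) sees the real string. Treat a hit from this scanner as a cheap, high-confidence first layer and keep script-block logging on so the de-obfuscated blocks are there for the cases it misses.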

Morphing Malicious Bot

High-level overview of the Necro bot and its functionality (Image: Cisco Talos)

Employing automated tools to deploy malware is nothing new for hackers, and a sophisticated bot can do a lot of damage on an attacker's behalf. As revealed by threat-intelligence provider Cisco Talos, a bot dubbed Necro Python goes after Windows and Linux machines by exploiting security vulnerabilities in the operating system or an installed application.

Necro initially infects computers through a Java-based downloader. The malware is deployed as a Python interpreter plus a malicious script, along with executables built with the Python packaging tool PyInstaller. Though first revealed earlier this year, the latest version of the bot has gained new capabilities, one of which is code morphing: the script rewrites itself into a different form on every iteration, so detections keyed to the file's hash or exact byte patterns stop matching.
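The analyst's answer to that, as an added example (this is not Necro's morphing routine, which the Talos write-up does not reproduce here, and not Talos tooling): a structural fingerprint for Python scripts that parses the source, renames every identifier to a canonical name in order of first appearance, replaces literal values with their types, and hashes the resulting tree. Two variants of one script that differ only in names and literals then share a fingerprint even though their file hashes differ, while a genuinely different script does not. The three sample scripts are constructed, benign, and only parsed, never executed.

```python
import ast
import hashlib


class _Canonicalize(ast.NodeTransformer):
    """Rename identifiers to v0, v1, ... in order of first appearance and replace
    literal values with their type name, so renamed or re-literalled variants of
    one script reduce to the same tree. Attribute names (e.g. .check_output) are
    kept: which APIs a script calls is structure worth fingerprinting."""

    def __init__(self):
        self.names = {}

    def _canon(self, name):
        return self.names.setdefault(name, f"v{len(self.names)}")

    def visit_Name(self, node):
        node.id = self._canon(node.id)
        return node

    def visit_arg(self, node):
        node.arg = self._canon(node.arg)
        return self.generic_visit(node)

    def visit_FunctionDef(self, node):
        node.name = self._canon(node.name)
        return self.generic_visit(node)

    def visit_Constant(self, node):
        node.value = type(node.value).__name__
        return node


def structural_fingerprint(source: str) -> str:
    tree = _Canonicalize().visit(ast.parse(source))
    return hashlib.sha256(ast.dump(tree).encode()).hexdigest()


def literal_fingerprint(source: str) -> str:
    # What a file-hash signature sees: any renaming changes it.
    return hashlib.sha256(source.encode()).hexdigest()


# Constructed samples: two morphs of one benign script, and an unrelated one.
VARIANT_A = """import subprocess

def run(cmd):
    return subprocess.check_output(cmd, shell=False)

out = run(["echo", "hello"])
"""

VARIANT_B = """import subprocess

def qx1(z9):
    return subprocess.check_output(z9, shell=False)

k2 = qx1(["printf", "hi"])
"""

OTHER = """import os

for p in os.listdir('.'):
    print(p)
"""


def same_logic(source_a: str, source_b: str) -> bool:
    return structural_fingerprint(source_a) == structural_fingerprint(source_b)


if __name__ == "__main__":
    print("file hashes equal:      ", literal_fingerprint(VARIANT_A) == literal_fingerprint(VARIANT_B))
    print("structural match A~B:   ", same_logic(VARIANT_A, VARIANT_B))
    print("structural match A~other", same_logic(VARIANT_A, OTHER))
```

This catches the renaming and re-literalling class of morphing only; a morpher that also reorders statements or wraps code in dead branches needs a looser comparison (for instance hashing the multiset of call targets), and a script that decodes and exec()s its real body needs to be fingerprinted after the decode, not before.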
