Weekly Threat Report - 5th July 2019
Sodinokibi ransomware exploits Windows vulnerability
A ransomware strain named Sodinokibi (also Sodin or REvil) is exploiting a vulnerability patched by Windows last year.
Microsoft issued a patch for the vulnerability, a privilege escalation flaw known as CVE-2018-8453, back in October 2018.
Unusually, the former zero-day has been spotted alongside ransomware, rather than other forms of malware. Security researchers have suggested that Sodinokibi is being distributed via a ransomware-as-a-service (RaaS) scheme, rather than being directly distributed by its creator.
Applying security updates (patching) is one of the most important things you can do to improve security. Advice on how to protect your organisation from ransomware can be found on the NCSC website.
Following NCSC’s guidance on Mitigating Malware could also help prevent ransomware/malware infection.
Cirque du Soleil app reported to be vulnerable
An application for the Cirque du Soleil show, Toruk – The First Flight, is reportedly vulnerable due to a lack of focus on security according to a blog post from researchers at ESET.
The show, which had its final night in London on June 30th, encouraged users to download the app so they could enhance their evening with content such as backstage videos and images.
The app also synchronised devices with the performance so users could experience audio-visual effects based on their seat location.
However, the app reportedly suffers from a lack of authentication. Using the app would allow operators to issue a series of commands to devices via the open port 6161, but the lack of authentication could have also allowed others on the same public Wi-Fi network the same level of access. The ESET blog post reported that others could ‘scan the network for the IP addresses of devices with an open port 6161, and then send their own admin-style commands to those devices.’
Statistics pulled from Google Play showed that the app had been downloaded more than 100,000 times but it has now been removed from marketplaces.
Cirque du Soleil commented: “Cirque du Soleil has not yet received any notification from its users that they have been potentially affected by the vulnerability issues of the TORUK mobile application.”
Users that have the app still downloaded are still vulnerable so should uninstall it as soon as possible.
Ensuring your device’s security when downloading apps can be a bit of a juggling act for users. The Cirque du Soleil app was available from an official application store, but the NCSC would still encourage users to only download apps from these official stores because issues and vulnerabilities are more likely to be found and resolved. You should also be aware of what you’re allowing an app access to on your device (for example, your camera, contacts etc) and make a judgement call based on whether you are comfortable with that.
Lastly, we would encourage users to always install the latest software and app updates to keep devices as secure as possible.
National Cyber Security Centre Threat Reports