BlackBerry Vulnerability, DeepBlueMagic Ransomware, HolesWarm Malware, CISA Ransomware Guidance - Experts' Comments

By ISBuzz Team
Writer, Information Security Buzz | Aug 20, 2021 03:02 am PST

BACKGROUND:

BlackBerry has publicly disclosed that its QNX Real Time Operating System (RTOS) is affected by a BadAlloc vulnerability. The vulnerability has left 200 million cars, along with critical hospital and factory equipment, vulnerable. CISA strongly encourages critical infrastructure organizations and other organizations developing, maintaining, supporting, or using affected QNX-based systems to patch affected products as quickly as possible.

1 Expert Comment
Saumitra Das, CTO and Co-founder
August 20, 2021 11:43 am

<p>“QNX is the operating system of choice for embedded systems and is very widely deployed where real-time guarantees are needed in computing, such as medical devices, robotics, cars, etc. This should be at the top of the list for patching, and in the meantime networks reachable from QNX devices should be extensively monitored from a detection and response perspective to disrupt attacker kill chains. Attackers who are already inside the network may auction off their initial access to more sophisticated third parties who exploit this CVE.”</p>
<p>“Researchers from Heimdal Security have <a href="https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUSjIxzpHtbBqNiB-2B4CjkUN-2F9vPVrx6tyWH0yImbeljOR5yVDdyx3hybjwbZ5pyTLZRLbjhEkIQ3qSO39r44TtjK4H0igLHPWcGBgHYqpQ8BNwWtd_S3RA1gMvL7v1TdZrqvF2X48vY2LyH9KYdxKxBaPFp6Fl1TEEsXDQbgk-2FWPw9Ah5nwh5z3HPLIw79cePUeHvYGbACtpGEOUo9gKA7RdPV7CHYnRZ1BgjoepqPsAq5T4X7OPHmw4iuricWSmMEgE-2Bxha3qUat2wQT-2FB8xknC8uMoJiwG-2BzMq1rAVEde6kciardxEovwCm8v-2BG3xmMTrUvC04DAMfxcotss9y8PovN-2FkXS00OEFEZcQRXKIbUUofnKdFXv9i7Fy3kOBRf85TJHS9LbYTpeX-2BROqnxl9sjSC1-2FcnVZZk3BT3x6Gw3NIa697wjVa-2BTLo8OTzCMVtq9dnFfs0mTPoruXfl3U53xpjGPV3v1DoblYa9GIM4KEtPu1wh" target="_blank" rel="noopener">uncovered</a> a new ransomware strain named “DeepBlueMagic” which deletes Volume Shadow Copies on Windows, making recovery nearly impossible without a decryption key. The malware was observed by Heimdal using an encryption tool from Jetico called BestCrypt Volume Encryption to start encryption on all drives, except the primary system drive (“C:\”), on an infected Windows Server 2012 R2 system.”</p>
<p>“Ransomware actors are always looking at new methods to gain leverage to blackmail. The original leverage was just business downtime from drive encryption but currently it is common for attackers to do double extortion to exfiltrate data as well as encrypt. They can exfiltrate and sell data, name and shame the victim, or just disrupt their business like what can happen with this type of attack. Using deeper disk interfaces is an interesting addition to their toolkit of attacks which may help them from a disruption point of view.”</p>
<p>“Researchers at Tencent have <a href="https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUWOYQC-2FYA4R1GdxgfLoJuFDcqi-2FfJcGj9qYkXPNfnvYshKvCrI5HpU37suf-2F3rPWqQ-3D-3D2D6o_S3RA1gMvL7v1TdZrqvF2X48vY2LyH9KYdxKxBaPFp6Fl1TEEsXDQbgk-2FWPw9Ah5nwh5z3HPLIw79cePUeHvYGbACtpGEOUo9gKA7RdPV7CHYnRZ1BgjoepqPsAq5T4X7OPHmw4iuricWSmMEgE-2Bxha3qUat2wQT-2FB8xknC8uMoJiwG-2BzMq1rAVEde6kciardxEovwCm8v-2BG3xmMTrUvC04DAMfxcotss9y8PovN-2FkXT51Bjviu6aX2YHfzDT9SsS7bxLCLxUdGY-2FVko5NgpbxyZkHvjRt-2BcNg0fm7E4i5P3IwmRqgbqwSp-2Fku-2BO01JScetpK4uVB7hcIvRF94JLuUnx-2BxKM54-2FfljZrXuI3lQeHZSPZgybso5jn3IfpeD78f" target="_blank" rel="noopener">identified</a> a malware which exploits unpatched Windows and Linux servers. HolesWarm, the botnet cryptominer, has already compromised 1,000-plus clouds since June and is being referred to as the “King of Vulnerability Exploitation”. The malware has leveraged more than 20 known vulnerabilities in Linux and Windows servers, and Tencent has warned that both government and enterprise should mitigate known vulnerabilities as soon as possible to prevent them from falling prey to the next HolesWarm attack.”</p>
