A Week in Security: REvil Extortion, RDP Stolen Credentials, Geico Breach, and Chrome Exploits

As we approach the weekend, let us look back at this past week at the top cyber security news.  This week in cyber security, REvil attempted to extort Apple using their stolen data.  Additionally, UAS leaked 1.3 million Windows RDP logins for sale on their marketplace.  Also in other news, Geico suffered a data breach that exposed some of their customers’ sensitive data and Google rushed to fix several zero-day exploits in Chrome.

 

REvil Attempts to Extort Apple

Early in the week, the threat group REvil, known for their successful ransomware campaigns and living up to their threats, successfully stole Apple’s blueprints to products planned for future release.  In order to prevent leaking blueprints on their site, REvil demands $50 million from Apple by May 1.

To exfiltrate the blueprints and data, REvil targeted Quanta.  As a Global Fortune 500 electronic manufacturer, Apple uses Quanta to manufacture some of their products such as Apple Watches and Macbook Airs and Pros.  REvil successfully stole the blueprints from Quanta when they successfully implanted ransomware onto the Quanta servers.  Originally, to decrypt their systems and retrieve the files back, REvil demanded $50 million by April 27, or else the amount doubles to $100 million.

Quanta refused to pay REvil’s demands; therefore, REvil proceeded to leak some of the blueprints and schematics of devices to the public prior to Apple’s Spring Loaded event.  Now, REvil demands $50 million from Apple.

 

1.3 Million Windows Stolen and Posted for Sale

A cyber-criminal marketplace known as Ultimate Anonymity Services (UAS) posted 1.3 million (1,379,609 to be exact) Windows Remote Desktop Protocol (RDP) logins for sale.  Malicious actors can access UAS and obtain information such as leaked social security numbers, SOCKS proxies, as well as RDP login information.  UAS even provides customer support and offers help to its customers to maintain access to the systems they purchased access to.

Furthermore, in an analysis of the 1.3 million leaked RDP credentials, here are some of the top discoveries:

 

Top 10 Login Names:

  1. Administrator
  2. Admin
  3. User
  4. Test
  5. Scanner
  6. Scan
  7. Guest
  8. IME_ADMIN
  9. User1
  10. Administrador

 

Top 10 Passwords:

  1. 123456
  2. 123
  3. P@ssw0rd
  4. 1234
  5. Password1
  6. 1
  7. Password
  8. 12345
  9. admin
  10. ffff-ffc0M456x

 

Top 10 Countries:

  1. United States
  2. China
  3. Brazil
  4. Germany
  5. India
  6. United Kingdom
  7. France
  8. Spain
  9. Canada
  10. Hong Kong

Additionally, RDPwned released a helpful tool to allow people to check if their systems or RDP login credentials have been leaked.

 

Geico Data Breach

As the second largest car insurance company in the United States, Geico handles sensitive data for over 17 million people and their policies.  With such a large user base and the immense amount of sensitive data, Geico is a prime target for any attacker.

Geico stated that for over a month, from January 21, 2021 to March 1, 2021, malicious threat actors exploited online sales portals to access Geico’s policy holders’ driver’s license numbers.

Additionally, Geico stated that they believe these threat actors will use these numbers to commit fraud and identity theft.  With the driver’s license numbers, the attackers can apply for unemployment benefits and commit other forms of fraud in the policy holders’ names.

As a result of the data breach, Geico immediately took action to secure their website and are currently implementing further security safeguards.

 

Google Fixes Zero-Day Exploits

On April 20th, 2021, Google released Chrome version 90.0.4430.85 to fix a zero-day exploit and other high-severity vulnerabilities.  However, the zero-day exploit is a proof-of-concept (PoC) exploit being tracked as CVE-2021-21224. Furthermore, This vulnerability can be exploited alongside other security bugs to escape the Chromium Sandbox, a security safeguard that blocks exploits from remote code execution and  exfiltrating files on systems.  When the attacker avoids the sandbox, code can be executed on the victim’s system.  A day after Google released Chrome version 89.0.4389.128, a tweet publicly exposed the CVE-2021-21224 vulnerability.  Obviously, Google was extremely quick to release a patch.  Additionally, the patch also included fixes for:

  • CVE-2021-21222: A heap buffer overflow in V8
  • CVE-2021-21223: A integer overflow in Mojo
  • CVE-2021-21225: A out of bounds memory access in V8
  • CVE-2021-21226: For use after free in navigation

 

 

As this week comes to an end, have a safe and secure weekend!

Cyber Protection Group