Cybersecurity Digest #26: 31/05/2021 – 11/06/2021

Cybersecurity News

  • PuzzleMaker attacks exploit Windows zero-day, Chrome vulnerabilities. According to Kaspersky, a wave of “highly targeted attacks” on several organizations was traced that used a chain of zero-day exploits in the Google Chrome browser and Microsoft Windows on April 14 and 15, 2021. The attackers have been named PuzzleMaker. The first exploit in the chain, while not confirmed, appears to be CVE-2021-21224, a V8 type confusion vulnerability in Google Chrome prior to 90.0.4430.85.
  • Malicious actors are actively mass scanning the internet for VMware vCenter servers that remain unpatched against a critical remote code execution flaw, which the company addressed late last month. Mass scanning activity was detected from 104.40.252.159 checking for VMware vSphere hosts vulnerable to remote code execution.
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the availability of a new guide for cyber threat intelligence analysts on the use of the MITRE ATT&CK framework. The goal of the 20-page Best Practices for MITRE ATT&CK Mapping guide is to help analysts map attacker behaviors to the relevant ATT&CK techniques, both from cybersecurity reports and raw data.
  • Security researchers have discovered a new piece of malware called SkinnyBoy that was used in spear-phishing campaigns attributed to Russian-speaking hacking group APT28. The threat actor, also known as Fancy Bear, Sednit, Sofacy, Strontium, or PwnStorm, used SkinnyBoy in attacks targeting military and government institutions earlier this year.
  • Four security vulnerabilities discovered in the Microsoft Office suite, including Excel and Office Online, could potentially be abused by bad actors to deliver attack code via Word and Excel documents. Rooted in legacy code, the vulnerabilities could have granted an attacker the ability to execute code on targets via malicious Office documents, such as Word, Excel and Outlook files.
  • Trend Micro experts have discovered a vulnerability in macOS rooted in the Core Virtual Machine Server (CVMServer). The vulnerability, labeled CVE-2021-30724, is triggered by an integer overflow leading to an out-of-bounds memory access, from which point privilege escalation can be attained. It affects devices running versions older than macOS Big Sur 11.4, iOS 14.6, and iPadOS 14.6.

Cybersecurity Blog Posts

  • Craig Hinkley suggests taking a closer look at the aspects that will constitute the future of application security. IT executives and organizations are now thinking about the need to integrate security into the development process, the priority of a solutions-based program (rather than a tools-based one), the pipeline of security talent, and the cultural transformation around security and IT teams.
  • In his article, Tom Emmons describes the rapid resurgence of DDoS extortion, which didn’t take long to arrive. He highlights the latest threats on the scene and explains what organizations need to do now to prepare.
  • Corey O’Connord explains how to communicate the identity security imperative to the board of directors. She encourages communicating with confidence and suggests using a list of FAQs to guide boardroom discussions and help articulate why identity security really matters now.

Research and analytics

  • Ransomware will cost its victims around $265 billion (USD) annually by 2031, Cybersecurity Ventures predicts, with a new attack every 2 seconds as ransomware perpetrators progressively refine their malware payloads and related extortion activities. The dollar figure is based on 30 percent year-over-year growth in damage costs over the next 10 years.
  • Check Point Research identified an ongoing surveillance operation targeting a Southeast Asian government. The attackers use spear-phishing to gain initial access and leverage old Microsoft Office vulnerabilities together with a chain of in-memory loaders to attempt to install a previously unknown backdoor on victims’ machines. Their investigation shows the operation was carried out by what the researchers believe is a Chinese APT group that has been testing and refining the tools in its arsenal for at least 3 years.
  • Galvanize has surveyed 105 GRC professionals, plus 108 non-GRC professionals who work in a related department, in the United States and Canada. While over half (53%) said that their organizations now perceive them as being more valuable, 58% have seen their workloads increase, 62% have seen growth in the scope of their roles, and 62% find that gaps in time, technology, or human resources prevent their organizations from executing their plans.
  • ClubCISO Information Security Maturity Report-Executive Summary 2021 provides an overview of the challenges facing today’s CISOs. Learn more about the factors impacting CISOs’ performance and the hot topics on their radars.
  • Sophos asked 5,400 IT managers to share their experiences and future plans for The IT Security Team Report: 2021 and Beyond. This report reveals how the pandemic affected IT security teams, including the impact on cybersecurity workload, response time, morale, and ability to develop new skills. It also explains how organizations expect to deliver IT security over the next two and five years.
  • ESET has released its T1 2021 Threat Report, summarizing key statistics from ESET detection systems and highlighting notable examples of ESET’s cybersecurity research, including exclusive, previously unpublished updates on current threats. The featured story recounts ESET Research’s discovery of multiple advanced persistent threat (APT) groups exploiting a vulnerability chain affecting Microsoft Exchange Server.
  • The 2021 Hong Kong Encryption Trends Study, the most comprehensive encryption survey in the industry, highlights how organisations in Hong Kong are managing encryption strategies and data security threats across multiple clouds. The results are clear: organisations are expanding their use of encryption technologies into areas such as the cloud and containers as they focus on protecting customer data and

Major Cyber Incidents

  • European company Ardagh Group has recently been hit by a cyberattack and is said to be on the road to recovery. A source from the glass and metal packaging giant said that the attack involved a malware variant, but did not confirm it was a ransomware attack as the investigation into the issue was still ongoing.
  • Global meatpacker JBS USA has paid $11 million in Bitcoin to cyberattackers that encrypted its files and disrupted operations in the US and Australia with ransomware, the company has said. JBS said it made the decision to pay the attackers in consultation with third-party cybersecurity experts “to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.”
  • What seems to be the largest password collection of all time has been leaked on a popular hacker forum. A forum user posted a massive 100GB TXT file that contains 8.4 billion entries of passwords, which have presumably been combined from previous data leaks and breaches.
  • The Steamship Authority, Massachusetts’ largest ferry service, was hit by a ransomware attack which led to ticketing and reservation disruptions. There is no impact on the safety of vessel operations, as the issue does not affect radar or GPS functionality. Scheduled trips to both islands continue to operate, although customers may experience some delays during the ticketing process.
  • Japanese conglomerate Fujifilm announced that it is suffering from a ransomware attack. In a statement, the company said it was investigating unauthorized access to its servers and had no choice but to shut down its network.
  • Content delivery network (CDN) Fastly has explained its major outage, which knocked out many of the world’s top websites, from Amazon to ZDNet. The breadth of the outage demonstrated once again how CDNs, which bring content to end users from globally distributed points of presence (POPs), can also be a single point of failure.
  • Taiwan-based leading memory and storage manufacturer ADATA says that a ransomware attack forced it to take systems offline after hitting its network in late May. ADATA did not provide information on the ransomware operation behind the incident or any ransom demands. However, the Ragnar Locker group claims to have stolen 1.5TB of sensitive data from ADATA’s network before deploying the ransomware payloads.
  • Navistar International Corporation, a US-based maker of trucks and military vehicles, says that unknown attackers have stolen data from its network following a cybersecurity incident discovered on May 20, 2021. The company disclosed the attack in an 8-K report filed with the Securities and Exchange Commission (SEC).
  • The Spanish Ministry of Labor and Social Economy (MITES) is working on restoring services after being hit by a cyberattack. The Spanish Servicio Público de Empleo Estatal (SEPE), a government agency that is part of MITES and was hit by ransomware in March, says that it was not affected by this cyberattack.