Cybersecurity News
- The universal decryption key for REvil’s attack on Kaseya’s customers has been leaked on hacking forums, giving researchers their first glimpse of the mysterious key.
- A new Android Trojan has been identified by cybersecurity firm Zimperium, which released a report explaining how the malware has been able to hit more than 10,000 victims in 144 countries. The trojan, named FlyTrap by Zimperium researchers, has been able to spread through “social media hijacking, third-party app stores, and sideloaded applications” since March.
- Suspects in the Netherlands, Romania and Ireland were arrested following a coordinated investigation run by Europol into an organised online crime group that sold fictitious goods to victims. Authorities uncovered a sophisticated fraud scheme built on compromised emails and advance-payment fraud.
- A critical vulnerability has been disclosed in the hardware random number generators used in billions of Internet of Things (IoT) devices: the generators fail to properly produce random numbers, undermining the devices’ security and putting them at risk of attack.
- The Microsoft 365 Defender Threat Intelligence Team reported that attackers use Morse code and other encryption methods in an evasive phishing campaign. Cybercriminals change tactics as fast as security and protection technologies evolve.
- Emsisoft has released a decryptor for the SynAck Ransomware, allowing victims to decrypt their encrypted files for free. The SynAck ransomware gang launched its operation in 2017 but rebranded as the El_Cometa gang in 2021.
Cybersecurity Blog Posts
- Ondrej Kubovič from the ESET security community explained how ransomware has become one of the top cyberthreats of the day and how to avoid becoming the next victim.
- David Zomaya shared best practices for web form security to provide the usability benefits of web forms while limiting the security risks. The post will be useful for WordPress administrators and web developers.
- Threatpost experts gave some advice on how to reduce Exchange server downtime in case of a disaster. Maintaining backups and implementing best practices for Exchange servers helps restore the server when a disaster strikes, with minimal impact and downtime.
- Lily Hay Newman claims that AI wrote better phishing emails than humans in a recent test. WIRED researchers found that tools like OpenAI’s GPT-3 helped craft devilishly effective spearphishing messages.
Research and Analytics
- The 2021 Unit 42 Ransomware Threat Report by Palo Alto experts exposes the latest ransomware threats and provides unprecedented visibility into how these threats exploited business vulnerabilities in 2020. The average ransom paid by organizations increased from US$115,123 in 2019 to $312,493 in 2020, a 171% year-over-year increase.
- VMware specialists produced the 2021 Global Incident Response Threat Report to show how to build resilient, cyber-vigilant incident response teams, while also taking a deeper look at the increasingly sophisticated threats facing organizations today. Respondents indicate that targeted victims now experience integrity and destructive attacks more than 50% of the time. Cybercriminals achieve this through emerging techniques such as the manipulation of time stamps, or Chronos attacks, which nearly 60% of respondents have observed.
- Mandiant researchers from FireEye, in coordination with the Cybersecurity and Infrastructure Security Agency, disclosed a critical vulnerability that affects millions of IoT devices using the ThroughTek “Kalay” network.
- Reflective amplification attacks are a powerful tool in the arsenal of a DDoS attacker, but to date they have almost exclusively targeted UDP-based protocols. Researchers publishing at USENIX demonstrated that non-trivial TCP-based amplification is possible and can be orders of magnitude more effective than well-known UDP-based amplification. By taking advantage of TCP non-compliance in network middleboxes, they showed that attackers can induce middleboxes to respond and amplify network traffic.
- Secureworks has published Ransomware Report 2021 Vol. 1, a compilation of recent ransomware information and guidance from Secureworks experts. It covers how to prepare for cyber incident response (illustrated by a use case), how to prevent the three most common ransomware attack vectors, and how to use risk-based vulnerability management to prevent ransomware.
- Trend Micro teamed up with the Ponemon Institute to investigate the level of cyber risk across organizations and create a Cyber Risk Index (CRI). Their findings show that global businesses have a very high chance of being affected by a cyberattack: the likelihood of a breach of customer data in the next 12 months is 80%.
- KELA analyzed the activities of Initial Access Brokers (IABs) over the last year, during which their role became increasingly popular in the cybercrime underground, and summarized 5 major trends observed throughout the analysis. The research covers IAB activity for a full year, from July 1, 2020 to June 30, 2021.
Major Cyber Incidents
- A threat actor is promoting a new criminal carding marketplace by releasing one million credit cards, stolen between 2018 and 2019, on hacking forums. These cards were stolen through point-of-sale malware, Magecart attacks on websites, and information-stealing trojans.
- Taiwanese motherboard maker Gigabyte has been hit by the RansomEXX ransomware gang, which threatens to publish 112GB of stolen data unless a ransom is paid. The attack forced the company to shut down systems in Taiwan. The incident also affected multiple company websites, including its support site and portions of the Taiwanese website.
- A bug on Ford Motor Company’s website allowed access to sensitive systems and proprietary data such as customer databases, employee records and internal tickets. The exposure stemmed from a misconfigured instance of the Pega Infinity customer engagement system running on Ford’s servers.
- T-Mobile has released an update on recent claims that a hacker gained access to the names, addresses, PIN numbers, social security numbers and more of millions of T-Mobile customers. While initially denying the hacker’s claim to hold the information of 100 million T-Mobile customers, the telecom giant admitted that more than eight million customers had their information compromised in the cyberattack.
- In a bulletin posted on its site, healthcare facility network Memorial Health System, based in West Virginia and Ohio, USA, said it was beginning the process of recovery and restoration after being hit with a ransomware attack earlier in the week. The network reported that it experienced an “information technology security incident” that caused it to suspend all online access across its 64 clinics.
- Tokio Marine Holdings, a multinational insurance holding company in Japan, announced this week that its Singapore branch, Tokio Marine Insurance Singapore (TMiS), suffered a ransomware attack. TMiS isolated the network immediately after detecting the attack and informed the local government agencies.