Cybersecurity Digest #35: 04/10/2021 – 15/10/2021

Cybersecurity news

  • Telegram bot SMSRanger helps cybercriminals steal one-time passwords. Attackers use the bot to send automated messages to people, allegedly on behalf of a bank, PayPal, etc. Cybercriminals have armed themselves with a new, simplified attack tool based on Telegram messenger scripts that lets them create bots to steal one-time-password credentials, take over user accounts and steal bank funds.
  • Victims of ransomware attacks in the USA would be required to report payments to their hackers within 48 hours under a proposal from Democratic Senator Elizabeth Warren and Democratic Representative Deborah Ross.
  • The U.S. National Security Agency warned organizations and companies about a new TLS attack called Application Layer Protocol Content Confusion Attack (ALPACA). The NSA has urged organizations to follow its technical guidelines and protect servers from scenarios where attackers can access and decrypt encrypted web traffic.
  • Microsoft specialists released data on the attack, which the corporation called the most powerful in history. According to them, the DDoS attack was recorded back in August 2021. It was directed against a large European company that is a client of the Microsoft Azure cloud service. In total, the attack lasted about ten minutes, and the peak traffic level reached 2.4 Tbps.
  • Microsoft October Patch Tuesday addresses 4 zero-day vulnerabilities. With October Patch Tuesday, Microsoft has fixed 71 different vulnerabilities, including several zero-day bugs. One of the major security bugs receiving a fix this month is a privilege escalation vulnerability in the Windows kernel.
  • Code hosting platform GitHub has revoked weak SSH authentication keys that were generated via the GitKraken git GUI client due to a vulnerability in a third-party library that increased the likelihood of duplicated SSH keys. As an added precautionary measure, the Microsoft-owned company also said it’s building safeguards to prevent vulnerable versions of GitKraken from adding newly generated weak keys.
  • Operators of an unknown ransomware gang are using a Python script to encrypt virtual machines hosted on VMware ESXi servers. While the Python programming language is not commonly used in ransomware development, it is a logical choice for ESXi systems, seeing that such Linux-based servers come with Python installed by default.

Cybersecurity Blog Posts

  • Justin Kohler wrote how to convince the C-suite to buy in to active directory security. Major enterprises with large Active Directory environments are especially vulnerable because they tend to have a high volume of misconfigurations and over-privileged users that attackers can take advantage of.
  • Spending money you hadn’t budgeted to hire experts to clean up an unexpected mess is at the bottom of every manager’s wish list, but in the case of a cyber attack as damaging as ransomware, turning incident response over to a pro may be the best thing you can do. Chad Kime offered to examine 5 key reasons to hire a ransomware recovery expert.
  • Ransomware as a service (RaaS) is a business model designed for criminals, by criminals, that lowers the technical barrier to entry into cybercrime. Jeff White has listed a few areas that are good jumping-off points for conversations about defense-in-depth strategies against RaaS.
  • In any enterprise, building stakeholder trust and confidence is an important part of moving important initiatives forward. The security team is not exempt from this responsibility, and the effectiveness and success of a security team is highly correlated to its ability to build trust and confidence among its stakeholders. Joshua Goldfarb provided 7 smart ways a security team can win stakeholder trust.

Research and analytics

  • Kaspersky Lab specialists published research on a new version of the FinFisher spyware, also known as FinSpy and Wingbird. Apart from the Trojanized installers, they also observed infections involving a UEFI or MBR bootkit. While the MBR infection has been known since at least 2014, details of the UEFI bootkit are publicly revealed in the article for the first time.
  • Microsoft Threat Intelligence Center (MSTIC) experts introduced in-depth analysis of newly detected NOBELIUM malware: a post-exploitation backdoor that MSTIC refers to as FoggyWeb. NOBELIUM employs multiple tactics to pursue credential theft with the objective of gaining admin-level access to Active Directory Federation Services (AD FS) servers.
  • According to Check Point Research, organizations saw 40% more attacks per week in 2021 than in 2020. Globally in 2021, 1 out of every 61 organizations is being impacted by ransomware each week. Since January 2020, September 2021 has had the highest number of attacks – more than double the weekly attack count at the lowest point in March 2020. Education/Research is the most targeted sector globally.
  • ESET researchers have discovered a previously unknown malware family that utilises custom and well-designed modules, targeting operating systems running Linux. Modules used by this malware family, which ESET dubbed FontOnLake, are constantly under development and provide remote access to the operators, collect credentials, and serve as a proxy server. The location of the C&C server and the countries from which the samples were uploaded to VirusTotal might indicate that its targets include Southeast Asia.
  • The Qualys research team has thoroughly studied the major ransomware attacks in the last five years and determined that these attacks used about 110 CVEs. Many of the ransomware-related CVEs have had patches available for years, with an average of five years since the date the patch was first available.
  • New research by V-Key shows that most apps used for mobile authentication have serious vulnerabilities, even when hardware security is used. V-Key has discovered a general flaw (named the “Trust Gap”) in these apps’ architectural design which hackers can exploit using malware to illegally obtain a target’s authenticator keys.
  • Check Point Research reported that Trickbot is the most prevalent malware, while the remote access trojan njRAT has entered the top ten for the first time, taking the place of Phorpiex, which is no longer active. Since the Emotet takedown in January, the Trickbot trojan has gained popularity.
  • In 2020, 186 ransomware attacks on US businesses resulted in the theft and/or misuse of over 7 million individual records. Comparitech estimated that these attacks cost businesses almost $21 billion in downtime alone. Their investigation revealed that the average business lost 9 days to downtime and around two-and-a-half months to investigations in 2020. Over the last few years, ransomware attacks on businesses have increased at an exponential rate – a 245% increase from 2019 to 2020.

Major Cyber Incidents

  • Syniverse handles billions of text messages a year, and hackers had unauthorized access to its system for years. A company that is a critical part of the global telecommunications infrastructure used by AT&T, T-Mobile, Verizon and several others around the world such as Vodafone and China Mobile, quietly disclosed that hackers were inside its systems for years, impacting more than 200 of its clients and potentially millions of cellphone users worldwide.
  • Twitch source code, business data, gamer payouts leaked in massive hack. An unknown hacker has leaked the entirety of Twitch’s source code among a 128 GB trove of data released this week. Twitch says no passwords or login credentials leaked in massive breach.
  • FIN12 hits healthcare with quick and focused ransomware attacks. While most ransomware actors spend time on the victim network looking for important data to steal, one group favors quick malware deployment against sensitive, high-value targets. It can take the FIN12 gang less than two days to execute a file-encrypting payload – most of the time Ryuk ransomware – on the target network.
  • The suspected Russian hackers who used SolarWinds and Microsoft software to burrow into U.S. federal agencies emerged with information about counter-intelligence investigations, policy on sanctioning Russian individuals and the country’s response to COVID-19, people involved in the investigation told Reuters. The hacks were widely publicized after their discovery late last year, and American officials have blamed Russia’s SVR foreign intelligence service, which denies the activity.
  • Ransomware affiliates are shocked to find out that cyber crooks will scam other criminals if they can. Cyber criminals using a ransomware-as-a-service scheme have been spotted complaining that the group they rent the malware from could be using a hidden backdoor to grab ransom payments for themselves.
  • Suspected Chinese hackers behind attacks on ten Israeli hospitals. A joint announcement from the Ministry of Health and the National Cyber Directorate in Israel describes a spike in ransomware attacks that targeted the systems of nine health institutes in the country.