Cybersecurity Digest #37: 1/11/2021 – 12/11/2021

Cybersecurity news

  • The Federal Bureau of Investigation (FBI) warns that ransomware gangs are targeting companies involved in “time-sensitive financial events” such as corporate mergers and acquisitions to make it easier to extort their victims. In a private industry notification published on Monday, the FBI said ransomware operators would use the financial information collected before attacks as leverage to force victims to comply with ransom demands.
  • The BlackMatter ransomware operation, which came to prominence earlier this year following the demise of the DarkSide ransomware gang, is allegedly shutting down due to “pressure from the authorities.” The group announced plans to shut down in a message posted on its ransomware-as-a-service (RaaS) portal, where other criminal groups typically register in order to get access to the BlackMatter ransomware strain.
  • Academic researchers have released details about a new attack method they call “Trojan Source” that allows injecting vulnerabilities into the source code of a software project in a way that human reviewers can’t detect. The researchers showed that one way this can be achieved is by using Unicode controls for bidirectional text (e.g. LRI, left-to-right isolate, and RLI, right-to-left isolate) to dictate the direction in which the content is displayed. This method is now tracked as CVE-2021-42574.
  • Popular npm library ‘coa’ was hijacked with malicious code injected into it, ephemerally impacting React pipelines around the world. The ‘coa’ library, short for Command-Option-Argument, receives about 9 million weekly downloads on npm, and is used by almost 5 million open source repositories on GitHub.
  • CISA issued a new directive that forces federal civilian agencies to remediate at least 306 vulnerabilities commonly exploited during attacks. CISA officials emphasized that the catalog was focused on vulnerabilities they said were “causing harm now” but would also be used as a running list of prioritized vulnerabilities based on their evolving understanding of adversary activity.
  • A Zero-Day vulnerability has been identified by the Massachusetts-based cybersecurity firm Randori in Palo Alto Networks firewalls using GlobalProtect VPN. This Zero-Day flaw could be exploited by an unauthorized attacker to execute arbitrary code remotely on vulnerable devices with superuser privileges. The bug is tracked as CVE-2021-3064, scored 9.8 on the CVSS scale, and affects PAN-OS 8.1 versions earlier than PAN-OS 8.1.17.
  • The US announced a $10 million (€8.6 million) reward for information to help find leaders of the high-profile ransomware group DarkSide. In addition to the bounty on the leaders, the State Department is also offering up to $5 million for information that arrests or convicts anyone, in any country, attempting to participate in a DarkSide ransomware incident.
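A defender-side check for the Trojan Source item above, added here as an example and not code from the researchers: it scans source text for Unicode bidirectional control characters (the full embedding, override and isolate ranges, not only the LRI/RLI pair mentioned) and reports each occurrence by line and column so a reviewer can see what the editor rendered invisibly. The sample source is constructed for the example.

```python
"""Scan source text for Unicode bidirectional control characters, the
building block of the Trojan Source technique (CVE-2021-42574).
Added example for this digest, not code from the Trojan Source paper."""
import sys
import unicodedata
from typing import List, NamedTuple

# Bidi embeddings/overrides (U+202A..U+202E) and isolates (U+2066..U+2069).
# Legitimate code very rarely needs these, so any occurrence is worth a review.
BIDI_CONTROLS = frozenset(chr(cp) for cp in range(0x202A, 0x202F)) | \
                frozenset(chr(cp) for cp in range(0x2066, 0x206A))


class BidiHit(NamedTuple):
    line: int       # 1-based line number
    column: int     # 1-based column (code points, not bytes)
    name: str       # Unicode character name, e.g. RIGHT-TO-LEFT ISOLATE
    codepoint: str  # e.g. U+2067


def find_bidi_controls(source: str) -> List[BidiHit]:
    """Return every bidi control character in `source` with its position."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append(BidiHit(lineno, col, unicodedata.name(ch), f"U+{ord(ch):04X}"))
    return hits


def scan_file(path: str) -> List[BidiHit]:
    """Scan one file; decode errors are replaced so a binary file does not abort the scan."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_bidi_controls(fh.read())


# Constructed sample: a harmless comment wrapped in RLI ... PDI, the isolate
# pair the digest item mentions. A reviewer's editor renders it as plain text.
SAMPLE_SOURCE = (
    "def check(user):\n"
    "    # note \u2067 reviewed \u2069\n"
    "    return True\n"
)

if __name__ == "__main__":
    paths = sys.argv[1:]
    findings = [(p, h) for p in paths for h in scan_file(p)] if paths else \
               [("<sample>", h) for h in find_bidi_controls(SAMPLE_SOURCE)]
    for path, h in findings:
        print(f"{path}:{h.line}:{h.column}: {h.codepoint} {h.name}")
    sys.exit(1 if findings else 0)
```

Run with file paths to scan a tree (non-zero exit on any finding makes it usable as a pre-commit or CI gate); with no arguments it scans the constructed sample.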

Cybersecurity Blog Posts

  • Phil Muncaster highlighted the passwordless authentication theme and explained how to tell whether your company is ready to move beyond passwords. Despite eye-catching benefits, uptake in both business-to-consumer (B2C) and business-to-business (B2B) environments has not been as strong as one might have expected.
  • Cybersecurity leaders must come to the table with a powerful, yet succinct, reporting framework and dataset to build a compelling case and continuously justify their programs. But this requires a shift in perspective — because you can’t see the forest if you’re stuck in the trees. James Creamer explained why reporting cybersecurity business impact is about seeing the forest from the trees.
  • While not flashy, cryptographic processing is foundational and critical for data confidentiality, integrity, and authentication. Ryan Smith from Futurex provided six trends of cryptography in the limelight.
  • As a follow-up to the first part of the blog series dedicated to ICS Threat Hunting, “They’re Shootin’ at the Lights!”, Dean Parsons published the second article. The author identified several critical and targeted ICS assets to protect and the related data sources for those assets, focused on the aspects of threat intel to use for a hunt, and built a threat hunt package template to prepare for executing the actual hunt.

Research and analytics

  • According to Kaspersky’s DDoS attacks in Q3 2021 report, 40.80% of DDoS attacks were directed at US-based resources, and those resources accounted for 42.13% of all unique targets. Q3 beat every record in terms of the daily number of DDoS attacks: on August 18, Kaspersky observed 8,825 attacks, with over five thousand on each of August 21 and 22.
  • According to the ESET Threat Report T2 2021, between May and August 2021 55 billion new brute-force attacks against public-facing RDP services were detected (+104% compared to T1 2021), representing a significant acceleration compared to the 27 billion attacks (+60% compared to T3 2020) seen over the first four months of 2021.
  • Palo Alto researchers revealed that a targeted attack campaign against ManageEngine ADSelfService Plus delivers Godzilla webshells, the NGLite Trojan and the KdcSponge stealer. Palo Alto Networks customers are already protected against this campaign.
  • Imperva experts have released this year’s The State of Security within eCommerce report, which takes a deep dive into 12 months of data collected from their global network — including over 360 million web application attacks across trillions of HTTP requests. With this 2021 report, you’ll gain valuable insights into the nature and impact of attacks targeting your organization, helping on the frontlines of website security.
  • The Sophos 2022 Threat Report highlighted interrelated threats targeting an interdependent world. The report consists of five parts, covering the ransomware epidemic and its aftermath, trends in common malware targeting Windows computers, malware on mobile platforms, security threats to infrastructure, and a section on artificial intelligence and how it is applicable to information security practices.
  • Get a comprehensive view of today’s threat landscape and the biggest cyber risks facing organizations today. From the Nokia Threat Intelligence Report 2021 you’ll learn about mobile device malware infections in 5G, supply chain attacks and IoT botnet activity, and infection rates in fixed residential networks during work-from-home times. Threats are becoming more severe, with banking Trojans becoming more common. These include Android malware such as FluBot, TeaBot and Cerberus.
  • According to the Ivanti Ransomware Index Update Q3 2021, the number of vulnerabilities associated with ransomware increased from 266 to 278 in Q3 2021. There has been a 4.5% increase in trending vulnerabilities that are being actively exploited to mount attacks, taking the total count to 140. The total count of older vulnerabilities associated with ransomware is now 258, which is a whopping 92.4% of all vulnerabilities tied to ransomware.
  • Crime Survey for England and Wales estimates for the year ending June 2021, compared with the year ending June 2019, show an 85% increase in computer misuse incidents, driven entirely by an increase in “unauthorised access to personal information, including hacking”.

Major Cyber Incidents

  • Ransomware attacked Toronto’s public transportation authorities. The incident affected the internal systems of TTC, in particular the mail server and the TTC Vision communication system for drivers. The ransomware attack disrupted Toronto’s public transit department and shut down
  • The BlackShadow hacking group attacked the Israeli hosting provider Cyberserve to steal client databases and disrupt the company’s services. Hackers extorted the hosting company and its customers by demanding $1 million in cryptocurrency not to leak stolen data. The deadline for this extortion demand was set for 48 hours, starting on Saturday, but the actors almost immediately leaked a sample of 1,000 records to prove their point.
  • Cybercriminals from India have attacked military units and defense contractors in China, according to the specialists of the Chinese state information security company Antiy Labs. The attackers used phishing emails to trick victims into downloading files and logging into a fake email system. When the victim entered the password, the site sent it to the hackers.
  • The Canadian province of Newfoundland and Labrador has suffered a cyberattack that has led to severe disruption to healthcare providers and hospitals. The attack caused regional health systems to shut down their networks and cancel thousands of medical appointments. This outage affected health systems in Central Health, Eastern Health, Western Health, and the Labrador-Grenfell Regional Health authorities.
  • Robinhood announced that its popular app has suffered a breach, exposing millions of email addresses, names and more. The company was quick to say that no Social Security numbers, bank account numbers, or debit card numbers were exposed, but admitted that about 7 million people had some amount of information leaked in the attack. The customers affected have been emailed.
  • MediaMarkt, a large electronics and home appliance retailer, was hit by a Hive ransomware attack, which shut down its IT systems and prevented stores in Germany and the Netherlands from operating normally. For the recovery of encrypted files, the ransomware operators demanded $240 million from MediaMarkt.