Cybersecurity news
- The Cuba ransomware operation is exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices. Cybersecurity firm Mandiant tracks the ransomware gang as UNC2596 and the ransomware itself as COLDDRAW. However, the ransomware is more commonly known as Cuba.
- A notification from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that threat actors are exploiting vulnerabilities in Zabbix, an open-source tool for monitoring networks, servers, virtual machines, and cloud services. The agency is asking federal agencies to patch any Zabbix servers against the security issues tracked as CVE-2022-23131 and CVE-2022-23134, to avoid “significant risk” from malicious cyber actors.
- US and UK cybersecurity and law enforcement agencies today shared information on new malware deployed by the Iranian-backed MuddyWater hacking group in attacks targeting critical infrastructure worldwide.
- Cybersecurity researchers at ZeroFox Intelligence have recently discovered a new Golang-based botnet dubbed Kraken. The botnet is under active development and is used by threat actors to deploy a backdoor that steals sensitive data from Windows hosts.
- A group of academics from the North Carolina State University and Dokuz Eylul University have demonstrated what they say is the “first side-channel attack” on homomorphic encryption that could be exploited to leak data as the encryption process is underway.
- Avast has released a decryptor for the HermeticRansom ransomware strain used in targeted attacks against Ukrainian systems over the past ten days. The decryptor is offered as a free-to-download tool from Avast’s website and can help Ukrainians restore their data quickly and reliably.
- Data collected from more than 200,000 network-connected medical infusion pumps used to deliver medication and fluids to patients shows that 75% of them are running with known security issues that attackers could exploit.
- The TeaBot banking trojan was spotted once again in the Google Play Store, where it posed as a QR code app and spread to more than 10,000 devices. According to a report from Cleafy, an online fraud management and prevention company, these applications act as droppers: they are submitted without malicious code and request minimal permissions, which makes it hard for Google’s reviewers to spot anything shady.
Cybersecurity Blog Posts
- “If you’re not measuring something, you can’t manage it”: CIS experts explained how configuration assessments help improve cyber defenses.
- Kasey Cross and Paul Kaspian discussed the role of the SOC in creating a zero-trust enterprise. Although the SOC is an important element of Zero Trust, organizations should consider how to adopt innovations such as automation, analytics and machine learning to increase its effectiveness.
- Anton Chuvakin released the third post in his series on XDR. His journey to XDR clarity has led him back to SIEM, SOAR and EDR. Specifically, one vision of XDR is that of consolidation married to simplification, or, as he put it, XDR as an integrated platform of minimized components.
Research and analytics
- Code42 Software published its 2022 Data Exposure Report. They surveyed 700 respondents (senior business leaders, senior cybersecurity leaders and cybersecurity practitioners) from US companies with 500 or more employees across a range of public and private sectors. The survey found that cybersecurity teams face unprecedented challenges when it comes to protecting confidential corporate data.
- Neustar Security Services released its Cyber Threats & Trends Report: Defending Against A New Cybercrime Economy. The company stated that it had recorded an unprecedented number of carpet-bombing attacks in 2021, and that it mitigated a 1.3 Tbps attack in November 2021. While the timing may have been a coincidence, the attack came at the start of the holiday season.
- Ivanti released its Ransomware Spotlight Year End 2021 Report. They identified 32 new families in 2021, a 25.6% increase in the overall family count. With 157 ransomware families exploiting 288 vulnerabilities, ransomware groups are poised to wage rampant attacks in the coming years.
- Fortinet presented the semi-annual FortiGuard Labs Global Threat Landscape Report. Threat analysis for the second half of 2021 shows an increase in the automation and speed of attacks, demonstrating more advanced and persistent cybercrime strategies that are becoming more destructive and unpredictable.
- Proofpoint released its annual 2021 State of the Phish report. It examines in detail user awareness of phishing, vulnerability and resilience. The report shows that attackers were more active in 2021 than in 2020, with 78% of organizations facing email-based ransomware attacks and 77% facing business email compromise attacks.
- According to a report by The Brainy Insights, the global security and vulnerability management market is expected to reach USD 15.86 billion by 2030, at a CAGR of 9% from 2021 to 2030. Defending against continuous information security breaches is a challenge for businesses of all sizes. Security professionals are projected to stay ahead of threats by using technology, policies, and procedures to secure sensitive data and prevent incoming attacks, resulting in market growth.
- Researchers from the Institute of Applied Artificial Intelligence at Deakin University and the University of Wollongong claim that many approaches to protecting against Trojan attacks lag behind the pace at which attack methods are developing. In their study, the experts proposed two new methods of protection: Variational Input Filtering and Adversarial Input Filtering. Both methods are designed to learn a filter that can detect all Trojans in the model’s input data at runtime.
- A team of researchers from Pennsylvania State University in the US and Zhejiang and Shandong Universities in China studied the susceptibility to deepfakes of some of the world’s largest face-based authentication systems. As the results of the study showed, most systems are vulnerable to newly developed forms of deepfakes.
- Cryptocurrency usage is growing faster than ever before. According to analysts at the blockchain platform Chainalysis in The 2022 Crypto Crime Report, total transaction volume across all cryptocurrencies tracked by Chainalysis grew to $15.8 trillion in 2021, up 567% from 2020’s totals. Given that roaring adoption, it’s no surprise that more cybercriminals are using cryptocurrency. But the fact that illicit transaction volume grew by just 79%, nearly an order of magnitude less than overall adoption, might be the biggest surprise of all.
Major Cyber Incidents
- More than 71,000 employee credentials were stolen, and some of them leaked online, following a data breach suffered by US chipmaking giant NVIDIA. The stolen data contains email addresses and NTLM password hashes, many of which were subsequently cracked and circulated within the hacking community.
- Axis Communications, the Swedish manufacturer of network cameras, access control systems, and surveillance network appliances, suffered a cyberattack that forced it to shut down all systems to limit the impact.
- The Lapsus$ data extortion group leaked a huge collection of confidential data they claim to be from Samsung Electronics, the South Korean consumer electronics giant. The leak comes less than a week after Lapsus$ released a 20GB document archive from the 1TB of data stolen from GPU designer NVIDIA.
- The biggest story of the period is the massive data leak from the Conti ransomware operation, including over 160,000 internal messages between members and source code for the ransomware and for the TrickBot operation.
- Romania’s Rompetrol gas station network has been hit by a ransomware attack. A subsidiary of KMG International, Rompetrol announced today that it is dealing with a “complex cyberattack” that forced it to shut down its websites and the Fill&Go service at gas stations.