Cybersecurity Digest #33: 06/09/2021 – 17/09/2021

Cybersecurity news

• A team of researchers have devised a new method for protecting SSDs from ransomware attacks. It can detect ransomware, stop it in its tracks, and even recover stolen data in a matter of seconds. The cost should only be a minor increase in the SSD’s latency. SSD-Insider works by recognizing certain patters in SSD activity that are known to indicate ransomware.
• Cybercriminals recreate Cobalt Strike in Linux. The new malware strain has gone unnoticed by detection tools. A re-implementation of Cobalt Strike has been “written from scratch” to attack Linux systems. Dubbed Vermilion Strike, Intezer said that the new variation leans on Cobalt Strike functionality, including its command-and-control (C2) protocol, its remote access functionality, and its ability to run shell instructions.
• The dark web servers for the REvil ransomware operation have suddenly turned back on after an almost two-month absence. It is unclear if this marks their ransomware gang’s return or the servers being turned on by law enforcement.The REvil ransomware gang, aka Sodinokibi, used a zero-day vulnerability in the Kaseya VSA remote management software to encrypt approximately 60 managed service providers (MSPs) and over 1,500 of their business customers.
• A security flaw in Travis CI potentially exposed the secrets of thousands of open source projects that rely on the hosted interminable integration service. Travis CI is a software-testing solution used by over 900,000 open source projects and 600,000 users. A vulnerability in the tool redressed it possible for secure environment variables—signing keys, access credentials, and API tokens of all public open source projects—to be exfiltrated.
• A free master decryptor for the REvil ransomware operation has been released, allowing all victims encrypted before the gang disappeared to recover their files for free. The REvil master decryptor was created by cybersecurity firm Bitdefender in collaboration with a trusted law enforcement partner.

Cybersecurity Blog Posts

• AirEye’s research team in collaboration with the Computer Science faculty at the Technion – Israel Institute of Technology have found a vulnerability, dubbed SSID Stripping, which causes a network name – aka SSID – to appear differently in the device’s List of Networks than its actual network name. The SSID Stripping vulnerability affects all major software platforms – Microsoft Windows, Apple iOS and macOS, Android and Ubuntu.
• Phil Muncaster wrote in ESET blog what is a cyberattack surface and how to reduce it. He offered to iscover the best ways to mitigate organization’s attack surface, in order to maximize cybersecurity.
• Alex Restrepo, Virtual Data Center Solutions at Veritas Technologies, described top steps for ransomware recovery and preparation, and explained how to prepare for another one in the future.
• Tony Lauro, director of security technology and strategy at Akamai, discussed human fraud and how to disrupt account takeovers in the exploitation phase of an attack.

Research and Analytics

• According to Kaspersky ICS CERT Threat landscape for industrial automation systems for H1 2021, during the first half of 2021 the percentage of attacked ICS computers was 33.8%, which was 0.4 percentage points higher than in H2 2020. The percentage of ICS computers on which threats were blocked decreased in all monitored industries. This was especially noticeable in the oil and gas (36.5%) and building automation (40.3%) sectors.
• At the end of July 2021 Avast experts conducted research into open Firebase instances. They found about 180,300 Firebase addresses in their systems and approximately 19,300 of those Firebase DBs, 10.7% of the tested DBs were open, exposing the data to unauthenticated users.
• According to Barracuda Top Threats and Trends report, bots made up 64% of internet traffic over the first six months of 2021. From their sample set, most of the bot traffic was coming in from the two large public clouds — AWS and Microsoft Azure — in roughly equal measure.
• CyberNews researchers identified more than 2 million web servers worldwide still running on outdated and vulnerable versions of Microsoft Internet Information Services software. These legacy versions are no longer supported by Microsoft, which makes millions of web servers easy targets for threat actors and cybercriminals.
• The first Linux version of ChaChi, a Golang based DNS tunneling backdoor, was recently observed on VirusTotal. The malware is configured to use domains associated with ransomware actors known as PYSA, aka Menipoza Ransomware Gang. Lacework researchers assess with moderate confidence this sample represents the PYSA actor expanding into targeting Linux hosts with ChaChi backdoor.
• 2021 Midyear Cybersecurity Report by TrendMicro showed that over 7.3 million ransomware threats were detected in the first six months of 2021, which is almost half the number of detections were found in the same period in 2020. In terms of targeted industries, ransomware actors focused on many of the same sectors as last year. The most affected organizations were in banking, government, and manufacturing.
• One out of every two on-premises databases globally has at least one vulnerability, finds a new study from Imperva Research Labs spanning 27,000 on-prem databases, based on insights from a proprietary database scanning service introduced by Imperva Innovation five years ago. With nearly half of all databases globally (46%) containing a vulnerability and the average number of Common Vulnerabilities and Exposures (CVEs) per database standing at 26, it’s clear that businesses are ignoring one of the basic tenets of data security which is to patch and update databases as soon and often as possible.

Major Cyber Incidents

• A cyber attack on Russian tech giant Yandex’s servers in August and September was the largest known distributed denial-of-service attack in the history of the internet. The DDoS attack, in which hackers try to flood a network with unusually high volumes of data traffic in order to paralyse it when it can no longer cope with the scale of data requested, began in August and reached a record level on September 5. Yandex experts did manage to repel a record attack of nearly 22 million requests per second.
• The hacker, calling himself SangKancil, claims to have stolen the identity of an estimated 7 million Israeli citizens by hacking into the base of the CITY4U website, with which municipalities and local councils cooperate. Among the stolen data are identity cards, driver’s licenses, tax returns, a notice of fines, certificates of payments for education, water, parking and other documents.
• A cyberattack temporarily disrupted the work of ANZ, New Zealand’s largest bank, and a number of other financial institutions, as well as the country’s national postal service. According to ANZ on Twitter, the cyberattack caused some services to stop working, in particular online banking and the goMoney app. The problem also affected the state-owned bank Kiwibank, which said it was working to restore access to its application, Internet banking, telephone banking and website.
• Jenkins, a leading open source automation server, announced on that its deprecated Confluence service was successfully attacked through the Confluence CVE-2021-26084 exploit – something that US Cybercom warned of in a notice last week. Every account password has been reset and the Jenkins infrastructure team has permanently disabled the Confluence service. The team has also rotated privileged credentials and taken measures to reduce the scope of access across their infrastructure.
• A threat actor has leaked a list of almost 500,000 Fortinet VPN login names and passwords that were allegedly scraped from exploitable devices last summer. While the threat actor states that the exploited Fortinet vulnerability has since been patched, they claim that many VPN credentials are still valid. This leak is a serious incident as the VPN credentials could allow threat actors to access a network to perform data exfiltration, install malware, and perform ransomware attacks.
• Hackers breached the United Nations’ computer networks earlier this year and made off with a trove of data that could be used to target agencies within the intergovernmental organization. The hackers’ method for gaining access to the UN network appears to be unsophisticated: They likely got in using the stolen username and password of a UN employee purchased off the dark web.