Neu Cyber Threats – 3rd June 2021
Criminals behind SolarWinds strike again
The group of cyber criminals behind the infamous SolarWinds incident in early 2021 has struck again.
Microsoft’s Threat Intelligence Centre began tracking this latest campaign in late January 2021, when it was in the reconnaissance stage. The Centre observed it evolving over a series of waves that demonstrated significant experimentation. Recently, though, researchers observed an escalation as the threat group began masquerading as an organisation to distribute emails containing malicious URLs via a legitimate mass-messaging service, with a wide variety of businesses targeted.
As well as the widely disruptive SolarWinds incident earlier in the year, the group is also behind the Sunburst backdoor, Teardrop malware and GoldMax malware. In the past, the group has targeted a range of businesses, including IT service providers, health technology and telecommunications providers, among others. The targets in the latest attack are 3,000 individual accounts across more than 150 organisations. A common theme is the use of unique infrastructure and tooling for each target, which helps the attackers remain undetected for a longer period of time.
During the SolarWinds attack, the cyber criminals infected targets by pushing out a custom Sunburst backdoor via trojanised product updates to nearly 18,000 organisations around the world. In this way, the attack remained undetected until December, giving the attackers time to pick and choose which organisations to penetrate further and resulting in a sprawling cyberespionage campaign that significantly affected the operations of many businesses. There are key differences between that attack and this latest campaign, which researchers attributed to changes in the actor’s tradecraft and possible experimentation following widespread disclosures of previous incidents.
Microsoft’s Centre observed the cyber criminals changing tactics several times over the course of the latest campaign. After initial reconnaissance, the group mounted a series of spear-phishing campaigns with a similar intent: to compromise systems through an HTML file attached to the email. During this time the group altered both the email and the HTML document, as well as the way the document infects victims’ machines. This enabled the group to pursue further malicious objectives, such as lateral movement, data exfiltration and delivery of additional malware.
Neuways recommends being aware of the threat that phishing campaigns pose to businesses. It’s important that employees, the effective gate-keepers of their businesses, stay wary of any emails they receive from unknown sources. Any communication that encourages immediate action, such as opening a URL or an attached file, could be all a cyber criminal needs to compromise a business’ network through the download of malware.
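One defensive check the HTML-attachment lure described above invites, written here as an added example (not Neuways’ or Microsoft’s code): a mail-gateway filter that parses a raw message and flags HTML attachments containing inline script, javascript: links or base64 data URIs. The sample message is constructed for the demonstration.

```python
"""Flag HTML email attachments that carry active content (added example,
not Neuways' or Microsoft's code; the sample message below is constructed)."""
import base64
import re
from email import message_from_bytes
from email.message import Message

# Markers of active content inside an HTML file: inline script, javascript:
# links, or embedded base64 data URIs used to unpack a payload in the browser.
ACTIVE_CONTENT = re.compile(
    rb"<script\b|javascript:|data:[^\s\"']+;base64,", re.IGNORECASE)


def is_html_attachment(part: Message) -> bool:
    """True if a MIME part is an HTML file delivered as an attachment."""
    if part.get_content_maintype() == "multipart":
        return False
    filename = (part.get_filename() or "").lower()
    return filename.endswith((".html", ".htm")) or (
        part.get_content_type() == "text/html"
        and part.get_content_disposition() == "attachment")


def suspicious_html_attachments(raw: bytes) -> list:
    """Return (filename, matched marker) for each HTML attachment with active content."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if not is_html_attachment(part):
            continue
        body = part.get_payload(decode=True) or b""
        match = ACTIVE_CONTENT.search(body)
        if match:
            findings.append((part.get_filename(), match.group(0).decode(errors="replace")))
    return findings


# Constructed sample: plain-text body plus an HTML attachment holding a
# harmless inline script, enough to exercise the check.
_HTML = b"<html><body><script>alert('hello')</script></body></html>"
SAMPLE_EMAIL = (
    b"From: sender@example.test\r\nTo: user@example.test\r\n"
    b"Subject: Action required\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n\r\n'
    b"--XYZ\r\nContent-Type: text/plain\r\n\r\nPlease open the attached file.\r\n"
    b'--XYZ\r\nContent-Type: text/html; name="invoice.html"\r\n'
    b'Content-Disposition: attachment; filename="invoice.html"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(_HTML) + b"\r\n--XYZ--\r\n"
)
```

Running `suspicious_html_attachments(SAMPLE_EMAIL)` reports the invoice.html attachment and the `<script` marker that triggered it; a gateway would quarantine such a message for review rather than deliver it.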
Skype for Business to shut down in July
Microsoft have announced that Skype for Business will be closing on July 31 2021. This means that any current users of Skype for Business will need to consider transferring to a new communications platform, as in less than two months it will be unavailable.
Skype for Business users will be looking for a new communications tool to move their operations to, and the natural successor is Microsoft Teams. Teams has become indispensable for many businesses during the COVID-19 pandemic and a gem for Microsoft. It has ensured communication can remain uninterrupted as businesses transition from office to remote working.
Teams offers businesses easy ways to communicate with colleagues, customers and suppliers through video and audio calls. The video calls, in particular, have become an important way for departments within businesses to stay connected and familiar with one another, during the extended break from face-to-face contact during the last year.
The most useful aspect of Microsoft Teams is its ability to connect with the rest of the Microsoft suite of applications. The connection with Microsoft’s Voice over Internet Protocol (VoIP) platform, Business Voice, gives businesses a fully unified communication platform, allowing a business’ colleagues to stay in sync with one another.
In addition, Teams works seamlessly with Outlook, giving users the ability to arrange and attend video meetings with colleagues, suppliers and customers. The ability to distribute Word documents and statistics from Business Central allows colleagues to share information with meeting participants with ease.
If you have any further questions about the shutting down of Skype for Business and transitioning to Microsoft Teams, get in touch with Neuways’ technical team on 01283 753 333 or via firstname.lastname@example.org.
Apple hit by more security woes
Apple has patched a critical bug in macOS that could be exploited to take screenshots of a user’s computer and capture images of their activity within applications or on video conferences without the person knowing. The vulnerability is one of a whole range that Apple have faced this year with macOS’ Big Sur firmware.
Researchers have discovered the XCSSET spyware was using the vulnerability, specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions. Apple so far has not provided specific details about the origin of the vulnerability.
The flaw works by bypassing the Transparency, Consent, and Control (TCC) framework, which controls which resources applications on a Mac have access to, such as granting video collaboration software access to the webcam and microphone in order to participate in virtual meetings.
It was noticed that XCSSET used two zero-day flaws to do its dirty work: one in Data Vault that allowed it to bypass macOS’ System Integrity Protection (SIP) feature, and one in Safari for WebKit Development that allowed universal cross-site scripting (UXSS). The TCC bypass described above can now be added to the list as a third zero-day flaw the spyware exploits.
Apple’s latest security issue comes hot on the heels of an Apple executive calling the amount of malware on the Mac platform “unacceptable” last Wednesday, while earlier in May 2021, Apple released a quartet of unscheduled updates for iOS, macOS and watchOS to secure flaws spotted in its WebKit browser engine. A week before, Apple patched a zero-day vulnerability in macOS that could bypass critical anti-malware capabilities and which a variant of the Shlayer adware dropper had been exploiting for several months.
Neuways advises Apple users to ensure any security patches are applied as soon as they are issued. This will protect your Apple devices against the latest threats cyber criminals are using to try and affect users, and ultimately avoid ransom demands of thousands of pounds being sent to your business.
Insight into ransomware presents a huge economy
The economy of ransomware has been examined by researchers, and the results are eye-opening for businesses and organisations that are the target of devious cyber criminals. Ransomware is not just any type of malware: it’s central to a sophisticated, flourishing underground economy that has all the conventions of legitimate commerce. Made up of major malware developers, affiliates and channel partners, the community provides adjacent services, such as selling network access and ransomware-as-a-service (RaaS). Cyber criminals even have their own PR teams that put out press releases and maintain their “brands”, as well as customer service operations to deal with victims calling and responding to their scams.
The general ransomware economy is well-developed and complex, with cyber criminals supplying different services to one another. For instance, ‘botmasters’ offer access to already-compromised devices, while software developers improve malware. Others specialise in providing network access via backdoor vulnerabilities, with access often sold in eBay-style auctions, sometimes for as little as £35. The attackers who create the initial compromise are either botnet owners who run wide-reaching campaigns and sell access to victim machines in bulk, or hackers who are constantly on the lookout for publicly disclosed software vulnerabilities to exploit as soon as they are announced and before patches are distributed.
At the heart of the economy is the fact that ransomware operators often adopt affiliates, to whom they provide RaaS offerings. Affiliates can be seen as channel partners of the underground who are responsible for ransomware distribution to end-user victims. They can pocket between 60% and 80% of the ransom, with the rest going to the operators’ and authors’ wallets. RaaS operations carefully select their affiliate partners, with requirements that vary from technical expertise to the ability to prove they have roots in Russia or the former Soviet states! This last criterion is usually intended to avoid infiltration of affiliate programs by western law-enforcement services and by cyber-threat researchers.
On the Dark Web, ransomware samples and builders go for anywhere between £200 and £3,000, with ransomware-as-a-service available to rent from just £80 for a year, which clearly shows just how accessible ransomware and malware are to ‘wannabe’ cyber criminals.
Backlash against operators can sometimes happen. For instance, it was recently revealed that cybercriminals who have worked as affiliates with ransomware group DarkSide, responsible for the Colonial Pipeline attack, are having a tough time getting paid for their work now that the group has had its operations interrupted; so, they’re turning to admins of the group’s Dark Web criminal forum to sort things out in what researchers call a “shady version of the People’s Court.”
Also, when a criminal software developer builds a new strain of ransomware, the developer will often first share the project for free with a select few trusted community members. The idea is to enable reputable criminals to provide feedback and validate the new piece of malware. Once the malware has effectively been peer reviewed and tweaked accordingly, the developer advertises it publicly.
However, things aren’t looking rosy for ransomware operators in the future, as a coalition of 60 global entities has proposed a sweeping plan to create a ransomware task force, to hunt down and disrupt ransomware gangs by going after their financial operations.
With the cost of ransoms doubling over the past year, Neuways advises businesses to take ransomware seriously: it has proven to be a very real and dangerous threat for businesses all around the world. The cost is not only a potential ransom, but also the downtime incurred while a business is unable to operate.
BCDR policies help business to survive cyber attack
A response from audio specialist Bose shows the power of Business Continuity and Disaster Recovery (BCDR) plans. Despite a recent ransomware attack, Bose has remained relatively unaffected, as its BCDR practices sprang into action to protect it. A ransom demand was issued by cyber criminals, but Bose declined to pay and instead was able to regain control of its environment.
Because its technical team initiated incident-response protocols to contain the incident, the company was able to escape unharmed from a cyber attack, something that can’t be said for many businesses over the last 12 months.
As is the case with many modern ransomware attacks, cyber attackers tried to steal company data to ratchet up the pressure on the victim to pay the ransom. While the cyber criminals were able to access HR files for six former employees, it was not determined whether the data was successfully stolen or not.
Dark Web monitoring has also been used to determine whether any of Bose’s data is being sold, but none has been found to date.
During and after the attack, Bose said that it implemented the following BCDR measures:
- Enhanced malware/ransomware protection on endpoints and servers to further enhance its protection against future malware/ransomware attacks
- Performed detailed forensic analysis on the impacted server to analyse the impact of the malware/ransomware
- Blocked malicious files used during the attack on endpoints to prevent further spread of the malware or data exfiltration attempt
- Enhanced monitoring and logging to identify any future actions by the threat actor or similar types of attacks
- Blocked newly identified malicious sites and IPs linked to this threat actor on external firewalls to prevent potential exfiltration
- Changed passwords for all end users and privileged users
- Changed access keys for all service accounts
It’s unclear which ransomware gang hit Bose, but the practice of exfiltrating information under cover of the ransomware attack itself is increasingly common. This so-called “double-extortion” approach has given way to a new wrinkle called “triple extortion”, where criminals encrypt files, steal data and also steal the data of the victim company’s partners and suppliers, as they attempt to make as much money as possible from each ransomware hit. Neuways applauds Bose’s quick actions and would encourage any business to ensure it has a Business Continuity and Disaster Recovery plan in place. By having protocols that kick into action as soon as any kind of downtime is incurred, businesses protect themselves for the long term; otherwise, a cyber attack could mean a great deal of monetary, as well as reputational, damage.