Cyber Round-up for 15th January
Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The FBI have recently been investigating a wave of ransomware attacks, known as Egregor. Reports from the agency state that more than 150 organisations have already been compromised all over the world, including Barnes & Noble Bookseller, retailer Kmart, and video game company Ubisoft. This ransomware spreads through phishing emails and malicious attachments but has also been seen infecting machines through RDP and VPNs. Unfortunately, paying the ransom was not always a way out, as many companies’ files were not recovered as promised. There are many actors involved in these attacks, and they do not appear to be slowing down; we will provide updates on the situation when more details are released.
The FBI’s report on the Egregor ransomware can be found here.
Ransomware gangs are constantly changing their tactics and evolving, and a lot of them are suddenly changing their approach to the users they target. One group, using the Clop ransomware, has been seen targeting machines used by those in executive positions. These computers are more likely to contain sensitive data than those of a standard user, meaning the company will be more desperate to get it back. This new tactic is not thought to be widely used at the moment but is becoming increasingly popular. We expect to see more groups adopt this method in the near future, since it appears to have a big impact for the few who use it.
Ubiquiti have announced that they identified unauthorised access to their IT systems and have provided details on the incident in a statement on their website. The firm has said that there is no indication of unauthorised activity on any user’s account, but they cannot say for certain that account details were not accessed. As a precaution, Ubiquiti have advised all users to change their passwords, since the potentially exposed info included email addresses, names, and one-way encrypted passwords. We also strongly advise that you enable two-factor authentication; this helps keep your account secure even if your password is stolen.
A stealthy malware operation has been active in the wild for over five years, infecting macOS systems and mining cryptocurrencies on them. The malware, known as OSAMiner, was being distributed in pirated software, with League of Legends and MS Office for Mac being the most common. This operation primarily targets users in Chinese/Asia-Pacific communities and has reportedly evolved over the last few months; the malware appears to run three consecutive run-only AppleScripts, which are downloaded with the pirated software installer. The source code for these scripts is not human-readable, making analysis especially hard for researchers. Despite these difficulties, SentinelOne researcher Phil Stokes has published “the full-chain of this attack, along with indicators of compromise”.
Stokes’ detailed report can be found here.
On Tuesday, Mimecast issued a statement on a “sophisticated threat actor” who stole a digital certificate used by some customers to securely connect Mimecast products to Microsoft 365. The incident was discovered when Mimecast received a breach notification from Microsoft. The stolen certificate is used by around 10% of the company’s customers, with only a small percentage of these being targeted. All customers have been advised to terminate their existing connection with M365 and establish a new one to ensure they are not at risk. The breach could have allowed the attacker to perform man-in-the-middle attacks, steal sensitive information and intercept email traffic, so we strongly recommend following this advice as soon as possible.
You can read Mimecast’s statement here on their website.
Vulnerabilities & Updates
CISA have released a summary of vulnerabilities that have emerged in the last week. The data comes from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and includes a number of high-severity remote code execution and SQL injection flaws, as well as many more medium- and low-severity vulnerabilities. The entries in this summary provide additional details for each flaw, as well as patch details, if any have been released.
The first batch of security updates for 2021 has arrived from Adobe and Microsoft. Starting with Adobe, seven flaws were patched, including uncontrolled search path element and server-side request forgery vulnerabilities. None of the flaws addressed in these patches were under active attack at the time of release. As for the Microsoft patches, 83 bugs were addressed in total, including multiple privilege escalation and remote code execution vulnerabilities, 10 of which are rated critical. A remote code execution vulnerability in Microsoft Defender is listed as being under active attack. We advise all users to apply the latest updates as soon as possible.
And that is it for this week’s round-up; please do not forget to tune in for new instalments every week.
Stay Safe, Secure and Healthy!
Edition #124 – 15th January 2021
Ironshare – Security Simplified