Cyber Round-up for 19th November

Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Advancement of Ransomware Extortion Schemes

The evolution of ransomware has been a constant over the last few years, with its latest development introducing some new technology that allows attackers to “explore new dimensions”.

A popular tactic in modern ransomware attacks is double extortion, in which the attacker threatens to leak the victim’s data online if a ransom is not paid; this means that not only is your data encrypted, but it will also be made publicly accessible if you choose not to pay the threat actors. This puts victims in a difficult situation, because even if they can recover their own data, they are still at risk if they ignore the ransom.

This is becoming even more advanced now with what is known as a quadruple extortion (stolen data, locked files, denial of resources and threatening third parties).


Attackers Leverage Domain Fronting and Leaked Cobalt Strike Tool

The Cisco Talos threat intelligence team recently discovered that malicious actors were using a leaked version of the Cobalt Strike tool, which was originally designed for legitimate remote access. These attackers are also incorporating domain fronting techniques into their campaigns. This is a DNS-based filtering technique that hides malicious traffic behind legitimate, reputable domains.

More details on the evolution of this attack, and how it works, can be found here.


Magecart Attacks Still Devastating Organisations

Magecart attacks exploit vulnerabilities within a third-party software vendor, content management system or domain function in order to secretly inject JavaScript code. This code skims the details entered into a payment portal and sends them to a command-and-control server. These details can then be used for fraudulent purchases or to move the victim’s funds into the attacker’s account. Organisations are still trying to combat Magecart attacks on their payment portals; however, they are difficult to manage because third-party programs keep having previously unknown vulnerabilities that are exploited.


Emotet Malware Seen Back In The Wild

After 10 months of silence, Emotet malware has been recorded infecting devices on the internet once again. Emotet was shut down after an internationally coordinated operation disrupted its infrastructure, leaving it unable to run the command-and-control servers that send commands to infected devices. So far, 9 new command-and-control servers have been found to be linked to the Emotet malware, and it has been said that the newest string of infections does not appear to be a test, but rather a full-fledged campaign to infect machines through malicious emails.


FBI Email Servers Hacked

The FBI has recently been under attack from an unknown source; the attackers managed to compromise one of the FBI’s public ticketing and alerting system email servers and initiated an email spam campaign. The emails contained a warning about a fake cyberattack that was supposedly taking place, and caused the FBI to be flooded with emails and calls from confused organisations. The email attempted to blame Vinny Troia, the founder of NightLion Security, as the perpetrator of a sophisticated attack. The server has since been taken offline and analysed for evidence.


Vulnerabilities & Updates

Intel Processor Flaw Exposes Encryption Keys

A newly discovered vulnerability affecting Intel processors could reportedly allow an attacker to gain elevated privileges. This flaw has been given a CVSS score of 7.1 out of 10, making it a high severity vulnerability, although it does require the attacker to have physical access to the hardware; exploitation of this flaw could lead to the exposure of private encryption keys. It is worth noting that this vulnerability is only exploitable in the event that your device is stolen; however, we still advise applying the necessary patches as soon as possible.


Cybercriminals Selling Zero-Days as ‘Exploit-as-a-service’

Cybercriminals are exploring new ventures in the form of an exploit-as-a-service model, in which they allow customers to rent zero-day exploits to use in their own attacks. Because of the severity of zero-days, this scheme could prove very profitable for cybercriminals, with some discussions reportedly reaching a $10 million agreement. This is a relatively new idea and so there is not much evidence to work with, but there is some skepticism around whether the bad guys would be willing to burn a zero-day in this way – time will tell.


And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #167 – 19th November 2021

Ironshare – Security Simplified