Cyber Round-up for 25th February
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The NCSC have posted an advisory to warn that the hacker group Sandworm has been found to be behind the creation of the malware labelled Cyclops Blink. The malware has been active since 2019 and is suspected to be a replacement for the group’s previous malware, VPNFilter. Cyclops Blink is aimed at businesses and organisations using WatchGuard devices; however, it is thought to be capable of being compiled for other architectures and firmware. The malware’s modular framework is designed to allow the hacker group to install and execute files on the device, as well as to deploy new modules with additional capabilities for the hackers to utilise.
If you are running WatchGuard firewalls it is highly recommended to review the advisory, follow the guidance and remediate any issues found immediately. The analysis report can be found here.
Hive ransomware has been around since June 2021 and has been aimed at infecting both organisations and individuals. The ransomware uses a variety of different infection methods such as email, vulnerable RDP servers and compromised VPN credentials to install itself on a device. In the fight against cyber criminals, security researchers have found that Hive has a flaw in its encryption algorithm allowing for the recovery of a decryption key. They stated, “We were able to recover the master key for generating the file encryption key without the attacker’s private key, by using a cryptographic vulnerability identified through analysis.”
With the ongoing tensions between Russia and Ukraine, Russia is expected to launch complex cyber-attacks against Ukraine’s key infrastructure. The EU’s Cyber Rapid Response Teams have reported providing aid to Ukraine through the use of best practice principles and incident response.
An inquiry into the use of wiper malware against the IRIB in January has found the use of custom backdoors and scripts. The attack against the broadcaster was “a targeted attack” disrupting the broadcasting of radio and television while also discrediting the current leader of Iran. During the attack, propaganda of the opposing organisation, the MKO, was shown to viewers. The wiper malware managed to clear files, drives and the master boot record of the devices infected.
Construction companies are usually a high-value target for cyber criminals due to the sensitive information they hold and their lack of security measures. With the UK’s push to improve cyber security nationwide, the NCSC is giving guidance to help secure the construction sector. The advice is aimed at the preventative measures those businesses should take to secure their hardware and sensitive information from hackers, and at increasing awareness of common cyber-attacks such as phishing and ransomware.
Expeditors, a logistics and freight shipping company, has reportedly been hit by a cyber-attack. The $10 billion business has been forced to shut down global operations due to the attack. There has been no official statement from Expeditors as to the type of cyber-attack, but anonymous sources say it was due to a ransomware attack. No timeframe has been reported for when the business will resume its operations, but it has said they will remain suspended until it can securely reboot from backups.
Vulnerabilities & Updates
A new vulnerability found in the WordPress plugin UpdraftPlus has put 3 million websites at risk. The plugin is aimed at providing admins with a means of backing up installations, including user credentials. The vulnerability allowed security tokens to be leaked, giving an attacker a means of authenticating and therefore access to the backups containing usernames, hashed passwords and other sensitive information. Due to its critical nature, all instances of UpdraftPlus have been automatically updated by WordPress themselves to the newest version, protecting customers against this vulnerability.
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #180 – 25th February 2022
Why not follow us on social media: