Cyber Round-up for 28th August
Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of security.
In this week’s round-up:
The first half of 2020 saw its fair share of ransomware attacks, especially in the enterprise sector. Every ransomware group has its own way of doing things, but a few intrusion methods are shared by almost all of them. As you may have expected, Remote Desktop Protocol (RDP) tops the list as the most common attack vector, followed by a method that only became popular this year: VPN appliances are now the second most used intrusion vector for ransomware groups. Since the summer of 2019, researchers have disclosed a number of high-risk vulnerabilities in VPN appliances, and over time these tempted ransomware groups to change their methods and focus on targets such as Citrix network gateways and Pulse Secure VPN, which have become their new favourites. If you haven't patched these devices yet, or blocked access to RDP services from the internet, it's time to get this done!
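One quick way to check the "is RDP reachable from the internet?" question is to audit your firewall's accept logs for RDP sessions that arrive from non-internal addresses. The script below is an added example for this round-up, not Ironshare's code or any vendor's tool: the key=value log format, the internal address list and the sample lines (which use RFC 5737 documentation ranges as stand-in attacker addresses) are all constructed for illustration, so adapt the regex to whatever your firewall actually emits.

```python
"""Audit firewall accept logs for RDP sessions reaching internal hosts from
internet sources. Added example for this round-up; not Ironshare's code. The
log format and the addresses are constructed for illustration."""
import ipaddress
import re
from collections import defaultdict

# Address space we treat as "inside": RFC 1918, loopback and link-local.
# Anything else is treated as the internet, including the RFC 5737
# documentation ranges used as stand-in attacker addresses below.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Hypothetical key=value log line, loosely modelled on common firewall syslog.
LOG_RE = re.compile(
    r"action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2020-08-27T09:12:01Z action=accept src=203.0.113.5 dst=192.168.1.20 dport=3389 proto=tcp",
    "2020-08-27T09:12:05Z action=accept src=10.0.5.14 dst=192.168.1.20 dport=3389 proto=tcp",
    "2020-08-27T09:13:40Z action=drop src=198.51.100.7 dst=192.168.1.20 dport=3389 proto=tcp",
    "2020-08-27T09:14:02Z action=accept src=198.51.100.7 dst=192.168.1.21 dport=3389 proto=tcp",
    "2020-08-27T09:15:11Z action=accept src=203.0.113.9 dst=192.168.1.30 dport=22 proto=tcp",
    "malformed line that the parser must skip",
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_exposed(lines, watched_ports=(3389,)):
    """Return {(dst, dport): [src, ...]} for accepted connections from
    internet sources to watched ports. An empty dict means nothing exposed."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m is None or m["action"].lower() != "accept":
            continue  # unparseable, or the firewall already blocked it
        dport = int(m["dport"])
        if dport in watched_ports and not is_internal(m["src"]):
            hits[(m["dst"], dport)].add(m["src"])
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == "__main__":
    for (dst, dport), sources in find_exposed(SAMPLE_LOG).items():
        print(f"{dst}:{dport} reachable from {', '.join(sources)}")
```

Run against a real export, every entry it prints is a host that should either be behind the VPN or fronted by a gateway with MFA; dropped connections are ignored on purpose because they show the firewall doing its job. The same function can be pointed at other ports (for example the management interface of a VPN appliance) via `watched_ports`.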
ArmorBlox has detected a credential phishing attack that uses a site hosted on Box. The phishing email purports to come from a legitimate third-party vendor and contains a link to a 'secure document'. After compromising a vendor account, the attacker stands up a newly registered ('zero-day') domain, one too new to appear on any blocklist, to host the credential-phishing page, then uses the compromised vendor account to distribute the fake emails to several users. Clicking the link in the email takes the user to a file containing a link to the site hosted on Box, which in turn leads to a fake Office 365 login portal. Because the email comes from a genuine vendor account and the intermediate link sits on a legitimate file-sharing service, this scheme is hard to spot, so we suggest you keep an eye out for it. More details are included in the article on ArmorBlox.
NZX, the New Zealand stock exchange, was taken offline for two days following multiple distributed denial-of-service (DDoS) attacks that started on Tuesday; trading had to be halted on both days. CERT NZ, New Zealand's national computer emergency response team, released an alert back in November 2019 warning that emails were being sent around threatening a DDoS attack if a ransom was not paid; the senders claimed to be the Russian hacking group Fancy Bear, although that attribution has not been confirmed. Until now, the threat had not been acted on. No further information has been disclosed about the attack, but the exchange is now back to operating at full capacity.
Graphics resource company Freepik has disclosed a serious data breach in which attackers stole the personal data of 8.3 million Freepik and Flaticon users. The target of the attack was the Flaticon website, which was vulnerable to SQL injection. The breach is significant given the platform's scale: 18 million unique users per month and 100 million monthly downloads. Of the 8.3 million affected users, 4.5 million had only their email addresses stolen, while the remaining 3.8 million had their password hashes taken as well. Freepik has emailed affected users prompting them to change their passwords; other than this, no action was taken.
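The Flaticon breach is a textbook case of what SQL injection buys an attacker: one unparameterised query on a public-facing page is enough to pull every email address and password hash out of an unrelated table. The example below is added here to illustrate that and is not Flaticon's code; the schema, the rows and the hash values are constructed, and SQLite stands in for whatever database the real site uses. It shows a tag-search query built by string formatting next to the parameterised fix, and the UNION payload that turns the first one into a dump of the users table.

```python
"""SQL injection against a tag-search query, vulnerable and fixed. Added
example for this round-up, not Flaticon's code; schema, rows and hashes
are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for an icon site's database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "$2b$12$constructedbcryptvalue"),
         ("bob@example.com", "5f4dcc3b5aa765d61d8327deb882cf99")],  # unsalted MD5 of 'password'
    )
    conn.execute("CREATE TABLE icons (id INTEGER PRIMARY KEY, name TEXT, tag TEXT)")
    conn.executemany(
        "INSERT INTO icons (name, tag) VALUES (?, ?)",
        [("arrow-left", "arrow"), ("arrow-right", "arrow"), ("heart", "love")],
    )
    conn.commit()
    return conn


def search_icons_vulnerable(conn, tag):
    """Builds the query by string formatting: user input becomes SQL."""
    sql = f"SELECT name, tag FROM icons WHERE tag = '{tag}'"
    return conn.execute(sql).fetchall()


def search_icons_safe(conn, tag):
    """Parameterised query: the driver passes the value separately from the
    SQL text, so a quote in the input can never close the string literal."""
    return conn.execute("SELECT name, tag FROM icons WHERE tag = ?", (tag,)).fetchall()


# Closes the string literal, appends a UNION whose two columns match the
# original SELECT, and comments out the trailing quote the template adds.
PAYLOAD = "' UNION SELECT email, password_hash FROM users --"


def run_demo():
    """Return the result of a legitimate search and of the payload against
    both versions of the query."""
    conn = make_db()
    return {
        "legit_vulnerable": search_icons_vulnerable(conn, "arrow"),
        "legit_safe": search_icons_safe(conn, "arrow"),
        "attack_vulnerable": sorted(search_icons_vulnerable(conn, PAYLOAD)),
        "attack_safe": search_icons_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(name, rows)
```

Against the vulnerable function the payload returns both users' email addresses and hashes; against the parameterised one it returns nothing, because the whole string is compared literally to the tag column. Note that the fix does not depend on blocking quotes or keywords: the SQL text never changes, only the bound value does. The MD5 row is there as a reminder that what the attacker gets after injection is only as strong as the hashing scheme, which is why a breach of hashes is still a breach.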
Conti ransomware has emerged as the successor to the infamous Ryuk. On top of the standard extortion we see from groups like this, Conti has launched a data leak site, which it uses to threaten its victims. The site, Conti.News, is a new tactic for the group, even though it has already been operating successfully since the summer. The threat is now part of their ransom notes, which warn that the victim's data will be published online if the ransom is not paid. Samples of confidential data from 26 victims are currently available on the site.
Vulnerabilities & Updates
A new memory leak vulnerability has been reported in the OpenSSL library that could allow an attacker to access confidential data such as private keys and account credentials. A proof of concept has already been released, and the flaw has reportedly been exploited in the wild. Despite receiving a CVSS v2 score of only 5.0, the nature of the vulnerability has led to it being marked as CRITICAL. As always, we urge you to apply the latest patch as soon as possible to ensure you are protected.
And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.
We hope this makes for light reading during these times of uncertainty.
Stay Safe, Secure and Healthy!
Edition #106 – 28th August 2020
Ironshare – Security Simplified