Cybersecurity Week in Review: 04/26/21
Posted by: GuidePoint Security
This week we take a look at continuing supply chain attacks, including a significant password manager hack and an attack on a cancer treatment software vendor. We also highlight continuing ransomware threats and several new malware strains.
Supply Chain Attacks Continue: Password Manager Service, Cancer Radiation Treatment Software Vendor, and More.
What You Need to Know
Organizations continue to deal with the effects of supply chain attacks. Several Fortune 500 companies appear to be among the organizations that may have downloaded malware via a compromised enterprise password manager service. Attacks on Elekta, a software vendor supplying oncology radiation systems, affected patient services at several cancer treatment facilities in the United States. Researchers have discovered a new bug in a PHP package manager that could allow attackers to backdoor every PHP package and engage in supply chain attacks. In addition, U.S. security and law enforcement agencies have issued another warning that the Russian foreign intelligence service (SVR) is planning additional attacks against U.S.-based and other organizations worldwide.
Summary
Last week, Click Studios, makers of Passwordstate, an enterprise password manager, alerted customers that threat actors had compromised their application’s update functionality, potentially enabling the download of a “malformed Password_upgrade.zip file”. Once deployed, the malware (called Moserpass) collects system info and Passwordstate data. The Passwordstate software is used by almost 30,000 companies worldwide, including several Fortune 500 companies, across verticals that include government, defense, banking, healthcare, education, and manufacturing. Click Studios has been working with customers over email to provide them with a hotfix. However, in an added complication, several victims posted copies of the Click Studios customer emails on social media. Threat actors then used this information to create phishing emails, replicating the legitimate Click Studios email communications to deliver updated Moserpass malware to those customers. Only those Passwordstate customers who updated the software between April 20, 2021 8:33 PM UTC and April 22, 2021 0:30 AM UTC appear to be affected.
An attack on the cancer care software company Elekta has impacted more than 40 U.S. health facilities’ ability to provide oncology treatment services. Affected health systems report that they are being required to take all radiation equipment offline—sometimes for as long as a week—and reschedule patient cancer treatment appointments. Representatives of Elekta have indicated that all affected customers have been notified and that they are working with cyber and law enforcement agencies, including the FBI, to conduct an investigation and mitigate damage.
The PHP tool Composer recently issued an update to address a critical vulnerability (CVE-2021-29472) that could potentially enable threat actors to backdoor PHP packages and engage in supply chain attacks. Researchers report that the bug relates to problems in package source download URLs and improper sanitization of URLs for repositories declared in root composer.json files.
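As an added illustration (this is not Composer’s own code, and it does not describe the exact flaw behind CVE-2021-29472), the Python script below shows the kind of pre-flight lint a build pipeline can run over a root composer.json before Composer is allowed to fetch from the repositories it declares: every repository URL is checked against an allowlist of schemes, must carry a host component, and is rejected if it looks like a command-line option or carries shell metacharacters rather than a location. The allowlist and the two sample manifests are assumptions constructed for the example.

```python
"""Lint repository URLs declared in a root composer.json (added example).

This is not Composer's code: it is a defensive pre-check that flags repository
URLs which are not plain https/ssh locations before a build pipeline lets
Composer fetch from them. The sample manifests below are constructed.
"""
import json
from urllib.parse import urlparse

# Schemes the pipeline is expected to fetch from. This is an assumption for
# the example; adjust it to your own policy.
ALLOWED_SCHEMES = {"https", "ssh", "git+ssh"}


def extract_repository_urls(manifest: dict) -> list:
    """Collect every URL-like value Composer may hand to a VCS or download
    client: the root `repositories` list plus inline package metadata."""
    urls = []
    for repo in manifest.get("repositories", []):
        if not isinstance(repo, dict):
            continue
        if "url" in repo:
            urls.append(repo["url"])
        # Repositories of type "package" embed source/dist metadata inline.
        pkg = repo.get("package", {})
        for key in ("source", "dist"):
            if isinstance(pkg.get(key), dict) and "url" in pkg[key]:
                urls.append(pkg[key]["url"])
    return urls


def check_url(url) -> list:
    """Return the reasons a URL is rejected; an empty list means it passes."""
    if not isinstance(url, str) or not url.strip():
        return ["empty or non-string URL"]
    stripped = url.strip()
    problems = []
    # A value beginning with '-' would be read as an option by a command-line
    # client (git, hg, svn) rather than as a location to fetch from.
    if stripped.startswith("-"):
        problems.append("starts with '-' (option-like value)")
    # Shell metacharacters have no place in a repository location.
    if any(ch in stripped for ch in ";|&`$\n"):
        problems.append("contains shell metacharacters")
    parsed = urlparse(stripped)
    if parsed.scheme not in ALLOWED_SCHEMES:
        problems.append(f"scheme {parsed.scheme!r} not in allowlist")
    if not parsed.netloc:
        problems.append("no host component")
    return problems


def lint_manifest(text: str) -> dict:
    """Parse composer.json text and map each offending URL to its problems."""
    manifest = json.loads(text)
    findings = {}
    for url in extract_repository_urls(manifest):
        problems = check_url(url)
        if problems:
            findings[url] = problems
    return findings


# Constructed sample: every repository points at an allowlisted location.
CLEAN_MANIFEST = json.dumps({
    "name": "example/app",
    "repositories": [
        {"type": "vcs", "url": "https://github.com/example/lib.git"},
        {"type": "vcs", "url": "ssh://git@git.example.internal/team/tool.git"},
    ],
})

# Constructed sample: an option-like value, a plain-http dist URL, and a
# value with a shell metacharacter.
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "example/app",
    "repositories": [
        {"type": "vcs", "url": "--option=not-a-location"},
        {"type": "package", "package": {
            "name": "example/vendored", "version": "1.0.0",
            "dist": {"type": "zip", "url": "http://mirror.example/x.zip"},
        }},
        {"type": "vcs", "url": "https://git.example.internal/a;id"},
    ],
})

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        for url, problems in lint_manifest(text).items():
            print(f"[{label}] {url}: {', '.join(problems)}")
```

Running the script prints nothing for the clean manifest and one line per rejected URL for the suspicious one; in a CI job the non-empty result from `lint_manifest` is what should fail the build before `composer install` runs.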
And, in a final note, the U.S. Federal Bureau of Investigation (FBI), the U.S. Department of Homeland Security (DHS), and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning last week of continued coordinated attacks by the Russian Foreign Intelligence Service (SVR) against U.S. and foreign organizations. The SVR (also known as Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium) is responsible for the recent SolarWinds/Orion supply chain attacks, which targeted government networks, think tanks, and information technology companies.
The tactics, techniques, and procedures (TTPs) of SVR cyberattacks include:
- Password spraying
- Leveraging zero-day vulnerabilities
- Use of the WELLMESS malware
- Tradecraft similar to that of the SolarWinds-enabled intrusions
This updated alert reminds organizations that the SVR continues to update its techniques to avoid detection.
Next Steps
In a continuing effort to help businesses defend against supply chain attacks, last week CISA and the National Institute of Standards and Technology (NIST) issued a joint document called Defending Against Software Supply Chain Attacks.
With regards to the specific attacks mentioned above:
- Affected Click Studios customers are being advised to reset all stored passwords, including credentials for Internet-exposed systems, internal infrastructure, and all remaining credentials. Click Studios is also strongly advising customers not to post any information regarding the breach on social media to avoid potential phishing and malware attacks by threat actors that are currently monitoring social media sources.
- Healthcare organizations continue to be particularly vulnerable to supply chain attacks, making vendor risk management services incredibly important.
- PHP Composer users are advised to update the software immediately.
This Week in Ransomware: Attacks on D.C. Police Department, QNAP and Office 365.
What You Need to Know
Ransomware threats continued unabated last week. The notorious Babuk gang targeted the Washington, D.C. police, multiple ransomware campaigns focused on QNAP devices, and attacks on unpatched SharePoint vulnerabilities ramped up.
Summary
The Babuk ransomware gang announced it had stolen more than 250 gigabytes of data from the Washington D.C. Metropolitan Police Department (MPDC). Based on screenshots issued by the Babuk gang, the stolen data includes disciplinary records, operations files, documents on gang activities, mug shots, and personnel details. The criminals also pointed out that one of the files they were able to steal contains information related to arrests made during the January 6, 2021 attack on the U.S. Capitol Building. The criminals have stated that the MPDC has three days to begin negotiations or they will begin to release data to the public and contact individuals associated with the stolen files. In a further strange twist last week, the Babuk gang announced that the attack on the MPDC was their last and they would cease operations, instead making their malware source code available for others to use.
QNAP network-attached storage (NAS) devices continue to be the target of two global ransomware attacks known as Qlocker and Agelocker. The attacks stem from a recently disclosed vulnerability (CVE-2021-28799) in the QNAP hardware, with threat actors scanning for Internet-connected QNAP devices to exploit. The bug enables criminals to remotely execute the 7zip utility to password protect files on the victims’ NAS devices. Researchers believe that the ransomware gang made $260,000 in just five days through this remote encryption exploit.
Unpatched SharePoint servers are also currently being targeted with a ransomware campaign. The campaign—known as either Hello or WickrMe—involves the high severity 2019 SharePoint vulnerability (CVE-2019-0604), which is used to gain access to the victim’s systems. Once inside the victim’s system, the threat actors then use Cobalt Strike to access the domain controller and launch a ransomware attack.
Next Steps
Unpatched vulnerabilities continue to be a primary source for ransomware and other malware threats. Businesses are urged to patch bugs the moment a fix is issued by the software or hardware vendor. Organizations should also consider vulnerability management as a service (VMaaS) to help quickly close vulnerability gaps. If a ransomware attack is successful, organizations should consider working with experts in ransomware investigation and response.
Users of QNAP devices are strongly encouraged to update QTS or QuTS hero and all installed applications to the latest version.
New Malware Threats: Banking Trojan “FluBot,” New Linux Malware and Cryptomining.
What You Need to Know
If ransomware and attacks by the Russian government weren’t already enough, organizations are also coping with several new strains of malware. Researchers are warning that “FluBot” may soon begin affecting Android devices in the United States. Researchers discovered a new Linux malware that had been backdooring systems for years. And several cryptomining campaigns are causing headaches for Exchange servers, as well as vulnerable Windows and Linux enterprise servers.
Summary
An Android banking malware known as FluBot may soon be making its way from Europe to the United States. The English-language campaign is currently targeting phones in the United Kingdom. However, researchers point out that malicious SMS messages are now being sent to U.S. Android users, likely via contact lists on infected devices. The FluBot infection starts with a fake SMS message and link from a delivery service. When the user clicks on the link, they’re prompted to download an app with the fake delivery service’s logo. The malware is encrypted within the mobile application. Once on the device, the banking trojan aims to hijack credentials and steal contact lists, calls, and notifications.
A new Linux malware that apparently had been undetected for three years is harvesting sensitive information from infected devices. The malware—called RotaJakiro—targets Linux x64 machines and encrypts its communications channels using ZLIB compression together with AES, XOR, and ROTATE encryption. The malware’s malicious functions include file and plugin management, exfiltrating data, and reporting device information. Researchers also believe that the malware has a relationship with the Torii botnet, since the two appear to reuse a number of the same commands.
A cybercriminal gang based in Russia referred to as “Prometei” is targeting unpatched Exchange servers in the U.S., U.K., Germany, France, Spain, Italy, and other countries with Monero cryptomining malware. While the current goal of the malicious campaign appears to be the installation of the cryptominers on corporate networks, researchers warn that the malware gives the threat actors control over infected machines. In addition to attacks by Prometei, researchers also spotted another Monero cryptomining malware last week attacking vulnerable Windows and Linux enterprise servers. The botnet—known as Sysrv-hello—has been recently upgraded to use a single binary for both mining and auto-spreading the malware to other devices.
Next Steps
In addition to regularly patching vulnerabilities, cybersecurity professionals advise businesses to protect against malware through vulnerability management, email security, and endpoint security technologies. Regarding the Linux RotaJakiro malware, researchers are requesting that the cybersecurity community share any information that is available on how RotaJakiro is spread, as well as its purpose and targets.
Final Words
These days, hardly an hour goes by without the announcement of some new threat, recently discovered vulnerabilities, or an attack on hospitals or schools. Let’s face it. This constant influx of bad news can get downright depressing.
Fortunately, last week businesses and cybersecurity professionals had the opportunity to express a brief collective sigh of relief with two major positive announcements.
First, law enforcement officials pushed an uninstall of the notorious botnet Emotet from machines worldwide. The ‘update’ file that was sent, called EmotetLoader.dll, removed the Emotet malware from infected devices, deleted the autorun registry key, and terminated the process. While cybersecurity professionals caution that Emotet may reappear in the future, experts are hopeful that the botnet has been rendered completely inoperable. And in related news, the FBI has shared four million email addresses used by Emotet with the website Have I Been Pwned, run by cybersecurity researcher Troy Hunt, to give victims the opportunity to check whether they were affected by the Emotet botnet.
And there was more good news with the release of an 81-page report by the Ransomware Task Force, a coalition of 60 security experts from the world’s top technology firms, including Amazon, FireEye, and Microsoft, as well as representatives of the Department of Justice and Europol. The report called upon government and industry leaders to disrupt the ransomware business model through 48 actions outlined in the document. With ransomware fast becoming one of the most frequent and dangerous types of cyberattacks, these recommendations were welcomed by members of the cybersecurity community.
While countless cybercrime and nation-state attack challenges remain, as these two pieces of good news demonstrate, technology experts are making headway and giving the hardworking security folks operating on the ground something to cheer about for a change.