Cybersecurity Week in Review: 05/03/21
Posted by: GuidePoint Security
Bugs and vulnerabilities continue to dominate the news, with fresh reports last week of zero days and critical security issues on Apple devices, Dell computers and Exim email servers. On the malware front, we highlight the discovery of several new malware strains and updates to the Buer dropper malware. We also review how cybercriminals continue to threaten lives and infrastructure through attacks on a hospital system and U.S. infrastructure.
- Call the Exterminator—Bugs, Vulnerabilities and Flaws
- This Week in Malware
- Ransomware: U.S. Lives & Infrastructure Under Attack
- Final Words
Call the Exterminator: Bugs, vulnerabilities and flaws on Apple devices, Dell computers and Exim email servers.
What You Need to Know
Last week Apple released patches for several critical and actively exploited zero-days located in their iOS Webkit engine, which were being used to attack iPhones, iPads, iPods, macOS and Apple Watch devices. In addition, Dell Computers released fixes for multiple critical privilege escalation vulnerabilities that had been undetected since 2009. And a series of critical vulnerabilities were discovered in Exim email servers which could potentially lead to arbitrary code execution and root privilege access.
Summary
Apple unexpectedly issued patches last week for several critical bugs in the iOS Webkit engine, a browser rendering engine required for use by Safari and other third-party iOS web browsers. The vulnerabilities are considered particularly dangerous since they allow remote code execution (RCE) which could enable threat actors to control devices remotely. It appears that threat actors were already actively exploiting these vulnerabilities, which affected macOS Big Sur prior to version 11.3.1, iOS prior to version 14.5.1, iOS prior to version 12.5.3, iPadOS prior to version 14.5.1 and watchOS prior to version 7.4.1. The bugs are tracked as CVE-2021-30661, CVE-2021-30663, CVE-2021-30666 and CVE-2021-30665.
Hundreds of millions of Dell computing devices are at risk from threat actors. Last week Dell Computers issued patches for five critical security issues present in its systems since 2009 but only recently discovered. Tracked collectively as CVE-2021-21551, the bugs are found in Dell’s DBUtil BIOS driver, which ships on Dell desktops, laptops, notebooks and tablets, and could give threat actors the ability to access driver functions and execute malicious code. Despite the age of the bugs, researchers do not believe that they have yet been leveraged by cybercriminals.
Vulnerabilities discovered in the Exim Mail Transfer Agent (MTA) can give threat actors the ability to carry out remote attacks and gain root privileges. Almost 60% of all MTAs worldwide run Exim, with the majority in the United States. Of the twenty-one vulnerabilities discovered, eleven are local vulnerabilities and ten could be remotely exploited. At the time of this writing, researchers were not aware of any exploitation of the Exim vulnerabilities in the wild.
Next Steps
- Apple—Apple device users are being advised to update operating software on affected systems and devices immediately. The Cybersecurity & Infrastructure Security Agency (CISA) is also advising users to review the recent Apple security updates.
- Dell—Updates have been released to mitigate the security issues related to the Dell dbutil_2_3.sys driver. Dell has provided remediation details on their website.
- Exim—Exim has released a security update for the recently discovered vulnerabilities. CISA is advising Exim users to apply any required updates, details of which are available on the Exim 4.94.2 update page.
This Week in Malware: Buer gets “Rust” update, Pingback malware uses ICMP, and a malware gang is targeting US businesses with three new malware strains.
What You Need to Know
Researchers announced the discovery of a new Buer variant last week written in the Rust programming language. A new malware dubbed Pingback is using Internet Control Message Protocol (ICMP) to communicate. And researchers announced the discovery of three never-before-seen malware strains used in a campaign earlier in the year.
Summary
A new variant of the malware dubbed ‘Buer’, written in the Rust programming language, has been discovered. Called ‘RustyBuer’, the malware is distributed via fake emails that appear to originate from a major shipping company. While emails carrying the original Buer malware written in the C programming language are still arriving, researchers find the use of Rust particularly interesting because it is both easy to use and appears to enable the malware to better evade detection. As a first-stage downloader, RustyBuer is used to gain access to the system and then facilitate a second-stage drop of a Cobalt Strike beacon for further infiltration. Researchers estimate that approximately 200 organizations have been affected by the malware.
Last week security researchers detected another new malware strain that uses the Internet Control Message Protocol (ICMP) to communicate with its bots. Dubbed ‘Pingback’ because of its use of ICMP (the protocol behind the well-known ‘ping’ command), the malware can evade detection and, once installed, allow a remote attacker to execute arbitrary commands. While ICMP itself is important for IP diagnostics and performance monitoring, security researchers point out that tunneling traffic over it can also be used to scan and map an infiltrated network environment.
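A defender-side illustration of the point above, added here and not taken from the original post or from any published Pingback analysis: a small checker that flags ICMP echo messages whose payload does not look like a stock ping. It assumes the fill patterns of Linux iputils ping on a 64-bit host and of Windows ping; the sample packets and addresses are constructed.

```python
import struct
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
# Fill patterns of stock ping clients (assumption: Linux iputils on a 64-bit
# host, where a 16-byte timestamp precedes bytes 0x10..0x37, and Windows ping).
LINUX_TAIL = bytes(range(0x10, 0x38))
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"
def parse_icmp(pkt):
    """Split a raw ICMP message (no IP header) into header fields and payload."""
    if len(pkt) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _cksum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return icmp_type, code, ident, seq, pkt[8:]

def looks_like_stock_ping(payload):
    """True when the echo payload matches a stock ping client's fill pattern."""
    if payload == WINDOWS_PATTERN:
        return True
    return len(payload) == 56 and payload[16:] == LINUX_TAIL

def echo_anomalies(pkt):
    """Reasons an ICMP echo deviates from ordinary ping (empty list if none)."""
    icmp_type, _code, _ident, _seq, payload = parse_icmp(pkt)
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return []  # only echo request/reply traffic is assessed here
    reasons = []
    if len(payload) not in (32, 56):
        reasons.append(f"unusual payload size {len(payload)}")
    if not looks_like_stock_ping(payload):
        reasons.append("payload does not match a stock ping fill pattern")
    return reasons

def scan(packets):
    """Map each source address to the anomalies seen in its echo packets."""
    findings = {}
    for src, pkt in packets:
        for reason in echo_anomalies(pkt):
            findings.setdefault(src, []).append(reason)
    return findings

def build_echo(payload, icmp_type=ICMP_ECHO_REQUEST, ident=0x1234, seq=1):
    """Construct an ICMP echo for testing (checksum left zero; not validated)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
# Constructed sample traffic: two stock pings and two covert-channel lookalikes.
SAMPLE_PACKETS = [
    ("10.0.0.5", build_echo(b"\x00" * 16 + LINUX_TAIL)),
    ("10.0.0.6", build_echo(WINDOWS_PATTERN)),
    ("10.0.0.7", build_echo(b"\x9f\x1b" * 32)),            # 64-byte opaque blob
    ("10.0.0.8", build_echo(b"A" * 56, ICMP_ECHO_REPLY)),  # right size, wrong fill
]
```

Running scan(SAMPLE_PACKETS) reports only 10.0.0.7 and 10.0.0.8; a real deployment would feed it ICMP payloads from a packet capture and add per-host rate and timing checks, since a covert channel can also mimic a stock payload.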
Researchers announced the discovery of three new malware strains last week, purportedly actively targeting organizations in December 2020. The malware—called Doubledrag, Doubledrop and Doubleback—was delivered via a highly targeted spear-phishing campaign, with customized email subject lines. The threat actors behind the campaign—called UNC2529—used extensive obfuscation and fileless malware to avoid detection and deliver a backdoor on targeted systems. The emails also went to great lengths to seem legitimate, often appearing to come from customers and clients familiar to the targets. While researchers do not know the full purpose of the malware, they advise that the techniques are consistent with financially motivated goals.
Next Steps
As always, organizations are advised to remind employees not to click links in unsolicited emails. The reasons behind phishing attacks can vary, and businesses are urged to educate employees on phishing and how to detect it. To protect from phishing attacks, businesses should use some form of email security, as well as other security technologies.
Ransomware: Lives & Infrastructure Under Attack: Cybercriminals attack major health system and largest US fuel pipeline.
What You Need to Know
In major news last week, threat actors used ransomware to shut down activities at a major healthcare system forcing four regional hospitals to stop delivering critical health services. And another ransomware attack on the largest U.S. fuel pipeline halted the delivery of 45% of the east coast’s fuel supply.
Summary
Critically ill stroke and heart attack patients arriving in emergency rooms at four hospitals belonging to a major San Diego-based healthcare system were reportedly diverted to other hospitals due to a ransomware attack that shut down operations. Patient appointments and care at the hospital facilities were also delayed, and access to the online public portal was temporarily suspended. Media reports suggest that medical personnel were forced to rely on what limited paper records were available to provide treatment. While details on the ransomware attack are limited, reports suggest that email servers were primarily affected.
And in other major news, a ransomware attack on the 5,500-mile, Alabama-based Colonial pipeline caused the company to temporarily halt all pipeline operations. The pipeline reportedly delivers 100 million gallons of fuel to customers along the east coast, from Texas to New York. The criminals behind the attack are believed to be the DarkSide ransomware gang. Researchers have noted that the DarkSide gang has a history of avoiding attacks on individuals and businesses located in countries that speak Russian, Kazakh and Ukrainian, while heavily targeting English-speaking countries. As a result of the attack, on Sunday, May 9, the Federal Motor Carrier Safety Administration issued an emergency declaration allowing transport drivers to work more hours. As of Monday, May 10, four main fuel lines were still non-functioning.
Next Steps
Ransomware attacks continue to rise. Businesses are urged to patch bugs and vulnerabilities immediately and to engage a vulnerability management service. Organizations that believe they have been the victim of a ransomware attack are urged to work with a professional ransomware investigation and response team.
Final Words
For months now, experts have been alarmed at the growing rate of ransomware attacks against U.S. corporations, public service entities such as schools and local governments, health care systems and critical infrastructure. Sadly, the combination of necessary and sometimes life-saving services and large operating budgets are too much of an enticement for criminals, making it doubtful that there will be a shift in targets anytime soon.
As ransomware tactics, techniques and procedures (TTPs) continue to evolve, practicing good security hygiene and ensuring an organization has the most up-to-date cybersecurity technology can help. But ultimately, stopping ransomware criminals will take much more of a concerted effort. The new Ransomware Task Force—a coalition of international experts in industry, government, law enforcement and civil society—has developed a framework for combatting the ransomware threat. And the Cybersecurity & Infrastructure Security Agency (CISA) has developed a one-stop Ransomware Guidance and Resources website for news and updates, including alerts and training.
But clearly, there needs to be more and it needs to happen fast. The SolarWinds attack, as well as continued attacks on hospitals and last week’s significant attack on the largest U.S. pipeline, suggest that the U.S. is already behind the curve when it comes to meaningful investment in cyber and digital infrastructure. Last week, the U.S. Congressional Committee on Homeland Security convened hearings on Responding to Ransomware: Exploring Solutions to a Cybersecurity Crisis to explore the financial issues facing smaller government entities when it comes to security and protection. Witnesses to the hearings included industry experts, state government officials and former CISA director Chris Krebs. Consistent messages included improved policy and enhanced funding to support state and local government improvement in digital infrastructure.
Ransomware attacks aren’t just a business threat. They’re a national security threat and a threat to human life. And the consequences of doing nothing or too little could be devastating to the United States.