Cybersecurity Week in Review: 05/24/21
Posted by: GuidePoint Security
Challenges with vulnerabilities and zero-days continued last week with updates and patches related to Apple and Pulse Secure VPN products. Researchers also announced the discovery of vulnerabilities in PDF documents. Ransomware continued to affect businesses, with Zeppelin ransomware and BazaLoader (a loader that facilitates ransomware) making an appearance. A well-known US-based audio company also announced that it had become the latest ransomware victim with the disclosure of a breach. In addition, cybersecurity researchers announced the disruption of a malvertising network and that the Russian-government-backed hackers responsible for the SolarWinds attack were hard at work with another malicious campaign.
- Patch Management: Apple, Pulse and PDF Vulnerabilities
- This Week in Ransomware: Zeppelin, BazaLoader and Bose
- In Other News: Creative Malvertising and Russian Bears Getting Cozy Again
- Final Words
Patch Management: Apple, Pulse and PDF Vulnerabilities
What You Need to Know
Apple and Ivanti (the company behind Pulse Secure VPN products) published updates and security advisories last week related to severe vulnerabilities. Researchers also announced the discovery of vulnerabilities in PDF documents that make certified documents vulnerable to manipulation.
Summary
Apple issued a security update last week for multiple vulnerabilities discovered in iOS, macOS, tvOS, and watchOS, as well as for the Safari browser. The company indicated that all bugs may have been actively exploited. One bug in particular (CVE-2021-30713) was confirmed to be actively exploited in macOS Big Sur by the XCSSET spyware, which evades macOS privacy protections by leveraging the screen capture permissions already granted to legitimate installed applications, such as Zoom, Discord, Slack and others.
Ivanti, maker of Pulse Secure VPN, published an advisory for a ‘high severity’ vulnerability that could enable remote code execution. The bug (CVE-2021-22908) could enable a threat actor to execute code as a user with root privileges. In added Pulse Secure VPN complications, security researchers also announced last week that China-based cybercriminals were heavily targeting other unpatched flaws in Pulse Connect Secure VPN products. In particular, four new malware tools have been discovered targeting a known major vulnerability, CVE-2021-22893, as well as the other known flaws CVE-2019-11510, CVE-2020-8260, and CVE-2020-8243.
Last week, researchers in Germany announced the discovery of two security flaws that affect the certified signature component of PDF documents. The attack scenario—which is hypothetical—involves manipulating the PDF certification process to enable additional document alteration.
Next Steps
Both the Apple and Pulse Connect Secure VPN security flaws are considered to be severe and should be patched immediately. More information can be found via the alerts issued by the Cybersecurity & Infrastructure Security Agency (CISA) for Apple and for Pulse.
This Week in Ransomware: Zeppelin, BazaLoader and Bose
What You Need to Know
The Zeppelin ransomware operators appear to have become active again after a period of inactivity. The ransomware loader known as BazaLoader has been discovered posing as a movie streaming service. And the audio company Bose announced last week that ransomware had breached their systems, but the company had successfully recovered systems without paying the ransom.
Summary
According to security researchers, the gang behind the Zeppelin (also known as Buran) ransomware as a service (RaaS) resumed operations last week. The RaaS group appears to be active on Russian-speaking hacker forums, recently promoting an update that advises that the criminals offer a “loyal approach for each subscriber, the conditions are negotiable…” Unlike other RaaS services, Zeppelin operators work closely with each individual customer (instead of simply selling access to the malware). The Zeppelin gang also appears to only encrypt data and not leak it.
In a rather unusual case of cybercriminals going to great lengths to get you to download malware, cybercriminals are taking advantage of the increase in the number of individuals streaming movies by creating a fake movie streaming service they call BravoMovies, which actually installs the BazaLoader trojan onto systems. BazaLoader has been used to distribute ransomware attacks, including Ryuk and Conti. Researchers note that the threat actors built a rather elaborate website to make it appear legitimate, complete with fake movie advertisements and multiple information pages. (Although once again, English grammar is not a strong area for cybercriminals, with mistakes like “Subscribtion” found in large text on the website’s supposed Subscription page.)
In other ransomware news, a well-known US-based audio company disclosed a data breach last week as a result of a ransomware attack. External security experts working with Bose were able to restore systems without the necessity of a ransom payment. The company says that the breach impacted only a very small number of employees and that there was no disruption to business. Researchers have also confirmed that there is no indication of leaked data on the dark web. Bose has stated that they continue to monitor the situation.
Next Steps
Ransomware continues to be a pervasive threat to organizations. Many companies falsely assume that the only solution is to pay the ransom. Organizations that believe they may be victims of ransomware are urged to work with a professional ransomware investigation and response team to perform a thorough examination and analysis and determine the best course of action to restore files and systems.
In Other News: Creative Malvertising and Russian Bears Getting Cozy Again
What You Need to Know
The remote desktop application AnyDesk is being targeted with a malicious ad campaign that appears during Google searches, and the Russian-state-sponsored threat actors behind the SolarWinds attack are hard at work once again, targeting research institutions, non-governmental organizations (NGOs), think tanks, consultants, and government agencies.
Summary
Cybercriminals are leveraging Google search results to deliver higher-ranked malicious advertisements for the remote desktop application AnyDesk, which is used by more than 300 million users worldwide. According to researchers, at least 40% of the victims who clicked the link began installation of the malware, a PowerShell script designed to collect and exfiltrate system data. Security researchers indicate that they have alerted Google to the campaign, and Google is said to have immediately pulled the malicious advertisement.
Russian-government-backed cybercriminals are once again targeting at least 150 government entities and other institutions. Last week, researchers at Microsoft announced the discovery of a spear-phishing campaign by the group Cozy Bear (also known as APT29, The Dukes, and Nobelium), which has ties to the Russian Foreign Intelligence Service (SVR). The group is best known for a series of attacks over the last few years, including a 2015 spear-phishing attack against the Pentagon email system, a 2016 attack on the Democratic National Committee, and the notorious and highly damaging SUNBURST/SolarWinds supply chain attack in 2020. The current attack leverages Constant Contact, a legitimate mass-emailing service, and involves malicious emails that appear to originate from the United States Agency for International Development (USAID). The campaign is believed to use four new types of malware: an HTML attachment called EnvyScout, a downloader called BoomBox, another loader known as NativeZone, and a shellcode downloader and launcher called VaporRage. Once the malicious attachment is opened, an infection chain is triggered that enables remote access to the victim’s device. As of the end of last week, Microsoft indicated that it was not seeing a large number of compromised systems or organizations and that it intends to notify targeted organizations.
Next Steps
Security professionals encourage businesses to continually remind employees to not click links or attachments in unsolicited emails. To protect from email attacks, businesses should use some form of email security, as well as other security technologies.
Final Words
As ransomware continues to devastate US businesses, many cybersecurity professionals are hailing the previously mentioned audio company for doing exactly what a business should do in the event of a cyberattack. Not only did the company openly disclose the breach to the New Hampshire Attorney General, they immediately engaged external security experts to help restore systems and conduct a forensic analysis. The company also publicly described the measures they took following the attack, which included:
- Enhancing endpoint protection.
- Enhancing system and network monitoring and logging to identify further actions taken by the ransomware threat actor as well as future attacks.
- Requiring new passwords for all end users and privileged users.
- Generating new access keys for all service accounts.
Unlike other recently devastating ransomware attacks–such as Colonial Pipeline, which involved a ransom payment in excess of $4 million–the company has stated that they were able to recover their systems without having to pay a ransom. They also stated that only six employees’ data was stolen, and they could find no evidence that any stolen data had been leaked, although they continue to monitor the situation.
When a ransomware attack happens, it is easy to panic and assume that the only way to prevent leaks and recover system access and files is to pay the ransom. This is not only an incorrect but also dangerous misconception. Research suggests that less than 10% of the organizations that pay the ransom end up retrieving all of their stolen data. Less than 30% of the victims get half of their data back. If cybercriminals do provide a decryption key after the ransom is paid, many companies find that the keys don’t work or work extremely slowly. And even after the attack is over, businesses may still suffer, since it is entirely possible that systems have been infected with other backdoors to enable future attacks.
While there is no silver bullet to prevent ransomware attacks, businesses can take steps to protect themselves, such as endpoint security, data protection services, security operations and incident response and email security.
As cliché as it sounds, the old chestnut “an ounce of prevention is worth a pound of cure” really does apply when it comes to cyberattacks.