Cybersecurity Week in Review: 3/22/21
Posted by: GuidePoint Security
In this week’s articles, we feature a ransomware roundup, as several organizations throughout the United States were hit with significant ransomware attacks, including some believed to be the result of vulnerabilities on Microsoft Exchange servers. We also highlight an updated threat, known as “Purple Fox”, which targets previously infected Windows systems with enhanced worm capabilities.
Ransomware Roundup: REvil, Phoenix, Clop, Hades and Black Kingdom Wreaking Havoc
Last week was busy for criminal ransomware operators, with ransoms hitting record highs. At least five different ransomware types impacted businesses worldwide, including several targeted attacks on US banks, insurance companies, and universities.
Laptop Manufacturer Ransom Doubling from $50 million to $100 million
A major computer laptop manufacturer was hit with a $50 million, double-extortion REvil attack last week—the highest recorded ransom demand to date. According to reports, the company was initially offered a 20% discount on the ransom if the funds were transferred in the form of Monero cryptocurrency by March 17. When the company apparently refused to accede to criminal demands, the ransom purportedly doubled to $100 million. In addition to decrypting the files and deleting the exfiltrated documents from criminal systems, the REvil group has also offered to provide the computer manufacturer with a vulnerability report if they pay the $100 million. Security experts believe the attack may have occurred due to Microsoft Exchange server vulnerabilities; however, this has not been verified directly by the organization.
Russian-based “Evil Corp.” Criminals Behind Attack on US Insurance Company
The systems of a US-based insurance company were significantly impacted in an attack last week by a new ransomware known as Phoenix CryptoLocker, linked to the Russian-based Evil Corp hacking group. The attack (which has been confirmed by the victim) began on March 21 and has been described as “sophisticated.” Over 15,000 devices have been encrypted, including computers of employees working remotely while logged into the company’s VPN during the attack. The company has stated that it has disconnected systems from its network and is engaging with employees to find workarounds. The company has also alerted law enforcement and is working with a forensics investigator to determine the incident’s scope and impact.
Clop Ransomware Gang Targeting Banks and Universities
A regional bank based in Michigan reported that customer Social Security numbers, names, and home addresses were stolen in an attack attributed to the Clop ransomware gang, most likely through the recently exploited vulnerabilities in the Accellion FTA file-sharing appliance. The criminals appear to have tried to increase the pressure on the bank to pay their $10 million bitcoin demand by directly contacting affected customers and journalists, and then posting breach details on their leak site. While the intrusion appears to have happened in late January, the bank only released details of the breach to the public in mid-March.
The Clop gang is also believed to be responsible for the loss of student data and grades in another ransomware attack on two large US universities. In this attack (also believed to be related to Accellion vulnerabilities), stolen data includes current and prospective student PII, student financial documents, student health and clinical data, and research data. The Clop gang began publishing screenshots of sensitive student data last week.
Hades Ransomware Targeting US Businesses
Security intelligence groups are reporting that an as-yet-unidentified cybercriminal gang is distributing “Hades” ransomware in a campaign targeting three US companies in the transportation, consumer products, and manufacturing sectors. The operators appear to gain initial access through exposed Remote Desktop Protocol (RDP) services or VPN accounts, then use tools such as Cobalt Strike to establish persistence and move through the network. Like other current ransomware, Hades uses the double-extortion method: it encrypts files and also threatens to release stolen information unless payment is made. Hades has been linked by different researchers to both the Russian-based Evil Corp criminals and the REvil ransomware gang; however, at the moment, security professionals are unable to confirm that either group is behind this campaign.
Black Kingdom Attempting Rudimentary Reign Over Microsoft Exchange Servers
Not to be outdone by its criminal rivals, another ransomware operation called Black Kingdom is targeting vulnerable Microsoft Exchange servers. Operating from the Tor network, the attackers exploit the recently disclosed Exchange remote code execution (RCE) vulnerabilities to plant a web shell on the server and use it to deliver the ransomware. Security professionals describe the ransomware itself as rudimentary and unsophisticated. Victims are located in the United States and Canada, as well as Europe, Israel and Australia. The criminals are demanding $10,000 in bitcoin; however, it appears that few companies have made payments to the bitcoin address provided.
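After reading that the ransomware is delivered through a web shell, the first thing a defender wants is a way to hunt for such shells on an Exchange front end. The script below is an added example, not code from the original post or from any vendor it cites. It walks a web root, flags ASP.NET script files that were modified after a cut-off date or that contain constructs typical of web shells (request-supplied input handed to an evaluator or a process launcher), and builds its own throwaway web root with tempfile so it runs offline. The directory names, the marker patterns, the cut-off date and the sample file contents are all assumptions made for the demo; the aspnet_client and owa/auth paths are used because public write-ups on the Exchange attacks named them as drop locations, but a real hunt should be driven by the current indicator lists rather than by this script's guesses.

```python
"""Hunt for web shells under an Exchange (IIS) web root.

Added example: walks a directory tree, flags ASP.NET script files that were
modified after a cut-off or that contain typical web-shell constructs, and
demonstrates the logic on a throwaway tree it builds itself. Paths, marker
patterns and sample contents are assumptions, not from the original post.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

# Constructs typical of ASP.NET / JScript web shells: request-supplied data
# handed to an evaluator or a process launcher. Assumed, non-exhaustive list.
SHELL_MARKERS = {
    "eval(": re.compile(rb"\beval\s*\("),
    "Process.Start": re.compile(rb"Process\.Start\s*\("),
    "RunspaceFactory": re.compile(rb"RunspaceFactory"),
    "cmd.exe": re.compile(rb"cmd\.exe", re.IGNORECASE),
    "Request[...]": re.compile(rb"Request\s*(\.\w+)?\s*\["),
}

SCRIPT_EXTS = (".aspx", ".ashx", ".asmx")


def scan_file(path, cutoff):
    """Return the list of reasons a file looks suspicious (empty if clean)."""
    reasons = []
    mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    if mtime > cutoff:
        reasons.append("modified after cutoff")
    with open(path, "rb") as fh:
        data = fh.read()
    for name, pattern in SHELL_MARKERS.items():
        if pattern.search(data):
            reasons.append("marker:" + name)
    return reasons


def hunt_webshells(webroot, cutoff):
    """Map each suspicious script file (path relative to webroot) to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(SCRIPT_EXTS):
                continue
            path = os.path.join(dirpath, name)
            reasons = scan_file(path, cutoff)
            if reasons:
                findings[os.path.relpath(path, webroot)] = reasons
    return findings


def build_demo_webroot():
    """Create a constructed web root: one legitimate-looking page with an old
    modification time and one planted shell with a recent one."""
    root = tempfile.mkdtemp(prefix="exch-demo-")
    old = datetime(2021, 1, 15, tzinfo=timezone.utc).timestamp()
    new = datetime(2021, 3, 10, tzinfo=timezone.utc).timestamp()

    # Constructed stand-in for a legitimate OWA page (not the real file).
    legit = os.path.join(root, "owa", "auth", "logon.aspx")
    os.makedirs(os.path.dirname(legit))
    with open(legit, "wb") as fh:
        fh.write(b'<%@ Page Language="C#" %>\n'
                 b'<html><body><form runat="server"></form></body></html>\n')
    os.utime(legit, (old, old))

    # Constructed planted shell: evaluates a request parameter server-side.
    shell = os.path.join(root, "aspnet_client", "system_web", "help.aspx")
    os.makedirs(os.path.dirname(shell))
    with open(shell, "wb") as fh:
        fh.write(b'<script language="JScript" runat="server">\n'
                 b'function Page_Load(){eval(Request["cmd"],"unsafe");}\n'
                 b'</script>\n')
    os.utime(shell, (new, new))
    return root


def run_demo(cutoff=datetime(2021, 2, 28, tzinfo=timezone.utc)):
    """Build the demo tree and hunt it. The cut-off is an assumed date chosen
    for the demo; in practice use the last known-good deployment time."""
    return hunt_webshells(build_demo_webroot(), cutoff)


if __name__ == "__main__":
    for path, reasons in run_demo().items():
        print(f"{path}: {', '.join(reasons)}")
```

Two of the three reasons reported for the planted file come from content, one from the modification time; on a real server the time-based reason alone will also catch files that a legitimate update touched, so treat it as a triage signal rather than a verdict, and compare any flagged file against a clean install of the same Exchange build.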
Purple Fox Malware Targeting Windows with Enhanced Capabilities
A variant of the Purple Fox malware is making the rounds, leveraging its enhanced worm capabilities to target Windows machines.
Older versions of Purple Fox relied on exploit kits and phishing emails to propagate. Security researchers now believe the current variant also spreads on its own: it scans for hosts with exposed SMB ports and brute-forces their SMB passwords, alongside the older phishing route.
Purple Fox also includes a rootkit that lets the threat actors hide the malware’s components on the target machine. Once the rootkit has been deployed and the device rebooted, the malware renames its DLL payload to match the name of a Windows system DLL and configures itself to launch at system start. Each newly infected system then propagates using the same worm-like behavior.
Over the last ten months, researchers have observed Purple Fox attacks intensifying, with almost 100,000 attacks recorded and a 600% increase in infections. It is believed that approximately 2,000 servers have been compromised by the Purple Fox botnet operators.
Indicators of compromise (IoCs) and other information on the Purple Fox malware are available in this GitHub repository.
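The SMB brute-forcing described above leaves a recognisable trace on the Windows host being attacked: a burst of failed network logons (Event ID 4625, LogonType 3) from one source address, sometimes followed by a successful logon (Event ID 4624) once a password works. The detector below is an added example, not code from the original post or from the researchers it summarises. It parses a handful of constructed Security-log records written in a simplified key=value form, keeps a sliding window of failures per source, and reports sources that cross a threshold together with the accounts tried and any subsequent success. The record format, the threshold and the window are assumptions for the demo.

```python
"""Spot SMB password brute-force bursts in Windows failed-logon events.

Added example, not from the original post. The records below are constructed
for the demo (not real telemetry), in a simplified 'timestamp key=value ...'
rendering of the fields a detection would use from Event IDs 4625 and 4624.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records. 10.0.5.23 sprays six accounts in eight seconds
# and then logs on; 10.0.7.8 is a user mistyping a password; 10.0.9.1 fails
# once every five minutes and should not trip a two-minute window.
SAMPLE_EVENTS = """\
2021-03-18T02:14:01 host=FILESRV01 EventID=4625 LogonType=3 IpAddress=10.0.5.23 TargetUserName=administrator
2021-03-18T02:14:03 host=FILESRV01 EventID=4625 LogonType=3 IpAddress=10.0.5.23 TargetUserName=admin
2021-03-18T02:14:04 host=FILESRV01 EventID=4625 LogonType=3 IpAddress=10.0.5.23 TargetUserName=guest
2021-03-18T02:14:06 host=FILESRV01 EventID=4625 LogonType=3 IpAddress=10.0.5.23 TargetUserName=backup
2021-03-18T02:14:07 host=FILESRV01 EventID=4625 LogonType=3 IpAddress=10.0.5.23 TargetUserName=administrator
2021-03-18T02:14:09 host=FILESRV01 EventID=4625 LogonType=3 IpAddress=10.0.5.23 TargetUserName=sqlsvc
2021-03-18T02:14:10 host=FILESRV01 EventID=4624 LogonType=3 IpAddress=10.0.5.23 TargetUserName=sqlsvc
2021-03-18T02:20:15 host=FILESRV01 EventID=4625 LogonType=3 IpAddress=10.0.7.8 TargetUserName=jsmith
2021-03-18T02:20:40 host=FILESRV01 EventID=4625 LogonType=3 IpAddress=10.0.7.8 TargetUserName=jsmith
2021-03-18T02:20:55 host=FILESRV01 EventID=4624 LogonType=3 IpAddress=10.0.7.8 TargetUserName=jsmith
2021-03-18T03:00:00 host=FILESRV01 EventID=4625 LogonType=3 IpAddress=10.0.9.1 TargetUserName=svc
2021-03-18T03:05:00 host=FILESRV01 EventID=4625 LogonType=3 IpAddress=10.0.9.1 TargetUserName=svc
2021-03-18T03:10:00 host=FILESRV01 EventID=4625 LogonType=3 IpAddress=10.0.9.1 TargetUserName=svc
2021-03-18T03:15:00 host=FILESRV01 EventID=4625 LogonType=3 IpAddress=10.0.9.1 TargetUserName=svc
2021-03-18T03:20:00 host=FILESRV01 EventID=4625 LogonType=3 IpAddress=10.0.9.1 TargetUserName=svc
2021-03-18T03:25:00 host=FILESRV01 EventID=4625 LogonType=3 IpAddress=10.0.9.1 TargetUserName=svc
"""


def parse_event(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts_text, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts_text)
    event["EventID"] = int(event["EventID"])
    event["LogonType"] = int(event["LogonType"])
    return event


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: info} for sources with at least `threshold` failed
    network logons inside a sliding `window`. info holds the peak failure
    count seen in one window, the distinct accounts tried, and the account
    that later logged on successfully from that source, if any."""
    recent = defaultdict(deque)  # source ip -> (timestamp, account) in window
    alerts = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ev = parse_event(line)
        if ev["LogonType"] != 3:  # only network logons (SMB, RPC, ...)
            continue
        ip = ev["IpAddress"]
        if ev["EventID"] == 4625:
            q = recent[ip]
            q.append((ev["ts"], ev["TargetUserName"]))
            while ev["ts"] - q[0][0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                info = alerts.setdefault(
                    ip, {"failures": 0, "accounts": set(), "succeeded_as": None})
                info["failures"] = max(info["failures"], len(q))
                info["accounts"].update(acct for _, acct in q)
        elif ev["EventID"] == 4624 and ip in alerts:
            # A success after a flagged burst: the brute force may have worked.
            alerts[ip]["succeeded_as"] = ev["TargetUserName"]
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_EVENTS.splitlines()).items():
        print(ip, info)
```

In production the records would come from the Security channel (for example via Get-WinEvent) or a SIEM rather than a string, and the threshold needs tuning per environment: LogonType 3 also covers ordinary file-share traffic, so the distinct-account count is the stronger signal, and a flagged source that then succeeds should be treated as a compromised account until proven otherwise. Because an infected Purple Fox host also port-scans before it brute-forces, a NetFlow view of TCP/445 sweeps from internal addresses is a useful companion to this host-side rule.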
Final Words
Attacks targeting vulnerabilities in Accellion FTA appliances and Microsoft Exchange servers continue to make news headlines. And it appears that some of the attacks are due to the victim’s failure to mitigate known vulnerabilities quickly.
In the case of the recently announced Microsoft Exchange flaws, a Cybernews.com report found that as of March 23, more than 62,000 MS Exchange servers worldwide remained unpatched and potentially vulnerable—with the greatest number of vulnerable systems located in the United States.
The importance of patching can’t be emphasized strongly enough. Recognizing the severity of the problem and the security challenges faced by many small businesses, Microsoft has gone so far as to issue a one-click Exchange On-premises Mitigation Tool (EOMT) to help customers without dedicated security resources apply interim mitigations for the Exchange vulnerabilities and scan their servers for signs of compromise. The tool is a stopgap until the security update is installed, not a substitute for it.
Keeping your business, employees, and customers safe in a digital environment isn’t just about cybersecurity. It’s also about cyber-resilience. Cyber-resilience means recognizing the critical nature of both the recovery and response efforts when vulnerabilities are discovered and after attacks happen. It includes threat protection, adaptability, durability and recoverability.
In an evolving threat landscape, with a daily barrage of advanced persistent threats and newly discovered system and appliance flaws and vulnerabilities, a cyber-resilience strategy can help organizations withstand the impact of cybercrime.
GuidePoint Security