Cybersecurity Week in Review: 4/05/21
Posted by: GuidePoint Security
This week we highlight a variety of ongoing and large-scale threats, including massive data leaks related to Facebook and LinkedIn and ongoing attacks targeting vulnerabilities in SAP applications. We also discuss a malware threat focused on the frequently used communication platforms Slack and Discord, and we once again wrap up a busy week in ransomware with almost a dozen new high-profile ransomware attacks and news stories.
Facebook and LinkedIn Members Victimized by Cybercriminals
One of the big stories last week involved the announcement that data from 553 million Facebook accounts was discovered on a cybercrime forum for free. While the information appears to be from a 2019 Facebook hack, the availability of highly personal data, such as Facebook IDs, full names, location, gender, birthdates, relationship status and employer, could be dangerous to victims in social engineering scams and hacking. Facebook members can visit haveibeenpwned.com to determine if their accounts are among those stolen and posted in dark web forums. More on the Facebook story is available here, here and here.
And in another data leak story, researchers discovered data from over 500 million LinkedIn users being sold online, with 2 million records leaked as a ‘free sample’ proof of concept. The complete set of data is being sold for a four-digit bitcoin sum. It is unclear whether the data is newly scraped from LinkedIn or an aggregate of previously stolen data. More on this story is available here and here.
And in another LinkedIn threat, a group dubbed the Golden Chickens (yes, really) is delivering a fileless backdoor trojan called “more eggs” (no, we’re not kidding) through a targeted spear phishing campaign pretending to be a job offer. The campaign appears to target LinkedIn members with high-level positions and matches the name of the malicious file to the victim’s current job title to encourage the victim to open the file. More_eggs is also available as malware-as-a-service. The Golden Chickens threat group seems to cater only to a select group of criminals, including the FIN6 financial threat gang and the Evilnum and Cobalt groups. While the jokes associated with this group’s name and malware abound (free range, anyone?), this malware should not be dismissed and is being described by security researchers as a dangerous threat to businesses.
Work Collaboration Platforms Targeted with Malware
Researchers have discovered that threat actors are actively infiltrating workflow, collaboration and communications tools like Slack and Discord to deliver info-stealers, remote access trojans (RATs) and ransomware. Multiple collaboration platforms are being targeted, with the given platform’s chat application used to trick users into opening malicious attachments. Once the user clicks on the malicious link, the payload can be easily delivered in a compressed format, via the platform’s content delivery network (CDN) and over encrypted HTTPS, which further helps to obfuscate the file. These attacks are also being conducted in multiple languages, including English, Spanish, French, German, and Portuguese. Researchers have also discovered ransomware delivered via tools like the Discord API.
To mitigate this threat, researchers are recommending that companies apply least privilege and other security precautions. More on the threats targeting collaboration tools can be found here and here.
Old SAP Vulnerabilities Targeted in Attacks on Enterprises
Once again, businesses are reminded of the dangers of unpatched vulnerabilities. Last week it emerged that threat actors worldwide were actively targeting critical vulnerabilities in unpatched SAP applications. In a joint SAP/threat intelligence report, two of the flaws (CVE-2020-6287 and CVE-2020-6207) are rated on the Common Vulnerability Scoring System (CVSS) as a 10—the highest severity score possible. Other dangerous vulnerabilities are listed as CVE-2018-2380, CVE-2016-9563, CVE-2016-3976, and CVE-2010-5326. Over 400,000 organizations worldwide use SAP applications. While the report indicated that SAP was not aware of any direct customer-related breaches, it did cite at least 1,500 SAP application attack attempts between June 2020 and March 2021, of which at least 300 were successful.
SAP further stated that while it issues bug fixes monthly, companies were ignoring the fixes, leaving systems unpatched for months and years. The company also pointed out that threat actors were already exploiting a vulnerability within 72 hours of a patch being issued. Online SAP applications were often exploited in less than three hours.
Like the SolarWinds breach and the recent Microsoft Exchange attack, the supply chain implications for an SAP exploit are tremendous. According to the report, an estimated 92% of all Forbes Global 2000 companies have standardized on SAP enterprise apps and “77% of the world’s transactional revenue touches an SAP system.” The report further points out that organizations using SAP include the “vast majority of pharmaceutical, critical infrastructure and utility companies, food distributors, defense, manufacturing and many more critical industries.”
Researchers say the attacks are brute-forcing high-privilege SAP user accounts, in addition to exploiting the known bugs. The complexity of many of the attacks leads security researchers to conclude that the threat actors possess “advanced domain knowledge of SAP applications” as well as “access to the manufacturer’s patches…”
SAP and its security firm are working closely with the U.S. Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA) as well as Germany’s Federal Office for Information Security (BSI) to advise businesses to take immediate action and apply SAP patches.
Attacks on SAP vulnerabilities are originating from countries around the world, including Hong Kong, Singapore, Sweden, Taiwan, the United States, Vietnam, Yemen, India, and Japan.
SAP is recommending that companies immediately apply all appropriate SAP security patches, perform a compromise assessment and forensic investigation of at-risk environments, and a review of SAP security configurations.
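The report says attackers are brute-forcing high-privilege SAP accounts alongside exploiting the known bugs, and SAP recommends a compromise assessment of at-risk environments. The following is an added example, not code from GuidePoint, SAP or the report, showing the kind of detection logic a compromise assessment can run over authentication logs: it flags repeated failures against one account from one source inside a sliding window, raises severity for privileged accounts, and escalates when a success follows a burst of failures. The log format, account names, source addresses, window and threshold are all assumptions constructed for the example.

```python
"""
Added example: detect password brute-forcing against application accounts in
an authentication log. Everything here (log format, account names, IPs,
thresholds) is constructed for illustration; it is not SAP's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO timestamp> <user> <source ip> <result>"
SAMPLE_LOG = """\
2021-03-30T08:00:01 app_admin 203.0.113.7 FAIL
2021-03-30T08:00:03 app_admin 203.0.113.7 FAIL
2021-03-30T08:00:05 app_admin 203.0.113.7 FAIL
2021-03-30T08:00:07 app_admin 203.0.113.7 FAIL
2021-03-30T08:00:09 app_admin 203.0.113.7 FAIL
2021-03-30T08:00:11 app_admin 203.0.113.7 SUCCESS
2021-03-30T08:05:00 jdoe 198.51.100.4 FAIL
2021-03-30T08:05:30 jdoe 198.51.100.4 SUCCESS
2021-03-30T08:10:00 svc_report 198.51.100.9 FAIL
2021-03-30T08:10:01 svc_report 198.51.100.9 FAIL
2021-03-30T08:10:02 svc_report 198.51.100.9 FAIL
2021-03-30T08:10:03 svc_report 198.51.100.9 FAIL
2021-03-30T08:10:04 svc_report 198.51.100.9 FAIL
2021-03-30T09:00:00 basis_admin 203.0.113.9 FAIL
2021-03-30T09:00:01 basis_admin 203.0.113.9 FAIL
2021-03-30T09:00:02 basis_admin 203.0.113.9 FAIL
"""

HIGH_PRIV = {"app_admin", "basis_admin"}   # assumed list of privileged accounts
WINDOW = timedelta(minutes=5)               # assumed sliding window
THRESHOLD = 5                               # assumed failures-per-window trigger


def parse_line(line):
    """Split one constructed log line into (timestamp, user, source_ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def detect_bruteforce(log_text, window=WINDOW, threshold=THRESHOLD, high_priv=HIGH_PRIV):
    """Return a list of alert dicts, in the order the triggering events occur."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    recent_failures = defaultdict(list)   # (user, ip) -> timestamps inside the window
    alerted = set()                       # keys already reported, to avoid duplicate alerts
    alerts = []
    for ts, user, ip, result in events:
        key = (user, ip)
        if result == "FAIL":
            q = recent_failures[key]
            q.append(ts)
            # Slide the window: forget failures older than `window`.
            while q and ts - q[0] > window:
                q.pop(0)
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({
                    "kind": "bruteforce",
                    "user": user,
                    "source": ip,
                    "failures": len(q),
                    # Privileged accounts get a higher severity.
                    "severity": "high" if user in high_priv else "medium",
                })
        elif result == "SUCCESS":
            # A success after a flagged burst is the strongest signal of compromise.
            if key in alerted:
                alerts.append({
                    "kind": "success_after_bruteforce",
                    "user": user,
                    "source": ip,
                    "severity": "critical",
                })
            recent_failures[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Three alerts come out of the constructed log: a high-severity burst against `app_admin`, a critical escalation when that same source then logs in successfully, and a medium-severity burst against the unprivileged `svc_report`; the three failures against `basis_admin` stay below the threshold. In practice the thresholds and the privileged-account list would come from the application's own role data rather than a hard-coded set.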
Ransomware Roundup: Clop, Cring, Conti and REvil, plus more
Malware shuts down vehicle testing in eight states
Early in the week, news broke that some form of malware was preventing vehicle emissions testing in eight states. The malware seems to have attacked a vehicle emissions testing platform operated by Applus Technologies. A week later, it appears some state testing facilities are still non-operational. While the company did not confirm a ransomware attack, many cybersecurity professionals believe ransomware to be the most likely cause of the system failure. More on this ongoing story is available here and here.
Ransomware gangs emailing victims of data theft
Cybercriminals are attempting to put pressure on ransomware victims to pay up by emailing the victim’s customers. Security researcher Brian Krebs reported last week that ransomware gangs have started to email the personal accounts of individuals whose data was stolen during attacks. He cites a particular attack on an Atlanta-based retail gasoline convenience store company, with 650 outlets in 12 states. The targeted victims appeared to have given the company their name and email address as part of a rewards program.
Cybercriminals demand $40 million from Florida school district
Broward County Public Schools learned the hard way there is no honor among thieves. Conti gang cybercriminals managed to infiltrate the district’s computer systems with ransomware and demanded $40 million in payment. When the astounded public school district said no, the Conti gang shut down negotiations and published the negotiations chat. According to district officials, this amount is one of the highest ever demanded of a public school system.
More university data leaked online thanks to ransomware
Data from multiple schools appeared online last week thanks to a ransomware attack related to Accellion File Transfer Appliance (FTA) software vulnerabilities. Last month several other universities were victims of the same group. The attacks are linked to both the Clop ransomware gang and the FIN11 cybercrime group.
Global cosmetic and pharmaceutical laboratory hit with $25 million ransomware attack
A leading global cosmetic and pharmaceutical company with 10,000 laboratories located worldwide was hit with a REvil ransomware attack involving a $25 million ransom demand. If no contact had been made by a certain time, the ransom doubled to $50 million. To contain the spread of the attack, the company said it had to temporarily halt production activities.
REvil getting more dangerous
Security researchers are warning organizations that the REvil ransomware has just gotten a little more dangerous. Changes to the ransomware now allow cybercriminals to automate file encryption in Safe Mode after changing the Windows password. Researchers believe the changes will make detection more difficult, in addition to shutting down backup software, database servers, or mail services.
US-based manufacturer of network connectivity devices hacked by likely ransomware attack
Last week a US manufacturer of routers, firewalls, switches, cabling, and connectors announced that attackers likely gained access to sensitive employee, dependent, and spouse health information during a November 2020 cyberattack. While the company has not disclosed the nature of the 2020 attack, researchers believe it was related to ransomware.
Final Words
When a company the size of SAP takes the proactive step to issue a report stating that its unpatched applications are vulnerable and under active attack, and that a far-too-large percentage of SAP customers have ignored the patches, then you know that something serious is going on. In the wake of the SolarWinds and Microsoft Exchange global attacks, which leverage vulnerabilities not unlike those described by SAP, you have to give SAP credit for its preemptive and comprehensive report on the severity of the bugs and the supply chain risks associated with unpatched application vulnerabilities.
Yet, this scenario also gets one to thinking—why is it so hard for businesses to patch known vulnerabilities? As SAP points out, countless businesses in critical industries, including pharmaceutical, critical infrastructure and utility companies, food distributors, defense, and manufacturing, operate SAP applications. So, the impetus to patch should be there, yet more often than not, security fixes are ignored.
While it is easy on some level to chalk the failure to patch up to a belief on the part of businesses that an attack ‘won’t-happen-to-me’, the bigger issue is likely related to a combination of the cybersecurity skills gap (companies can’t find or can’t afford to hire skilled cybersecurity professionals), as well as disconnects between the operations and infrastructure teams and the rest of the organization.
Unfortunately, security and operations teams often work on an island. However, security is the job of every employee, and one thing to consider is leveraging other teams, such as marketing and HR, to help communicate the importance of patching and the necessity of short-term system downtime for the bigger, greater good. Getting the right people and right teams involved in security can make a big difference to the safety of an organization.
Additional patch management best practices include:
- Applying patches promptly and according to patch release cycles.
- Running regularly scheduled vulnerability scans.
- In addition to scan reports, conducting additional research on potential application or system vulnerabilities.
- Prioritizing patching to the highest risk applications.
- Not limiting patching to only high-profile applications, like Microsoft products.
- Clearly defining the team responsible for patch management and making sure they’re adequately staffed.
- Testing the patches before deployment.
- Granting the patch management team the right levels of authority to get the work done.
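The list above asks for regular scans, patching according to release cycles, and prioritizing the highest-risk applications, but says nothing about how to turn scan output into an ordered work queue. The following added example, which is not code from GuidePoint or SAP, ranks findings from a constructed vulnerability scan by a simple risk score (CVSS base score, internet exposure, known active exploitation, and how far past a patch SLA the finding is) and reports how overdue each one is. Only the two CVEs the report rates 10.0 (CVE-2020-6287 and CVE-2020-6207) and the 72-hour exploitation window are taken from the page; the host names, the other finding identifiers (obvious placeholders), patch release dates, exposure flags, SLA days and the scoring weights are all assumptions.

```python
"""
Added example: risk-based patch prioritization over constructed scan findings.
Scoring weights and SLA policy are assumptions, not SAP's or GuidePoint's guidance.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float            # CVSS base score (10.0 for the two CVEs the report rates 10; others assumed)
    internet_facing: bool  # reachable from the internet
    patch_released: date   # date the vendor fix became available
    exploited_in_wild: bool


# Assumed patch SLA in days per CVSS band. The 3-day critical SLA mirrors the
# report's observation that exploitation began within 72 hours of a patch.
SLA_DAYS = {"critical": 3, "high": 14, "medium": 30, "low": 90}


def band(cvss):
    """Map a CVSS base score to a severity band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def risk_score(f, today):
    """Return (score, days_open, days_overdue) for one finding."""
    score = f.cvss
    if f.internet_facing:
        score += 2.0          # assumed weight: exposure widens the attacker pool
    if f.exploited_in_wild:
        score += 3.0          # assumed weight: active exploitation is the strongest signal
    days_open = (today - f.patch_released).days
    overdue = days_open - SLA_DAYS[band(f.cvss)]
    if overdue > 0:
        score += min(overdue / 30.0, 3.0)   # age adds up to 3 points, one per month overdue
    return round(score, 2), days_open, overdue


def prioritize(findings, today):
    """Return findings as dicts, highest risk first, with overdue days attached."""
    rows = []
    for f in findings:
        score, days_open, overdue = risk_score(f, today)
        rows.append({"host": f.host, "cve": f.cve, "score": score,
                     "days_open": days_open, "overdue_by": max(overdue, 0)})
    rows.sort(key=lambda r: (-r["score"], r["cve"]))
    return rows


# Constructed scan output. CVE-0000-* identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("erp-portal-01", "CVE-2020-6287", 10.0, True, date(2020, 7, 14), True),
    Finding("erp-internal-02", "CVE-2020-6207", 10.0, False, date(2020, 7, 14), True),
    Finding("hr-app-03", "CVE-0000-0001", 6.6, False, date(2021, 3, 30), False),
    Finding("web-05", "CVE-0000-0002", 6.5, True, date(2021, 2, 4), False),
]
TODAY = date(2021, 4, 5)   # constructed "as of" date matching the post's week


if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS, TODAY):
        print(f"{row['score']:5.2f}  {row['host']:16} {row['cve']:14} "
              f"open {row['days_open']:3}d  overdue {row['overdue_by']:3}d")
```

The two internet-facing and actively exploited CVSS 10 findings rise to the top and show as hundreds of days overdue, which is the "months and years" gap the report describes; the recently released medium-severity fix on `hr-app-03` sits inside its SLA and ranks last. Whatever weights an organization picks, the point is that the queue is driven by exposure and exploitation data, not only by the vendor's name.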
As massively large-scale breaches go global in this day and age, getting the whole company involved in cybersecurity is more important than ever.