JBS Foods Attack & WordPress Zero-Day: Cybersecurity News—Week of 05/31/21
Posted by: GuidePoint Security
Ransomware attacks continued their charge across the United States, with several high-profile incidents last week, including one that shut down operations at JBS Foods. On the vulnerability front, researchers discovered a WordPress plugin under active attack. In addition, Chinese nation-state threat actors appear to have hacked the New York City Metropolitan Transit Authority (NYC MTA) using the recently disclosed Pulse Secure VPN zero-day. And in malware news, a new intermediate-stage malware is being used by Russian hacking groups in a spear-phishing campaign, and the Necro-Python malware has been upgraded to support additional exploits and cryptomining.
- Ransomware Rampage: JBS Foods & Massachusetts Ferry Service Targeted; Epsilon Red on the Hunt.
- Bugs Continue to Swarm: WordPress Zero-day; Transportation Authorities a Target of Pulse Vulnerability
- This Week in Malware: SkinnyBoy and Necro Python
- Final Words
Ransomware Rampage: JBS Foods & Massachusetts Ferry Service Targeted; Epsilon Red on the Hunt.
What You Need to Know
The world’s largest producer of beef, JBS Foods, halted operations last week due to a ransomware attack by the Russia-based cybercrime group REvil. The Steamship Authority of Massachusetts ferry service also fell victim to a ransomware attack last week. And a new ransomware strain known as Epsilon Red is on the hunt for vulnerable Microsoft Exchange servers.
Summary
JBS Foods
With the United States still reeling from the recent Colonial Pipeline attack, businesses and consumers this week saw yet another massive ransomware attack hit the supply chain, this time at the world’s largest beef producer, JBS Foods. The meat processor, which sells to customers in roughly 190 countries, was forced to halt production at its affected plants in North America and Australia on May 31st. The attack was attributed to the Russia-based REvil/Sodinokibi ransomware gang. Fortunately, JBS Foods was able to bring its systems back online within a week, sooner than expected, because its backup servers were untouched in the incident. The company has stated that the REvil criminals did not access any of its core systems.
REvil—Not Afraid to be Called Terrorists
As JBS Foods restarted operations, a “spokesperson” for the criminal gang REvil was busy opining on the JBS Foods attack. In an interview posted on a Russian channel known as OSINT, a representative of the gang claimed that the JBS Foods attack was originally aimed at a Brazilian company and that the group was not afraid of being labeled a terrorist organization. The representative further claimed that the group had previously restricted the number of attacks on U.S.-based entities, but that because the U.S. government was now pressuring the Russian government to stop harboring cybercriminals, REVil would resume attacks on U.S. businesses. There is irony in this statement, of course, as it only seems to validate U.S. government assertions that the Russian government is, in part, responsible for the wave of cybercrime coming out of Russia. If REvil had nothing to do with the Russian government, the posturing and statements by the Biden and Putin administrations would have no impact on its targeting.
Massachusetts Ferry Service
Ransomware delayed travelers attempting to visit or leave Martha’s Vineyard or Nantucket last week. According to a Steamship Authority of Massachusetts statement, the ransomware attack disrupted services. Although the ferries continued to run, both credit card processing and the online and telephone reservation systems were disrupted. The Steamship Authority indicated that the attack did not jeopardize the safety of the vessels, and that radar and GPS functionality were unaffected. As of June 4th, the Authority was still working with officials to analyze and mitigate the attack.
Epsilon Red Ransomware Targeting Microsoft Exchange Servers
Another new ransomware threat surfaced last week. Known as Epsilon Red, the strain encrypts files on a target system; its ransom note borrows wording from REvil’s, but researchers have not attributed the operation itself to REvil. The ransomware is written in the Go programming language and deployed on the back of a series of PowerShell scripts, with the attackers gaining initial access by exploiting unpatched Microsoft Exchange servers. The known attack was against a company in the US hospitality sector. According to researchers, the ‘Epsilon Red’ name was coined by the criminals themselves and appears to reference an obscure X-Men/Marvel comics “Russian super-soldier” enemy character.
Next Steps
Ransomware isn’t going anywhere anytime soon, and no organization is immune. Organizations that believe they may be victims of ransomware are urged to work with a professional ransomware investigation and response team to perform a thorough examination and analysis and determine the best course of action to restore files and systems. To protect from ransomware, organizations are urged to apply best practices that include data backups and regular updates and patching, as well as endpoint protection and email security. Businesses are also encouraged to work with experts in security to facilitate an ongoing and strong security posture.
Bugs Continue to Swarm: WordPress Zero-day; Transportation Authorities a Target of Pulse Vulnerability
What You Need to Know
The almost daily announcements of critical zero-days and unpatched vulnerabilities make the cicada swarms currently blanketing portions of the east coast seem minor in comparison. This week, organizations learned of a critical WordPress zero-day being actively exploited. And Chinese hackers leveraged the recently disclosed Pulse Secure VPN vulnerability to hack the New York City transportation authority.
Summary
WordPress Plugin Zero Day
A WordPress plugin known as Fancy Product Designer, installed on almost 17,000 websites, was the target of a critical zero-day exploit last week. The flaw allows an unauthenticated attacker to upload arbitrary files, which leads to remote code execution and full site takeover. The developers released a patch on June 2nd.
New York City Transit Authority Hacked
Reports surfaced last week that the New York City Metropolitan Transit Authority (NYC MTA) had been hacked in April through the Pulse Secure VPN zero-day disclosed that month. Fortunately, it appears that the hackers did not gain access to sensitive data or jeopardize the systems used for fleet operations, thanks to quick action by NYC MTA, which included engaging a professional security incident response firm. The Pulse Secure VPN vulnerabilities flagged in recent advisories include CVE-2021-22908, CVE-2021-22893, CVE-2019-11510, CVE-2020-8260, and CVE-2020-8243.
Next Steps
GuidePoint Security advises businesses to work with a vulnerability management as a service (VMaaS) provider to help manage the constant onslaught of vulnerabilities and zero-days. Another way to understand and identify vulnerabilities in an enterprise system is through penetration testing. Regarding the WordPress zero-day, an updated and patched version of the Fancy Product Designer plugin is available from the developer, and sites running the plugin should update immediately.
This Week in Malware: SkinnyBoy and Necro Python
What You Need to Know
Researchers have discovered a new malware strain known as SkinnyBoy attacking military and government institutions. And upgrades have been made to Python-based malware known as Necro.
Summary
SkinnyBoy Malware
A new type of malware known as ‘SkinnyBoy’, attributed to the Russian hacking group APT28 (also known as Fancy Bear, Sednit, Sofacy, Strontium, or Pawn Storm), has been discovered attacking military and government institutions in Europe and possibly the United States as well. Delivered via a spear-phishing campaign with an attached Word document, the malware serves the intermediate stage of an attack: it collects information about the victim and retrieves the next-stage payload from the command and control (C2) server. The email lure invites the recipient to attend a scientific conference.
Necro-Python Malware
Researchers have discovered that upgrades to the Python-based Necro malware—a self-replicating, polymorphic bot also known as FreakOut or N3Cr0m0rPh—include different C2 communications and the addition of new exploits targeting vulnerabilities in VMware, SCO OpenServer, Vesta Control Panel, and Windows Server Message Block (SMB). (The SMB vulnerabilities are also known as EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0145)). The Necro malware has been used in the past for distributed denial-of-service (DDoS) attacks and remote access trojan (RAT) capabilities, as well as Monero cryptomining.
Next Steps
In addition to updating and patching vulnerabilities, to prevent malware attacks, businesses are advised to work with a professional security team to devise an appropriate security architecture to support their organization. Security components should include data security and email security, as well as network and endpoint security.
Final Words
In response to the continued ransomware attacks threatening U.S. organizations, the Biden Administration and the Department of Justice last week issued guidance on combating the damage being done by these attacks. In a memo, U.S. Deputy Attorney General Lisa Monaco emphasized the importance of enhanced internal government tracking to improve focus, coordination, and investigation into cybercriminals who engage in ransomware distribution or digital extortion, or who provide support to those who do.
The Biden Administration is also calling on businesses to do more to implement some cybersecurity best practices that include:
- Data backup and restoration processes
- Immediate system, hardware, and software updates and patching
- Creation and testing of incident response plans
- The use of third-party penetration testing firms to analyze the effectiveness of a business’s security
- The use of network segmentation
While the Biden Administration continues its diplomatic pressure on Moscow to stop harboring and tacitly (or actively) supporting cybercriminals, authorities are also looking at other ways to disrupt cybercriminal activities, including tracking and tracing the flow of cryptocurrency and passing legislation to make it illegal to pay a ransom. There are also indicators that insurance companies that currently offer ‘ransomware insurance’ may soon cease to offer this option, effectively cutting off a guaranteed payment method for ransomware operators.
Whether these tactics will work remains to be seen. And unfortunately, the clock is ticking when it comes to governments and authorities getting a handle on the cybercriminal hacking spree currently underway. While the attacks on the Florida water treatment plant, Colonial Pipeline, and JBS Foods did not end up creating any major long-term safety or supply impacts, for many cybersecurity professionals these incidents came as no surprise and are just a taste of what could be the future for U.S. businesses and consumers.
The time to act is now. There can be no bigger priority than cybersecurity if governments and organizations want to ensure the safety, health, and security of their businesses and citizens.
GuidePoint Security