Nuclear Weapons Contractor Attack & Kubernetes Malware: Cybersecurity Week in Review—06/07/21
Posted by: GuidePoint Security
Ransomware threats continued to plague U.S. organizations with notable attacks on U.S. government contractors, including one working with the Nuclear Security Administration. Malware threats also continue unabated, with two new unique threats targeting systems. Adobe, Microsoft and Google all issued patches last week, including several for zero-days. And, the FBI is warning small businesses of targeted business email compromise (BEC) attacks.
- Ransomware Roundup: Attacks on Nuclear Weapons Contractor and U.S. House Email Vendor; New Ransomware Group ‘Prometheus’
- This Week in Malware: Kubernetes Attacks and Malware Stealing from Billions of Computing Devices
- Patching Practices: Critical Patches Issued for Microsoft, Adobe and Google Android Products
- FBI Warnings: Business Email Compromise Scammers Hard at Work
- Final Words
Ransomware Roundup: Attacks on Nuclear Weapons Contractor and U.S. House Email Vendor; New Ransomware Group ‘Prometheus’
What You Need to Know
A contractor for the Nuclear Security Administration (U.S. Department of Energy) confirmed a ransomware attack by the gang known as REvil. Another ransomware attack hit a government contractor supporting email operations for the U.S. House of Representatives. And a new ransomware gang known as Prometheus has emerged with claims that it has breached organizations around the world, including some in the U.S.
Summary
Ransomware Attack on U.S. Nuclear Weapons Contractor
The ransomware gang known as REvil or Sodinokibi appears to be behind a ransomware attack against a small, veteran-owned, U.S. nuclear weapons contractor. In a statement posted to its leak site, REvil stated that since the business did not take the appropriate security precautions, the gang claimed the right “to forward all of the relevant documentation and data to military agencies of our choice.” Sol Oriens, the nuclear weapons contractor, confirmed the attack last week, indicating that some data had been stolen. However, it does not believe the stolen data includes any classified or critical information related to U.S. security. There is no information on whether Sol Oriens paid the ransom. REvil is the same criminal gang that targeted the largest global beef producer, JBS Foods.
U.S. House Email Vendor Targeted with Ransomware
In another ransomware attack on a U.S. contractor, a vendor that manages email for members of the U.S. House of Representatives known as iConstituent suffered a ransomware attack. As a result of the attack, at least 60 House offices from both parties were unable to access iConstituent services. State and local offices also using the iConstituent service appear to be affected. The type of ransomware used has not been disclosed. It also does not appear that any data belonging to offices within the U.S. House of Representatives was affected.
Prometheus Ransomware Group Attacking U.S. Organizations
A new ransomware group dubbed Prometheus by security researchers claims to have attacked and breached more than 30 organizations located around the world, including some in the United States. The organizations under attack operate in government, health care, energy, manufacturing, logistics, consulting, agriculture, insurance, legal and financial services. Security researchers warn that Prometheus’s targets include entities that, if breached, could present serious national concerns. The group claims to be affiliated with REvil/Sodinokibi, responsible for the recent attack on JBS Foods. Prometheus is described as highly opportunistic and ruthless, with its site hosting everything from leaked emails and documents to databases and highly sensitive personally identifiable victim information.
Next Steps
Ransomware attacks continue to threaten business security. With criminal gangs willing to target almost any organization, it is critical for businesses to step up their security. The use of multi-factor authentication and zero trust principles is highly advised. Best practices also include data backups, regular updates and patching, endpoint protection and email security. Businesses that fall victim to a ransomware attack are urged to work with a professional ransomware investigation and response team to perform a thorough analysis and determine the best course of action to restore files and systems.
This Week in Malware: Kubernetes Attacks and Malware Stealing from Billions of Computing Devices
What You Need to Know
Windows containers are under attack from a new type of malware, and a new, unnamed custom malware has stolen billions of data points from Windows systems.
Summary
New “Siloscape” Malware Attacking Windows Containers
Malware that appears to have been active for at least a year is attacking Windows containers to compromise Kubernetes clusters with the objective of creating a backdoor for future attacks. Dubbed Siloscape, the heavily obfuscated malware targets known vulnerabilities in cloud applications, including web servers. Once the application or server is compromised, the malware executes code on the Kubernetes node. It then looks for credentials that will enable its spread to other nodes. Spyware, supply chain, cryptomining and denial of service (DoS) attacks are several threat scenarios believed to be associated with Siloscape and similar container-focused threats.
Custom Malware Stealing from Billions of Data Points
Researchers have announced that a yet-unnamed malware is responsible for stealing at least 1.2 terabytes of data from 3.2 million Windows computers. The theft is reported to include 2 billion web login cookies (of which 400 million were still active), 1 million images and 6.6 million files. The malware has also captured 26 million credentials from sites that include Facebook, Twitter, Amazon and Gmail. The trojan-like malware is believed to spread via illegal copies of downloaded software, including illegal versions of Adobe Photoshop 2018. According to researchers, the malware is also capable of photographing the user if the device has a webcam and then assigning an identifier to the device, suggesting that stolen data could be linked to a particular system or person.
Next Steps
Windows Containers—Security professionals are advising that Windows containers are not appropriate tools for applications that need to be secured since they are not designed for this purpose. They are also advising that appropriate security be placed on Kubernetes clusters. Since the Siloscape malware appears to be targeting known vulnerabilities, updates and patching are also imperative. Cloud security is also a critical recommendation for any organization working with cloud services.
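Siloscape, as described above, hunts for credentials that let it spread from one node to the rest of the cluster, so one concrete piece of the “appropriate security” for Kubernetes clusters is making sure no workload identity can read every Secret. The following Python checker is an added example (not from the original post and not derived from any Siloscape analysis) that flags over-broad RBAC rules in Role/ClusterRole manifests; the two manifests it audits are constructed for illustration.

```python
"""Audit Kubernetes Role/ClusterRole manifests for rules that hand a compromised
workload the cluster's credentials. Constructed sample manifests; stdlib only."""

# Reading these resources yields credentials or kubelet-level control of a node.
SENSITIVE = {"secrets", "nodes/proxy", "*"}


def rule_exposes_credentials(rule: dict) -> bool:
    """True if one RBAC rule lets its subject read Secrets (or any resource) broadly."""
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    if not (resources & SENSITIVE):
        return False
    if verbs & {"list", "watch", "*"}:          # enumerates every object in scope
        return True
    # 'get' is acceptable only when pinned to specific objects via resourceNames
    return "get" in verbs and not rule.get("resourceNames")


def risky_rules(role: dict) -> list:
    """Return one finding string per over-broad rule in a Role/ClusterRole dict."""
    name = role.get("metadata", {}).get("name", "<unnamed>")
    scope = "cluster-wide" if role.get("kind") == "ClusterRole" else "namespaced"
    findings = []
    for rule in role.get("rules", []):
        if rule_exposes_credentials(rule):
            findings.append(
                f"{name} ({scope}): verbs={sorted(rule.get('verbs', []))} "
                f"on {sorted(rule.get('resources', []))}"
            )
    return findings


# Constructed manifests (not from the post): a typical over-broad "reader" role
# and its least-privilege replacement pinned to one named Secret.
OVERBROAD = {
    "kind": "ClusterRole", "metadata": {"name": "app-reader"},
    "rules": [{"apiGroups": [""], "resources": ["pods", "secrets"],
               "verbs": ["get", "list"]}],
}
LEAST_PRIVILEGE = {
    "kind": "Role", "metadata": {"name": "app-config"},
    "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]},
              {"apiGroups": [""], "resources": ["secrets"],
               "resourceNames": ["app-tls"], "verbs": ["get"]}],
}

if __name__ == "__main__":
    for role in (OVERBROAD, LEAST_PRIVILEGE):
        print(role["metadata"]["name"], "->", risky_rules(role) or ["no findings"])
```

Feeding it the output of `kubectl get clusterroles -o json` (after selecting each item) turns the same logic into a quick cluster-wide audit.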
Other Malware—With regard to other types of malware, including the recently discovered custom malware that has stolen 1.2 terabytes of data, cybersecurity practitioners advise regularly patching and updating systems, as well as working with a professional security team. Security professionals can help businesses create a security architecture designed specifically for their needs, with services such as cloud security, data security, email security and endpoint security.
Patching Practices: Critical Patches Issued for Microsoft, Adobe and Google Android Products
What You Need to Know
The June security bulletins were issued last week and with them came fixes for numerous bugs in Microsoft, Adobe and Google Android products, including several updates related to critical vulnerabilities and zero days.
Summary
Microsoft June Patch Tuesday Includes Zero Days
Microsoft’s June ‘Patch Tuesday’ included fixes for fifty flaws and seven zero-day vulnerabilities. Five of the bugs were classified as ‘Critical.’ Of the seven zero-day vulnerabilities (listed below), two (CVE-2021-31955 and CVE-2021-31956) have been used in recent Windows attacks by a group named PuzzleMaker. Security researchers discovered that PuzzleMaker engaged in highly targeted attacks in which a Chrome zero-day exploit chain was used to achieve remote code execution in Windows. The two Windows vulnerabilities were then chained together to elevate Windows privileges on the compromised device. The attack chain consists of a stager, dropper, service and remote shell. Once the final phase of the attack chain is complete, the threat actors can download and upload files, create processes, sleep for specific amounts of time and delete the shell from the system.
The seven Microsoft vulnerabilities are as follows:
- CVE-2021-31199: Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
- CVE-2021-31201: Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
- CVE-2021-31955: Windows Kernel Information Disclosure Vulnerability
- CVE-2021-31956: Windows NTFS Elevation of Privilege Vulnerability
- CVE-2021-33739: Microsoft DWM Core Library Elevation of Privilege Vulnerability
- CVE-2021-33742: Windows MSHTML Platform Remote Code Execution Vulnerability
Updates to 41 Vulnerabilities in Adobe Products
In an unusually large release last week, Adobe issued security updates for 41 vulnerabilities found in 10 of its products, including Photoshop, Acrobat and Reader and the Creative Cloud Desktop Application. While there is no indication of zero-day vulnerabilities, the company is advising its customers to update to the latest versions immediately since it is believed that threat actors may soon target the bugs.
Google Issues Security Bulletins for More than 90 Vulnerabilities
Google’s June update focused on more than 90 vulnerabilities in Android and Pixel devices, including a critical bug (CVE-2021-0507) related to remote code execution. Google stated that this particular bug was its most severe and could enable “a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.” Other vulnerabilities include one that could enable the execution of arbitrary code and bypass user interaction requirements to gain additional permissions. Google also issued a security bulletin for its Pixel device, with four vulnerabilities rated as high severity and the remaining as moderate. These high severity Pixel bugs could enable privilege escalation.
Next Steps
Managing the sheer volume of vulnerabilities and zero-days disclosed every month can be a daunting task. To alleviate concerns related to unpatched bugs, GuidePoint Security advises businesses to work with a vulnerability management as a service (VMaaS) provider. Organizations are also advised to check the update announcements and security bulletins that are regularly issued by software and hardware vendors, including those issued by Microsoft, Adobe and Google.
- Microsoft—Microsoft advised immediate updates. Information on the vulnerabilities can be found on Microsoft’s Security Update Guide.
- Adobe—Security updates for Adobe products can be found on Adobe’s Security Incident Response Team web page.
- Google—Information on security updates for Google devices can be found on the Android Security Bulletin—June 2021 and in the Pixel Update Bulletin—June 2021.
FBI Warnings: Business Email Compromise Scammers Hard at Work
What You Need to Know
The FBI has issued a bulletin to private sector companies warning of business email compromise (BEC) attacks.
Summary
The FBI is warning of increased BEC attacks spoofing construction companies and targeting a variety of private-sector firms. The incidents appear to be related to attacks that began in March 2021. After collecting information on the construction companies from public online services, such as local and state government data portals and construction industry data aggregators, the cybercriminals impersonate the construction company in emails to targeted victims across a multitude of industry sectors. The emails request changes to direct deposit account or automated clearinghouse (ACH) information, with the new accounts belonging to the criminals. Hundreds of thousands of dollars have been lost to date. The FBI warns that these emails are sophisticated in their social engineering techniques, including spoofing of the construction firms’ logos, graphics and legitimate websites.
Next Steps
Business email compromise (BEC) is a type of phishing attack that leverages social engineering to make a fake email appear legitimate. Preventative measures against phishing include phishing awareness training and email security solutions.
Final Words
During the last few weeks, leaders in Congress have been holding hearings to better understand the impact that recent ransomware attacks have had on businesses, industry, critical infrastructure and the country. Congress members and government cyber specialists appear focused on the fact that voluntary standards and market forces have not been enough to encourage businesses to improve their cybersecurity acumen. This has led to discussions around increased government regulation and monitoring, defining ‘critical infrastructure,’ and banning cryptocurrency as a form of ransom payment.
Unfortunately, one topic that doesn’t appear to be on the table is why cybercriminals find it so easy to deliver ransomware and other types of malware in the first place. Since the answer to that question relates, in part, to an overall scarcity of skilled cybersecurity professionals available to actually prevent and mitigate attacks, it is distressing that elected officials and government cyber professionals are failing to address this critical cybersecurity skills gap.
A recent survey of 5,000 IT professionals found that more than 80% believed that the ability to find and retain skilled staff was a “major” or the “single biggest” challenge in their IT security delivery. In another recent study, more than 70% of the respondents believed that their organization had been impacted by the cybersecurity skills shortage. The reasons for the gap are many and include unnecessary barriers around degree requirements, training costs and lack of career development information and opportunities.
Studies show that the demand in the cybersecurity industry is expected to triple through 2022. However, the number of skilled staff needed to meet this demand remains relatively flat. The cybersecurity skills gap is real—and while regulation may perhaps be necessary to stop the cybercrime epidemic, no amount of regulation and monitoring is going to fully solve the problem unless there are skilled professionals available to actually meet the regulatory requirements.
As industry and government finally begin to wake up to the seriousness of cyberthreats, it is critical that all parties (elected officials, government cyber experts and industry professionals) understand that regulation will only succeed if there are skilled staff available to actually do the work.