This week in ransomware: SQL injection bugs, FBI Ranzy warnings, Russian attacks on a gun rights advocacy group, and more
Posted by: GuidePoint Security
Published 11/3/21, 9:00am
There’s no rest for the weary (or wicked) when it comes to ransomware, as organizations continue to battle attacks and ransomware gangs continue their unbridled assaults. Highlights from last week’s ransomware threats and attacks include:
Billing software zero day
Ransomware operators are exploiting a known SQL injection bug in the BillQuick billing and invoicing software. Tracked as CVE-2021-42258, the vulnerability lets threat actors gain access by sending login requests whose username field contains invalid characters. Industry researchers report that the vulnerability has already been used to break into an engineering firm and deploy ransomware. The ransomware operators behind the attacks are unidentified. Additional zero-day vulnerabilities being tracked in this software include CVE-2021-42344, CVE-2021-42345, CVE-2021-42346, CVE-2021-42571, CVE-2021-42572, CVE-2021-42573, CVE-2021-42741, and CVE-2021-42742. The software vendor is currently working to address the security concerns.
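The login-form SQL injection pattern described above, as an added illustration that is not BillQuick's code and not from the original post: a hypothetical login lookup that splices the username into the SQL text, beside the parameterized form, plus a small check showing that a quote character in the username reaches the SQL parser in the vulnerable version but is treated as plain data in the hardened one. The table, user names and the `sqlite3` backend are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory user table standing in for a billing app's
    # login store; the real product's schema is not on the page.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "hash-a"), ("o'brien", "hash-b")])
    return con


def vulnerable_login(con, username):
    # Vulnerable pattern: the username is spliced into the SQL text, so any
    # quote or comment character in it is parsed as SQL rather than as data.
    sql = "SELECT password_hash FROM users WHERE username = '%s'" % username
    return con.execute(sql).fetchone()


def safe_login(con, username):
    # Hardened form: a bound parameter is always treated as a string value,
    # whatever characters it contains.
    sql = "SELECT password_hash FROM users WHERE username = ?"
    return con.execute(sql, (username,)).fetchone()


def reaches_sql_parser(con, username):
    """True when the input changes the SQL statement: a syntax error proves
    the username was interpreted as SQL, which is the defect to fix."""
    try:
        vulnerable_login(con, username)
        return False
    except sqlite3.OperationalError:
        return True


def has_sql_metacharacters(username):
    """Log-review heuristic for login requests: flags usernames carrying SQL
    quote, terminator or comment characters. Legitimate names such as
    o'brien also match, which is why parameterized queries, not input
    filtering, are the actual fix."""
    return any(tok in username for tok in ("'", '"', ";", "--"))
```

Running `reaches_sql_parser(make_db(), "o'brien")` returns True for the vulnerable lookup, while `safe_login` finds the same user correctly.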
FBI warning: 30 US companies attacked by Ranzy ransomware
Last week, the FBI issued a Flash alert advising companies that cybercriminals have been using the Ranzy Locker ransomware to target businesses in the United States. As of July 2021, more than 30 US businesses had been compromised. Brute-force attacks against Remote Desktop Protocol (RDP) appear to be the preferred infiltration method. More recently, however, victims have also reported the attackers using phishing and exploiting Microsoft Exchange Server vulnerabilities. While the ransomware operators remain unknown at this time, the FBI reports that the ransom note contains language similar to notes used in the past by the AKO and ThunderX gangs, who may have rebranded under Ranzy Locker.
Cybercriminals holding systems at gunpoint: Russian-speaking ransomware attackers target well-known gun rights group
News broke last week that a well-known US-based gun rights advocacy group had suffered a ransomware attack at the hands of a Russian-speaking criminal gang known as Grief. The threat actors have already released a number of documents belonging to the group and are threatening to release more if the ransom is not paid. The Grief gang is believed to be affiliated with the ransomware group Evil Corp. Industry experts are pointing out that Evil Corp has been sanctioned by the US government, and any organization caught financially supporting the group through ransom payment could be at risk of violating US sanctions.
Major dairy company knocked offline by ransomware
A multi-billion-dollar dairy and foods company had plants and distribution centers knocked offline by a ransomware attack last week. The attack began on a Friday and lasted through the weekend, preventing plants and distribution centers from accessing key corporate systems. As a result, milk transporters were forced to reroute deliveries to different distribution locations, disrupting the entire milk supply chain. News reports place the ransom demand at $2.5 million. This is the latest in a series of attacks against the food and agriculture sector. In September, the FBI issued a warning that ransomware attacks against this sector were likely. In its warning, the FBI indicated that ransomware groups were intentionally trying to “disrupt operations, cause financial loss, and negatively impact the food supply chain.”
Ransomware gangs poisoning victims
Industry researchers announced last week the discovery of two ransomware campaigns involving SEO poisoning. Linked to either the REvil ransomware gang or the SolarMarker backdoor, the attacks involve injecting keywords into websites to raise their search engine optimization (SEO) ranking. Users tend to assume that websites appearing higher in search engine listings are legitimate and safe. When users click the search-engine-delivered link, they are redirected through a chain of sites that ultimately drops the ransomware payload. The attack appears to leverage a WordPress plugin vulnerability. This isn’t the first time threat actors have used SEO poisoning: back in June, Microsoft announced it was tracking SEO poisoning attacks infecting victims with a remote access trojan (RAT).
Next Steps
Ransomware is a significant threat that isn’t going away anytime soon. Organizations are reminded that a ransom payment does not guarantee file recovery. The FBI and law enforcement strongly discourage victims from paying a ransom. The FBI also urges victims to report ransomware incidents to their local FBI field office or the FBI’s Internet Crime Complaint Center (IC3). Additional ransomware mitigation steps include:
- Regularly back up all data to air-gapped, password-protected systems kept offline.
- Implement multifactor authentication (MFA).
- Apply the principle of least privilege.
- Periodically review network access for all employees and delete old or inactive accounts.
- Regularly review logs and engage in other types of system scanning for indications of unauthorized access or modifications.
- Segment networks for better management.
- Regularly update security software on all systems, and enable real-time detection.
- Update/patch all systems and software quickly.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
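The RDP log review recommended in the last step, and the RDP brute-force entry vector described in the Ranzy Locker section, as an added example that is not part of the original post: a detector run over constructed, simplified Windows Security log records (event 4625 is a failed logon, 4624 a successful logon, logon type 10 is RemoteInteractive, i.e. RDP). It flags any source address with a burst of failed RDP logons and notes whether a successful RDP logon from the same source followed, which is the pattern worth triaging first. The CSV shape, timestamps and addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: "timestamp,event_id,logon_type,user,src_ip".
# The first source sprays several account names, then logs in successfully;
# the second is one user mistyping a password once.
SAMPLE_LOG = """\
2021-10-28T02:00:01,4625,10,administrator,203.0.113.7
2021-10-28T02:00:03,4625,10,admin,203.0.113.7
2021-10-28T02:00:05,4625,10,backup,203.0.113.7
2021-10-28T02:00:08,4625,10,administrator,203.0.113.7
2021-10-28T02:00:11,4625,10,svc_sql,203.0.113.7
2021-10-28T02:00:14,4625,10,administrator,203.0.113.7
2021-10-28T02:01:30,4624,10,administrator,203.0.113.7
2021-10-28T09:15:00,4625,10,jsmith,198.51.100.4
2021-10-28T09:15:20,4624,10,jsmith,198.51.100.4
"""


def parse_log(text):
    entries = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, user, src_ip = line.split(",")
        entries.append((datetime.fromisoformat(ts), int(event_id),
                        int(logon_type), user, src_ip))
    return entries


def find_rdp_bruteforce(entries, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: {"failures": n, "success_after": bool}} for every
    source with at least `threshold` failed RDP logons inside `window`;
    success_after marks a later successful RDP logon from that source."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, event_id, logon_type, _user, src_ip in entries:
        if logon_type != 10:          # only RDP (RemoteInteractive) logons
            continue
        if event_id == 4625:
            failures[src_ip].append(ts)
        elif event_id == 4624:
            successes[src_ip].append(ts)
    alerts = {}
    for src_ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                last_fail = times[i + threshold - 1]
                alerts[src_ip] = {
                    "failures": len(times),
                    "success_after": any(t > last_fail for t in successes[src_ip]),
                }
                break
    return alerts
```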