Weekly Intel Report - December 7, 2022
Threatscape analysis that keeps you two steps ahead of the bad guys.
Ransomware, Malware & Phishing
Multiple government departments in New Zealand affected by ransomware attack on IT provider
Recommendation: Mercury IT, a widely used Managed Service Provider (MSP) in New Zealand, has been hit by a cyberattack. Because Mercury IT acts as third-party IT support for many organizations, the incident may have disrupted dozens of organizations in the country, including several government and public authorities.
Some of the organizations impacted by this attack include BusinessNZ, Accuro, the Optometrists and Dispensing Opticians Board of New Zealand, the Chiropractic Board, the Podiatrists Board, the New Zealand Psychologists Board, the Dietitians Board, and the Physiotherapy Board of New Zealand.
In public statements, the Ministry of Justice and Health New Zealand state that roughly 8,000 records are inaccessible and 5,000 cardiac records were stolen in this ransomware attack. No information has been released on the attack vector or the group responsible. However, this comes weeks after the Medibank attack, in which hackers gained access to data on 9.7 million customers.
APT recommends that organizations review their incident response and disaster recovery procedures to ensure they are prepared to respond to a ransomware attack. Perform data backups at regular intervals, ensure all call trees are up to date, and if possible, perform a tabletop exercise to test current readiness levels.
Your business is only as strong as its weakest link. In the healthcare industry, that weak link is often a vendor or third-party provider.
For a limited time, Access Point is offering companies an initial assessment on two of their third-party vendors, at no cost and without commitment.
Russian hacking group spoofed Microsoft login page of US Military supplier
Recommendation: Researchers from Recorded Future have uncovered a campaign dating back to July perpetrated by a hacking group with close ties to Russia, known as SEABORGIUM (also known as Callisto, COLDRIVER, and TA446). The group is known for operations that further Russian state interests and target critical infrastructure.
SEABORGIUM has mainly focused on attacking NATO countries; however, both Google and Microsoft have published reports in recent months on SEABORGIUM's expanding phishing operations. Most of its current activity centers on "phishing and credential theft", leveraging phishing emails that contain malicious PDF or DOC files with malicious links hosted on Google Drive or Microsoft OneDrive. Researchers also found 38 domains registered by the group since January, most of them through NameCheap, Porkbun, REG.RU, and regway.
APT recommends that your team conduct security awareness training with staff, referencing the latest phishing tactics and defense techniques. Also be sure to monitor for anomalous internet connections to domains registered through the aforementioned registrars.
Open source ransomware toolkit Cryptonite turns into accidental wiper malware
Recommendation: A new open-source ransomware toolkit, Cryptonite (not to be confused with the Chaos ransomware variant, also named Cryptonite), is available for download by anyone with the skills to deploy it, as opposed to being sold on the criminal underground. The Python toolkit was hosted on GitHub by an actor named CYBERDEVILZ; the repository has since been taken down, but use of the toolkit in the wild has steadily increased since its debut in November.
Further research found that its design is not particularly robust, and that simplicity makes it prone to locking files with no option to decrypt if the program crashes or is closed while in operation. This only raises the threat level: because the ransomware is configurable and not the intellectual property of a particular group, the clientele most likely to use the toolkit will lack the skills needed to avoid accidentally making files fully unrecoverable.
APT recommends reviewing the IOCs associated with the toolkit that are unlikely to change when it is used by threat actors, such as the installation of PyInstaller into randomly named folders under a victim's Windows Temp folder, or the use of ngrok as a reverse proxy service where it is not legitimately used in the environment.
Cyberattack shuts down French hospital
Recommendation: French Health Ministry authorities were forced to shut down operations and transfer critically ill patients from the Andre Mignot hospital in Versailles following a weekend cyberattack. Minister Francois Braun said the hospital, along with many others in the area, had been fending off regular ransomware attacks.
Operations remain halted, but the hospital is still doing its best to accept emergency walk-in patients and is refusing to pay the $10 million ransom. Attribution and the method of intrusion are still unknown at this time, but an investigation through the prosecutor's office in Paris is ongoing. Ransomware is a threat to all companies in every industry vertical.
APT recommends that organizations review their incident response and disaster recovery procedures and ensure they are prepared to respond to a ransomware attack. Perform data backups at regular intervals, ensure all call trees are up to date and, if possible, perform a tabletop exercise to test current readiness levels.
LastPass suffers another security breach, exposing some customer information
Recommendation: Popular password management service LastPass said it is investigating a second security incident in which attackers accessed some of its customer information. In this breach, an unauthorized third party leveraged information obtained in a previous breach in August 2022 to access "certain elements of our customers' information." The August 2022 security event targeted its development environment, leading to the theft of some of its source code and technical information.
In September, LastPass revealed that the threat actor had access for four days. The scope of the new breach remains unknown at this time, and it is not clear whether both LastPass and GoTo customers are impacted. Users' passwords, however, were not compromised.
APT recommends that companies leveraging the LastPass password manager update all passwords stored using the service out of an abundance of caution.
Australia passes bill to fine companies up to $50 million for data breaches
Recommendation: The Australian government has passed a bill that increases the penalty for companies that fall victim to serious or repeated breaches. Maximum fines have been bumped up from the current AU$2.22 million to AU$50 million, 30% of an entity's adjusted turnover in the relevant period, or three times the value of any benefit obtained through the misuse of information — whichever is greater.
Referencing the recent Medibank and Optus security breaches, Attorney-General Mark Dreyfus said in a statement, "These reforms make clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business." The legislation, called the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, also grants the Australian Information Commissioner more powers to address security breaches.
APT recommends that companies remain alert to changing government regulations around cybersecurity incidents and response. As a fellow Five Eyes country, the United States can expect similar changes; other members such as the UK passed similar measures last month.
Vulnerabilities
Security researchers have uncovered a stack-based buffer overflow vulnerability in the FreeBSD ping service.
Recommendation: A stack-based buffer overflow vulnerability has been found in the ping service of FreeBSD, which could allow a remote attacker to execute arbitrary code on a targeted machine. The issue is assigned the identifier CVE-2022-23093 and impacts all supported versions of the operating system. Luckily, the ping process runs in a sandboxed environment, so it is contained and segregated from the remaining components of the OS. OPNsense has also released a patch to address the issue and a handful of other related issues.
Yet another Google Chrome update has been released to address an actively exploited zero-day vulnerability.
Recommendation: Google has released Chrome 69.0.3468.0, an out-of-band security update, to patch a new actively exploited zero-day flaw in its web browser. The critical remote code execution vulnerability, tracked as CVE-2022-4262, is a type confusion bug in the V8 JavaScript engine and is currently believed to be under active exploitation in the wild targeting Windows 7 users.
APT recommends updating the browser to its latest version as soon as possible.
As your technology needs grow, so too do your vulnerabilities. See why a maturity assessment is right for your business.
The Quarkus Java framework has a critical security vulnerability that could allow remote code execution. This can be exploited by a malicious actor without any privileges.
Recommendation: The vulnerability, tracked as CVE-2022-4116, is in the Dev UI config editor. The issue only impacts users who run the open-source software and are lured to a website hosting malicious JavaScript designed to install or execute arbitrary payloads. Luckily, this only affects Dev mode, but the impact is still relevant.
APT recommends that impacted users upgrade to version 2.14.2 or 2.13.5.Final to avoid succumbing to the vulnerability. As an alternative workaround, users can also move non-application endpoints to a random root path.
A new report from Bitdefender researchers details how hackers are abusing the open-source Linux PRoot utility in BYOF (Bring Your Own Filesystem) attacks to provide a consistent repository of malicious tools that work on many Linux distributions.
Recommendation: In BYOF attacks, attackers build a malicious filesystem on their own devices containing a standard set of tools used to conduct attacks. They then use PRoot to mount that filesystem on Linux servers that have already been infected with malware and run the tools from it. This lets the attacker quickly switch between different toolsets, and it also disguises their identity, since no artifacts of tool usage are left on the server itself.
APT recommends that all endpoints be fully patched and up to date. Since this technique is used on machines that have already been compromised, keeping machines up to date helps prevent the initial compromise and reduces the risk of attacks like this succeeding.
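The two detection opportunities this report points at, the Cryptonite indicators (PyInstaller unpacking into a randomly named Temp folder, unsanctioned ngrok) and PRoot being used to mount an attacker-supplied root filesystem, can be expressed as simple rules over endpoint telemetry. The script below is an added example written for this newsletter, not code from Access Point, Bitdefender, or the PRoot or Cryptonite projects. It assumes Sysmon-style process-creation and image-load events on Windows and execve-style records on Linux, reduced to a small `Event` record; the events, the `NGROK_ALLOWED_HOSTS` allowlist and the host names are all constructed for the example. The `_MEI<digits>` folder name is PyInstaller's documented onefile extraction directory (the report only says "randomly named folder"), and `-r`, `-R`, `-S` and `--rootfs=` are PRoot's own rootfs options.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    platform: str   # "windows" or "linux"
    kind: str       # "process_create" or "image_load"
    image: str      # path of the executed binary or loaded module
    cmdline: str    # command line as logged (for image_load: the loading process)
    user: str


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


# PyInstaller's onefile bootloader unpacks into %TEMP%\_MEI<digits>\ (documented
# PyInstaller behaviour); the report describes it as a randomly named Temp folder.
PYINSTALLER_TEMP = re.compile(r"\\Temp\\_MEI\d+\\", re.IGNORECASE)

# ngrok binary appearing as the image or at the start of / inside a command line.
NGROK = re.compile(r"(?:^|\\|/)ngrok(?:\.exe)?\b", re.IGNORECASE)

# proot given a root filesystem: -r/-R/-S <path> or --rootfs=<path> (PRoot options).
PROOT_ROOTFS = re.compile(r"(?:^|/)proot\s+.*?(?:-(?:r|R|S)\s+|--rootfs=)(\S+)")

# Constructed allowlist: hosts where ngrok is a sanctioned tool.
NGROK_ALLOWED_HOSTS = {"DEV-LAB-01"}


def detect(events):
    """Return one Finding per event that matches one of the three rules."""
    findings = []
    for ev in events:
        if ev.platform == "windows":
            if PYINSTALLER_TEMP.search(ev.image) or PYINSTALLER_TEMP.search(ev.cmdline):
                findings.append(Finding(ev.host, "pyinstaller_temp_staging", ev.image))
            if (NGROK.search(ev.image) or NGROK.search(ev.cmdline)) \
                    and ev.host not in NGROK_ALLOWED_HOSTS:
                findings.append(Finding(ev.host, "unsanctioned_ngrok", ev.cmdline))
        elif ev.platform == "linux":
            m = PROOT_ROOTFS.search(ev.cmdline)
            if m:
                # detail is the rootfs path the attacker brought with them
                findings.append(Finding(ev.host, "proot_byof_rootfs", m.group(1)))
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    Event("WS-007", "windows", "process_create",
          r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          '"WINWORD.EXE" /n', "CORP\\bob"),
    Event("WS-012", "windows", "image_load",
          r"C:\Users\alice\AppData\Local\Temp\_MEI48212\python310.dll",
          r"C:\Users\alice\Downloads\invoice_2022-12.exe", "CORP\\alice"),
    Event("WS-012", "windows", "process_create",
          r"C:\Users\alice\AppData\Local\Temp\ngrok.exe",
          "ngrok.exe tcp 3389", "CORP\\alice"),
    Event("DEV-LAB-01", "windows", "process_create",
          r"C:\Tools\ngrok.exe", "ngrok.exe http 8080", "CORP\\dev"),
    Event("web-03", "linux", "process_create", "/usr/bin/python3",
          "/usr/bin/python3 /opt/app/cleanup.py", "app"),
    Event("web-03", "linux", "process_create", "/tmp/.x/proot",
          "/tmp/.x/proot -S /tmp/.x/rootfs /bin/bash", "www-data"),
]


def run():
    """Run the rules over the constructed sample and return the findings."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run():
        print(f"{f.host:<12} {f.rule:<26} {f.detail}")
```

Over the sample, the Office launch, the cron job and the allowlisted lab ngrok produce nothing, while the `_MEI` image load, the workstation ngrok and the PRoot rootfs mount each produce one finding. In a real deployment the allowlist and the Temp path pattern would be tuned per environment, and the PRoot rule is only a starting point: the binary can be renamed, so pairing it with alerts on execution from hidden directories and on unexpected mount namespaces is the more durable approach.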
Interested to see how companies in Australia will re-evaluate their cyber security with this new government fine...