Weekly Cybersecurity Briefing - March 15, 2023
Access Point Consulting
Assess, design, and implement your cybersecurity strategy. Peace of mind starts here.
Ransomware, Malware & Phishing
AT&T alerts 9 million customers of data breach after vendor hack
Analysis: AT&T is in the process of notifying roughly 9 million customers that some of their information was exposed after a marketing vendor was hacked in January. According to the announcement, Customer Proprietary Network Information (CPNI) from customer wireless accounts was exposed, including customer first names, wireless account numbers, wireless phone numbers, and email addresses. The exposed information reportedly did not include credit card information, Social Security numbers, account passwords, or other sensitive personal information.
AT&T is recommending that customers toggle off Customer Proprietary Network Information data sharing on their accounts. This reduces future exposure if AT&T shares the data with third-party vendors for marketing purposes.
To limit risk and exposure, never use your business or corporate email addresses for personal accounts. Even though no sensitive personal or financial information such as Social Security numbers or credit card information was accessed, we also recommend that you reset your AT&T account password and add the extra security password that AT&T makes available for your account.
Emotet malware attacks return after three-month break
Analysis: The Emotet malware operation has returned, spamming malicious emails after a three-month break and rebuilding its network, attempting to infect devices worldwide.
Emotet is a well-known malware family distributed through email, with malicious Word and Excel documents as attachments. When a user opens the document and macros are enabled, the malware DLL is downloaded and loaded into memory. From there, the malware steals the victim's emails and contacts for use in future Emotet campaigns, or it downloads additional payloads such as Cobalt Strike or other malware that lead to ransomware attacks.
Earlier campaigns focused on reply-chain emails; in this campaign, however, the threat actors are using fake invoices. Attached to the email are ZIP archives containing infected Word documents posing as invoices. Once downloaded and run, Emotet is saved to a randomly named folder under %LocalAppData% and launched using regsvr32.exe. These changes to the operation may not last long, as Microsoft now disables macros by default in Microsoft Office documents downloaded from the internet.
Given this change, we recommend that your threat hunting program stay actively aware of threat actors and their profiles, since their tactics, techniques, and procedures change over time. It is also essential that your organization focus on security awareness training for employees, including how to recognize a phishing email: checking for spelling mistakes, hovering over links to inspect the real destination, and verifying sender addresses. Employees should also be taught how to properly report a phishing email, not to act hastily, and to stop and consider whether they were expecting such an email.
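The behaviour described above (a DLL dropped under %LocalAppData% and registered with regsvr32.exe, usually spawned from an Office application) is a good candidate for a threat-hunting query. The following is an added example, not code from the briefing: it runs two heuristics over constructed process-creation events in a simplified key=value format; the field names (image, parent, cmdline) and the sample hosts and paths are assumptions to be mapped onto your own EDR or Sysmon Event ID 1 data.

```python
"""Hunt for Emotet-style regsvr32.exe launches in process-creation telemetry.

Added example, not code from the briefing. The key=value event format below is
constructed for illustration; map the fields (image, parent, cmdline) onto your
own EDR or Sysmon Event ID 1 records.
"""
import re
from typing import Dict, List

# Office applications that should rarely, if ever, spawn regsvr32.exe directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# %LocalAppData% expands to C:\Users\<user>\AppData\Local; a DLL registered from
# there by regsvr32.exe matches the behaviour described for this campaign.
LOCAL_APPDATA = re.compile(r"\\users\\[^\\]+\\appdata\\local\\", re.IGNORECASE)

# key=value tokens; values containing spaces are double-quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample telemetry: one process-creation event per line.
SAMPLE_EVENTS = [
    # Word opened a macro document which launched regsvr32 on a DLL in %LocalAppData%
    r'ts=2023-03-14T09:12:01 host=WS-017 image=C:\Windows\System32\regsvr32.exe '
    r'parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" '
    r'cmdline="regsvr32.exe C:\Users\jdoe\AppData\Local\Qxvbzk\ghjqweo.dll"',
    # Benign: an installer registering a COM DLL from Program Files
    r'ts=2023-03-14T09:15:44 host=WS-017 image=C:\Windows\System32\regsvr32.exe '
    r'parent=C:\Windows\System32\msiexec.exe '
    r'cmdline="regsvr32.exe /s C:\PROGRA~1\Vendor\vendor.dll"',
    # Suspicious path only: launched from Explorer, no Office parent
    r'ts=2023-03-14T10:02:19 host=WS-042 image=C:\Windows\System32\regsvr32.exe '
    r'parent=C:\Windows\explorer.exe '
    r'cmdline="regsvr32.exe /s C:\Users\asmith\AppData\Local\Temp\bfa12\ld.dll"',
    # Not regsvr32 at all: Word itself being started from Explorer
    r'ts=2023-03-14T10:05:00 host=WS-042 image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" '
    r'parent=C:\Windows\explorer.exe cmdline="WINWORD.EXE /n invoice_4471.docx"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like an Emotet-style regsvr32 launch."""
    reasons: List[str] = []
    if _basename(event.get("image", "")) != "regsvr32.exe":
        return reasons
    if LOCAL_APPDATA.search(event.get("cmdline", "")):
        reasons.append("regsvr32 loading a DLL from %LocalAppData%")
    if _basename(event.get("parent", "")) in OFFICE_PARENTS:
        reasons.append("regsvr32 spawned by an Office application")
    return reasons


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Run the heuristics over a batch of events and collect the hits."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        event = parse_event(line)
        reasons = score_event(event)
        if reasons:
            findings.append({"ts": event.get("ts"), "host": event.get("host"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["ts"], hit["host"], "; ".join(hit["reasons"]))
```

Two of the four constructed events are flagged: the first on both heuristics, the third on the path alone. The installer registering a DLL from Program Files is left alone, which is the point of keying on the user-writable %LocalAppData% path rather than on regsvr32.exe itself.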
Ransomware Attacks Have Entered a ‘Heinous’ New Phase. With victims refusing to pay, cybercriminal gangs are now releasing stolen photos of cancer patients and sensitive student records.
Analysis: A physician practice in Lackawanna County, Pennsylvania, an extension of the Lehigh Valley Health Network (LVHN), was recently targeted by the Russia-based BlackCat ransomware group. LVHN refused to pay the ransom demand after the group targeted its patient photo system, a system used in radiation oncology treatment. After several weeks without payment, BlackCat threatened to publish data stolen from the system on its blog, then followed through on the threat and released three screenshots of cancer patients receiving radiation treatment, as well as several documents containing sensitive patient information. We continue to see new tactics, techniques, and procedures from threat groups, which keep showing they will do whatever it takes to succeed in their attacks, especially as targets continue to refuse to pay. To be clear, LVHN was right not to pay the ransom to BlackCat, as paying likely would not have changed the outcome and would only have incentivized future attacks on the organization.
Access Point recommends that you have a strong and well-tested incident response policy, procedure, and runbook to ensure that you are well prepared should your organization ever be the target of an attack. It is also important to keep frequent backups, to segregate networks so that there are multiple layers of defense, and to ensure that MFA is switched on in case attackers make it through those layers. Education is also essential to being prepared for such attacks, including training and frequently testing your employees so they are aware of the risk they can pose to the company.
Medusa ransomware gang picks up steam as it targets companies worldwide
Analysis: A ransomware operation known as Medusa has been more active in recent months and is currently targeting companies worldwide. The group is believed to operate out of Russia and has exploited numerous vulnerabilities in unpatched software, while also using phishing and spear-phishing to trick employees into installing malware. It has also been seen using "watering hole attacks": compromising websites frequented by employees of a target organization with malware in order to infect those employees' devices. Once access is gained, the group encrypts the company's files and demands a ransom payment in exchange for the decryption key. Recent victims include several large companies, among them an oil and gas company in Brazil and a manufacturer in Italy.
Threat groups are constantly evolving their arsenal to go undetected. It is important that all software be kept up to date, that MFA be used for all corporate accounts, and that important files are regularly backed up. In addition, you should have regular security awareness training for all employees, as well as a threat hunting program that regularly searches your environment for signs of a breach in case attackers evade your automated defenses. This includes actively hunting for indicators of compromise associated with the group, such as file hashes, malicious IP addresses, and email addresses.
Security researchers targeted with new malware via job offers on LinkedIn
Analysis: A malware campaign dubbed "Fake Jobs" sends messages to researchers that appear to come from recruiters offering positions related to their field. The messages contain a malicious link that installs a backdoor Trojan on the researcher's device, giving the attacker remote access to the device and the ability to steal sensitive information. There is speculation that the campaign is the work of nation-state-backed hackers (possibly from North Korea) seeking access to sensitive research and development data.
Access Point recommends that users exercise caution when clicking any links in messages from unknown sources. Always verify communications before acting upon them.
New UNC2970 Espionage Campaign Targets Media and Tech Companies
Analysis: An espionage campaign attributed to the group tracked as UNC2970 has been targeting media and tech companies globally. According to threat researchers, the campaign is likely state-sponsored (again, probably from North Korea) given the level of sophistication and funding required. The attackers use phishing emails with malicious attachments to gain access to target networks; the attachments are designed to look like legitimate documents such as HR files or PDFs. Once inside the target network, the attackers use custom malware and tools to move laterally and exfiltrate sensitive data. The malware used in the campaign can steal passwords, capture screenshots, and collect information about the infected system. The campaign is believed to have been active since at least 2021, with many of the victims in the United States or Europe; UNC2970 has also targeted companies in Asia and the Middle East.
Access Point recommends that your company employ strong email security measures and have a threat hunting team in place to continuously monitor networks for unusual activity.
Vulnerabilities
Microsoft Patches 80 Security Vulnerabilities, Warns of Outlook Zero-Day Exploitation
Analysis: Of the more than 80 security vulnerabilities remediated by the Microsoft patches released on Tuesday, the report highlights CVE-2023-23397 and CVE-2023-24880 as the two most critical vulnerabilities acknowledged this week. The first (CVE-2023-23397) has been exploited in the wild and allows a threat actor to obtain a user's Net-NTLMv2 hash, which could then be used in an NTLM relay attack against another service to authenticate as that user. Microsoft also acknowledged that CVE-2023-23397 can be exploited before an email is viewed in the Preview Pane; all an attacker needs is a carefully crafted email, which triggers automatically when it is retrieved and processed by the email server.
The second vulnerability (CVE-2023-24880) is also being exploited in the wild; threat actors use it to bypass Microsoft's SmartScreen security feature. SmartScreen was implemented by Microsoft to help protect users from phishing and from social-engineering-driven malware downloads.
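Because the Net-NTLMv2 hash in the CVE-2023-23397 case leaves the network over an outbound SMB connection to an attacker-controlled share, Microsoft's mitigation guidance includes blocking outbound TCP 445 to the internet (alongside patching and adding privileged users to the Protected Users group). The following is an added example, not code from the briefing or from Microsoft: it audits constructed firewall flow records for SMB connections to non-internal addresses, reporting those that were allowed (a leak path) separately from those the firewall already denied (the block rule working). The log format and the internal address ranges are assumptions to adapt to your environment.

```python
"""Audit firewall flow logs for outbound SMB to the internet.

Added example, not from the briefing. Microsoft's mitigation guidance for
CVE-2023-23397 includes blocking outbound TCP 445 to the internet, because the
leaked Net-NTLMv2 hash travels in an SMB authentication attempt to an
attacker-controlled share. The flow format below is constructed and simplified;
the internal ranges are assumptions.
"""
import ipaddress
from typing import Dict, List, Tuple

# Define "internal" explicitly rather than relying on ipaddress.is_private, which
# also treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
SMB_PORTS = {445, 139}

# Constructed sample: one connection per line, timestamp then key=value fields.
SAMPLE_FLOWS = [
    "2023-03-14T10:01:07 src=10.20.5.31 dst=10.20.1.10 dport=445 proto=tcp action=allow",
    "2023-03-14T10:01:09 src=10.20.5.31 dst=203.0.113.45 dport=445 proto=tcp action=allow",
    "2023-03-14T10:02:11 src=10.20.5.31 dst=203.0.113.45 dport=443 proto=tcp action=allow",
    "2023-03-14T10:03:30 src=10.20.7.88 dst=198.51.100.7 dport=139 proto=tcp action=deny",
    "2023-03-14T10:04:02 src=10.20.7.88 dst=192.168.40.9 dport=445 proto=tcp action=allow",
]

Flow = Tuple[str, str, str, int]  # (timestamp, src, dst, dport)


def is_internal(addr: str) -> bool:
    """True when the address falls inside one of the organisation's own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Dict[str, str]:
    """Split 'ts key=value key=value ...' into a dict."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = ts
    return fields


def audit_smb_egress(lines: List[str]) -> Dict[str, List[Flow]]:
    """Classify SMB flows to non-internal hosts as leaked (allowed) or blocked (denied)."""
    result: Dict[str, List[Flow]] = {"leaked": [], "blocked": []}
    for line in lines:
        f = parse_flow(line)
        if f.get("proto") != "tcp" or int(f.get("dport", 0)) not in SMB_PORTS:
            continue
        if is_internal(f["dst"]):
            continue  # SMB to internal file servers is expected
        bucket = "blocked" if f.get("action") == "deny" else "leaked"
        result[bucket].append((f["ts"], f["src"], f["dst"], int(f["dport"])))
    return result


if __name__ == "__main__":
    report = audit_smb_egress(SAMPLE_FLOWS)
    for ts, src, dst, port in report["leaked"]:
        print(f"LEAK PATH {ts} {src} -> {dst}:{port} (allowed outbound SMB)")
    for ts, src, dst, port in report["blocked"]:
        print(f"blocked   {ts} {src} -> {dst}:{port}")
```

Of the five constructed flows, one allowed connection to 203.0.113.45 on port 445 is reported as a leak path, the denied port 139 connection is reported as blocked, and the internal SMB traffic and HTTPS flow are ignored. A host that appears under "leaked" shortly after retrieving mail is worth correlating with the Outlook client on that machine.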
CISA warns of actively exploited Plex bug after LastPass breach
Analysis: The Cybersecurity and Infrastructure Security Agency (CISA) has acknowledged a three-year-old remote code execution (RCE) vulnerability (CVE-2020-5741) by adding it to its catalog of security flaws exploited in attacks. The vulnerability in the Plex Media Server allows attackers who have admin privileges to remotely execute arbitrary Python code in low-complexity attacks. These attacks do not require user interaction. An advisory was issued with the release of Plex Media Server 1.19.3 by the Plex Security Team in May 2020, in which they claim that threat actors with "admin access to a Plex Media Server could abuse the Camera Upload feature to make the server execute malicious code.” After gaining access to the server’s Plex account, an attacker would need to set the server data directory to overlap with the content location for a library on which Camera Upload was enabled.
This vulnerability was exploited to gain access to a senior DevOps engineer's computer and install a keylogger. After installing the keylogger, the attackers waited a year or two before eventually obtaining the engineer's credentials and access to the LastPass corporate vault.
In addition to CVE-2020-5741, CISA added a critical severity vulnerability tracked as CVE-2021-39144 to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2021-39144 is a vulnerability in VMware’s Cloud Foundation.
Access Point recommends that users and organizations patch these bugs as soon as possible to protect themselves from these active attacks.
New Critical Flaw in FortiOS and FortiProxy Could Give Hackers Remote Access
Analysis: Last week, Fortinet addressed 15 security flaws in its latest updates. The most critical of these, tracked as CVE-2023-25610, can be exploited by a remote unauthenticated threat actor to execute arbitrary code and/or cause a denial of service (DoS) on the GUI via specially crafted requests. This class of vulnerability is known as a buffer underflow or buffer underrun. The report explains that these bugs occur when the input data is shorter than the space reserved for it. The result is unpredictable behavior, leakage of sensitive data from memory, and/or memory corruption that could be weaponized to induce a crash or execute arbitrary code.
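To make the "input shorter than the reserved space" failure mode concrete, here is an added illustration, not Fortinet's code and not the CVE-2023-25610 bug itself. A toy request handler reuses one fixed scratch buffer across requests; the vulnerable path copies only the bytes that actually arrived but then reads back a client-declared length, so a short request returns stale data left by the previous request (the leakage case). The hardened path rejects the mismatch and clears the buffer before each use. The buffer size, field layout and sample payloads are all constructed.

```python
"""Model of a buffer underrun in a reused request buffer.

Added illustration, not Fortinet's code and not CVE-2023-25610 itself: a toy
request handler keeps a fixed scratch buffer that is reused across requests,
and the vulnerable path trusts a declared length instead of the bytes that
actually arrived. A request shorter than the reserved space leaves stale data
in the tail of the buffer, which is then returned to the caller. The overflow
direction (payload longer than the buffer) is deliberately not modelled here.
"""
BUF_SIZE = 32  # constructed: size of the reserved scratch region


class RequestHandler:
    def __init__(self) -> None:
        # One scratch buffer for the lifetime of the handler; never cleared.
        self.buf = bytearray(BUF_SIZE)

    def handle_vulnerable(self, declared_len: int, payload: bytes) -> bytes:
        """Copies only the bytes received, then reads back the declared length."""
        self.buf[: len(payload)] = payload
        # Underrun: if len(payload) < declared_len, the tail is whatever was
        # there before (zeros on first use, the previous request afterwards).
        return bytes(self.buf[:declared_len])

    def handle_fixed(self, declared_len: int, payload: bytes) -> bytes:
        """Rejects length mismatches and clears the buffer before every use."""
        if declared_len > BUF_SIZE or len(payload) != declared_len:
            raise ValueError("declared length does not match payload")
        self.buf[:] = bytes(BUF_SIZE)  # wipe stale data
        self.buf[:declared_len] = payload
        return bytes(self.buf[:declared_len])


def demo_leak() -> bytes:
    """A legitimate request, then a malformed short one whose reply carries leftovers."""
    h = RequestHandler()
    h.handle_vulnerable(24, b"session=0123456789abcdef")  # 24 bytes fill the region
    return h.handle_vulnerable(24, b"x=1;")                # declares 24, sends only 4


def demo_fixed() -> tuple:
    """Same sequence against the hardened path: mismatch rejected, valid request clean."""
    h = RequestHandler()
    h.handle_fixed(24, b"session=0123456789abcdef")
    try:
        h.handle_fixed(24, b"x=1;")
        rejected = False
    except ValueError:
        rejected = True
    return h.handle_fixed(4, b"x=1;"), rejected


if __name__ == "__main__":
    print("vulnerable reply:", demo_leak())
    print("fixed reply, mismatch rejected:", demo_fixed())
```

In the vulnerable path the second reply is `x=1;` followed by twenty bytes of the earlier session token, which is exactly the memory-leak outcome the report describes; in a native implementation the same mistake can also corrupt adjacent memory when the reserved length is used for writes. The fix is the general rule: validate the actual input length against what the code is about to read, and do not let reused buffers carry data between requests.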
Although these vulnerabilities are not currently being exploited in the wild, Access Point recommends that users apply the patches and update their software. Fixes are available in FortiOS versions 6.2.13, 6.4.12, 7.0.10, 7.2.4, and 7.4.0; FortiOS-6K7K versions 6.2.13, 6.4.12, and 7.0.10; and FortiProxy versions 2.0.12, 7.0.9, and 7.0.9.