
LockBit 3.0 Ransomware: Inside the Million Dollar Cyberthreat

US government agencies have published a joint cybersecurity advisory detailing the indicators of compromise (IoCs) and tactics, techniques and procedures (TTPs) associated with LockBit 3.0 ransomware. 

The alert comes through the FBI, the CISA, and the Multi-State Information Sharing & Analysis Center (MS-ISAC). 

"The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit," the authorities said. Since the emergence of LockBit ransomware in 2019, the threat actors have invested in particular technical aids in order to develop and finely enhance its malware, issuing two significant updates, ie. Launching LockBit 2.0 in mid-2021, and LockBit 3.0, released in June 2022. The two versions are also termed LockBit Red and LockBit Black, respectively. 

"LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode[…]If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware," according to the alert. 

Additionally, the ransomware is designed to infect only machines whose language settings do not match an exclusion list, which includes Romanian (Moldova), Arabic (Syria), and Tatar (Russia). Affiliates gain access to victim networks through Remote Desktop Protocol (RDP) exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts, and exploitation of public-facing applications. 

Before starting the encryption procedure, the malware first attempts to establish persistence, escalate privileges, move laterally, and purge log files, files in the Windows Recycle Bin, and shadow copies. 

"LockBit affiliates have been observed using various freeware and open source tools during their intrusions[…]These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration," the agencies said. 

One of the prime attributes of the attacks is the use of a custom exfiltration tool, known as StealBit, which the LockBit group provides to affiliates for double extortion. 

The LockBit ransomware strain has been employed against at least 1,000 victims globally, according to a November report from the US Department of Justice, earning the organization over $100 million in illegal revenues. 

The Upsurge in LockBit Incidents 

Dragos, an industrial cybersecurity company, reported earlier this year that LockBit ransomware was responsible for 21% of the 189 ransomware attacks it observed against critical infrastructure in Q4 2022, accounting for 40 such incidents. Most of those attacks hit the food and beverage and manufacturing sectors. 

In its recent report, the FBI's Internet Crime Complaint Center (IC3) ranked LockBit (149 incidents), BlackCat (114), and Hive (87) as the top three ransomware variants targeting the critical infrastructure sector in 2022. 

Despite LockBit's prolific attack campaign, the gang suffered a severe setback in late September 2022 when a disgruntled developer leaked the builder for LockBit 3.0, raising concerns that other criminal actors would use it to produce their own variants. 

The advisory comes months after antivirus company Avast released a free decryptor for BianLian ransomware in January 2023, after which the BianLian group shifted its emphasis from encrypting victims' files to straightforward data-theft extortion. 

In a similar development, Kaspersky has released a free decryptor to assist victims whose data was encrypted by a ransomware variant based on the Conti source code, which leaked after Russia's invasion of Ukraine last year caused internal strife among the group's core members. 

"Given the sophistication of the LockBit 3.0 and Conti ransomware variants, it is easy to forget that people are running these criminal enterprises," Intel 471 noted last year. "And, as with legitimate organizations, it only takes one malcontent to unravel or disrupt a complex operation."

Cybersecurity Experts are Scarce for Companies and SMBs


In 2023, more than half of small and midsized businesses (SMBs) intend to increase their expenditures on cybersecurity — which is a positive development since six out of ten firms (61%) do not have cybersecurity staff, about half (47%) do not have incident response plans, and 40% do not conduct formal awareness training on cybersecurity. 

A Huntress study of IT professionals at small and midsized businesses with 250 to 2,000 employees, published on March 15, indicates that most respondent organizations have deployed basic defensive products such as email security (86%), endpoint protection (79%), and network protection (73%), but that gaps remain in other controls. The US Cybersecurity and Infrastructure Security Agency (CISA) recently recommended that organizations supplement passwords with two-factor or multifactor authentication to strengthen account security.  

Because of understaffing and under-resourcing, a majority of these companies feel unprepared to respond to evolving threats. Many also face difficulties obtaining cybersecurity insurance coverage and ensuring their employees are properly trained on security issues. According to Huntress' report, many midsize companies know that multiple layers of cybersecurity are necessary, but there are significant gaps in the tools and planning processes they use. 

Additionally, a full third of the respondents (34%) said they are unaware of advanced threats and do not believe they could detect them. 

According to Roger Koehler, CISO at Huntress, a substantial percentage of organizations are unaware that they have been targeted. Visibility is paramount for these organizations to remain protected, because malicious actors can spend weeks or even months inside their networks, establishing footholds and gathering information before launching their attacks. 

According to the Huntress study, 14% of respondents in this business segment confirmed having experienced an attack within the last year, and another 10% of IT professionals were unsure whether a cyberattack had occurred during the survey period. With roughly 6 million US companies employing 250 to 2,000 people, those percentages add up quickly. 

Cyber Spending is Expected to Increase 

Huntress also found that 49% of organizations plan to spend more on cybersecurity in the upcoming year, reflecting the pressing need for greater knowledge and preparedness. Such a proactive approach by so many small and midsized businesses is encouraging, Koehler says, compared with simply reacting to attacks as they occur. The biggest challenge in spending that budget, however, will be finding the right people. 

"It seems that middle-sized businesses are not just waiting for an attack to occur and subsequently reacting to them, but are investing in preventative measures so that these attacks can be prevented before they ever take place," Koehler says. As well as having the right people on your team, midsize businesses could benefit from having the right people to deal with attacks.  It is estimated that there are 700,000 cybersecurity jobs available as of the end of last fall, which is an increase of 43% from the end of 2021. Finding cybersecurity professionals in high demand is becoming increasingly difficult with the increase in burnout and dissatisfaction among cyber professionals. 

Managed cybersecurity services will see significant growth in the coming years, driven by the combination of larger budgets and a tight market for cybersecurity talent, according to a McKinsey analysis published in October. The firm's consultants expect managed security service providers to capture the majority of market share, along with security-and-operations management projects.

According to McKinsey's analysis, the share of security spending allocated to third-party services rather than internal teams is expected to increase across all market segments over the next two years. As long as talent remains a challenge, companies will need to turn to outsourced services to achieve strong security results. 

Threat Actors Hack US Federal Agency Using Telerik Bug to Steal Data

In a joint security advisory on Wednesday, CISA reported that threat actors exploited a three-year-old Progress Telerik UI flaw to compromise a server at a federal civilian executive branch agency. 

An unidentified federal civilian executive branch (FCEB) agency's Microsoft Internet Information Services (IIS) web server was compromised by a number of threat actors, including an advanced persistent threat (APT). The advisory, which includes in-depth technical information and indicators of the breach, was created by CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC). 

A critical .NET deserialization flaw in the Progress Telerik UI for ASP.NET AJAX component allowed the attackers to compromise a Microsoft Internet Information Services (IIS) web server used by a US government agency last year. 

As per the advisory, the threat actors acquired access to the servers between November 2022 and early January 2023 based on indicators of compromise (IOCs) found on the unidentified FCEB agency’s network. To acquire remote code execution, at least two threat actors (among them the Vietnamese XE Group) accessed the unpatched server. 

According to CISA, the Telerik UI instance on the IIS server was also vulnerable to two older flaws, CVE-2017-11357 and CVE-2017-11317; however, the forensic investigation could not conclusively verify whether either of them was exploited. 

The agency's instance was version 2013.2.717; the advisory stated that builds prior to version 2020.1.114 are vulnerable to CVE-2019-18935. "Though the agency's vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan[…]This may be the case for many software installations, as file paths widely vary depending on the organization and installation method," the advisory noted. 
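The scanner gap the advisory describes (a plugin that only looks in the paths it expects) can be closed with a filesystem sweep that checks every Telerik.Web.UI.dll it finds against the fixed build. The Python below is an added example, not part of the advisory or of Progress's guidance. It assumes the DLL carries a ProductVersion string in its PE version resource, which it locates with a byte-level regex rather than Windows APIs so it also runs against mounted disk images or offline copies; the directory names in the usage are placeholders.

```python
import os
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Builds of Telerik UI for ASP.NET AJAX older than 2020.1.114 are vulnerable
# to CVE-2019-18935, per the joint advisory.
FIXED_VERSION = (2020, 1, 114)

# VS_VERSIONINFO stores string entries as UTF-16LE "key\0<dword padding>value\0".
# This matches the ProductVersion key and captures a dotted numeric version.
# Assumption for this example: the DLL ships with a ProductVersion string.
_PRODUCT_VERSION_RE = re.compile(
    "ProductVersion".encode("utf-16-le")
    + rb"\x00\x00(?:\x00\x00)?((?:[0-9]\x00)+(?:\.\x00(?:[0-9]\x00)+){1,3})"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2013.2.717' -> (2013, 2, 717); tuples compare component-wise."""
    return tuple(int(p) for p in text.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True when the build predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def read_product_version(path: str) -> Optional[str]:
    """Pull ProductVersion out of a PE file's version resource, if present."""
    with open(path, "rb") as fh:
        data = fh.read()
    m = _PRODUCT_VERSION_RE.search(data)
    return m.group(1).decode("utf-16-le") if m else None


def find_telerik_dlls(roots: List[str]) -> Iterator[str]:
    """Walk every root, not just the IIS defaults, for Telerik.Web.UI.dll."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() == "telerik.web.ui.dll":
                    yield os.path.join(dirpath, name)


def scan(roots: List[str]) -> List[Dict[str, object]]:
    """Return one record per DLL found: path, version string, vulnerable flag."""
    results = []
    for path in find_telerik_dlls(roots):
        version = read_product_version(path)
        results.append({
            "path": path,
            "version": version,
            "vulnerable": is_vulnerable(version) if version else None,
        })
    return results


if __name__ == "__main__":
    import sys
    # Default to the whole drive so non-standard install paths are covered.
    roots = sys.argv[1:] or (["C:\\"] if os.name == "nt" else ["/"])
    labels = {True: "VULNERABLE", False: "patched", None: "unknown version"}
    for r in scan(roots):
        print(f"{labels[r['vulnerable']]:16} {(r['version'] or '?'):14} {r['path']}")
```

Running it with the root of every volume (rather than only `C:\inetpub`) is the point: the advisory's lesson is that the install path, not the plugin, was the blind spot. A DLL that yields "unknown version" should be checked by hand rather than assumed safe.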

The case echoes the 2017 Equifax breach, which was caused in part by a vulnerability scan for a severe Apache Struts flaw that missed an older system later compromised by threat actors. 

CISA, the FBI, and MS-ISAC advised companies to use central log collection and monitoring. Moreover, it has been recommended to implement process monitoring in order to gain "visibility into file system and application process activity." The advisory also included a CISA-developed YARA rule for CVE-2019-18935. 

Progress CISO Richard Barretto wrote in an email to TechTarget Editorial "the security of our customers is one of our highest priorities, and we continue to distribute periodic reminders on the importance of implementing patches and applying software upgrades," he also included a link to Progress' knowledge base's specific article about the problem. 

"As we do with all critical vulnerabilities found in our products, we issued notification and remediation guidance to our customers in 2019 when the vulnerability was discovered[…]Due to the severity of the vulnerability, we provided technical support as needed to all customers regardless of their license status," he added.  

Cybersecurity and the Cloud in Modern Times


With the advent of remote work, most companies, even those in heritage industries, have had to adopt SaaS (software as a service) and other cloud tools to remain competitive and agile. Modern cloud-based platforms such as Zoom, Slack, and Salesforce have become critical to effective collaboration among knowledge workers working from home. On the back of this tailwind, public cloud hosting providers such as Amazon Web Services, Microsoft Azure, and Google Cloud have seen phenomenal growth in the last few years. Gartner predicted that spending on cloud providers would reach $178 billion in 2022, up from $141 billion in 2021. 

Although public cloud providers have made modern software tools easy to consume, the shift to the cloud has created many cybersecurity challenges. Cloud-first security is a paradigm shift from traditional, on-premises security. Before this change, customers had complete control over their environments and their security: they hosted applications in their own data centers and were responsible for controlling the environment, operating their network as a "walled castle" in which they secured the network and applications themselves. 

When customers consume public cloud services, however, responsibility for security is shared between them and the cloud service provider. 

If your company stores data in an Amazon Web Services data center, AWS secures the underlying infrastructure, but you remain responsible for configuring and managing your own security policies as part of your compliance program, and for monitoring for breaches, even though you no longer have complete control over the environment that holds your data. This loss of full control is why security concerns are among the most common barriers to cloud adoption. 

In addition, cloud environments are harder to secure than traditional ones. Today's cloud architectures typically use microservices, a design in which each component of an application (for example, a search bar, a recommendation page, a billing page) is built and deployed independently. As a result, cloud environments can run as many as ten times the number of workloads (virtual machines, servers, containers, microservices) as comparable on-premises systems. This fragmentation and complexity breeds access control problems and raises the chance of developer error, such as leaving a sensitive password in an AWS database that is exposed to the public. Simply put, the attack surface in the cloud is wider and more complex than in local computing environments. 
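To make the customer's side of the shared-responsibility model concrete, the Python below is an added example, not from the original post: it inspects an S3 bucket policy for Allow statements that grant access to any principal, shows a constructed weak policy next to a hardened one, and treats only a small, assumed set of condition keys as genuinely narrowing such a grant. The bucket name, account ID, role name and VPC endpoint ID are placeholders, and the key list is a heuristic for this illustration rather than an exhaustive AWS reference.

```python
import json
from typing import Any, Dict, List


def _as_list(v: Any) -> List[Any]:
    """Policy fields may be a scalar or a list; normalise to a list."""
    return v if isinstance(v, list) else [v]


def _principal_is_public(principal: Any) -> bool:
    """'*' or {'AWS': '*'} grants to anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


# Condition keys that tie a wildcard principal to a specific org, VPC or
# caller. Assumed for this example; other keys (e.g. aws:SecureTransport)
# do not stop the grant from being public.
NARROWING_KEYS = {"aws:principalorgid", "aws:sourcevpc", "aws:sourcevpce", "aws:sourcearn"}


def find_public_grants(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the Allow statements that open the bucket to the world."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        cond_keys = {k.lower()
                     for operator in stmt.get("Condition", {}).values()
                     for k in operator}
        if cond_keys & NARROWING_KEYS:
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
        })
    return findings


# Constructed weak policy: the developer wanted "the app can read the bucket"
# and reached for Principal "*", which is every AWS account and anonymous users.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "LetTheAppRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-app-secrets", "arn:aws:s3:::example-app-secrets/*"]
  }]
}""")

# Same intent, scoped to the application's role and its VPC endpoint, with an
# explicit Deny for every other path into the bucket.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "LetTheAppRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-app-secrets", "arn:aws:s3:::example-app-secrets/*"],
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}
  }, {
    "Sid": "DenyEveryoneElse",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-app-secrets", "arn:aws:s3:::example-app-secrets/*"],
    "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}
  }]
}""")

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        hits = find_public_grants(pol)
        print(f"{name}: {len(hits)} public grant(s)", *(h["sid"] for h in hits))
```

The provider enforces whatever the policy says; deciding that "anyone" was the wrong principal is the customer's job, which is exactly the part of the model this section is about. A check like this belongs in CI for infrastructure code as well as in a periodic sweep of live buckets.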

Embrace the cloud-first era of cybersecurity

Beyond the added complexity of the cloud, there has also been an inversion from a top-down to a bottom-up sales model, so that security buying decisions are increasingly made not by chief information security officers (CISOs) but by developers. 

Two reasons have contributed to this. First, the cloud has made application development far more efficient, and security has become part of the development process rather than an afterthought. Traditionally, developers were responsible for writing code and shipping releases while the CISO's team handled cybersecurity, so the responsibilities were split. Because the cloud makes it easy to update code and release product changes daily or weekly, it is now common for apps such as Netflix, Amazon, and Uber to update themselves frequently, whereas not long ago they had to be patched manually. With code deployed far more often, security has become a problem developers have to care about. 

Second, the early adopters and power users of the cloud are primarily digital start-ups and midsized businesses, whose decision-making is more decentralized. Traditionally, CISOs at large enterprises have played an active role in security decisions, making purchasing decisions on behalf of the rest of the organization after rigorous proof-of-concept, negotiation, and cost-benefit processes. Start-ups and mid-scale customers make security buying decisions very differently, and they often leave them to the developer team. 

This bottom-up sales model means cybersecurity software is about to be built and sold in a completely different way. A sales model suited to developers differs from one designed for CISOs. Developers prefer self-serve features and like to try a product before buying it, so vendors need a self-serve, freemium model that attracts a large number of inbound free users at the top of the funnel and builds a customer base around them. This is completely different from the traditional model used by security incumbents, which hire large sales teams to sell big deals outbound to CIOs in a sales-led approach.

DPRK Uses Unfixed Zimbra Devices for Spying on Researchers

State-sponsored hackers exploit unpatched Zimbra devices

A recent series of compromises that exploited unpatched Zimbra devices was an operation sponsored by the North Korean government and aimed to steal intelligence from a collection of private and public medical and energy sector researchers. 

Analysts at WithSecure explained in a new report that, thanks to an overlap in techniques and a mistake by one of the operators, they attribute the recent series of intrusions against unpatched Zimbra devices to the Lazarus group, a well-known threat group sponsored by the North Korean government. 

A joint advisory from the NSA and other agencies said: "DPRK cyber actors have been using cryptocurrency generated through illicit cybercrime activities to procure infrastructure such as IP addresses and domains. The actors intend to conceal their affiliation and then exploit common vulnerabilities and exposures (CVEs) in order to gain access and escalate privileges on targeted networks to perform ransomware activities. Recently observed CVEs include remote code execution in the Apache Log4j software library (also known as "Log4Shell") and remote code execution in various SonicWall appliances."

Lazarus ran a campaign using unpatched Zimbra devices

Lazarus ran this campaign and similar intelligence-gathering operations until the end of 2022. The researchers named the campaign "No Pineapple" after an error message produced by the malware during their investigation. The threat actors quietly stole around 100GB of data without running any destructive or disruptive operation.

Security teams running unpatched, Internet-connected Zimbra Collaboration Suite (ZCS) can assume they are compromised and should take immediate detection and response action. 

A recent CISA alert flagged active exploitation of the Zimbra flaws CVE-2022-24682, CVE-2022-27924, CVE-2022-27925 (chained with CVE-2022-37042), and CVE-2022-30333. 

The cyber attacks lead to remote code execution (RCE) and access to the Zimbra platform. 

Unfixed Zimbra devices can affect sensitive info

The consequences can be severe both for protecting sensitive information and for defending against email-based follow-on threats. ZCS is a suite of business communication services consisting of an email server and a web client for accessing messages via the cloud. 

CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC) strongly suggest administrators and users apply the guidelines in the recommendations of the cybersecurity advisory to defend their organization's systems against malicious cyber operations. 

"NSA and the other authoring agencies urge all critical infrastructure entities and organizations, including the Healthcare and Public Health (HPH) Sector, and the Department of Defense and Defense Industrial Base, to apply the mitigations listed in this advisory," said NSA

Critical Manufacturing Organizations Face Significant Risk of Cyber Attacks

Recent years have seen an alarming increase in the number of cyberattacks against critical infrastructure, many involving ransomware, and the industrial sector in particular appears to be falling behind in cyber resilience. 


Research by SecurityScorecard shows that the vast majority of critical manufacturing organizations on the Forbes Global 2000 list have unpatched high-severity vulnerabilities in their systems. 

  • Over 75% of manufacturing organizations have high-severity vulnerabilities in their systems that have not been patched. 
  • In 2022, nearly 40% of manufacturing companies reported malware infections, a considerable share. 
  • Nearly half (48%) of critical manufacturing organizations received low security ratings. SecurityScorecard's platform weighs a number of risk factors, including DNS health, IP reputation, network security, web application security, leaked information, hacker chatter, endpoint security, and patching cadence. 
  • Unpatched high-severity vulnerabilities increased by 38% in the critical industrial sector year over year, and 37% of companies experienced malware infestations. 

Advisories and Reports Underlining the Trend

CISA last week published multiple advisories warning the ICS industry of critical security vulnerabilities impacting products from GE Digital, Mitsubishi Electric, and Contec. Another advisory warned against flawed products from Sewio, Siemens, Sauter Controls, and InHand Networks.

In the same month, researchers from Trend Micro identified the Agenda ransomware group developing a new version of its ransomware in Rust. The group has been targeting the manufacturing and IT sectors in multiple countries and has made off with $550 million in earnings. 

The rising number of cyberattacks against critical infrastructure makes it necessary for policymakers and business leaders to understand in depth the security measures protecting their manufacturing environments. A more collaborative and integrated approach to cyber resilience, bringing together the public and private sectors, is advised to safeguard critical infrastructure worldwide.  

NSA, CISA Concerns Over Security Risks Against 5G Network Slicing

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have recently released new guidelines regarding cybersecurity threats pertaining to 5G network slicing. 

The document illustrates how a network slice is “an end-to-end logical network that provides specific network capabilities and characteristics to fit a user’s needs.” 

While numerous network slices operate on a single physical network, the guidelines clarify that each network slice user is only authenticated for one specific network region, allowing for data and security isolation. 

“This type of architecture heavily relies on a Network-as-a-Service (NaaS) model, combining Infrastructure-as-a-Service with network and security services, which enhances the operational efficiency and resiliency of the 5G infrastructure […] Within a 5G architecture, the plan is to deliver the whole NaaS so that different customer segments can be efficiently supported,” reads the guideline.

According to the report, "network slicing enables operators to incorporate various network characteristics or components, possibly from different operators, to offer particular applications or services for 5G consumers. Although effective for delivering services, 5G network slicing throws a wide net of threats, including possible weak points in standards and regulations, the supply chain, and other areas."

"Although network slicing is not solely unique to 5G, it is a critical component because 5G specifications call for network slicing as a fundamental component and therefore require network operators to adopt security practices that can mitigate threats like those described in this paper, DoS, MitM attacks, and configuration attacks," the report states. 

Due to these cyber threats, the NSA and CISA have stated that maintaining and monitoring a network slice is essential for identifying and thwarting cyberattacks. 

“For more robust security, network operators should consider techniques, as referenced in this paper, such as zero trust, multi-layer security, cross-domain solutions, post-quantum cryptography, and isolation,” both agencies concluded. 

The NSA and CISA convened members and experts from the public and private sectors to address security concerns around 5G slicing. The resulting 5G network slicing cybersecurity report examines its architecture, how it will support emerging technologies such as autonomous vehicles, and how to secure it.  

Over 4,000 Vulnerable Pulse Connect Secure Hosts Exposed to Internet

Following CISA's April 2021 alert warning of the exploitation of Pulse Connect Secure vulnerabilities, researchers at cybersecurity firm Censys found that 4,460 of the 30,266 Pulse Connect Secure hosts exposed to the internet are still missing security patches.

Pulse Connect Secure

Widely regarded as the most extensively used SSL VPN solution, Pulse Connect Secure offers remote and mobile users secure access to business resources. Ivanti added the VPN appliance to its portfolio in 2020 when it acquired Pulse Secure. 

Pulse Secure appliances are also a favored target for both cybercriminals and state-backed threat actors, and government agencies have issued several advisories warning users of the ongoing exploitation of unpatched vulnerabilities in these products. 

Censys Study on Pulse Connect Secure

According to the Censys report, six vulnerabilities, including a critical file-write flaw that can be used to execute arbitrary code with root privileges, remain unpatched on about 3,500 of the affected appliances. 

“In total, Censys has found 30,266 Pulse Connect Secure hosts running on the internet […] One of the easiest ways to find these running using Censys is to search for a specific URI that can be found in the HTTP response body of a Pulse Connect Secure web service,” reads the post published by Censys. 

Censys also found that more than 1,800 of the vulnerable hosts still lack patches for three critical flaws that Pulse Secure fixed in May 2021, roughly two weeks after warning that a fourth flaw (CVE-2021-22893, CVSS score of 10) was being exploited in attacks. 

Censys also discovered hundreds of Pulse Connect Secure appliances that were still affected by other severe vulnerabilities including CVE-2018-5299 (CVSS score of 9.8), CVE-2018-6320 (CVSS score of 9.8), CVE-2019-11510 (CVSS score of 10), and CVE-2019-11540 (CVSS score of 9.8). 

According to the report's breakdown by country (top 20), the United States has the largest number of Pulse Connect Secure installations, 8,575 hosts, but only 12% of them lack security fixes. Japan is second with about 3,000 hosts (700 vulnerable), followed by the UK and Germany, each with slightly over 1,700 hosts (155 and 134 vulnerable, respectively).  

FBI & CISA Alert: Ransomware Gang Attacked Over 100 Organizations and Made Over $60 Million

CISA and FBI say ransomware attacks are on the rise

A joint Cybersecurity Advisory (CSA), #StopRansomware: Cuba Ransomware, from CISA and the FBI warns that a ransomware gang has attacked more than 100 organizations across the world and received more than $60 million in ransom payments. The latest CSA warns of a surge in both ransom demands and the number of organizations attacked by the Cuba ransomware group. 

According to the advisory, Cuba ransomware attacks target healthcare, critical infrastructure, financial services, government services, technology, and other sectors. The CSA notes that, despite the name, the gang has no association with the country of Cuba. The FBI says the group has attacked over 100 targets worldwide, demanded more than $145 million in ransom, and received $60 million in extortion payments. 

Key updates from the FBI and CISA include:

  • FBI has identified a sharp increase in both the number of compromised U.S. entities and the ransom amounts demanded by Cuba ransomware actors.
  • Since spring 2022, Cuba ransomware actors have expanded their TTPs.
  • Third-party and open-source reports have identified a possible link between Cuba ransomware actors, RomCom Remote Access Trojan (RAT) actors, and Industrial Spy ransomware actors.

The group conducts double extortion attacks, encrypting data and demanding ransom payments while also threatening to leak data stolen from the victim if the ransom, demanded in Bitcoin, is not paid. 

New Ransomware Techniques used by Threat Actors 

This is the second CSA from CISA and the FBI about Cuba ransomware; the first came in December 2021. The new warning follows a sharp increase in the number of attacks and reflects that the threat actors have made their attacks more sophisticated, harder to detect, and harder to stop. 

These techniques include exploiting a vulnerability in the Windows Common Log File System (CLFS) driver (CVE-2022-24521) to steal system tokens and escalate privileges, and deploying a PowerShell script to identify service accounts in order to gain higher-level access to system controls. 

Cuba Ransomware behind attacks

Cuba ransomware actors have also been seen exploiting Zerologon (CVE-2020-1472), a flaw in the Microsoft Windows Netlogon authentication protocol, to obtain domain administrator privileges. Zerologon was disclosed in September 2020 and was deemed an "unacceptable risk" at the time, yet two years later threat actors are still able to exploit it. 

Cuba ransomware actors gain initial access to victim networks by exploiting known flaws in commercial software, phishing, using compromised credentials, and abusing legitimate Remote Desktop Protocol (RDP) tools. 

Once inside, the actors deploy Hancitor, a loader that gives them persistent access to the compromised network and a foothold for further operations, and which is ultimately used to drop and launch the ransomware payload. 

"FBI and CISA encourage network defenders to review the joint CSA and to apply the included mitigations. See for additional guidance on ransomware protection, detection, and response," says the CSA.

US Government Contemplates on Launching Cyber Insurance Program to Help Private Insurance Firms


As cyberattacks continue to surge, the US government is weighing whether to create a federal cyber insurance program under which it would help private insurers cover some of the costs of catastrophic cyber incidents. 

Last month, the Treasury Department and the Cybersecurity and Infrastructure Security Agency (CISA) asked representatives of multiple organizations to weigh in on whether such a program is needed and, if so, how it should be structured and run nationwide. 

Earlier this year in June, the Government Accountability Office (GAO) published a report advising Federal Insurance Office (FIO) and CISA to conduct a joint assessment to examine the federal government’s role in cyber insurance. 

The move comes after several private insurers, spooked by the prospect of covering such large losses, pulled back from the market by excluding the most catastrophic cyberattacks from their policies. The U.S. government currently has no federally backed cyber insurance program for destructive cyberattacks. 

“I think what you’re seeing is the government sort of thinking about this from their side … if they should be doing more to help companies that are hit and, if so, how should they define what the thresholds are. They’re clearly evaluating that and trying to think carefully about it right now,” stated Josephine Wolff, an associate professor of cybersecurity policy at the Tufts University Fletcher School. 

The rapid surge in cyber incidents 

Cyberattacks, and ransomware in particular, have disrupted critical services and businesses worldwide, including schools, government offices, hospitals, emergency services, transportation, energy and food companies. Reported ransomware payments in the United States exceeded $590 million in the first half of 2021, compared with $416 million for all of 2020. This summer alone, ransomware attacks rose 47 percent from June to July, according to a report by cybersecurity firm NCC Group. 

According to the most recent IBM Cost of a Data Breach report, each public sector incident costs $2.07 million on average. 

The cyberattack on the Colonial Pipeline that took a 5,500-mile-long fuel transporting operation offline had a spillover effect on the wider economy. The pipeline operator paid a ransom of $4.4 million to the hackers — despite advice from law enforcement agencies that ransom demands should always be rejected. 

According to the FBI and many other agencies, paying ransoms encourages attackers to launch further cyber attacks. Some suggestions for organizations from the FBI include: 

• Keep all operating systems and software up to date 
• Enforce a user training program and phishing exercises 
• Employ strong, unique passwords for all accounts with password logins 
• Enable multi-factor authentication (MFA) for as many services as possible 
• Maintain offline (i.e., physically separate) backups of data, and test backup and restoration regularly 
• Ensure all backup data is encrypted and immutable

CISA: Atlassian Bitbucket Server Flaws added to KEV Catalog List


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three recently disclosed security flaws to its Known Exploited Vulnerabilities (KEV) Catalog: a critical vulnerability in Atlassian's Bitbucket Server and Data Center and two Microsoft Exchange zero-days.

At the end of August, Atlassian patched a critical command injection vulnerability, tracked as CVE-2022-36804 (CVSS score 9.9), in Bitbucket Server and Data Center. An attacker with read access to a repository can exploit it by sending a crafted HTTP request and execute arbitrary code on the server.

"All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability," Atlassian states in an advisory released in late August.

Although CISA did not say how the flaw is being exploited or how widespread the attempts are, researchers at GreyNoise confirmed detecting in-the-wild exploitation on September 20 and 23.

The other two KEV additions are the Microsoft Exchange zero-days tracked as CVE-2022-41040 and CVE-2022-41082, which Microsoft says have been exploited in limited, targeted attacks.

"Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated timeline to release a fix," states Microsoft.

Now that the three vulnerabilities are in CISA's KEV catalog, Federal Civilian Executive Branch (FCEB) agencies are required to apply patches or mitigations for them under Binding Operational Directive 22-01, issued in November 2021.

Since the directive was issued last year, CISA has added more than 800 vulnerabilities to the KEV catalog, each with a deadline by which federal agencies must remediate it.

Although BOD 22-01 applies only to U.S. FCEB agencies, CISA urges private and public sector organizations worldwide to prioritize remediating these flaws as well, since doing so helps contain attacks and breach attempts. As CISA puts it, "These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise."

HomeLand Justice: Government of Albania attacked by Iranian Cyber Threat Actors


The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint Cybersecurity Advisory on cyber operations conducted by Iranian state-sponsored actors against the Government of Albania in July and September 2022. 

The advisory gives a detailed timeline of the detected activity, from initial access through the execution of the encryption and wiper attacks, and lists the files the actors used. 

The actors, who call themselves HomeLand Justice and are assessed to be Iranian state-sponsored advanced persistent threat (APT) actors, attempted to paralyze public services, delete and steal government data, and disrupt government websites and services, causing widespread disruption and alarm. 

According to the agencies, the actors had access to Albanian government servers for about 14 months before launching the encryption and wiper attacks. 

On July 17, 2022, after lateral movement, network reconnaissance and credential harvesting across the government network, they launched a series of attacks, leaving anti-Mujahideen-e-Khalq (MEK) messages on victims' desktops. 

After network defenders detected and began responding to the ransomware activity, HomeLand Justice deployed a new ransomware family, ROADSWEEP, along with a variant of the ZEROCLEARE wiper. 

From July 23, HomeLand Justice claimed the attacks on social media, repeatedly announcing leaks of Albanian government data and posting polls asking followers which information should be leaked next; each poll was followed by the release of the data as a .zip archive or as a screen-recording video of the documents. 

In September the actors launched another wave of attacks against the Albanian government using similar TTPs and malware, likely in retaliation for the public attribution of the July attacks and Albania's severing of diplomatic ties with Iran. 

Albania's own cyber defenses are limited, but it is a NATO member, and NATO's Appathurai stated, "You can be sure of NATO's continued political and practical support." NATO is therefore expected to help Albania with both the immediate response and its longer-term requirements.

CISA’s vulnerabilities in KEV: Federal Agencies Have to Fix Them


CISA has added six vulnerabilities to its Known Exploited Vulnerabilities Catalog and ordered federal agencies to remediate them following the vendors' instructions. 

The agency has given federal civilian agencies until October 6 to fix the flaws, which were disclosed between 2010 and 2022, as the directive governing the catalog requires. 

Most of the newly listed vulnerabilities give an attacker local privilege escalation or administrator-level access to the system; two allow remote code execution (RCE). 

Most of them were disclosed in 2013 and were abused by Tizi, an Android spyware family that rooted devices in order to steal data from victims' social media apps. 

The list of security flaws discovered in 2013 includes: 

  • CVE-2013-6282: local privilege escalation in the Linux kernel on ARM (missing address validation in get_user/put_user), widely used for rooting Android devices.
  • CVE-2013-2597: local privilege escalation via a stack-based buffer overflow in the Code Aurora (Qualcomm) audio driver.
  • CVE-2013-2596: local privilege escalation via an integer overflow in the Linux kernel's fb_mmap function.
  • CVE-2013-2094: local privilege escalation in the Linux kernel's perf_event subsystem. 

CISA also added the oldest bug in the batch, disclosed in 2010: the Windows shortcut (.LNK) flaw the Stuxnet worm used to spread, which set back Iran's nuclear program by damaging centrifuges at the Natanz uranium enrichment plant. 

That bug, CVE-2010-2568, allows remote code execution when Windows parses a malicious shortcut file. The newest entry in the batch was disclosed a month ago and is the only one from this year: CVE-2022-40139, an improper-validation flaw in Trend Micro Apex One and Apex One as a Service that attackers have exploited. 

The full list is published on CISA's Known Exploited Vulnerabilities Catalog page. Under Binding Operational Directive 22-01, issued in November 2021, every federal civilian agency is required to remediate each vulnerability CISA adds to the catalog by its stated deadline.

CISA, Microsoft Warn of Rise in Cyber-attacks From Iran

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft have observed a sharp rise in Iranian state-sponsored cyberattacks against IT services firms, and both the company and the agency have issued alerts about it. 

In 2020, attacks by state-sponsored Iranian threat actors on IT services firms were virtually non-existent; in 2021, Microsoft counted more than 1,500. 

"Microsoft has observed multiple Iranian threat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to downstream customer networks to enable further attacks," Microsoft added. 

According to the report, the group Microsoft tracks as Phosphorus (aka Charming Kitten or APT35) scanned the internet for unpatched Fortinet FortiOS SSL VPN appliances and on-premises Exchange servers to gain access. 

Additionally, the organizations believed that an advanced persistent threat (APT) group sponsored by the Iranian government was using known vulnerabilities in both Microsoft Exchange and Fortinet to attack both government and private sector networks. 

"FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia," reads the report.  

Iran-linked nation-state operators are becoming more sophisticated and are increasingly using cyberattacks to generate revenue; they also run persistent social engineering campaigns and aggressive brute-force attacks. 

Researchers from Microsoft Threat Intelligence Center (MSTIC) revealed that “these ransomware deployments were launched in waves every six to eight weeks on average.” 

"The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health sector, as well as Australian organizations," CISA said. 

According to the findings, the hackers systematically targeted prominent IT services firms worldwide, including in the United States, the United Kingdom, the United Arab Emirates and India. Microsoft added that these attacks show how nation-state actors increasingly target supply chains as an indirect route to their real objectives.

Apple Offers iOS Update to Fix Vulnerabilities

Apple has released an iOS 12 update for older iPhone and iPad models to patch a vulnerability that may have been actively exploited. The flaw was reported by an anonymous researcher, whom Apple credits in its advisory.

The flaw, identified as CVE-2022-32893 (CVSS score: 8.8), affects WebKit and is an out-of-bounds write problem that could result in arbitrary code execution when processing maliciously created web content, according to a document released by the firm on Wednesday.

Because Apple requires every third-party browser on iOS and iPadOS to use WebKit, the same engine that powers Safari, the flaw also affects users of Google Chrome, Mozilla Firefox and Microsoft Edge on those platforms.

The patch closes a WebKit flaw through which a maliciously crafted web page could execute arbitrary code on the device. Apple says the issue was addressed with improved bounds checking and that it is aware of a report that the flaw may have been actively exploited.

Several older Apple devices, including the iPhone 5S, iPhone 6, iPhone 6 Plus, iPad Air, iPad Mini 2, iPad Mini 3, and iPod Touch, are compatible with the 275 MB update published to fix the vulnerability.

12.5.6, build 16H71, is the most recent version of the software. It appears to close the security flaw that the business recently fixed in the iOS 15.6.1 release, listed as CVE-2022-32893. 

After fixing two bugs in iOS 15.6.1, iPadOS 15.6.1, macOS 12.5.1, and Safari 15.6.1 as part of updates released on August 18, 2022, the iPhone manufacturer has released a new round of patches. 

The Cybersecurity and Infrastructure Security Agency (CISA) added the bug, rated CVSS 8.8, to its Known Exploited Vulnerabilities catalog and published an alert about it last month.

Although specifics about the assaults' nature are unknown, Apple confirmed in a boilerplate statement that it was aware that this problem may have been actively exploited.

Apple will also unveil the iPhone 14 series and iOS 16 on September 7; iOS 16 drops support for models older than the iPhone 8. Owners of older iOS devices are urged to install the update as soon as possible to reduce their exposure.

CISA Updates its Database With 10 New Actively Exploited Vulnerabilities


A high-severity security vulnerability impacting industrial automation software from Delta Electronics was among 10 new actively exploited vulnerabilities that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed in its Known Exploited Vulnerabilities (KEV) Database on Friday.

FCEB agencies are required to address the vulnerabilities by the deadline in accordance with Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, in order to safeguard their networks from attacks that take advantage of the flaws in the catalog.

Private firms should analyze the Catalog and fix any infrastructure weaknesses, according to experts.

The problem, which has a CVSS score of 7.8, affects DOPSoft 2 versions 2.00.07 and earlier. It is listed as CVE-2021-38406. A successful exploit of the issue could result in the execution of arbitrary code.

Delta Electronics DOPSoft 2's incorrect input validation causes an out-of-bounds write that permits code execution, according to a CISA notice. "Delta Electronics DOPSoft 2 lacks sufficient validation of user-supplied data when parsing specified project files," the alert stated.

Notably, CVE-2021-38406 was first made public as part of an industrial control systems (ICS) advisory that was released in September 2021.

Notably, the affected product is end-of-life and no security update is available to fix the problem. Federal Civilian Executive Branch (FCEB) agencies must remediate by September 15, 2022.
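Both the Bitbucket advisory quoted earlier on this page ("between 7.0.0 and 8.3.0 inclusive") and the DOPSoft 2 notice above ("2.00.07 and earlier") describe affected builds as a version range, and the practical question for a defender is whether each installed build falls inside it. The following added example, which is not code from CISA, Atlassian or Delta Electronics, shows a version comparator that handles both ranges and also the trap in the Bitbucket case: Atlassian's inclusive range covers LTS branches that received backported fixes, so a naive range check flags patched builds. The per-branch fixed builds listed in ADVISORIES are taken from Atlassian's CVE-2022-36804 advisory and should be verified against the current advisory; the host inventory is constructed for the example.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '8.3.0', '2.00.07' or 'v7.18.0-rc1' into a tuple of ints.

    Only the leading dotted-numeric part is used, so a pre-release tag such as
    '-rc1' is ignored and sorts with its base version.
    """
    match = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def compare(a: Version, b: Version) -> int:
    """Return -1, 0 or 1; missing trailing components count as 0 (8.3 == 8.3.0)."""
    width = max(len(a), len(b))
    a_pad = a + (0,) * (width - len(a))
    b_pad = b + (0,) * (width - len(b))
    return (a_pad > b_pad) - (a_pad < b_pad)


def in_range(version: str, low: Optional[str], high: Optional[str]) -> bool:
    """True if low <= version <= high (inclusive); None means unbounded."""
    v = parse_version(version)
    if low is not None and compare(v, parse_version(low)) < 0:
        return False
    if high is not None and compare(v, parse_version(high)) > 0:
        return False
    return True


# Affected ranges as stated in the vendor advisories quoted on this page.
# "fixed" lists the first patched build on each release branch (Atlassian's
# CVE-2022-36804 advisory; verify before relying on it). DOPSoft 2 is
# end-of-life, so it has no fixed build at all.
ADVISORIES = {
    "CVE-2022-36804": {
        "product": "Atlassian Bitbucket Server / Data Center",
        "low": "7.0.0",
        "high": "8.3.0",
        "fixed": ["7.6.17", "7.17.10", "7.21.4", "8.0.3", "8.1.3", "8.2.2", "8.3.1"],
    },
    "CVE-2021-38406": {
        "product": "Delta Electronics DOPSoft 2",
        "low": None,
        "high": "2.00.07",
        "fixed": [],
    },
}


def is_affected(cve: str, installed: str) -> bool:
    """Decide whether an installed build is vulnerable to the given CVE.

    A plain range check over-reports: the inclusive range 7.0.0..8.3.0 also
    contains LTS builds such as 7.6.17 that carry a backported fix. A build is
    therefore treated as fixed when a fixed build exists on the same
    major.minor branch and the installed build is at or above it.
    """
    adv = ADVISORIES[cve]
    v = parse_version(installed)
    for fixed in adv["fixed"]:
        f = parse_version(fixed)
        if v[:2] == f[:2] and compare(v, f) >= 0:
            return False
    return in_range(installed, adv["low"], adv["high"])


def triage(cve: str, hosts: dict) -> list:
    """Return the hostnames whose installed version is affected, sorted."""
    return sorted(host for host, ver in hosts.items() if is_affected(cve, ver))


if __name__ == "__main__":
    # Constructed inventory: hostname -> installed Bitbucket version.
    bitbucket_hosts = {
        "git01": "8.3.0",      # inside the range, no fix on 8.3 below 8.3.1
        "git02": "8.3.1",      # first fixed 8.3 build
        "git-lts": "7.6.17",   # inside the range but a backported fix
        "git-old": "7.6.16",   # LTS branch, one build short of the fix
        "git-legacy": "6.10.17",  # below the affected range
    }
    print(triage("CVE-2022-36804", bitbucket_hosts))  # ['git-old', 'git01']
```

The branch-aware check only works when the vendor publishes fixed builds per branch, which is exactly the information the KEV entry's "apply updates per vendor instructions" points you to; for an end-of-life product like DOPSoft 2 there is no fixed build, so every build in the range stays affected and the remediation is removal or isolation rather than an update.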

The nature of the attacks that take advantage of the security issue is not well known, but a recent analysis by Palo Alto Networks Unit 42 identified instances of in-the-wild assaults that took place between February and April 2022.

The development supports the idea that attackers are becoming more adept at using newly reported vulnerabilities as soon as they are made public, which encourages indiscriminate and opportunistic scanning attempts that intend to benefit from postponed patching.

The payloads most often deployed after such exploitation are web shells, crypto miners, botnets, remote access trojans (RATs), access resold by initial access brokers (IABs), and ransomware, roughly in that order of prevalence.

Another high-severity flaw added to the KEV Catalog is CVE-2021-31010 (CVSS score: 7.5), a bug in Apple's Core Telephony component that could be used to bypass sandbox restrictions. Apple patched it in September 2021.

Although there were no signs at the time that the flaw was being exploited, Apple appears to have quietly updated its advisory on May 25, 2022, to add the vulnerability and note that it had in fact been used in attacks.

The iPhone maker said it was aware of a report that the flaw may have been actively exploited at the time of release, and credited Citizen Lab and Google Project Zero with the discovery. 

Another noteworthy aspect of the September update is the patching of CVE-2021-30858 and CVE-2021-30860, both of which were used by NSO Group, the company behind the Pegasus spyware, to circumvent the security measures of the operating systems.

This suggests that CVE-2021-31010 may have been linked to the previously described two issues as part of an attack chain to get past the sandbox and execute arbitrary code.

HHS Alerts Healthcare Workers on Karakurt Ransomware Group

A new wave of attacks by the Karakurt ransomware gang has been reported against healthcare providers. The warning comes months after CISA and the FBI published technical details on the group, including indicators of compromise and sample ransom notes.

A dentistry practice, an assisted care facility, a supplier, and a hospital were all impacted by the attacks. The healthcare industry should continue to be on high alert and keep an eye out for any signs of compromise, experts assert. 

According to HC3, Karakurt's "massive cyberbullying efforts against victims to disgrace them are what is most alarming."

Karakurt has been observed buying stolen credentials, or buying access to already-compromised victims from third-party initial access brokers, to get into victim systems.

Fortinet FortiGate SSL VPN appliances, Log4Shell, old Microsoft Windows Server instances, and outdated SonicWall SSL VPN appliances are just a few examples of the intrusion flaws the organization is known to use to get initial access.

HHS Alert 

Karakurt first emerged in late 2021, according to a warning from the Department of Health and Human Services Cybersecurity Coordination Center (HC3), and is likely connected to the Conti ransomware operation, either through a working relationship or as a side business.

Given that the Conti ransomware organization has successfully attacked more than 16 healthcare providers since early 2021, federal agencies have long issued warnings about the risk attached to the sector.

Like other ransomware groups, the Karakurt actors claim to have stolen data and threaten to sell it on the dark web or publish it if their demands are not met. Ransoms range from $25,000 to $13 million in Bitcoin, and deadlines are often set to expire just one week after the actors make contact.

According to open-source reporting, Karakurt actors typically spend roughly two months on scanning, reconnaissance and data collection against a target. They then try to reach documents containing sensitive data such as Social Security numbers, medical record numbers, medical histories and treatment information. As is customary with ransomware, the gang holds the data and threatens its victims until they pay.

The recent Karakurt campaign against Methodist McKinney Hospital in early July provided evidence of this. The actors threatened to make the allegedly stolen material available, but Methodist McKinney instead alerted patients of the incident and the ongoing inquiry into the potential data theft.

CISA Adds One Known Exploited Vulnerability to Catalog

On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a high-severity vulnerability in the Zimbra Collaboration email suite to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. 

The flaw, CVE-2022-27924 (CVSS score: 7.5), is a command injection that lets an unauthenticated attacker inject arbitrary Memcached commands into a Zimbra instance, overwrite cached entries and steal users' cleartext credentials. 

CISA notes that vulnerabilities of this kind are a frequent attack vector for malicious actors and pose a significant risk to the federal enterprise. 

“Zimbra Collaboration (ZCS) allows an attacker to inject Memcache commands into a targeted instance which causes an overwrite of arbitrary cached entries”, CISA added. 

SonarSource publicly disclosed the flaw in June; Zimbra had released patches on May 10, 2022, in versions 8.8.15 P31.1 and 9.0.0 P24.1. 

Before installing 9.0.0 Patch 24.1, users should note the following: 

• Patches are cumulative. 
• Zimlet patches remove existing Zimlets and redeploy the patched Zimlet. 
• Take a full backup before applying the patch. 
• There is no automated roll-back. 
• Switch to the zimbra user before running ZCS CLI commands. 
• You will not be able to revert to the previous ZCS release after upgrading to the patch.  
• The installation process has changed: this patch release adds steps to install the zimbra-common-core-libs, zimbra-common-core-jar and zimbra-mbox-store-libs packages. 

“Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria”, CISA further told.

Zero-day Exploitable Bug in Atlassian Confluence


Researchers are alerting the public that an important Atlassian Confluence vulnerability that was published last week is currently being aggressively exploited. 

Researchers report that the critical unauthenticated remote code execution flaw CVE-2022-26134 was exploited against Confluence Server 7.18.0, and they believe that Confluence Server and Data Center versions 7.4.0 and later are affected.

Because no fix was available at the time, Atlassian advised customers to restrict access to their servers in one of two ways:
  • Block internet access to Confluence Server and Data Center instances.
  • Shut the Confluence Server and Data Center instances down.

Note that the hard-coded credentials published on Twitter after real-world exploitation belong to a separate Confluence flaw (CVE-2022-26138) in the Questions for Confluence app, not to CVE-2022-26134; that leak is what prompted the Australian software company to put the fix at the top of its patching schedule.

That second flaw only manifests when the Questions for Confluence app has been installed, but uninstalling the app does not fix it, because the account the app created is not removed automatically.

Federal organizations must stop all internet access to Confluence servers by June 3. The Cybersecurity and Infrastructure Security Agency (CISA) has added this zero-day to its 'Known Exploited Vulnerabilities Catalog' and ordered federal entities to comply.

The development also occurs in the wake of Palo Alto Networks' discovery that threat actors begin looking for weak endpoints within 15 minutes following the public announcement of a new security defect in its 2022 Unit 42 Incident Response Report.

CISA Issues Warning Regarding Active Exploitation of 'PwnKit' Linux Security Bug


Earlier this week, the US Cybersecurity and Infrastructure Security Agency (CISA) added a Linux vulnerability called PwnKit to its Known Exploited Vulnerabilities (KEV) catalog and issued a warning regarding active exploitation of the flaw in cyber attacks. 

The vulnerability, tracked as CVE-2021-4034 (CVSS score: 7.8) and disclosed in January by the American company Qualys, affects Polkit, the component that controls system-wide privileges on Unix-like operating systems. Polkit is maintained by Red Hat but shipped by most Linux distributions. 

PwnKit is a memory corruption bug: successful exploitation makes pkexec, Polkit's SUID-root utility for running commands as another user, execute arbitrary code, so an unprivileged local user can gain administrative rights on the host. The researchers note that pkexec is installed by default on all major Linux distributions and that the bug has been present since the tool's first version, nearly 13 years ago. 

The security bug has been identified to impact the products of multiple major firms. Juniper Networks, Moxa, IBM, VMware, Siemens, and others have published advisories to elaborate on the impact of CVE-2021-4034. 

Security researchers have warned that the risk of malicious exploitation of PwnKit is high, since proof-of-concept (PoC) exploits are publicly available and exploitation is not difficult. 

CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog — also known as the agency’s “Must Patch” list — and ordered federal agencies to remediate all the newly listed vulnerabilities by July 18, while private firms have been requested to leverage the flaw catalog to improve their patching and vulnerability management processes.
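Several posts on this page (the Bitbucket and Exchange additions, the six flaws due October 6, the DOPSoft entry due September 15, the Zimbra entry, and PwnKit due July 18) turn on the same operational task: reading CISA's KEV feed, matching it against what you actually run, and working the list by due date. The following added example, which is not CISA's code or any tool the page describes, does that join over a constructed excerpt of the feed. The field names (cveID, vendorProject, product, dateAdded, requiredAction, dueDate) match the JSON CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the due dates are those stated on this page where it gives them and illustrative otherwise, and the asset inventory is constructed.

```python
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed excerpt in the shape of CISA's KEV JSON feed. The July 18 and
# September 15 due dates are the ones quoted on this page; the others are
# illustrative, as is the vulnerabilityName text.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2022.10.03",
  "vulnerabilities": [
    {"cveID": "CVE-2021-4034", "vendorProject": "Red Hat", "product": "Polkit",
     "vulnerabilityName": "Polkit pkexec local privilege escalation",
     "dateAdded": "2022-06-27", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-07-18"},
    {"cveID": "CVE-2021-38406", "vendorProject": "Delta Electronics", "product": "DOPSoft 2",
     "vulnerabilityName": "DOPSoft 2 out-of-bounds write",
     "dateAdded": "2022-08-25", "requiredAction": "The product is end-of-life; remove or isolate it.",
     "dueDate": "2022-09-15"},
    {"cveID": "CVE-2022-27924", "vendorProject": "Zimbra", "product": "Collaboration (ZCS)",
     "vulnerabilityName": "Zimbra Collaboration Memcached command injection",
     "dateAdded": "2022-08-04", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-08-25"},
    {"cveID": "CVE-2022-36804", "vendorProject": "Atlassian", "product": "Bitbucket Server and Data Center",
     "vulnerabilityName": "Bitbucket Server and Data Center command injection",
     "dateAdded": "2022-09-30", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-10-21"}
  ]
}"""

# Constructed asset inventory: what each host runs, as recorded by whoever
# owns it. Product is a substring of the KEV product name on purpose, since
# inventories rarely use CISA's exact wording.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "git01", "vendor": "Atlassian", "product": "Bitbucket"},
    {"host": "ws-plc", "vendor": "Delta Electronics", "product": "DOPSoft"},
    {"host": "mail01", "vendor": "Zimbra", "product": "Collaboration"},
    {"host": "build02", "vendor": "Red Hat", "product": "Polkit"},
    {"host": "db01", "vendor": "Oracle", "product": "MySQL"},
]


@dataclass
class Finding:
    host: str
    cve: str
    product: str
    due: date
    days_overdue: int  # negative means days still remaining before the due date


def load_kev(feed_text: str) -> List[dict]:
    """Parse the feed and return its vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def match_inventory(entries: List[dict], inventory: List[Dict[str, str]], today: date) -> List[Finding]:
    """Join KEV entries to assets by vendor (exact, case-insensitive) and product
    (substring), and compute how far past the BOD 22-01 due date each one is."""
    findings: List[Finding] = []
    for asset in inventory:
        for entry in entries:
            if asset["vendor"].lower() != entry["vendorProject"].lower():
                continue
            if asset["product"].lower() not in entry["product"].lower():
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append(Finding(asset["host"], entry["cveID"], entry["product"], due, (today - due).days))
    # Most overdue first, so the top of the report is what to fix today.
    findings.sort(key=lambda f: (-f.days_overdue, f.host))
    return findings


def overdue(findings: List[Finding]) -> List[Finding]:
    """The subset already past its due date."""
    return [f for f in findings if f.days_overdue > 0]


def report(today: date) -> List[Finding]:
    """Run the join over the embedded sample feed and inventory."""
    return match_inventory(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for f in report(date(2022, 10, 3)):
        state = f"{f.days_overdue} days overdue" if f.days_overdue > 0 else f"due in {-f.days_overdue} days"
        print(f"{f.host:8} {f.cve:16} {f.product:36} {state}")
```

The vendor and product strings in the KEV feed are free text rather than CPE identifiers, so this join is a triage aid that tells you which assets to look at, not a verdict; pair it with a version check against the vendor advisory before closing a finding, and treat a match against an end-of-life product as a removal task rather than a patch task.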

Security experts note that while exploitation of CVE-2021-4034 normally leaves traces in log files, the bug can also be exploited without leaving such traces, so the absence of log entries does not prove a host is clean. 
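The traces referred to above are two messages pkexec writes to the system log (the auth log on most distributions) when its environment checks fail; Qualys noted that the common exploitation technique triggers one or both of them. The following added detection, which is not from Qualys, Red Hat or CISA, scans syslog-format lines for those messages and groups hits by pkexec process. The message texts are taken from pkexec's source, where the second one is misspelled "suscipious", so the pattern deliberately accepts either spelling; the log lines are constructed for the example, and only the two check-failure lines are indicators (the "Executing command" line is pkexec's normal audit record).

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Messages pkexec logs when its environment sanity checks fail. The env-var
# message is misspelled in pkexec's source ("suscipious"), so the pattern
# matches "sus...ious" rather than the correct spelling only.
PKEXEC_PATTERNS = {
    "shell_not_in_etc_shells": re.compile(
        r"The value for the SHELL variable was not found (?:in )?the /etc/shells file"),
    "suspicious_env_var": re.compile(
        r"The value for environment variable \[(?P<var>[^\]]*)\] contains sus\w*ious content"),
}

# Traditional syslog prefix: "Jun 28 10:15:37 host pkexec[pid]: ..."
SYSLOG_PKEXEC = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) pkexec\[(?P<pid>\d+)\]: ")

# Constructed sample of an auth log; pid 2340 shows both failure messages.
SAMPLE_AUTH_LOG = [
    "Jun 28 10:14:02 build02 pkexec[2311]: pam_unix(polkit-1:session): session opened for user root by dev(uid=1000)",
    "Jun 28 10:14:02 build02 pkexec[2311]: dev: Executing command [USER=root] [TTY=unknown] [CWD=/home/dev] [COMMAND=/usr/bin/id]",
    "Jun 28 10:15:37 build02 pkexec[2340]: The value for the SHELL variable was not found the /etc/shells file",
    "Jun 28 10:15:37 build02 pkexec[2340]: The value for environment variable [XAUTHORITY] contains suscipious content",
    "Jun 28 10:15:38 build02 sudo:      dev : TTY=pts/0 ; PWD=/home/dev ; USER=root ; COMMAND=/usr/bin/id",
    "Jun 28 10:16:00 build02 sshd[2350]: Accepted publickey for dev from 10.0.0.5 port 51234 ssh2",
]


@dataclass
class Hit:
    line_no: int
    host: str
    pid: str
    rule: str
    variable: str  # environment variable named in the message, if any


def scan_auth_log(lines: List[str]) -> List[Hit]:
    """Return one Hit per pkexec line that carries a check-failure message."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        head = SYSLOG_PKEXEC.match(line)
        if not head:
            continue  # not a pkexec record; skip cheaply before regex matching
        for rule, pattern in PKEXEC_PATTERNS.items():
            m = pattern.search(line)
            if m:
                hits.append(Hit(n, head["host"], head["pid"], rule, m.groupdict().get("var") or ""))
                break
    return hits


def summarize(hits: List[Hit]) -> Dict[str, List[str]]:
    """Group rule names by pkexec pid so one invocation shows up once."""
    by_pid: Dict[str, List[str]] = {}
    for h in hits:
        by_pid.setdefault(h.pid, []).append(h.rule)
    return by_pid


if __name__ == "__main__":
    for pid, rules in summarize(scan_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"pkexec pid {pid}: {', '.join(rules)}")  # pkexec pid 2340: shell_not_in_etc_shells, suspicious_env_var
```

A hit is a strong indicator but not proof, and no hit is not proof of absence: the exploit can be adapted to avoid both messages, and the pkexec in a container or on a host logging to a remote collector may never write them locally. Pair this with the preventive control of removing the setuid bit from pkexec or updating Polkit, and with a check that pkexec was updated on hosts where the log shows these lines before the patch date.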

In addition to the PwnKit vulnerability, CISA has added seven other flaws to its catalog, including an exploited Mitel VoIP zero-day flaw in ransomware assaults (CVE-2022-29499) and five iOS vulnerabilities (CVE-2020-3837, CVE-2019-8605, CVE-2018-4344, CVE-2020-9907 and CVE-2021-30983) that were recently unearthed as having been exploited by the Italian spyware firm RCS Lab.

CVE-2021-30533, a vulnerability in Chromium-based web browsers, is also in the catalog; it was exploited by a malvertising actor known as Yosec to deliver malicious payloads.