The alert comes through the FBI, the CISA, and the Multi-State Information Sharing & Analysis Center (MS-ISAC). 

"The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit," the authorities said. Since the emergence of LockBit ransomware in 2019, the threat actors have invested in particular technical aids in order to develop and finely enhance its malware, issuing two significant updates, ie. Launching LockBit 2.0 in mid-2021, and LockBit 3.0, released in June 2022. The two versions are also termed LockBit Red and LockBit Black, respectively. 

"LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode[…]If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware," according to the alert. 

 Additionally, the ransomware is made to only infect computers whose language preferences do not match those on an exclusion list, which includes Tatar, Arabic, and Romanian (all of which are spoken in Syria) and Moldova) (Russia). 

The ransomware is also designed to only infect devices whose language choices do not match those on an exclusion list, which includes Tatar, Arabic, and Romanian (all of which are spoken in Syria) and Moldova) (Russia). The victim’s network is being accessed through remote protocol (RDP) exploitation, drive-by compromise, phishing campaigns, exploiting valid accounts, and weaponizing of public-facing applications. 

Before starting the encryption procedure, the malware first attempts to create persistence, increase privileges, perform lateral movement, and purge log files, files in the Windows Recycle Bin folder, and shadow copies. 

"LockBit affiliates have been observed using various freeware and open source tools during their intrusions[…]These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration," the agencies said. 

One of the prime attributes of the attacks is the use of custom exfiltration tool, known as StealBit, authorized by the LockBit group to affiliates for double extortion reasons. 

The LockBit ransomware strain has been employed against at least 1,000 victims globally, according to a November report from the US Department of Justice, earning the organization over $100 million in illegal revenues. 

The Upsurge in LokBit Incidents 

Dragons, an industrial cybersecurity reported earlier this year that LockBit ransomware was the one responsible for 21% of the 189 ransomware attacks detected against critical infrastructure in Q4 2022m in an account of 40 such incidents. For a fact, a majority of food and beverage and manufacturing sectors were impacted due to these attacks. 

In its recent report, the FBI’s Internet Crime Complaint Center (IC3) ranked LockBit (149), BlackCat (114), and Hive (87) as the top three ransomware variants targeting the infrastructure sector in 2022. 

Despite LockBit's prolific attack campaign, the ransomware gang was suffered a severe setback in late September 2022 when a dissatisfied developer of LockBit revealed the building code for LockBit 3.0, sparking concerns that other criminal actors would use the situation and produce their own variations. 

The advisory comes months after antivirus company Avast offered a free decryptor in January 2023, at a time when the BianLian ransomware organization has switched its emphasis from encrypting its victims' files to straightforward data-theft extortion attempts. 

In a similar development, Kaspersky has released a free decryptor to assist victims whose data has been encrypted by a ransomware variant based on the Conti source code that emerged after Russia's incursion of Ukraine last year caused internal strife among the core members. 

"Given the sophistication of the LockBit 3.0 and Conti ransomware variants, it is easy to forget that people are running these criminal enterprises," Intel 471 noted last year. "And, as with legitimate organizations, it only takes one malcontent to unravel or disrupt a complex operation."

An unidentified federal civilian executive branch (FCEB) agency's Microsoft Internet Information Services (IIS) web server was compromised by a number of threat actors, including an advanced persistent threat (APT). The advisory, which includes in-depth technical information and indicators of the breach, was created by CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC). 

Apparently, a critical.NET deserialization flaw in the Progress Telerik UI for ASP.NET AJAX component allowed hackers to compromise a Microsoft Internet Information Services (IIS) web server used by a U.S. government agency last year. 

As per the advisory, the threat actors acquired access to the servers between November 2022 and early January 2023 based on indicators of compromise (IOCs) found on the unidentified FCEB agency’s network. To acquire remote code execution, at least two threat actors (among them the Vietnamese XE Group) accessed the unpatched server. 

According to CISA, the central vulnerability was linked with the Telerik UI flaw on the IIS server – CVE-2017-11357 and CVE-2017-11317 – However, the forensic investigation was unable to conclusively verify which of the two was utilized, or even whether they were. 

The agency's instance was version 2013.2.717; the advisory stated that builds prior to version 2020.1.114 are vulnerable to CVE-2019-18935. "Though the agency's vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan[…]This may be the case for many software installations, as file paths widely vary depending on the organization and installation method," the advisory noted. 

Similar to the 2017 Equifax hack, it was caused in part by a vulnerability assessment for a severe Apache Struts flaw that overlooked an earlier system that was subsequently infiltrated by threat actors. 

CISA, the FBI, and MS-ISAC advised companies to use central log collection and monitoring. Moreover, it has been recommended to implement process monitoring in order to gain "visibility into file system and application process activity." The advisory also included a CISA-developed YARA rule for CVE-2019-18935. 

Progress CISO Richard Barretto wrote in an email to TechTarget Editorial "the security of our customers is one of our highest priorities, and we continue to distribute periodic reminders on the importance of implementing patches and applying software upgrades," he also included a link to Progress' knowledge base's specific article about the problem. 

"As we do with all critical vulnerabilities found in our products, we issued notification and remediation guidance to our customers in 2019 when the vulnerability was discovered[…]Due to the severity of the vulnerability, we provided technical support as needed to all customers regardless of their license status," he added.  

State-sponsored hackers exploit unpatched Zimbra devices

A recent series of compromises that exploited unpatched Zimbra devices was an operation sponsored by the North Korean government and aimed to steal intelligence from a collection of private and public medical and energy sector researchers. 

Analysts with W labs in a new report explained that due to an overlap in techniques, and thanks to a mess up by one of the threat actors, they attributed the recent series of cyber incidents against unpatched Zimbra devices to the Lazarus group, a well-known cybercriminal group sponsored by the North Korean government. 

A joint report by NSA and Central Security service said "DPRK cyber actors have been using cryptocurrency generated through illicit cybercrime activities to procure infrastructure such as IP addresses and domains. The actors intend to conceal their affiliation and then exploit common vulnerabilities and exposures (CVE) in order to gain access and escalate privileges on targeted networks to perform ransomware activities. Recently observed CVEs include remote code execution in the Apache Log4j software library (also known as "Log4Shell") and remote code execution in various SonicWall appliances."

Lazarus ran a campaign using unpatched Zimbra devices

Lazarus ran this campaign and other likewise intelligence-gathering operations till the end of 2022. The experts have named the campaign "No pineapple" after an error message created by the malware during their investigation. The threat actors quietly stole around 100GB of data, without running any destructive cyber campaign or disrupting information.

Security teams running unpatched, Internet-connected Zimbra Collaboration Suite (ZCS) can assume they are compromised and should take immediate detection and response action. 

A recent security alert by CISA flagged active Zimbra exploits for CVE-2022-24682, CVE-2022-27924, and CVE-2022-27925, which are being chained with CVE-2022-37042, and CVE-2022-30333. 

The cyber attacks lead to remote code execution (RCE) and access to the Zimbra platform. 

Unfixed Zimbra devices can affect sensitive info

The results can be quite dangerous when it comes to protecting sensitive info and shielding email-based follow-on threats. ZCS is a suite of business communication services that consists of an email server and a Web client for accessing messages via the cloud. 

CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC) strongly suggest administrators and users apply the guidelines in the recommendations of the cybersecurity advisory to defend their organization's systems against malicious cyber operations. 

"NSA and the other authoring agencies urge all critical infrastructure entities and organizations, including the Healthcare and Public Health (HPH) Sector, and the Department of Defense and Defense Industrial Base, to apply the mitigations listed in this advisory," said NSA

Statistics 

Research by SecurityScorecard shows that the vast majority of the Global 2000 Forbes list's essential manufacturing organizations have high-severity vulnerabilities in their systems that have not been patched. 

• Over 75% of manufacturing organizations have high-severity vulnerabilities in their systems that have not been patched. 

• In 2022, early 40% of manufacturing companies reported malware infections, which is a considerable percentage. 

• Around half of the critical manufacturing organizations, i.e. 48% obtained low-security ratings. The platform considers a number of important risk criteria, including DNS health, IP reputation, network security, web application security, leaked information, hacker chatter, endpoint security, and patching schedule. 

• Unpatched high-severity vulnerabilities increased by 38% in the critical industrial sector year over year, and 37% of companies experienced malware infestations. 

Underlining the Trend 

• Last week, CISA published numerous advisories cautioning the ICS industry of critical security flaws impacting products from organizations like GE Digital, Mitsubishi Electric, and Contec. 

• Another advisory advised against flawed products from Sewio, Siemens, Sauter Controls, and InHand Networks. 

Advisories and Reports Underlining the Trend

CISA last week published multiple advisories warning the ICS industry of critical security vulnerabilities impacting products from GE Digital, Mitsubishi Electric, and Contec. Another advisory warned against flawed products from Sewio, Siemens, Sauter Controls, and InHand Networks.

Researchers from Trend Micro identified the Agenda ransomware group developing a new version of their ransomware in Rust, during the same month. The ransomware group has been targeting manufacturing and IT sectors in multiple different countries and made off with $550 million in earnings. 

The rising cases of cyberattacks against critical infrastructure have made it necessary for policymakers and business professionals to have an in-depth understanding of the security measures in place for their manufacturing environment. It is being advised to strive for a more collaborative and integrated approach to cybersecurity resilience, that would bring together the public and commercial sectors to safeguard critical infrastructure all across the world.  

The document illustrates how a network slice is “an end-to-end logical network that provides specific network capabilities and characteristics to fit a user’s needs.” 

While numerous network slices operate on a single physical network, the guidelines clarify that each network slice user is only authenticated for one specific network region, allowing for data and security isolation. 

“This type of architecture heavily relies on a Network-as-a-Service (NaaS) model, combining Infrastructure-as-a-Service with network and security services, which enhances the operational efficiency and resiliency of the 5G infrastructure […] Within a 5G architecture, the plan is to deliver the whole NaaS so that different customer segments can be efficiently supported,” reads the guideline.

According to the report, "network slicing enables operators to incorporate various network characteristics or components, possibly from different operators, to offer particular applications or services for 5G consumers. Although effective for delivering services, 5G network slicing throws a wide net of threats, including possible weak points in standards and regulations, the supply chain, and other areas."

"Although network slicing is not solely unique to 5G, it is a critical component because 5G specifications call for network slicing as a fundamental component and therefore require network operators to adopt security practices that can mitigate threats like those described in this paper, DoS, MitM attacks, and configuration attacks," the report states. 

Due to these cyber threats, the NSA and CISA have stated that maintaining and monitoring a network slice is essential for identifying and thwarting cyberattacks. 

“For more robust security, network operators should consider techniques, as referenced in this paper, such as zero trust, multi-layer security, cross-domain solutions, post-quantum cryptography, and isolation,” both agencies concluded. 

The NSA, along with CISA, has appointed members and experts from public and private sectors in order to address security concerns pertaining to 5G slicing. This resulting 5G network slicing cybersecurity report looks forward to its architecture, how it will aid in emerging technologies, such as autonomous vehicles, and guidelines on how to secure it.  

Pulse Connect Secure

Regarded as the most extensively used SSL VPN solution, Pulse Connect Secure offers remote and mobile customers secure access to business resources. Additionally, the Ivanti portfolio added the VPN appliance to its lineup in the year 2020, after acquiring Pulse Secure. 

Pulse Secure appliances are as well a distinguished choice for both cyber criminals and state-backed threat actors. Government agencies, in regard to this, have sent out several advisories in order to warn users of the ongoing exploitation of these products’ unpatched vulnerability. 

Censys Study on Pulse Connect Secure

As per the report published by Censys, six vulnerabilities, including a critical-severity file write vulnerability that may be used to execute arbitrary code with root capabilities, are still unpatched in about 3,500 of the affected appliances. 

“In total, Censys has found 30,266 Pulse Connect Secure hosts running on the internet […] One of the easiest ways to find these running using Censys is to search for a specific URI that can be found in the HTTP response body of a Pulse Connect Secure web service,” reads the post published by Censys. 

In addition to this, Censys found that more than 1,800 of the vulnerable hosts are not yet equipped with patches for three severe security flaws that Pulse Secure resolved in May 2021, despite being warned two weeks back of the flaws (CVE-2021-22893, CVSS score of 10) that were being exploited in the attack. 

Censys also discovered hundreds of Pulse Connect Secure appliances that were still affected by other severe vulnerabilities including CVE-2018-5299 (CVSS score of 9.8), CVE-2018-6320 (CVSS score of 9.8), CVE-2019-11510 (CVSS score of 10), and CVE-2019-11540 (CVSS score of 9.8). 

According to the Censys report’s Breakdown by Country (top 20), with 8,575 hosts, the United States has the largest overall number of Pulse Connect installations, however, just 12% of those hosts lack security fixes. While with 3,000 hosts (700 vulnerable), Japan holds the second position, followed by UK and Germany, both with slightly over 1,700 hosts (155 and 134 vulnerable, respectively).  

CISA and FBI says ransomware attacks on the rise

A joint Cybersecurity Advisory (CSA) #StopRansomware: Cuba Ransomware from CISA and FBI warns that a ransomware gang has attacked more than 100 organizations across the world and received more than $60 million in ransom payments. The latest CSA alerts that there's a surge in ransom demands and organizations Cybersecurity Advisory attacked by the Cuba ransomware group. 

As per the warning, Cuba ransomware attacks target healthcare, critical infrastructure, financial services, government services, technology, etc. The CSA says that despite the name, the gang doesn't have any association with the country of Cuba. The FBI alerts that the ransomware group has attacked over 100 targets across the world and have asked more than $145 Million in ransom payments, getting $60 million in extortion payments. 

Key updates from the FBI and CISA include:

• FBI has identified a sharp increase in the both the number of compromised U.S. entities and the ransom amounts demanded by Cuba ransomware actors.
• Since spring 2022, Cuba ransomware actors have expanded their TTPs.
• Third-party and open-source reports have identified a possible link between Cuba ransomware actors, RomCom Remote Access Trojan (RAT) actors, and Industrial Spy ransomware actors.

The group indulges in double extortion attacks, not only encrypting data and demanding ransom payments, but also making threats to leak data stolen from the target, if he fails to pay the ransom (demanded in Bitcoins). 

New Ransomware Techniques used by Threat Actors 

This is the second CSA warning from CISA and FBI about Cuba ransomware, the first one came in December 2021. The new warning comes due to a sudden increase in the number of cyberattacks and also because threat actors have increased to make the attacks more sophisticated so that it can't be detected and difficult to stop. 

These techniques include abusing a vulnerability in Windows Common Log File System (CLFS) driver (CVE-2022-24521) to retrieve system tokens and enable privileges while deploying a PowerShell script to find out service accounts for getting better access to high-level system controls. 

Cuba Ransomware behind attacks

Cuba ransomware attacks were also found attacking Zerologon, a flaw in Microsoft Windows authentication protocol Netlogon (CVE-2020-1472) to get domain administrative rights. Zerologon was found in September 2020 and was termed as "unacceptable risk" during that time, however, after two years, threat actors are still able to abuse it. 

The techniques that Cuba ransomware uses to get digital access to the victim's system include exploiting known flaws in commercial software, phishing campaigns, exploiting stolen user data and passwords, and abusing genuine Remote Desktop Protocol (RDP) applications. 

Once the threat actor gains access, he installs Hancitor, a malware payload that lets him easily get back access and launch operations on exploited networks, which in the end is used to drop and launch the ransomware payload. 

"FBI and CISA encourage network defenders to review the joint CSA and to apply the included mitigations. See StopRansomware.gov for additional guidance on ransomware protection, detection, and response," says the CSA.