Search This Blog

Showing posts with label Security Risk. Show all posts

Five Eyes Agencies Warn Managed Service Providers of Cyber Attacks

 

The Five Eyes alliance of cybersecurity authorities from the United States, the United Kingdom, Australia, New Zealand, and Canada last week published a joint advisory warning of threats targeting managed service providers (MSPs) and their customers. 

The advisory recommends customers of MSPs in the member nations on how to guard sensitive details and reassess security posture and contractual agreements with their service providers based on individual risk tolerance. MSPs are a prime target for cybercriminals and nation-state actors–because attacking an MSP can lead to additional downstream victims (as we witnessed with Kaseya and the SolarWinds assaults.)

"As this advisory makes clear, malicious cyber actors continue to target managed service providers, which is why it's critical that MSPs and their customers take recommended actions to protect their networks," Jen Easterly, director of US's Cybersecurity and Infrastructure Security Agency (CISA) stated. 

"We know that MSPs that are vulnerable to exploitation significantly increase downstream risks to the businesses and organizations they support. Securing MSPs are critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain," she added. 

The alert is the result of a collaborative effort among the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Federal Bureau of Investigation in the U.S.; the National Cyber Security Centers in the United Kingdom and New Zealand; the Australian Cyber Security Center; and the Canadian Center for Cyber Security. 

Mitigation tips 

In the advisory issued on the second day of the NCSC's Cyber UK conference, where several senior figures from the cybersecurity agencies have met to discuss the issue of global cyber threats, the authorities recommend that MSP customers ensure that their MSPs implement the following measures and controls: 

• To counter initial assault, enhance the security of vulnerable devices, protect internet-facing services and defend against brute-force and phishing attacks. 
• Improve monitoring and logging processes for the delivery infrastructure activities used to provide services to the customer. 
• Enable multifactor authentication across all customer services and products. 
• Periodically erase obsolete accounts and infrastructure and apply updates to the infrastructure whenever available and necessary. 
• Develop incident response and recovery plans. 
• Understand and proactively manage supply chain risk. 
• Adopt transparent processes and, at the same time, manage account authentication and authorization.

German Firms Targeted by Malicious NPM Packages

 

JFrog researchers have uncovered multiple malicious packages in the NPM registry particularly targeting several popular media, logistics, and industrial companies based in Germany to carry out supply chain assaults. 

"Compared with most malware found in the NPM repository, this payload seems particularly dangerous: a highly-sophisticated, obfuscated piece of malware that acts as a backdoor and allows the attacker to take total control over the infected machine," researchers said in a new report. 

According to the DevOps company, the evidence discovered suggests it is either the work of a sophisticated hacker or a "very aggressive" penetration test. Four maintainers— bertelsmannnpm, boschnodemodules, stihlnodemodules, and dbschenkernpm— have been associated with all the rogue packages; most of the packages have been taken down from the repository.

The finding points out that the hackers are trying to copy legitimate firms like Bertelsmann, Bosch, Stihl, and DB Schenker. Some of the package names are distinct, which makes it likely that the adversary managed to trace the libraries hosted in the companies’ internal repositories to launch a dependency confusion attack. 

The findings are based on a report from Snyk late last month that detailed one of the malicious packages, "gxm-reference-web-auth-server," noting that the malware is targeting an unknown firm that has the same package in their private registry.

"The attacker(s) likely had information about the existence of such a package in the company's private registry," the Snyk security research team said. According to researchers at Reversing Labs, who independently examined the hacks, the rogue modules uploaded to NPM featured elevated version numbers than their private counterparts to force the modules onto target environments.

"The targeted private packages for the transportation and logistics firm had versions 0.5.69 and 4.0.48, while the malicious, public versions were identically named, but used versions 0.5.70 and 4.0.49," the cybersecurity firm explained. 

Calling the implant an "in-house development," JFrog pointed out that the malware contains two components, a dropper that sends information about the infected machine to a remote telemetry server before decrypting and executing a JavaScript backdoor. The backdoor, while lacking a persistence mechanism, is designed to receive and execute commands sent from a hard-coded command-and-control server, evaluate arbitrary JavaScript code, and upload files back to the server. 

Earlier this week, a German penetration testing company named Code White has owned up to uploading the malicious packages in question, adding it was an attempt to "mimic realistic threat actors for dedicated clients."

Analyzing the New Black Basta Ransomware

 

Black Basta, a new ransomware group has been highly active since April 2022 and has already breached a dozen companies worldwide. The list of victims includes the American Dental Association and German wind turbine giant Deutsche Windtechnik. 

Modus operandi of Black Basta 

While Black Basta assaults are relatively new, some information on their methodology has been made public. The data encryptor employed by ransomware requires administrator privileges to execute, otherwise, it is harmless. 

To launch the encryption executable, the ransomware targets a legitimate Windows service. After execution, the ransomware erases shadow copies from the compromised system using vssadmin.exe. This action removes the Windows backup so that after encryption victim cannot revert the system to its previous state. 

Subsequently, Black Basta drops two files: dlaksjdoiwq.jpg and fkdjsadasd.ico in the user Temp folder. The second file is a custom icon for all files with the “.basta” extension. The icon is assigned by designing and setting a new registry key “HKEY_CLASSES_ROOT\.basta\DefaultIcon”. 

The persistence technique of the Black Basta ransomware is executed by “stealing” an existing service name, deleting the service, and then creating a new service named ‘FAX. Before the encryption routine begins, the ransomware checks the boot options using GetSystemMetrics() API and then adds HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Fax entry in the registry to start the FAX service in safe mode. 

After completing all the customizations, the ransomware sets up the operating system to boot in safe mode using bcedit.exechecks. Due to the reboot mode change, the PC will reboot in safe mode with the ‘Fax’ service running. This service will then execute the ransomware again, but this time for the purpose of encryption. 

 Methodologies Identical to Conti group 

Researchers at MalwareHunterTeam attribute the Black Basta ransomware to the team behind Conti ransomware. This assumption is based on similarities between their leak sites, their payment sites, and the way their “support” employees talk and behave. 

Lawrence Abrams of BleepingComputer also mentioned that the threat actors behind Black Basta seem like they are exerting a lot of effort to avoid any resemblance to their previous identity. 

To prevent Black Basta ransomware from further encryptions, it must be eliminated from the operating system. Unfortunately, removal will not restore already compromised data. The sole solution is recovering it from a backup if one was created beforehand and is stored elsewhere. 

Additionally, to avoid permanent data loss, researchers recommend keeping backups in multiple different locations (e.g., remote servers, unplugged storage devices, etc.

Misconfiguration Identified in Google Cloud Platform

 

A misconfiguration discovered in the Google Cloud Platform could allow threat actors to gain complete control over virtual devices by exploiting legitimate features in the system, researchers at Mitiga, a Cloud Incident Response firm, stated. 

Mitiga uncovered a misconfiguration several months ago while examining Google Cloud Platform’s Compute Engine (GCP), specifically virtual machine (VM) services. The Cloud incident response vendor identified a misconfiguration that allowed attackers to send and receive data from the VM and possibly secure complete control over the system. However, Mitiga emphasizes that this is not a security loophole, or system error – it’s described as a “dangerous functionality”. 

Mitiga notes that malicious actors could use a compromised metadata API, named “getSerialPortOutput”, which is used for the purpose of tracking and reading serial port keys. The researchers described the API call as a “legacy method of debugging systems”, as serial ports are not ports in the TCP/UP sense, but rather files of the form /dev/ttySX, given that this is Linux. 

"We at Mitiga believe that this misconfiguration is likely common enough to warrant concern; however, with proper access control to the GCP environment there is no exploitable flaw," Andrew Johnston, principal consultant at Mitiga, stated. 

After reporting the findings to Google, the company agreed that misconfiguration could be exploited to bypass firewall settings. Mitiga proposed two changes to the getSerialPortOutput function by Google, including restricting its use to only higher-tiered permission roles and allowing organizations to disable any additions or alterations of VM metadata at runtime. 

Additionally, the company advised Google to revise its GCP documentation, to further clarify that firewalls and other network access controls don’t fully restrict access to VMs. However, Google disagreed with a majority of the recommendations. 

"After a long exchange, Google did ultimately concur that certain portions of their documentation could be made clearer and agreed to make changes to documentation that indicated the control plane can access VMs regardless of firewall settings. Google did not acknowledge the other recommendations nor speak to specifics regarding whether a GCP user could evade charges by using the getSerialPortOutput method," Johnston wrote in the report.

Attackers are Employing Multiple Malwares to Target Ukrainian System

 

Amid Russia-Ukraine war, cybersecurity experts have witnessed a sudden increase in the number of wiper malware deployments. Since February 24, Ukrainian security experts have unearthed at least seven new types of malwares employed by attackers to target Ukraine: AcidRain, WhisperGate, WhisperKill, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero. 

Earlier this week, AT&T cybersecurity published a blogpost detailing the different types of wiper malware which we have covered below. 

WhisperKill 

On the night of January 14, anonymous hackers attempted to secure access to and deface the websites of more than 70 Ukrainian government agencies, according to Ukraine’s security service. The malware successfully defaced 22 websites and severely damaged six. 

How it operates: The malware downloads a payload that wipes the Master Boot Record (MBR), then downloads a malicious file hosted on a Discord server, which drops and executes another wiper payload that destroys files on the compromised devices. 

HermeticWiper 

A month after, on February 23rd 2022, ESET Research discovered a new Wiper called HermeticWiper being used against hundreds of Ukrainian systems. The hackers then used a shell company to issue a certificate that allows bypassing detection capabilities, such as Microsoft Defender SmartScreen and built-in browser protections. 

The malware collects all the data it wants to delete to maximize the impact of the wiping, it uses the EaseUS Partition Master driver to overwrite the selected parts of the disk with random data.

IsaacWiper 

A day after the initial assault with HermeticWiper, on February 24th, 2022, a new wiper was used against the Ukrainian government, as reported by ESET, without any significant similarities to the HermaticWiper used the day before. 

This wiper malware iterates through the filesystem, enumerates files and overwrites them. The behavior is similar to ransomware activity, but in this case, there is no decryption key. Once the data has been overwritten, it is lost. 

AcidRain 

On March 15, a new strain of wiper malware called AcidRain was discovered by researchers at SentinelLabs. AcidRain wiper was used in an attack against the Viasat KA-SAT satellite broadband service provider. 

The attacker gained access to the management infrastructure of the provider to deploy AcidRain on KA-SAT modems used in Ukraine. The wiper employed was the ELF MIPS wiper targeting Viasat KA-SAT modems, which aimed to firstly overwrite any file outside of the any common *nix installation: bin, boot, dev, lib, proc, sbin, sys, sur, etc. to then delete data from devices. 

CaddyWiper 

The first version of CaddyWiper was unearthed by ESET researchers on March 14 when it was used against a Ukrainian bank. Then it was employed again during the attack on the Ukrainian energy company on April 12. 

The Wiper overwrites files on the computer with null byte characters, making them unrecoverable. This malware can be executed with or without administrator privilege. In both cases, it causes lethal damage to the target machine. 

DoubleZero 

On March 22, 2022 CERT-UA reported a new wiper used against their infrastructure and enterprises. Dubbed DoubleZero, the wiper was distributed as a ZIP file containing an obfuscated .NET program. 

The wiper erases files in two ways: by overwriting them with zero blocks of 4096 bytes (FileStream.Write method) or using NtFileOpen, NtFsControlFile API calls (code: FSCTL_SET_ZERO_DATA). 

To prevent further assaults, researchers recommended keeping systems up to date and sharing knowledge regarding cybersecurity. In addition, attacks can be avoided by having periodic backup copies of key infrastructure available.

One in Three Mid-Market UK Organizations Suffered from Attacker Outages in 2021

 

A third of mid-market UK organizations hit by cyberattacks in 2021 suffered breakdowns that knocked them offline for more than a day, a new research from cybersecurity firm Censornet revealed.

The survey discloses that more than one in five (21%) were forced to pay attackers to put an end to the attack, with the average pay-out amounting to £144,000 and 7% handing over more than £500,000. As a result, the primary demand for cybersecurity in 2022 was to see security vendors open up traditionally closed point products to enable an automated response to cyberattacks.

The report, which surveyed 200 IT decision-makers across the UK, covering ten different industries, found that ransomware was particularly problematic, as more workers work from home.

“For the UK mid-market, the cybersecurity situation is serious. The financial and reputational cost of cybercrime is rising, putting more pressure on overwhelmed professionals, who are tackling hundreds of alerts a day from siloed point products,” said Ed Macnair, CEO at Censornet. Organizations must work smarter, not harder. Only when security systems work seamlessly together, faster than humanly possible, will we see the needle begin to move in the right direction.”

Nearly half of mid-market organizations participating in the survey said they hadn’t purchased cybersecurity products specifically manufactured to guard against threats for hybrid and remote workers. As a result, 76% of organizations said they plan to invest in a cloud-based security platform that allows their security products to autonomously share security event data to better protect their organization. 

In response to the challenges that organizations are facing, respondents indicated a clear need for fundamental change in the way cybersecurity is designed and run over the next year. 46% want security vendors to open up traditionally closed point products to enable an automated response to cyber threats.

Last week, Slovak cybersecurity firm ESET published a separate report revealing that London has the highest cybercrime rate in the UK, with 5,258 reports in total followed by the West Midlands at 1,242. Cumbria was the area with the lowest cybercrime, with only 174 reports, followed by Cleveland 194 and Dyfed-Powys 213. 

In its report, ESET researchers discovered an overall decline of 2.97% in cybercrime in 2021. The most common form of cybercrime for 2021 was social media and email hacking, which accounted for 53.1% of reports. This was followed by computer viruses, which accounted for 28% of reports.