Welcome to the latest edition of the Neu Cyber Threats, a weekly series in which we bring attention to the latest cyber attacks, scams, frauds, malware including Ransomware and DDoS, in order to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:


Lazarus Group hackers exploit a Dell driver vulnerability to deploy a Rootkit on targeted computers

The Lazarus Group, a North Korean hacking group, has been deploying a Windows rootkit by exploiting a Dell driver vulnerability. The attack is part of the threat actor's campaign Operation In(ter)ception, which targets the aerospace and defence industries.

Research into the activity by ESET researcher Peter Kálnai has uncovered that the campaign began in 2021 with spear-phishing emails impersonating the online retail giant Amazon. The emails carried malicious documents and targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium.

With a multitude of attacks having taken place since then, research has shown that the payload was a rootkit module that exploited a Dell driver flaw to gain the ability to read and write kernel memory. The issue, tracked as CVE-2021-21551, relates to a set of critical privilege escalation vulnerabilities in dbutil_2_3.sys. That kernel access lets the attackers disable the monitoring performed by every security solution on the compromised machine.

Researcher Kálnai said, “The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing, etc., basically blinding security solutions in a very generic and robust way.”
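As an added example that is not drawn from the article or from ESET's research, the following PowerShell hunt looks for the dbutil_2_3.sys driver on a Windows host, both as a file on disk and among registered kernel drivers; the search roots are assumptions and should be widened for a full sweep.

```powershell
# Added example (not from the original article): hunt for the Dell dbutil_2_3.sys
# driver (CVE-2021-21551) on a Windows host, both on disk and as a registered
# kernel driver. The search roots below are assumptions; widen them for a full sweep.
$DriverName  = 'dbutil_2_3.sys'
$SearchRoots = @("$env:SystemRoot\Temp",
                 "$env:SystemRoot\System32\drivers",
                 "$env:LOCALAPPDATA\Temp",
                 'C:\Users')

$findings = @()

# 1. Copies on disk, wherever a Dell installer or an attacker dropped them.
#    Record signer and hash so the file can be compared with the Dell advisory.
foreach ($root in $SearchRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Filter $DriverName -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $findings += [pscustomobject]@{
                    Kind   = 'OnDisk'
                    Path   = $_.FullName
                    SHA256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
                    Signer = $sig.SignerCertificate.Subject
                    Status = $sig.Status
                }
            }
    }
}

# 2. Kernel drivers registered as services, keyed on the image path.
#    A legitimately signed Dell driver loaded from a temp directory is the
#    bring-your-own-vulnerable-driver pattern described above.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ($_.PathName -match 'dbutil') } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Kind   = 'RegisteredDriver'
            Path   = $_.PathName
            SHA256 = ''
            Signer = $_.Name
            Status = $_.State
        }
    }

if ($findings.Count -eq 0) {
    Write-Output "No trace of $DriverName in the searched locations or the driver list."
} else {
    $findings | Format-Table -AutoSize
    Write-Output 'Compare each SHA256 with the hashes in the Dell advisory for CVE-2021-21551 before treating it as the vulnerable build.'
}
```

Run it in an elevated PowerShell session so that driver image paths and protected directories are readable.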

This demonstrates how the Lazarus Group and other threat actors are constantly developing new techniques despite pressure from law enforcement and the research community. It is important to train your staff on how to spot phishing attempts and what to do with them.

Click here to find out how to protect your business and employees from phishing attempts.

Renowned Italian luxury sports car manufacturer Ferrari falls victim to a ransomware attack 

This week’s reports show that the well-known luxury sports car brand Ferrari fell victim to a ransomware attack, leading to 7GB of its internal documents being leaked to the public. The car manufacturer, however, has pointed out that there is no evidence this was in fact a ransomware attack or a breach of the company’s systems, and says it is working tirelessly to uncover how the documents were leaked so that appropriate action can be taken.

It was nonetheless reported as a cyber attack because the website Red Hot Cyber stated that the ransomware gang RansomEXX had claimed responsibility for a 6.99GB breach that includes internal documents, datasheets and repair manuals.

Overall, how these documents were obtained is still unclear, but we do know that the scale of ransomware attacks has grown drastically recently, hitting everything from high-end brands to public service organisations. The objective of these attacks is to block access to data, or to threaten to publish sensitive data, unless the victim pays the ransom.

A new zero-day exploit called ProxyNotShell takes advantage of the Microsoft Server-Side Request Forgery vulnerability 

ProxyNotShell is the nickname of a new exploit that takes advantage of the recently published Microsoft Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040 together with a second vulnerability, CVE-2022-41082, which allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker. This new zero-day attack method is similar to the one used in the 2021 ProxyShell attack, which chained multiple vulnerabilities (CVE-2021-34523, CVE-2021-34473 and CVE-2021-31207) to permit a remote actor to execute arbitrary code. ProxyNotShell was first recorded on September 19, with CVE-2022-41082 as the attack vector, targeting Microsoft’s Exchange Servers.

Successful exploitation of the flaws could give access to the victim’s systems, enabling adversaries to drop web shells and carry out lateral movement across the compromised network, which in turn gives them the ability to spread malicious code and exfiltrate data from various shares.

With the help of CVE-2022-41040, another Microsoft vulnerability also recorded on September 19, 2022, an attacker can remotely trigger CVE-2022-41082 and so execute commands remotely.

Update: Microsoft has updated its mitigation measures for these zero-day flaws, and a fix is yet to be released.

The temporary solution has been made available, and Neuways is acting accordingly.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.