Welcome to the latest edition of the Neu Cyber Threats, a weekly series in which we here at Neuways bring attention to the latest cybersecurity threats to help you stay safe online.

Here are the most prominent threats which you should be aware of:

Neu Cyber Threats

More Ransomware Gangs Targeting Vulnerable Exchange Servers

More ransomware operators are targeting the Exchange Server vulnerabilities that Microsoft disclosed in early March. The four zero-day bugs had been targeted in live attacks well before patches were released for them on March 2. While the number of unpatched Exchange installations has dropped significantly, from roughly 80,000 on 14th March to fewer than 30,000 on 22nd March, the news isn’t good for those who still haven’t patched their versions of Microsoft Exchange.

Microsoft said: “More than 92% of known worldwide Exchange IPs have now been patched or mitigated – we continue to work with our customers and partners to mitigate the vulnerabilities.”

The number of attacks targeting the still-vulnerable servers hasn’t diminished. DoejoCrypt, also known as DearCry, was the first ransomware family to target the Exchange vulnerabilities more than two weeks ago, before the Black Kingdom/Pydomer ransomware recently joined the fray, according to Microsoft.

Known to be targeting publicly disclosed vulnerabilities, including Pulse Secure VPN flaws, Pydomer operators were observed mass scanning and attempting to compromise unpatched Exchange servers. The webshell dropped by the gang was observed on over 1,500 servers, but ransomware hadn’t yet been deployed on all of them. However, it’s likely that the adversaries would attempt to monetise the obtained unauthorised access in a different manner.

On systems where the ransomware was deployed, a “non-encryption extortion strategy” was adopted, with the attackers only dropping a ransom note to inform victims of their demands. Microsoft said: “The note should be taken seriously if encountered, as the attackers will have full access to systems and are likely able to exfiltrate data.”

Within the past few weeks, another adversary to have joined the Exchange party was the gang behind the Lemon Duck cryptocurrency botnet, which employed “a fileless/web shell-less option of direct PowerShell commands from w3wp (the IIS worker process) for some attacks,” but relied on various exploit styles in others.

“The Lemon Duck operators compromised numerous Exchange servers and moved in the direction of being more of a malware loader than a simple miner,” Microsoft explains.

Attacks targeting Exchange servers may continue to impact organisations even after patches have been applied, through the use of stolen credentials or persistent access obtained before the patch. Attackers exploit the on-premises Exchange Server vulnerabilities in combination to bypass authentication and gain the ability to write files and run malicious code. The best and most complete remediation for these vulnerabilities is to update to a supported Cumulative Update and to install all security updates, and then to check for signs that the server was compromised before it was patched.
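The Lemon Duck detail above (PowerShell launched directly from w3wp, the IIS worker process) is one of the few post-compromise signals that survives patching, because a patch closes the entry point but does not undo access already gained. The script below is an added example, not code from the original article or from Microsoft: it runs a simple parent/child process rule over constructed, Sysmon-style process-creation lines (the key=value layout, hostnames and command lines are all assumptions) and grades each hit by whether the command line also uses an encoded or hidden PowerShell invocation.

```python
import re

# Constructed Sysmon-style process-creation events (assumed layout, not real telemetry).
SAMPLE_EVENTS = [
    'EventID=1 Host=exch01 ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe '
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"',
    'EventID=1 Host=exch01 ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe '
    'Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c whoami"',
    'EventID=1 Host=exch01 ParentImage=C:\\Windows\\System32\\services.exe '
    'Image=C:\\Windows\\System32\\svchost.exe CommandLine="svchost.exe -k netsvcs"',
    'EventID=1 Host=exch02 ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe '
    'Image=C:\\Windows\\System32\\WerFault.exe CommandLine="WerFault.exe -u -p 4321"',
    'EventID=1 Host=ws17 ParentImage=C:\\Windows\\explorer.exe '
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -File C:\\scripts\\backup.ps1"',
]

IIS_WORKER = "w3wp.exe"
# Interpreters and living-off-the-land binaries an IIS worker has no routine reason to launch.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe",
                       "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')            # key=value or key="value with spaces"
_ENCODED = re.compile(r'(?i)\s-(?:e|ec|en|enc|encodedcommand)\s')  # PowerShell -EncodedCommand prefixes
_HIDDEN = re.compile(r'(?i)-w(?:indowstyle)?\s+hidden')


def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def basename(path):
    """Last path component, lower-cased, accepting either slash style."""
    return re.split(r'[\\/]', path)[-1].lower()


def classify(event):
    """Return a finding if an IIS worker spawned a shell or interpreter, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent != IIS_WORKER or child not in SUSPICIOUS_CHILDREN:
        return None
    cmd = event.get("CommandLine", "")
    reasons = [f"{parent} spawned {child}"]
    if _ENCODED.search(cmd):
        reasons.append("encoded command")
    if _HIDDEN.search(cmd):
        reasons.append("hidden window")
    # A shell from w3wp is worth a look on its own; obfuscation flags raise it to high.
    return {"host": event.get("Host", "?"), "child": child,
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons, "command": cmd}


def find_suspicious_children(lines):
    """Run the rule over raw log lines and collect the findings in log order."""
    findings = []
    for line in lines:
        finding = classify(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_suspicious_children(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], "; ".join(f["reasons"]), "::", f["command"])
```

Run against the constructed sample it reports two findings (the encoded, hidden PowerShell as high and the bare cmd.exe as medium) and ignores the three benign lines. The rule is deliberately narrow: on a real Exchange server, tune the child list against a baseline of what w3wp normally launches before alerting on it.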

Ragnarok Ransomware Hits Boggi Milano Menswear

The Ragnarok ransomware gang has struck again. In the latest wave of attacks, Ragnarok has exfiltrated 40 gigabytes of data from the luxury Italian men’s clothing line, Boggi Milano, including HR and salary details.

Monitoring of the Dark Web has found that the files leaked by Ragnarok include payroll files, payment PDFs, vouchers, tax documents and more. The attack proves that any kind of business in any industry can be targeted by cyber criminals in 2021; if cyber criminals sense a weakness they will test it as they continue to take advantage of businesses for financial gain.

In this specific case, the ransom issued by Ragnarok has not yet been disclosed, but the figure is usually in the region of thousands of pounds, and while Boggi Milano’s website is still up and running, the fashion brand is working with Italian authorities regarding the crime.

Although the impact on the operation of the business appears to be small, the loss of roughly 40GB of data, potentially including that of customers and employees, can be significant. Fines from data breaches which include this type of data can be significant, and as a global organisation, fines could be imposed from several territories whose citizens have been affected.

According to researchers, ransomware attacks have spiked by 350% in just three years. By implementing a BCDR plan, with integrated solutions that back up confidential company data, as well as Phishing Awareness Training to prevent data breaches in the first instance, a company is covering its back in more ways than one. By talking to an expert Managed Service Provider, such as Neuways, a business can help secure its future. Call Neuways on 01283 753 333 or email hello@neuways.com to discuss preventative measures.

LinkedIn Spear-Phishing Campaign Targets Job Hunters

A threat group called Golden Chickens has been targeting professionals on LinkedIn through a spear-phishing campaign, which sends victims fake job offers. The phishing emails try to trick a victim into clicking on a malicious ZIP file, by picking up the victim’s current job title and adding the word ‘position’ at the end, which makes it appear like a legitimate offer. Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs.

Once downloaded, this backdoor can fetch additional malware and provide access to the victim’s system. Not only are LinkedIn users being targeted by the Golden Chickens group, but the group is also selling more_eggs as malware-as-a-service to other cyber criminals, who use it to gain a foothold in victims’ systems to install other types of malware, including banking malware, credential stealers and ransomware, or simply to exfiltrate data.

This isn’t the first use of more_eggs by cyber criminals, though. Groups including FIN6, Cobalt Group and Evilnum have each used the more_eggs malware as a service for their own purposes. Financial threat gang FIN6 used the malware to target e-commerce businesses in 2019, while other attackers used it to breach several industries, such as retail, entertainment and pharmaceutical companies’ online payments systems.

With this specific LinkedIn attack, rather than attacking someone who is unemployed, it is thought that the goal of the campaign is to dupe people who are employed and have access to sensitive company data. It could give cyber criminals intel for infiltrating a network later, with current remote working practices meaning that many personal and work devices co-exist on the same shared network.

Neuways advises all LinkedIn users to be wary of spear-phishing scams and to treat any unsolicited approach regarding a job vacancy with caution.

Akamai Sees Largest DDoS Extortion Attack Known to Date

Distributed denial of service (DDoS) attacks are growing larger in volume, and they have become more targeted and increasingly persistent. While recently observed attacks haven’t reached the magnitude of the largest DDoS attacks of all time, a web security services company has seen three of the largest attacks it has ever encountered. The company, Akamai, has said that the increased number of larger volumetric DDoS attacks is the new norm: since the beginning of 2021, it has observed more attacks peaking at over 50 Gbps than during the entirety of 2019.

The largest of these attacks all exceeded 800 Gbps, with two coming in at 824 Gbps and 812 Gbps, all on the same day, 24th February. A further attack of 594 Gbps was seen on 5th March.

Furthermore, Akamai has noted that the DDoS attackers are beginning to expand their reach across global regions and industries, with the number of targeted businesses now 57% higher than at the same point in 2020. Unsurprisingly, threat actors are looking for new means to bypass defences and cripple their target’s resources, including the use of new attack vectors such as the recently observed Datagram Congestion Control Protocol (DCCP), IP protocol number 33. Attacks leveraging this vector are volumetric in nature and are meant to bypass defences that only inspect the usual TCP and UDP traffic.

The end result is that 2021 DDoS campaigns are more targeted and persistent. Several of these attacks have seen the IP addresses of two specific customers targeted, with the onslaught lasting for several days. The result is the disruption of back-end environments and costly downtime that disrupts business operations even further. If this year continues as it has begun, an overall increase in the number of DDoS attacks is expected to be accompanied by a spike in large DDoS attacks of more than 50 Gbps, with organisations in different industries likely being targeted.
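Two details in the DDoS section are directly actionable for whoever watches an organisation’s edge telemetry: the 50 Gbps line Akamai uses for a large attack, and the use of DCCP (IP protocol 33), which most networks never carry legitimately. The script below is an added example, not Akamai’s or the article’s code: it aggregates constructed flow records (timestamp, destination, IP protocol, bytes; the addresses, volumes and the one-second bucket are all assumptions) and flags a bucket either when it crosses the volumetric threshold or when it carries meaningful volume of a protocol the edge is not expected to see, then summarises the peak and the number of flagged seconds per target so that persistence, not just size, is visible.

```python
from collections import defaultdict

# IANA protocol numbers used below; 33 is DCCP, the vector named in the article.
PROTO_NAMES = {6: "TCP", 17: "UDP", 33: "DCCP"}
VOLUMETRIC_GBPS = 50.0      # the "large attack" line quoted in the article
UNEXPECTED_PROTOS = {33}    # assumption: this edge never legitimately carries DCCP
UNEXPECTED_GBPS = 1.0       # any meaningful volume of an unexpected protocol is notable

# Constructed flow records: (epoch_second, dst_ip, ip_proto, bytes). Not real traffic.
SAMPLE_FLOWS = [
    (1000, "203.0.113.10", 6, 40_000_000),
    (1000, "203.0.113.10", 33, 9_000_000_000),
    (1000, "203.0.113.10", 17, 2_000_000_000),
    (1001, "203.0.113.10", 33, 8_500_000_000),
    (1001, "203.0.113.11", 6, 50_000_000),
    (1002, "203.0.113.11", 17, 7_000_000_000),
]


def aggregate(flows):
    """Sum bytes into one bucket per (second, destination, protocol)."""
    buckets = defaultdict(int)
    for ts, dst, proto, nbytes in flows:
        buckets[(ts, dst, proto)] += nbytes
    return buckets


def detect(flows):
    """Flag buckets that are volumetric, carry an unexpected protocol, or both."""
    findings = []
    for (ts, dst, proto), nbytes in sorted(aggregate(flows).items()):
        gbps = nbytes * 8 / 1e9          # bytes per one-second bucket -> gigabits per second
        reasons = []
        if gbps >= VOLUMETRIC_GBPS:
            reasons.append(f"volumetric {gbps:.1f} Gbps")
        if proto in UNEXPECTED_PROTOS and gbps >= UNEXPECTED_GBPS:
            reasons.append(f"unexpected protocol {PROTO_NAMES.get(proto, proto)} ({proto})")
        if reasons:
            findings.append({"ts": ts, "dst": dst, "proto": proto,
                             "gbps": gbps, "reasons": reasons})
    return findings


def peak_by_target(findings):
    """Highest flagged rate seen against each destination."""
    peaks = {}
    for f in findings:
        peaks[f["dst"]] = max(peaks.get(f["dst"], 0.0), f["gbps"])
    return peaks


def flagged_seconds_by_target(findings):
    """How many distinct seconds each destination was flagged: a crude persistence measure."""
    seconds = defaultdict(set)
    for f in findings:
        seconds[f["dst"]].add(f["ts"])
    return {dst: len(s) for dst, s in seconds.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_FLOWS)
    for f in found:
        print(f["ts"], f["dst"], PROTO_NAMES.get(f["proto"], f["proto"]), "; ".join(f["reasons"]))
    print("peaks:", peak_by_target(found))
    print("flagged seconds:", flagged_seconds_by_target(found))
```

On the constructed sample the two DCCP buckets against 203.0.113.10 trip both rules, the UDP bucket against 203.0.113.11 trips only the volumetric rule, and the 16 Gbps UDP bucket is left alone. In practice the protocol allow-list and the 1 Gbps floor should come from a measured baseline of the edge, and sampled NetFlow or sFlow needs its sampling rate applied to the byte counts before the Gbps conversion is meaningful.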

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.