Cyber Intelligence Briefing: 12 March 2021

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.

• Microsoft Exchange servers under attack: APTs pile in on Exchange ProxyLogon vulnerabilities.  
• Airline supply chain breach: Data of 580,000+ frequent flyer customers compromised. 
• Smile! You’re on camera: Hackers access over 150,000 CCTV cameras in Verkada breach. 
• Up in flames: OVH data centres destroyed by fire. Numerous customers impacted.  
• Ransomware round-up: REvil updates modus operandi. Governments and hospitals under attack. 
• Phishing latest: New phishing campaign leverages Google reCAPTCHA. 
• Get your patch on! Microsoft’s Patch Tuesday addresses 89 new vulnerabilities. 

Microsoft Exchange servers under attack 

• Besides the Chinese actor HAFNIUM, at least 10 APTs are reportedly hunting for unpatched Exchange servers.^[1] The list of victims continues to grow, while 46,000 servers are still vulnerable.^[2]

• What to do now:  1) Patch and continue to track Microsoft’s continuing Exchange server security updates;^[3] 2) Scan: Microsoft has updated its MSERT tool to find web shells from Exchange server attacks;^[4] 3) Investigate: If you find signs the vulnerabilities were exploited, conduct a forensic investigation. 

So what? Time critical patching and scanning for indicators of compromise has never been more important. Read S-RM’s additional advice on Exchange ProxyLogon vulnerabilities.    

Airline’s supply chain breach takes off  

• SITA, an IT provider for around 400 companies in the airline industry, suffered a coordinated supply chain attack. The adversaries compromised frequent flyer data belonging to over 580,000 passengers. However, no passwords, email addresses, or credit card information was compromised.^[5]  
• Singapore Airlines was also impacted, despite not being a SITA customer. The airline shared a restricted set of data to facilitate membership tier status verification. 

So what? Organisations should leverage vendor risk management programs to confirm suppliers have  essential security controls in place.   

Smile! You’re on camera 

• A hacker group used leaked admin credentials to access over 150,000 live surveillance feeds owned by security camera company Verkada.^[6] The hackers found a username and password for a “Super Admin” account publicly exposed on the internet, allowing them root access to the cameras. 
• The group have access to complete video archives of Verkada’s customers, as well as live feeds. Locations using these affected cameras include prisons, hospitals, schools, and a Tesla supplier’s production site.^[7] 

So what? Organisations should thoroughly review the security of IoT devices and the implications if such devices are breached. 

OVH datacentres go up in flames 

• OVH, a cloud computing company, suffered a fire at its Strasbourg facility on Wednesday, destroying one datacentre and damaging another.^[8] Although not damaged in the fire, two further datacentres were also taken offline. 
• Numerous organisations have been affected, with the incident rendering many OVH customers’ web services inaccessible.^[9] Some customers have even experienced a complete loss of data, with no prospect of recovery.   

So what? Even the most advanced cyber security can’t protect organisations from physical incidents like this. The event underscores the importance of regular backups that are tested and stored securely.    

Ransomware round-up 

• REvil ransomware group announce plan to leverage DOS attacks and VOIP calls to victim’s business partners and journalists. The group plans to use both tactics to exert additional pressure on its victims to pay a ransom.^[10]  
• Ryuk ransomware hits Spanish government agency for labour, affecting 700 offices nationwide.^[11] The Spanish government has extended benefits applications while systems are out of service. We reported on Ryuk last week. 
• Third French hospital in four weeks suffers ransomware attack.^[12] The hospital’s system to monitor medicine supplies is impacted and comes at a crucial time in France’s COVID-19 vaccination rollout.  

So what? Update your ransomware plans and playbooks to now include DOS attacks and phone calls to your affiliates. Ransomware remains a top threat transcending across sectors.   

Phishing campaign leverages Google reCAPTCHA  

• A new phishing campaign aims to steal Microsoft Office 365 credentials.^[13] A fake Google reCAPTCHA and personalised Microsoft login page are leveraged to trick victims into disclosing their corporate credentials.  
• Over 2,500 phishing emails have been detected in this campaign, predominantly targeting senior business leaders in the banking and IT sector. 

So what? Phishing campaigns will continue to leverage ‘legitimate’ systems to deceive victims. Train your employees on how to identify personalised phishing attempts.   

Patch Tuesday!  

• Microsoft released patches for 89 vulnerabilities, 14 of which are marked as ‘critical’.^[14] Five of these (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 and CVE-2021-26411) are being actively exploited in the wild.  
• Two Windows 10 updates – KB5000802 and KB50000808 – are reportedly causing systems to crash when attempting to print.^[15] If affected, uninstall these two updates to alleviate the issue. 

So what? Install the patches as soon as possible and look out for printing-related issues.  

References:

[1] Exchange servers under siege from at least 10 APT groups, We Live Security by ESET, 10 March 2021. 

[2] More than 46,000 Exchange servers still unpatched, Recorded Future, 9 March 2021. 

[3] Released: March 2021 Exchange Server security Updates, Exchange Team Blog.

[4] MSERT tool now find web shells from Exchange Server attacks, BleepingComputer, 7 March 2021.

[5] SITA Supply Chain Breach Hits Multiple Airlines, ZDNet, 5 March 2021.

[6] Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals, Bloomberg, 9 March 2021. 

[7] Tesla says Shanghai factory not hacked after breach of Verkada surveillance cameras, Reuters, 9 March 2021.

[8] Fire at Our Strasbourg Site, OVHcloud, 10 March 2021.  

[9] OVH data center burns down knocking major sites offline, Bleeping Computer, 10 March 2021. 

[10] Ransomware gang plans to call victim's business partners about attacks, BleepingComputer, 6 March 2021. 

[11] Ryuk ransomware hits 700 Spanish government labor agency offices, BleepingComputer, 10 March 2021. 

[12] Third French Hospital hit by cyberattack, Security Week, 9 March 2021.

[13] Fake Google reCAPTCHA Phishing Attack Swipes Office 365 Passwords, Threat Post, 8 March 2021. 

[14] Microsoft Patch Tuesday Updates Fix 14 Critical Bugs, Threat Post, 9 March 2021.

[15] Windows 10 crashes when printing due to Microsoft March updates, BleepingComputer, 10 March 2021.