The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
- A bad week for the bad guys. Several ransomware groups under pressure from law enforcement.
- MediaMarkt ransomware attack. Hive initially demands a USD 240 million ransom.
- The insider threat. Survey reveals organisations are lacking visibility into employee activity.
- Active campaign. Alleged state-sponsored hackers are targeting vulnerable Zoho password management software.
- Chatex sanctioned. The US sanctions the cryptocurrency exchange for facilitating cybercrime.
- Patch Tuesday. Microsoft’s November Patch Tuesday and CISA cracks down on vulnerabilities.
1. A bad week for the bad guys
- The US Department of Justice has announced the arrest of an alleged member of the REvil ransomware group. Authorities have also seized USD 6.1 million in cryptocurrency owned by another REvil affiliate, who has been indicted but is yet to be arrested.
- The BlackMatter ransomware group has announced it is shutting down its operations due to pressure from law enforcement authorities.
- The US State Department has offered a USD 10 million reward for information leading to the identification or location of leaders of the DarkSide ransomware gang. Such a large reward is unprecedented and will be an attractive incentive to threat actors familiar with those behind DarkSide.
- Finally, new information has come to light on an international law enforcement operation headed by Interpol that led to the arrest of six alleged affiliates of the Clop ransomware group in June 2021. Interpol has also issued Red Notices, which name internationally wanted fugitives, for two further Clop affiliates.
SO WHAT? These cases demonstrate the growing pressure that ransomware gangs face from law enforcement agencies across the world.
2. MediaMarkt suffers a ransomware attack
MediaMarkt, Europe's largest consumer electronics retailer, suffered a ransomware attack on Sunday. Reports indicate that the threat actor, Hive, initially demanded a USD 240 million ransom but reduced it to USD 50 million during negotiations.
The incident affected MediaMarkt's IT systems, preventing customers from completing orders or returns. There is no indication that MediaMarkt has paid the ransom.
SO WHAT? Before demanding a ransom, threat actors often research their victim’s financial statements and whether or not they have cyber insurance cover in order to set a high, but realistic, ransom from the outset.
3. Organisations lack visibility of user activity in business applications
A survey of 900 security leaders found that 80% of organisations had experienced employees misusing or abusing business applications. Furthermore, 48% of respondents reported that they had limited ability to view and audit employee activity, increasing the chance that an insider incident goes undetected.
SO WHAT? A cyber incident caused by an insider, whether deliberate or accidental, is one of the biggest risks facing any business. Organisations should ensure that permissions are assigned according to the principle of least privilege, that access reviews are conducted regularly, and that appropriate user auditing is in place. Auditing and access reviews reinforce each other: an entitlement that never appears in the audit trail is either unused and should be removed, or is being used somewhere the organisation cannot see.
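The following script is an added example, not part of the briefing or of the survey it cites. It shows what a lightweight, repeatable access review looks like in practice: a hypothetical entitlement export is compared against a hypothetical application audit log (both constructed inline), and each privilege is flagged as unused, stale, or high-risk so that an owner can revoke or re-approve it. The application names, privilege names and the 60-day staleness threshold are assumptions for illustration.

```python
"""Least-privilege access review over a constructed application audit trail.

Added example, not from the S-RM briefing. The entitlement export, the
audit log format and the application names are all hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed entitlement export: (user, application, privilege).
ENTITLEMENTS = [
    ("alice", "crm", "read"),
    ("alice", "crm", "export_all"),
    ("bob", "crm", "read"),
    ("bob", "payroll", "admin"),
    ("carol", "payroll", "read"),
    ("carol", "payroll", "admin"),
    ("dave", "crm", "read"),
]

# Constructed audit log: ISO timestamp, user, application, privilege used.
AUDIT_LOG = """\
2021-11-01T09:12:00 alice crm read
2021-11-08T14:03:00 bob crm read
2021-11-10T11:20:00 carol payroll admin
2021-11-11T16:45:00 carol payroll read
2021-09-02T08:00:00 bob payroll admin
"""

# Privileges that need explicit owner sign-off at every review regardless of use.
HIGH_RISK = {"admin", "export_all"}


def parse_audit_log(text):
    """Return {(user, app, privilege): datetime of most recent use}."""
    last_used = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, priv = line.split()
        when = datetime.fromisoformat(ts)
        key = (user, app, priv)
        if key not in last_used or when > last_used[key]:
            last_used[key] = when
    return last_used


def review_entitlements(entitlements, last_used, as_of, stale_days=60):
    """Classify each entitlement for the reviewer.

    unused    : never seen in the audit trail
    stale     : last used more than stale_days before as_of
    high_risk : privilege in HIGH_RISK (re-approve even if in active use)
    Returns {finding: [(user, app, privilege), ...]} in entitlement order.
    """
    cutoff = as_of - timedelta(days=stale_days)
    findings = defaultdict(list)
    for ent in entitlements:
        used = last_used.get(ent)
        if used is None:
            findings["unused"].append(ent)
        elif used < cutoff:
            findings["stale"].append(ent)
        if ent[2] in HIGH_RISK:
            findings["high_risk"].append(ent)
    return dict(findings)


def users_without_audit_coverage(entitlements, last_used):
    """(user, app) pairs that hold privileges but generate no audit events.

    This is the visibility gap the survey describes: misuse by these users
    in these applications would never show up in the logs.
    """
    active = {(u, a) for (u, a, _) in last_used}
    return sorted({(u, a) for (u, a, _) in entitlements if (u, a) not in active})


def run_review(as_of_iso="2021-11-12"):
    """Run the review on the constructed data; returns (findings, blind_spots)."""
    last_used = parse_audit_log(AUDIT_LOG)
    findings = review_entitlements(ENTITLEMENTS, last_used, datetime.fromisoformat(as_of_iso))
    return findings, users_without_audit_coverage(ENTITLEMENTS, last_used)


if __name__ == "__main__":
    findings, blind_spots = run_review()
    for kind, items in findings.items():
        print(kind, items)
    print("no audit coverage:", blind_spots)
```

Run against the constructed data, the review flags alice's export_all and dave's crm access as unused, bob's payroll admin as stale, and dave as a user with entitlements but no audit coverage at all. In a real deployment the two inputs would come from the application's entitlement export and its audit log; the logic does not change.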
4. Energy, Healthcare, and Defence organisations breached by nation-state hackers
Threat actors are actively exploiting the Zoho password management vulnerability that was discovered and patched in September 2021. At least nine entities across critical sectors have been compromised, and a further 11,000 internet-exposed servers are reportedly still running the vulnerable software.
The threat actors behind the campaign have been linked to the Chinese state-sponsored group, APT27, although this connection has not yet been confirmed.
SO WHAT FOR SECURITY TEAMS? If your servers are running the vulnerable Zoho software, carry out the necessary updates immediately. Details on how to do so can be found here. Because the vulnerability has been exploited in the wild since before the patch was available, patching alone is not sufficient: any internet-exposed server that ran the vulnerable version should also be reviewed for signs of prior compromise before it is considered clean.
5. US sanctions Chatex cryptoexchange
The US Treasury Department has announced sanctions against the cryptocurrency exchange Chatex for allegedly facilitating ransom payments to ransomware groups. Over half of the transactions on the Chatex exchange have been linked to illicit or high-risk activities such as darknet markets and ransomware attacks.
SO WHAT? Individuals and organisations should confirm that they do not transact with sanctioned entities, including cryptocurrency exchanges.
6. Patch patch patch!
- Microsoft’s November Patch Tuesday has fixed 55 software vulnerabilities, including six zero-days. Of particular note are the two actively exploited vulnerabilities: CVE-2021-42292, a security feature bypass in Microsoft Excel; and CVE-2021-42321, a post-authentication remote code execution vulnerability in Microsoft Exchange Server. On-premises Exchange servers have been one of the most attractive targets for threat actors this year.
- Elsewhere, the US Cybersecurity and Infrastructure Security Agency (CISA) released a catalogue of almost 300 known exploited vulnerabilities and issued a binding operational directive requiring all US federal agencies to remediate them. Agencies have two weeks to patch vulnerabilities with a 2021 CVE identifier, and six months to patch all others.
SO WHAT? Organisations should have an established patch management process and address vulnerabilities as they arise. CISA’s catalogue is a useful prioritisation input for non-federal organisations too: a vulnerability listed there is, by definition, being exploited, and should jump the queue ahead of anything ranked only by severity score. Microsoft’s patch updates can always be found here.
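As an added example (not from the briefing, and not CISA's own tooling), the script below applies the directive's two deadlines to a catalogue excerpt and joins it against a host inventory, producing a patch queue ordered by days remaining. CISA publishes the catalogue as JSON whose entries carry, among other fields, cveID, vendorProject, product and dateAdded; the excerpt here is constructed in that shape, and its dateAdded values, the inventory hosts and the 180-day approximation of "six months" are assumptions for illustration rather than the real catalogue entries.

```python
"""Patch-deadline triage against a KEV-style catalogue.

Added example, not from the S-RM briefing or from CISA. The catalogue
excerpt, its dateAdded values and the host inventory are constructed.
"""
import json
from datetime import date, timedelta

# Constructed catalogue excerpt in the shape of CISA's JSON feed. The CVE IDs
# are the two actively exploited bugs from this week's Patch Tuesday; the
# dateAdded values are assumptions, not the real catalogue dates.
SAMPLE_CATALOG = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2021-42321", "vendorProject": "Microsoft",
         "product": "Exchange Server", "dateAdded": "2021-11-17"},
        {"cveID": "CVE-2021-42292", "vendorProject": "Microsoft",
         "product": "Excel", "dateAdded": "2021-11-17"},
    ]
})

# Constructed inventory: host -> CVE IDs still unpatched at the last scan.
INVENTORY = {
    "exch01": ["CVE-2021-42321"],
    "fin-laptop-07": ["CVE-2021-42292"],
    "web02": [],
}


def remediation_deadline(cve_year, date_added_iso):
    """Apply the directive's rule: 2021 IDs get two weeks, older IDs six months.

    "Six months" is approximated here as 180 days (an assumption). Dates are
    ISO strings in and out so the function is easy to use from a shell wrapper.
    """
    added = date.fromisoformat(date_added_iso)
    window = timedelta(days=14) if cve_year >= 2021 else timedelta(days=180)
    return (added + window).isoformat()


def load_catalog(text):
    """Parse a KEV-shaped JSON document into {cveID: entry with 'deadline'}."""
    catalog = {}
    for entry in json.loads(text)["vulnerabilities"]:
        cve_id = entry["cveID"]
        year = int(cve_id.split("-")[1])
        entry = dict(entry)
        entry["deadline"] = remediation_deadline(year, entry["dateAdded"])
        catalog[cve_id] = entry
    return catalog


def triage(inventory, catalog, today_iso):
    """Join unpatched findings against the catalogue.

    Returns [(host, cveID, deadline, days_left)] sorted so the most urgent
    (already overdue, then soonest) comes first. CVEs not in the catalogue are
    ignored here: they still need patching, but not on the directive's clock.
    """
    today = date.fromisoformat(today_iso)
    queue = []
    for host, cves in inventory.items():
        for cve_id in cves:
            entry = catalog.get(cve_id)
            if entry is None:
                continue
            days_left = (date.fromisoformat(entry["deadline"]) - today).days
            queue.append((host, cve_id, entry["deadline"], days_left))
    return sorted(queue, key=lambda item: (item[3], item[0]))


def run_triage(today_iso="2021-11-20"):
    """Run triage over the constructed data."""
    return triage(INVENTORY, load_catalog(SAMPLE_CATALOG), today_iso)


if __name__ == "__main__":
    for host, cve_id, deadline, days_left in run_triage():
        state = "OVERDUE" if days_left < 0 else f"{days_left} days left"
        print(f"{host:14} {cve_id:16} due {deadline} ({state})")
```

With today set to 20 November 2021, both constructed entries fall due on 1 December, eleven days out; an entry for a pre-2021 CVE added on the same day would instead land in May 2022. The host loop is where real scanner output would be plugged in.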