The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
- Old dogs, new tricks. An overview of three novel threat actor attack vectors.
- A new weapon in the arsenal. AvosLocker now targets Linux-based virtual machines.
- Mandatory multi-factor authentication. Software company Salesforce enforces MFA.
- Caught in their own web. Hackers infect themselves with their own malware.
- CISA alert. Old, well known vulnerabilities are still being exploited.
- Patch time! Key patching news, including Microsoft’s January 2022 Patch Tuesday.
1. Attackers are using creative techniques to compromise their victims’ networks.
Recent media reports have revealed several novel attack methods leveraging malicious USB devices, Google Docs, and the Google Voice service.
- Cybercriminal group FIN7 has been posting malicious USB devices to several US organisations. The parcels impersonate Amazon or the US Department of Health and Human Services (HHS) and FIN7 employ traditional social engineering techniques to lure individuals into connecting the USB drives to a computer on their organisation’s network. Once connected, the device automatically installs malware onto the computer, allowing FIN7 access to the organisation’s wider network.
- Threat actors have been launching creative phishing attacks that abuse the Google Docs comment feature. The attacks exploit the fact that when a comment “mentioning” an individual is added to a Google Doc, an official Google email is sent to that individual detailing the full comment, including any malicious links in the comment. As such, threat actors can deliver malicious content via an official channel that bypasses traditional spam filters and is likely to be trusted by recipients.
- Fraudsters are using personal phone numbers shared online by individuals to set up fake Google Voice accounts and even compromise their victims’ Gmail accounts. These Google Voice accounts can then be used to conduct other attacks without being traced back to the threat actor.
SO WHAT? The techniques used by threat actors are constantly evolving. They often look to take advantage of trusted services to trick their victims into giving them access to their personal accounts or corporate networks. Employees should receive training to carefully scrutinize all communications they receive and identify potential threats.
2. AvosLocker now targets Linux-based virtual machines
AvosLocker is the latest ransomware group to specifically target Linux devices. The group has been promoting its updated Linux-focused ransomware variant on several underground forums. The new variant specifically targets VMware ESXi servers.
AvosLocker is not the only threat group to target Linux devices. Other large ransomware groups, including Hive, HelloKitty, Pysa, and BlackMatter, have been known to target Linux machines, and ESXi hosts in particular.
SO WHAT? Traditional Windows operating systems are not the only ones vulnerable to ransomware. Organisations should apply various defensive measures to protect their systems, including regular patching cycles, intrusion prevention systems, and regular backups that are well tested.
3. Salesforce introduces mandatory multi-factor authentication
Salesforce has announced that users must enable multi-factor authentication (MFA) by 1 February 2022 in order to access the company’s products. Therefore, all internal users who log into Salesforce must use MFA for each login attempt.
The rise of hybrid working models during the COVID pandemic has led to an increase in cyber security risks as threat actors take advantage of unsecure home networks. MFA is a simple but effective security measure for organisations to secure their networks, both on-premise and in the Cloud.
SO WHAT? Companies are often reluctant to implement MFA due to concerns that it may cause operational disruptions. However, Salesforce’s willingness to enforce MFA for its products adds additional weight to the argument that the significant security benefit MFA provides outweighs the temporary inconvenience it may cause to users.
4. Cybercriminals score an own goal in recent campaign
India-linked cyber espionage group Patchwork accidentally infected its own systems in the group’s latest spear phishing campaign. The attackers used weaponised Rich Text Format (RTF) files to drop the Remote Administration Trojan (RAT) variant Ragnatela. The RAT enables threat actors to capture keystrokes and screenshots, execute arbitrary commands, list and upload files, and download additional malware on compromised systems. However, Patchwork mistakenly infected its own infrastructure with the RAT which enabled researchers to analyse their operations.
SO WHAT? Well, we all need some good news occasionally.
5. CISA warns of ancient bugs still exploited
The US Cyber and Infrastructure Security Agency (CISA) has updated its list of known vulnerabilities that are frequently exploited to compromise federal organisations. Of the fifteen additions to the list, eleven are older than two years. The list includes several critical vulnerabilities, including a 2015 remote code execution (RCE) vulnerability. CISA has requested that federal agencies remediate the vulnerabilities in January 2022 and recommends regularly conducting updates as per vendor instructions.
SO WHAT? Security teams should confirm whether any of the CISA security issues included in the list apply to their own organisation and consider proactively remediating them.
6. Patch Time!
- Microsoft’s January 2022 Patch Tuesday update addresses over 90 vulnerabilities, including nine marked as “critical”. The update also details six zero-day vulnerabilities. Earlier this month, Microsoft also released patches for 24 vulnerabilities in its web browser Microsoft Edge. Many of the vulnerabilities addressed by Microsoft allow for RCE.
- Adobe’s January 2022 Patch Tuesday update addresses 41 vulnerabilities across its software offerings.
- All WordPress versions between 3.7 and 5.8 were updated to address four vulnerabilities, three of which have “high severity” ratings.
Fortunately, there have been no reports of any of these vulnerabilities being actively exploited in the wild.
SO WHAT? A key security maxim for any organisation is to know what software is being employed in your estate, stay alert for any news of vulnerabilities or patches relating to that software, and implement available patches as soon as possible. As always, Microsoft’s patch updates can be found here.