
Cyber Intelligence Briefing: 15 January 2021

Billy Gouveia, Mona Damian 15 January 2021


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.

Security Round-up

SolarWinds: the tip of the iceberg

  • SolarWinds has provided an update on its investigation into the SUNBURST malware. Attackers first compromised SolarWinds’ development environment on 4 September 2019 and then began testing code designed to inject backdoors into Orion, a suite of SolarWinds tools used by many large global organisations.[1]
  • Technical analysis revealed that the intruders tried to deduce whether their specifically-designed ‘SUNSPOT’ malware could insert a malicious backdoor into Orion products without tripping alarms.[2]
  • The US Department of Justice (DOJ) confirmed that it too was caught up in the SolarWinds attack. Reportedly, hackers leveraged the trojanised Orion update to move across the DOJ’s network and access some employees’ O365 mailboxes.[3]

So what for security teams? Review your network hardening and threat hunting capabilities. 

So what for software development teams? Look to integrate security throughout the development process by designing security requirements, applying ongoing static and dynamic analysis, and conducting code reviews and penetration tests. (See here for more information regarding integrating security into the DevOps cycle with DevSecOps).

Another link in the supply chain: Ubiquiti suffers a data breach

  • Networking device manufacturer and cloud management platform Ubiquiti suffered a data breach. Best known for its UniFi wired and wireless network products, Ubiquiti became aware of the breach after it noticed unauthorised access to cloud-hosted IT systems.[4]
  • This data breach may be related to a widespread outage to Ubiquiti’s cloud management platform that prevented use of web and mobile applications to manage their devices.

So what? Because hackers are targeting organisations to gain access to their customers, businesses should increase the scrutiny of their digital supply chains and re-evaluate their vendor risk management controls.

Sophisticated threat actor compromises Mimecast authentication certificate

  • A threat actor successfully compromised a Mimecast certificate that is used to authenticate to Microsoft 365 Exchange Web Services. Mimecast, a global cloud security provider, was compromised in a hack that enabled the threat actor to use one of its digital certificates to gain access to its clients’ Office 365 accounts. While the incident has affected approximately 10 percent of Mimecast’s customer base, only a small number of Mimecast customers have had their Microsoft 365 tenancies targeted so far.[5]
  • Although several security companies, including CrowdStrike, have confirmed attempted attacks by the threat actors behind the SolarWinds breach, Mimecast has not stated that the “sophisticated threat actor” is the same as that involved in the SolarWinds attack.

So what? If you use Mimecast’s Sync and Recover, Continuity Monitor and Internal Email Protect (IEP) products, refer to Mimecast’s latest update for urgent mitigation measures.

Ransomware: Enter China? Targeting Executives' Data?

  • The Chinese threat group, APT27, has reportedly added ransomware to its repertoire. Although Chinese APT (Advanced Persistent Threat) groups are not traditionally linked to financially-motivated cybercrimes, researchers found malware code, tactics, techniques, and procedures that are closely associated with APT27 in several recent ransomware incidents.[6]
  • Data on devices belonging to senior executives and leadership teams are increasingly being targeted by ransomware groups in search of information that can be used to extort their victims into paying ransoms.[7] Ransomware groups have been cold-calling executives to maximise their extortion operations, and now ZDNet reports that a ransomware group has been prioritising data exfiltration from senior executives’ workstations.

So what? Review hardening and monitoring procedures for senior leader devices, conduct focused security awareness training, and involve leadership in response exercises.

Mobile security: Android malware exposed and Google uncovers hacking campaign

  • A new strain of Android malware, Rogue, has been identified on underground forums. The mobile remote administration access tool (MRAT) can access, monitor, modify, or exfiltrate sensitive user data including location, contacts, messages, files, and calls.[8] (Refer to Check Point's research paper for further details.)[9]
  • Google’s bug-hunting team has reported a hacking campaign exploiting zero- and n-day vulnerabilities on Windows and Android phones.[10] The campaign took place in early 2020, although Google has not disclosed the attacker’s identity nor the victims targeted.[11]

So what? Swiftly update mobile operating systems and maintain user vigilance when downloading applications from online stores.

Capitol riots: We the People, on social media

  • Last week’s riots at the US Capitol saw the fears of those researching online extremism realised. Although security researchers had warning of increased online extremist chatter, US lawmakers are asking why the security apparatus was surprised when rioters stormed the Capitol last week.[12] 
  • Tech companies took decisive (and divisive) action. Twitter permanently suspended @realDonaldTrump, while Facebook banned ‘stop the steal’ content. Parler, an alternative social media platform, was removed from Amazon’s cloud hosting service as well as from the Apple and Google Play stores.[13] The riots and responses by tech companies have prompted debate on revising Section 230,[14] the US law that provides immunity for websites from user content.
  • In other social media developments, messaging apps Signal and Telegram saw a spike in new users while WhatsApp downloads declined by 17 percent.[15] This is largely attributed to controversial changes to WhatsApp’s privacy terms, as the app looks to merge with Facebook’s Messenger app.[16]

So what for security teams? Consider how threats made in the digital realm can turn physical and how monitoring for online threats can help you contain emerging risks to your organisation and people.

Further reading

  • Earlier this week was Microsoft’s monthly Patch Tuesday, where Microsoft patched 83 vulnerabilities, including one zero-day vulnerability (CVE-2021-1647) in its Defender antivirus that was being actively exploited in the wild.[17]
  • Capcom, the Japanese gaming company, has announced that as many as 390,000 people may be affected by a data breach originating from a ransomware attack it suffered in November last year.[18] This follows our story last week regarding gaming companies being increasingly targeted by cybercriminals.
  • Microsoft has updated its Sysmon utility to detect Process Herpaderping and Process Hollowing attacks.[19] Both attacks involve altering content to hide malicious processes.
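As an added illustration (not code from the briefing, S-RM or Microsoft), the snippet below parses Sysmon events and pulls out the ProcessTampering records (Event ID 25) that the updated Sysmon emits when a process image is replaced or locked in the way hollowing and herpaderping do. The sample events are constructed, and the field names and "Type" strings assume the Event ID 25 schema as documented for Sysmon 13.

```python
"""Pick out Sysmon ProcessTampering (Event ID 25) records, which Sysmon 13
raises when a process image is tampered with (hollowing / herpaderping).
The XML below is a constructed sample, not a real capture."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: one ProcessTampering event, one ordinary ProcessCreate.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>25</EventID></System>
 <EventData>
  <Data Name="RuleName">-</Data>
  <Data Name="Image">C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe</Data>
  <Data Name="Type">Image is replaced</Data>
  <Data Name="ProcessId">4120</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1</EventID></System>
 <EventData>
  <Data Name="Image">C:\\Windows\\System32\\notepad.exe</Data>
  <Data Name="ProcessId">2210</Data>
 </EventData>
</Event>
</Events>"""

# Directories from which a legitimately replaced image is less surprising;
# anything else is reported with a higher priority (assumed heuristic).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


def parse_events(xml_text):
    """Yield (event_id, {field: value}) for each <Event> in the document."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        eid = int(ev.find("e:System/e:EventID", NS).text)
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        yield eid, data


def find_process_tampering(xml_text):
    """Return (pid, image, type, priority) for every Event ID 25 record."""
    hits = []
    for eid, data in parse_events(xml_text):
        if eid != 25:
            continue
        image = data["Image"]
        trusted = image.lower().startswith(TRUSTED_PREFIXES)
        priority = "medium" if trusted else "high"
        hits.append((int(data["ProcessId"]), image, data["Type"], priority))
    return hits
```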

References:

[1] ‘New Findings From Our Investigation of SUNBURST’, Orange Matter, 11 January 2021.

[2] ‘SUNSPOT: An Implant in the Build Process’, CrowdStrike, 11 January 2021.

[3] ‘SolarWinds fallout: DOJ says hackers accessed its Microsoft O365 email server’, ZDNet, 6 January 2021.

[4] ‘Networking giant Ubiquiti alerts customers of potential data breach’, Bleeping Computer, 11 January 2021.

[5] ‘Hackers Compromise Mimecast Certificate For Microsoft Authentication’, CRN, 11 January 2021.

[6] ‘Chinese espionage group APT27 moves into ransomware’, SCMagazine, 4 January 2021.

[7] ‘Some ransomware gangs are going after top execs to pressure companies into paying’, ZDNet, 9 January 2021.

[8] ‘Rogue Android RAT Can Take Control of Devices, Steal Data’, SecurityWeek, 13 January 2021.

[9] ‘Going Rogue – a Mastermind behind Android Malware Returns with a New RAT’, Check Point Research, 12 January 2021.

[10] ‘Google discloses hacking campaign targeting Windows, Android users’, Bleeping Computer, 13 January 2021.

[11] ‘Introducing the In-the-Wild Series’, Project Zero, 12 January 2021.

[12] ‘Social-Media Watchdogs Detect Signs of Ongoing Extremist Threat’, Wall Street Journal, 11 January 2021.

[13] ‘Parler has now been booted by Amazon, Apple and Google’, CNN, 11 January 2021.

[14] ‘How the Capitol riot revived calls to reform Section 230’, Vox, 11 January 2021.

[15] ‘Signal sees "unprecedented" growth after WhatsApp controversy’, Reuters, 13 January 2021.

[16] Ibid.

[17] ‘Microsoft January 2021 Patch Tuesday fixes 83 flaws, 1 zero-day’, Bleeping Computer, 12 January 2021; ‘Microsoft patches Defender antivirus zero-day exploited in the wild’, Bleeping Computer, 12 January 2021.

[18] ‘Capcom: 390,000 people may be affected by ransomware data breach’, Bleeping Computer, 12 January 2021.

[19] ‘Microsoft Sysmon adds support for detecting Process Herpaderping attacks’, ZDNet, 11 January 2021.
