
Cyber Intelligence Briefing: 23 July 2021

Billy Gouveia, Kyle Schwaeble 23 July 2021

CHALLENGING INSECURITY: A ROADMAP TO CYBER CONFIDENCE

In our latest report, we demystify the drivers of insecurity among cyber security professionals and, in doing so, map a path to cyber confidence.


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

OVERVIEW


Pegasus targeted journalists, activists, and politicians

A collection of 17 media organisations has revealed evidence that Pegasus, a spyware developed by Israel-based technology firm NSO Group, may have been abused to monitor targets of the firm’s government clients. This allegedly includes journalists, lawyers, politicians, and human rights activists.

Pegasus can infect a mobile phone and allow operators to access all the data on, and potentially control, the device. NSO Group insists its products are only sold to countries with good human rights records and that Pegasus is solely used in national security and law enforcement investigations. Despite these statements, the evidence revealed by the media consortium suggests that many individuals with no ostensible link to criminal activity may have been monitored.

SO WHAT? In light of these revelations, the topic of government surveillance is likely to come under increased scrutiny. Similarly, NSO Group and the Israeli government may face legal and diplomatic action as a result.


US, UK, and allies officially attribute Exchange Server attacks to China

  • The US, UK, and other allies have officially blamed China for the widespread compromise of Microsoft Exchange servers earlier this year as part of a state-sponsored cyber espionage campaign. This was expected as HAFNIUM, the threat group understood to be behind the majority of attacks, is widely believed to be affiliated with the Chinese government.
  • In a separate move, the US Department of Justice indicted four members of APT 40, a Chinese state-sponsored threat group, for various cyber-attacks against US entities between 2011 and 2018. All four individuals worked as intelligence officers for a provincial arm of China’s Ministry of State Security.

SO WHAT? Despite these latest moves, and the US’ increasingly combative stance against alleged Russian cyber activities, the threat from state-sponsored groups remains significant and there is no indication of it slowing down.


Elevation of privilege vulnerability uncovered in Windows 10

A security researcher has uncovered a local privilege escalation vulnerability affecting all Windows 10 versions released since October 2018. The vulnerability, dubbed SeriousSAM, allows users with low privileges to access sensitive Registry files. This includes the Security Account Manager (SAM) database, which contains hashed passwords for all users. By exploiting the vulnerability and accessing these passwords, a threat actor can elevate their privileges on the local machine.

SO WHAT FOR SECURITY TEAMS? Until an official patch is released, organisations should follow Microsoft’s temporary workaround to block exploitation of the vulnerability.
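A read-only audit that checks the condition SeriousSAM depends on, namely whether the SAM, SYSTEM and SECURITY hive files are readable by the built-in Users group. This is an added example for defenders, not code from the briefing or from Microsoft; it assumes a default %SystemRoot%\System32\config location and tests only the BUILTIN\Users SID (S-1-5-32-545).

```powershell
# Added example, not part of the S-RM briefing or Microsoft's advisory.
# Read-only audit: reports whether the SAM, SYSTEM and SECURITY hive files
# under %SystemRoot%\System32\config grant read access to BUILTIN\Users
# (SID S-1-5-32-545), the over-permissive ACL that SeriousSAM relies on.

function Test-HiveAclExposure {
    [CmdletBinding()]
    param(
        [string[]]$HiveNames = @('SAM', 'SYSTEM', 'SECURITY')
    )

    $usersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'
    $readBit  = [System.Security.AccessControl.FileSystemRights]::ReadData

    foreach ($name in $HiveNames) {
        $path = Join-Path $env:SystemRoot "System32\config\$name"
        try {
            # The hive file is locked for content reads, but its security
            # descriptor can still be queried, which is all this check needs.
            $acl = Get-Acl -Path $path -ErrorAction Stop
        } catch {
            Write-Warning "Could not read ACL of ${path}: $($_.Exception.Message)"
            continue
        }

        $readable = $false
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Compare by SID so the check works regardless of display language.
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier])
            if ($sid -eq $usersSid -and (($ace.FileSystemRights -band $readBit) -ne 0)) {
                $readable = $true
                break
            }
        }

        [PSCustomObject]@{
            Hive            = $name
            Path            = $path
            ReadableByUsers = $readable
            Status          = if ($readable) { 'VULNERABLE' } else { 'OK' }
        }
    }
}

# One row per hive; any 'VULNERABLE' row means the workaround is still needed.
Test-HiveAclExposure | Format-Table -AutoSize
```

Tightening the ACL on the live files does not change copies of the hives held in existing Volume Shadow Copies, which is why Microsoft's workaround also covers shadow copies.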


Organisations experience data breaches stemming from third parties

SO WHAT? Organisations should conduct regular third party risk assessments to ensure that any third party that holds sensitive data has the necessary cyber security controls in place to protect this data.


SonicWall devices are HelloKitty’s newest target

Cybercrime groups are exploiting unpatched and end-of-life SonicWall devices in ransomware attacks. HelloKitty, a threat group understood to be based in Russia, is reportedly the primary culprit of the recent wave of these attacks exploiting CVE-2019-7481.

SO WHAT? Vulnerable devices should either be patched or disconnected. See SonicWall’s advisory for information on how to mitigate this vulnerability.


Florida-based cloud-hosting provider Cloudstar targeted in ransomware attack

On 16 July, a ransomware attack took down the majority of Cloudstar’s infrastructure. The company, which operates several data centres in the US, serves the title insurance, real estate, and financial sectors.

Cloudstar has started negotiations with the hackers. However, with no estimated recovery timeline announced, concerns have been raised about the knock-on impact the attack will have on customer operations, such as preventing real-estate brokers from registering transactions and consumers from closing loans.

SO WHAT? Incidents at cloud-hosting providers can cause significant disruption for customers. Organisations should have business continuity plans in place in case of service outages, especially given the ever-increasing prevalence and disruption caused by ransomware attacks.


Printer vulnerability threatens millions of HP, Samsung, and Xerox devices

A 16-year-old privilege escalation vulnerability affecting HP, Samsung, and Xerox printers has been uncovered. If exploited, attackers could bypass security measures, modify data, and run code in kernel mode. While the vulnerability has not yet been observed being exploited in the wild, millions of enterprises and users are exposed.

SO WHAT FOR SECURITY TEAMS? Install the security patches released by HP and Xerox.

Cyber Threat Intelligence Briefing

To discuss this article or other industry developments, please reach out to one of our experts.

Billy Gouveia, Senior Managing Director
Kyle Schwaeble, Analyst

CYBER INCIDENT RESPONSE: PERSPECTIVES FROM INSIDE THE RISK ECOSYSTEM

In our latest report, we examine a cyber incident from the perspective of several key stakeholders.
