The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
- Pegasus Project. NSO Group’s spyware allegedly used to target journalists, activists, and politicians.
- Official attribution. China accused of being responsible for widespread compromise of Exchange servers in 2021.
- Admin privileges for anyone? Researcher discovers Windows 10 zero-day vulnerability.
- Data breach round-up. Data breaches affecting Saudi Aramco and various healthcare companies.
- Cloudstar down. Ransomware attack against US cloud-hosting provider causes business disruption for its customers.
- SonicWall devices under threat. Threat actors are targeting vulnerable SonicWall devices in ransomware attacks.
- Another printer vulnerability. A driver shipped with millions of HP, Samsung, and Xerox printers puts the Windows hosts that use them at risk of compromise.
Pegasus targeted journalists, activists, and politicians
A collection of 17 media organisations has revealed evidence that Pegasus, a spyware developed by Israel-based technology firm NSO Group, may have been abused to monitor targets of the firm’s government clients. This allegedly includes journalists, lawyers, politicians, and human rights activists.
Pegasus can infect a mobile phone and allow operators to access all the data on, and potentially control, the device. NSO Group insists its products are only sold to countries with good human rights records and that Pegasus is solely used in national security and law enforcement investigations. Despite these statements, the evidence revealed by the media consortium suggests that many individuals with no ostensible link to criminal activity may have been monitored.
SO WHAT? In light of these revelations, the topic of government surveillance is likely to come under increased scrutiny. Similarly, NSO Group and the Israeli government may face legal and diplomatic action as a result.
US, UK, and allies officially attribute Exchange Server attacks to China
- The US, UK, and other allies have officially blamed China for the widespread compromise of Microsoft Exchange servers earlier this year as part of a state-sponsored cyber espionage campaign. This was expected as HAFNIUM, the threat group understood to be behind the majority of attacks, is widely believed to be affiliated with the Chinese government.
- In a separate move, the US Department of Justice indicted four Chinese nationals linked to APT40, a Chinese state-sponsored threat group, for cyber-attacks against US and foreign entities between 2011 and 2018. Three of the four were intelligence officers of the Hainan State Security Department, a provincial arm of China’s Ministry of State Security; the fourth worked for a front company the department used to run its operations.
SO WHAT? Despite these latest moves, and the US’s increasingly combative stance against alleged Russian cyber activity, the threat from state-sponsored groups remains significant and there is no indication of it abating.
Elevation of privilege vulnerability uncovered in Windows 10
A security researcher has uncovered a local privilege escalation vulnerability affecting all Windows 10 versions released since October 2018. The vulnerability, dubbed SeriousSAM (also known as HiveNightmare and assigned CVE-2021-36934 by Microsoft), stems from overly permissive access control lists on the Registry hive files under %windir%\system32\config, which grant read access to the built-in Users group. This includes the Security Account Manager (SAM) database, which holds the NTLM password hashes of all local accounts, together with the SECURITY and SYSTEM hives needed to decrypt them. Because Windows keeps the live hive files open, a low-privileged user reads them from a Volume Shadow Copy (VSS) snapshot instead; with the hashes in hand, a threat actor can elevate their privileges on the local machine, for example by reusing a local administrator hash.
SO WHAT FOR SECURITY TEAMS? Until an official patch is released, organisations should follow Microsoft’s temporary workaround: restore inherited permissions on the contents of %windir%\system32\config and delete any existing Volume Shadow Copies and System Restore points, since a shadow copy taken before the permissions fix still exposes the hives with the old ACL.
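As an added example (not from the briefing, the researcher, or Microsoft), the following PowerShell checks whether a host exhibits the exposure described above and, when run with the -Remediate switch in an elevated session, applies Microsoft’s published interim workaround. The function names are my own; S-1-5-32-545 is the well-known SID for BUILTIN\Users (used instead of the account name so the check is locale-independent), and the icacls and vssadmin commands are the ones in Microsoft’s advisory for CVE-2021-36934.

```powershell
# Added example: detect and mitigate the SeriousSAM / CVE-2021-36934 exposure.
# Assumes an elevated PowerShell 5.1+ session on Windows 10. Function names
# are illustrative (not a Microsoft API); the remediation commands are the
# ones Microsoft published as the interim workaround.
param([switch]$Remediate)

$ConfigDir   = Join-Path $env:windir 'System32\config'
$HiveFiles   = 'SAM', 'SECURITY', 'SYSTEM'
$UsersSid    = 'S-1-5-32-545'   # well-known SID for BUILTIN\Users
$ReadDataBit = 1                # FileSystemRights.ReadData

function Test-SeriousSamExposure {
    # A hive is exposed when an Allow ACE for BUILTIN\Users grants ReadData.
    # Get-Acl only reads the security descriptor, so it works even though
    # the live hives are held open by the kernel.
    $readable = foreach ($hive in $HiveFiles) {
        $acl = Get-Acl -Path (Join-Path $ConfigDir $hive)
        $hit = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $UsersSid -and
            (([int]$_.FileSystemRights) -band $ReadDataBit) -ne 0
        }
        if ($hit) { $hive }
    }
    # The weak ACL is only practically exploitable through a shadow copy,
    # because the live files cannot be opened for reading.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        HivesReadableByUsers = @($readable)
        ShadowCopyCount      = $shadows.Count
        Exploitable          = (@($readable).Count -gt 0) -and ($shadows.Count -gt 0)
    }
}

function Invoke-SeriousSamWorkaround {
    # Step 1: restore inherited ACLs on everything under %windir%\System32\config.
    icacls (Join-Path $ConfigDir '*.*') /inheritance:e | Out-Null
    # Step 2: remove shadow copies created before the ACL fix; they still
    # carry the hives with the old permissions. This also deletes restore
    # points, so create a fresh one afterwards if you rely on them.
    vssadmin delete shadows "/for=$env:SystemDrive" /all /quiet | Out-Null
}

$before = Test-SeriousSamExposure
$before | Format-List
if ($before.Exploitable -and $Remediate) {
    Invoke-SeriousSamWorkaround
    Test-SeriousSamExposure | Format-List
}
elseif ($before.Exploitable) {
    Write-Warning 'Hives readable by Users and shadow copies present; rerun with -Remediate in an elevated session.'
}
```

Run the script without -Remediate first to record the state for each host; the ACL check alone is not sufficient, because a host whose permissions have been corrected but which still holds an older shadow copy remains exploitable until that copy is deleted.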
Organisations experience data breaches stemming from third parties
- One terabyte of data belonging to Saudi Aramco is being sold on the dark web, starting at a price of USD 5 million. Saudi Aramco confirmed that the release of data was not due to a breach of its systems but rather data that was held by third party contractors.
- Patient data from numerous healthcare companies, including Intermountain Healthcare, Jefferson Health, and Cancer Center of Greenwood, was impacted by the April 2021 breach of medical software company, Elekta. A threat actor gained unauthorised access to systems containing protected health information.
SO WHAT? Organisations should conduct regular third party risk assessments to ensure that any third party that holds sensitive data has the necessary cyber security controls in place to protect this data.
SonicWall devices are HelloKitty’s newest target
Cybercrime groups are exploiting unpatched and end-of-life SonicWall devices in ransomware attacks. HelloKitty, a threat group understood to be based in Russia, is reportedly the primary culprit of the recent wave of these attacks exploiting CVE-2019-7481.
SO WHAT? Vulnerable devices should either be patched or disconnected. See SonicWall’s advisory for information on how to mitigate this vulnerability.
Florida-based cloud-hosting provider Cloudstar targeted in ransomware attack
On 16 July, a ransomware attack took down the majority of Cloudstar’s infrastructure. The company, which operates several data centres in the US, supports industries such as the title insurance, real estate, and financial sectors.
Cloudstar has started negotiations with the hackers. However, with no estimated recovery timeline announced, concerns have been raised about the knock-on impact the attack will have on customer operations, such as preventing real-estate brokers from registering transactions and consumers from closing loans.
SO WHAT? Incidents at cloud-hosting providers can cause significant disruption for customers. Organisations should have business continuity plans in place in case of service outages, especially given the ever-increasing prevalence and disruption caused by ransomware attacks.
Printer vulnerability threatens millions of HP, Samsung, and Xerox devices
A 16-year-old privilege escalation vulnerability has been uncovered in a Windows printer driver that ships with a wide range of HP, Samsung, and Xerox printers, so the exposed systems are the Windows hosts on which the driver is installed rather than the printers themselves. If exploited, a local attacker could bypass security measures, modify data, and run code in kernel mode. While the vulnerability is yet to be exploited in the wild, the driver is present on millions of enterprise and consumer machines, since it is installed automatically alongside the printer software.