The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- US sanctions crypto exchange. Suex becomes first ever crypto exchange sanctioned by US.
- Looming agriculture disruption. BlackMatter targets US farm services provider with ransomware.
- VMware at risk. Take action now if your organisation uses vCenter Servers 6.7 and 7.0.
- High risk ManageEngine vulnerability. US government agencies urge organisations to apply patches.
- Thailand data exposure. Over 100 million visitors to Thailand have had their data exposed online.
- Ragnar Locker and Grief. Ransomware groups announce new extortion tactics.
1. US OFAC sanctions Suex crypto exchange
The US Treasury’s Office of Foreign Assets Control (OFAC) has announced sanctions against a cryptocurrency exchange for the first time. Suex, a Czech Republic-registered cryptocurrency exchange, primarily operating in Russia, was sanctioned for facilitating ransom transactions for ransomware threat groups and helping them evade existing OFAC sanctions.
OFAC also added numerous digital currency addresses to its sanctions list.
SO WHAT? Paying a ransom to a threat actor comes with its own risks, including violating global sanctions. If an organisation elects to pay a ransom, it should conduct robust pre-transactional due diligence on the threat actor and any associated cryptocurrency wallets to ensure any ransom payment does not expose them to the risk of violating sanctions.
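As an added illustration of the pre-transactional due diligence described above (this is not code from S-RM or the briefing), the Python below screens a set of proposed payment addresses against a sanctions list before any transfer is approved. The list embedded in the block is a constructed sample in a simplified CSV layout; the real OFAC SDN data is published in its own formats and would be loaded in place of it. The address normalisation reflects a practical caveat: hex-style addresses are case-insensitive, whereas legacy base58 Bitcoin addresses are not, so a naive case-fold would produce both false matches and misses.

```python
"""Screen cryptocurrency addresses against a sanctions list before paying.

Added example, not part of the original briefing. All listed entities and
addresses below are constructed placeholders, not real sanctioned addresses.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample list: entity, currency code, address.
# The genuine OFAC SDN list uses a different, richer schema; swap in a
# parser for that data when screening real payments.
SANCTIONS_CSV = """entity,currency,address
SAMPLE-EXCHANGE-1,XBT,1ExampleBitcoinAddressAAAAAAAAAAAAAA
SAMPLE-EXCHANGE-1,ETH,0xAbCdEf0000000000000000000000000000000001
SAMPLE-ACTOR-2,XBT,bc1qexampleplaceholderaddress00000000000
"""


@dataclass(frozen=True)
class Hit:
    """One proposed address that matched a listed entity."""
    address: str
    entity: str
    currency: str


def normalise(address: str) -> str:
    """Return the canonical comparison form of an address.

    - Hex addresses (0x...) are case-insensitive, so they are lower-cased.
    - bech32 addresses (bc1...) are defined in lower case.
    - Legacy base58 addresses (1... / 3...) are case-sensitive and are
      compared exactly as given.
    """
    addr = address.strip()
    lowered = addr.lower()
    if lowered.startswith("0x") or lowered.startswith("bc1"):
        return lowered
    return addr


def load_sanctions(csv_text: str) -> dict[str, tuple[str, str]]:
    """Index the list by normalised address -> (entity, currency)."""
    index: dict[str, tuple[str, str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        index[normalise(row["address"])] = (row["entity"], row["currency"])
    return index


def screen(addresses, index: dict[str, tuple[str, str]]) -> list[Hit]:
    """Return every proposed address that appears on the list."""
    hits: list[Hit] = []
    for addr in addresses:
        key = normalise(addr)
        if key in index:
            entity, currency = index[key]
            hits.append(Hit(addr, entity, currency))
    return hits


def payment_is_cleared(addresses, index: dict[str, tuple[str, str]]) -> bool:
    """True only when no proposed address matches a listed entity."""
    return not screen(addresses, index)


if __name__ == "__main__":
    sanctions = load_sanctions(SANCTIONS_CSV)
    # Constructed candidate addresses supplied by the negotiator; the first
    # differs from the listed ETH address only in letter case.
    proposed = [
        "0xABCDEF0000000000000000000000000000000001",
        "1UnlistedBitcoinAddressBBBBBBBBBBBBBBB",
    ]
    for hit in screen(proposed, sanctions):
        print(f"BLOCK: {hit.address} is listed for {hit.entity} ({hit.currency})")
    print("cleared:", payment_is_cleared(proposed, sanctions))
```

A direct address match is only the first check: wallets associated with a listed address (counterparties or clustered addresses identified through chain analysis) also need review, and that tracing is outside this block. The screening should also run against a freshly downloaded list at the time of the decision, since OFAC adds addresses over time.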
2. Iowa farm cooperative takes systems offline after BlackMatter ransomware attack
Iowa-based farm services provider New Cooperative confirmed this week it was the victim of a ransomware attack at the hands of BlackMatter, a Russia-based threat group. Subsequently, on Wednesday, another farming cooperative, Crystal Valley, which serves customers in Minnesota and Iowa, also confirmed it had suffered a ransomware incident by an undisclosed threat actor. Both firms were forced to shut down their IT systems.
In leaked negotiations between BlackMatter and New Cooperative, the farm services provider has claimed to be a part of the 16 critical sectors the US government has warned ransomware operators to avoid. Although BlackMatter asserts New Cooperative will only face financial losses, the New Cooperative representative has insisted that the attack would cause public disruption to the US grain, pork, and chicken supply chain if their operations did not resume soon.
SO WHAT? The incidents highlight the disregard attackers have had for the US’ 16 critical infrastructure sectors that are off-limits. It is also a good reminder that victims of ransomware attacks should not expect negotiations with threat actors to remain private and confidential. Any correspondence with criminals should be considered carefully as it could be made public at any time and used as additional leverage against your organisation or impair your reputation with stakeholders.
3. VMware vCenter servers at risk
VMware has warned customers of a critical arbitrary file upload vulnerability in its vCenter Server product. The vulnerability affects appliances running default installations of vCenter Server 6.7 and 7.0.
Threat actors can exploit this vulnerability if they have network access to the vCenter Server by uploading a specially crafted file. Doing so will allow them to execute commands on a compromised server.
SO WHAT? Patch your vCenter Servers immediately. If you are unable to patch, follow VMware’s workaround.
4. Vulnerability in ManageEngine exploited
Threat actors are actively exploiting a recently publicised vulnerability in ManageEngine ADSelfService Plus, a password management and single sign-on solution developed by the multinational technology company Zoho.
This has prompted the FBI, the US Coast Guard, and the US Cybersecurity and Infrastructure Security Agency (CISA) to push out a joint alert urging organisations to apply the relevant patches. While not mentioned in CISA’s alert, there are concerns in the cyber security industry that the vulnerability could have a similar impact to the SolarWinds attacks in 2020.
SO WHAT? Organisations running Enterprise ManageEngine ADSelfService Plus should update their systems immediately.
5. Thailand exposes millions of visitors’ personal data
Over 100 million travellers to Thailand in the last decade have had their personal information exposed online. The database, which included passport numbers, names, residency statuses, and travel information, was publicly accessible on the internet without requiring a password.
Thai authorities claim that “the data was not accessed by any unauthorised parties”.
SO WHAT? Even countries can fall victim to large scale data exposure. Regularly review your assets to ensure private data stores are not publicly accessible.
6. Ransomware groups expand extortion tactics
Several ransomware groups have begun to warn their victims against contacting government and law enforcement agencies, data recovery firms, or ransomware negotiators. Ragnar Locker warned its victims that it would immediately leak stolen data, whilst the Grief ransomware group threatened to delete the decryption key should its victims get any such external support.
This comes as governments, regulators, and law enforcement agencies continue to warn organisations against engaging with ransomware groups. In a US Department of Justice advisory, published in September 2021, victims are encouraged to report ransomware incidents to law enforcement and are strongly discouraged from paying the ransom, noting potential sanctions risks.
SO WHAT? Ransomware groups are constantly evolving their extortion tactics. These new threats are an attempt to secure a quick and high ransom payment, and possibly convince unwitting victims into paying a ransom despite the risk of sanctions violations.