The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- ProxyShell hacks. Attackers actively exploit Microsoft Exchange server ProxyShell vulnerabilities.
- Power Apps palaver. American Airlines and Ford expose PII stored in Microsoft Power Apps.
- Insiders called upon. Employees offered USD 1 million to deploy Black Kingdom ransomware.
- Law passed. The Chinese government has passed the Personal Information Protection Law (PIPL).
- PYSA’s PowerShell. A decoded script reveals specific data sought by ransomware gang PYSA.
- Ransomware infrastructure. FBI issues first alert about a ransomware affiliate.
CISA issues urgent alert over exploitation of Microsoft Exchange server ProxyShell vulnerabilities
The US Cybersecurity Infrastructure Security Agency (CISA) has issued an urgent alert regarding ProxyShell vulnerabilities on unpatched on-premises Exchange servers. Attackers are actively exploiting the vulnerabilities, which can result in unauthenticated, remote code execution.
Attackers engaging in these attacks include the LockFile ransomware gang, which has exploited the ProxyShell vulnerabilities to gain access to on-premises Microsoft Exchange servers as part of their ransomware attacks.
Power Apps palaver
Misconfigured Microsoft Power Apps publicly exposed sensitive data for entities including American Airlines, Ford, and the State of Indiana. Exposed data included social security numbers, COVID-19 vaccination details, and addresses.
The misconfiguration allowed for external unauthenticated access to sensitive data held within the platform. Microsoft has created a tool to help users self-diagnose this issue for their own portals.
SO WHAT? Check any Microsoft Power Apps you own using the Microsoft provided tool to see if you are at risk of external anonymous access.
Ransomware group calls upon insiders
Attempts of a Nigerian ransomware group to recruit employees to deploy ransomware have been observed. Interested employees were provided links to download the ransomware payload from file sharing site WeTransfer.
Up to 40 percent of the ransomware demand, paid in Bitcoin, has been used to incentivise employees willing to deploy the Black Kingdom ransomware on their corporate computers.
This follows an emerging trend we are observing, where threat actors are finding new ways to social engineer employees. Almost 1 year ago, a Tesla employee was offered USD 1 million to compromise the business, which they rightly turned down.
SO WHAT? Organisations should take steps to combat the risk of insider threats, such as improving access controls and monitoring data exfiltration attempts.
Chinese government passes data protection law
The Chinese government has passed a new data protection law that governs how personal data is collected, used, and stored. The Personal Information Protection Law (PIPL) is set to come into effect on 1 November 2021.
The PIPL applies to organisations both in and outside of China, when certain conditions are met, for instance when a company provides products or services to consumers in China.
The law outlines various penalties for noncompliance including the confiscation of unlawful income, the issuing of fines to people directly responsible and in charge, and fines up to RMB 50 million or 5 percent of annual revenue for the prior fiscal year. Moreover, the transfer of personal information of Chinese citizens will be restricted or barred to overseas entities who “infringe on the rights of Chinese citizens or jeopardize the national security or public interests of China.”
SO WHAT? Organisations should consult lawyers to determine whether the PIPL applies to them and, if so, that they understand the requirements. Organisations should ensure they are compliant prior to the law coming into effect.
New PowerShell script REVEALS data SOUGHT BY prolific ransomware gang
Last week S-RM, recovered a PowerShell script during a forensic investigation into a ransomware attack by PYSA. Once decoded, the script shows exactly which files PYSA is looking for when stealing data from their victims.
The script contains 123 keywords that show the group is interested in a wide array of data including banking information, login credentials, tax forms, student information, social security numbers, insurance documents, and SEC filings.
SO WHAT? The script shows how important sensitive data has become for ransomware groups. Beyond just encrypting the victim’s data, most major groups will also steal your data and hold this to ransom also.
FBI issues first public advisory about a known ransomware affiliate
On 23 August, the FBI issued a public advisory that focuses on the modus operandi of the cyber-criminal OnePercent Group. Although not specifically identified by the FBI as an “affiliate”, cyber security researchers have reported on the OnePercent Group’s collaboration with REvil (Sodinokibi), Maze, and Egregor ransomware operations.
Rather than being the ones who developed the malware themselves, ransomware affiliates are third-parties who rent access to ‘Ransomware-as-a-Service’ platforms. Once the affiliates compromise a system, they then use the rented ransomware to encrypt data and earn a commission from successful extortions.
SO WHAT? The FBI advisory draws important attention to ransomware operation infrastructure and highlights how various cyber-criminals collaborate behind-the-scenes of ransomware and data exfiltration attacks.