
Cyber Intelligence Briefing: 28 May 2021

Billy Gouveia, Kyle Schwaeble 28 May 2021

CHALLENGING INSECURITY: A ROADMAP TO CYBER CONFIDENCE

In our latest report, we demystify the drivers of insecurity among cyber security professionals, in so doing, mapping a path to cyber confidence.


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

OVERVIEW

Critical remote code execution vulnerability discovered in vCenter servers

  • VMware has disclosed a critical vulnerability in the vSAN plugin that affects all vCenter Server deployments. The plugin is enabled by default, and VMware urges all users to immediately update vCenter Server versions 6.5, 6.7, and 7.0.
  • The vulnerability, tracked as CVE-2021-21985, allows for remote code execution. Successful exploitation could allow attackers to execute commands on the host operating system with unrestricted privileges.

SO WHAT? In addition to updating vulnerable servers, organisations should refer to VMware’s additional guidance on disabling the plugin.


Attacks disguised as ransomware

  • Microsoft researchers identified a phishing campaign in which threat actors were disguising StrRAT malware as ransomware. The malware, which creates a backdoor into Windows systems, is typically distributed through malicious PDF documents attached to emails with payment-related subject lines.
  • Agrius, an Iranian hacking group, has also been observed using similar disguise techniques. The threat group has been pretending to launch ransomware attacks and extorting its victims in the process by claiming to have encrypted and/or stolen their data. Instead, the group has deployed wiper malware, and the victims’ data has already been deleted.

SO WHAT? Security teams should investigate incidents carefully to identify the true nature of the threat actor’s activity and gather intelligence on the threat actor’s likely profile, so that necessary and appropriate response actions are taken.


Three more zero-day vulnerabilities patched by Apple

  • Apple has patched three zero-day vulnerabilities affecting its macOS and tvOS, which are being actively exploited. One of them, CVE-2021-30713, affects macOS Big Sur devices, making them vulnerable to attackers accessing sensitive user data.
  • The other two vulnerabilities affect Apple TV’s WebKit, the component responsible for rendering HTML content. CVE-2021-30663 and CVE-2021-30665 leave unpatched Apple TV devices vulnerable to maliciously crafted web content that could trigger arbitrary code execution.

SO WHAT? There has been an increase in the number of zero-day vulnerabilities discovered in Apple devices in recent months. Apple’s Senior VP of Software Engineering has recently said that the “level of malware on the Mac is unacceptable”. Be sure to patch devices as soon as possible.


A large slice of data flies into threat actor hands

  • Air India disclosed it suffered a data breach after personal information of 4.5 million customers was leaked online. The breach occurred after SITA, the company processing the passenger data, was hacked in February 2021, and is reported to affect many other major airlines.
  • Domino’s Pizza in India suffered a data breach, exposing customer details for over 18 million orders. The leaked data includes the delivery address, phone number and email address of Domino’s customers in India.
  • Bose, the audio company, also disclosed a data breach after it suffered a ransomware attack in March. Bose has notified affected individuals but has not identified evidence of stolen data being sold or distributed online.

SO WHAT? Implement controls such as encryption and network segmentation to secure your data, even if your internal network is breached.


A response to ransomware

  • AXA, the global insurer, announced that it will stop reimbursing cyber policy holders in France for ransom payments. The pledge follows a discussion in the French Senate, in which prosecutors argued that to stop cyberattacks, hackers’ demands shouldn’t be met.
  • The development comes amid broader discussions about how to adjust insurance policies in response to the surging tide of ransomware attacks. Reports suggest that other cyber insurers are themselves raising premium prices and limiting coverage for cyber policies.

SO WHAT? Policy discussions in the public and private sectors will likely increase as options are weighed for countering the dramatic rise in ransomware attacks. Ensure that your business stays up to date with any changes in policy.


Cyber Threat Intelligence Briefing

To discuss this article or other industry developments, please reach out to one of our experts.

Billy Gouveia, Senior Managing Director
Kyle Schwaeble, Analyst

CYBER INCIDENT RESPONSE: PERSPECTIVES FROM INSIDE THE RISK ECOSYSTEM

In our latest report, we examine a cyber incident from the perspective of several key stakeholders.
