The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
- “Be aware” says VMware. A critical vulnerability affecting vCenter Servers has been identified.
- Ransomware as a disguise. Threat actors are masking their activity as ransomware when pursuing other objectives.
- More zero-day vulnerabilities in Apple products. Three zero-day vulnerability fixes released by Apple.
- Large data breach round-up. Threat actors breach the data of millions at Domino’s Pizza, Bose, and Air India
- A response to ransomware. AXA’s pledge to stop covering cybercriminals’ ransom demands in France is indicative of a broader shift in ransomware deterrence.
Critical remote code execution vulnerability discovered in vCenter servers
- VMware has disclosed a critical vulnerability in the vSAN plugin that affects all vCenter Server deployments. The plugin is enabled by default and VMware urge all users to immediately update any vCenter Server versions 6.5, 6.7, and 7.0.
- The vulnerability, tracked as CVE-2021-21985, allows for remote code execution. Successful exploitation could allow attackers to execute commands on the host operating system with unrestricted privileges.
SO WHAT? In addition to updating vulnerable servers, organisations should refer to VMware’s additional guidance on disabling the plugin.
Attacks disguised as ransomware
- Microsoft researchers identified a phishing campaign in which threat actors were disguising StrRAT malware as ransomware. The malware, which creates a backdoor into Windows systems, is typically distributed through malicious PDF documents attached in emails with payment-related subject lines.
- Agrius, an Iranian hacking group, has also been observed using similar disguise techniques. The threat group has been pretending to launch ransomware attacks and extorting their victims in the process by claiming to have encrypted and/or stolen their data. Instead, the group has deployed wiper malware and their victims’ data has already been deleted.
SO WHAT? Security teams should investigate incidents carefully to identify the true nature of the threat actor’s activity and gather intelligence on a threat actor's likely profile to ensure that necessary and appropriate response actions are taken.
Three more zero-day vulnerabilities patched by Apple
- Apple has patched three zero-day vulnerabilities affecting its macOS and tvOS, which are being actively exploited. One of them, CVE-2021-30713, affects MacOS Big Sur devices, making them vulnerable to attackers accessing sensitive user data.
- The other two vulnerabilities affect Apple TV’s WebKit, responsible for rendering HTML content. CVE-2021-30663 and CVE-2021-30665 leave unpatched Apple TV devices vulnerable to maliciously crafted web content that could trigger arbitrary code execution.
SO WHAT? There has been an increase in the number of zero-day vulnerabilities discovered in Apple devices in recent months. Apple’s Senior VP of Software Engineering has recently said that the “level of malware on the Mac is unacceptable”. Be sure to patch devices as soon as possible.
A large slice of data flies into threat actor hands
- Air India disclosed it suffered a data breach after personal information of 4.5 million customers was leaked online. The breach occurred after SITA, the company processing the passenger data, was hacked in February 2021 and is reported to affect many other major airlines.
- Domino’s Pizza in India suffered a data breach, exposing customer details for over 18 million orders. The leaked data includes the delivery address, phone number and email address of Domino’s customers in India.
- Bose, the audio company, also disclosed a data breach after it suffered a ransomware attack in March. Bose has notified affected individuals but has not identified evidence of stolen data being sold or distributed online.
SO WHAT? Implement controls such as encryption and network segmentation to secure your data, even if your internal network is breached.
A response to ransomware
- AXA, the global insurer, announced that it will stop reimbursing cyber policy holders in France for ransom payments. The pledge follows a discussion in the French Senate, in which prosecutors argued that to stop cyberattacks, hackers’ demands shouldn’t be met.
- The development comes amid broader discussions about how to adjust insurance policies in response to the surging tide of ransomware attacks. Reports suggest that other cyber insurers are themselves raising premium prices and limiting coverage for cyber policies.
SO WHAT? Policy discussions in the public and private sectors will likely increase as options are weighed for countering the dramatic rise in ransomware attacks. Ensure that your business stays up to date with any changes in policy.