The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- Emergency Microsoft patches: Updates issued addressing four Exchange Server vulnerabilities.
- Chinese actor testing Indian networks: RedEcho observed targeting Indian critical infrastructure.
- ObliqueRAT: The group behind ObliqueRAT leverages steganography to distribute their trojan.
- Ryuk ransomware: Worm-like capabilities are now among Ryuk’s arsenal.
- VMware vulnerability: Threat actors are mass scanning for impacted servers.
- Breach round-up: Almost four million records leaked on hacking forums through two separate breaches.
Emergency patches for Microsoft Exchange vulnerabilities
- Microsoft has released emergency patches for four zero-day vulnerabilities affecting its Exchange Server software. Adversaries can exploit the vulnerabilities to access Exchange servers, compromise email, and install malware.
- The vulnerabilities are being actively exploited in the wild. Microsoft initially attributed exploitation of these vulnerabilities to HAFNIUM, a Chinese state-sponsored threat group. Since then, at least three further Beijing-backed groups have been observed leveraging the vulnerabilities.
So what? Microsoft’s emergency patches, released on Tuesday, should be installed as a top priority. The vulnerabilities are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
Chinese actor targeting Indian critical infrastructure
- The Chinese threat group RedEcho has reportedly been targeting India’s critical infrastructure. Amid heightened border tensions, suspected targeted intrusion activity has been observed against Indian power organisations and seaports.
- RedEcho shares tactics, techniques, and procedures (TTPs) with other Chinese state-sponsored groups. This is an evolving story and further details on victimology, threat actor behaviour, and possible overlap with other groups are likely to emerge.
So what? Beyond demonstrations of power, the strategic objectives behind this activity, whether espionage or securing network access, remain to be seen.
ObliqueRAT plays Hide and Squeak with compromised websites
- A malware campaign is hiding ObliqueRAT in images to evade previous detection methods. The threat actor responsible is using compromised websites to deliver the Remote Access Trojan (RAT).
- Victims are directed to the adversary-controlled websites which host seemingly innocent image files containing the hidden RAT.
So what? This new campaign shows the importance of a layered approach to security, as obfuscation techniques, such as steganography, can bypass signature-based detection.
New Ryuk ransomware variant identified
- A new version of Ryuk ransomware with worm-like capabilities has been identified. Using scheduled tasks, the malware can now self-propagate to machines over a victim’s local network.
- The automated dispersal of the malware will reduce its “intrusion to infection” time. This makes containment of the malware, once deployed, difficult.
So what? If countermeasures to prevent the initial foothold fail, change the compromised privileged account’s password or disable the account, and then force a domain-wide credential change by resetting the KRBTGT account password.
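As an added illustration, not part of the S-RM briefing, the following PowerShell carries out the two response steps above against Active Directory. It assumes the RSAT ActiveDirectory module and Domain Admin rights, and the account name svc-backup is a constructed placeholder for the compromised privileged account.

```powershell
# Added example (not from the briefing): reset a compromised privileged account,
# then reset krbtgt and confirm the new key has replicated to every domain controller.
# Assumes the ActiveDirectory module and Domain Admin rights; 'svc-backup' is a placeholder.
Import-Module ActiveDirectory

function New-RandomPassword {
    # 32 bytes from a CSPRNG, Base64-encoded, returned as a SecureString.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Invoke-CompromisedAccountReset {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Step 1: change the privileged account's password and disable the account.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword (New-RandomPassword)
    Disable-ADAccount -Identity $SamAccountName
}

function Invoke-KrbtgtReset {
    # Step 2: reset krbtgt on the PDC emulator and push the change to all other DCs.
    $pdc    = (Get-ADDomain).PDCEmulator
    $dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $before = (Get-ADUser -Identity krbtgt -Server $pdc -Properties PasswordLastSet).PasswordLastSet
    Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword (New-RandomPassword)
    $krbtgt = Get-ADUser -Identity krbtgt -Server $pdc -Properties PasswordLastSet
    foreach ($dc in ($dcs | Where-Object { $_ -ne $pdc })) {
        # Force replication so no DC keeps issuing tickets under the old key.
        Sync-ADObject -Object $krbtgt.DistinguishedName -Source $pdc -Destination $dc
    }
    # Verify convergence: every DC must report a PasswordLastSet newer than the old value.
    $stale = foreach ($dc in $dcs) {
        $p = (Get-ADUser -Identity krbtgt -Server $dc -Properties PasswordLastSet).PasswordLastSet
        if ($p -le $before) { $dc }
    }
    if ($stale) { Write-Warning "krbtgt key not yet replicated to: $($stale -join ', ')" }
    else        { Write-Host "krbtgt reset replicated to all $($dcs.Count) domain controllers." }
}

Invoke-CompromisedAccountReset -SamAccountName 'svc-backup'
Invoke-KrbtgtReset
# DCs honour the previous krbtgt key as well as the current one, so tickets forged
# under the old key stay valid until a SECOND reset. Run Invoke-KrbtgtReset again only
# after this run reports full replication (Microsoft guidance also allows the maximum
# ticket lifetime to elapse between resets to limit disruption to legitimate users).
```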
Severe new vulnerability affects VMware servers
- VMware has issued a patch for a remote-code execution vulnerability (CVE-2021-21972) affecting its vCenter servers. The vulnerability impacts vSphere Client (HTML5) and could be used to upload files to vulnerable vCenter servers publicly accessible over port 443.
- Threat actors are mass-scanning for affected servers after proof-of-concept exploits were published. The scans aim to identify servers that have not yet received the patch.
So what? If you deploy vCenter servers, patch with priority. Mass scanning and the availability of exploits mean threat actors are already leveraging this bug.
Oxfam Australia and Ticketcounter data leaked on hacking forums
- A database belonging to Oxfam Australia was leaked on a hacking forum. Personal information of more than 1.8 million Oxfam supporters was exposed by the leak.
- Ticketcounter, a Dutch e-ticketing platform, also suffered a breach. A database containing 1.9 million unique email addresses was stolen from an unsecured staging server. The database was posted on a hacking forum and soon removed, after it was allegedly sold.
So what? Ensure passwords are regularly rotated and dissuade employees from reusing old passwords that may have been compromised in prior breaches and subsequently sold on underground forums.