
Cyber Intelligence Briefing: 5 March 2021

Billy Gouveia, Mona Damian 5 March 2021


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.

OVERVIEW

Emergency patches for Microsoft Exchange vulnerabilities

  • Microsoft has released emergency out-of-band patches for four zero-day vulnerabilities in on-premises Exchange Server 2013, 2016 and 2019 (Exchange Online is not affected).[1] Chained together, the vulnerabilities let an unauthenticated attacker reach the server, read mailbox contents and write arbitrary files, including web shells that give persistent access and a foothold for further malware.
  • The vulnerabilities are being actively exploited in the wild.[2] Microsoft initially attributed the exploitation to HAFNIUM, a group it assesses to be Chinese state-sponsored. Since then, at least three further groups assessed to be Beijing-backed have been observed exploiting the same vulnerabilities.

So what? Microsoft’s emergency patches, released on Tuesday 2 March, should be installed as a top priority. They apply only to servers on a supported cumulative update, so servers that are behind on CUs need that update first. Patching closes the holes but does not evict an attacker who has already used them: review the server for web shells and for unexpected activity dated before the patch was applied. The vulnerabilities are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
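Added example, not from the briefing and not Microsoft’s own tooling: a PowerShell hunt for two indicators that Microsoft published alongside the patches. Exploitation of CVE-2021-26855 appears in the Exchange HttpProxy logs as unauthenticated requests whose AnchorMailbox is a ServerInfo~ route rather than a mailbox, and web shells dropped through the file-write bugs show up as .aspx files written recently into front-end directories that normally change only when Exchange itself is updated. The Exchange installation path and the cut-off date are assumptions; set them for the server being examined.

```powershell
# Added example: hunt for signs that CVE-2021-26855 was exploited before the patch landed.
# Indicators follow Microsoft's published guidance; the paths and the date are assumptions
# for illustration and should be adapted to the server being examined.
param(
    [string]$ExchangeRoot = "$env:ProgramFiles\Microsoft\Exchange Server\V15",
    [datetime]$Since = (Get-Date '2021-02-26')   # assumed start of the exploitation window
)

# 1. CVE-2021-26855: the server-side request forgery shows up in HttpProxy logs as a request
#    with no authenticated user whose AnchorMailbox is a ServerInfo~ route, not a mailbox.
#    Import-Csv skips the '#' comment lines Exchange writes at the top of each log.
$logDir = Join-Path $ExchangeRoot 'Logging\HttpProxy'
$ssrfHits = Get-ChildItem -Path $logDir -Filter '*.log' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Import-Csv -Path $_.FullName } |
    Where-Object {
        [string]::IsNullOrEmpty($_.AuthenticatedUser) -and
        $_.AnchorMailbox -like 'ServerInfo~*/*'
    } |
    Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox

# 2. Web shells: .aspx files written recently into directories that should only contain
#    files shipped with Exchange. These are the locations reported for the HAFNIUM shells.
$webDirs = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\ecp\auth'),
    (Join-Path $env:SystemDrive 'inetpub\wwwroot\aspnet_client')
)
$newAspx = Get-ChildItem -Path $webDirs -Filter '*.aspx' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
    Select-Object FullName, CreationTime, LastWriteTime, Length

# Report. Any hit calls for incident response, not just patching: the patch closes the
# door but removes neither a web shell nor credentials an attacker has already taken.
"HttpProxy SSRF indicators: $(@($ssrfHits).Count)"
$ssrfHits | Format-Table -AutoSize
"Recently written .aspx files: $(@($newAspx).Count)"
$newAspx | Format-Table -AutoSize
```

Run it on the Exchange server as an administrator, both before and after patching. Importing every HttpProxy log is slow on a busy server, so narrow $logDir to the days of interest if needed. The file check is a heuristic: a web shell can be given an old timestamp, so an empty result is reassuring rather than conclusive.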

Chinese actor targeting Indian critical infrastructure

  • The Chinese threat group RedEcho has reportedly been targeting India’s critical infrastructure.[3] Amid heightened border tensions between the two countries, suspected targeted intrusion activity has been observed against Indian power-sector organisations and seaports.
  • RedEcho shares tactics, techniques, and procedures (TTPs) with other Chinese state-sponsored groups.[4] This is an evolving story and further details on victimology, threat actor behaviour, and possible overlap with other groups are likely to emerge.

So what? Beyond a demonstration of capability, the strategic objective behind this activity, whether espionage or pre-positioning of network access for future disruption, remains unclear.

ObliqueRAT plays Hide and Squeak with compromised websites

  • A new ObliqueRAT campaign hides the Remote Access Trojan (RAT) inside image files to evade the detection that caught earlier versions.[5] The operators are hosting the images on compromised, rather than newly registered, websites.
  • Malicious Office documents direct victims to these websites, which serve seemingly innocent image files with the RAT embedded; the document’s macro then extracts the payload from the image and runs it.

So what? Because the downloaded file is a structurally valid image, signatures written for the ObliqueRAT executable will not fire on it. That is the case for a layered approach: block or sandbox macros in documents that arrived from the internet, inspect what a document’s macro goes on to download, and rely on behavioural detection at the endpoint rather than on file signatures alone.
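An added PowerShell example (not from the briefing or from Talos) of one layer that signature matching on the executable misses: checking whether an image file is carrying something that is not image. It flags a BMP whose actual length exceeds the size declared in its header, a PNG with bytes after the IEND chunk, and any embedded Windows executable (an MZ header whose e_lfanew field points at a PE signature). The sample file is constructed inside the script: a valid 1x1 BMP with a fake PE stub appended.

```powershell
# Added example: structural checks for an image file carrying a hidden payload.
# Not from the briefing or from Talos; the sample file below is constructed for the demo.

function Find-Bytes {
    # Naive byte-pattern search; returns the first (or, with -Last, the last) offset, or -1.
    param([byte[]]$Data, [byte[]]$Pattern, [int]$Start = 0, [switch]$Last)
    $found = -1
    for ($i = $Start; $i -le $Data.Length - $Pattern.Length; $i++) {
        $match = $true
        for ($j = 0; $j -lt $Pattern.Length; $j++) {
            if ($Data[$i + $j] -ne $Pattern[$j]) { $match = $false; break }
        }
        if ($match) {
            if (-not $Last) { return $i }
            $found = $i
        }
    }
    return $found
}

function Test-ImageForHiddenPayload {
    param([Parameter(Mandatory)][string]$Path)
    [byte[]]$b = [System.IO.File]::ReadAllBytes($Path)
    $findings = New-Object System.Collections.Generic.List[string]

    # BMP stores its own file size at offset 2 (little-endian); anything beyond it is extra.
    if ($b.Length -ge 14 -and $b[0] -eq 0x42 -and $b[1] -eq 0x4D) {
        $declared = [BitConverter]::ToUInt32($b, 2)
        if ($b.Length -gt $declared) {
            $findings.Add("BMP declares $declared bytes but file is $($b.Length): $($b.Length - $declared) trailing bytes")
        }
    }

    # PNG must end with the IEND chunk: 4-byte length, 'IEND', 4-byte CRC, then nothing.
    if ($b.Length -ge 8 -and [BitConverter]::ToString($b, 0, 8) -eq '89-50-4E-47-0D-0A-1A-0A') {
        $iend = Find-Bytes $b ([System.Text.Encoding]::ASCII.GetBytes('IEND'))
        if ($iend -ge 0 -and $b.Length -gt $iend + 8) {
            $findings.Add("PNG has $($b.Length - ($iend + 8)) bytes after IEND")
        }
    }

    # Embedded Windows executable: 'MZ', and the e_lfanew field at +0x3C points at 'PE\0\0'.
    $pos = 0
    while (($pos = Find-Bytes $b ([byte[]](0x4D, 0x5A)) -Start $pos) -ge 0) {
        if ($pos + 0x40 -le $b.Length) {
            $lfanew = [BitConverter]::ToUInt32($b, $pos + 0x3C)
            $pe = $pos + $lfanew
            if ($lfanew -lt 0x1000 -and $pe + 4 -le $b.Length -and
                $b[$pe] -eq 0x50 -and $b[$pe + 1] -eq 0x45 -and $b[$pe + 2] -eq 0 -and $b[$pe + 3] -eq 0) {
                $findings.Add("PE header at offset $pos")
            }
        }
        $pos++
    }
    return $findings
}

# Constructed sample: a valid 1x1 24-bit BMP (14-byte file header + 40-byte DIB header +
# one padded pixel row = 58 bytes) followed by a 68-byte stub shaped like a PE file.
$bmp = New-Object System.Collections.Generic.List[byte]
$bmp.AddRange([byte[]](0x42, 0x4D))                      # 'BM'
$bmp.AddRange([BitConverter]::GetBytes([uint32]58))      # declared file size
$bmp.AddRange([byte[]](0, 0, 0, 0))                      # reserved
$bmp.AddRange([BitConverter]::GetBytes([uint32]54))      # offset of pixel data
$bmp.AddRange([BitConverter]::GetBytes([uint32]40))      # BITMAPINFOHEADER size
$bmp.AddRange([BitConverter]::GetBytes([int32]1))        # width
$bmp.AddRange([BitConverter]::GetBytes([int32]1))        # height
$bmp.AddRange([BitConverter]::GetBytes([uint16]1))       # colour planes
$bmp.AddRange([BitConverter]::GetBytes([uint16]24))      # bits per pixel
$bmp.AddRange((New-Object byte[] 24))                    # remaining header fields, all zero
$bmp.AddRange([byte[]](0xFF, 0xFF, 0xFF, 0x00))          # one white pixel plus row padding
$stub = New-Object byte[] 68
$stub[0] = 0x4D; $stub[1] = 0x5A                         # 'MZ'
$stub[0x3C] = 0x40                                       # e_lfanew = 64 (little-endian)
$stub[64] = 0x50; $stub[65] = 0x45                       # 'PE\0\0' at offset 64
$bmp.AddRange($stub)

$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'stego-sample.bmp'
[System.IO.File]::WriteAllBytes($sample, $bmp.ToArray())
Test-ImageForHiddenPayload -Path $sample
```

On the constructed sample both the BMP length check and the PE scan fire. This catches payloads appended to or embedded whole in an image, which is what lets a macro pull an executable out of a download with a single offset. A payload spread across pixel low-order bits would pass these checks; that case needs statistical analysis of the pixel data or, more practically, behavioural detection of the macro doing the extracting. The byte search is a plain loop and is slow in PowerShell on large files; it is written for clarity rather than speed.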

New Ryuk ransomware variant identified

  • A new version of Ryuk ransomware with worm-like capabilities has been identified. By copying itself to other hosts on the victim’s local network and creating scheduled tasks to launch those copies, the malware can now spread without operator action.[6]
  • Automated spread shortens the malware’s “intrusion to infection” time,[7] leaving defenders little opportunity to contain it once it has been launched.

So what? The worm spreads under the privileged domain account it was launched with, so if the measures that should have prevented the initial foothold fail, contain it by disabling that account (or at least changing its password) and then resetting the KRBTGT account password twice to invalidate the Kerberos tickets the attacker already holds.
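The containment sequence above, written out as an added PowerShell example (not from the briefing or from CERT-FR). It assumes the ActiveDirectory module is available and the script runs as a Domain Admin; $CompromisedAccount stands for whichever privileged account the scheduled tasks were created with, identified from the task and logon logs on the affected hosts.

```powershell
# Added example: containment after a Ryuk intrusion that used a privileged domain account
# to create scheduled tasks on other hosts. Not from the briefing or from CERT-FR.
# Run as Domain Admin from a host with the ActiveDirectory RSAT module.
# $CompromisedAccount is an assumed name: use the account seen in your logs.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)][string]$CompromisedAccount,
    [switch]$SecondReset    # re-run with this switch after the first KRBTGT reset has replicated
)

function New-RandomPassword {
    # 32 random bytes, Base64-encoded. Nobody needs to know or type this value.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

if (-not $SecondReset) {
    # 1. Cut off the account the malware is propagating with. Disabling it and changing its
    #    password stops new scheduled tasks being created. Sessions already authenticated
    #    keep working until their Kerberos tickets expire, which is why step 2 follows.
    Disable-ADAccount -Identity $CompromisedAccount
    Set-ADAccountPassword -Identity $CompromisedAccount -Reset -NewPassword (New-RandomPassword)
}

# 2. Reset the KRBTGT password. Every ticket-granting ticket in the domain is signed with
#    this key, so a reset invalidates tickets the attacker already holds, forged golden
#    tickets included. Kerberos keeps the previous key so live sessions do not break, which
#    means the reset must be done TWICE: once now, and again after the change has replicated
#    to every domain controller (Microsoft advises waiting at least the 10-hour default
#    maximum ticket lifetime between the two). The value supplied here does not matter: the
#    domain controller replaces the krbtgt password with a random one of its own.
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomPassword)

# Push the change to every domain controller and confirm they all agree on when it happened.
repadmin /syncall /AdeP | Out-Null
foreach ($dc in (Get-ADDomainController -Filter *)) {
    $k = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties PasswordLastSet
    "{0,-30} krbtgt PasswordLastSet: {1}" -f $dc.HostName, $k.PasswordLastSet
}

if (-not $SecondReset) {
    "First reset done. Re-run with -SecondReset once every DC shows the same PasswordLastSet."
}
```

A single KRBTGT reset leaves the previous key valid, so attackers who hold tickets keep their access until the second reset lands; doing the second reset too early instead breaks every legitimate session in the domain. Neither step removes the scheduled tasks or binaries already on infected hosts, which still need cleaning up host by host.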

Severe new vulnerability affects VMware servers

  • VMware has issued a patch for a remote code execution vulnerability (CVE-2021-21972) in vCenter Server. The flaw sits in a plugin of the vSphere Client (HTML5) and lets an unauthenticated attacker upload files to, and so run code on, any vCenter server whose port 443 is reachable.[8]
  • Threat actors began mass-scanning for vulnerable servers shortly after the first proof-of-concept exploits were published, looking for instances that have not yet been patched.[9]

So what? If you run vCenter, patch with priority: mass scanning and public exploit code mean attackers are already working through the exposed population. vCenter’s management interface should not be reachable from the internet in the first place, and VMware has published a workaround (disabling the affected plugin) for servers that cannot be patched immediately.

Oxfam Australia and Ticketcounter data leaked on hacking forums

  • A database belonging to Oxfam Australia was leaked on a hacking forum, exposing personal information of more than 1.8 million Oxfam supporters.[10]
  • Ticketcounter, a Dutch e-ticketing platform, also suffered a breach. A database containing 1.9 million unique email addresses was taken from an unsecured staging server.[11] It was posted on a hacking forum and soon removed, reportedly after being sold.

So what? Credentials exposed in breaches like these are resold on underground forums and replayed against other services. Rotate any credential that appears in a known breach corpus, block the reuse of old or breached passwords, and enforce multi-factor authentication so that a leaked password on its own is not enough.


References:

[1] ‘Microsoft fixes actively exploited Exchange zero-day bugs, patch now’, BleepingComputer, 2 March 2021.

[2] ‘State hackers rush to exploit unpatched Microsoft Exchange servers’, BleepingComputer, 3 March 2021.

[3] ‘China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions’, Recorded Future, 28 February 2021.

[4] Ibid.

[5] ‘ObliqueRAT returns with new campaign using hijacked websites’, Cisco Talos, 2 March 2021.

[6] ‘Ryuk Ransomware’, CERT-FR, 25 February 2021.

[7] ‘Ryuk Ransomware Updated With “Worm-Like Capabilities”’, Bank Info Security, 1 March 2021.

[8] ‘Code-execution flaw in VMware has a severity rating of 9.8 out of 10’, Ars Technica, 25 February 2021.

[9] ‘More than 6,700 VMware servers exposed online and vulnerable to major new bug’, ZDNet, 24 February 2021.

[10] ‘Oxfam Australia supporters embroiled in new data breach’, ZDNet, 2 March 2021.

[11] ‘European e-ticketing platform Ticketcounter extorted in data breach’, BleepingComputer, 1 March 2021.

Authors: Billy Gouveia, Senior Managing Director; Mona Damian, Senior Analyst.
