The S-RM Cyber Threat Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.
- Ransomware galore. A number of high-profile ransomware attacks this week underscore that this threat is here to stay, causing significant disruption across industries.
- Cyber casualty. In a reminder of the physical consequences of cyber-attacks, German prosecutors allege a ransomware attack on a hospital caused the death of a patient.
- In other stories this week, Shopify deals with an incident caused by rogue employees, and patching Zerologon remains a priority.
Prosecutors open case of negligent homicide after ransomware attack
- German prosecutors have opened a homicide investigation into a ransomware attack on the University of Düsseldorf’s main hospital that took place in early September. The perpetrators exploited a vulnerability in a Citrix virtual private network (VPN) appliance before deploying the ransomware payload.
- The encryption process affected the hospital’s main IT systems, reducing its capacity to take in emergency (casualty) patients. A critically ill patient was redirected to a hospital approximately 25-30 km away and later died.
- The case represents the first documented cyber security incident which may have directly or indirectly resulted in a fatality.
So what? The case is a pertinent reminder of the potential physical consequences of cyber security incidents. Referred to as ‘silent cyber’ or ‘affirmative cyber’ risks, an increasingly important factor to consider is whether a threat actor can use unauthorised access to corporate networks to cause bodily harm or physical damage to property. While the hospital in this incident appears to have been collateral damage from an attack targeting the university, threat actors continue to target the healthcare and pharmaceutical industries.
Zerologon exploited in the wild, attacks increasing
- Microsoft warns that threat actors are actively exploiting CVE-2020-1472, also known as the Zerologon vulnerability, in attacks in the wild. Not only have threat actors begun to exploit this critical vulnerability in isolated cases, but according to security researchers, the number of attacks has increased significantly over the past week.
- The Zerologon vulnerability enables an unauthenticated threat actor with network access to a domain controller to compromise all Active Directory identity services.
- Threat actors have been observed incorporating this exploit into existing playbooks and modules used in cyber security incidents.
- While Microsoft has not released Zerologon patches for its end-of-life products, the company 0patch has issued a micro-patch for vulnerable Windows servers that no longer receive support, such as Windows Server 2008 R2.
So what for security teams? Mitigation of this vulnerability is a two-step process, depending on your environment. Step one is to deploy the initial patch issued by Microsoft on 11 August Patch Tuesday, which closes the vulnerability for Windows devices as well as for Active Directory domains and trusts. However, to close the vulnerability for third-party devices, security teams need not only to update the domain controllers but also to enable ‘enforcement mode’. Microsoft will roll this setting out automatically in February 2021, but we recommend making the change manually as soon as possible. As always, audit your logs and check whether any suspicious connections are being made to your domain controllers.
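The two checks above (is enforcement mode on, and which devices are still making vulnerable Netlogon connections) can be scripted on a patched domain controller. This is an added example, not part of the S-RM briefing; the FullSecureChannelProtection registry value and the Netlogon event IDs 5827-5831 are taken from Microsoft’s guidance for the August 2020 patch, not from the briefing, and the script assumes it is run in an elevated PowerShell session on the DC.

```powershell
# Added example: Zerologon (CVE-2020-1472) posture check on a patched domain controller.
# Registry value and event IDs are from Microsoft's patch guidance, not from the briefing.

function Get-NetlogonEnforcementState {
    # FullSecureChannelProtection = 1 turns enforcement mode on ahead of the
    # February 2021 automatic rollout. Absent or 0 means the DC is still in the
    # initial deployment phase and vulnerable third-party connections are allowed.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $value = (Get-ItemProperty -Path $key -Name FullSecureChannelProtection `
                 -ErrorAction SilentlyContinue).FullSecureChannelProtection
    [pscustomobject]@{
        EnforcementMode = ($value -eq 1)
        RegistryValue   = if ($null -eq $value) { '<not set>' } else { $value }
    }
}

function Get-VulnerableNetlogonConnections {
    param([int]$Days = 7)
    # After the patch the Netlogon service logs these System-log events:
    #   5827 / 5828  vulnerable connection denied (machine / trust account)
    #   5829         vulnerable connection allowed (initial deployment phase)
    #   5830 / 5831  allowed because a group policy exception exists
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829, 5830, 5831
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                # 5829 entries are the ones to follow up: each is a device still
                # using the vulnerable protocol, either an unpatched legitimate
                # client to fix before enforcement, or an unexpected source to investigate.
                Outcome = if ($_.Id -in 5827, 5828) { 'Denied' } else { 'Allowed' }
                Summary = ($_.Message -split "`r?`n")[0]
            }
        }
}

Get-NetlogonEnforcementState
Get-VulnerableNetlogonConnections |
    Group-Object EventId |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
```

Run it before and after enabling enforcement mode: a non-empty 5829 list with enforcement off tells you which devices would lose access once the setting flips.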
Ransomware against shipping
- In the latest cyber security incident in the maritime industry, the French shipping giant CMA CGM has been hit by a ransomware attack. This means that, since 2017, all four of the maritime industry’s largest shipping companies have been infected with ransomware.
- The company took down its shipping container booking system after its Chinese branches in Shanghai, Shenzhen, and Guangzhou were hit by Ragnar Locker ransomware.
- Threat actors are targeting the corporate networks within ports, such as offices and data centres. These systems manage personnel, email and ship inventories and are used to book containers; they therefore hold critical business data and also control systems that are critical for container management both on and offshore.
So what for security teams? Security teams in the maritime industry need to focus on securing port systems, instead of the less-likely attacks affecting ships at sea. The fact that ransomware has infected all of the Big Four in the maritime industry presents an interesting case study, as this is the only sector where all Big Four companies have been successfully exploited. Cyber criminals have likely analysed the impact of NotPetya on Maersk in 2017 and determined that the exorbitant impact makes shipping companies attractive targets.
Healthcare provider, UHS, suffers ransomware attack
- Universal Health Services, a US healthcare giant, suffered a ransomware attack over the weekend. The provider caters to millions of patients in 400 facilities across the US and UK. According to TechCrunch, sources close to the incident believe that Ryuk ransomware may be the strain responsible.
- Due to the disruption caused by the ransomware, some patients have had to be turned away and emergencies rerouted to other facilities.
- A UHS statement issued Monday said, “No patient or employee data appears to have been accessed, copied or otherwise compromised.”
So what for security teams? Ransomware attacks against healthcare organisations are a serious threat. Last week’s announcement that German police are investigating the death of a woman, who had to be rerouted to another hospital due to a ransomware attack, as a homicide case highlights how detrimental such attacks can be to healthcare organisations. Security teams should have the basics in place to protect against ransomware attacks: securing against the most common initial entry vectors of ransomware – phishing and open RDP ports – and ensuring your organisation has up-to-date backups.
So what for leadership? Healthcare organisations are increasingly targeted by ransomware actors. Ensuring incident response plans are drawn up and rehearsed is one key way leadership at healthcare organisations can ensure that, in the event of an incident, response can be as rapid and effective as possible, minimising the downtime that can be so disruptive to life-saving services.
CISA issues advisory on ransomware
- A new guide published by the Cybersecurity and Infrastructure Security Agency (CISA) and MS-ISAC offers essential recommendations and resources for responding to a ransomware incident.
- The report offers insights and advice from CISA’s incident responders, from recognising initial infection vectors to best practices when handling an incident.
So what for leadership? As this week’s set of stories shows, ransomware continues to be a growing threat affecting many sectors. The CISA guide lays out the essential steps leadership and security teams should be taking to protect their organisation. The guide highlights that the infection vector for ransomware is typically a successful phishing attack or an internet-facing vulnerability or misconfiguration, rather than “fancier” vectors such as zero-day exploits. Every organisation should seek to protect itself from these common entry vectors.
Investigation and debate around Tyler Technologies ransomware attack
- Tyler Technologies, a provider of software to US state and federal governments, suffered a ransomware attack on Wednesday 23 September. Ongoing investigations have revealed suspicious logins and previously unseen remote access tools (RATs) on the company’s networks.
- Given Tyler Technologies’ public sector customers, suggestions have been made that ransomware might be being deployed “to sow chaos and uncertainty” as the US heads into November’s election, according to a New York Times article. However, other commentators have warned against hasty conclusions and the importance of responsibly reporting on, and not conflating, intelligence, particularly in an election year.
So what? Ransomware is certainly a disruptive, highly prominent threat at present. In theory it could be used to disrupt an election process, though there is little hard intelligence to suggest that this reflects the current situation on the ground. Regarding Tyler Technologies, while the company does support public sector organisations, as Kim Zetter points out, it is “overstating” to call the company a provider of election software.
Shopify discloses incident, perpetrated by two employees
- Last week, the online retailer Shopify disclosed that it was working with the FBI to investigate a data breach. The incident appears to have occurred when two Shopify support team members accessed and tried to obtain customer transaction details from Shopify merchants.
- The employees in question had their access to Shopify networks cut off, and the investigation is ongoing.
So what for leadership? This is another case of an “insider threat” leading to a cyber incident. Last month’s revelation that a Russian cybercrime group had sought to recruit a Tesla employee to deploy malware similarly highlighted the dangers posed by malicious insiders. Insider threats can be mitigated by implementing strong access controls and carrying out background checks on new employees.
Indicators of compromise
The Indicators of Compromise (IOCs) below offer a snapshot of the forensic artefacts currently known to be associated with some of the campaigns discussed in this week's set of stories.
Zerologon: increased attacks targeting domain controllers
Emotet heightened spam activity
The security researcher collective Cryptolaemus (@Cryptolaemus1) continues to be a prime resource for Emotet IOCs: