
Cyber Threat Intelligence Briefing: 2 October 2020

Tyler Oliver, Mona Damian 2 October 2020

CYBER INCIDENT RESPONSE: PERSPECTIVES FROM INSIDE THE RISK ECOSYSTEM

In our latest report, we examine a cyber incident from the perspective of several key stakeholders

Download Report

The S-RM Cyber Threat Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.

OVERVIEW

  • Ransomware galore. A number of high-profile ransomware attacks this week underscore that this threat is here to stay, causing significant disruption across industries.
  • Cyber casualty. In a reminder of the physical consequences of cyber-attacks, German prosecutors allege a ransomware attack on a hospital caused the death of a patient.
  • In other stories this week, Shopify deals with an incident caused by rogue employees, and patching Zerologon remains a priority.


Security Round-up

Prosecutors open case of negligent homicide after ransomware attack
  • German prosecutors have opened a homicide investigation into a ransomware attack on the University of Düsseldorf’s main hospital that took place in early September. The perpetrators exploited a vulnerability in a Citrix virtual private network (VPN) before deploying the ransomware payload.
  • The encryption process affected the hospital’s main IT systems, reducing its capacity to intake casualty patients. A critically ill patient was redirected to a hospital approximately 25-30 km away and later died.
  • The case represents the first documented cyber security incident which may have directly or indirectly resulted in a fatality.

So what? The case is a pertinent reminder of the potential physical consequences of cyber security incidents. Referred to as ‘silent cyber’ or ‘affirmative cyber’ risks, an increasingly important factor to consider is whether a threat actor can use unauthorised access to corporate networks to cause bodily harm or physical damage to property. While the hospital in this incident appears to have been collateral damage from an attack targeting the university, threat actors continue to target the healthcare and pharmaceutical industries.

Zerologon exploited in the wild, attacks increasing
  • Microsoft warns that threat actors are actively exploiting CVE-2020-1472, also known as the Zerologon vulnerability, in attacks in the wild.[1] Not only have threat actors begun to exploit this critical vulnerability in isolated cases, but according to security researchers, the number of attacks has increased significantly over the past week.[2]
  • The Zerologon vulnerability enables an unauthenticated threat actor with network access to a domain controller to compromise all Active Directory identity services.
  • Threat actors have been observed incorporating this exploit into existing playbooks and modules used in cyber security incidents.
  • While Microsoft has not released Zerologon patches for its end-of-life products, the company 0patch has issued a micro-patch for vulnerable Windows servers that no longer receive support, such as Windows Server 2008 R2.

So what for security teams? Mitigating this vulnerability is a two-step process, depending on your environment. Step one is to deploy the initial patch Microsoft issued on 11 August Patch Tuesday, which fixes the vulnerability for Windows devices as well as Active Directory domains and trusts. However, to close the vulnerability for third-party devices, security teams need not only to update the domain controllers but also to enable ‘enforcement mode’. Microsoft will switch this setting on automatically in February 2021, but we recommend making the change manually as soon as possible. As always, audit your logs and check whether any suspicious connections are being made to your domain controllers.
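The following PowerShell script is an added example, not part of the S-RM briefing and not a Microsoft tool. It covers the second and third steps above on a domain controller that already carries the August 2020 (or later) Netlogon update: it reports whether enforcement mode is on, and it summarises the Netlogon events 5827 to 5831 that the patched service writes so you can find devices still making vulnerable secure-channel connections. The registry value, event IDs and log location are the ones Microsoft documents for this update; the `$LookbackDays` parameter and the `SamAccountName` field match on the event text are assumptions to adjust for your environment. Run it in an elevated session on each domain controller.

```powershell
# Added example (not from the S-RM briefing, not a Microsoft tool): report the
# Zerologon (CVE-2020-1472) mitigation state on a patched domain controller and
# list the devices still using vulnerable Netlogon secure-channel connections.
# Run elevated on each DC. $LookbackDays is an assumption; change as needed.
param([int]$LookbackDays = 7)

# Registry value that puts Netlogon into enforcement mode (1 = enforce).
# Absent or 0 = deployment mode: vulnerable connections are logged, not denied.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$regName = 'FullSecureChannelProtection'
$value   = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
if ($value -eq 1) {
    Write-Output 'Netlogon: enforcement mode ON (vulnerable connections are denied)'
} else {
    Write-Output "Netlogon: deployment mode (vulnerable connections only logged). Set $regName=1 once the 5829 events below are cleared."
}

# Event IDs the patched Netlogon service writes to the System log.
$meaning = @{
    5827 = 'Denied: vulnerable connection from machine account'
    5828 = 'Denied: vulnerable connection from trust account'
    5829 = 'Allowed (deployment mode): vulnerable connection - device still needs fixing'
    5830 = 'Allowed by group policy exception: machine account'
    5831 = 'Allowed by group policy exception: trust account'
}
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = @($meaning.Keys)
    StartTime    = (Get-Date).AddDays(-$LookbackDays)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No Netlogon 5827-5831 events in the last $LookbackDays days."
    return
}

# Count per event ID so the scale of the problem is visible at a glance ...
$events | Group-Object Id | ForEach-Object {
    [PSCustomObject]@{
        EventId = [int]$_.Name
        Count   = $_.Count
        Meaning = $meaning[[int]$_.Name]
    }
} | Sort-Object EventId | Format-Table -AutoSize

# ... then the distinct accounts behind the 5829 events. The event text carries a
# 'Machine SamAccountName:' line (assumed field label; check one event on your build).
$events | Where-Object Id -eq 5829 | ForEach-Object {
    if ($_.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] }
} | Sort-Object -Unique
```

Any account that still appears under event 5829 is a device that will stop authenticating once enforcement mode is switched on, so the list is the work queue: update or replace the device, or record a deliberate group policy exception (which then surfaces as 5830/5831) before setting `FullSecureChannelProtection` to 1.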

Ransomware against shipping
  • In the latest cyber security incident in the maritime industry, the French shipping giant CMA CGM has been hit by a ransomware attack. This means that, since 2017, all four of the maritime industry’s largest shipping companies have been infected with ransomware.[3]
  • The company took down its shipping container booking system after its Chinese branches in Shanghai, Shenzhen, and Guangzhou were hit by Ragnar Locker ransomware.
  • Threat actors are targeting the corporate networks within ports, such as offices and data centres. These systems manage personnel, email and ship inventories and are used to book containers; as such they hold critical business data and also control systems that are critical for container management both onshore and offshore.

So what for security teams? Security teams in the maritime industry need to focus on securing port systems, instead of the less-likely attacks affecting ships at sea. The fact that ransomware has infected all of the Big Four in the maritime industry presents an interesting case study, as this is the only sector where all Big Four companies have been successfully exploited. Cyber criminals have likely analysed the impact of NotPetya on Maersk in 2017 and determined that the exorbitant impact makes shipping companies attractive targets.

Healthcare provider, UHS, suffers ransomware attack
  • Universal Health Services, a US healthcare giant, suffered a ransomware attack over the weekend. The provider caters to millions of patients in 400 facilities across the US and UK. According to TechCrunch, sources close to the incident believe that Ryuk ransomware may be the strain responsible.[4]
  • Due to the disruption caused by the ransomware, some patients have had to be turned away and emergencies rerouted to other facilities.[5]
  • A UHS statement issued Monday said, “No patient or employee data appears to have been accessed, copied or otherwise compromised.”

So what for security teams? Ransomware attacks against healthcare organisations are a serious threat. Last week’s announcement that German police are investigating, as a homicide case, the death of a woman who had to be rerouted to another hospital because of a ransomware attack highlights how detrimental such attacks can be to healthcare organisations. Security teams should have the basics in place to protect against ransomware attacks: securing the most common initial entry vectors for ransomware – phishing and open RDP ports – and ensuring your organisation has up-to-date backups.

So what for leadership? Healthcare organisations are increasingly targeted by ransomware actors. Ensuring incident response plans are drawn up and rehearsed is one key way leadership at healthcare organisations can ensure that, in the event of an incident, response can be as rapid and effective as possible, minimising the downtime that can be so disruptive to life-saving services.

CISA issues advisory on ransomware
  • A new guide published by the Cybersecurity and Infrastructure Security Agency (CISA) and MS-ISAC offers essential recommendations and resources for responding to a ransomware incident.
  • The report offers insights and advice from CISA’s incident responders, from recognising initial infection vectors to best practices when handling an incident.[6]

So what for leadership? As this week’s set of stories shows, ransomware continues to be a growing threat affecting many sectors. The CISA guide lays out the essential steps leadership and security teams should be taking to protect their organisation. It highlights that the infection vector for ransomware is typically a successful phishing attack or an internet-facing vulnerability or misconfiguration, rather than “fancier” vectors such as zero-day exploits. Every organisation should seek to protect itself from these common entry vectors.

Investigation and debate around Tyler Technologies ransomware attack
  • Tyler Technologies, a provider of software to US state and federal governments, suffered a ransomware attack on Wednesday 23 September. Ongoing investigations have revealed suspicious logins and previously unseen remote access tools (RATs) on the company’s networks.[7]
  • Given Tyler Technologies’ public sector customers, suggestions have been made that ransomware might be deployed “to sow chaos and uncertainty” as the US heads into November’s election, according to a New York Times article.[8] However, other commentators have warned against hasty conclusions and stressed the importance of responsibly reporting on, and not conflating, intelligence, particularly in an election year.[9]

So what? Ransomware is certainly a disruptive, highly prominent threat at present. Theoretically, it could be used to disrupt an election process, though there is a lack of hard intelligence suggesting that this reflects current facts on the ground. Regarding Tyler Technologies, while the company does support public sector organisations, as Kim Zetter points out,[10] it is “overstating” to call the company a provider of election software.

Shopify discloses incident, perpetrated by two employees
  • Last week, the online retailer Shopify disclosed that it was working with the FBI to investigate a data breach. The incident appears to have occurred when two Shopify support team members accessed and tried to obtain customer transaction details from Shopify merchants.[11]
  • The employees in question had their access to Shopify networks cut off, and the investigation is ongoing.

So what for leadership? This is another case of an “insider threat” leading to a cyber incident. Last month’s revelation that a Russian cybercrime group had sought to recruit a Tesla employee to deploy malware similarly highlighted the dangers posed by malicious insiders. Insider threats can be mitigated by implementing strong access controls and carrying out background checks on new employees.

Indicators of compromise

The Indicators of Compromise (IOCs) below offer a snapshot of the forensic artefacts currently known to be associated with some of the campaigns discussed in this week's set of stories.

Zerologon: increased attacks targeting domain controllers

File hashes (SHA-256):
  • c4a97815d2167df4bdf9bfb8a9351f4ca9a175c3ef7c36993407c766b57c805b
  • 24d425448e4a09e1e1f8daf56a1d893791347d029a7ba32ed8c43e88a2d06439
  • b9088bea916e1d2137805edeb0b6a549f876746999fbb1b4890fb66288a59f9d

Emotet heightened spam activity

The security researcher collective Cryptolaemus (@Cryptolaemus1) continues to be a prime resource for Emotet IOCs.

Latest URLs (defanged):
  • hxxp://bangkokcityjewel.com/cgi-bin/statement/sj6594562982750fucb18uggdz
  • hxxp://goldcoastoffice365.com/temp/RAr9U
  • hxxp://ibda.adv.br/inc/statement/nwjpre/g2352704995562durgmxn7zzs9me1/
  • hxxp://sff3d.com/3d/5ups3a48qp/30j87884959455bgf63z6vv4u7aalmvw1/

Active hashes (SHA-256):
  • 62367f1d017e4c3535c13696a526f07bac7a4458721e1a420fa635749ac3ab77
  • 03878a541866eb10cf8e70299def43611594d575982bec266f7fb9ea9f7bd49f
  • afb6bfa98f289a3459898b87e24a1df45720ae93bc240b1554d3e0254720a049
  • 9923a500d9596146dbce8fd49d4fe1237a4868abf40425c1989d1a5972fb6116
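The script below is an added example of how a security team might sweep for the indicators published above; it is not part of the S-RM briefing and not a Cryptolaemus tool. It embeds the hashes and defanged URLs from this page, matches file SHA-256 values under a folder against the hash list, and matches hostnames taken from the defanged URLs against proxy log lines. Matching on the hostname rather than the full URL means the URLs never need to be refanged and other paths on the same server are still caught. The scan path and the three sample log lines are constructed assumptions; replace them with your own paths and log export.

```powershell
# Added example (not from the S-RM briefing): sweep local artefacts for the
# IOCs published in this week's briefing. Scan path and sample log lines are
# constructed assumptions.

# Hashes as published (SHA-256, 64 hex characters each).
$iocHashes = @(
    # Zerologon: increased attacks targeting domain controllers
    'c4a97815d2167df4bdf9bfb8a9351f4ca9a175c3ef7c36993407c766b57c805b',
    '24d425448e4a09e1e1f8daf56a1d893791347d029a7ba32ed8c43e88a2d06439',
    'b9088bea916e1d2137805edeb0b6a549f876746999fbb1b4890fb66288a59f9d',
    # Emotet active hashes
    '62367f1d017e4c3535c13696a526f07bac7a4458721e1a420fa635749ac3ab77',
    '03878a541866eb10cf8e70299def43611594d575982bec266f7fb9ea9f7bd49f',
    'afb6bfa98f289a3459898b87e24a1df45720ae93bc240b1554d3e0254720a049',
    '9923a500d9596146dbce8fd49d4fe1237a4868abf40425c1989d1a5972fb6116'
)

# Emotet URLs exactly as published (defanged with hxxp).
$iocUrls = @(
    'hxxp://bangkokcityjewel.com/cgi-bin/statement/sj6594562982750fucb18uggdz',
    'hxxp://goldcoastoffice365.com/temp/RAr9U',
    'hxxp://ibda.adv.br/inc/statement/nwjpre/g2352704995562durgmxn7zzs9me1/',
    'hxxp://sff3d.com/3d/5ups3a48qp/30j87884959455bgf63z6vv4u7aalmvw1/'
)

# Take only the host out of each defanged URL: no refanging, and any path on
# the same server still matches.
$iocHosts = $iocUrls | ForEach-Object {
    if ($_ -match '^hxxps?://([^/]+)') { $Matches[1].ToLower() }
} | Sort-Object -Unique

function Find-IocHashHits {
    param([Parameter(Mandatory)][string]$Path)
    # Case-insensitive set so hashes reported in upper case by Get-FileHash still match.
    $set = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($h in $iocHashes) { [void]$set.Add($h) }
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -and $set.Contains($hash)) {
            [PSCustomObject]@{ Indicator = $hash.ToLower(); File = $_.FullName }
        }
    }
}

function Find-IocHostHits {
    param([Parameter(Mandatory)][string[]]$LogLines)
    foreach ($line in $LogLines) {
        foreach ($h in $iocHosts) {
            # Boundary checks so 'sff3d.com' does not match 'notsff3d.com' or 'sff3d.com.example'.
            $pattern = '(?<![\w.-])' + [regex]::Escape($h) + '(?![\w-])'
            if ($line -match $pattern) {
                [PSCustomObject]@{ Indicator = $h; Line = $line }
            }
        }
    }
}

# Constructed sample proxy log lines (not real traffic): the first and third
# should hit, the second should not.
$sampleLog = @(
    '2020-10-01T09:12:03Z 10.0.4.17 GET http://goldcoastoffice365.com/ 200',
    '2020-10-01T09:12:09Z 10.0.4.17 GET https://www.example.com/ 200',
    '2020-10-01T09:13:44Z 10.0.4.22 POST http://ibda.adv.br/inc/ 404'
)

Write-Output '--- Hostname hits in sample log ---'
Find-IocHostHits -LogLines $sampleLog | Format-Table -AutoSize

Write-Output '--- SHA-256 hits under scan path (assumed path) ---'
Find-IocHashHits -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

To run the host check over a real export, read the file with `Get-Content` and pass the lines to `Find-IocHostHits`; for the hash sweep, point `Find-IocHashHits` at mail attachment or download folders rather than the whole disk, since Get-FileHash over a large tree is slow and a hash-only sweep will in any case miss samples that have been repacked since these indicators were published.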

References

[1] ‘Microsoft says it detected active attacks leveraging Zerologon vulnerability’, ZDNet, 24 September 2020.

[2] ‘Zerologon Attacks Against Microsoft DCs Snowball in a Week’, Threatpost, 29 September 2020.

[3] ‘All four of the world's largest shipping companies have now been hit by cyber-attacks’, ZDNet, 28 September 2020.

[4] ‘Healthcare giant UHS hit by ransomware attack, sources say’, TechCrunch, 28 September 2020.

[5] ‘UHS hospital network hit by ransomware attack’, ZDNet, 28 September 2020.

[6] ‘Ransomware Guide September 2020’, CISA and MS-ISAC, 30 September 2020.

[7] ‘Suspicious logins reported after ransomware attack on US govt contractor’, ZDNet, 28 September 2020.

[8] ‘Ransomware Attacks Take On New Urgency Ahead of Vote’, The New York Times, 27 September 2020.

[9] ‘Responsibly Reporting Wretched Ransomware’, Stranded on Pylos, 29 September 2020.

[10] Kim Zetter, Twitter, 24 September 2020.

[11] ‘Shopify discloses security incident caused by two rogue employees’, ZDNet, 23 September 2020.

To discuss this article or other industry developments, please reach out to one of our experts.

Tyler Oliver, Director
Mona Damian, Senior Analyst
