The S-RM Cyber Threat Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.
- VPNs not always so private. Hacker exploits vulnerability CVE-2018-13379 to steal 50,000 credentials of Fortinet VPN users in the latest security incident targeting VPN providers.
- Ransomware causes a storm. The Brazilian government is recovering from a ransomware attack that brought the Superior Electoral Court’s systems to a standstill for over two weeks.
- In other news this week, Facebook has forked out over USD 11.7 million for its bug bounty program since 2011, QBot observed dropping Egregor ransomware payloads, and the US Congress passes an IoT cyber security bill.
Not-so-private: Fortinet VPNs targeted
- A threat actor posted a data dump on a hacking forum that contained the user credentials, including plaintext passwords, of at least 50,000 Fortinet VPN users. The threat actor exploited Fortinet VPNs that had not been patched to prevent the exploitation of CVE-2018-13379. Despite Fortinet asking its customers to patch this vulnerability in 2019, many did not do so.
- The incident is not the first large data breach affecting VPNs in 2020. In July, more than 1.2 terabytes of information was stolen from seven VPN providers, affecting at least 20 million users in Hong Kong alone.
So what for security teams? While positioning remote access services behind a VPN does improve security, it is important to be aware of security vulnerabilities in unpatched VPNs. As such, we recommend keeping up to date with the latest threat intelligence regarding your respective VPN provider and making sure that updates are being pushed out as soon as possible.
Brazilian Superior Electoral Court system brought down for two weeks by ransomware
- After two weeks of standstill, the Brazilian Superior Electoral Court is back up and running, having been brought down by a ransomware attack. The attack took place on 3 November 2020 and rendered systems totally unusable for more than 24 hours.
- The recovery process, which involved regaining network access and restoring systems from back-ups, required support from security professionals from eight vendors, including Microsoft and Atos.
- While the minister for the Superior Electoral Court notes that they had not suffered a similar attack previously, they understand that their technology architecture needs to be constantly reviewed.
So what? 2020 has seen the rise of ransomware cases across all industries; this case highlights that sectors which cannot tolerate downtime for extended periods are attractive targets for ransomware operators. Recovery will have come at a great cost, both in terms of money and downtime. To prepare for these types of scenarios, organisations can run tabletop exercises to simulate the decisions that would be required in a real situation.
QuakBot banking trojan observed dropping Egregor ransomware
- In November 2020, the banking trojan QBot or QuakBot was observed dropping Egregor in a recent ransomware incident. Several banking trojans have been involved in Egregor ransomware cases since the strain became active in mid-September, including IcedID, Ursnif, Zloader and QakBot.
- Banking trojans have increasingly pivoted from simply stealing banking credentials to the more profitable enterprise of dropping ransomware payloads. As such, we frequently see attack chains that begin with two banking trojans, move on to the penetration testing toolkit Cobalt Strike, and end with the deployment of the ransomware.
So what for security teams? QBot is the latest in a long-term trend of banking trojans partnering with ransomware groups. While banking credential theft used to be a lucrative scam, ransomware cases can result in payouts of several million USD. Given the importance of banking trojans in the attack chain, it is more important than ever to make sure you have an endpoint detection and response (EDR) solution that can detect threats based on heuristic and behavioural analysis.
Facebook bug bounty spend passes USD 11.7 million
- This week, Facebook announced that it has spent more than USD 11.7 million on bug bounty programs since 2011. Bug bounty programs reward security researchers for finding vulnerabilities and reporting them to organisations in a secure manner, allowing time for remediation before adversaries discover and exploit the same vulnerabilities.
- One of the most notable vulnerabilities was found in Messenger for Android by Google Project Zero. This vulnerability could have allowed an attacker to establish an audio connection to the targeted device while making a call to that device, without the victim’s interaction.
So what for leadership? It is common for large technology companies to offer rewards to security researchers for finding vulnerabilities. Smaller organisations that can’t afford these sorts of programs can instead implement a penetration testing program that covers all critical public-facing applications and infrastructure.
Tesla fob proves a hacker’s keys to the kingdom; US Congress passes an IoT bill
- A vulnerability in the key-fob of Tesla Model X cars has been identified. A Belgian security researcher has shown how hackers could overwrite and hijack the coding of the Tesla Model X key-fob, to then steal the car. Tesla has promised Model X owners it is issuing a fix this week.
- The news comes in the same week as the US government passed the Internet of Things (IoT) Cybersecurity Improvement Act. The legislation seeks to enhance the safeguards of internet-connected devices – known as the internet of things. The legislation directs the US Commerce Department’s National Institute of Standards and Technology to establish security requirements for any IoT manufacturer, such as manufacturers of sensors for temperature control, smart speakers, and smart cars.
So what? Internet of Things (IoT) devices, such as smart cars and their key-fobs, can be a source of new vulnerabilities, emphasising the need to apply cyber security thinking beyond desktops and mobile phones. With the IoT revolution, any device, once connected to the internet, becomes part of the attack surface available to hackers. The new US government bill will challenge manufacturers of smart devices to step up their security game. Security teams too should recognise the risks IoT devices can introduce to their organisation and fold them into their risk assessments, patching cadences, and penetration test exercises.
COVIDSafe, but not spy safe?
- Australian intelligence agencies “incidentally” collected COVID-19 tracing app data. A report from the Australian government’s inspector general (IG) has said that data from Australia’s COVIDSafe contact-tracing app had been “incidentally” caught up in the “course of lawful collection of other data” by Australia’s intelligence agencies.
- A spokesperson for the IG said that the incidental collection happens when “it is not possible or not practicable to collect the data covered by the warrant without also inadvertently collecting COVIDSafe app data.” While collection occurred, the IG has said that this data was not decrypted, accessed, or used.
So what? This story highlights that even when intelligence agencies are not pursuing a dataset, the interconnected nature of the internet and how data flows could mean that data is nonetheless swept up in collection efforts. The United Nations this week, incidentally, issued a warning that the use of data and technology to help fight the pandemic could, if abused, violate “fundamental human rights and freedoms.”
Indicators of compromise
The Indicators of Compromise (IOCs) below offer a snapshot of the forensic artefacts currently known to be associated with some of the campaigns discussed in this week's set of stories.
A sample of SHA-1 hashes for Qbot trojan:
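Added example, not part of the S-RM briefing or its IOC list: a Python script a defender could use to sweep a directory tree for files whose SHA-1 matches a published IOC list, such as the Qbot hashes referred to above. The IOC value it carries is a constructed placeholder derived from a harmless byte string, not a real Qbot hash; swap in the briefing's hashes to use it for real. It normalises hash lists (case, surrounding whitespace, malformed entries), streams large files rather than reading them into memory, and skips unreadable files instead of aborting the sweep.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample content. Its SHA-1 stands in for a published IOC so the
# script can be demonstrated offline; it is NOT a real Qbot indicator.
SAMPLE_BYTES = b"constructed sample file for IOC matching demo, not malware"

# Placeholder IOC list. Hash lists from briefings are often mixed-case and
# padded with whitespace, which normalise_iocs() handles below.
PLACEHOLDER_IOCS = {
    "  " + hashlib.sha1(SAMPLE_BYTES).hexdigest().upper() + "  ",
}


def normalise_iocs(raw):
    """Return a set of lower-case 40-hex-char SHA-1 strings, dropping malformed entries."""
    clean = set()
    for entry in raw:
        h = entry.strip().lower()
        if len(h) == 40 and all(c in "0123456789abcdef" for c in h):
            clean.add(h)
    return clean


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries need not fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs):
    """Walk `root` and return {file path: sha1} for every file matching an IOC."""
    wanted = normalise_iocs(iocs)
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                h = sha1_of_file(path)
            except OSError:
                # Locked or permission-denied files are skipped, not fatal.
                continue
            if h in wanted:
                hits[str(path)] = h
    return hits


def build_demo_tree(root):
    """Write two constructed files: one benign, one matching the placeholder IOC."""
    root = Path(root)
    (root / "benign.txt").write_bytes(b"ordinary document contents")
    sub = root / "downloads"
    sub.mkdir()
    (sub / "sample.bin").write_bytes(SAMPLE_BYTES)
    return root


def demo():
    """Run the sweep over a temporary constructed tree and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return sweep(tmp, PLACEHOLDER_IOCS)


if __name__ == "__main__":
    for path, digest in demo().items():
        print(f"IOC match: {path} sha1={digest}")
```

In practice the IOC set would be loaded from the briefing's hash list and the sweep pointed at user download and temp directories; because hash matching only catches known samples, it complements rather than replaces the behavioural EDR detection recommended in the QBot story above.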