Morphisec Cybersecurity Blog

Ransomware gangs least million ! | Morphisec

Written by Nuni Snowden | July 17, 2021 at 1:00 PM

Wow, what a week. From new incentives to become a cyber defender to new targets for threat actors, this week had it all. We start with the $10 million information bounty currently offered by the US Government and we end with the startling news of the Trickbot comeback. See? This week was wild, so keep reading for the News In Review.

U.S. Offering up to $10 Million for Information to Combat Overseas Ransomware Attacks

The U.S. government will begin offering up to $10 million for information to identify or locate threat actors working on behalf of foreign governments that are trying to cripple the internet operations of American businesses and infrastructure. The new reward was announced as the U.S. faces a growing threat from ransomware attacks. Apparently, ransomware attacks went up by 300% in the last year alone. These attacks on US enterprises are usually from Russia, according to US officials. For more information about the new incentive, click here.

REvil Group Is Missing

The REvil ransomware gang, implicated in the high-profile attacks on JBS and Kaseya, seems to have disappeared. Cybersecurity researchers report that the entirety of the group’s infrastructure, from extortion pages to servers, has gone offline. The group has even closed the pages advertising its services on the dark web, where no trace of it can now be found. Authorities are unsure whether this vanishing act is permanent or part of a larger scheme. To learn more about the missing gang, click here.

SonicWall warns of 'imminent' SMA 100/SRA ransomware attacks

An "imminent ransomware campaign" will impact SonicWall's Secure Mobile Access 100 series and Secure Remote Access products, according to a security advisory from the vendor. SonicWall published a security advisory Wednesday for unpatched and end-of-life (EOL) 8.x firmware versions of its SMA 100 and SRA devices. According to the vendor, threat actors are "actively targeting" and exploiting a known vulnerability in an "imminent ransomware campaign" using stolen credentials. The advisory doesn't identify the vulnerability. Impacted devices include SRA 4600/1600 (EOL 2019), SRA 4200/1200 (EOL 2016), SSL-VPN 200/2000/400 (EOL 2013/2014), and SMA 400/200, supported in "Limited Retirement Mode."

SonicWall issued the following statement: "Threat actors will take any opportunity to victimize organizations for malicious gain. This exploitation targets a long-known vulnerability that was patched in newer versions of firmware released in early 2021. SonicWall immediately and repeatedly contacted impacted organizations of mitigation steps and update guidance. Even though the footprint of impacted or unpatched devices is relatively small, SonicWall continues to strongly advise organizations to patch supported devices or decommission security appliances that are no longer supported, especially as it receives updated intelligence about emerging threats. The continued use of unpatched firmware or end-of-life devices, regardless of vendor, is an active security risk."

To read the full story about the potential attack, click here.

Windows Print Spooler Has A Security Flaw

Microsoft has notified users of another vulnerability in the Windows Print Spooler, just days after addressing the PrintNightmare vulnerability in the same subsystem. The latest bug, tracked as CVE-2021-34481, is a local privilege escalation vulnerability that an attacker can exploit to gain elevated privileges on the machine. Microsoft notes that to successfully exploit the vulnerability, the attacker must have physical access to a victim’s system. This makes the vulnerability less severe than those that can be exploited remotely, such as PrintNightmare. To read more about the vulnerability and what you can do to protect yourself, click here.

Critical Sage X3 RCE Bug Allows Full System Takeovers

Four vulnerabilities afflict the popular Sage X3 enterprise resource planning (ERP) platform, including one critical bug that rates 10 out of 10 on the CVSS vulnerability-severity scale. This is noteworthy because security vulnerabilities in an ERP platform could allow attackers to tamper with or sabotage victims’ business-critical processes and intercept data. Two of the bugs could be chained together to allow complete system takeovers, with potential supply-chain ramifications.

Sage X3 is targeted at mid-sized companies, particularly manufacturers and distributors, that are looking for all-in-one ERP functionality. The system manages sales, finance, inventory, purchasing, customer relationship management, and manufacturing in one integrated ERP software solution. To read the full story about the latest threat to cloud security, click here.

Cyberattacks increased 17% in Q1 of 2020, with 77% being targeted attacks

You read that right. Then again, if you’ve been paying attention it probably doesn’t come as much of a surprise. According to a new Positive Technologies Cybersecurity Threatscape Q1 2021 report, the number of cyberattacks increased by 17% compared to Q1 2020, and compared to Q4 2020, the increase was 1.2%, with 77% being targeted attacks. To read a full summary of the report, click here.

Attackers Exploited 4 Zero-Day Flaws in Chrome, Safari & IE

According to Google, at least two government-backed actors, including one Russian group, used the now-patched flaws in separate campaigns to target the internet browsers. Google researchers discovered one of the two Chrome zero-day flaws (CVE-2021-21166) in February and the other (CVE-2021-30551) in June. Exploits for both of these remotely executable flaws in the Chrome renderer were delivered as one-time links via email to targeted individuals, all of whom were in Armenia. Furthermore, a Russian threat actor — believed to be the same one behind the SolarWinds campaign — was observed delivering an exploit for the WebKit vulnerability (CVE-2021-1844) in a separate credential theft campaign targeting governments and non-governmental organizations in Western Europe. To read the full story of attackers and zero days, click here.

IoT-Specific Malware Infections Jumped 700% Amid Pandemic

New telemetry on Internet of Things (IoT) devices demonstrates a dramatic increase in attacks on those devices during the work-from-home phase of the COVID-19 pandemic. The IoT malware, blocked by Zscaler, represented a 700% increase in activity against these devices compared with data gathered by the security firm before the pandemic. Nearly all of the IoT malware was the infamous Gafgyt and Mirai families, and more than 500 different types of IoT devices, including printers, digital signs, and smart TVs, were communicating with corporate IT networks when waves of employees were working from home amid the pandemic. To read a full summary of the report, click here.

Trickbot makes a comeback with its VNC module for high-value targets

Despite law enforcement actions aimed at eliminating the Trickbot botnet, it continues to evolve. The creators recently released an upgrade for the VNC module, which is used to control infected systems remotely. Although Microsoft and its partners took the TrickBot infrastructure down, its operators sought to restart operations by bringing new command and control (C&C) servers online. To read the full Trickbot timeline, and understand how it affects your enterprise, click the link above.