This week in security news in review, we have reporting on the Avaddon ransomware gang closing down, Google releasing a new framework for preventing software supply chain attacks, and a new piece of malware that blocks its victims from visiting piracy sites. These and other stories in this week’s edition of the cyber news you need to know.
Ukrainian Police Nab Six Tied to CLOP Ransomware
Ukrainian authorities this week arrested and charged six people who allegedly had ties to the CLOP ransomware gang. CLOP is one of several ransomware families that encrypts files and then demands payment for the digital key needed to restore access. Over the past six months, CLOP has exploited four zero-day vulnerabilities in Accellion’s File Transfer Appliance (FTA) to target Accellion customers including U.S. grocery chain Kroger, the law firm Jones Day, security firm Qualys, and the Singaporean telecom giant Singtel. The CLOP gang has also adopted double extortion, demanding a ransom not only for the decryption key but also for a promise not to publish the files it stole.
A Framework to Halt Supply Chain Attacks?
The team at Google has proposed a software development framework called Supply-chain Levels for Software Artifacts (SLSA, pronounced “salsa”), with the goal of halting software supply chain attacks. The framework aims to secure the software development and deployment pipeline, from source through build to publication, and to mitigate threats that arise from tampering with source code or with the build process along that path. Google developed the framework in the wake of the SolarWinds and Codecov incidents. SLSA is inspired by Google’s own internal Binary Authorization for Borg, which verifies the provenance of code before it is deployed and enforces code identity.
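The provenance check that SLSA builds on can be shown in miniature. The following is an added example, not code from Google or the SLSA project: it constructs an in-toto statement in the shape of the SLSA provenance v0.1 predicate (builder id, recipe, materials) for a made-up artifact, then checks that the artifact’s digest is listed as a subject, that the builder is one we trust, and that the build recipe came from the expected source repository. The builder id, repository URL and artifact bytes are all invented for illustration, and a real verifier would first check the signature on the envelope carrying the statement, which this example omits.

```python
import hashlib

SLSA_PROVENANCE_V01 = "https://slsa.dev/provenance/v0.1"

# Constructed artifact and provenance statement; the builder, repository and
# digests are made up for this example and are not real release data.
ARTIFACT = b"#!/bin/sh\necho 'hello from build 42'\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "hello.sh", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": SLSA_PROVENANCE_V01,
    "predicate": {
        # Identity of the build service that produced the artifact (hypothetical).
        "builder": {"id": "https://builder.example.com/ci@v1"},
        # The recipe points at the material that held the build definition.
        "recipe": {
            "type": "https://builder.example.com/build@v1",
            "definedInMaterial": 0,
            "entryPoint": "build.yaml",
        },
        # Inputs to the build: here a single source checkout (hypothetical).
        "materials": [
            {
                "uri": "git+https://git.example.com/hello@refs/heads/main",
                "digest": {"sha1": "0" * 40},
            }
        ],
    },
}

# Policy: which builders we accept and where the build recipe must come from.
TRUSTED_BUILDERS = {"https://builder.example.com/ci@v1"}
EXPECTED_SOURCE_PREFIX = "git+https://git.example.com/hello@"


def verify_provenance(artifact, statement, trusted_builders, expected_source_prefix):
    """Check an artifact against a SLSA v0.1 provenance statement.

    Returns (ok, reasons): ok is True only when every check passes, and
    reasons lists each failed check so the caller can log why a deploy was refused.
    """
    reasons = []

    if statement.get("predicateType") != SLSA_PROVENANCE_V01:
        reasons.append("unexpected predicateType")

    # The artifact we hold must be one of the subjects the builder attested to.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        reasons.append("artifact digest not in subject list")

    predicate = statement.get("predicate", {})

    # Only builds from a builder we trust count as provenance at all.
    builder_id = predicate.get("builder", {}).get("id")
    if builder_id not in trusted_builders:
        reasons.append(f"untrusted builder: {builder_id}")

    # The build definition must have come from the repository we expect,
    # which is what stops a build of attacker-supplied source from passing.
    materials = predicate.get("materials", [])
    recipe_index = predicate.get("recipe", {}).get("definedInMaterial")
    if not isinstance(recipe_index, int) or not 0 <= recipe_index < len(materials):
        reasons.append("recipe does not point at a material")
    elif not materials[recipe_index].get("uri", "").startswith(expected_source_prefix):
        reasons.append("build recipe came from unexpected source")

    return (not reasons, reasons)


if __name__ == "__main__":
    print(verify_provenance(ARTIFACT, PROVENANCE, TRUSTED_BUILDERS, EXPECTED_SOURCE_PREFIX))
    # A tampered artifact no longer matches the attested subject digest.
    print(verify_provenance(ARTIFACT + b"# backdoor\n", PROVENANCE,
                            TRUSTED_BUILDERS, EXPECTED_SOURCE_PREFIX))
```

The point of the materials check is that a provenance statement is only useful if policy also pins what the build was allowed to consume; an attacker who controls the source repository but not the builder would otherwise obtain perfectly valid provenance for a backdoored build.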
Avaddon Calls It Quits
After landing squarely in the crosshairs of law enforcement in both the United States and Australia, the Avaddon ransomware gang appears to have thrown in the proverbial towel. This week it released 2,934 decryption keys to Lawrence Abrams’ Bleeping Computer, about a month after the Australian Cyber Security Centre and the U.S. Federal Bureau of Investigation published an alert about the criminal gang. The group apparently spent the days following that alert collecting as much ransom as it could before shutting down operations.
CVS Health Data Exposure Due to Cloud Misconfigurations
News came out this week that more than a billion CVS Health records were exposed online as the result of a cloud misconfiguration. According to Threatpost, WebsitePlanet and researcher Jeremiah Fowler revealed the discovery of the internet-exposed database belonging to CVS Health. The database had no form of authentication in place and was not password-protected in the slightest. CVS Health, which said the database is managed by a third party, stated that it contained no personally identifiable information, but the data, which included device information, prescription data, and some email addresses, could easily have been used for targeted phishing against the people whose addresses appeared in it. An internet-facing datastore with no authentication at all is precisely the kind of misconfiguration that access controls and routine exposure scanning of cloud assets are meant to catch.
Cyberattack Takes Down Carnival Cruises for Second Time in a Year
Carnival Corp, the parent company of Carnival Cruises, has experienced its second major cyberattack in a little over a year. In a data breach letter first reported by Bleeping Computer, Carnival said that unauthorized third-party access to a “limited number” of email accounts was detected in mid-March. “It appears that in mid-March, the unauthorized third-party gained access to certain personal information relating to some of our guests, employees and crew,” SVP and chief communications officer Roger Frizzell reportedly said. “The impacted information includes data routinely collected during the guest experience and travel-booking process, or through the course of employment or providing services to the company, including COVID or other safety testing.”
Ransomware Gangs Purchase Initial Access from Other Criminals
Ransomware gangs are increasingly turning to other criminals who plant backdoors in corporate networks and then license that access in exchange for a share of the ransom proceeds. These initial access brokers (IABs) occupy an interesting niche in the cybercriminal landscape. They typically gain their foothold with first-stage malware such as The Trick (TrickBot), Dridex, or Buer Loader, then hand the access they have established to the crews that actually deploy the ransomware. As a result, it is rare for ransomware itself to be distributed directly by email; the email-borne loader is the way into the network, and the ransomware arrives later through that access.
New Malware Blocks Pirate Websites
A newly revealed malware family is unusual in its target: pirate websites. The booby-trapped downloads report on the people who fetch them and try to prevent further unauthorized downloads. Dubbed “Vigilante” because it takes aim at software piracy, the malware modifies victims’ computers so they can no longer reach thepiratebay.com or up to 1,000 other piracy sites.