Morphisec Cybersecurity Blog

Security News In Review: Ryuk Ransomware Gets a Makeover

Written by Nuni Snowden | April 24, 2021 at 1:00 PM

In this week’s roundup, we look at new tactics from threat actors, ongoing cyberattacks, and (surprisingly) the new depths ransomware operators will sink to in order to make their victims pay. Keep reading to learn about the latest developments in cybersecurity.

Ryuk’s operators have devised new strategies -- The operators of the Ryuk ransomware have switched their tactics. To gain initial access to a victim network, these threat actors now target remote desktop connections that are exposed on the public internet. Targeted phishing emails that deliver their malware also appear to remain a favored initial infection vector. Ryuk’s operators are one of the longest-running ransomware groups and are known as tough negotiators. It is estimated that they have collected at least $150 million in ransoms, with one victim paying $34 million to restore their systems.

Security Bugs Are Actively Under National Attack -- According to the U.S. National Security Agency (NSA), the advanced persistent threat (APT) group known as APT29 (a.k.a. Cozy Bear or The Dukes) is conducting “widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.” The targets include U.S. and allied national-security and government networks. Researchers warned that the five bugs under active attack are known, fixed security holes in platforms from Citrix, Fortinet, Pulse Secure, Synacor and VMware that organizations should patch immediately. Details are included below.

  • CVE-2018-13379 Fortinet FortiGate SSL VPN (path traversal)
  • CVE-2019-9670 Synacor Zimbra Collaboration Suite (XXE)
  • CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN (arbitrary file read)
  • CVE-2019-19781 Citrix Application Delivery Controller and Gateway (directory traversal)
  • CVE-2020-4006 VMware Workspace ONE Access (command injection)

Google’s Project Zero Gives Developers a 30 Day Grace Period -- Google’s Project Zero, a team of dedicated security engineers tasked with reducing the number of “zero-day” vulnerabilities across the internet, says it will give developers an extra 30 days before disclosing vulnerability details in order to give end users time to patch their software. A Project Zero spokesperson said, “The goal of the 2021 update is to make the patch adoption timeline an explicit part of its vulnerability disclosure policy. This 90+30 policy gives vendors more time than our current policy, as jumping straight to a 60+30 policy (or similar) would likely be too abrupt and disruptive.” In layman’s terms, developers will still have 90 days to fix bugs, but Project Zero will wait another 30 days before it discloses the details of the bug publicly. Additionally, if a flaw is being actively exploited in the wild, a company will have seven days to issue a patch, plus a three-day grace period if requested; Project Zero will then wait 30 days before it discloses technical details.

A ransomware gang with a PR strategy -- The Babuk ransomware gang has launched a public relations campaign, saying it has repaired a defect in the decryptor it provides to victims who pay the ransom demand. While a ransomware group launching a PR campaign may sound surprising to some, cybersecurity veterans are not shocked in the slightest. Philip Reitinger, president and CEO of the Global Cyber Alliance, says as much, pointing out that the gang is simply taking steps in the hope of getting more victims to pay a ransom.

"Ransomware gangs want victims to believe that paying the money means getting your data back and preventing a leak. That's clearly a 'business imperative' for them, and in that regard, I'm not surprised that the blog was written or by its content, which is focused on these two issues," he says.

The second-largest auto insurance provider in the U.S. has sprung a leak -- Threat actors stole driver’s license numbers from customers of GEICO for nearly two months earlier this year through a security flaw on its website that has since been fixed. GEICO disclosed the vulnerability in a data breach notice filed earlier this month with the California attorney general’s office. GEICO advised customers to review any mailings from their state’s unemployment agency and to contact the agency if there is any chance fraud is being committed. The company also offered affected customers a one-year subscription to IdentityForce, a third-party identity-theft monitoring service that also provides $1 million in identity-theft insurance, as well as restoration services.

Cyberattacks on Japanese aerospace companies exploit fatal flaw -- According to Japanese authorities and cybersecurity experts, revelations of cyberattacks targeting about 200 mainly aerospace companies in Japan show an intent to exploit software weaknesses before they could be fixed. The hackers appear to have launched a so-called zero-day attack, in which vulnerabilities unknown to the target companies are exploited. A suspect, who has not been convicted, worked at a Chinese state-owned telecom company and is believed to have been involved in cyberattacks against around 200 companies and research institutions between 2016 and 2018.

Someone Tried To “Bite” The Apple -- A major Apple supplier is enduring a ransomware attack from a Russian operator claiming to have stolen blueprints of the U.S. company’s latest products. The ransomware group REvil, also known as Sodinokibi, published a blog post on the dark web early on Tuesday in which it claimed to have infiltrated the computer network of Quanta Computer Inc. Based in Taiwan, the company is a key supplier to Apple, manufacturing mostly MacBooks. It also produces goods for the likes of HP Inc., Facebook Inc., and Alphabet Inc.’s Google. REvil is now attempting to shake down Apple in its effort to profit from the stolen data. It has asked Apple to pay the ransom by May 1, as first reported by Bleeping Computer. Until then, the hackers will continue to post new files every day, REvil said on its blog. Apple has declined to comment.

Attackers Are Cryptojacking Exchange Servers -- Cybercriminals are now loading cryptomining malware onto vulnerable Microsoft Exchange servers, according to a new report from Sophos. The cybersecurity firm said an unknown attacker has been attempting to leverage the ProxyLogon exploit “to foist a malicious Monero cryptominer onto Exchange servers with the payload being hosted on a compromised Exchange server.” According to Sophos, the attacker has lost several servers but has gained new ones to make up for the early losses.

The SolarWinds Supply Chain Compromise Saga Continues -- According to a recent alert from the Cybersecurity and Infrastructure Security Agency and the Cyber National Mission Force of U.S. Cyber Command, Russia-based nation-state threat actors were recently tied to two newer malware variants leveraging the widespread SolarWinds Orion supply chain compromise for a host of nefarious activities. The malware variants are referred to as SUNSHUTTLE and SOLARFLARE, and they have been attributed to the Russian Foreign Intelligence Service. The joint alert preceded another federal agency warning that Russian-backed attackers were targeting five known vulnerabilities. To mitigate the threat, the federal researchers urged organizations to assess their systems for indicators of compromise.

Here’s a Good Reason To Avoid 3rd Party Software -- Threat actors are turning their focus to cheaper, easier targets within an organization's supply chain, usually reached through third-party suppliers. This tactic has only grown over time, especially as businesses increasingly acquire software from external suppliers. Last month, the personal details of 30,000 individuals in Singapore might have been illegally accessed following a breach that targeted a third-party vendor of the Employment and Employability Institute (e2i), a job-matching organization. Earlier this year, the personal data of 580,000 Singapore Airlines (SIA) frequent flyers as well as 129,000 Singtel customers were also compromised through third-party security breaches. The threat will only get more complex as remote work grows in popularity. Business leaders are currently discussing ways to mitigate these risks.

South Korea is a favorite target for Lazarus -- Lazarus is a state-sponsored advanced persistent threat (APT) group from North Korea, known as one of the most prolific and sophisticated APTs out there. It has been in operation for over a decade and is considered responsible for attacks worldwide, including the WannaCry ransomware outbreak, bank thefts, and assaults against cryptocurrency exchanges. South Korea is one of its favorite targets and suffered an attack on April 13th.

Google’s Newest Chrome Update Patches Vulnerabilities -- Google on Wednesday released version 90.0.4430.85 of the Chrome browser for Windows, Mac, and Linux. The update contains seven security fixes, including one for a zero-day vulnerability that was exploited in the wild. The advisory thanked five researchers for their contributions and added that Google’s own ongoing security work was responsible for a wide range of fixes.

Impersonations Are Becoming Increasingly Common -- Attackers are promoting sites impersonating the Microsoft Store, Spotify, and an online document converter that distribute malware to steal credit cards and passwords saved in web browsers. The campaign was discovered by cybersecurity firm ESET, which issued a warning yesterday on Twitter to be on the lookout for it. Insidiously, the lures take many forms, including a chess app and a Spotify link.