Overview of security incidents for the period from 21 to 27 August 2021
New ransomware, serious additions to cybercriminal arsenals, APT attacks, and the compromise of routers and Microsoft Exchange servers through the much-discussed ProxyShell and PetitPotam vulnerabilities
Less than a week after the incident at the American telecom operator T-Mobile, a data set allegedly containing the personal data of 70 million customers of AT&T, the largest US telecommunications company, was put up for sale on a hacker forum. The starting price of the AT&T database is $200,000, with fragments of it available for $30,000; the whole set can be bought outright for $1 million. Judging by a small sample posted on the forum, the data includes customer names, addresses, phone numbers, dates of birth and social security numbers.
A week ago, SecurityLab reported on vulnerabilities in the Realtek SDK affecting hundreds of thousands of smart devices from 65 vendors. It has now become known that these vulnerabilities are already being exploited by operators of the notorious Mirai DDoS botnet. According to the security company SAM, the attacks began three days after the vulnerability details were published by researchers at IoT Inspector.
The new LockFile ransomware group encrypts entire Windows domains: it first compromises Microsoft Exchange servers through the notorious ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) and then takes over the domain controller through PetitPotam (CVE-2021-36942), an NTLM relay technique that coerces the domain controller into authenticating to an attacker-controlled host. Little is known about LockFile so far. The ransomware was first seen in July 2021; on the systems it attacked it left a ransom note in a file named LOCKFILE-README.hta, and since last week reports of LockFile attacks have multiplied. When encrypting files, the ransomware appends the .lockfile extension to the file name. For defenders the practical point is that both steps of the chain are patchable: the ProxyShell fixes shipped in the April and May 2021 Exchange security updates, and the August 2021 Windows updates together with Microsoft's AD CS hardening guidance in KB5005413 address PetitPotam.
Specialists from Palo Alto Networks' Unit 42 reported on four ransomware groups at once that pose a serious threat to enterprises and critical infrastructure: LockBit 2.0, HelloKitty, AvosLocker and Hive.
In turn, the US Federal Bureau of Investigation released its first public notice describing in detail how ransomware affiliate groups operate. The publication is an important step by the FBI toward clarifying how the cybercrime ecosystem actually works.
Brazil's largest clothing retail chain, Lojas Renner, suffered a ransomware attack, as a result of which some of its IT systems were unavailable. Lojas Renner did not disclose details of the attack, but according to one Brazilian blog the RansomExx ransomware group may be behind it.
The Ragnarok (Asnarök) ransomware group announced the end of its activities and released a free utility to recover encrypted files. The decryptor, with the master key embedded, was published on Thursday, August 26, on the group's darknet portal, where it had previously leaked the data of victims who refused to pay. Several security researchers have examined the decryptor and confirmed that it is genuine; they are now analysing the tool in detail with the aim of rewriting it into a safe and easy-to-use version, which will then be published on Europol's NoMoreRansom portal.
Kaspersky Lab experts described a large-scale Trojan-dropper campaign recorded in April 2021. The dropper, dubbed Swarez, was distributed under the guise of 15 popular video games: Among Us, Battlefield 4, Battlefield V, Control, Counter-Strike: Global Offensive, FIFA 21, Fortnite, Grand Theft Auto V, Minecraft, NBA 2K21, Need for Speed Heat, PLAYERUNKNOWN'S BATTLEGROUNDS, Rust, The Sims 4 and Titanfall 2. The company's products recorded attempts to download such files in 45 countries, including Russia.
Cybersecurity researchers at AT&T Alien Labs reported a discovered cluster of Linux ELF binaries identified as modifications to the open-source PRISM backdoor. Attackers have used the backdoor in several campaigns over the past three years.
The financially motivated cybercriminal group FIN8 has also acquired a new backdoor. According to Bitdefender, the group broke into the network of a US financial institution and installed a new backdoor named Sardonic. During the attack the backdoor was deployed and executed on the compromised systems in a three-stage process: a PowerShell script, a .NET loader, and a shellcode loader. As the researchers explained, the PowerShell script is copied to the compromised system manually, while the loaders are delivered automatically.
Cybersecurity experts at antivirus company ESET have discovered the SideWalk modular backdoor used by an APT group called SparklingGoblin. This backdoor has a lot in common with the CROSSWALK backdoor used by the group. SparklingGoblin primarily targets the academic sector in East and Southeast Asia but has also shown an increased interest in education in Canada, media companies in the US, and at least one unnamed computer company in the US.
This week also brought new reports on hacking tools from the Israeli commercial spyware maker NSO Group. In a new report, researchers at the Citizen Lab at the University of Toronto described a previously unknown iOS vulnerability that is exploited with no user interaction at all (a zero-click exploit). According to the report, the exploit, named FORCEDENTRY, has been used since February 2021 in attacks on several activists and dissidents in Bahrain.
Specialists at Trend Micro reported that NSO Group's commercial Pegasus spyware is being used as a lure by cybercriminals in phishing campaigns. According to the researchers, the Confucius group recently ran a phishing campaign aimed at the Pakistani military; it was discovered during a broader Trend Micro investigation into Confucius.
Specialists from Intel 471 lifted the curtain on how the ShinyHunters cybercriminal group, which is behind a series of high-profile data leaks, conducts its operations. According to the new Intel 471 report, the group closely scrutinises companies' source code in GitHub repositories for weaknesses that could be exploited to launch larger attacks.
Fox News journalist Jackie Heinrick, citing her source, reported that a cyberattack had been carried out on the US State Department.
"The State Department has been cyberattacked," the journalist wrote. She added that the attack may have happened "a couple of weeks ago". According to the journalist, the Pentagon's Cyber Command had sent a notice of a possible serious breach. At the same time, she clarified that the scale of the attack, as well as the scale of the investigation into the alleged perpetrators, "remain unclear". It is also unknown what measures were taken to mitigate the impact of the cyberattack and what the "current risks to operations" are.
Opponents of the political regime in Belarus announced a very daring cyber operation in which dozens of Ministry of Internal Affairs databases were compromised. Over the past few weeks, hackers calling themselves the Belarusian Cyber-Partisans have published a considerable part of the stolen data, which they say includes classified information. According to Bloomberg News, the material contains lists of Interior Ministry informers, personal data of high-ranking officials and intelligence officers, video collected from police drones and from security cameras in correctional facilities, and even recordings of secret telephone conversations. The stolen data also includes details about the close associates of Alyaksandr Lukashenka and the top intelligence leadership.