Ransomed Companies = Ransomed Customers, Unpatched Cyber Infrastructure Targeted Worldwide and Rust Leaks
1. European Commission and E.U. Organizations Hit By a Massive Cyber Attack
- The European Commission’s spokesperson revealed that the Commission, alongside several other E.U. organizations, was the victim of a targeted and sophisticated cyberattack in March 2021. The attack likely affected critical IT infrastructure used to support sensitive government operations.
- While a full forensic analysis is still under way, the European Commission asserted that no critical data breaches have been detected so far. The Commission has nonetheless established 24/7 security monitoring and is actively taking mitigating measures.
- The European Banking Authority (EBA) and the European Medicines Agency (EMA) were also attacked, in January 2021 and March 2021 respectively. As a result, the EBA had to take down all of its email systems, while the EMA’s COVID-19 vaccine database was leaked online.
Expert Commentary: The security incidents targeting critical agencies and sectors within the European Union since January 2021 bear the hallmarks of Advanced Persistent Threat (APT), i.e. state-sponsored, actors. Although no specific threat actor has claimed these attacks, the E.U.’s current diplomatic tensions with the Russian and Chinese governments (on matters ranging from global trade to human rights violations) lead security experts to assess with high confidence that the APT actors most likely originate from Russia and/or China. While the European Union aims to project a united front, it is clear that, like the United States, its critical infrastructure (banking and finance, healthcare, agriculture, etc.) runs on outdated architectures that are easily reachable from the internet.
2. Ransomware Gangs Leverage Unpatched Fortinet VPN Devices
- According to security researchers, threat actors are actively exploiting vulnerabilities in unpatched Fortinet SSL-VPN servers. In this campaign, the actors deploy a ransomware strain called “Cring.”
- In one case, Cring ransomware actors forced a temporary shutdown of an industrial process after they encrypted servers used to control critical production processes. The Cring strain encrypts files using strong encryption algorithms, such as RSA-8192 and AES-128, deletes backup files, and terminates Microsoft Office and Oracle Database processes so that their files can be encrypted.
- The strain is also known as Crypt3r, Vjiszy1lo, Ghost, or Phantom. The exploit allows attackers to breach and encrypt a target’s network, particularly in the industrial manufacturing sector. The FBI and CISA have warned corporate entities to patch this VPN server vulnerability immediately, as it can be leveraged to gain initial access to critical infrastructure.
Expert Commentary: In recent months, Advanced Persistent Threat (APT) actors and cybercriminals have exploited multiple vulnerabilities in Fortinet products, prompting the FBI and CISA to warn against leaving Fortinet products unpatched. Given the sophistication of these attacks, the threat actors focused on Fortinet vulnerabilities tend to use unpatched infrastructure tools to conduct lateral movement across a target’s enterprise network, with the sole purpose of stealing privileged user credentials. When such intrusions are carried out against VPN infrastructure, as in this case, the attacker’s goal is almost always to set up a backdoor for unrestricted and undetected command and control (C2) access.
3. A New Ransomware Trend is Targeting Victims’ Customers
- Security researchers discovered that top ransomware gangs have begun to deploy a new pressure tactic intended to push victim organizations into paying ransom demands. The tactic consists of emailing the victim’s customers and partners to warn them of a potential breach of their data; the goal is to cause public chaos.
- In these emails, the attackers threaten that if the affected company fails to pay the ransom, the customers’ and partners’ data will be sold on the darknet. Recently, the Clop ransomware gang sent such pressure emails to the customers of RaceTrac Petroleum and to individuals associated with the University of California.
- The Clop ransomware gang is one of the few ransomware groups that demand ransom payments not only for encryption keys but also to avoid the sale and distribution of stolen data.
Expert Commentary: Ransomware is here to stay. Whether a company becomes a victim of a ransomware attack is simply a matter of time, because cybercriminals are always developing newer and more sophisticated ransomware techniques to increase their loot. Companies must therefore establish an open line of communication along their supply chain to strengthen the information-sharing channels that mitigate and prevent cybersecurity incidents. As supply chain attacks continue to sweep across industries, vendors and partners must ensure that their security posture is resilient and on par with industry standards.
4. Rust Programming Language Leaks Potentially Sensitive Debug Data
- Today’s threat landscape is heavily focused on software supply chain infrastructure because of its far-reaching impact on both governments and multinational organizations. As Rust takes the top spot as the most-adored programming language, software developers and security experts have raised serious security and privacy concerns about sensitive production data leaking through debug information throughout the DevOps process.
- According to Rust programming language developers, potentially sensitive debug data that reveals the operational health of major software infrastructure is being leaked to unauthorized entities.
- The language retains system-specific information, including absolute file paths of the source code, in the binaries it generates. These pathnames reveal the system username as well as the overall directory structure. This unintended inclusion of metadata poses a serious privacy risk.
- Surprisingly, this DevOps-related data loss is neither documented nor preventable, as none of the workarounds suggested by the Rust developer community seems to work.
Expert Commentary: Data leaks are often one of the lucrative ‘low-hanging fruits’ that threat actors leverage while conducting reconnaissance against a target infrastructure.
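The path leak described above is easy to check for on a defender's side: the embedded source paths are plain strings inside the compiled binary, so a `strings`-style scan for home-directory and toolchain paths reveals whether a release artifact is disclosing usernames and directory layout. The following scanner is an added example written for this digest, not code from the Rust project or from the researchers cited; the sample bytes (an ELF-like header, a `/home/alice/...` path, a `C:\Users\bob\...` path and a `/rustc/PLACEHOLDER_COMMIT_HASH/...` path) are constructed and do not come from a real build.

```python
import re
import sys
from typing import Dict, List, Set

# Constructed stand-in for the bytes of a Rust debug build. The paths are
# invented for illustration; PLACEHOLDER_COMMIT_HASH is not a real toolchain id.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/home/alice/projects/inventory-api/src/main.rs\x00"
    + b"called `Result::unwrap()` on an `Err` value\x00"
    + b"/rustc/PLACEHOLDER_COMMIT_HASH/library/std/src/panicking.rs\x00"
    + b"C:\\Users\\bob\\build\\inventory-api\\src\\db.rs\x00"
    + b"/usr/lib/libc.so.6\x00"
    + b"\x90\x90\x90"
)

# Patterns for paths that disclose a username or the build machine's layout.
# Group 1, where present, captures the username.
PATH_PATTERNS = [
    # POSIX home directories: /home/<user>/... and macOS /Users/<user>/...
    re.compile(rb"(?:/home|/Users)/([^/\x00]+)/[^\x00]*"),
    # Windows profile directories: <drive>:\Users\<user>\...
    re.compile(rb"[A-Za-z]:\\Users\\([^\\\x00]+)\\[^\x00]*"),
    # rustc's own source tree as embedded in std panic locations; leaks the
    # toolchain build id rather than a username, but still fingerprints the build.
    re.compile(rb"/rustc/[0-9A-Za-z_]+/[^\x00]*"),
]


def printable_strings(data: bytes, min_len: int = 8) -> List[bytes]:
    """Mimic the `strings` tool: runs of printable ASCII at least min_len long."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def find_leaked_paths(data: bytes) -> List[Dict[str, str]]:
    """Return every embedded path that matches one of PATH_PATTERNS.

    Each finding is {"path": <full match>, "user": <username or "">}.
    """
    findings: List[Dict[str, str]] = []
    for s in printable_strings(data):
        for pattern in PATH_PATTERNS:
            m = pattern.search(s)
            if m:
                user = m.group(1).decode("ascii", "replace") if m.groups() else ""
                findings.append({
                    "path": m.group(0).decode("ascii", "replace"),
                    "user": user,
                })
                break  # one finding per string is enough
    return findings


def leaked_usernames(data: bytes) -> Set[str]:
    """Distinct usernames recoverable from the embedded paths."""
    return {f["user"] for f in find_leaked_paths(data) if f["user"]}


def scan_file(path: str) -> List[Dict[str, str]]:
    """Scan a real artifact on disk (e.g. target/debug/<crate>) the same way."""
    with open(path, "rb") as fh:
        return find_leaked_paths(fh.read())


if __name__ == "__main__":
    # With no argument, scan the constructed sample; otherwise scan the given file.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for finding in find_leaked_paths(data):
        tag = f" (user: {finding['user']})" if finding["user"] else ""
        print(f"leaked path: {finding['path']}{tag}")
```

Run it against a freshly built debug binary to see what a release pipeline would ship; a clean result after applying the team's chosen path-remapping workaround is the check that the workaround actually took effect for that build, which is exactly the point the community reports above dispute.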
5. Vulnerabilities in NSA Application Revealed
- Security researchers disclosed five critical vulnerabilities in Emissary, an open-source, peer-to-peer (P2P) workflow application developed by software engineers at the U.S. National Security Agency (NSA). Most of the discovered vulnerabilities affect the Java web functionality of the application, which runs on a multi-tiered P2P network.
- Working with the NSA and security experts, researchers demonstrated how threat actors could launch cross-site request forgery (CSRF) attacks against a legitimate, logged-on user and achieve remote code execution by exploiting an identified code injection vulnerability.
- Furthermore, attackers could exploit cross-site scripting (XSS) flaws to obtain an administrator’s credentials and compromise IT infrastructure such as servers. Against this backdrop, an updated version (v6.1) of the Emissary application was released. However, the mean time to deployment is unknown at this time.
Expert Commentary: Software vulnerabilities are among the most critical threats in cybersecurity today. When successfully exploited, vulnerabilities such as cross-site scripting (XSS), SQL injection, XML External Entities (XXE), etc., can severely impact business continuity. In this case, security researchers found that attackers could chain multiple vulnerabilities to gain access to arbitrary files on the NSA Emissary server. To defend against this class of vulnerability, an automated vulnerability scanner should be used to assess the health of web and mobile applications in the corporate computing environment.
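The CSRF step in the Emissary chain works because the browser attaches the victim's session cookie to any request a third-party page makes the browser send, so an endpoint that authorizes on the cookie alone will act on a forged request. The example below, added for this digest and unrelated to Emissary's actual Java code, puts a cookie-only handler beside a hardened one that additionally requires a state-changing method, an allow-listed `Origin` header and a per-session token echoed back in the form. The `Request` model, the session store and the two origins `https://app.example.test` and `https://evil.example.test` are all invented for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict

# Hypothetical minimal request model (field names are this example's own).
@dataclass
class Request:
    method: str
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)

# Constructed server-side session store: session id -> {"user", "csrf"}.
SESSIONS: Dict[str, Dict[str, str]] = {}

# Constructed allow-list of origins permitted to submit state-changing requests.
ALLOWED_ORIGINS = {"https://app.example.test"}


def new_session(user: str) -> str:
    """Create a session and mint a random per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def vulnerable_handler(req: Request) -> str:
    """Authorizes on the session cookie alone.

    Any page the logged-on user visits can make their browser send this
    request with the cookie attached, so the action runs with their privileges.
    """
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return "401 not logged in"
    return f"200 action run as {sess['user']}"


def hardened_handler(req: Request) -> str:
    """Same action, with three checks a forged cross-site request cannot pass:
    a POST method, an allow-listed Origin, and the per-session token, which a
    foreign page cannot read and therefore cannot include in the form."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return "401 not logged in"
    if req.method != "POST":
        return "405 method not allowed"
    origin = req.headers.get("Origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return "403 bad origin"
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(submitted, sess["csrf"]):
        return "403 bad csrf token"
    return f"200 action run as {sess['user']}"


def demo() -> Dict[str, str]:
    """Run one forged and one genuine request through both handlers."""
    sid = new_session("admin")
    # Forged: the browser attaches the cookie, but the Origin names the foreign
    # site and the form carries no session-bound token.
    forged = Request("POST", cookies={"session": sid},
                     headers={"Origin": "https://evil.example.test"},
                     form={"action": "rotate-keys"})
    # Genuine: same cookie, first-party Origin, token rendered into the form.
    genuine = Request("POST", cookies={"session": sid},
                      headers={"Origin": "https://app.example.test"},
                      form={"action": "rotate-keys",
                            "csrf_token": SESSIONS[sid]["csrf"]})
    return {
        "vulnerable_forged": vulnerable_handler(forged),
        "hardened_forged": hardened_handler(forged),
        "hardened_genuine": hardened_handler(genuine),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The token check alone is sufficient against classic CSRF; the Origin check is cheap defence in depth that also catches a token accidentally leaked into a cross-origin page. Either check is only as good as its placement: every endpoint that changes state, not just the login form, needs it.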