1. The U.S. DOJ Takes Down NetWalker Ransomware Attacker
- The U.S. Department of Justice (DOJ) issued rare charges against a member of the notorious ransomware group, NetWalker. The NetWalker threat group is responsible for multi-million dollar ransomware attacks against global healthcare infrastructures, utility facilities, university campuses, etc.
- Although the DOJ announced charges against Sébastien Vachon-Desjardins (a Canadian citizen), whose direct contributions to the NetWalker ransomware operation netted him a profit of $27 million, its long-term goal is to enhance collaborative efforts with international law enforcement agencies to disrupt NetWalker’s operations for good.
- In a recent show of collaborative efforts, authorities in Bulgaria seized several Dark Web resources belonging to the NetWalker ransomware group, as well as computers and other attacker communication systems.
SME Comments: NetWalker is one of the most notorious and fastest-growing ransomware groups in the world. It targets critical infrastructure in the United States by using advanced encryption techniques to encrypt Windows machines, then demands a ransom payment in Bitcoin. Victims who fail to meet the ransom demands often experience data leakage and follow-on social engineering attacks, as NetWalker has been known to auction off stolen data.
2. Hezbollah’s Cyber Threat Group Compromised Global ISPs and Telecom Infrastructures
- Security researchers discovered that Volatile Cedar, an APT group believed to be linked to the Lebanese Hezbollah Cyber Unit, has been quietly running cyberespionage operations against communications infrastructure around the world.
- Volatile Cedar is known to attack organizations based in the U.S., Egypt, Israel, Lebanon, Saudi Arabia, and the Palestinian Authority.
- In a recent incident, forensic experts discovered that Volatile Cedar compromised more than 250 Oracle and Atlassian servers belonging to companies in the mobile communications and internet services industry. Once command and control of the compromised servers was established, the threat actors leveraged various open-source tools, such as JSP file browser and GoBuster, to perform lateral movement and privilege escalation across a target’s network.
SME Comments: Although Volatile Cedar has only been operational for 3 years, its attack goals include passive intelligence gathering and theft of sensitive data. Leveraging a customized remote access trojan (RAT) payload named ‘Explosive,’ Volatile Cedar’s attack methodology involves targeting publicly facing web servers using automated and manual vulnerability discovery tools.
3. Blind TCP/IP Hijacking Returns to Windows 7
- Windows 7 reached its end of life in January 2020, which marked the end of regular security updates. However, 1 in 4 PC users are still running Windows 7, exposing their sensitive data to several cyber threats and risks, including TCP/IP hijacking.
- In 2012, security researchers notified Microsoft of Windows 7’s susceptibility to TCP/IP hijacking. Although Microsoft deemed the vulnerability “very difficult to exploit,” threat actors have since been observed hijacking established TCP/IP sessions to facilitate malicious botnet operations.
- Due to the sophisticated encryption mechanisms Microsoft implemented in Windows 8, threat actors are limited in their ability to access the upper-layer structure of the OS.
SME Comments: Blind TCP/IP hijacking is a very prevalent man-in-the-middle attack methodology used by threat actors to take command and control of a victim’s infrastructure. Although the official end of life for the Windows 7 OS was one year ago, threat actors will most likely continue to deploy this attack mechanism successfully against users who are still running Windows 7 systems, which account for a 25% share of the OS market. Fortunately, the blind TCP/IP attack methodology is not as damaging as it was years ago, because modern protocols carry stronger encryption.
4. USCellular’s CRM Software is Compromised
- The mobile network operator USCellular disclosed that it recently suffered a major data breach after attackers compromised its CRM systems and gained access to customers’ sensitive data. Employees at the company’s retail stores were tricked into downloading malicious software designed to steal specific personally identifiable information (PII).
- The software provided attackers with remote access to the stores’ computer systems. When employees logged into the CRM, the attackers were potentially able to view and access customers’ information, including wireless accounts, phone numbers, service plans, and billing statements.
- Although specific details of this attack are unknown, USCellular assured customers that their Social Security numbers and credit card information are ‘safe’ because of data segmentation implemented within the compromised CRM system.
SME Comments: Although the source of this data breach is currently unknown, this attack is another attempt to gain access to USCellular’s ‘crown jewels’ through its trusted CRM software. It is therefore imperative for organizations to equip their employees with a robust security awareness training program to help minimize the probability and impact of security incidents.
5. Trickbot Has Returned with Renewed Sophistication
- In late 2020, a coalition of cybersecurity companies led by Microsoft, together with the U.S. government, disrupted Trickbot’s large-scale infrastructure. However, Trickbot appears to be back with renewed vigor and highly sophisticated methods for launching precise and scalable phishing attacks.
- Trickbot started as a banking trojan but later became very popular among cybercriminals, owing mainly to its modular structure. Its efficient attack infrastructure allows attackers to launch a variety of automated cyber-attacks at once, including credential theft.
- Additionally, the newly deployed Trickbot can rapidly propagate itself across a target network while obfuscating its attack path. Trickbot has historically targeted the legal and insurance industries in North America.
- The current attacks appear to target North American users at insurance and legal companies. The payloads connect to domains known to spread Trickbot malware, indicating that the malware is once again active with fresh phishing attacks.
SME Comments: Unlike previous Trickbot campaigns that used weaponized email attachments, this one encourages users to click phishing links that redirect them to a compromised server, which delivers a malicious payload. This new Trickbot malware can be deployed as a loader for other malware, including strains of Ryuk ransomware.