1. Ransomware gang threatens to leak stolen data if victims contact law enforcement
- In the course of its attacks, Ragnar Locker, one of the most notorious ransomware groups, has threatened to leak all data stolen from victims who seek help from law enforcement agencies, including the Federal Bureau of Investigation (FBI). The group claims that incident investigators and recovery experts often collaborate with law enforcement agencies.
- According to Ragnar Locker, the warning also applies to victims that attempt to involve incident investigation and recovery experts to help with decryption and negotiation processes.
- Although the ransomware group is known for encrypting victims’ systems via manually deployed payloads, it is also known for conducting deep reconnaissance on a victim beforehand. This helps the group understand the scale of the computing resources, including backup infrastructure, that it plans to attack. Thus far, Ragnar Locker has attacked companies in the aviation and chip manufacturing industries, demanding up to $11 million in ransom payment.
Expert Commentary: The cybersecurity industry has learned to collaborate with public and private parties to combat ransomware attackers. Such collaboration often involves global law enforcement agencies, whose primary goal is to restore normalcy. However, law enforcement agencies, especially the FBI and INTERPOL, have recently applied more pressure than before on ransomware prevention, detection, and recovery. Frequently, the recovery part of the process causes threat actors to lose out on ransom payments or even leads to their capture and imprisonment. It is therefore no surprise that ransomware actors are trying to deter organizations from seeking outside help. Despite these threats, the FBI and other security incident recovery experts remain an integral part of the ransomware recovery process, because it is in the U.S. national interest to disrupt ransomware campaigns targeting private and public entities.
2. REvil ransomware gang is back in action
- To date, REvil accounts for more than 23% of the ransomware attacks discovered in August 2021 – more than any other known ransomware group. After exploiting zero-day vulnerabilities in Kaseya’s remote management software and demanding a $70 million ransom payment, REvil ransomware actors faced heightened pressure from global law enforcement agencies and the U.S. government following President Biden’s meeting with Russia’s President Putin about Russian-based ransomware attacks.
- Law enforcement and diplomatic pressure forced the ransomware gang to abandon their attack infrastructure abruptly, including their Tor servers, negotiation portal, and blog site. However, after a two-month hiatus, security researchers discovered that dark web servers and the blog belonging to the REvil ransomware gang surprisingly came back online this week.
- REvil’s absence created a massive gap in the cyberthreat landscape that no other ransomware group could fill, given the demand among affiliates for REvil’s unique attack techniques and malicious codebase.
Expert Commentary: The REvil ransomware gang is one of the top 2 most lethal cyber-attackers known in the industry today. They are known to have attacked at least 360 U.S.-based organizations in 2021 alone, and a global network of attackers leverages their tactics, techniques, procedures, and technologies. Shutting down their operation in July 2021 was therefore most likely an attempt to buy time while the pressure cooled off. If this return is the same REvil gang that attacked the Kaseya and JBS networks, using the same attack infrastructure, law enforcement agencies would most likely capture them in short order, since security researchers and law enforcement agencies are now very well-versed in their attack tactics.
3. A new zero-day attack leverages Microsoft Office documents to target Windows users
- Microsoft recently warned users about a zero-day vulnerability being actively exploited in the wild. The vulnerability affects Internet Explorer (IE), and threat actors are exploiting it through weaponized Microsoft Office documents that load content via IE to hijack vulnerable Windows systems.
- Security experts have found that threat actors exploit the vulnerability by creating a malicious ActiveX control, which a crafted Office document uses to pull poisoned web-based content into the document.
- Thus far, the affected Microsoft Office tools include Word, Excel, and PowerPoint. Accounts with fewer user rights are typically not the intended target of this exploit; accounts with administrative rights are the prime targets, as threat actors use stolen administrative access to conduct privilege escalation and lateral movement on a victim’s network.
Expert Commentary: Although this exploit is actively occurring in the wild, the attackers appear to be chaining logic flaws to exploit the vulnerability reliably, which dangerously raises the success rate of attacks against Microsoft Office deployments. While Microsoft works to deliver a patch, the identity of the threat actors is currently unknown. This remote code execution zero-day has been assigned the identifier CVE-2021-40444 under the MITRE Common Vulnerabilities and Exposures (CVE) program, and it carries a severity score of 8.8 (high severity). Until a patch arrives, users can blunt the current exploit by running Microsoft Office in its default configuration, which opens content downloaded from the internet only in Protected View, so that untrusted files cannot access trusted resources on a compromised network.
4. The Atlassian Confluence exploit impacts the most popular open-source automation system, the Jenkins server
- Threat actors gained access to internal infrastructure owned and operated by the Jenkins project, maintainer of one of the most widely used open-source automation servers. The Jenkins developers disclosed that the attackers used the latest Atlassian Confluence flaw to breach their internal servers.
- The developers noticed malicious activity within their infrastructure after discovering a Monero crypto-miner using their computing resources for unauthorized crypto-mining. However, according to Jenkins, the security incident did not affect their source code, plugins, or product releases.
- Due to the mass usage of the Atlassian Confluence platform to collaborate across critical business operations, a treasure trove of sensitive business information, as well as supply-chain details, could be leveraged for follow-on attacks against companies providing services within the U.S. critical infrastructure sectors and beyond.
Expert Commentary: This security incident is one of many breaches resulting from the recent exploitation of the authentication bypass and command injection bug in Atlassian’s Confluence server. About 15,000 Atlassian Confluence servers are currently reachable over the internet, and security researchers estimate that (as of September 5th, 2021) about 8,597 of them remain vulnerable. Despite the availability of a security patch and warnings issued by U.S. Cyber Command, many organizations have failed to implement patching processes that would secure their computing infrastructure. Unfortunately, the incident affecting the Jenkins project is just another example of the consequences of not having a robust security patching cadence. In cases like these, an automated patching cadence is key to preventing widespread exploits from compromising critical projects associated with popular open-source tools such as Jenkins.
5. Threat actors leak passwords for 500,000 Fortinet VPN accounts
- A threat actor known as ‘Orange,’ formerly of the Babuk ransomware gang, revealed a list of access credentials belonging to 500,000 Fortinet VPN users. The leaked credentials include Fortinet VPN login passwords and usernames, most likely scraped from exploitable devices.
- Although Fortinet has released a patch for the underlying vulnerability, the threat actor claims that most of the stolen credentials are still valid, which makes this leak a severe issue. Threat actors typically use VPN credentials to access otherwise protected network environments to install malware, exfiltrate data, and even facilitate ransomware attacks.
Expert Commentary: Recently, the security industry has experienced the effects of power struggles within ransomware groups, leading many members to go rogue and leak valuable hacker details, including attack playbooks and sometimes stolen artifacts. The split caused by the dispute within the Babuk ransomware gang birthed a new ransomware gang known as Groove. Leaking 500,000 Fortinet VPN account credentials is this new group’s way of introducing itself to the world. As VPNs remain an essential tool for ongoing remote work, we will see more emboldened attacks targeting VPN infrastructure. Fortinet VPN server administrators should therefore assume that the stolen credentials are valid. They should immediately perform a forced reset of all user credentials and inspect the VPN logs for signs of intrusion.
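As an added illustration of the log inspection and forced-reset tracking the commentary recommends (example code written for this digest, not Fortinet's and not the author's), the Python script below parses a handful of constructed VPN log lines, flags successful logins by accounts that appear on a leaked-credential list when the login happened after the leak became public and before that account's forced reset, notes whether the source address is new for that account, and lists leaked accounts still awaiting a reset. The simplified key=value log format, the usernames, the addresses, the leak time and the reset times are all constructed assumptions and do not reproduce Fortinet's actual log schema.

```python
"""Triage of VPN authentication logs against a leaked-credential list.

Added example, not code from the digest above. Every log line, username,
address and timestamp here is constructed for illustration, and the
key=value log format is an assumption rather than Fortinet's real schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed: usernames that appeared in the leaked credential list.
LEAKED_ACCOUNTS = {"jdoe", "asmith", "svc_backup"}

# Constructed: when the leak became public. Successful logins by leaked
# accounts after this point, and before their forced reset, deserve review.
LEAK_PUBLISHED = datetime(2021, 9, 7, 0, 0, tzinfo=timezone.utc)

# Constructed: accounts whose passwords were already force-reset, with the reset time.
RESET_AT = {"asmith": datetime(2021, 9, 8, 9, 0, tzinfo=timezone.utc)}

# Constructed sample log lines in a simplified key=value style (assumption).
SAMPLE_LOGS = """\
date=2021-09-06 time=08:15:02 action=tunnel-up user="jdoe" remip=203.0.113.10 msg="SSL tunnel established"
date=2021-09-07 time=22:41:17 action=tunnel-up user="jdoe" remip=198.51.100.77 msg="SSL tunnel established"
date=2021-09-08 time=03:05:44 action=ssl-login-fail user="svc_backup" remip=198.51.100.77 msg="SSL user failed to log in"
date=2021-09-08 time=03:06:10 action=tunnel-up user="svc_backup" remip=198.51.100.77 msg="SSL tunnel established"
date=2021-09-08 time=10:30:00 action=tunnel-up user="asmith" remip=192.0.2.5 msg="SSL tunnel established"
date=2021-09-08 time=11:00:00 action=tunnel-up user="bjones" remip=192.0.2.9 msg="SSL tunnel established"
"""

LINE_RE = re.compile(r'date=(\S+) time=(\S+) action=(\S+) user="([^"]*)" remip=(\S+)')


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    date, time_, action, user, remip = m.groups()
    ts = datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "action": action, "user": user, "remip": remip}


def triage(log_text, leaked=LEAKED_ACCOUNTS, leak_time=LEAK_PUBLISHED, reset_at=RESET_AT):
    """Return suspicious successful logins and leaked accounts still pending reset."""
    events = [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]

    # Baseline: source addresses each user connected from before the leak.
    known_ips = defaultdict(set)
    for ev in events:
        if ev["ts"] < leak_time and ev["action"] == "tunnel-up":
            known_ips[ev["user"]].add(ev["remip"])

    suspicious = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["user"] not in leaked or ev["action"] != "tunnel-up":
            continue
        reset = reset_at.get(ev["user"])
        # Window of exposure: after the leak, before the account was reset.
        if ev["ts"] >= leak_time and (reset is None or ev["ts"] < reset):
            suspicious.append({
                "user": ev["user"],
                "ts": ev["ts"].isoformat(),
                "remip": ev["remip"],
                "new_source": ev["remip"] not in known_ips[ev["user"]],
            })

    pending_reset = sorted(u for u in leaked if u not in reset_at)
    return {"suspicious": suspicious, "pending_reset": pending_reset}


if __name__ == "__main__":
    report = triage(SAMPLE_LOGS)
    for f in report["suspicious"]:
        flag = " (new source address)" if f["new_source"] else ""
        print(f"REVIEW {f['user']} at {f['ts']} from {f['remip']}{flag}")
    print("still pending forced reset:", ", ".join(report["pending_reset"]))
```

The script treats a login as worth reviewing only inside the exposure window (after the leak, before that account's reset), which keeps the review list focused; a login from an address the account never used before the leak is a stronger signal and is flagged separately. Run against real exports, the regular expression and the field names would need to follow the appliance's actual log schema.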