In the first six months of 2021, many countries were experiencing the worst waves of the COVID-19 pandemic and organisations came under increased strain, both from a business standpoint and a cybercriminal one. Critical infrastructure and enterprises were hit by attacks from disruptive ransomware and the opportunistic exploitation of multiple 0day vulnerabilities by state-sponsored APTs. Ransomware, in particular, has become a pre-eminent cyber threat. Ransom demands have grown; as groups have generated considerable financial resources their attacks have become more challenging to defend against.
A higher number of attacks have been responsible for physical disruption: targeting medical systems – such as the Irish Health Service Executive; the gasoline supply chain – with the Colonial Pipeline incident; and many more. There were several shifts in the macOS threat landscape, which has received more attention from malware and exploit developers. The fraud landscape evolved following the closure of the infamous Joker’s Stash.
#1 Ransomware increases demands
In March, US insurance firm, CNA Financial, suffered a debilitating ransomware attack that impacted business operations and shut down its website and various other critical IT systems. Sources familiar with the incident have said that the attack occurred on 21 March and encrypted over 15,000 devices, including those of employees working remotely. It was later revealed that CNA Financial had fallen victim to a new variant of ransomware called Phoenix Cryptolocker, which may have links (through code overlaps with BitPaymer and WastedLocker) to the gang of Russian cybercriminals known as Evil Corp. CNA has since fully restored its systems and is back to normal operations but reportedly paid a $40 million ransom. This was the second-highest ransom demand known to have been secured – the highest was $50 million demanded from Acer by the REvil group, although this is not known to have been paid. [1, 2, 3, 4, 5]
#2 Attacks on Critical National Infrastructure
Industrial control systems and other operational technology (OT) in the US are attractive targets for advanced persistent threat (APT) groups and cybercriminals alike. In February, the Oldsmar water treatment plant in Tampa, Florida, was the target of a cyberattack that attempted to poison the water supply of 15,000 people in the area. The threat actor tried to increase additives in the water to a dangerous level via a remote TeamViewer connection to the user interface of the industrial control system (ICS). Employees at the water treatment plant safely prevented the attack by cutting the remote connection. In early May, the Colonial Pipeline company was shut down by DarkSide ransomware. We now know that the ransomware was spotted on a “control-room computer”, which indicates the human-machine interfaces (HMI) for the pipeline’s operational technology (OT) and ICS were impacted. This is despite CISA specifying in an advisory that there was no evidence the DarkSide operators moved laterally to encrypt the OT systems themselves. This incident was one of the most disruptive attacks on US critical national infrastructure (CNI) to date. [1, 2, 3, 4, 5]
#3 Microsoft Exchange Servers mass compromised
On 2 March, Microsoft disclosed the active exploitation, by a Chinese threat group dubbed HAFNIUM, of a chain of four 0day vulnerabilities (also known as ProxyLogon) present in Exchange servers. Successful exploitation included the deployment of the ChinaChopper webshell, the theft of locally stored emails, and the installation of additional malware to maintain persistence. Current estimates state that hundreds of thousands of exposed servers are likely to have been compromised, including 30,000 from the United States alone. Multiple security vendors reported HAFNIUM attacks against primarily US-based entities across a number of industry sectors, including infectious disease research, law, higher education, defence, policymakers (think tanks and NGOs), retailers, local governments, universities, engineering firms, telecoms companies, and healthcare are among the most affected. ESET Research disclosed that at least 10 distinct Chinese state-affiliated APT groups have been involved with the exploitation of the Microsoft Exchange servers. This includes Hafnium, LuckyMouse, Tick, Calypso, WinntiGroup, Websiic, Mikroceen, and TontoTeam, as well as other uncategorised clusters. The attacks began on 28 February, suggesting that multiple APTs had access to the exploit details before the patch was released. [1, 2, 3]
#4 0day vulnerability in Accellion FTA exploited
In February, US cloud service provider Accellion has announced that its FTA product will reach end-of-life on 30 April 2021, following its use in the breach of tens of organisations and government agencies worldwide since late December 2020. The first publicly reported case of an organisation being compromised through Accellion FTA was the Reserve Bank of New Zealand, which disclosed a data breach on 10 January. This announcement was followed by disclosures from numerous other organisations, including the Australian Securities and Investments Commission (ASIC), Allens international law firm, the University of Colorado, the Washington State Auditor Office, Singtel, the QIMR Berghofer Medical Research Institute, cybersecurity firm Qualys, Jones day, Danaher, Fugro, Kroger, ABS Group, and Bombardier. US cybersecurity firm, Mandiant, found that this incident was linked to two clusters of activity leveraging Cl0p ransomware, itself connected to the FIN11 cybercriminal APT group. Over 300 organisations reportedly used the legacy software and nearly 100 of them were reportedly targeted. [1, 2, 3]
#5 Increased targeting of ESXi and Linux versions of ransomware
In March, threat researchers reported that two organised cybercriminal groups, tracked as CarbonSpider and SpriteSpider, represent a significant threat to enterprise ESXi systems. These groups are responsible for “big game hunting” campaigns that aim to compromise and extort large organisations using ransomware. The operators of the now-defunct DarkSide (known as CarbonSpider) and RansomExx (known as SpriteSpider) ransomware reportedly exploited vulnerabilities in the VMware ESXi hypervisor and deployed Linux versions of the viruses. ESXi is targeted because the virtualisation software is used by numerous organisations to host their corporate systems. Successful infections led to a much wider scope of affected systems. Cyjax analysts also observed multiple access brokers offering access to EXSi servers across several Russian- and English-speaking hacking forums. Both these sales and the targeting of ESXi servers by multiple ransomware groups have notably increased. For ransomware operators, attacking virtual environments increases the likelihood of a ransom being paid. It is likely that access brokers, having seen the success of ransomware operators in this field, have now started offering EXSi in the hopes of increased business. [1]
#6 Chinese APTs exploit Pulse Secure
In April, a 0day exploit for a new critical remote code execution (RCE) vulnerability in Pulse Connect Secure, tracked as CVE-2021-22893, was leveraged by multiple APT groups in the wild. In total, 12 malware families are currently being distributed by at least two threat actors tracked as UNC2630 and UNC2717, the former has tentative ties to @APT5. Alongside the use of a critical 0day vulnerability, the APT groups have leveraged multiple techniques to bypass single- and multi-factor authentication on Pulse Secure VPN devices. The attackers also used a combination of prior vulnerabilities including CVE-2020-8243, CVE-2020-8260, and CVE-2019-11510. Since 31 March, the US Cybersecurity and Infrastructure Security Agency (CISA) has assisted multiple entities whose vulnerable Pulse Connect Secure products were exploited by the APT groups. [1, 2, 3]
#7 SonicWall 0day exploited by FiveHands ransomware
In May, a financially motivated threat actor, tracked as UNC2447, exploited a 0day vulnerability in Sonicwall SMA 100 Series VPN appliances (CVE-2021-20016) in the wild to deploy the FiveHands ransomware at organisations in North America and Europe. UNC2447 used the SonicWall flaw to breach the network, followed by the deployment of CobaltStrike for persistence and the installation of the SombRAT backdoor. This backdoor was then used to deploy FiveHands. Interestingly, the ransomware shares similarities with another, known as HelloKitty; both are rewrites of the DeathRansom ransomware. Further, UNC2447 affiliates have previously used the RagnarLocker ransomware, as well as WarPrism, FoxGrabber, and Cobalt Strike Beacons. This led researchers to connect these operators to Darkside and SunCrypt attacks which also saw the deployment of WarPrism, FoxGrabber, and Cobalt Strike Beacon in the past. The connection between FiveHands and other ransomware, as well as its use of malware known to be used by other groups, highlights the interconnectivity between various ransomware groups and affiliates. This can make attribution difficult and potential criminal prosecution challenging. [1, 2, 3, 4]
#8 Multiple macOS 0days exploited in the wild
Apple Macs have become increasingly targeted by more sophisticated malware and exploit developers. In May, Apple patched multiple macOS 0day vulnerabilities that were actively exploited in the wild by malware, namely XCSSET, to bypass macOS privacy protections. XCSSET leveraged these issues to bypass protections and achieve full disk access, perform unauthorised screen recording, and enabled other permissions to view sensitive user data. In April, a new variant of the Shlayer malware was discovered using a previously undisclosed 0day vulnerability against macOS users since January, at least. The malware leveraged a bypass for fully patched macOS protection systems, including File Quarantine, Gatekeeper, and Notarization. The Shlayer variant leveraging the bypass is spreading via poisoned search engine results. Further, in February, security researchers uncovered a malware, dubbed SilverSparrow, targeting Macs with the new Apple M1 chipset. The malware had largely gone undetected and was first seen on 17 February, and had already by then infected 29,139 macOS endpoints across 153 countries, including Canada, France, Germany, the UK and the US. [1, 2, 3, 4, 5]
#9 Joker’s Stash closing down, fraud market vacuum
In January, Cyjax analysts discovered on an underground forum that the infamous marketplace for stolen credit cards, known as Joker’s Stash (or JStash), announced its closure. A message posted by the admin stated “we will wipe our servers and backups and Joker will fade to dark, forever”, adding that “after 2021-02-15 there will be no more Joker and no more Joker’s Stash”. The long-running fraud market first appeared in 2014 and enjoyed a reputation among cybercriminals as a highly reliable source of stolen credit cards and other information. With Joker’s retirement, there is now a large hole that needs to be filled by one of the many carding shops on the darknet. There are at least two contenders for the position of top carding market and a group of others that could be looking to take up some of the slack. This includes Brian’s Club and Yale Lodge, as well several other smaller carding sites. The carding scene is similar to the darknet drug markets, except for the fact that all of these markets sell the same thing and reputation is, therefore, all the more important. Competition is fierce, with types of fraud, lower prices, gimmicks, customer service, and reputation playing huge roles in the success or otherwise of cybercriminals operating in this space.
#10 NOBELIUM campaigns
In late May, the Microsoft Threat Intelligence Center (MSTIC) disclosed new information regarding a campaign launched by the APT group it tracks as NOBELIUM, attributed to the Russian Foreign Intelligence Service (SVR). The group is responsible for a widespread malicious email campaign targeting at least 7,000 accounts at over 350 organisations, of which included government agencies, think tanks, consultants, and NGOs. The US was the main target, but a further 24 nation-states in Europe and elsewhere were also affected. The malicious emails were distributed using a compromised Constant Contact account belonging to USAID. The APT operators were then able to push malware in authentic-looking emails with malicious links from the legitimate account. Windows systems were targeted with a cocktail of four unique malware, including a custom version of Cobalt Strike. If a server controlled by the NOBELIUM group detected an Apple iOS device, it would serve a 0day exploit for the WebKit cross-site scripting (XSS) vulnerability (CVE-2021-1879). MSTIC assures that the success of this operation was limited: many of the emails were blocked and no vulnerabilities in Microsoft products were exploited. However, the adversaries used multiple sophisticated techniques to increase their chances of a successful infection. This includes leveraging a legitimate mass email provider, profiling their victims before initiating attacks; as well as the weaponisation of a 0day vulnerability in fully-patched iOS devices. By collecting a list of users who are most likely to click on a link or open a file, the threat actors gained a considerable advantage. [1]
Conclusion
Ransomware continues to present a significant threat to organisations worldwide. Reducing the chances of being targeted by a “big game hunting” ransomware gang requires a multi-pronged approach. The key prevention strategy is to stop threat actors at the initial access stage. Bolstering email security to prevent phishing attacks; improving endpoint security to detect malware; upgrading vulnerability management to prevent exploitation of public-facing applications and brute-forcing are all key defence methods. It is recommended that organisations in all sectors look to maintain regular backups; having a recovery process in place is also key to mitigating the effects of a successful ransomware attack.
The recent new malware and 0days targeting macOS also highlighted that sole dependence on Apple’s security products could lead to a lack of protection from evasive and sophisticated threats. The Colonial Pipeline and Oldsmar incidents, and a string of attacks on hospitals, have shown that threat actors are increasingly targeting critical national infrastructure. Organisations continue to fail in their attempts to prevent even the simplest attacks. Although uncommon, further disruptive attacks are to be expected as threat actors continue to target OT systems that are either directly exposed to the internet or indirectly exposed through connections to other systems that are internet-facing.
The Russian SVR’s cyberspies are some of the most advanced threats to target private enterprises and public sector agencies. As we saw in the SolarWinds campaign, a clear tactic of the NOBELIUM group is to utilise trusted technology providers to infect customers and partners. This increases its chances of successful infections and, as an added benefit to the cybercriminals, undermines trust in the technology ecosystem and supply chains.