In this edition of the newsletter, we will cover:
- Ransomware
- Cyberattacks against banks
- Supply-chain attacks revisited
Ransomware
Ransomware continues to plague businesses globally. Several strains have been particularly active over the past 30 days; notable victims include:
- Darkside – US Colonial Pipeline (utilities), German Brenntag (chemical distribution)
- Avaddon – French Acer Finance (finance), French AXA (insurance)
- Conti – Irish Health Service Executive, California Scripps Health (healthcare)
- Ryuk – Norwegian Volue (green IT)
Notable developments:
- MountLocker – A new variant has been identified that spreads worm-like through a corporate network, using the Windows Active Directory Service Interfaces (ADSI) API to enumerate domain computers and then infect them.
- Avaddon – Asian offices of the French-headquartered AXA were hit with both DDoS and ransomware attacks shortly after the insurer announced that “cyber-insurance policies written in France would no longer include reimbursement for ransomware extortion payouts”.
- StrRAT – Microsoft has warned of a large email campaign distributing StrRAT, a Java-based remote access trojan with information-stealing and fake-ransomware behaviour. Researchers observed that the malware appends a “.crimson” extension to file names without actually encrypting the contents, so affected files can be recovered by removing the extension.
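Because StrRAT only renames files, the first response step is to confirm that the “.crimson” files really are intact before anyone restores from backup or considers paying. The script below is an added example for this newsletter, not code from Microsoft or the original research; it constructs three sample files in a temporary directory and separates intact files from possibly encrypted ones using file signatures plus a byte-entropy heuristic (the 7.0 bits/byte threshold and the set of recognised headers are my assumptions).

```python
"""Triage files carrying a '.crimson' suffix: tell renamed-but-intact files
from genuinely encrypted ones, and restore only the former.
Added example, not Microsoft's analysis code; sample files are constructed."""
from __future__ import annotations

import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

SUFFIX = ".crimson"
# Leading bytes of a few common formats; a match means the content is intact.
KNOWN_MAGIC = (b"%PDF", b"\x89PNG", b"PK\x03\x04", b"\xd0\xcf\x11\xe0", b"\x7fELF")
ENTROPY_THRESHOLD = 7.0  # assumed cut-off; ciphertext sits close to 8.0 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """'known-format': recognised header, content intact.
    'low-entropy': no header match but far from random, almost certainly intact.
    'possibly-encrypted': near-random bytes; real ciphertext or an unrecognised
    compressed format, so it is left for manual review rather than restored."""
    head = data[:4096]
    if head.startswith(KNOWN_MAGIC):
        return "known-format"
    if shannon_entropy(head) < ENTROPY_THRESHOLD:
        return "low-entropy"
    return "possibly-encrypted"


def triage(directory: Path) -> dict[str, str]:
    """Map every *.crimson file under directory to its classification."""
    return {p.name: classify(p.read_bytes()) for p in sorted(directory.rglob(f"*{SUFFIX}"))}


def restore(directory: Path, out_dir: Path) -> list[str]:
    """Copy (never move: the originals are evidence) each file judged intact to
    out_dir under its original name, i.e. with the appended suffix stripped."""
    restored: list[str] = []
    for p in sorted(directory.rglob(f"*{SUFFIX}")):
        if classify(p.read_bytes()) == "possibly-encrypted":
            continue
        target = out_dir / p.relative_to(directory).with_suffix("")  # drops ".crimson"
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)
        restored.append(target.name)
    return restored


def make_samples(root: Path) -> None:
    """Constructed sample files standing in for documents on a hit workstation."""
    (root / ("report.pdf" + SUFFIX)).write_bytes(
        b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 20)
    (root / ("notes.txt" + SUFFIX)).write_bytes(b"quarterly figures pending review\n" * 50)
    # Random bytes stand in for a file that really was encrypted.
    (root / ("vault.bin" + SUFFIX)).write_bytes(os.urandom(4096))


def demo() -> tuple[dict[str, str], list[str]]:
    """Build the samples in a temp directory, triage them and restore the intact ones."""
    with tempfile.TemporaryDirectory() as tmp:
        hit, out = Path(tmp) / "hit", Path(tmp) / "restored"
        hit.mkdir()
        make_samples(hit)
        return triage(hit), restore(hit, out)


if __name__ == "__main__":
    found, restored = demo()
    for name, verdict in found.items():
        print(f"{name}: {verdict}")
    print("restored:", restored)
```

Point the `triage` function at the affected share before running `restore`; a high count of “possibly-encrypted” verdicts means a real encryptor was involved and the renaming story does not hold.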
Cyberattacks against banks
Banks are often categorised as critical infrastructure. They process and store vast amounts of sensitive data and are therefore particularly attractive to cybercriminals.
It is therefore no surprise that banking trojans continue to torment banks and their customers globally in order to steal personal and financial information. One such malware is Bizarro. Originally targeting Brazil, the trojan has expanded its reach to customers of more than 70 banks across Europe and South America.
According to security researchers, Bizarro is distributed as Microsoft Installer (MSI) packages that victims download from compromised WordPress, Amazon and Azure servers. The infection chain continues with the download of a ZIP archive containing a Dynamic Link Library written in Delphi, which then loads the implant. What makes this malware more interesting is that the main module of the backdoor stays idle until it detects a connection to an online banking system from a predefined list, so it shows little activity on machines (and in sandboxes) that never visit a targeted bank.
S&P reports that cyberattacks can damage a bank both reputationally and financially, lowering its credit rating. Investing in cyber defence will remain a vital component of any institution’s information security strategy.
Supply-chain attacks revisited
The SolarWinds fiasco is a reminder to all that third-party risk can no longer be marginalised. In the past month and a half, researchers have disclosed flaws in two other widely used technologies whose successful exploitation could have been the starting point of severe supply-chain attacks.
- Microsoft Visual Studio Code extensions – Recently discovered vulnerabilities in several VS Code extensions, such as “LaTeX Workshop”, “Rainbow Fart”, “Open in Default Browser” and “Instant Markdown”, could have allowed attackers to target roughly two million installations, execute arbitrary code on developer machines and compromise many product engineering environments.
- Packagist – With PHP running on an estimated 80% of websites, and the Packagist infrastructure serving around 100 million PHP package metadata requests per month, a critical vulnerability in this central repository of packages installed via the Composer dependency manager (an argument-injection flaw in how Composer passed repository URLs to version-control commands) could have given attackers a highly scalable attack surface: remote command execution on the repository and, from there, the opportunity to backdoor packages.
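The Packagist flaw illustrates a bug class that survives even when no shell is involved: a value taken from package metadata is placed on a command line where the receiving program interprets it as an option. The example below is added here and is not Composer's or Packagist's own code; it shows the vulnerable argv construction beside a hardened version in Python, using a constructed malicious URL aimed at Mercurial, whose documented `--config alias.<name>=!<cmd>` option defines a shell alias. The allow-list of schemes is my assumption.

```python
"""Argument injection via a repository URL: the vulnerable pattern beside the
hardened one. Added example, not Composer's or Packagist's own code; the
malicious URL below is constructed for illustration."""
from __future__ import annotations

from urllib.parse import urlparse

# Schemes a package repository has a legitimate reason to clone from (assumed).
ALLOWED_SCHEMES = {"https", "ssh", "git", "hg"}

# Constructed attacker-controlled URL. Mercurial parses anything starting with
# '-' as an option, and `--config alias.clone=!<cmd>` redefines `clone` as a
# shell alias, so `hg clone <url>` would run `touch /tmp/pwned` instead.
MALICIOUS_URL = "--config=alias.clone=!touch /tmp/pwned"


def build_clone_cmd_vulnerable(tool: str, url: str, dest: str) -> list[str]:
    """Builds an argv list with no shell involved at all, which is NOT enough:
    the VCS binary still parses an option-like URL as an option."""
    return [tool, "clone", url, dest]


def validate_repo_url(url: str) -> str:
    """Reject option-like values and anything outside the scheme allow-list."""
    if url.startswith("-"):
        raise ValueError(f"refused option-like repository URL: {url!r}")
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.netloc:
        raise ValueError(f"refused repository URL of unexpected form: {url!r}")
    return url


def build_clone_cmd_hardened(tool: str, url: str, dest: str) -> list[str]:
    """Validate first, then end option parsing with '--' so that even a value
    that slipped past validation cannot be read as an option."""
    url = validate_repo_url(url)
    return [tool, "clone", "--", url, dest]


def option_injected(argv: list[str]) -> bool:
    """True if an argument after the subcommand and before any '--' would be
    parsed as an option by a getopt-style command-line parser."""
    for arg in argv[2:]:
        if arg == "--":
            return False
        if arg.startswith("-"):
            return True
    return False


if __name__ == "__main__":
    vuln = build_clone_cmd_vulnerable("hg", MALICIOUS_URL, "/tmp/dest")
    print("vulnerable argv:", vuln, "-> option injected:", option_injected(vuln))
    try:
        build_clone_cmd_hardened("hg", MALICIOUS_URL, "/tmp/dest")
    except ValueError as exc:
        print("hardened build refused:", exc)
    print("hardened argv:", build_clone_cmd_hardened("hg", "https://hg.example.org/pkg", "/tmp/dest"))
```

The `--` terminator only helps when the tool honours it and when it is placed after the subcommand, so the scheme allow-list is the primary control and the terminator the backstop; the same pattern applies to `git`, `svn` and any other CLI fed with attacker-influenced strings.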
Although the aforementioned flaws have since been patched, the findings show that development tools and environments are highly appealing attack vectors that can lead to network intrusions, data breaches and other security incidents.
As always – be vigilant, stay alert, think twice.
AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.
SOURCES
Amatas, Cyware, Bleeping Computer, Kaspersky, Advanced Intel, The Hacker News, The Daily Swig, SonarSource