Updated: Jul 29, 2022
In this week’s Cyber Weekly Digest we dive into some of the newest ransomware operations, as well as how the UK’s latest heatwave has affected companies such as Google and Oracle. Keep reading to stay up to date on the latest cyber security news from the week.
North Korean threat actors have been running a ransomware operation called HolyGhost for over a year, attacking small businesses in various countries. The group has been active for a while but has failed to gain notoriety due to the success of more prevalent ransomware gangs like LockBit 2.0 and Conti. The North Korean group even used the same tactic as those gangs: double extortion, with a leak site to publish the names of the victims and stolen data. The group demands anywhere from 1.2 to 5 bitcoins in ransom, but they have sometimes negotiated to lower the price to a third of the original value. Microsoft Threat Intelligence Centre has found emails from HolyGhost sent to Lazarus, a well-known threat actor operating under the North Korean Reconnaissance General Bureau.
Threat analysts have uncovered a large-scale campaign that is targeting Elastix VoIP telephony servers with more than 500,000 malware samples over a period of three months. Elastix is unified communications server software that is used with the Digium phones module for FreePBX. The threat actors are most likely exploiting a remote code execution (RCE) vulnerability identified as CVE-2021-45461, with a critical severity rating of 9.8 out of 10. The attack starts with the attacker adding a small PHP shell to backdoor the exploitable server. The attacker will then gain admin permissions and ensure persistence through scheduled tasks. The IP addresses of the attackers are said to have been from the Netherlands and Russian adult sites.
Due to the ongoing heatwave in the UK, the cooling systems at Google and Oracle data centres have failed. First, Oracle shut down its equipment to prevent damage to hardware at 11:30 AM EST on 19th July, leading to an outage in cloud services. They claim customers in certain zones may be unable to access resources, even though the intention was to limit long-term impact for customers. Two hours later, Google also reported cooling failures in one of their buildings, claiming it caused a partial failure of capacity in the europe-west2 region, leading to loss of service from machines for a small set of customers in that zone. Both companies have worked hard to prevent damage and an extended outage by restoring redundancy for any remaining impacted machines, such as Persistent Disk devices and virtual machines.
The Knauf Group has reported that it has been the target of a cyber attack that disrupted its business operations and forced its global IT team to shut down all IT systems to isolate the incident. The Black Basta ransomware gang has claimed responsibility for the attack, adding Knauf to their extortion site as a victim. The ransomware gang has published 20% of the files they allegedly exfiltrated during the attack on Knauf, which over 350 visitors have accessed. It is reported that the sample posted on their extortion site included user credentials, email communication, production documents, and ID scans. Black Basta had established a payload delivery cooperation with Qbot (QakBot) operators, also used for dropping Cobalt Strike and aiding lateral network movement.
The Redeemer ransomware has released a new version that allows hackers to build their own ransomware with no barrier to entry: the author of the ransomware builder has made it free to use. This gives unskilled threat actors an easy entry to the world of encryption-backed extortion attacks. The project is still proprietary; however, the author says that the project will go open-source if they lose interest, which is what happened with Redeemer 1.0 in June 2021, when the author publicly released its source code. Redeemer 2.0 has been released to let low-skilled threat actors start their own ransomware campaigns, and the author earns a 20% cut of the ransom payment. This could be catastrophic for small businesses without proper endpoint protection, but low-skilled hackers usually lack the skills to gain initial access to cause any real damage to a business.