In this week’s Cyber Weekly Digest we dive into the biggest cyber security news from the week including an automotive company that was hit by 3 different ransomware groups in the space of 2 weeks. Keep reading to stay up to date on the latest cyber security news.
New ransomware statistics have shown that from the second quarter of the year that the ransoms paid to extortionists have dropped in value, this trend has been continuing since the last quarter of 2021. In Q2 20221 the average ransom payment was $228,125. However, the medium ransom payment was $36,360 which is a steep fall of 51% compared to the previous quarter. The new reports suggest that “this trend reflects the shift of RaaS affiliates and developers towards the mid-market where the risk to reward profile of attack is more consistent and less risky than high profile attacks,”. The trend has been caused by the creation of many smaller Ransomware-as-a-service operations that draw affiliates from recently defunct syndicates and perform lower-tier, opportunistic attacks.
North Korean threat group, Lazarus has been targeting cryptocurrency platform deBridge to try stealing cryptocurrency. deBridge is a cross-chain protocol that enabled the decentralised transfer of assets between various blockchains. The threat actor's initial step is a phishing email sent to the employees of deBridge which then launches malware that collects various information from Windows systems and allows the delivery of additional malicious code for further attacks. The phishing email pretends to be an email from the company co-founder Alex Smirnov. The email attaches a HTML file that when opened requires a password, the email, however, includes a fake txt file that is actually an LNK file. When this file is opened, it creates further attack vectors for the threat actor with the use of malware.
Microsoft has stated that some of the Exchange Server flaws addressed as part of the August 2022 Patch Tuesday also require admins to manually enable Extended Protection on affected servers to fully block attacks. The critical rated DogWalk Windows zero-day, along with 121 other vulnerabilities, was patched on Wednesday 10th August 2022. A threat actor could gain initial access through low-complexity attacks such as phishing emails or chat messages to gain further escalated privileges using the exploits. Microsoft stated “Microsoft analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. Moreover, Microsoft is aware of past instances of this type of vulnerability being exploited.”
It has been reported that an automotive supplier was targeted by 3 different ransomware gangs in the space of 2 weeks in May, two of the attacks happening within 2 hours. The attacks commenced after an initial breach of the company’s systems by a likely initial access broker (IAB) in December 2021, who exploited a firewall misconfiguration to breach the domain controller server using a Remote Desktop Protocol (RDP) connection. Some time after the initial compromise, LockBit, Hive, and ALPHV/BlackCat affiliates also gained access to the victim’s network on April 20, May 1, and May 15th. “Some files have been encrypted 5 times”, the report stated. A file called utilpack.pbl has 5 file extensions from 3 different ransomware gangs encrypting the file repeatedly.
This week Cisco Systems revealed the details of a May breach by the Yanluowang ransomware group that leveraged a compromised employee’s Google account. Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee’s personal Google account. The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account. Using the credentials, attackers then used a multitude of techniques to bypass the multifactor authentication tied to the VPN client. Efforts included voice phishing and a type of attack called MFA fatigue. In response to the attack, Cisco implemented a company-wide password reset immediately.