Welcome to #WakeUpWednesday. We want to make the Netherlands digitally safe and resilient. That is why Tesorion will now give you a short overview every Wednesday in a post about vulnerabilities or hacks that have received national or international attention. We want to wake up as many people as possible and make them aware of possible risks in the field of cyber security.
We will of course report directly on important vulnerabilities and options to mitigate them. Our #WakeUpWednesday is a kind of retrospective. Below are the archived posts from 2021.
There is more news on the Log4j vulnerability: yet another patch has been released. See our liveblog for the latest information. Want to be immediately aware of critical vulnerabilities? Subscribe here for the Tesorion Technical Update.
Most ransomware attacks are primarily aimed at financial gain, but unfortunately these attacks often also cause collateral damage. A good example of this is attacks aimed at the healthcare sector. The Ponemon Institute in the US conducted research into the effects of ransomware attacks and concluded that they often disrupt (critical) hospital equipment as well. According to the research, these disruptions lead to, for example, longer hospital stays, more complications, delayed examinations and an increased mortality rate. It is therefore more important than ever for hospitals and other care institutions to have their cyber security in place. Read more about what Tesorion can do for your organisation or contact our experts.
Last week we already wrote about the abuse of the pandemic in phishing mails, but now we see a variation on this. Cyber criminals are sending e-mails stating that the recipient has been in contact with a colleague who tested positive for the Omicron variant, or that the employee has been fired. An attached file with ‘more information’ is used to try to infect the system with malware. Opening this Excel file and enabling macros installs Dridex, malware that steals banking data. Be alert to phishing mails and do not open documents or links when in doubt. Improve your ability to recognise and resist phishing by requesting the Tesorion Recognise Phishing Poster (in Dutch) with useful tips.
The holiday season is a time of celebration for cybercriminals. Due to lower staffing levels, alertness to cyber attacks is often lower. Now that the Christmas holidays are behind us, we seem to have come through them well. Some companies, such as the Kamer van Koophandel, decided to take services offline during the holiday season to prevent cyber criminals from taking advantage of the Log4j vulnerability. Also with New Year’s Eve in sight, more employees will be off or less active and it remains important to be alert. Cyber criminals see this as an opportunity to attack. Make sure that lower staffing levels do not become a trap.
The Apache Log4j vulnerability kept everyone concerned for the past week, and it still requires our attention. It is now known that the notorious ransomware group Conti uses this vulnerability, exploiting it through VMware vCenter Server. The vulnerability is known as CVE-2021-44228, has a CVSS score of 10 and is therefore critical. Conti is not the only one to exploit this vulnerability. TellYouThePass, a ransomware group which has been less active recently, now also exploits it. In addition, we have seen a new group, Khonsari, attack Windows servers using CVE-2021-44228. This group seems to be interested only in destroying data, not in financial gain. Other attackers use the Log4j vulnerability to infect Windows and Linux systems, deploying Dridex malware and Metasploit, amongst others, to exploit further vulnerabilities. In short, the Log4j vulnerability is being exploited to the full, and it is still extremely important to remain alert. Follow the Tesorion Technical Update to stay informed.
Microsoft has warned users this week to apply patches. Updates were released to address CVE-2021-42287 and CVE-2021-42278. Through these vulnerabilities, malicious actors can easily gain domain admin rights, which can give an attacker almost unlimited access to the network. Please install the updates as soon as possible.
Phishing: we can’t ignore it anymore. Criminals are currently abusing the pandemic in phishing mails, pretending to be Pfizer Netherlands. These mails are aimed at obtaining information, such as bank details, or obtaining medical equipment that is never paid for. Get the Tesorion Recognize Phishing Poster (in Dutch) with useful tips to recognize phishing.
With the holiday season in sight, it is wise to be extra alert. Cybercriminals see their chance now that work is often done with minimal staffing.
Several critical vulnerabilities have been published in the past week, including in VMware vCenter, SonicWall and Apache Log4j. The latter in particular has a huge impact (CVSS score of 10) and is currently being actively exploited. Information about critical vulnerabilities is also shared by Tesorion via email. You can register for these updates via: http://www.tesorion.nl/en/posts/tesorion-technical-update/
In addition, Fortiguard Security Advisory has published articles on 40 vulnerabilities across 10 products. One of these vulnerabilities is known as CVE-2021-26109 and is considered critical (CVSS score of 7.7/10). This vulnerability is an integer overflow in the FortiGate FortiOS SSL VPN interface. It gives an attacker the ability to send specially crafted, unauthorized HTTP requests and execute code on the system.
In general, make sure that systems are patched as soon as possible. If patching is not possible, take mitigating measures. It is wise to be extra vigilant during the holidays: many organizations work with minimal staffing, which cyber criminals see as their chance.
An increase in Emotet has been observed worldwide. The malware was initially used to steal banking and login details; it is currently widely used to distribute, among other things, spyware and ransomware. In addition, an increase is seen in the number of WordPress sites that have been affected. Because Emotet is distributed mainly via email, it is important that employees are aware of their online behavior and increase their cyber awareness.
On the 1st of December 2021, a Proof-of-Concept exploit for VMware vCenter was published on GitHub by a user with the nickname l0ggg. The Proof-of-Concept exploit seems to leverage an unauthenticated arbitrary file read and an SSRF vulnerability in VMware vCenter version 7.0.2.00100 (update 2a). Currently the Proof-of-Concept exploit has not been attributed to a particular CVE. In public discussions, it has been suggested the exploit may be related to either CVE-2021-21980 or CVE-2021-22049 as described in VMware Advisory VMSA-2021-0027. However, based on our analysis, we believe the exploit may be related to CVE-2021-21986 as described in VMware Advisory VMSA-2021-0010. More information on this PoC can be found in our blog.
Websites with contact forms, response options and forums are currently regular targets of cyber criminals who try to deliver RedLine malware via malicious Excel XLL plug-ins. This malware aims at, among other things, stealing usernames and passwords, and stealing cookies and credit card details stored in web browsers.
Multi-factor authentication is an important means of increasing employee cybersecurity. It is also important to consider which technique is used. Multi-factor authentication via an app is preferred over SMS, because SMS codes can be intercepted through SIM swapping.
Smart devices are popular gifts, varying from smart TVs, robot vacuum cleaners and doorbells to all kinds of gadgets from foreign web shops, all intended to make life more fun and easier. Be aware of what equipment you connect to your network and what the possible risks are. This concerns not only data that is (unintentionally) shared, but also the possibility of accessing the network via this smart equipment. The security standards and/or requirements from manufacturers of smart devices are, on average, rather low compared to traditional IT equipment. With many employees working from home, this can also pose a potential risk to company data. What applies to other equipment applies to these devices too: install updates and change factory defaults (such as user name and password). For example, a smart aquarium pump connected to the network caused a serious data breach at an American hotel.
A critical vulnerability (CVE-2021-39238) was recently discovered in more than 150 models of HP printers. This vulnerability allows cyber criminals to take over the devices remotely. HP has released firmware updates, and the advice is to install them as soon as possible.
Cyber criminals respond to social problems and trends. Researchers at Threat Fabric discovered this after analysing several apps in the Google Play Store, including QR code readers and crypto apps, that were found to trick users into installing malware. After the initial download, you are prompted to install an update; after that installation, you are prompted for additional permissions. This update is actually a banking trojan that tries to retrieve the data used in internet banking. Because the update is pushed outside of the Play Store, users are prompted to enable the installation of unknown apps. Be aware of this: the option is disabled in Android by default. The extra permissions allow cyber criminals to take full control of the device.
Patching remains an important tool to keep cybercriminals out. Earlier this year, we warned about the Microsoft Exchange ProxyShell and ProxyLogon vulnerabilities. These vulnerabilities are still being used to compromise Exchange servers. Attackers then use these servers to interfere with internal mail traffic by replying (in a targeted way) to existing conversations. It is still a challenge for attackers to convince employees in an organization to click on a link. By using internal mail conversations, they can more quickly gain the trust of their victims and thus spread their malware. Therefore, make sure that patches are implemented on time. If that is not possible, take adequate measures at the perimeter.
In addition to the Exchange vulnerabilities mentioned earlier, Emotet has also been spotted again. The malware is accompanied by an increase in phishing messages, as the newly Emotet-infected machines send emails with malicious attachments. The number of command & control servers is currently expanding rapidly.
Sharkbot is a trojan that runs on Android systems and targets financial data. The main purpose of Sharkbot seems to be to initiate transactions from the compromised systems through Automatic Transfer Systems (ATS). These transactions bypass multi-factor authentication. In addition, Sharkbot is equipped with a number of functions that block regular SMS messages sent by the bank, enable keylogging and allow cyber criminals to take over full access to and control of a device. Currently, Sharkbot appears to be distributed outside of the Play Store through social engineering and downloads.
Cyber criminals are getting more and more inventive when it comes to distributing malware. One of the techniques that Microsoft is increasingly seeing is HTML smuggling. With this technique, the malicious executable is assembled on the victim’s own machine, behind the organization’s firewall. As a result, it is not detected by the firewall and the attacker goes undetected for longer.
Another attack method that is currently being actively used is rogue advertisements. These exploit two vulnerabilities (CVE-2021-40444 and CVE-2021-26411) for which security updates were already released on March 9 and September 14. Users of unpatched Internet Explorer are at risk of being infected with ransomware.
WordPress users can also be misled by cyber criminals. Visitors to affected sites see a message that the site has been hit by ransomware and has been encrypted. In reality, a plugin is being used that merely displays this message. How the attackers were able to install this plugin is not yet clear. Removing the plugin stops the ransomware message from being displayed.
On average, more than 400 companies and organizations in the Netherlands are victims of cybercrime. Not every affected organisation receives media coverage the way VDL or Mediamarkt did. Still, it is important to share information about attacks and data breaches, because only then can we learn from each other’s mistakes. Hacks and data leaks are displayed graphically on datalekt.nl.
A worrying trend is that ransomware attacks are increasing in aggression and brutality. In addition to encrypting files and threatening to disclose data stolen prior to encryption, the attacked organizations are pressured further. With the increase in triple extortion, for example in the form of DDoS attacks on an organization already hit by ransomware, the demand for payment is reinforced even more.
Supply chain attacks are also carried out in different ways. Last week, code was found in two widely used open source repositories that enables attackers to gain access to systems.
For the fourth time this year, Google has released security updates for actively exploited zero-days in Chrome. The actively exploited zero-days are known as CVE-2021-38000 and CVE-2021-38003. For both CVEs, the impact has been assessed as ‘high’.
Thanks to the Internet of Things, more and more data is being made accessible via the internet. Not all equipment is equally protected, so this trend also poses a cybersecurity risk. The European Commission recently decided that standard passwords on Internet of Things devices will be banned from 2024. Of course, this does not alter the fact that users of this equipment still have a responsibility themselves to ensure a cyber-secure implementation. Think of regular patching, segmentation and password use.
The number of cyber attacks on the tech and retail sector has increased sharply in the past year, partly due to the number of online options to allow employees to work remotely. Research by Zscaler shows very sharply increasing numbers in this area. With the upcoming holiday season and the increasing digital options in e-commerce and digital payment platforms, it is important to be prepared for cyber attacks. Especially when the number of transactions increases sharply just before the holidays, while at the same time support staff often take their days off.
In the healthcare sector, too, holidays are a favorite moment for cyber criminals. During the Labor Day weekend, for example, the Las Vegas Cancer Center was the victim of a ransomware attack, and data of about 3,000 patients was found to be compromised.
Research by HP Wolf Security shows that nearly 90% of detected malware reached companies via email; web downloads accounted for nearly 10%. The employee therefore remains a very important link in the cybersecurity chain. The most commonly used terms in the phishing emails were words such as order, payment and quotation: terms that are frequently used within, and connect with, business processes and do not immediately arouse suspicion. Ensuring that employees (learn to) recognize phishing emails and know how to deal with a possible threat is essential to prevent a cyber incident, or to nip it in the bud. For example, it is important that employees realize that a document does not have to be opened to start a cyber attack; viewing a document in the preview window can be enough.
Research by TrendMicro also shows that the behavior of an employee is essential to keep cyber attacks at bay. Email and critical vulnerabilities turned out to be the most important ways to launch a ransomware attack in the first half of 2021.
Cybersecurity awareness is also important for a completely different reason. Cyber criminals set up seemingly legitimate organizations to hire software engineers. These engineers are deployed to perform penetration tests. The results of these tests are then used, without the engineer’s knowledge, to carry out, for example, a ransomware attack.
So make sure you have the basics in order and know who you are doing business with.
Bitdefender’s research, based on a survey of more than 10,000 internet users in 11 countries, found that half of the respondents use the same password for their online accounts. With an average of eight online accounts and three devices per respondent, attention to increasing cybersecurity awareness among employees remains essential. Especially if business and private use are mixed.
Being aware of your behavior and online activity also remains essential when installing updates. Not every update is equally legitimate. For example, an American company became the target of an attack after an employee installed an update that contained malware. In this case, it was an update of a website that, according to the pop-up shown, had to be installed in order to use certain features of the site. Make sure you have taken basic measures, such as a good virus and malware scanner.
Recent figures show that in Q2 2021, 91.5% of malware entered via encrypted connections, a strong increase from Q1. With many people working from home or hybrid, strong endpoint protection and EDR are essential to keep malware at bay.
It will come as no surprise to many people that ransomware is a business that involves a lot of money. Cryptocurrency is a widely used tool. The US Treasury Department has linked $5.2 billion in bitcoin transactions to possible ransom payments from ransomware victims. The Financial Crimes Enforcement Network (FinCEN) further indicates that the number of suspicious transactions is currently already 42 percent higher than in the whole of 2020. If the current trend continues, the total result in 2021 will be higher than the past ten years combined.
In addition, the advance of ransomware is a major concern for many healthcare institutions in several respects. In a situation with a high dependence on medical data and equipment, ransomware can contribute to the death of people. According to figures from Z-CERT, significantly more attacks have been registered this year. Z-CERT therefore now provides up-to-date insight into the number of attacks on its website.
October is cybersecurity month. That means even more attention to cybersecurity measures, coupled with more policy-related attention from the government and increasing employee awareness. That the impact of a cybersecurity attack can be significant was apparent this week from the coverage surrounding VDL. The broadcast of Zembla, about the vulnerability of organizations that are part of the critical sector, also indicates that there is still a lot of work to be done.
In this #wakeupwednesday, therefore, we invite you to participate in our darkweb tour, to learn more about this topic.
Mobile phones have become an integral part of our daily life. It is therefore very important to update these devices as soon as a new software version is released. In October, 51 vulnerabilities in Android were fixed. The most dangerous one (CVE-2021-0870) made it possible for attackers to take over a device remotely.
Also, be critical of the source when installing security updates. For example, FluBot malware appears to be spreading abroad through a page that claims to warn of a malware infection. FluBot is malware that steals data from Android phones and then commits bank fraud. The page states that an update must be installed to remove FluBot. However, this update does the opposite: the malware is not removed, but installed.
One of the basic measures to avoid making things too easy for cyber criminals is to use a strong password. The fact that half of employees find it too much work to use a unique password for each account is a non-negligible risk, and one that can be mitigated by providing a password manager.
During the problems at Facebook this week, alternatives such as Twitter and SMS were used massively. Amid all the commotion, the coverage of a years-long data breach at the largest SMS processor in the world went somewhat unnoticed. If SMS is used as an extra verification method, this means an extra risk. It is also striking that the attackers had had access to the systems since 2016.
Patching software is one of the ways to ensure that your systems are less vulnerable. Still, installing updates and patches is a recurring concern within many organizations. Because Microsoft has recently found that organizations do not patch their Exchange servers, or do not patch them in time, a new feature is being rolled out that allows Microsoft to install workarounds automatically.
Google has released a patch for an actively attacked zero-day vulnerability in Chrome. This concerns CVE-2021-37973, a vulnerability whose impact has been assessed as high. The urgent advice is therefore to update to Google Chrome 94.0.4606.61 as soon as possible.
There is also a warning of a critical vulnerability in VMware’s vCenter Server. This critical vulnerability is currently being actively exploited, allowing cybercriminals to take over systems remotely. The impact of this vulnerability, CVE-2021-22005, has been rated 9.8. In addition, this vulnerability also lends itself to possible ransomware attacks.
Within ransomware attacks we see a development from double extortion to triple extortion. Double extortion means that data is not only held hostage and ransom demanded, but cyber criminals also threaten to offer the stolen data for sale or to publish it. Triple extortion goes even further: in these cases the cyber criminals actively seek contact with, for example, customers and media in order to discredit the attacked company. In the most aggressive form, there are even active attacks on the already affected organizations to sabotage the recovery process and increase the pressure.
Despite the increasing focus on preventive measures, Dutch organizations remain vulnerable to cybercriminals. Research has shown that more than three quarters of healthcare institutions are at risk of email fraud. There is an increasing dependence on digital processes, such as making appointments or online consultations. At the same time, email is still one of the most widely used ways to access employee and organization data. Therefore, increase the cyber awareness of employees, ensure that systems are properly set up and make tooling available so that employees are also able to work safely digitally.
Ransomware remains popular with cybercriminals, with one in three financial institutions being the target of a ransomware attack last year. This is shown by worldwide research by Sophos. The financial sector is one of the best prepared industries, partly because of all the laws and regulations that must be complied with. However, about half of these attacks proved successful. During our virtual expert lunch we provide more insight into how financial institutions can test whether they are resistant to advanced cyber attacks and the consequences.
Researchers are working on an overview of vulnerabilities used to initiate ransomware attacks. Combining the increasing number of exploits in use with the number of vulnerabilities that are actively being exploited, the number of attack vectors is large. The overview offers tools to act quickly and adequately in the event of a ransomware attack. Incidentally, it is a misconception that only new vulnerabilities are exploited by cyber criminals: the Cring group, for example, uses an 11-year-old ColdFusion vulnerability.
Computers, as well as smartphones, are increasingly being misused for mining cryptocurrency. By circumventing existing security mechanisms, cybercriminals can use this equipment for their own purposes. According to researchers at a security firm, new cryptojacking techniques usually involve malware that installs legitimate cryptocurrency mining software on specific systems. This legitimate software is usually modified to redirect the generated digital coins to wallets controlled by the criminals.
Patching systems is and remains an important means of minimizing digital vulnerabilities. Two important patches of the past few days are those from Microsoft and Apple. Microsoft has released a patch for the actively exploited vulnerability CVE-2021-40444. Apple released a patch this week that fixes vulnerabilities in iOS: iOS 14.8 includes a fix for a vulnerability that was actively used by the Pegasus spyware, which allowed remote access to iPhones, among other devices, without the owner having to click a link.
This article paints a startling picture of exploits from 1999 that are still being abused. A vulnerability that did not have a major impact in 2016 may suddenly mean greater risk in 2021. The relationship between seeing the need for patching versus the actual implementation becomes painfully clear.
Data is valuable to cybercriminals, but why? Many people have the idea that cyber criminals can’t do much with their name, email address and date of birth. This article explains how cyber criminals handle personal information and use it to their advantage. The value of a dataset is determined by several criteria. For example, credit card information appears to be less valuable because an extra layer of verification makes it more difficult to use than, for example, PayPal accounts.
New software releases or important news items are perfect hooks for cyber criminals to use for malicious activity. Currently, for example, the release of Windows 11 is being used for the distribution of malware. In this case, an attachment is sent suggesting that the document was created with a newer version, which would make the document incompatible with the victim’s version; this can supposedly be solved by enabling macros and running the script. However, the moment you enable the macros, malware is installed.
In addition, Microsoft has issued a warning for a zero-day in Internet Explorer that is currently under active attack. This vulnerability (CVE-2021-40444) is present in all supported versions of Windows. There is no update available yet; it is advised to disable ActiveX controls.
The majority of smartphone users regularly receive text messages with notifications about orders that are being delivered and whose progress can be followed by clicking on a link, or messages about a missed call and a voicemail message that can be listened to by clicking on a link. There are countless examples like these, and in almost all cases the goal is to install malware or obtain login credentials. Another reason these campaigns still take place is to trick you into taking out an expensive subscription.
Make employees aware of their online activities, whether they are working from home or in the office, and help them recognize suspicious situations.
The alertness of employees is important for good cybersecurity, as is having an overview of your data sources and systems. This concerns not only your own live, on-premise systems, but also, for example, test systems and cloud solutions in use. In addition, it is important to know which functionality is additionally introduced with a software update.
Last week it turned out that a cybercriminal had gained access to the production environment of T-Mobile US through the test environment, including access to the customer data of many dozens of customers. Personal data, such as telephone numbers, addresses and license plate details, were captured and offered for sale on forums.
In the previous #WakeUpWednesday, we briefly mentioned LockFile ransomware. What is special about this ransomware type is that it actively tries to evade ransomware detection tools based on statistical content inspection.
Microsoft is warning Azure users about a critical vulnerability in its Azure Cosmos Database that could allow cybercriminals to gain access to the databases. The vulnerability arose because a specific feature was switched ‘on’ for users at the beginning of this year, in combination with a number of misconfigurations. Previously, features that were activated by default already caused potential vulnerabilities in WhatsApp and Google Groups.
Cyber criminals are becoming increasingly sophisticated and respond to current events. Therefore, be extra alert to messages about problems during a ‘zoom meeting’, or an e-mail with a request from, for example, a management team member asking something of you outside the regular channels. Another variant currently in active use is a request from a so-called bank employee to install TeamViewer or AnyDesk, supposedly necessary because of a problem with the bank account. In practice, the bank account is looted through these sessions.
We have previously shared updates regarding ProxyShell and PetitPotam attacks. LockFile ransomware combines these attacks; notably, there is a very short time, 20 to 30 minutes, between the moment the servers are compromised and the execution of the ransomware attack.
The Internet of Things, in which everyday objects are connected to the internet and can exchange all kinds of data, is increasingly creating cybersecurity threats. An increasing number of medical devices, such as pacemakers and insulin pumps, are proving vulnerable to cyber attacks. In addition to endangering the health of patients, hackers can also use them to gain further access to the network. Another risk was discovered this week by Microsoft, which warns of an IoT botnet that tries to infect routers from, among others, Huawei, Netgear and ZTE in order to carry out so-called man-in-the-middle attacks. In this way an attacker can, for example, redirect victims to a malicious banking website instead of the legitimate one. In addition, infected IoT devices can be used to participate in DDoS attacks.
Cyber criminals use a variety of ways to gain entry into an organization. One of them is involving an employee in their activities. In this case, Nigerian criminals approached an employee asking if he had access to the server and was willing to unleash ransomware on the corporate network in exchange for a percentage of the ransom.
Last week, the risk of the Windows LSA Spoofing Vulnerability was scaled up to high/high (chance/damage) by the National Cyber Security Center (NCSC). More about this vulnerability in our blog.
In addition, various data leaks have been reported, including at Blue Sky Group (pension manager of KLM, Philips and SNS Reaal, among others) and Radboudumc. In both cases, data unintentionally ended up with third parties due to human actions. In the case of Blue Sky Group, the source was a phishing email.
Phishing campaigns are becoming more and more professional. Alerting employees and helping them to increase cyber awareness is essential to prevent potential incidents. For example, Microsoft indicates that a phishing campaign has been going on for more than a year via an xls.html file (the attachment is really an HTML file, but its name makes it look like an Excel spreadsheet). The phishing email gives the impression that it is an invoice. The campaign is aimed at harvesting login details, which can then be used in later attacks.
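A mail gateway or SOC can catch the disguise described above mechanically: an attachment whose name ends in an active extension (.html, .htm, .js, and so on) but carries a document-like extension earlier in the name, or whose bytes are HTML while the name claims .xls, is worth quarantining. The following is an added illustration written for this page, not code from Tesorion or Microsoft; the extension lists, the constructed sample attachments and the function names are assumptions chosen for the example.

```python
"""Flag e-mail attachments whose name disguises an HTML file as an Office document.

Added example for the xls.html phishing pattern; the extension sets and the
constructed sample attachments below are assumptions, not data from the post.
"""
import re
from typing import Optional

# Extensions an invoice or report would plausibly arrive as (used as decoys).
DOCUMENT_EXTENSIONS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".csv"}
# Extensions that the mail client renders or executes rather than just opens.
ACTIVE_EXTENSIONS = {".html", ".htm", ".hta", ".js", ".vbs", ".exe", ".scr", ".lnk"}

# Office files start with a ZIP or OLE header, PDFs with %PDF; HTML starts like this.
_HTML_START = re.compile(rb"^\s*(<!doctype\s+html|<html|<head|<script)", re.IGNORECASE)


def split_name(filename: str) -> tuple[str, list[str]]:
    """Return (stem, extensions) with every extension lowercased.

    'C:\\\\mail\\\\Invoice.XLS.html' -> ('invoice', ['.xls', '.html'])
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    stem, *rest = base.split(".")
    return stem, ["." + part for part in rest if part]


def looks_like_html(data: bytes) -> bool:
    """True when the first bytes are an HTML document rather than Office/PDF content."""
    return bool(_HTML_START.match(data[:512]))


def check_attachment(filename: str, data: bytes = b"") -> Optional[str]:
    """Return a reason code to quarantine the attachment, or None if nothing is off.

    'double-extension'  : a document extension precedes a final active extension,
                          or the stem itself is literally 'xls', 'doc', ... ('xls.html')
    'content-mismatch'  : the name claims a document type but the bytes are HTML
    """
    stem, exts = split_name(filename)
    if not exts:
        return None
    final = exts[-1]
    # Every extension before the last one counts as a decoy, as does a stem that is
    # itself a document extension name (the bare 'xls.html' form named in the post).
    decoys = exts[:-1] + (["." + stem] if "." + stem in DOCUMENT_EXTENSIONS else [])
    if final in ACTIVE_EXTENSIONS and any(d in DOCUMENT_EXTENSIONS for d in decoys):
        return "double-extension"
    if final in DOCUMENT_EXTENSIONS and looks_like_html(data):
        return "content-mismatch"
    return None


def scan_attachments(attachments: dict[str, bytes]) -> dict[str, str]:
    """Run check_attachment over a name -> bytes mapping and keep only the hits."""
    hits = {}
    for name, data in attachments.items():
        reason = check_attachment(name, data)
        if reason:
            hits[name] = reason
    return hits


# Constructed sample attachments (not real campaign artefacts).
SAMPLE_ATTACHMENTS = {
    "Invoice_2021-08.xls.html": b"<html><body>loading invoice...</body></html>",
    "xls.html": b"<!DOCTYPE html><html><head></head></html>",
    "statement.xls": b"<!DOCTYPE html><html><body>sign in</body></html>",
    "report.xlsx": b"PK\x03\x04" + b"\x00" * 26,  # genuine OOXML zip header
    "newsletter.html": b"<html><body>company news</body></html>",  # honest HTML
}

if __name__ == "__main__":
    for name, reason in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"QUARANTINE {name}: {reason}")
```

An honest HTML attachment such as newsletter.html is deliberately left alone: the check targets the mismatch between what the name promises and what the file is, not HTML as such. Content sniffing is what catches the case where the sender drops the trailing .html and relies on the mail client to render the file anyway.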
The number of ransomware attacks on connected devices (network-connected, smart devices), and the associated increase in the security risks of these devices, is on the rise, according to research. The reason for this is that these devices often cannot, or can only with difficulty, be provided with security updates. VoIP phones, security cameras and badge readers are generally not developed according to the ‘security by design’ principle and do not support endpoint security agents. This means that as an organization you may have to set up the cybersecurity for these devices differently in order to still protect your organization, for example through network segmentation.
Ransomware continues to keep organizations busy. We recently analyzed a sample of BlackMatter, a new player in this field. This sample supports the analysis that BlackMatter is a rebrand of DarkSide. The blog written by Gijs gives more detailed technical background.
If you have been affected by Kaseya, there is good news: there is a working master key available for decryption.
On the British Isle of Wight, a number of schools start the new school year later after being hit by ransomware and not having a properly working backup. Make sure that you as an organization have the basics in order because successful ransomware attacks have major consequences and can cause social disruption.
A new vulnerability has been published under the name ProxyShell. See our blog for more information.
In addition to ransomware, the prevention of data leaks is also a constant point of attention for many organizations. A data breach can arise in various ways. For example, viewing a medical file without necessity is technically a data breach, just like emailing personal or company data to the wrong person. It is a misconception that data breaches are always noticed immediately. Unfortunately, the University of Kentucky, where an attacker gained access through a vulnerability in one of its websites early this year, is an example of this. The attacker had stolen the underlying database with data of 355,000 students and teachers. This was only noticed when the University ordered its annual pen test (penetration test).
The cyber security incidents involving Kaseya have been widely covered in the news in recent weeks. It is reported that Kaseya has obtained a decryptor and is working hard to help victims recover. In a recent article, Kaseya states that they have not paid a ransom to obtain the decryptor.
Last week, Microsoft shared information about a new vulnerability called PetitPotam. This vulnerability concerns NTLM under Windows and, among other things, allows an attacker to take over a domain controller. This article lists mitigation measures for domain controllers, so make sure that vulnerable systems in your organization are checked.
Several data breaches have been announced in recent weeks, including a data breach at various general health practitioners. The vaccination data of about 700 patients has been shared with the RIVM without permission. The GGD also does not rule out the possibility that a similar data breach could have occurred at their place. To prevent such a data breach, it is important to always make a risk analysis in advance and to continue testing and checking the system during use. Certainly for systems that process such sensitive information, it is wise to have a penetration test performed. This allows you to anticipate vulnerabilities in the software that could otherwise cause a data breach at a later time.
Initial Access Brokers (IABs) are individuals or groups who have managed to silently gain access to a corporate network or system through, for example, stolen credentials, brute-force attacks, or exploiting vulnerabilities. This article presents some trends in IAB activities based on global survey data from the past year.
Last week we announced that patches have been made available for Kaseya’s on-premises solutions and the Windows Print Spooler vulnerability. In addition, Microsoft announced last week that they found a zero-day vulnerability in the SolarWinds Serv-U software. SolarWinds already has a patch available for this vulnerability. Make sure these patches are installed if you are using the affected software.
Hack groups that take your files hostage with ransomware nowadays also often use the so-called ‘double-extortion’ strategy. This strategy involves the hackers first exfiltrating (stealing) sensitive files to strengthen their position in the extortion. ReversingLabs reported last week that they found malware specifically designed for this purpose. Their blog lists some indicators of this malware. Recognizing this malware could be an early warning for a potential ransomware attack.
Ransomware attacks are becoming more common, and their impact is also increasing. Take, for example, the attack on Colonial Pipeline in the US. The US DHS and DOJ therefore launched a new initiative last week called StopRansomware.gov. The goal of this initiative is to provide a collective resource of information to help organizations better guard against ransomware. StopRansomware.gov describes step by step what you can do for prevention and detection, and what to do once you are infected.
Another data breach was reported last weekend, this time to the Dutch Ministry of Justice and Security. An outside employee had illegally copied sensitive information into his own work environment. This information subsequently also ended up in two other government environments. The personal data of about 65,000 civil servants were leaked because an employee did not follow the rules.
Fortinet has released an advisory regarding a critical vulnerability (CVE-2021-32589) in the FortiManager and FortiAnalyzer products. The vulnerability may allow a remote, unauthenticated attacker to execute unauthorized code as root by sending a specifically crafted request to the fgfm port of the targeted device. For details, please read the Fortinet advisory.
Last week there was a lot of attention for the issues with Kaseya and for the Microsoft PrintNightmare vulnerability. The latest update regarding Kaseya: a patch is available for the on-premise solutions. More info in our blog.
A patch is available for the Microsoft PrintNightmare vulnerability, but configuration changes also need to be made to be fully protected. The latest updates are described here.
In addition, there were several data breaches last week in which private data unintentionally ended up in the hands of third parties. This concerns various combinations of first and last name, email address, address details and bank details. Therefore, make sure that you use different passwords for the different online webshops and applications. In addition, if possible, use multi-factor authentication.
Make sure employees are alert and cyber-aware. Cyber criminals are becoming more and more creative and also regularly use the combination of online and offline activities. One of the most striking or convincing examples is the combination between vishing and a physical visit by a so-called bank employee.
Last week there was a lot of talk about the supply chain attack at Kaseya. One of the lessons that can be drawn from this is that cybersecurity is not only about preventing incidents, but also about rapid detection and taking appropriate action (response).
In our blog, we keep up with the latest developments about the ransomware attack that is underway via a supply chain attack at Kaseya.
In addition to this attack, there were two Microsoft vulnerabilities that required updates: one in PowerShell 7 and an RCE vulnerability in Windows Print Spooler. For PowerShell 7, it is recommended that you update to PowerShell version 7.0.6 or 7.1.3 as soon as possible. For the RCE vulnerability, all supported Windows versions are vulnerable. Microsoft has published two workarounds. The first option is to disable the Print Spooler service. This has the disadvantage that the system can no longer print. The second option is to disable inbound remote printing. The system then no longer functions as a print server, but local printing is still possible. An update for this vulnerability has been released.
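As an added example (not from the original post and not Microsoft's own tooling), the PowerShell script below audits a host against the two Print Spooler workarounds and the PowerShell 7 version advice described above, and can apply either workaround. The registry value RegisterSpoolerRemoteRpcEndPoint (the policy "Allow Print Spooler to accept client connections", where 2 means disabled) and all function names are assumptions of this example; run it as Administrator.

```powershell
# Added example: audit/apply the Print Spooler workarounds from the post above.
# Assumed: service name "Spooler" and the Printers policy key below (standard Windows locations).
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet('Audit', 'DisableSpooler', 'DisableRemotePrinting')]
    [string]$Mode = 'Audit'
)

$PrintersPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$RemoteRpcValue    = 'RegisterSpoolerRemoteRpcEndPoint'   # assumed policy value; 2 = disabled

function Test-PowerShell7Patched {
    # Post advice: 7.0.x must be >= 7.0.6 and 7.1.x must be >= 7.1.3. Older majors are not PS7.
    param([version]$Version = $PSVersionTable.PSVersion)
    if ($Version.Major -ne 7) { return $null }            # not applicable
    switch ($Version.Minor) {
        0       { return $Version -ge [version]'7.0.6' }
        1       { return $Version -ge [version]'7.1.3' }
        default { return $true }                           # newer branches postdate the fix
    }
}

function Get-SpoolerExposure {
    # Returns an object describing whether either mitigation is in place.
    $svc    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $remote = $null
    if (Test-Path $PrintersPolicyKey) {
        $remote = (Get-ItemProperty -Path $PrintersPolicyKey -ErrorAction SilentlyContinue).$RemoteRpcValue
    }
    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    [pscustomobject]@{
        SpoolerStatus     = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartType  = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
        RemotePrintingOff = ($remote -eq 2)
        # Exposed to the remote vector only while the service runs AND accepts client connections.
        ExposedRemotely   = $running -and ($remote -ne 2)
        PS7Patched        = Test-PowerShell7Patched
    }
}

function Disable-PrintSpooler {
    # Workaround 1 from the post: stop the service and prevent it from starting again.
    # Side effect: no printing at all on this host.
    [CmdletBinding(SupportsShouldProcess)] param()
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force -ErrorAction Stop
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

function Disable-InboundRemotePrinting {
    # Workaround 2 from the post: keep local printing, refuse inbound client connections.
    # Equivalent to the Group Policy "Allow Print Spooler to accept client connections" = Disabled.
    [CmdletBinding(SupportsShouldProcess)] param()
    if ($PSCmdlet.ShouldProcess($PrintersPolicyKey, "Set $RemoteRpcValue = 2 and restart Spooler")) {
        if (-not (Test-Path $PrintersPolicyKey)) { New-Item -Path $PrintersPolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PrintersPolicyKey -Name $RemoteRpcValue -Value 2 -Type DWord
        # The policy is read at service start, so restart the service for it to take effect.
        Restart-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    }
}

# Main flow: always report, apply the chosen workaround only when asked.
$before = Get-SpoolerExposure
Write-Host "Before: " -NoNewline; $before | Format-List | Out-String | Write-Host
switch ($Mode) {
    'DisableSpooler'        { Disable-PrintSpooler }
    'DisableRemotePrinting' { Disable-InboundRemotePrinting }
    default                 { }
}
if ($Mode -ne 'Audit') {
    $after = Get-SpoolerExposure
    Write-Host "After: " -NoNewline; $after | Format-List | Out-String | Write-Host
    if ($after.ExposedRemotely) { Write-Warning 'Host still accepts inbound print connections.' }
}
```

Run with `-Mode Audit` (the default) first on a few hosts to see which ones still expose the Spooler remotely; `-WhatIf` shows what either apply mode would change without touching the system.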
We are closing this week with a new data breach at LinkedIn. Combinations of passwords and e-mail addresses are circulating. The advice is to change your LinkedIn password and to use a unique password for every application and/or online account.
Ransomware is a threat to national security, according to the Dutch National Coordinator for Counterterrorism and Security (NCTV) in the Cyber Security Assessment Netherlands 2021 this week. A danger that we also identify. Our analysts therefore work very closely with various authorities daily to minimize the consequences of this danger. One of the results of those efforts is a new decryptor. In some cases, this decryptor can help decrypt files encrypted by Lorenz ransomware without paying the requested ransom. The decryptor is made available for free through No More Ransom.
Another ransomware development is that ransomware organizations are creating websites to recruit affiliates. For example, promotional texts are used to attract partners who can use the Ransomware as a service. This allows many more cybercriminals (even without specific ransomware knowledge) to use this form of cybercrime.
In line with the Cyber Security Assessment, both the government and academia are calling on organizations to increase the knowledge of cybersecurity and information security among employees. One of these initiatives was initiated by ACCSS, with a Dutch open letter called: “Open Brief: Overstappen naar de Cloud, bezint eer ge begint”. Know where your data is stored, under what conditions and who has access to it.
Cyber criminals are getting more and more inventive. In addition to responding to current events, such as the campaigns on Covid-19, they also consciously respond to people’s sense of safety.
After the DarkSide ransomware group announced that it would cease its activities, we see new activities emerging under the same name. Cyber criminals use the DarkSide name to steal a lot of money from organizations in the energy and food industry, partly by playing on fear. As with DarkSide’s ransomware attacks, a ransom demand is made; however, contrary to the actions of the original group, there is no proof that any data is in their possession. The approach of this new party also differs in other respects. In addition, this party also claims the attack on JBS, but that attack was carried out by REvil. The advice is to be alert and, if in doubt, contact experts for further analysis.
Research from Cybereason shows that once hit by ransomware, you are likely to be attacked a second time. In addition, half of the organizations lose data despite payment and one in four companies is forced to stop its activities.
An example of responding to the feeling of safety is the incident at Ledger, in December 2020. This organization makes crypto wallets, USB sticks with which you can send and receive Bitcoins, among other things. After user data was stolen from Ledger, these users were sent a new USB stick with the message that the old one was no longer safe after the hack. Because the stick and the packaging were indistinguishable from the real thing, the new stick was used and the instructions followed. The result is clear: the cyber criminals took a lot of crypto.
If you use Google Chrome, it is recommended to update Chrome as soon as possible. For the seventh time this year, vulnerabilities have been found that are being actively exploited.
Cybersecurity is not only an important topic during office hours. Cybercrime can happen anytime, anywhere. Taking basic measures, including increasing the cyber awareness of employees, can reduce the risk of an incident. Also during the holidays. Think, for example, of awareness about the risks when it comes to free WiFi, an easy first step.
Looking up data and e-mailing is no longer just a PC based task, it can be done just as easily with the mobile phone. In short, keeping these devices up-to-date is now just as important as the network. Cyber criminals can spy on users and access data via pre-installed Samsung Apps. Multiple vulnerabilities were patched in April and May. Do your employees know this too?
Are you dealing with a data breach? Do not forget to report this to the Dutch Autoriteit Persoonsgegevens (for Dutch companies). Failure to report, or not on time, may result in a fine. There are various ways in which a data breach can occur. For example, the VPRO was hit by a data breach after a break-in on a server at a supplier. This could potentially affect thousands of subscribers.
Cyber criminals are actively exploiting a vulnerability in VMware vCenter Server that could allow a cyber criminal to take control remotely. A patch has been available for CVE-2021-21985 since May 25, but many systems are still vulnerable. We recommend patching systems as soon as possible.
There are also two critical vulnerabilities for Citrix systems and appliances that require urgent attention. Details about these vulnerabilities can be found in the blog we published yesterday.
In addition, Microsoft released updates for six vulnerabilities, one of which, CVE-2021-33742, has been labeled critical. This is a vulnerability in the Windows MSHTML platform that allows remote code execution. Patching as soon as possible is also the urgent advice here.
In recent weeks, the developments regarding the ransomware attack at Colonial Pipeline have been frequently covered in the media. The origin of this extensive ransomware attack is a confluence of various aspects in the field of people, process and technology. In this case, the same password was used by a user in multiple places. The leaked VPN password also belonged to an account that was no longer in use, but that was still operational. Because no multi-factor authentication was used, it was relatively easy for cyber criminals to get access. Meanwhile, the bitcoins in which the ransom was paid have been traced and recovered by hacking one of the accounts used by the cyber criminals.
Because cyber criminals take advantage of this type of news, the first phishing attacks have now also been discovered in which this ransomware attack is used as a reason. Employees are asked to install ransomware system updates. However, these updates do not protect you against ransomware, but facilitate these types of attacks.
Last week, it was announced that cybercriminals launched an advertising campaign on Google to mislead those interested in AnyDesk (a remote desktop access solution). These individuals were ingeniously seduced, using a clone of the original website to install malware.
Another clever way that was made public is the extortion of gas station owners. After the recently exposed form of WhatsApp fraud in April, contact is now being made stating that a driver left without paying, but that they still want to pay for the petrol. You will then be asked to provide a name and account number, or to make a payment request. What follows is not a payment, but ransomware or a virus.
It is good to realize that cyber criminals do not only use online resources. Another way that was recently made public is where you receive an email with a subscription for an online streaming service. However, you never subscribed, so you call the number stated in the email to complain. A call center employee will then help you cancel the (non-existent) subscription and install malware on your PC at the same time.
There are many developments not only on the user side, but also on the technical side.
The CISA (Cybersecurity & Infrastructure Security Agency) released an update last week for the vulnerabilities in Pulse Connect Secure. The advice is, if the patches for these vulnerabilities are not yet installed, to install them as soon as possible.
In the last few days, a lot of attention was paid to the default settings of WhatsApp. It is easy for anyone to add random people (people who are not in your contact list) to a WhatsApp group. This functionality already existed, but recently a lot of warnings were issued. Although it is not considered to be a vulnerability in the software, you should be in control of what is happening on your device. In this case, it is not only about usability; it also poses a great risk of phishing or extortion, for example. Make sure you know which applications you have installed, what functionality they offer and what they have access to.
Examples from America show that cyber criminals regularly misuse the data of missing people for their campaigns. Details of family members looking for their loved ones are retrieved through various online channels, after which these people are approached with ransom claims, among other things.
QR codes are also abused to send people to malicious websites. On these sites, you are then asked to enter personal data that can be misused. Another possibility is that malicious software is installed from such a site onto your device.
Today, VMware has released an update for critical vulnerabilities CVE-2021-21985 and CVE-2021-21986. These affect VMware vCenter Server (vCenter Server) and VMware Cloud Foundation (Cloud Foundation) and can be used for remote code execution. The advice is to patch these as soon as possible.
Microsoft recently released a patch for two critical vulnerabilities, CVE-2021-31166 and CVE-2021-28476, that have been rated “Critical” by Microsoft. More details about these vulnerabilities can be found in our blog. Of course we advise you to install the released patch as soon as possible!
In addition to these vulnerabilities in Windows, there are also signs that cyber criminals are using Microsoft Build Engine to proliferate malware. The attackers distribute input files for the build tool MSBuild. Malicious executable files are put in these input files, which then open back doors on the system in question at the time of compilation and deployment. These then allow cyber criminals to take control of victims’ machines and steal sensitive information.
Last week, we indicated in our #WakeUpWednesday that the French branch of insurer AXA is no longer reimbursing ransom money that must be paid in ransomware cases. It was revealed this week that an Asian division of the company has recently been hit by ransomware. The attack was claimed by the group behind the Avaddon ransomware. The group has now made some of the stolen data, including screenshots of ID cards and passports, public.
The FBI and the Australian Cyber Security Centre (ACSC) have also warned about the Avaddon ransomware. Urgent advice was also given to pay more attention to the security of teleworking solutions. These are widely abused by attackers to gain access to corporate networks.
Online shopping has increased enormously in the past year, resulting in strong growth in the number of packages. Cyber criminals are responding to this development in various ways. More than 10,000 Android phones in Belgium were recently infected with FluBot malware, a banking trojan that, among other things, tries to steal data in order to commit bank fraud. This malware uses a text message stating that the delivery person is on their way with your package, with a track-and-trace link that points to a rogue app containing the malware. The malware then sends an SMS to random people. KPN is now also warning about this malware and about potentially unexpected high telephone bills.
In addition to patching systems, it remains very important to make your employees, also when they mostly work from home, aware of the many different ways in which cyber criminals try to gain access to company data and networks.
Last week, on Tuesday and Wednesday, we published blogs on the Dell driver and 21Nails Exim vulnerabilities. For details about these vulnerabilities and how to fix them, please refer to the relevant blogs.
Adobe released a patch for the following vulnerability (CVE-2021-28550) in its applications for Windows and macOS. In total, 12 different Adobe applications are vulnerable. We strongly advise you to patch your systems, as this vulnerability is currently being exploited.
In addition, the Dutch CBS (Central Agency for Statistics in the Netherlands) sees a sharp increase in the number of data leaks at large companies. For example, it indicates that in 2019 a quarter of companies with 250 or more employees were affected by a data breach as a result of an internal incident. In 2018, that percentage was still 17%. Relatively speaking, most data breaches occurred in healthcare. In total, almost 30,000 reports were made to the Dutch Data Protection Authority (AP) in 2019.
Delivery service Gorillas recently had a data breach involving data from 200,000 customers and deliverers. The customer data that was leaked included name, address details, credit card details and e-mail address; in the case of the deliverers it concerned name and telephone number. The data turned out to be easily accessible via an API; a similar vulnerability was previously exploited by the German delivery service Flink.
Insurer AXA has indicated that it will stop paying ransom money in France that victims of ransomware have to pay to criminals to regain access to their data and systems. Many organisations are paying close attention, not only to see who will follow but also to monitor what will be the effect on ransomware cases.
To stop ransomware, 60 representatives from the security industry and the US government have set up a task force to fight ransomware. They are supported in this by, among others, Europol. The responsibility of ISPs is also considered, as well as the payment process. Because crypto currencies play an important role in payment in ransomware cases, possible measures will also be examined in this area.
Multiple vulnerabilities in the Exim mail transfer agent (MTA) allow attackers to fully compromise mail servers. The vulnerabilities, known as 21Nails, require immediate patching. Check our blog for more info.
Pulse Secure released a patch for the recently announced vulnerability in Pulse Connect Secure. Our advice is to patch your systems as soon as possible.
Despite all the warnings to be cautious with unexpected requests in emails, such as changing a bank account number, it is easy to make a mistake. Last week it was announced that online store Bol.com transferred 750,000 euros to the account number of scammers instead of that of one of their Dutch partners, Brabantia. Stay alert to these kinds of change requests. Ensure there is a procedure so that requests to change, for example, an account number are always verified through a second channel, such as contacting the relevant party by telephone.
Swiss cloud provider Swiss Cloud has been hit by ransomware, preventing thousands of customers from accessing their applications and data. Be aware that if criminals have access to your cloud provider’s systems, they may also be able to access your systems. As an organization, therefore, regularly test your own cyber security measures and ensure that offline backups are also available of your systems and data.
In many organizations more and more equipment is connected and data is made accessible via the Internet. The Internet of Things (IoT) has enormous potential for both IT and OT (operational technology). At the same time, it is necessary to also be aware of the risks you run with IoT.
Microsoft has recently found many (over 25) vulnerabilities in IoT and OT devices. Although patching the software for these devices is often very difficult, this is necessary. If it is not necessary for these devices to have a connection to the internet, then taking these devices offline is of course the easiest solution. In addition, segmenting the network, whereby these devices are placed in their own segment, is a step that contributes to increasing cybersecurity within the organization.
Last but not least: If you use an iPhone, it is recommended to install the latest iOS update as soon as possible (if you have not already done so). In addition to the new privacy policies that have been implemented, no fewer than 50 vulnerabilities have been patched.
Last week several organizations issued warnings for vulnerabilities in their software. Patching is essential; where no patch is yet available (Pulse Secure), a workaround is described.
In addition, Apple came into the media as a victim of the hacker collective REvil. $50 million in ransom has been demanded for blueprints and other confidential data. The hackers obtained this information via a supply chain attack.
Another ransomware attack was carried out by cyber criminals on IT supplier Managed IT. This attack could also have evolved into a supply chain attack, but fortunately the systems and data of the affiliated notary offices were not hit.
Several vulnerabilities have been disclosed during the last few days.
Pulse Secure announced a vulnerability in Pulse Connect Secure, a solution used for VPN connections. This vulnerability (CVE-2021-22893) is considered very critical and is currently being actively exploited in the wild. Cyber criminals can take over vulnerable VPN servers remotely; the FireEye blog describes a number of scenarios. There is currently no patch available for this vulnerability; the security update is expected in May. There are, however, mitigating measures that can be taken. Check our live blog for the latest information.
In addition, three vulnerabilities related to SonicWall Email Security have also been published. CVE-2021-20022 is particularly serious: it can allow an attacker to create an administrator account via an HTTP request. These vulnerabilities are also currently being actively exploited. A patch was released for these vulnerabilities on April 19.
We cannot mention this too many times: install updates and security patches as soon as possible. Not only for your operating system or business software, but also for your browser, for example. Important patches were released last week for both Microsoft Exchange and Google!
Microsoft Exchange: As mentioned last week, two new very serious vulnerabilities have been revealed for which patches are available.
Google: A number of vulnerabilities have been fixed in the Chrome browser. An unauthenticated attacker could potentially exploit the vulnerabilities remotely to execute arbitrary code or gain access to sensitive data in the context of the application. To this end, the attacker must induce the victim to visit a malicious web page. Google has indicated that exploit code is in circulation for the vulnerabilities that have been fixed.
Just like last week, there were several data leaks. Perhaps the biggest leak in ages was found at allekabels.nl. This concerns data of more than 3.6 million customers.
Another notable leak was that of real estate company Heijmans. Here an email was accidentally sent to interested parties for a house in a new construction project, with an Excel file enclosed containing the personal data of more than 1100 other interested parties. Unfortunately, the Excel file was not protected, for example with a password. This means that the data could be viewed by everyone receiving the file.
Your digital security is essential. An important detail is not to lose sight of your physical security. Last week, for example, a hard drive was stolen at the tax office in Amsterdam containing data from 30,000 people. The disk contains scans of documents sent by post from July 2020 to March 2021 by approximately 30,000 taxpayers. Be alert to what data is on external data carriers and where you store it!
Making backups is very important, especially when it concerns your most business-critical data. It can be essential for the survival of your organization. Make sure that you also make an offline backup of this data! We regularly see that these backups are made online and in the case of ransomware are included in the encryption together with the original data!
Microsoft announced security patches for newly found critical vulnerabilities this Patch Tuesday, following the critical vulnerabilities disclosed last month in Microsoft Exchange (Hafnium). Microsoft Exchange Server 2013, 2016, and 2019 are impacted by these new vulnerabilities, Exchange Online customers are already protected. Via Remote Code Execution an attacker can run malicious code on the system. Currently there are no signs of any active exploits in the wild. As Tesorion we advise you to patch Exchange as soon as possible.
Because a logistics service provider has been hit by ransomware, problems have arisen with the supply of Albert Heijn. As a result, there were empty shelves in the cheese department. Even though only a part of the organization was affected, the collateral damage in the supply chain turns out to be significant.
After some problems with Zoom during the start of the Corona crisis last year, ethical hackers appear to have discovered a new vulnerability last week. This vulnerability allows cyber criminals to take control of the computer, even if Zoom is not in use at that time.
Last week, we mentioned in our #WakeUpWednesday that data from Facebook users is being offered for sale. This week it emerged that data from Clubhouse users has been made public. The dataset was created via scraping. According to Cybernews, the data of 1.3 million users has been combined. Clubhouse is a relatively new social media app enabling live audio conversations, so without video or chat functionality, with different people. Clubhouse has been under fire before, partly because you have to share your address book in order to invite others.
Privacy is a great asset and, for some time now, no longer only a matter of compliance. It is a fundamental human right that you as an organization are confronted with, partly due to the introduction of the GDPR. This means that as an organization, you also have a duty to act quickly and carefully if you become a victim of a data breach. Reporting too late can result in significant costs; Booking.com was one of the companies that found out the hard way. The fine in this case: EUR 475,000.
The number of data breach reports that the Dutch government reported to the Dutch DPA last year, also increased by 13 percent compared to the previous year. However, the increase cannot yet be explained by the minister.
Facebook was also in the media last week, announcing that data of 533 million users has been leaked, of which 5.4 million are Dutch. The data breach took place back in 2019; the data could be stolen via a vulnerability that was already resolved some time ago. The leaked information includes full name, phone number and date of birth. This data is currently being offered free of charge.
In general: Be aware of your online activities and what information you share with third parties (including on social media). Many people still work from home. It is important to be aware of the fact that spam is still one of the most used ways by cyber criminals to distribute malware. In addition, new malware is still on the market.
The following points are therefore still important to realize:
- Install your security updates as soon as they arrive.
- Update your virus scanner and spam filter.
- If you receive mail in your inbox from an unknown sender, do not open it.
- Know how to recognize malicious emails.
- Do not click on links and do not leave any personal information.
- Know what to do if you are affected by malware.
The FBI has warned this week about the exploitation of FortiOS vulnerabilities. Advanced attackers have been detected using CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591. These groups scan for ports 4443, 8443, and 10443. For more information, see the FBI’s report.
March 31 was World Backup Day. A day to remind people of the importance of making backups. Backups are an essential part of a good cyber security policy. In fact, in the case of ransomware, it can sometimes be the only option to fall back on.
Despite all the attention that has been devoted to patching Microsoft Exchange, there are still organizations that have failed to do so. As we mentioned on March 12, there are cyber criminals who have exploited this vulnerability to place ransomware. This ransomware is currently being actively used.
What many organizations seem to overlook is that patching does fix the vulnerability, but it is not a solution if cyber criminals are already in! Currently, ransomware is placed via backdoors on servers that have now been patched but were previously vulnerable. In addition, an increase can also be seen in the number of hacks on web shells (Dutch content). It is therefore important not only to patch, but also to scan your systems!
Other vulnerabilities currently actively used by cyber criminals are vulnerabilities in F5’s BIG-IP platform. This platform is widely used for load balancing of (web) servers and (web) application delivery systems. The vulnerabilities were reported two weeks ago, a patch is available.
That data is worth big money for cyber criminals is also evident from the recent data breach at RDC.
The private details of potentially millions of Dutch car owners have been stolen and are being offered for sale on the internet. According to the NOS, this concerns information such as name, address details, e-mail addresses and dates of birth. The data was stolen from RDC (Dutch only), an ICT service provider for car companies.
In the past week, a lot of attention has again been paid to the Exchange vulnerabilities. Still, that is not the only cybersecurity news from the past week. What else happened:
The research report on the hack at has been published with important learning moments, among other things the vulnerability caused by weak passwords. So, define password requirements that go beyond 8 characters, a capital letter and alternation between numeric and alphanumeric characters. In addition, errors in the network configuration and too many assumptions were also to blame for this hack.
Other notable news: a prison needs to change 600 locks because of one WhatsApp photo taken by an intern. Behavior and awareness play an important role, both offline and online. The intern from this article was unaware that sharing an image of a master key is enough to duplicate its profile. Therefore, make employees aware of the possibilities that arise when work-related images are shared on social media. For example, at the start of the corona crisis, we shared images of online meetings en masse, in several cases with the access code for the meeting in view.
The Microsoft Exchange hack was by far the biggest hack in the news last week. Four vulnerabilities in on-premises Exchange (OWA) servers 2013, 2016 and 2019, not in O365. The perpetrators are the (Chinese) state-sponsored Hafnium hackers, and the vulnerabilities have since been abused by more than 10 APT parties. Patches are available, but they need to be applied properly or they won’t work. Not enough patching is being done; many systems are still open. The zero-day vulnerability has been widely exploited for months (100,000+ systems worldwide). With tooling you can find out whether your Exchange has been abused, but not what the attackers did.
Impact is huge and it could be years before we become aware of the impact. Ransomware is now being rolled out to organizations. Companies, universities, banks, governments, everything, and everyone is affected.
Most important for organizations now is to patch and scan their environment. Tesorion can help you.
Do you want to be informed in time? Sign up for our technical updates