Cyber Security Bulletin – March 2022
Here is the latest Cyber Security Bulletin, containing the top cyber security news stories from around the world, specially selected by our in-house Security Operations Centre team as the most critical for your awareness.
Top 5 Security Issues This Week
1. The geopolitical situation in Eastern Europe may result in a significant increase in cyber-attacks against all organisations.
The fluid and dire situation in Eastern Europe is almost certain to increase both the volume and the severity of cyber attacks against organisations of every kind. Our analysts suspect that the cyber “call-to-arms” from Ukraine, and the retaliatory actions of Russian and Belarusian hackers, will affect the availability of nation-state offensive hacking tools. Criminal groups, lower-skilled hackers and hobbyists are likely to take advantage of this and use these advanced tools to launch attacks against SMEs that have nothing to do with the geopolitical situation.
Our analysts recommend the following actions:
- Patch and update systems
- Increase spam filter detection
- Improve access controls, and enable and enforce multi-factor authentication wherever possible
- Implement an incident response plan
- Test and confirm backups and business continuity and disaster recovery plans
- Test and confirm security posture
- Ensure an industry-relevant threat intelligence capability
2. New “CyclopsBlink” malware that affects WatchGuard firewalls and routers linked to Russian-backed hacker group “Sandworm”.
A new strain of malware affecting WatchGuard firewalls and routers has been identified by the NCSC and CISA. The malware, in use since at least June 2019, is a replacement for an earlier network-device malware known as “VPNFilter”. Malware of this type gives malicious actors a foothold in corporate networks, and “CyclopsBlink” persists across reboots: it abuses the device’s legitimate firmware update process to maintain access to compromised devices.
“Sandworm” is credited with the destructive “NotPetya” attacks that crippled organisations around the world in 2017, and is thought to be part of the Russian GRU’s Main Centre for Special Technologies.
WatchGuard has worked closely with national security organisations to identify compromised devices and help remediate them.
3. UK and US discover new malware used by Iranian nation-state actor “MuddyWater”.
The NCSC, along with the FBI, CISA and the NSA, has revealed that an Iranian nation-state actor known as “MuddyWater” has been using multiple malware strains to infect organisations. The actor has targeted Middle Eastern energy firms since at least 2017 but has recently widened its scope to North America and Europe, primarily targeting telecommunications, defence, local government and energy organisations of all sizes.
They operate under the direction of Iran’s Ministry of Intelligence and Security, and their attacks have included deploying ransomware. They use a number of open-source tools to exploit known vulnerabilities and gain initial access.
4. Supply chain hack halts Toyota’s Japanese car production.
A critical part of Toyota’s supply chain was crippled by a cyber-attack, forcing the car giant to stop production. The third party’s website was taken down and media are reporting the event as a significant cyber incident; Toyota has halted 28 production lines in 14 of its factories, which will result in at least a 5% reduction in monthly production.
5. “Help Ukraine” crypto donation scams on the rise
Several industry researchers have reported that, since the invasion of Ukraine, a series of scam campaigns has been launched, delivered through both phishing emails and social media posts.
Emails purporting to come from NPR (npr.org) or from several United Nations Office for the Coordination of Humanitarian Affairs (OCHA) domains urge the recipient to donate Bitcoin or Ethereum to help refugees from the war. As with all phishing emails there is a sense of urgency, and in this case the attacks also exploit the emotional and psychological state of the recipient.
Attackers are also using simple social media posts to push the same campaigns.
Our advice is to consult official sources (for example, Ukraine’s official Twitter account has posted legitimate crypto addresses) before making any transaction. We also advise organisations to increase phishing awareness training to help mitigate the expected increase in cyber incidents.
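The indicators described above (an impersonated sender domain, a reply address that does not match it, a crypto wallet address in the body, and urgency wording) can be turned into a simple triage check that a SOC can run over reported emails before anyone acts on them. The following is an added example written for this bulletin, not code from the original page or from any vendor; the two emails, the impersonated-brand domain list and the urgency keywords are constructed assumptions, and the wallet addresses are published test vectors, not real appeal addresses.

```python
"""Heuristic triage of 'Help Ukraine' crypto donation emails.

Added example for this bulletin. All messages, domains and keyword lists
below are constructed assumptions, not observed campaign data.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Bitcoin: bech32 (bc1...) or legacy/P2SH (1.../3...) Base58. Ethereum: 0x + 40 hex digits.
BTC_RE = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

URGENCY = ("urgent", "immediately", "act now", "today only", "within 24 hours")

# Brands the bulletin reports being impersonated, mapped to their real domain (assumed list).
IMPERSONATED = {"npr": "npr.org", "unocha": "unocha.org"}


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg) -> str:
    """Concatenate all text/plain parts, decoding each with its declared charset."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself when it is not multipart
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def triage(raw_message: str) -> dict:
    """Score one RFC 822 message and return the indicators found plus a verdict."""
    msg = message_from_string(raw_message)
    text = body_text(msg)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To")) or domain_of(msg.get("Return-Path"))

    indicators = []
    wallets = BTC_RE.findall(text) + ETH_RE.findall(text)
    if wallets:
        indicators.append("crypto_wallet")
    if any(word in text.lower() for word in URGENCY):
        indicators.append("urgency")
    # Replies routed to a different domain than the visible sender is a classic phishing tell.
    if reply_domain and reply_domain != from_domain:
        indicators.append("reply_to_mismatch")
    # A brand name inside a domain that is not the brand's real domain (e.g. npr-relief.org).
    if any(brand in from_domain and from_domain != real for brand, real in IMPERSONATED.items()):
        indicators.append("lookalike_domain")

    if "crypto_wallet" in indicators and len(indicators) >= 2:
        verdict = "suspicious"
    elif "crypto_wallet" in indicators:
        # A wallet on its own is not proof of fraud: check it against the official source.
        verdict = "verify_wallet"
    else:
        verdict = "clean"
    return {"from_domain": from_domain, "wallets": wallets, "indicators": indicators, "verdict": verdict}


# Constructed sample: a lookalike NPR appeal with a mismatched Reply-To and two wallet addresses.
SCAM = """From: NPR Refugee Appeal <donate@npr-relief.org>
Reply-To: npr.appeals@gmail.example
To: staff@corp.example
Subject: URGENT: Help Ukrainian refugees today
Content-Type: text/plain; charset=utf-8

Please act now. Every hour counts for families fleeing the war.
Send Bitcoin to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq
or Ethereum to 0x52908400098527886E0F7030069857D2E4169EE7 immediately.
"""

# Constructed sample: an ordinary internal notice with none of the indicators.
BENIGN = """From: Facilities <facilities@corp.example>
To: staff@corp.example
Subject: Car park closure on Friday
Content-Type: text/plain; charset=utf-8

The east car park will be closed on Friday for resurfacing.
"""

if __name__ == "__main__":
    for label, sample in (("scam", SCAM), ("benign", BENIGN)):
        print(label, triage(sample))
```

The verdict deliberately stops short of calling a lone wallet address fraudulent: genuine appeals also publish crypto addresses, so "verify_wallet" is the cue to compare the address with the one on the organisation's official channel, which is the bulletin's advice.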
BONUS SECURITY NEWS STORY
HAFNIUM (Microsoft Exchange Server vulnerabilities) – One year on and still causing issues
Exactly one year ago, Microsoft disclosed a series of vulnerabilities in its Microsoft Exchange Server product line that devastated organisations around the world.
The attack chained several zero-day vulnerabilities (vulnerabilities for which no vendor fix existed at the time they were exploited). Exploiting the chain gave the attacker unrestricted administrative access to vulnerable Exchange servers and the mailboxes on them. The attackers then deployed stealthy command-and-control (C2) malware, including web shells, that gave them long-term, undetected access to affected environments.
The exploits and attacks were attributed to a Chinese state-sponsored advanced persistent threat (APT) known as HAFNIUM, whose primary targets were US government departments and organisations.
Microsoft disclosed the vulnerabilities on 02.03.2021, and by 10.03.2021 a security researcher had published a public proof-of-concept (PoC) exploit for them. Within days, tens of thousands of attacks were being launched.
Microsoft released a series of emergency patches and updates that IT and security professionals around the world scrambled to apply.
This chain of vulnerabilities was exploited by numerous malicious actors and left thousands of organisations around the world having to carry out (sometimes unprepared) disaster recovery and business continuity actions just to keep day-to-day operations running.
The HAFNIUM-related vulnerabilities are among the most dangerous and most exploited vulnerabilities tracked by CISA (the US Cybersecurity and Infrastructure Security Agency) and are still being exploited by malicious actors to access networks, steal data and deploy ransomware.
Contact us to find out more about our Cyber Security services