Archive for January, 2021

MAZE Exfiltration Tactic Widely Adopted

New research by New Zealand company Emsisoft has found that a cyber-blackmail tactic first debuted by ransomware gang MAZE has been adopted by over a dozen other criminal cyber-gangs.



The internationally renowned security software company declared a ransomware crisis in the last month of 2019. Their latest ransomware report shows that this particular type of malware has had a huge impact on the United States in 2020.



Emsisoft threat analyst Brett Callow described the numbers in “The State of Ransomware in the US: Report and Statistics 2020” as “pretty grim.”



At least 2,354 US governments, healthcare facilities, and schools were impacted by ransomware last year, including 113 federal, state, and municipal governments and agencies, 560 healthcare facilities, and 1,681 schools, colleges, and universities.



Researchers noted that the attacks “caused significant, and sometimes life-threatening, disruption: ambulances carrying emergency patients had to be redirected, cancer treatments were delayed, lab test results were inaccessible, hospital employees were furloughed and 911 services were interrupted.”



In 2020, MAZE became the first ransomware group to be observed exfiltrating data from its victims and using the threat of publication as additional leverage to extort payment. 



“At the beginning of 2020, only the Maze group used this tactic,” wrote researchers. “By the end of the year, at least 17 others had adopted it and were publishing stolen data on so-called leak sites.”



According to a November report by Coveware, some ransomware gangs that exfiltrate data don’t delete it, even after receiving a ransom from their victims. Coveware observed REvil (Sodinokibi) asking for a second ransom payment for stolen data it had already been paid to erase. 



Netwalker (Mailto) and Mespinoza (Pysa) were observed publishing exfiltrated data on dedicated leak-site portals despite receiving ransoms from their victims. 



Emsisoft found that in 2019 and in 2020, the same number of federal, state, county, and municipal governments and agencies were impacted by ransomware (113). 



“Of the 60 incidents that occurred in Q1 and Q2, data was stolen and released in only one case; it was, however, stolen and released in 23 of the 53 incidents that occurred in Q3 and Q4,” they wrote.


Source: Infosecurity

Suspicious Vaccine-Related Domains Triple

The number of suspicious domains that feature the word “vaccine” in their title increased by almost 100% in the month after the first Pfizer COVID-19 vaccine was given outside of a clinical trial.



British grandmother Margaret Keenan became the first person in the world to receive the vaccine on December 8, 2020, a week before her 91st birthday. 



New research by American cybersecurity software company Webroot observed that from December 8 through January 6, there was a 94.8% increase in suspicious domain names using “vaccine” compared with the previous 30 days.



When compared with the month of March 2020, the total use of the word “vaccine” within suspicious domain names between December 8 and January 6 was found to have increased by 336%.



“As 2021 brings the first mass vaccination programs to fight COVID-19, we’re already seeing cybercriminals exploiting the publicity and anticipation surrounding these to target businesses and consumers in phishing and domain spoofing attacks,” said Nick Emanuel, senior director of product at Webroot.



“Scams using keywords based on emotive subjects concerning medical safety and the pandemic are always going to be more effective, especially when they’re in the public interest.”



Webroot’s Real-Time Anti-Phishing protection system detected a rise in malicious URLs using other words related to the pandemic.



Over 4,500 new suspicious domains were found, which contained a combination of words relating to “COVID-19,” “Corona,” “Vaccine,” “Cure COVID,” and others.



The word “vaccine” was specifically included in the title of 934 domains, while misspellings of “vaccine” cropped up in 611 more. 



“COVID” was in the title of 2,295 suspicious domains, and “Test” or “Testing” appeared in the title of 622 domains.



Threat actors also appeared to be using public interest in travel restrictions as a phishing lure. Among the suspicious domain titles flagged by researchers were “COVID Validator,” “Testing Update,” “COVID Travelcard,” and “Private Vaccine.”



“For individuals, defending against these kinds of attacks should involve security awareness training and remaining vigilant in scrutinising the types of emails they receive,” said Emanuel. 



“This should also be underpinned by cybersecurity technology such as email filtering, anti-virus protection, and strong password policies.”


Source: Infosecurity

CVE-2020-8581

Clustered Data ONTAP versions prior to 9.3P20 and 9.5 are susceptible to a vulnerability which could allow an authenticated but unauthorized attacker to overwrite arbitrary data when VMware vStorage support is enabled.
Source: NIST

The Most Pressing Concerns Facing CISOs Today

Building security into the software development life cycle creates more visibility, but CISOs still need to stay on top of any serious threats on the horizon, even if they are largely unknown.
Source: DarkReading

Atlanta Synagogue Reports Cyber-Attack

An annual religious service held in Atlanta in honor of Martin Luther King Jr. Day was disrupted by a cyber-attack. 



Threat actors reportedly targeted a Shabbat service that was being broadcast live over the internet from Atlanta synagogue The Temple on January 15. The attack occurred as US Senator-elect Raphael Warnock, the pastor at Martin Luther King Jr.’s historic Ebenezer Baptist Church in Atlanta, was delivering a sermon.



People attempting to watch the service live via the Temple’s website were unable to access it, according to a letter penned by the synagogue’s president, Kent Alexander.



Writing to the congregation on Saturday, Alexander said: “To the many of you who tried to log on through the Temple website but could not, and missed the service, we apologize and want to offer an explanation.



“Our website service provider informed our executive director, Mark Jacobson, last night that ‘malicious user agents’ had continuously loaded the Temple website with the objective of shutting it down.” 



Alexander did not name the service provider but added that he had been told that the attack was the “largest-ever attack affecting the provider’s network of client synagogues” and that websites across the United States had also been blocked.



“Eventually, access was restored for all, but The Temple was last,” the director wrote. “Our site was down for over an hour into the service.”



The incident is currently under investigation by the authorities. Alexander theorized that the attack was inspired by religious and racial bigotry.  



After highlighting that Warnock will soon become Georgia’s first African American senator, Alexander wrote: “Presumably, The Temple was singled out by a racist and anti-Semitic group or individual bent on silencing our joint Temple-Ebenezer Baptist Church MLK Jr. Shabbat.”



The Temple was founded in 1867 and is located in the city’s midtown. An annual Martin Luther King Jr. Day Shabbat service has been hosted there for over a decade. 



In 1958, the Temple’s north entrance was bombed by the “Confederate Underground” in an incident denounced by then-President Dwight Eisenhower. The bomb, made using 50 sticks of dynamite, caused damage valued at $750k today.


Source: Infosecurity

CVE-2021-20190

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Source: NIST

CVE-2020-35929

In TinyCheck before commits 9fd360d and ea53de8, the installation script of the tool contained hard-coded credentials to the backend part of the tool. This information could be used by an attacker for unauthorized access to remote data.
Source: NIST

CVE-2020-27276

SOOIL Developments Co Ltd DiabecareRS, AnyDana-i, and AnyDana-A: the communication protocol between the insulin pump and its AnyDana-i and AnyDana-A mobile apps doesn’t use adequate measures to authenticate the communicating entities before exchanging keys, which allows unauthenticated, physically proximate attackers to eavesdrop on the authentication sequence via Bluetooth Low Energy.
Source: NIST

CVE-2020-27272

SOOIL Developments Co Ltd DiabecareRS, AnyDana-i, and AnyDana-A: the communication protocol between the insulin pump and the AnyDana-i and AnyDana-A mobile apps doesn’t use adequate measures to authenticate the pump before exchanging keys, which allows unauthenticated, physically proximate attackers to eavesdrop on the keys and spoof the pump via BLE.
Source: NIST

CVE-2020-27270

SOOIL Developments Co Ltd DiabecareRS, AnyDana-i, and AnyDana-A: the communication protocol between the insulin pump and the AnyDana-i and AnyDana-A mobile apps doesn’t use adequate measures to protect encryption keys in transit, which allows an unauthenticated, physically proximate attacker to sniff the keys via Bluetooth Low Energy (BLE).
Source: NIST