This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends. In this issue, ransomware attacks are discussed in the global expansive threat landscape. Part of protecting our clients is also promoting good security practices and raising awareness of current security trends, boosting your overall understanding of current breaches.
Microsoft Exchange Vulnerability Report
Microsoft released information regarding multiple exploits being used to compromise instances of locally hosted Microsoft Exchange Servers. Tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-2658 and CVE-2021-27065 these zero-day exploits allow an attacker to completely compromise a targeted network.
Originally associated with a state-sponsored hacker group operating out of China known as Hafnium, these exploits were being leveraged in highly targeted campaigns. However, once Microsoft had become aware of their exploitation and publicly acknowledged its existence through patching, the attacks quickly escalated, with ransomware becoming the payload of choice for opportunistic attackers. At the time of writing over 30,000 American organisations have been hacked with roughly 1,500 Exchange Servers being compromised by the Black Kingdom ransomware alone.
At this stage, many experts have stated that if an organisation has not patched their systems then they should assume that they have been compromised, with automated programs scouring the internet for victims and quickly exploiting them. Chris Krebs the former director of the CISA has also stated that this exploit will affect government agencies and small businesses the most, with many being under-resourced to apply timely patches.
In response to these events, CTRL Group issued an emergency alert for this vulnerability to all of its clients with Microsoft Exchange deployment, urging the immediate patching of all vulnerable systems, suggesting that any impacted servers be taken offline until patching had been completed.
Unfortunately, zero-day attacks can rarely be mitigated before patches are released. If your organisation has not patched a vulnerable exchange server, please contact CTRL Group immediately and scan the server before using the following tools issued by Microsoft to apply mitigations and assess the extent to which your organisation may have been impacted: https://github.com/microsoft/CSS-Exchange/tree/main/Security
Further information on this incident can be found on the Australian Cyber Security Centre website.
Adobe Fixed Critical ColdFusion Flaw in Emergency Update
Adobe warns of a critical security flaw in its ColdFusion platform, used for building web applications. If exploited, it could allow for arbitrary code execution on vulnerable Windows systems. The latest flaw tracked as CVE-2021-21087 with priority rating 2 assigned to flaws with no known exploits affecting products that have historically been at elevated risk. This vulnerability stems from improper input validation, which is a type of issue that occurs when the affected product does not validate input. This can affect the control flow or data flow of a program and allow for an attacker to launch a slew of malicious attacks.
|Product||Vulnerable versions||Updated version||Platform||Availability|
|ColdFusion 2016||Update 16 and earlier version||Update 17||All||Tech note|
|ColdFusion 2018||Update 10 and earlier versions||Update 11||All||Tech note|
|ColdFusion 2021||Version 2021.0.0.323925||Update 1||All||Tech note|
Adobe released ColdFusion 2016 Update 17, ColdFusion 2018 Update 11, and ColdFusion 2021 Update 1, and updated ColdFusion JDK/JRE to the latest version of the TLS releases for 1.8 and JDK 11 to patch the vulnerability. All previous versions before these patches are vulnerable to attacks. Adobe recommends administrators install the security updates as soon as possible and apply the security configuration settings. Please be aware that applying the ColdFusion update without a corresponding JDK update will not secure the server.
Insurance Giant CNA Hit with Ransomware Attack
A novel ransomware attack forced insurance giant CNA to take systems offline and temporarily shut its website. The attack leveraged a new variant of the Phoenix CryptoLocker malware. Cryptolockers are a use case of ransomware that instantly encrypt files on the machines they attack and demand a ransom from the victims in exchange for the key to decrypt the files. The impact of the group’s latest attack was serious that CNA disconnected its systems from its network “out of an abundance of caution” and is currently providing workarounds for employees where possible so the company can continue operating to serve its customers. Sources reveal that the threat actors encrypted more than 15,000 devices on CNA’s network—including those of employees working remotely who were logged onto the company’s VPN at the time. The company is currently in the midst of an ongoing investigation into the incident that started immediately after its discovery and it is aiming to restore systems using backups rather than paying the ransom.
Ransomware attacks can negatively impact a company’s capital and reputation. CTRL Group has a list of measures that can help prevent such an attack even before it surfaces. This includes:
- Training users on phishing and vishing safety, such as advising them to refrain from clicking unverified links, opening untrusted attachments, and providing personal details to an unknown person.
- Browsing safety such as accessing and downloading from trusted websites only.
- Backing up your data regularly.
- Securing connection by using VPN for remote access and avoiding connection via public WiFi.
- Other secure cyber practices such as avoiding the use of unfamiliar removable storage devices, keeping the OS and software tools used up to date, and using security software.
In case of a successful attack: do not panic, isolate the system, run thorough scans, use Ransomware decryption tools and restore files from backup.