A Month In Breaches: April

CTRL provides cyber security intelligence on prominent breaches from the past month, which saw a proliferation of ransomware attacks.

This is an initiative by our Security Operations Centre team, who have their eyes on the prize 24/7 and are proactively observing vulnerabilities and critical security trends. In this issue for the month of April, we continue to see the proliferation of ransomware attacks globally.

Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this will give an extra boost to your overall understanding of the security breaches happening across the expansive and scary internet.

Google Chrome V8 Bug Allows Remote Code Execution

Google’s Chrome browser has several security flaws that an attacker could leverage to perform a remote code execution (RCE) attack. Tracked as CVE-2021-21227, the bug is described as “insufficient data validation in V8”; Google is keeping other details close to its vest. The bug is somewhat mitigated by the fact that it doesn’t allow attackers to escape the sandbox in which Chrome runs, meaning they can’t reach any of the other programs, data, and applications on the computer. Thus, CVE-2021-21227 would need to be chained with another vulnerability in order to wreak havoc on a target’s machine beyond the browser itself. According to researchers, the impact of an attack using the bug depends on the privileges associated with the application: in the worst-case scenario, an attacker could view, change or delete data.

Google has released the latest stable version of Chrome, 90.0.4430.93, which is considered safe from the above-mentioned RCE attack. The Chrome 90 update includes 9 security fixes, covering a couple of other high-severity issues, three medium-severity bugs, and one low-severity vulnerability. Network administrators should verify that the recent updates are enforced across the network. CTRL Group recommends that customers adhere to strong patch management: patches for zero-day vulnerabilities should be applied as quickly as possible to reduce the attack surface.


Pulse Secure Critical Zero-Day Security Bug Under Active Exploit  

A critical zero-day security vulnerability in Pulse Secure VPN devices has been exploited by nation-state actors to launch cyberattacks against U.S. defence, finance, and government targets. The latest flaw, tracked as CVE-2021-22893, is rated 10 out of 10 on the CVSS vulnerability-rating scale. It is an authentication bypass vulnerability that allows an unauthenticated user to perform RCE on the Pulse Connect Secure gateway. Attackers harvest credentials from various Pulse Secure VPN login flows, which lets them use legitimate account credentials to move laterally within the affected environments. Once the flaw is exploited, attackers have been observed doing the following:

  • trojanising shared objects with malicious code to log credentials and bypass authentication flows,
  • injecting web shells into the Internet-accessible administrative web pages of Pulse Secure VPN appliances,
  • toggling the filesystem between Read-Only and Read-Write modes so they can make modifications,
  • maintaining persistence on the appliances despite upgrades,
  • unpatching modified files and deleting utilities and scripts after use to evade detection,
  • clearing log files.

Pulse Secure said that the zero-day will be patched in early May; in the meantime, the company has released both mitigations and the Pulse Connect Secure Integrity Tool to determine whether systems have been impacted.

The mitigations involve importing an .xml file that disables the appliance’s Windows File Share Browser and Pulse Secure Collaboration features. An administrator can also use the blocklist feature to block URL-based attacks; Pulse Secure listed the following URIs to block:

  • ^/+dana/+meeting
  • ^/+dana/+fb/+smb
  • ^/+dana-cached/+fb/+smb
  • ^/+dana-ws/+namedusers
  • ^/+dana-ws/+metric
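The URI patterns above are regular expressions (the `^` anchors at the start of the path and `/+` matches one or more slashes, so a request for `//dana/meeting` is caught as well as `/dana/meeting`). As an added example, not code from the newsletter or from Pulse Secure, the same list can be run over existing web-server access logs to see whether anyone has already requested those paths. The log lines below are constructed sample data in common log format; the function names are our own.

```python
import re

# The five URI patterns Pulse Secure listed for its blocklist feature.
# They are regular expressions, anchored at the start of the request path.
BLOCKLIST_PATTERNS = [
    r"^/+dana/+meeting",
    r"^/+dana/+fb/+smb",
    r"^/+dana-cached/+fb/+smb",
    r"^/+dana-ws/+namedusers",
    r"^/+dana-ws/+metric",
]
_COMPILED = [re.compile(p) for p in BLOCKLIST_PATTERNS]

# Constructed sample access-log lines (common log format), not real traffic.
# Lines 2-4 touch blocklisted paths; lines 1 and 5 are ordinary requests.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Apr/2021:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 4321
203.0.113.11 - - [20/Apr/2021:10:01:07 +0000] "GET //dana/meeting HTTP/1.1" 200 123
203.0.113.12 - - [20/Apr/2021:10:01:09 +0000] "POST /dana-ws/namedusers?x=1 HTTP/1.1" 200 88
203.0.113.13 - - [20/Apr/2021:10:01:11 +0000] "GET /dana-cached/fb/smb/../../etc HTTP/1.1" 404 0
203.0.113.14 - - [20/Apr/2021:10:01:15 +0000] "GET /dana/help/index.html HTTP/1.1" 200 555
"""

# Pulls the method and request URI out of the quoted request field.
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def matching_pattern(uri):
    """Return the blocklist pattern that matches the start of uri, or None.

    re.match() anchors at position 0, so trailing query strings or extra
    path segments do not prevent a match, mirroring how a prefix blocklist
    behaves on the appliance.
    """
    for pat in _COMPILED:
        if pat.match(uri):
            return pat.pattern
    return None


def scan_log(text):
    """Return (client_ip, uri, pattern) for every request to a blocklisted URI."""
    hits = []
    for line in text.splitlines():
        m = _REQUEST_RE.search(line)
        if not m:
            continue  # skip lines that do not carry a request field
        pat = matching_pattern(m.group("uri"))
        if pat:
            client_ip = line.split()[0]
            hits.append((client_ip, m.group("uri"), pat))
    return hits


if __name__ == "__main__":
    for ip, uri, pat in scan_log(SAMPLE_LOG):
        print(f"{ip} requested {uri} (matches {pat})")
```

Any hit in a real log is a reason to run the Pulse Connect Secure Integrity Tool on that appliance and to treat the requesting client as worth investigating, since these paths should not be reached by ordinary users once the mitigation is in place.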



More Ransomware Attacks Involve Threats to Leak Exfiltrated Data

Organisations in all sectors are increasingly being targeted by ransomware attacks. The industries most impacted by ransomware in Q1 2021 were professional services, health care, the public sector, and food & staples. The report highlights that threatening to publish exfiltrated sensitive data is now a common ransomware technique. Whilst adversaries still rely on phishing emails to spread malware or a remote access trojan and launch their attacks, more ransomware attacks now begin with compromising Remote Desktop Protocol services, whether by using stolen credentials, guessing default or common passwords, or exploiting unpatched vulnerabilities, particularly in VPN applications.

According to the findings, the adversaries behind these attacks are getting bolder, demanding ever-growing ransoms from target organisations, and a single attack can rapidly spread across borders. The average ransomware extortion demand has grown by 43% to US$220,298, and the average downtime caused by an attack has grown to 23 days. The growth of ransomware-as-a-service operations, the rise of remote work, the decentralised nature of cryptocurrency, and increasingly complex IT infrastructure are among the main factors contributing to the rise of these threats.

As ransomware attacks present a major threat globally, it is critical that every business focuses on cybersecurity, resiliency, and privacy. The following are a few precautionary steps that can prevent such threats and limit the damage they cause.

  • Regular backups – Backing up your data regularly and storing the backups offline allows you to restore your valuable data in case of an attack.
  • Prompt patching – Apply security patches and updates as soon as possible after they’re released to stop adversaries from exploiting known vulnerabilities.
  • User training on phishing emails, other social engineering tactics and good cyber hygiene – Social engineering tactics, including phishing, have become increasingly sophisticated, and some are able to bypass security defences. End users are often the final line of defence safeguarding your data and network.
  • Strict access control – Enabling multi-factor authentication, disabling default login credentials and enforcing strong password policies help secure user accounts.
  • Supply chain risk management – Regular security assessment of the external service providers who handle or store your data can minimise the attack surface presented by the supply chain.
  • Review security tools – Ensure your security tools are equipped to block known threats and malicious programs from your systems.

Paying the ransom is not advisable. There is no guarantee that payment will restore your devices or recover your data, and it can make you a target for future attacks. Instead, restore your files from backup and seek advice immediately.


– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYSTS, Ninessa, Jae and Vic.