Cyber Security Headlines – July 30, 2021

Biden warns that severe cyberattacks could escalate to an actual war

During a speech at the National Counterterrorism Center of the Office of the Director of National Intelligence, President Joe Biden warned that cyberattacks leading to severe security breaches could lead to a “real shooting war” with another major world power. Biden went on to say, “we’ve seen how cyber threats, including ransomware attacks, increasingly are able to cause damage and disruption to the real world.” Biden’s remarks come on the heels of a wave of attacks affecting US critical infrastructure, as well as NATO stating in June that cyberattacks are comparable to “armed attacks” in some cases. The White House has recently turned up the heat on Russia to take action to stop cybercriminals from operating within its borders, indicating the US would take action if the Russian government does not.

(Bleeping Computer)

New ransomware gangs emerge on cybercrime forums

Two new ransomware-as-a-service (RaaS) gangs, Haron and BlackMatter, have emerged this month, the latter of which professes to be a successor to DarkSide and REvil, the infamous ransomware syndicates that went off-grid following recent attacks on Colonial Pipeline and Kaseya. BlackMatter noted in a darknet blog that it will not strike organizations in the healthcare, critical infrastructure, oil and gas, defense, non-profit, and government sectors. According to Flashpoint, BlackMatter recently posted on the Russian-language forums XSS and Exploit that it is looking to purchase access to infected corporate networks comprised of between 500 and 15,000 hosts in the US, Canada, Australia, and the UK, with revenues of over $100 million a year, signaling a potential large-scale ransomware operation. The emergence of BlackMatter coincides with the demise of DarkSide and REvil, raising speculation that those groups may eventually rebrand and resurface under a new identity.

(The Hacker News)

New Android malware uses VNC to spy and steal victim passwords

A new Android-based remote access trojan (RAT), dubbed “Vultur,” uses the Virtual Network Computing (VNC) remote screen-sharing technology to steal sensitive information from the device, including banking credentials. The mobile malware was distributed via the Google Play Store masquerading as an app named “Protection Guard,” and attracted over 5,000 installs. It primarily targets banking and crypto-wallet apps used in Italy, Australia, and Spain. Researchers from ThreatFabric noted, “For the first time we are seeing an Android banking trojan that has screen recording and keylogging as the main strategy to harvest login credentials in an automated and scalable way.”

(The Hacker News)

Cyber-attack on Iranian railway was a wiper incident, not ransomware

According to security firms, the cyber-attack that paralyzed Iran’s national railway system in early July was caused by disk-wiping malware named Meteor and not by a ransomware attack. The attack, which caused train delays and cancellations across Iran, had three components: (1) the Meteor malware, which wiped the infected computer’s filesystem, (2) a file named mssetup.exe, which locked users out of their PCs, and (3) a file named nti.exe, which rewrote the victim computer’s master boot record (MBR). The attackers used group policies to deploy the components and to disconnect infected hosts from their local domain controller, which hindered remediation efforts. Once the attack was over, infected computers had their filesystems wiped, and their screens jokingly instructed victims to call the office of Supreme Leader Ayatollah Ali Khamenei.

(The Record)

Thanks to our episode sponsor,
Varonis

We all know devastating ransomware goes beyond the endpoint. Big game ransomware defense for your cloud and on-prem data is on everyone’s mind. Varonis can help ease your worries with a free ransomware preparedness assessment. Visit varonis.com/risk for more information.

Serious vulnerabilities found in IP camera firmware

According to France-based security firm RandoriSec, IP cameras offered by a dozen vendors are exposed to several critical and high-severity remote code execution flaws found in their firmware, which is produced by the South Korea-based firm UDP Technology. One authentication bypass vulnerability the researchers found can be used to take control of impacted IP cameras directly from the internet. A query by the researchers shows over 140 affected devices exposed to the internet, mainly in the US and UK. RandoriSec published a blog post detailing its findings, and on Tuesday CISA released a related advisory. UDP Technology released patches after being informed of the vulnerabilities in its firmware.

(SecurityWeek)

Hack leads to breach of UC San Diego hospital’s sensitive info

UC San Diego Health announced this week that it suffered a breach resulting from a phishing attack that gave hackers access to a wide array of patient, student and employee data, including names, claims, prescription and medical record information, Social Security numbers, government and student ID numbers, payment card and financial account numbers, and usernames and passwords. The hospital discovered suspicious activity back on March 12, but it took several weeks to identify it as a security incident. The hospital has engaged a cybersecurity firm to investigate the incident and has taken a number of steps to remediate the issue, including bolstering security controls and offering free Experian credit monitoring and identity theft protection services to affected individuals.

(ZDNet)

Babuk ransomware beta decryptor causes encryption beyond repair

A new report from McAfee Advanced Threat Research spotlights the Babuk ransomware gang, which recently announced it would be developing a cross-platform binary aimed at Linux/UNIX and ESXi or VMware systems. The researchers have observed Babuk adopting a beta version of ransomware binaries written in the cross-platform Golang (Go) language. The researchers noted, “We have seen several victims’ machines encrypted beyond repair due to either a faulty binary or a faulty decryptor.” The report speculates that the faulty ransomware may have been the reason Babuk shifted its business model from encryption to data theft and extortion.

(ZDNet)

Chipotle’s new secret ingredient is spam

Hackers have compromised an email marketing account belonging to the Chipotle food chain and used it to send out at least 120 phishing emails over a 3-day period. The majority of the messages directed users to credential-harvesting sites impersonating services from Microsoft and the United Services Automobile Association (USAA). Sending from a legitimate email address increases the chances of delivery, because such messages can pass security scanning and email authentication checks. According to email security firm INKY, the faux Microsoft emails alert the recipient that an email could not be delivered due to low cloud storage and instruct them to click a button, which directs them to a fake login page that harvests their credentials.

(Bleeping Computer and The Register)

Sean Kelly
Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.