The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- Business email compromise. Four individuals charged for major campaign.
- New NOBELIUM malware. FoggyWeb has been observed in the wild since April 2021.
- VMware exploit released. Attacks against vulnerable devices likely to increase.
- VPN security. US NSA and CISA release guidance on securing remote access solutions.
- SonicWall patches critical vulnerability. Get patching before it’s too late!
- More DDoS. Bandwidth.com is the latest victim in a series of DDoS attacks targeting VoIP providers.
1. Four individuals charged for alleged business email compromise campaign
Four individuals have been charged by US federal prosecutors in relation to a campaign to defraud businesses. The accused are alleged to have compromised numerous business email accounts and impersonated various stakeholders in order to convince victims to settle fraudulent invoices. The actors are understood to have primarily used phishing and other social engineering techniques to gain access to the email accounts.
Because ransomware attacks attract so much attention, business email compromises usually fly under the radar. However, these incidents can cause significant financial damage to a business, with little recourse, and can even amount to a data breach.
SO WHAT? Firstly, one of the best controls to mitigate the risk of a business email compromise is enforcing the use of multi-factor authentication. Secondly, it is important that employees know their organisation's proper processes and are confident following them even if an apparent stakeholder, such as an important client, is pressuring them to diverge from protocol. Finally, if a breach does happen, employees should be familiar with the correct incident reporting procedures for their organisation and not fear punishment if they report a cyber incident.
2. Major threat group operating with new malware
A new malware, FoggyWeb, developed and used by NOBELIUM, the threat actor responsible for the major SolarWinds supply chain hack, has been described as a “passive and highly targeted” backdoor.
FoggyWeb can be used to exfiltrate sensitive information from a compromised Active Directory Federation Services server and enable attackers to decrypt token-signing and decryption certificates. In addition, it can be used to receive additional components from an attacker’s command and control server to enhance its capabilities and further compromise victims’ servers.
Microsoft has notified the customers that it has observed being targeted or compromised by NOBELIUM’s activity.
SO WHAT? Microsoft has released guidance for others who believe they may have been compromised.
3. Critical VMware vulnerability actively exploited in the wild
A working exploit has been released for the critical file upload vulnerability (CVE-2021-22005) in VMware vCenter Server that was disclosed last week and is being actively used by threat actors.
Following VMware’s disclosure, threat actors quickly showed interest in the vulnerability and have been conducting scans to identify vulnerable devices to target. With the release of a full, working exploit, the number of attacks will likely increase as less sophisticated threat actors start to get involved.
SO WHAT? vCenter Server 6.5, 6.7, and 7.0 are impacted. Details on how to patch affected devices can be found on the VMware advisory page.
4. Patch vulnerable SonicWall devices ASAP
SonicWall has patched a critical vulnerability affecting its Secure Mobile Access (SMA) 100 series products. The vulnerability could allow unauthenticated attackers to delete arbitrary files and gain remote admin access to target systems. SonicWall’s SMA 200, 210, 400, 410, and 500v are all at risk of compromise.
The vulnerability has reportedly not yet been exploited in the wild; however, vulnerable SonicWall and other VPN products have been attractive targets for ransomware groups in 2021.
SO WHAT? Visit SonicWall’s advisory page for guidance on patching the vulnerable devices.
5. NSA and CISA release guidance on securing remote access VPN solutions
The US National Security Agency (NSA) and Cybersecurity & Infrastructure Security Agency (CISA) have released a guide for selecting and securing VPN solutions. The guidance follows a trend of both financially motivated and state-sponsored attackers targeting and exploiting VPN vulnerabilities.
Meanwhile, for federal agencies themselves, CISA has released draft guidance on transitioning to IPv6 and the related security considerations. The advice can also be relevant for other organisations, given that IPv6 is enabled by default on modern operating systems and devices. Accordingly, a lack of oversight of how IPv6 is configured and implemented can lead to security blind spots.
SO WHAT? Insecure configuration and implementation of key network components – such as VPN solutions and IPv6 – can significantly increase an organisation’s risk of cyber attack. Following formal guidance, such as that offered by CISA, can help align companies to established security standards and reduce the likelihood of a successful compromise.
6. DDoS attacks hit record levels
Bandwidth.com is the latest victim of distributed denial of service (DDoS) attacks targeting Voice over Internet Protocol (VoIP) providers. The past six months have seen a record number of DDoS attacks. Atlas VPN recorded nearly 5.4 million DDoS attacks in the first half of 2021.
Another VoIP provider, VoIP.ms, suffered a week-long DDoS attack earlier in the month when threat actors impersonated the ransomware group REvil in an attempt to extort the provider for millions of dollars.
SO WHAT? DDoS attacks can cause damage to the availability of your infrastructure and be used in extortion attempts. Planning ahead is vital to protecting your company from attacks of this nature. There are many popular services that offer DDoS protection and mitigation solutions.