Cyber Intelligence Briefing: 14 May 2021

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.

• Ransomware’s dark side. Colonial Pipeline hit by DarkSide ransomware, triggering several US states to declare a state of emergency.
• Ransomware wrap-up. Norwegian technology provider Volue and US police departments targeted.
• German watchdog growls. Three-month ban on Facebook processing WhatsApp data.
• Android malware targets European banks. TeaBot trojan facilitates fraudulent activity.
• E-voting machine flaws. Three flaws found within an e-voting machine used in Australia.
• You snooze, you lose. Patch Tuesday and an Adobe zero-day vulnerability.

Ransomware’s dark side: Fuel supply across the US affected by attack

• The DarkSide ransomware group infected Colonial Pipeline, the largest fuel pipeline operator in the US. This attack on US critical national infrastructure restricted the transport of fuel across the eastern seaboard, prompting a state of emergency to be declared in several US states.
• Colonial Pipeline announced it would resume operations after a five-day shut down. It closed the 8,900 km pipeline after the ransomware infected its critical IT systems.
• DarkSide posted a statement declaring that they will introduce new vetting measures to prevent future attacks targeting critical infrastructure. The group stated that the attack was conducted by one of their partners; this is a common occurrence among malware authors as payloads are often sold for wider use.

 SO WHAT?  The Colonial Pipeline attack is significant because it hit critical national infrastructure. Ultimately, it is a ‘proof of concept’ that demonstrates the potential for cyber-attacks against strategic targets. It has prompted President Biden to sign an executive order to strengthen the US government’s cyber defence.

In other ransomware news: Ryuk strikes again and attackers increase pressure on police

• Attackers targeted Volue, a Norwegian company providing technology to European energy and infrastructure firms, with Ryuk ransomware. The attack brought down applications used by 200 Norwegian municipal water and wastewater facilities.
• Separately, ransomware attackers leverage pressure tactics against US police departments. These include threatening to publish stolen data containing identities of confidential informants and releasing personal details from background checks on officers.

 SO WHAT?  See our Top 5 Ransomware Protection Tips below.

All bark and no bite in Germany?

• The Hamburg data protection commissioner banned Facebook from processing WhatsApp users’ data for three months. This follows WhatsApp’s announcement that, from 15 May, users must choose to either share certain WhatsApp data with Facebook or settle for limited WhatsApp features.
• Despite the ban, WhatsApp intend to proceed with the new data sharing policy, claiming the watchdog’s assertions are wrong. Users who opt-out of the policy will eventually be unable to send or receive messages or calls.

 SO WHAT?  If users are unwilling to share their data in this manner, there are several alternative instant messaging apps that avoid such data collection and processing, offering a heightened level of privacy.

TeaBot trojan targets European banks

• A new Android trojan is enabling attackers to conduct fraudulent activity against European banks by hijacking user credentials and text messages. The trojan has facilitated fraud against 60 banks across Italy, Belgium, the Netherlands, and Spain.
• TeaBot disguises itself as popular package delivery and media service applications to deceive victims. Once installed, Teabot allows attackers to log keystrokes, take screenshots, and inject malicious overlays on top of banking login screens.

 SO WHAT?  Android malware is on the rise. Avoid clicking on suspicious links delivered through SMS and only install mobile applications from official app stores.

Security flaws found in Australian e-voting systems

• Researchers found three flaws within e-voting machines used in Australia’s ACT 2020 election. The flaws found could affect the privacy, integrity, and accuracy of elections; however, the research group concluded that the faults did not change the 2020 election result.
• The research group is asking for full access to all e-voting modules. In recent years, similar research groups have requested access to e-voting machines in Europe and the US to quash the claims of election fraud.

 SO WHAT?  Security by obscurity only works if it does in fact remain obscure. Voting systems should be designed to be secure, even if a hacker has a copy.

Patch Tuesday!

• Included this week is a Windows 10 and Windows Server flaw that allows for a wormable exploit. CVE-2021-31166 allows an unauthenticated attacker to remotely execute malicious code; the vulnerability is rated as critical.
• Adobe also announced that a zero-day bug in its software is being actively exploited. CVE-2021-28550 allows attackers to run code in user context; if an admin user is exploited, the code will run with full admin rights.

 SO WHAT?  Both exploits are critical vulnerabilities that should be prioritised by organisations. Patches are ready and available from Microsoft and Adobe, so don’t be caught napping!

top 5 ransomware prevention tips

• All systems should be patched regularly, with critical patches implemented as soon as possible. Devices that interact with the public internet should be prioritised.
• Services designed to be used in secure networks like RDP and SMB should not be exposed to the open internet, they are prime targets for ransomware actors.
• Multi-factor authentication should be enforced for all remote connections.
• Vulnerability scanning should be conducted on a reoccurring basis, with a process in place to action findings.

• Having an email gateway represents a basic level of competency but investing in a machine learning-based solution is even more effective.
• Training provided to users in the form of yearly computer-based courses and quarterly phishing exercises work as a good last line of defence.

• Companies should be applying more than a traditional signature anti-virus. They should deploy endpoints capable of Endpoint Detection and Response (EDR) and heuristic detection.
• Endpoint protections should be installed as widely as possible to leverage the full benefit of their use.

• Administrator accounts should be granted only to select individuals.
• Use of admin accounts should be monitored and automatically logged off when not in use or, even better, controlled by a Privileged Account Management (PAM) solution.

• In order to recover from a ransomware attack all critical data needs to be backed up.
• Backups should be tested at least annually to confirm RTOs and RPOs can be met.
• If backups are being kept online, they should be secured with a unique, strong password and two-factor authentication to prevent attackers from gaining access to encrypt or delete them.