FBI Flash report: Indicators of compromise associated with Ranzy Locker ransomware
The FBI first identified Ranzy Locker ransomware in late 2020 when the variant began to target victims in the United States. Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the construction subsector of the critical manufacturing sector, the academia subsector of the government facilities sector, the information technology sector, and the transportation sector.
A majority of victims reported the actors conducted a brute force attack targeting Remote Desktop Protocol (RDP) credentials to gain access to the victims’ networks. Recent victims reported the actors leveraged known Microsoft Exchange Server vulnerabilities and phishing as the means of compromising their networks.
(Source: FBI Internet Crime Complaint Center – IC3)
Why Hive attacks are the latest menace to healthcare sector
Several characteristics of the Hive ransomware group make the threat actor particularly menacing to victims, which include healthcare sector targets.
"A lot of the ransomware actors focus on one particular platform, like Windows," says the vice president of intelligence at security firm CrowdStrike. "The Hive is a group that has [ransomware] for multiple platforms … Windows, Linux, and also ESXi hypervisors, which is another tactic that's relatively new," he says.
Hive was the subject of a recent warning issued by the FBI (see: FBI Issues Alert on Hive Ransomware).
Read the latest threat brief on Hive Ransomware from the Department of Health and Human Services (HHS), dated October 21, 2021.
(Sources: Data Breach Today, HHS)
SolarWinds threat actor targeted IT service providers in thousands of attacks, Microsoft says
Nobelium, the Russian nation-state threat actor behind the SolarWinds compromise, is targeting resellers and service providers that help customers manage, deploy and customize cloud services, Microsoft said in a Sunday, Oct. 24 blog post. The hackers did not exploit any vulnerabilities in its software but instead relied on password spraying and phishing to gain access, Microsoft said.
The campaigns began in May and so far Microsoft identified at least 14 breaches, though the technology company did not provide details on how severe the breaches were. The attacks were part of a larger wave of Nobelium activities this summer.
CISA urges users and administrators to review Microsoft Threat Intelligence Center’s Oct. 25 article, NOBELIUM targeting delegated administrative privileges to facilitate broader attacks and apply the necessary mitigations.
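Both the Ranzy Locker item above (brute-force attacks on RDP credentials) and the Nobelium item (password spraying against service providers) describe initial access through failed-logon volume, which is visible in authentication logs. The following is an added example, not code from the FBI, CISA or Microsoft: a small Python detector run over constructed log lines shaped like a flattened Windows Security log (EventID 4625 failed logon, 4624 successful logon; logon type 10 is RemoteInteractive/RDP, 3 is Network). The line format, thresholds and IP addresses are assumptions for the example; real exports would need their own parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real telemetry). Each line is:
#   timestamp  EventID  source-IP  target-account  logon-type
# 4625 = failed logon, 4624 = successful logon.
# Logon type 10 = RemoteInteractive (RDP), 3 = Network.
# A burst of failures against one account from one source, then a success:
BRUTE_FORCE_LINES = [
    f"2021-07-01T02:00:{i:02d}Z 4625 203.0.113.7 administrator 10" for i in range(12)
] + ["2021-07-01T02:00:13Z 4624 203.0.113.7 administrator 10"]
# A few failures from one source spread across many accounts (spraying):
SPRAY_LINES = [
    f"2021-07-01T03:10:{i * 5:02d}Z 4625 198.51.100.9 {user} 3"
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
]
# An ordinary mistyped password followed by a successful logon:
BENIGN_LINES = [
    "2021-07-01T08:00:00Z 4625 192.0.2.20 alice 10",
    "2021-07-01T08:00:30Z 4624 192.0.2.20 alice 10",
]
SAMPLE_LOG = "\n".join(BRUTE_FORCE_LINES + SPRAY_LINES + BENIGN_LINES)


def parse_log(text):
    """Parse the constructed line format into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, src, user, logon_type = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "src": src,
            "user": user.lower(),
            "logon_type": int(logon_type),
        })
    return sorted(events, key=lambda e: e["time"])


def detect_brute_force(events, threshold=10, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed logons inside a sliding window,
    and record whether a success from the same source followed the burst
    (the case that warrants immediate response rather than just blocking)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            failures[e["src"]].append(e["time"])
        elif e["event_id"] == 4624:
            successes[e["src"]].append(e["time"])
    alerts = []
    for src, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                success_after = any(t >= times[end] for t in successes.get(src, []))
                alerts.append({"src": src, "failures": end - start + 1,
                               "success_after": success_after})
                break
    return alerts


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=30)):
    """Flag sources whose failures touch >= min_accounts distinct accounts
    inside a window; the per-account count stays low, so a plain lockout
    threshold never fires, which is why spraying needs its own rule."""
    per_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            per_src[e["src"]].append((e["time"], e["user"]))
    alerts = []
    for src, attempts in per_src.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            accounts = {u for _, u in attempts[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts.append({"src": src, "accounts": sorted(accounts)})
                break
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("brute force:", detect_brute_force(evts))
    print("password spray:", detect_password_spray(evts))
```

The two rules are deliberately separate: the brute-force rule keys on failure volume per source, while the spray rule keys on account breadth per source, so a source that stays under the lockout threshold for every individual account is still caught. Restricting RDP exposure and requiring multi-factor authentication for the accounts these rules protect removes most of the noise the rules would otherwise generate.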
(Sources: Cybersecurity Dive, CISA)
Ransomware summit takeaways: Pledges to disrupt safe havens, money laundering
The Biden administration concluded a 30-nation virtual summit on ransomware Thursday, Oct. 14, with a joint call to action that officials hope will gather worldwide support to crack down on malicious cyber activity and the illicit use of cryptocurrency.
The countries promised to collaborate on intelligence sharing; investigation and prosecution of criminal ransomware gangs; tracing and disruption of illegal funds transfer and money laundering; and diplomatic efforts to root out safe havens for such criminals, according to a joint statement from participating ministers and national representatives.
The meeting may further isolate ransomware havens like Russia and to a lesser extent China, industry analysts and security researchers said. But some experts are still calling for more robust, open and direct countermeasures to deter rogue nation states from using cybercriminals as geopolitical proxies.
(Source: Cybersecurity Dive)
GPS daemon (GPSD) rollover bug
Critical Infrastructure (CI) owners and operators, and other users who obtain Coordinated Universal Time (UTC) from Global Positioning System (GPS) devices, should be aware of a GPS Daemon (GPSD) bug in GPSD versions 3.20 (released December 31, 2019) through 3.22 (released January 8, 2021).
On October 24, 2021, Network Time Protocol (NTP) servers using bugged GPSD versions 3.20-3.22 may roll back the date 1,024 weeks—to March 2002—which may cause systems and services to become unavailable or unresponsive.
CISA urges affected CI owners and operators to ensure systems—that use GPSD to obtain timing information from GPS devices—are using GPSD version 3.23 (released August 8, 2021) or newer.
For more information, see Keeping Track of Time: Network Time Protocol and a GPSD Bug.
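As an added example (not GPSD's own code and not part of the CISA note), the Python below shows the arithmetic behind the 1,024-week rollback and gives an operator two checks: whether a reported GPSD version falls in the affected 3.20 through 3.22 range, and whether a timestamp from a GPS-fed time source is sitting exactly 1,024 weeks behind a trusted reference. The GPS epoch (January 6, 1980) and the 10-bit week counter are standard GPS facts; the one-day slack in the comparison is an assumption for the example.

```python
from datetime import date, timedelta

# Added example, not GPSD's own code. The GPS week counter is 10 bits wide,
# so a mishandled rollover shifts dates by exactly 1024 weeks (7,168 days).
GPS_EPOCH = date(1980, 1, 6)                    # GPS week 0 starts on this Sunday
ROLLOVER_WEEKS = 1024                           # 2**10 weeks
AFFECTED_MIN, AFFECTED_MAX = (3, 20), (3, 22)   # inclusive range from the advisory
FIXED_VERSION = (3, 23)                         # first fixed release per the advisory


def _as_date(value):
    """Accept either a date or an ISO string such as '2021-10-24'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def parse_version(text):
    """'3.22' or '3.22.1' -> (3, 22); only major.minor decide exposure here."""
    parts = text.strip().split(".")
    return int(parts[0]), int(parts[1])


def is_affected(version_text):
    """True for GPSD releases inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX


def gps_week(day):
    """Whole GPS weeks elapsed since the GPS epoch."""
    return (_as_date(day) - GPS_EPOCH).days // 7


def rolled_back(day, weeks=ROLLOVER_WEEKS):
    """Date a rollover-confused consumer would report in place of `day`."""
    return _as_date(day) - timedelta(weeks=weeks)


def looks_rolled_back(reported, reference, slack=timedelta(days=1)):
    """Sanity check for a time source: is `reported` roughly 1024 weeks
    behind `reference` (e.g. the host clock or a second NTP peer)?"""
    gap = _as_date(reference) - _as_date(reported)
    return abs(gap - timedelta(weeks=ROLLOVER_WEEKS)) <= slack


if __name__ == "__main__":
    trigger = "2021-10-24"
    print("GPS week on trigger date:", gps_week(trigger))
    print("date after a 1024-week rollback:", rolled_back(trigger))
    for v in ("3.19", "3.20", "3.22", "3.23"):
        print(f"gpsd {v}:", "affected" if is_affected(v) else "ok")
    print("rollback detected:", looks_rolled_back("2002-03-10", trigger))
```

Running it shows that a 1,024-week rollback from October 24, 2021 lands on March 10, 2002, matching the advisory's "March 2002". The `looks_rolled_back` check is the useful operational piece: an NTP server that suddenly disagrees with its peers by almost exactly 1,024 weeks is showing this bug's signature, and comparing against a second, independent time source catches it before dependent services start rejecting certificates or tokens as expired.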
(Source: CISA)
Natural disasters can set the stage for cyberattacks
An earthquake strikes a city in Indiana, causing chaos and destruction, sending emergency managers and first responders scrambling. Then the water system goes down, and everyone figures it’s because of the natural disaster.
But it isn’t. It’s a ransomware attack by cybercriminals, who are taking advantage of the disruption to infiltrate the water system’s network.
The incident isn’t real, but it is a scenario played out as part of a three-day, full-scale cybersecurity drill in Indiana in August attended by more than 500 people, including Indiana National Guard members, first responders, health care providers and state, local and federal officials.
Cybercriminals, who are becoming increasingly sophisticated, could take advantage of natural disasters such as hurricanes, wildfires and tornadoes to wreak havoc on critical infrastructure, experts say, including transportation, emergency response, water and sewer systems and hospitals.
That’s why Indiana and some other state and local governments are trying to prepare by holding drills or creating preparedness plans.
(Source: Stateline)