Critical Start Inaugural Cyber Threat Intelligence Report – September 2021

By Callie Guenther, Critical Start Cyber Threat Intelligence Manager

As a managed detection & response company, Critical Start sees lots of threats of various kinds, thousands each day. As a matter of practice, we compile weekly threat summaries and send them to all clients, so they know what to look out for – and what to patch.

As a service to the wider community, we thought readers may appreciate a monthly summary of these reports. So, you are reading the inaugural version of our cybersecurity threat report. We plan to bring it to you each month. Of course, that won’t stop us from letting you know about any immediate threats as they crop up.

Verticals: Food & Agriculture, Aviation, Education

The FBI warned the food & agriculture sector of increased ransomware attacks intended to disrupt operations, impact the food supply chain, and cause financial losses. Automation and the growth of IoT devices have increased the industry’s attack surface. Smaller businesses are considered soft targets and are more likely to be hit by ransomware, but larger players that can afford higher ransom payments are prime targets.

The means of infection have remained relatively common: email phishing campaigns, software vulnerabilities, and Remote Desktop Protocol vulnerabilities. Of companies hit by these attacks, studies show 50% to 80% pay the ransom and don’t report the incident. Threat actors increasingly follow the trend of launching attacks during weekends and holidays, when fewer people are in the office.

In addition to the well-publicized June ransomware attack on meat company JBS, other food and agriculture examples include:

• In July, a US bakery hit by Sodinokibi/Revil ransomware lost access to its server, files, and applications, halting production, shipping, and receiving.
• In March, a US beverage company suffered a ransomware attack that disrupted operations, production, and shipping. The company had to take its systems offline.
• In January, a ransomware attack against a US farm resulted in losses of $9 million due to a temporary operational shutdown. The threat actor accessed internal servers through compromised credentials.

Also in September, a malware attack on the aviation industry was uncovered. The phishing campaign appears to have been launched from Nigeria. “Operation Layover,” a small-scale cyberattack that went unnoticed for two years, is a spearphishing attack using malicious emails to distribute a loader for RevengeRAT or AsyncRat.

Finally, in the education sector, stolen data on school children was leaked on the dark web. Reports say cybercriminals have begun to leak the stolen personal information, which was obtained via data breaches at education institutions. Experts advise parents to run credit checks of their children to verify their data hasn’t been used maliciously.

Ransomware attacks on schools began increasing in 2020 at the start of the pandemic, when many switched to remote, online models. K-12 schools, especially, have proved to be a relatively easy target because they operate on tight budgets. Additionally, attackers have a higher success rate with phishing attacks when teachers think the emails pertain to their students and parents to their children.

Other recent ransomware attacks and news

• US to target ransomware payments in cryptocurrency with sanctions. Details are undetermined, but the goal is to make it more difficult for threat actors to be paid. Over the next few weeks, analysts say, new guidance will be released explaining fines and other penalties.

• Ragnarok shuts down, releases free decrypter. The Ragnarok ransomware group has shut down operations and released a free decryption key on its dark web portal. The master decryption key was published so victims could recover their data. Researchers plan to release a secure version of the decrypter on Europol’s NoMoreRansom portal. It’s not unusual for ransomware groups to shut down, especially if they suspect law enforcement is closing in. They often crop up again, potentially under a different name.

• Revil is back. The ransomware group REvil, for example, has reappeared after shutting down in July and is starting to leak data from recent attacks. The group has reactivated its servers and has a new spokesperson named “REvil” who has been posting in hacking forums.

• Groove posts stolen Fortinet credentials. Members of the Groove ransomware gang have posted 500,000 Fortinet VPN login credentials on hacking forums. The vulnerability used has been patched, but many of the credentials are still valid. It’s highly recommended that server administrators perform forced password resets. 

• Kaseya issues patches for new zero-day flaws affecting Unitrends servers. Security patches were released by Kaseya for two zero-day vulnerabilities that affect its Unitrends Enterprise backup and continuity solution. The danger these flaws present is privilege escalation and authenticated remote code execution. Kaseya is urging users to institute firewall rules and, if possible, to not leave servers accessible to the internet.
  
  
• CVE-2021-38647 (OMIGOD) – vulnerability affects Azure Linux VMs. Researchers found four vulnerabilities in Microsoft’s Open Management Infrastructure (OMI). This is an open-source Common Information Model management server used for managing Linux and Unix systems. An unauthenticated user can exploit this flaw by creating a specially crafted request to a vulnerable host on one of these ports: 5986, 5985 and 1270. If successful, an attacker could execute arbitrary code with root privileges.

• Azure Cosmos DBs exposed by critical vulnerability. The Azure cloud platform had a critical vulnerability that gave threat actors administrative access to Cosmos DB instances. The feature with the flaw has been disabled within 48 hours of the initial report. Microsoft is advising customers to regenerate the keys to remain secure.

• USCYBERCOM warns of mass exploitation of Atlassian vulnerability. CVE-2021-26084 has been seen used in the wild. This vulnerability can allow remote attackers to execute arbitrary code that would impact Confluence Servers and data centers. CISA is urging users to patch systems immediately.

• Realtek vulnerabilities under continued attack. Cybercriminals continue to use CVE-2021-35395, affecting IoT firmware built with the RealTek SDK. Wireless routers make up most of the attacks. The vulnerability lets attackers take full control of affected devices.

• BrakTooth flaw leaves millions of Bluetooth devices vulnerable. CVE-2021-28139 is the most severe of the 16 flaws found in the “BrakTooth” collection of vulnerabilities. It affects a large swath of Bluetooth-based devices. Affected appliances span the consumer and industrial sectors. The flaw lets attackers inject arbitrary code, including erasing NVRAM data. Patches should be installed as soon as possible.

That’s it for this month’s threat intelligence report. If you have any questions about any of these attacks, feel free to reach out to us. Otherwise, stay safe out there.

October 1st, 2021