Cyber Threat Intelligence Summary – October 2021

By Callie Guenther, Critical Start Cyber Threat Intelligence Manager

As a managed detection & response (MDR) company, Critical Start sees many threats of various kinds, thousands each day. As a matter of practice, we compile weekly threat summaries and send them to all of our MDR customers, so they know what to look out for – and what to patch.

We believe members of the wider community will appreciate a monthly summary of these reports, so we will focus on core themes from our research, which we’ll present each month. Of course, that won’t stop us from letting you know about immediate threats as they crop up.

Here is a summary of threat highlights for October, 2021.

Spotlight: The growing risk of Linux malware

Approximately 90% of the public cloud workload runs on Linux. For years, researchers have warned about potential threats to the operating system, yet there remains a strong belief in the tech community that Linux is safer than Windows. While this may have been true in the past, it is definitely not true now.

Between January and June of 2021, over 13 million malware attacks were attempted against Linux systems. A quarter of those were crypto miners targeting the enormous supply of processing power in the cloud. Over 1,000 cloud hosts have been compromised, resulting in tremendous damage to those systems.

In addition to using server resources to mine cryptocurrencies, attackers also dump credentials from the local network to expand their foothold. (Credential dumping is the process of obtaining account login and password information; it’s used to enable an attacker to move laterally to other devices on the network and harvest a Domain Admin account’s credentials). The attackers can then harvest cryptocurrency and sell network access on the Dark Web for additional income. The success of these attacks is primarily due to the lack of updating/patching of Windows and Linux servers.

Ransomware attacks made up about 12% of the attacks on Linux. Of the various Linux versions available, the most common target is the outdated CentOS Linux software.

The upshot: Organizations move to Linux systems due to flexibility in customization and the way the OS handles user permissions. The main protection against attacks is to not process executables without explicit permission.

Linux threats may not be as expansive as those against Windows, but they are no less severe. No system is 100% safe; the best practice is to become educated about threats targeting a particular operating system. It’s important for IT staff to learn the risks and update on a regular basis.

Verticals: Gaming, Industrial

In the Gaming sector, Twitch, the live video streaming service, was breached, and the cause appears to be misconfigured servers. The leaker posted his findings on the 4chan bulletin board and claimed the stolen data is from over 6,000 internal repositories. The individual who leaked this information stated this is just part one of the exposed data.

The Industrial sector was also hit in October with the rise of multiple Honeywell DCS flaws that could affect industrial processes. The flaws are:

  • CVE-2021-38395 – Improper neutralization of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition
  • CVE-2021-38397 – Vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition
  • CVE-2021-38399 – Vulnerable to relative path traversal, which may allow an attacker access to unauthorized files and directories

The affected devices are Honeywell’s C200, C200E, C300 and ACE controllers. The company says ACE and C200 controllers will not receive updates, but that it has available mitigations because “network access is required for exploitation.”

Ransomware News

  • REvil ransomware operations shut down for a second time. The ransomware group REvil was shut down after an anonymous person hijacked its Tor portal and data leak blog. This was confirmed by a threat actor affiliated with the group on the XSS hacking forum. The same threat actor also asked that affiliates contact him for decryption keys via Tox. This is most likely so the group can continue to extort current victims until another site is set up.
  • FBI publishes a warning about the OnePercent ransomware group. The FBI has published a report about the OnePercent Group attacking companies in the US. The group, active since November 2020, reportedly uses Cobalt Strike to perpetuate ransomware attacks. OnePercent uses phishing emails with malicious attachments to compromise victims’ devices.

Other Threat News

  • Zero-day vulnerability found in Apache web server. CVE-2021-41773 is a dangerous Remote Code Execution flaw that is well known and easy to exploit. A web request that appears benign aimed at your webserver can lead to complete takeover. This bug was introduced less than a month ago with Apache 2.4.49, so if Apache users didn’t update and are using Apache 2.4.48 or earlier, they do not have this vulnerability. Users should immediately update to Apache 2.4.51 if they are using Apache 2.4.49 or 2.4.50.
  • New FinSpy malware variant infects Windows systems with UEFI bootkit. Commercially developed FinFisher surveillance-ware has been upgraded to infect Windows devices using a UEFI (Unified Extensible Firmware Interface) bootkit that leverages a trojanized Windows Boot Manager, marking a shift in infection vectors that allow it to elude discovery and analysis.
  • 71 Windows vulnerabilities fixed on Patch Tuesday. Microsoft’s October list of vulnerabilities patched is rather extensive, but a few are of note. Another PrintNightmare vulnerability that can be initiated remotely (CVE-2021-36970) was discovered. Successful exploitation doesn’t require any form of authentication but does require the intended target to take some action. Additionally, CVE-2021-26427 is a Microsoft Exchange Server Remote Code Execution (RCE) vulnerability. It requires a single authentication for exploitation, and access of some kind must be gained by the attacker before using. Microsoft listed this vulnerability as “exploitation less likely” due to these requirements.

That’s it for last month. If you have questions about these attacks or others, feel free to reach out to us. Otherwise, stay safe out there.



You may also be interested in…

Stay Connected on Today’s Cyber Threat Landscape

  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
Join us at RSA Conference - booth #449 South!
This is default text for notification bar