Project Hyphae

Information Security News 2-13-2023


VMware ESXi Server Ransomware Evolves After Recovery Script Released

Article Link:

  • Attacks on VMware’s ESXi hypervisor were first made public on February 3rd. Since then, at least 3,800 outdated servers have been impacted by ransomware. Following the 3rd, the FBI and CISA released a recovery script; however, the script doesn’t delete the affected configuration files and isn’t 100% effective. That said, it can be a beneficial first step for organizations that have been ransomed.
  • As more attacks have occurred, threat actors have enhanced the ransomware as well. Specifically, the ransomware now encrypts a larger percentage of configuration files, and newer attacks are said to potentially work on systems that don’t have SLP enabled, a key component of the original attack.
  • Outside of the recovery script, the FBI and CISA recommend patching ESXi servers to the most recent version, shutting down the SLP service, and cutting the machines off from the public internet, among other risk mitigations. Note as well that a patch for the root vulnerability has been available for over a year.

City of Oakland Systems Offline After Ransomware Attack

Article Link:

  • The City of Oakland was hit by a ransomware attack on February 8th that forced it to take all systems offline until the network was secured and affected services were brought back online. According to the City’s statements, critical services like 911 dispatch, fire, and emergency services didn’t appear to be impacted.
  • The City said that delays were to be expected as IT personnel addressed the issue. It was also noted that the City is currently developing a plan to address the issue in line with industry best practices.
  • It is suggested that an understaffed City of Oakland IT department left the city more vulnerable to ransomware attacks.

North Korean Hackers Targeting Healthcare with Ransomware to Fund Its Operations

Article Link:

  • According to a joint advisory from U.S. and South Korean cybersecurity and intelligence agencies, state-sponsored hackers from North Korea are actively targeting healthcare, DoD Information Networks, and Defense Industrial Base organizations with ransomware.
  • Reports suggest that the North Korean hackers have been leveraging a mixture of custom ransomware and off-the-shelf tools, like BitLocker, to generate income for the North Korean regime.
  • Link to CISA Advisory:

Reddit Hack Shows Limits of MFA, Strengths of Security Training

Article Link:

  • On February 9, Reddit notified users that a threat actor had successfully convinced an employee to click on a link in an email sent as part of a spear-phishing attack; the link led to a website that cloned the behavior of Reddit’s intranet gateway in an attempt to steal credentials and 2FA tokens.
  • The compromise of the employee’s credentials allowed the attacker to sift through Reddit’s systems for a few hours, accessing internal documents, dashboards, and code. Access was limited because the compromised employee self-reported shortly after falling victim to the attack.
  • This incident highlights that multifactor authentication is still being heavily targeted and that employees, such as the one who self-reported, can be vital to limiting incident damage.

A Hacker’s Pot of Gold: Your MSP’s Data

Article Link:

  • MSPs are attractive targets for attackers because of the vast amount of client data stored in a single company’s systems. Cybercriminals need only to exploit the security vulnerabilities of one MSP to steal confidential data from dozens of organizations at once.
  • Attackers target the lowest-hanging fruit for successful attacks: weak passwords. As the article notes, RDP brute-forcing is a common attack and one that MSPs should be aware of.
  • The bottom line is that IT should do their due diligence and review an MSP’s security practices before using their services.
  • Link to Reddit’s Notification:

Surge of Swatting Attacks Target Corporate Executives and Board Members

Article Link:

  • Swatting has affected many high-profile individuals, from Hollywood celebrities and music industry stars to political leaders and even cybersecurity journalists. Now, according to digital executive protection company BlackCloak, swatting incidents are reaching the top ranks of Fortune 500 companies, with unknown bad actors targeting C-suite executives and corporate board members.
  • Malicious actors go to the websites of corporations, identify the top executives and board members, and with lists in hand, visit the websites of data brokers to grab whatever information they can. Alternatively, information is gathered from past data breaches. From there, recorded or robot voice messages are sent out to police departments calling in threats.
  • Recommendations on lowering swatting chances include trying to remove personal information from data broker websites, sharing less personal information online, limiting the amount of information on your organization’s “About Us” page or in SEC reports, and registering your home in a trust or LLC.

An Email Attack can end up Costing You Over $1 Million

Article Link:

  • According to a report from Barracuda Networks based on responses by 1,350 IT decision makers from across the globe, 75% of the organizations had fallen victim to at least one successful email attack in the last 12 months, with those affected facing average potential costs of more than $1 million for their most expensive attack.
  • The fallout from an email security attack can be significant and varies between industries. The most widely reported effects were downtime and business disruption (affecting 44% of those that had been hit), the loss of sensitive, confidential, and business-critical data (43%), and damage to brand reputation (41%).
  • Link to Barracuda’s Report:

NIST Standardizes Ascon Cryptographic Algorithm for IoT and Other Lightweight Devices

Article Link:

  • NIST has announced that a family of authenticated encryption and hashing algorithms known as Ascon will be standardized for lightweight cryptography applications. These devices include IoT, implanted medical devices, infrastructure stress detectors, and keyless entry fobs for vehicles.
  • NIST still recommends using AES and SHA-256 for general use; however, the Ascon algorithms offer a means to protect data on devices that have constrained computing resources.
  • Link to NIST’s Report:
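To show what makes Ascon suitable for the constrained devices described above, here is a compact pure-Python implementation of Ascon-128, the authenticated-encryption member of the family as defined in the Ascon v1.2 submission that NIST selected. This is an added example written for this digest, not code from the article, from NIST, or from the Ascon team; the whole cipher is one 320-bit permutation (a 5-word S-box layer plus a few rotations, which is why it fits in small hardware) driven in a sponge construction. The key, nonce and messages in the usage section are constructed test values. Before relying on any implementation of a standardised primitive, validate it against the official known-answer vectors, and note that the final NIST standard (SP 800-232) revises some encoding details relative to v1.2.

```python
import hmac

MASK = (1 << 64) - 1
ASCON128_IV = 0x80400C0600000000  # k=128, rate=64, a=12, b=6 rounds, per the v1.2 spec


def _ror(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK


def ascon_permutation(s, rounds):
    """Apply p^rounds to the five 64-bit state words in s (in place)."""
    x0, x1, x2, x3, x4 = s
    for i in range(12 - rounds, 12):
        x2 ^= ((0xF - i) << 4) | i                       # round constant
        x0 ^= x4; x4 ^= x3; x2 ^= x1                     # 5-bit S-box, bitsliced
        t0 = ~x0 & MASK & x1; t1 = ~x1 & MASK & x2; t2 = ~x2 & MASK & x3
        t3 = ~x3 & MASK & x4; t4 = ~x4 & MASK & x0
        x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0
        x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2 & MASK
        x0 ^= _ror(x0, 19) ^ _ror(x0, 28)                # linear diffusion layer
        x1 ^= _ror(x1, 61) ^ _ror(x1, 39)
        x2 ^= _ror(x2, 1) ^ _ror(x2, 6)
        x3 ^= _ror(x3, 10) ^ _ror(x3, 17)
        x4 ^= _ror(x4, 7) ^ _ror(x4, 41)
    s[:] = [x0, x1, x2, x3, x4]


def _pad_blocks(data):
    """Split data into 64-bit words after 10* padding (0x80, then zeros to a block boundary)."""
    padded = data + b"\x80" + b"\x00" * (7 - len(data) % 8)
    return [int.from_bytes(padded[i:i + 8], "big") for i in range(0, len(padded), 8)]


def _initialize(key, nonce, ad):
    """Initialisation and associated-data phases; returns the state and the key words."""
    assert len(key) == 16 and len(nonce) == 16
    k0, k1 = int.from_bytes(key[:8], "big"), int.from_bytes(key[8:], "big")
    s = [ASCON128_IV, k0, k1, int.from_bytes(nonce[:8], "big"), int.from_bytes(nonce[8:], "big")]
    ascon_permutation(s, 12)
    s[3] ^= k0; s[4] ^= k1
    if ad:                                   # absorb associated data one rate block at a time
        for blk in _pad_blocks(ad):
            s[0] ^= blk
            ascon_permutation(s, 6)
    s[4] ^= 1                                # domain separation before the message
    return s, k0, k1


def _finalize(s, k0, k1):
    s[1] ^= k0; s[2] ^= k1
    ascon_permutation(s, 12)
    return (s[3] ^ k0).to_bytes(8, "big") + (s[4] ^ k1).to_bytes(8, "big")


def ascon128_encrypt(key, nonce, ad, pt):
    """Return ciphertext || 16-byte tag. The nonce must never repeat under one key."""
    s, k0, k1 = _initialize(key, nonce, ad)
    blocks, ct = _pad_blocks(pt), b""
    for blk in blocks[:-1]:                  # full blocks
        s[0] ^= blk
        ct += s[0].to_bytes(8, "big")
        ascon_permutation(s, 6)
    s[0] ^= blocks[-1]                       # last (padded) block: no permutation after it
    ct += s[0].to_bytes(8, "big")[: len(pt) % 8]
    return ct + _finalize(s, k0, k1)


def ascon128_decrypt(key, nonce, ad, data):
    """Return the plaintext, or None if the tag fails (nothing is released on failure)."""
    if len(data) < 16:
        return None
    ct, tag = data[:-16], data[-16:]
    s, k0, k1 = _initialize(key, nonce, ad)
    pt, full = b"", len(ct) // 8
    for i in range(full):
        c = int.from_bytes(ct[8 * i:8 * i + 8], "big")
        pt += (s[0] ^ c).to_bytes(8, "big")
        s[0] = c                             # the state absorbs the ciphertext block
        ascon_permutation(s, 6)
    tail = ct[8 * full:]
    last = bytes(a ^ b for a, b in zip(s[0].to_bytes(8, "big"), tail))
    pt += last
    s[0] ^= _pad_blocks(last)[0]             # re-absorb the padded partial plaintext block
    if not hmac.compare_digest(tag, _finalize(s, k0, k1)):
        return None
    return pt


if __name__ == "__main__":
    key, nonce = bytes(range(16)), bytes(range(16, 32))  # constructed demo values, not secrets
    box = ascon128_encrypt(key, nonce, b"device-id:42", b"sensor reading 21.5C")
    print(box.hex())
    print(ascon128_decrypt(key, nonce, b"device-id:42", box))
```

The associated data (here a device identifier) is authenticated but not encrypted, so a receiver that binds the header to the ciphertext this way rejects a message replayed from another device. Decryption is all-or-nothing: the tag is compared in constant time and no plaintext is returned on a mismatch, which is the behaviour a firmware or medical-device implementation must preserve.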
