Welcome to the Christmas edition of the Ironshare Cyber Round-up where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security.
2021 has been another rollercoaster year for us all, both in day to day life and Cyber Security.
This year pretty much started as the last year finished; the majority of the country in lockdown and thousands of companies still recovering from the SolarWinds supply chain attacks that were publicised in December.
We now enter the Christmas holiday season with the disappointing expectation that more COVID based restrictions are likely to be introduced in the coming days or weeks (in the UK at least), due to the new Omicron variant.
COVID remained a popular topic throughout 2021, with a continued increase in coronavirus based phishing emails and scams, which still proved highly effectively for internet bad guys.
As expected, Ransomware continues to be a major threat. Cyber criminals have had to expand their tactics and capabilities to stay effective though:
Ransomware-as-a-Service had an increasing presence, with attackers no longer having to write their own malicious code; instead they can rent attacker infrastructure and malware in a Pay-as-you-Go model.
In addition we saw a big rise this year in Double extortion Ransomware where the bad guys are not content with encrypting your data; they first spend time in your network, extracting company and personal data, so they can threaten to leak it, if you do not pay the ransom.
Defenders & IT professionals continued to have a torrid time this year, with what seemed like an unprecedented year for zero-day vulnerabilities. The year is not out yet and we have hit an all time high with over 19.5k vulnerabilities (CVEs) reported.
Microsoft Exchange Server took one of the biggest hits this year with a number of targeted zero-day vulns. Just after recovering from the Solarwinds fallout, the IT world was hit with the first in a series of critical Exchange vulnerabilities (that seemed to trend throughout 2021), dubbed ProxyLogon. It was very quickly understood that ProxyLogon was being actively exploited by a state sponsored group called HAFNIUM. The ProxyShell flaw followed in its trails, with hackers chaining both flaws in their exploits, to often devastating effect.
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Unsurprisingly, Crypto currency exchanges became bigger targets for cyber attack as the year went on. BitMart, Liquid and the Poly Network alone saw losses in the 100's of millions dollars, on the back of successful attacks.
https://www.bbc.co.uk/news/technology-59549606
In true cybersec form, the year end has not disappointed, with a huge 10/10 disclosure for Apache Log4j. Once again IT teams & vendors around the globe have been rushing to patch this series of exploited critical vulnerabilities. Log4Shell, as its become known (we have liked the name 'Shell' this year :) ), impacts millions of devices worldwide, due to its libraries being included in lots of different web based products and services.
2021 has sounded all doom and gloom so far but there has been some positive points to note.
In response to the increasing threat of phishing attacks, the NCSC in the UK, launched a new Suspicious Email Reporting Service. This has given private sector companies and the general public the ability to report scams and phishing emails to their report@phishing.gov.uk mailbox, where they will investigate and aim to takedown any suspicious sites they find. By November 2021 the service had removed 68,000 scam email addresses and websites.
https://www.ncsc.gov.uk/collection/phishing-scams
Takedowns of attacker groups and their infrastructure, performed by law enforcement (Eurpol, National Crime Agency, FBI etc.) and big tech companies (Cisco, Microsoft etc.) have been on the rise. Arguably, none as prominent as the takedown of Emotet, one of the largest and most active malware botnets in the last decade.
For me, its pleasing to see the cyber and information security community growing at a good rate. If we are to stand a chance against the continued threat of cyber attacks, we need more skilled and passionate people to help protect the public, businesses and the internet, from these ever-present modern day threats.
On a more personal note, we have had the pleasure of being involved with both new and existing customers, who have made fantastic progress with improving their cyber maturity. Some making small progressive changes, while others have made significant strides forward. These outcomes are just some of the professional positives that have kept me smiling and going through yet another turbulent year.
In this week’s round-up:
The Cybersecurity and Infrastructure Security Agency have released a vulnerability scanner allowing for the identification of services potentially vulnerable to the Log4j vulnerabilities: CVE-2021-44228 and CVE-2021-45046. The scanner evaluates a web services web application firewall and Log4j to identify if the service is vulnerable to the critical flaws and notifies the user. Failure to patch the vulnerability could allow hackers to run malicious code with privileges to access confidential information.
By bleepingcomputer.com
Conti, A ransomware group, has been detected using the Log4Shell vulnerability in their operations to successfully infect a machine and request a ransom. The group is thought to be specifically targeting VMware vCenter Servers which are vulnerable to the attacks. After initial exploitation the group gains access to the server and moves across networks to infect machines with their ransomware.
By therecord.media
The UK’s National Crime Agency has recovered vast amounts of stolen data after accessing a database owned by hackers. The previously unknown leaked data, which included passwords and emails, has been sent to the free online service https://haveibeenpwned.com to allow the public to assess if their information has been leaked. We recommend accessing the HIBP site and test all personal and professional emails to see if they are included in this dataset. If this is the case you should reset your password and ensure you have different passwords for each of your accounts.
By BBC.co.uk
A “cyber incident” has been reported by Gloucester Council; the attack has resulted in a serious internal system and services outage. It has been reported that Gloucester council is working with the National Cyber Security Centre and the National Crime Agency to resolve the issue and find out who is behind the attack. Phone calls and emails can still be received however it is said that it will take “longer than normal” for the council to respond.
By gloucestershirelive.co.uk
Meta, the parent company of Facebook, has banned 6 companies and a Chinese law enforcement supplier as it cracks down on surveillance for hire organisations. The alarming report by meta says that it is believed that 50,000 “everyday people” have been targeted by such organisations. Meta has also noted cease-and-desist letters to the companies as well as reporting the information gathered to law enforcement agencies across the world.
By Forbes.com
Two vulnerabilities tracked as CVE-2021-42278 and CVE-2021-42287 offer the potential for privilege escalation in Active Directory Domain Services. The vulnerabilities would allow a hacker to access a system with domain admin privileges. Although patches were released in November, a proof of concept has been developed and public disclosed, forcing Microsoft to notify its business users of its Domain Controller, to update to the newest security update or risk a critical threat to its infrastructure and information.
By blackhatethicalhacking.com
Microsoft has discovered four new vulnerabilities relating to its video conferencing application Teams. The vulnerabilities are:
• Server-side request forgery
• URL preview spoofing bug for web and desktop application
• IP address leak and denial of service for Android users
So far Microsoft has only patched the IP address leak for android however the rest of the vulnerabilities are active and users should be cautious. Microsoft has said the releases for the rest of the vulnerabilities will vary and are currently unknown but users should update as soon as they become available.
By portswigger.net
And that is it for this year’s round-up, please do not forget to tune in for new instalments every week.
We wish you all a very Merry Christmas and a (hopefully COVID-reduced) prosperous New Year.
See you all in January 2022.
Stay Safe, Secure and Healthy!
Edition #172 – 24th December 2021
Why not follow us on social media:
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
