InForce Cyber

Threat Report January 2021

The month of January was heavily dominated by ransomware attacks. The following items support this statement:

Fonix ransomware shuts down and releases master decryption key

The Fonix Ransomware operators have shut down their operation and released the master decryption key, allowing victims to recover their files for free.

Fonix Ransomware, also known as Xinof and FonixCrypter, began operating in June 2020 and has been steadily encrypting victims since. The ransomware operation was not as widely active as others, such as REvil, Netwalker, or STOP, but starting in November 2020, it picked up a bit, as shown by the ID Ransomware submissions below.

Emotet, NetWalker and TrickBot have taken big blows, but will it be enough?

A trio of operations meant to disrupt ransomware outfits in recent months — two of which came to light this week — could have lasting impacts even if they stop short of ending the threat, security experts say.

Researchers are still sizing up the effects of recent busts of the Emotet and NetWalker gangs, but those operations have the potential to be more potent than last fall’s maneuvers against the TrickBot ransomware.

TrickBot returns with campaign against legal and insurance firms

The new iteration of the TrickBot botnet, which had enabled Ryuk and other ransomware attacks, uses malicious links in emails rather than rogue email attachments.

Despite the security industry’s efforts to disrupt the TrickBot botnet, its operators are trying to revive it with new infection campaigns. The latest one, observed by researchers this month, targeted legal and insurance companies.

Ransomware gang taunts IObit with repeated forum hacks

A ransomware gang continues to taunt Windows software developer IObit by hacking its forums to display a ransom demand.

On January 16th, the IObit forums were hacked as part of an attack to distribute the DeroHE ransomware. During this attack, the threat actors emailed all of the IObit forum users with a free software promotion linking to a ransomware installer hosted on IObit’s forums. When recipients downloaded the fake IObit software installer, they were infected with the DeroHE ransomware. To gain access to a decryptor, the threat actors demand $100 in the DERO cryptocurrency, or IObit could pay them $100,000 in DERO to decrypt all victims.

8+ million Teespring user records leaked on hacker forum

A user on a popular hacker forum has leaked an archive containing user and creator data allegedly exfiltrated from Teespring, an e-commerce platform that allows people to design, market, and sell custom (and often controversial) apparel.

The files contained in the leaked archive include email addresses and last update dates for 8,242,000 user accounts, as well as full names, phone numbers, locations, and other account details of more than 4 million Teespring users and apparel creators.

Clop ransomware gang clips sensitive files from Atlantic Records’ London ad agency The7stars, dumps them online

A London ad agency that counts Atlantic Records, Suzuki, and Penguin Random House among its clients has had its files dumped online by a ransomware gang, The Register can reveal.

The7stars, based in London’s West End, filed revenues of £379.36m up from £326m, gross billing of £426m and net profit of £2.1m for the year ended 31 March 2020.

In the same accounts filed with UK register Companies House, it boasted of its position as the “largest independently owned media agency in the UK by a significant factor”, making it a juicy target for the Clop ransomware extortionists.

Hacker leaks full database of 77 million Nitro PDF user records

A stolen database containing more than 77 million records with the email addresses, names, and passwords of Nitro PDF service users was leaked today for free.

The 14GB leaked database contains 77,159,696 records with users’ email addresses, full names, bcrypt hashed passwords, titles, company names, IP addresses, and other system-related information.

The database has also been added to the Have I Been Pwned service, which allows users to check whether their information was compromised in this data breach and leaked on the Internet.

FBI warns of vishing attacks stealing corporate accounts

The Federal Bureau of Investigation (FBI) has issued a notification warning of ongoing vishing attacks attempting to steal corporate accounts and credentials for network access and privilege escalation from US and international-based employees.

Vishing (also known as voice phishing) is a social engineering attack where attackers impersonate a trusted entity during a voice call to persuade their targets into revealing sensitive information such as banking or login credentials.

Ransomware cyber attack suspected on Okanogan County

Okanogan County, which lies in Washington state close to the American-Canadian border, was hit by a cyber attack on Monday this week, and security analysts suspect that the attack could be of the ransomware genre, as the data remains locked up and inaccessible.

The county officials, including those belonging to Public Health, have disclosed that the phone and email systems were deeply impacted in the attack and that the time to restoration is not yet known.

A team of cybersecurity experts, along with a third-party company, is analyzing the incident and working to recover the IT infrastructure from the attack.

Officials have confirmed that the 3rd street entrance to the courthouse will be closed and are requesting the public to use the 4th Street entrance.

Data Breaches

Hackers leaked altered Pfizer data to sabotage trust in vaccines

The European Medicines Agency (EMA) today revealed that some of the stolen Pfizer/BioNTech vaccine candidate data was doctored by threat actors before being leaked online with the end goal of undermining the public’s trust in COVID-19 vaccines. EMA is the decentralized agency that reviews and approves COVID-19 vaccines in the European Union, and the agency that evaluates, monitors, and supervises any new medicines introduced to the EU. “The ongoing investigation of the cyberattack on EMA revealed that some of the unlawfully accessed documents related to COVID-19 medicines and vaccines have been leaked on the internet,” the agency disclosed today.

Dutch Energy Supplier Blames Cyber Intrusion on Data Breaches Suffered by Other Companies

Dutch energy supplier Eneco has warned tens of thousands of clients, including business partners, to change their passwords amid a recent data breach. Eneco, a producer and supplier of natural gas, electricity and heat in the Netherlands, serves more than 2 million business and residential customers. In a recent statement, the company said that “cyber criminals have used email addresses and passwords from previous thefts at other websites to gain access to approximately 1,700 private and small business My Eneco accounts, the online environment for Eneco customers.” It claims affected customers may have had their data “viewed and possibly changed by third parties,” but doesn’t go into detail about the nature of the data, nor does it mention that attackers may use it to conduct phishing campaigns or fraud – which is typically the case in such attacks. The company adds that “affected customers have been notified and must create a new account with a different password.”

12,000+ workers’ IDs, banking details, and other personal data leaked by UK staffing agency

We recently discovered an unsecured Microsoft Azure Blob that contains deeply sensitive documents of more than 12,000 construction workers, including scans of passports, national IDs, birth certificates, and tax returns. The cloud storage also contains self-employment contracts that include personally identifiable information such as full names, addresses, UK national insurance numbers, and signatures. The database appears to belong to Nohow International, a UK-based recruitment and staffing agency that provides blue- and white-collar personnel services to companies across the UK and other countries. On December 8, we reached out to Nohow regarding the leak but received no response from the company. We then reported the leak to Microsoft CERT on December 15 and the blob was secured sometime in early January.

SolarLeaks: Files Allegedly Obtained in SolarWinds Hack Offered for Sale

The SolarLeaks website offers source code allegedly obtained from Microsoft, Cisco, SolarWinds and FireEye. The information allegedly taken from Microsoft, offered for $600,000, is contained in a 2.6 Gb file and the seller claims it includes partial source code for Windows and “various Microsoft repositories.” The files allegedly originating from Cisco, offered for half a million dollars, include 1.7 Gb worth of product source code and a dump of the networking giant’s internal bug tracker, the seller claims. For $250,000, the seller claims to offer 612 Mb worth of source code for SolarWinds products and information taken from the company’s customer portal.

Security Threats By Trend

Vulnerability Summary Jan 2021

The following vulnerabilities were rated “CRITICAL” by Microsoft (XI = Exploitability Index; Public = publicly disclosed; Exploited = exploited in the wild):

CVE           | Title                                                            | Severity | Public | Exploited | XI – Latest | XI – Older | Type
--------------|------------------------------------------------------------------|----------|--------|-----------|-------------|------------|-----
CVE-2020-1248 | GDI+ Remote Code Execution Vulnerability                         | Critical | No     | No        | 2           | 2          | RCE
CVE-2020-1299 | LNK Remote Code Execution Vulnerability                          | Critical | No     | No        | 2           | 2          | RCE
CVE-2020-1219 | Microsoft Browser Memory Corruption Vulnerability                | Critical | No     | No        | 1           | 1          | RCE
CVE-2020-1181 | Microsoft SharePoint Server Remote Code Execution Vulnerability  | Critical | No     | No        | 2           | 2          | RCE
CVE-2020-1073 | Scripting Engine Memory Corruption Vulnerability                 | Critical | No     | No        | 2           | 2          | RCE
CVE-2020-1213 | VBScript Remote Code Execution Vulnerability                     | Critical | No     | No        | 1           | 1          | RCE
CVE-2020-1216 | VBScript Remote Code Execution Vulnerability                     | Critical | No     | No        | 1           | 1          | RCE
CVE-2020-1260 | VBScript Remote Code Execution Vulnerability                     | Critical | No     | No        | 1           | 1          | RCE
CVE-2020-1281 | Windows OLE Remote Code Execution Vulnerability                  | Critical | No     | No        | 2           | 2          | RCE
CVE-2020-1300 | Windows Remote Code Execution Vulnerability                      | Critical | No     | No        | 2           | 2          | RCE
CVE-2020-1286 | Windows Shell Remote Code Execution Vulnerability                | Critical | No     | No        | 2           | 2          | RCE

Recommendations

  1. Following the Microsoft critical vulnerabilities listed above, update all vulnerable services.
  2. Only allow traffic to necessary and well-secured ports.
  3. Update AV solutions.
  4. Provide phishing training for employees.
  5. Regular pentests would identify possible weak points.
  6. Encrypt data in transit and at rest.

Sources:
Exploit-DB
McAfee
TrendMicro
Symantec
NIST
Google
FireEye