InForce Cyber

Threat Report March 2021

March was the month of ransomware attacks. The following items support that statement:

CompuCom MSP expects over $20M in losses after ransomware attack

American managed service provider CompuCom is expecting losses of over $20 million following this month’s DarkSide ransomware attack that took down most of its systems.

CompuCom is an IT managed services provider (MSP) and a wholly-owned subsidiary of The ODP Corporation (Office Depot/Office Max).

The MSP’s workforce of over 8,000 employees provides hardware and software repair, remote support, and other tech services to high-profile companies, including Citibank, Home Depot, Wells Fargo, Target, Trust Bank, and Lowe’s. 

Hades ransomware operators are hunting big game in the US

On Friday, Accenture’s Cyber Investigation & Forensic Response (CIFR) and Cyber Threat Intelligence (ACTI) teams published an analysis of the latest Hades campaign, which has been operating since at least December 2020 and continued into this month.

According to the cybersecurity researchers, at least three major companies have been successfully attacked with the ransomware strain including a transport & logistics company, a consumer products retailer, and a global manufacturer. Forward Air was reportedly a past victim. 

Hades Ransomware Targets 3 US Companies

A previously unknown threat group is deploying Hades ransomware as part of an ongoing campaign that has already targeted three U.S. companies, Accenture’s cyberthreat intelligence group reports.

The three victims, which Accenture did not identify, are in the transportation, consumer products and manufacturing sectors. They each have revenue of over $1 billion.

“Based on the intrusion data from incident response engagements, the [Hades] operators tailor their tactics and tooling to carefully selected targets and run a more ‘hands on keyboard’ operation to inflict maximum damage and higher payouts,” Accenture says.

Insurance giant CNA hit by new Phoenix CryptoLocker ransomware

Insurance giant CNA has suffered a ransomware attack using a new variant called Phoenix CryptoLocker that is possibly linked to the Evil Corp hacking group.

This week, BleepingComputer reported that CNA had suffered a cyberattack impacting their online services and business operations. 

Soon after we reported on the attack, CNA issued a statement confirming that they had suffered a cyber attack last weekend.

“On March 21, 2021, CNA determined that it sustained a sophisticated cybersecurity attack. The attack caused a network disruption and impacted certain CNA systems, including corporate email,” CNA disclosed in a statement.

FBI sends out private industry alert about Mamba ransomware

The US Federal Bureau of Investigation sent out a private industry notification to US organizations this week, warning about attacks carried out by the Mamba ransomware gang and giving basic instructions on how organizations could recover from an attack if the intrusion was caught in its early stages.

In their alert on Tuesday, FBI officials said the ransomware “has been deployed against local governments, public transportation agencies, legal services, technology services, industrial, commercial, manufacturing, and construction businesses.”

Black Kingdom ransomware foiled through Mega password change

Black Kingdom ransomware, which was detected in recent ProxyLogon attacks against Microsoft Exchange servers, was, at least temporarily, foiled through a simple password change.

Brett Callow, Emsisoft threat analyst, told SearchSecurity that Black Kingdom was designed to generate and upload encryption keys to Mega, a cloud storage service. However, he added, if the ransomware is unable to reach Mega, it defaults to a static, local key. At some point during recent attacks, Black Kingdom seemingly failed to encrypt targeted systems, and in some cases defaulted to the static key. 

REvil Ransomware Can Now Reboot Infected Devices

The REvil ransomware gang has added a new malware capability that enables the attackers to reboot an infected device after encryption, security researchers at MalwareHunterTeam report.

In a recent tweet, the researchers note that REvil operators have added two new command lines, called ‘AstraZeneca’ and ‘Franceisshit’, to the ransomware in Windows Safe Mode, which is used to access the Windows devices’ startup settings screen.

Production halted at Sierra Wireless factories following ransomware attack

Canadian multinational Sierra Wireless has halted production at its manufacturing sites across the world after a ransomware attack crippled its IT systems.

The attack hit the company over the weekend, on Saturday, March 20, 2021, it said in SEC documents filed earlier today.

The ransomware encrypted Sierra’s internal IT network, preventing staff from accessing internal documents and systems related to manufacturing and planning, which resulted in the company shutting down its manufacturing sites, most of which rely on up-to-date access to customer orders and product specifications.

Sierra Wireless is one of today’s wireless equipment manufacturers. Its products are sold directly to OEMs (original equipment manufacturers) and are embedded in billions of Internet of Things (IoT) devices, cars, smartphones, and industrial equipment. A basic Shodan search for the Sierra Wireless favicon found in some of the company’s products that ship with an administrative panel reveals more than 103,000 devices installed across the globe, but that number barely scratches the surface of the company’s product reach.

PYSA Ransomware Eyeing Educational Institutions

The PYSA ransomware gang is active again and targeting multiple sectors. Since March 2020, PYSA ransomware attacks have been launched against U.S. and foreign government entities, private companies, educational institutions, and healthcare facilities.

What is happening?

  • According to the FBI, the cybercriminal gang is specifically targeting higher education, K-12 schools, and seminaries.
  • The ransom note includes the organization’s name and links to PYSA’s Tor site and data leak site.
  • The actor steals sensitive files from the victims’ networks, including PII, payroll tax information, and other data, to pressure the victims into paying a ransom.
  • The FBI has issued an alert about this threat that lists indicators of compromise to help organizations guard against these ransomware attacks.

Data Breaches

Billions of FBS Records Exposed in Online Trading Broker Data Leak

Ata Hakcil led the team of white hat hackers from WizCase in identifying a major data leak on online trading broker FBS’ websites. The data from FBS.com and FBS.eu comprised millions of confidential records including names, passwords, email addresses, passport numbers, national IDs, credit cards, financial transactions and more. Were such detailed personally identifiable information (PII) to fall into the wrong hands, it could have been used in the execution of a wide range of cyber threats. The data leak was unearthed as part of WizCase’s ongoing research project that randomly scans for unsecured servers and seeks to establish who the owners of these servers are. We notified FBS of the breach so they could take appropriate action to secure the data. They got back to us a few days later and secured the server within 30 minutes.

Purple Fox Malware Campaign Deploys Rootkit and Looks for Exposed SMB Services, Research Finds

Security researchers have discovered a new campaign distributing malware named Purple Fox. Although it has been around for a few years, the operators now use new infection vectors and have enhanced the malware to ensure persistence and hide it from security solutions. Purple Fox initially targeted Windows machines and the old Internet Explorer. The new campaign, researchers have found, tries to infect Windows machines through brute force via SMB. “May of 2020 brought a significant amount of malicious activity and the number of infections that we have observed has risen by roughly 600% and amounted to a total of 90,000 attacks,” say the researchers from Guardicore Labs.

Engineer reports data leak to nonprofit, hears from the police

A security engineer and ex-contributor to an open systems non-profit organization recently reported a data leak to the organization. In return, he first got thanked for his responsible reporting, but later heard from their lawyers and the police. Apperta Foundation is a UK-based non-profit, supported by NHS England and NHS Digital, that promotes open systems and standards in the digital health and social care space.

GitHub repository exposed passwords, keys, database

Arizona Complete Health notifies plan members of Accellion breach

On February 26, Arizona Complete Health notified plan members of the Accellion breach. According to the notification (see below), the threat actors (who have since self-identified as CLOP) were able to “view or save” member information between January 7 and January 25, 2021. The types of ePHI involved included insured members’ names and one or more of the following:

  • Address
  • Date of birth
  • Insurance ID number
  • Health information, such as medical condition(s) and treatment information

As part of its response to the incident, the covered entity offered those affected credit monitoring and identity theft restoration services for one year. They also reviewed their processes for sharing data to make sure they are not at risk of a similar attack, and “Stopped using Accellion’s services and removed all of our data files from its system.”