On the one hand, the COVID-19 pandemic has made Work-from-Home the new normal, allowing organizations worldwide to work efficiently and continue their business operations. On the other hand, it has given cyber adversaries a field day, as working from home has led employees to let their guard down when it comes to cyber hygiene. The shift from offline to cloud-based exchange of confidential data has made that data accessible to both employees and attackers.
Sensitive data transfers are usually protected with a VPN, but what if the VPN services themselves get attacked? This week's cyber news headlines highlight such daunting aspects of VPN security, along with other related news.
VPN Attacks – The New Cyber Threat
Around 100GB of Colonial Pipeline data was lost after a VPN password was compromised. Compromised VPN accounts are a worrying attack trend for organizations and governments globally. A recent study shows a 1916% and 1527% rise in attacks against Fortinet's SSL-VPN and Pulse Secure VPN, respectively.
The adversaries targeted a path traversal vulnerability (tracked as CVE-2018-13379) in Fortinet VPN and a file disclosure vulnerability (tracked as CVE-2019-11510) in Pulse Connect Secure VPN. Though these vulnerabilities are now patched, threat actors used them to deploy malware tools such as Rapidpulse, Bloodmine, Cleanpulse, and Bloodbank against government, defense, transport, technology, and financial entities in Europe and the US. Additionally, the adversaries exploited another vulnerability in SonicWall VPN (tracked as CVE-2019-7481) to attack SonicWall SRA 4600 VPN devices.
Compromising a VPN essentially means that the adversaries can deploy malware on, and exfiltrate data from, the endpoint systems behind it.
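The Fortinet flaw above is a path traversal bug, a class of vulnerability in which encoded or stacked `..` segments in a request path let an attacker read files outside the web root. The following is an added example (not code from this article or from any vendor named in it) of the kind of detection logic a defender can run over web or VPN appliance access logs to spot traversal attempts, including ones hidden behind single and double percent-encoding. It is generic to the vulnerability class and does not encode the specifics of any CVE; the log lines are constructed for the demo and the paths and IP addresses in them are made up.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format. These are made up
# for the example and are not taken from any real appliance or incident.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jun/2021:10:01:02 +0000] "GET /vpn/login HTTP/1.1" 200 512
203.0.113.11 - - [20/Jun/2021:10:01:05 +0000] "GET /static/css/../../../etc/passwd HTTP/1.1" 404 0
203.0.113.12 - - [20/Jun/2021:10:01:09 +0000] "GET /img/%2e%2e%2f%2e%2e%2fconfig HTTP/1.1" 403 0
203.0.113.13 - - [20/Jun/2021:10:01:12 +0000] "GET /files/%252e%252e%252f%252e%252e%252fsecret HTTP/1.1" 200 88
203.0.113.14 - - [20/Jun/2021:10:01:15 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 1024
"""

# ip, timestamp, method, path, status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

MAX_DECODE_ROUNDS = 3  # bound the loop so a pathological input cannot spin forever


def fully_decode(path, max_rounds=MAX_DECODE_ROUNDS):
    """Percent-decode repeatedly so double encoding such as %252e unwraps to '.'.

    Stops early when a round changes nothing, and never exceeds max_rounds.
    """
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_root(raw_path):
    """Return True if the decoded path would ever climb above the web root.

    The query string is dropped, backslashes are treated as separators, and
    the path is walked segment by segment tracking depth; a '..' that takes the
    depth below zero is an attempt to leave the root. A benign '..' that stays
    inside the tree (e.g. /docs/a/../b.html) is not flagged.
    """
    path = fully_decode(raw_path.split("?", 1)[0]).replace("\\", "/")
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_log_lines(lines):
    """Parse CLF lines and return (ip, raw_path, reason) for each traversal attempt.

    'encoded traversal' marks requests where the literal text held no '..' and the
    dots only appeared after decoding, i.e. an evasion attempt worth extra attention.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _ts, _method, raw_path, _status, _size = m.groups()
        if escapes_root(raw_path):
            decoded = fully_decode(raw_path)
            hidden = ".." not in raw_path and ".." in decoded
            findings.append((ip, raw_path, "encoded traversal" if hidden else "traversal"))
    return findings


if __name__ == "__main__":
    for ip, path, reason in scan_log_lines(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {reason:18} {path}")
```

Two details matter in practice: decoding must be repeated (a single `unquote` leaves `%252e` as `%2e`, which many naive rules miss), and the check must be on the path's depth rather than on the mere presence of `..`, otherwise every legitimate relative link in the tree becomes a false positive.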
Baltimore County Schools Spend $8m On Recovery After Ryuk Attack
The Baltimore County Public Schools (BCPS), which suffered a Ryuk ransomware attack last November, has spent over $8.1 million (so far) to recover from the attack! While two million dollars went on ERP cloud transition and recovery, a cloud-based endpoint security license cost $699,298. Another $606,648 was invested in device monitoring and tracking.
Of all these recovery costs, only $2 million was covered by insurance. It is uncertain whether the BCPS complied with the ransom demands, but data shows that $11,500 was spent on ransomware negotiation costs. Ransomware attacks continue to affect a system long after the initial compromise, and the BCPS recovery costs are a testament to that. Cybersecurity tools are often seen as a draining investment, but working without them can lead to much worse circumstances, as this incident makes evident.
Ransomware Actors May Be Trading Access To Your Network For Money
The latest strategies for deploying ransomware include purchasing access to already compromised networks from cybercriminal enterprises. Cybersecurity researchers at Proofpoint have identified around ten threat actors who act as initial access facilitators, providing an entry point for cybercrime groups and affiliates to launch their encryption and data theft operations.
These initial access facilitators deploy first-stage malware payloads (Qbot, The Trick, IcedID, Dridex, BazaLoader, etc.) to infiltrate networks. The commonly seen access brokers include TA570, TA544, TA547, TA551, TA569, TA571, TA574, TA575, TA577, and TA800. While TA577 and TA551 used IcedID to deploy Maze, Egregor, and REvil ransomware, TA800 used BazaLoader to deploy Ryuk. Such brokers usually target networks with phishing emails carrying malicious documents. Once they're in, they sell their backdoor access to other threat actors for a share of the profits.
The First Ransomware Attack Will Be Followed By A Second One, For Sure!
A study of 1,263 security professionals in the US, the UK, Germany, France, Singapore, and two other global markets revealed that, of the 80% of organizations that comply with ransom demands, 46% experience a second attack, which they believe to be linked to the same threat actors.
While 51% of respondents were able to restore their encrypted systems successfully, others (90% of Singaporean respondents) reported suffering a second breach within two weeks of paying millions in ransom to the same threat actors. This is one reason why experts advise against complying with ransom demands and recommend investing in ransomware protection instead.
Is Avaddon Gone For Good?
The Avaddon ransomware operators are shutting down their operations and have released the decryption keys for all 2,934 victims. The gang delivered the keys in three files, in a tip that pretended to come from the FBI.
The legitimacy of these keys has been verified, and it looks like email security services now have one less threat actor to worry about. Avaddon's Tor sites are currently down, indicating that the ransomware gang might actually be shutting down its operations. Several other ransomware gangs have announced their retirement in the past, such as FilesLocker, AES-NI, TeslaCrypt, Ziggy, GandCrab, Crysis, FonixLocker, and Shade. However, one must not let one's guard down, as it would not be surprising if a new attack resembling Avaddon's emerged tomorrow.
New Bill Would Mandate US Entities To Report Breaches Within 24 Hours
Matching the quick pace of cyber attackers and their meticulous ways of evading the filters of email security software, US lawmakers are preparing legislation that would require public and private entities to report attacks within 24 hours.
This move is a response to the severe wave of ransomware attacks that has recently targeted the US and its national security. Three senators, Mark Warner, Marco Rubio, and Susan Collins, drafted the bill. If passed, the legislation would require government agencies, critical infrastructure owners, federal contractors, and financial services, energy, and manufacturing businesses to report breaches to CISA within 24 hours of an attack.
Liability protections remain assured for companies that submit breach notification reports within the stipulated time. US officials see this move as a seminal step toward ensuring cybersecurity for the entire nation.
Ukrainian Police Locate Six Hackers Linked To The Cl0p Ransomware
The Ukrainian police have found a group of malicious actors using the Cl0p encryption software to attack foreign businesses in South Korea and the United States. The group of six hackers used the Cl0p software to encrypt stolen data and demanded ransom from an unnamed South Korean firm, the University of Maryland, Stanford University Medical School, and the University of California.
These attacks have been identified as double-extortion campaigns costing around $500 million. It is uncertain whether the Ukrainian police made any arrests in this case, but they were able to shut down the infrastructure used to spread the malware and demand ransom payments. While this revelation is a welcome cybersecurity development, it is yet to be disclosed whether the six accused are only affiliates or core members of the ransomware gang. All that is known for now is that they used the Cl0p software to encrypt victims' data and demanded money from them for the decryption key.