Ransomware attacks have been rising in recent years, with numerous high-profile incidents affecting individuals, organizations, and government agencies. This Weekly Cybersecurity Bulletin covers top cybersecurity news from around the world, including several ransomware and zero-day stories and the NSA and CISA security advisory on 5G network slicing.


Ransomware Dropping Windows Zero-Day Patched by Microsoft

Microsoft patched a security flaw that threat actors were using to deliver Magniber ransomware and Qbot malware by bypassing the security features of Windows SmartScreen. Tracked as CVE-2022-44698, this zero-day vulnerability allowed threat actors to use standalone JavaScript files to bypass the Windows alerts that warn users about files downloaded from the Internet. Microsoft said that the zero-day could be exploited in three ways:

  • A web-based scenario in which threat actors host a malicious website designed to exploit the security feature bypass.
  • Threat actors could also send crafted URLs (Uniform Resource Locators) via email or instant messages to exploit the bypass.
  • Via compromised websites that accept or host user-provided content capable of exploiting the zero-day.

Magniber ransomware being delivered through this zero-day vulnerability was first observed by HP's threat intelligence team back in October, when SmartScreen failed with an error because of the flaw and allowed threat actors to execute malicious files without triggering any security alerts.

Microsoft recently released the security patch and also fixed another publicly disclosed zero-day, CVE-2022-44710, a vulnerability that allowed threat actors to gain SYSTEM-level privileges on computers running Windows 11.


NSA and CISA Report: Mitigating 5G Network Slicing Threats

The NSA (National Security Agency), CISA (Cybersecurity and Infrastructure Security Agency), and ODNI (Office of the Director of National Intelligence) released a new report highlighting the risks of 5G network slicing and offering advice on how to mitigate them.

5G network slicing is a configuration that allows multiple virtual networks to run on top of a common physical infrastructure. Each slice is an isolated end-to-end network dedicated to a particular application. The report provides a framework for 5G network providers and operators to develop preventive and defensive measures.


The guidelines highlight the complexity of such networks and the critical security gaps that need to be addressed as 5G networks are adopted. The report identifies the three most significant threat vectors as:

  • DoS (Denial of Service) attacks on centralized controls
  • Attacks through misconfigured control systems
  • MitM (Man in the Middle) attacks on unencrypted channels

The report states, "Improper network slice management may allow malicious actors to access data from different network slices or deny access to prioritized users," and promotes zero-trust architectures to authenticate and validate all users and endpoints.


US Health Department Warning: Healthcare under Attack by Royal Ransomware

The HHS (US Department of Health and Human Services) is warning the country's citizens and healthcare organizations about a surge in ransomware operations, with the Royal ransomware gang being the primary attacker.

The HHS released a new advisory stating, "Due to the historical nature of ransomware victimizing the healthcare community, Royal should be considered a threat to the HPH sector." The US healthcare sector has been suffering at the hands of the Royal gang's threat actors since September. The Royal ransomware gang started out using encryptors from BlackCat but later switched to its in-house Zeon encryptor.

The Royal ransomware gang's threat actors make first contact via phishing emails, impersonating software providers or food delivery services, and use social engineering tactics to trick corporate and healthcare employees into installing remote access software. After encrypting systems and halting enterprise activities, the gang is known to demand ransoms between $250,000 and $2 million.

The HHS also warned about Venus ransomware last month. With this new warning, it is clear that threat actors are continuously targeting the US healthcare sector. Individuals are advised to keep the amount of healthcare, financial, and personal data stored on healthcare websites or portals to a minimum.


iOS Zero-Day Used to Hack iPhones, Apple Releases Fix

Apple released a new security update for its 10th zero-day vulnerability of 2022, a flaw that was being used in attacks targeting iPhones worldwide.

The zero-day, tracked as CVE-2022-42856, is a type confusion vulnerability in the WebKit browser engine used in Apple products. By crafting malicious web content, threat actors could achieve arbitrary code execution on victim devices, allowing them to run operating system commands, deploy malware and spyware, or carry out other harmful actions. Apple addressed the zero-day with a patch that adds improved state handling and is available for iPhone, iPad, and iPod models.

Apple disclosed the zero-day but did not share any details about the cyberattacks that exploited it. The vulnerability was reported by Clément Lecigne of Google's Threat Intelligence Team; details about the attacks and the zero-day itself are expected to emerge later, since it is common practice to withhold such details until a majority of devices have installed the security update.

Apple also fixed another zero-day, CVE-2022-42827, a flaw in the iOS kernel, back in October. Apple users should keep their devices up to date so that security updates are installed as soon as they are released.


Play Ransomware Hits Belgian City of Antwerp

A ransomware attack recently hit the Belgian city of Antwerp, and the Play ransomware gang has claimed responsibility.

Digipolis, the IT company that manages the city's IT systems, suffered a ransomware attack. The attack disrupted IT, email, and phone services in Antwerp, with local media reporting that the city's applications went down as a result. Almost all services were disrupted or delayed, including library services, new appointments, and job applications within the city.

Meanwhile, Play ransomware added Antwerp to the list of victims on its leak site, with an entry claiming that nearly 557 GB of data was stolen during the attack, including personal information, passports, financial documents, and IDs. The data has not been leaked yet, but the threat actors added the entry on 11 December, claiming that all data would be leaked in 7 days, i.e., on 19 December 2022, unless their ransom demand is paid.

Play ransomware is a new operation that launched in June and became known after its most significant attack, on Argentina's Judiciary of Córdoba. What will become of the stolen data remains to be seen.


Hackers Exploiting Internet Explorer Zero-Days, Says Google

Google's TAG (Threat Analysis Group) has revealed that APT37, a North Korean hacking group, is exploiting a zero-day vulnerability in Internet Explorer. The North Korean threat actors have leveraged this exploit to target South Korean users with malware.

The group uses a malicious Microsoft Office document that downloads an RTF (Rich Text Format) remote template, which in turn fetches the malicious payload by rendering HTML (Hypertext Markup Language). Because Office renders this HTML with the Internet Explorer engine, the threat actors can exploit the Internet Explorer zero-day even if Internet Explorer is not the victim's default web browser.

Tracked as CVE-2022-41128, the zero-day is a weakness in Internet Explorer's JavaScript engine that allows threat actors to execute arbitrary code when a malicious website or URL is rendered.


Microsoft released a patch for the vulnerability, but Google was unable to recover and analyze the final malicious payload that the hackers distributed. APT37 has been active for nearly a decade, abuses legitimate cloud services as C2 (Command and Control) channels, and has been linked to the North Korean government.
