Get Help Now
CONTACT US

Get expert threat analysis weekly. Sign up to receive our Threat Briefing:

    RESOURCES  >   THREAT INTEL BRIEFINGS

    Date: 7/18/2022

    Hackers Targeting VoIP Servers

    Overview

    VoIP phones using Digium’s software have been targeted by malicious actors, suspected by researchers at Palo Alto Networks Unit 42 to have begun in December 2021. In this campaign, actors are dropping web shells by exploiting CVE-2021-45461, a vulnerability in FreePBX (a web-based open-source GUI used to control and manage Asterisk.). 

    Potential Impact

    Upon exploitation, actors establish backdoor access by creating two root accounts in addition to the access enabled by web shells. Also, scheduled tasks are designed to download scripts from servers operated by attackers. This opens the door for lateral movement within any impacted network. Actors exploiting this vulnerability have been known to exfiltrate data.

    Recommended Actions

    Administrators running the vulnerable versions of FreePBX (15.0.19.87, 15.0.19.88, 16.0.18.40, or 16.0.18.41) are urged to upgrade to 15.0.20 to 16.0.19 as soon as possible. Additionally, ensure that web interfaces for these systems are not publicly accessible from the Internet. 

    Request Consultation

    For more information, fill out the form below and we will be in touch shortly

      H0lyGh0st Ransomware

      Overview

      Threat actors target small and midsize manufacturing, banks, schools, and event planning companies in North Korea using the H0lyGh0st Ransomware. Researchers have observed this trend since September 2021. 

      Potential Impact

      Malicious actors deploying the H0lyGh0st Ransomware variant have been known to gain initial access to victim environments by exploiting vulnerabilities in public-facing web applications and content management systems such as CVE-2022-26352, a remote execution flaw in dotCMS content management software. These threat actors are known to follow typical ransomware tactics. This includes reconnaissance privilege escalation, exfiltration, and eventually file encryption. 

      Recommended Actions

      Ensure public-facing applications and systems are patched in a timely manner. Regular vulnerability scanning and web application penetration testing are highly recommended. Furthermore, review the overall ‘defense-in-depth’ strategy to ensure systems are being monitored with Endpoint Detection & Response tools and that backups are properly segmented.

      Sources

      https://thehackernews.com/2022/05/critical-rce-bug-reported-in-dotcms.html
      https://thehackernews.com/2022/07/north-korean-hackers-targeting-small.html

      Primary Operational Technology (OT) Security Concerns: Human Error and Staffing Shortages

      Overview

      A survey of 3,500 security experts in the operational technology (OT) field has identified the human error and staff shortages as primary security programs.

      The survey conducted by IoT/OT security firm SCADAfence, indicates that 75% of surveyed experts cite a high or severe security risk in their company’s overall risk profile. Within this finding, 79% are most concerned about human error due to a lack of security training. SCADAfence also found that 83% believe significant staff shortages negatively impact OT space. A high burnout rate increases this among staff, lack of resources, and subpar training/expertise.

      Potential Impact

      These findings can quickly transfer into non-OT spaces, as many organizations worldwide have encountered a lack of highly trained security practitioners. This can lead to the proliferation of inadequate security posture design and implementation. Today’s organizations must be aware of these risks and continuously work to minimize the effects.

      Recommended Actions

      Gaining and keeping skilled team members is a primary need for any security team. As the security practitioner shortage rises, organizations must be focused on staff retention and training. Providing adequate training and specialization development funding is also critical for staff retention. Additionally, organizations must be cognizant of potential staff burnout and resignation due to work/life balance strains.

      Sources
      https://www.securityweek.com/two-big-ot-security-concerns-related-people-human-error-and-staff-shortages?&web_view=true
      https://www.scadafence.com/wp-content/uploads/2022/07/SCADAfence-2022-Industry-Report-Web-Version-1.pdf

      Analysis of Endpoint Security Risks

      Overview

      According to the inaugural report, ‘Managing Risks and Costs at Edge,’ from Adaptiva and the Ponemon Institute, endpoint devices remain a critical risk in today’s organizations. Adaptiva has found that an average of 48% of corporate devices are inadequately patched and missing updated security fixes. Adaptive has also found that 63% of respondents have cited a lack of visibility into their endpoints as the most significant barrier to security posture.

      Impact

      Adaptiva’s report has found additional worrisome statistics, including responding organizations estimating a 52% successful attack mitigation rating in their current technology stack and expertise. This is especially eye-opening as 54% of respondents indicated an average number of five targeted attacks against their enterprise in 2021, costing an annual $1.8 million in impact.

      Recommended Actions

      Although these findings are alarming, organizations can mitigate these risks in a variety of ways. Implementing robust Endpoint Detection and Response (EDR) solutions is of most importance, and Adaptiva CEO Deepak Kumar has made multiple further recommendations for mitigation.

      Kumar has noted that “shifting from centralized infrastructure, whether on-prem or in the cloud, to one powered by your edge will help keep endpoints visible.” This will allow organizations to have increased visibility into endpoints and allow IT security to manage enterprise security posture at a scale-able level.

      Sources
      https://www.techrepublic.com/article/enterprise-endpoints-present-risks/?web_view=true 
      https://adaptiva.com/resources/report/managing-risks-and-costs-at-the-edge

      Ransomware Surge

      Overview

      Security firm Digital Shadows has published its 2022 Q2 security report noting a “noticeable rise” in ransomware activity compared to Q1. Specific findings include LockBit ransomware’s new connection(s) to the cybercriminal group “EvilCorp,” as seen in multiple attacks. Along with this connection, LockBit ransomware 3.0 has improved the efficacy of attacks across the globe. 

      Digital Shadows has observed a rise in data-leak sites, specifically an uptick of over 20% in the number of existing sites. Notable areas include Alphv, Vice Society, and LockBit. 

      However, one silver lining seen in Q2 was the dismantling of the formal Conti ransomware cartel. Although many smaller groups imitating Conti have sprung up, the original and highly successful Conti group has dissipated. 

      Impact

      Ransomware is a constant threat to organizations and will not change moving into Q3 of 2022. The effectiveness of modern-day ransomware gangs continues to improve and significantly impacts victim organizations in all industries.

      Recommended Actions

      The good news? Defensive measures against ransomware attacks also continue to improve. Organizations can employ defense-in-depth strategies to minimize the likelihood of ransomware impact. These include strong email security, endpoint detection, and response capabilities, host-based and network-based logging, and effective security awareness training.

      Sources
      https://www.digitalshadows.com/blog-and-research/ransomware-in-q2-2022-ransomware-is-back-in-business/
      https://www.infosecurity-magazine.com/news/ransomware-activity-resurges-q2/?&web_view=true

      Researchers Highlight Spoof-ability of GitHub Metadata to Trick Users into Installing Malicious Code

      Overview

      Aviad Gershon from Checkmarx released a blog post on July 15, 2022, describing the ‘spoofability’ of GitHub commit metadata – such as commit timestamps and contributor – to trick users into believing that the repository has been maintained for an extended period. That well-respected coders have contributed to the project.  

      Often, when a user is looking at a GitHub project to decide whether or not it is supported, respected, and worth implementing, one of the first things they look at is the GitHub “Commit Graph,” which gives a synopsis of past code commits. Generally, trust increases with a high number of commits over several years. If well-respected coders commit to the code, the initial trust factor is even higher.

      Potential Impact

      Since most users who download code from GitHub are on technical teams for their organizations and will likely have administrative privileges, the prospect of this type of supply chain attack is alarming.  

      Recommended Actions

      Require static and dynamic code analysis for all code downloaded from Github and exercise high caution when installing any code.

      For GitHub committers, Gershon recommends implementing “commit signature verification” and “vigilant mode” for your GitHub account to help the open-source community verify commits made on your behalf.

      Sources
      https://checkmarx.com/blog/unverified-commits-are-you-unknowingly-trusting-attackers-code/

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.


      Let’s Discuss Your Cybersecurity Needs

      Contact Us
      Privacy Settings
      We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
      Youtube
      Consent to display content from Youtube
      Vimeo
      Consent to display content from Vimeo
      Google Maps
      Consent to display content from Google
      Spotify
      Consent to display content from Spotify
      Sound Cloud
      Consent to display content from Sound
      Contact Us