Summary of Findings
- Unpatched ProxyLogon vulnerabilities continue to attract targeted exploitation.
- The education sector will continue to face a very high risk of ransomware attacks, largely targeting Western countries where remote learning is still dominant.
- Ransomware shows increasing evidence of development and merging with APT attack patterns.
- A whistleblower claims data exposed from the SolarWinds breach at Ubiquiti puts users of the company’s IoT devices at very high risk.
- Purple Fox malware is targeting outdated Windows systems to achieve deep network access.
Threat Actors Continue Exploiting Unpatched ProxyLogon Vulnerability
Antivirus detection of generic web shells likely associated with the Microsoft Exchange ProxyLogon vulnerability peaked on March 15, 2021, but detection of unpatched and exploited systems remains high – in the tens of thousands. Italy, Germany, France, the United Kingdom, and the United States comprise the top five countries with the greatest level of detections. Malicious activities from established web shells will most likely include ransomware and crypto-botnets. DearCry and BlackKingdom are two variants detected in the past week that are designed to piggyback onto exploited servers.
Patching CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 will remove the ProxyLogon exploitation vector, but threat actors may already have exploited gaps in patch management to achieve persistent access. Companies with lagging patch practices should hunt for changes to Remote Desktop Protocol (RDP), firewall, Windows Management Instrumentation (WMI) subscription, and Windows Remote Management (WinRM) configuration on internet-facing systems, since an attacker could have reconfigured any of these to maintain persistence.
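A snapshot-and-diff script for the four settings named above (RDP, firewall, WMI subscriptions, WinRM), written as an added example for this bulletin rather than taken from it; it assumes it runs as a local administrator on the Exchange host, and the baseline and output paths are placeholders.

```powershell
# Added example (not from the bulletin): snapshot RDP, firewall, WMI-subscription and WinRM
# state on an internet-facing host and diff it against a saved known-good baseline.
# Assumes local administrator rights; the file paths below are placeholders.
param(
    [string] $Baseline = 'C:\Hunt\baseline.json',
    [string] $Out      = "C:\Hunt\snapshot-$(Get-Date -Format yyyyMMdd-HHmm).json"
)
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$snapshot = [ordered]@{
    # RDP: fDenyTSConnections 0 = connections allowed; NLA (UserAuthentication) should stay 1
    Rdp = [ordered]@{
        fDenyTSConnections = (Get-ItemProperty $ts).fDenyTSConnections
        NlaRequired        = (Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication
    }
    # Firewall: every enabled inbound allow rule with its protocol and local port(s)
    FirewallInboundAllow = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            [ordered]@{ Name = $_.DisplayName; Protocol = $pf.Protocol; LocalPort = ($pf.LocalPort -join ',') }
        })
    # WMI permanent event subscriptions: the filters (WQL triggers) and the consumers (what runs)
    WmiFilters   = @(Get-CimInstance -Namespace root\subscription -ClassName __EventFilter |
        ForEach-Object { [ordered]@{ Name = $_.Name; Query = $_.Query } })
    WmiConsumers = @(Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer |
        ForEach-Object { [ordered]@{ Name = $_.Name; Class = $_.CimClass.CimClassName
                                     Command = $_.CommandLineTemplate; Script = $_.ScriptText } })
    # WinRM: configured listeners (transport/address/port) and the client TrustedHosts list
    WinRmListeners = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate -ErrorAction SilentlyContinue |
        ForEach-Object { [ordered]@{ Transport = $_.Transport; Address = $_.Address; Port = $_.Port } })
    WinRmTrustedHosts = (Get-Item WSMan:\localhost\Client\TrustedHosts -ErrorAction SilentlyContinue).Value
}
$json = $snapshot | ConvertTo-Json -Depth 6
if (Test-Path $Baseline) {
    # '=>' lines appeared since the baseline, '<=' lines disappeared; either deserves a look
    $diff = Compare-Object -ReferenceObject (Get-Content $Baseline) -DifferenceObject ($json -split "`r?`n")
    if ($diff) { $diff | Format-Table InputObject, SideIndicator -AutoSize } else { 'No drift from baseline.' }
} else {
    "No baseline at $Baseline; review this snapshot and save it as the baseline."
}
$json | Set-Content -Path $Out
```

Any new inbound allow rule, WMI consumer with a command line or script, added WinRM listener, or NLA being switched off should be investigated rather than re-baselined.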
Educational Institutions Face High, Ongoing Risk of Ransomware Attacks During Extended Remote Learning
During the pandemic, educational institutions have become enticing targets for ransomware because the IT systems supporting remote learning are now critical pieces of infrastructure. It is possible institutions are more likely to pay a ransom during the pandemic than risk extended disruption to operations. Separate ransomware syndicates recently compromised the Harris Federation of London, a multi-academy trust, and at least six universities in the United States. The attacks affected education operations and, in the case of CL0P ransomware, resulted in the theft of personal data belonging to students and staff members.
Ransomware attacks in education have increased about 150% over the past year, and most of that increase occurred in the final quarter of 2020. The data indicates this strong upward trend in ransomware attacks against education will undoubtedly extend through the first half of 2021, until schools close for summer break.
Sodinokibi Ransomware-as-a-Service (RaaS) Has Co-opted Multiple Tools for Big Game Hunting (BGH)
Recently, threat actors have paired the deployment of Sodinokibi with IcedID (bot) infections delivered in spam [to attack high-value targets?]. Cobalt Strike is used for lateral movement and exploitation of RDP up to the domain controllers. In the final attack phase, data is first exfiltrated and then encrypted across the network using Windows tools.
Ransomware and APT Operators Likely to Increase Cooperation Over Vulnerabilities Providing Opportunistic and Strategic Access to Many Targets
Awake Security proposes a possible connection between Hades and Hafnium threat actors. The most substantial evidence for a connection is a Hafnium domain likely linked to a Hades ransomware infection that occurred within the timeline of known Hades operations. There is evidence of other threat actors present within some Hades victim environments.
Hades is a specialized group targeting logistics, manufacturing, construction, and auto supply chains. EclecticIQ analysts assess with low confidence that the operators behind the Hades variant are pursuing a goal other than monetization. Evidence includes the specialized industries targeted and the lack of a ransom demand and/or a weak ransom negotiation infrastructure.
For example, a ransomware attack on an Australian news organization disrupted broadcast operations but the threat actors did not demand a ransom. The lack of extortion means it is likely the ransomware attack was a cover for other actions or objectives. An investigation is ongoing.
Ubiquiti Breach May Have Put Far More IoT Devices at High Risk Than Previously Reported
An anonymous source reported to KrebsOnSecurity that the January breach at Ubiquiti, a supplier of cloud-enabled Internet of Things (IoT) devices, involved far more data exposure than previously reported. The whistleblower claims attackers had root administrator access to all cloud servers as well as full source code control and signing keys. If the reports are confirmed, there is a high risk that the threat actors can access consumer and enterprise communication devices supplied by Ubiquiti.
Malware Targeting Older Systems and Protocols Provides Deep Reach into Networks
Purple Fox malware now exhibits both rootkit capabilities and worm propagation techniques. The malware targets unpatched Windows systems using SMB brute-forcing and null session connections for initial access. Initial infections very likely occur through phishing links. The malware has a large C2 network and can modify firewall rules, so blacklisting may not be effective against infections. Hunting for the malware commands provides the most effective detection method.
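A detection example for the two initial-access behaviours named above, SMB brute-forcing and null-session connections, added here and not part of the bulletin: it flags bursts of failed network logons (event 4625, logon type 3) from one source and successful network logons as ANONYMOUS LOGON (event 4624). The record shape and the sample events are constructed; on a real host, populate the same fields from Get-WinEvent Security records.

```powershell
# Added example (not from the bulletin): flag SMB brute-force bursts and null-session logons.
# Input objects carry Id, Time, IpAddress, TargetUserName and LogonType; on a real host fill
# them from the Properties/XML of 4624 and 4625 Security events returned by Get-WinEvent.
function Find-SmbLogonAbuse {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $FailureThreshold = 5,     # failed network logons from one source ...
        [int] $WindowMinutes    = 2      # ... within this many minutes
    )
    $findings = @()
    # 1) Brute force: failed network logons (4625, LogonType 3) grouped by source address
    $Events | Where-Object { $_.Id -eq 4625 -and $_.LogonType -eq 3 } |
        Group-Object IpAddress | ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            $span = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
            if ($_.Count -ge $FailureThreshold -and $span -le $WindowMinutes) {
                $findings += [pscustomobject]@{ Type = 'BruteForce'; Source = $_.Name; Count = $_.Count
                                               Users = ($sorted.TargetUserName | Select-Object -Unique) -join ',' }
            }
        }
    # 2) Null session: a successful network logon (4624, LogonType 3) as ANONYMOUS LOGON
    $Events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 3 -and $_.TargetUserName -eq 'ANONYMOUS LOGON' } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Type = 'NullSession'; Source = $_.IpAddress; Count = 1; Users = $_.TargetUserName }
        }
    return $findings
}

# Constructed sample: eight password-spray failures in 40 seconds from one host, then a null
# session from the same host, plus one benign logon from another source.
$t0 = Get-Date '2021-03-29T10:00:00'
$sample = @()
1..8 | ForEach-Object {
    $sample += [pscustomobject]@{ Id = 4625; Time = $t0.AddSeconds($_ * 5); IpAddress = '10.0.0.50'
                                  TargetUserName = "user$_"; LogonType = 3 }
}
$sample += [pscustomobject]@{ Id = 4624; Time = $t0.AddMinutes(1); IpAddress = '10.0.0.50'
                              TargetUserName = 'ANONYMOUS LOGON'; LogonType = 3 }
$sample += [pscustomobject]@{ Id = 4624; Time = $t0.AddMinutes(3); IpAddress = '10.0.0.7'
                              TargetUserName = 'alice'; LogonType = 3 }

# Expected: one BruteForce finding (10.0.0.50, Count 8) and one NullSession finding (10.0.0.50)
Find-SmbLogonAbuse -Events $sample | Format-Table -AutoSize
```

Because the bulletin notes the malware can rewrite firewall rules, pair this logon-based detection with the firewall-rule snapshot approach rather than relying on network blocklists alone.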