Showing posts with label CISA.

April 02, 2022

Ransomware is Pressuring Public Services


The FBI and CISA have warned that ransomware attacks are becoming a public-safety risk: public services are attractive targets for cybercriminals precisely because of their critical nature. Utilities, emergency services, safety operations, healthcare and the education sector are being targeted increasingly often, and the sensitive personal data stolen in these attacks puts local residents at risk of fraud.

Local governments should expect no decline in these attacks as the deployment of ransomware continues to evolve. The FBI described an attack in January 2022 that forced a US county to take its computer systems offline and activate its emergency backup procedures. The county jail was among the systems hit: surveillance cameras, the jail's data collection capabilities, automated doors and internet access were all disabled, which alarmed staff and raised serious safety concerns for the facility.

There are plenty of other examples too. In September 2021 an attack closed a county courthouse, and when the ransom was not paid the attackers leaked personal details of employees and residents online. In May 2021 several local governments were hit with 'PayOrGrief' ransomware, leaving servers and online services inaccessible.

Union County Government Center, North Carolina

According to the FBI's report, only academia and higher education were attacked more frequently than local government in 2021. The FBI has repeatedly stated that victims should not pay ransom demands, because paying encourages further attacks. Some targets decide to pay anyway in the hope of restoring their services quickly.

Even after paying, restoring a network can be a complicated and lengthy task, and there is no guarantee that the decryption key the attackers provide will work, or that they will not return later. The FBI encourages all victims to report ransomware incidents to help prevent future attacks.

The FBI and CISA have also recommended numerous cybersecurity measures [PDF] that organisations can adopt to avoid becoming a victim, including keeping software and operating systems up to date with the latest security patches and requiring strong passwords for online accounts. This makes it harder for criminals to exploit network and system vulnerabilities or to guess user passwords.

In addition, organisations should keep offline backups of their data that are regularly tested and updated, so that networks can be restored without the attackers' decryption keys. They should also require employees to use multi-factor authentication for webmail, other accounts and VPNs, adding a further layer of protection against such attacks.
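"Regularly tested" is the part of the backup advice that gets skipped. The script below is an added example of one such test, not code from the FBI/CISA guidance: it records a SHA-256 manifest of a backup set at backup time and later checks a copy against it, so files that ransomware has encrypted in place, renamed or deleted show up before a restore is attempted. The directory layout, file names and the XOR "encryption" in the demo are constructed for illustration only.

```python
"""Added example: build a SHA-256 manifest of a backup set and verify a copy
against it, as one of the regular backup tests the advisory recommends.

Not code from the FBI/CISA guidance; the directory layout, file names and the
XOR "encryption" in the demo are constructed for illustration only.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large backup files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256.

    The manifest is written at backup time and stored with the offline copy;
    keep a second copy somewhere the backup media itself cannot reach.
    """
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): file_digest(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_backup(root, manifest):
    """Compare the files under root against a stored manifest.

    Ransomware that reaches a backup leaves files in place but encrypted
    (hash changes), renames them (missing + unexpected) or deletes them
    (missing); a ransom note shows up as an unexpected file.
    """
    current = build_manifest(root)
    missing = sorted(name for name in manifest if name not in current)
    modified = sorted(name for name in manifest
                      if name in current and current[name] != manifest[name])
    unexpected = sorted(name for name in current if name not in manifest)
    return {
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
        "ok": not (missing or modified or unexpected),
    }


def simulate_ransomware_and_verify():
    """Constructed demo: back up a small tree, then tamper with a copy of it
    the way ransomware would and return what verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "records.sql").write_bytes(
            b"INSERT INTO residents VALUES (1, 'A. Resident');\n")
        (backup / "config.yaml").write_text("retention_days: 30\n")
        (backup / "notes.txt").write_text("door controller settings\n")

        # Manifest as it would be stored alongside the offline copy.
        manifest_json = json.dumps(build_manifest(backup), sort_keys=True, indent=2)
        stored_manifest = json.loads(manifest_json)

        copy = Path(tmp) / "copy"
        shutil.copytree(backup, copy)
        clean = verify_backup(copy, stored_manifest)

        # Simulated ransomware on the copy: encrypt one file in place (XOR stands
        # in for real encryption), encrypt-and-rename another, delete a third and
        # drop a ransom note.
        cfg = copy / "config.yaml"
        cfg.write_bytes(bytes(b ^ 0x5A for b in cfg.read_bytes()))
        records = copy / "db" / "records.sql"
        (copy / "db" / "records.sql.locked").write_bytes(
            bytes(b ^ 0x5A for b in records.read_bytes()))
        records.unlink()
        (copy / "notes.txt").unlink()
        (copy / "README_TO_DECRYPT.txt").write_text("pay us\n")

        tampered = verify_backup(copy, stored_manifest)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(simulate_ransomware_and_verify(), indent=2))
```

The point of the manifest is that it is checked before a restore, not after: a backup that verifies clean is one you can rebuild from without a decryption key, while a report with anything in `missing`, `modified` or `unexpected` means that copy was reachable from the compromised network and should not be trusted.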

April 01, 2022

US Communications Provider Targeted by Russia


Viasat, a US satellite communications provider, suffered a cyberattack in February that caused service outages across central and Eastern Europe and cut remote access to around 5,800 German wind turbines. It has now come to light, according to researchers at SentinelLabs, that the attack was likely carried out with wiper malware named "AcidRain". The malware is aimed at routers and modems: it wipes the filesystem and any storage devices it can find, then reboots the device, leaving it unusable.

Satellite Communications System

AcidRain's functionality is relatively simple and generic, and its brute-force approach to finding devices to wipe suggests the attackers were either unfamiliar with their target or wanted to keep the tool reusable. The attackers' identity has not been confirmed, but the malware shares many similarities with "VPNFilter", which the FBI attributed in 2018 to the Russian state-backed group APT28. VPNFilter has more recently also been linked to Sandworm, the group notorious for "NotPetya". Both groups have been tied to Russia's military intelligence agency, the GRU.

Viasat confirmed that the researchers' findings were consistent with the facts in its own incident report. That report goes into more detail and explains that the attackers exploited a misconfigured VPN appliance to gain remote access to the trusted management segment of the network, from which they could issue destructive commands to the modems remotely.

The outage has still not been fully resolved, and Viasat has since shipped 30,000 replacement modems to affected customers. CISA has warned that US satellite networks may be the next target. AcidRain is potentially the seventh wiper malware to hit Ukraine since the start of Russia's invasion.

March 27, 2022

Google Stops Hackers


Google has announced that it has disrupted two North Korean hacking groups that were exploiting a zero-day bug in its Chrome browser. The bug, CVE-2022-0609, was patched in February, but exploitation had begun a month earlier, with evidence of use as early as January 4th, 2022. CISA mandated that US federal agencies patch the bug in February. The groups suspected of using the exploit are linked to Lazarus, the North Korean group accused of hacking Sony Pictures and attacking the SWIFT international bank-messaging system.

All of these groups are suspected of working for the same entity (most likely the North Korean government) and of sharing a supply chain, which is why they could all use the same exploit; each group nevertheless uses different techniques and has a different mission. The hackers served their exploit kit through hidden iframes embedded in websites they owned and in websites they had compromised. The kit consisted of multiple stages and components.
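A hidden iframe pointing at a host the page has no business loading from is the thing to look for when triaging a suspected compromised site. The script below is an added example, not code from Google's report or from the post: it parses page HTML with the Python standard library and flags iframes that are invisible (display:none, visibility:hidden, zero opacity, 1x1 or zero-sized, pushed off-screen, or carrying the `hidden` attribute), noting whether each loads from a different host than the page itself. The sample page and every hostname in it are constructed for illustration.

```python
"""Added example: flag <iframe> elements that are hidden from the user, the
technique the post describes for delivering the Chrome exploit kit.

Not code from Google's report; the sample page and hostnames below are
constructed for illustration. Only the Python standard library is used.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style fragments that make an element invisible or push it off-screen.
HIDDEN_STYLE_PATTERNS = {
    "display:none": r"display\s*:\s*none",
    "visibility:hidden": r"visibility\s*:\s*hidden",
    "opacity:0": r"opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)",
    "off-screen offset": r"(?:left|top)\s*:\s*-\d{3,}px",
    "zero/one-pixel box": r"(?:width|height)\s*:\s*[01](?:\.0+)?(?:px)?\s*(?:;|$)",
}


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # Boolean attributes such as `hidden` arrive with a value of None.
            self.iframes.append(dict(attrs))


def _leading_number(value):
    """Numeric prefix of a width/height attribute ("1", "1px", "0%"), or None."""
    match = re.match(r"\s*(\d+(?:\.\d+)?)", value or "")
    return float(match.group(1)) if match else None


def hidden_reasons(attrs):
    """Return the list of reasons an iframe with these attributes looks hidden."""
    reasons = []
    style = (attrs.get("style") or "").lower()
    for label, pattern in HIDDEN_STYLE_PATTERNS.items():
        if re.search(pattern, style):
            reasons.append(label)
    for dim in ("width", "height"):
        size = _leading_number(attrs.get(dim))
        if size is not None and size <= 1:
            reasons.append(f"{dim}={attrs[dim]}")
    if "hidden" in attrs:
        reasons.append("hidden attribute")
    return reasons


def find_hidden_iframes(html, page_host):
    """Parse html and report hidden iframes, noting whether each loads from another host.

    A hidden iframe pulling content from a domain other than the page's own is
    the pattern to triage first; a same-origin one is more often a legitimate
    widget, but still worth a look.
    """
    collector = _IframeCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for attrs in collector.iframes:
        reasons = hidden_reasons(attrs)
        if not reasons:
            continue
        src = attrs.get("src") or ""
        src_host = urlparse(src).hostname
        findings.append({
            "src": src,
            "reasons": reasons,
            "cross_origin": src_host is not None and src_host != page_host.lower(),
        })
    return findings


# Constructed sample page: one visible embed, one 1x1 off-screen iframe pulling
# from another host, one display:none same-origin iframe.
SAMPLE_HTML = """
<html><body>
<h1>Daily news</h1>
<iframe src="https://video.example.test/embed/123" width="560" height="315"></iframe>
<div>
<iframe src="https://cdn.example-attacker.test/stage1.html" width="1" height="1"
        style="position:absolute;left:-9999px"></iframe>
</div>
<iframe src="/widgets/weather" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML, "news.example.test"):
        print(finding)
```

The check only sees inline styles and attributes; an iframe hidden by a stylesheet rule or by JavaScript after load needs a rendered DOM (for instance a headless browser) rather than raw HTML, so treat a clean result from this script as "nothing obvious", not as a clean bill of health.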

Anonymous Hacker Group

The groups have primarily targeted US technology, cryptocurrency, news media and fintech organisations, though according to Google similar companies in other countries may also have been targeted. They also went after web-hosting providers, software vendors and domain registrars with fake job offers in emails impersonating recruiters from the likes of Oracle, Disney and Google. The emails contained links to spoofed versions of job board websites popular in the US for hiring tech talent.

Once the campaign was discovered, Google added all known websites and domains to its Safe Browsing service, protecting users from further exploitation, and sent alerts to all targeted Gmail and Workspace users. Mandiant, a recent Google acquisition, has identified the hacking groups as Lab 110, TEMP.Hermit, APT38, Andariel and Bureau 325, all operating under North Korea's foreign intelligence agency, which handles technology, operations and reconnaissance. Mandiant says North Korea is borrowing China's strategy of cajoling hacker groups into working with the government.

Each of these groups is assigned to target separate industries, gathering intelligence for geopolitical strategy or raising revenue for North Korea's ballistic missile programmes through cryptocurrency theft. Information collected through these attacks may also be used to develop vaccines, evade sanctions, fund other weapons programmes and produce other strategic and internal materials relevant to the North Korean regime.