CyberCX Security Report | April 2021
There’s no shortage of cyber news making the headlines, but what does it mean for you?
At CyberCX, we keep a close eye on the news to identify reports of the latest trends, issues and exploits.
Here we present a selection of recent news stories that caught our attention, and the important lessons we can learn to keep secure.
Aggressive patching key to limiting your exposure to newly discovered vulnerabilities
For anyone who still needs convincing of the importance of aggressive patching, the latest Microsoft Exchange Server breach should be all the evidence you need.
Aggressive patching means applying security updates as soon as they are released, rather than waiting for a cyclical patching timetable run monthly or quarterly. Cyclical timetables may be fine for run-of-the-mill updates, but when an urgent patch is released to close a newly discovered zero-day vulnerability that is already being exploited, every day of delay leaves you dangerously exposed.
Microsoft, which typically releases patches on the second Tuesday of each month, released out-of-band security updates on 2 March 2021 to address four zero-day vulnerabilities in on-premises Microsoft Exchange Server. The vulnerabilities were being exploited by a sophisticated threat actor, labelled HAFNIUM, that Microsoft assesses with high confidence to be operating out of China.
Since the public disclosure of the vulnerabilities and the release of public proof-of-concept exploits, reporting indicates they are being exploited by an ever-growing list of threat actors, both state-based and criminal.
If left unpatched, these vulnerabilities allow an unauthenticated attacker to read files, mailboxes and login credentials from the server. Attackers have also been deploying webshells that act as backdoors, giving them persistent remote code execution on the server.
That is why it is absolutely essential to avoid delays and apply critical patches as quickly as possible.
In this particular breach, even organisations that acted swiftly to apply Microsoft’s patches may still be at risk: the patches close the vulnerabilities but do not remove a webshell that was deployed before patching, and an undetected webshell still gives the attacker a way back into the network. That is why it is also imperative to clean up after patching. Organisations should investigate their Microsoft Exchange Servers for signs of compromise going back to 1 September 2020.
Microsoft has also released the Exchange On-premises Mitigation Tool (EOMT), a PowerShell script that applies an interim mitigation for the vulnerability that starts the exploit chain and runs the Microsoft Safety Scanner to detect and remove known webshells. It is a stop-gap, not a substitute for the security updates, and a scan that finds nothing does not prove the server was never compromised.
If you have yet to apply Microsoft’s patches for Exchange Server 2010, 2013, 2016 and 2019, we urge you to do so immediately. If this is not possible, we strongly recommend disconnecting vulnerable Exchange servers from the internet until patches can be applied. Please note that the security updates must be installed from an elevated command prompt (Run as administrator); installing them without elevation can appear to succeed while leaving the vulnerable files unchanged. The updates also only install on a supported cumulative update level, so follow Microsoft’s guidance on bringing servers up to a current cumulative update for Exchange Server first.
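As an added example (not part of the original report and not a Microsoft tool), the Python script below shows the kind of log review the investigation above calls for: it parses IIS W3C logs from an Exchange front end and flags requests, on or after 1 September 2020, to .aspx pages that are not in an allowlist of known Exchange endpoints, since a webshell is simply a server-side page the attacker dropped into a web-served directory. The log lines, the allowlist and the path names are constructed for illustration; a real allowlist should be built from a clean install of the same Exchange build, and the function names are the author's own.

```python
from datetime import date

# Constructed IIS W3C log excerpt (not real Exchange telemetry). The #Fields
# header tells the parser which column is which, so a site that logs a
# different set of fields still parses correctly.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-03 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-08-15 11:03:40 10.0.0.5 GET /owa/auth/errorfe.aspx - 443 - 10.0.0.21 Mozilla/5.0 - 404 0 2 3
2020-08-20 09:12:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.0.0.21 Mozilla/5.0 - 200 0 0 31
2021-03-01 22:40:17 10.0.0.5 POST /owa/auth.owa - 443 - 10.0.0.21 Mozilla/5.0 - 302 0 0 45
2021-03-03 02:14:55 10.0.0.5 POST /aspnet_client/system_web/diag.aspx - 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 12
2021-03-03 02:15:02 10.0.0.5 POST /aspnet_client/system_web/diag.aspx cmd=whoami 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 9
2021-03-03 02:20:40 10.0.0.5 GET /ecp/default.aspx - 443 CONTOSO\\admin 10.0.0.30 Mozilla/5.0 - 200 0 0 20
"""

# Hypothetical allowlist of .aspx pages that legitimately exist on this server.
# Build the real one from a clean install of the same Exchange build.
KNOWN_ASPX = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}

# Earliest date the report advises reviewing; widen it if you can afford to.
CUTOFF = date(2020, 9, 1)


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or corrupt line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_suspect_aspx(log_text, known_aspx=KNOWN_ASPX, cutoff=CUTOFF):
    """Return requests to unknown .aspx pages on or after the cutoff date.

    Each hit records who called the page, how, and why it was flagged. A POST
    with a 200 response, or a query string, is a stronger signal than a lone
    GET, so the reason field accumulates those indicators for triage.
    """
    if isinstance(cutoff, str):
        cutoff = date.fromisoformat(cutoff)
    known = {p.lower() for p in known_aspx}
    hits = []
    for rec in parse_w3c(log_text):
        stem = rec["cs-uri-stem"].lower()
        if not stem.endswith(".aspx") or stem in known:
            continue
        if date.fromisoformat(rec["date"]) < cutoff:
            continue
        reasons = ["unknown .aspx page"]
        if rec["cs-method"].upper() == "POST":
            reasons.append("POST")
        if rec["sc-status"] == "200":
            reasons.append("served 200")
        if rec["cs-uri-query"] != "-":
            reasons.append("query string present")
        hits.append({
            "date": rec["date"], "time": rec["time"], "client": rec["c-ip"],
            "method": rec["cs-method"], "path": rec["cs-uri-stem"],
            "query": rec["cs-uri-query"], "status": rec["sc-status"],
            "reason": ", ".join(reasons),
        })
    return hits


def group_by_path(hits):
    """Summarise hits as {path: sorted list of client IPs} for a quick first look."""
    summary = {}
    for h in hits:
        summary.setdefault(h["path"], set()).add(h["client"])
    return {path: sorted(clients) for path, clients in summary.items()}


if __name__ == "__main__":
    found = find_suspect_aspx(SAMPLE_IIS_LOG)
    for h in found:
        print(f"{h['date']} {h['time']} {h['client']} {h['method']} {h['path']} "
              f"?{h['query']} -> {h['status']} [{h['reason']}]")
    print(group_by_path(found))
```

Run it against the exported IIS logs of every Exchange server, not only the one you suspect, and treat a hit as a lead to confirm on disk (does the file exist, when was it created, what does it contain) rather than as proof. The pre-cutoff request to an unknown page is deliberately ignored here to match the review window the report gives; the date filter is the first thing to relax if the server has been exposed for longer.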
Acer reportedly facing $50M ransomware attack
The REvil ransomware group has reportedly attacked computer manufacturer Acer and demanded a $50 million ransom.
News of the attack surfaced when the group claimed on its data leak website to have breached Acer, publishing a sample of reportedly stolen files as evidence of a successful intrusion. The documents included bank balances, financial spreadsheets and financial communications.
Further reporting revealed a ransom demand of $50 million, with the attackers reportedly offering Acer a 20% discount on the initial demand if it was paid by 17 March. Acer is believed to have offered $10 million. The attackers subsequently set a new payment deadline of 28 March, after which the demand would double.
REvil is known for its high ransom demands. A demand of this size suggests the group exfiltrated information that is highly confidential, or that could be used to launch cyberattacks on Acer’s customers.
The case highlights the importance of having professionals on hand to lead any negotiations with ransomware groups. Dealing with criminals is a complex and sensitive issue. It should always be handled by those with extensive experience with such matters.
Ransomware – a unique challenge for small business
The news often reports large corporations being targeted by ransomware attackers demanding extortionate sums, yet ransomware attacks against small businesses are also a significant challenge.
Small businesses can be devastated by ransomware. Often they have neither their critical data backed up nor pockets deep enough to pay a ransom demand.
Addressing this problem, the Department of Home Affairs released a new report, “Locked Out: Tackling Australia’s ransomware threat”.
The report offers specific advice for small businesses. The key is to have solid prevention measures in place to avoid becoming a victim in the first place.
Among the recommended measures are:
- Multi-factor authentication for email
This reduces reliance on a password being the only control protecting access to email systems.
- Keeping software up to date
Switch on auto-updates, especially for operating systems. Also:
  - Regularly check for and install updates as soon as possible where auto-updates are unavailable, especially for applications
  - Set a convenient time for auto-updates to avoid disrupting business operations
  - If anti-virus software is in use, ensure its automatic updates are turned on
- Employee training
Training employees to identify suspicious emails, and to know what to do about them, is an important step in protecting a small business. Employees are a key part of the defence because all it takes is one click on a link to become a victim of ransomware.
- Data backups
Having data backed up, and keeping those backups separate from the systems a ransomware attack could encrypt, will help a small business recover in the event of an attack.
- Data lifecycle management
Reduce the amount of data that can be impacted by an attack by archiving data more than 15 months old.