Top news stories this week
- Threat hunting. S-RM identifies novel vulnerability exploited by Lorenz.
- LockBit releases free decryptor. Ransomware gang apologises to children’s hospital for affiliate attack.
- Change your passwords. More details emerge on LastPass breach.
- Too risky? Zurich Group CEO warns cyber attacks may become uninsurable.
- I spy. TikTok banned on US federal government devices after spying revelations.
- Hot off the press. The Guardian continues to suffer from suspected ransomware attack.
- New extortion tactic. ALPHV/BlackCat ransomware group replicates victim's website to leak stolen data.
1. S-RM identifies novel vulnerability exploited by Lorenz
S-RM’s Incident Response team recently observed the threat actor group Lorenz using a 5-month-old web shell (a malicious script that compromises the web server) as a way into a victim’s network and a foothold for a ransomware attack.
While Lorenz has long exploited Mitel VoIP (internet telephony system) vulnerabilities, returning to backdoors that are several months old is new behaviour.
We have published a special edition of the Cyber Intelligence Briefing, where we explain the technical detail behind the vulnerability discovered, the current risk to businesses using Mitel VoIP and the mitigating actions to consider taking.
2. LockBit gives hospital free decryptor
LockBit ransomware group released a free decryptor to the Hospital for Sick Children in Toronto after an affiliate attack. LockBit issued a rare apology on their leak site and claimed that the partner is no longer part of their affiliate programme because they violated its policy, which prohibits ransomware attacks against medical institutions.
However, LockBit still appears to condone data theft from medical institutions and, despite their policy, has previously attacked hospitals, as seen in the attack on Center Hospitalier Sud Francilien.
The application of ransomware groups’ policies and questionable ethical standards remains inconsistent. Organisations must, regardless of the industry they operate in, remain resilient to ransomware attacks through proactive measures such as patching vulnerabilities and an endpoint detection and response solutions.
3. LastPass breach update
Password manager LastPass released an updated statement on the December 2022 breach. The statement confirmed that the threat actor may have gained access to customers’ encrypted password vaults although would still have required a valid master password to access stored passwords.
Password managers are an effective tool for storing passwords but are not immune to breaches. To avoid a compromise of LastPass vaults, accounts should be protected with complex and unique passwords as well as multifactor authentication.
4. Cyber insurability at risk
Zurich Insurance Group’s CEO warned that cyber attacks may eventually become uninsurable. He also supported the US and Australian governments’ efforts to discourage ransom payments to reduce attacks, citing Medibank’s refusal to pay hackers USD 15.6 million.
Organisations can consider an incident response retainer as an alternative or add on to cyber insurance. Read our latest report Cyber Security Insights Report 2022 for further advice on tackling the hard insurance market.
5. TikTok banned on US federal government devices after spying
Popular social media app TikTok has been banned on US federal government devices after its Chinese parent company ByteDance admitted to accessing private data in order to spy on US journalists. This comes only two months after TikTok denied its application could be used to track US citizens.
The risk posed by third party applications is greater for organisations that encourage employees to use their own devices for work purposes. Organisations should publish a robust Bring Your Own Device policy to address these risks.
6. Guardian attack
The Guardian continues to suffer from a reported ransomware attack that affected parts of its key technology infrastructure, including those controlling elements of the organisation’s internet. Although both online and print publications remain unaffected, staff in the UK, US, and Australia are required to work from home until 23 January until IT systems have been restored.
Media organisations are attractive targets for cyber criminals due to their highly publicised nature. Strong backup policies, network segmentation and a carefully thought out incident response plan should be in place to ensure minimal business disruption.
7. BlackCat adopts new extortion technique
The ALPHV/BlackCat ransomware group was observed using a new strategy to pressure victims into paying a ransom. The new tactic involves uploading stolen data to a replica of their victim's website. The cloned site is on the clear web and potentially exposes a breach to a wider audience.
Organisations can limit the impact of typosquatting by registering similar domains and redirecting these to their legitimate website. In addition they can also register alternative top-level domains, such as .com or .net, to prevent a threat actor from using them.