Symantec Security Summary – Aug 2020

Russian attacks, redux. Amidst fresh headlines of potential Russian disinformation campaigns to influence the 2020 election and a blockbuster bi-partisan report confirming the country’s role in 2016 election interference, Russia is also ramping up its global hacking efforts.

In a joint security alert issued in early August, the FBI and NSA warned of a new Linux strain of malware deployed in real-world attacks and developed by Russian state military hackers. The GRU’s latest work, dubbed Drovorub, is an undisclosed malware toolset, which when deployed on a victim machine, plants a backdoor inside targeted networks and implements hiding techniques to avoid detection, according to the alert’s description. The agencies say they have evidence that the malware is connected to the Russian state-sponsored APT group known as Swallowtail, Fancy Bear, or APT 28, among other nicknames.

To safeguard corporate systems, the agencies recommend an update to Linux Kernel 3.7 or later and to configure systems so they only load modules with a valid digital signature.

Another Russian group was just accused for a targeted cyber espionage campaign conducted over the last three years. RedCurl APT, a newly-discovered advanced persistent threat (APT) group, has been carefully planning attacks on enterprise companies across North America and Europe, attempting to steal commercial secrets as well as personal data.

RedCurl APT was identified by cyber security firm Group-IB after one of its customers got caught in the crosshairs of an attack. After that initial discovery, researchers have uncovered 26 additional attacks against 14 companies since 2018, involving construction firms, retailers, insurance companies, banks, law and consulting firms, and travel agencies, among others.

Spear phishing appears to be the conduit for initial access, specifically an email emanating from an HR team member at the targeted organization sent to multiple employees. The email includes links to malicious files containing Trojans that allow the RedCurl ATP hackers to search systems, download other malware, and upload stolen files to remote servers.

* * * 

Ransomware remains rampant. The latest big-name company to fall victim to a ransomware attack is the world’s largest cruise line operator. In a filing with the U.S. Securities and Exchange Commission (SEC), it was revealed that one of its brands was hit by a ransomware attack on August 15, but it wouldn’t confirm the target.

The filing stated that the company detected a ransomware attack that accessed and encrypted a portion of one brand’s information technology systems. “The unauthorized access included the download of certain of our data files,” the officials confirmed, adding that the data was likely stolen and could lead to claims filed from passengers and employees affected by the potential breach. In 2020, the same company experienced a data breach in March that exposed customers’ personal information, including possible payment data.

Ransomware was also an attack vector for a company catering to another recreational pass time: the cocktail hour.  The maker of favorite alcohol brands like Jack Daniel’s and Finlandia, confirmed it was hit by a cyber attack that may have impacted information, including employee data.

The ransomware used in the attack was Sodinokibi, also known as REvil (Ransom Sodinokibi). The company said it was able stop the attackers before its systems were encrypted and is now working with third parties to mitigate the effects of the attack.

* * * 

COVID sparks cyber security crisis. As if the physical and emotional toll related to COVID-19 weren’t enough to deal with, the pandemic is now fostering concerns about another kind of health issue—the well-being of corporate networks, which are increasingly under attack as more people work from home.

The FBI recently reported that the number of complaints pouring into the Cyber Division is up to as many as 4,000 daily—a 400% spike from what was common pre-COVID. Interpol is also reporting a shift away from attacks focused on individuals and small businesses to an “alarming” number directed at corporations, governments, and critical infrastructure in the COVID-19 era. Among the most prominent attack vectors is spear phishing, which uses emails, social media, IM, and other platforms to get victims to divulge personal data.

Legislative efforts. One U.S. Congressman has proposed legislation to help mitigate certain COVID-related cyber attacks. Congressman Andy Barr (KY-06) recently introduced the NIST COVID-19 Cyber-Security Act, which instructs the director of the National Institute of Standards and Technology (NIST) to create standards for mitigating and protecting against cyber attacks aimed at American universities researching the virus.

Security bug infestation. Apparently, there is a backlog of more than 57,000 unaddressed security issues as companies struggle to keep up the deluge of vulnerabilities affecting software and infrastructure. According to a new study by IBM and the Ponemon Institute, an average of 28% of vulnerabilities remain unmitigated. As a result, more than half (53%) of respondents to the survey confirm their organizations experienced a data breach in the past two years with 42% saying the breach occurred because a patch was available to fix a known vulnerability but was never applied.

Ineffective security processes were a big part of the problem: 57% of respondents said their firm doesn’t adequately identify which bugs are high priority while only a quarter base their bug patching on business impact.