There’s no shortage of cyber-attacks making the headlines, but what do they mean for you?
At CyberCX, we keep a close eye on the news to identify reports of the latest trends, issues and exploits.
Here we present a selection of recent news stories that caught our attention, and the important lessons we can learn to keep secure.
Aggressive patching key to limiting your exposure to newly discovered vulnerabilities
For anyone that still needs convincing of the importance of aggressive patching, the latest Microsoft Exchange Server breach should be all the evidence you need.
Aggressive patching adopts an ad-hoc approach that emphasises ongoing patching as soon as updates are released, rather than relying on cyclical patching timetables conducted monthly or quarterly. Cyclical timetables may be fine for run-of-the-mill updates, but when an urgent patch is released to stop a newly discovered zero-day vulnerability, any delay could leave you dangerously exposed.
Microsoft, which typically releases patches on the second Tuesday of each month, released four out-of-band security updates on 2 March 2021. This was in response to the identification of zero-day vulnerabilities in the Microsoft Exchange Server that were being exploited by a sophisticated threat actor, labelled HAFNIUM, that is assessed with high confidence to be operating out of China.
Subsequent reporting indicates that the vulnerabilities are being exploited by an ever-growing list of threat actors, both state-based and criminal, following the public disclosure of the vulnerabilities and the release of public proof-of-concept exploits.
If left unpatched, these vulnerabilities allow unauthenticated threat actors to gain access to files, mailboxes and login credentials. Threat actors would also have the ability to deploy webshells that act as backdoors, allowing them to conduct persistent remote code execution attacks.
That’s why it is absolutely essential to avoid delays and run critical patches as quickly as possible.
In this particular breach, even those who acted swiftly to run Microsoft’s patches may still be at risk. Threat actors can use webshells that were deployed before patching, and remain undetected, to regain access to the network. That’s why it is also imperative to clean up after patching. Organisations should investigate their Microsoft Exchange Servers for any potential compromise dating back to 1 September 2020.
Using the Exchange On-premises Mitigation Tool script released by Microsoft, it should be possible to clean up any identified webshells.
If you’ve yet to run Microsoft’s patches for Exchange Server versions 2010, 2013, 2016 and 2019, we urge you to do so immediately. If this is not possible, we strongly recommend disconnecting vulnerable Exchange servers from the internet until patches can be applied. Please note, these patches must be applied from an admin account. We also urge you to follow Microsoft’s guidance in relation to cumulative updates for Exchange Server.
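As an added illustration of the post-patching investigation described above (this script is not from the CyberCX post or from Microsoft's tooling, and it does not replace the Exchange On-premises Mitigation Tool), the following PowerShell triage lists script-capable files under the Exchange web roots that were created or modified on or after 1 September 2020 and records their hashes for review. It assumes it is run in an elevated PowerShell on the Exchange server, that $env:ExchangeInstallPath is set there, and that the web root paths below match your installation.

```powershell
# Added triage example: surface candidate webshell files for review.
# Assumptions: elevated PowerShell on the Exchange host; $env:ExchangeInstallPath
# is set; the web roots below are where IIS serves Exchange content (adjust if not).
$Cutoff = Get-Date '2020-09-01'   # start of the window the post says to investigate

$WebRoots = @( Join-Path $env:SystemDrive 'inetpub\wwwroot\aspnet_client' )
if ($env:ExchangeInstallPath) {
    $WebRoots += Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'
    $WebRoots += Join-Path $env:ExchangeInstallPath 'ClientAccess'
}
$WebRoots = $WebRoots | Where-Object { Test-Path $_ }

# File types IIS will execute as server-side code; a webshell has to be one of these.
$Extensions = '*.aspx', '*.ashx', '*.asmx', '*.asp'

$Candidates = foreach ($Root in $WebRoots) {
    Get-ChildItem -Path $Root -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Cutoff -or $_.LastWriteTime -ge $Cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                CreationTime  = $_.CreationTime
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Write the candidate list to CSV so it can be reviewed or handed to incident responders.
$Out = Join-Path $env:TEMP 'exchange-webroot-triage.csv'
$Candidates | Sort-Object CreationTime | Export-Csv -Path $Out -NoTypeInformation
Write-Host ("{0} script file(s) created or modified since {1:yyyy-MM-dd}; details in {2}" -f `
    @($Candidates).Count, $Cutoff, $Out)
```

Every file listed is a candidate for review, not proof of compromise: legitimate updates also touch these directories, so compare each entry against your patch history before treating it as a webshell.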
Acer reportedly facing $50M ransomware attack
The REvil ransomware group has reportedly targeted computer manufacturer Acer with a $50 million ransomware attack.
News of the ransomware campaign surfaced when attackers claimed on their data leak website to have breached Acer, publishing some reportedly stolen files as evidence of a successful intrusion. The documents included bank balances, financial spreadsheets, and financial communications.
Further investigations revealed a ransom demand of $50 million, with reports that the attackers offered Acer a 20% discount on their initial ransom demand if it was paid by March 17. It is believed the company offered $10 million. Subsequently, the attackers gave Acer a new payment deadline of March 28 or the demand would be doubled.
REvil is known for its high ransomware demands. The large demand suggests they exfiltrated information that is highly confidential, or information that could be used to launch cyberattacks on Acer’s customers.
The case highlights the importance of having professionals on hand to lead any negotiations with ransomware groups. Dealing with criminals is a complex and sensitive issue. It should always be handled by those with extensive experience with such matters.
Ransomware – a unique challenge for small business
The news often reports cases of large corporations being targeted by ransomware attackers, demanding extortionate sums. Yet, ransomware attacks against small businesses are also a significant challenge.
Small businesses can be devastated by ransomware. Often, small businesses don’t have critical data backed up, nor deep enough pockets to pay ransom demands.
The National Cyber Security Centre (NCSC) has produced a guide for small businesses, "How to improve your cyber security: affordable, practical advice for businesses".
The guide offers five key steps to significantly reduce the chances of a business becoming a victim of cyber crime.
Step 1 – Backing up your data
5 things to consider when backing up your data.
Step 2 – Protecting your organisation from malware
5 free and easy-to-implement tips that can help prevent malware damaging your organisation.
Step 3 – Keeping your smartphones (and tablets) safe
5 quick tips that can help keep your mobile devices (and the information stored on them) secure.
Step 4 – Using passwords to protect your data
5 things to keep in mind when using passwords.
Step 5 – Avoiding phishing attacks
Steps to help you identify the most common phishing attacks.