Breach Trends and Ransomware Statistics: June – July 21

Ransomware attacks globally have gone up by 102% in 2021 compared to last year.
In 2021 alone, cybercrime has been predicted to cause damages worth over $6 trillion. The most common tactics ransomware attackers use are phishing campaigns and RDP vulnerabilities. We will track ransomware attacks each month and share them via this blog. To stay informed about recent data breaches and ransomware attacks, please follow this blog; you can also register for our Free Ransomware Risk Assessment.

In this report we discuss some of the important cyberattacks that took place during the last month.

Key Statistics about Ransomware Attacks

  • Experts estimate that a ransomware attack will occur every 11 seconds in 2021. (Cybercrime Magazine)
  • It is estimated that the cost of ransomware to businesses will top $20 billion in 2021
  • Average downtime due to ransomware attacks is 21 days (Coveware, 2021)
  • The average number of days it takes a business to fully recover is 287
  • Malicious emails are up 600% due to COVID-19. (ABC News, 2021)
  • The most common tactics hackers use to carry out ransomware attacks are email phishing campaigns, RDP vulnerabilities, and software vulnerabilities. (Cybersecurity & Infrastructure Security Agency, 2021)
  • Ransomware attacks around the globe have gone up by 102 per cent in 2021 compared to 2020 (Checkpoint)
  • The industry sectors that are currently experiencing the highest volumes of ransomware attack attempts globally are (in No. of attack attempts per organization per week):
    Healthcare – 109
    Utilities Sector – 59
    Insurance/ Legal – 34
  • Organisations in the Asia Pacific (APAC) currently experience the highest volume of ransomware attacks with 51 attack attempts per week
  • In 2021, the largest ransomware payout was made by an insurance company at $40 million. (Business Insider, 2021)
  • From a survey conducted with 1,263 companies, 80% of victims who submitted a ransom payment experienced another attack soon after, and 46% got access to their data but most of it was corrupted. (Cybereason, 2021)

The following is a summary of the significant breaches in the month of May 2021.

Kaseya Ransomware Attack: What We Know as REvil Hackers Demand $70 Million

REvil ransomware conducted a massive attack through Kaseya VSA, a patch and remote management product, encrypting MSPs worldwide along with their customers. The zero-day Kaseya vulnerability was discovered by DIVD researcher Wietse Boonstra and was assigned the identifier CVE-2021-30116. Kaseya stated that REvil used the zero-day vulnerability in its on-premises VSA service to conduct the attack and that a patch would be released soon.
The REvil ransomware gang targeted MSPs with thousands of customers through what appears to be a Kaseya VSA supply-chain attack. Eight large MSPs are known to have been hit as part of it. Kaseya issued a security advisory on its help desk site, warning all VSA customers to immediately shut down their VSA servers to prevent the attack’s spread while it investigated.
Attack Summary:

  • Use the zero-day and SQL injection to infiltrate the Kaseya VSA server
  • Use the trusted channel to infiltrate the managed systems
  • Leverage that trust on the local host to run the main install command
  • Run a PowerShell command to stop Windows Defender
  • A renamed CERTUTIL.EXE decodes AGENT.EXE from AGENT.CRT
  • AGENT.EXE is executed and drops MSMPENG.EXE and MPSVC.DLL into C:\Windows
  • MSMPENG.EXE is executed and side-loads the REvil DLL
  • Files are encrypted and the ransom note is created
  • Netsh.exe turns on network discovery
  • Lateral movement to other Windows machines
  • Encryption continues

Cause: REvil used the zero-day vulnerability in Kaseya’s on-premises VSA service to conduct the attack.
Impact: Nearly 40 of the company’s on-premises MSP customers were affected; the ransomware attack hit multiple managed service providers and over a thousand of their customers.
Reference: BleepingComputer, NBC News
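As an added example, not taken from the original article or from Kaseya's or the researchers' material, the Python below sketches host-level detections for the execution steps listed above. The process-creation events, their field names and every file path in them are constructed for illustration.

```python
"""Detection heuristics for the Kaseya/REvil execution chain summarised above.
Events are constructed, hypothetical EDR process-creation records, not real telemetry."""
import re
from pathlib import PureWindowsPath

SAMPLE_EVENTS = [  # constructed sample data; field names are assumed
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "original": "PowerShell.EXE",
     "cmdline": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"image": r"C:\Windows\cert.exe", "original": "CertUtil.exe",
     "cmdline": r"cert.exe -decode C:\Temp\agent.crt C:\Temp\agent.exe"},
    {"image": r"C:\Windows\MsMpEng.exe", "original": "MsMpEng.exe", "cmdline": "MsMpEng.exe"},
    {"image": r"C:\Windows\System32\netsh.exe", "original": "netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
    # Benign controls: Defender engine in its normal directory, certutil under its own name
    {"image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2104.14\MsMpEng.exe",
     "original": "MsMpEng.exe", "cmdline": "MsMpEng.exe"},
    {"image": r"C:\Windows\System32\certutil.exe", "original": "CertUtil.exe",
     "cmdline": "certutil -verify server.cer"},
]

def check_event(ev):
    """Return the names of every heuristic the event trips (empty list if none)."""
    hits = []
    image = PureWindowsPath(ev["image"])
    name, parent = image.name.lower(), str(image.parent).lower()
    cmd, orig = ev["cmdline"], ev["original"].lower()
    # "Run PowerShell command to stop Windows Defender"
    if name == "powershell.exe" and re.search(r"Set-MpPreference\b.*-Disable\w+", cmd, re.I):
        hits.append("defender_tampering")
    # "Renamed CERTUTIL.EXE decodes AGENT.EXE from AGENT.CRT": PE original name says
    # certutil but the file runs under another name, or -decode writes an executable
    if orig == "certutil.exe" and name != "certutil.exe":
        hits.append("renamed_certutil")
    if orig == "certutil.exe" and re.search(r"-decode\b.*\.exe\b", cmd, re.I):
        hits.append("certutil_decode_to_exe")
    # "MSMPENG.EXE is executed and side-loads the REvil DLL": the Defender engine
    # launched from a directory where Defender is never installed
    if name == "msmpeng.exe" and "windows defender" not in parent:
        hits.append("msmpeng_outside_defender_dir")
    # "Netsh.exe turns on network discovery"
    if name == "netsh.exe" and re.search(r"network discovery.*enable=yes", cmd, re.I):
        hits.append("netsh_network_discovery")
    return hits

def scan(events=SAMPLE_EVENTS):
    """Map event index -> tripped heuristics, keeping only events that tripped any."""
    return {i: check_event(ev) for i, ev in enumerate(events) if check_event(ev)}
```

Each heuristic corresponds to one listed step, so a host showing several of them in sequence is a much stronger signal than any single hit; the two benign records show the checks stay quiet on ordinary Defender and certutil activity.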


Russian hackers had months-long access to Denmark’s central bank

Russian state hackers compromised Denmark’s central bank (Danmarks Nationalbank) and planted malware that gave them access to the network for more than half a year without being detected. The compromise came to light after technology publication Version2 obtained official documents from the Danish central bank through a freedom of information request.
The hackers, accused by the United States of working for Russian intelligence, were unusually sophisticated and modified code in SolarWinds network management software that was downloaded by 18,000 customers around the globe. The attackers could use SolarWinds to get inside a network and then create a backdoor for potential continued access.
Such a backdoor stood open at the Danish central bank for seven months until it was discovered by U.S. security firm FireEye, Version2 said, citing various documents it obtained under a freedom of information request, such as SolarWinds emails. This indicates that Denmark’s central bank was merely a victim of the larger attack and not a target of interest for the hackers.
Impact: Though the hackers had access for more than 6 months without being detected, no evidence of compromise was found.
Cause: It was part of the SolarWinds breach that happened last year (installation of a trojanized version of SolarWinds Orion).
Reference: BleepingComputer

Microsoft Discloses New Customer Hack Linked to SolarWinds Cyberattackers

Microsoft Corp. said hackers, linked by U.S. authorities to Russia’s Foreign Intelligence Service, installed malicious information-stealing software on one of its systems and used information gleaned there to attack its customers.
Microsoft is aware of three customers that were affected by the recent activity, the company said in a blog post. The hackers compromised a computer used by a Microsoft customer support employee that could have provided access to different types of information, including “metadata” of accounts and billing contact information. The actor used this information in some cases to launch highly targeted attacks as part of their broader campaign. Microsoft said that it has removed the access and secured the device.
The incident marks the second time in recent months that Russia-linked hackers have breached Microsoft’s networks. In December, Microsoft said Nobelium hackers had broken into the company’s networks to view internal source code used to build software products.
Cause: The hackers compromised a computer used by a Microsoft customer support employee that could have provided access to different types of information, including “metadata” of accounts and billing contact information.
Reference: WSJ

LinkedIn breach reportedly exposes data of 92% of users, including inferred salaries

A second massive LinkedIn breach reportedly exposes the data of 700M users, which is more than 92% of the total 756M users. The database is for sale on the dark web, with records including phone numbers, physical addresses, geolocation data, and inferred salaries.
RestorePrivacy reports that the hacker appears to have misused the official LinkedIn API to download the data, the same method used in a similar breach back in April. On June 22nd, a user advertised data from 700 million LinkedIn users for sale. The forum user posted a sample of the data covering 1 million LinkedIn users; the sample was found to be authentic and tied to real users.
Impact: 700M users’ data got exposed. The database is for sale on the dark web, with records including phone numbers, physical addresses, geolocation data, and inferred salaries.
Cause: Hacker exploited the LinkedIn API to harvest information that people upload to the site.
Reference: 9to5Mac

University Medical Center says hackers breached data server

The University Medical Center hospital in Nevada disclosed a security breach: hackers compromised its data servers and published online pictures of the allegedly stolen personal information.
In the first week of July, the threat actors published images of the driver’s licenses, passports and Social Security cards of about half a dozen alleged victims on their website. The news was reported by the Las Vegas Review-Journal; the incident took place in mid-June, and law enforcement was investigating the attack.
The hospital said that it has no evidence that the hackers breached any clinical systems. It is notifying patients and employees that their personal information may have been exposed and will offer identity protection and credit monitoring services to those impacted.
Cause: Hackers compromised the data server of the University Medical Center hospital.
Reference: AP News

More than 1 billion CVS data records accidentally exposed, researcher says

An unsecured database of more than a billion search records belonging to CVS Health was accidentally posted online and accessible to the public.
The non-password protected database was discovered at the end of March by independent cybersecurity researcher Jeremiah Fowler, who then alerted the company to the exposure. A CVS spokesperson confirmed that they immediately took down the database, which was hosted by a third-party vendor.
CVS released a statement: “We immediately investigated and determined that the database, which was hosted by a third party vendor, did not contain any personal information of our customers, members, or patients. As the researcher’s report indicates, there was no risk to customers, members or patients, and we worked with the vendor to quickly take the database down. We’ve addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter.”
Impact: More than 1 billion CVS data records exposed
Cause: Database without password protection, hosted by a third-party vendor of CVS Health
Reference: ABC7 Chicago

Microsoft’s incomplete PrintNightmare patch fails to fix vulnerability

Researchers have bypassed Microsoft’s emergency patch for the PrintNightmare vulnerability to achieve remote code execution and local privilege escalation with the official fix installed.
On 8th July, Microsoft released the out-of-band KB5004945 security update, which was supposed to fix the PrintNightmare vulnerability that researchers had disclosed by accident in June.
After the update was released, security researchers Matthew Hickey, co-founder of Hacker House, and Will Dormann, a vulnerability analyst at CERT/CC, determined that Microsoft had only fixed the remote code execution component of the vulnerability. Malware and threat actors could still use the local privilege escalation component to gain SYSTEM privileges on vulnerable systems, though only when the Point and Print policy is enabled.
Today, as more researchers modified their exploits and tested the patch, it was determined that exploits could bypass the patch entirely to achieve both local privilege escalation (LPE) and remote code execution (RCE).
Reference: BleepingComputer

Crackonosh: How hackers are using gamers to become crypto-rich

Gamers are being duped into helping hackers become rich, after downloading games laced with hidden malware. Versions of Grand Theft Auto V, NBA 2K19, and Pro Evolution Soccer 2018 are being given away free in forums.
But hidden inside the code of these games is a piece of crypto-mining malware called Crackonosh, which secretly generates digital money once the game has been downloaded.
When Crackonosh is installed, it takes actions to protect itself including:

  • disabling Windows Updates
  • uninstalling all security software

The researchers, at Avast, say the “cracked” games are spreading Crackonosh fast and the cyber-security software company is now detecting about 800 cases on computers every day.
Reference: BBC

30M Dell Devices at Risk for Remote BIOS Attacks, RCE

A high-severity series of four vulnerabilities can allow remote adversaries to gain arbitrary code execution in the pre-boot environment on Dell devices, researchers said. They affect an estimated 30 million individual Dell endpoints worldwide.
According to an analysis from Eclypsium, the bugs affect 129 models of laptops, tablets and desktops, including enterprise and consumer devices, that are protected by Secure Boot. The bugs allow privileged network adversaries to circumvent Secure Boot protections, control the device’s boot process, and subvert the operating system and higher-layer security controls, researchers at Eclypsium said. They carry a cumulative CVSS score of 8.3 out of 10.
The issues affect the BIOSConnect feature within Dell SupportAssist (a technical support solution that comes preinstalled on most Windows-based Dell machines). BIOSConnect is used to perform remote OS recoveries or to update the firmware on the device.
Vulnerabilities in the BIOSConnect:

  • CVE-2021-21571 – The Dell UEFI BIOS HTTPS stack, leveraged by the Dell BIOSConnect feature and the Dell HTTPS Boot feature, contains an improper certificate validation vulnerability. A remote unauthenticated attacker may exploit this vulnerability using a person-in-the-middle attack, which may lead to a denial of service and payload tampering.
  • CVE-2021-21572, CVE-2021-21573, CVE-2021-21574 – The Dell BIOSConnect feature contains a buffer overflow vulnerability. An authenticated malicious admin user with local access to the system may potentially exploit this vulnerability to run arbitrary code and bypass UEFI restrictions.

Dell has now pushed out BIOS patches for all of the affected systems. For details, please refer to Dell’s advisory on the multiple vulnerabilities.
Reference: Threatpost
