
Ransomware Type Can be Customized for Victims
A new ransomware family discovered in the wild, Agenda, has targeted healthcare and education organizations. It reportedly allows actors to tailor the binary payload for each victim, choosing the ransom note, the encryption settings, and the list of processes and services to terminate before data is encrypted. The ransomware also takes advantage of Windows safe mode to avoid detection.
Action Items:
- See Trend Micro’s account of an attempt on one of its clients.
- See more details in Hacker News
Zeppelin Ransomware
The FBI and CISA warn of Zeppelin ransomware, a derivative of the Delphi-based Vega malware family that functions as Ransomware as a Service. Since 2019, actors have used the malware to target defense contractors, educational institutions, manufacturers, technology companies, and healthcare organizations.
With this ransomware, actors gain access to networks through RDP exploitation, SonicWall firewall vulnerabilities, and phishing campaigns. Before deploying the ransomware, actors spend one to two weeks mapping the victim network to identify cloud storage and network backups.
Action Items:
- Review the brief at gov
- Strengthen your password policy
- Require multifactor authentication (MFA)
- Keep all software and firmware up to date
- Segment networks
- Use a monitoring tool to identify unusual activity
- Grant permissions based on the principle of least privilege
- Maintain offline backups of data and ensure all backup data is encrypted and immutable
- Implement a recovery plan
- Download the YARA signature for Zeppelin
Multiple CVEs Exploited in Zimbra Collaboration Suite
The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) report that actors are exploiting multiple common vulnerabilities and exposures (CVEs) in the Zimbra Collaboration Suite (ZCS), a collaboration and email platform.
CVEs include:
- CVE-2022-24682
- CVE-2022-27924
- CVE-2022-27925 chained with CVE-2022-37042
- CVE-2022-30333
Unpatched ZCS instances are at risk.
Action Items:
CISA and MS-ISAC recommend:
- Upgrading to the latest ZCS version
- Testing your incident response plan
- Following your vulnerability management strategy
- Ensuring internet-facing devices are properly configured
- Adopting zero-trust principles
- Referring to Volexity’s “Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925” for mitigation steps
DeFi Vulnerabilities Enable Hackers to Steal Cryptocurrency
The FBI has identified actors exploiting vulnerabilities in DeFi smart contracts to steal investors’ cryptocurrency. The FBI reports that actors have stolen approximately $2.3 billion from January to March 2022, with almost 97 percent from DeFi platforms.
Action Items:
- Research platforms, protocols, and smart contracts before investing
- Ensure the DeFi platform has used independent auditors for code audits
- Stay alert to risks from crowdsourced solutions for vulnerability identification and patching; some participants may have malicious intentions.
- Victims should contact the FBI through their local field office or the Internet Crime Complaint Center.
Actor Uses Discord to Steal Data
Snyk security researchers, who monitor open source ecosystems, have found 12 unique malicious packages from the same actor. The packages were designed to avoid detection while they infiltrated Windows hosts, downloaded malicious executables from the Discord content delivery network (CDN), and ran them on the host.
The malware targets data stored by user applications. When executed, it attempts to steal Google Chrome passwords, cookies, web history, search history, and bookmarks. With that information, actors can use the stolen credentials to access the victim’s accounts.
Action Items:
- See the Snyk blog for the cyphers package, including a deep look at the malware’s executables.
- Update security policies to prohibit users on your network from visiting sites other than those necessary for work.
For more security updates and insights, visit DevPro Journal’s Security resources page.