Weekly Cyber News Roundup

March 13th to 17th 2023

Content

01. This week’s observation from our Incident Response Team 
02. Vulnerabilities
03. News Bites
  • UK crypto startup Euler Labs has $199 million stolen in cyber attack 

  • Prestigious Norfolk school  hit by cyber attack 

  • Warning as Medusa Ransomware Gang increases its activities 

  • ALPHV Ransomware gang claims to have hacked Ring 
04. Conclusion

A Note From The Cyber Threat Response Team

Ransomware gangs are hitting the headlines again this week with perhaps the biggest story being that of a suspected ransomware attack against video surveillance company, Ring. Speculation as to whether the company has been attacked is high after the ransomware gang ALPHV listed Ring as one of its victims on its website. Ring however, has not revealed whether it has been targeted. 

Companies shouldn’t panic when they are targeted by ransomware gangs in such a way as until evidence to the contrary is produced is just one word against the other. Companies don’t need to disclose anything at any time and responding to pressure from threat actors or the press might make things worse so it’s good to maintain a long-term strategy for public engagement and disclosure. 

Vulnerabilities 

On Tuesday, Adobe urgently cautioned users about limited attacks leveraging an unpatched flaw in their ColdFusion web development platform. This warning was included in a high-priority advisory that offers fixes for 2018 and 2021 ColdFusion versions. 

The company acknowledged the in-the-wild exploitation of CVE-2023-26360, targeting Adobe ColdFusion, without divulging further information about these occurrences. 

Adobe's PSIRT indicated that the patches address software glitches, potentially resulting in arbitrary code execution, unauthorized file system access, and memory leaks. 

The exploited vulnerability is described as a critical unauthorized file system read vulnerability, scoring 8.6 out of 10 on the CVSS scale. Additionally, the ColdFusion update addresses another critical flaw (CVSS 9.8) that could instigate code execution attacks. 

In total, Adobe unveiled fixes for a whopping 106 vulnerabilities across numerous products, some severe enough to expose Windows and macOS users to remote code execution attacks, including: 

Moreover, the company patched a critical vulnerability in the widely-used Adobe Photoshop (Windows and macOS), an isolated code execution flaw in the Adobe Creative Cloud desktop application, and 16 new issues in the Adobe Substance 3D Stager. 

This week also saw Microsoft’s Patch Tuesday which saw the company deliver fixes for 76 CVE-numbered vulnerabilities, including two actively exploited in the wild (CVE-2023-23397, CVE-2023-24880) by different threat actors. 

CVE-2023-23397 represents a severe EoP flaw in Microsoft Outlook, activated when an attacker transmits a message containing an extended MAPI property linked to a UNC path on an SMB (TCP 445) share hosted by a server under the threat actor's control. This process does not necessitate any user involvement. 

CVE-2023-24880 is a security flaw that enables threat actors to circumvent the Windows SmartScreen functionality. Exploiting this vulnerability involves creating a malevolent file that can elude the MOTW safeguards, resulting in the non-activation of protective features such as Windows SmartScreen and Microsoft Office Protected View. 

We recommend that you patch these vulnerabilities as soon as possible. 

Quick News Bites

UK crypto startup Euler Labs has $199 million stolen in cyber attack 

UK-based crypto startup Euler Labs has experienced a catastrophic cyber-attack, resulting in the theft of nearly $199 million from its DeFi lending platform. 

Euler Labs offers a DeFi protocol on Ethereum, enabling users to lend and borrow a wide range of cryptocurrencies. Unfortunately, hackers exploited a weakness in the platform's code, allowing them to abscond with roughly $199 million in various digital currencies, including USDC ($34.1m), Dai ($8.8m), Wrapped Bitcoin ($18.9m), and Staked Ether ($137.1m), as per blockchain analytics firm Elliptic. 

Elliptic further explained that the heist involved "flash loan attacks," which entail obtaining substantial, short-term, unsecured crypto loans from a DeFi service and utilising the borrowed funds to manipulate the market and other DeFi services for personal gain. The stolen proceeds are reportedly being laundered through Tornado Cash, a decentralized mixer previously sanctioned by the US government. 

According to Elliptic, the funds employed in the attack originated from a Monero wallet. Although Monero is a private coin lacking a public transaction ledger, Elliptic's investigative tools can track these funds. The company also cooperated with UK and US law enforcement agencies and attempted to communicate with the perpetrators to explore potential options. 

Euler Labs highlighted that previous audits of its lending protocol failed to detect the exploited vulnerability. 

Prestigious Norfolk school  hit by cyber attack 

Students at a renowned Norfolk educational institution are grappling with interruptions following a complex cyber-attack on the school. 

Wymondham College warned that the disturbance could persist until the Easter break due to the assault on its IT infrastructure. 

According to local media reports the school is currently collaborating with the Department of Education and the National Cyber Security Centre to address the issue. 

Schools, colleges, and universities are often targeted by hackers and cybercriminals due to these institutions typically storing a wealth of sensitive information, including personal data, financial records, and intellectual property, making them attractive targets for data theft and extortion. 

Unfortunately, educational institutions typically have less robust security measures in place compared to other organisations, given the open nature of their networks and the need to accommodate a diverse range of users and devices. Underfunded IT departments and insufficient cybersecurity training for staff and students also contributes to vulnerabilities.  

Warning as Medusa Ransomware Gang increases its activities 

The Medusa ransomware campaign, known for demanding million-dollar ransoms from corporate targets worldwide, has gained momentum in 2023. 

Although the operation commenced in June 2021, it initially experienced limited activity and impacted few victims. Nevertheless, in 2023, the Medusa gang intensified their efforts, launching the "Medusa Blog" to publicise data from victims who declined to meet ransom demands. The group hit the headlines this week after claiming responsibility for an attack on the Minneapolis Public Schools (MPS) district and releasing a video showcasing the stolen information. 

Multiple malware are named Medusa, such as a Mirai-based botnet with ransomware capabilities, Medusa Android malware, and the well-known MedusaLocker ransomware operation. This shared name has led to confusion in reporting, as some mistakenly believe that the current Medusa campaign is the same as MedusaLocker. However, these are different operations. The Medusa ransomware campaign began in June 2021, utilising a ransom note titled !!!READ_ME_MEDUSA!!!.txt and a consistent encrypted file extension of .MEDUSA. 

Moreover, the Medusa operation employs a Tor website to facilitate ransom negotiations. As with many ransomware campaigns targeting enterprises, Medusa operates a data leak site called "Medusa Blog." This platform serves as a component of the gang's double-extortion strategy, disclosing data from victims who refuse to pay ransoms. 

Currently there are no known weaknesses in the Medusa Ransomware encryption that allow victims to recover their files for free.  

ALPHV Ransomware gang claims to have hacked Ring 

A well-known ransomware group has issued threats to disclose data allegedly associated  with Ring, the Amazon-owned video surveillance firm. 

On Monday, the ALPHV ransomware collective listed Ring as a target on its dark web site. The Russia-affiliated group stated, "There's always an option to let us leak your data.” 

The specific data ALPHV possesses remains unclear, and the gang has not provided any proof of data exfiltration. Employing tactics similar to other ransomware groups, ALPHV not only encrypts the victim's data but also exfiltrates it beforehand, aiming to extort the victim by threatening to expose the pilfered information. 

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.

Need advice?

If you are worried about any of the threats outlined in this roundup or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or fill in the form for a complimentary no-commitment consultation.

More detailed threat intelligence news?

If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.

We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.

Security-first-stacked-logo4-No-Padding

Cyber Security Conference

LONDON | 28 April 2022
DUBLIN | 11 May 2022

Join us in Dublin or London for the Security First 2022 conference.  We'll be bringing together industry professionals and specialist experts to discuss the latest cyber security trends and offer actionable advice on preparing your business to put security first in 2022.