Canary Trap’s Bi-Weekly Cyber Roundup
- by nlqip
Welcome to this week’s edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity and this bi-weekly publication is your gateway to the latest news.
In a week dominated by the CrowdStrike incident, we will review the latest updates on the global IT crisis. First, however, we’ll cover some other news: a new Linux ransomware has been discovered, and the largest trial court in the U.S. has fallen victim to a ransomware attack.
-
New Linux Variant of Play Ransomware Targeting VMWare ESXi Systems
Cybersecurity researchers have uncovered a new Linux variant of the Play ransomware, targeting VMware ESXi environments. This development indicates the Play ransomware group is expanding its attacks across the Linux platform, increasing its potential victim pool and likelihood of successful ransom negotiations.
Play ransomware, which first emerged in June 2022, is known for its double extortion tactics, encrypting systems after exfiltrating sensitive data and demanding payment for a decryption key. As of October 2023, approximately 300 organizations have been victimized by the Play ransomware group.
Trend Micro’s data for the first seven months of 2024 shows the U.S. with the highest number of victims, followed by Canada, Germany, the U.K., and the Netherlands. The most affected industries include manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate.
The analysed Linux sample was found in a RAR archive containing tools previously used in the group’s attacks. Although no actual infection has been observed, the C&C server hosts tools commonly used by Play ransomware, suggesting that the Linux variant employs similar tactics. Upon execution, the ransomware confirms it is running in an ESXi environment before encrypting virtual machine (VM) files and appending the “.PLAY” extension. A ransom note is then placed in the root directory.
The Play ransomware group is leveraging services and infrastructure provided by Prolific Puma, which offers an illicit link-shortening service to aid in evading detection while distributing malware. This service employs a registered domain generation algorithm (RDGA) to create new domain names, a tactic used for phishing, spam, and malware distribution. RDGAs are challenging to detect and defend against because they allow threat actors to generate and register numerous domain names for various malicious activities. Unlike traditional DGAs, RDGAs keep the algorithm secret, and all domain names are registered by the threat actors. ESXi environments are particularly valuable targets due to their critical role in business operations and the valuable data they contain, making them highly lucrative targets for cybercriminals.
The findings suggest a collaboration between two cybercriminal entities, with Play ransomware actors using Prolific Puma’s services to circumvent security protocols.
-
California Officials Say Largest Trial Court in US Victim of Ransomware
A ransomware attack has disabled the computer system of the Superior Court of Los Angeles County, the largest trial court in the United States, officials announced. The Superior Court of Los Angeles County is the largest unified superior court in the U.S., serving 10 million residents across 36 courthouses. In 2022, nearly 1.2 million cases were filed, and 2,200 jury trials were conducted in this jurisdiction.
The cyberattack began early Friday. Officials stated that it is not believed to be linked to the recent faulty CrowdStrike software update, which has caused disruptions across airlines, hospitals, and governments worldwide. Upon discovering the attack, the court immediately disabled its computer network systems, which are expected to remain offline through at least the weekend. A preliminary investigation has found no evidence that court users’ data was compromised, according to the court’s statement. The affected systems span the court’s entire operation, including external systems such as the MyJuryDuty Portal and the court’s website, as well as internal systems such as case management. The Monday closure will affect all 36 courthouse locations in the county. The investigation involves the California Governor’s Office of Emergency Services and multiple law enforcement agencies. The court credited its heavy investment in cybersecurity for the quick response.
While progress towards restoration has been swift, many critical systems remained offline as of Sunday evening. The additional day of closure will allow the court’s team to focus on bringing systems back online for a smooth resumption of operations. Officials do not anticipate the court system being closed beyond Monday. Court staff, in collaboration with outside consultants, vendors, other courts, and law enforcement, have been diligently working to restore network systems. Despite significant progress, some challenges remain.
This hack marks the second significant cyber-attack against a major Los Angeles public agency in recent years, following the Los Angeles Unified School District ransomware attack in September 2022.
On Saturday, Microsoft reported that a faulty software update from CrowdStrike affected an estimated 8.5 million Windows devices, causing widespread IT outages across the globe. Despite less than one percent of all Windows machines being affected, Microsoft has deployed hundreds of engineers and experts to assist customers in restoring services. The issue stemmed from a routine sensor configuration update pushed to Windows systems on July 19, 2024, at 04:09 UTC, which triggered a logic error causing critical systems to blue-screen worldwide. Microsoft emphasized that although the percentage of affected devices was small, the economic and societal impacts were significant due to the widespread use of CrowdStrike by enterprises providing critical services. The incident has been described by mainstream media as “chaos” and “disaster” and is potentially one of the worst cyber failures in history. The faulty update caused major outages across several industries, including aviation, financial services, healthcare, and education. CNN reported over 1,500 flight cancellations and thousands of delays for the third consecutive day on Sunday.
CrowdStrike, known for its security software designed to protect systems from external threats, released the faulty update to its Falcon Sensor software, impacting millions of PCs globally. This update, referred to as a “Channel File,” was intended to identify new malicious activity by cybercriminals.
Despite having a .sys extension, the file was not a kernel driver but interacted with other Falcon components at the kernel level. CrowdStrike attributed the issue to a “logic error” in the update, which caused PCs and servers to crash almost immediately.
Repairing the damage is labor-intensive: each affected PC must be rebooted into the Windows Recovery Environment and the faulty file removed manually from the command line. If the system drive is protected by BitLocker encryption, the drive’s unique 48-character recovery key is needed before it can be accessed and fixed. To aid in the recovery, Microsoft released a USB tool designed to help IT administrators repair impacted Windows clients and servers. To use this tool, users need a Windows 64-bit client with at least 8GB of free space and administrative privileges to create the bootable USB drive.
The situation has drawn comparisons to a similar incident from 14 years ago. In 2010, McAfee released a defective antivirus update that mistakenly flagged a critical Windows file as a virus, leading to widespread system failures and network access issues. Both incidents involved flawed updates pushed to millions of devices, requiring extensive manual intervention to resolve.
Microsoft noted in a blog post that this incident highlights the interconnected nature of the tech ecosystem, involving global cloud providers, software platforms, security vendors, and customers. They stressed the importance of prioritizing safe deployment and disaster recovery mechanisms. The company also acknowledged the sector-wide cooperation and collaboration over the past two days and promised to continue providing updates and next steps as they learn and recover from the incident.
While CrowdStrike and Microsoft have provided tools and resources to help affected organizations restore their systems, individuals and organizations have been warned that financially motivated threat actors have seized the opportunity to exploit the chaos. With many people and organizations scrambling to find information and fixes, these actors are using the confusion for phishing, scams, and malware distribution.
Threat intelligence firm ThreatMon reported the distribution of malicious archive files named ‘crowdstrike-hotfix’ delivering HijackLoader payloads to customers in Latin America. Malware analysis service Any.Run confirmed these hotfixes deliver Remcos, a remote access tool (RAT) that enables attackers to control infected devices.
Any.Run also detected a campaign distributing a data wiper disguised as a CrowdStrike update. This wiper, which destroys data by overwriting files with zero bytes, was reported over Telegram. A hacktivist group claimed responsibility for this attack, using emails from a domain similar to CrowdStrike’s to deceive targeted companies. Since Friday, dozens of domains referencing CrowdStrike have been registered, many of which could be used for malicious purposes, such as hosting phishing pages, malware, or scams. Some of these domains offer ‘fixes’ that users must pay for in cryptocurrency.
Government agencies have issued warnings to users and organizations. The UK’s NCSC noted an increase in phishing related to the outage, and the US’s CISA also reported seeing phishing and other malicious activities. CISA urged organizations and individuals to stay vigilant and only follow instructions from legitimate sources, recommending organizations to remind employees to avoid clicking on phishing emails or suspicious links. CrowdStrike has confirmed that it is actively assisting affected customers and advises verifying communications through official channels to avoid falling victim to scams. CEO George Kurtz emphasized the importance of engaging only with legitimate representatives and using CrowdStrike’s blog and technical support for updates.
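A defender-side check suggested by the lookalike-domain and phishing warnings above, as an added example that is not from the roundup or from any vendor: it scores sender domains against a small allow-list and flags typosquats and unknown domains that mention CrowdStrike. The allow-list, the keyword list and the sample addresses are assumptions constructed for this example.

```python
# Assumed allow-list of domains the organisation legitimately expects mail from
# during the outage (an assumption for this example, not from the page).
TRUSTED_DOMAINS = {"crowdstrike.com", "microsoft.com"}
# Terms that a brand-new, unknown domain has no business using.
KEYWORDS = ("crowdstrike", "hotfix", "falcon")

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain: str) -> tuple[str, str]:
    """Return (verdict, reason) for a sender or newly registered domain."""
    d = domain.lower().rstrip(".")
    if d in TRUSTED_DOMAINS:
        return "trusted", "exact allow-list match"
    for t in TRUSTED_DOMAINS:
        if d.endswith("." + t):
            return "trusted", f"subdomain of {t}"
    # Registrable part = last two labels; good enough for .com-style names.
    base = ".".join(d.split(".")[-2:])
    for t in TRUSTED_DOMAINS:
        dist = levenshtein(base, t)
        if 0 < dist <= 2:  # e.g. crowdstrlke.com, cr0wdstrike.com, crowdstrike.co
            return "lookalike", f"{base} is within edit distance {dist} of {t}"
    for kw in KEYWORDS:
        if kw in d:
            return "suspicious", f"unknown domain references '{kw}'"
    return "unknown", "no match against allow-list or keywords"

# Constructed sample sender addresses, not indicators from any real campaign.
SAMPLE_SENDERS = [
    "support@crowdstrike.com",
    "alerts@mail.crowdstrike.com",
    "helpdesk@crowdstrlke.com",
    "fix@crowdstrike-hotfix.com",
    "billing@example.org",
]

def triage_senders(addresses: list[str]) -> dict[str, str]:
    """Map each sender address to the verdict for its domain."""
    return {a: classify_domain(a.rsplit("@", 1)[-1])[0] for a in addresses}
```

Anything scored "lookalike" or "suspicious" is a candidate for quarantine and for cross-checking against CrowdStrike’s official channels before anyone acts on it.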
This outage has underscored the significant business continuity risks associated with concentrating the world’s technology infrastructure within a few major firms, experts warn.
Aleksandr Yampolskiy, CEO and co-founder of SecurityScorecard, highlighted a study from May 2024 showing that just 150 companies are responsible for 90% of the global attack surface. More concerning, 62% of this attack surface is concentrated within the portfolios of only 15 tech firms, including Microsoft. The study, based on SecurityScorecard’s proprietary rating system, found that these 15 companies had below-average cybersecurity risk ratings. This poses a serious concern, given that ransomware gangs and other threat actors often exploit third-party vulnerabilities on a large scale.
Yampolskiy emphasized that the CrowdStrike incident highlights the growing importance of knowing your supply chain (KYSC) for operational resilience. IT teams must gain a clearer understanding of their dependencies and those of their tech suppliers. This knowledge is crucial for effectively responding to outages, whether caused by malicious cyber-attacks, human error, or other factors.