GLOBAL RANSOMWARE ATTACKS IN 2020: THE TOP 4 VULNERABILITIES

Our team recently investigated the prominent ransomware attacks reported since the beginning of 2020 in order to draw general conclusions about these attacks and to reveal commonalities between them. We also wanted to better understand the threat they pose and how to protect against it. While examining approximately 180 different ransomware incidents, we found that the most targeted sectors were Technology (11%), Government (10%), Critical Infrastructure (8.6%), Healthcare and Pharmaceutical (8%), Transportation (7%), Manufacturing (6%), Financial Services (5%) and Education (4%). We also found that Sodinokibi/REvil, Maze and Ryuk are the most active ransomware strains.

A very interesting finding of our investigation was that the operators behind these ransomware attacks commonly abused four notable vulnerabilities, which are discussed in detail in this blog post. This highlights the importance of timely installation of security updates as a defense mechanism to minimize the risk of ransomware and other malware attacks.

Here they are: the four top vulnerabilities abused in 2020 ransomware attacks (ordered from most to least abused):

  • CVE-2019-19781
  • CVE-2019-11510
  • CVE-2012-0158
  • CVE-2018-8453

Let’s take a closer look:

CVE-2019-19781

CVE-2019-19781 Characteristics

The CVE-2019-19781 vulnerability affects remote access appliances manufactured by Citrix, whose products are used by numerous organizations. The vulnerability was publicly disclosed at the end of December 2019 and fixed a month later. The vulnerability affects Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC. Successful exploitation of the vulnerability could allow an unauthenticated attacker to connect remotely and execute arbitrary code on the affected computer.

Since the vulnerability was disclosed, it has been successfully exploited by threat actors in a significant number of incidents. In January 2020, security researchers reported that the REvil gang leveraged the vulnerability in its attack against the Gedia Automotive Group. No technical details about the attack were disclosed, but from the information published by the attackers, it appears the company used the vulnerable products. The Ragnarok ransomware gang also exploited this vulnerability in January 2020. The attackers exploited the vulnerability to download scripts and scan the targeted network for computers vulnerable to EternalBlue.

In February 2020, the cloud company Bretagne Telecom reportedly suffered a cyber-attack by cybercriminals operating the DopplePaymer ransomware. The DopplePaymer gang stated it carried out the attack in the first half of January 2020, when a fix for the vulnerability had still not been released. This suggests the attackers discovered the vulnerability even earlier. At the end of March 2020, it was reported that the MAZE ransomware gang had also leveraged the vulnerability in an attack on the cyber insurance company Chubb.

In a different incident from the beginning of June 2020, it was reported that the IT services giant Conduent had also fallen victim to a MAZE gang ransomware attack. According to reports online, MAZE targeted a Citrix server of the company that was not patched or properly updated. On June 22, 2020, it was reported that the Indian conglomerate Indiabulls had suffered a cyber-attack carried out by the CLOP ransomware operators. Cyber security company Bad Packets reported that Indiabulls used Citrix NetScaler ADC VPN Gateway, which was vulnerable to CVE-2019-19781. However, the company did not confirm that this vulnerability was exploited in the attack. Recently, the New Zealand CERT (CERT NZ) reported that many threat actors are leveraging this vulnerability, and the Nephilim ransomware gang may have also attempted to exploit it.

CVE-2019-11510

CVE-2019-11510 Characteristics

The CVE-2019-11510 vulnerability affects Pulse Secure VPN products. It allows attackers to remotely access the targeted network, remove multi-factor authentication protections and access the logs that contain cached passwords in plain text. Although the vulnerability has been publicly disclosed for some time now and was patched back in April 2020, many organizations have not yet patched it and remain exposed to attacks.

In recent months, the vulnerability was reportedly exploited successfully in a number of ransomware incidents. In two incidents, the attackers gained domain admin privileges and used VNC, open-source remote access software, to perform lateral movement on the targeted network. Then, the attackers turned off security software and infected the systems with the REvil ransomware. The most notable ransomware attack affected Travelex at the end of December 2019. The company did not patch its VPN solution, which allowed the REvil ransomware gang to carry out a successful attack that paralyzed the company’s systems for a number of weeks, persisting into 2020.

In another incident reported in April 2020, the IT systems of several hospitals and government entities in the US were infected with an unknown ransomware by nation-state threat actors. In addition, in June 2020, the operators of the Black Kingdom ransomware reportedly attempted to exploit the vulnerability as well.

CVE-2012-0158

CVE-2012-0158 Characteristics

CVE-2012-0158 is an old vulnerability in Microsoft products, but it is still one of the most exploited vulnerabilities in recent years, according to US-CERT. In December 2019, our team also reported that it is one of the top 20 vulnerabilities to be patched before 2020, based on the number of times it has been exploited by sophisticated cyber-attack groups operating in the world today. The vulnerability allows the attacker to remotely execute code on the victim’s computer through a specially crafted website, Office document or .rtf document.

In recent months, security researchers reported exploitation attempts for the CVE-2012-0158 vulnerability in COVID-19-related attacks. The researchers reported attack attempts against medical and academic organizations in Canada. One of the campaigns included infection attempts with the EDA2 ransomware, a strain of a wider ransomware family known as HiddenTear. The attackers used an email address that resembles and imitates the legitimate address of the World Health Organization. The phishing emails sent to the targeted organizations contained malicious files designed to exploit this vulnerability to execute code remotely and infect them with the ransomware. An additional phishing campaign attempted to infect victims from the above-mentioned organizations with a ransomware dubbed RASOM.

CVE-2018-8453

CVE-2018-8453 Characteristics

CVE-2018-8453 resides in the win32k.sys component of Windows, which fails to properly handle objects in memory. Successful exploitation can allow an attacker to run arbitrary code in kernel mode; install programs; view, change, or delete data; or create new accounts with full user rights.

The Sodinokibi/REvil ransomware was first spotted exploiting CVE-2018-8453 in 2019 in multiple attacks in the Asia-Pacific region, including Taiwan, Hong Kong, and South Korea. In July 2020, it was reported that the same ransomware gang exploited it again against the Brazil-based electrical energy company Light S.A. The attackers first demanded a ransom of 106,870.19 XMR (Monero), and after the deadline had passed, the ransom doubled to 215,882.8 XMR, which amounts to approximately $14 million.

SUMMING UP: THE PATCHING PARADOX

In an ideal world, organizations would patch every new vulnerability as soon as it is discovered. In real life, this is impossible. Security analysts responsible for vulnerability management activities face multiple challenges that result in what the industry calls “The Patching Paradox”: common sense tells you to keep every system up to date in order to be protected, but this is not possible due to limited resources, the existence of legacy systems and slow implementation of patches. The goal of this analysis is to provide security professionals with an incentive to improve their patch management activities.

The Top 20 Vulnerabilities to Patch before 2020

Published first in Dark Reading by Kelly Sheridan.

In an ideal world, organizations would patch every new vulnerability as soon as it is discovered. In real life, this is impossible. Security analysts responsible for vulnerability management activities face multiple challenges that result in what the industry calls “The Patching Paradox” – common sense tells you to keep every system up to date in order to be protected, but this is not possible due to limited resources, the existence of legacy systems and slow implementation of patches.

Verint’s Cyber Threat Intelligence (CTI) Group analyzed the top 20 vulnerabilities that are currently exploited by attack groups worldwide. The goal of this analysis is to provide security professionals with an incentive to improve their patching management activities.

Key Findings:

  • 34% of the attacks exploiting these vulnerabilities originated in China
  • 45% of the vulnerabilities affect Microsoft products
  • Vulnerabilities from as early as 2012 (!) are still used to carry out successful attacks

According to the National Vulnerability Database (NVD), since 2016 we have seen an increase of ~130% in the number of disclosed vulnerabilities, or, in other words, an average of ~45 new vulnerabilities per day, as the graph below shows. Additional statistics reveal that almost 60% of all vulnerabilities are classified as ‘Critical’ or ‘High’.

[Graph: NVD_data, disclosed vulnerabilities per year according to the NVD]

Recent threat intelligence gathered by Verint and Thales Group about 66 attack groups operating globally revealed that advanced threat actors leverage old vulnerabilities that are left unpatched. To make things even more complicated, according to a recent study by the Ponemon Institute for ServiceNow, 60% of breaches were linked to a vulnerability for which a patch was available but not applied.

So, How Can We Clean Up The Mess?

Operational Threat Intelligence – Each CVE is given a severity score. However, these scores do not necessarily represent the actual risk for the organization. For example, CVE-2018-20250 (WinRAR vulnerability) has a CVSS (Common Vulnerability Scoring System) base score of 7.8 (‘High’) in NVD and 6.8 (‘Medium’) in ‘CVE Details’. This vulnerability has been exploited by at least five different APT groups, from different locations, against targets in the U.S., South East Asia, Europe, and The Middle East and against a wide range of industries, including Government Agencies, Financial Services, Defense, Energy, Media and more. This information clearly indicates the criticality of the vulnerability and the urgency for immediate patching.

Other contextual data that should influence your patching prioritization process include which vulnerabilities threat actors are currently discussing on the Dark Web and which exploits are currently under development. Threat intelligence is key when we try to determine which vulnerabilities are critical to our organization. Maintaining a knowledge base of exploited vulnerabilities, indexed by the attack groups leveraging them, provides a solid starting point for vulnerability prioritization. In addition, having information about the attack groups – for example their capabilities, TTPs and the industries and countries they target – helps to better evaluate the risk and prioritize patching activities.

The Top 20 Vulnerabilities to Patch Now

Verint’s CTI Group constantly monitors different intelligence data sources and creates daily CTI feeds, which include the latest daily cyber activities. The analysis below is based on over 5,300 feeds and other intelligence items the group has analyzed in the past 2.5 years, covering over 800 CVEs.

The 20 vulnerabilities were extracted based on the number of times they have been exploited by sophisticated cyber-attack groups operating in the world today (from high to low):

| No. | CVE | Products Affected by CVE | CVSS Score (NVD) | First-Last Seen (#Days) | Examples of Threat Actors |
| --- | --- | --- | --- | --- | --- |
| 1 | CVE-2017-11882 | Microsoft Office | 7.8 | 713 | APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), Cloud Atlas (Unknown), FIN7 (Russia) |
| 2 | CVE-2018-8174 | Microsoft Windows | 7.5 | 558 | Silent Group (Russia), Dark Hotel APT (North Korea) |
| 3 | CVE-2017-0199 | Microsoft Office, Windows | 7.8 | 960 | APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Gorgon Group (Pakistan), Gaza Cybergang (Iran) |
| 4 | CVE-2018-4878 | Adobe Flash Player, Red Hat Enterprise Linux | 9.8 | 637 | APT37 (North Korea), Lazarus Group (North Korea) |
| 5 | CVE-2017-10271 | Oracle WebLogic Server | 7.5 | 578 | Rocke Gang (Chinese Cybercrime) |
| 6 | CVE-2019-0708 | Microsoft Windows | 9.8 | 175 | Kelvin SecTeam (Venezuela, Colombia, Peru) |
| 7 | CVE-2017-5638 | Apache Struts | 10 | 864 | Lazarus Group (North Korea) |
| 8 | CVE-2017-5715 | ARM, Intel | 5.6 | 424 | Unknown |
| 9 | CVE-2017-8759 | Microsoft .NET Framework | 7.8 | 671 | APT40 (China), Cobalt Group (Spain, Ukraine), APT10 (China) |
| 10 | CVE-2018-20250 | RARLAB WinRAR | 7.8 | 189 | APT32 (Vietnam), APT33 (Iran), APT-C-27 (Iran), Lazarus Group (North Korea), MuddyWater APT (Iran) |
| 11 | CVE-2018-7600 | Debian, Drupal | 9.8 | 557 | Kelvin SecTeam (Venezuela, Colombia, Peru), Sea Turtle (Iran) |
| 12 | CVE-2018-10561 | DASAN Networks | 9.8 | 385 | Kelvin SecTeam (Venezuela, Colombia, Peru) |
| 13 | CVE-2017-17215 | Huawei | 8.8 | 590 | ‘Anarchy’ (Unknown) |
| 14 | CVE-2012-0158 | Microsoft | N/A; 9.3 (according to cvedetails.com) | 2690 | APT28 (Russia), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Lotus Blossom (China), Cloud Atlas (Unknown), Goblin Panda (China), Gorgon Group (Pakistan), APT40 (China) |
| 15 | CVE-2014-8361 | D-Link, Realtek | N/A; 10 (according to cvedetails.com) | 1644 | ‘Anarchy’ (Unknown) |
| 16 | CVE-2017-8570 | Microsoft Office | 7.8 | 552 | APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT23 (China) |
| 17 | CVE-2018-0802 | Microsoft Office | 7.8 | 574 | Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Cloud Atlas (Unknown), Goblin Panda (China), APT23 (China), APT27 (China), Rancor Group (China), Temp.Trident (China) |
| 18 | CVE-2017-0143 | Microsoft SMB | 8.1 | 959 | APT3 (China), Calypso (China) |
| 19 | CVE-2018-12130 | Fedora | 5.6 | 167 | Iron Tiger (China), APT3 (China), Calypso (China) |
| 20 | CVE-2019-2725 | Oracle WebLogic Server | 9.8 | 144 | Panda (China) |
| BONUS | CVE-2019-3396 | Atlassian Confluence | 9.8 | 204 | APT41 (China), Rocke Gang (Chinese Cybercrime) |
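The prioritization argued for in the “Operational Threat Intelligence” section, applied to a few rows of this table, as an added Python example (not Verint’s tooling): the NVD score is combined with the number of named threat actors, the exploitation time span and whether any of those actors is known to target our own sector, so that CVE-2018-20250 (CVSS 7.8) ends up ahead of a CVSS 9.8 entry with no observed exploitation. The weights, the assumption that Cobalt Group targets our sector, and the control entry with a placeholder CVE ID are all assumptions made for illustration.

```python
"""Risk-based patch prioritization: CVSS severity plus threat-intelligence
context (named actors, exploitation longevity, sector targeting).

The weights are an assumption for illustration, not a standard. The sample
records are transcribed from the table above (country attributions dropped)
plus one constructed control entry with a placeholder CVE ID."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class VulnIntel:
    cve: str
    product: str
    cvss: Optional[float]    # NVD base score, None when NVD has not scored it
    days_seen: int           # days between first and last observed exploitation
    actors: Tuple[str, ...]  # threat groups observed exploiting the CVE


def priority_score(v: VulnIntel, sector_actors: FrozenSet[str] = frozenset()) -> float:
    """Score 0..100: up to 50 from CVSS, up to 50 from exploitation context.

    sector_actors: groups known to target our own sector (assumed to be
    supplied by the organisation's CTI function); any overlap adds a bonus.
    """
    cvss = 5.0 if v.cvss is None else v.cvss        # unscored: treat as medium
    severity = cvss * 5.0                            # 0..50
    named = [a for a in v.actors if a.lower() != "unknown"]
    actor_pts = min(6 * len(named), 30)              # breadth of adversary use
    longevity = min(v.days_seen / 100.0, 10.0)       # sustained exploitation
    sector_pts = 10.0 if sector_actors.intersection(named) else 0.0
    return round(severity + actor_pts + longevity + sector_pts, 1)


def rank(vulns: List[VulnIntel],
         sector_actors: FrozenSet[str] = frozenset()) -> List[Tuple[str, float]]:
    """Return (cve, score) pairs, highest patching priority first."""
    scored = [(v.cve, priority_score(v, sector_actors)) for v in vulns]
    return sorted(scored, key=lambda t: t[1], reverse=True)


SAMPLE = [
    VulnIntel("CVE-2017-11882", "Microsoft Office", 7.8, 713,
              ("APT32", "APT34", "APT40", "APT-C-35", "Cobalt Group",
               "Silent Group", "Lotus Blossom", "Cloud Atlas", "FIN7")),
    VulnIntel("CVE-2018-20250", "RARLAB WinRAR", 7.8, 189,
              ("APT32", "APT33", "APT-C-27", "Lazarus Group", "MuddyWater APT")),
    VulnIntel("CVE-2017-5638", "Apache Struts", 10.0, 864, ("Lazarus Group",)),
    VulnIntel("CVE-2017-5715", "ARM, Intel", 5.6, 424, ("Unknown",)),
    # Constructed control entry: critical CVSS but no observed exploitation.
    VulnIntel("CVE-0000-00000 (constructed)", "example product", 9.8, 0, ()),
]

# Assumption: a financial-services organisation whose CTI team tracks Cobalt Group.
OUR_SECTOR_ACTORS = frozenset({"Cobalt Group"})

if __name__ == "__main__":
    for cve, score in rank(SAMPLE, OUR_SECTOR_ACTORS):
        print(f"{score:5.1f}  {cve}")
```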

Turkish Hacking Group Cyber Warrior’s e-Magazine: TeknoDE

Cyber Warrior is one of the biggest hacker groups in Turkey. The group was established in 1999. Their first significant cyber-attack was in 2003, when they launched a massive operation against 1,500 U.S. websites in protest against the American invasion of Iraq and a specific incident where Turkish military personnel in northern Iraq were captured and interrogated by the U.S. Army.

Turkish Hacking Group Cyber Warrior

Cyber Warrior (CW) comprises teams for strategy, intelligence, logistics and R&D, and a dedicated unit for waging cyber-attacks named Akincilar. In recent weeks, for example, Akincilar has attacked official government websites of countries that, in the group’s opinion, discriminate against their Muslim populations.

Additionally, CW has been actively developing cyber tools and improving others. They even write instructional manuals on cyber security and have established a Cyber Academy, where they provide online training.

In September 2014, the group published their first monthly e-Magazine. The magazine is published on their online platforms and it includes cyber news items from the IT world, new technologies, cyber security, hacking news, programming and more.

September 2014 issue of TeknoDE

In their first issue, they featured a cryptography contest with the top prize of a book, mug and mouse pad.

Cryptography Contest

In their October issue, they reviewed the recently discovered Shellshock vulnerability, shared information on how to locate a lost mobile phone and discussed ways to hack into Gmail accounts, and aircraft and satellite systems.

October 2014 issue of TeknoDE

A couple of weeks ago, they produced the November 2014 issue, featuring articles about credit card frauds, new Android malware and interviews with Cyber Warrior founders.

November 2014 issue of TeknoDE


Currently, the magazine is in Turkish and it increases awareness of the Cyber world for users, while promoting an interest in cyber security among them.

Members of the website and readers of CWTeknoDE will not only be motivated to hack, but with this magazine they will have the chance to learn more about the cyber world and about methods and vulnerabilities.


Cyber Threats to the Aviation Industry

The aviation industry faces major risks on all of its fronts: from the air traffic control systems, to the aircraft themselves, to the airline companies and airports and border crossings. The identified threats stem from the current nature of aviation industry systems, which are interconnected and interdependent.

(Please note –  this blog post is an excerpt from our report: “Cyber Threats to the Aviation Industry”. If you are interested in receiving the full report please write to: info@sensecy.com)

On August 13, 2013, the AIAA officially released a Decision Paper entitled “A Framework for Aviation Cyber security”, outlining existing and evolving cyber threats to the commercial aviation enterprise and noting the lack of international agreement on cyber security in aviation. There is no common overall coordination of efforts seeking a global solution.

According to the report, the global aviation system is a potential target for a large-scale cyber attack with attackers focusing on malicious intent, information theft, profit, “hacktivism”, nation states, etc.


The risks are not only theoretical. As described below, some of these security concerns have already been realized in real-life incidents.

  • A presentation at the ‘Hack in The Box’ security summit in Amsterdam in April 2013 demonstrated that it is possible to take control of an aircraft’s flight systems and communications using an Android smartphone.
  • Sykipot is a tool that serves as a backdoor that an attacker can use to execute commands on the affected system. It is being used to gather intelligence about the civil aviation sector in the U.S. Like most targeted attacks, Sykipot infects using spear-phishing techniques, sending emails with malicious attachments. Lately, as identified by Trend Micro, Sykipot has been observed gathering intelligence on the U.S. civil aviation sector. The intentions of this campaign are unclear as yet. Sykipot has a history of targeting the U.S. Defense Industrial Base (DIB) and key industries over the past six years.
  • Conficker, a worm that has infected millions of computers worldwide, infected the French Navy network in 2009, forcing it to cut connectivity to stop the worm from spreading and to ground its Rafale fighter jets. It was probably introduced through an infected USB drive.
  • In 2008, Spanair flight 5022 crashed just after take-off, killing 154 people. According to the Spanish government’s Civil Aviation Accident and Incident Investigation Commission (CIAIAC), the disaster occurred because the central computer system used for monitoring technical problems in the aircraft was infected with a Trojan horse.
  • In 2008, the FAA reported that the computer network in the Boeing 787 Dreamliner’s passenger compartment was connected to the aircraft’s control, navigation and communication systems – a cause for grave security concern. This connection renders the plane’s control system vulnerable to cyber attack. Boeing advised that they would address the issue.

Aviation sector under threat of cyber attacks

We believe that the aviation industry is facing major threats from cyberspace. These threats encompass large areas of the industry and may become a greater burden for it, compromising the safety of passengers and causing financial and commercial damage to the associated companies.