16 July 2021 | Asia Cyber Summary

In the Spotlight This Week:

  • SonicWall devices targeted with ransomware utilising stolen credentials

  • Microsoft attributes new SolarWinds attack to a Chinese hacker group

  • REvil: Ransomware gang websites disappear from internet

  • Fashion retailer Guess discloses data breach after ransomware attack

  • Morgan Stanley discloses data breach that resulted from Accellion FTA hacks

  • Hackers spread BIOPASS malware via Chinese online gambling sites

SonicWall Devices Targeted With Ransomware Utilising Stolen Credentials

SonicWall, a network and cyber security appliance vendor, is reporting that ransomware activity is currently targeting their Secure Mobile Access (SMA) and Secure Remote Access (SRA) products. This ransomware activity is reported by SonicWall as abusing stolen credentials.

The ACSC is aware of stolen credentials affecting Australian organisations that were likely the result of vulnerable SonicWall devices being exploited. The ACSC has previously issued an alert on a remote credential access vulnerability affecting SonicWall products.

Australian organisations should review their networks for the presence of affected SonicWall products which are outlined in the security notice from SonicWall. If vulnerable products are identified, Australian organisations should review and implement the recommended mitigations provided by SonicWall.

Assistance / Where can I go for help? The ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1.

Microsoft Attributes New SolarWinds Attack To A Chinese Hacker Group

Microsoft’s Threat Intelligence Center (MSTIC) reported on Tuesday that SolarWinds software was attacked with a zero-day exploit by a group of hackers it calls “DEV-0322.” The hackers were focused on SolarWinds’ Serv-U FTP software, with the presumed goal of accessing the company’s clients in the US defense industry.

The zero-day attack was first spotted in a routine Microsoft 365 Defender scan. The software noticed an “anomalous malicious process” that Microsoft explains in more detail in its blog, but it seems the hackers were attempting to make themselves Serv-U administrators, among other suspicious activity.

SolarWinds reported the zero-day exploit on Friday, July 9th, explaining that all of the Serv-U releases from May 5th and earlier contained the vulnerability. The company released a hotfix to address the issue and the exploit has since been patched, but Microsoft writes that if Serv-U’s Secure Shell (SSH) protocol connected to the internet, the hackers could “remotely run arbitrary code with privileges, allowing them to perform actions like install and run malicious payloads, or view and change data.” Anyone running older Serv-U software is encouraged to update it as soon as possible.

REvil: Ransomware Gang Websites Disappear From Internet

Websites for a Russian-linked ransomware gang blamed for attacks on hundreds of businesses worldwide have gone offline. Monitors say a payment website and a blog run by the REvil group became suddenly unreachable on Tuesday.

The reason behind the disappearance is unknown, but has sparked speculation that the group may have been targeted deliberately by authorities. It comes amid growing pressure between the US and Russia over cyber-crime.

US President Joe Biden said he raised the issue with Vladimir Putin during a phone call on Friday, after discussing the subject during a summit with the Russian president in Geneva last month. Mr Biden told reporters that he had "made it very clear to him...we expect them to act" on information and also hinted the US could take direct digital retaliation on servers used for intrusions.

The timing of Tuesday's outage has sparked speculation that either the US or Russian officials may have taken action against REvil - though officials have so far declined to comment and cyber experts say sudden disappearances of groups are not necessarily uncommon.

Fashion Retailer Guess Discloses Data Breach After Ransomware Attack

American fashion brand and retailer Guess is notifying affected customers of a data breach following a February ransomware attack that led to data theft.

"A cybersecurity forensic firm was engaged to assist with the investigation and identified unauthorized access to Guess’ systems between February 2, 2021 and February 23, 2021," the company said in breach notification letters mailed to impacted customers.

"On May 26, 2021, the investigation determined that personal information related to certain individuals may have been accessed or acquired by an unauthorized actor."

Guess directly operates 1,041 retail stores in the Americas, Europe, and Asia, and its distributors and partners another 539 additional stores worldwide as of May 2021. The stores part of Guess' retail network currently operate in roughly 100 countries around the world.

Morgan Stanley Discloses Data Breach That Resulted From Accellion FTA Hacks

Morgan Stanley suffered a data breach that exposed sensitive customer data, and it became the latest known casualty of hackers exploiting a series of now-patched vulnerabilities in Accellion FTA, a widely used third-party file-transfer service.

The data obtained included names, addresses, dates of birth, Social Security numbers, and affiliated corporate company names, Morgan Stanley said in a letter first reported by Bleeping Computer. A third-party service called Guidehouse, which provides account maintenance services to the financial services company, was in possession of the data at the time. Unknown hackers obtained the data by exploiting a series of hacks that came to light in December and January.

Hackers Spread BIOPASS Malware Via Chinese Online Gambling Sites

Cybersecurity researchers are warning about a new malware that's striking online gambling companies in China via a watering hole attack to deploy either Cobalt Strike beacons or a previously undocumented Python-based backdoor called BIOPASS RAT that takes advantage of Open Broadcaster Software (OBS) Studio's live-streaming app to capture the screen of its victims.

The attack involves deceiving gaming website visitors into downloading a malware loader camouflaged as a legitimate installer for popular-but-deprecated apps such as Adobe Flash Player or Microsoft Silverlight, only for the loader to act as a conduit for fetching next-stage payloads. Specifically, the websites' online support chat pages are booby-trapped with malicious JavaScript code, which is used to deliver the malware to the victims.

"BIOPASS RAT possesses basic features found in other malware, such as file system assessment, remote desktop access, file exfiltration, and shell command execution," Trend Micro researchers noted in an analysis published Friday. "It also has the ability to compromise the private information of its victims by stealing web browser and instant messaging client data."

Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.