Welcome to our weekly roundup, where we share what you need to know about cybersecurity news and events that happened over the past few days. This week, learn about a second group of malicious actors that may have exploited a SolarWinds bug to install the Supernova backdoor. Also, read about how common cloud misconfigurations can lead to cybersecurity problems and how to mitigate them.
Understanding Cloud Misconfigurations — With Pizza and Lego
Now, more than ever, cloud migration is a relevant topic. Businesses, schools, and other organizations have moved online and consequently, many IT departments have had to deal with a move to the cloud. Such a fast adoption of cloud technologies might have left organizations exposed to risks brought on by customers’ unfamiliarity with the specifics of its configurations. In this blog, Trend Micro discusses how common cloud misconfigurations can lead to cybersecurity problems and how to mitigate them.
Board Members Aren’t Taking Cybersecurity as Seriously as They Should
Trend Micro shared results from a study that reveals systemic challenges with security integration into business processes. The report includes the top ways to drive engagement and agreement around cybersecurity strategies within an organization. The study found that only 23% of organizations prioritize the alignment of security with key business initiatives.
Finding and Decoding Multi-Step Obfuscated Malware
Recently, Trend Micro’s investigation of an unusual DNS query by a command-line tool led researchers to the discovery of a multi-step obfuscated malware. In this blog, these researchers outline where the execution came from and the events that coincided with execution.
This Old Form of Ransomware has Returned with New Tricks and New Targets
Cerber, once the most popular choice of ransomware among cyber criminals, has made a comeback and is being used to target healthcare. Back in 2017, it was the most dominant family of ransomware, at one point accounting for 90% of all ransomware attacks targeting Windows systems. By 2018, it looked as if Cerber had disappeared, replaced by other forms of ransomware, but VMware Carbon Black identified it as the most common ransomware targeting healthcare during 2020.
XDR: Up-Leveling Security Integration
The cybersecurity discipline entails data collection, analysis, and responding to threats with precision, confidence, and speed. Yet, with threat actors utilizing multiple attack vectors and a range of lateral-movement tactics, a single source of telemetry is insufficient to fully uncover all the tentacles of attack campaigns. In this blog, IDC analyst Michael Suby explains the importance of upgrading XDR security integrations.
Beware: New Matryosh DDoS Botnet Targeting Android-Based Devices
A nascent malware campaign has been spotted co-opting Android devices into a botnet with the primary purpose of carrying out distributed denial-of-service (DDoS) attacks. Called "Matryosh" by Qihoo 360's Netlab researchers, the threat has been found reusing the Mirai botnet framework and propagates through exposed Android Debug Bridge (ADB) interfaces to infect Android devices and ensnare them into its network.
Becoming A CVE Numbering Authority
As a global security company, Trend Micro is no stranger to offensive vulnerability discovery and the disclosure of bugs. Researchers are very familiar with finding a vulnerability, reporting it, and writing about it via responsible disclosure. In this blog, learn how Trend Micro learned to embrace the recognition and mitigation of vulnerabilities as a strength.
Bad Patching Practices are a Breeding Ground for Zero-Day Exploits, Google Warns
Customers of major software vendors take comfort whenever a vendor issues a security fix for a critical software vulnerability. The clients expect that software update to keep attackers from stealing sensitive information, but new data from Google’s Project Zero suggests that assumption is misplaced. One in four zero-day, or previously unknown, software exploits that the Google team tracked in 2020 might have been avoided if a more thorough investigation and patching effort had been undertaken.
Chopper ASPX Web Shell Used in Targeted Attack
Web shells are highly potent when it comes to compromising systems and environments. These malicious pieces of code can be written in ASP, PHP, JSP, or any script that can execute a system command with a parameter passed in through a web request. They can be planted on web servers and used by malicious actors to execute arbitrary code. In this blog, Trend Micro dissects a targeted attack that made use of the Chopper ASPX web shell.
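Because a web shell is just a server-side page that takes its command from a request parameter, its traffic tends to look different from normal site usage: the page is only ever POSTed to, never reached by following a link (so no Referer), and hit repeatedly from one client. The following added example, which is not code from the Trend Micro blog, hunts for that pattern in IIS W3C-format logs. The log lines and the field order are constructed for the example; real logs should be parsed from their own #Fields header, which the parser below does.

```python
"""Hunt for web-shell-like request patterns in IIS W3C logs (added example, constructed data)."""
from collections import defaultdict

# Constructed sample of IIS W3C extended log lines. The #Fields line defines the
# column order, as in a real IIS log; the hosts and addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2021-02-01 10:00:01 10.0.0.5 GET /Default.aspx - 192.0.2.10 Mozilla/5.0 - 200
2021-02-01 10:00:02 10.0.0.5 POST /Account/Login.aspx - 192.0.2.10 Mozilla/5.0 https://example.test/Default.aspx 302
2021-02-01 10:01:00 10.0.0.5 POST /images/help.aspx - 198.51.100.7 Mozilla/4.0 - 200
2021-02-01 10:01:05 10.0.0.5 POST /images/help.aspx - 198.51.100.7 Mozilla/4.0 - 200
2021-02-01 10:01:09 10.0.0.5 POST /images/help.aspx - 198.51.100.7 Mozilla/4.0 - 200
2021-02-01 10:02:00 10.0.0.5 GET /Products.aspx id=7 192.0.2.11 Mozilla/5.0 https://example.test/Default.aspx 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field names follow the directive
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Date) and blank lines
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip rows that do not match the declared layout
        rows.append(dict(zip(fields, parts)))
    return rows


def find_suspicious_pages(rows, min_posts=3):
    """Flag .aspx URIs that are only ever POSTed to, carry no Referer on any
    request, and are hit at least min_posts times from a single client IP."""
    methods = defaultdict(set)      # uri -> set of HTTP methods seen
    has_referer = defaultdict(bool) # uri -> True if any request carried a Referer
    posts = defaultdict(int)        # (uri, client ip) -> POST count
    for r in rows:
        uri = r["cs-uri-stem"].lower()
        if not uri.endswith(".aspx"):
            continue
        method = r["cs-method"].upper()
        methods[uri].add(method)
        if r["cs(Referer)"] != "-":
            has_referer[uri] = True
        if method == "POST":
            posts[(uri, r["c-ip"])] += 1

    findings = []
    for (uri, ip), n in posts.items():
        if methods[uri] == {"POST"} and not has_referer[uri] and n >= min_posts:
            findings.append({"uri": uri, "client": ip, "posts": n})
    return sorted(findings, key=lambda f: -f["posts"])


if __name__ == "__main__":
    for f in find_suspicious_pages(parse_w3c(SAMPLE_LOG)):
        print(f"review {f['uri']}: {f['posts']} POSTs from {f['client']}, no GET, no Referer")
```

On the constructed sample, the login form is excluded because its POSTs arrive with a Referer, while the page under /images/ is reported. A hit is a lead for review, not a verdict: confirm it by checking the file's creation time and contents on the server and by correlating the client IP with other telemetry.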
Second SolarWinds Attack Group Breaks into USDA Payroll — Report
There are hints that a second group of malicious actors may have exploited a SolarWinds bug to install the Supernova backdoor. Notably, Microsoft had concluded back in December that this was the case. Now, sources told Reuters that there’s indeed evidence that a separate advanced persistent threat (APT), likely China-backed, is behind the malware.
The State of Ransomware: 2020's Catch-22
Ransomware continues the trend of targeted attacks but with the added challenge of double extortion. Organizations need to be one step ahead of such coercive tactics to avoid potential disruptions, financial losses, and reputational damage. Using case studies and examples, Trend Micro examines the ransomware variants that populated 2020 to create a guide for dealing with future attacks.
Cloud Security Alliance Updates Its IoT Security Framework
First published in 2019, the IoT Security Controls Framework explored numerous security controls needed to reduce risks related to IoT systems. For the latest version, released in January 2021, CSA updated the security controls and introduced a new domain structure and a new legal domain. The organization also added a new security testing domain and streamlined infrastructure allocations.
Interview with a Russian Cybercriminal
IT security practitioners spend a lot of time strategizing ransomware defense, but many know little about the criminals plotting attacks. To better understand the attacker's perspective, Cisco Talos researchers interviewed a LockBit ransomware operator. The Talos team learned that a key factor in choosing a form of ransomware is the percentage of profit the malware developers require attackers to pay.
Does your organization have strong patching practices? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.