This week saw Microsoft release patches for nearly 100 vulnerabilities and a new tactic was seen being utilised by the Lorenz ransomware group. Read about both and the biggest cyber news in this week’s roundup.
This week’s observation from our Incident Response Team
The S-RM Incident Response team issued a report on an encounter with threat actors from the Lorenz ransomware group. The group used a latent backdoor planted months earlier to attack a network: they initially exploited a vulnerability (CVE-2022-29499) in the Mitel VoIP solution to create a PHP web shell on the target host, giving them a foothold in the network. While the vulnerability was patched a week later, the foothold remained, and the attackers returned some months later to execute a ransomware attack. This shows that vulnerability patching alone is not enough; active measures must be taken to detect and respond to unknown threats. The incident is particularly interesting because it contrasts with the fast-paced attacks we are used to seeing in incident response.
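A defender-side hunt for the kind of leftover foothold described above, as an added example that is not taken from the S-RM report: it compares a web root against a known-good manifest captured at deployment time and additionally flags PHP files that pass request-controlled input to a code-execution primitive. The temporary web root, file names and file contents are all constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile

# Heuristic: a code-execution primitive together with request-supplied input (constructed pattern list).
EXEC_CALL = re.compile(rb"\b(eval|assert|system|passthru|shell_exec|exec)\s*\(", re.I)
REQ_INPUT = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\b")

def hash_tree(root):
    """Map relative path -> SHA-256 for every file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                out[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out

def hunt(root, baseline):
    """Return {relpath: [reasons]} for files that differ from the known-good
    manifest or that look like they execute request-controlled input."""
    findings = {}
    for rel, digest in hash_tree(root).items():
        reasons = []
        if rel not in baseline:
            reasons.append("not in known-good manifest")
        elif baseline[rel] != digest:
            reasons.append("content changed since manifest")
        if rel.lower().endswith((".php", ".phtml", ".phar")):
            with open(os.path.join(root, rel), "rb") as fh:
                data = fh.read()
            if EXEC_CALL.search(data) and REQ_INPUT.search(data):
                reasons.append("executes request-controlled input")
        if reasons:
            findings[rel] = reasons
    return findings

def demo():
    """Constructed web root: a legitimate page, then a file planted after the manifest was taken."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "assets"))
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'hello'; ?>")
    baseline = hash_tree(root)  # manifest captured from the clean deployment
    # Simulated leftover foothold that a later vulnerability patch would not remove.
    with open(os.path.join(root, "assets", "cache.php"), "wb") as fh:
        fh.write(b"<?php @eval($_REQUEST['k']); ?>")
    return hunt(root, baseline)
```

Calling demo() reports only assets/cache.php, with both reasons; the unchanged index.php is silent, which is the point: a patch closes the entry vulnerability, only a comparison against a known-good state exposes what was left behind.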
This week saw Microsoft’s latest Patch Tuesday. This one was especially important as it contained updates for 98 vulnerabilities in Windows (one of which was classed as critical) and fixed one zero-day vulnerability. Other companies have released patches this month, including Adobe, Cisco, Citrix, Fortinet, Intel, SAP and Synology. If your organisation uses any of their products or services, we suggest you implement the released patches as soon as possible.
Here’s a roundup of the cyber security incidents that have made headlines this week.
Ransomware attacks fell 61% in 2022, says new report
The new State of Ransomware report from Delinea was released this week and shows that the volume of ransomware attacks in 2022 was 61% lower than 2021’s figure. There are several potential reasons for the drop, one factor being the disbanding of the Conti ransomware group and law enforcement actions.
While on the surface this number looks good, the sceptical among us may think the figures are simply an indication that companies aren’t admitting they were the victim of a ransomware attack, due to concerns over reputational damage and financial loss.
Other key points from the report include:
- The larger the company, the more likely they were to be victimised.
- Companies with 100 or more employees experienced ransomware attacks at a rate of 56% in 2022, compared with 70% in 2021 (a decrease of 14 percentage points).
- 13% of companies with fewer than 100 employees said they were victims of ransomware this year, compared with 34% in the previous survey (a decrease of 21 percentage points).
- The average ransomware payment increased 71% in 2022 from 2021.
2023, however, is looking like ransomware may be back with a vengeance, as several of our stories this week involve the attack vector.
Royal Mail hit by suspected ransomware attack
Royal Mail announced on Wednesday that it was experiencing significant disruptions to its international export services as a result of a cyber incident. The company stated in an update on its website that it was unable to dispatch items to overseas destinations at the moment, and advised customers to hold on to their export mail items while the issue is being resolved. Thousands of businesses rely on Royal Mail for exporting goods worldwide. In a statement, Royal Mail said that it is working with external specialists to investigate the incident, and has also reported it to regulatory and security authorities.
Since the initial report it has been revealed that the disruption was caused by LockBit ransomware, a strain favoured by a number of Russian-linked hacker groups.
The news follows another incident this week that saw Royal Mail’s sorting base in Mallusk hit by a ransom cyberattack on Tuesday evening. According to a report in the Belfast Telegraph, printers throughout the building suddenly began producing large orange-coloured documents displaying the hackers’ demands. One of these documents implored Royal Mail to get in touch with the hackers to secure the decryption of a file that would apparently verify the claims of a hack, which they offered to do for free. It’s believed the attack wiped out the hub’s entire operations and threatened the release of data stored by the company.
These latest incidents follow an attack in November last year that shut down its Click & Collect service and exposed customer data.
Morgan Advanced Materials suffers cyber-attack, extent unknown
British industrial firm Morgan Advanced Materials Plc announced on Tuesday that it had detected unauthorised activity on its network and was conducting an investigation into a cyber security incident. A statement on the company’s website said: ‘To minimise disruption to its operations, the company is implementing measures to maintain communication and trade with its customers and suppliers.’
No more information has been released at the time of publication.
16 Yorkshire schools held to ransom as hackers demand £15 million
According to Hull and East Yorkshire news, teachers at 16 schools across the Hull and Yorkshire areas of the UK have been unable to use their computers after the Hope Sentamu Learning Trust was hit by a ransomware attack.
Hackers are demanding a ransom of £15 million, to be paid in cryptocurrency; the report suggests that none of the impacted schools has paid. Attacks against educational institutions and organisations are common, with the UK’s National Cyber Security Centre (NCSC) having issued a warning over the increasing number of attacks against schools and universities.
If you are worried about any of the threats outlined in this bulletin, or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.