The S-RM Incident Response team issued a report on an encounter with threat actors from the Lorenz ransomware group. The group used a latent back door planted months earlier to attack a network: the attackers initially exploited CVE-2022-29499, a vulnerability in the Mitel VoIP solution, to create a PHP web shell on the target host, giving them an initial foothold in the network. Although the vulnerability was patched a week later, the foothold remained, and the attackers returned some months later to execute a ransomware attack. This shows that vulnerability patching alone is not enough; active measures must be taken to detect and respond to threats that are already inside the network. This incident is particularly interesting because it contrasts with the behaviour we're used to seeing in Incident Response, which is usually fast-paced attacks.
This week saw Microsoft's latest Patch Tuesday. This one was especially important as it contained updates for 98 vulnerabilities (one of which was classed as critical) in Windows and fixed 1 zero-day vulnerability. Other companies have released patches this month, including Adobe, Cisco, Citrix, Fortinet, Intel, SAP and Synology. If your organisation uses any of their products or services, we suggest you implement the released patches as soon as possible.
The new State of Ransomware report from Delinea was released this week and shows that the volume of ransomware attacks in 2022 was 61% lower than 2021's figure. There are several potential reasons for the drop, one factor being the disbanding of the Conti ransomware group and law enforcement actions.
While on the surface this number looks good, the sceptical among us may think the figures are just an indication that companies aren't admitting they were the victim of a ransomware attack, due to concerns over reputational damage and financial loss.
Other key points from the report include:
2023, however, is looking like ransomware may be back with a vengeance, as several of our stories this week involve this attack vector.
Royal Mail announced on Wednesday that it was experiencing significant disruption to its international export services as a result of a cyber incident. The company stated in an update on its website that it was unable to dispatch items to overseas destinations at the moment, and advised customers to hold on to their export mail items while the issue is being resolved. Thousands of businesses rely on Royal Mail for exporting goods worldwide. In a statement, Royal Mail said that it is working with external specialists to investigate the incident, and has also reported it to regulatory and security authorities.
Since the initial report it has been revealed that the disruption was caused by LockBit ransomware, a strain favoured by a number of Russian-linked hacker groups.
The news follows another incident this week that saw Royal Mail's sorting base in Mallusk hit by a ransomware cyberattack on Tuesday evening. According to a report in the Belfast Telegraph, printers throughout the building suddenly began producing large orange-coloured documents displaying the hackers' demands. One of these documents urged Royal Mail to get in touch with the hackers to obtain a decryption of a file that would apparently verify the claims of a hack, which the hackers offered to do for free. It's believed the attack wiped out the hub's entire operations and threatened to release data stored by the company.
These latest incidents follow an attack in November last year that shut down its Click & Collect service and exposed customer data.
British industrial firm Morgan Advanced Materials Plc announced on Tuesday that it had detected unauthorised activity on its network and was conducting an investigation into a cyber security incident. A statement on the company's website said: 'To minimise disruption to its operations, the company is implementing measures to maintain communication and trade with its customers and suppliers.'
No more information has been released at the time of publication.
According to Hull and East Yorkshire News, teachers at 16 schools across the Hull and Yorkshire areas of the UK have been unable to use their computers after the Hope Sentamu Learning Trust was hit by a ransomware attack.
Hackers are demanding a ransom of £15 million, to be paid in cryptocurrency; the report suggests that none of the impacted schools has paid. Attacks against educational institutions and organisations are common, with the UK's National Cyber Security Centre (NCSC) issuing a warning over the increasing number of attacks against schools and universities.