
12.05.22

Corvus Threat Intel

Cuba Ransomware Operation, (Another) LastPass Breach, & Hacks on Redis

Cuba ransomware operation, another breach at LastPass, new hacks on an old vulnerability.


Cuba Ransomware Receives $60 Million in Ransoms from Over 100 Victims

In a joint advisory, the FBI and CISA have detailed the extent of, and the profit behind, the Cuba ransomware operation. As of August 2022, Cuba ransomware has demanded more than $145 million and received over $60 million in ransom payments from more than 100 victims. In this update to a similar Cuba advisory released one year ago, the two agencies report that the number of U.S. entities compromised has doubled, with both ransoms demanded and ransoms paid increasing since the December 2021 report. Cuba continues to victimize U.S. companies in several critical infrastructure sectors, including Financial Services, Government Facilities, Healthcare and Public Health, Critical Manufacturing, and Information Technology.

Why This Matters

Even for a smaller and less active ransomware group like Cuba, there is clearly too much potential profit in ransomware for it to stop anytime soon. If a group such as Cuba can pull in $60 million (the true total is likely higher due to underreporting), there is a strong incentive to keep going. Organizations should prepare for the ever-growing likelihood that they will be in a ransomware gang's sights at some point. Focusing on the basics of cyber hygiene goes a long way toward frustrating attackers:

  • Phishing-resistant Multi-Factor Authentication
  • Regular patching
  • Endpoint security solutions
  • Resilient backups

Additional Information:


LastPass Reports Another Attack

Password management firm LastPass reported another breach, following a prior incident in August. This time attackers accessed customer data, although the company confirmed that customer passwords remain safely encrypted. Threat actors used information stolen in the first attack to carry out the second, making their way further into the LastPass environment: malicious activity was detected in a third-party cloud storage service shared by LastPass and one of its affiliates, GoTo. Law enforcement and an incident response firm have been called in to assist with the investigation.

Why This Matters

Attacks beget attacks. Since threat actors gained access to LastPass developer and source code data in August, it is not surprising that they were able to steal information granting them additional access. We should not forget that this all started in August with the compromise of a single employee's account. Enabling strong, phishing-resistant multi-factor authentication (MFA) can help prevent account takeovers. Following best practices in identity and access management, in particular least privilege, further limits what an unauthorized user can reach, so that a successful phish does not give the attacker free rein over cloud accounts.

Additional Information:

New Hacks for an Old Redis Vulnerability

Hackers are using new malware to exploit an old vulnerability in Redis servers, a popular in-memory database platform. The previously undocumented malware, called Redigo, is written in the Go programming language and is being used to create backdoors on Redis servers vulnerable to CVE-2022-0543. A successful attack allows hackers to execute code on the server, escalate their privileges, and access data. Security researchers are not yet sure of the malware's true intent, although they believe it could be to deploy cryptocurrency miners or to steal data. This is not the first time this Redis vulnerability has come under exploitation: back in March 2022, Juniper Threat Labs reported on attacks by the Muhstik botnet leveraging the same vulnerability.

Why This Matters

Attackers gaining unauthorized access to databases is never a good thing. While researchers could not yet determine the end goal of the hackers deploying this malware, the possibilities are endless, because the malware gives an attacker a foothold on the database server and the ability to execute their own code. Organizations running Redis servers should ensure that they are patched and up to date to prevent a Redigo attack.

Additional Information:

This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.

