08.22.22

Corvus Threat Intel

Ransomware Attacks on Critical Infrastructure, BlackByte 2.0, & New Vulnerabilities

The UK faces more cyber attacks on critical infrastructure, BlackByte launches a new iteration, and more vulnerabilities are discovered. 

Another UK Ransomware Attack on Critical Infrastructure as Clop Misidentifies Victim

Clop, an established Russian-speaking ransomware group, raised a few eyebrows this week as it publicly named the wrong victim. Clop claimed to have compromised Thames Water, which supplies water to roughly 15 million people in the UK, by stealing over 5TB and securing access to its industrial control systems. It turns out that the ransomware gang was mistaken. They had compromised South Staffordshire Water, a company serving 1.6 million customers elsewhere in the UK. Thames Water was quick to dispel the misinformation and Clop corrected its blunder. The Clop ransomware gang wrote that it decided to forgo encryption and opted only to steal data, claiming that they “do not attack critical infrastructure.” South Staffordshire has confirmed that there is no disruption to water supply or quality, and that they are working with authorities to investigate the incident.

Why This Matters

This is another frightening example of a ransomware attack on critical infrastructure. While there is never a welcome time for a cyber attack on water supplies, this is especially dangerous during one of the driest summers on record in the UK.

The misidentification could also be due to the propensity of some ransomware groups to hack first and ask “who” later. Many victims are chosen because of software vulnerabilities that cybercriminals can scan the internet for en masse. For these targets of opportunity, identification is made after the fact, which occasionally leads to mistaken identity. By regularly patching and managing what’s exposed to the public internet, you can limit opportunities for ransomware gangs to misidentify you too.

BlackByte Ransomware Releases Version 2.0

After just over one year of activity, the BlackByte ransomware gang has risen in prominence, garnering the attention of the US government and cyber defenders alike. You might remember them from their infamous attack on the NFL’s 49ers earlier this year. The group just released its second iteration, calling it BlackByte 2.0. Borrowing from the latest LockBit release, BlackByte 2.0 sports a new leak site and some new extortion methods. Victims can now pay to extend the ransomware deadline or prevent publication of their data right on the site. However, victim data can also be purchased by other visitors to the BlackByte site. The group accepts cryptocurrency in Bitcoin (BTC) or privacy-focused Monero (XMR). It’s unclear as yet whether the latest iteration includes improved encryption capabilities. The gang worked to fix encryption bugs last year after researchers found a loophole and provided a free decryptor to victims.

Why This Matters

The ransomware market is ever-changing as seasoned groups dissipate or re-brand and new ones arise. Monitoring threat actor capabilities is an important part of defending against attacks. As with LockBit 3.0, expect the same core functionality with some new bells and whistles.

Realtek System on a Chip (SoC) Exploit Code Released (CVE-2022-27255)

Summer conferences like Black Hat and DEF CON usually involve presentations on interesting exploits that left groups scrambling for security patches. This year was no different. A group of university students presented an exploit for the Realtek system on a chip (SoC), which is used in many routers and IoT devices. The exploit allows code to be executed on the device without authentication. A patch has been available since at least March 2022, but because the chip resides in a myriad of products across different vendors, it’s up to each vendor to make the patch available via firmware updates for its devices. SANS Institute Dean of Research, Dr. Johannes B. Ullrich, writes that although the exploit is a big deal, there is not much that can be done about it. As the devices in need of updates likely number in the millions, this may be an issue for a long time.

Why This Matters

Vulnerability management is difficult as is, but when “zero trust” might even extend to the chips in our routers, it gets even more difficult. Establishing the most rigorous detection can give added peace of mind for things outside of your control, such as your router manufacturer not releasing a firmware update for a vulnerable chip. The more lines of detection and defense around your systems, the better.

If you believe any of your devices might be affected, make sure to check with your vendor and apply any firmware updates.

Zimbra Collaboration Suite Vulnerabilities

Zimbra Collaboration Suite (ZCS) is a collaborative software suite that includes an email server and a web client. Two vulnerabilities in ZCS have been added to the CISA Known Exploited Vulnerabilities Catalog as reports of widespread exploitation recently surfaced. Threat actors are actively exploiting these vulnerabilities in tandem, giving them the ability to remotely execute arbitrary code on ZCS servers. Researchers at Volexity observed attackers placing backdoors on over 1,000 victims’ ZCS servers using the two exploits.

Why This Matters

ZCS servers likely contain sensitive data, and remote code execution capability gives attackers nearly free rein. These vulnerabilities are known to be exploited in the wild, so be sure to follow vendor guidance on remediating them as soon as possible.

This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.