CERT-W Newsletter February 2021

Ethical Hacking & Incident Response

Monthly indicators

TOP ATTACK: Two French hospitals under ransomware attacks
Ransomware attacks struck two French hospital groups in less than a week, prompting the transfer of some patients to other facilities but not affecting care for Covid-19 patients or vaccinations. Two French hospitals were hit by ransomware, and a third pre-emptively cut its connections with an IT provider. The Villefranche-sur-Saône hospital complex in France’s eastern Rhone département (administrative area) announced on Monday that a cyber-attack had been detected at 4:30am local time. The attack by the RYUK crypto-virus, a kind of ransomware, “strongly impacts” the Villefranche, Tarare and Trévoux sites of the North-West Hospital.
TOP EXPLOIT: An outdated version of Windows and a weak cybersecurity network allowed hackers to poison the water at a Florida water treatment plant
The hacker was able to use remote access software to raise the level of sodium hydroxide in the water from about 100 parts per million to 11,100 parts per million for a few minutes, according to investigators. The FBI’s Cyber Division on Tuesday notified law enforcement agencies and businesses to warn them about the computer vulnerabilities that led to the Bruce T. Haddock Water Treatment Plant in Oldsmar being hacked on Feb. 5.
The plant’s computer systems were running Windows 7, which has not received support or updates from Microsoft in over a year, according to the FBI.
TOP LEAK: COMB: more than 3 billion Gmail, Hotmail and Netflix passwords have leaked
It is being called the biggest breach of all time and the mother of all breaches: COMB, or the Compilation of Many Breaches, contains more than 3.2 billion unique pairs of cleartext emails and passwords. While many data breaches and leaks have plagued the internet in the past, this one is exceptional in its sheer size. To put it in perspective, the entire population of the planet is roughly 7.8 billion, and this is about 40% of that.

Cybercrime watch

Arrest: Ten hackers arrested after stealing over USD 100 million in cryptocurrencies by hijacking phone numbers
Around 10 criminals have been arrested as a result of an international investigation into a series of SIM swapping attacks targeting high-profile victims in the United States. The attacks orchestrated by this criminal gang targeted thousands of victims throughout 2020, including famous internet influencers, sports stars, musicians and their families. The criminals are believed to have stolen over USD 100 million in cryptocurrencies from them after illegally gaining access to their phone numbers.
Sandworm intrusion set campaign targeting Centreon systems, impacting several French entities
ANSSI has been informed of an intrusion campaign targeting the monitoring software Centreon, distributed by the French company CENTREON, which resulted in the breach of several French entities. This campaign mostly affected information technology providers, especially web hosting providers.
On compromised systems, ANSSI discovered a backdoor in the form of a webshell dropped on several Centreon servers exposed to the internet. This campaign bears several similarities with previous campaigns attributed to the intrusion set named Sandworm.
Following the Emotet and Netwalker arrests, cybercriminal groups publicly released victims’ decryption keys
Less than one month after the arrests tied to the Emotet and Netwalker networks, two cybercriminal groups known as Ziggy and Fonix announced that they were shutting down their ransomware operations and would be releasing all of their decryption keys. The groups cited concerns about recent law enforcement activity and guilt over encrypting victims. The Ziggy ransomware admin did indeed post an SQL file containing 922 decryption keys for encrypted victims. For each victim, the SQL file lists the three keys needed to decrypt their encrypted files.

Vulnerability watch

CVE-2021-1300: Cisco SD-WAN Vulnerability
CVSS score: 9.8 CRITICAL

Cisco is warning of multiple critical vulnerabilities in its software-defined networking for wide-area networks (SD-WAN) solutions for business users. This one is a buffer-overflow flaw that stems from incorrect handling of IP traffic: an attacker could exploit it by sending crafted IP traffic through an affected device, which may cause a buffer overflow when the traffic is processed. Ultimately, this allows an attacker to execute arbitrary code on the underlying operating system with root privileges.

CVE-2021-1257: Cisco Digital Network Architecture CSRF Vulnerability
CVSS score: 8.8 HIGH

The flaw exists in the web-based management interface of Cisco DNA Center, a centralized network-management and orchestration platform for Cisco DNA. An attacker could exploit the vulnerability by socially engineering a user of the web-based management interface into following a specially crafted link, for example via a phishing email or chat message. If the user clicks the link, the attacker can then perform arbitrary actions on the device with the privileges of the authenticated user.
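The two server-side checks that defeat the link-based CSRF pattern described above, as an added example for defenders; this is not Cisco's code, and the origin, session layout and request shape are constructed for the illustration.

```python
"""Added example (not Cisco DNA Center code): origin check plus synchronizer token
for a web management interface, exercised with constructed requests.

Assumptions: requests are represented as (method, headers, form) and the
per-session token lives server-side in the Session object.
"""
from __future__ import annotations
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://dnac.example.internal"  # hypothetical management-UI origin
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def csrf_check(session: Session, method: str, headers: dict, form: dict) -> tuple[bool, str]:
    """Return (allowed, reason). Only state-changing methods are gated, so GET
    handlers must never change state: a crafted link alone is a GET."""
    if method.upper() not in STATE_CHANGING:
        return True, "read-only request"
    # Check 1: the browser-set Origin (or Referer) must be the UI itself. Compare
    # scheme+host exactly; a prefix match would accept look-alike hosts, and a
    # missing header is rejected because a lure page can suppress the Referer.
    raw = headers.get("Origin") or headers.get("Referer", "")
    parts = urlsplit(raw)
    if f"{parts.scheme}://{parts.netloc}" != ALLOWED_ORIGIN:
        return False, f"cross-site origin {raw or '<missing>'}"
    # Check 2: a per-session token the attacker's page cannot read or forge.
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def demo() -> dict:
    """Four constructed requests against one logged-in admin session."""
    s = Session(user="netadmin")
    cases = {
        "legit": ("POST", {"Origin": ALLOWED_ORIGIN}, {"action": "add_user", "csrf_token": s.csrf_token}),
        "forged_link": ("POST", {"Referer": "https://attacker.example/lure.html"}, {"action": "add_user"}),
        "lookalike_host": ("POST", {"Origin": ALLOWED_ORIGIN + ".attacker.example"}, {"action": "add_user", "csrf_token": "guess"}),
        "right_origin_no_token": ("POST", {"Origin": ALLOWED_ORIGIN}, {"action": "add_user"}),
    }
    return {name: csrf_check(s, *req)[0] for name, req in cases.items()}
```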

CVE-2021-1647: Microsoft Defender Remote Code Execution Vulnerability
CVSS score: 7.8 HIGH

The flaw could allow an authenticated user to execute arbitrary .NET code on an affected server in the context of the SharePoint Web Application service account. In its default configuration, authenticated SharePoint users are able to create sites that grant all of the permissions that are prerequisites for launching an attack.