Cybersecurity agencies warn of ransomware attacks exploiting a 2-year-old vulnerability
The National Cybersecurity Agency of Italy issued a warning to organisations worldwide on February 5th to take prompt action to secure their systems following a large-scale ransomware hacking attack that compromised thousands of computers globally.
Roberto Baldoni, the director general of the Agency, told Reuters that the attack exploited a software vulnerability on a massive scale. According to Italian news outlet ANSA, servers in countries including the USA, Canada, Finland, and France were also impacted. The Agency advised Italian organisations to act preventively to avoid being locked out of their systems. He added that there was no evidence that the attacks were being carried out by a nation state but probably the handiwork of cyber criminals.
The alert follows a widespread ransomware attack that utilised the easily exploitable vulnerability, CVE-2021-21974, to remotely execute exploit code without authentication on VMware ESXi hypervisors.
The group responsible for the campaign has not been identified. DarkFeed reported that each victim was given a unique Bitcoin wallet for payment. No website associated with the group has been found, only a Tox messaging app ID for communication.
Munster Technological University (MTU) hit by suspected ransomware attack
In what may be linked to the previous story Munster Technological University (MTU) was forced to shutter its campuses this week after being hit by a suspected ransomware attack. investigations are underway by the gardaí and the National Cyber Security Centre to determine if it is related to the international ransomware attack affecting hundreds of organisations. The incident further highlights the risks posed to educational facilities from hackers who target them due to the wealth of data they typically hold and the perception they have weaker cyber security measures in place than other sectors.
The Integrity360 IR team is seeing an increasing number of educational facilities being breached. Some threat actors claim to not purposely target institutions such as schools, colleges and hospitals, but still end up doing so. One threat actor for example (Vice Society) states this but the majority of their targets are still schools.
LockBit ransomware gang behind ION cyber-attack and claim ransom was paid
The LockBit ransomware group claimed responsibility for the recent attack on ION Trading UK and stated that the ransom they demanded has been received. A representative informed Reuters that they have supplied a decryption key to ION to unlock their infected systems. However, the hackers did not reveal the exact ransom amount, or provide proof of payment, and kept the identity of the person or entity who paid the ransom undisclosed, only referring to them as a "very rich unknown philanthropist." LockBit had warned that they would release stolen material from ION if the ransom was not paid by February 4th.
LockBit claims responsibility for Royal Mail cyber-attack
The LockBit ransomware group has taken responsibility for a cyber-attack on the UK's primary mail delivery service, Royal Mail. The attack resulted in a suspension of the company's international shipping services due to "severe service disruption".
LockBitSupp (the ransomware gang's public-facing representative) confirmed that LockBit was responsible for the attack in a post on a Russian-language hacking forum, indicating that one of their affiliates deployed the ransomware. The group stated that they will only provide a decryption tool and erase stolen data after a ransom is paid.
Despite not acknowledging the attack as a ransomware incident, Royal Mail may still suffer a data breach, as LockBit is known to leak stolen data if ransom demands are not met. Currently, the company has reported some restoration of services impacted by the attack and describes the situation as a "cyber incident"
Another UK engineering firm hacked
Vesuvius, a London-based molten metal flow engineering firm, reported a cyber incident involving unauthorized access to its systems. In response, the company shut down the affected systems and is now working with cyber experts to determine the extent and potential consequences of the event on manufacturing and contract fulfilment.
The company said it is taking steps to comply with relevant regulations as more information is uncovered through ongoing investigations. There is currently limited information available on the scope of the incident, impacted IT systems, nature of the attack, or if the attackers made any communication with the company. The incident follows last month's cyber-attack on Morgan Advanced Materials Plc and is one of the latest in a series of attacks against UK businesses, that has seen Royal Mail and financial software provider ION.
