Cybersecurity agencies warn of ransomware attacks exploiting a 2-year-old vulnerability
Munster Technological University (MTU) hit by suspected ransomware attack
LockBit ransomware gang behind ION cyber-attack and claim ransom was paid
LockBit claims responsibility for Royal Mail cyber-attack
Another UK Engineering firm hacked
CVE-2021-21974, an easily exploitable vulnerability that allows threat actors to run exploit code remotely, without prior authentication, dominated the headlines this week.
Patches for the vulnerability in ESXi's OpenSLP service (CVE-2021-21974) were released by VMware two years ago. The recent attack has exposed how many servers remain unpatched, with the SLP service still running and the OpenSLP port (427) still reachable.
It is crucial that organisations apply the patches released to address this vulnerability as soon as possible in order to protect their systems.
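The bulletin's two indicators of an at-risk host are that the SLP service is still running and that port 427 is still reachable. The following script is an added example, not code from the bulletin or from Integrity360, that checks the second indicator across your own ESXi inventory: it attempts a plain TCP connection to port 427 on each host you name, sends nothing, and reports which hosts still accept connections so they can be prioritised for patching. The host names passed on the command line are assumed to be your own; the self-check uses local listening sockets constructed inline so it runs offline.

```python
"""Exposure check for the ESXi OpenSLP port (CVE-2021-21974).

Added example, not part of the original Integrity360 bulletin. Given a list of
your own ESXi hosts, report which ones still accept TCP connections on port 427.
A host that answers is either unpatched or still has SLP enabled and needs
attention; a host that refuses or times out has the service closed off.
"""
import socket
import sys
from dataclasses import dataclass

SLP_PORT = 427  # OpenSLP port named in the bulletin


@dataclass
class SlpExposure:
    host: str
    port: int
    reachable: bool
    detail: str


def check_slp_port(host: str, port: int = SLP_PORT, timeout: float = 2.0) -> SlpExposure:
    """TCP connect to host:port. Only reachability is tested; no data is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return SlpExposure(host, port, True, "port accepts connections: SLP still exposed")
    except ConnectionRefusedError:
        return SlpExposure(host, port, False, "connection refused: nothing listening")
    except socket.timeout:
        return SlpExposure(host, port, False, "timed out: filtered or host down")
    except OSError as exc:  # DNS failure, unreachable network, etc.
        return SlpExposure(host, port, False, f"error: {exc}")


def exposed_hosts(inventory, port: int = SLP_PORT, timeout: float = 2.0):
    """Return the SlpExposure records for hosts where the SLP port is reachable."""
    results = (check_slp_port(host, port, timeout) for host in inventory)
    return [r for r in results if r.reachable]


def self_check():
    """Offline demonstration using constructed local sockets: one listening
    socket stands in for a host with SLP still exposed, one closed port stands
    in for a remediated host. Returns (reachable_for_open, reachable_for_closed)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Bind then close a second socket to obtain a port that nothing listens on.
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        open_result = check_slp_port("127.0.0.1", open_port, timeout=1.0)
        closed_result = check_slp_port("127.0.0.1", closed_port, timeout=1.0)
    finally:
        listener.close()
    return open_result.reachable, closed_result.reachable


if __name__ == "__main__":
    # Usage: python slp_exposure.py esxi-host-1 esxi-host-2 ...
    hosts = sys.argv[1:]
    if not hosts:
        print("self-check (open, closed) ->", self_check())
    for record in exposed_hosts(hosts):
        print(f"{record.host}:{record.port} {record.detail}")
```

A reachable port 427 is the cue to patch, or, where a host cannot be patched immediately, to apply VMware's published workaround for this CVE of stopping the slpd service and disabling the CIMSLP firewall ruleset on the host; a refused connection is consistent with that workaround already being in place.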
The National Cybersecurity Agency of Italy issued a warning to organisations worldwide on February 5th to take prompt action to secure their systems following a large-scale ransomware hacking attack that compromised thousands of computers globally.
Roberto Baldoni, the director general of the Agency, told Reuters that the attack exploited a software vulnerability on a massive scale. According to Italian news outlet ANSA, servers in countries including the USA, Canada, Finland, and France were also impacted. The Agency advised Italian organisations to act preventively to avoid being locked out of their systems. Baldoni added that there was no evidence that the attacks were being carried out by a nation state, and that they were probably the handiwork of cyber criminals.
The alert follows a widespread ransomware attack that utilised the easily exploitable vulnerability, CVE-2021-21974, to remotely execute exploit code without authentication on VMware ESXi hypervisors.
The group responsible for the campaign has not been identified. DarkFeed reported that each victim was given a unique Bitcoin wallet for payment. No website associated with the group has been found, only a Tox messaging app ID for communication.
In what may be linked to the previous story, Munster Technological University (MTU) was forced to shutter its campuses this week after being hit by a suspected ransomware attack. Investigations are underway by the gardaí and the National Cyber Security Centre to determine whether it is related to the international ransomware attack affecting hundreds of organisations. The incident further highlights the risks posed to educational facilities by hackers, who target them for the wealth of data they typically hold and the perception that they have weaker cyber security measures in place than other sectors.
The Integrity360 IR team is seeing an increasing number of educational facilities being breached. Some threat actors claim not to deliberately target institutions such as schools, colleges and hospitals, but still end up doing so. Vice Society, for example, states this, but the majority of its targets are still schools.
The LockBit ransomware group claimed responsibility for the recent attack on ION Trading UK and stated that the ransom they demanded has been received. A representative informed Reuters that they have supplied a decryption key to ION to unlock their infected systems. However, the hackers did not reveal the exact ransom amount, or provide proof of payment, and kept the identity of the person or entity who paid the ransom undisclosed, only referring to them as a "very rich unknown philanthropist." LockBit had warned that they would release stolen material from ION if the ransom was not paid by February 4th.
The LockBit ransomware group has taken responsibility for a cyber-attack on the UK's primary mail delivery service, Royal Mail. The attack resulted in a suspension of the company's international shipping services due to "severe service disruption".
LockBitSupp (the ransomware gang's public-facing representative) confirmed that LockBit was responsible for the attack in a post on a Russian-language hacking forum, indicating that one of their affiliates deployed the ransomware. The group stated that they will only provide a decryption tool and erase stolen data after a ransom is paid.
Although Royal Mail has not acknowledged the attack as a ransomware incident, it may still suffer a data breach, as LockBit is known to leak stolen data if ransom demands are not met. Currently, the company has reported some restoration of services impacted by the attack and describes the situation as a "cyber incident".
Vesuvius, a London-based molten metal flow engineering firm, reported a cyber incident involving unauthorized access to its systems. In response, the company shut down the affected systems and is now working with cyber experts to determine the extent and potential consequences of the event on manufacturing and contract fulfilment.
The company said it is taking steps to comply with relevant regulations as more information is uncovered through ongoing investigations. There is currently limited information available on the scope of the incident, the IT systems impacted, the nature of the attack, or whether the attackers made any contact with the company. The incident follows last month's cyber-attack on Morgan Advanced Materials Plc and is one of the latest in a series of attacks against UK businesses, which has also hit Royal Mail and financial software provider ION.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
From Ransomware to the cost of living crisis, businesses are facing an unprecedented number of cyber threats. Join us at Integrity 360’s Security First Conference and discover the Power of Visibility, hear from industry-leading experts and build your network. Come and join us!