Cyber Pulse: Edition 138 | 8 December 2020

Here is our cyber security news round-up of the week:

Canada’s Vancouver Metro disrupted by cyber attack

The Egregor ransomware operation has breached Metro Vancouver’s transportation agency TransLink, with the cyberattack causing disruptions in services and payment systems. TransLink announced that they were having issues with their information technology systems that affected phones, online services and the ability to pay for fares using a credit card or debit card. All transit services were unaffected by the IT problems.

"We are now in a position to confirm that TransLink was the target of a ransomware attack on some of our IT infrastructure. This attack includes communications to TransLink through a printed message," TransLink disclosed in a statement.

Egregor is the only ransomware known to run scripts that print bomb ransom notes to available printers. Egregor is a new organised cybercrime operation that partners with affiliates to hack into networks and deploy their ransomware. As part of this arrangement, affiliates earn 70% of ransom payments they generate, and the Egregor operators make a 30% revenue share. The affiliates who compromise a network are known to steal unencrypted files before encrypting devices with the ransomware. The hackers then use these stolen files as further leverage by telling victims their data will be publicly released if a ransom is not paid.

Covid-19 vaccine spear-phishing campaign

IBM's X-Force discovered a spear-phishing campaign targeting the Covid-19 vaccine cold chain – the link in the supply chain responsible for maintaining the vaccine's temperature during storage and transit. The campaign began in September and focused on organisations affiliated with the Vaccine Alliance's Cold Chain Equipment Optimization Platform (CCEOP) program. IBM reports that its targets included the European Commission’s Directorate-General for Taxation and Customs Union, as well as organisations within the energy, manufacturing, website creation and software and internet security solutions sectors. These are global organisations headquartered in Germany, Italy, South Korea, Czech Republic, greater Europe and Taiwan. The spear-phishing emails impersonated an employee at the legitimate cold-chain supplier Haier Biomedical, and contained HTML attachments designed to harvest credentials.

IBM's Claire Zaboeva told Reuters that the attackers expended "an exceptional amount of effort" in crafting the phishing lures, noting that "whoever put together this campaign was intimately aware of whatever products were involved in the supply chain to deliver a vaccine for a global pandemic."

Reuters also reported late last week that AstraZeneca, one of the leading Covid-19 vaccine developers, had been targeted by threat actors. The attackers approached AstraZeneca employees with bogus job offers on LinkedIn and WhatsApp, then sent them documents loaded with malicious macros. The attempts are thought to have been unsuccessful.

VMware security bug being exploited in the wild

The US National Security Agency (NSA) warns that state-sponsored threat actors are exploiting a recently patched VMware vulnerability to steal sensitive information after deploying web shells on vulnerable servers.

"NSA encourages National Security System (NSS), Department of Defence (DoD), and Defence Industrial Base (DIB) network administrators to prioritise mitigation of the vulnerability on affected servers," the US Defence Department's intelligence agency said.

VMware released security updates to address the security bug on 3 December after publicly disclosing the vulnerability two weeks ago and providing a temporary workaround that fully removes the attack vector and prevents exploitation. CVE-2020-4006 was initially rated as a critical severity vulnerability but VMware has lowered its maximum severity rating to "Important" after releasing a patch and sharing that exploitation requires a valid password for the configurator admin account. This account is internal to the impacted products and a password is set at the time of deployment.

A malicious actor must possess this password to attempt to exploit CVE-2020-4006. In attacks exploiting CVE-2020-4006, the NSA observed the threat actors connecting to the exposed web-based management interface of devices running vulnerable VMware products and infiltrating organisations' networks to install web shells using command injection. The agency recommends in the advisory [PDF] that "NSS, DoD and DIB network administrators limit the accessibility of the management interface on servers to only a small set of known systems and block it from direct internet access."

Microsoft seals highest US Government classification accreditation

Microsoft today announced Azure Government Top Secret, a new cloud service that meets government mission requirements. Microsoft is now working with the US Government on accreditation. Azure Government Top Secret regions will offer the same capabilities as Azure (commercial), Azure Government and Azure Government Secret. Government Secret is authorised by the DoD Impact Level 6 and Intelligence Community Directive (ICD) 503.

Microsoft execs noted that the consistency among its various flavours of Azure means it is easier for development to happen anywhere and code to be promoted seamlessly to enclaves with higher classification levels. In addition to Azure Government Top Secret, Microsoft today announced several new services in Azure Government Secret:

• Azure Kubernetes Service (AKS)
• Azure Container Instances
• Azure Sentinel
• Azure Security Center
• Azure Monitor

Job-seeking site Glassdoor vulnerable to attack

A security researcher has earned a $3,000 bug bounty by achieving site-wide cross-site request forgery (CSRF) on job-hunting website Glassdoor. By exploiting the vulnerability, attackers could take control of jobseeker profiles – enabling them to edit their profile, add or delete CVs, apply for jobs, or add reviews – and employer accounts, in which they could post or delete jobs. Taking the exploit one step further, an attacker had the potential to gain administrative privileges over a company’s Glassdoor account, although this would require some degree of social engineering, such as a phishing email.

The Indian researcher demonstrated the potential impact of the vulnerability to Glassdoor by seizing control of a jobseeker account, changing the name, and adding fictional job experience entries. The latest of numerous bugs unearthed by Tabahi on Glassdoor.com, the find netted him a $500 bonus on top of the maximum $2,500 reward for critical vulnerabilities under Glassdoor’s public bug bounty program.

Edited and compiled by QA's Director of Cyber, Richard Beck.

Subscribe to our weekly Cyber Pulse newsletter Find out about QA's extensive cyber-security courses