US introduces bills to secure critical infrastructure from cyber attacks

The US House Committee on Homeland Security on Monday passed five bipartisan bills intended to bolster defences against cyber attacks targeting US organisations and critical infrastructure. The bills are a direct result of the Committee's oversight of recent cyber attacks, including the ransomware attack that forced Colonial Pipeline to shut down the largest US fuel pipeline. Although Colonial Pipeline reportedly paid a $5 million ransom, the shutdown still caused widespread fuel shortages across several north-eastern states. The bills are also designed to make it easier to defend networks against attacks that exploit critical security vulnerabilities, such as those abused in the campaigns against vulnerable Microsoft Exchange Server and Pulse Connect Secure devices earlier this year.

"Since the beginning of this Congress, this Committee has engaged in extensive oversight of these events and how the Federal government partners with others to defend our networks. The legislation we reported today was the result of this oversight. I am pleased that they received broad bipartisan support and hope they are considered on the House floor in short order," said Chairman Bennie G. Thompson.

"Other measures passed in today’s markup include bills to help State and Local governments protect their networks, provide critical infrastructure owners and operators with mitigation strategies against critical vulnerabilities, and establish a national cyber exercise program to promote more regular testing of preparedness and resilience to cyber-attacks against critical infrastructure," the Committee said in a press release.

The five bipartisan bills introduced include:

Norway energy provider shut down in ransomware attack

Norway-based green energy solutions provider Volue has been working to restore systems after being targeted in a ransomware attack. The attack was discovered on 5 May, when Volue said some of its operations had been impacted. The company shut down affected applications and began restoring systems. It said all data had been backed up in the cloud and that the backups were not affected by the attack. The attack involved the notorious Ryuk ransomware, whose operators demand a ransom after encrypting a company's files. However, they do not appear to operate a leak site where data stolen from victims who refuse to pay is published, a fact Volue pointed out following the attack. It also noted that Ryuk operators are "not known for performing supply chain attacks".

Volue's investigation is ongoing, but so far it has found no evidence of data exfiltration, whether of personal data or "energy-sensitive data". The firm said the attack targeted systems in the Powel domains, while the Volue domain did not appear to be compromised. The ransomware attack on Volue came just days before Colonial Pipeline, the largest refined-products pipeline in the United States, said it was forced to shut down operations because of a ransomware attack. That attack involved the Darkside ransomware and had significant consequences: states declared emergencies, motorists panic-bought fuel over fears of a supply shortfall and caused temporary shortages, and fuel prices rose.

Threat actors are abusing the Microsoft Build Engine

Threat actors are abusing the Microsoft Build Engine (MSBuild) to deploy remote access tools (RATs) and information-stealing malware filelessly as part of an ongoing campaign. MSBuild (msbuild.exe) is a legitimate, open-source Microsoft build platform, similar to the Unix make utility, for building applications; it can also compile and run C# "inline tasks" defined directly inside a project file, which is what makes a signed Microsoft binary usable as a loader. As Anomali's Threat Research team observed, the malicious MSBuild project files delivered in this campaign bundle encoded executables and shellcode that the threat actors use to inject the final payloads into the memory of newly spawned processes.

"While we were unable to determine the distribution method of the .proj files, the objective of these files was to execute either Remcos or RedLine Stealer," Anomali intelligence analysts Tara Gould and Gage Mele said.

Because msbuild.exe is a signed, legitimate Microsoft tool, running the loader through it lets the attackers evade many detection controls while their malicious payloads are loaded directly into the targeted computer's memory. Malware samples used in this campaign are either undetected or flagged by only a very small number of anti-malware engines, according to VirusTotal. The fileless approach further reduces the chance of discovery: the decoded payloads are never written to disk, so beyond the project file itself the infected machine's drive holds no trace of them.

Irish Health System Hit by ‘significant’ ransomware attack

Ireland's national health service, the Health Service Executive (HSE), temporarily shut down its IT systems today after suffering a ransomware attack overnight. The organisation, which is in the midst of its Covid-19 vaccination programme, said the attack did not impact its ability to provide urgent medical care but that some routine appointments and services might be delayed or cancelled. The HSE described the incident as "significant" and "human-operated", a term for intrusions in which operators deploy the ransomware manually after working their way through the network, rather than relying on self-spreading malware, and which typically target large, carefully selected organisations.

In a morning radio show with public broadcaster RTE, HSE Chief Executive Paul Reid said the agency’s IT teams are currently investigating the incident to find out its breadth. In a different radio show, Reid identified the ransomware gang behind the attack as Conti, a ransomware gang that started operating in the summer of 2020.

Bizarro banking trojan steals bank details from customers in Brazil and Europe

Bizarro is a newly discovered banking trojan that harvests online-banking logins from Windows users. The malware originated in Brazil and targets customers of 70 banks in South America (mostly Brazil) and Europe (Spain, Portugal, France and Italy). According to an analysis by Kaspersky, Bizarro aims to steal online banking credentials and also hijacks Bitcoin payments. It is distributed as Microsoft Installer (MSI) packages, which victims are believed to download directly from malicious links in spam emails or to receive via a trojanised app. After installation, it terminates all running browser processes to end any existing sessions with online banking websites. This forces the user to sign back in, allowing the malware to harvest the credentials.

Moreover, to increase its chances of success, the trojan disables the browser's autocomplete feature and even displays fake pop-ups to steal 2FA codes. It can capture the user's screen and continuously monitors the system clipboard for a Bitcoin wallet address; if it finds one, it swaps it for a wallet controlled by the malware operators.

UK recruitment company data exposed

UK recruitment firm FastTrack Reflex Recruitment has joined the growing list of companies that have leaked data through a misconfigured AWS S3 bucket. The breach mainly affects job applicants whose CVs, containing personal information, were exposed, reports the research team at Website Planet. Attached to many CVs were applicants' identity documents, including passports, citizen ID cards, driving licences and skilled worker IDs. All of this constitutes direct and indirect applicant PII.

It is worth noting that configuring the bucket is the responsibility not of Amazon but of the customer, FastTrack, that uses it as cloud storage: under AWS's shared responsibility model, access control on stored data sits with the account owner. The bucket, according to Website Planet's blog post, held 21,000 client files (including duplicates), about 5GB of data, left accessible to any hacker or cyber criminal who found it. The exposure was first discovered on 29 December 2020 by the Website Planet research team; the company was contacted on 15 and 17 January 2021 but replied only on 17 March, after several further attempts, and the bucket was secured on 23 March 2021.
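The check a bucket owner should be running is simple enough to show. The following is an added example written for this page, not tooling from Website Planet or anything known about FastTrack's actual configuration: it evaluates a bucket policy and the bucket's Public Access Block settings offline and reports whether anonymous callers can read objects. The two policies and the account ID, role and bucket names in them are constructed for the example.

```python
"""Offline check of an S3 bucket policy plus the bucket's Public Access Block
settings for anonymous read access. Added example: the policies and settings
below are constructed by the editor and are not FastTrack's configuration."""
import json

# Actions that let an anonymous caller list or download objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """Policy fields such as Statement, Action and Principal.AWS may be a
    single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} grants to everyone, authenticated or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_read_statements(policy):
    """Return (Sid, has_condition) for every Allow statement that grants a
    read action to an anonymous principal. A Condition may narrow the grant
    (e.g. to a VPC endpoint), so it is reported for review rather than trusted."""
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            hits.append((stmt.get("Sid", "<no Sid>"), bool(stmt.get("Condition"))))
    return hits


def assess_bucket(policy, public_access_block):
    """Combine policy findings with Public Access Block. RestrictPublicBuckets
    makes S3 ignore public grants in an existing policy; BlockPublicPolicy only
    stops new public policies being attached, so it is not a fix on its own."""
    hits = public_read_statements(policy)
    if not hits:
        return "private"
    if public_access_block.get("RestrictPublicBuckets"):
        return "public-policy-neutralised"
    if all(has_condition for _, has_condition in hits):
        return "conditional-public-review"
    return "PUBLIC"


# Constructed: the classic "anyone can list and read every object" mistake.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicReadGetObject",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-cv-store", "arn:aws:s3:::example-cv-store/*"]
  }]
}""")

# Constructed: the same grant scoped to one application role; everyone else
# is denied by default. Account ID and role name are placeholders.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppRoleReadOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/RecruitmentApp"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-cv-store/*"
  }]
}""")

# Public Access Block as it should be on a bucket holding applicant documents.
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print("weak policy, no PAB:     ", assess_bucket(WEAK_POLICY, {}))
    print("weak policy, hardened PAB:", assess_bucket(WEAK_POLICY, HARDENED_PAB))
    print("hardened policy:         ", assess_bucket(HARDENED_POLICY, HARDENED_PAB))
```

In a real audit the inputs come from `aws s3api get-bucket-policy` and `aws s3api get-public-access-block`. Bucket and object ACLs are the other route to an exposed bucket and are not covered by the policy check; `BlockPublicAcls` and `IgnorePublicAcls` in the Public Access Block close that route.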

Google Chrome makes it easier to update compromised passwords

Google is launching a new capability in Chrome that alerts users when a saved password has been compromised and automates changing it. The feature runs on Google's Duplex technology and will roll out gradually, starting with Chrome for Android. It will be used to help people create strong new passwords for supported websites and applications when Chrome determines their credentials have appeared in a known leak. The browser has been able to check saved passwords against known breaches for a few years now.

When someone checks their passwords and Chrome finds one has been compromised, the new capability shows a "change password" button from Google Assistant. Tapping it starts the automated process of changing the password for that site. Users can also change the password manually from the start or take over midway through the automated flow. Google says automatic password changes will first be available in Chrome on Android for users in the US, with more websites and countries to follow in the coming months.
