Please see Security Advisories for the week ending May 21, 2021
- CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware
- Cisco Releases Security Updates for Multiple Products
- Emergency Notification About Ransomware has been made
________________________________
CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware
Situation
CISA and the Federal Bureau of Investigation (FBI) have updated Joint Cybersecurity Advisory AA21-131A: DarkSide Ransomware: Best Practices for Preventing Disruption from Ransomware Attacks.
Problem
A pipeline company was recently disrupted by the DarkSide ransomware, which is operated by a cybercrime syndicate. The syndicate has been observed gaining initial access through phishing and by exploiting remotely accessible systems and accounts, and using RDP to maintain persistence. Once inside, the actors deploy DarkSide to exfiltrate sensitive data and encrypt systems, then hold the stolen and encrypted data for ransom.
Implication
Organizations that have not implemented the advisory's mitigations where appropriate remain exposed to DarkSide and to similar ransomware campaigns.
Need
The updated AA21-131A includes a downloadable STIX file of indicators of compromise (IOCs) that network defenders can load into their tooling to detect and mitigate activity associated with DarkSide ransomware.
For a brief overview:
For a more technical overview:
https://us-cert.cisa.gov/ncas/alerts/aa21-131a
________________________________
Cisco Releases Security Updates for Multiple Products
Situation
Cisco has published security updates addressing numerous vulnerabilities in several products, including Cisco Prime Infrastructure, Cisco Evolved Programmable Network Manager, and the Cisco Modeling Labs web UI.
Problem
Several of these vulnerabilities could allow a remote attacker to take control of an affected system, use the device as a pivot point into the network, or cause a denial of service.
Implication
Unpatched systems could be taken over by an attacker, compromising the integrity of the system and of the network it sits on.
Need
Cisco advises updating affected software and hardware to the latest fixed releases. Because several separate advisories were published, follow the Cisco link below to confirm that every affected product in your environment has been patched.
For a brief overview:
For a more technical overview:
https://tools.cisco.com/security/center/publicationListing.x
________________________________
Emergency Notification About Ransomware has been made
Situation
There appears to be a surge in Ryuk ransomware activity from the cybercriminal group Wizard Spider. A France-based IP address, 95.179.219.169, associated with Ryuk has recently been observed attempting connections to U.S.-based companies.
Problem
Wizard Spider first scans target networks for exploitable vulnerabilities and runs phishing campaigns to install the TrickBot and BazarLoader trojans, which give the actors remote access to infected machines. From there they move laterally across the network, stealing credentials and harvesting unencrypted data from workstations and servers. Once the group has gathered enough data and obtained Windows domain credentials, it deploys Ryuk across the domain to encrypt every reachable device. Ryuk is built for enterprise environments and can take an entire company offline in minutes.
Implication
A successful Ryuk deployment can cripple or completely take down an entire company's network.
Need
We recommend the following actions be taken:
• Consider blocking the IP address 95.179.219.169 on your firewalls, and check firewall and proxy logs for any past connections to it.
• If your firewalls support geo-fencing, block traffic from any countries that are not required for business operations.
• Treat unexpected emails with suspicion, even those that appear to come from people you know, internally or externally. Check the spelling and the sending domain before acting on them.
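As an added example (not code from CISA, Cisco, or this bulletin), the following Python script shows how a defender could act on both the DarkSide and the Ryuk items above: it pulls indicators out of a STIX 2 bundle in the shape of the file attached to AA21-131A, adds the Ryuk IP address as a local indicator, and sweeps firewall, proxy and EDR log lines for matches. The bundle, its hashes and domains, and the log lines are all constructed placeholders (RFC 5737 documentation addresses and a .example domain); only 95.179.219.169 is taken from the bulletin. The pattern parser handles plain equality comparisons, which is what IOC feeds of this kind normally contain, and reports any other pattern for manual review rather than silently dropping it.

```python
"""Extract IOCs from a STIX 2 bundle, add local indicators, and sweep log lines.

Added example, not code from CISA or this bulletin. All bundle content and log
lines below are constructed placeholders except the Ryuk IP 95.179.219.169.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

PLACEHOLDER_SHA256 = "0123456789abcdef" * 4  # constructed, not a real sample hash

# Constructed bundle in the shape of the STIX 2.1 file attached to AA21-131A.
# Addresses are RFC 5737 documentation ranges; ids are shortened for readability.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--example",
    "objects": [
        {"type": "indicator", "id": "indicator--1", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.10' OR ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "id": "indicator--2", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '%s']" % PLACEHOLDER_SHA256.upper()},
        {"type": "indicator", "id": "indicator--3", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'updates.malicious.example']"},
        # Regex-style pattern: not a plain IOC, so it is reported rather than parsed.
        {"type": "indicator", "id": "indicator--4", "pattern_type": "stix",
         "pattern": "[process:command_line MATCHES '.*vssadmin.*']"},
        {"type": "malware", "id": "malware--1", "name": "DarkSide"},  # not an indicator
    ],
})

# Constructed log lines: firewall, web proxy, and EDR. Line 4 is benign.
SAMPLE_LOGS = [
    "2021-05-19T14:02:11Z fw01 ACCEPT src=10.0.5.23 dst=95.179.219.169 dport=443 proto=tcp",
    "2021-05-19T14:03:40Z proxy01 client=10.0.5.23 GET http://updates.malicious.example/update.bin 200",
    "2021-05-19T14:05:02Z edr01 host=WS0452 image=svc.exe sha256=" + PLACEHOLDER_SHA256.upper(),
    "2021-05-19T14:06:00Z fw01 ACCEPT src=10.0.5.9 dst=192.0.2.44 dport=443 proto=tcp",
]

# One STIX comparison expression: <object-type>:<property path> = '<value>'
_COMPARISON = re.compile(r"([\w-]+):([\w.'-]+?)\s*=\s*'([^']*)'")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")


def _classify(obj_type: str, prop: str) -> str:
    """Map a STIX object/property pair to the IOC kind used for matching."""
    if obj_type == "ipv4-addr" and prop == "value":
        return "ip"
    if obj_type == "domain-name" and prop == "value":
        return "domain"
    if obj_type == "url" and prop == "value":
        return "url"
    if obj_type == "file" and prop.startswith("hashes."):
        return "hash"
    return "other"


def extract_iocs(bundle_json: str) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Return ({kind: values}, [indicator ids whose pattern was not parseable])."""
    iocs: Dict[str, Set[str]] = defaultdict(set)
    unparsed: List[str] = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        comparisons = _COMPARISON.findall(obj.get("pattern", ""))
        if not comparisons:
            unparsed.append(obj["id"])
            continue
        for obj_type, prop, value in comparisons:
            kind = _classify(obj_type, prop)
            # Hashes and domains are case-insensitive; normalise once here.
            iocs[kind].add(value.lower() if kind in ("hash", "domain") else value)
    return dict(iocs), unparsed


def add_local_iocs(iocs: Dict[str, Set[str]], extra: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Merge locally sourced indicators (e.g. from this bulletin) without mutating the feed."""
    merged = {kind: set(values) for kind, values in iocs.items()}
    for kind, values in extra.items():
        merged.setdefault(kind, set()).update(values)
    return merged


def scan_logs(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, kind, value) for every IOC seen in the log lines."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for ip in _IPV4.findall(line):
            if ip in iocs.get("ip", set()):
                hits.append((n, "ip", ip))
        for digest in _SHA256.findall(line):
            if digest.lower() in iocs.get("hash", set()):
                hits.append((n, "hash", digest.lower()))
        lowered = line.lower()
        for domain in sorted(iocs.get("domain", set())):
            # Whole-label match so a domain does not hit a longer name that merely contains it.
            if re.search(r"(?<![\w.-])" + re.escape(domain) + r"(?![\w-])", lowered):
                hits.append((n, "domain", domain))
    return hits


if __name__ == "__main__":
    feed, unparsed = extract_iocs(SAMPLE_BUNDLE)
    all_iocs = add_local_iocs(feed, {"ip": {"95.179.219.169"}})
    for n, kind, value in scan_logs(SAMPLE_LOGS, all_iocs):
        print(f"line {n}: {kind} indicator {value}")
    for indicator_id in unparsed:
        print(f"manual review needed, unsupported pattern: {indicator_id}")
```

To use it against the real advisory, replace SAMPLE_BUNDLE with the contents of the STIX file downloaded from the AA21-131A page and SAMPLE_LOGS with exported firewall, proxy, or EDR records. Keeping the bulletin's IP in a separate local set, rather than editing the CISA feed, makes it easy to refresh the feed later without losing locally added indicators.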
For additional information please check out the link below: