The Good, the Bad and the Ugly in Cybersecurity – Week 48

The Good

This week it was announced that INTERPOL and Group-IB joined forces in what was dubbed ‘Operation Falcon’, arresting three individuals in Lagos, Nigeria. The three are alleged to be connected to a larger organized crime group running mid-level Business Email Compromise (BEC) operations along with the associated phishing and malware distribution.

According to INTERPOL’s release, some 50,000 targeted victims have been identified so far; if history is any guide, many more are unknown or yet to be discovered. ‘Operation Falcon’ ran for roughly a year and was instrumental in tracking these criminals and in facilitating the exchange of threat and actor intelligence among the participating parties.

The criminal group was involved in the distribution of multiple commodity malware families including Nanocore, AgentTesla, LokiBot, Azorult and many others. Malicious emails were used either to link to the malware or to deliver it directly to the targets. All the standard social engineering lures were in play, including the typical ‘purchase order’ style phish. The criminals even used COVID-19-themed lures in some of their operations, making their actions that much more unsavory.

We applaud the efforts of INTERPOL and Group-IB, and encourage everyone to continue to be vigilant against these attacks and continue to cooperate where possible to keep bringing these criminals to justice.

The Bad

This week, the FBI updated an earlier flash alert, FLASH MU-000136-MW, regarding cyber actors targeting misconfigured SonarQube instances to access proprietary source code belonging to US government agencies and businesses.

Unknown actors have been targeting exposed SonarQube instances since at least April 2020. The common thread described in the FLASH is misconfiguration rather than a software flaw: instances left on the default port (9000), still using the default administrator credentials, and reachable from the internet. These are high-value targets because SonarQube stores a copy of every codebase it analyzes, in this case code belonging to both private entities and US Government agencies. Such sensitive data can be used by cybercriminals in a variety of ways, the most common being exfiltration for the purpose of extortion: as with modern ransomware campaigns, the attacker threatens to publish the stolen source code unless the victim complies with their demands.

The FLASH alert notes that there have already been multiple examples of data from these repositories being leaked into the public domain. The mitigations it recommends include:

  • Changing SonarQube’s default settings, including the default administrator username and password and the default port (9000).
  • Placing SonarQube instances behind a login screen (SonarQube’s ‘Force user authentication’ setting, which stops anonymous users from browsing projects), and checking whether unauthorized users have already accessed the instance.
  • Revoking any API keys or other credentials that were exposed in a SonarQube instance, where feasible.
  • Configuring SonarQube instances to sit behind the organization’s firewall and other perimeter defenses so they cannot be reached unauthenticated from the internet.
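
The first two items above are easy to verify from the outside, so here is a small audit script for checking your own instances. It is an added example for this post, not code from the FBI FLASH or from SonarSource. It uses three SonarQube Web API endpoints as we understand them (`/api/system/status` for fingerprinting, `/api/components/search_projects` for anonymous project browsing, and `/api/authentication/validate` with the out-of-the-box `admin/admin` login); the hostnames, version strings and canned responses in `make_fake_fetch` are constructed so the script runs offline, and the `fetch` argument lets you swap in the real HTTP client for a live check.

```python
"""Probe a SonarQube instance for the exposures described in the FBI FLASH:
default port 9000, anonymous project browsing, and default admin credentials.
Added example; endpoints are SonarQube's public Web API, sample data is constructed."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

DEFAULT_CREDS = ("admin", "admin")  # SonarQube's out-of-the-box administrator login


def http_fetch(url, auth=None, timeout=5):
    """Real fetcher: GET url, optionally with HTTP Basic auth; return (status, body)."""
    req = urllib.request.Request(url)
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def _json(body):
    """Parse a JSON body, returning {} on anything that is not valid JSON."""
    try:
        return json.loads(body)
    except ValueError:
        return {}


def audit_sonarqube(base_url, fetch=http_fetch):
    """Return a list of findings; an empty list means none of the checked exposures."""
    base = base_url.rstrip("/")
    findings = []

    # 1. Fingerprint: /api/system/status answers without authentication.
    status, body = fetch(f"{base}/api/system/status")
    if status != 200 or "version" not in _json(body):
        return ["not reachable or not a SonarQube instance"]

    # 2. Default port 9000 (the FLASH's first recommendation).
    if urllib.parse.urlparse(base).port == 9000:
        findings.append("listening on the default port 9000")

    # 3. Anonymous read access: with 'Force user authentication' off, the project
    #    list (and from there the stored source) is readable without logging in.
    status, body = fetch(f"{base}/api/components/search_projects")
    if status == 200:
        total = _json(body).get("paging", {}).get("total", 0)
        findings.append(f"anonymous users can browse projects ({total} visible)")

    # 4. Default administrator credentials: 'valid': true with admin/admin supplied
    #    means the server accepted that login.
    status, body = fetch(f"{base}/api/authentication/validate", auth=DEFAULT_CREDS)
    if status == 200 and _json(body).get("valid") is True:
        findings.append("default administrator credentials admin/admin accepted")
    return findings


def make_fake_fetch(exposed):
    """Constructed responses standing in for a live server (no network needed)."""
    def fetch(url, auth=None, timeout=5):
        path = urllib.parse.urlparse(url).path
        if path == "/api/system/status":
            return 200, '{"id":"demo","version":"8.5.1","status":"UP"}'
        if path == "/api/components/search_projects":
            if exposed:
                return 200, '{"paging":{"pageIndex":1,"pageSize":100,"total":42},"components":[]}'
            return 401, '{"errors":[{"msg":"Insufficient privileges"}]}'
        if path == "/api/authentication/validate":
            if exposed and auth == DEFAULT_CREDS:
                return 200, '{"valid":true}'
            return 200, '{"valid":false}'
        return 404, ""
    return fetch


def demo():
    """Audit a constructed exposed instance and a constructed hardened one."""
    exposed = audit_sonarqube("http://sonar.example.internal:9000", make_fake_fetch(True))
    hardened = audit_sonarqube("https://sonar.example.internal", make_fake_fetch(False))
    return exposed, hardened


if __name__ == "__main__":
    for label, result in zip(("exposed", "hardened"), demo()):
        print(label, "->", result or ["no exposures found"])
```

Run it as-is to see the two constructed cases, or call `audit_sonarqube("http://your-host:9000")` against an instance you own to use the real `http_fetch`. A clean result only covers the three checks above; the FLASH’s remaining items (revoking exposed keys, reviewing access logs, firewalling the host) still need to be done by hand.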

We encourage all SonarQube users to review the FLASH releases and apply the recommended mitigations to stay safe and secure!

The Ugly

School districts and related entities have always been targets of malware attacks; however, there has been a noticeable uptick in ransomware attacks against schools and district administration infrastructure recently.

This week, news broke of the Baltimore County Public Schools district being “crippled” by a ransomware attack (early reports suggest Ryuk may be responsible), which effectively shut down schools for all 115,000 students on Wednesday. And Baltimore is not alone. Many schools and school districts appear on the victim lists of ransomware operators’ public leak sites; Egregor operators posted Spring ISD in Houston just this past week as well.

If we go back a little bit in history, we can also see other concerning examples:

  • Way House School – Maze
  • Fairfax County Public Schools – Maze
  • Clark County School District – Maze
  • Toledo Public Schools – Maze
  • Spring ISD – Egregor
  • Horry County Schools – CryptoLocker
  • Monroe County School District – GandCrab
  • Ouachita School District, Louisiana – Ryuk
  • Morehouse Parish School District – Ryuk
  • Rockville Centre School District – Ryuk
  • Houston County Schools – Ryuk
  • Cherry Hill School District – Ryuk
  • Las Cruces Public School District – Ryuk
  • Maine School Administrative District #6 – Ryuk
  • Crystal Lake Community High School District 155 – Ryuk
  • Mountain View Los Altos Union High School District – REvil
  • Havre Public Schools – Ryuk
  • Haywood County School District – SunCrypt

That is just a small subset. Unfortunately, school and related infrastructure is often ‘low hanging fruit’ for the bad guys, as it is not uncommon for exposed school networks to be behind on patching or otherwise unprotected.

Ironically, one way to improve this situation is education. We encourage those in our community and industry to reach out to the owners of education-related infrastructure and advise them on where the risks are, how to reduce exposure, where to concentrate detective and preventive controls for the greatest effect, and more. The bad guys are not going to stop, so it is up to us to stay ahead of them.