This Week in Cyber 10th February 2023

UK Second Most Targeted Nation After America for Ransomware

Cyber security firm Outpost24's KrakenLabs team have compiled a report of ransomware trends, threat groups, victim profiles and threat actor motives throughout 2022 and they identified 2363 victims who had been disclosed by ransomware groups in that time. Reviewing 101 different countries, they discovered that the US was a victim of 42% of these attacks, with the UK coming second at 6.5%. While this doesn't seem much on its own, Europe in its entirety only made up 28% of the total attacks. According to KrakenLabs, the most active ransomware group was Lockbit with 4x the amount of attacks of the second most prevalent actor, Blackcat at 800 to 200. This comprises 34% of the total attacks recorded last year. While critical infrastructure as a whole made up for 51% of total victims, the most targeted single sector was construction at 21.4%.

The EU Plan To Upgrade Cyber Security Laws

The EU Parliament and Council have approved the implementation of Network and Information Security Directive 2 (NIS 2.0), a new policy that aims to upgrade the EU's cybersecurity framework. NIS 2.0 will replace the original NIS Directive, which was introduced in 2016. NIS 2.0 will expand its coverage to include more sectors and increase baseline security requirements for member states, with a focus on critical infrastructure such as energy systems, health care networks, and transportation services. The directive also introduces new mechanisms for cooperation among national authorities and establishes a centre to coordinate response to major cyber-attacks, called the European Cyber Crises Liaison Organisation Network (EU-CyCLONe). The new policy is expected to help 160,000 entities improve their security and make Europe a safer place.

Huge Ransomware Campaign Targets 1000+ VMware ESXi Servers

On Friday 3rd February, CERT-FR disclosed information about a ransomware attack targeting VMware ESXi servers using a 2 year old vulnerability. The vulnerability, tracked as CVE-2021-21974 is rated high severity with a CVSS score of 8.8/10. This vulnerability is found within the OpenSLP (Open Service Location Protocol) software within ESXi versions 7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG and 6.5 before ESXi650-202102101-SG, and allows the threat actor to trigger a heap overflow and inject malicious code. This then enables them to load the ESXi Args Ransomware along with remote execution capabilities if port 427 (SLP) remains open on the victim system. CERT-FR also released figures with over 1000 systems being infected globally. The top 3 countries based on discovered infections are: France, with over 200, The US with around 190 and Germany with about 110. These are figures as of last week so it may well be more. It is recommended that anyone using ESXi upgrade to 7.0 ESXi70U1c-17325551 or later, 6.7 ESXi670-202102401-SG or later, and 6.5 ESXi650-202102101-SG or later.

New Vulnerability In Sunlogin Are Being Exploited By Hackers

Threat actors are using known vulnerabilities in the Sunlogin remote desktop software to deploy the Sliver C2 framework for post-exploitation activities, according to researchers from AhnLab Security Emergency response Center (ASEC). The attackers first exploit two remote code execution bugs in older versions of Sunlogin and then deliver Sliver or other malware such as Gh0st RAT or XMRig crypto coin miner. In some cases, the attackers also use the BYOVD malware to disable security products and install reverse shells. The BYOVD technique abuses a vulnerable Windows driver to gain elevated permissions and stop antivirus processes.