Cybersecurity News & Trends for June 3, 2022

Curated stories about cybersecurity news and trends from major news outlets, trade pubs and infosec bloggers.

A fresh batch of articles for SonicWall News surfaced this week from nearly every business sector, plus quotes from SonicWall CEO and President, Bill Conner, and General Director of SonicWall in Iberia, Sergio Martínez. Our biggest problem this week for Industry News was deciding what to leave out. From Forbes, a guide on how to inspire your employees to care about cybersecurity. From Bleeping Computer, ransomware gang Black Basta attacks VMware ESXi servers. Then from the BlackBerry Threat Vector blog, a new Linux malware called “Symbiote” that’s almost impossible to detect. Next, from Dark Reading, the Emotet banking trojan resurfaces—and skates past email security. And finally, a compiled reading from CNN, MIT Technology Review, and PC Magazine on Chinese hackers breaking into “major” telecom firms.

As always, click through to the links in the headlines to see the full stories from our sources. And remember, cybersecurity is everyone’s business. Be safe!

SonicWall News

An Update from SonicWall on ICSA Certification

Security Brief (Asia), SonicWall in the News: Ken joins us today to discuss SonicWall’s recent ICSA certification and also current threat detection research that is currently taking place.

How Can Small Businesses Protect Themselves from Cyber Threats?

Insurance Business America, Threat Report Mention: Separate data gathered by cybersecurity firm SonicWall has shown that there were almost 421.5 million ransomware attempts against US businesses in 2021 – a figure that dwarfed that of second-placer Germany, which registered about 34.3 million hits.

An Update From SonicWall On ICSA Certification

Security Brief (Asia), SonicWall news: “Ken joins us today to discuss SonicWall’s recent ICSA certification and also current threat detection research that is currently taking place.”

How Can Small Businesses Protect Themselves from Cyber Threats?

Why is Ransomware Getting the Better of Us?

Security Boulevard, Threat Report Mention: The ransom crisis is particularly bad in the UK. A SonicWall report found that UK-based organizations faced the second-highest number of ransomware attacks in the world in the first half of 2021. According to SonicWall, ransomware attacks increased by 234% across Europe in that time, while CyberEdge’s 2022 Cyberthreat Defense Report found that 80% of UK organizations had been successfully targeted in the past year.

Special Cloud Security

ComputerWorld CSO (Spain), SonicWall Quote: Sergio Martínez, general director for Iberia at SonicWall, gives his vision, in the gallery Ensuring the availability of information, the pillar of the contingency plan, on new security strategies in a context in which there are more and more devices connected to business networks.

Ransomware Losses, Frequency Increase Rates: Howden

Business Insurance, Threat Report Mention: London-based Howden Broking Group Ltd. said in its report that the annualized number of globalized ransomware incidents was up 235% in 2021 compared with 2019, and average U.S. ransom payments increased by 370% over the same period. It was citing data from San Jose, California-based cybersecurity company SonicWall Inc. and ransomware incident response company Westport, Connecticut-based Coveware Inc.

Contractors Beset by Ransomware Threats Have Too Few Options

Bloomberg Law, Bill Conner Quote: The contracting community is aware of the confusion. Chester Wisniewski at Sophos, Carolyn Crandall at SentinelOne, and Bill Conner at SonicWall all outlined suggestions to Bloomberg Government in a series of interviews. Conner, SonicWall’s president and CEO, said he wants the government to install so-called “cyber czars” at each federal agency to better streamline communication.

SonicWall Recognizes APAC Partners and Distributors at FY2022 Partner Awards

Channel Life (Australia), SonicWall News: SonicWall has recognized its distributors and partners for their efforts in producing the company’s most successful year to date. The recent SonicWall FY2022 Partner Awards recognized companies for their commitment to demonstrating excellence, innovation and leadership in cybersecurity during the fiscal year. They are also thanked for continuing to drive digital transformation for businesses that leverage SonicWall solutions.

Industry News

Inspire Your Employees to Care About Cybersecurity

Forbes: We spent a lot of time talking about how humans are the weak link in cybersecurity. First, let’s recognize that a company’s employees are a significant vulnerability due to the increasing complexity and threat of cybersecurity. With more than 15 billion devices in circulation, including computers, servers and mobile phones operating worldwide—digital fluency and literacy remain challenges in the transforming cybersecurity landscape.

Many functions are performed by devices that we don’t even know about. These functions include tracking and storing location information, saving passwords and sharing information with apps, and listening to our conversations. Today, organizations have greater responsibility for cybersecurity to protect their interests and that of their employees.

It is essential to communicate basic cybersecurity expectations to raise awareness. For example, employees need to be familiarized with complex password requirements, multi-factor authentication (2FA/multi-factor authentication), screen locks, and the importance of keeping current with software updates. Understanding cybersecurity requires that you know the basics.

If your team is not in person, create attention-grabbing graphics that include slogans and statistics about the company’s cybersecurity policies. Then, share the policies by any means throughout the workforce environment. Growing threats means educating employees about cyber threats while taking steps to protect their data.

Black Basta Ransomware Attacks VMware ESXi Servers

Bleeping Computer: Black Basta is the latest ransomware gang that supports encryption of VMware ESXi virtual machine (VM) on enterprise Linux servers. Ransomware groups have been focusing their attacks on ESXi VMs because this strategy aligns with their enterprise targets. They can encrypt multiple servers faster with one command. So it makes sense to encrypt VMs, as many companies recently switched to virtual machines. From purely a business perspective, hackers now have the dual benefits of simpler device management and more efficient resource use.

Linux ransomware encryptions are not new. BleepingComputer has reported similar encryptions by numerous other gangs, including LockBit and HelloKitty, BlackMatter and REvil, AvosLocker and RansomEXXX.

However, Black Basta’s ransomware will search for the /vmfs/volumes containing the virtual machines stored on compromised ESXi server servers. And if no such folders are present, the ransomware exits. Additionally, this encryptor does not have command-line arguments that can target other encryption paths, indicating that it is only designed to target ESXi servers.

Ransomware employs the ChaCha20 algorithm for encrypting files. Additionally, multithreading is used to speed up encryption by using multiple processors.

The ransomware will encrypt encrypted files by adding the .basta extension and creating ransom notes called readme.txt within each folder. Notes include a chat support panel link, which unique ID victims can use to communicate directly with the attackers.

Symbiote — The New Linux Malware That’s Almost Impossible To Detect

BlackBerry ThreatVector Blog: As if Linux’s malware problems couldn’t get any worse, recent reports have revealed that Symbiote is a new type of Linux malware that’s “almost impossible to detect.”

This rootkit-level hack is being called Symbiote by the research team, which includes lead members from Intezer and BlackBerry. It has the parasitic ability to act like a shared object (SO) and loads on all processes via LD_PRELOAD native function. This is why it’s so terrible.

Researchers say the shared object library “parasitically compromises” a target machine. Once its claws are embedded deep in the system, malware gives attackers rootkit functionality.

Researchers discovered the first sample in November 2021. It appears that it was created to attack Latin American financial institutions. Researchers aren’t sure if Symbiote has been used in broad or targeted attacks because it is still new malware. However, Symbiote is full of interesting features. The malware employs Berkeley Packet Filter hooking (BPF), a function that hides malicious traffic from infected machines. BPF is also used in malware created by Equation Group. BPF bytecode can be injected into the kernel to determine which packets are captured. Administrators use BPF to start any packet capture software on infected machines. Symbiote then adds its own bytecode to the kernel to filter out any network traffic it does not want the packet-capturing program to see.

Symbiote can facilitate everything, from data scrapes to backdoors. Hackers can use Symbiote to stealthily harvest credential information from hacked Linux devices by hooking the “libcread” function. This is an important mission for targeting Linux servers in high-value networks. Hackers can gain unimpeded lateral movement and unlimited access by stealing administrator account credentials. Symbiote allows remote SHH access for its operators via the PAM service. It also allows the threat actor or a hacker to gain root privileges.

Many IT and cybersecurity bloggers have reported on this story. Keep an eye out for new developments.

Emotet Banking Trojan Resurfaces, Skates Past Email Security

Dark Reading: After being taken down by a joint international task force in January 2020, the malware botnet Emotet is back in an advanced form. The Emotet malware was a prolific threat during the pandemic. It originated as a trojan for banks in 2014. Its creators were the first to offer malware-as-a-service (MaaS) to criminal organizations.

Although it still uses many of the same attack methods it used in the past, Emotet has seen a rise in its ability to collect and use stolen credentials. According to the report, hackers can use these stolen credentials to distribute malware binaries. In addition, attackers are using hijacked email threads to use those accounts as a launch pad and trick victims into activating macros in attached malicious office documents.

Emotet also uses 64-bit shell code, advanced PowerShell and more advanced active scripts. Nearly a fifth of malicious samples exploits the 2017 Microsoft vulnerability CVE-2018-11882.

The attacks were mainly focused on Japan’s victims, but the focus has shifted to targets in the United States of America and Italy since March.

Chinese Hackers Breach “Major” Telecom Firms

Compiled Reading: The report is compiled from multiple sources offering a slightly different perspective: CNN, MIT Technology Review, and PCMagazine.

First, CNN’s headline: Chinese government-backed hackers have breached major telecommunications companies, among other targets, the US CISA warned this week. Cyber defenders often overlook these devices as they struggle to keep up with the routine software patching of Internet services and endpoint devices. CISA, FBI, and NSA did not identify the hackers; the advisory appears to focus on getting organizations aligned on security measures and updating their software and equipment. CNN named devices manufactured by Cisco, Fortinet, or other vendors.

MIT Technology Review included Netgear and Citrix security vendors. All vulnerabilities were publicly known, including a five-year-old critical flaw in Netgear equipment that allows attackers to bypass authentication checks to execute any code they want. This will enable them to take over the entire device and gain unrestricted access to the victim’s network. MIT says the campaign’s success shows how dangerous software flaws can be even after being made public. Zero-day attacks—hacks exploiting previously unknown weaknesses—pack a punch and demand our full attention. Plus, known flaws are still dangerous because it can be hard to update and secure networks and devices with limited resources, personnel and money.

PCMagazine stated that the vulnerabilities allowed actors to access victim accounts via publicly available exploit codes against VPN services and public-facing applications without using any unique or identifying malware.