Cybersecurity News & Trends for September 9, 2022

A curated collection of the top stories about cybersecurity news and trends that really matter most.

From Industry News, a new and ominous warning from CISA and the FBI about the vulnerability of U.S. schools to ransomware just as the school year is kicking off; this story has contributions from the SonicWall Threat Report, NPR, and ABC News. Next, the reconstituted Conti members are working under the banner of the group Initial Access Brokers, or IAB; a story with contributions from Dark Reading and The Verge. SpiceWorks reported on a new attack on another ransomware attack on InterContinental Hotels that affected 4,000 guests. ARS Technica reports that a new wave of data-destroying ransomware attacks that are hitting QNAP NAS devices. Fierce Healthcare reports on warnings about “exceptionally aggressive Hive ransomware” activity. Spiceworks is writing about the Ransomware as a Service (RaaS) ecosystem. And Infosecurity offers a comprehensive report on the Ragnar locker ransomware attack that targeted Greece’s natural gas supplier, DESFA.

Remember that cybersecurity is everyone’s business. Be safe out there!

SonicWall News

The Best Defense Is a Good Defense

ComputerWeekly (Spain), SonicWall Byline: In cybersecurity, building the best possible defense also means incorporating some offensive strategies to gain intelligence about attackers and understand how they try to penetrate systems, says SonicWall.

SonicWall Boosts Wireless Play with Ultra-High-Speed Wi-Fi 6 Access Points

AIthority, Threat Report Mention: SonicWall announced the introduction of the new Wi-Fi 6 wireless security product line, which provides always-on, always-secure connectivity for complex, multi-device environments. Powered by Wi-Fi 6 technology, the new SonicWave 600 series wireless access points, coupled with Wireless Network Manager (WNM) 4.0, enable organizations to automatically secure wireless traffic while boosting performance and simplifying connectivity.

Uber’s Ex-Security Chief Faces Landmark Trial Over Data Breach That Hit 57m Users

The Guardian, Threat Report Mention: The trial will play out as reports of ransomware attacks continue to rise. In 2021, the US saw a more than 95% increase in ransomware attacks, according to the threat intelligence firm SonicWall. Many of those attackers have targeted healthcare facilities and schools. Hackers targeted the Los Angeles Unified School District (LAUSD), the second-largest school district in the US, with a cyber-attack over Labor Day weekend.

Public Transport Group Go-Ahead Hit by Cyber Attack

Financial Times, Threat Report Mention: There were 2.8bn known malware attacks in the first half of the year, up 11 percent, according to cyber security company SonicWall.

Kansas Most at Risk for Malware Attacks

Fox 4 News Kansas City, SonicWall News: SonicWall reports that malware dropped 4% year over year in 2021, with a total of 5.4 billion hits reported by the firm’s devices around the world. The company detected 2.9 billion malware hits on their US sensors in 2021. Florida saw the most malware hits with 625 million in 2021. The state didn’t appear on the latest list, indicating that these attacks can be successfully thwarted by technologies like antivirus software and firewalls.

Our Success Is Based on The Philosophy of Knowledge Building And Sharing

Digital Terminal (India), SonicWall News: Commenting on the increasing cyber incidents, Debasish Mukherjee, Vice President, Regional Sales APJ, SonicWall Inc said, “Across the globe, we saw that pandemic while stretched companies’ networks, accelerated their digital transformation, on the downside exposed them to more cybercrime. Cybersecurity has become much more important in today’s times than ever before. The global cyber security market is estimated to record a CAGR of 10.5% over the forecast period of 2022 to 2032.”

SonicWall Boosts Wireless Play with Ultra-High-Speed Wi-Fi 6 Access Points

European Business Magazine, SonicWall News: SonicWall today announced the introduction of the new Wi-Fi 6 wireless security product line, which provides always-on, always-secure connectivity for complex, multi-device environments.

SonicWall Boosts Wireless Play with Wi-Fi 6 Access Points

Electronic Specifier, SonicWall News: SonicWall has announced the introduction of the Wi-Fi 6 wireless security product line, which provides secure connectivity for complex, multi-device environments.

SonicWall Ships Wi-Fi 6 Wireless Access Points

Channel Pro Network, SonicWall News: SonicWall has introduced a pair of remotely manageable Wi-Fi 6 access points designed to secure wireless traffic while boosting performance and simplifying connectivity. The SonicWave 641 and SonicWave 681, part of the vendor’s new SonicWave 600 series, are based on the 802.11ax standard, which according to SonicWall can increase overall wireless throughput by up to 400% compared to Wi-Fi 5 technology and reduce latency by up to 75%.

10 States Most at Risk for Malware Attacks

Digital Journal, SonicWall News: Malware attacks—when an intruder tries to install harmful software on the victim’s computer without their knowledge—are a huge problem around the world. Beyond Identity collected data from the 2022 SonicWall Cyber Threat Report to rank the top 10 US states that are the most at risk for malware attacks.

Managing Risk: Cloud Security Today

Silicon UK, Bill Conner Quoted: GCHQ advisor and cybersecurity veteran at SonicWall, Bill Conner, commented on the rise in attacks: “We are dealing with an escalating arms race. At the same time, threat actors have gotten better and more efficient in their attacks. They are now leveraging readily available cloud tools to reduce costs and expand their scope in targeting additional attack vectors. The good news is, that the cybersecurity industry has gotten more sophisticated in identifying and stopping new ransomware strains and protecting organizations.”

Norway’s Oil Fund Warns Cybersecurity is Top Concern

The Financial Times, Bill Conner Quoted: Perpetrators can range from private criminal groups to state-backed hackers. Russia, China, Iran and North Korea are the most active state backers of cyber aggression, according to Bill Conner, executive chairman at SonicWall. “As sanctions go up, the need for money goes up as well,” he said. A cyber security expert who advises a different sovereign wealth fund said the “threat landscape” for such groups was “massive.” “When it comes to ransomware, about half of network intrusions are phishing attempts and the other half are remote access attacks using stolen credentials. You’ve also got insider threats [involving] someone with a USB drive, and sometimes people with access are just bribed,” he added.

Industry News

Big Read: Feds Anticipate A Hard Year of Ransomware Attacks on U.S. Schools This Year

In a new warning, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) stated that ransomware attacks could rise as the school year starts. This warning comes as Los Angeles Times reports that Los Angeles Unified (LAUSD) was the victim of ransomware in the first week of September. Initial suspicions were that there had been technical problems, but LAUSD later revealed that the ransomware was criminal and affected its email system and other apps.

Although the attack is concerning, LAUSD expects to continue operating normally over the next few days. In addition, the attack has not affected critical business systems, such as employee healthcare, payroll, safety and emergency mechanisms.

The Mid-Year Update to the 2022 SonicWall Cyber Threat Report reports that ransomware attacks on education have increased by 51%. According to NPR, ransomware has infected 26 U.S. school districts (including Los Angeles) and 24 colleges or universities.

ABC News published a joint federal statement that the FBI and CISA anticipate attacks to increase in the 2022/2023 school years, and criminal ransomware organizations perceive opportunities for successful attacks. The statement also acknowledges that smaller school districts are most at risk School districts with limited cybersecurity capabilities or constrained resources are often at risk. However, cybercriminals may still target schools with solid cybersecurity programs. The bulletin states that K-12 institutions could be lucrative targets because of the sensitive student data available through school systems and managed service providers.

Former Conti Ransomware Members Join Group Targeting Ukraine

Dark Reading: Ex-members of the Russia-linked Conti ransomware group are using their tactics to join the group known as the Initial Access Brokers (IAB), which has been targeting Ukraine in a series of phishing attacks that took place over the past four months. Google Threat Analysis Group (TAG), which tracks the activity of a group it identifies as UAC-0098, is now believed to include former members of the ransomware actor.

The group is well-known for sending the IcedID bank Trojan as a prelude to other human-operated ransomware attacks. Additionally, they have targeted Ukrainian government agencies, pro-Ukraine European humanitarian, and non-profit organizations. This activity was designed to provide continued access to such targets’ networks to different ransomware groups, including Quantum, Conti (aka FIN12 and Wizard Spider).

According To The Verge, the group known as UAC-0098 used an IcedID banking Trojan to launch ransomware attacks. However, Google’s security experts say that the group is using its expertise with IAB hackers who first compromise computers and then sell access to other actors interested in the target.

Ransomware Attack on InterContinental Hotels Affects More Than 4,000 Guests

Spiceworks: ICH confirmed the attack in a filing submitted to the London Stock Exchange, where it is listed. The company did not reveal the nature of the attack, which led to some speculation by stakeholders about the exact scope of “unauthorized access” to its technology systems. According to what we know so far, and what cybersecurity experts have reported, this is another ransomware on the hotel (Reuters reports previous attack in 2017). While it is unconfirmed, IHG will likely be in negotiations with the attackers to try to restore access and get their systems back up and running. According to Spiceworks, hospitality was the eighth most targeted sector by ransomware groups between March 2021 and April 2022. According to the analysis by cyber forensics and intelligence company Hudson Rock, 4,053 ICH users and 15 of its 325,000 employees were compromised in the attack.

A New Wave of Ransomware Attacks on QNAP NAS Devices

ARS Technica: QNAP, a network hardware manufacturer, urges customers to update their network-attached storage devices as soon as possible to prevent a new wave of ransomware attacks. These attacks can wipe out terabytes worth of data in a single attack. QNAP, a Singapore-based company, recently stated that it had identified a new campaign by a ransomware group called DeadBolt. QNAP NAS devices, which use a proprietary feature called Photo Station, are targeted by the attacks. Although the advisory advises customers to update their firmware to avoid being exploited, it doesn’t mention a CVE designation security professionals use to identify such vulnerabilities. DeadBolt first appeared in January. Within a few months, Internet security scanning company Censys reported that the ransomware had compromised thousands of QNAP devices. The unusual move of the company was to automatically push the update to all devices even if they had turned off automatic updating. DeadBolt staff also provided instructions on obtaining the decryption keys needed to recover encrypted files and a proposal to QNAP for purchasing a master key that could be passed along to infected clients.

Feds Warn About a Ransomware Threat to Healthcare

Fierce Healthcare: This week, the Department of Health and Human Services Cybersecurity Program alerted healthcare providers about the “exceptionally aggressive Hive ransomware” group. According to the federal agency, although the group is known to have been operating since June 2021, it has been “highly aggressive” in attacking the U.S. healthcare sector. Like many cybercriminals, the financially motivated ransomware group has sophisticated capabilities. For example, it encrypts and steals data. In addition, the Hive Group employs many common ransomware tactics, including the remote desktop protocol, virtual private networks (VPNs), and phishing attacks. According to HHS, some victims are contacted by the ransomware group by phone to negotiate payment.

Ransomware: Unravelling the RaaS Ecosystem

Spiceworks: Ransomware is a constant in the world today, with an increasing number of attacks. As threat actors and ransomware organizations know, ransomware as a Service (RaaS) is being used to its fullest extent. What is the RaaS ecosystem? And what advice can security professionals give to their clients to protect their businesses? It is challenging to keep track of ransomware organizations, their attack methods, and their targets. However, threat intelligence research and information sharing allow us to continue to learn more about these adversaries. The Spiceworks report includes a review of online forums that analyze malware and hacking tools.

Here’s one bit of advice: ransomware groups are often mistakenly viewed as dysfunctional groups of scammers and hackers. On the contrary, they are organized, highly motivated businesses with well-resourced resources. They are diligent in their research and stay on the job long after an exploit is completed. As a result, RaaS and the groups that deploy these services are at the forefront of the most successful attacks in cybersecurity history.

Ragnar Locker Ransomware Targets Energy Sector

Infosecurity: The largest natural gas supplier in Greece, DESFA, announced that it was the victim of a cyber-attack. This attack impacted some of its systems. Ragnar Locker, a hacking group that operates under the pseudonym Ragnar Locker, claimed responsibility for the ransomware attack. It stated it had published more data than 360 GB allegedly stolen from DESFA.

Two weeks after the attack, security experts from Cybereason released a Threat Analysis report detailing the attack’s details. The document states that Ragnar Locker ransomware has been used since December 2019 and is generally targeted at English-speaking users. The FBI has been monitoring Ragnar Locker ransomware since it was discovered that Ragnar Locker had infected more than 50 organizations within ten crucial infrastructure sectors.

Cybereason advises that Ragnar Locker should check the machine’s location immediately after infecting it. The malware is stopped executing if it finds matches with certain countries such as Russia, Ukraine, or Belarus. Cybereason claims Ragnar Locker can check for specific products, including security software such as antivirus, backup solutions, and I.T. remote management solutions. This allows Ragnar Locker to bypass their defenses and prevent detection.

The ransomware attack on DESFA is the second attack on a major pipeline company in recent years, following the Colonial Pipeline attack in May 2021.