
How Cybercriminals Exploit Business Software Vulnerabilities

Written by Technology Means Business | Nov 2, 2023 5:10:44 PM

The latest global cybercrime statistics for the UK make grim reading and underline how important it is for all internet users to invest in reliable and robust cybersecurity to protect their sensitive data. According to official figures, the UK has the highest number of cybercrime victims in the world, with 4,783 victims per one million internet users, an alarming rise of more than 40 per cent since 2020.

While there may be a tendency to assume that only big corporations are targeted by cybercriminals, the fact is that businesses of all sizes are at risk of becoming victims, with nearly two-fifths having experienced a cyberattack in 2022 at an average cost of £4,200, money that many small and medium-sized enterprises (SMEs) can ill afford to lose.

Conversely, it may be assumed that criminals are less likely to target the largest organisations, as they have the funds to implement the most effective cybersecurity measures. However, as the following three case studies demonstrate, even the most well-protected businesses are vulnerable:

US Government Hit By Russian Clop Attack

In June, the US Department of Energy and other federal agencies revealed they were affected by a Russian ransomware gang that exploited a security vulnerability in the MOVEit file-transfer software.

The gang, known as Clop, has been using the vulnerability to steal data from vulnerable networks and demand ransom payments. While the US Cybersecurity and Infrastructure Security Agency (CISA) said that it was not aware of any instances where Clop threatened to release data stolen from government agencies, it is clearly concerning that a criminal gang was able to steal highly sensitive data via a software vulnerability.

Progress Software, the developer of MOVEit, initially disclosed the vulnerability on 31st May and released a patch the following day. However, by that time, the vulnerability had already been exploited by Clop and other attackers.

In addition to the US government, other prominent organisations targeted in the attack included the Minnesota Department of Education, the UK telecommunications regulator Ofcom, and the health authority of the Canadian province Nova Scotia. CISA warned that the MOVEit attacks are likely to continue, and that organisations globally should take steps to protect themselves.

Chinese spies use email to infiltrate users’ devices

Chinese spies have been using a vulnerability in Barracuda's Email Security Gateway (ESG) devices to steal data from organisations around the world since October 2022.
The vulnerability, known as CVE-2023-2868, allows attackers to gain remote access to vulnerable ESG devices and install malware. Mandiant, a cybersecurity firm that has been investigating the attacks, has identified the actor behind the attacks as UNC4841, a China-based group that is known for conducting espionage operations.
UNC4841 started the intrusion by sending emails to victim organisations that contained malicious file attachments. Designed to look like spam, the emails were intended to be ignored by security analysts but opened by unwary recipients. Once opened, the attachments exploited the CVE-2023-2868 vulnerability to gain access to the ESG devices, from where the attackers installed three pieces of malware: Saltwater, Seaspy, and Seaside. These programs allowed UNC4841 to maintain a persistent presence on the ESG devices, upload files, and steal data.
Mandiant estimates that UNC4841 has compromised about 5 per cent of Barracuda ESG devices globally and has advised customers to immediately replace any infected devices. The attack is a potent reminder of the importance of keeping software up to date and implementing strong security measures. Organisations should also be aware of the tactics used by sophisticated threat actors, such as sending spam emails with malicious attachments.
FBI Issues Warning About BianLian Ransomware
The FBI and CISA have issued a joint warning to organisations about the BianLian ransomware gang, which typically gains access to victims' Windows systems via valid Remote Desktop Protocol (RDP) credentials, then uses software tools and command-line scripting to find and steal more credentials and snoop through the network and its files. Once the intruders gain access, they can harvest sensitive data with which they can extort their victims.

BianLian emerged in June 2022 and quickly made a name for itself by targeting healthcare and other critical infrastructure sectors. The group has been known to demand ransom payments of up to $1 million.

To reduce the threat of becoming BianLian's next victim, organisations are urged to:

  • Strictly limit the use of RDP and other remote desktop services.
  • Disable or limit command-line and scripting activities and permissions.
  • Restrict the execution of application software.
  • Restrict use of PowerShell.
  • Update Windows PowerShell or PowerShell Core to the latest version.
  • Increase PowerShell logging.
  • Add time-based locks to accounts.
  • Monitor domain controllers and Active Directory for suspicious new accounts and activities.
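As an added example (not code from the TMB post or from the FBI/CISA advisory), the following PowerShell script applies two items from the list above on a single Windows host: it switches on PowerShell script block logging, then checks the Security log for RDP logons and newly created accounts. It assumes an elevated PowerShell 5.1 or later session and that logon and account-management auditing are enabled on the host.

```powershell
# Added example, not part of the original post. Run as Administrator.
# Assumes the default audit policy for logon (4624) and account management (4720).

# 1) Increase PowerShell logging: enable script block logging so that scripted
#    credential harvesting and discovery commands are recorded as Event ID 4104
#    in the Microsoft-Windows-PowerShell/Operational log.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2) Monitor for two BianLian-style signals from the last 24 hours:
#    RDP logons (4624 with LogonType 10, RemoteInteractive) and new accounts (4720).
$since = (Get-Date).AddHours(-24)

$rdpLogons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |      # index 8 = LogonType
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"  # TargetDomain\TargetUser
            Source = $_.Properties[18].Value                               # source IP address
        }
    }

$newAccounts = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            NewUser   = $_.Properties[0].Value   # TargetUserName
            CreatedBy = $_.Properties[4].Value   # SubjectUserName
        }
    }

"RDP logons in the last 24h: $(@($rdpLogons).Count)"
$rdpLogons | Format-Table -AutoSize
"Accounts created in the last 24h: $(@($newAccounts).Count)"
$newAccounts | Format-Table -AutoSize
```

On a domain, run the account-creation check against the domain controllers' Security logs, as the advisory's last bullet suggests; a workstation's log only shows local accounts.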

For many SMEs without in-house IT professionals to make the necessary changes, however, it can be challenging to ensure that all the vulnerabilities are addressed and reduce the chance of a cyberattack that could leave their business on the brink.

How TMB Can Help To Keep Your Business Safe

At TMB, we provide comprehensive cybersecurity solutions for businesses throughout London, the South and the East, to protect our clients from cybercrime and prevent catastrophic data theft.

We can support your organisation to develop a robust cybersecurity strategy by:

  • Backing up your business’s critical data so that you can recover it should the worst-case scenario occur.
  • Creating an incident response plan so that your staff are fully prepared for a ransomware attack.
  • Automatically updating security patches as soon as they are released to eliminate software vulnerabilities that expose your business to cybercrime.
