LockBit's Royal Mail ransom deadline flies by. No data released
Also: Russian wiper malware authors turn to data theft, plus this week's critical vulns
in brief The notorious LockBit ransomware gang has taken credit for an attack on the Royal Mail – but a deadline it gave for payment has come and gone with nothing exposed to the web except the group's claims.
The attack, which occurred in January, led to disruptions in both inbound and outbound international post that still haven't been entirely resolved, the Royal Mail explained in an update on February 10.
Whether or not the Russian-linked ransomware gang was behind the attack was at first unclear, with some reporting LockBit took responsibility for it, and others denying the group was involved. Initial reports suggested it may have been a LockBit affiliate that used a leaked version of the group's software to launch an attack.
LockBit even published a page bragging about an attack against fintech firm ION without directly acknowledging the Royal Mail attack earlier this week – though that's now changed, according to Reuters.
LockBit threatened on February 7 that it would release data stolen from the Royal Mail on February 9 if His Majesty's letter carriers didn't meet its ransom demands. But multiple reports on Twitter as of Friday morning, February 10, indicate that the documents aren't available – despite LockBit claiming they were published.
The Royal Mail told Reuters that its investigation didn't find any financial or sensitive customer information among the exfiltrated data.
Brett Callow, threat analyst at Emsisoft, said in a tweet that the maneuver was likely a harassment tactic intended to keep Royal Mail under pressure, and that LockBit has reset release countdown timers in other breaches before.
"Bottom line: LockBit will not release data until they have given up on being able to monetize the attack," Callow said.
As of February 9, the Royal Mail said multiple international services had been reinstated, but it was still "unable to process new Royal Mail parcels purchased through Post Office branches."
Oakland city systems hit by ransomware – but everything's fine!
Oakland has endured many problems of late but this week there was a new woe: ransomware.
"The City of Oakland has learned that it was recently subject to a ransomware attack that began on Wednesday night," the city's rulers lamented in a statement.
"The Information Technology Department is coordinating with law enforcement and actively investigating the scope and severity of the issue. Our core functions are intact. 911, financial data, and fire and emergency resources are not impacted."
They explained that "the public should expect delays from the City as a result" – which won't come as a shock to anyone who has to deal with local sluggardly services. The statement came after East Bay reporter Jaime Omar Yassin first spotted the issue.
Without prompt, two sources I spoke to about this almost immediately complained about the City's archaic, under-resourced IT system and dept leading to this.
— Trash Night Heron (@hyphy_republic) February 9, 2023
Vulnerabilities you should know about
As a new feature of the weekly cybersecurity roundup, we're including a list of recently reported vulnerabilities with a CVSS score of 9.0 or greater.
- CVSS 9.8 – QNAP's QuTS hero and QTS operating systems, both v5.0.1, contain a vulnerability allowing a remote attacker to inject malicious code;
- CVSS 9.8 – An LS Electric PLC performance module model contains several vulnerabilities that could give an attacker extensive control over the unit;
- CVSS 9.8 – ChangingTech's MegaServiSignAdapter has an input validation issue that could allow an attacker to modify current user Registry keys;
- CVSS 9.8 – SiteServer CMS v7.1.3 is vulnerable to SQL injection;
- CVSS 9.8 – LimeSurvey v5.4.15's plugin manager has an arbitrary file upload vuln that could give an attacker arbitrary code execution abilities with a malicious PHP file;
- CVSS 9.8 – OpenCATS has an SQL injection vulnerability in its importID parameter in the Import viewerrors function;
- CVSS 9.8 – Bank locker management platform PHPGurukul has an SQL injection vuln in its username field;
- CVSS 9.8 – Thinking Software's Efence product insufficiently validates user input in its login function;
- CVSS 9.1 – A pair of Control By Web Ethernet I/O modules have firmware vulnerable to cross-site scripting and code injection;
Phew – now get patching.
Shhh: The gang behind WhisperGate is back with a new nasty tool
Data wiping malware was in vogue at the start of Russia's illegal invasion of Ukraine last year, but the group behind one of the first launched at Kyiv in early 2022 appears to have moved on – if not in targets then at least in attack style.
Symantec's Threat Hunter Team said it discovered an information stealing malware called Graphiron targeting Ukrainian organizations. Like the other tools written by the group Symantec calls Nodaria, Graphiron is coded in Go – a more recent version, at that – pointing to it being a newer product.
Graphiron reportedly appeared in October, and uses a two-stage approach to infection that first checks for any of dozens of malware analysis tools before installing its payload. Unlike Nodaria's WhisperGate wiper – which did nothing but wreak havoc on infected systems – Graphiron is all about getting in, staying quiet and stealing as much information as possible.
Once installed, Graphiron is able to read GUIDs, obtain the computer's IP address, retrieve the hostname and other system info, steal data including SSH known hosts, PuTTY data, stored passwords, encryption keys and arbitrary files, create directories, take screenshots, run shell commands … and more.
Symantec noted that it has detected Graphiron in attacks against Ukrainian targets as recently as mid-January, and believes it's likely still an active part of Nodaria's attack toolkit. Symantec didn't indicate how Graphiron infections are occurring, but it did say Nodaria's typical attack vector is spear-phishing emails.
Nodaria has been active since March 2021, Symantec said, and has focused on targeting organizations in Ukraine, with a few other attacks possibly launched against targets in Kyrgyzstan and Georgia.
It's not clear if the adoption of info-stealing malware in Russian-linked attacks against Ukraine is a trend or if Nodaria is charting its own course, but Symantec did say the group's high level of activity in the past year points to it being one of the key players in Russia's digital war against Ukraine.
With that in mind, it may be a good idea for Ukrainian organizations to start considering data theft, and not just debilitating system wipes, as potential collateral damage in the ongoing war. ®