MSP cybersecurity news digest, December 5, 2024

Retailers struggle after ransomware attack on supply chain tech provider Blue Yonder

A ransomware attack on Blue Yonder, a major supply chain technology provider with revenue of $1.28 billion, has disrupted services for several of its 3,000 global clients, including major retailers and food manufacturers. The incident has delayed delivery, inventory management, and payroll processes for companies like Starbucks, Morrisons, and Sainsbury’s. Starbucks reported manual workarounds to ensure employees were paid, while Morrisons and other U.K. grocery chains resorted to backup systems to manage fresh food supplies.

Blue Yonder, owned by Panasonic, has enlisted external cybersecurity experts, though no timeline for a full restoration has been provided. Despite the disruptions, Blue Yonder stated that its public cloud environment remains unaffected, and several clients, including DHL and Tesco, confirmed they experienced no significant impacts. As of now, no ransomware group has claimed responsibility, and Blue Yonder has not revealed whether a demand was made.

The incident marks the second ransomware attack on retailers this holiday season, following issues at Dutch company Ahold Delhaize, which impacted chains like Stop & Shop and Hannaford. With no updates from Blue Yonder or claims of responsibility from cybercriminals, the situation underscores growing concerns about the vulnerability of critical supply chain infrastructure to ransomware attacks.

RansomHub gang claims it breached municipal agencies in Texas and Minneapolis

The RansomHub ransomware gang has claimed responsibility for recent attacks on the city of Coppell, Texas, and the Minneapolis Park and Recreation Board, both causing significant disruptions to local services. Coppell, a city of over 40,000 residents, experienced a major technology outage, impacting internet, library services, municipal courts, and utility billing systems. City Manager Mike Land acknowledged that some data, potentially including sensitive information, may have been compromised, and the city is investigating the incident to determine its full impact.

In Minneapolis, the Park and Recreation Board reported a cyberattack that caused phone outages and potential data breaches, with the agency taking immediate steps to limit further damage. The attack fits a broader trend of ransomware campaigns against both public and private entities and illustrates the growing threat posed by groups like RansomHub.

RansomHub has been active since early 2024 and has been linked to hundreds of attacks on organizations ranging from schools and cities to healthcare providers and critical infrastructure, making it one of the leading cybercriminal operations. With 475 victims recorded between January and November 2024, RansomHub ranks second only to LockBit (516 victims).

APT-K-47 delivers advanced Asyncshell malware with Hajj-themed lures

APT-K-47, believed to originate from South Asia, has been active since at least 2022 and primarily targets Pakistani entities, often employing spear-phishing campaigns. Its latest attack used Hajj-themed lures to deliver a malicious payload disguised as a CHM file, which displays a decoy document while executing a hidden binary in the background.

The attack begins with phishing emails containing a ZIP archive. This archive includes two files: a CHM file claiming to outline the Hajj policy for 2024 and a hidden executable file.

When the CHM file is opened, it displays a legitimate PDF document hosted on the Pakistan Ministry of Religious Affairs website, serving as a decoy, while a hidden binary is executed in the background. The malware establishes a remote cmd shell connection and can execute cmd and PowerShell commands, highlighting its operational flexibility.

New malware using BYOVD can bypass antivirus protections

Researchers have identified a new campaign featuring malware that employs a legitimate but vulnerable Avast Anti-Rootkit driver (aswArPot.sys) to disable security software and take over infected devices.

It starts with an executable file, kill-floor.exe, which installs the driver as a service to gain kernel-level access and terminate 142 security-related processes. This process involves taking snapshots of active processes and cross-referencing them with a hardcoded list, enabling the driver to bypass tamper protection and neutralize antivirus and endpoint detection solutions. While the exact method of initial infection remains unknown, the campaign reflects a growing trend of threat actors using signed yet flawed drivers to deploy ransomware.

A similar attack in May used the same Avast driver to disable security processes, highlighting the increasing adoption of BYOVD techniques in cybercrime.
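A defender-side check for the driver-install pattern described above, added here as an example and not code from the researchers who reported the campaign. It assumes Windows System-log Event ID 7045 records flattened to `Key: value | Key: value` lines; the sample records, the `ntfsfix` service name and the vendor driver name are constructed.

```python
"""Flag kernel-driver service installs (Event ID 7045) matching a vulnerable-driver list."""
from collections import namedtuple
import ntpath

# aswArPot.sys is the driver named in the item above; extend the set from a
# curated source such as the LOLDrivers project. Matched on file name only.
VULNERABLE_DRIVERS = {"aswarpot.sys"}
# Directories a legitimate kernel driver is rarely installed from.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\downloads\\")

Finding = namedtuple("Finding", "service image reasons")

def parse_record(line):
    """Parse the assumed 'Key: value | Key: value' flattening of one event."""
    record = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        record[key.strip()] = value.strip()
    return record

def assess(record):
    """Return a Finding for a suspicious kernel-driver install, else None."""
    if record.get("EventID") != "7045" or "kernel" not in record.get("ServiceType", "").lower():
        return None
    image = record.get("ImagePath", "")
    name = ntpath.basename(image).lower()  # ImagePath may carry a \??\ prefix
    reasons = []
    if name in VULNERABLE_DRIVERS:
        reasons.append("image is a known-vulnerable driver")
    if any(hint in image.lower() for hint in USER_WRITABLE_HINTS):
        reasons.append("driver installed from a user-writable directory")
    return Finding(record.get("ServiceName", "?"), image, reasons) if reasons else None

def scan(log_text):
    """Apply assess() to every non-empty line and return the list of findings."""
    records = (parse_record(l) for l in log_text.splitlines() if l.strip())
    return [f for f in map(assess, records) if f]

# Constructed sample: the vulnerable driver installed twice (once from a temp
# directory), an ordinary vendor driver and a user-mode service.
SAMPLE_LOG = """\
EventID: 7045 | ServiceName: aswArPot | ImagePath: C:\\Windows\\System32\\drivers\\aswArPot.sys | ServiceType: kernel mode driver
EventID: 7045 | ServiceName: aswSnx | ImagePath: \\??\\C:\\Program Files\\Avast Software\\Avast\\aswSnx.sys | ServiceType: kernel mode driver
EventID: 7045 | ServiceName: ntfsfix | ImagePath: C:\\Users\\Public\\Temp\\aswArPot.sys | ServiceType: kernel mode driver
EventID: 7045 | ServiceName: Spooler | ImagePath: C:\\Windows\\System32\\spoolsv.exe | ServiceType: user mode service
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding.service, finding.image, "; ".join(finding.reasons), sep=" | ")
```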

New method of URL rewriting causes spike in phishing attacks

Threat actors are increasingly exploiting URL rewriting, a feature meant to protect users, to disguise phishing links behind trusted security domains. By manipulating rewritten URLs, attackers bypass detection systems and lure users into clicking malicious links. This method has fueled a surge in advanced phishing attacks that abuse the very tools designed to prevent them.

Attackers leverage compromised accounts to generate rewritten URLs through trusted email security vendors, embedding malicious destinations that evade security scans. These URLs, often “whitelisted” by email security services, are later weaponized to redirect victims to phishing sites. Advanced evasion techniques, such as CAPTCHA challenges or geo-fencing, further enhance these campaigns' effectiveness.

This exploitation is particularly dangerous as it capitalizes on users' trust in known security brands, making phishing emails appear legitimate. Examples include attacks involving double rewrites or brand impersonation, targeting high-profile organizations worldwide. The trend underscores the need for dynamic, real-time URL analysis to counter these evolving threats.
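A static unwrapper that judges a link by its final destination rather than by the trusted wrapper in front of it, covering the double-rewrite case mentioned above. This is an added example, not a vendor's code; the two rewrite formats (a `u` or `target` query parameter carrying the percent-encoded original link) and all hostnames are hypothetical, as real vendors use their own encodings.

```python
"""Resolve the real destination behind a (possibly double) rewritten URL."""
from urllib.parse import parse_qs, quote, urlsplit

# Assumed, hypothetical rewrite formats: wrapper host -> query parameter that
# carries the percent-encoded original link.
REWRITERS = {"links.guard-a.example": "u", "safe.guard-b.example": "target"}

def unwrap(url, max_depth=5):
    """Return the chain of URLs from the outer wrapper down to the final destination.

    Unwrapping is static: nothing is fetched, so a wrapper's reputation never
    stands in for the reputation of the link it hides.
    """
    chain = [url]
    for _ in range(max_depth):
        parts = urlsplit(chain[-1])
        param = REWRITERS.get(parts.hostname)
        inner = parse_qs(parts.query).get(param) if param else None
        if not inner:
            break
        chain.append(inner[0])  # parse_qs already percent-decodes one layer
    return chain

def assess(url):
    """Classify a link by its final destination rather than its trusted wrapper."""
    chain = unwrap(url)
    dest = urlsplit(chain[-1])
    flags = []
    if len(chain) > 2:
        flags.append("double rewrite")      # a wrapper nested inside a wrapper
    if dest.hostname in REWRITERS:
        flags.append("unresolved wrapper")  # depth limit hit or unknown encoding
    if dest.scheme not in ("http", "https"):
        flags.append("non-web scheme")
    return {"destination": dest.hostname, "depth": len(chain) - 1, "flags": flags}

# Constructed samples: a normal single rewrite, and a double rewrite hiding a
# credential-harvesting page behind two trusted-looking wrappers.
PLAIN = "https://links.guard-a.example/v1?u=" + quote("https://intranet.example.org/news", safe="")
INNER = "https://safe.guard-b.example/?target=" + quote("https://payroll-login.example.net/verify", safe="")
DOUBLE = "https://links.guard-a.example/v1?u=" + quote(INNER, safe="")

if __name__ == "__main__":
    for link in (PLAIN, DOUBLE):
        print(assess(link))
```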