MSP cybersecurity news digest: Jan. 25, 2024

Tietoevry, a Finnish IT services and enterprise cloud hosting provider, with a 2023 revenue of $3.1 billion, fell victim to a ransomware attack. The attack, allegedly carried out by the Akira ransomware gang, affected Tietoevry’s cloud hosting customers in a Swedish data center.

The incident impacted one section of a data center in Sweden. Although Tietoevry promptly isolated the affected platform and stated that the attack did not affect other parts of the company’s infrastructure, it led to outages for multiple customers in Sweden who utilize the enterprise-managed cloud hosting service. The company said it is actively restoring infrastructure and services, following a planned sequence to ensure proper handling of customer data, with the timeline varying depending on individual customer needs.

Notably, Sweden’s largest cinema chain Filmstaden, discount retail chain Rusta, raw building materials provider Moelven, farming supplier Grangnården, and Tietoevry’s managed payroll and HR system, Primula, were among the businesses impacted, affecting online operations, services and stores. The Akira ransomware operation is known for double-extortion attacks, and the Finnish government recently warned about Akira’s ongoing assaults on companies in the country, particularly exploiting weakly secured Cisco VPN implementations or unpatched vulnerabilities.

Google has addressed the first Chrome zero-day vulnerability exploited in the wild this year, as reported in a security advisory. The company swiftly fixed the issue for users in the Stable Desktop channel, issuing patched versions for Windows (120.0.6099.224/225), Mac (120.0.6099.234), and Linux (120.0.6099.224) within a week of being informed.

While Google acknowledges that it may take days or weeks for the security update to reach all affected users, immediate updates were available upon checking via the browser. The high-severity zero-day vulnerability (CVE-2024–0519) is attributed to an out-of-bounds memory access weakness in the Chrome V8 JavaScript engine, posing risks of unauthorized access to sensitive information or triggering system crashes. Google has not disclosed further details about the zero-day exploits but has emphasized the importance of updating to mitigate potential risks.

In addition to CVE-2024–0519, Google also patched V8 out-of-bounds write (CVE-2024–0517) and type confusion (CVE-2024–0518) flaws, both capable of facilitating arbitrary code execution on compromised devices. Last year, Google addressed eight Chrome zero-day bugs, some of which were exploited for deploying spyware on devices belonging to high-risk users.

Ransomware actors have revived the use of TeamViewer to initiate unauthorized access to organizational endpoints, attempting to deploy encryptors based on the leaked LockBit ransomware builder.

Despite being a legitimate remote access tool valued for its simplicity, TeamViewer is exploited by scammers and ransomware actors to infiltrate remote desktops and execute malicious files. A similar occurrence was reported in March 2016 when victims disclosed that TeamViewer was used to encrypt files with the Surprise ransomware.

In two recent incidents, attackers attempted to deploy ransomware payloads using a DOS batch file (PP.bat), executing a DLL file (payload) via a rundll32.exe command. While the first attack succeeded but was contained, the antivirus product thwarted the second attempt, prompting repeated payload execution efforts with no success. Researchers couldn’t definitively attribute the attacks to known ransomware gangs, but similarities to LockBit encryptors, created using a leaked LockBit Black builder, were noted. The attacks appear to utilize the password-protected LockBit 3 DLL.

The Remcos RAT, a remote access trojan, has been identified using a new propagation method in South Korea, where it disguises itself as adult-themed games and is distributed through webhards (web hard drives), particularly the popular web hard drive system known as WebHard. Although webhards have been utilized in the past to deliver various malware variants, this is new for Remcos.

In these attacks, users are deceived into opening seemingly harmless files, presented as adult games, which, upon execution, trigger malicious Visual Basic scripts to run an intermediate binary called “ffmpeg.exe.” This leads to the retrieval of Remcos RAT from a server controlled by threat actors.

Originally marketed as a legitimate remote administration tool by the German firm Breaking Security in 2016, Remcos RAT has evolved into a sophisticated tool used by adversaries for unauthorized remote control and surveillance of compromised hosts, with capabilities such as keylogging, audio recording, screenshot capture, and more, posing significant threats to user privacy and system manipulation.

Researchers have alerted that threat actor TA866 has returned with a large-volume phishing campaign, distributing well-known malware like WasabiSeed and Screenshotter.

The campaign utilized invoice-themed emails with decoy PDF files, containing OneDrive URLs that initiated a multi-step infection chain leading to the deployment of WasabiSeed and Screenshotter. TA866, associated with the Screentime campaign, employs Screenshotter as a reconnaissance tool to identify high-value targets, potentially deploying the Rhadamanthys information stealer. The attack chain, with a shift to PDFs from macro-enabled Publisher attachments, relies on TA571’s spam services to distribute the malicious PDFs. TA571 is known for delivering various malware, including DarkGate, a malware as a service sold since 2017, allowing attackers to perform various commands.

TA866’s resurgence coincides with shipping-themed phishing emails increasingly targeting the manufacturing sector.