Ransomware/Malware Activity
LockBit Claims Responsibility for Cyberattack on Tire Manufacturing Giant Bridgestone Americas
Bridgestone Americas, a tire manufacturing giant headquartered in Nashville, Tennessee with approximately 55,000 employees, was recently the victim of a cyberattack claimed by the LockBit ransomware group. Bridgestone, the parent company, has over 130,000 employees and various production locations globally. LockBit revealed that Bridgestone Americas' alleged exfiltrated data will be published on their leak site if they do not pay the demanded ransom and launched a countdown time that initially ended on March 11th, 2022, at 23:59 but has been extended to March 15th, 2022, at 23:59. The company confirmed to the media (NewsChannel5) that it launched an investigation for a "potential information security incident" on February 27th, 2022, but has yet to confirm if any data has been stolen during the cyberattack. Bridgestone Americas stated that they "disconnected many of [their] manufacturing and retreading facilities in North America and Latin America from [their] network to contain and prevent any potential impact". At this time in their investigation, Bridgestone Americas determined that the incident was a result of a ransomware attack, that there is no evidence of the attack being targeted, and that "the threat actor has followed a pattern of behavior common to attacks of this type by removing information from a limited number of Bridgestone systems and threatening to make this information public". CTIX analysts will continue to monitor this situation as well as LockBit's activity and supply updates as they are available.
- Bridgestone Americas Cyberattack Article 1
- Bridgestone Americas Cyberattack Article 2
- Bridgestone Americas NewsChannel5 Statement
Newest Wiper Malware Attack Discovered by ESET Researchers
A fourth data wiping malware has been leveraged against Ukraine since the start of this year. Following the attacks of WhisperGate, HermeticWiper, and IsaacWiper, CaddyWiper was discovered by ESET researchers early Monday morning. There is not much information surrounding CaddyWiper due to its recent appearance, though ESET was able to confirm the CaddyWiper code is not similar to the other malware. From an initial investigation, the researchers found that the wiper malware was uniquely selective in which systems it would destroy. For example, if the malware discovered the infected computer was a domain controller, it would refuse to wipe the system. The researchers noted that this is most likely to allow the malware to persist in the network for as long as possible. They were also able to determine the method the malware used to spread across a network. CaddyWiper leverages group policy object (GPO), a built-in Windows feature to give organizations control over settings and software used by computers in the domain. By creating a GPO entry for its installer, CaddyWiper is deployed to every system in the organization's network. It is clear that these four malware attacks against Ukraine are a direct cause of the conflict with Russia and, with no end in sight, CTIX analysts predict malware attacks against Ukraine will continue.
Nation-State Activity
Update: Threat Actor Tactics Surrounding Ukraine/Russia Conflict
Threat actors worldwide continue to target victims of the Ukraine/Russia conflict with extensive phishing campaigns and deployment of various malware distributions onto victim devices. Throughout this conflict, phishing campaigns are being utilized at a significant rate, often targeting victims attempting to flee the country to escape the violence. Some campaigns that have been observed thus far include a threat group asking for charity funds for refugees, other actors asking for Bitcoin financial assistance, and supposedly providing communication assistance throughout the conflict. Threat actors have been successful in most campaigns as users are desperate for any assistance that they can get, which ultimately lead to malicious programs being dropped onto the user's device(s). Campaigns have been seen using malicious Office documents (maldocs) to deliver their payloads, while others are more traditional with masked hyperlinks laced with malicious commands and communications to actor-controlled command-and-control (C2) nodes. From there, threat actors have the capability of deploying any number of ransomware, espionage, or remote access trojan payloads against the victim. CTIX continues to urge all users to verify the integrity of all email correspondence and report any suspicious activity.
Pandora Ransomware Extorts Vehicle Component Manufacturer
The Pandora ransomware affiliate has compromised one of the largest automotive car-component suppliers working alongside Toyota, Ford, and Mercedes-Benz. Pandora threat actors have recently emerged in the wild and are quickly growing a reputation of double-extortion; the theft of information from a victim, then continuing to hold that information hostage for more money, even though the victims paid the original ransom demand. The compromised manufacturer, Denso, stated on Monday that a cyber-attack was unleashed on the company over the weekend, resulting in exfiltration of classified information. IT teams noticed the attack unfolding and "promptly cut off the network connection of devices that received unauthorized access and confirmed that there is no impact on other Denso facilities." Shortly after, Pandora threat actors began leaking the exfiltrated data on dark web marketplaces and forums. So far, this is the second major supply-chain attack incident involving Toyota suppliers this year; with the first being the cyber-attack on Kojima Industries Corporation which also manufactures vehicle components. CTIX continues to monitor threat actors worldwide and will provide additional updates as needed.
Vulnerabilities
41% of Newly Downloaded Log4j Instances Still Vulnerable to Exploitation
UPDATE: It has been three months since the Apache Foundation successfully patched (version 2.15.0) the infamous Log4Shell vulnerability affecting the Log4j 2 Java library, however statistics show a vast number of downloads of Log4j are unpatched instances still vulnerable to exploitation. The flaw was mitigated in a series of four patches, however the dashboard deployed by Sonatype to track Log4j downloads shows that almost half of all Log4j downloads between February 4th, 2022, and March 10th, 2022, were unpatched versions prior to the secure Log4j 2.15.0. According to Sonatype, there have been more than 31.4 million downloads of Log4j since December 10th, 2021, meaning that if the dashboard statistics are accurate at-scale, there are potentially more than 10 million vulnerable instances being deployed. Unfortunately, it seems that the reason these exploitable versions of Log4j are still being downloaded is due to complacency. The vice president of the malware threat research firm Qualys stated, "The main culprit is likely automated build systems, which are configured to download a specific version build of their dependencies." An administrator or maintainer would need to be aware of Log4Shell and the fallout caused by its exploitation, to know that they need to manually update build processes to prevent running vulnerable instances of the library. It is vital for individuals in these positions to stay up to date with the current threat landscape and be aware of critical vulnerabilities potentially affecting the systems they are responsible for maintaining. Administrators must follow real-time reporting on breaking vulnerabilities and threats, to cultivate a more proactive approach to hardening their systems. Following published cybersecurity updates and reports like the Ankura CTIX FLASH report, is a fundamental part of being a competent and ethical administrator, and the Ankura CTIX will continue to provide real-time intelligence to bolster the defensive capabilities of our readers.
Critical Linux Bug in Netfilter Firewall Module Can be Exploited to Gain root Access
Nick Gregory, a threat researcher at Sophos, has identified a new critical Linux kernel vulnerability in the Netfilter firewall framework, that could be exploited by a local user to escalate their privileges and execute arbitrary code, leading to "Kernel Panic". Kernel Panic is a Linux safety measure for when an internal fatal operating system error is detected. The detection of a fatal error tells the operating system that it would be unsafe to recover the critical processes running at the moment, leading to a full shutdown similar to the infamous Windows "Blue Screen of Death". The flaw, tracked as CVE-2022-25636, is described as a heap out-of-bounds write that incorrectly handles the module's hardware offload feature, and it can be exploited to allow attackers to escape containers to gain access to out-of-bounds memory, facilitating the privilege escalation and malicious code execution. This vulnerability affects Linux kernel versions 5.4 through 5.6.10, and at this time there are currently no security patches or mitigation techniques. The Ankura CTIX urges administrators and maintainers deploying the Netfilter framework to be on the alert for updates so that as soon as they are available, the flaw can be remediated. An update to this piece may be released in future FLASH updates.
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically include high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (flash@ankura.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.