Another year, another reshaping of the never-boring and constantly evolving world of online crime.
Old favorites like phishing, MITM attacks, and, of course, ransomware carried on strong while new variations and tricky workarounds continued to develop.
For our final monthly cyber attack roundup of the calendar year, let’s take a look at four cases that stood out for the versatility of their executions, the escalation of their tactics, and/or the aggressiveness of their perpetrators.
The Biggest Cyber Attacks of December
Rackspace Gets Ransomed
Thousands of users of the cloud computing giant Rackspace had email service disrupted in early December after the company was hit by a nasty ransomware attack.
Rackspace’s hosted Exchange services were hobbled for several days following a December 2 intrusion that forced the company to temporarily move thousands of customers to Microsoft 365 until Exchange functions could be restored. Service was restored relatively swiftly for some users, although others still remained disconnected weeks later. Many expressed concerns over what they saw as Rackspace’s lack of transparency about the incident.
Rackspace has to date confirmed only that the attack was financially motivated, but TechCrunch reports that at least one expert pointed the finger at the Play ransomware group and an exploit of a known Microsoft Exchange vulnerability called ProxyNotShell.
While that vulnerability has since been mitigated, the Rackspace attack may have gotten in under the wire (and the mitigation seems to have been only a speed bump for the Play gang, as we’ll see later in this roundup).
Records Exposed: Email services for thousands of businesses
Type of Attack: Ransomware
Industry: Cloud storage
Date of Attack: December 2, 2022
Location: Windcrest, TX
Key takeaway: We see the ripple effect of cyberattacks play out time and again. It’s worth remembering that the impacts of a successful data breach are not always limited to the company being targeted.
In this instance, the criminals were able to impact thousands of organizations in one fell swoop. Even if it counts only as collateral damage to the hackers, the loss of business and interruptions in communications are very real pain points for Rackspace customers.
Organizations with a wide network of clients relying on their services need to be even more conscious of security than others, and more transparent in their communications when breaches do occur.
New Data Wiping Tool Hits the Russian Market
Just when you think you’ve seen the worst of what the cybercrime community has to offer, you can always count on something even scarier to emerge. Organizations across Russia have reported late 2022 attacks using a new data wiping tool known as CryWiper.
This particularly malicious tool presents itself as ransomware, but once the victim has agreed to pay the ransom, their data is not restored but instead irretrievably deleted.
While it isn’t clear exactly how the systems affected by CryWiper were infected, experts say these attacks bear the earmarks of a phishing scheme. The targets thus far have been mostly Russian governmental agencies, including municipal governments and court systems. That would seem to suggest a political motivation behind the attacks, although no suspects have been publicly identified.
Whatever the motivation, CryWiper is part of a disturbing rise in data-wiping attacks across all sectors that have security teams working hard on preventative measures.
Records Exposed: Internal data erased from networks
Type of Attack: Data wiping disguised as ransomware
Industry: Governmental and legal bodies
Date of Attack: Winter 2022
Key takeaway: While it may be understandably difficult for many observers to generate much sympathy for Russian government entities right now, the technology involved in these attacks should be sobering for organizations across the spectrum.
Data wiping is generally not a sensible strategy for profit-minded cyber attackers, but the increasing availability of this particular kind of malware should raise some serious concerns.
A bad actor with an eye toward doing maximum damage can sow chaos that goes well beyond a traditional ransom, and it only takes one breach to impact an organization in a profound way.
US Government Warns of Healthcare Attacks
In an increasingly common instance of a U.S. governmental agency spotlighting a specific industry while calling out a specific threat actor, the United States Department of Health and Human Services (HHS) issued a warning that the Royal ransomware collective is known to be targeting healthcare organizations.
An official HHS statement declares that, “due to the historical nature of ransomware victimizing the healthcare community, Royal should be considered a threat to the HPH sector.”
The announcement was presumably driven by a noticeable uptick in activity from the Royal group since this September. The group is seen as especially malicious since they not only target healthcare organizations via phishing, but also routinely publicize their attacks via hacked Twitter accounts in order to boost pressure on victims, and then leak the stolen data after receiving payment.
As Bleeping Computer notes, this isn’t the first time HHS has called out a specific bad actor, but the aggression, versatility, and relative obscurity of the Royal group have clearly marked them as a unique threat to the healthcare industry.
Records Exposed: Potential for personally identifiable information (PII) including medical records
Type of Attack: Ransomware
Date of Attack: The foreseeable future
Location: United States
Key takeaway: It’s a cruel truth of cybercrime that many of the most valuable targets are also the most vulnerable in terms of societal infrastructure. The tremendous amount of personal data housed by healthcare organizations is irresistible to thieves, and governmental warnings about the threat are well-warranted.
The specific focus HHS is putting on the Royal group underlines two facts: most ransomware gangs play by a certain set of rules in order to keep the profits flowing, and a single gang that’s willing to bend those rules can throw things into even more confusion than a traditional attack.
Microsoft Exchange Exploit Opens the Door to Ransomware
And now we come full circle.
In further evidence of the endless adaptability of cybercriminals, multiple security outlets warned in late December of a newly discovered rash of attacks that take an unexpected angle on breaching Microsoft Exchange.
The new exploit, known as OWASSRF, gets around Microsoft’s recent mitigation for existing vulnerabilities by sending requests directly through the Outlook Web Application (OWA) endpoint instead. This is all rather technical, but the bottom line is that this unconventional route has allowed the ransomware collective known as Play (remember them?) to get access to corporate networks, steal valuable data, and encrypt devices.
That same exploit is also reportedly being used by the FIN7 ransomware group in an ongoing operation known as “Checkmarks.” This approach gives the group access to organizations’ internal networks, which are then added to a curated list of potential ransomware targets organized by desirability.
As of this writing Microsoft Exchange remains vulnerable to the OWASSRF exploit, although an Arctic Wolf report notes that the URL rewrite mitigation for the previously identified ProxyNotShell vulnerability seems to be holding strong.
Records Exposed: Personally identifiable and confidential business data
Type of Attack: Web application exploit
Date of Attack: December 2022
Location: United States
Key takeaway: Cybersecurity often feels like patching a hole in a dam while other cracks form in unseen areas. That’s certainly the case here, as Microsoft works to repair a key vulnerability and hackers simply find a different route to their goal. The best remedy for organizations using Microsoft Exchange is to make sure that all available security updates have been installed and to follow the preventative steps laid out in this Arctic Wolf report.
All of these cases demonstrate just how fluid the modern cybercrime landscape can be. When one exploit gets addressed, criminals simply navigate to the next one. When victims start to grasp the established protocol for being ransomed, threat actors change the rules. Whether your organization is safeguarding sensitive personal data, defending government secrets, or simply trying to protect the bottom line, there’s a criminal out there with big ideas about how to get into your system.
As always, the best measure is to turn to security professionals who know the latest situations and have the flexibility and expertise to adapt to whatever unforeseen challenges develop next.