Cymulate’s March 2021 Cyberattacks Wrap-up
In March 2021, threat actors targeted high-profile organizations, employing advanced tactics and malware to compromise systems globally. Key incidents include breaches of SITA, RDC, Microsoft Exchange servers, and attacks by the notorious Lazarus Group.
SITA and RDC Data Breaches
- SITA: The global IT provider, which serves about 90% of the world’s airlines, suffered a breach of its passenger service systems, exposing frequent-flyer data such as names, membership card numbers, and tier status levels.
- RDC: In the Netherlands, personal data on roughly 7.3 million vehicle owners, including home addresses, phone numbers, and license plate numbers, was stolen from the automotive data provider RDC and offered for sale online.
Microsoft Exchange Server Exploitation
The Microsoft Exchange Server campaign, which began in January 2021, escalated when DearCry ransomware was deployed on already-compromised servers in the US, Luxembourg, Indonesia, Ireland, India, and Germany. Having gained access through the ProxyLogon vulnerabilities, the operators followed a consistent pattern:
- Created a Windows service named “msupdate”.
- Encrypted files with AES-256 and RSA-2048 keys, appending .CRYPT to file names.
- Left ransom notes (e.g., readme.txt) containing contact details and MD4 hashes.
- Demanded ransoms of up to $16,000 per case.
Pay2Decrypt Ransomware
Another ransomware variant, Pay2Decrypt, encrypted files more than once, stacking extensions such as .aes and .lck onto file names. It bypassed User Account Control (UAC), disabled security tools, modified registry keys, and deleted volume shadow copies so that the encrypted files could not be restored. It also dropped .txt files containing the ransom demand and contact details.
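The behaviours listed for DearCry and Pay2Decrypt above (the msupdate service, the .CRYPT, .aes and .lck extensions, the dropped .txt ransom notes, and shadow-copy deletion) are exactly what a SOC would hunt for in endpoint telemetry. The following is an added example, not Cymulate's own code or IOC list: a small Python detection pass over constructed, simplified endpoint events (JSON lines with field names invented for this example, loosely modelled on Sysmon and Windows Security events). The shadow-copy command patterns and the mass-write threshold are assumptions; the page only states that shadow copies were deleted, not which command was used.

```python
"""Detection pass for the DearCry / Pay2Decrypt behaviours described in the wrap-up.

All log lines below are CONSTRUCTED for this example; they are not real telemetry
from the incidents. Field names (host, event, service, image, pid, cmdline, path)
are an invented, simplified schema.
"""
import json
import re
from collections import Counter

# Extensions the wrap-up attributes to DearCry (.CRYPT) and Pay2Decrypt (.aes, .lck)
RANSOM_EXTENSIONS = (".crypt", ".aes", ".lck")
# Service name DearCry created on compromised Exchange servers
DEARCRY_SERVICE = "msupdate"
# Shadow-copy deletion commands. Assumption: the page says shadow copies were
# deleted but not how; these are the commands ransomware commonly uses for it.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
    r"bcdedit(\.exe)?.*recoveryenabled\s+no)",
    re.IGNORECASE,
)
# Assumed threshold: ransom-extension writes from one process before we alert
MASS_WRITE_THRESHOLD = 5

# Constructed sample events: EXCH01 mimics DearCry, WS07 mimics Pay2Decrypt,
# plus benign noise (a "vssadmin list shadows", a user's own readme.txt).
SAMPLE_LOGS = r"""
{"host": "EXCH01", "event": "service_install", "service": "msupdate", "image": "C:\\Windows\\Temp\\msupdate.exe"}
{"host": "EXCH01", "event": "process_create", "pid": 4120, "image": "C:\\Windows\\Temp\\msupdate.exe", "cmdline": "msupdate.exe"}
{"host": "EXCH01", "event": "file_create", "pid": 4120, "path": "C:\\Users\\Public\\budget.xlsx.CRYPT"}
{"host": "EXCH01", "event": "file_create", "pid": 4120, "path": "C:\\Users\\Public\\plan.docx.CRYPT"}
{"host": "EXCH01", "event": "file_create", "pid": 4120, "path": "C:\\Users\\Public\\db.mdb.CRYPT"}
{"host": "EXCH01", "event": "file_create", "pid": 4120, "path": "C:\\Users\\Public\\img.png.CRYPT"}
{"host": "EXCH01", "event": "file_create", "pid": 4120, "path": "C:\\Users\\Public\\notes.txt.CRYPT"}
{"host": "EXCH01", "event": "file_create", "pid": 4120, "path": "C:\\Users\\Public\\mail.pst.CRYPT"}
{"host": "EXCH01", "event": "file_create", "pid": 4120, "path": "C:\\Users\\Public\\readme.txt"}
{"host": "WS07", "event": "process_create", "pid": 2210, "image": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\p2d.exe", "cmdline": "p2d.exe"}
{"host": "WS07", "event": "process_create", "pid": 2244, "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"host": "WS07", "event": "file_create", "pid": 2210, "path": "C:\\Users\\j.doe\\Documents\\report.docx.aes"}
{"host": "WS07", "event": "file_create", "pid": 2210, "path": "C:\\Users\\j.doe\\Documents\\report.docx.aes.lck"}
{"host": "WS07", "event": "file_create", "pid": 2210, "path": "C:\\Users\\j.doe\\Documents\\q1.pptx.aes"}
{"host": "WS07", "event": "file_create", "pid": 2210, "path": "C:\\Users\\j.doe\\Documents\\q1.pptx.aes.lck"}
{"host": "WS07", "event": "file_create", "pid": 2210, "path": "C:\\Users\\j.doe\\Pictures\\photo.jpg.aes"}
{"host": "WS07", "event": "file_create", "pid": 2210, "path": "C:\\Users\\j.doe\\Documents\\HOW_TO_DECRYPT.txt"}
{"host": "WS07", "event": "process_create", "pid": 3001, "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe list shadows"}
{"host": "WS07", "event": "file_create", "pid": 988, "path": "C:\\Users\\j.doe\\Downloads\\readme.txt"}
{"host": "WS07", "event": "file_create", "pid": 988, "path": "C:\\Users\\j.doe\\Downloads\\notes.aes"}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return a list of alert dicts {rule, host, detail} for the events."""
    alerts = []
    ext_writes = Counter()  # (host, pid) -> count of ransom-extension file writes
    txt_writes = {}         # (host, pid) -> .txt paths written (candidate ransom notes)
    for ev in events:
        kind, host = ev.get("event"), ev.get("host", "?")
        if kind == "service_install" and ev.get("service", "").lower() == DEARCRY_SERVICE:
            alerts.append({"rule": "dearcry_service", "host": host, "detail": ev.get("image", "")})
        elif kind == "process_create" and SHADOW_DELETE.search(ev.get("cmdline", "")):
            alerts.append({"rule": "shadow_copy_deletion", "host": host, "detail": ev["cmdline"]})
        elif kind == "file_create":
            key, low = (host, ev.get("pid")), ev.get("path", "").lower()
            if low.endswith(RANSOM_EXTENSIONS):
                ext_writes[key] += 1
            elif low.endswith(".txt"):
                txt_writes.setdefault(key, []).append(ev["path"])
    # A single process writing many ransom-extension files is the encryption loop;
    # a .txt written by that same process is treated as its ransom note. This keeps
    # an ordinary readme.txt from an unrelated process out of the alert list.
    for (host, pid), n in ext_writes.items():
        if n >= MASS_WRITE_THRESHOLD:
            alerts.append({"rule": "mass_encryption", "host": host,
                           "detail": f"pid {pid} wrote {n} files with ransomware extensions"})
            for path in txt_writes.get((host, pid), []):
                alerts.append({"rule": "ransom_note", "host": host, "detail": path})
    return alerts


def run(text=SAMPLE_LOGS):
    return detect(parse_events(text))


def rules_fired(alerts):
    """Distinct (rule, host) pairs, for quick triage."""
    return sorted({(a["rule"], a["host"]) for a in alerts})


if __name__ == "__main__":
    for a in run():
        print(f"[{a['rule']}] {a['host']}: {a['detail']}")
```

The two-stage design matters: matching on .CRYPT alone is a solid indicator, but .aes, .lck and readme.txt are generic enough that a per-process count and the note-written-by-the-encryptor correlation are what keep the false positive rate tolerable. In a real deployment the service-install rule would be keyed on Event ID 7045 and the file events on Sysmon Event ID 11.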
Spectre Malware Reemerges
A working exploit for Spectre (CVE-2017-5753, variant 1, “bounds check bypass”) resurfaced, targeting unpatched Linux and Windows systems. Like Meltdown, Spectre is a speculative-execution side channel in the CPU rather than a bug in any one program: by steering the processor into speculatively executing a read past a bounds check and then measuring cache timing, an attacker can infer the contents of memory they are not permitted to access, including passwords and documents belonging to other processes or the kernel. Any system running an affected processor without the relevant firmware and OS mitigations remains at risk, whether it runs Windows, Linux, macOS, Android, or ChromeOS.
Lazarus Group’s ThreatNeedle Campaigns
The Lazarus Group (aka APT38/Hidden Cobra) continued its cyberespionage campaigns using ThreatNeedle malware. Backed by the North Korean government, the group targeted research labs, defense contractors, and security researchers.
- Spear-phishing emails delivered documents carrying malicious macros that downloaded and executed additional payloads.
- The malware enabled lateral movement, credential gathering, and exfiltration of valuable data.
- ThreatNeedle granted full control of compromised machines, allowing manipulation of files and execution of commands.
Protecting Against Advanced Threats
Organizations can validate their defenses against these threats using Cymulate’s Immediate Threats assessment. This platform tests exposure to the latest attacks and provides actionable mitigation steps. Indicators of Compromise (IOCs) are available in the Cymulate UI to help identify vulnerabilities and fortify defenses.