Our selection of key intelligence reports focuses on the data leak extortion group RansomHouse’s continued activity. This week, RansomHouse compromised Advanced Micro Devices (AMD), an American multinational semiconductor manufacturer, and claims it has stolen 450GB of research and financial data. RansomHouse did not impose a ransom demand on AMD, suggesting that it anticipates a greater profit from selling the data on to other threat actors. The group also publicly criticised AMD’s alleged poor security practices. We have previously observed RansomHouse compromise other companies and then shame their poor security practices online, and have suggested that RansomHouse could consist of disgruntled penetration testers who are keen to highlight such consequences.

RansomHouse uses its Telegram account as a publicity tool to highlight its operations, in a similar manner to the now-defunct Lapsus$ data leak extortion group, which used the platform as an extra lever to pressure victims into paying the ransom or to advertise the data for a later sale. We anticipate that RansomHouse will continue to publicise its operations and thereby raise its profile while shaming companies by criticising their alleged deficiencies.

Key Vulnerabilities

  1. CVE-2021-26855
    This Microsoft Exchange Server Remote Code Execution vulnerability (CVSS: 10 | OVSS: 100) is one of several vulnerabilities collectively labelled as ProxyLogon. Chinese espionage units used the vulnerability to gain initial access to targets in several different sectors within Pakistan, Afghanistan, and Malaysia to deliver the ShadowPad backdoor. The ProxyLogon vulnerabilities have previously been exploited by a variety of cybercriminals, including ransomware groups, and by other nation-state actors.
  2. CVE-2016-0718
    This Expat library vulnerability (CVSS: 9.8 | OVSS: 23) allows an attacker to trigger a denial of service or execute arbitrary code via a malformed input document. It could also cause a buffer overflow.
  3. CVE-2017-1000158
    CPython up to version 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c (CVSS: 9.8 | OVSS: 20). This could result in a heap-based buffer overflow and the potential for arbitrary code execution.
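The CPython item above describes an integer overflow in a buffer-size computation. As an added illustration (not CPython’s code and not part of this report), the following C shows the bug class, an output size obtained by multiplying an input length by a constant, which can wrap to a small value, next to the hardened form that rejects any length above SIZE_MAX divided by the factor before allocating. The function names, the expansion factor of 4 and the escape routine are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative example only: this is not CPython's code. It shows the class
 * of bug described for CVE-2017-1000158 (an output buffer sized as input
 * length times a constant, where the multiplication can wrap) and the usual
 * fix: reject lengths that would overflow before allocating anything. */

/* Worst-case expansion factor assumed for the example: each input byte may
 * produce up to 4 output bytes (a byte rendered as "\xNN"). */
#define EXPANSION 4

/* Unsafe pattern: len * EXPANSION wraps for huge len, so a tiny buffer is
 * allocated while the caller still believes it has room for len*4 bytes. */
size_t unsafe_output_size(size_t len) {
    return len * EXPANSION;   /* may wrap around to a small value */
}

/* Hardened pattern: compare against SIZE_MAX / EXPANSION before multiplying.
 * Returns 1 and sets *out on success, 0 if the size would overflow. */
int checked_output_size(size_t len, size_t *out) {
    if (len > SIZE_MAX / EXPANSION) {
        return 0;             /* would overflow: refuse instead of wrapping */
    }
    *out = len * EXPANSION;
    return 1;
}

/* Escape every byte of src as \xNN into a freshly allocated buffer sized
 * with the checked computation. Returns NULL on overflow or allocation
 * failure; the caller frees the result. (Constructed example routine.) */
char *escape_all(const unsigned char *src, size_t len, size_t *out_len) {
    static const char hex[] = "0123456789abcdef";
    size_t need;
    if (!checked_output_size(len, &need) || need > SIZE_MAX - 1) {
        return NULL;          /* size check failed: no allocation, no write */
    }
    char *dst = malloc(need + 1);
    if (dst == NULL) {
        return NULL;
    }
    for (size_t i = 0; i < len; i++) {
        dst[4 * i + 0] = '\\';
        dst[4 * i + 1] = 'x';
        dst[4 * i + 2] = hex[src[i] >> 4];
        dst[4 * i + 3] = hex[src[i] & 0x0f];
    }
    dst[need] = '\0';
    if (out_len) {
        *out_len = need;
    }
    return dst;
}

int main(void) {
    /* Constructed input for a stand-alone run. */
    const unsigned char sample[] = "AB";
    size_t n = 0;
    char *escaped = escape_all(sample, 2, &n);
    if (escaped != NULL) {
        printf("escaped %zu bytes: %s\n", n, escaped);
        free(escaped);
    }
    /* Show the wrap that the unchecked computation suffers. */
    printf("unchecked size for SIZE_MAX/2+1 bytes: %zu\n",
           unsafe_output_size(SIZE_MAX / 2 + 1));
    return 0;
}
```

The defensive point is that the bound check happens on the input length, before the multiplication that would wrap; once a wrapped size reaches an allocator, every later write is a heap overflow regardless of how careful the copy loop is.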

Key Intelligence Reports

  1. Likely Chinese threat actor targets remote workers in North America and Europe with new ZuoRAT malware.
    A sophisticated yet unknown threat actor has been compromising small office/home office (SOHO) routers with a previously undetected remote access trojan (RAT) tracked as ZuoRAT.
  2. Data leak extortion group RansomHouse compromises American multinational semiconductor producer AMD.
    Data leak extortion group RansomHouse has compromised Advanced Micro Devices (AMD), an American multinational semiconductor manufacturer, and claims it has stolen 450GB of research and financial data.
  3. Norway’s National Security Authority claims pro-Russian group targeted Norwegian companies in DDoS campaign.
    The Norwegian National Security Authority (NSM) has revealed that a pro-Russian cybercriminal group is behind a wave of Distributed Denial-of-Service (DDoS) attacks against several large Norwegian companies that forced websites and services offline.

What is OVSS?

The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding context on the likely threat to, and impact of, each CVE, building upon the vulnerability information provided as part of the CVSS (Common Vulnerability Scoring System) score.
