Hsinchu, Taiwan - January 17, 2024 - In early 2024, Foxsemicon Integrated Technology Inc. (Fiti, TWSE: 3413), a major semiconductor equipment manufacturer within the Foxconn Technology Group, fell victim to a cyberattack by the LockBit ransomware group. LockBit is a notorious cybercriminal organization that offers ransomware as a service (RaaS). The sophisticated ransomware developed by the group not only managed to steal sensitive internal data from Foxsemicon but also threatened to release it publicly.
Furthermore, the LockBit group hijacked the official website of Foxsemicon, replacing it with a message claiming that they had stolen 5 terabytes of data, including valuable customer information. The message also contained threats directed at Foxsemicon employees, warning them of potential job losses if the company failed to comply with their demands.
This was the first time in Taiwan that cybercriminals had not only stolen data from a company but also seized control of its website. Despite the severity of the attack, Foxsemicon issued a public statement assuring customers and stakeholders that their preliminary assessment indicated no major impact on the company’s operations. Foxsemicon also contacted the Investigation Bureau of the Ministry of Justice to launch a full investigation into the incident.
About Lockbit
Lockbit ransomware initially spreads through email attachments. Once someone clicks on it accidentally, Lockbit starts running and begins scanning nearby devices for any network vulnerabilities that it can exploit. Once it finds one, it copies itself over and remotely executes a new instance of the Lockbit ransomware.
Therefore, do not open attachments carelessly, always remember to back up regularly, these are still the general recommendations for preventing against ransomware.
It is noteworthy that Lockbit 3.0 has an affiliate program, it is possible that insiders within the company executes Lockbit ransomware. Therefore, it is necessary to deploy a large amount of network security filters in network segments, such as Pico-UTM or Tera-UTM, in each segment of the company’s internal network to prevent Lockbit ransomware from spreading internally.
Lionic Actions
Upon learning about the Lockbit ransomware attack on Foxsemicon, Lionic immediately checked the status of Lockbit in their anti-virus database. The cloud-based anti-virus server had already collected over 500,000 instances of the Lockbit ransomware.
The following is the partial list of anti-virus signatures which can defend against the Lockbit family.
| Anti-Virus Signature ID | Virus Name | Release Date |
|---|---|---|
| 9269823910101921 | Trojan.Win32.Lockbit.j | 2023-12-12 |
| 9233970457236220 | Trojan.Win32.Lockbit.j | 2023-12-04 |
| 9041380854200519 | Trojan.Win32.Lockbit.j | 2023-11-23 |
| 9202100030870260 | Trojan.Win32.Lockbit.j | 2023-11-10 |
| 9110006882884620 | Trojan.Win32.Lockbit.j | 2023-11-04 |
| 9183050870493262 | Trojan.Win32.Lockbit.j | 2023-11-02 |
| 9198504858767879 | Trojan.Win32.Lockbit.4 | 2023-11-01 |
| 9243198351326660 | Trojan.Win32.Lockbit.4 | 2023-10-29 |
| 9131979991142791 | Trojan.Win32.Lockbit.4 | 2023-10-26 |
| 9134384088522549 | Trojan.Win32.Lockbit.4 | 2023-10-24 |
| 9035587964425902 | Trojan.Win32.Lockbit.4 | 2023-10-17 |
| 9237410090896048 | Trojan.Win32.Lockbit.4 | 2023-10-11 |
Investigations into the LockBit ransomware infection have revealed that there are 14 Common Vulnerabilities and Exposures (CVEs) that could potentially be exploited by the ransomware. Lionic has developed anti-intrusion signatures that can defend against these 14 CVEs.
The following is a summary of the 14 CVEs and their corresponding anti-intrusion signatures:
| Anti-Intrusion Signature ID | Message | CVE | Release Date |
|---|---|---|---|
| 8100513 8102453 | Fortinet FortiOS SSL VPN Web Portal Directory Traversal | CVE-2018-13379 | 2020/12/04 |
| 8100527 | Microsoft Windows RDP Channel MS_T120 Use After Free | CVE-2019-0708 | 2022/06/16 |
| 8100568 8100569 | Microsoft Windows Server Netlogon NetrServerReqChallenge Privilege Escalation | CVE-2020-1472 | 2021/03/26 |
| 8102020 8102021 | F5 iControl REST Interface Server Side Request Forgery | CVE-2021-22986 | 2022/11/11 |
| 8102726 | Microsoft Exchange Server MailboxExportRequest Arbitrary File Write | CVE-2021-31207 | 2023/08/18 |
| 8100634 8101552 8101553 8101554 8101555 | Microsoft Exchange Server Autodiscover SSRF | CVE-2021-34473 | 2022/08/19 |
| 8403390 | Microsoft Exchange server security feature bypass | CVE-2021-34523 | 2023/05/30 |
| 8100725 | Microsoft Windows LSA Spoofing NTLM Relay Attack CVE-2021-36942 2021/10/08 | ||
| 8100664 8100676 8100677 8100680 8100720 8100956 8100957 8100958 8101585 | Microsoft WIndows MSHTML ActiveX Remote Code Execution | CVE-2021-40444 | 2021/09/24 |
| 8100903 8100904 8100905 8100906 8100907 8100908 | Apache Log4j JNDI Injection Remote Code Execution | CVE-2021-44228 | 2021/12/17 |
| 8102442 8102443 | Forta GoAnywhere MFT Unsafe Deserialization Remote Code Execution | CVE-2023-0669 | 2023/05/03 |
| 8102865 8102866 8102867 | PaperCut MF/NG PrintScript Remote Code Execution | CVE-2023-27350 | 2023/10/20 |
| 8102887 | Citrix NetScaler ADC and NetScaler Gateway Information Disclosure | CVE-2023-4966 | 2023/11/03 |
Based on the anti-virus and anti-intrusion signatures mentioned earlier, Lionic’s network security products, such as Pico-UTM, Tera-UTM, and Dual Ark-UTM, have already proven their effectiveness in defending against LockBit. These products are capable of defending against ransomware attacks using both anti-virus and anti-intrusion ways. Lionic’s network security products are well-equipped to provide comprehensive protection against ransomware threats.
Lionic’s CEO, Eric Lu, emphasized the company’s commitment to ransomware research and defense, stating that “Lionic has invested significant efforts in ransomware research and defense. In addition to data backups, adopting Lionic Pico-UTM, Tera-UTM, or Dual Ark-UTM stands out as one of the most effective strategies to shield users from ransomware.”
While data backups are essential in protecting against ransomware attacks, users can also choose to adopt a network security appliance to block the ransomware. Lionic is confident that its Pico-UTM, Tera-UTM, and Dual Ark-UTM products are the best choices for this purpose. By adopting these products, users can significantly reduce their risk of falling victim to ransomware attacks and protect their valuable data and assets.
Reference
- “國內首例 駭客挾持京鼎網站 公開威脅”, https://udn.com/news/story/123894/7714748
- “Lockbit”, https://en.wikipedia.org/wiki/Lockbit
- “All About LockBit Ransomware”, https://www.securin.io/articles/all-about-lockbit-ransomware/
About Lionic Corp.
Lionic Corporation is recognized globally as a leader in advanced Deep Packet Inspection (DPI) solutions. The technology suite includes a state-of-the-art DPI engine and comprehensive software application modules. The Security modules cover Anti-Virus, Anti-Intrusion and Anti-WebThreat, while the Content Management modules focus on application and device identification, application-based quality of service (QoS), web content filtering and parental control. Lionic’s offerings in security and content management, along with cloud-based scanning services and signature subscription services, are deployed extensively worldwide.
