Cyware Weekly Threat Intelligence - January 17–21
Weekly Threat Briefing • Jan 21, 2022
The Good
We have a bunch of good news this week to pair with your morning coffee. Governments across the world are relentlessly working on improving the cybersecurity postures of their nations. In one such development, the U.S. NSA has now gained greater authority to defend national security systems. Along the same lines, the U.K.'s NCSC issued guidance for companies to make it easier for their customers to differentiate between phishing and legitimate texts or calls.
In the wake of proliferating SMS-phishing scams targeting bank customers, the Singapore Police, the Monetary Authority of Singapore (MAS), and the Association of Banks in Singapore (ABS) announced measures to further secure digital banking. Banks are expected to work in tandem with MAS, the police, and the Infocomm Media Development Authority to tackle the constant barrage of scams.
The Nigerian Police Force, along with INTERPOL, detained 11 members of the SilverTerrier group, which has successfully pulled off more than 50,000 BEC scams worldwide.
The NCSC issued guidelines for organizations to follow while communicating with customers via phone calls or texts. The guidance aims to make it harder for scammers to trick the public by making it easier to distinguish between fraudulent and legitimate communications.
The European Union kicked off a six-week cyber exercise to test its cyber-defense responsiveness by simulating an attack on a fictitious Finnish power company.
Pennsylvania Senate passed two bills aimed at controlling cybersecurity breaches. While one requires the state to form a strategy to prevent and mitigate ransomware attacks, the other one mandates state agencies, local government agencies, and school districts to inform victims within seven days of identifying a breach incident.
Russia’s FSB claimed to have arrested 14 members belonging to the infamous REvil ransomware group. It has also seized around $5.5 million and a few premium cars.
NATO entered an agreement with Ukraine to bolster cyber cooperation, including providing Ukraine access to NATO’s malware information sharing platform. The agreement would also enable NATO to collaborate with Ukraine in modernizing the latter’s IT and communications services while identifying domains where personnel training is required.
The White House published a memo that grants the NSA greater authority to protect national security systems. The memo also enables the agency to issue emergency and binding directives to take discrete action against emerging cyber risks and threats.
The Bad
Why do threat actors decide to attack humanitarian agencies and services? We do not have a proper answer yet. The Red Cross became the victim of such an unfortunate attack that resulted in the theft of the personal information of hundreds of thousands of people. This week was rife with state-backed threat activity as the UNC1151 group defaced more than 70 Ukrainian government websites. A cyberespionage campaign was revealed targeting ICS vendors, universities, and other organizations related to renewable energy. The campaign began in 2019 and is still ongoing.
The International Committee of the Red Cross (ICRC) was hit by an advanced cyberattack that compromised the personal data of over 515,000 highly vulnerable people. The data came from at least 60 Red Cross and Red Crescent National Societies located across the world. ICRC stated that the data stolen has not been leaked yet; the perpetrator remains unidentified.
Marketing giant RR Donnelley (RRD) suffered a Conti ransomware attack that disrupted its IT systems, leaving its customers unable to receive printed documents required for vendor payments, disbursement checks, and motor vehicle documentation. The attackers claimed responsibility and leaked 2.5GB of the stolen data.
The reclusive Earth Lusca threat actor, reportedly linked to the Winnti group, was found targeting organizations worldwide for financial gain. The list of victims includes governmental and educational institutions in Hong Kong, COVID-19 research organizations, and the media, among others. It mainly conducts spear-phishing and watering hole attacks.
A large-scale cyberespionage campaign, active since at least 2019, is targeting renewable energy and industrial technology organizations. Threat actors behind the campaign used legitimate websites, DNS scans, and public sandbox submissions to steal login credentials of the employees. The targeted organizations include Schneider Electric, Honeywell, Huawei, Telekom Romania, University of Wisconsin, Utah State University, and Taiwan Forestry Research Institute, among others.
Non-profit organization Goodwill notified its users about a security breach that affected their personal information. The cybercriminals gained unauthorized access by exploiting a vulnerability in the website. The compromised information includes full names, email addresses, phone numbers, and mailing addresses.
Dozens of Ukrainian government websites were defaced by the APT group UNC1151. The defaced websites were displayed with messages written in Russian, Ukrainian, and Polish languages. The campaign abused compromised Content Management Systems (CMS) to disseminate fake news.
Citizen Lab unearthed critical flaws in MY2022, the official app for the Beijing 2022 Winter Olympics. The flaws can allow attackers to sidestep encryption for users’ audio and file transfers. In addition, health customs forms containing users’ passport details, travel and medical history, and demographic details are at risk.
The central bank of the Republic of Indonesia confirmed sustaining a ransomware attack that disrupted its operations. Experts suspect that the attack was conducted by Conti, although Bank Indonesia did not confirm it. The bank claimed that the attack did not compromise any sensitive data or public services.
New Threats
QNAP NAS devices are once again under attack by the QLocker ransomware in a new campaign. More Ukrainian organizations are under attack by a new malware, dubbed WhisperGate, that poses as ransomware but is in reality a data wiper. The week also brought us a new cryptocurrency scam that abuses the Amazon brand to trick potential investors into giving up their money.