Cyware Weekly Threat Intelligence - May 08–12

Weekly Threat Briefing • May 12, 2023
Taking down cybercrime operations requires diligent efforts and cooperation between national and international law enforcement agencies. Setting another such example, the FBI led an operation to dismantle the infrastructure behind the Snake malware used by Russian state actors. In a bid to improve cloud security, an open-source tool was launched this week to make a Kubernetes Bill of Materials (KBOM) standard accessible for security teams.
CyberArk has released a new decryptor called 'White Phoenix' that lets victims partially recover files hit by ransomware strains that use intermittent encryption. Intermittent encryption, a tactic adopted by several ransomware groups to finish encryption faster and draw less attention from file-activity monitoring, encrypts only some chunks of a file and leaves the chunks in between untouched. CyberArk built the tool while experimenting with partially encrypted PDF files: it carves out the stream objects that survived in the unencrypted chunks and recovers the text and images they contain. Recovery is partial by design; anything that fell inside an encrypted chunk stays lost unless the key is obtained.
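The carving idea described above, as an added example that is not White Phoenix's own code: a constructed PDF-like file with one FlateDecode stream per page is run through a simulated intermittent encryptor (every second 512-byte chunk XORed with a keystream; chunk size, key and page texts are all assumptions), and the recovery routine inflates whatever follows each 'stream' keyword, keeping streams that reach zlib end-of-stream as complete and the prefix of any stream whose tail was overwritten as partial.

```python
"""Carve intact FlateDecode streams out of a PDF damaged by intermittent encryption.

Constructed model: the file is split into fixed-size chunks and every second chunk is
encrypted; streams that lie entirely inside clear chunks can be inflated unchanged.
"""
import hashlib
import re
import zlib

CHUNK = 512  # bytes; assumed chunk size of the simulated ransomware

# Constructed page texts; each becomes one FlateDecode stream object
SAMPLE_PAYLOADS = [
    b"Page 1: board minutes, quarterly figures and the FY23 budget outline.",
    b"Page 2: supplier contract terms and renewal dates for the EMEA region.",
    b"Page 3: incident response runbook, escalation contacts and SLAs.",
    b"Page 4: customer list with account managers for the APAC territory.",
    b"Page 5: product roadmap, release dates and known open defects.",
    b"Page 6: payroll summary for the March pay run, totals by department.",
]

# A stream body starts after the 'stream' keyword and a line break; the lookbehind
# keeps the pattern from firing on the 'stream' inside 'endstream'.
STREAM_START = re.compile(rb"(?<!end)stream\r?\n")


def build_pdf(payloads, obj_size=CHUNK):
    """Build a minimal PDF-like byte string with one compressed stream object per payload.
    Each object is padded with a comment line to exactly obj_size bytes so that, for the
    demonstration, object boundaries line up with the encryption chunks."""
    out = b""
    for i, payload in enumerate(payloads):
        data = zlib.compress(payload)
        obj = b"%PDF-1.4\n" if i == 0 else b""
        obj += b"%d 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % (i + 1, len(data))
        obj += data + b"\nendstream\nendobj\n"
        pad = obj_size - len(obj) - 2
        if pad < 0:
            raise ValueError("object %d does not fit in %d bytes" % (i + 1, obj_size))
        out += obj + b"%" + b"." * pad + b"\n"
    return out


def _keystream(key, n):
    """Deterministic keystream (SHA-256 in counter mode) so the demo is repeatable."""
    blocks, ctr = [], 0
    while 32 * len(blocks) < n:
        blocks.append(hashlib.sha256(key + ctr.to_bytes(4, "big")).digest())
        ctr += 1
    return b"".join(blocks)[:n]


def intermittent_encrypt(data, key, chunk=CHUNK):
    """Encrypt every odd-numbered chunk and leave even-numbered chunks in clear."""
    out = bytearray(data)
    ks = _keystream(key, len(data))
    for start in range(0, len(data), chunk):
        if (start // chunk) % 2 == 1:
            for j in range(start, min(start + chunk, len(data))):
                out[j] ^= ks[j]
    return bytes(out)


def recover_streams(data, piece=64):
    """Inflate the bytes after every 'stream' keyword. A stream whose compressed bytes are
    all intact reaches zlib end-of-stream and is returned in `complete`; a stream whose tail
    was overwritten yields only the text inflated before the damage and lands in `partial`."""
    complete, partial = [], []
    for m in STREAM_START.finditer(data):
        inflater = zlib.decompressobj()
        text, pos = b"", m.end()
        try:
            while pos < len(data) and not inflater.eof:
                text += inflater.decompress(data[pos:pos + piece])
                pos += piece
        except zlib.error:
            pass  # corrupted bytes reached; keep whatever inflated before them
        if inflater.eof:
            complete.append(text)
        elif text:
            partial.append(text)
    return complete, partial


if __name__ == "__main__":
    pdf = build_pdf(SAMPLE_PAYLOADS)
    damaged = intermittent_encrypt(pdf, b"constructed-demo-key")
    complete, partial = recover_streams(damaged)
    print("complete:", len(complete), "partial:", len(partial), "of", len(SAMPLE_PAYLOADS))
    for text in complete:
        print("  ", text.decode())
```

With the objects aligned to the chunks, pages 1, 3 and 5 come back whole and pages 2, 4 and 6 are gone; on a real file the objects straddle chunk boundaries, which is why the routine inflates incrementally and keeps partial output instead of relying on an intact 'endstream' marker.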
Law enforcement in Spain has conducted a series of arrests, detaining numerous individuals believed to be part of a significant organized crime syndicate. These apprehensions come as a result of the gang's alleged involvement in phishing activities that helped them reportedly amass more than €700,000 ($767,000). Out of the 40 individuals apprehended, two were identified as hackers, while 15 were suspected members of the "Trinitarios" group.
Operation Medusa, led by the FBI, dismantled the infrastructure of the Snake malware operated by Center 16 of Russia's Federal Security Service (FSB). Snake was used to collect sensitive information from high-profile targets, including government entities, research facilities, and journalists. Infections were detected in more than 50 countries across the United States, Europe, and Asia; in the United States, organizations in the education, media, financial, and government sectors were among the victims.
The Kubernetes Security Operations Center (KSOC) has released the first Kubernetes Bill of Materials (KBOM) standard, together with an open-source command-line interface (CLI) tool that generates one. A KBOM gives cloud security teams an inventory of the third-party components running in a cluster, so that when a vulnerability in one of those components is disclosed, as has happened with increasing frequency in recent months, teams can quickly tell whether and where they are exposed.
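To show the kind of question such an inventory answers, here is an added example that is neither the KBOM schema nor KSOC's kbom CLI: it reads a constructed, trimmed sample of `kubectl get pods -A -o json` (pod names, namespaces, images and digests are all made up), normalises each image reference into registry, repository, tag and digest using the Docker defaults, records the digest the kubelet actually resolved, and flags images that are not pinned by digest or float on a mutable tag.

```python
"""Simplified cluster software inventory built from pod specs (constructed example)."""
from collections import Counter

# Constructed, trimmed output of `kubectl get pods -A -o json`, keeping only the fields read below
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "kube-system", "name": "kube-proxy-x7k2p"},
     "spec": {"containers": [{"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v1.27.1"}]},
     "status": {"containerStatuses": [{"name": "kube-proxy",
                                       "imageID": "registry.k8s.io/kube-proxy@sha256:" + "a" * 64}]}},
    {"metadata": {"namespace": "monitoring", "name": "prometheus-0"},
     "spec": {"initContainers": [{"name": "init-chown", "image": "busybox"}],
              "containers": [{"name": "prometheus", "image": "quay.io/prometheus/prometheus:v2.44.0"}]},
     "status": {"containerStatuses": []}},
    {"metadata": {"namespace": "default", "name": "web-7f9c4"},
     "spec": {"containers": [{"name": "web", "image": "nginx:latest"}]},
     "status": {"containerStatuses": []}},
    {"metadata": {"namespace": "default", "name": "api-5d8b1"},
     "spec": {"containers": [{"name": "api", "image": "ghcr.io/example/api@sha256:" + "b" * 64}]},
     "status": {"containerStatuses": []}},
]}


def parse_image_ref(ref):
    """Split an image reference into (registry, repository, tag, digest), applying the
    Docker defaults: no registry means docker.io, a bare name means the 'library/' namespace."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):  # a ':' after the last '/' is a tag, not a registry port
        ref, tag = ref[:colon], ref[colon + 1:]
    parts = ref.split("/")
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        return first, "/".join(parts[1:]), tag, digest
    repo = ref if len(parts) > 1 else "library/" + ref
    return "docker.io", repo, tag, digest


def build_inventory(pods):
    """One entry per (namespace, image reference): the pods using it, the digest the kubelet
    actually resolved (from containerStatuses) and pinning findings, sorted for stable output."""
    inventory = {}
    for pod in pods["items"]:
        meta, spec = pod["metadata"], pod["spec"]
        resolved = {cs["name"]: cs.get("imageID", "")
                    for cs in pod.get("status", {}).get("containerStatuses", [])}
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            key = (meta["namespace"], c["image"])
            if key not in inventory:
                registry, repo, tag, digest = parse_image_ref(c["image"])
                findings = [] if digest else ["not pinned by digest"]
                if digest is None and tag in (None, "latest"):
                    findings.append("floating tag")  # resolves to whatever the registry serves today
                inventory[key] = {"namespace": meta["namespace"], "image": c["image"],
                                  "registry": registry, "repository": repo, "tag": tag,
                                  "digest": digest, "resolved_digest": None,
                                  "pods": [], "findings": findings}
            entry = inventory[key]
            entry["pods"].append(meta["name"])
            image_id = resolved.get(c["name"], "")
            if "@" in image_id:
                entry["resolved_digest"] = image_id.split("@", 1)[1]
    return sorted(inventory.values(), key=lambda e: (e["namespace"], e["image"]))


def registry_summary(inventory):
    """Count distinct images per registry: a quick view of which third parties ship code into the cluster."""
    return Counter(e["registry"] for e in inventory)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_PODS)
    for e in inv:
        print(e["namespace"], e["image"], e["resolved_digest"] or e["digest"], e["findings"])
    print(dict(registry_summary(inv)))
```

When a vulnerability is announced for, say, a specific kube-proxy or Prometheus release, the resolved digest is the value to match against the advisory; an image that only carries a floating tag cannot be matched reliably at all, which is why the finding is worth surfacing alongside the inventory.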
It’s not all sunshine and rainbows in the cyber landscape as cyber intruders continue to cause disruptions at numerous organizations. Some of the prominent victims this week include a U.S. food distributor, an iconic Canadian art gallery, and a SaaS provider for the education sector. Even more concerning, a new threat actor has surfaced with a track record of 350 BEC attack campaigns, carried out in a span of two years.
Constellation Software Inc., headquartered in Toronto, reported that a limited number of its IT systems were hit by a ransomware attack claimed by the BlackCat (ALPHV) group, which says it stole more than 1 TB of data. Personal information of individuals and data belonging to the company's partners may have been exposed.
NextGen Healthcare, based in Atlanta, announced that an unauthorized party accessed its systems between March 29 and April 14, 2023, exposing patients' personal information, including names, addresses, dates of birth, and Social Security numbers. The company stated that no health or medical records were accessed.
Following its decision not to comply with the ransom requests from the LockBit 3.0 group, lending company Fullerton India experienced a data breach involving 600 GB of information. It's expected that the cybercriminals may now resort to a triple extortion strategy. This could involve threatening Fullerton India's clients, business associates, and suppliers in an effort to coerce the company into negotiating with the ransomware perpetrators. The company officially acknowledged the data breach on April 24.
OT&P Healthcare, a Hong Kong-based healthcare group, reportedly suffered a cyberattack that seems to have affected the personal data and medical records of approximately 100,000 patients. Though the full extent of the data theft is yet to be determined by the authorities, it's known that individuals' identification cards and passport numbers were also housed on the servers that were breached. The healthcare group operates a total of eight clinics across Central, Repulse Bay, and Clear Water Bay.
Sysco, a prominent food distribution company, acknowledged a cyberattack that compromised its network earlier this year and exposed sensitive information belonging to both employees and customers. An investigation into this breach is currently underway, and initial findings indicate that the accessed data comprises employee names, Social Security numbers, and account numbers.
In a recent announcement, the Metropolitan Opera disclosed that a cyberattack in December of last year had a significant impact on the personal details of more than 45,000 customers. The compromised information encompassed names, financial account details, tax identification numbers, Social Security numbers, payment card information, and driver's license numbers. The breach occurred between September 20, 2022, and December 6, 2022, during which the attackers gained unauthorized access to the opera's systems.
The National Gallery of Canada disclosed that it experienced a ransomware attack, resulting in the temporary shutdown of its IT systems. As one of North America's largest art museums in terms of exhibition space, it assured the public that no customer data was compromised during the incident. Notably, no ransomware group has claimed responsibility for the attack at this time.
American cloud-based software provider for schools, colleges, and universities, Brightly Software, disclosed a breach incident involving unauthorized access to the database of its SchoolDude online platform. The threat actors are believed to have stolen customer account information, including names, email addresses, account passwords, phone numbers (where available), and school district names.
Following a thorough two-year investigation, the Korean National Police Agency (KNPA) uncovered evidence of a cyberattack perpetrated by North Korean hackers targeting Seoul National University Hospital. The breach occurred between May and June 2021, resulting in the exposure of data belonging to 831,000 individuals. The compromised information consists of confidential medical records as well as personal data belonging to visitors and employees of the hospital.
Over the past two years, an Israeli cybercriminal group has run more than 350 BEC campaigns against major multinational corporations (MNCs) worldwide, Abnormal Security revealed. The group stands out for its techniques, such as spoofing email display names and inserting several fictitious personas into a single email chain, and for the unusually large sums it attempts to extract from its targets.
Data leaked after the recent ransomware attack on Micro-Star International (MSI) reportedly includes Intel Boot Guard OEM private keys. Boot Guard is the mechanism by which PCs with Intel chips verify that their firmware is authentic before running it, and that verification is anchored in the OEM's signing keys. Anyone holding the matching private keys can sign malicious firmware that passes Boot Guard's check on affected MSI systems, and because the hash of the OEM public key is burned into the platform's fuses, the compromised keys cannot simply be rotated on devices that have already shipped.
ABB, a multinational company specializing in electrification and automation technology, fell victim to a significant cyberattack by the Black Basta ransomware group. This attack affected ABB's business operations, particularly its Windows Active Directory, impacting numerous devices. To contain the spread of the ransomware, ABB promptly terminated VPN connections with its customers.
This week also saw several new malware threats, including two ransomware families, Akira and Cactus. Akira targets enterprise networks and demands ransoms that run into millions of dollars, while Cactus stands out for encrypting its own executable and unpacking it only when launched with the right key, which hinders detection by security products. Meanwhile, the PaperCut vulnerability saga continues: a new exploit for the flaw has been released, and two Iranian state-backed threat actors have been observed abusing it against unpatched servers.