Top news stories this week
- Delete after reading. Organisational failings to blame for Ministry of Defence and PSNI data breaches.
- Turncoat. LockBit recruits new affiliates after BlackCat disruption and NoEscape exit scam.
- Crackdown. Microsoft obtains court order to seize Storm-1152 infrastructure; France and Spain make further cybercrime arrests.
- Security slam. UK at heightened risk of cyber attack according to parliamentary report.
- Shutdown. Russian hackers leave millions of Ukrainians without phone or internet access.
- Time delay. Kraft Heinz investigates August cyber breach while US dental insurer confirms millions impacted in May MOVEit breach.
- Patch Tuesday. Microsoft addresses vulnerabilities, meanwhile Apache identifies vulnerability in its Struts 2 framework.
1. Organisational failings in data security caused Ministry of Defence and PSNI breaches
The Information Commissioner’s Office (ICO) has fined the UK Ministry of Defence (MoD) GBP 350,000 over a 2021 data breach in which details of Afghan nationals who worked with the UK government were revealed over email. The ICO criticised lax data security practices at the MoD but reduced the fine in light of its cooperation and the fact that it is a public body.
Separately, an independent report into a data leak last August which saw details of all employees of the Police Service of Northern Ireland (PSNI) published online found widespread organisational failings contributed to the breach.
So what?
A culture of security needs clear policies, processes, and procedures, including staff education around the importance of safeguarding sensitive data.
[Researcher: David Broome]
2. LockBit recruits new affiliates after BlackCat disruption and NoEscape exit scam
Prolific ransomware group LockBit is recruiting disillusioned affiliates after BlackCat’s infrastructure unexpectedly became unavailable amid rumours of a law enforcement operation. Separately, NoEscape affiliates have been poached after the group was accused of performing an exit scam and stealing ransom payouts.
So what?
Turbulence and uncertainty in the ransomware ecosystem means that accurate threat intelligence is vital to successfully navigating an incident.
[Researcher: David Broome]
3. Microsoft obtains court order to seize Storm-1152 infrastructure; Spanish and French authorities make further cyber criminal arrests
In a major clampdown, Microsoft obtained a court order to seize the infrastructure of the cybercrime group Storm-1152, responsible for creating around 750 million fraudulent Microsoft accounts. The group is part of a cybercrime-as-a-service ecosystem, supplying fraudulent accounts to cyber criminals worldwide.
Separately, a leader of 'Kelvin Security', the group behind 300 cyber attacks including breaches at Vodafone Italia and Frost & Sullivan, has been arrested in Spain. Additionally, French authorities and international law enforcement arrested a Russian based in Paris, suspected of laundering funds for the global Hive ransomware gang.
So what?
Legal action against threat actors can be effective if it leads to domain seizures. However, the success of prosecution largely depends on the criminals' geographical location, potentially limiting law enforcement capabilities.
[Researcher: Amy Gregan]
4. Parliamentary report reveals UK is at risk of ‘major cyber incident’
According to a report by the UK's parliamentary committee, the country is at high risk of a 'catastrophic ransomware attack' due to ineffective planning and inadequate investment in cyber security. The report warns that the UK's critical national infrastructure, including energy, water supply and health services, is particularly susceptible to a cyber attack due to outdated IT systems.
So what?
Cyber security should be a priority for all organisations due to its impact on business operations, finances, and reputation. Having an advocate for cyber security helps create a solid defence and a proactive culture to face evolving cyber threats.
[Researcher: Amy Gregan]
5. Russian hackers claim attack on Ukraine mobile network
Russia-linked hacking groups, KillNet and Solntsepek, have separately claimed responsibility for an attack on Ukraine’s largest mobile network operator Kyivstar in a cyber attack that left millions without phone or internet access and disrupted air raid alert systems in Kyiv. Security researchers have previously linked Solntsepek to the Russian military intelligence unit known as Sandworm.
So what?
Network segmentation and strong backup practices can significantly reduce the impact of a supply chain cyber attack.
[Researcher: Waithera Junghae]
6. Kraft Heinz investigates cyber breach while US dental insurer confirms millions impacted in MOVEit breach
US food giant Kraft Heinz is investigating the potential impact of a cyber attack that took place in August after its name recently appeared on the leak site of the data extortion group Snatch. The company said that it had not seen any evidence to suggest it was a victim of an attack.
Separately, dental insurance company Delta Dental of California has confirmed that seven million of its customers were impacted in a MOVEit Transfer software breach in May.
So what?
Organisations should remain vigilant as data can take a long time to surface on a leak site and the true impact of a cyber attack can take months to be felt.
[Researcher: Waithera Junghae]
7. Patch Tuesday
Microsoft has patched 34 vulnerabilities, including four critical vulnerabilities allowing for remote code execution, and one zero-day vulnerability.
Meanwhile, Apache has identified a new vulnerability in its Struts 2 framework, which can be used for remote code execution.
So what?
Apply the latest patches and upgrade to Struts 2.5.33, 6.3.0.2 or greater.
[Researcher: Waithera Junghae]
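As an added example (not part of the briefing, and not Apache's or Microsoft's own tooling), the following Python script checks whether the Struts 2 versions declared in a Maven pom.xml are below the fixed releases named above, 2.5.33 for the 2.5 line and 6.3.0.2 for the 6.x line. The sample pom.xml is constructed for the example; the policy of comparing 6.x against 6.3.0.2 and everything older against 2.5.33 is an assumption drawn from the "or greater" wording, and versions declared through Maven properties such as `${struts.version}` are reported as unresolved rather than guessed.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases named in the briefing.
FIXED_2X = (2, 5, 33)     # minimum fixed version on the 2.5 line
FIXED_6X = (6, 3, 0, 2)   # minimum fixed version on the 6.x line

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(version: str) -> tuple:
    """Turn '6.3.0.1' or '2.5.30-RC1' into a tuple of its leading integers.

    Qualifiers such as RC1 or SNAPSHOT are dropped, so a pre-release of a
    fixed version compares as fixed; treat that as a known limitation.
    """
    nums = []
    for part in re.split(r"[.\-]", version.strip()):
        if part.isdigit():
            nums.append(int(part))
        else:
            break
    if not nums:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(nums)


def _padded(a: tuple, b: tuple) -> tuple:
    """Right-pad both tuples with zeros so 6.3.0 compares as 6.3.0.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def needs_upgrade(version: str) -> bool:
    """True when the declared Struts version is below the fixed release for its line.

    Assumption (not stated on the page): 6.x and later are measured against
    6.3.0.2, and anything older is measured against 2.5.33, so unsupported
    lines such as 2.3.x are flagged as needing an upgrade.
    """
    declared = parse_version(version)
    fixed = FIXED_6X if declared[0] >= 6 else FIXED_2X
    declared, fixed = _padded(declared, fixed)
    return declared < fixed


def find_struts_core(pom_xml: str) -> list:
    """Return (version, needs_upgrade) for each struts2-core dependency in a pom.

    A version given as a Maven property reference (e.g. ${struts.version})
    cannot be evaluated here and is reported with None instead of a verdict.
    """
    root = ET.fromstring(pom_xml)
    findings = []
    for dep in root.iterfind(".//m:dependency", MAVEN_NS):
        group = dep.findtext("m:groupId", default="", namespaces=MAVEN_NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=MAVEN_NS)
        version = dep.findtext("m:version", default="", namespaces=MAVEN_NS).strip()
        if group != "org.apache.struts" or artifact != "struts2-core":
            continue
        if not version or version.startswith("${"):
            findings.append((version, None))  # unresolved; check the property
        else:
            findings.append((version, needs_upgrade(version)))
    return findings


# Constructed sample pom.xml for the example; not taken from any real project.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>6.3.0.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.12.0</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for version, verdict in find_struts_core(SAMPLE_POM):
        status = {True: "UPGRADE", False: "ok", None: "unresolved"}[verdict]
        print(f"struts2-core {version or '<no version>'}: {status}")
```

Run it against each project's pom.xml; any `UPGRADE` line is a Struts dependency still below the fixed release for its line, and an `unresolved` line means the version comes from a property or parent POM that must be checked by hand.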