5 July 2024

5 min read

Hackers apologise to Indonesian government following ransomware attack | Cyber Intelligence Briefing: 5 July

July 2024
Cyber Intelligence Briefing: 5 July

Top news stories this week

  1. Brain Cipher. Ransomware group apologises to Indonesian government and offers free decryptor.
  2. Collateral damage. Financial technology partner firms impacted by Evolve Bank cyber attack.
  3. Struck down. Europol coordinates global action against criminal abuse of Cobalt Strike.
  4. Cold calling. New ransomware group tracked as Volcano Demon targets victims through phone calls.
  5. Patch patch. Cisco patches vulnerability exploited by nation-state hackers.
  6. Healthcare under attack. Ransomware attacks cause operational disruptions at healthcare organisations in Croatia and South Africa. 

Zywave IR Team of the Year 2024

 

1. Brain Cipher offers free decryptor after Indonesian government hack

The threat actor responsible for a major cyber attack on an Indonesian government data centre has issued an apology and claimed it will provide a free decryption key. The attack caused widespread disruption due to various government agencies’ failure to back up data. Security researchers have indicated that Brain Cipher ransomware is based on a leaked version of the LockBit 3.0 encryptor.

So What?

Gestures of good will from threat actors are extremely rare. It is vital for organisations and government entities to maintain viable backups in the face of persistent cyber threats. 

[Researcher: Lawrence Copson] 


2. Evolve Bank cyber attack impacts customers of multiple other fintech firms

US-based lender Evolve Bank & Trust was hit by a LockBit ransomware attack in May, which has led to data breaches at several of the bank's partners. Buy-now-pay-later company Affirm has communicated with the US Securities and Exchange Commission that personal data from its cardholders may have been stolen during the cyber attack. Money transfer firm Wise also disclosed that some of its users may have been impacted by the breach.

So what?

When entrusting sensitive customer data to third parties, you must understand how your data is processed, and the reputational and legal risks you may face if that data were to be breached.

[Researcher: Adelaide Parker]


3. Europol coordinates global action against criminal use of Cobalt Strike

International law enforcement agencies have joined efforts with the private sector to clamp down on illegal copies of the security tool Cobalt Strike, resulting in the takedown of 593 Cobalt Strike servers used by threat actors. This tool is used legitimately by IT security experts to perform cyber attack simulations, while cybercriminals typically operate its unlicensed copies and use it to infiltrate victims’ IT systems.

So what?

In the past months, law enforcement has been busy dismantling various criminal activities in the cyber space and this operation is yet another significant disruption of criminal infrastructure.

[Researcher: Milda Petraityte]


4. New ransomware group Volcano Demon targets victims through phone calls

Researchers have identified a new threat group that targets victims and demands ransom payments from organisations through threatening phone calls. The new group, tracked as Volcano Demon, does not have a public leak site, but is also known to exfiltrate data as well as encrypting it.

So what?

The cybercriminal ecosystem is constantly changing and evolving as new groups emerge. Organisations should engage professionals and implement robust communication plans to help staff deal with harassing phone calls.

[Researcher: Waithera Junghae]


5. Cisco patches vulnerability exploited by state-sponsored hackers

Cisco has issued a patch for a software vulnerability (CVE-2024-20399) exploited by Chinese state-sponsored hackers. The vulnerability in the command line interface of Cisco's NX-OS software could enable authenticated threat actors to execute any command with the elevated root user privileges.

SO WHAT? 

Organisations with vulnerable devices should follow Cisco's recommendation to update to the most recent version.

[Researcher: Aditya Ganjam Mahesh]


6. Healthcare organisations face significant disruptions following ransomware attacks

A ransomware attack on The University Hospital Centre in Zagreb, has forced Croatia’s largest hospital to temporarily shut down IT systems, and revert back to using pen and paper. LockBit, the ransomware group behind the attack, claims to have accessed sensitive information, including medical records.

Separately, South Africa's National Health Laboratory Service is also facing operational disruptions following a ransomware attack, which might slow down its response to new disease outbreaks.

So what?

Ransomware attacks on the healthcare industry can have grave consequences, making it essential for organisations in the sector to proactively invest in their cyber defences.

[Researcher: Anna Tankovics]

 

SUBSCRIBE TO RECEIVE OUR WEEKLY CYBER THREAT INTELLIGENCE BRIEFING VIA EMAIL

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.

Editors

Share this post

Subscribe to our insights

Get industry news and expert insights straight to your inbox.