Cyber Intelligence Briefing: 1 April 2022

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

top NEWS stories this week

1. Ukraine under attack. Attacks against organisations operating in Ukraine continue.

2. No let up from Anonymous. Anonymous continues its cyber campaign against Russia and the Kremlin.

3. Patch these vulnerabilities. Google, Microsoft, and Sophos patch significant vulnerabilities worth your attention.

4. The Lapsus$ saga continues. Lapsus$ continues its attacks whilst UK law enforcement makes seven arrests.

5. UPS attacks. CISA and the US Department of Energy warn of attacks against internet-connected UPS devices.

    

1. Ukraine under attack

• Ukrainian telecommunications provider Ukrtelecom suffered a cyber attack this week, resulting in the most severe disruption to Ukrainian internet access since the start of the Russian invasion. Internet connectivity dropped to 13% of pre-invasion levels.
  

• US satellite operator Viasat confirmed an attack against its European satellite network that occurred alongside the Russian invasion of Ukraine. Tens of thousands of satellite modems connected to the network were disabled across Ukraine and Europe. Consequently, tens of thousands of individuals around Europe lost internet access.
  

• Attackers injected WordPress websites with malicious scripts, causing denial of service (DoS) attacks to be launched against certain Ukrainian websites.
  

2. No let up from Anonymous

• The hacktivist group Anonymous continued its campaign against Russia, allegedly exfiltrating data from four notable organisations:
  • The Central Bank of Russia
  • Industrial companies MashOil and RostProekt
  • Thozis Corp, a Russian investment company involved in infrastructure projects

• The Russian Federal Air Transport Agency (Rosaviatsiya) allegedly suffered a cyber attack that resulted in the loss of 65 TB of data, a loss of internet access, and a malfunction in the organisation’s document management system. Interestingly, Anonymous is not claiming responsibility, stating that it would never endanger civilians.

3. New vulnerabilities to patch

• Google and Microsoft released emergency patches for Chrome and Edge, addressing a zero-day vulnerability (CVE-2022-1096) that affects Chromium-based web browsers. The vulnerability is being actively exploited in the wild. The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered all US federal agencies to patch the flaw within the next three weeks.

• Sophos patched a critical vulnerability affecting its Sophos Firewall products that allows for remote code execution.

• CISA added a considerable 98 items to its Known Exploited Vulnerabilities Catalogue.

4. Lapsus$ cyber attacks continue

The City of London Police arrested seven individuals suspected of involvement with the cyber criminal group Lapsus$. The arrests follow the group’s explosive start and the alleged reveal of the group’s leader last week.

Despite the arrests the group continues to operate, allegedly breaching the software services company Globant. The group claimed to have exfiltrated 70GB of source code belonging to Globant customers, and credentials belonging to Globant’s DevOps infrastructure.

5. UPS attacks

CISA and the US Department of Energy have warned that threat actors are targeting uninterruptible power supply (UPS) devices. Actors are focusing on UPS devices that are accessible through an internet-facing management portal whose default login credentials have not been changed.

If a threat actor successfully gains control of a UPS device, they could tamper with the device’s settings to physically damage it or other connected assets. Moreover, with UPS devices now often connected to internal networks containing valuable assets and sensitive data, threat actors may be able to leverage their configuration to move laterally into the internal network.