The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
top NEWS stories this week
- Lithuanian cyber attacks. Killnet carries out denial-of-service attacks against governmental entities.
- An outdated authentication standard. CISA recommends switching from Basic Authentication to Modern Authentication.
- Phishing infringement emails. Fake copyright infringement emails used to install ransomware.
- LockBit back with bug bounty. Prolific ransomware group offer rewards for bug reports.
- Payup! CafePress fined for data breach.
- Named and shamed. Walmart and AMD investigate security breach claims.
- Bots down. RSocks botnet taken offline.
1. KILLNET TARGETS LITHUANIA
The cybercrime gang Killnet has been carrying out denial-of-service (DoS) attacks against Lithuania in retaliation for the country’s decision to block the transit of sanctioned goods to Kaliningrad, Russia. The Russia-aligned criminal group claims that it will continue its attacks on Lithuania until trade routes to Kaliningrad are re-opened. Lithuanian state institutions are amongst those targeted, with further attacks expected against the energy and financial sectors.
|
SO WHAT? These latest attacks on Lithuania, alongside the previous attacks by Killnet on Romania, Czech Republic, and Italy, continue to highlight the spillover impacts of the ongoing Ukraine crisis.
|
2. AN OUTDATED AUTHENTICATION STANDARD
CISA has recommended that companies using Microsoft’s Exchange cloud email platform update their authentication method from Basic Authentication to Modern Authentication.
Basic Authentication allows attackers to guess credentials in password spray attacks whereas Modern Authentication uses OAuth access tokens to prevent the re-use of authentication credentials.
|
SO WHAT? Microsoft will disable Basic Authentication from 1 October 2022, but it is advised that organisations follow CISA’s guidance and update to Modern Authentication before then.
|
3. NEW PHISHING ATTACKS
A new phishing campaign is leveraging fake copyright claims to infect victim devices. The phishing emails warn of a copyright violation and demand that the recipient remove the infringing content from their websites or face legal action. LockBit ransomware affiliates are among the known associates to be using this approach.
|
SO WHAT? Creating a sense of urgency is a common phishing tactic used to solicit sensitive information or convince users to click on a malicious link. Organisations must regularly train their employees on the various phishing methods employed by threat actors.
|
4. LOCKBIT 3.0 LAUNCHES WITH NEW ‘BUG BOUNTY’ PROGRAMME
- Coinciding with the launch of its new ransomware strain ‘LockBit 3.0’, the Russia-linked cybercriminal group has announced the first ever bug bounty programme for malware. LockBit is offering security researchers and hackers rewards ranging from USD 1,000 to USD 1 million for submitting reports about errors in their malware code.
- Separately, South Korean researchers have published a decryption tool for Hive ransomware, another Ransomware-as-a-Service (RaaS) group, after receiving academic research sponsorship on Hive’s encryption methods last year.
|
SO WHAT? The bug bounty programme appears to be a response to increased collaboration among independent security researchers, law enforcement, and the private sector to crack down on malicious actors. It also shows that RaaS groups are highly organised and increasingly resemble legitimate technology firms.
|
5. PAYUP!
The US Federal Trade Commission has ordered Residual Pumpkin, the former owner of CafePress, to pay USD 500,000 following a data breach in February 2019. Among other violations, the commission found that sensitive information of 23 million individuals, including social security numbers, credit card details, and home addresses, were stored in plaintext for longer than legally required.
|
SO WHAT? The cost of fines and remediation efforts from a security incident will often exceed the expenditure of proactive cyber security measures. Don’t wait until it’s too late!
|
6. SECURITY BREACHES
- Yanluowang ransomware gang claim to have hacked Walmart over a month ago. The group claim to have encrypted thousands of Walmart’s devices, but were not able to steal any data. Walmart has denied the validity of Yanluowang’s claims.
- Advanced Micro Devices (AMD), a US chipmaker, is investigating a potential breach after RansomHouse claimed to have stolen 450GB of the company’s data last year. The exfiltrated data allegedly includes sensitive research and financial information.
|
SO WHAT? Even unfounded security incidents can cause reputational damages and loss of shareholder or consumer confidence. Ensure that your organisation has an incident response and crisis communications plan that can deal with such situations.
|
7. BOTS DOWN
A joint operation between US, UK, German, and Netherlands’ law enforcement agencies has taken the RSocks botnet offline. Since being established in 2016, RSocks has helped compromise millions of Internet of Things machines, Android devices, and computers. Attackers leveraged the botnet to infect machines with spam, launch DDoS attacks, and bypass online anti-fraud detection systems.
|
SO WHAT? While this is a win, the threat from other prolific botnets remains. It also shouldn’t be ruled out that RSocks will reappear in some form.
|
Email Roddy
@SRMInform
S-RM
hello@s-rminform.com
S-RM YouTube
