The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
- Hybrid adaptability. S-RM research highlights the importance of adapting security practices to hybrid working models.
- Google and Microsoft take the gloves off. Tech firms target a global botnet and espionage group.
- SPAR supply chain attack. Hundreds of SPAR stores forced to close after cyber-attack.
- Emotet evolution. Change in Emotet's tactics risks an accelerated ransomware attack chain.
- SonicWall patches. SonicWall discloses more vulnerabilities that require your attention.
- Omicron scam. Malicious phishing campaign targets dozens of American universities.
1. The importance of adapting security practices to a hybrid working model is highlighted in S-RM’s report, ‘Investing in Cyber Resilience: Spend, Strategy and the Search for Value’
The shift to hybrid working has introduced a broader attack surface and a new threat landscape. As an example, between January 2020 and January 2021 phishing sites increased by 27%. Attackers also took advantage of remote working conditions, with Remote Desktop Protocol (RDP) attacks increasing by 768% in 2020 alone.
Consequently, 95% of respondents to our survey have decided to pivot their cyber incident response plans to reflect the new hybrid working models. Most of the organisations that haven’t made any changes cited having a reactive instead of a proactive board when it comes to cyber security.
SO WHAT? Making a proactive effort to mitigate the challenges of hybrid working will see companies enjoy greater resilience in the face of an ever-evolving threat landscape. It will also ease the tension between cyber security priorities and keeping business functions running smoothly.
2. Google and Microsoft take the gloves off
- Microsoft has obtained a court order to seize websites linked to the China-based threat group APT15. Seizing the websites aims to disrupt APT15’s data-theft and espionage campaigns.
- Elsewhere, Google has taken action against the Glupteba botnet that controls over one million Windows PCs. Google has targeted the botnet’s operations by seizing control of its key command and control infrastructure, and launching legal action against the 17 individuals suspected of operating the botnet.
SO WHAT? These are encouraging signs that influential organisations are willing to take action against prevalent threat groups. Nevertheless, the effect may be short-lived, with both groups likely to find alternative infrastructure and means of continuing their respective operations.
3. SPAR shops closed by a supply chain attack
SPAR, an international supermarket franchise, was forced to close more than 300 stores across Northern England following a supply chain attack that impacted the shops' payment processing capabilities. The incident occurred after James Hall & Co, the SPAR supplier that operates its IT and till systems, was hit by a ransomware attack. There is no indication of whether James Hall & Co paid the ransom or whether any customer data has been exposed.
SO WHAT? Organisations should conduct regular third-party risk assessments to ensure that all providers, particularly those operating business-critical systems such as payment processing, have appropriate security controls in place, and should plan for how the business continues to operate if such a provider becomes unavailable.
4. Emotet malware changes tactic to install Cobalt Strike directly
Since resurfacing in November 2021, the infamous Emotet malware has begun installing Cobalt Strike beacons directly. Previously, Emotet would install the Trickbot or Qbot trojans on infected devices, which would later deploy Cobalt Strike. Deploying the beacons directly gives attackers immediate network access upon device compromise, allowing them to quickly run commands and carry out reconnaissance.
SO WHAT? Skipping the Trickbot or Qbot stage shortens the window organisations have to detect an Emotet infection before hands-on-keyboard activity begins. It also enables threat actors to accelerate their attack objectives, for instance the deployment of ransomware.
5. SonicWall discloses more vulnerabilities needing your attention
SonicWall has identified and patched critical vulnerabilities impacting its Secure Mobile Access (SMA) 100 series appliances. Attackers could leverage these vulnerabilities to remotely execute arbitrary code and take control of unpatched devices.
While there is no indication yet of these flaws being exploited in the wild, SonicWall devices have been attractive targets in 2021, with the HelloKitty ransomware group and the Mirai botnet both exploiting previously disclosed vulnerabilities. As such, timely patching is required.
SO WHAT FOR SECURITY TEAMS? Review SonicWall’s Security Notice to understand whether your SonicWall appliances are vulnerable, and if so, how best to patch them.
6. Omicron scam targets universities in the US
A coordinated phishing campaign against dozens of US universities has leveraged the new Covid-19 Omicron variant to steal login credentials. The phishing emails were themed around testing for the new variant. Email attachments and URLs directed victims to either fake Office 365 login portals or sites designed to mimic their university’s official login page.
SO WHAT? While this incident appears to be localised to US universities, it highlights how phishing campaigns continue to leverage the latest trends and ‘legitimate’ systems to deceive their victims. Arm your employees to identify such attempts through regular phishing simulation campaigns.