The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
top NEWS stories this week
- NHS emergency. Third-party patient management software targeted by ransomware.
- Whirlwind at Tornado Cash. Major cryptocurrency mixing service sanctioned.
- CISCO compromised. Threat actors allegedly steal 2.75GB of data from the CISCO network.
- Data breach at Twilio. SMS phishing attack leads to data breach at Twilio.
- Cellebrite hacked. Israeli digital intelligence firm Cellebrite suffers data leak.
- Difficult week for crypto. Spate of attacks hit three popular decentralised finance protocols: Coinbase, Solana, and Curve Finance.
- Patch, Patch, Patch! Microsoft releases patches for 121 vulnerabilities in August’s Patch Tuesday, including two zero-day vulnerabilities.
1. RANSOMWARE ATTACK ON NHS SYSTEMS CAUSES DELAYS ACROSS UK
Last week, an undisclosed ransomware group targeted a third-party patient management system that the NHS uses to send out ambulances and arrange out-of-hours prescriptions and appointments. Despite containing the ransomware attack, the incident still caused delays to critical services including the 111 telephone helpline.
|
SO WHAT? Large organisations often rely on software systems managed by third-party providers. Organisations should ensure that these are properly segregated from critical systems to minimise impact during an attack.
|
2. WHIRLWIND AT TORNADO CASH
Tornado Cash, a cryptocurrency mixing service used by cybercriminals to launder illicit funds, has been sanctioned by the United States Treasury Department's Office of Foreign Assets Control (OFAC). OFAC claims cybercriminals, including groups such as the North Korea-backed Lazarus group, have used the decentralised service to launder upwards of USD 7 billion.
|
SO WHAT? Sanctions against Tornado Cash will be a blow to cybercriminal enterprises, preventing groups from laundering their stolen funds and disrupting their operations. Some good news!
|
3. CISCO COMPROMISED, BUT AVOIDS RANSOMWARE
CISCO has confirmed that the Yanluowang ransomware group compromised its systems in May 2022. The hackers gained initial network access after compromising an employee’s personal Google account which contained credentials synced from their browser. Interestingly, the hackers used vishing (voice phishing) to bypass the victim’s multi-factor authentication control.
CISCO removed the hackers from the network prior to ransomware deployment, with only non-sensitive data exfiltrated.
|
SO WHAT? Employees should avoid syncing company credentials to their browsers. Password management solutions are a good alternative, although they are no silver bullet.
|
4. SMS PHISHING ATTACK LEADS TO DATA BREACH
Cloud communications company Twilio has confirmed attackers managed to gain access to customer data following a breach of their internal system. The attackers gained access after stealing credentials via a sophisticated SMS phishing attack which encouraged users to change their expired passwords. The SMS impersonated Twilio’s IT department to provide an element of legitimacy.
|
SO WHAT? While regular phishing awareness training is vital to help prevent employees from falling victim to sophisticated phishing attacks, fostering a culture that encourages employees to report successful phishing attacks is equally important. Doing so can greatly reduce the impact of such attacks.
|
5. CELLEBRITE HACKED
Cellebrite, a digital intelligence company, has had four TB of data leaked. An anonymous source made the data available to researchers and journalists on DDoSecrets, a non-profit whistleblowing organisation. No threat actor has claimed responsibility for the attack, nor has the method of attack been disclosed.
|
SO WHAT? An organisation's risk profile can dramatically change following a reputational crisis. Hacktivists may look to cause harm as retribution for the actions of an organisation that don't align with their social or political views.
|
6. DIFFICULT WEEK FOR CRYPTO
This week, popular cryptocurrency exchanges including Coinbase, Solana, and Curve Finance have been targeted in a series of attacks aimed at stealing funds, personal credentials, and account access. The Solana Foundation disclosed that attackers stole USD 4 million worth of Solana, while Curve Finance lost USD 570,000 in a DNS hijacking attacking. At Coinbase, users have been falling victim to sophisticated phishing attacks, allowing threat actors to bypass MFA and gain access to their crypto funds.
|
SO WHAT? These incidents reflect threat actors’ continued focus on decentralised finance networks, which were estimated to have cost businesses operating in this sector an estimated USD 1.8 billion last year. This trend has continued into 2022, with these same networks losing an estimated USD 678 million in Q2 alone.
|
7. PATCH, PATCH, PATCH!
Microsoft has released 121 patches for August‘s Patch Tuesday. This includes two zero-day vulnerabilities, one of which is the actively exploited ‘DogWalk’ vulnerability (CVE-2022-34713). Seven of the 121 are classified as critical.
|
SO WHAT? Organisations should review whether any affected software is employed in their estate, and if so, implement available patches as soon as possible. The full list of patches can be found here.
|
Email Miles
@SRMInform
S-RM
hello@s-rminform.com
S-RM YouTube
