
Cyber Intelligence Briefing: 17 June 2022

Miles Arkwright, Roddy Priestley 17 June 2022


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.


TOP NEWS STORIES THIS WEEK

  1. BlackCat on the prowl. BlackCat attacks the University of Pisa and launches a public internet leak site.  

  2. Lights out. German energy suppliers suffer cyber attacks. 

  3. Kaiser Permanente data breach. Medical records of over 69,000 people are exposed.

  4. Media organisations targeted. New malware campaign targets Ukrainian media organisations. 

  5. DragonForce strikes India. Malaysian hacktivist group launches attacks on over 70 Indian websites. 

  6. Patch time! Microsoft releases patches for 55 vulnerabilities, including the Follina zero-day bug. 

 

1. BLACKCAT ON THE PROWL

The prolific ransomware group BlackCat has claimed responsibility for a ransomware attack against the University of Pisa. The attackers exfiltrated and encrypted the university’s data, which BlackCat is leveraging to demand a USD 4.5 million ransom. 

In an interesting change of methods, BlackCat is now also leaking victim data on the public internet, as opposed to only on the dark web.  

 

SO WHAT?

The commercial costs associated with data exfiltration attacks will likely increase if stolen data is leaked to the public internet. Preventing data exfiltration should be a priority item for any cyber security programme. Labelling your sensitive data and implementing a data loss prevention solution is a good start!  

 

 

2. LIGHTS OUT 

German energy suppliers Entega and Mainzer Stadtwerke have recently suffered cyber attacks. Although the critical infrastructure of each organisation remained unaffected, with no customer data reportedly exposed, websites and staff email accounts have been impacted. 

The incidents follow a series of attacks against the German wind power industry. Wind turbine maintenance company Deutsche Windtechnik took its IT systems offline for two days following an attack in April, while wind turbine manufacturer Nordex shut down various IT systems following an attack by the Russia-aligned group Conti in March.  

 

SO WHAT?

The timings of these attacks may suggest that Russia-aligned actors have been motivated to increase German dependence on Russian oil and gas. 

 

 

3. EMAIL COMPROMISE LEADS TO HEALTHCARE DATA BREACH

American non-profit healthcare provider Kaiser Permanente disclosed a data breach affecting over 69,000 individuals. The incident occurred after an attacker compromised an employee’s email account that contained sensitive patient data including names, medical records, and lab test results.  

 

SO WHAT?

To reduce the likelihood of an email compromise, organisations should adopt a strong password policy, enforce multi-factor authentication, and block legacy authentication protocols.

 

 

4. HACKERS ATTACK UKRAINIAN MEDIA ORGANISATIONS

According to the Ukrainian cyber intelligence organisation CERT-UA, a new malware campaign targeting Ukrainian media organisations has emerged. The malware involved, CrescentImp, has been attributed to a Russia-backed threat group. CrescentImp is spread through malicious email attachments and exploits the infamous Follina vulnerability, a bug that can grant hackers remote access to a victim’s device. 

 

SO WHAT?

Follina (CVE-2022-30190) is a critical vulnerability that is being actively exploited in the wild. Make sure you apply Microsoft's latest patches to your systems to mitigate this threat. 

 

 

5. DRAGONFORCE STRIKES INDIA 

Following contentious comments from a spokesperson for India’s ruling party, the hacktivist group DragonForce Malaysia launched a wave of distributed denial of service (DDoS) attacks against over 70 Indian websites. These attacks follow the hacktivist group’s recent DDoS and defacement attacks against Israeli websites in April 2022. 

 

SO WHAT?

Organisations that have perceived political leanings, or operations in geopolitically contentious regions, must understand how these factors may affect their risk profile and attractiveness as a target.

 

 

6. PATCH TUESDAY 

For June’s Patch Tuesday, Microsoft has released security fixes for 55 vulnerabilities, including the Follina zero-day and three critical bugs that allow remote code execution. Microsoft has also released a series of patches for its Edge web browser. 

Elsewhere, Adobe’s Patch Tuesday addresses 46 vulnerabilities from across its software offerings, several of which are rated critical. 

 

SO WHAT?

Organisations should review whether any affected software is employed in their estate, and implement available patches as soon as possible.  

 


To discuss this article or other industry developments, please reach out to one of our experts.

Miles Arkwright, Senior Analyst
Roddy Priestley, Director, Cyber Security
