The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- Bumpy ride. Volkswagen and Audi report data exposure affecting millions of customers.
- Ikea France found guilty. French courts fine Ikea France EUR 1 million for illegal surveillance on staff.
- Poisoned PDFs. Search engine optimization techniques used within PDFs to deploy malware.
- Service disruption. Distributed denial of service attack targets Puerto Rico’s electricity provider.
- Selling to the highest bidder. REvil are auctioning data belonging to the nuclear weapons contractor, Sol Oriens.
- Ransomware shutdown. Avaddon appears to go under, and Clop members arrested.
Volkswagen suffers a data breach
A third-party vendor for Volkswagen Group left data exposed to the internet for over 18 months. The exposure involved 3.3 million customers in the US and Canada, 97% of whom are either Audi customers or prospective buyers.
An estimated 90,000 customers also had more sensitive data exposed, including social security and loan numbers, as well as details regarding their eligibility for a vehicle purchase, loan, or lease. The company has begun notifying the customers who had sensitive data exposed.
SO WHAT? The incident reinforces the importance of conducting cyber due diligence on vendors and third parties. Additionally, individuals should be cautious about trusting unsolicited breach notifications, because threat actors who have accessed stolen data may leverage it to conduct spear phishing attacks.
Ikea France fined EUR 1 million for privacy violations
A French court ordered Ikea to pay EUR 1 million for invading the privacy of staff and job applicants. Ikea France used private investigators and police sources to collect private information about employees and conduct illegal background checks.
Ikea paid EUR 600,000 annually towards private investigators to investigate current and prospective employees. Ikea’s former head of risk management has received a suspended two-year prison sentence and fine of EUR 20,000.
SO WHAT? Organisations should ensure that all parts of their business have a clear understanding of, and adhere to, applicable privacy regulations.
Attackers poison PDF documents with SEO techniques to install malware
Attackers are leveraging PDF documents to launch search engine optimization (SEO) poisoning attacks. The PDFs are stuffed with thousands of SEO keywords to increase their visibility on search engines.
Opening the PDF redirects the victim to a Google Drive page hosting the SolarMarker remote access trojan (RAT). If downloaded, the RAT creates a backdoor to compromise systems and steal credentials from web browsers.
Microsoft Defender Antivirus is known to have detected and blocked thousands of the PDF documents.
SO WHAT FOR SECURITY TEAMS? Microsoft has published guidance on advanced hunting queries for this campaign.
Puerto Rico’s electrical supplier targeted in DDoS attack
On 11 June, a distributed denial of service (DDoS) attack targeted LUMA Energy, Puerto Rico’s new power authority. A fire at a LUMA Energy power facility later that day caused more than 800,000 Puerto Ricans to lose power. The cyber attack and fire have not yet been linked.
During the DDoS attack, attackers flooded LUMA Energy’s client portal and mobile application with 2 million visits per second. The attack delayed customer access to online services.
SO WHAT? DDoS attacks have become increasingly prominent in recent months and, while not the case in this instance, attackers are also threatening their victims with DDoS attacks to apply pressure during ransomware negotiations.
U.S. nuclear weapons contractor has data put up for auction
Sol Oriens, a US nuclear weapons contractor, has confirmed it suffered a cyberattack in May 2021. The REvil ransomware group has listed the stolen data for auction on their leak site whilst also threatening to share the information with other military agencies.
Sol Oriens is in the process of determining the scope of data that may have been stolen. The company confirmed that there is no indication that classified client data or critical security-related information has been stolen.
SO WHAT? Organisations operating in strategic industries are more likely to be actively targeted by threat actors, including sophisticated organised criminal groups and nation states.
Ransomware feeling the heat
Ukrainian law enforcement officials arrested multiple members of the Clop (aka Cl0p) ransomware group this week. The arrested individuals are reportedly not core members of the gang, but are focused on laundering the proceeds of Clop’s ransomware operations.
The Avaddon ransomware group appears to have voluntarily shut down, publicly releasing the decryption keys for 2,934 unique victims. It is unclear exactly why the group shut down, although it may be due to increasing pressure from governments and law enforcement agencies globally.
SO WHAT? Despite these crackdowns, ransomware remains pervasive, with new threat groups emerging regularly.