The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
TOP NEWS STORIES THIS WEEK
- LinkedIn phishing. LinkedIn becomes the most impersonated company for phishing attacks in Q1 2022.
- A bad gift and an old enemy. Funky Pigeon suffers an attack and REvil returns.
- Pegasus campaigns. Pegasus spyware deployed against the UK government and Catalonians.
- Karakurt and Conti. Data extortion group Karakurt is linked to Conti.
- Device warning. US government agencies warn of new malicious tools targeting ICS/SCADA devices.
- Emotet activity spikes. Distribution of the Emotet malware significantly increases.
1. LINKEDIN: THE MOST IMPERSONATED COMPANY FOR PHISHING
According to recent research, the professional social media platform LinkedIn was the most impersonated company in phishing attacks in the first quarter of 2022. LinkedIn accounted for 52% of all phishing attacks globally, followed by DHL (14%), Google (7%), Microsoft (6%), and FedEx (6%).
The typical aim of a LinkedIn phishing attack is to harvest valid credentials for legitimate LinkedIn accounts, which can then be used to launch further, more lucrative attacks such as targeted phishing of the victim's professional contacts.
SO WHAT? Individuals should be particularly cautious when receiving communications that purport to come from LinkedIn, and should log in via the site or app directly rather than through emailed links. To combat the threat of phishing, organisations should provide regular phishing awareness training for employees, alongside implementing technical controls such as spam filtering and MFA on accounts that could be reached with phished credentials.
2. SOME UNWELCOME GIFTS AND AN OLD FOE REARS ITS HEAD
- Funky Pigeon, the online greetings card and gift business owned by WHSmith, fell victim to a cyber attack that forced the retailer to take its IT systems offline and suspend all online orders. The company is currently determining the extent to which any customer personal information was exposed.
- The notorious ransomware group REvil appears to have brought its infrastructure back online. The group had ceased operations towards the end of 2021. Before that, REvil was one of the most prolific groups and was responsible for the major supply chain attack against Kaseya in July 2021.
SO WHAT? It is not uncommon for threat actors to shut down their operations before re-emerging at a later date, although often under a different moniker. Organisations should be extra vigilant as REvil may look to make up for lost time with a wave of attacks.
3. PEGASUS SPYWARE DEPLOYED AGAINST THE UK GOVERNMENT AND CATALONIANS
- Digital rights watchdog Citizen Lab reported that the infamous Pegasus spyware was deployed on multiple devices associated with the UK Prime Minister’s office and the Foreign, Commonwealth and Development Office between 2020 and 2021.
- Citizen Lab also reported that smartphones of more than 60 Catalonian politicians, journalists, and activists associated with the pro-independence movement were infected with Pegasus.
SO WHAT? Vulnerabilities in mobile operating systems and apps are frequently exploited to deploy spyware such as Pegasus. Organisations and individuals should keep mobile devices fully patched and ensure that appropriate security controls, such as mobile device management, are in place, particularly for individuals likely to be of interest to state-backed actors.
4. KARAKURT: A SUBSIDIARY OF CONTI
According to recent research, data extortion group Karakurt is likely a subsidiary of prominent Russia-based ransomware group Conti. Karakurt is allegedly called upon by Conti when ransomware-based extortion against a target fails. The group then focusses on exfiltrating data from a target using backdoors that Conti leaves behind and uses this stolen data to extort victims.
SO WHAT? Ransomware groups are becoming increasingly sophisticated and similar to legitimate businesses, with various internal teams, each specialising in different parts of the operation.
5. ICS AND SCADA DEVICES UNDER ATTACK
The US Cybersecurity and Infrastructure Security Agency (CISA), NSA, FBI, and Department of Energy issued a joint warning about government-backed hackers developing malicious tools designed to scan for, and take control of, industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices. With control of such a device, a threat actor could potentially move laterally within an organisation’s network and disrupt critical functions.
SO WHAT? To defend against attacks targeting ICS/SCADA devices, change their default passwords, enforce multifactor authentication (MFA) for any remote access to them, and segment them as far as possible from the rest of your organisation’s network so that a compromise of the corporate IT environment does not give an attacker a direct path to operational technology.
6. EMOTET ACTIVITY SPIKES
Researchers detected a tenfold increase in the number of malicious emails carrying the Emotet malware. The phishing campaign is particularly sophisticated, employing ten different languages and a range of techniques to lure targets into opening the attached malware, from seasonal themes in communications to hijacking existing email threads and inserting phishing messages into them so that they appear to come from a trusted correspondent. Researchers also noted that the actors have begun distributing a new variant of the malware that, at the time of reporting, anti-virus tools were not detecting.
Once installed on a device, Emotet is designed to exfiltrate data and to facilitate the installation of additional malware, including ransomware.
SO WHAT? Individuals should be wary of all hyperlinks and attachments contained in emails, including those from known contacts, since Emotet inserts its lures into genuine existing conversations.