The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- Acer hit by two cyber-attacks. Hacking group successfully breached Acer’s network in both India and Taiwan in less than a week.
- Active phishing campaign targets finance industry. Russian threat group uses obfuscation to hide malicious macros.
- REvil down… again. Ransomware group targeted by unknown actor.
- Plan comes to fruition. Sinclair Broadcast Group activated its incident response plan following a ransomware attack.
- New US controls restrict sale of cyber security items. Ban on sale of technologies impacting national security.
1. Acer hit by two cyber-attacks
A group of hackers known as the Desorden Group claims to be behind two successful attacks targeting Acer, the hardware and electronics company, in the past week. The group claims to have breached Acer’s network in India, stealing confidential employee data, before breaching a separate Acer-owned network in Taiwan.
The Desorden Group claims the second attack was not financially motivated but instead intended to highlight that Acer’s global network is insecure.
SO WHAT? While secondary attacks from the same threat actor remain rare, the incident underscores the importance of ensuring that once an attack is fully contained, additional measures are immediately taken to protect any unaffected network infrastructure.
2. Phishing campaign targets finance industry
Russian threat group TA505, renowned for crafting malicious Excel documents, is understood to be behind an active phishing campaign targeting the financial services sector. The campaign, dubbed MirrorBlast, utilises macros in Excel documents to evade detection from security tooling.
The campaign’s objective is to exfiltrate information about a compromised device, which is used in a second stage of the attack.
SO WHAT? Organisations should adopt a multi-layered approach to defend against phishing attacks. Email security tooling, endpoint detection and response solutions, and user awareness are all critical controls that should be employed together.
3. REvil targeted by unknown actor
The infamous ransomware gang REvil has shut down its operations for a second time in three months. The group disappeared last Sunday after its dark web infrastructure, including its payment portal, was hijacked and shut down.
There is speculation that REvil’s former leader, Unknown, is behind the takeover. The group’s initial shutdown was in July 2021, coinciding with increased scrutiny from global law enforcement as a result of the Kaseya supply-chain attack.
SO WHAT? While it’s common for ransomware groups to disappear for short periods before re-emerging, this latest blow to REvil’s reputation as a sophisticated cybercriminal organisation makes it likely that the group will now be gone for good. However, we assess that the operators behind REvil will resume their criminal operations under a new moniker in the near future.
4. Sinclair Broadcast Group announces ransomware attack disrupting operations
Sinclair Broadcast Group, one of the largest television broadcasting companies in the US, has confirmed it suffered a ransomware attack. Although the incident was first identified only on 16 October, the company had already released a formal press release detailing the incident by 18 October, including that data had been exfiltrated from the company’s network.
SO WHAT? A tried and tested incident response plan can play a critical role in mitigating the impact of a cyber incident. Appropriate preparation will reduce the time it takes for leadership to make decisions during a response, a factor that has a direct bearing on the cost of an incident, both financially and reputationally.
5. US Commerce Department issues ban on cyber security items
The US Department of Commerce has announced new rules limiting the sale or distribution by US companies of technologies that could be used for malicious cyber activities or to abuse human rights. The rules also ban the export or resale of “cyber security items” to countries that the US considers a national security risk.
The rules will come into effect in approximately three months.
SO WHAT? Organisations should keep abreast of regulations affecting their supply chains. The new controls include exemptions and licensing requirements. If you supply or distribute affected software or hardware, ensure that you understand your obligations and restrictions.