
Cyber Intelligence Briefing: 25 November 2022

Miles Arkwright, James Tytler 25 November 2022

CYBER SECURITY INSIGHTS REPORT 2022

We reveal the challenges faced by C-suite professionals and senior IT leaders across three key areas of cyber security – budgets, incidents and insurance.

Download Report

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.


TOP NEWS STORIES THIS WEEK

  1. Watch out. Royal, Emotet, and Black Basta launch new ransomware campaigns.
  2. Boa constricted. Critical Indian infrastructure compromised through long-discontinued software.
  3. Meta malfeasance. Meta fires employees for helping hackers take over user accounts.
  4. Fly-by-night. AirAsia lose details of five million passengers in Daixin Team ransomware hack.
  5. Call me back. Cybercriminal group uses dedicated call centres in targeted phishing attacks.
  6. Killnet Strikes Again. European Parliament suffers DDoS attack by Russian hacker group.
  7. Leaking PII. Amazon’s Relational Database Service leaks sensitive data.

1. ONGOING CAMPAIGNS DEPLOYING ROYAL, EMOTET AND BLACK BASTA MALWARE

S-RM has observed ongoing campaigns employing a variety of methods to access victims’ networks:

  • Royal ransomware is being distributed through phishing emails, fake updates, and malvertising links in an attempt to breach networks and encrypt them with file-locking malware.
  • Emotet malware is being distributed through hundreds of thousands of daily malicious emails, with a focus on US organisations. Emotet serves as a dropper for further malware strains.
  • The ransomware group Black Basta is utilising spear phishing to distribute the QakBot trojan. After creating a backdoor, the trojan deploys Cobalt Strike, a tool that can be used for malicious purposes.


SO WHAT?

The threat landscape is constantly evolving and threat actors use novel tactics, techniques and procedures (TTPs) to target their victims. S-RM recommend that organisations adopt a defence-in-depth approach to minimise the impact of a ransomware attack.


2. VULNERABLE AND DISCONTINUED BOA WEB SERVER STILL WIDELY USED IN IOT DEVICES

State-backed Chinese hacking groups compromised Indian critical infrastructure last year after targeting vulnerable Boa web servers which had been discontinued in 2005. Open-source code from the Boa web server is still commonly included in software development kits for Internet of things (‘IoT’) devices such as routers and cameras.


SO WHAT?

Organisations should regularly review the software in use across the supply chain, and replace discontinued services as a priority. Embedded open-source code can pose a particular security risk.


3. META FIRES EMPLOYEES FOR HIJACKING USER ACCOUNTS

Over the past year, Meta have allegedly fired or disciplined over two dozen employees and contractors for abusing an internal tool called ‘Oops’ (Online Operations). The tool allows access to Facebook’s and Instagram’s account recovery process. Several employees reportedly received bribes from hackers in exchange for abusing their internal access.


SO WHAT?

Insider threats can cause major reputational damage. Organisations must embed a strong culture of cyber security awareness across all levels.


4. DAIXIN TEAM CRITICISES AIRASIA OVER POOR CYBER HYGIENE AFTER HACK

Malaysian low-cost airline AirAsia was hit by ransomware group Daixin Team. The group claimed poor security controls, “the chaotic organization of the network”, and “the absence of any standards” as the primary cause of the attack. The attack has resulted in personally identifiable information of five million passengers being stolen.


SO WHAT?

As ransomware attacks are becoming increasingly common, it is important to have an effective incident response plan in place. This should include a communications strategy that can quickly address public concerns in the event of an attack.


5. CALLBACK PHISHING CAMPAIGN

Luna Moth, a recently established data exfiltration group, has been observed running a highly organised callback phishing campaign. The group sends customised phishing emails to victims in an attempt to persuade them to contact call centres controlled by the group. Victims are then asked to download legitimate remote access tools, which the group uses to exfiltrate sensitive data.


SO WHAT?

Organisations must take precautionary measures when interacting with correspondence that originates from outside of their organisation. Organisations must also conduct regular phishing awareness campaigns that emulate current attack trends.


6. KILLNET STRIKES AFTER EU PARLIAMENT’S RUSSIAN SANCTIONS DESIGNATION

Pro-Russia hacktivist group Killnet has claimed responsibility for a distributed denial of service (‘DDoS’) attack targeting the European Parliament. After the EU Parliament passed a resolution that described Russia as a state sponsor of terrorism, part of its website was rendered inoperable and inaccessible for several hours. Access to the website has since been restored.


SO WHAT?

DDoS attacks can negatively affect functionality, and ultimately lead to reputational damage and loss of business. To reduce the impact, organisations should create a denial of service response plan, and explore DDoS protection tools and web application firewalls.


7. AMAZON’S RELATIONAL DATABASE SERVICE LEAKS PII

Researchers discovered that hundreds of Amazon Relational Database Service (RDS) instances are inadvertently leaking personally identifiable information (PII) online. The exposure resulted from ‘snapshots’, a feature allowing users to share a point-in-time copy of a database across various accounts, being left publicly accessible.


SO WHAT?

Don’t assume that default configurations for cloud storage are secure. Organisations should conduct regular configuration reviews to ensure that resources are protected.
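One way to run the configuration review described above, as an added example that is not part of the briefing: an RDS manual snapshot is public when its ‘restore’ attribute contains the value ‘all’. The audit logic works on the response shape of the real rds:DescribeDBSnapshotAttributes call, so it can be checked offline against a constructed sample; the live functions assume boto3 and credentials with the RDS describe/modify permissions. Snapshot names and account numbers below are constructed.

```python
"""Find (and optionally close) publicly shared Amazon RDS manual snapshots."""
from typing import Dict, List


def public_snapshots(attribute_results: List[Dict]) -> List[str]:
    """Return identifiers of snapshots whose 'restore' attribute includes 'all'.

    Each element has the shape of DBSnapshotAttributesResult as returned by
    rds:DescribeDBSnapshotAttributes. Sharing with named account IDs is
    deliberate and is not flagged; only the 'all' (public) value is.
    """
    exposed = []
    for result in attribute_results:
        for attr in result.get("DBSnapshotAttributes", []):
            if attr.get("AttributeName") == "restore" and "all" in attr.get("AttributeValues", []):
                exposed.append(result["DBSnapshotIdentifier"])
                break
    return exposed


# Constructed sample: one snapshot shared with a single account, one made public.
SAMPLE = [
    {"DBSnapshotIdentifier": "prod-db-2022-11-20",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]},
    {"DBSnapshotIdentifier": "prod-db-2022-11-24",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
]


def audit_region(region: str = "eu-west-1", remediate: bool = False) -> List[str]:
    """Live check: list public manual snapshots in one region; if remediate is
    True, remove the 'all' value so the snapshot is private again."""
    import boto3  # imported here so the offline check above needs no AWS SDK
    rds = boto3.client("rds", region_name=region)
    results = []
    # Only manual snapshots can be shared, so automated ones are skipped.
    for page in rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            attrs = rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=snap["DBSnapshotIdentifier"])
            results.append(attrs["DBSnapshotAttributesResult"])
    exposed = public_snapshots(results)
    if remediate:
        for ident in exposed:
            rds.modify_db_snapshot_attribute(
                DBSnapshotIdentifier=ident, AttributeName="restore", ValuesToRemove=["all"])
    return exposed


if __name__ == "__main__":
    print("public snapshots in sample:", public_snapshots(SAMPLE))
```

Run the offline check first; call audit_region() per region in use, since snapshots and their sharing settings are regional.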


