Cyber Intelligence Briefing: 26 May 2023

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

top NEWS stories this week

1. Cyber diplomacy. Iranian threat actors target Israeli shipping and logistics firms, and separately GoldenJackal revealed to have been targeting Asian government entities since 2019.
2. iSpoof. British national jailed for running multimillion-pound fraud website.
3. Big game hunting. Rheinmetall AG and Capita fall prey to BlackBasta ransomware attacks.
4. Imposter. Malicious software mimicking original packages found in open-source software NodeJS.
5. Cyber espionage exposed. China-backed hackers breach critical infrastructure in US.
6. Tricky business. Philadelphia Inquirer denies ownership of leaked data. 

1. STATE-BACKED THREAT ACTORS TARGETING SHIPPING AND LOGISTICS FIRMS, AND ASIAN GOVERNMENT ENTITIES

Security researchers have attributed a series of targeted ‘watering hole’ attacks against Israeli shipping and logistics websites to an Iranian state-backed threat actor.

Separately, an Advanced Persistent Threat (APT) named GoldenJackal has reportedly carried out espionage activities against various Asian government agencies since 2019. The group, whose infection vectors are unknown, has maintained a low profile since inception to avoid detection.

2. FRAUD WEBSITE OWNER JAILED IN GLOBAL FRAUD INVESTIGATION

A British national has been jailed for running the multimillion-GBP fraud website iSpoof, following an international fraud investigation. The website allowed users to impersonate the phone numbers of major companies to defraud victims, with an estimate of 200,000 global victims and GBP 48 million stolen.

3. BLACKBASTA GOES BIG GAME HUNTING

German automotive and arms manufacturer Rheinmetall AG confirmed a BlackBasta ransomware attack last week. While the attack left Rheinmetall's military operations unaffected, stolen data samples, including non-disclosure agreements and technical schematics were published on BlackBasta's leak site. Notorious for targeting high-profile entities, BlackBasta recently attacked ABB and Capita.

4. MALICIOUS PACKAGE FOUND IN OPEN-SOURCE SOFTWARE LIBRARY NODEJS

Researchers have discovered malicious software packages in NodeJS libraries, an open-source software library used in multiple web applications. The malicious packages remained in the library for over two months, resulting in the deployment of trojan malware to victim systems.

5. CHINESE CYBER ESPIONAGE CAMPAIGN

Microsoft has warned that a Chinese espionage group named ‘Volt Typhoon’ has been targeting critical infrastructure organisations across the US since mid-2021. The group gains initial access by exploiting an unknown vulnerability in Fortinet FortiGuard devices. Microsoft assesses that Volt Typhoon's activities focus on intelligence gathering and espionage rather than immediate disruption.

6. RANSOMWARE GROUP CHALLENGED OVER PHILADELPHIA INQUIRER ATTACK

The Cuba ransomware group has claimed responsibility for the recent attack on the Philadelphia Inquirer. The threat group leaked information allegedly stolen from the attack, including balance sheets, financial documents, and source code. The newspaper has denied the authenticity of the leaked documents, resulting in the threat group deleting their post.