Cyber Intelligence Briefing: 28 January 2022

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

1. Insider threats, a growing security concern

In a recent survey of over 100 large organisations, 65% of respondents claimed that between 7 December 2021 and 4 January 2022, they or their employees were approached by a threat actor offering money in exchange for help establishing initial access to their organisation’s network.

Another study found a 44% increase in insider threats last year, likely caused by the shift to remote working which allows employees more unattended exposure to their organisation’s network and data. A notable 26% of recorded insider threats were due to insiders with malicious intent, but the majority were due to insider negligence.

SO WHAT?

These reports highlight that cyber threats are not limited to external threat actors, and that your employees pose a threat regardless of their intentions. The traditional security focus on perimeter defence needs to be complemented with an adequate approach to both malicious and negligent insider threats.

2. A shift in the Russian cybercrime landscape

The Federal Security Service (FSB), a Russian domestic intelligence service, arrested the alleged leader of the hacking group Infraud Organization, a group responsible for over USD 500 million in losses. The move follows recent FSB raids which resulted in the arrests of 14 alleged members of the notorious REvil group.

On the other side, Russian-based cybercriminals have begun to vocalise their fears on underground dark web forums. Many posters have lamented that Russia is no longer a haven for cybercriminal operations, and others even accused forum administrators of being involved with law enforcement.

SO WHAT?

These events signal a real shift in the Russian cybercrime landscape, and that Russia will no longer be a safe location from which threat actors can launch cyber-attacks globally.

3. Hacktivists target Belarusian state-run train company

The Belarusian Cyber Partisans, a hacktivist group, launched a ransomware attack on the Belarusian state-run train company, Belarusian Railways. The ransom demand included the release of 50 political prisoners and an end to Russian troops using the railway to move towards Ukraine. The attack comes in the wake of an increased Russian military presence on Ukraine’s border, alongside cyber-attacks on several Ukraine government agencies which Ukrainian officials have linked to the Russian and Belarusian governments.

SO WHAT?

Whether or not one applauds this action by the Belarusian Cyber Partisans, this case is a stark reminder of the rising popularity of ransomware-based extortion attacks. To prepare for these attacks, organisations should include a step-by-step ransomware response strategy within their incident response plan.

4. Anglo countries strengthen cyber defences

Australia, the UK, and the US have taken steps to strengthen cyber defences:

Australia and the UK signed a Cyber and Critical Technology Partnership, the latest step in wider trilateral security that includes the US. The new partnership aims to strengthen cyber response capabilities in the Indo-Pacific region.
US President Biden signed a National Security Memorandum requiring certain government agencies to adopt key cyber security practices, including implementing multi-factor authentication and certain forms of encryption, and requiring the National Security Agency (NSA) to hold those agencies accountable for the security of their environments.
The UK Government announced the first Government Cyber Security Strategy. The strategy involves establishing a new Government Cyber Coordination Centre to improve the coordination of cyber defences across the public sector, and the allocation of GBP 37.8 million to local authorities to protect essential services and data.
The US Department of Homeland Security (DHS) warned state and local governments and other critical infrastructure operators of the cyber threat posed by Russian state actors.
Following the cyber-attacks on Ukrainian government agencies, the UK National Cyber Security Centre (NCSC) urged UK organisations to harden their cyber defences.

SO WHAT?

While these moves to strengthen cyber defences are reassuring, they highlight the need for private organisations to take their own defences seriously in a world full of very real and potent threats.

5. Segway’s online store compromised in Magecart attack

The web store of Segway, the well-known scooter manufacturer, was compromised for nearly a month with e-skimmer malware deployed by the cybercrime syndicate Magecart. Once embedded into a website, an e-skimmer is able to covertly record information that users input into the site. Financial and personal information may well have been recorded in this case.

SO WHAT?

Malicious actors continuously develop better ways to hide skimmers. On top of keeping operating systems and software updated and patched, organisations should regularly carry out internal and external network vulnerability scans to detect threats before it’s too late.

6. The fight against smishing attacks

The UK’s National Cyber Security Centre (NCSC) has published new guidance on how organisations should communicate with customers via SMS and phone calls. The publication follows the arrival of a prolific new smishing (SMS-based phishing) campaign spanning multiple countries that attempts to lure message recipients into installing FluBot malware. Researchers at BitDefender have identified over 100,000 malicious SMS messages relating to this campaign since December 2021.

SO WHAT?

On top of implementing NCSC’s guidance, organisations must still protect their own networks and prepare their employees for all phishing variants. An email filtering service deployed across all endpoints, and regular phishing simulation campaigns are a great start.