The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
Top news stories this week
- Pit stop. Suncor Energy cyber attack disrupts payments at gas stations across Canada.
- June ransomware trends. Cl0p on top as LockBit 3.0 hits TSMC and 8Base maintains momentum.
- Boardroom blues. SEC goes after executives in SolarWinds probe into 2020 breach response.
- Unlocked. Researchers publicly release decryptor for Akira ransomware.
- Snake oil. Google Play Store apps spread new Anatsa banking trojan.
- Turbulence ahead. American Airlines and Southwest Airlines pilots’ data leaked.
- Two down. Law enforcement takes down EncroChat and the person responsible for Monopoly Market.
1. MAJOR CANADIAN ENERGY SUPPLIER HIT BY CYBER ATTACK
Suncor Energy has confirmed that it was targeted in a cyber attack that has affected hundreds of Petro-Canada gas stations across the country. The incident has caused ongoing problems with payment systems at Petro-Canada gas stations, leaving customers unable to redeem reward points to complete purchases or to make card transactions.
SO WHAT? Threat actors will target critical systems to cause as much disruption as possible. Business continuity plans are critical to enable the continuation of crucial business operations in the event of a cyber incident.
2. JUNE RANSOMWARE TRENDS: CL0P TAKES TOP SPOT AS LOCKBIT HITS TSMC
- In terms of victims listed on a leak site in the past 30 days, Cl0p was the most active ransomware group, having named 91 new victims in the wake of its exploitation of the MOVEit vulnerability.
- LockBit 3.0 followed with 62 victims listed on its leak site in June, including the Taiwan Semiconductor Manufacturing Company (TSMC), the largest global producer of semiconductors.
- The upstart group 8Base claimed 40 attacks, putting it just above the established player ALPHV (BlackCat), which claimed 38. 8Base has been linked to the RansomHouse ransomware group.
SO WHAT? To reduce your risk of falling victim to ransomware, patch any known vulnerabilities and consider performing a ransomware readiness assessment to evaluate your organisation’s resilience to an attack.
3. SEC WARNS SOLARWINDS EXECS OF POTENTIAL ENFORCEMENT ACTION
The US Securities and Exchange Commission (SEC) has warned SolarWinds’ CFO, CISO, and other current and former executives that they may face civil enforcement action. The SEC is investigating violations of securities law related to the company’s public disclosures and internal controls regarding cyber security following a 2020 supply chain attack that affected multiple US government agencies.
SO WHAT? US regulators are increasingly holding C-suite executives personally liable for violations following data breaches. A good cyber security culture starts with ownership and accountability from senior leadership.
4. RESEARCHERS DEVELOP AKIRA RANSOMWARE DECRYPTOR
Researchers have released a decryption key for Akira ransomware by exploiting a vulnerability in the malware’s encryption algorithm. The key allows for data encrypted by Akira ransomware to be decrypted without requiring the attacker’s private key. Akira emerged in March 2023, and has claimed a total of 38 attacks primarily on US-based companies in various sectors including real estate, education, and finance.
SO WHAT? Ransomware is not immune to exploitable vulnerabilities of its own. Companies recently affected by Akira should consider using the decryptor to recover encrypted files, but the group is likely to adapt its methods quickly.
5. ANATSA BANKING TROJAN TARGETING ANDROID USERS ON GOOGLE PLAY STORE
Threat actors are spreading a new Android banking trojan named Anatsa by disguising it as seemingly innocuous apps such as PDF readers and QR code scanners. The trojan is thought to be targeted at users in the UK, US, Germany, Austria, and Switzerland, and is reportedly able to steal bank account details on over 600 global banking apps.
SO WHAT? Implement Mobile Device Management software on all corporate devices to prevent employees from downloading malicious apps.
6. AMERICAN AIRLINES AND SOUTHWEST AIRLINES PILOTS’ DATA LEAKED
The personal data of over 8,000 pilots and applicants at American Airlines and Southwest Airlines was leaked following a hack of their third-party vendor, Pilot Credentials. Both airlines have stated that they intend to transition to self-managed portals for pilot applications in future to mitigate third-party risk.
SO WHAT? Organisations should include third-party risk assessments as an important component of their cyber security programmes.
7. ENCROCHAT TAKEN DOWN AND MONOPOLY MARKET FOUNDER ARRESTED
An extensive operation by Europol has led to the takedown of the encrypted mobile communications platform EncroChat, with over 6,600 arrests and the seizure of USD 979 million. EncroChat was a specialised version of Android that promised anonymity and untraceability to criminals.
Separately, a Serbian man has been extradited to the United States and charged with running Monopoly Market, a dark web marketplace for illegal narcotics, since 2019.
SO WHAT? International cooperation between law enforcement agencies to counter cyber criminals and bring them to justice is increasing. However, it is an uphill battle, and new illicit platforms are constantly emerging.
S-RM is proud to have been voted Cyber Incident Response Team of the Year at Zywave’s 2023 Cyber Risk Awards.