The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
TOP NEWS STORIES THIS WEEK
- Call my bluff. Thales denies LockBit ransomware attack as victims increasingly speak out.
- Dropbox data breach. File hosting service suffers data breach following phishing campaign.
- Dial R for Russia? Former UK Prime Minister Liz Truss’s personal phone allegedly compromised.
- You’ve been framed. Azov data wiper implicates cyber security researchers.
- White House ransomware retreat. Two-day ransomware summit concludes in Washington.
1. THALES DENIES LOCKBIT RANSOMWARE ATTACK
- French security and technology firm Thales claims it found no evidence of a network intrusion after it was named on ransomware group LockBit’s leak site this week. Thales also said it had not received any communication regarding a ransom demand.
- Separately this week, Hensoldt France was allegedly hit by the Snatch ransomware group, and Australian defence communications platform ForceNet was disrupted by a ransomware attack on IT supplier Dialog.
SO WHAT? Organisations operating in industries such as security or critical national infrastructure are attractive targets for ransomware groups. Organisations should conduct regular risk assessments to identify their biggest cyber threats and inform their cyber preparedness.
2. DROPBOX DATA BREACH
File hosting service Dropbox suffered a security breach in which threat actors gained access to one of its accounts on GitHub, a platform for storing code. Hackers sent phishing emails to multiple employees, directing them to fake websites that harvested their credentials and one-time passwords for multi-factor authentication (MFA). Hackers copied source code repositories but ultimately no user data was compromised.
SO WHAT? Threat actors are becoming increasingly skilled in bypassing multi-factor authentication, with new phishing platforms such as EvilProxy. On top of robust authentication controls, organisations should conduct regular training on how to spot phishing campaigns.
3. LIZ TRUSS'S PERSONAL PHONE ALLEGEDLY HACKED
Former UK Prime Minister Liz Truss's personal phone was allegedly hacked by a foreign entity, suspected to be Russia. The breach reportedly took place earlier this year while Truss was Foreign Secretary. Attackers are believed to have accessed a year's worth of personal communications, including sensitive exchanges with foreign officials.
SO WHAT? Using personal mobile devices for work is a significant security risk. Access to a corporate network should be restricted to devices managed by the organisation with appropriate security controls, including malware protection.
4. NEW DATA WIPER FRAMES CYBERSECURITY RESEARCHERS
Authors of the new Azov Ransomware data wiper are attempting to frame well-known security researchers by falsely claiming that they are behind the attacks. Once devices are encrypted, the ransom note tells victims to contact security researchers such as Hasherezade and BleepingComputer for decryption keys. These individuals, however, are in no way associated with the ransomware and so will not be able to help.
SO WHAT? Threat actors can be untrustworthy and ransomware victims may not always be able to obtain a working decryption key. Organisations should have a strong backup policy to ensure minimal business disruption if their data is encrypted.
5. THE WHITE HOUSE RANSOMWARE RETREAT
A two-day summit on ransomware concluded at the White House on Tuesday, with representatives from various nations establishing an International Counter Ransomware Task Force for coordinated disruption of cybercriminals and threat intelligence sharing.
The project was announced as the US Treasury Department released a report that revealed American banks had processed over USD 1.2 billion in ransomware-related payments in 2021, a 200 percent rise over the previous year.
SO WHAT? Ransomware is a major threat to businesses, so preventing unauthorised access to your network should be a top priority. However, even more important is the ability to detect an intrusion and respond appropriately.