The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- Ransomware rebranded. Two major ransomware groups have re-emerged under new brands.
- Forza Lazio! Italian region gets back on its feet after ransomware attack on vaccination services.
- GDPR bares its teeth. Amazon fined EUR 746 million over data processing violations.
- Stealthy SharePoint scam. Threat actors leverage SharePoint links in new phishing campaign.
- Raccoon Stealer. New info-stealer campaign targets cryptocurrency wallets and other personal data.
- Patches released. Vulnerabilities identified affecting Cisco Small Business VPN Routers.
Ransomware rebranded: After a period of inactivity, two major groups are back
- DarkSide, the perpetrators of the Colonial Pipeline attack, appear to have resurrected their operation under the moniker BlackMatter. The encryption algorithms, the language used on their dark web leak site, and their intent not to target the oil and gas industry all suggest DarkSide is likely behind this new ransomware gang.
- A second group, Doppelpaymer, has also rebranded as Grief ransomware. Doppelpaymer was considered a sanctioned entity due to its close links to the US Treasury-sanctioned hacker group Evil Corp. It had been inactive since early May, coinciding with the increased focus on ransomware operations by global law enforcement.
SO WHAT? Attribution of ransomware attacks often relies on the threat actor’s own claim of who they are, and rebrands make that claim less informative. When responding to an incident, gathering intelligence on the threat actor’s profile (including any predecessor group) is crucial to making informed decisions regarding an appropriate engagement strategy.
Italian region of Lazio suffers ransomware attack
Regional government services in Lazio have suffered a cyber attack. The threat group RansomEXX is the suspected perpetrator, although there is yet to be an official attribution. The Lazio regional government was forced to shut down systems to contain the incident.
Individuals’ health and financial data were not affected, and emergency and hospital systems have been restored, but the IT system shutdown caused disruption to the region’s COVID-19 vaccine rollout.
SO WHAT? Lazio’s government appears to have had an effective incident response plan. This helped it get critical systems back up and running with minimal disruption. It is vital that organisations have such plans in place, and regularly review and practise them, to make sure they are ready to respond when the inevitable occurs.
Amazon fined record EUR 746 million for data processing violations
The Luxembourg National Commission for Data Protection (CNPD) has fined Amazon EUR 746 million over GDPR violations. Amazon’s processing of personal data failed to comply with the GDPR, resulting in the largest issued fine since the regulations came into effect in 2018.
While the specific violation has not been officially disclosed, it is alleged that Amazon collected personal data for ad targeting without consumer permission.
SO WHAT? Organisations must understand what personal data they hold, where it is stored, and how and on what legal basis it is processed; failing to do so could result in fines of up to EUR 20 million, or 4% of the business’ worldwide annual turnover, whichever is higher.
Microsoft warns O365 users about “crafty” phishing attacks
Threat actors are using spoofed sender addresses and other techniques to bypass email filtering and phishing protection systems. The ongoing campaign includes a fake, but legitimate-looking, SharePoint link, aiming to convince users that a file has been shared with them. If a victim clicks on the link, they are taken to a counterfeit login page and any credentials they enter are promptly stolen.
SO WHAT? Organisations should enforce security controls such as multi-factor authentication, so that stolen passwords alone are not enough to log in. Defender for Office 365 also includes URL scanning (Safe Links) that can help combat phishing attacks by checking links at click time.
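As an added illustration that is not part of the original briefing, the Python below shows how a mail-triage script can separate genuine SharePoint Online sharing links, which sit under *.sharepoint.com, from lookalikes that merely contain the word “sharepoint”. It covers two pitfalls a naive substring check misses: a real brand name placed in a subdomain of an attacker-controlled domain, and the brand name placed in the userinfo part of the URL (`https://brand@evil.example/`). The sample email body, the domains it contains and the function names are constructed for this example.

```python
"""
Added example (not from the S-RM briefing): flag links that imitate
SharePoint Online sharing URLs.  Legitimate SharePoint Online links are
served from hosts under sharepoint.com; anything else that carries the
brand name in its host or userinfo is treated as a lookalike.
"""
import re
from urllib.parse import urlparse

# Assumption for this example: sharepoint.com is the only legitimate
# suffix. A real deployment would extend this to the tenant's own hosts.
LEGIT_SUFFIXES = ("sharepoint.com",)
BRAND_KEYWORDS = ("sharepoint", "share-point")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_is_under(host: str, suffix: str) -> bool:
    """True only if host equals suffix or is a proper subdomain of it.

    A plain `suffix in host` test would wrongly accept
    'contoso.sharepoint.com.evil.example'.
    """
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def classify_link(url: str) -> str:
    """Return 'legit', 'lookalike' or 'other' for a single URL."""
    parsed = urlparse(url)
    host = parsed.hostname or ""  # hostname is lower-cased, userinfo removed
    if parsed.scheme not in ("http", "https") or not host:
        return "other"

    # Brand name in the userinfo part (the text before '@') is a classic
    # trick: the browser connects to the host after the '@'.
    if "@" in parsed.netloc:
        userinfo = parsed.netloc.rsplit("@", 1)[0].lower()
        if any(k in userinfo for k in BRAND_KEYWORDS):
            return "lookalike"

    if any(host_is_under(host, s) for s in LEGIT_SUFFIXES):
        return "legit"
    if any(k in host for k in BRAND_KEYWORDS):
        return "lookalike"
    return "other"


def scan_body(body: str) -> list:
    """Extract every http(s) URL from a message body and classify it."""
    return [(url, classify_link(url)) for url in URL_RE.findall(body)]


def suspicious_links(body: str) -> list:
    """URLs in the body that look like SharePoint but are not."""
    return [url for url, verdict in scan_body(body) if verdict == "lookalike"]


# Constructed sample message body; all domains are illustrative.
SAMPLE_EMAIL_BODY = """\
Hi, a file has been shared with you.
Open: https://contoso.sharepoint.com/:x:/s/Finance/Ab12Cd
Also: https://contoso.sharepoint.com.files-share.example/login
And: https://contoso.sharepoint.com@files-share.example/login
Plus: https://sharepoint-docs.example/view
Unrelated: https://www.example.org/
"""

if __name__ == "__main__":
    for url, verdict in scan_body(SAMPLE_EMAIL_BODY):
        print(f"{verdict:9s} {url}")
```

Run on the sample body, the first link is reported as legit, the next three as lookalikes, and the final one as other. The point of `host_is_under` is that suffix matching must be anchored on a dot boundary; checking `"sharepoint.com" in host` would let the second sample through.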
Raccoon Stealer gets its paws on cryptocurrency wallets
The info-stealer-as-a-service malware has been upgraded to target and steal financial information and cryptocurrency wallet data. Raccoon Stealer has also changed its propagation method from spam emails to malicious sites that use search engine optimisation techniques to rank highly for searches for pirated software.
The malicious sites claim to offer ‘cracked’ legitimate tools. The files downloaded from these pages contained a variety of malware types including crypto-miners, malicious browser extensions, and YouTube click-fraud bots.
SO WHAT? Just because a website is ranked highly in Google search results does not mean it is safe. Additionally, never download cracked versions of tools, as you cannot verify what they contain.
Vulnerabilities affecting Cisco VPNs are patched
Cisco has patched several vulnerabilities affecting Cisco Small Business VPN Routers. The vulnerabilities were identified in the web-based management interfaces, which are disabled by default, so devices on which an administrator has enabled remote management are the ones exposed. If exploited, they could allow an attacker to execute arbitrary code or cause a denial of service.
Cisco is not aware of any incidents where these vulnerabilities have been exploited in the wild. However, similar vulnerabilities in other VPN products have been a major source of compromise by threat actors, particularly over the past year. Cisco has released a software update to address these vulnerabilities.
SO WHAT? Verify whether your device is impacted (CVE-2021-1609, CVE-2021-1610 and CVE-2021-1602), check whether its web-based management interface is enabled, and ensure that you have updated to the newest firmware.