The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- T-Mobile update. Responsibility claimed for the breach and lawsuits filed by T-Mobile customers.
- Ransomware onboard. Lockbit 2.0 attacks Bangkok Airways and Ethiopian Airlines.
- Data exposure. Indonesian government investigating sensitive data exposed by test-and-trace app.
- Ragnarok bow out. The Ragnarok ransomware group has closed down its operations, for now…
- SEC issue fines. Three US financial firms fined for inadequate security controls.
- Hacktivists target Belarusian government. Data stolen from government databases leaked.
21-year-old claims responsibility for attack on T-Mobile
21-year-old American John Binns has claimed responsibility for the T-Mobile breach. Binns, who now lives in Turkey, claims he gained access to T-Mobile’s network in July via an unprotected router, noting that T-Mobile’s security is “awful”. Binns stated that his motive was to generate noise and draw attention to his perceived persecution by the US government.
T-Mobile announced last week that the number of individuals affected increased to 54.6 million current, former, and prospective customers. Two class action lawsuits have been filed against T-Mobile by affected customers, claiming that T-Mobile violated the California Consumer Privacy Act.
SO WHAT? Opportunistic threat actors can cause just as much damage as sophisticated, targeted attacks. Organisations should conduct thorough assessments to determine the biggest threats they face and not disregard low-level cybercriminals.
LockBit 2.0 leaks Bangkok Airways and Ethiopian Airlines data
LockBit 2.0 has leaked over 200GB of data belonging to Bangkok Airways. The ransomware attack was discovered on 23 August but only publicly announced a week later after the group threatened to publish stolen data on its leak site. While the attack did not affect aviation operations or security systems, personal data belonging to passengers was stolen, including passport and credit card information, travel data, and addresses.
LockBit 2.0 is the same threat group that last month attacked Accenture, the global IT consultancy, and demanded a USD 50 million ransom. It has since claimed to have used data stolen from Accenture to launch attacks against some Accenture clients, including an unspecified airport. Interestingly, on the same day as Bangkok Airways’ incident, Ethiopian Airlines also suffered a ransomware attack at the hands of LockBit 2.0. It’s unclear if either incident was related to Accenture’s breach.
SO WHAT? Supply-chain attacks, like in the cases of SolarWinds or Kaseya, are becoming increasingly common. Organisations should be on extra alert if one of their service providers suffers a cyber incident. In addition, when onboarding new vendors, organisations should ensure that their third-party security assessments cover an extensive range of security controls.
Indonesian government investigating exposed data from COVID-19 test-and-trace application
Indonesia is investigating a security flaw in a previous version of its electronic Health Alert Card (eHAC) mobile application. The investigation follows the exposure of sensitive data belonging to 1.3 million people, including personal and health information.
According to security researchers, eHAC was storing data about its users and infrastructure in an unsecured Elasticsearch database. The Indonesian health ministry has advised people to delete the old version of the application, which was replaced with a new eHAC system in July 2021.
SO WHAT? Pressure to release applications quickly can often lead to security oversights and flaws. A penetration test or configuration review before a product’s launch reduces the risk of a security incident down the road.
Ragnarok depart from the ransomware scene, for now…
The Ragnarok ransomware group has shut down its operations, releasing a master decryption key on its leak site. The group did not publish a departure note, leaving the circumstances around its abrupt shutdown unclear.
This is not the first abrupt shutdown of a high-profile ransomware group this year. Both REvil and DarkSide similarly closed at short notice, with suggestions they were facing increased pressure from the US government and global law enforcement agencies.
SO WHAT? Ragnarok may not be gone for long. Ransomware groups are known to go offline before re-branding, evolving their methods of attack, and emerging as a new but related operation.
SEC penalise companies for cyber security malpractice
The U.S. Securities and Exchange Commission (‘SEC’) issued fines to Cetera, Cambridge Investment Research, and KMS ranging from USD 200,000 to USD 300,000. The three financial firms had personally identifiable information belonging to their clients exposed after suffering email account compromises.
The SEC issued the fines for violating the Safeguards Rule by having insufficient security measures in place to protect customer data. Cetera was also found to have used misleading language in its breach notification, which led to an increased penalty.
SO WHAT? Failing to implement appropriate security measures can lead to large financial penalties. Following a breach, it is important to abide by the applicable regulations to avoid even greater penalties – this includes informing the relevant authorities.
Belarusian hacktivists seek to topple Lukashenko Regime
The Belarusian Cyber Partisans, a hacktivist group, have reportedly compromised dozens of police and government databases over recent weeks. Leaked data includes personal information on government officials and spies, as well as lists of alleged police informants.
The hackers claim the data is evidence that the regime lied about the country’s COVID-19 mortality rate and issued illegal orders to crack down on peaceful protests. Experts believe the attacks could undermine the regime and increase the likelihood of sanctions or the prosecution of Lukashenko and his subordinates.
SO WHAT? The FBI advisory draws important attention to ransomware operation infrastructure and highlights how various cyber-criminals collaborate behind-the-scenes of ransomware and data exfiltration attacks.