The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- Espionage: German parliamentarians targeted in phishing campaign.
- Ransomware: Suspected in Channel 9 attack. Ransomware actors now read your insurance policies.
- Zero-day exploits: Vulnerabilities exposed by Google tied to counterterrorism campaign.
- PHP source code compromised: Malicious code identified in the PHP source code repository.
- Docker Hub becomes malware vector: 20 million containers laced with cryptominers downloaded.
- Life’s a breach: Mobikwik, SalusCare, 200 Networks, and Carding Mafia have data exposed.
German parliamentarians targeted in suspected espionage attack
- Russian military intelligence is believed to be behind the compromise of private email accounts belonging to seven German parliamentarians and 31 state legislators. The attackers, part of the Ghostwriter group, used a spear phishing campaign to deceive their victims.
- The attack is likely part of a wider Russian disinformation effort. Ghostwriter’s campaigns are known to create and disseminate false information to suit Russian interests. It is unclear whether sensitive information has been exfiltrated.
So what? Influence operations are an effective method for nation state actors to instil uncertainty and promote agendas, particularly in the lead-up to elections. Germany is holding a federal election in September 2021.
Ransomware knocks out network and threat groups peruse insurance policies
- A suspected ransomware attack, likely conducted by a nation state actor, took down Australia’s Channel 9 TV network this week. A ransom is yet to be demanded and it is possible the attack was instead designed to simply cause destruction, similar to NotPetya.
- FatFace, a British clothing brand, paid a USD 2 million ransom after an attack in January 2021. The Conti group read FatFace’s cyber insurance policy to gauge their victim’s capacity to pay.
So what? Ransomware continues to pillage organisations worldwide. While prevention remains vital, companies must have a clear plan for how to respond when the inevitable happens.
Counterterrorism campaign behind zero-day exploits revealed by Google
- The 11 zero-day exploits in Chrome and Safari revealed in January this year appear to be linked to a Western nation state actor conducting a counterterrorism campaign. By revealing the zero-day vulnerabilities, Google shut down the attack.
- The decision to prevent a cyber attack conducted by a Western government was reportedly controversial inside Google. It is unknown whether Google notified the attackers before revealing the vulnerabilities.
So what? Vulnerability disclosure is an effective way to thwart threat actor campaigns, but the question of when and how to reveal bugs is complex. While this campaign was tied to counterterrorism work, any software flaws leave users open to attack by future, piggy-back actors.
PHP source code compromised
- The PHP source code was compromised with a backdoor. The unauthorised code was disguised as a typo-related fix from a well-regarded developer. The team’s own infrastructure hosting the source code was compromised.
- The backdoor was discovered quickly, preventing it from being made available to users. While the investigation is still ongoing, the PHP developers have taken the decision to discontinue their own git infrastructure and use only the repositories on GitHub.
So what? Organisations that develop applications should be scanning their source code for vulnerabilities prior to pushing code to production.
Docker Hub containers infect 20 million with malware
- Hackers plant cryptomining malware in Docker Hub container images. The malicious images have been downloaded more than 20 million times from Docker Hub, a trusted registry of container applications.
- Researchers suspect this is not an isolated incident, discovering 30 malicious images on Docker Hub alone. Given the trust placed in reputable registries, leveraging images to distribute malware is a highly effective threat vector, more easily scalable than disseminating payloads via phishing campaigns.
So what? Even when downloading containers from reputable registries, like Docker Hub, ensure you inspect the images for potential signs of compromise.
Life’s a breach. Millions of financial, medical, and VOIP records leaked in last two weeks
- Financial: Mobikwik, a popular Indian mobile payment service, saw 3.5 million customer records released onto the dark web.
- Medical and VOIP: SalusCare, Florida’s largest provider of mental health services, saw up to 85,000 patient records potentially accessed after a malware attack. A database belonging to 200 Networks LLC, a Nevada call centre provider, exposed nearly 1.5 million call data records.
- Criminal: Carding Mafia, a hacking forum, suffered a breach of 300,000 user accounts. The breach exposed emails, IP addresses, usernames, and hashed passwords of forum users.
So what? Controls such as encryption and network segmentation help lock down your data, while a thought-through incident response plan ensures your organisation can effectively react when necessary.
New Podcast: Optimising your cyber incident response plan
In this new S-RM Insider podcast, we bring together Joseph Tarraf, Associate Director, Cyber Incident Response team at S-RM; Magnus Josias, Co-Founder and COO of Krizo; and Greg Foss, Senior Cyber Security Strategist at VMware Carbon Black to explain how a typical cyber-attack unfolds, and the tools and tactics needed to optimise your cyber incident response plan. Listen here.