The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- Law enforcement progress against cybercrime. An international sting operation and indictments for a malware author.
- Ransom recovered. The FBI has recovered a large portion of Colonial Pipeline’s recent ransom payment.
- Internet blackout. The cause of Tuesday’s widespread internet outage is revealed.
- Governments attacked. Government departments in New York City, Spain, and Southeast Asia were the victims of cyber-attacks.
- Phishing catch-up. Agent Tesla malware returns and the Financial Industry Regulatory Authority issues phishing warning.
- Plethora of passwords. Hacker forum user posts file containing 8.4 billion passwords, making it the largest password compilation yet.
Recent steps by law enforcement in combatting cybercrime
- The FBI, Europol, the AFP, and other agencies arrested over 800 people who were tricked into using an FBI-operated messaging app called ANOM. The app was installed on phones that were distributed, via informants, through organised crime networks, allowing law enforcement to monitor criminal planning in real time.
- Separately, a Latvian woman, Alla Witte, has been arraigned on numerous charges for her alleged role in the Trickbot operation. Witte is alleged to have co-authored and deployed Trickbot malware, which harvested banking credentials of, and distributed ransomware to, millions of victims.
SO WHAT? The arrests of ANOM users are the latest display of the increasingly active role law enforcement agencies are taking to combat cybercrime. For example, in April, the FBI proactively removed web shells from numerous organisations affected by the now infamous Exchange Server vulnerabilities.
FBI recovers portion of ransom payment made to DarkSide ransomware group
US officials recovered Bitcoin worth USD 2.3 million from DarkSide, the ransomware group behind the recent Colonial Pipeline attack. Colonial Pipeline had paid a USD 4.4 million ransom to DarkSide to obtain a decryption key.
The FBI now controls access to the threat actor’s cryptocurrency wallet. The Justice Department has not yet disclosed how it gained control of the account.
SO WHAT? It is unprecedented for government officials to publicly announce the recovery of a ransomware payment. This development could cause cybercriminal groups to shift focus away from high-profile US targets and to demand payment in less common cryptocurrencies.
Software bug causes major internet blackout
A cloud computing provider named Fastly disclosed that a software bug caused a major internet outage on Tuesday. The bug, contained in a May software update, was triggered after a Fastly customer changed their settings.
Approximately 85 percent of Fastly’s network was impacted, with many prominent websites, including Amazon, New York Times, and Reddit, experiencing a denial of service. Fastly was able to remedy the bug within one hour.
SO WHAT? The outage caused some to question how reliant the world is on only a few companies to support the infrastructure underpinning the internet. It’s also a good reminder for organisations to anticipate incidents like these when putting together their business continuity plans.
Government departments fall victim to cyber-attacks
- The New York City Law Department was hacked on 6 June, resulting in access to certain systems being shut off for more than 2,000 employees.
- Spain’s Ministry of Labour and Social Economy announced on 9 June that it was the victim of a cyber-attack. This incident has impacted several entities dependent on the Ministry.
- A cyber espionage operation targeting an unspecified Southeast Asian government has been identified by researchers. The Chinese threat group SharpPanda is believed to be leveraging a backdoor that enables it to capture screenshots, run commands, and alter files.
SO WHAT? Government agencies will continue to be targeted by threat actors due to the sensitive data they hold, the criticality of their operations, and the minimal security controls that are often in place.
Phishing: Agent Tesla malware returns; FINRA leveraged in new phishing campaign
- Attackers are distributing updated versions of the Agent Tesla malware via phishing emails. The malware is typically used to steal usernames, passwords, and bitcoin address information. The malware executable is hidden within the email’s Microsoft Excel attachment.
- Separately, the Financial Industry Regulatory Authority (FINRA) has warned of a phishing campaign leveraging the regulator for legitimacy. The email threatens victims with penalties unless they disclose personal information. Fraudulent emails have been sent from name@gateway-finra[.]org.
SO WHAT? Train your employees to scrutinise all links, attachments, and threatening requests, regardless of their perceived legitimacy.
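One way to turn the FINRA item into a mail-filter check is to flag sender domains that carry the regulator's brand name but are not the regulator's own domain. This is an added example, not S-RM's or FINRA's code; the legitimate-domain list is an assumption for illustration, and the sample headers are constructed (the defanged address is the one quoted above).

```python
from email.utils import parseaddr

# Assumption for this example: the brand's genuine mail domain(s). The briefing
# does not list FINRA's real sending domains, so treat this set as a placeholder.
LEGIT_DOMAINS = {"finra.org"}
BRAND = "finra"

# Constructed sample From: headers, including the defanged address from the briefing.
SAMPLE_SENDERS = [
    "FINRA Compliance <name@gateway-finra[.]org>",
    "FINRA Alerts <alerts@finra.org>",
    "Newsletter <news@mail.finra.org>",
    "Bob <bob@example.com>",
]


def refang(addr: str) -> str:
    """Undo the '[.]' defanging used in intel reports so the address parses."""
    return addr.replace("[.]", ".")


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain part of a From: header."""
    _, addr = parseaddr(refang(from_header))
    return addr.rpartition("@")[2].lower()


def is_brand_lookalike(domain: str, brand: str = BRAND, legit=LEGIT_DOMAINS) -> bool:
    """True if the domain mentions the brand but is neither a legitimate domain
    nor a subdomain of one, e.g. 'gateway-finra.org' impersonating 'finra.org'."""
    if domain in legit or any(domain.endswith("." + d) for d in legit):
        return False
    return brand in domain


def flag_senders(from_headers):
    """Return the domains that should be quarantined or reviewed."""
    return [d for d in map(sender_domain, from_headers) if is_brand_lookalike(d)]
```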
RockYou2021 represents largest publicly available password compilation to date
A user on a popular hacker forum has posted a 100GB .txt file titled RockYou2021. The file contains an estimated 8.4 billion passwords.
The passwords have most likely been compiled from previous data breaches. Although this means many of the passwords from the original breaches have since been changed, the file is still likely to contain passwords that are active and commonly used.
SO WHAT? Attackers use password compilations such as this one to further their attacks, knowing that users often choose common passwords or re-use passwords across accounts. Users should employ passphrases instead of passwords, and not reuse the same credentials for multiple accounts.
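Defenders can put a compilation like RockYou2021 to the opposite use: screen new or changed passwords against it at registration, as NIST SP 800-63B recommends, and require length rather than complexity. This is an added example, not S-RM's code; the five-line compilation below is constructed (the real file is about 100GB and would be streamed line by line through the same loader).

```python
import hashlib
from typing import Iterable, Set

# Constructed stand-in for a handful of lines from a breached-password compilation.
SAMPLE_COMPILATION = [
    "password",
    "123456",
    "qwerty",
    "letmein",
    "Summer2021!",
]


def load_blocklist(lines: Iterable[str]) -> Set[bytes]:
    """Build a set of SHA-1 digests from compilation lines.

    Hashing keeps the on-disk blocklist from doubling as a ready-made wordlist
    if it leaks, and the Iterable input lets a 100GB file be streamed instead
    of read into memory."""
    return {
        hashlib.sha1(line.rstrip("\r\n").encode("utf-8")).digest()
        for line in lines
        if line.strip()
    }


def load_blocklist_from_file(path: str) -> Set[bytes]:
    """Stream a compilation file; 'replace' tolerates non-UTF-8 junk lines."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return load_blocklist(fh)


def is_breached(password: str, blocklist: Set[bytes]) -> bool:
    """Exact-match check: case and punctuation are significant, as in the file."""
    return hashlib.sha1(password.encode("utf-8")).digest() in blocklist


def evaluate_password(password: str, blocklist: Set[bytes], min_len: int = 12) -> str:
    """Return 'ok' or the reason for rejection.

    Order matters: a breached password is rejected even if it is long, and a
    short one is rejected even if it is not in the compilation."""
    if is_breached(password, blocklist):
        return "rejected: appears in breached-password compilation"
    if len(password) < min_len:
        return f"rejected: shorter than {min_len} characters; use a passphrase"
    return "ok"
```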