header image

Cyber Intelligence Briefing: 13 May 2022

Roddy Priestley, Kyle Schwaeble 13 May 2022
13 May 2022    Roddy Priestley, Kyle Schwaeble

INVESTING IN CYBER RESILIENCE: SPEND, STRATEGY, AND THE SEARCH FOR VALUE

Today's fast-changing threat landscape puts increased pressure on companies to make the right investment choices and improve their cyber resilience. For this report, S-RM surveyed 600 senior leaders and IT decision makers to discover which cyber investment areas provide the best value for money and what savings result from investing in cyber security.

Download Report

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.


top NEWS stories this week

  1. Conti attacks. Costa Rica and Peru fall victim, while the US offers a USD 15 million reward for Conti members.  

  2. Colonial Pipeline penalty. Colonial Pipeline faces a USD 1 million penalty.

  3. A tough row to hoe. Farm machinery giant AGCO suffers ransomware attack.  
  4. Blender.io sanctioned. Popular cryptocurrency mixer sanctioned by US Treasury.

  5. AA New Zealand car crash. New Zealand’s Automobile Association (AA) suffers data breach.  
  6. Credit card skimmers. Stay aware of this popular credit card stealing service, Caramel.

  7. Return of the patch. Microsoft releases patches for three zero day vulnerabilities and 75 other flaws this Patch Tuesday. 

S-RM is honoured to be nominated for Cyber Event Response Team of the Year at Advisen's 2022 Cyber Risk Awards. We would really appreciate your support, please cast your vote for S-RM here.

 

Advisen Cyber Risk Awards

 

1. CONTI IN THE LIMELIGHT 

Costa Rica has declared a "state of national cybersecurity emergency as it tries to recover from widespread attacks by the Conti ransomware group. Costa Rica refused to pay Conti’s USD 10 million ransom, but has struggled to restore critical systems, with the Ministry of Finance operating without digital services since the attacks started on 18 April.   

Separately Conti also claims to have attacked the Peruvian National Directorate of Intelligence, allegedly stealing 9.41 GB of data.  

The US State Department has offered a USD 10 million reward for information that leads to the arrest of Conti leaders and an additional USD 5 million reward to locate the group’s members. 

 

SO WHAT?

Cyber attacks, particularly those involving ransomware, can cause significant disruption to business operations. Organisations must prepare for a crisis and have incident response and business continuity plans in place. Conduct regular run-throughs of these plans so that key stakeholders are familiar with their roles and responsibilities.  

 

 

2. COLONIAL PIPELINE RECEIVES PENALTY 

The US government’s Pipeline and Hazardous Materials Safety Administration (PHMSA) has proposed a penalty of USD 1 million to Colonial Pipeline. PHMSA discovered several security violations, including failure to plan and prepare for manual shut down and restart of the pipeline following the May 2021 ransomware attack 

 

SO WHAT?

Cyber attacks often expose vulnerabilities and shortcomings in an organisation’s security governance programme. Investing in cyber security not only reduces your risk of falling victim to a cyber incident, it can also reduce your risk of facing regulatory penalties or legal action following a data breach. 

 

 

3. AGCO HIT BY RANSOMWARE

Attackers have targeted the agricultural machinery manufacturer AGCO in a ransomware attack, affecting the company’s global production facilities. AGCO estimates that business operations will take several days to fully resume. 

The incident comes a few weeks after the FBI warned of increased cyber attacks against the US agriculture sector during critical planting and harvest seasons. 

 

SO WHAT?

Threat actors are more likely to target companies during their heightened seasons or at critical business junctures. At these times the impact of downtime costs are higher, with victims more willing to pay a ransom. To minimise downtime, organisations should have alternative systems defined to allow for redundancy. Performing regular backups will help too! 

 

 

4. BLENDER.IO SANCTIONED 

The US Treasury Department of Foreign Assets Control (OFAC) has sanctioned a popular digital currency mixing service. The service, known as Blender.io, is used to lauder proceeds from criminal activity. Many high-profile Russian and North Korean ransomware groups such as Conti and the Lazarus group have been attributed to the service. 

 

SO WHAT?

Organisations should be aware of any parties found on the sanctions list as transacting with sanctioned parties, including paying ransoms to retrieve encrypted data, could lead to fines or prosecution. 

 

 

5. AA NEW ZEALAND EXPERIENCES DATA BREACH

The New Zealand branch of the Automobile Association (AA) has confirmed that an unidentified threat actor exfiltrated over 100,000 customer records. Whilst investigations are still ongoing, the extent of the breach includes names, addresses, and contact details. This data is believed to have been accessed from the AA Traveller website in August 2021, despite the website being decommissioned in 2018. 

 

SO WHAT?

Personal data, regardless of how old it is, has value for threat actors. Organisations must have a data retention policy in place that outlines how long data can be stored before requiring deletion. Storing data for longer than a business requires can result in regulatory penalties. 

 

 

6. CARD SKIMMER ON THE RISE 

The Russian cybercrime organisation CaramelCorp’s credit card stealing service enables any low-skilled threat actors to carry out financial fraud attacks. The increasingly popular service injects malicious script into hacked e-commerce websites enabling the theft of credit card details.  

 

SO WHAT?

For organisations, it is crucial that patches for e-commerce software are kept up-to-date to avoid initial compromise. Customers of such platforms can protect themselves by using one-time private cards, or setting up charging limits and restrictions.  

 

 

7. PATCH TUESDAY! 

Microsoft’s May Patch Tuesday fixes 75 vulnerabilities and three zero day vulnerabilities. Of the 75, eight are classified as ‘critical’ as they allow remote code execution or privilege elevation.  

One of the zero day vulnerabilities (CVE-2022-26925) is being actively exploited in the wild, and allows for NTLM (NT LAN Manager) relay attacks. 

 

SO WHAT?

Organisations should have a formal vulnerability management programme in pace. This should consist of an automated solution that proactively scans the IT environment for vulnerabilities and applies the latest patches. Microsoft’s patch updates can always be found here. 

 

 

Cyber Intelligence Briefing

To discuss this article or other industry developments, please reach out to one of our experts.

Roddy Priestley
Roddy priestley Director, Cyber Security Email Roddy
Kyle Schwaeble
Kyle schwaeble Associate, Cyber Security Email Kyle

Intelligent Business 2022 Strategic Intelligence Report

The evolution of strategic intelligence in the corporate world. Read S-RM's latest report.

Download Report