The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
top NEWS stories this week
- Stolen data now searchable. BlackCat and LockBit enhance leak sites to include search functionality.
- Don’t put all your eggs in MFA’s basket. Phishing attacks bypass MFA, demonstrating a need for defence in depth.
- SHI cyber attack. IT service giant takes systems offline following cyber attack.
- Prison break. Australian prison suffers ransomware attack, and new Australian breach reporting bill is passed.
- Maastricht strikes gold. Dutch university earns money on recovered ransom payment.
- Time to patch! Microsoft releases patches for 84 vulnerabilities, including the actively exploited CSRSS bug.
1. BLACKCAT AND LOCKBIT LEAK SITES
BlackCat and LockBit 3.0 have made their leak site databases searchable. BlackCat has adopted an advanced search function that allows individuals to search for information by company name or by information stolen. This adaptation will make it easier for cybercriminals to locate confidential information about compromised organisations. The LockBit 3.0 threat actor leak site is also now live, but has a less advanced search function.
SO WHAT?This marks a step forward in the threat actor extortion strategy, placing increased pressure on victims to pay the ransom to avoid having company data uploaded to searchable leak sites.
2. MFA BYPASSED IN PHISHING ATTACKS
A new series of phishing attacks has targeted more than 10,000 organisations, hijacking victims’ Office 365 accounts that are even protected by multifactor authentication (MFA). The attacks are using adversary-in-the-middle phishing sites, which enable threat actors to steal credentials and bypass the authentication process. The stolen credentials are then being leveraged to launch business email compromise campaigns.
MFA is still an important and effective security control, but it must be configured correctly. MFA should also not be relied upon as a silver bullet, with organisations strongly advised to utilise multiple security controls to achieve defence in depth.
3. SHI SUFFERS CYBER ATTACK
IT service giant SHI experienced a cyber attack last week, resulting in major disruptions to business critical services. As a precautionary measure, the company shut down its public website and email server. While no customer data has been reportedly compromised, SHI’s customers voiced complaints when unable to purchase IT service goods, demonstrating the reputational impacts that cyber attacks can have.
It is crucial to have incident response and disaster recovery plans in place before a security breach occurs. One key feature of recovery plans is to identify all critical systems that enable the business to function. Recovery procedures can then be incorporated into the plan to ensure these critical systems are brought back online as soon as possible.
4. AUSTRALIAN CRITICAL INFRASTRUCTURE IN THE SPOTLIGHT
A new Australian bill now requires organisations that operate in critical industries to report cyber attacks within 12 hours to the Australian Signals Directorate. Failure to do so will result in fines starting at AUS 11,100. The critical industries affected by the bill include banking, healthcare, education, and aviation.
Shortly before the passing of the bill, an Australian maximum security prison experienced a ransomware attack. The unidentified threat actor encrypted the online network forcing the prison to suspend all in-person and remote visitors.
SO WHAT?Critical infrastructure is often not always built with cyber security in mind, making them attractive and high-impact targets for threat actors. Penetration tests and information security control reviews aimed at identifying critical vulnerabilities are strongly advised.
5. MAASTRICHT UNIVERSITY RECOVERS RANSOM PAYMENT
The Netherlands Public Prosecution Service seized a bitcoin wallet containing a BTC 30 payment made by Maastricht University following a ransomware attack in 2019. The ransom was initially worth EUR 200,000 when paid by the Dutch university, but its value has subsequently increased to EUR 500,000.
SO WHAT?Global law enforcement agencies are becoming increasingly competent in seizing cryptocurrencies. However, whilst this revelation is great news for Maastricht University, organisations should not assume that ransom payments can be recovered.
6. PATCH TUESDAY
For July’s Patch Tuesday, Microsoft has released security fixes for 86 vulnerabilities, including the actively exploited Windows Client Server Runtime Subsystem (CSRSS) bug, which allows threat actors to gain the highest SYSTEM-level privilege.
Moreover, four of the vulnerabilities addressed are critical, including CVE-2022-30221, which could be exploited by ransomware groups who target victims via remote desktop protocol (RDP)
SO WHAT?Organisations should review whether any affected software is employed in their estate. If so, implement the available patches as soon as possible.