
Cyber Intelligence Briefing: 18 June 2021

Billy Gouveia, Kyle Schwaeble 18 June 2021


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.


Volkswagen suffers a data breach

A third-party vendor for Volkswagen Group left data exposed to the internet for over 18 months. The exposure involved 3.3 million customers in the US and Canada, 97% of whom are either Audi customers or prospective buyers.

An estimated 90,000 customers also had more sensitive data exposed, including social security and loan numbers, as well as details regarding their eligibility for a vehicle purchase, loan, or lease. The company has begun notifying the customers who had sensitive data exposed.

SO WHAT? The incident reinforces the importance of conducting cyber due diligence on vendors and third parties. Additionally, individuals should treat breach notifications with caution: threat actors who hold the stolen data can use it to craft convincing spear phishing emails that pose as notifications from the breached company.


Ikea France fined EUR 1 million for privacy violations

A French court ordered Ikea to pay EUR 1 million for invading the privacy of staff and job applicants. Ikea France used private investigators and police sources to collect private information about employees and conduct illegal background checks.

Ikea paid EUR 600,000 annually towards private investigators to investigate current and prospective employees. Ikea’s former head of risk management has received a suspended two-year prison sentence and fine of EUR 20,000.

SO WHAT? Organisations should ensure that all parts of their business have a clear understanding of, and adhere to, applicable privacy regulations.


Attackers poison PDF documents with SEO techniques to install malware

Attackers are leveraging PDF documents to launch search engine optimization (SEO) poisoning attacks. The PDFs are stuffed with thousands of SEO keywords to increase their visibility on search engines.

Opening the PDF redirects the victim to a Google Drive page hosting the SolarMarker remote access trojan (RAT). If downloaded and run, the RAT creates a backdoor on the compromised system and steals credentials saved in web browsers.

Microsoft Defender Antivirus is known to have detected and blocked thousands of the PDF documents.

SO WHAT FOR SECURITY TEAMS? Refer to Microsoft’s guidance on advanced hunting queries for this campaign.
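The attack chain above has three observable traits a defender can triage for before a user ever opens the file: a document whose visible text is overwhelmingly repeated keywords, an external link action, and that action being wired to fire automatically. The scanner below is an added example written for this briefing; it is not S-RM’s or Microsoft’s code and is not the hunting guidance referenced above. It works on raw PDF bytes with regular expressions rather than a full PDF parser, and the two sample documents, the placeholder URL, the `REPETITION_THRESHOLD` value and the "two indicators means suspicious" rule are all constructed assumptions for illustration.

```python
import re
from collections import Counter

# Constructed, minimal PDF-like byte strings for demonstration only.
# They are not samples from the briefing and are not complete, renderable PDFs.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
4 0 obj << /Length 70 >> stream
BT /F1 12 Tf (Quarterly report: revenue grew in the second quarter) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
4 0 obj << /Length 140 >> stream
BT /F1 12 Tf (free download free download free download free download free download free download free download free download free download free download) Tj ET
endstream endobj
5 0 obj << /S /URI /URI (https://drive.google.com/EXAMPLE-PLACEHOLDER) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI (...) is the link target of a URI action; /OpenAction makes an action run on open.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# (...) Tj is the simplest text-showing operator; enough for this heuristic.
TJ_RE = re.compile(rb"\(([^)]*)\)\s*Tj")
WORD_RE = re.compile(r"[a-z0-9]+")
REPETITION_THRESHOLD = 0.5  # assumed cut-off: half or more of the words are repeats


def extract_uris(pdf):
    """Return every URI action target found in the raw PDF bytes."""
    return [m.decode("latin-1") for m in URI_RE.findall(pdf)]


def has_open_action(pdf):
    """True if the document declares an action that fires when it is opened."""
    return b"/OpenAction" in pdf


def extract_words(pdf):
    """Collect lower-cased words from the visible text operators."""
    text = b" ".join(TJ_RE.findall(pdf)).decode("latin-1").lower()
    return WORD_RE.findall(text)


def repetition_ratio(words):
    """Share of words that are repeats of an earlier word (0.0 = all unique)."""
    if not words:
        return 0.0
    return 1.0 - len(set(words)) / len(words)


def assess(pdf):
    """Score a PDF on the three traits of the SEO-poisoning chain and return a verdict."""
    uris = extract_uris(pdf)
    words = extract_words(pdf)
    ratio = repetition_ratio(words)
    indicators = []
    if has_open_action(pdf):
        indicators.append("open_action")
    if uris:
        indicators.append("external_uri")
    if ratio >= REPETITION_THRESHOLD:
        indicators.append("keyword_stuffing")
    # Assumed rule: any two of the three traits together is enough to quarantine for review.
    verdict = "suspicious" if len(indicators) >= 2 else "benign"
    return {
        "uris": uris,
        "top_words": Counter(words).most_common(3),
        "repetition_ratio": round(ratio, 2),
        "indicators": indicators,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(name, assess(sample))
```

The point of the two-indicator rule is that each trait alone is common in legitimate documents (marketing PDFs link out, forms use open actions, glossaries repeat terms); it is the combination that matches the campaign described above. A production version would decode compressed content streams and handle escaped parentheses, which this regex pass does not.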


Puerto Rico’s electrical supplier targeted in DDoS attack

On 11 June, a distributed denial of service (DDoS) attack targeted LUMA Energy, Puerto Rico’s new power authority. A fire at a LUMA Energy power facility later that day caused more than 800,000 Puerto Ricans to lose power. The cyber attack and fire have not yet been linked.

During the DDoS attack, attackers flooded LUMA Energy’s client portal and mobile application with 2 million visits per second. The attack delayed customer access to online services.

SO WHAT? DDoS attacks have become increasingly prominent in recent months. While this was not the case here, attackers are also threatening victims with DDoS attacks to apply pressure during ransomware negotiations.


U.S. nuclear weapons contractor has data put up for auction

Sol Oriens, a US nuclear weapons contractor, has confirmed it suffered a cyberattack in May 2021. The REvil ransomware group has listed the stolen data for auction on their leak site whilst also threatening to share the information with other military agencies.

Sol Oriens is in the process of determining the scope of data that may have been stolen. The company confirmed that there is no indication that classified client data or critical security-related information has been stolen.

SO WHAT? Organisations operating in strategic industries are more likely to be actively targeted by threat actors, including sophisticated organised criminal groups and nation states.


Ransomware feeling the heat

Ukrainian law enforcement officials arrested multiple members of the Clop (aka Cl0p) ransomware group this week. The arrested individuals are reportedly not core members of the gang but were responsible for laundering the proceeds of Clop’s ransomware operations.

The Avaddon ransomware group appears to have voluntarily shut down, publicly releasing the decryption keys for 2,934 unique victims. It is unclear exactly why the group shut down, although it may be a response to increasing pressure from governments and law enforcement agencies globally.

SO WHAT? Despite these crackdowns, ransomware remains pervasive, with new threat groups emerging regularly.

Cyber Threat Intelligence Briefing

To discuss this article or other industry developments, please reach out to one of our experts.

Billy Gouveia, Senior Managing Director
Kyle Schwaeble, Analyst
