The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
Top news stories this week
- Recent cyber attacks. Denso, Bridgestone Americas, and Ubisoft fall victim to cyber attacks.
- Android trojans on the rise. Android banking trojan Aberebot returns under a new name.
- The Russian threat. German and US agencies warn of Russia-related cyber threats.
- GDPR fines. Meta Platforms and Tuckers Solicitors receive fines for violating GDPR rules.
- DDoS attacks. Israeli and Russian websites go offline.
- New wiper malware. A novel strain of data wiping malware appears on Ukrainian devices.
- Spectre returns. Intel, ARM, and AMD processors face a new variant of the Spectre vulnerability.
1. Companies park in the repair shop
- Automotive components manufacturer Denso confirmed it suffered a ransomware attack by the Pandora group last week. Although manufacturing schedules were not affected, Pandora claimed 1.4TB of Denso data had been exfiltrated, samples of which have already been published on Pandora’s leak site.
- Ransomware group LockBit 2.0 claimed responsibility for the 27 February 2022 ransomware attack against tire manufacturer Bridgestone Americas. The group claimed to have stolen data from its victim, however LockBit 2.0 is yet to leak any of it online.
- Video game producer Ubisoft suffered a cyber attack that disrupted some games and services. Lapsus$, the data extortion group also allegedly behind the recent Nvidia and Samsung attacks, claimed responsibility. Ubisoft stated that there is no evidence that data exfiltration occurred.
SO WHAT? Ransomware attacks can cause significant operational disruption and, if data is exfiltrated, substantial regulatory and legal costs as well. Intrusion detection and prevention systems (IDS/IPS) can spot and block the lateral movement and bulk outbound transfers that typically precede encryption, but they complement, rather than replace, tested offline backups and endpoint controls.
2. The Android trojan threat
Android banking trojan Aberebot has reappeared under a different name: Escobar. Its new features include the ability to steal Google Authenticator multi-factor authentication (MFA) codes, take photographs, and record audio. The tool is primarily used to gather enough information to allow threat actors to take control of their victim’s bank accounts.
Researchers have also identified a recent increase in Android trojans present on the Google Play Store. One trojan has been downloaded over 500,000 times.
SO WHAT? Secure Android devices with Google Play Protect alongside an anti-malware solution, and restrict sideloading. Note that presence on the official Play Store is no guarantee an app is clean, as the 500,000-download trojan above shows; app-based MFA codes can be stolen by malware on the same device, so a hardware token or a separate device offers stronger protection for high-value accounts.
3. German and US agencies warn of Russian cyber threats
- Germany's Federal Office for Information Security (BSI) has warned against using anti-virus software from the Russian-headquartered software provider Kaspersky because it could be leveraged to launch cyber attacks amid Russia’s ongoing invasion of Ukraine.
- The US Financial Crimes Enforcement Network (FinCEN) warned of the potential for an increase in Russia-based ransomware campaigns, including state-sponsored ones, as the Russian government and private individuals seek to ease the economic cost of sanctions.
SO WHAT? While the threat of cyber attacks from Russia-based groups is increasing, BSI's warning is likely somewhat politically motivated and, as such, should be considered with some skepticism. Whatever the motive, the underlying point applies to any endpoint security vendor: the product runs with high privileges and receives automatic updates, so choosing one is a supply-chain trust decision.
4. Protect your data subjects or pay
- Meta Platforms, the parent company of Facebook and WhatsApp, was fined EUR 17 million by the Irish Data Protection Commission for a series of GDPR infringements by Facebook during 2018.
- UK law firm Tuckers Solicitors was fined GBP 98,000 by the UK's Information Commissioner's Office (ICO) for GDPR infringements following a ransomware attack against the organisation that saw collections of court documents exfiltrated and published on the dark web.
SO WHAT? Both large and small organisations can receive penalties for violating data protection regulations, and in the Tuckers case the penalty followed an attack rather than a deliberate misuse of data. Organisations must familiarise themselves with their legal and regulatory data protection obligations, including the security measures regulators expect to be in place.
5. DDoS attacks
- The Israeli National Cyber Directorate confirmed that a distributed denial of service (DDoS) attack against Israeli communications provider Bezeq rendered several Israeli government websites inaccessible on Monday.
- Several Russian websites, including those of the Federal Security Service (FSB), stock exchange, and Ministry of Sport, were forced offline following a wave of DDoS attacks. The hacktivist collective Anonymous claimed responsibility for the attack as part of their ongoing campaign in response to the Russian invasion of Ukraine.
SO WHAT? Organisations should provision DDoS protection before they need it: upstream scrubbing or a CDN/anycast front end for public-facing services, rate limiting at the network edge, and a tested runbook for engaging the provider. Standing up mitigation during an attack is far harder than arranging it in advance.
6. Data wiping malware continues to develop
A novel data wiping malware strain, CaddyWiper, has been discovered on Ukrainian devices. This is the fourth data wiping malware deployed against Ukraine this year, although it doesn’t share any significant code similarities with the other three.
CaddyWiper is typically deployed via Group Policy from compromised domain controllers, meaning the attackers already held domain administrator privileges before the wiper was pushed. Interestingly, to preserve that access, it checks whether the host it is running on is a domain controller and exempts such hosts from being wiped.
SO WHAT? There is the possibility for data wiping attacks to spill over to non-Ukrainian devices and for future threat actors to employ them more generally. Regular, isolated (offline or immutable) backups with tested restoration are critical to protect organisations against this threat. Because Group Policy was the delivery vector, monitoring for unexpected GPO modifications and hardening domain controllers also gives defenders a chance to catch this class of attack before the wiper runs.
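Because the deployment pattern described above (a GPO edited by an account that should not be editing GPOs, followed shortly by the same binary launching on many hosts from SYSVOL) is visible in ordinary Windows Security logs, it can be hunted for. The following is an added example written for this briefing; it is not S-RM tooling and is not derived from any CaddyWiper sample. It uses the real Windows event IDs 5136 (directory service object modified) and 4688 (process creation) and the real well-known GUID of the Default Domain Policy, but the event records themselves, the host names, the account names and the binary name `update.exe` are constructed for illustration.

```python
"""Hunt for GPO-delivered mass execution in Windows Security events.

Added example for this briefing (not S-RM code, not derived from malware).
Record shapes follow Windows Security Event IDs 5136 and 4688; the sample
records, hosts, accounts and binary name below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known GUID of the Default Domain Policy, a common target for abuse.
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
DEFAULT_DC_POLICY = "{6AC1786C-016F-11D2-945F-00C04fB984F9}"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # An approved GPO editor changing the Default Domain Controllers Policy.
    {"EventID": 5136, "TimeCreated": "2022-03-14T08:10:00", "Computer": "DC01",
     "SubjectUserName": "gpo_admin", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": f"CN={DEFAULT_DC_POLICY},CN=Policies,CN=System,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "versionNumber"},
    # A service account (not an approved editor) bumping the Default Domain Policy.
    {"EventID": 5136, "TimeCreated": "2022-03-14T09:55:10", "Computer": "DC01",
     "SubjectUserName": "svc_backup", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": f"CN={DEFAULT_DOMAIN_POLICY},CN=Policies,CN=System,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "versionNumber"},
    # Unrelated benign process start.
    {"EventID": 4688, "TimeCreated": "2022-03-14T10:02:00", "Computer": "WS02",
     "SubjectUserName": "alice", "NewProcessName": r"C:\Windows\System32\notepad.exe"},
]
# The same SYSVOL-hosted binary starting on four workstations within minutes.
for i, host in enumerate(["WS01", "WS02", "WS03", "WS04"]):
    SAMPLE_EVENTS.append({
        "EventID": 4688, "TimeCreated": f"2022-03-14T10:0{i}:30", "Computer": host,
        "SubjectUserName": "SYSTEM",
        "NewProcessName": (r"\\corp.local\SYSVOL\corp.local\Policies"
                           f"\\{DEFAULT_DOMAIN_POLICY}\\Machine\\Scripts\\Startup\\update.exe"),
    })


def parse_ts(value):
    return datetime.fromisoformat(value)


def suspicious_gpo_changes(events, allowed_editors):
    """5136 edits to GPO objects by accounts that are not approved GPO editors."""
    allowed = {a.lower() for a in allowed_editors}
    return [e for e in events
            if e["EventID"] == 5136
            and e.get("ObjectClass") == "groupPolicyContainer"
            and e["SubjectUserName"].lower() not in allowed]


def mass_execution(events, min_hosts=3, window=timedelta(minutes=15)):
    """Binaries launched from SYSVOL on >= min_hosts distinct hosts within `window`.

    Returns {binary_path_lower: (first_seen, sorted_hosts)}.
    """
    by_binary = defaultdict(list)
    for e in events:
        if e["EventID"] == 4688 and "\\sysvol\\" in e["NewProcessName"].lower():
            by_binary[e["NewProcessName"].lower()].append(
                (parse_ts(e["TimeCreated"]), e["Computer"]))
    hits = {}
    for binary, launches in by_binary.items():
        launches.sort()
        for i, (t0, _) in enumerate(launches):          # sliding window from each launch
            hosts = {h for t, h in launches[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[binary] = (t0, sorted(hosts))
                break
    return hits


def correlate(events, allowed_editors, max_gap=timedelta(hours=1), **kwargs):
    """Pair each unapproved GPO edit with a later mass launch of a binary from that GPO."""
    alerts = []
    execs = mass_execution(events, **kwargs)
    for change in suspicious_gpo_changes(events, allowed_editors):
        t_change = parse_ts(change["TimeCreated"])
        gpo_guid = change["ObjectDN"].split(",")[0][len("CN="):].lower()
        for binary, (t_first, hosts) in execs.items():
            if gpo_guid in binary and timedelta(0) <= t_first - t_change <= max_gap:
                alerts.append({"gpo": gpo_guid, "editor": change["SubjectUserName"],
                               "binary": binary, "first_seen": t_first.isoformat(),
                               "hosts": hosts})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, allowed_editors=["gpo_admin"]):
        print(alert)
```

The allow-list of GPO editors is the part that needs tuning per environment; the SYSVOL path check is deliberately narrow, and a production rule would also cover scheduled tasks and immediate tasks created through Group Policy Preferences, which copy the payload locally before running it.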
7. Spectre vulnerability returns
Last week, a new Spectre vulnerability was discovered affecting major central processing units (CPUs), including Intel, ARM, and AMD. Originally drawing attention in 2017, Spectre vulnerabilities allow malware to obtain secrets stored in the memory of other programs running on a device, including passwords and emails.
Although newer CPUs were believed to be protected by hardware mitigations introduced in 2018, researchers showed that those mitigations can be bypassed, so processors previously considered immune are affected.
Fortunately, there is no evidence of the vulnerability being exploited in the wild, and software patches are being created; as with earlier Spectre variants, the fix arrives through operating system (kernel) updates and vendor microcode or firmware rather than a single application patch.
SO WHAT? Organisations should track and apply the operating system and firmware updates that address this vulnerability, and test them first on performance-sensitive systems, since Spectre mitigations can carry a measurable overhead.