The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
top NEWS stories this week
- Ransomware rising. March is a record-breaking month for ransomware incidents.
- Red dawn. Russian hackers target critical infrastructure and the NCSC issues advisory on Cisco router vulnerabilities.
- 831`Hackers extort Western Digital and LockBit shows remorse for medical facility hack.
- Mayday, mayday. Software update failure causes military helicopter crash.
- The threat within. Former UK government employee steals top secret data.
- Expanding horizons. macOS encryptors found in latest LockBit ransomware
1. RANSOMWARE INCIDENTS SHOW NO SIGN OF DECREASING
Ransomware attacks surged in March 2023, with a record-breaking 450 publicly reported incidents. According to global data seen by S-RM, over 100 of these were due to Cl0p exploiting Fortra's zero-day GoAnywhere MFT file transfer vulnerability.
Recent high profile ransomware incidents include an attack on NCR, a major payment software provider. Meanwhile, ransomware gang Black Basta has reportedly leaked sensitive data stolen from IT services firm Capita on the dark web.
| SO WHAT?
Ransomware incidents are increasing in severity and frequency, and proactive measures need to be taken to safeguard data and vital assets. Consider performing a ransomware readiness assessment to evaluate your organisation’s resilience to such an attack
2. RUSSIAN HACKERS TARGETING CRITICAL INFRASTRUCTURE AND NCSC ISSUES JOINT ADVISORY REPORT
The UK’s National Cyber Security Centre (NCSC) has warned of an emerging threat from Russian hackers targeting critical infrastructure. This coincides with the advisory report issued by the NCSC and US intelligence agencies that outlines tactics used by the Russian state hacking group, APT28, to exploit Cisco routers.
SO WHAT FOR SECURITY TEAMS?
If Cisco routers are within your network, follow the vendor’s security guidance which can be found here.
3. ALPHV DEMAND ATTENTION AND LOCKBIT APOLOGISE TO LATEST VICTIM
Frustrated over an apparent lack of contact from their victim, the ransomware group ALPHV has released a “final warning” on their leak site to Western Digital. The post included allegations that the company mislead the US Securities and Exchange Commission.
Separately, LockBit has apologised for targeting the Home and Heart Health medical facility in Virginia, USA. The threat group offered a free decryptor key to enable the restoration of systems. LockBit has previously stated that it would not target medical care facilities.
4. SOFTWARE UPDATE FAILURE CAUSES MILITARY HELICOPTER CRASH
An Australian military helicopter crashed during a training operation due to engine failure, stemming from missed software updates. The update would have prevented “hot starts”; an operational error where engine fuel ignites uncontrollably during start-up. Thankfully no-one was seriously injured in the crash.
Keeping software and technology up to date is critical for maintaining the security and safety of systems and personnel that rely on them.
5. INSIDER THREAT STEALS TOP SECRET GOVERNMENT DATA
A former employee of a ‘sensitive UK government organisation’ has been accused of transferring top secret data to his personal computer. The ex-employee reportedly exfiltrated sensitive information from a restricted workstation to his work phone before taking it home.
SO WHAT?Organisations can mitigate the risk of an insider threat through a formalised joiners, movers, leavers procedure as well as stringent access controls, and regular monitoring of network activity.
6. MAC OS ENCRYPTORS FOUND IN LOCKBIT RANSOMWARE
Researchers have discovered encryptors under development for Mac operating systems when examining LockBit operations. The ransomware group, which typically target Windows, Linux, and ESXi servers, operate a Ransomware-as-a-Service business model, allowing different threat actor groups access to their malware.
As ransomware groups look to target macOS, users should take proactive measures to protect their systems, such as regularly updating their software, implementing strong password practices, and being vigilant against phishing attacks.