The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
- Authorities move against cybercriminals. Numerous arrests and asset seizures in several operations.
- Record-high GDPR fines. Sanctions exceeded EUR 1 billion in 2021.
- Zoho vulnerable again. ManageEngine DesktopCentral has another critical vulnerability.
- Cyberespionage campaign. APTs target multiple renewable energy organisations.
- A wave of attacks. Threat actors target Ukrainian government agencies.
- DHL phishing attacks. A surge of DHL phishing campaigns appeared in Q4 2021.
1. Authorities move against cybercriminals
- The Federal Security Service (FSB), a Russian domestic intelligence service, launched a series of raids targeting alleged members of the notorious Russia-based ransomware group REvil. According to the FSB, 25 properties were raided, resulting in the arrest of 14 alleged REvil members, and the seizure of over RUB 426 million, USD 600,000, and EUR 500,000 in cash, alongside various cryptocurrency wallets, computers, and premium cars.
- Europol seized 15 servers owned by VPNLab.net, a virtual private network (VPN) service provider. VPNLab.net’s services are primarily advertised on underground criminal channels and frequently employed by threat actors to deploy malware. As a result of these seizures, the VPN service is now effectively inoperable.
- A joint operation involving Interpol and the Nigerian Police Force (NPF) has resulted in the arrest of 11 alleged members of SilverTerrier, a serious cybercriminal network known for business email compromise (BEC) attacks against companies across the globe. Initial analysis of seized computers and phones suggests the arrested individuals were collectively associated with over 50,000 victims.
SO WHAT? This is a good start to 2022, signalling the continued determination of global law enforcement authorities to combat cybercriminals.
2. Data regulators issued MORE THAN EUR 1 billion in GDPR fines in 2021
European data protection regulators issued over EUR 1 billion in GDPR fines in 2021, representing a 594% increase compared to 2020. The GDPR (General Data Protection Regulation) is aimed at protecting the personal data of European citizens and applies to any organisation that holds such data, no matter where they are located.
Amazon received the largest individual fine, EUR 746 million, for processing personal data in violation of GDPR rules. In second place, WhatsApp was fined EUR 225 million for failing to comply with transparency requirements, including not telling its customers how it was sharing their data with its parent company, Facebook.
SO WHAT? These cases show that the GDPR is growing teeth. Companies should follow best practices to minimise the risk of data breaches, including conducting regular risk assessments, training employees, and ensuring third-party vendors are compliant as well.
3. Zoho ManageEngine Desktop Central vulnerable
Zoho has disclosed another critical vulnerability in its ManageEngine Desktop Central and Desktop Central MSP solutions. Both are software solutions designed to facilitate remote management of endpoints. The authentication bypass vulnerability (CVE-2021-44757) could allow a threat actor to perform unauthorised actions on client devices and servers, including the deployment of malware. It is the latest in a series of critical vulnerabilities in Zoho’s products.
SO WHAT? Every organisation should have a system to keep track of the software employed in their IT estate and follow a rigorous patch management programme so that vulnerabilities are addressed as soon as possible.
4. Cyberespionage campaign targets the renewable energy sector
Multiple renewable energy and industrial technology organisations have been targeted in a cyberespionage campaign that has reportedly been active since 2019. Attackers leveraged phishing campaigns to steal employee credentials that were later used to access victims’ networks. Evidence suggests that Fancy Bear and Konni, advanced persistent threat (APT) groups from Russia and North Korea, respectively, may be linked to the attacks.
SO WHAT? Organisations should employ a variety of controls to combat phishing attacks, including email and URL filtering, as well as cyber awareness training for users.
5. Threat actors target Ukrainian organisations
On 14 January 2022, multiple Ukrainian government agencies were attacked with highly potent malware, resulting in the destruction of data and several government websites going offline. According to the Ukrainian cyber police, the attacks involved exploitation of the now well-known Log4j vulnerabilities.
The threat actors behind the attacks have not yet been identified, but Ukrainian officials have pointed to both Russia and her close ally Belarus, claiming that the attacks are part of a larger Russian move against Ukraine.
SO WHAT? This case provides yet another warning that organisations should know where, and how, Log4j is employed in their estate, and that the relevant measures to secure Log4j vulnerabilities are implemented swiftly. With the threat of destructive malware, it is also vital that organisations have an adequate data loss prevention programme in place.
6. DHL, the face of phishing attacks
DHL, the international package delivery service that delivers over 1.6 billion parcels per year, surpassed Microsoft as the most imitated brand in phishing attacks in Q4 of 2021. Seasonal sales periods, such as Black Friday and Cyber Monday, played a significant role in this. Threat actors took advantage of the large increase in goods ordered online during these periods, with the aim of their DHL-impersonating emails being to reach individuals waiting for packages.
SO WHAT? Phishing attacks involving e-commerce emails often create a sense of urgency in an attempt to convince users to take immediate action. Embedded buttons and links on emails should never be clicked on, and URLs can be validated by visiting the official website on a new browser tab.