header image

Cyber Intelligence Briefing: 21 May 2021

Billy Gouveia, Kyle Schwaeble 21 May 2021
21 May 2021    Billy Gouveia, Kyle Schwaeble

CHALLENGING INSECURITY: A ROADMAP TO CYBER CONFIDENCE

In our latest report, we demystify the drivers of insecurity among cyber security professionals, in so doing, mapping a path to cyber confidence.

Download Report

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

OVERVIEW


Update: Fallout from Colonial Pipeline attack continues

  • Colonial Pipeline confirmed it paid USD 4.4 million to the DarkSide ransomware group to restore services. The ransom is above average for DarkSide, who usually demand anywhere between USD 200,000 and USD 2 million.
  • Some researchers claim that law enforcement may have seized DarkSide’s infrastructure. After the attack, a key DarkSide cryptocurrency wallet was emptied of funds and the ransomware group reportedly lost access to their leak site and servers.
  • There are some suggestions, however, that DarkSide may instead be trying to get out while they can. The group is reported to have accrued at least USD 90 million since they began operating nine months ago. 

 SO WHAT?  Despite reports that DarkSide is shutting down, ransomware groups rarely stay dormant for long and we’ll likely see them return in the future or their operation taken over by an affiliated group.


The human cost of ransomware

  • Ireland’s Health Service Executive (‘HSE’) shut down IT systems on Friday following a Conti ransomware attack. The attack on the public healthcare system caused the cancellation and delay of hospital treatments across the country.
  • The HSE announced that the ransom won’t be paid. However, the healthcare system will likely need to spend tens of millions of euros as part of the recovery and rebuild process, which may take weeks to complete. 

 SO WHAT?  Conti has recently targeted multiple healthcare agencies, including New Zealand’s Waikato District Health Board and an unsuccessful attempt to encrypt the systems of Ireland’s Department of Health. Such attacks can have detrimental impacts beyond IT systems, disrupting the provision of vital medical services.


Encrypt me two times, baby

  • A novel approach by some ransomware groups has seen them encrypting a victim’s data twice. These incidents involve the data being encrypted with two different ransomware strains.
  • Double encryption is not always clear from the outset. In some cases, threat actors might leave two separate ransom notes, making it obvious. While, in other cases, a victim might pay a ransom to decrypt their data, only to find they must pay another ransom for a second decryption tool. 

 SO WHAT?  Victims of multiple encryption ransomware attacks are likely to face increased difficulty when it comes to successfully decrypting their data.


Combatting Cybercrime

  • DarkSide’s recent attack on Colonial Pipeline has prompted widespread discussion about potential legislation to combat cybercrime. President Biden signed an executive order last Wednesday increasing security and reporting standards for the government’s software suppliers.
  • The US Congress will also consider two bills addressing weaknesses in the US national cyber security programme. One focuses on properly securing oil and gas pipelines, while the other envisages a national programme for government and companies to test their IT and security infrastructure. There are also discussions in the US about a national data breach notification law.
  • The UK government also made a public call for advice to defend against supply-chain attacks.

 SO WHAT?  It will be interesting to see what steps government and private sector organisations take in the coming months to combat cybercrime, and ransomware in particular.


Bizarro banking trojan goes intercontinental as the trojan is spotted in Europe 

  • The Bizarro banking trojan, originating in Brazil, has now expanded to target users in Europe. The trojan has now evolved to target and extort customers of 70 European and South American banks.
  • The threat actors utilise various stages and techniques to make malware analysis and detection more difficult. The attack chain includes human elements with money mules withdrawing stolen funds as well as social engineering elements to dupe victims into providing sensitive information.

 SO WHAT?  As cybercrime pay-outs become more lucrative in Europe, we will continue to see localised threat groups evolving to target more victims in other countries and continents.


Phishing trends: Meal-kit delivery companies impersonated; Formbook campaign evolves

  • Attackers are impersonating meal-kit delivery companies by sending text messages to users, asking them to rate their experience. The message contains a malicious link that redirects the victim to a fake website designed to harvest personal and financial information.
  • Separately, a new phishing campaign delivering Formbook malware is leveraging an email relating to a false product order. The fake email, sent from Dubai, contains a compressed attachment where the malware executable is hidden.
  • Lastly, researchers discover that over 52 million malicious messages have abused cloud-based services in 2021 Q1. Phishing attempts are utilising services such as Azure, SharePoint, One Drive, and Google Workspace to increase the legitimacy of their attacks.

 SO WHAT?  So what? Phishing campaigns will continue to leverage the latest trends and services to gain legitimacy. Train your employees to scrutinise all links and attachments they may receive through email, text message, or other communication methods.


Indicators of Compromise:

The Indicators of Compromise (IOCs) below offer a snapshot of the forensic artefacts currently known to be associated with the Bizarro banking trojan.

MD5 Hashes:

e6c337d504b2d7d80d706899d964ab45

daf028ddae0edbd3d7946bb26cf05fbf

5184776f72962859b704f7cc370460ea

73472698fe41df730682977c8e751a3e

7a1ce2f8f714367f92a31da1519a3de3

0403d605e6418cbdf8e946736d1497ad

d6e4236aaade8c90366966d59e735568

a083d5ff976347f1cd5ba1d9e3a7a4b3

b0d0990beefa11c9a78c701e2aa46f87

38003677bfaa1c6729f7fa00da5c9109

 

Cyber Threat Intelligence Briefing

To discuss this article or other industry developments, please reach out to one of our experts.

Billy Gouveia
Billy gouveia Senior Managing Director Email Billy
Kyle Schwaeble
Kyle schwaeble Analyst Email Kyle

CYBER INCIDENT RESPONSE: PERSPECTIVES FROM INSIDE THE RISK ECOSYSTEM

In our latest report, we examine a cyber incident from the perspective of several key stakeholders.

Download Report