
Cyber Intelligence Briefing: 22 January 2021

Billy Gouveia, Mona Damian 22 January 2021


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.

OVERVIEW

Cyber Threat Intelligence Briefing

Hack-and-leak, COVID-style

  • Stolen COVID-19 vaccine documents were published on cybercrime forums. Pharmaceutical regulator European Medicines Agency (EMA) confirmed that documents stolen in the December 2020 hack, which contain details on the Pfizer vaccine, have been posted on two cybercrime forums.[1]
  • Some of the published documents were edited. A review by EMA revealed that ‘some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines.’[2]
  • Reports suggest a state-sponsored actor is involved. Investigations suggest a nation state may have targeted an EMA employee working at home to access the documents.[3]

So what for security teams? Ensure user access to highly sensitive data is restricted on a need-to-know basis, particularly when operating remotely.

SolarWinds update: new details about this expansive Russian campaign

  • A fourth malware strain involved in the SolarWinds supply chain attack has been identified. Symantec’s researchers suggest that a strain named Raindrop was only deployed recently in the networks of a few victims.[4]
  • Malwarebytes hacked by the same actor as SolarWinds. The actor abused privileged access to security company Malwarebytes’ Office 365 tenant, accessing a ‘limited subset’ of internal emails.[5]

So what? This campaign was expansive: stay abreast of the latest updates to detect how your organisation may have been affected.

Financial sector faces tougher guidelines in Singapore

  • Amidst the recent series of supply chain attacks, the Monetary Authority of Singapore (MAS) revised its technology risk guidelines. The financial service industry is leveraging cloud technologies and APIs at an ever-increasing rate, prompting the need for the revised guidelines.[6]
  • The guidelines include having ‘strong oversight’ of partnerships with third-party providers to ensure a high standard of diligence in safeguarding data confidentiality, integrity, and system resilience.[7]
  • The guidelines also state that organisations should appoint a CIO or CISO.

So what for security teams? Regulators are increasing scrutiny of vendor risk, so ask if your third-party security assessments cover an extensive range of security controls.

Joke’s over? The Joker’s Stash marketplace closes

  • A favourite marketplace for cybercriminals, Joker’s Stash announced it will close following law enforcement operations. The marketplace was one of the largest dark web marketplaces, providing a venue to buy and sell stolen credit card details, among other activities.[8]
  • The Federal Bureau of Investigation (FBI) and Interpol seized the primary domains for the marketplace in mid-December 2020.[9]

So what? Despite successful law enforcement operations being carried out against well-known cybercriminal operations, the threat landscape changes little as the sellers of stolen data will typically move to another marketplace.

Parler: Booted from AWS, finds a new home with Epik and DDoS Guard

  • After being dropped by AWS, Parler has landed with hosting companies Epik and DDoS Guard. Following the US Capitol riots, AWS ended their previous web hosting agreement due to Parler users promoting violence on their platform.[10]
  • Epik hosts other extremist sites such as Gab, 8chan, and conspiracy theorist Alex Jones’ InfoWars.[11]
  • Parler also hired the Russian company DDoS Guard to protect it from cyber-attacks. Previous reporting indicates that DDoS Guard’s traffic is likely monitored by the Russian government.[12]

So what? Parler’s move to new hosting providers shows that there are alternative options to AWS but, given the jurisdiction of DDoS Guard, Parler users may now be caught up in Russian surveillance.

Threat actors increasingly target ICS in manufacturing companies

  • Manufacturing companies face increased risk of industrial espionage and ransomware, targeting industrial processes and vulnerable supply chains.[13]
  • We have also observed an increase in the number of manufacturing companies successfully breached by the four-month-old ransomware strain, Egregor.[14]

So what? As threat actors continue to target critical operational systems, security programs must fully encompass operational technology (OT) and Industrial Control Systems (ICS).

References:

[1] ‘Documenti Riservati di EMA sul Vaccino Pfizer Trovati nel Dark Web’, Yarix, 11 January 2021.

[2] ‘Cyberattack on EMA’, EMA, 15 January 2021.

[3] ‘War es ein Geheimdienst?’, Tagesschau, 17 January 2021.

[4] ‘Fourth malware strain discovered in SolarWinds incident’, ZDNet, 19 January 2021.

[5] ‘Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach. Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments’, Malwarebytes, 19 January 2021.

[6] ‘Singapore tightens cyber defence guidelines for financial services sector’, ZDNet, 18 January 2021.

[7] ‘Technology Risk Management Guidelines’, MAS, 18 January 2021.

[8] ‘Joker’s Stash Carding Market to Call it Quits’, Krebs on Security, 18 January 2021.

[9] Source: Brian Krebs, Twitter.

[10] ‘Amazon cuts off Parler’s Web hosting following Apple, Google bans’, Ars Technica, 10 January 2021.

[11] ‘Parler's new registrar, Epik, is the right wing's best friend’, Fortune, 19 January 2021.

[12] ‘Hamas May Be Threat to 8chan, QAnon Online’, Krebs on Security, 5 January 2021.

[13] ‘Manufacturing sector is increasingly a target for adversaries’, Cyber Wire, 16 January 2021.

[14] Of the more than 120 confirmed Egregor ransomware cases we have analysed, the sector Egregor targeted the most was the manufacturing sector, accounting for at least 17 incidents.
