The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.
- Hack-and-leak, COVID-style. Edited versions of stolen COVID-19 documents seen on cybercrime forums.
- SolarWinds update. Details about this expansive Russian campaign continue to emerge.
- Financial sector faces tougher guidelines in Singapore. The Monetary Authority of Singapore (MAS) strengthens its current guidelines on technology risk.
- Joke’s over? The largest dark web marketplace for stolen credit card details, Joker’s Stash, closes.
- Parler. Booted from AWS, finds a new home with Epik and DDoS Guard.
- Manufacturing, beware. Threat actors increasingly target ICS in manufacturing companies.
Hack-and-leak, COVID-style: edited versions of stolen COVID-19 documents seen on cybercrime forums
- Stolen COVID-19 vaccine documents were published on cybercrime forums. Pharmaceutical regulator the European Medicines Agency (EMA) confirmed that documents stolen in the December 2020 breach, which contain details about the Pfizer vaccine, have been posted on two cybercrime forums.
- Some of the published documents were edited. A review by EMA revealed that ‘some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines.’
- Reports suggest a state-sponsored actor is involved. Investigations suggest a nation state may have targeted an EMA employee working from home in order to access the documents.
So what for security teams? Ensure user access to highly sensitive data is restricted on a need-to-know basis, particularly when operating remotely.
SolarWinds update: new details about this expansive Russian campaign
- A fourth malware strain involved in the SolarWinds supply chain attack has been identified. Symantec’s researchers suggest that a strain named Raindrop was only deployed recently, and only in the networks of a few victims.
- Malwarebytes hacked by same actor as SolarWinds. The actor abused privileged access to security company Malwarebytes’ Office 365 tenant, accessing a ‘limited subset’ of internal emails.
So what? This campaign was expansive – stay abreast of the latest updates to detect how your organisation may have been affected.
Financial sector faces tougher guidelines in Singapore
- Amidst the recent series of supply chain attacks, the Monetary Authority of Singapore (MAS) revised its technology risk guidelines. The financial services industry is adopting cloud technologies and APIs at an ever-increasing rate, prompting the need for the revised guidelines.
- The guidelines include having ‘strong oversight’ of partnerships with third-party providers to ensure a high standard of diligence in safeguarding data confidentiality, integrity, and system resilience.
- The guidelines also state that organisations should appoint a CIO or CISO.
So what for security teams? Regulators are increasing scrutiny of vendor risk, so ask if your third-party security assessments cover an extensive range of security controls.
Joke’s over? The Joker’s Stash marketplace closes
- A favourite marketplace for cybercriminals, Joker’s Stash announced it will close following law enforcement operations. The marketplace was one of the largest dark web marketplaces, providing a venue to buy and sell stolen credit card details, among other activities.
- The Federal Bureau of Investigation (FBI) and Interpol seized the primary domains for the marketplace in mid-December 2020.
So what? Despite successful law enforcement operations being carried out against well-known cybercriminal operations, the threat landscape changes little as the sellers of stolen data will typically move to another marketplace.
Parler: Booted from AWS, finds a new home with Epik and DDoS Guard
- After being dropped by AWS, Parler has landed with hosting companies Epik and DDoS Guard. Following the US Capitol riots, AWS ended its web hosting agreement with Parler because Parler users were promoting violence on the platform.
- Epik hosts other extremist sites such as Gab, 8chan, and conspiracy theorist Alex Jones’ InfoWars.
- Parler also hired the Russian company DDoS Guard to protect it from cyber-attacks. Previous reporting indicates that DDoS Guard’s traffic is likely monitored by the Russian government.
So what? Parler’s move to new hosting providers shows that there are alternative options to AWS but, given the jurisdiction of DDoS Guard, Parler users may now be caught up in Russian surveillance.
Threat actors increasingly target ICS in manufacturing companies
- Manufacturing companies face increased risk of industrial espionage and ransomware, targeting industrial processes and vulnerable supply chains.
- We have also observed an increase in the number of manufacturing companies successfully breached by the four-month-old ransomware strain, Egregor.
So what? As threat actors continue to target critical operational systems, security programs must fully encompass operational technology (OT) and Industrial Control Systems (ICS).
Of the more than 120 confirmed Egregor ransomware cases we have analysed, the sector Egregor targeted the most was the manufacturing sector, accounting for at least 17 incidents.