The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
Top news stories this week
- Watch out. Royal, Emotet, and Black Basta launch new ransomware campaigns.
- Boa constricted. Critical Indian infrastructure compromised through long-discontinued software.
- Meta malfeasance. Meta fires employees for helping hackers take over user accounts.
- Fly-by-night. AirAsia loses details of five million passengers in Daixin Team ransomware hack.
- Call me back. Cybercriminal group uses dedicated call centres in targeted phishing attacks.
- Killnet Strikes Again. European Parliament suffers DDoS attack by Russian hacker group.
- Leaking PII. Amazon’s Relational Database Service leaks sensitive data.
1. ONGOING CAMPAIGNS DEPLOYING ROYAL, EMOTET AND BLACK BASTA MALWARE
S-RM has observed ongoing campaigns employing a variety of methods to access victims’ networks:
- Royal ransomware is being distributed through phishing emails, fake updates, and malvertising links in an attempt to breach networks and encrypt them with file-locking malware.
- Emotet malware is being distributed through hundreds of thousands of daily malicious emails, with a focus on US organisations. Emotet serves as a dropper for further malware strains.
- The ransomware group Black Basta is utilising spear phishing to distribute the QakBot trojan. After creating a backdoor, the trojan deploys Cobalt Strike, a legitimate adversary-simulation tool that is frequently abused by attackers.
The threat landscape is constantly evolving and threat actors use novel tactics, techniques and procedures (TTPs) to target their victims. S-RM recommend that organisations adopt a defence-in-depth approach to minimise the impact of a ransomware attack.
2. VULNERABLE AND DISCONTINUED BOA WEB SERVER STILL WIDELY USED IN IOT DEVICES
State-backed Chinese hacking groups compromised Indian critical infrastructure last year after targeting vulnerable Boa web servers, software that was discontinued in 2005. Open-source code from the Boa web server is still commonly included in software development kits for Internet of Things (‘IoT’) devices such as routers and cameras.
Organisations should regularly review the software in use across the supply chain, and replace discontinued services as a priority. Embedded open-source code can pose a particular security risk.
3. META FIRES EMPLOYEES FOR HIJACKING USER ACCOUNTS
Over the past year, Meta have allegedly fired or disciplined over two dozen employees and contractors for abusing an internal tool called ‘Oops’ (Online Operations). The tool allows access to Facebook’s and Instagram’s account recovery process. A number of employees reportedly received bribes from hackers in exchange for abusing their internal access.
Insider threats can cause major reputational damage. Organisations must embed a strong culture of cyber security awareness across all levels.
4. DAIXIN TEAM CRITICISES AIRASIA OVER POOR CYBER HYGIENE AFTER HACK
Malaysian low-cost airline AirAsia was hit by ransomware group Daixin Team. The group claimed poor security controls, “the chaotic organization of the network”, and “the absence of any standards” as the primary cause of the attack. The attack has resulted in personally identifiable information of five million passengers being stolen.
As ransomware attacks are becoming increasingly common, it is important to have an effective incident response plan in place. This should include a communications strategy that can quickly address public concerns in the event of an attack.
5. CALL BACK PHISHING CAMPAIGN
Luna Moth, a recently established data exfiltration group, has been observed deploying a highly organised call back phishing campaign. The group distributes customised phishing emails to victims in an attempt to persuade them to contact the group-controlled call centres. Victims are then requested to download legitimate Remote Access Tools, which enable sensitive data exfiltration.
Organisations must take precautionary measures when interacting with correspondence that originates from outside of their organisation. Organisations must also conduct regular phishing awareness campaigns that emulate current attack trends.
6. KILLNET STRIKES AFTER EU PARLIAMENT’S RUSSIAN SANCTIONS DESIGNATION
Pro-Russia hacktivist group Killnet has claimed responsibility for a distributed denial of service (‘DDoS’) attack targeting the European Parliament. After the EU Parliament passed a resolution that described Russia as a state sponsor of terrorism, part of its website was rendered inoperable and inaccessible for several hours. Access to the website has since been restored.
7. AMAZON’S RELATIONAL DATABASE SERVICE LEAKS PII
Researchers discovered that hundreds of Amazon Relational Database Service (RDS) instances are inadvertently leaking personally identifiable information (PII) online. The exposure resulted from ‘snapshots’, a feature allowing users to share a point-in-time copy of a database with other AWS accounts, being left publicly accessible. Organisations using RDS should audit the sharing attributes of their manual snapshots and remove public access wherever it is not explicitly intended.
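The audit described above, as an added example that is not part of the original briefing or of the researchers’ work: RDS records sharing on a manual snapshot in its ‘restore’ attribute, and the literal value ‘all’ in that attribute means the snapshot is public. The script below separates the decision logic (testable offline on constructed sample data) from the AWS calls; it assumes the boto3 library and AWS credentials with rds:Describe* and rds:ModifyDBSnapshotAttribute permissions, and the snapshot names and the account id 123456789012 are constructed placeholders.

```python
"""Find, and optionally remediate, publicly shared Amazon RDS snapshots.

Only manual, unencrypted snapshots can be made public, so the audit
walks manual snapshots and inspects each one's 'restore' attribute.
"""
from __future__ import annotations

from typing import Callable, Iterable

PUBLIC_MARKER = "all"  # AWS's literal meaning "shared with every AWS account"
RESTORE_ATTRIBUTE = "restore"


def restore_values(attributes_result: dict) -> list[str]:
    """Extract the account list from a DBSnapshotAttributesResult dict."""
    for attr in attributes_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == RESTORE_ATTRIBUTE:
            return list(attr.get("AttributeValues", []))
    return []


def is_public(attributes_result: dict) -> bool:
    """True when the restore attribute contains 'all', i.e. the snapshot is public."""
    return PUBLIC_MARKER in restore_values(attributes_result)


def shared_accounts(attributes_result: dict) -> list[str]:
    """Explicit account ids the snapshot is shared with, excluding the public marker."""
    return [v for v in restore_values(attributes_result) if v != PUBLIC_MARKER]


def find_public_snapshots(snapshots: Iterable[dict],
                          get_attributes: Callable[[str], dict]) -> list[dict]:
    """Return one finding per public snapshot; get_attributes fetches the attribute result."""
    findings = []
    for snap in snapshots:
        snapshot_id = snap["DBSnapshotIdentifier"]
        result = get_attributes(snapshot_id)
        if is_public(result):
            findings.append({
                "snapshot": snapshot_id,
                "instance": snap.get("DBInstanceIdentifier"),
                "encrypted": bool(snap.get("Encrypted", False)),
                "shared_with": shared_accounts(result),
            })
    return findings


def remediation_call(finding: dict) -> dict:
    """Keyword arguments for rds.modify_db_snapshot_attribute that revoke public access only.

    Explicit account-to-account shares in the finding are deliberately left in place.
    """
    return {
        "DBSnapshotIdentifier": finding["snapshot"],
        "AttributeName": RESTORE_ATTRIBUTE,
        "ValuesToRemove": [PUBLIC_MARKER],
    }


# Constructed sample data in the shape boto3 returns; not taken from any real account.
SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "orders-db-2022-11-20", "DBInstanceIdentifier": "orders-db", "Encrypted": False},
    {"DBSnapshotIdentifier": "crm-db-migration", "DBInstanceIdentifier": "crm-db", "Encrypted": False},
    {"DBSnapshotIdentifier": "hr-db-weekly", "DBInstanceIdentifier": "hr-db", "Encrypted": True},
]
SAMPLE_ATTRIBUTES = {
    "orders-db-2022-11-20": {"DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]},
    # Shared with one partner account and, by mistake, with everyone.
    "crm-db-migration": {"DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012", "all"]}]},
    "hr-db-weekly": {"DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]},
}


def audit_sample() -> list[dict]:
    """Run the audit logic over the constructed sample (no AWS access needed)."""
    return find_public_snapshots(SAMPLE_SNAPSHOTS, SAMPLE_ATTRIBUTES.__getitem__)


def audit_account(region: str, remediate: bool = False) -> list[dict]:
    """Run the same audit against a real AWS region; requires boto3 and credentials."""
    import boto3  # imported here so the offline parts of the module work without it

    rds = boto3.client("rds", region_name=region)
    snapshots: list[dict] = []
    for page in rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual"):
        snapshots.extend(page["DBSnapshots"])

    def get_attributes(snapshot_id: str) -> dict:
        resp = rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=snapshot_id)
        return resp["DBSnapshotAttributesResult"]

    findings = find_public_snapshots(snapshots, get_attributes)
    if remediate:
        for finding in findings:
            rds.modify_db_snapshot_attribute(**remediation_call(finding))
    return findings


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"PUBLIC snapshot {finding['snapshot']} (instance {finding['instance']}), "
              f"also shared with {finding['shared_with'] or 'nobody'}")
```

Run `audit_account("eu-west-1")` in each region where RDS is used, since snapshot sharing is regional; the remediation only strips the public marker and keeps deliberate cross-account shares, which should then be reviewed against a list of approved partner accounts.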