Cyber Intelligence Briefing: 26 February 2021

Billy Gouveia, Mona Damian 26 February 2021

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.

OVERVIEW

FIN11 identified as actor behind Accellion FTA zero-day attacks

  • Cybercrime group FIN11 is likely behind recent attacks that exploited vulnerabilities in the file transfer service Accellion FTA to steal data.[1] FIN11 is extorting its victims by threatening to publish the stolen data on the Clop ransomware leak site.
  • Accellion says less than 100 of its 300 customers using the legacy FTA product are affected.[2] Canadian airplane manufacturer Bombardier is the latest organisation to publicly disclose it suffered an Accellion-related breach.[3]

So what? If you use Accellion FTA, migrate away, right away. Legacy products are typically unsupported and will not receive software fixes, leaving you vulnerable to zero-day attacks.

Federal Reserve IT outage disrupts US banking system

  • The US Federal Reserve experienced a significant IT outage on Wednesday. The issue was reportedly caused by an ‘operational error’.[4]
  • The outage impeded financial transactions and services throughout the day. Fortunately, the Federal Reserve managed to restore its systems after several hours.

So what? Organisations can improve their operational resilience by developing business continuity, disaster recovery, and incident management plans and regularly reviewing and testing them to validate information flows, decision rights, and integration points.

Victims of SolarWinds attack testify in US Senate

  • Victims discussed communication shortcomings within and between the public and private sector during the US Senate hearing on Tuesday. SolarWinds, Microsoft, FireEye, and CrowdStrike, all victims of the SolarWinds hack, criticised the lack of information sharing during breaches, and the number of authorities requiring notification.[5]
  • Executives testifying recommended greater transparency about breaches and a mandatory reporting law with liability protection.[6]

So what? Watch this space for the latest developments on regulatory and industry changes that emerge from the ongoing review.

Credential stuffing attacks against SSO

  • RIPE NCC, which assigns IPv4 and IPv6 address spaces, disclosed a failed credential stuffing attack against its infrastructure. The attack targeted RIPE NCC’s single sign-on (SSO) service and resulted in operational downtime, but no accounts were compromised.[7]
  • IPv4 addresses are both scarce and in high demand globally. Adversaries may look to hijack existing address pools.

So what? Enforce multi-factor authentication across all accounts to protect against account take-over attacks.

Social engineering delivered in a flash

  • Scammers continue to exploit trust in Google services for malicious gain. A fake update for the now-deprecated ‘Adobe Flash Player’ leveraged Google Alerts to install potentially unwanted programs (PUPs) on user devices.[8]
  • Elsewhere, threat actors posing as FedEx and DHL targeted over 10,000 Microsoft email users with a phishing attack.[9] The phishing pages bypassed security filters by hosting content on reputable domains, including Google Firebase.

So what? Beware of attackers offering fake updates for discontinued software and, when submitting credentials online, check URLs to avoid imposter sites set up to dupe you.

Silver Sparrow spreads its wings, targeting Macs

  • A new malware dubbed Silver Sparrow has infected almost 30,000 Mac devices.[10] The malware appears to target Apple’s new M1 chip, but its ultimate purpose remains unknown.
  • Silver Sparrow has primarily been detected in the US, UK, Canada, France, and Germany. The malware uses JavaScript to execute commands, making it more difficult to detect.

So what? The widely held assumption that macOS isn’t susceptible to malware is increasingly being challenged. Machines running macOS should be secured to the same standard as other endpoints, including patching regularly and monitoring for malware infections.

IN CASE YOU MISSED IT: S-RM WEBINAR - BUILDING CYBER CONFIDENCE

This webinar brings together experts from S-RM, Mullen Coughlin, Church & Dwight Co., Inc., Options Technology and Brown Advisory to provide guidance on mapping a path to cyber confidence. Our panel of specialists discusses governance, leadership, response, recovery, and how best to understand today's rapidly evolving cyber threat landscape.

References:

[1] ‘Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion’, FireEye, 22 February 2021.

[2] ‘Mandiant Identifies Criminal Threat Actor and Mode of Attacks’, Accellion, 22 February 2021.

[3] ‘Bombardier Statement on Cybersecurity Breach’, Bombardier, 23 February 2021.

[4] ‘Federal Reserve nationwide outage impacts US banking system’, Bleeping Computer, 24 February 2021.

[5] ‘Tech executives call for improved public-private coordination after SolarWinds hack’, The Wall Street Journal, 23 February 2021.

[6] ‘SolarWinds, Microsoft, FireEye, CrowdStrike defend actions in major hack – U.S Senate hearing’, Reuters, 23 February 2021.

[7] ‘RIPE NCC discloses failed brute-force attack on its SSO service’, ZDNet, 18 February 2021.

[8] ‘Warning: Google Alerts abused to push fake Adobe Flash updater’, Bleeping Computer, 21 February 2021.

[9] ‘10K Microsoft Email Users Hit in FedEx Phishing Attack’, ThreatPost, 23 February 2021.

[10] ‘Clipping Silver Sparrow’s wings: Outing macOS malware before it takes flight’, Red Canary, 18 February 2021.
