The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- No panacea. Password manager Passwordstate urges password resets after a supply chain attack.
- Here phishy, phishy! Flubot phishing campaign targets Android devices.
- Ransomware update. Coveware reports attacks by Clop are driving increased ransom demands in Q1 and a SharePoint vulnerability continues to be exploited.
- Politicians tricked by deepfakes. MPs attend meeting with an AI-generated Russian politician.
- Emotet. Authorities remove the malware from infected machines.
- Beware the CozyBear. US agencies release advisory on Russian Intelligence Service cyber actors.
Passwordstate suffers supply chain attack
- The password manager Passwordstate has warned users to reset ‘all passwords’ following a supply chain attack. Passwordstate is an enterprise password manager, developed by Click Studios.
- The attacker compromised a software update to steal user passwords. The malicious update exposed user passwords between 20 and 22 April.
SO WHAT? Password managers are no panacea for password security, instead they can be leveraged by a threat actor for malicious purposes. If your organisation uses Passwordstate, follow Click Studios’ advisories which include checksums of the bad DLL and suggested actions.
Flubot phishing campaign targets Android devices
- A new phishing campaign is stealing passwords, bank details, and other sensitive information on Android devices. The Flubot malware is delivered via SMS, prompting victims to click a link and install a parcel tracking app. Delivery services such as DHL, Royal Mail, and Amazon are being leveraged to deceive the victims.
- Once installed, the malware gains access to the victim’s address book, enabling it to send infected text messages to all contacts.
SO WHAT? Do not click on suspicious links and only install mobile applications from official app stores. Guidance on how to identify and remove the Flubot malware can be found here.
Ransomware update: Clop uses Accellion breach to drive up ransom demands
- Coveware released data showing ransom demands increased by 48% to an average of USD 225,000 in Q1. The increase was attributed to the Clop threat group, who demanded tens of millions of dollars from victims following the Accellion breach.
- In separate news, ransomware group Wickr Me is exploiting SharePoint vulnerability CVE-2019-0604, using the ability to execute code remotely to install a web shell and ultimately deploy ransomware in the victim’s environment.
SO WHAT? Essential security measures such as a robust patch management programme can significantly reduce the risk of a successful ransomware attack.
MPs socially engineered into meeting with an AI-generated politician
- Dutch and Estonian MPs took a meeting with a deepfake version of Alexei Navalny’s campaign chief, Leonid Volkov. It is unconfirmed if the actors responsible were able to fake the Russian politician’s voice or if they edited real soundbites to mimic speech.
- Volkov calls the incident a deliberate ploy by the Kremlin to discredit politicians. The tricksters were likely aiming to make the MPs say they want to support the Russian opposition.
SO WHAT? Social engineering methods are constantly evolving and becoming more sophisticated. As deepfakes improve, we may see the need for identity verification on video calls.
US law enforcement takes significant steps in fight against Emotet
- Over the weekend, US authorities delivered a payload to infected machines within its jurisdiction designed to remove the Emotet malware. This is the latest step in a concerted global effort to disrupt the botnet, after authorities took control of its infrastructure in January this year.
- The FBI also publicly shared millions of email addresses collected by the botnet to use in its distribution campaigns. Despite the positive step, botnets are notoriously resilient, and we’ll likely see Emotet re-emerge in one form or another in the coming months.
SO WHAT? Determine whether you or your organisation’s email accounts were impacted by Emotet by checking on the HIBP site.
US agencies release roll-up on Russian cyber operations
- The FBI, DHS, and CISA have released a joint advisory on activity by actors connected to Russia’s Foreign Intelligence Service (SVR). Dubbed APT 29 or CozyBear, the SVR’s cyber actors are known to target government organisations, policy and think tank bodies, and information technology companies. The recent SolarWinds supply chain attack has been attributed to the SVR.
- The advisory features tactics, tools, and techniques to help organisations secure their network better against Russian nation-state activity.
SO WHAT? Network defenders should review the advisory and implement the recommended mitigating tactics to protect your organisation from this highly sophisticated actor.