The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- Meat operations butchered. World’s largest meat processor disrupted after ransomware attack.
- DOJ steps in. US Department of Justice seizes web domains used in spear-phishing campaign.
- The more the merrier. Password data identified in FBI investigations will be uploaded to Have I Been Pwned.
- One more down. Dark web marketplace Le Monde Parallèle seized by French authorities.
- New ransomware spotted. Researchers identify new ransomware – Epsilon Red.
World’s largest meat producer suffers ransomware attack
- Threat actors disrupted the Australian and North American operations of JBS, the world’s largest meat processor. There are concerns that the attack could drive up meat prices across the US.
- The FBI has attributed the attack to the REvil threat group, likely based in Russia. The White House is engaging directly with the Russian government over the incident.
SO WHAT? Companies that play a critical role in supply chains are increasingly being targeted by ransomware groups for various reasons, including larger and quicker ransom payments due to the critical nature of their victims’ operations.
US Department of Justice (DOJ) tackles cyberespionage
- The DOJ has seized two web domains used in a cyberespionage spear-phishing campaign. The hackers impersonated the US Agency for International Development (USAID) to distribute emails containing malicious URLs.
- The hackers, aligned to the Russian-backed group Nobelium, used the domains to receive exfiltrated data and execute malware commands. Over 3,000 email accounts at more than 150 organisations have been targeted – victims include government agencies, think tanks, and NGOs.
- The two seized domains are theyardservice[.]com and worldhomeoutlet[.]com. Further domain indicators of compromise can be found here.
SO WHAT? The DOJ’s actions offer interesting and encouraging insight into the US government’s increasingly proactive approach to disrupting and responding to cyberespionage and cybercriminal campaigns.
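For defenders, the practical follow-up to a seizure notice like this is a retrospective sweep of DNS and proxy telemetry for the named domains. The script below is an added illustration (not S-RM's or the DOJ's code) that refangs the two domains listed above and matches them, label-aligned, against a handful of constructed log lines; the log format and client addresses are hypothetical, and the IoC list would normally be extended with the full set of published indicators.

```python
import re
from collections import defaultdict

# The two domains named in the DOJ seizure, written defanged as on the page and refanged for matching.
SEIZED_DOMAINS = {d.replace("[.]", ".") for d in ("theyardservice[.]com", "worldhomeoutlet[.]com")}

# Constructed sample telemetry (hypothetical clients and timestamps, not real logs):
# a mix of resolver queries and web-proxy records in a simple key=value layout.
SAMPLE_LOGS = """\
2021-05-27T09:14:02Z dns client=10.0.4.21 query=update.theyardservice.com type=A
2021-05-27T09:14:03Z proxy client=10.0.4.21 url=https://update.theyardservice.com/api/a verb=POST bytes_out=51200
2021-05-27T09:20:11Z dns client=10.0.7.8 query=www.example.org type=A
2021-05-27T10:02:45Z proxy client=10.0.9.3 url=https://worldhomeoutlet.com/products verb=GET bytes_out=0
2021-05-27T10:05:00Z dns client=10.0.9.3 query=notworldhomeoutlet.com type=A
"""

# Pull the hostname out of either a resolver query or a proxied URL.
HOST_RE = re.compile(r"(?:query=|url=https?://)([A-Za-z0-9.-]+)")


def host_matches(host, ioc_domains=SEIZED_DOMAINS):
    """True if host equals an IoC domain or is a subdomain of one.

    Matching is label-aligned, so 'notworldhomeoutlet.com' does NOT match
    'worldhomeoutlet.com', while 'update.theyardservice.com' does match.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def sweep_logs(log_text, ioc_domains=SEIZED_DOMAINS):
    """Return {client_ip: [matching log lines]} for every line that touched an IoC domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = HOST_RE.search(line)
        if not m or not host_matches(m.group(1), ioc_domains):
            continue
        client = re.search(r"client=(\S+)", line)
        hits[client.group(1) if client else "unknown"].append(line)
    return dict(hits)


if __name__ == "__main__":
    for client, lines in sweep_logs(SAMPLE_LOGS).items():
        print(f"{client}: {len(lines)} hit(s)")
        for entry in lines:
            print("   ", entry)
```

A hit on the resolver log alone shows a lookup; pairing it with the proxy record (here a POST with a non-zero `bytes_out`) is what turns it into a candidate exfiltration event worth escalating.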
Have I Been Pwned database expands with participation of the FBI
- Have I Been Pwned (HIBP) is a popular resource for checking if emails or passwords have been involved in a data breach. HIBP data has been incorporated into password managers and helps users know when to change login details or avoid certain passwords.
- The FBI will now expand the database by uploading compromised password data it has identified during its own investigations. The uploaded data will not include personal user details.
SO WHAT? Attackers routinely use lists of compromised passwords to further their attacks. The more comprehensive the HIBP database, the more effective it will be in preventing the use of compromised passwords.
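The mechanism that lets password managers and sign-up forms consult HIBP without disclosing the password is a k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex characters to the Pwned Passwords range endpoint, receives every suffix in that bucket with its breach count, and finishes the comparison locally. The code below is an added example (not HIBP's or S-RM's code) of that client-side logic; the `fake_fetch_range` stand-in and its bucket contents, including the count, are constructed so the example runs offline, and in production it would be replaced by an HTTPS GET to `https://api.pwnedpasswords.com/range/<prefix>`.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the Pwned Passwords service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """Return (5-char prefix sent to the service, 35-char suffix kept on the client)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the corpus, or 0 if absent.

    fetch_range(prefix) returns the response body text for that prefix; only the
    five-character prefix ever leaves the client.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed offline stand-in for the API (hypothetical bucket, hypothetical count).
WEAK_PASSWORD = "password"
_prefix, _suffix = split_hash(WEAK_PASSWORD)
FAKE_BUCKETS = {
    _prefix: "\n".join([
        "0" * 34 + "1:2",          # filler entry sharing the same prefix
        f"{_suffix}:12345",        # the weak password's suffix, with a made-up count
        "F" * 35 + ":1",           # another filler entry
    ]) + "\n"
}


def fake_fetch_range(prefix: str) -> str:
    """Offline substitute for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return FAKE_BUCKETS.get(prefix, "")


if __name__ == "__main__":
    for candidate in (WEAK_PASSWORD, "a-long-passphrase-no-one-has-leaked-7Q"):
        n = pwned_count(candidate, fake_fetch_range)
        verdict = "reject" if n else "accept"
        print(f"{candidate!r}: seen {n} time(s) -> {verdict}")
```

A registration or password-change flow would call `pwned_count` and reject any non-zero result; because the full hash never leaves the client, the check adds no exposure even if the lookup traffic is observed.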
- WhatsApp’s change of course follows the decision in early May by Hamburg’s data protection commissioner to ban the company from processing WhatsApp user data for three months. WhatsApp notes that most users have already accepted the new data sharing terms.
SO WHAT? WhatsApp collects extensive data about its users. There are several less-invasive instant messaging apps available to users who are concerned about their privacy.
French authorities seize the dark web marketplace Le Monde Parallèle (LMP)
- Thousands of users and criminals used LMP as both a marketplace and discussion forum. In addition to selling carding data and weapons, LMP helped criminals identify partners for committing crimes across France and Europe.
- The French authorities arrested two LMP administrators and seized several thousand euros in cryptocurrency. The LMP take-down follows the seizure of other large French-speaking criminal platforms in 2018 and 2019.
SO WHAT? Organised crime continues to flourish online, resulting in a cat-and-mouse game with authorities. Unfortunately, when one site is taken down, users quickly move on to another.
Epsilon Red: New ransomware strain identified
- A new strain of ransomware, Epsilon Red, has been identified targeting a US-based hospitality company. The ransomware strain threatens business disruption as there are no restrictions on encrypting file types and folders.
- The ransomware’s initial point of entry appears to be an unpatched on-premises enterprise Microsoft Exchange server, possibly leveraging the ProxyLogon vulnerabilities which were disclosed by Microsoft in March 2021.
SO WHAT? While 92% of all internet-connected on-premises Microsoft Exchange servers have now been patched, ensure your organisation does not fall within the 8% by following Microsoft’s guidance.