The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- UK Labour Party suffers data breach. Members’ details compromised.
- Ransomware’s new strategy. Publicly held companies targeted at significant financial events.
- HelloKitty ransomware. Ransomware group adds DDoS to list of extortion tactics.
- Attacks against critical infrastructure. Healthcare and finance sectors affected in Canada and Pakistan, respectively.
- Shadow war. Iranian threat actor leaks sensitive data from a hospital and an Israeli LGBTQ+ dating site.
- 5G attacks. US NSA warns of threat actors compromising 5G networks via cloud resources.
1. UK Labour Party suffers another data breach
The UK Labour Party disclosed on Wednesday that personal data belonging to its members and other individuals who provided their information to the party had been exposed in a data breach. The incident occurred after a supplier processing the party’s data suffered a ransomware attack. The Labour Party became aware of the incident on 29 October.
In 2020, the Labour Party disclosed a similar data breach following a cyber-attack on its cloud software provider Blackbaud.
SO WHAT? Victims of data breaches often become the targets of social engineering attacks, because the stolen details let attackers make their messages look legitimate. If your data is exposed in a data breach, you should be extra vigilant when receiving unexpected emails, phone calls, and text messages, particularly those that reference the breached organisation or press you to act quickly.
2. FBI warns of new ransomware extortion tactic
The FBI has warned that ransomware groups are adapting the timing of their attacks to target publicly held companies involved in “significant, time-sensitive financial events”, such as initial public offerings or corporate mergers & acquisitions (M&A). Certain groups are even threatening to impact stock prices by releasing sensitive information regarding the relevant financial event.
Using sensitive information as leverage is not a new method of attack for such groups; however, adapting strategies to target organisations at critical financial junctures demonstrates the growing sophistication of today’s ransomware gangs.
SO WHAT? Organisations should have a heightened security awareness when approaching significant financial events. Penetration tests and thorough assessments of information security controls are recommended.
3. HelloKitty ransomware group expands extortion tactics
The FBI has also published an alert warning that the HelloKitty ransomware group is now using Distributed Denial of Service (DDoS) attacks on their victims’ websites as another method of extortion.
HelloKitty is also known to exfiltrate data and post it online, or sell it to a third party, if a victim fails to pay the ransom.
SO WHAT? When preparing for a ransomware attack, organisations should consider and plan a response to the various extortion techniques they may face, including data leaks and DDoS. DDoS mitigation (for example, upstream traffic scrubbing or a content delivery network with DDoS protection) should be arranged before an incident, as it is difficult to procure and configure while a site is already under attack.
4. Attacks against critical sectors in Canada and Pakistan
- A cyber-attack has caused significant disruption to the healthcare services in Newfoundland and Labrador, Canada. The suspected ransomware attack, which took place on 30 October, resulted in numerous healthcare systems shutting down and thousands of medical appointments being cancelled. There are also reports of people struggling to reach 911 emergency services by phone.
- Separately, a cyber-attack paralysed the operations of the National Bank of Pakistan last week, impacting the bank's ATMs, internal network, and mobile applications. Initial indications are that the incident primarily involved data destruction and not ransomware.
SO WHAT? Organisations operating in critical national infrastructure are amongst the most attractive targets for threat actors due to the potential impact of a successful cyber-attack. Regular penetration tests and well-thought-out crisis plans are vital components of a sophisticated cyber security programme.
5. The shadow war rages on
BlackShadow, an Iran-backed threat actor, has claimed responsibility for an attack on CyberServe, a hosting company based in Israel. The threat actor has subsequently leaked user data stolen from an Israeli LGBTQ+ dating website that was hosted by CyberServe as well as sensitive medical data for 290,000 Israeli patients of Machon Mor Medical Institute.
Many analysts suspect the incident to be politically motivated amidst tensions between Iran and Israel. The incident also follows a cyber-attack on Iran’s petrol distribution system, which caused widespread disruption in the country, and was covered in last week’s Cyber Intelligence Briefing.
SO WHAT? The political environment within which organisations operate can have a significant impact on their risk profile and should be considered during risk assessment exercises.
6. NSA warns of threat actors compromising 5G networks via cloud resources
The US National Security Agency (NSA) and US Cybersecurity and Infrastructure Security Agency (CISA) have published an advisory warning that threat actors could compromise entire 5G networks by exploiting vulnerable cloud resources. The advisory highlights attack vectors such as exploiting insecure identity and access management (IAM) policies, out-of-date or vulnerable software, and insecure network configurations.
As the first piece in a four-part series, the advisory focuses on recommendations for mitigating the risk of lateral movement in case an attacker gains access to a 5G cloud resource. The rest of the series will be released on the NSA’s advisory page in the coming weeks.
SO WHAT? As 5G becomes more prominent, establishing the security of its underlying infrastructure is crucial. This advisory series should provide the US telecommunications industry with resources to help harden their 5G infrastructure, a key step in defending against potential attacks.
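To make the "insecure IAM policy" vector concrete, the following is an added example written for this briefing; it is not from the NSA/CISA advisory and not a vendor tool. It lints AWS-style IAM policy documents for the over-broad grants that turn a single compromised cloud workload into a lateral-movement foothold: wildcard actions, wildcard resources, and role assumption into any role or without a condition pinning the caller. Both policies, the bucket name, the role names and the VPC ID are constructed for the example and do not correspond to any real deployment.

```python
"""
Lint AWS-style IAM policy documents for over-broad Allow statements.

Added illustration for the NSA/CISA 5G cloud advisory discussion; not the
advisory's own tooling. The policy JSON below is constructed for the example,
and the checks are a deliberately minimal subset of what a real linter applies.
"""
import json

# Constructed sample: the kind of weak policy a 5G core tenant might ship with.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::123456789012:role/*"},
    ],
})

# Constructed sample: the same intent, scoped to what the workload needs.
# Bucket, role name and VPC ID are hypothetical.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::ran-config-bucket/*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::123456789012:role/amf-reader",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0abc1234"}}},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return a list of (statement_index, finding) tuples for Allow statements."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be an object
        statements = [statements]

    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # Global ("*") or service-wide ("iam:*") action grants let whoever
        # lands on this identity do anything the service offers.
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((idx, "ACTION_WILDCARD"))

        # A bare "*" resource removes the scope boundary entirely.
        if any(r == "*" for r in resources):
            findings.append((idx, "RESOURCE_WILDCARD"))

        # Role assumption into any role, or without a Condition restricting the
        # caller, is the classic cloud lateral-movement path.
        if any(a.lower() == "sts:assumerole" for a in actions):
            if any(r == "*" or r.endswith("*") for r in resources):
                findings.append((idx, "ASSUME_ROLE_ANY_ROLE"))
            elif "Condition" not in stmt:
                findings.append((idx, "ASSUME_ROLE_UNCONDITIONED"))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_policy(doc) or "no findings")
```

The weak policy produces three findings (global action and resource wildcards on the first statement, any-role assumption on the second); the hardened policy produces none because each grant names a specific resource and the AssumeRole statement is conditioned on the source VPC. In practice this kind of check belongs in the pipeline that deploys the policy, so that a change widening a grant is caught before it reaches the 5G cloud environment.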