The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.
- Trending: Supply chain attacks. Further information surrounding the recent SolarWinds supply chain attack continues to come to light. Elsewhere, a North Korean threat group has recently been discovered launching its own supply chain attack.
- Privacy concerns over contact tracing. Singapore has admitted that data collected for contact-tracing is accessible by the police.
- A sea change for cyber security in the maritime industry. The White House releases a National Maritime Cybersecurity Plan while the International Maritime Organization (IMO)’s new regulations come into force.
- In other news, we bring you several ransomware updates to start your 2021, gaming credentials widely observed on the underground, and Australian Government bodies find themselves impersonated in social engineering attacks.
Trending: Supply chain attacks
- Microsoft announced last week that the threat actors behind the SolarWinds supply chain attack managed to access some of Microsoft’s source code. Fortunately, they were unable to modify any of the source code, but the fact that threat actors had sight of it is concerning to some experts. However, Microsoft has reassured customers that they should not be worried as the company professes to already have an “open source-like culture” and that it does not “rely on the secrecy of source code for the security of products”.
- Security researchers have revealed that a North Korean threat group, Thallium, has launched its own supply chain attack, targeting users of a stock investment messenger application by altering the software to transmit malicious code. Thallium has traditionally been associated with phishing attacks but has seemingly now also started employing more sophisticated methods to target its victims.
So what? Supply chain attacks involve the breach of a target’s system through the introduction of malicious code into third-party software that has access to the target’s system. Such attacks significantly alter and increase the threat landscape and require organisations to pay more attention to third-party risk, especially when terminating a vendor relationship. Although it is necessary for organisations to protect themselves, the management of third-party risk is also increasingly becoming part of regulatory obligations.
Singaporean police access to contact-tracing data raises privacy concerns
- Singapore contact-tracing data is accessible by police. Singapore’s TraceTogether programme for tracing close contacts of people infected with COVID-19 is currently used by about 80 percent of residents after the government made it mandatory for accessing particular public facilities. However, a member of the Singapore parliament admitted that police could ‘…obtain any data…’ collected under TraceTogether during the course of a criminal investigation.
- While it later emerged that police had accessed the TraceTogether data only once, during a murder probe, Singaporeans expressed anger online, and Human Rights Watch accused the government of undermining the right to privacy.
- This development comes after the Australian Government refused a police request for access to the Australian COVID-19 contact tracing data in April 2020.
So what? This story highlights the growing recognition of the right to privacy globally, independent of the circumstances. As consumers consider privacy a fundamental right, organisations must take steps to ensure that data protection measures are in place. The location of this data, the retention period, the data custodian, and the security controls set up to protect the data should be documented in a centralised register.
A sea change: New regulations for the maritime industry
- The new year ushered in new regulations for the maritime industry, with the IMO making cyber risk part of all existing safety management systems from 1 January. The key change is that shipowners will need to demonstrate that the appropriate cyber security measures are in place as part of their safety management audits.
- In late December, President Donald Trump issued the National Maritime Cybersecurity Plan, which seeks to establish internationally recognised standards for maritime cyber risk measurement and mitigation. The plan covers a wide array of actions, including strengthening cyber security requirements for companies involved in port service contracts and leasing.
So what? Both the IMO regulations and the White House’s plan exemplify the pressure that regulatory bodies will be putting on the maritime industry to address its security challenges in 2021. Given the criticality of the maritime sector for the global economy, and the various high-profile incidents that have plagued the industry in recent years, it is high time for maritime organisations to focus more on their cyber security.
Ransomware: Ryuk continues to target the healthcare sector, and a new strain identified
- Cyber security incidents targeting the healthcare industry increased at more than twice the rate of attacks targeting any other sector in the last two months. The largest increase in attack type was predictably ransomware, with threat groups Ryuk and Sodinokibi largely responsible for this activity. Check Point observed the largest increase in incidents in Canada (250%), Germany (220%) and Spain (200%).
- In other ransomware news, it did not take long for the first new strain of 2021 to be identified. Dubbed Babuk Locker, the strain does not appear to be used by a sophisticated threat actor, but it does use a strong encryption algorithm to prevent users from decrypting their infected files for free. At this stage, the targets appear to be multinational manufacturing companies, with an average ransom demand of around $80,000.
- Also on our radar… the transparency-focused activist group, Distributed Denial of Secrets, is mining and making data troves stolen by ransomware criminals available. The group argues its endeavours to increase transparency are in the public interest; others caution that publishing this data will exacerbate the problem of cybercriminals using data as another lever to pressure victims into paying a ransom. Wired has the details.
So what? Ransomware continues to be the weapon of choice for many financially motivated cybercriminal groups. This is unlikely to stop any time soon as ransomware strains, extortion methods (including the publishing of stolen data) and threat groups continue to proliferate, and ransom demands continue to increase. As such, staying informed of the latest intelligence about these groups and methods is important for effective prevention and response.
News from the underground: Gaming credentials increasingly sought after on the dark web
- Nearly one million compromised accounts promising access to video game companies are listed for sale on dark web forums, according to security company Kela. The accounts belong to both gaming company employees and gaming users. At least half of the dark web listings were made in 2020.
- Gaming companies are an increasingly high-value target for cybercriminals. With the industry projected to reach $200 billion in revenue by 2022, it is not surprising that the criminal underground is turning its focus on the gaming sector.
So what? Kela found that a majority of the credentials posted for sale can be traced back to older, third-party breaches. This illustrates the importance of discouraging your employees from signing up to third-party services (such as the latest gaming platform) using corporate email addresses. Once breached, that information is recycled by criminals and used to perform account take-over attacks.
So what for gaming companies? This research, and other evidence, indicates that the gaming sector is of increasing interest to cybercriminals. The leak of data from the two gaming giants Ubisoft and Crytek by ransomware group Egregor in October 2020 served as a further reminder that it is high time the gaming world invested more in enhancing its security, for the sake of both gaming organisations and their customers.
Social Engineering: Hi, this is your government speaking…
- The Australian Government has issued a warning about an ongoing social engineering campaign in which threat actors are impersonating the Australian Cyber Security Centre (ACSC) in an attempt to infect targets with malware. The threat actors’ goal is reportedly to steal their victims’ banking information.
- In addition to sending emails, the threat actors are allegedly also calling Australians via mobile phone, claiming to be from the ACSC and convincing them that their computer has been compromised.
So what? Phishing attacks are not the only form of social engineering attacks that individuals and organisations need to protect themselves against. Vishing, where a threat actor impersonates a trusted party over a telephone call, is just as dangerous as, and can often be more difficult to identify than, conventional phishing attacks. It is important for organisations to ensure that their employees are aware of the various methods of attack they are faced with and are familiar with how to identify them and prevent them from being successful.
INDICATORS OF COMPROMISE
The Indicators of Compromise (IOCs) below offer a snapshot of the forensic artefacts currently known to be associated with the SolarWinds supply chain attack.