
Cyber Intelligence Briefing: 8 January 2021

Billy Gouveia, Mona Damian 8 January 2021

CYBER INCIDENT RESPONSE: PERSPECTIVES FROM INSIDE THE RISK ECOSYSTEM

In our latest report, we examine a cyber incident from the perspective of several key stakeholders.

Download Report

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.

OVERVIEW

  • Trending: Supply chain attacks. Further information surrounding the recent SolarWinds supply chain attack continues to come to light. Elsewhere, a North Korean threat group has recently been discovered launching its own supply chain attack.
  • Privacy concerns over contact tracing. Singapore has admitted that data collected for contact-tracing is accessible by the police.
  • A sea change for cyber security in the maritime industry. The White House releases a National Maritime Cybersecurity Plan while new regulations from the International Maritime Organization (IMO) come into force.
  • In other news, we bring you several ransomware updates to start your 2021, gaming credentials widely observed on the underground, and Australian Government bodies find themselves impersonated in social engineering attacks.

Cyber Threat Intelligence Briefing

Security Round-up

Trending: Supply chain attacks

  • Microsoft announced last week that the threat actors behind the SolarWinds supply chain attack managed to access some of Microsoft’s source code.[1] Fortunately, they were unable to modify any of the source code, but the fact that threat actors had sight of it is concerning to some experts. However, Microsoft has reassured customers that they should not be worried as the company professes to already have an “open source-like culture” and that it does not “rely on the secrecy of source code for the security of products”.[2]
  • Security researchers have revealed that a North Korean threat group, Thallium,[3] has launched its own supply chain attack, targeting users of a stock investment messenger application by altering the software to transmit malicious code.[4] Thallium has traditionally been associated with phishing attacks but has seemingly now also started employing more sophisticated methods to target its victims.

So what? Supply chain attacks breach a target’s systems by introducing malicious code into third-party software that already has access to those systems. Such attacks broaden the threat landscape and require organisations to pay more attention to third-party risk, especially when terminating a vendor relationship. Although it is necessary for organisations to protect themselves, the management of third-party risk is also increasingly becoming part of regulatory obligations.

Singaporean police access to contact-tracing data raises privacy concerns

  • Singapore contact-tracing data is accessible by police. Singapore’s TraceTogether programme for tracking close contacts of people infected with COVID-19 is currently used by about 80 percent of residents after the government made it mandatory for accessing particular public facilities. However, a member of the Singapore parliament admitted that police could ‘…obtain any data…’ collected under TraceTogether during the course of a criminal investigation.[5]
  • While it was later found that police had accessed the TraceTogether data only once, during a murder probe, Singaporeans voiced anger online, and Human Rights Watch accused the government of undermining the right to privacy.
  • This development comes after the Australian Government refused a police request for access to the Australian COVID-19 contact tracing data in April 2020.[6]

So what? This story highlights the growing recognition of the right to privacy globally, independent of the circumstances. As consumers consider privacy a fundamental right, organisations must take steps to ensure that data protection measures are in place. The location of this data, the retention period, the data custodian, and the security controls set up to protect the data should be documented in a centralised register.

A sea change: New regulations for the maritime industry

  • The new year ushered in new regulations for the maritime industry, with the IMO making cyber risk part of all existing safety management systems from 1 January.[7] The key change is that shipowners will need to demonstrate that the appropriate cyber security measures are in place as part of their safety management audits.[8]
  • In late December, President Donald Trump issued the National Maritime Cybersecurity Plan, which seeks to establish internationally recognised standards for maritime cyber risk measurement and mitigation.[9] While the plan covers a wide array of actions, it will include strengthening cyber security requirements for companies involved in port service contracts and leasing.

So what? Both the IMO regulations and the White House’s plan exemplify the pressure that regulatory bodies will be putting on the maritime industry to address its security challenges in 2021. Given the criticality of the maritime sector for the global economy, and the various high-profile incidents that have plagued the industry in recent years, it is high time for maritime organisations to focus more on their cyber security.

Ransomware: Ryuk continues to target the healthcare sector, and a new strain identified

  • Cyber security incidents targeting the healthcare industry increased at more than twice the rate of attacks targeting any other sector in the last two months. The largest increase in attack type was predictably ransomware, with threat groups Ryuk and Sodinokibi largely responsible for this activity. Check Point observed the largest increase in incidents in Canada (250%), Germany (220%) and Spain (200%).[10]
  • In other ransomware news, the first new strain of 2021 was identified within days. Dubbed Babuk Locker, this strain does not appear to be operated by a sophisticated threat actor, but it does use a strong encryption algorithm that prevents victims from decrypting their files for free. At this stage, the targets appear to be multinational manufacturing companies, with an average ransom demand of around $80,000.[11]
  • Also on our radar… the transparency-focused activist group, Distributed Denial of Secrets, is mining and making data troves stolen by ransomware criminals available. The group argues its endeavours to increase transparency are in the public interest; others caution that publishing this data will exacerbate the problem of cybercriminals using data as another lever to pressure victims into paying a ransom. Wired has the details.[12]

So what? Ransomware continues to be the weapon of choice for many financially motivated cybercriminal groups. This is unlikely to stop any time soon as ransomware strains, extortion methods (including the publishing of stolen data) and threat groups continue to proliferate, and ransom demands continue to increase. As such, staying informed of the latest intelligence about these groups and methods is important for effective prevention and response.

News from the underground: Gaming credentials increasingly sought after on the dark web

  • Nearly one million compromised accounts promising access to video game companies are listed for sale on dark web forums, according to security company Kela.[13] The accounts were found to belong to both gaming company employees and gaming users. At least half the dark web listings were made in 2020.[14]
  • Gaming companies are an increasingly high-value target for cybercriminals. With the industry projected to reach $200 billion in revenue by 2022,[15] it is not surprising that the criminal underground is turning its focus on the gaming sector.

So what? Kela found that a majority of the credentials posted for sale can be traced back to older, third-party breaches. This illustrates the importance of discouraging your employees from signing up to third-party services (such as the latest gaming platform) using corporate email addresses. Once breached, that information is recycled by criminals and used to perform account take-over attacks.

So what for gaming companies? This research, and other evidence, indicates that the gaming sector is of increasing interest to cybercriminals. The leak of data from the two gaming giants Ubisoft and Crytek by ransomware group Egregor in October 2020[16] served as a further reminder that it is high time the gaming world invested more in enhancing its security, for the sake of both gaming organisations and their customers.

Social Engineering: Hi, this is your government speaking…

  • The Australian Government has issued a warning about an ongoing social engineering campaign in which threat actors are impersonating the Australian Cyber Security Centre (ACSC) in an attempt to infect targets with malware.[17] The threat actors’ goal is reportedly to steal their victims’ banking information.
  • In addition to sending emails, the threat actors are allegedly also calling Australians via mobile phone, claiming to be from the ACSC and convincing them that their computer has been compromised.

So what? Phishing attacks are not the only form of social engineering attacks that individuals and organisations need to protect themselves against. Vishing, where a threat actor impersonates a trusted party over a telephone call, is just as dangerous as, and can often be more difficult to identify than, conventional phishing attacks. It is important for organisations to ensure that their employees are aware of the various methods of attack they are faced with and are familiar with how to identify them and prevent them from being successful.

INDICATORS OF COMPROMISE

The Indicators of Compromise (IOCs) below offer a snapshot of the forensic artefacts currently known to be associated with the SolarWinds supply chain attack. [18]


References:

[1] ‘SolarWinds hackers accessed Microsoft source code in a number of repositories, the company says’, Computing, 4 January 2021.

[2] ‘Microsoft Internal Solorigate Investigation Update’, Microsoft Security Response Center, 31 December 2020.

[3] Also known as Reaper or APT37. Source: ‘APT37 (Reaper): The Overlooked North Korean Actor’, FireEye, 20 February 2018.

[4] ‘North Korean software supply chain attack targets stock investors’, Bleeping Computer, 5 January 2021.

[5] ‘Singapore Admits Police Can Access Contact-Tracing Data’, SecurityWeek, 6 January 2021.

[6] ‘Government refuses police request for access to Australian coronavirus contact tracing app’, The Guardian, 23 April 2020.

[7] ‘Maritime Cyber Risk Management in Safety Management Systems’, IMO, 17 June 2017.

[8] ‘IMO 2021: What is going to happen on 1 January?’, Dualog, 11 November 2020.

[9] ‘National Maritime Cybersecurity Plan’, The White House, December 2020.

[10] ‘Ransomware Surge Drives 45% Increase in Healthcare Cyber-Attacks’, Info Security, 5 January 2021.

[11] ‘Babuk Locker is the first new enterprise ransomware of 2021’, Bleeping Computer, 5 January 2021.

[12] ‘Anti-Secrecy Activists Publish a Trove of Ransomware Victims' Data’, Wired, 6 January 2021.

[13] ‘Cyber criminals are taking aim at online gaming for their next big pay day’, ZDNet, 6 January 2021.

[14] Ibid.

[15] Ibid.

[16] ‘Ubisoft, Crytek data posted on ransomware gang's site’, ZDNet, 15 October 2020.

[17] ‘Australian cybersecurity agency used as cover in malware campaign’, Bleeping Computer, 5 January 2021.

[18] ‘SolarWinds Vulnerability Update Resource Page’, Protiviti, n.d.

To discuss this article or other industry developments, please reach out to one of our experts.

