1 July 2022

Cyber security week in review: July 1, 2022


AMD investigates alleged leak of 450GB of internal data

This week, RansomHouse extortion group added the semiconductor giant AMD to its data leak site. According to the cybercriminals, they have stolen 450GB of data from the company’s network. While data was allegedly stolen last year, the threat actor added AMD to their data leak site on June 27, 2022.

RansomHouse claimed that the files stolen from the company include research and financial information.

The hackers didn’t contact AMD and didn’t demand any ransom. From their perspective, it is more efficient to sell the stolen files straight to third parties.

Ransomware operators hit publishing giant Macmillan

On June 25, 2022, publishing company Macmillan suffered a ransomware attack. To prevent the infection from spreading, the company was forced to shut down its servers, and as a result it was unable to process, receive, place, or ship orders.

Macmillan didn’t provide much information about the cyberattack. At this point, it remains unclear what ransomware operation is behind the incident and what kind of data (if any) was stolen.

Mitel MiVoice Connect zero-day vulnerability used by ransomware operators

Cybersecurity researchers from CrowdStrike warned about a critical remote code execution vulnerability (CVE-2022-29499) in Mitel MiVoice Connect. Hackers used this flaw to gain initial access to the network of one of CrowdStrike’s customers. The threat actor is believed to be a ransomware operator, but CrowdStrike didn’t attribute the incident to a specific cybercriminal gang.

LockBit 3.0 introduces the first ransomware bug bounty program

Ransomware operation LockBit announced the first bug bounty program offered by a RaaS gang. On its website, the gang asked security researchers to submit bug reports in return for rewards. The amount of the reward depends on the severity of the flaw and ranges between $1,000 and $1,000,000.

$1,000,000 will be granted to anyone who provides the gang with information about its leader, LockBitSupp.

APT group used ProxyLogon vulnerability to hack building automation systems

A Chinese-speaking state-sponsored threat actor used the ProxyLogon vulnerability (CVE-2021-26855) to breach building automation systems of organizations in the industrial and telecommunications sectors in Pakistan and Afghanistan. The hackers used the flaw to plant the ShadowPad backdoor in the organizations’ networks and gain access to more secured areas of those networks.

The XFiles info-stealer malware now exploits the Follina vulnerability

Researchers from Cyberint uncovered malicious campaigns delivering the XFiles malware which exploits the infamous remote code execution vulnerability in Microsoft Windows (CVE-2022-30190). The threat actors used this bug to download the payload, execute it, and create persistence on the target system.

XFiles operators have also expanded their operations by recruiting new members and launching new projects.

One of Iran’s major steel companies halted production because of a cyberattack

Iran’s industrial sector was hit by a major cyberattack. A threat actor calling themselves “Gonjeshke Darande” hacked the state-owned Khouzestan Steel Co. and two other major Iranian steel firms, Mobarakeh Steel Co. and Hormozgan Steel Co.

According to the hackers, they attacked the three aforementioned facilities in response to the “aggression of the Islamic Republic.”

The attackers also posted a video that showed a damaged steel billet production line and a major fire allegedly on a factory floor.

Evilnum APT is back in a new malicious campaign

Researchers from ThreatLabz identified several instances of spear-phishing attack campaigns launched by Evilnum APT against organizations in the UK and Europe. The new instances of the campaign used updated TTPs such as MS Office Word documents, leveraging document template injection to deliver the malicious payload to the victims’ machines.

Evilnum APT also shifted its focus from financial services to an intergovernmental organization connected to international migration services.

NFT marketplace OpenSea suffered a data breach

OpenSea, the largest NFT marketplace, disclosed a data breach and advised its users to be suspicious of emails because of potential phishing attempts.

According to OpenSea, an employee of its email delivery vendor Customer.io unlawfully downloaded and shared customers’ email addresses with an unauthorized third party.

At this point, the marketplace is working with Customer.io on an ongoing investigation.
