9 June 2023

Cyber security week in review: June 9, 2023

Clop ransomware gang issues ultimatum to victims breached in MOVEit zero-day attacks

Clop, a prolific ransomware group behind a recent wave of MOVEit zero-day attacks, posted a notice on its dark web data leak website telling victims to email the gang before its deadline of 14 June or have their data leaked.

The widespread hacking campaign is said to have affected more than a hundred companies, including high-profile British firms such as payroll provider Zellis, British Airways, the pharmacy chain Boots and the BBC, as well as other organizations such as the government of the Canadian province of Nova Scotia, the University of Rochester, and Irish airline Aer Lingus.

According to cybersecurity firm Kroll, the Clop gang was likely experimenting with ways to exploit the MOVEit vulnerability as far back as 2021.

In the wake of the recent Clop ransomware campaign, the US CISA and the FBI published a joint advisory detailing the gang’s TTPs and IOCs related to attacks targeting MOVEit file-transfer servers.

The Atomic Wallet hack: At least $35 million in crypto stolen

Users of multichain crypto wallet Atomic Wallet were robbed of $35 million in a hack, impacting 1% of its 5 million users. The cryptocurrency wallet provider has yet to determine the root cause of the breach. Blockchain analysis company Elliptic has linked the hack to the well-known North Korean threat actor Lazarus Group.

Orgs urged to immediately replace hacked Barracuda ESG appliances

Email and network security solutions provider Barracuda Networks has urged its customers to immediately replace Email Security Gateway (ESG) appliances compromised in the recent series of attacks using a zero-day vulnerability (CVE-2023-2868) in ESG devices.

Google releases security updates to patch a Chrome zero-day

Google issued security updates for its Chrome browser for Mac, Linux, and Windows to address a zero-day vulnerability said to have been exploited in real-world attacks. The flaw, tracked as CVE-2023-3079, is a type confusion issue in the V8 engine in Google Chrome. The vulnerability can be used by a remote attacker to execute arbitrary code on the target system via a specially crafted web page.

Cybersecurity authorities offer guidance on how to secure remote access software

CISA and partners published a joint guide to help organizations identify and defend against cyberattacks abusing remote access software, describing common ways the software is exploited and the associated tactics, techniques and procedures (TTPs).

AvosLocker ransomware abusing Veritas backup servers for initial access

The AvosLocker ransomware gang has been observed abusing known vulnerabilities in Veritas backup servers to gain access to victim networks. The threat actors are chaining three vulnerabilities in the Veritas software - CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878 - to gain initial access and encrypt the victim’s network with the AvosLocker ransomware. All three bugs are related to the SHA authentication scheme used by Backup Exec. Although the vendor fixed the flaws back in March 2021, it seems that many systems still remain unpatched.

Zipper giant YKK confirms a cyberattack

Japanese manufacturing conglomerate YKK Group, the world’s largest manufacturer of zippers, was hit with a cyberattack that reportedly affected its US operations. The company did not reveal the nature of the incident but said it was able to contain the attack before damage was done or data was stolen. However, on June 2, 2023, the notorious LockBit ransomware gang listed YKK as one of its victims on its dark web data leak site, indicating that the company might have been hacked.

In a separate incident, Japanese pharmaceutical company Eisai fell victim to a ransomware attack on June 3, 2023 that resulted in the encryption of multiple servers. Eisai took offline some of its systems, including logistics systems, implemented an incident response plan, and launched an investigation into the incident.

Multi-stage phishing/BEC campaign targets financial sector

Microsoft said it discovered what it describes as “a multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attack” focused on banking and financial services organizations. The campaign involves breached accounts at trusted vendors that are used to send emails to targets; these emails redirect victims to AiTM-based phishing sites built with an AiTM phishing kit developed by a threat actor Microsoft tracks as Storm-1167.

Over 60K fake Android apps push adware to unsuspecting users

Researchers at Romanian cybersecurity firm Bitdefender discovered a widespread malware distribution campaign involving 60,000 Android apps masquerading as popular games, VPN apps, and security tools typically found on the official Google Play Store. The operation has been active since at least October 2022 and is likely fully automated.

New PowerDrop malware targets US aerospace defense industry

An unknown threat actor has been found targeting the US aerospace defense industry with a new PowerShell malware script, which uses advanced techniques to evade detection. Dubbed 'PowerDrop,' the malware was discovered in the network of an unnamed domestic aerospace defense contractor in May 2023. The analysis showed that PowerDrop “was made up of a new PowerShell and Windows Management Instrumentation (WMI) persisted Remote Access Tool (RAT),” and was used to run remote commands after the attackers had gained initial access, execution, and persistence on servers.

North Korea’s Kimsuky strikes with new social engineering campaign

Researchers at SentinelLabs detailed a new social engineering campaign by the North Korean APT group Kimsuky targeting experts in North Korean affairs with the goal of stealing Google credentials and delivering reconnaissance malware.

Asylum Ambuscade cybercrime group turns to cyber-espionage

ESET has a report out on Asylum Ambuscade, a threat actor that previously ran mostly cybercrime campaigns but has recently turned to cyber-espionage operations. The group was first mentioned in Proofpoint’s March 2022 report on a phishing campaign against entities aiding the movement of Ukrainian refugees.

Cyber-espionage campaign targets government orgs and media in Ukraine

The Computer Emergency Response Team of Ukraine (CERT-UA) discovered a cyber-espionage operation that has been targeting Ukrainian government organizations and editors working for media outlets since at least the second half of 2022. Tracked as UAC-0099, the operation uses several malware families, including Lonepage, Clogflag, Seaglow and Overjam, to spy on victims and steal data.

US offers a $5M reward for Swede who sold encrypted phones to criminals

The US State Department has announced a reward of up to $5 million for information leading to the arrest and/or conviction of Swedish national Maximilian Rivkin, who has evaded arrest since the 2021 takedown of the ANOM network, which sold over 12,000 ANOM encrypted devices and services to more than 300 criminal syndicates operating in more than 100 countries, including Italian organized crime, Outlaw Motorcycle Gangs, and various international drug trafficking organizations.

The authorities said Rivkin “was an administrator and influencer of an encrypted communication service used by criminals worldwide.” He is accused of distributing thousands of encrypted communication devices to criminal syndicates.
