Threat Briefing: June 9, 2023

Threat Intel Update

The recent exploitation of the MOVEit File Transfer software system illustrates the importance of quickly patching vulnerabilities and how much of a target file transfer systems have been for cyber actors over the years, with MOVEit being the second file transfer system exploited in 2023. The CL0P ransomware group has claimed responsibility for the attack, and early research into the vulnerability indicates the group had been targeting MOVEit for exploitation since 2021.

The exploitation of file transfer systems also provides bad actors with another way to gain access to large amounts of sensitive company data without compromising computer networks and encrypting data. Updating and patching vulnerabilities in file transfer systems is an important aspect of keeping your business and customer data safe and secure.

Cyber Attacks

CL0P Ransomware Group Claims Responsibility for Exploitation of MOVEit Vulnerability – The group has indicated it has stolen data from hundreds of victims and is threatening to release stolen data on June 14th if victims don’t negotiate a ransom with the CL0P actors. Confirmed victims of the attack include the University of Rochester, the government of Nova Scotia, British Airways, and the BBC. In the past CL0P has indicated it won’t extort victims in the government or law enforcement fields. Security Week

North Korean Cyber Group “Kimsuky” Utilizing Social Engineering to Compromise Academic, Media, and Think Tank Sectors – The group impersonates legitimate entities to launch spear phishing campaigns. These campaigns are used to collect information on foreign policy and security issues from think tank researchers, academic scholars, journalists, and even government officials. The stolen information is used to support North Korea’s strategic decision-making process. Kimsuky has also created fraudulent versions of websites, portals, and mobile applications in an effort to steal credentials from victims. The Hacker News

The United Kingdom’s University of Manchester Victim of Cyber Attack, Resulting in Loss of Data – The university, one of the largest in the United Kingdom, admitted to being the victim of an attack. The university confirmed data was likely taken from the university, but did not confirm the type of data taken. In early 2023, the University of Manchester established a “highly restricted data service” system allowing university researchers to store highly restricted or commercially sensitive data. The Record

Cyber Group Asylum Ambuscade Engaging in Cybercrime and Cyber Espionage, Focused on Victims in Cryptocurrency and Finance in North America, Europe and Asia – The group is believed to be aligned with the government of Belarus. Much of the group’s cybercrime activity is focused on stealing cryptocurrency and credentials from customers of U.S. and Canadian banks. The cyber espionage activity of the group has been focused on entities in Europe and Central Asia, particularly concentrating on personnel supporting programs for Ukrainian refugees. Bank Info Security

Web Skimmer Attack Uses Compromised Websites as C2 Servers to Distribute Malicious Code – The attacks are impacting victims in North America, Europe, and Latin America, targeting personally identifiable information (PII) and credit card data from e-commerce websites. The cyber actors behind the attacks have compromised legitimate websites and used them to host web skimmers, providing a level of obfuscation to the attacks. The attack has impacted Shopify, WordPress, WooCommerce, and Magento e-commerce platforms. The Hacker News

Cyber Financial Fraud & Crime

The United Kingdom’s Financial Services Sector Experiences $1.5 Billion in Losses During 2022 – The losses represent a decline from 2021; however, the actual number could be higher, as financial losses aren’t always documented. The majority of the U.K.’s financial fraud losses were the result of unauthorized transactions, such as the use of stolen credentials. Authorized push payment fraud, in which attackers use social engineering to facilitate financial scams against individuals, was the second most common form of fraud. Financial losses against businesses were likely due to malicious actors engaging in invoice fraud or CEO impersonation fraud. Bank Info Security

Lazarus Group Linked to $35 Million Theft from Atomic Wallet – Atomic Wallet suffered a breach in early June 2023 that, according to the company, impacted 1% of its customers. An analysis of the stolen crypto assets indicates a pattern of mixing stolen cryptocurrency similar to that seen in past attacks from the Lazarus Group. One of the services utilized by Lazarus Group to launder funds was the Sinbad mixer. The Record

Six Individuals Arrested for Conspiring to Commit Wire Fraud and Money Laundering to Support Business Email Compromise Scheme – The scheme resulted in the loss of approximately $5.8 million to bank accounts established with stolen or fake information between July 2021 and February 2022. The victims of the scheme came from the healthcare, legal, real estate, and logistics sectors, as well as a labor union. Once the victims sent money to the fake accounts, the money was withdrawn in a manner intended to evade federal reporting requirements and moved by a variety of means, including P2P payment services, ACH transfers, and cash withdrawals. U.S. Attorney’s Office, Southern District of New York

South Korean Government Sanctions North Korean Cyber Group Kimsuky – The sanctions impact two cryptocurrency wallet addresses known to be utilized by Kimsuky, which may have been used to receive payments as part of a blackmail or fraud campaign. Kimsuky has also been identified as engaging with cryptocurrency mining pools and hashing services as a means of laundering cryptocurrency. Chainalysis

Cyber Compliance, Enforcement, & Policy

U.S. Department of Defense Shares New Classified Cyber Strategy with Congress – The strategy is an update to its 2018 cyber strategy and is based on its experience conducting real-world cyber operations over the last several years. An unclassified fact sheet regarding the strategy highlights the Defense Department prioritizing China, Russia, North Korea, Iran, and transnational crime as key threats in cyberspace. The strategy also emphasizes protecting cyberspace through cooperation with cyber allies and partners. DefenseScoop

Federal Trade Commission Issues Fine to Amazon’s Ring for Failure to Implement Privacy and Security Measures – As part of the agreement, Ring will pay a $5.8 million fine to the FTC. Ring will also be required to delete data and videos from prior to 2018, and any work product derived from those videos. Additionally, Amazon agreed to a $25 million fine for collecting and storing voice and geolocation information associated with children, a violation of the Children’s Online Privacy Protection Act. CNBC

U.S. Offers $5 Million Reward for Swedish Individual Who Sold Encrypted Phones to Illicit Actors – The encrypted phone service known as Anom was utilized by over 300 illicit actor groups starting in 2018; the service was in fact part of an undercover law enforcement operation into illicit activity, run as a joint operation by the FBI and Europol. The Record

Dual U.S.-Turkey Citizen Pleads Guilty to Trafficking Fraudulent Cisco Networking Equipment between 2014 and 2019 – In July 2021, a search warrant executed at a warehouse used for the equipment resulted in the seizure of over 1,000 counterfeit devices with a retail value of over $7 million. The individual behind the scheme operated online storefronts, known as Pro Network Entities, on Amazon and eBay to sell the counterfeit Cisco equipment, which was imported from China. The devices were low-quality networking devices sold with counterfeit Cisco labels, documentation, and packaging, making them appear to be new, high-quality Cisco equipment. U.S. Department of Justice

Microsoft Preparing for Multi-Million Dollar Fine for Violating the European Union’s General Data Protection Regulation (GDPR) Act – The intended fine is a result of Microsoft engaging in targeted advertising practices on LinkedIn during 2018, a violation of the GDPR. Microsoft is anticipating the fine will be approximately $425 million and will occur in Q4 of 2023. The investigation into Microsoft’s activity was carried out by the Irish Data Protection Commission. Bank Info Security

Cyber Vulnerabilities

Microsoft Visual Studio Vulnerability Could Allow Cyber Actors to Compromise Development Environments – The vulnerability, CVE-2023-28299, allows cyber actors to develop and distribute malicious extensions to application developers. Once cyber actors gain access through the extensions, they are able to access developer environments and even steal code. While Microsoft initially rated the vulnerability as less likely to be exploited, a cybersecurity company has indicated the vulnerability could be easily exploitable and impacts multiple versions of Visual Studio. Dark Reading

Hardware Manufacturer GIGABYTE Releases Firmware Update to Address Security Vulnerabilities – The vulnerabilities impact over 250 different models of motherboards and would allow a cyber actor to install malware. The URLs used to download firmware for GIGABYTE motherboards use unencrypted HTTP rather than HTTPS, which could be exploited through a man-in-the-middle attack. Bleeping Computer

Multiple Vulnerabilities Patched for Splunk Products, Including Vulnerabilities from Third-Party Packages Used by Splunk – The vulnerabilities impacted Splunk Enterprise, Splunk Cloud, and Splunk Universal Forwarders. The third-party vulnerabilities came from sources such as Curl, SQLite, Go, OpenSSL, and Libxml2, with some of the vulnerabilities having been public for several years. Security Week

Cyber Actors Exploit Google’s Brand Indicators for Message Identification Program – The new program, known as BIMI, displays blue check marks alongside the logos of companies participating in the Google program, helping to prevent email impersonation and phishing. An unknown cyber actor was able to send an email that circumvented the BIMI program. To remediate the issue, Google is encouraging members of the BIMI program to implement the DomainKeys Identified Mail (DKIM) authentication standard to qualify for BIMI status. CyberScoop

Picture-in-Picture Obfuscation Utilized to Direct Victims to Credential Harvesting Sites – Cyber actors have utilized photos for loyalty programs and gift cards to obfuscate links to malicious web pages used to harvest credentials. This technique is able to bypass email filters that do not scan images. Dark Reading

Geopolitical News

Ukrainian Hacker Group Claims Responsibility for Attack on Russia’s “Silicon Valley” – The Skolkovo Foundation, which oversees high-tech businesses in the Moscow, Russia area, was established to compete with Silicon Valley for technology development. The Ukrainian hackers behind the attack indicated they stole data including source code for projects, presentations, contracts, and photos, and disrupted infrastructure utilized by the Skolkovo Foundation. The Record

Iranian President’s Office Compromised by Iranian Dissidents, Resulting in the Release of Government Data – The released data includes floor plans of buildings, network topologies, and information on diplomatic correspondence. A group calling itself GhyamSarnegouni (Rise to Overthrow) posted the data on a Telegram channel, claiming responsibility for the compromise. Some of the data was previously public knowledge or not considered sensitive. The compromise also resulted in the defacement of several websites and access to 120 servers and over 1,300 computers. CyberScoop

NATO to Increase Focus on Cyber Defense During Peacetime, Identifying Cyberspace as “Permanently Contested Environment” – The change is likely to be a central focus of an upcoming NATO summit in July. Moving forward, NATO will advocate for increased cooperation with industry experts on cyber defense and for being more proactive in responding to state-sponsored cyber-attacks. The Record

U.S. Cyber Command Conducts First Mission in Latin America – The “hunt forward” mission deployed members of U.S. Cyber Command to a Latin American nation to engage in cyber defensive actions, a first for a Latin American country. The specific country was not identified by U.S. Cyber Command, which has now conducted “hunt forward” operations on every continent. The operations are conducted at the request of the host country and enable the U.S. to help increase the security of the host country while providing the U.S. with additional insight into malicious cyber activity. DefenseScoop

Content from this threat briefing was provided by Nelnet’s CyberSecurity Threat Intel.

About the Author
CampusGuard Threat Intel Team