Threat Briefing: July 7, 2023

Threat Intel Update

After Cl0P dominated the cyber threat landscape in June, hacktivists, state-sponsored cyber actors, and other ransomware groups have reminded us they still exist through a variety of attacks making the news. These attacks serve as a reminder of the short-term financial impacts for organizations suffering a cyberattack and highlight that there are also long-term impacts for the victims. It’s a good reminder that there is a lot to defend, from hardware and software to account credentials to understanding weaknesses in code and vulnerabilities; cybersecurity is a constantly evolving threat landscape.

Cyber Attacks

Data Exfiltrated and Leaked from School Districts Includes Medical Information Along with PII, Highlighting Challenges to Cybersecurity for School Districts – The lack of federal regulations requiring notifications to students and their families has led to confusion on the extent of cyberattacks and what information, if any, was stolen during a cyberattack. Many school districts spend a small portion of their IT budgets focusing on cybersecurity. Security Week

Nebraska Supreme Court Victim of Cyberattack by Cyber Group Known as “SiegedSec” – The group has claimed responsibility for cyberattacks against multiple state government agencies, including South Dakota, Texas, and Arkansas. The attacks have included website defacement and the loss of data. SiegedSec has previously been linked to cyberattacks against the Colombian and Russian governments, along with software companies and healthcare providers. The Record

LockBit Ransomware Group Claims to Have Compromised Taiwan Semiconductor Manufacturing Company (TSMC) and Stolen Sensitive Company Data, Demanding $70 Million Ransom – TSMC denies the claim and has indicated a supplier for TSMC was the victim of the cyberattack. LockBit has given a deadline of August 6th to comply with the ransom or it will release TSMC’s data. Security Week

Russian-Affiliated Cyber Actors Associated with Increase in Credential Stealing Attacks, Relying on Residential Proxy Services to Obfuscate Source IP – The attacks have focused on governments, IT service providers, and non-governmental organizations. Microsoft has linked the activity to a group it tracks as Midnight Blizzard, also known as APT 29, which was associated with the SolarWinds supply chain attack in 2020. The Hacker News

BlackCat Ransomware Group Utilizing Malvertising Campaign for Malicious Version of WinSCP File Transfer, Resulting in Malware Distribution – The ads were seen on the Bing and Google search engines. Once victims download the malicious version of WinSCP, a Cobalt Strike beacon is downloaded onto the victim’s system and connects to a command-and-control server address, which has led to the downloading of other tools used by BlackCat to carry out ransomware attacks. Bleeping Computer

Cyber Financial Fraud & Crime

Cyber Actors Responsible for over $900 Million in Cryptocurrency Theft During the First Half of 2023, with cyberattacks focusing on smart contracts, stealing from crypto exchanges and phishing victims. Despite $900M in cryptocurrency losses, this represents a 54% decline from 2022, when over $2 billion was stolen in cryptocurrency attacks. Losses from DeFi platforms represented half of all the loss occurring in 2023. Bank Info Security

Nigerian Man Pleads Guilty to Participating in Business Email Compromise Scheme Impacting Victims in the U.S. between 2014 and 2016, resulting in millions of dollars in fraud loss. Two other individuals involved in the scheme were sentenced to prison. U.S. Attorney’s Office, Southern District of New York

Suspected Member of OPERA1ER Cybercrime Group Arrested in Cote d’Ivoire, Linked to $11 Million in Losses from Cyberattacks – The group has been active since 2018 and engaged in malware attacks, phishing campaigns, and business email compromise schemes. The arrest was part of a joint operation with INTERPOL, Afripol, the government of Cote d’Ivoire, the U.S. government, and the private sector. The Record

Four Individuals Indicted for Engaging in Business Email Schemes, Romance Schemes, and Insurance Fraud – The individuals would obtain funds illicitly and then utilize the funds to obtain cashier’s checks and money orders, which were used to purchase vehicles later shipped overseas to Nigeria. U.S. Department of Justice

Cyber Compliance, Enforcement, & Policy

U.S. Government Considering Restricting Access of Chinese-based Companies to U.S.-based Cloud Services – Doing so would reduce Chinese companies’ access to services utilizing artificial intelligence chips. This would address a current loophole in the U.S.’s existing sanctions on the export of chips to Chinese companies. CoinTelegraph

White House Identifies Five Cybersecurity Budget Priorities for Fiscal Year 2025, Aligning with U.S. National Cybersecurity Strategy, focusing on international partnerships, defending critical infrastructure, disrupting threat actors, investing in resilience and driving market forces to support security. The budget priorities will help to focus the federal government on modernizing federal defenses and implementing a federal zero-trust strategy. CyberScoop

Cyber Command to Increase Staff for Private Sector Engagement Unit – The group known as “Under Advisement” will grow from a dozen military and civilian employees to two dozen people by 2024. The group works with private sector entities to share information on cybersecurity threats and support Cyber Command’s ability to engage in cyberoperations. The Record

University of California Sues Lloyd’s of London Regarding Cyber Insurance Policy Coverage – The lawsuit concerns an attack which started in 2014 and impacted patients at the University of California, Los Angeles Health center. Lloyd’s of London has indicated the University of California has not complied with cybersecurity provisions under its insurance policy and has refused to reimburse the university for costs it incurred because of the attack. CSO Online

Russian Cybersecurity Researcher Indicted by the U.S. Government Arrested in Kazakhstan; Russian Government Also Requesting Extradition Back to Russia – The individual was charged by the U.S. for selling stolen usernames and passwords in 2012 and formerly worked at a Russia-based cybersecurity magazine. Russia also issued an arrest warrant for allegedly engaging in unauthorized access to protected information, and sought the extradition of the individual back to Russia following his arrest by the government of Kazakhstan. The Record

Cyber Vulnerabilities

Botnets Responsible for 95% of Malicious Web Traffic; Mozi, Mirai and Kinsing Most Popular Botnets Identified – Many of the botnets were utilized for mining cryptocurrencies or launching distributed denial of service attacks. The data was obtained from a six-month study which ended in May 2023 and utilized honeypot devices in the U.S., U.K., Ukraine, China, Russia, and Poland. CSO Online

MITRE Identifies Top 25 Software Weaknesses, Based on Analysis of over 43,000 Vulnerabilities in National Vulnerability Database – The top weakness identified was Out-of-bounds Write, which was the top weakness in 2022 as well. This weakness has been identified in 70 vulnerabilities released in 2021 and 2022 and added to CISA’s Known Exploited Vulnerabilities catalog. The Hacker News

Vulnerability in Solar Power Monitoring Product Exploited to Support Mirai Botnet – The vulnerability impacts a solar power monitoring tool used at over 30,000 power stations. As of early July, over 600 systems were exposed to the internet according to Shodan. Security Week

Node Package Manager “Manifest Confusion” Could Allow for Malicious Code to Be Hidden in Packages – Currently, NPM does not validate the metadata in packages against the metadata from its manifest, allowing cyber actors to hide malware. Dark Reading

New TrueBot Malware Variant Used to Target Entities in the U.S. and Canada – While typically spread through phishing emails, TrueBot has also gained initial access by leveraging a vulnerability impacting the Netwrix auditor application. TrueBot has been utilized by the ransomware group CL0P in the past to collect and exfiltrate data from victim organizations since it was first identified. CISA

Geopolitical News

Switzerland’s Intelligence Service Warns Cyber Espionage Operations Likely to Increase Due to Degradation of Russia’s Human Intelligence Network in Europe – The organizations most likely to see increased cyber espionage attacks are critical infrastructure entities, financial service providers, and technology firms. Many European countries expelled Russian citizens suspected of committing espionage, impacting Russia’s intelligence collection operations. The Record

Police in Philippines Disrupt Human Trafficking Operation Supporting Cybercrime Group Running Online Gaming Websites – The operation received victims from various countries in Asia who had been lured to the Philippines through Facebook ads. Over 2,600 individuals were rescued as part of the operation, which follows a previous operation in May 2023 in which approximately 1,400 victims were rescued. Dark Reading

Russia’s Internet Research Agency (IRA), Linked to Interference in U.S. Elections, Reportedly Shut Down by Founder, Yevgeny Prigozhin, Following Dispute with Russian Government – Prigozhin, who also operated the Wagner paramilitary force, had previously denied owning the IRA until early in 2023. Following Wagner’s capture of the Russian city of Rostov, the Russian government seized several of the IRA’s servers. While the IRA has been shut down, a sale had been under consideration in the past and the company could still be sold. The Record

China’s Revised Counter-Espionage Law Increases Power of Chinese Government to Investigate and Respond to Cyberattacks – The revisions to the law now allow for the government of China to seize property of companies doing business in China. The law also allows for facilities and electronic equipment to be inspected by the Chinese government. Prior to the law taking effect, several U.S. companies operating in China had their offices raided by the Chinese government. Bank Info Security

Cyber-Attacks Increasing in African Countries Despite Increase in Cybersecurity Hiring Throughout Africa – The top countries facing cyber-attacks were South Africa, Kenya and Zambia, likely due to their emerging economies. The majority of attacks relied on phishing, while the use of compromised passwords was another common attack method. Focusing on Africa may also provide cyber actors an emerging market to engage in attacks and avoid U.S. scrutiny. Dark Reading


About the Author

CampusGuard Threat Intel Team