Threat Briefing: June 14, 2024

Cyber threat actors profit by targeting money and valuable information, such as credentials. This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned the public about scammers posing as CISA employees to extort money from victims.

Meanwhile, new details have emerged about the data breach affecting cloud company Snowflake. Cyber threat actors exploited stolen credentials to compromise victim accounts, highlighting the high value of simple username and password combinations.

We often hear that “cybersecurity is a team sport,” and this is also true for cybercriminals. This week, reports revealed that a major cybercriminal group is collaborating with a newer, active group to offer ransomware-as-a-service. The relentless pursuit of information and collaboration among cyber actors contribute to an ever-evolving cyber threat landscape. This challenging environment underscores the importance of exercising caution when clicking links or downloading files.

• Cybercriminal Group Scattered Spider Joins Forces with RansomHub Cybercriminal Group – Scattered Spider has been conducting ransomware attacks using RansomHub’s  ransomware-as-a-service variant. RansomHub has advertised a 90/10 split of ransomware proceeds with affiliates and promises to let affiliates collect the ransom first and pay RansomHub later. Since February, RansomHub has added 75 victims to its data leak site. Dark Reading
• Criminal Actors Posing as Employees of U.S. Cybersecurity and Infrastructure Security Agency (CISA), Attempting to Defraud Victims – This week, CISA issued a warning about scammers making phone calls to victims. CISA clarified that it will never instruct people to send money, gift cards, or cryptocurrency. Bank Info Security
• U.S. Treasury Department Seeking Feedback About Usage of Artificial Intelligence at Financial Institutions – The department is asking for feedback from various stakeholders in the financial sector to determine risks and opportunities. The request for information sent out by the Treasury Department was derived from a previous Treasury Department project on AI and cybersecurity risks. FedScoop
• Over 150 Organizations Impacted by Snowflake Data Breach – The breach has been attributed to a financially motivated cyber threat group known as UNC5537. This group used stolen credentials obtained from various information-stealing malware to compromise Snowflake customer instances and has been selling the stolen data. UNC5537 likely began targeting Snowflake customers in April 2024. The Hacker News
• BlackBasta Ransomware Group Exploited Windows Vulnerability Before Researchers Discover Vulnerability – The vulnerability affected the Windows Error Reporting Service and was initially disclosed by Microsoft in March 2024. BlackBasta utilized the vulnerability in two attempted ransomware attacks but was not successful in completing the attacks. The Record