Threat Briefing: June 23, 2023


Threat Intel Update

The exploitation of MOVEit by the Cl0P ransomware group has been the top cybersecurity news story over the last few weeks, and the group has recently announced victims of the attack, including victims in the education sector. While Cl0P has dominated the news with MOVEit, cyber actors are continuing to launch new ransomware variants, changing tactics to steal data and information, and using other methods to launder illicit funds. This serves as a reminder that cybersecurity is a constantly evolving landscape and that protecting your organization and its customers requires a team effort.

Cyber Attacks

Cl0P Ransomware Group Releases Names of Victims from MOVEit Exploitation, Includes Financial Service Organizations and Universities – The group has posted victims on its dark web leak site. Victims include the University System of Georgia and Johns Hopkins University. First National Bankers Bank and 1st Source Bank are some of the victims in the financial services sector. Other victims include government organizations, a health insurance company, and a manufacturing company. Additional victims are likely to be identified as Cl0P releases more names. TechCrunch

Over 100,000 ChatGPT Credentials Offered for Sale on Dark Web Marketplaces, Obtained from Information Stealer Malware between June 2022 and May 2023 – The majority of the credentials were obtained from victims in the Asia-Pacific region, while almost 3,000 were linked to victims in the United States. Most of the credentials were harvested by the Raccoon, Vidar, and RedLine information stealers, which are used to steal passwords, credit card details, and browser information. The Hacker News

New Ransomware Groups Emerge as Number of Ransomware Victims also Increases – While some ransomware groups, such as LockBit, were associated with fewer attacks from April to May, new ransomware groups have emerged. In May, 28 groups were linked to over 410 ransomware attacks, a 13% increase from April 2023. Dark Reading

Microsoft DDoS Attack Resulting in Disruptions to Outlook, OneDrive, and Azure in Early June 2023 Attributed to Cyber Group Storm-1359, Linked to Hacktivist Group Anonymous Sudan – The attack temporarily disrupted access to Microsoft services but did not result in any compromise of data in those services. Microsoft attributed the activity to Storm-1359, a group linked to the hacktivist group Anonymous Sudan, which has launched DDoS attacks against entities in Europe throughout 2023. The Hacker News

Cyber Financial Fraud & Crime

Cybercriminals Utilizing Cryptomining Pools to Launder Illicit Funds and Challenge Anti-Money Laundering Regulations – The amount being laundered through cryptomining has grown from approximately $10,000 in 2018 to approximately $10 million during the first quarter of 2023. Laundering money through mining pools hinders the ability of law enforcement and private companies to trace the flow of cryptocurrency. Bank Info Security

Cybercriminals Pose as Journalists as Part of Phishing Attack Leading to Cryptocurrency Theft, Resulting in Approximately $2.9 Million in Losses – The group known as Pink Drainer has been linked to over 1,900 victims. Members of Pink Drainer pose as journalists from known cryptocurrency news sites to build rapport with victims before directing them to phishing websites used to steal victim credentials. Bleeping Computer

Manhattan District Attorney’s Office Seizes Domain of Fraudulent Cryptocurrency Recovery Company – Coin Dispute Network claimed to trace stolen cryptocurrency and help victims who had previously had cryptocurrency stolen recover it. Victims made payments to Coin Dispute Network, and the company also obtained additional Ethereum deposits from the victims. TRM Labs

Cyber Compliance, Enforcement, & Policy

U.S. Law Enforcement Arrests and Charges Russian National Suspected of Engaging in LockBit Ransomware Attacks – The individual arrested was suspected of being directly involved in five ransomware attacks against victims in the U.S. and overseas. This is the third member of LockBit to be charged for their role in the LockBit campaign. U.S. Department of Justice

Federal Communications Commission Establishing New Task Force to Improve Data Privacy and Data Protection – The task force will work to address SIM swapping concerns and how mobile carriers collect private data such as geolocation data. CyberScoop

U.S. Department of Justice Establishing National Security Cyber Section, Focusing on Nation-State Cyber Activity – The new section will help the department increase its ability to respond to nation-state cyber threats and is an example of the U.S.’s increasingly aggressive approach to prosecuting cyber activity. The Record

Romanian National Sentenced for Operating Bulletproof Hosting Service Used to Distribute Multiple Forms of Malware Used to Steal Financial Information – The individual, who previously pled guilty in February 2023, was sentenced to three years in prison and ordered to forfeit approximately $3.5 million. U.S. Attorney’s Office, Southern District of New York

Cyber Vulnerabilities

Cyber Actors Impersonating Cybersecurity Researchers to Distribute Fake Proof-of-Concept Exploits Used to Deploy Malware, Targeting Cybersecurity and Vulnerability Researchers – The cyber actors created a fake company and a Twitter account to promote a GitHub repository used to distribute the malware, which could infect both Windows and Linux systems. Bleeping Computer

Ransomware Attack Against a SharePoint Online Site Exploited Microsoft Global Software-as-a-Service Account to Steal Files from Victim Organization – The cyber actor created a new Active Directory user with elevated privileges, which was then used to remove over 200 existing administrators from the victim’s account. Security Week

Microsoft Addresses Vulnerabilities Impacting Azure Which Could Have Resulted in Cyber Actors Gaining Access to Victim Data and Azure Virtual Environments – Microsoft was not aware of any exploitation of the vulnerabilities, and patches deployed in May 2023 mitigated them. The Record

Geopolitical News

U.S. Government Information Sharing During the Russia-Ukraine War Potentially a Model for Future Conflicts – Leading up to the invasion of Ukraine, the U.S. government shared information with U.S. critical infrastructure operators regarding potential Russian cyber operations. A similar approach to information sharing could serve as a model for future conflicts, especially those involving Chinese cyber actors. CyberScoop

European Union Officials Concerned about Huawei and ZTE 5G Equipment in European Cellular Networks – Only 10 members of the European Union have blocked Huawei and ZTE equipment from their cellular networks. Thierry Breton, EU Internal Market Commissioner, has urged more European countries to aggressively oppose the two Chinese manufacturers, as they pose a cybersecurity risk. Bank Info Security

Ukrainian Law Enforcement Disrupts Social Media Bot Farm Suspected of Distributing Pro-Russian Disinformation Regarding the War in Ukraine – Three people were detained for their role in the operation. Over 4,000 fake accounts were registered and used to spread disinformation regarding the Ukrainian armed forces. The Record


About the Author

CampusGuard Threat Intel Team