Weekly Cyber News Roundup

August 28th to September 1st 2023

Content 

01. News Bites
  • Kroll cyberattack compromises customer data
  • Poland’s rail network hit by Russian cyber attack, 2 arrested   
  • UK to ban equipment used to hack cars
  • 3 Malware loaders responsible for 80% of computer and network attacks in 2023
  • Data of 1.2 million Purfoods customers stolen
02. Conclusion

Quick News Bites

Kroll cyberattack compromises customer data

Three cryptocurrency firms, FTX, BlockFi, and Genesis, faced data breaches after a SIM swapping attack on the financial advisory firm, Kroll. The attacker managed to switch an employee's T-Mobile number to their SIM card, enabling unauthorised access to Kroll's systems. These files had personal data from bankruptcy claimants linked to the three companies.

On discovering the breach, Kroll took rapid measures to safeguard the accounts of the affected companies and informed the impacted parties through email. As per Kroll, “We have no evidence suggesting other systems or accounts were compromised. We're working closely with the FBI on a full-scale investigation.”

FTX alerted its users that the attacker accessed details like names, addresses, emails, and FTX account balances. However, FTX clarified that account passwords weren't with Kroll, ensuring their digital assets remained secure. Customers were advised to watch for potential scams.

Soon after these announcements, some FTX users received misleading emails, suggesting they could now withdraw funds from their accounts. Genesis and BlockFi also informed their users about the breach. Genesis indicated compromised details included names, addresses, and claims against Genesis debtors. Both companies emphasized the potential for increased phishing emails and scam calls.

Poland’s rail network hit by cyber attack, 2 arrested

Hackers disrupted railway traffic in north-west Poland at the weekend, using frequencies to play Russia's national anthem and a speech by President Vladimir Putin, as reported by the Polish Press Agency (PAP).

During the incident, hackers transmitted signals near Szczecin, halting about 20 trains. Services resumed within hours. On Sunday, Polish police detained two Polish men, aged 24 and 29, in Bialystok, suspected of the hack into the national railway's communication. Radio equipment was confiscated from their residence.

The railway network had first been hacked last Friday night near Szczecin, affecting several trains. Further attacks were registered over the weekend across the country, but without significant disruption.

Poland's role in supporting Ukraine and its key position in the transit of arms has made it a target. The internal security agency confirmed its investigation into the matter. Stanislaw Zaryn from the special services told PAP that there have been months of efforts by Russia, in partnership with Belarus, to destabilise Poland. However, he assured that the recent cyber-attacks did not endanger passengers' safety.

UK to ban equipment used to hack cars

Keyless car hacking tools may soon be outlawed in the UK, following discussions between ministers and police chiefs in response to a 25% surge in vehicle thefts. The proposed ban focuses on the sale and possession of devices like keyless repeaters, signal jammers, and related hacking tools, believed to be the main culprits behind the uptick in UK vehicle thefts which reached 130,389 in 2022.

Police attribute most thefts to organised crime syndicates, targeting high-end cars for export or disassembly in “chop shops”. They often employ jamming tools to neutralise car GPS trackers. Thieves typically utilise “relays” and “repeaters” to capture keyless fob signals, subsequently used to unlock vehicles. To counter this, car manufacturers have improved security, and owners are urged to shield their keys using “faraday bags”.

The National Crime Agency notes an increase in criminals using advanced tools to bypass keyless systems or directly hack into cars. These hacking devices, sell for around £2,500 online or via encrypted messaging platforms like Telegram, infiltrate the car's internal networks, facilitating unauthorised access.

3 Malware loaders responsible for 80% of cyber attacks in 2023

Security experts have identified three malware loaders that account for 80% of the computer and network attacks this year, QBot, SocGholish, and Raspberry Robin. Between January and July, QBot (also known as QakBot, QuackBot, and Pinkslipbot) was the most observed loader, responsible for 30% of breaches, SocGholish followed at 27%, and Raspberry Robin at 23%.

Loaders play an intermediary role in malware attacks. After being activated on a victim's system—often through an email attachment or system vulnerability—they ensure their persistent presence and fetch the primary malware, like ransomware. Identifying and blocking a loader can prevent a broader malware attack. But as ReliaQuest notes, what mitigates one loader might not work for another.

QBot, a 16-year-old banking trojan, has evolved to deliver ransomware, steal data, and enable lateral movement in networks. Recently, it adopted new malware delivery techniques, including using malicious OneNote files in phishing emails. This week the FBI revealed that it along with international partners had successfully dismantled the Qakbot network.

 

SocGholish, a JavaScript-based malware linked to Russia's Evil Corp, typically masquerades as a fake update. It recently led "aggressive watering hole attacks," compromising significant organizational websites.

Lastly, Raspberry Robin, which targets Windows, has evolved from a worm spread via USB drives, primarily delivering ransomware.

Data of 1.2 million Purfoods customers stolen

Purfoods, a US based health-focused food-delivery business alerted over 1.2 million customers of a potential data breach earlier this week. This breach may have exposed personal, financial, and medical details. In January, criminals reportedly infiltrated Purfoods' network via ransomware, encrypting specific files and possibly extracting customer data.

A subsequent investigation revealed files containing private and health-related information of some customers, such as names, Social Security numbers, medical information, and financial account details. While the company has informed the US Department of Health and Human Services in line with HIPAA regulations, it has also sought external assistance to enhance security and offered free credit monitoring for the affected individuals for a year. However, with recent incidents compromising the credibility of their credit monitoring partner, Kroll, Purfoods also shared information to help victims safeguard against identity theft. Following this incident, several law firms are already targeting affected customers, highlighting potential forthcoming legal challenges for Purfoods.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.

Need advice?

If you are worried about any of the threats outlined in this roundup or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or fill in the form for a complimentary no-commitment consultation.

More detailed threat intelligence news?

If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.

We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.

Security-first-stacked-logo4-No-Padding

Cyber Security Conference

LONDON | 28 April 2022
DUBLIN | 11 May 2022

Join us in Dublin or London for the Security First 2022 conference.  We'll be bringing together industry professionals and specialist experts to discuss the latest cyber security trends and offer actionable advice on preparing your business to put security first in 2022.