Weekly Cyber News Roundup

Black Basta Ransomware Gang strikes Multinational Tech Firm ABB

ABB, the Swiss multinational specialising in electrification and automation technologies, has been hit by a ransomware attack orchestrated by the Black Basta group, affecting its business activities.

The attack reportedly took place on May 7^th and saw the company become the latest target of the increasingly active Black Basta ransomware group, a cybercrime faction that emerged in April 2022.

With its headquarters in Zurich, Switzerland, ABB designs industrial control systems (ICS) and SCADA systems for manufacturers and energy providers, serving a broad client base and local governments, such as Volvo, Hitachi, DS Smith, and the cities of Nashville and Zaragoza.

According to reports on BleepingComputer, several employees said that the ransomware strike impacted the company's Windows Active Directory, affecting a significant number of devices. To mitigate the attack, ABB severed VPN connections with its clients to inhibit the ransomware's proliferation to other networks.

The assault disrupted ABB's operations, causing project delays and affecting factory performance. Following initial reluctance to comment, ABB later released a statement post-publication of the incident.

"ABB recently detected an IT security incident that directly affected certain locations and systems," the company said.

Philadelphia Inquirer becomes the latest newspaper to fall victim to Ransomware

The Philadelphia Inquirer is actively working to recuperate its systems and resume regular operations following a cyber-attack that has severely disrupted its services, making it the most recent significant media entity to be targeted.

With no Sunday paper and delayed online content, this cyber-attack represents the most severe interruption for the Inquirer in recent memory.

The FBI has been notified of the cyber-attack on Philadelphia's foremost newspaper. News organisations are facing an increasing number of sophisticated cyber-attacks, joining ranks with government bodies, hospitals, universities, and businesses.

In December, the Guardian fell victim to a ransomware attack, during which staff personal data in the UK and US was accessed. The incident, likely instigated by a phishing attempt, resulted in the closure of the Guardian offices for several months, despite the print edition remaining unaffected.

Details about the attack on the Inquirer are still sparse. It's unknown whether personal data was compromised, which systems were affected, or the identity and motives of the attackers.

Ongoing Phishing Campaign Deploys XWorm Malware, Targets German Manufacturing and Healthcare Sectors

Cyber security researchers have reported an ongoing phishing campaign that ingeniously employs a distinctive attack chain to plant the XWorm malware on specific systems. This malicious campaign is being actively tracked under the moniker MEME#4CHAN.

The victims of this campaign are primarily entities within the manufacturing and healthcare sectors, located predominantly in Germany. This geographic and sector-specific focus suggests a calculated strategy by the attackers, although their exact origins remain uncertain at this time. However, the researchers have stated that the attack methodology bears resemblances to the modus operandi of TA558, a threat actor previously associated with attacks on the hospitality industry.

The attack begins with a phishing attempt where the attackers distribute decoy Microsoft Word documents, which unsuspecting users are likely to open. Uniquely, these documents do not rely on macros, a usual instrument in such attacks, but instead weaponise the Follina vulnerability (CVE-2022-30190), a recently identified weakness with a CVSS score of 7.8. This exploitation results in the dropping of an obfuscated PowerShell script onto the targeted system.

Following the successful execution of the initial stage, the threat actors exploit the PowerShell script to bypass the Antimalware Scan Interface (AMSI), a built-in security measure in modern Windows operating systems. Simultaneously, they manage to disable Microsoft Defender, a vital layer of system security, thus leaving the system highly vulnerable. The threat actors then establish persistence on the compromised system, paving the way for the launch of the .NET binary containing the XWorm malware.

XWorm is a multifunctional malware available for purchase on underground forums. It comes loaded with a wide range of features that allow it to harvest sensitive information from infected systems. Furthermore, it is a veritable Swiss Army knife of cyber threats, capable of executing clipper, DDoS, and ransomware operations, spreading via USB drives, and dropping additional malware payloads. This highlights the multifaceted threat that the XWorm malware poses to affected systems, and by extension, the criticality of the ongoing MEME#4CHAN phishing campaign.

USA issues $10 million Bounty for Russian Hacker and former Apple engineer charged for selling secrets to China

US officials have set a $10m bounty on Mikhail Matveev, a self-proclaimed Russian elite hacker from Kaliningrad. Matveev, alias Wazawaka, is believed to be a key figure in the Hive, LockBit, and Babuk ransomware syndicates. The 30-year-old drew attention for a disturbing video where he flaunted a self-amputated finger, allegedly due to a lost wager.

Previously, LockBit had targeted Royal Mail, demanding a £66m ransom after compromising their parcel sorting software. The mail service denied the request, which was made in cryptocurrency for the restoration of their system.

Additionally, Matveev is implicated in the 2021 theft of home addresses of Washington DC officers and the purported exposure of numerous police informants.

Separately, former Apple engineer Weibao Wang is facing charges for allegedly attempting to steal trade secrets before absconding to China. Wang is accused of trying to pilfer the company's "entire autonomy source code," the software behind Apple's future self-driving car. The 37-year-old had access to sensitive databases only accessible to 2% of Apple's workforce and reportedly amassed stolen data at his California residence before fleeing post a police search.

A newly formed US body, the Disruptive Technology Strike Force, charged another Chinese national for allegedly trying to sell confidential graphite technology to Iran for missile use.

Fallout from Capita breach continues

Outsourcing company Capita is facing more fallout from the March data breach, as client Colchester Council criticised it for "improper storage of personal data". The council has voiced "extreme disappointment" after a significant data breach was revealed.

Several other local authorities are also thought to have been impacted by the incident. Capita provides services to many local authorities, including Colchester, Barking and Dagenham, and Barnet. School data in Sheffield was compromised in a March hack linked to Capita.

The aftermath of the March cyberattack continues, with Capita informing its pension trustee clients last week that the investigation into the breach is taking longer than expected due to its complexity.

Capita is yet to provide a specific completion date for the analysis but aims for around May 27. USS, the UK's largest private sector pension plan and a client of Capita, recently warned that the personal data of approximately 500,000 members may have been stolen during the cyber attack.

Capita also provides various services to central government departments, including the Ministry of Defence, administering recruitment for the army and training for the Royal Navy and defence fire and rescue services.