Black Basta Ransomware Gang strikes Multinational Tech Firm ABB
Philadelphia Inquirer becomes the latest newspaper to fall victim to Ransomware
Ongoing Phishing Campaign Deploys XWorm Malware, Targets German Manufacturing and Healthcare Sectors
Fallout from Capita breach continues
Welcome to our weekly cyber news roundup, where we bring you the latest and most important updates from the world of cyber security.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added new Linux-related security flaws to its Known Exploited Vulnerabilities (KEV) catalogue.
Seven vulnerabilities were added on Friday, including issues in Ruckus APs, Red Hat Polkit, the Linux kernel, the Jenkins UI, Apache Tomcat, and Oracle Java SE and JRockit. The Ruckus flaw has been exploited by the AndoryuBot DDoS botnet.
The additions are CVE-2023-25717, a cross-site request forgery and remote code execution vulnerability found in several Ruckus Wireless products; CVE-2021-3560, an incorrect authorisation vulnerability in Red Hat Polkit; CVE-2014-0196, a race condition in the Linux kernel; CVE-2010-3904, another Linux kernel vulnerability, this one caused by improper input validation; CVE-2015-5317, a Jenkins user interface issue leading to information disclosure; CVE-2016-3427, an unspecified vulnerability in both Oracle Java SE and JRockit; and finally CVE-2016-8735, a remote code execution vulnerability in Apache Tomcat.
While no public reports describe exploitation of the other vulnerabilities, they all share a connection to Linux: NIST's advisories for these flaws reference advisories from various Linux distributions, including impact details and available patches.
CISA only lists a vulnerability when there is solid evidence of exploitation. A year ago, the agency was the first to warn that the Linux vulnerability known as PwnKit was being exploited.
ABB, the Swiss multinational specialising in electrification and automation technologies, has been hit by a ransomware attack orchestrated by the Black Basta group, affecting its business activities.
The attack reportedly took place on May 7th and saw the company become the latest target of the increasingly active Black Basta ransomware group, a cybercrime faction that emerged in April 2022.
Headquartered in Zurich, Switzerland, ABB designs industrial control systems (ICS) and SCADA systems for manufacturers and energy providers, serving a broad client base that includes Volvo, Hitachi and DS Smith as well as local governments such as the cities of Nashville and Zaragoza.
According to reports on BleepingComputer, several employees said that the ransomware strike hit the company's Windows Active Directory and affected a significant number of devices. To contain the attack, ABB severed VPN connections with its clients to stop the ransomware spreading to other networks.
The attack disrupted ABB's operations, causing project delays and affecting factory performance. After initially declining to comment, ABB released a statement once the incident had been reported.
"ABB recently detected an IT security incident that directly affected certain locations and systems," the company said.
The Philadelphia Inquirer is actively working to restore its systems and resume normal operations following a cyber-attack that severely disrupted its services, making it the latest major media organisation to be targeted.
With no Sunday paper and delayed online content, this cyber-attack represents the most severe interruption for the Inquirer in recent memory.
The FBI has been notified of the cyber-attack on Philadelphia's foremost newspaper. News organisations are facing an increasing number of sophisticated cyber-attacks, joining ranks with government bodies, hospitals, universities, and businesses.
In December, the Guardian fell victim to a ransomware attack, during which staff personal data in the UK and US was accessed. The incident, likely instigated by a phishing attempt, resulted in the closure of the Guardian offices for several months, despite the print edition remaining unaffected.
Details about the attack on the Inquirer are still sparse. It's unknown whether personal data was compromised, which systems were affected, or the identity and motives of the attackers.
Cyber security researchers have reported an ongoing phishing campaign that uses an unusual attack chain to plant the XWorm malware on targeted systems. The campaign is being tracked under the moniker MEME#4CHAN.
The victims of this campaign are primarily entities within the manufacturing and healthcare sectors, located predominantly in Germany. This geographic and sector-specific focus suggests a calculated strategy by the attackers, although their exact origins remain uncertain at this time. However, the researchers have stated that the attack methodology bears resemblances to the modus operandi of TA558, a threat actor previously associated with attacks on the hospitality industry.
The attack begins with a phishing email carrying decoy Microsoft Word documents that unsuspecting users are likely to open. Unusually, these documents do not rely on macros, the usual instrument in such attacks, but instead weaponise the Follina vulnerability (CVE-2022-30190), a recently identified weakness with a CVSS score of 7.8. Exploiting it drops an obfuscated PowerShell script onto the targeted system.
Once the initial stage has run, the threat actors use the PowerShell script to bypass the Antimalware Scan Interface (AMSI), a built-in security measure in modern Windows operating systems. At the same time they disable Microsoft Defender, a vital layer of system security, leaving the system highly exposed. The threat actors then establish persistence on the compromised system, paving the way for the launch of the .NET binary containing the XWorm malware.
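The Follina-to-PowerShell-to-Defender-tampering chain described above lends itself to process-creation detection. The following is an added example, not code from the original bulletin or from the researchers who reported the campaign: three rules run over constructed Sysmon-style events, and the field names, the list of Office and troubleshooter process names (sdiagnhost.exe is assumed), and the rule names are assumptions.

```python
import re

# Constructed sample of Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4188, "image": r"C:\Windows\System32\msdt.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "msdt.exe ms-msdt:/id PCWDiagnostic"},
    {"pid": 4201, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\msdt.exe",
     "command_line": "powershell.exe -w hidden -enc SQBFAFgA"},
    {"pid": 4233, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 4300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File backup.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# msdt.exe / sdiagnhost.exe are the troubleshooter processes the Follina chain runs through (assumed).
SCRIPT_STAGE_PARENTS = OFFICE_APPS | {"msdt.exe", "sdiagnhost.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
ENCODED_FLAG = re.compile(r"(?i)-e(c|nc|ncodedcommand)?\b")  # -e, -ec, -enc, -EncodedCommand


def basename(path):
    """Lower-cased file name of a Windows path, so rules compare exact image names."""
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(event):
    """Return the names of every rule a single process-creation event triggers."""
    image, parent = basename(event["image"]), basename(event["parent_image"])
    cmd = event.get("command_line", "")
    hits = []
    # Stage 1: a Word document with no macros hands off to msdt.exe (CVE-2022-30190).
    if parent in OFFICE_APPS and image == "msdt.exe":
        hits.append("follina_office_spawns_msdt")
    # Stage 2: the troubleshooter (or Office itself) launches encoded/obfuscated PowerShell.
    if parent in SCRIPT_STAGE_PARENTS and image in POWERSHELL and ENCODED_FLAG.search(cmd):
        hits.append("encoded_powershell_from_follina_chain")
    # Stage 3: real-time protection switched off via Set-MpPreference, from any parent.
    low = cmd.lower()
    if "set-mppreference" in low and "-disablerealtimemonitoring" in low:
        hits.append("defender_realtime_disabled")
    return hits


def detect(events):
    """Run every rule over a batch of events; returns (pid, rule) pairs in event order."""
    return [(e["pid"], rule) for e in events for rule in match_rules(e)]
```

The benign `-ExecutionPolicy` launch from explorer.exe produces no hit, while each stage of the chain above yields exactly one.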
XWorm is a multifunctional malware available for purchase on underground forums. It comes loaded with a wide range of features that allow it to harvest sensitive information from infected systems. Furthermore, it is a veritable Swiss Army knife of cyber threats, capable of executing clipper, DDoS, and ransomware operations, spreading via USB drives, and dropping additional malware payloads. This highlights the multifaceted threat that the XWorm malware poses to affected systems, and by extension, the criticality of the ongoing MEME#4CHAN phishing campaign.
US officials have set a $10m bounty on Mikhail Matveev, a self-proclaimed Russian elite hacker from Kaliningrad. Matveev, alias Wazawaka, is believed to be a key figure in the Hive, LockBit, and Babuk ransomware syndicates. The 30-year-old drew attention for a disturbing video where he flaunted a self-amputated finger, allegedly due to a lost wager.
Previously, LockBit had targeted Royal Mail, demanding a £66m ransom after compromising their parcel sorting software. The mail service denied the request, which was made in cryptocurrency for the restoration of their system.
Additionally, Matveev is implicated in the 2021 theft of home addresses of Washington DC officers and the purported exposure of numerous police informants.
Separately, former Apple engineer Weibao Wang is facing charges for allegedly attempting to steal trade secrets before absconding to China. Wang is accused of trying to pilfer the company's "entire autonomy source code," the software behind Apple's future self-driving car. The 37-year-old had access to sensitive databases available to only 2% of Apple's workforce and reportedly amassed stolen data at his California residence before fleeing after a police search.
A newly formed US body, the Disruptive Technology Strike Force, charged another Chinese national for allegedly trying to sell confidential graphite technology to Iran for missile use.
Outsourcing company Capita is facing more fallout from the March data breach, as client Colchester Council criticised it for "improper storage of personal data". The council has voiced "extreme disappointment" after a significant data breach was revealed.
Several other local authorities are also thought to have been impacted by the incident. Capita provides services to many local authorities, including Colchester, Barking and Dagenham, and Barnet. School data in Sheffield was compromised in a March hack linked to Capita.
The aftermath of the March cyberattack continues, with Capita informing its pension trustee clients last week that the investigation into the breach is taking longer than expected due to its complexity.
Capita has yet to provide a specific completion date for the analysis but is aiming for around May 27. USS, the UK's largest private sector pension plan and a client of Capita, recently warned that the personal data of approximately 500,000 members may have been stolen during the cyber attack.
Capita also provides various services to central government departments, including the Ministry of Defence, administering recruitment for the army and training for the Royal Navy and defence fire and rescue services.
If you are worried about any of the threats outlined in this bulletin, or need help determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
Join us in Dublin or London for the Security First 2022 conference. We'll be bringing together industry professionals and specialist experts to discuss the latest cyber security trends and offer actionable advice on preparing your business to put security first in 2022.