Black Basta Ransomware Gang confirmed as culprits of Rheinmetall cyber attack
Cuba Ransomware Gang claims responsibility for Philadelphia Inquirer attack
Dorchester School hit by Ransomware
Cisco has published a notice that outlines nine security weaknesses along with their corresponding fixes. These vulnerabilities affect the company's Small Business series of network switches, devices crucial for facilitating communication between various hardware components.
The advisory states that these vulnerabilities arise from inadequate validation of incoming requests to the switch's web interface.
Four of these vulnerabilities are particularly alarming, as they could grant an attacker the ability to run arbitrary code with root-level privileges on a compromised device. In the hands of a successful attacker, these vulnerabilities could be exploited to download confidential files, misappropriate data, or modify the system settings to create further access points.
Each of the potential exploits, if leveraged, could cause the affected device to enter a denial-of-service state, making it unreachable or inoperative. This implies that a cybercriminal could exploit a vulnerability to infiltrate a switch and utilize it as a bot in a distributed denial-of-service (DDoS) attack. DDoS attacks have seen a significant rise in use over recent months, notably being deployed by hacktivists amid the ongoing conflict between Russia and Ukraine.
The security flaws are independent of each other, simplifying their exploitation potential. As stated in the advisory, "One vulnerability's exploitation does not necessitate the exploitation of another." It further adds, "A software update impacted by one vulnerability may not be susceptible to the other vulnerabilities." Given the extensive use of Cisco networking equipment in corporate networks, these vulnerabilities could have severe consequences.
Last month, the UK's National Cyber Security Centre (NCSC) issued an alert about APT28, a notorious cybercrime group sponsored by the Russian government and also known as Fancy Bear. This group was reportedly installing malware on inadequately maintained, unpatched Cisco routers by exploiting a weakness first identified in 2017.
ABB, the Swiss multinational specialising in electrification and automation technologies, has been hit by a ransomware attack orchestrated by the Black Basta group, affecting its business activities.
The attack reportedly took place on May 7th and saw the company become the latest target of the increasingly active Black Basta ransomware group, a cybercrime faction that emerged in April 2022.
With its headquarters in Zurich, Switzerland, ABB designs industrial control systems (ICS) and SCADA systems for manufacturers and energy providers, serving a broad client base and local governments, such as Volvo, Hitachi, DS Smith, and the cities of Nashville and Zaragoza.
According to reports on BleepingComputer, several employees said that the ransomware strike impacted the company's Windows Active Directory, affecting a significant number of devices. To mitigate the attack, ABB severed VPN connections with its clients to inhibit the ransomware's proliferation to other networks.
The assault disrupted ABB's operations, causing project delays and affecting factory performance. Following initial reluctance to comment, ABB later released a statement post-publication of the incident.
"ABB recently detected an IT security incident that directly affected certain locations and systems," the company said.
The Cuba ransomware group has taken credit for the recent cyberattack on The Philadelphia Inquirer, which caused a temporary disruption in the newspaper's distribution and interfered with various business functions.
The Philadelphia Inquirer, the largest newspaper in Philadelphia in terms of circulation, is among the three longest-operating daily newspapers in the United States with a history dating back to 1829. It has earned 20 Pulitzer Prizes for its outstanding journalistic contributions. On May 14th, The Inquirer revealed it had been the target of a cyberattack, leading its IT department to disconnect computer systems to halt the attack's proliferation. Kroll, a forensic firm, was hired to inspect the "unusual activity."
Data that is now openly accessible on Cuba's extortion platform includes financial records, communications with bank personnel, account transactions, financial statements, tax files, compensation details, and source code. The public release of all purloined files signifies that the newspaper declined to comply with the ransom demand, leading to a stalemate in the extortion process.
Following a cyberattack, Thomas Hardye School in Dorchester has been unable to utilise its email system or process payments.
The school, which serves over 2,000 students, experienced an attack on Sunday that resulted in the locking of its screens and systems. Accompanied by a ransom demand payable via the dark web, the attack has rendered functions like canteen payments, records, and emails that are reliant on the school's server inaccessible since the incident. Parents have been requested to communicate via phone in the interim.
The school has declared it will not comply with the ransom demand and is collaborating with the National Cyber Security Centre and the police to rectify the situation.
Schools and educational institutions often become targets for hackers because of several reasons. Firstly, they hold a wealth of personal and financial information about students, staff, and parents, making them lucrative targets. Secondly, they often lack robust cybersecurity measures due to budget constraints, making them easier targets. Lastly, their systems are usually interconnected and widely used, meaning a successful attack can cause significant disruption, increasing the likelihood of a ransom being paid.
US officials have set a $10m bounty on Mikhail Matveev, a self-proclaimed Russian elite hacker from Kaliningrad. Matveev, alias Wazawaka, is believed to be a key figure in the Hive, LockBit, and Babuk ransomware syndicates. The 30-year-old drew attention for a disturbing video where he flaunted a self-amputated finger, allegedly due to a lost wager.
Previously, LockBit had targeted Royal Mail, demanding a £66m ransom after compromising their parcel sorting software. The mail service denied the request, which was made in cryptocurrency for the restoration of their system.
Additionally, Matveev is implicated in the 2021 theft of home addresses of Washington DC officers and the purported exposure of numerous police informants.
Separately, former Apple engineer Weibao Wang is facing charges for allegedly attempting to steal trade secrets before absconding to China. Wang is accused of trying to pilfer the company's "entire autonomy source code," the software behind Apple's future self-driving car. The 37-year-old had access to sensitive databases only accessible to 2% of Apple's workforce and reportedly amassed stolen data at his California residence before fleeing post a police search.
A newly formed US body, the Disruptive Technology Strike Force, charged another Chinese national for allegedly trying to sell confidential graphite technology to Iran for missile use.
Ukraine's Computer Emergency Response Team (CERT-UA) has issued a warning about cyber-espionage attacks targeting the nation's state agencies. The attacks are associated with a threat actor, UAC-0063, known since 2021, employing phishing techniques to inject malicious tools into compromised systems. The identity of the hacking group remains undisclosed.
In the described attack pattern, the threat actor sent emails posing as the Embassy of Tajikistan in Ukraine to an unspecified ministry. These emails, believed to originate from a previously compromised account, contained a Microsoft Word attachment. On enabling macros, an encoded VBScript called HATVIBE is activated, introducing further malware into the system. This includes a keylogger (LOGPIE), a Python-based backdoor (CHERRYSPY), and a file-exfiltrating tool (STILLARCH or DownEx).
Bitdefender recently highlighted DownEx's usage by an anonymous actor in highly targeted attacks on Kazakhstan and Afghanistan's government bodies. CERT-UA's examination revealed the group's interest extends to organizations in Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India.
The investigation underscores that some threat actors persist in using macro-based malware, despite Microsoft's default disabling of macros in downloaded Office files. Consequently, several attack groups have innovated their attack strategies and payload delivery systems, employing unique file types (CHM, ISO, LNK, VHD, XLL, and WSF) and techniques such as HTML smuggling.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
Join us in Dublin or London for the Security First 2022 conference. We'll be bringing together industry professionals and specialist experts to discuss the latest cyber security trends and offer actionable advice on preparing your business to put security first in 2022.