Weekly Cyber News Roundup

May 22nd to May 26th 2023

Contents

01. Vulnerabilities
02. News Bites
  • Black Basta Ransomware Gang confirmed as culprits of Rheinmetall cyber attack
  • Cuba Ransomware Gang claims responsibility for Philadelphia Inquirer attack
  • Dorchester School hit by Ransomware
  • Ukraine issues warning over cyber espionage attempts on state agencies
03. Conclusion

Vulnerabilities 

Cisco has published a notice that outlines nine security weaknesses along with their corresponding fixes. These vulnerabilities affect the company's Small Business series of network switches, devices crucial for facilitating communication between various hardware components.

The advisory states that these vulnerabilities arise from inadequate validation of incoming requests to the switch's web interface.

Four of these vulnerabilities are particularly alarming, as they could grant an attacker the ability to run arbitrary code with root-level privileges on a compromised device. In the hands of a successful attacker, these vulnerabilities could be exploited to download confidential files, misappropriate data, or modify the system settings to create further access points.

Each of the potential exploits, if leveraged, could cause the affected device to enter a denial-of-service state, making it unreachable or inoperative. This implies that a cybercriminal could exploit a vulnerability to infiltrate a switch and utilize it as a bot in a distributed denial-of-service (DDoS) attack. DDoS attacks have seen a significant rise in use over recent months, notably being deployed by hacktivists amid the ongoing conflict between Russia and Ukraine.

The security flaws are independent of each other, so each can be exploited on its own. As stated in the advisory, "One vulnerability's exploitation does not necessitate the exploitation of another." It further adds, "A software update impacted by one vulnerability may not be susceptible to the other vulnerabilities." Given the extensive use of Cisco networking equipment in corporate networks, these vulnerabilities could have severe consequences.

Last month, the UK's National Cyber Security Centre (NCSC) issued an alert about APT28, a notorious cybercrime group sponsored by the Russian government and also known as Fancy Bear. This group was reportedly installing malware on inadequately maintained, unpatched Cisco routers by exploiting a weakness first identified in 2017.

Quick News Bites

Black Basta Ransomware Gang strikes Multinational Tech Firm ABB

ABB, the Swiss multinational specialising in electrification and automation technologies, has been hit by a ransomware attack orchestrated by the Black Basta group, affecting its business activities.

The attack reportedly took place on May 7th and saw the company become the latest target of the increasingly active Black Basta ransomware group, a cybercrime faction that emerged in April 2022.

With its headquarters in Zurich, Switzerland, ABB designs industrial control systems (ICS) and SCADA systems for manufacturers and energy providers. Its broad client base includes companies such as Volvo, Hitachi and DS Smith as well as local governments such as the cities of Nashville and Zaragoza.

According to reports on BleepingComputer, several employees said that the ransomware strike impacted the company's Windows Active Directory, affecting a significant number of devices. To mitigate the attack, ABB severed VPN connections with its clients to inhibit the ransomware's proliferation to other networks.

The assault disrupted ABB's operations, causing project delays and affecting factory performance. ABB initially declined to comment but released a statement after the incident was reported.

"ABB recently detected an IT security incident that directly affected certain locations and systems," the company said.

Cuba Ransomware Gang claims responsibility for Philadelphia Inquirer attack

The Cuba ransomware group has taken credit for the recent cyberattack on The Philadelphia Inquirer, which caused a temporary disruption in the newspaper's distribution and interfered with various business functions.

The Philadelphia Inquirer, the largest newspaper in Philadelphia in terms of circulation, is among the three longest-operating daily newspapers in the United States with a history dating back to 1829. It has earned 20 Pulitzer Prizes for its outstanding journalistic contributions. On May 14th, The Inquirer revealed it had been the target of a cyberattack, leading its IT department to disconnect computer systems to halt the attack's proliferation. Kroll, a forensic firm, was hired to inspect the "unusual activity."

Data that is now openly accessible on Cuba's extortion platform includes financial records, communications with bank personnel, account transactions, financial statements, tax files, compensation details, and source code. The public release of all purloined files signifies that the newspaper declined to comply with the ransom demand, leading to a stalemate in the extortion process.

Dorchester School hit by Ransomware

Following a cyberattack, Thomas Hardye School in Dorchester has been unable to utilise its email system or process payments.

The school, which serves over 2,000 students, experienced an attack on Sunday that resulted in the locking of its screens and systems. Accompanied by a ransom demand payable via the dark web, the attack has rendered functions like canteen payments, records, and emails that are reliant on the school's server inaccessible since the incident. Parents have been requested to communicate via phone in the interim.

The school has declared it will not comply with the ransom demand and is collaborating with the National Cyber Security Centre and the police to rectify the situation.

Schools and educational institutions often become targets for hackers for several reasons. Firstly, they hold a wealth of personal and financial information about students, staff, and parents, making them lucrative targets. Secondly, they often lack robust cybersecurity measures due to budget constraints, making them easier targets. Lastly, their systems are usually interconnected and widely used, meaning a successful attack can cause significant disruption, increasing the likelihood of a ransom being paid.

USA issues $10 million Bounty for Russian Hacker and former Apple engineer charged for selling secrets to China

US officials have set a $10m bounty on Mikhail Matveev, a self-proclaimed Russian elite hacker from Kaliningrad. Matveev, alias Wazawaka, is believed to be a key figure in the Hive, LockBit, and Babuk ransomware syndicates. The 30-year-old drew attention for a disturbing video where he flaunted a self-amputated finger, allegedly due to a lost wager.

Previously, LockBit had targeted Royal Mail, demanding a £66m ransom after compromising its parcel sorting software. The mail service refused the demand, which was to be paid in cryptocurrency in exchange for the restoration of its systems.

Additionally, Matveev is implicated in the 2021 theft of home addresses of Washington DC officers and the purported exposure of numerous police informants.

Separately, former Apple engineer Weibao Wang is facing charges for allegedly attempting to steal trade secrets before absconding to China. Wang is accused of trying to pilfer the company's "entire autonomy source code," the software behind Apple's future self-driving car. The 37-year-old had access to sensitive databases only accessible to 2% of Apple's workforce and reportedly amassed stolen data at his California residence before fleeing after a police search.

A newly formed US body, the Disruptive Technology Strike Force, charged another Chinese national for allegedly trying to sell confidential graphite technology to Iran for missile use.

Ukraine issues warning over cyber espionage attempts on state agencies

Ukraine's Computer Emergency Response Team (CERT-UA) has issued a warning about cyber-espionage attacks targeting the nation's state agencies. The attacks are attributed to a threat actor tracked as UAC-0063, active since 2021, which uses phishing to deliver malicious tools onto compromised systems. The identity of the hacking group remains undisclosed.

In the described attack pattern, the threat actor sent emails posing as the Embassy of Tajikistan in Ukraine to an unspecified ministry. These emails, believed to originate from a previously compromised account, contained a Microsoft Word attachment. On enabling macros, an encoded VBScript called HATVIBE is activated, introducing further malware into the system. This includes a keylogger (LOGPIE), a Python-based backdoor (CHERRYSPY), and a file-exfiltrating tool (STILLARCH or DownEx).

Bitdefender recently highlighted DownEx's usage by an anonymous actor in highly targeted attacks on Kazakhstan and Afghanistan's government bodies. CERT-UA's examination revealed the group's interest extends to organizations in Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India.

The investigation underscores that some threat actors persist in using macro-based malware, despite Microsoft's default blocking of macros in Office files downloaded from the internet. Consequently, several attack groups have adapted their attack strategies and payload delivery, employing alternative file types (CHM, ISO, LNK, VHD, XLL, and WSF) and techniques such as HTML smuggling.
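A defender-side attachment triage script, added here as an illustration (it is not CERT-UA's, Bitdefender's or Integrity360's code): it flags the container and script file types listed above and, for OOXML Office files, opens the zip container to check for an embedded vbaProject.bin, which is the part Office executes when a user enables macros. The macro-enabled Office extensions, the sample attachments and the hypothetical function names are assumptions constructed for the example.

```python
"""Attachment triage for the delivery techniques described in the roundup.

Added illustration, not CERT-UA's, Bitdefender's or Integrity360's tooling.
All sample files below are constructed in memory.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions named in the roundup, plus macro-enabled Office formats (an
# assumption added for this example).
RISKY_EXTENSIONS = {
    ".chm", ".iso", ".lnk", ".vhd", ".vhdx", ".xll", ".wsf",
    ".docm", ".dotm", ".xlsm", ".pptm",
}
# OOXML types worth opening to look for an embedded VBA project.
OOXML_EXTENSIONS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}


def has_vba_project(data: bytes):
    """Return True/False if `data` is an OOXML zip with/without a VBA project,
    or None when it is not a readable zip (legacy .doc, truncated file, etc.).
    Macros in OOXML live in a part named vbaProject.bin under word/, xl/ or ppt/."""
    if not data.startswith(b"PK"):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(PurePosixPath(n).name.lower() == "vbaproject.bin"
                       for n in z.namelist())
    except zipfile.BadZipFile:
        return None


def triage_attachment(name: str, data: bytes) -> dict:
    """Classify one attachment by name and content; the verdict is
    "allow" or "quarantine" with the reasons that led to it."""
    ext = PurePosixPath(name.lower()).suffix
    reasons = []
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"extension {ext} is a script, container or macro-enabled type")
    vba = has_vba_project(data) if ext in OOXML_EXTENSIONS else None
    if vba:
        reasons.append("embedded VBA project found")
        if ext in {".docx", ".xlsx", ".pptx"}:
            # Office will not run macros from these names, but a VBA project
            # inside one usually means a renamed macro-enabled file.
            reasons.append("macro project inside a non-macro extension")
    elif vba is None and ext in OOXML_EXTENSIONS:
        reasons.append("OOXML extension but content is not a zip container (format mismatch)")
    return {
        "name": name,
        "risky_extension": ext in RISKY_EXTENSIONS,
        "has_vba_project": vba,
        "verdict": "quarantine" if reasons else "allow",
        "reasons": reasons,
    }


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style zip (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed stand-in for the OLE-format VBA project part.
            z.writestr("word/vbaProject.bin",
                       b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


# Constructed attachment set: (filename, bytes).
SAMPLE_ATTACHMENTS = [
    ("quarterly_report.docx", build_ooxml(with_macro=False)),
    ("embassy_note.docm", build_ooxml(with_macro=True)),
    ("agenda.docx", build_ooxml(with_macro=True)),       # renamed macro document
    ("installer.iso", b"constructed ISO placeholder"),
    ("minutes.txt", b"plain text"),
]


def triage_all(attachments=SAMPLE_ATTACHMENTS):
    return [triage_attachment(n, d) for n, d in attachments]


if __name__ == "__main__":
    for result in triage_all():
        print(f"{result['name']:24} {result['verdict']:10} {'; '.join(result['reasons'])}")
```

The extension check alone is what the macro-blocking default pushed attackers to route around, which is why the content check matters: a macro project inside a file named .docx is a format mismatch worth holding regardless of how the name looks to a mail filter.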

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.

Need advice?

If you are worried about any of the threats outlined in this roundup or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or fill in the form for a complimentary no-commitment consultation.

More detailed threat intelligence news?

If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.

We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.


Cyber Security Conference

LONDON | 28 April 2022
DUBLIN | 11 May 2022

Join us in Dublin or London for the Security First 2022 conference. We'll be bringing together industry professionals and specialist experts to discuss the latest cyber security trends and offer actionable advice on preparing your business to put security first in 2022.