Weekly Cyber News Roundup

March 27th to 31st 2023

Content

01. This week’s observation from our Incident Response Team 
02. Vulnerabilities
03. News Bites
  • Crown Resorts Probes Possible Data Compromise Following Assertions from Ransomware Collective

  • Linus Tech Tips YouTube channel hacked to spread cryptocurrency scam

  • Hackers steal employee data from UK Pension Protection Fund

04. Conclusion

A Note From The Cyber Threat Response Team

Recent data released by NCC Group shows a 45% increase in ransomware attacks in February, with much of the spike attributed to heightened activity by the Lockbit ransomware gang following the well-publicised Royal Mail attack in January. Of the 240 ransomware incidents recorded in February, Lockbit was responsible for 129 (54%), up from the 50 cases documented in the previous month.

Although the exact reason behind Lockbit's surge in activity remains unclear, it can be conjectured that the group's success and subsequent profits have enabled them to expand their operational resources. Another possibility is that they have stepped up their efforts in response to growing resistance to their demands. As organisations become more knowledgeable about ransomware gangs and their tactics, the number of paid ransoms has dwindled. Consequently, groups like Lockbit are likely to broaden their scope and target a larger number of businesses in search of victims willing to pay the ransom.

To counter ransomware, individuals and organisations should take a proactive approach to cyber security. This includes patching promptly, using strong and unique passwords, and enforcing multi-factor authentication. It is also crucial to maintain up-to-date backups of important data, kept offline or immutable and tested regularly, so that recovery never depends on the attacker's decryption key. Organisations should also invest in employee training to raise awareness of threats such as phishing emails and to promote safe online practices.

Finally, in the event of a ransomware attack, it is advised to seek professional help from cyber security experts and law enforcement to handle the situation appropriately, instead of giving in to the attackers' demands. By adopting these strategies, businesses can reduce the likelihood of falling victim to ransomware and mitigate the impact of any potential attacks.

Vulnerabilities 

A critical flaw, CVE-2023-23397, has been identified in Microsoft Outlook for Windows, posing a significant risk to users of the widely used email client.

CVE-2023-23397 is an elevation of privilege vulnerability in Microsoft Outlook for Windows, not a code execution bug as some early reports described it. A crafted message, typically a calendar invitation or task with a reminder, carries an extended MAPI property (PidLidReminderFileParameter) that points the reminder's custom notification sound at a UNC path on an attacker-controlled server. When the reminder fires, Outlook connects to that path and authenticates to it, leaking the user's Net-NTLMv2 hash. The attacker can relay that authentication to other services that accept NTLM, or crack the hash offline to recover the password.

Due to its impact and ease of exploitation, CVE-2023-23397 is rated critical (CVSS 9.8). It affects all supported versions of Outlook for Windows, including Outlook 2016, 2019 and 2021 and Microsoft 365 Apps for enterprise. Outlook for Android, iOS and macOS and Outlook on the web are not affected.

Exploitation needs no attachment and no user interaction: the trigger is the reminder itself, which fires even if the message is never opened or shown in the preview pane, so user caution offers no protection. Microsoft reported that the flaw had been exploited in the wild since April 2022, before the fix was available, and attributed the attacks to the Russian state actor APT28 (tracked by Microsoft as Forest Blizzard, formerly STRONTIUM) against government, military, energy and transport organisations in Europe.

Detecting and Mitigating CVE-2023-23397: Microsoft fixed the flaw in the March 2023 Patch Tuesday updates (14 March 2023) for all affected Outlook versions. Apply these promptly via Microsoft Update or download them from the Microsoft Security Response Center (MSRC) advisory.

Additional measures to reduce the risk from CVE-2023-23397, drawn from Microsoft's guidance, include:

  1. Adding privileged and high-value accounts to the Protected Users security group in Active Directory, which prevents them from authenticating with NTLM, so a leaked hash is of no use to the attacker. Test first, as this also breaks legitimate NTLM dependencies.
  2. Blocking outbound TCP 445 (SMB) at the perimeter firewall, on host firewalls and in VPN client configuration, so that Outlook cannot reach an external share and the authentication never leaves the network.
  3. Running Microsoft's audit script (CVE-2023-23397.ps1) against Exchange Server or Exchange Online mailboxes to find messages, calendar items and tasks that carry the PidLidReminderFileParameter property, and removing the property or the items it is found on.
  4. Hunting for outbound SMB connections from user workstations to internet addresses, and for NTLM authentication from Outlook to hosts that are not file servers; treating any account whose hash may have leaked as compromised and resetting its password.
  5. Keeping email filtering and phishing training in place, while recognising that neither stops this attack on its own, since no click is needed and the malicious item looks like an ordinary meeting or task.
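As an added, illustrative example (not code from Integrity360 or Microsoft), the following Python triage script shows the two checks that steps 3 and 4 above imply: classifying reminder sound paths pulled from mailbox items, and flagging outbound SMB sessions to non-internal addresses in firewall logs. The internal address ranges, the internal DNS suffix corp.example, the sample reminder paths and the firewall log format are all assumptions constructed for the example; in practice the paths would come from the output of Microsoft's audit script or your own mailbox export, and the log lines from your perimeter or host firewall.

```python
import ipaddress
import re

# Assumption: the organisation's internal address space is RFC 1918.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: internal DNS suffixes; any other hostname is treated as external.
INTERNAL_DOMAINS = ("corp.example",)

# \\host\share\... or \\host@SSL@443\share\... (WebDAV-style UNC); group 1 is the host.
UNC_RE = re.compile(r"^\\\\([^\\/@]+)(?:@[^\\/]+)?[\\/]")


def is_internal_host(host, internal_domains=INTERNAL_DOMAINS):
    """True if host is an address inside INTERNAL_NETS or a name under an internal suffix."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        name = host.lower().rstrip(".")
        return any(name == d or name.endswith("." + d) for d in internal_domains)
    return any(addr in net for net in INTERNAL_NETS)


def classify_reminder_path(path, internal_domains=INTERNAL_DOMAINS):
    """Classify a PidLidReminderFileParameter value.

    'local'        - drive-letter or relative path: no network authentication
    'internal-unc' - UNC to an internal host: unusual for a reminder sound, verify it
    'external-unc' - UNC to an external host: Outlook will authenticate to it
                     (the CVE-2023-23397 pattern)
    """
    m = UNC_RE.match(path)
    if not m:
        return "local"
    return "internal-unc" if is_internal_host(m.group(1), internal_domains) else "external-unc"


# Constructed sample property values (not taken from any real mailbox).
SAMPLE_REMINDER_PATHS = [
    r"C:\Windows\Media\Alarm01.wav",
    r"\\fileserver.corp.example\sounds\ding.wav",
    r"\\203.0.113.10\share\reminder.wav",
    r"\\evil.example.net@80\dav\x.wav",
]

# Constructed firewall log lines in an assumed
# "<timestamp> <action> tcp <src>:<port> -> <dst>:<port>" format.
SAMPLE_FW_LOG = """\
2023-03-14T09:12:01Z allow tcp 10.0.4.21:50112 -> 10.0.1.5:445
2023-03-14T09:12:07Z allow tcp 10.0.4.21:50118 -> 203.0.113.10:445
2023-03-14T09:12:09Z allow tcp 10.0.4.21:50120 -> 198.51.100.7:443
2023-03-14T09:12:15Z deny  tcp 10.0.4.33:50131 -> 198.51.100.9:139
"""
FW_RE = re.compile(r"^(\S+)\s+(allow|deny)\s+tcp\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")
SMB_PORTS = {445, 139}


def flag_outbound_smb(log_text):
    """Return (timestamp, action, src, dst, dport) for SMB/NetBIOS sessions to non-internal hosts.

    An 'allow' is a probable Net-NTLMv2 leak from the source host. A 'deny' shows the
    perimeter block working, but still names a host whose Outlook tried to reach an
    external share and should be investigated.
    """
    hits = []
    for line in log_text.splitlines():
        m = FW_RE.match(line.strip())
        if not m:
            continue
        ts, action, src, _sport, dst, dport = m.groups()
        if int(dport) in SMB_PORTS and not is_internal_host(dst):
            hits.append((ts, action, src, dst, int(dport)))
    return hits


if __name__ == "__main__":
    for p in SAMPLE_REMINDER_PATHS:
        print(f"{classify_reminder_path(p):13} {p}")
    for hit in flag_outbound_smb(SAMPLE_FW_LOG):
        print("outbound SMB:", *hit)
```

Any reminder path classified as external-unc is a finding in its own right, whether or not the reminder has fired yet, and the source host of any flagged SMB session should be treated as having already leaked a hash unless the session was denied.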

CVE-2023-23397 is a critical Microsoft Outlook vulnerability with severe consequences if left unaddressed, not least because it was already being exploited before the fix was available. Understanding how it works, applying the March 2023 patches and following the mitigation steps above will protect your systems and data. Stay vigilant and prioritise the security of your email environment to defend your organisation against this and other cyber threats.

Quick News Bites

Crown Resorts Probes Possible Data Compromise Following Assertions from Ransomware Collective

Australian casino giant Crown Resorts has disclosed a possible data breach after a ransomware group claimed to have stolen a number of its files. The company says it is prioritising the investigation into whether the claims are genuine.

A representative for Crown Resorts said on Monday that the attackers claimed to have obtained the files through the GoAnywhere MFT file transfer service. About two months earlier, its US-based developer, Fortra, had disclosed that attackers were exploiting a zero-day in GoAnywhere; the resulting campaign has affected several organisations, including mining giant Rio Tinto.

As reported by News.com.au, the spokesperson stated, "We can confirm no customer data has been compromised and our business operations have not been impacted." They added, "We are continuing to work with law enforcement and have notified our gaming regulators as part of the ongoing investigation and will provide relevant updates, as necessary."

Australia has seen numerous organisations hit by hackers in recent months with the fallout from the massive Latitude Financial Services breach still making waves.

Linus Tech Tips YouTube channel hacked to spread cryptocurrency scam

The popular YouTube channel Linus Tech Tips, along with two additional channels from Linus Media Group, have been reinstated after a significant security breach enabled a malicious individual to perform actions such as broadcasting cryptocurrency scam livestreams, altering channel names, and even erasing videos. In a recent video, Linus Sebastian, the owner, clarifies that the intrusion managed to bypass standard security measures like passwords and two-factor authentication by exploiting session tokens, which maintain user logins on websites.

Sebastian revealed that a member of the Linus Media Group team downloaded what appeared to be a sponsorship proposal from a prospective partner and opened the attached PDF containing the supposed terms of the agreement. The file was in fact malware designed to harvest "all user data from both their installed browsers", including session tokens. With those, the attacker could build an "exact copy" of the affected browsers, export it and operate the channels without ever entering a password or second factor. The lesson for defenders is that a session cookie is a bearer credential: once stolen it is accepted as proof of a completed login, so multi-factor authentication at sign-in does not protect it. Recovery therefore means revoking all active sessions for the account and rebuilding the infected machine, not only changing the password. This incident is a reminder to stay alert to phishing lures that can lead to serious breaches, and an increasing number of YouTube channels are being targeted in this way.

Hackers steal employee data from UK Pension Protection Fund

Cybercriminals gained access to data belonging to several employees of the UK's Pension Protection Fund by exploiting a third-party data transfer service, as stated by a spokesperson for the fund.

Managing £39 billion in assets for its 295,000 members, the Pension Protection Fund safeguards individuals with defined benefit pensions whose employers become insolvent. The attackers exploited the GoAnywhere transfer service, compromising some employee data, according to Jenny Peters, the fund's spokesperson.

Peters explained that the hackers accessed a portion of the fund's data via GoAnywhere, which it uses for certain secure data transfers. She emphasised that the stolen information "was not related to our members or pensioners."

Affected employees were offered support in the form of an Experian monitoring service.

The ransomware group Cl0p claimed on Thursday that it had targeted the organisation. Cl0p published a post on its website, listing the Pension Protection Fund as one of its recent victims. This group is notorious for using ransomware to encrypt victims' computers, rendering them inaccessible, and then demanding payment for the decryption key while concurrently threatening to release stolen information online.

In early February, GoAnywhere's developer, Fortra, revealed that cybercriminals had exploited a zero-day vulnerability in the product, since assigned CVE-2023-0669: a pre-authentication remote code execution flaw in the GoAnywhere MFT administrative console, fixed in version 7.1.2. Fortra's guidance was to patch and to keep the administrative console off the internet, or restrict it to trusted addresses. The Cl0p gang claimed to have used this flaw to steal data from over 130 organisations.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.

More detailed threat intelligence news?

If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.

We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
