Hello and welcome back to our blog. Here's a recap of some of the biggest and most thought-provoking stories of the week.
We begin at the U.S. Department of Justice, which this week announced the seizure of approximately $500,000 in Bitcoin paid to the operators of the Maui ransomware group by several American health care providers. Maui is a North Korean-backed ransomware operation focused on western healthcare and public health organizations. According to Acronis, the threat actors behind Maui use a command-line interface to interact with the ransomware remotely and to identify files to encrypt. These might include electronic health records services, diagnostics services, imaging services and intranet services.
The government of Albania is still recovering from a cyber attack. It was originally described as "massive". According to the Albanian Daily News, the attack on "e-Albania" lasted about a week and some of its services are still being restored. The government's Prosecutor's Office is currently investigating the incident and has registered numerous criminal offenses.
In a speech at Fordham University on Wednesday, FBI Assistant Director for Cyber Bryan Vorndran said the FBI is deeply worried that cybercriminals and nation-state adversaries are developing more precision in their attacks and taking advantage of innovations in artificial intelligence that will compound the digital threat in the years to come. Vorndran is especially concerned about how precise cyber criminals can be when it comes to choosing their targets.
Four interesting reports were released in the last week or so.
- Advanced Intelligence's (AdvIntel) report offers insight into the recent devastating ransomware attack against the government of Costa Rica. It should be noted that the attack occurred not long before Conti changed its focus. The report says Conti's entry point was a system belonging to Costa Rica's Ministry of Finance, and that the compromised credentials were obtained from malware installed on the initial device compromised on the victim network.
- Check Point Research announced the results of its brand phishing report. It said that, once again, LinkedIn is the most faked brand when it comes to phishing attacks. In the second quarter of 2022, 45% of all phishing attempts came from faked LinkedIn phishing attempts.
- A report from Surfshark found that Brazil surpassed the U.S. in terms of breached users this past quarter. According to ZDNet's story (see below), "With 3.2 million users breached in Q2, the report suggests Brazil has seen a seven-fold increase in leaked accounts quarter-over-quarter, and a 771% spike compared to the previous quarter when the country had seen a slight improvement in its data breach situation."
- Finally, a report from Proofpoint (last week actually) found that hackers are now posing as journalists to breach media organizations' networks. One of their tactics is to target journalists' work email accounts. The report goes on to say that "between January and February 2021, Proofpoint researchers identified five campaigns by TA412 targeting US-based journalists, most notably those covering US politics and national security during events that gained international attention. Of note a very abrupt shift in targeting of reconnaissance phishing occurred in the days immediately preceding the 6 January 2021 attack on the US Capitol Building. Proofpoint researchers observed a focus on Washington DC and White House correspondents during this time."
That's a wrap for the week. See you next Friday for the latest in cybersecurity news.
Top Global Security News
Teiss (July 21, 2022) U.S. Agencies recover $500,000 in Bitcoin from North Korean ransomware actors
The U.S. Department of Justice has announced that it seized approximately $500,000 in Bitcoin that was paid to the operators of the Maui ransomware group by several American health care providers.
Earlier this month, the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury published a joint advisory, highlighting the Maui ransomware group as a North Korean-backed ransomware operation specifically targeting western healthcare and public health organisations.
According to the US Department of Justice, the new strain of ransomware was discovered when a security incident was reported by a Kansas hospital to the FBI. “Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui’.”
Bleeping Computer (July 21, 2022) How Conti ransomware hacked and encrypted the Costa Rican government
Details have emerged on how the Conti ransomware gang breached the Costa Rican government, showing the attack's precision and the speed of moving from initial access to the final stage of encrypting devices. This is the last attack from the Conti ransomware operation before the group transitioned to a different form of organization that relies on multiple cells working with other gangs.
A report from cyber intelligence company Advanced Intelligence (AdvIntel) details the Russian hackers’ steps from initial foothold to exfiltrating 672GB of data on April 15 and executing the ransomware.
The threat actor entry point was a system belonging to Costa Rica’s Ministry of Finance, to which a member of the group referred to as ‘MemberX’ gained access over a VPN connection using compromised credentials.
Advanced Intelligence CEO Vitali Kremez told BleepingComputer that the compromised credentials were obtained from malware installed on the initial device compromised on the victim network.
Engineering & Technology (July 20, 2022) Albanian government services suffer ‘massive’ cyber attack
The government of Albania has been forced to shut down its online services after suffering ‘a synchronised criminal attack from abroad’.
Albanians were unable to use scores of government services on Monday as a cyber attack caused the main servers of the National Agency for Information Society to go down only a few months after shifting most public sector services to an online portal.
“Albania is under a massive cybernetic attack that has never happened before. This criminal cyber-attack was synchronised… from outside Albania,” the Council of Ministers said in a press release.
The “wide and complex” attack began on Friday and targeted government infrastructure and other public online services and rendered them functionless, the government added.
Laptop (July 21, 2022) LinkedIn is the most faked brand for phishing attacks — beware of malware-infested emails
Cybersecurity researchers list the most frequently faked brands cybercriminals imitate in phishing attacks to steal users' private information and payment information — and LinkedIn is leading the pack.
In Check Point Research's brand phishing report, the professional networking and social media platform continues to be the biggest target for threat actors to trick unsuspecting victims into sharing confidential credentials. In the second quarter of 2022, 45% of all phishing attempts came from faked LinkedIn phishing attempts.
While this is a slight decrease compared to its 52% share in the first quarter of this year, the trusted platform still takes up a significant amount of brand phishing attempts, as Microsoft-related scams take second place with a 13% share. While Adidas, Adobe, and HSBC are seeing a slight rise in being imitated by cybercriminals at 1% each, the report points out that social networks are still the most susceptible.
Microsoft saw the biggest spike in phishing attacks, with scammers using the technology brand's name more than twice as much compared to the previous quarter. Delivery company DHL is also frequently faked, taking up 12% of malicious phishing attempts.
Cyberscoop (July 20, 2022) The growth in targeted, sophisticated cyberattacks troubles top FBI cyber official
The FBI is deeply worried that cybercriminals and nation-state adversaries are developing more precision in their attacks and taking advantage of innovations in artificial intelligence that will compound the digital threat in the years to come, FBI Assistant Director for Cyber Bryan Vorndran said Wednesday.
“When we think about software as a service or even supply chain attacks, what happens when the adversary understands that there is perhaps one software factory that services the entire community,” said Vorndran, who oversees 1,000 FBI agents focused on cybercrimes nationwide, during a speech Wednesday at a Fordham University cybersecurity conference.
“If they’re that precise on targeting, it could shut down the entire commercial real estate industry. That is a huge problem,” he said.
ZDNet (July 19, 2022) Brazil surpasses US in breached users in Q2 2022
Brazil was the fourth most breached country in the world in the second quarter of 2022, according to a global data breach study produced by cybersecurity company Surfshark.
With 3.2 million users breached in Q2, the report suggests Brazil has seen a seven-fold increase in leaked accounts quarter-over-quarter, and a 771% spike compared to the previous quarter when the country had seen a slight improvement in its data breach situation. Russia tops the list with 28.8 million breached users, followed by India (4.4 million) and China (3.4 million), while Brazil ranks fourth, surpassing the US (2.3 million) which appeared in the fifth position.
According to the report, since data breaches became widespread in 2004, 15.1 billion accounts have been leaked, of which 244.4 million belong to Brazilian users. The study added that, for every ten leaked accounts in Brazil, half are stolen alongside a password.
Across South America, an average person has been affected by data breaches at least once. However, in Brazil, these statistics go up even higher, said Agneska Sablovskaja, data researcher at Surfshark. "The difference could be due to user online habits or data collection practices by various services or applications. A high number of affected accounts show that there is more to be done in regards to online data protection," she added.
Bleeping Computer (July 16, 2022) Hackers pose as journalists to breach news media org’s networks
Researchers following the activities of advanced persistent threat (APT) groups originating from China, North Korea, Iran, and Turkey say that journalists and media organizations have remained a constant target for state-aligned actors.
The adversaries are either masquerading or attacking these targets because they have unique access to non-public information that could help expand a cyberespionage operation.
Proofpoint analysts have been following these activities from 2021 and into 2022 and published a report about several APT groups impersonating or targeting journalists.
Other Thought Provoking Stories