Welcome back to our weekly security news wrap-up!
Kicking off this week, a British payroll company, Giant Group, has been hit by a sophisticated cyberattack that forced it to shut down its entire network. The company confirmed on September 24th that it was indeed the victim of an attack. Unfortunately, the outage prevented an unspecified number of contractors from receiving their pay, at a time when the UK is suffering from a panic buying–induced fuel shortage and a dearth of HGV drivers and food caused by Brexit. Fortunately, the company managed to pay more than 8,000 workers last week.
It looks like the cyber criminals behind the SolarWinds attack aren’t letting up. Just a few days ago SearchSecurity reported that Microsoft researchers believe Nobelium (AKA APT29, Cozy Bear, and The Dukes) has been using a backdoor tool called FoggyWeb since at least April. The researchers say FoggyWeb is deployed only after an Active Directory Federation Services (AD FS) server has already been compromised, and is then used to maintain persistence on that server, steal data from it, and receive and execute additional malicious code.
Also this week, Twitter bots are tricking users into making PayPal and Venmo payments into fraudsters' accounts. The bots appear to be activated when a legitimate user asks another for their payment information, presumably discovering these tweets via a search for keywords such as ‘PayPal’, ‘Venmo’, or other services. They masquerade as the other user by scraping their profile picture and adopting a similar username, before supplying them with false payment information in the hopes the original tweeter will pay into this account.
The leaders of the U.S. Senate Homeland Security and Governmental Affairs Committee on Tuesday introduced legislation that would set fixed timelines for cyber incident reporting, including giving certain organizations 24 hours to report if they paid the sum demanded in a ransomware attack. Organizations required to report ransomware payments within a day of handing over the funds include critical infrastructure groups along with nonprofits, businesses with more than 50 employees, and state and local governments.
Finally, there have been not one, but two, recent attacks on European call centers. Below you'll find articles about them from BleepingComputer and The Record, cybersecurity firm Recorded Future’s blog. Perhaps this is the next major target for hackers. We shall see.
That’s all for this week. Wishing everyone a great weekend!
Top Global Industry News
The Hill (September 28, 2021) Senators roll out bill giving organizations 24 hours to report ransomware attack payments
"The leaders of the Senate Homeland Security and Governmental Affairs Committee on Tuesday introduced legislation that would give set timelines for cyber incident reporting, including giving certain organizations 24 hours to report if they paid the sum demanded in a ransomware attack.
The Cyber Incident Reporting Act, sponsored by committee Chairman Gary Peters (D-Mich.) and ranking member Rob Portman (R-Ohio), would also require owners and operators of critical infrastructure to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours.
Organizations required to report ransomware payments within a day of handing over the funds include critical infrastructure groups along with nonprofits, businesses with more than 50 employees, and state and local governments."
InfoSecurity (September 28, 2021) Cyber-attack Floors British Payroll Firm
"A 'sophisticated' cyber-attack has forced a British payroll company to shut down its entire network, leaving some contractors without pay.
Giant Group confirmed on September 24 that it had taken its network and its fully integrated IT infrastructure, phone, and email systems offline last Wednesday after detecting suspicious activity.
In a statement published on its website September 27, the company said: 'We can confirm that Giant Group was the victim of a sophisticated cyber-attack on September 22nd. International law firm Crowell & Moring immediately put in place a team of experts in the US, UK and Brussels who have been carrying out necessary steps as part of the ongoing investigation.'"
ZDNet (September 28, 2021) Microsoft warning: This malware creates a 'persistent' backdoor for hackers
"Microsoft has uncovered another piece of malware used by the attackers who were behind the SolarWinds software supply chain attack discovered in December.
Security researchers have discovered numerous modules used by the attack group, which Microsoft calls Nobelium. The US and UK in April officially blamed the attack on the hacking unit of the Russian Foreign Intelligence Service (SVR), which is also known as APT29, Cozy Bear, and The Dukes.
Microsoft in March uncovered the GoldMax, GoldFinder, and Sibot components from Nobelium, building on other malware from the group including Sunburst/Solarigate, Teardrop and Sunspot. The newly discovered malware, called FoggyWeb by Microsoft, is a backdoor used by the attackers after a targeted server has already been compromised."
Portswigger (September 28, 2021) Social media scam: Twitter bots are tricking users into making PayPal and Venmo payments into fraudsters’ accounts
"Fraudsters are using Twitter bots to trick unsuspecting tweeters into making PayPal and Venmo payments to accounts under their control.
The bots appear to be activated when a legitimate user asks another for their payment information, presumably discovering these tweets via a search for keywords such as ‘PayPal’, ‘Venmo’, or other services.
They masquerade as the other user by scraping their profile picture and adopting a similar username, before supplying them with false payment information in the hopes the original tweeter will pay into this account.
By way of example, Twitter user ‘Skye’ (@stimmyskye) posted a screenshot online detailing how they were targeted by a bot."
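The scam above rests on two signals a reader can check for: a reply that offers payment details comes from a handle that is a near-copy of the account the asker addressed, or it carries a copied profile picture. The following is an added example, not code from the PortSwigger article or from Twitter; it flags such replies in a thread. The `Tweet` record, the `avatar_hash` field (standing in for a hash of the profile image), the payment-detail regex and the sample thread are all constructed for the example.

```python
"""Flag look-alike accounts replying with payment details, modelled on the
Twitter bot scam described above. Added example; the thread is constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Rough pattern for "pay me here" replies (constructed, not taken from the article).
PAYMENT_RE = re.compile(
    r"(paypal\.me/\S+|venmo|cash ?app|paypal|\$[A-Za-z][\w-]{2,})", re.IGNORECASE
)

# Digits that look-alike handles commonly substitute for letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})


@dataclass
class Tweet:
    author: str                  # handle without the leading '@'
    text: str
    avatar_hash: str             # stand-in for a hash of the profile picture (assumed field)
    in_reply_to: Optional[str] = None


def normalize_handle(handle: str) -> str:
    """Collapse the tricks used to forge a near-identical handle: case, leet digits, punctuation."""
    h = handle.lstrip("@").lower().translate(CONFUSABLES)
    return re.sub(r"[^a-z0-9]", "", h)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; handles are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def mentioned_handles(text: str) -> set:
    return {m.lower() for m in re.findall(r"@(\w{1,15})", text)}


def flag_impersonators(thread: list, max_distance: int = 1) -> list:
    """Return (author, reason) pairs for replies that match the bot behaviour.

    thread[0] is the tweet asking for payment details; the rest are replies.
    A reply is suspicious when it carries payment details, its author is not one of
    the accounts the asker addressed, and either its normalised handle is within
    `max_distance` edits of an addressed handle or it reuses that account's avatar.
    """
    root, replies = thread[0], thread[1:]
    targets = mentioned_handles(root.text)
    if not targets:
        return []  # the asker named nobody, so there is no account to impersonate
    # Avatars the addressed accounts themselves used in this thread.
    real_avatars = {t.avatar_hash: t.author.lower() for t in replies if t.author.lower() in targets}

    flagged = []
    for t in replies:
        author = t.author.lower()
        if author in targets or not PAYMENT_RE.search(t.text):
            continue
        for target in targets:
            d = levenshtein(normalize_handle(author), normalize_handle(target))
            if d <= max_distance:
                flagged.append((t.author, f"handle within {d} edit(s) of @{target}"))
                break
        else:
            if t.avatar_hash in real_avatars:
                flagged.append((t.author, f"reuses @{real_avatars[t.avatar_hash]}'s profile picture"))
    return flagged


def sample_thread() -> list:
    """Constructed thread: one genuine reply, three bot-style replies, one bystander."""
    return [
        Tweet("bob", "@alice what's your PayPal? I'll send the money tonight", "h_bob"),
        Tweet("alice", "@bob it's paypal.me/alice", "h_alice", "bob"),
        Tweet("a1ice", "@bob send it to paypal.me/sk-payments", "h_alice", "bob"),
        Tweet("alice_", "@bob venmo @quick-cash works too", "h_other", "bob"),
        Tweet("paymentsdesk", "@bob use cashapp $fast-pay", "h_alice", "bob"),
        Tweet("carol", "@bob careful, there are bots in these replies", "h_carol", "bob"),
    ]


if __name__ == "__main__":
    for author, reason in flag_impersonators(sample_thread()):
        print(f"@{author}: {reason}")
```

The handle check catches the `a1ice` and `alice_` style of look-alike, and the avatar check catches a bot that copied the picture but chose an unrelated name. Both are heuristics: an edit distance of one will also flag a genuinely similar handle, so treat a hit as a prompt to verify out of band, not as proof.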
Bleeping Computer (September 27, 2021) Bandwidth.com is latest victim of DDoS attacks against VoIP providers
"Bandwidth.com has become the latest victim of distributed denial of service attacks targeting VoIP providers this month, leading to nationwide voice outages over the past few days.
Bandwidth is a voice over Internet Protocol (VoIP) services company that provides voice telephony over the Internet to businesses and resellers.
Starting September 25th at 3:31 PM EST, Bandwidth began reporting that they were experiencing unexpected failures with their voice and messaging services.
'Bandwidth is investigating an incident impacting Voice and Messaging Services. Calls and Messages may experience unexpected failures. All teams are actively engaged,' reported Bandwidth on their status page."
Portswigger (September 27, 2021) VMware vCenter deployments under attack as enterprises urged to update systems
"Attackers are actively exploiting a critical vulnerability in VMware vCenter Server that exposes vulnerable enterprise networks to the risk of infiltration.
The arbitrary file upload flaw (CVE-2021-22005) – one of a raft of vCenter vulnerabilities addressed by software updates released on September 21 – can be abused regardless of configuration settings, says VMware.
The situation was serious enough to prompt the US Cybersecurity and Infrastructure Security Agency (CISA) to warn on Friday (September 24) that “widespread exploitation” was likely after RCE exploits surfaced online."
Other Industry News
Port of Houston was hit by an alleged state-sponsored attack - Security Affairs
A Hospital Hit by Hackers, a Baby in Distress—The Case of the First Alleged Ransomware Death - WSJ (requires subscription)
Millions of Windows 10 PCs exposed by nasty security vulnerability - TechRadar
75k email inboxes impacted in new credential phishing campaign - Dark Reading
WireX DDoS botnet admin charged by DOJ for 2017 hotel chain attack - Bleeping Computer
Major European call center provider goes down in ransomware attack - The Record by Recorded Future
Ukraine takes down call centers behind cryptocurrency investors scams - Bleeping Computer
Navigate IoT regulations at local and global levels - TechTarget
We all need to up our game on cybersecurity - The Parliament Magazine