December 2022 was quite an eventful month for cybersecurity professionals across the globe. More information is coming to light about the LastPass breaches; the imminent threat to healthcare institutions, posed by the Royal ransomware group; and high-profile politicians, activists, journalists, etc. becoming targets of Iranian-backed hackers.
On the Russian and Ukraine war front, cyberattacks carried out against NATO member states continue to be on the rise.
Also through December, the Met, the city of Antwerp in Belgium, and one of Europe's biggest ports (the Port of Lisbon) all suffered from cyberattacks.
This further highlights that no industry, no organization, and no one is virtually safe anymore from cyber threats within the digital space!
In other news, discover more about the US Cyber National Mission Force - elevated to "highlight the evolution of a persistent, professional cyber force today and into the future" and Europol's takedown of about 50 DDoS sites.
Cybercrime Breaking News
In the days before Christmas, Last Pass, the password manager, announced that as a result of two consecutive breaches (in August and November 2022), hackers had gained access to and copied information from third-party, cloud-based storage of data. That includes archived backups: users' passwords in an encrypted format. In an official statement, Last Pass noted that while no customer information was stolen during the August attack, the hackers were able to obtain "some source code and technical information from the development environment", which they later on used "to target another employee" in gaining access to login credentials. LastPass CEO, Karim Toubba, warned users, “If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the Internet to attempt to access your account.” Some cybersecurity experts, discontent with the situation, are pointing out that LastPass has committed “every ‘crypto 101’ sin”.
The Human Rights Watch announced that Iranian-backed hackers have targeted via social engineering and phishing campaigns two Human Rights Watch employees “and at least 18 other high-profile activists, journalists, researchers, academics, diplomats, and politicians working on Middle East issues”. Initial investigations believe that APT42 or Charming Kitten is behind the attacks. Human Rights Watch security director, Abir Ghattas, noted that “This significantly increases the risks that journalists and human rights defenders face in Iran and elsewhere in the region.”
The U.S. Department of Health and Human Services (HHS) warns the healthcare sector to stay alert about a new ransomware group, Royal. The group first appeared in September 2022, and their demands for payments currently range between $250,000 and $2 million.
In early December, a malicious actor breached Okta's GitHub repositories, copying source codes pertaining to Okta Workforce Identity Cloud. The product provides anti-phishing features, passkey management, and various security tools to enterprise users. Okta confirmed in an official statement that there was no unauthorized access to the Okta service and customer data.
Personal data, pertaining to 77 000 Uber employee records, was published on the dark web. It is believed that the information was compromised as a result of an attack on a third-party vendor, Teqtivity.
Guardian newspaper is suspected to have been hit by a potential ransomware attack, impacting numerous business services, excluding its website and apps.
Cyberwar between Russia and Ukraine: Updates
New report findings highlight how on August 30th, 2022, the advanced persistent threat (APT) Trident Ursa group (or Gamaredon, UAC-0010, Primitive Bear, Shuckworm), which the Security Service of Ukraine associates with Russia’s Federal Security Service (FSB), was unsuccessful in trying to gain access to a large petroleum refining company in a NATO member state.
Ukrainian government entities were targeted by a new, socially engineered supply chain attack, leveraging trojanized ISO files, pretending to be Windows 10 Operating System installers, hosted on file-sharing websites.
Ukraine’s Computer Emergency Response Team believes that the Ukrainian government agencies and state railway were targeted by phishing attacks, distributing DolphinCape malware.
Since the beginning of the war between Russia and Ukraine, Poland has become a "constant target" of pro-Russian hackers, with the attacks recently intensifying, notes the country's security agency.
The US Defense Department established the Cyber National Mission Force (CNMF) as a “subordinate unified command” answering CYBERCOM. This would establish the CNMF as a permanent military organization, allowing it to move faster in the digital space. “What this designation is really about is the maturity of the Cyber National Mission Force as a forward-looking organization to defend the Nation,” said Maj. Gen. William J. Hartman, the commander of CNMF.
Europol's Operation Power Off takes down around 50 of the most prominent, global booter services that allow for distributed denial-of-service (DDoS) attacks to be launched. One of the taken-down services alone was used in the past to complete +30 million attacks. The operation saw US, UK, Netherlands, Polish, and German law enforcement join forces in "an international crackdown against DDoS service providers".
Two men have been arrested for "conspiring with Russian nationals" in hacking JFK Airport taxi software, Port Authority. The hackers are charged by the Department of Justice (DoJ) with "two counts of conspiracy to commit computer intrusions". In exchange for payment, they moved certain drivers to the front of the queue within the airport's taxi dispatch system.
The DoJ has arrested a man who has admitted to having been responsible for the $100 million hack of the cryptocurrency platform, Mango Market, that took place in October. Avraham Eisenberg has been charged with "market-manipulation offenses" and, in an unsealed indictment, for "commodities fraud and commodities manipulation".
Binance freeze $3 million in cryptocurrency after $5 million in Binance coin was seized from Ankr, a Web3 infrastructure provider, by hackers.
One of the world's biggest cryptocurrency mining organizations, BIT Mining, loses $3 million as a result of a cyberattack.
Cybersecurity News Across The Globe
- The Metropolitan Opera in New York, the largest performing arts organization in the United States, was impacted by a cyberattack. Hackers targeted the Met's website, box office, and call center functions, between December 7th and December 15th, leaving it "unable to sell tickets" during this time.
- A Cybersecurity and Infrastructure Security Agency (CISA) and FBI announcement believe that between December 2021 and August 2022, the Cuba ransomware group targeted 100 global organizations and stole $60 million.
- The website of the busiest and most used port in Europe - the Port of Lisbon - was shut down for a couple of days due to a cyberattack. The operations of the port weren't compromised, and the National Cybersecurity Center and the Judiciary Police were immediately notified.
- Cyberattacks target the city of Antwerp in Belgium, disrupting educational (and daycare), law enforcement, and various services, used by citizens.
- Australian Fire Rescue Victoria’s (FRV) service shut down its networks for up to four days due to a cyberattack.
- Organizations in the United States and Western Europe are targeted via a business email compromise (BEC) campaign by 'Lilac Wolverine', Nigerian-based cybercriminals, who are using "emotionally charged themes, e.g. cancer/ COVID-19".
AMATAS will continue to monitor this space and deliver salient information regularly.
Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing firstname.lastname@example.org.
As always – be vigilant, stay alert, and think twice.