Diving into AMATAS's February cyber threat report, we note that February 24th marks one year since Russia's full-scale invasion of Ukraine began. 

"The one-year anniversary of the war between Russia and Ukraine marks the first hybrid war that sees a brand-new battlefront emerge in the face of digital space," remarks AMATAS CEO, Marko Simeonov. 

"Destructive malware (with record-breaking wiper malware attacks carried out against Ukraine), different cyber actors (nation-states, rise of the hacktivists, and cyber-crime offensive efforts), and cyber hostilities have damaged defense pacts and become critical instruments in cyber warfare."

AMATAS's cyber threat report provides the latest insights into the global cyber threat landscape. Find out more about the:

  • Ransomware breach of the US Marshals Service
  • Record-breaking DDoS attack to date
  • Joint effort between the US and UK
  • Most targeted sector by cyber criminals in 2022

Cybercrime Breaking News

A ransomware attack breached a stand-alone US Marshals Service computer system. Drew Wade, U.S. Marshals Service (USMS) spokesperson, told NBC News that the breach was of 'law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees.'

A 'massive' ransomware campaign, named ESXiArgs and exploiting VMware ESXi, is being perpetrated across North America and Europe. Austria's CERT warned that 'at least 3,276 systems' may have been affected, with the two-year-old vulnerability being tracked as CVE-2021-21974. Later in the month, CISA published a recovery script on its GitHub profile to help victims of ESXiArgs.

Cisco Talos warns of the new MortalKombat ransomware and a Go variant of the Laplas Clipper malware, both of which are deployed to steal cryptocurrency or to demand ransoms in it.

MortalKombat was first observed in January 2023, while Laplas Clipper was first seen in November 2022.

The typical infection campaign consists of these steps:

  • a phishing email reaches the victim
  • the email kicks off a multi-stage attack chain
  • either the Go variant of Laplas Clipper or the MortalKombat ransomware is delivered
  • all evidence of the intrusion is deleted.

Victims of the two types of cyberattacks are mainly located in the US, with others in the UK, Turkey, and the Philippines. At the end of the month, a free decryptor was released for MortalKombat.

Cloudflare detects and mitigates the largest DDoS attack on record to date, registered at 71 million requests per second (rps). Previously, the largest DDoS attack was detected in June 2022 at 46 million rps.

Fortra released an emergency patch for a zero-day vulnerability in GoAnywhere Managed File Transfer, which was being actively exploited.

CISA adds an IBM Aspera Faspex file transfer tool bug (CVE-2022-47986) and two Mitel vulnerabilities to its catalog of known exploited vulnerabilities.

The US and South Korea issued an advisory warning against North Korea-based threat actors targeting 'Healthcare and Public Health Sector organizations and other critical infrastructure sector entities' via ransomware attacks. The advisory also warns of the threat actors' use of cryptocurrency to demand ransoms.

At the beginning of February, a 'sophisticated phishing campaign' targeted Reddit employees. The malicious actors were able to gain access to internal documents, code, dashboards, and business systems. Primary production systems were reportedly not breached.

Vice Media filed two separate data breach notifications (both on January 30) regarding a cyberattack on its network. The breach notifications note that 1,724 people may have been affected, as malicious actors may have accessed Social Security numbers, financial account numbers, and/or credit/debit card numbers.

Darknet drug trading platform, BlackSprut, advertises its services using billboards across Moscow. BlackSprut is one of the leading illegal marketplaces in Russia.

Darknet market revenues plummeted from $2.1 B in 2020 and $3.1 B in 2021 to $1.5 B in 2022. This is attributed to the shutdown of the Hydra Market, the former largest dark web marketplace, believed to have brought in at least $1.23 B in 2020.

Cyberwar between Russia and Ukraine: Updates

Be wary of data-collection scams targeting hosts of Ukrainian refugees in Poland, Lithuania, and the UK. Fake letters are sent to hosts via social media, paper, or email, impersonating the Ukrainian embassy and asking for the personal data of Ukrainian men aged over 18.

Cybersecurity Justice

In a joint effort, the US and British authorities announce sanctions against seven men believed to be part of the Conti, Ryuk, and TrickBot gangs.

A Russian businessman is convicted for participating in a scheme that looted $90 million via securities trades. The scheme was perpetrated using 'non-public information stolen from computer networks'. United States Attorney Rachael S. Rollins remarked, "Cybercriminals be warned: we will use every tool at our disposal to track you down and you will end up as a defendant in a courtroom."

A Russian malware developer is arrested, extradited, and charged with 'conspiracy, access device fraud, and computer fraud' for developing 'NLBrute'. He used this malware to compromise thousands of computers around the world by decrypting login credentials. Once the malware obtained the data, the cybercriminal sold the stolen login credentials on dark web websites. He currently faces a maximum penalty of 47 years in federal prison.

A federal jury indicts the four founders of Forsage, a supposed DeFi cryptocurrency investment platform. Forsage was used as part of a global Ponzi scheme that raised about $340 million from victim investors.

A Russian cryptocurrency money launderer pleads guilty to 'one count of conspiracy to commit money laundering' for the Ryuk ransomware group between 2018 and 2021.

A Finnish man suspected of having hacked the private psychotherapy center Vastaamo was arrested in France. The cyberattack took place in 2018, with patient data and financial information stolen and reportedly used fraudulently. The police have 'immediately started taking measures for the suspect's surrender to Finland'.

A former Ubiquiti employee pleads guilty to 'intentionally damaging a protected computer, wire fraud, and making false statements to the FBI'. In detail, he executed a ransomware scheme to steal confidential files from the company he worked for. While posing as someone "supporting" the company during the security breach, the ex-employee extorted about $2 million and caused the publication of a misleading news article. Due to the article regarding the company's handling of the breach, Ubiquiti lost over $4 billion in market value.

FinTech Updates

2022 was the biggest year so far for cybercriminals targeting the cryptocurrency sector. With North Korean-backed hackers accounting for the majority, about $3.8 billion was stolen from firms in the industry. Chainalysis, the blockchain research company, confirmed that DeFi platforms were the most targeted.

Harmony hack after-effects: Binance and Huobi, cryptocurrency exchange platforms, freeze accounts worth $1.4 million. The total amount stolen in the Harmony attack, which took place in June 2022, was $100 million.

About $8.5 million was stolen from the DeFi platform Platypus in a flash loan attack 'to exploit a logic error in the USP solvency check mechanism'.

Cybersecurity News Across The Globe

  • A January cyberattack could cost UK engineering company Morgan Advanced Materials between £8 million and £12 million. As a result of the attack, FY2023 operating profits could be between 10 and 15% below expectations. Morgan Advanced Materials is listed on the London Stock Exchange among the 350 most valuable businesses.
  • The University of Zurich, Switzerland's largest university, was targeted by a cyberattack at the beginning of February. "It continues to be the case that as far as we know, no data from the University of Zurich has been encrypted or extracted," states an official statement.
  • The LockBit ransomware group leaks chats with Royal Mail negotiators, who have refused to pay £65.7m ($79.85m) after the January 2023 attack.
  • The city of Oakland declared a state of emergency after a ransomware attack took its non-emergency systems, including phone lines, offline.
  • The LockBit ransomware group takes credit for the cyberattack on Porto's water utility.

This month, we’re putting the focus on the role of chief information security officers (CISOs) with:

AMATAS will continue to monitor this space and deliver salient information regularly. 

Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.

As always – be vigilant, stay alert, and think twice.

Ralitsa Kosturska in AMATAS