Looking back at the month of June, we continue to deliver the latest insights into the cybersecurity landscape. We turn special attention to the actively exploited MOVEit Transfer vulnerabilities, which have been used to breach over fifty organizations worldwide.
On this note, AMATAS CEO Marko Simeonov reminded readers:
“Organizations need to be especially cautious when it comes down to their third-party service providers or vendors. It’s not enough anymore to have solely internal cybersecurity procedures. This exploited vulnerability should be your red light to reconsider your cybersecurity efforts to be more encompassing as to external communication.”
Apart from data breaches originating at third-party service providers, this month we observed:
- Microsoft and iOS vulnerabilities;
- politically attributed spyware campaigns and the rise of a new Russian state-sponsored group;
- the results, three years on, of the EncroChat takedown.
Cybercrime Breaking News
The BBC, British Airways, and UK drugstore Boots were affected by a data breach at payroll provider Zellis. The personal data of thousands of staff may have been exposed as a result of a zero-day vulnerability in a file-transfer tool used by Zellis, MOVEit Transfer.
Other victims of the MOVEit vulnerability include several US federal government agencies, Shell, Gen (the cybersecurity giant behind Norton, Avast, and LifeLock), Siemens Energy, and more than fifty companies.
The vulnerability, CVE-2023-34362, was added to the Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities catalog as patches were released. By the end of the month, two more MOVEit Transfer vulnerabilities were being tracked (CVE-2023-35036 and CVE-2023-35708), each requiring its own patch.
Writing to Reuters, the “cl0p team” claimed responsibility for the breaches and threatened to publish victim data on its leak site. The Microsoft Security Intelligence team has also attributed the exploitation of the vulnerability to Lace Tempest, the group running the Clop extortion website. But, towards the end of June, Clop wrote to the BBC claiming that it was not behind the hack on Zellis: “We don’t have that data… We are an old group and have never deceived anyone; if we say that we do not have information, then we do not have it”.
At the beginning of the month, cybersecurity experts and MOVEit’s developer, Progress Software, warned that the vulnerability, a SQL injection flaw in the MOVEit Transfer web application, “could lead to escalated privileges and potential unauthorized access to the environment”.
Mondelez files an official breach notice, as more than 50,000 of its employees may have been affected by a data breach at a third-party legal service provider.
Cybersecurity researchers discover a vulnerability in Microsoft Teams that allows attackers to deliver malware to target systems from external accounts.
The National Security Agency issued a guide on how to mitigate the threat posed by the BlackLotus “bootkit” malware, which exploits a vulnerability in the Microsoft Windows Secure Boot process.
Microsoft Azure suffered an outage as a result of an “abnormal” increase in HTTP requests caused by a distributed denial-of-service (DDoS) attack.
A Joint Cybersecurity Advisory was issued to better define the threat posed by LockBit ransomware. The report details the actors’ activities in Australia, Canada, New Zealand, and the United States in 2022. According to the advisory, since January 2020 approximately $91 million in ransoms has been paid to the group by victims in the US.
Apple patches two zero-day vulnerabilities believed to have been exploited in the Operation Triangulation spyware campaign.
A “highly skilled actor”, suspected to have links with China, exploited a zero-day vulnerability in Barracuda Email Security Gateway (ESG) appliances to collect data. Barracuda issued a warning that “compromised ESG appliances must be immediately replaced regardless of patch version level”.
Researchers disclose that the cybercriminal group Asylum Ambuscade has begun conducting espionage against governments in Europe and Central Asia. The group has been active since 2020 and previously targeted mainly bank customers and cryptocurrency traders in North America and Europe.
Cyberwar between Russia and Ukraine: Updates
Microsoft’s Threat Intelligence team shares insights into a new Russian state-sponsored actor, Cadet Blizzard, believed to have perpetrated attacks against Ukraine. The report notes, “A month before Russia invaded Ukraine, Cadet Blizzard foreshadowed future destructive activity when it created and deployed WhisperGate… Cadet Blizzard is also linked to the defacements of several Ukrainian organization websites, as well as multiple operations…”. Microsoft believes that Cadet Blizzard may be associated with the Russian General Staff Main Intelligence Directorate (GRU).
Cybersecurity Justice
Europol announces that, as a result of the dismantling of EncroChat, over 6,000 arrests have been made worldwide and more than EUR 700 million has been seized. Just last month, the Investigatory Powers Tribunal ruled that the UK’s National Crime Agency (NCA) had obtained all the proper warrants to access EncroChat communications.
Three months after disrupting BreachForums’ operations, the FBI has arrested and charged the alleged criminal marketplace administrator with conspiracy to commit access device fraud.
A Romanian national who ran a “bulletproof hosting” service that enabled the distribution of various malware (including the Gozi virus, the Zeus and SpyEye trojans, and BlackEnergy) was sentenced to three years in prison.
The Justice Department arrested and charged a Russian national alleged to have deployed LockBit ransomware in multiple attacks, as well as other cyberattacks.
FinTech Updates
The Justice Department unsealed charges against perpetrators believed to have been behind the hack of Mt. Gox, once the world’s largest cryptocurrency exchange.
“Less than 1%” of users of the decentralized cryptocurrency wallet Atomic Wallet were affected by a cyber incident in which more than $35 million was stolen. Researchers attribute the incident to the North Korean Lazarus Group.
Cisco Talos identifies a new botnet, Horabot, that has been active across the Americas since at least November 2020. The botnet delivers a banking trojan and a spam tool, targeting mainly Spanish-speaking users. The Cisco Talos team believes Horabot’s creators are located in Brazil.
Cybersecurity News Across The Globe
- A ransomware attack hits Xplain, a company that provides software to the Swiss government. The attackers encrypted the stolen data and posted some of it on the dark web.
- Cybersecurity researchers discover a new malicious PowerShell script, PowerDrop, that is targeting the US aerospace industry.
- A ransomware attack encrypts some of the Japanese pharmaceutical company Eisai’s servers. The pharma giant created a task force and is working with external experts and law enforcement to recover its systems.
- Globalcaja, a major Spanish bank focused on consumer loans, is targeted by a ransomware attack.
This month, the AMATAS team’s focus is all about compliance, data protection, and cybersecurity audits. Learn more:
- Why Start Your SWIFT Audit in Q3: Exclusive Offer for SWIFT Members
- Data Protection: How to Decide Which Types of Data to Secure
- Navigating the Complex World of Data Privacy: An Interview with a Legal Advisor
AMATAS will continue to monitor this space and deliver salient information regularly.
Stay tuned for our next report, and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website, www.amatas.com or by e-mailing office@amatas.com.
As always – be vigilant, stay alert, and think twice.