June brought about plenty of impactful developments that resonated across the global cybersecurity space.
In the June edition of AMATAS’s Cyber Threat Report, explore the following significant cyber incidents:
- The ransomware disruptions affecting London hospitals and major software providers like CDK Global and TeamViewer;
- Insights into how a malicious actor targeted government entities across Asia and EMEA with sophisticated espionage tactics;
- Urgent advice on why you should delete your polyfill scripts ASAP!
In other news, delve into:
- The Global Interpol-led operation that cracked down on online scam networks;
- The FBI’s possession of 7,000 LockBit ransomware decryption keys;
- The new bounty on the “Cryptocurrency Queen”.
Stay up to speed with our latest insights into the evolving landscape of cybersecurity threats.
Cybercrime Breaking News
A ransomware attack on the third-party provider Synnovis has led to a critical incident at multiple London hospitals, resulting in canceled operations and significant disruptions to healthcare services, including pathology tests crucial for patient care. The cybercriminal group Qilin, believed to be responsible, has published stolen data online, prompting concerns about patient confidentiality and operational continuity across affected healthcare facilities. The UK’s National Crime Agency (NCA) and the FBI joined forces to disrupt Qilin’s activities. Efforts to mitigate the impact are ongoing, with NHS England coordinating response efforts amidst fears that disruptions could persist until September.
TeamViewer investigated a breach in its corporate IT environment following irregularities discovered at the end of June. The breach, attributed to APT29 (Cozy Bear, a Russian hacking group associated with the SVR), involved a compromised employee account and led to the copying of employee directory data, including names, corporate contact information, and encrypted passwords. The company stated that the breach was contained within its corporate IT environment and did not affect its product environment, the TeamViewer connectivity platform, or customer data.
Cozy Bear has also been attempting to infiltrate the networks of the French Ministry of Foreign Affairs using compromised emails belonging to staff at the French Ministry of Culture and the National Agency for Territorial Cohesion, as announced by the French National Agency for Information Systems Security (ANSSI).
CDK Global, a major software provider for car dealerships in North America, dealt with a ransomware attack that has severely disrupted operations since June 19. A cybercrime group based in Eastern Europe demanded a ransom of tens of millions of dollars.
The domain polyfill.io, historically used to serve JavaScript polyfills for browser compatibility, has been compromised and is now distributing malicious code to more than 100,000 websites. Following its acquisition by a Chinese organization earlier this year, the domain began serving dynamically generated malware selected according to visitors’ HTTP headers. This supply chain attack has prompted multiple security warnings urging affected organizations to remove any polyfill.io scripts immediately. Google has taken proactive measures to block Google Ads on affected sites to limit the further spread of the malware.
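One way to find pages that still load code from the compromised domain is to scan your own HTML for script and stylesheet references to polyfill.io or any of its subdomains. The following is an added example, not code from the AMATAS report; the sample page it scans is constructed for the demonstration.

```javascript
// Added example (not from the AMATAS report): scan an HTML document for
// <script src=...> or <link href=...> tags that point at polyfill.io, the
// domain the report describes as serving attacker-controlled code, so the
// affected pages can be located and the tags removed.

// Hostnames to flag: polyfill.io itself and any subdomain (e.g. cdn.polyfill.io).
const FLAGGED_HOSTS = ["polyfill.io"];

function hostIsFlagged(hostname) {
  const h = hostname.toLowerCase();
  return FLAGGED_HOSTS.some((d) => h === d || h.endsWith("." + d));
}

// Returns one finding { tag, url, line } per tag whose URL resolves to a
// flagged host. Protocol-relative URLs (//polyfill.io/...) are resolved
// against https: so they are caught as well; relative paths are not flagged
// because they load from the page's own origin.
function findPolyfillReferences(html) {
  const findings = [];
  const tagRe = /<(script|link)\b[^>]*?\b(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const rawUrl = m[3] ?? m[4] ?? m[5];
    let parsed;
    try {
      parsed = new URL(rawUrl, "https://example.invalid/"); // placeholder base origin
    } catch {
      continue; // unparsable URL: a browser would not fetch it either
    }
    if (hostIsFlagged(parsed.hostname)) {
      const line = html.slice(0, m.index).split("\n").length;
      findings.push({ tag: m[1].toLowerCase(), url: rawUrl, line });
    }
  }
  return findings;
}

// Constructed sample page for the demonstration (not a real site).
const SAMPLE_HTML = `<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example.invalid/some-lib/1.0.0/lib.min.js"></script>
<link rel="stylesheet" href="/static/site.css">
</head><body></body></html>`;

console.log(findPolyfillReferences(SAMPLE_HTML)); // two findings, lines 2 and 3
```

Because the report notes that the payload was generated per visitor from HTTP headers, a scanner fetching the script itself may receive a harmless file; scanning for the reference rather than the content is the reliable check.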
Hackers auctioned off stolen data belonging to customers of LendingTree Inc., following unauthorized access to a cloud database hosted by Snowflake Inc. LendingTree investigated the incident to determine the full scope of the hack and its impact, while confirming that operations have not been disrupted. Neiman Marcus, a luxury retailer, reported that it was another company affected by the Snowflake hack, which resulted in a breach impacting over 64,000 individuals.
Cisco Talos researchers recently identified a new threat actor, SneakyChef, who has been conducting an espionage campaign primarily targeting government entities across Asia and EMEA (Europe, Middle East, and Africa) since August 2023. Using the SugarGh0st malware, SneakyChef lures victims with scanned documents from Ministries of Foreign Affairs and embassies. Researchers linked the actor to Chinese-speaking origins based on language cues and the use of Gh0st RAT variants.
TikTok has acknowledged a security vulnerability involving a zero-click exploit that allowed attackers to take control of accounts, including high-profile ones like CNN, Paris Hilton, and Sony, through the direct message function.
Cyberwar between Russia and Ukraine: Updates
Two individuals detained by Ukraine’s security service, the SBU, are suspected of aiding Russian intelligence in spreading pro-Kremlin propaganda and hacking Ukrainian military phones. They are said to have operated bot farms using servers and SIM cards to manage fake social media accounts, and to have sold virtual mobile numbers and Telegram accounts on Russian criminal websites.
The European Council sanctioned six hackers connected to Russian state-sponsored or financially motivated cyberattacks targeting the European Union and Ukraine. This action, part of the EU’s “Cyber Diplomacy Toolbox,” aims to deter such attacks, freezing assets and prohibiting financial transactions involving the sanctioned individuals within EU member states.
Cybersecurity Justice
In a global Interpol-led operation named Operation First Light 2024, police from 61 countries cracked down on online scam networks, arresting 3,950 suspects and identifying 14,643 others across continents. They seized assets totaling $257 million, froze 6,745 bank accounts used for illegal money transfers, and intercepted $135 million in fiat currency and $2 million in cryptocurrency. Additionally, authorities recovered $3.7 million in funds fraudulently transferred in an impersonation scam.
In an Interpol-led operation, four individuals were detained in Moldova for allegedly attempting to sabotage Interpol’s Red Notice system (used to track and arrest wanted criminals worldwide). The operation, supported by French prosecutors and the FBI, involved over 30 searches and uncovered attempts to misuse the system to block and delete notices.
The suspected leader of the hacking group Scattered Spider, who is said to have stolen $27 million in Bitcoin, has reportedly been arrested. The arrest was part of a joint operation between Spanish police and the FBI.
Two of the alleged operators of the dark web marketplace Empire Market face life sentences for facilitating over $430 million in illegal transactions. Charged by the Department of Justice, the pair operated the site from 2018 to 2020, enabling nearly four million transactions involving drugs, counterfeit currency, and stolen credit card information.
A suspected Conti and LockBit ransomware affiliate is said to have been identified. According to the Ukrainian cyber police, the individual developed cryptors and allegedly provided his services, in exchange for cryptocurrency payments, to Conti and LockBit hackers.
Four individuals associated with the cybercrime group FIN9 have been indicted for orchestrating computer intrusions that collectively caused over $71 million in losses to victim companies. They allegedly conducted phishing campaigns and supply chain compromises from May 2018 to October 2021.
A Russian national has been indicted and faces up to five years of imprisonment for his alleged involvement in the cyberattacks against Ukraine and its allies before Russia’s 2022 invasion. The U.S. Department of State’s Rewards for Justice program has offered a $10 million reward for information leading to his location or details on the cyberattacks he orchestrated.
The FBI disclosed that it possesses over 7,000 decryption keys linked to the LockBit ransomware operation, enabling victims to recover their data at no cost.
FinTech Updates
The Brooklyn District Attorney disrupted a cryptocurrency scam operation, targeting New York’s Russian diaspora, by seizing and taking offline 70 linked domains. The scam used Facebook ads featuring deep fake videos of Elon Musk, connecting victims with Russian-speaking “investment advisors” who guided them to fraudulent trading platforms. Victims across the US lost over $5 million.
The United States has increased the reward to $5 million for information leading to the arrest and/or conviction of Ruja Ignatova, the fugitive alleged to be behind the OneCoin cryptocurrency fraud. The reward increase, announced by the State Department as part of its Transnational Organized Crime Rewards Program, aims to encourage tips while protecting the identities of informants for their safety.
An unidentified security researcher exploited a zero-day vulnerability in Kraken, the cryptocurrency exchange platform, to steal $3 million and refused to return it.
Cybersecurity News Across The Globe
- Poland’s state authorities suspect Russian hackers disrupted an online broadcast of Euro 2024. A distributed denial of service (DDoS) attack targeted the website of the public television network TVP, temporarily taking down the online broadcast of the Polish national team’s opening match against the Netherlands.
- Vietnam’s state-owned postal service, Vietnam Post, restored its operations following a ransomware attack, affecting its postal and delivery services.
- Twenty-two individuals pleaded guilty to cybercrime charges in Zambia, arrested during an April raid on Golden Top Support Services, said to be a “sophisticated internet fraud syndicate”. Zambia’s Drug Enforcement Commission believes that the company misled locals into working for a scam call center.
- At the beginning of June, Verny, a major Russian discount supermarket chain with over 1,000 stores, was hit by a cyberattack that disabled its website and mobile app, halting bank card transactions and online order processing.
AMATAS will continue to monitor this space and deliver salient information regularly.
Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.
As always – be vigilant, stay alert, and think twice.