In this edition of the newsletter, we will cover:

  • Supply chain attacks reloaded
  • Ransomware in the gaming industry
  • Cyberattacks against healthcare and the cloud

  • Supply chain attacks reloaded

A team of security researchers has detailed a novel supply chain attack that exploits hybrid package manager configurations, in which a build pulls dependencies from both a private and a public repository.

What methodology was used?

The technique is called “dependency confusion” or “substitution attack” and takes advantage of the fact that modern software relies heavily on external package dependencies and code libraries. If a threat actor uploads a malicious package under the name of a library to a public repository, build systems that fetch the “latest” version of that name may pull in the malicious copy and be compromised.

What was the impact?

Using the above technique, the research team succeeded (1) in breaching the infrastructure of over 35 large organizations, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber, (2) in escalating their privileges to execute remote code, and (3) in claiming more than $120,000 across 3+ bug bounty programs.

How could it be detected?

According to a PortSwigger report, a developer had uncovered a similar attack after a program build failed mysteriously. The issue was traced back to suspicious libraries in the Python Package Index repository.

Recommendation: Raising awareness of supply chain attacks and the techniques used, staying alert, and 24/7 monitoring are some of the steps an organization can take to reduce the risk of such attacks.

Therefore, having a monitoring system or a SOC (Security Operations Center) is becoming more important as time goes by and we dive further into the digital future.

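To make the resolution rule behind dependency confusion concrete, the following is an added example (not code from the newsletter or from the research team it describes) that a defender can run against an inventory of private package names. It flags every private name that a hybrid configuration (private index plus public index) would resolve to the public copy because the public copy advertises a higher version, and it audits a pip.conf for the setting that causes the merge. All package names, versions, the index snapshot and the pip.conf fragments are constructed for illustration; a real check would query the public index for the snapshot.

```python
import re

# Constructed sample: packages served by the organisation's private index.
PRIVATE_INDEX = {
    "acme-billing-core": "1.4.2",
    "acme_auth_client": "0.9.0",
    "acme-reports": "2.1.0",
}

# Constructed snapshot of the same names as advertised on a public index.
PUBLIC_INDEX = {
    "acme-billing-core": "99.0.0",  # registered by an outsider with an inflated version
    "acme-auth-client": "0.8.5",    # same name, but lower than the private release
}

# Constructed pip.conf fragments: the weak setting and the corrected one.
WEAK_PIP_CONF = "[global]\nextra-index-url = https://pypi.internal.example/simple\n"
SAFE_PIP_CONF = "[global]\nindex-url = https://pypi.internal.example/simple\n"


def normalize(name):
    """PEP 503 normalisation: 'Acme_Auth.Client' and 'acme-auth-client' are the same package."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v):
    """Minimal numeric version parsing, sufficient for the dotted versions used here."""
    return tuple(int(p) for p in v.split("."))


def find_confusable(private, public):
    """Return (name, private_version, public_version) for every private package that a
    resolver merging both indexes would fetch from the public one (higher version wins)."""
    pub = {normalize(n): v for n, v in public.items()}
    hits = []
    for name, priv_ver in private.items():
        key = normalize(name)
        if key in pub and parse_version(pub[key]) > parse_version(priv_ver):
            hits.append((key, priv_ver, pub[key]))
    return hits


def audit_pip_conf(text):
    """Flag extra-index-url: pip then merges candidates from the public index and the
    private one and picks the highest version, which is exactly what the attack relies on."""
    findings = []
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "extra-index-url":
            findings.append(f"extra-index-url = {value.strip()}: point index-url at a single private index instead")
    return findings
```

Run it with `print(find_confusable(PRIVATE_INDEX, PUBLIC_INDEX), audit_pip_conf(WEAK_PIP_CONF))` to see the one colliding package and the weak setting reported, while the corrected fragment yields no findings.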
  • Ransomware in the gaming industry

The global Coronavirus pandemic has triggered an increase in the use of online entertainment services, which has made the gaming sector, among others, an appealing target for attackers.

Not too long ago, the video game maker CD Projekt Red was hit by a ransomware attack. According to the news report, the suspected threat actor, HelloKitty, gained unauthorized access to the company’s internal network and exfiltrated data before encrypting the servers of the Polish developer.

The gang threatened to release the stolen accounting, HR, administration, and investor relations files to the public if the ransom was not paid.

  • Cyberattacks against healthcare and the cloud

Human lives at risk

Attacks on critical infrastructure are indisputably a national security concern. Time and again, cybercriminals have shown that endangering human lives is secondary to achieving their nefarious objectives.

On February 5, an employee at a U.S. water treatment plant noticed that his machine was being manipulated. The intruder had attempted to change the level of sodium hydroxide in the water. Had the poisoned water reached the citizens, the consequences would have been catastrophic.

Surge in attacks against the healthcare sector

A report by CTI League predicts a spike in ransomware attacks and in the sale of databases containing Personal Health Information. Moreover, in a new triple extortion approach, ransomware encryption, data theft, and DDoS techniques are combined to extract more money from healthcare providers.

Last year, 560 healthcare facilities were compromised by ransomware attacks. The attacks created life-threatening situations, including inaccessible lab tests and the diversion of ambulances.

Cryptojacking attacks on the rise

In so-called cryptojacking attacks, malicious parties deploy code on systems and devices they do not own in order to mine cryptocurrency.

Cyber experts have recently spotted a stealthy cryptomining operation, dubbed WatchDog. The campaign has been running undetected for more than two years. It is considered one of the largest Monero-mining attacks to date and, according to Palo Alto’s Unit 42, has compromised at least 476 systems, most of them Windows and Linux cloud instances.

Although the campaign’s focus is cryptojacking, researchers suspect that the attackers could find access credentials on those systems and use them to launch more dangerous attacks.

Cryptojacking has become a lucrative operation for threat actors because of rising cryptocurrency values, so it is no surprise that more mining operations are being conducted.

As always – be vigilant, stay alert, think twice.

AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.

SOURCES

Amatas, Cyware, Bleeping Computer, Palo Alto, The Threat Post, CTI League, Health IT Security, PortSwigger, Creative Commons

Konstantina Kostadinova in AMATAS