LockBit 3.0 administrative staff clock out for the summer. | Cyber Intelligence Briefing: 10 July

Top news stories this week

1. Out of Office. LockBit 3.0 administrative staff clock out for the summer.
2. CL0P continues to MOVEit. More than 100 victims posted on CL0P’s leak site.
3. Safe harbour. Japan’s largest maritime port resumes operations after ransomware attack.
4. TeamsPhisher. Offensive security tool developed to exploit Microsoft Teams vulnerability.
5. Hoax or heist. Hacker group Anonymous Sudan claim theft of 30 million Microsoft accounts.
6. You can’t hide. International law enforcement arrest cyber crime mastermind.
7. Patching procrastination. New Truebot variant and FortiGate firewalls remain unpatched.

1. Volume of LockBit 3.0 attacks down as group allegedly begins summer holiday

Security researchers claim to have asked LockBit 3.0’s administrative staff why there has been a relative decline in the number of new victims posted by the ransomware group this month. The administrators stated that they were on holiday and enjoying the summer weather!

So what?

Many large ransomware as a service (RaaS) operations are highly professionalised, with paid staff, defined positions, and fixed working hours. In recent years we have observed a decline in ransomware activity over the summer period.

2. More than 100 new victims posted on Cl0p's leak site

Since 14 June, the Cl0P ransomware group has added 120 new victims to its leak site, likely related to the recent MOVEIT breach. Separately, MOVEit Transfer has released a patch that fixes a new critical SQL injection vulnerability. If left unpatched, attackers could exploit to gain unauthorised database access.

So what?

Organisations should communicate transparently and promptly with stakeholders during cyber security incidents to build trust and manage the reputational damage associated with a customer data breach.

3. Japan's largest port resumes operations after a LockBit 3.0 attack

LockBit 3.0 has claimed responsibility for a ransomware attack on Japan’s largest maritime port. The attack disrupted operations at Nagoya port for two days after the system that handles shipping containers was taken offline.

So what?

A robust and frequently tested incident response plan will help ensure you are able to recover from a cyber incident quickly and efficiently.

4. Tool developed to exploit unresolved Microsoft Teams vulnerability

In June, researchers discovered a method to deliver malware through Microsoft Teams. The loophole allows attackers to send malicious payloads directly to a target's inbox, evading client-side protections. A tool, dubbed TeamsPhisher, has now been published that automates the attack. The tool verifies that targets can receive external messages before sending a message with a malicious SharePoint link.

So what?

Consider either disabling external Teams access or implement domain allow-listing to reduce the risk of this vulnerability.

5. Anonymous Sudan claim to have hacked 30 million Microsoft accounts

The allegedly Russia-linked hacking group Anonymous Sudan has claimed to have accessed data belonging to 30 million Microsoft customers. The group is offering to sell email and password information for USD 50,000. Microsoft has denied the group’s claims.

So what?

Organisations should always attempt to verify any claims made by cyber criminals before taking any immediate actions.

6. International Law Enforcement arrest cyber crime mastermind

The suspected mastermind of the cybercrime group OPERA1ER which targeted mobile banking services and financial institutions across Africa, Asia, and Latin America has been arrested in Côte d'Ivoire. The group is believed to have stolen between USD 11 million and USD 30 million over the last four years.

So what?

International law enforcement agencies are successfully working together to tackle cybercrime, leading to increased pressure on cybercriminals across the world.

7. New Truebot variant and FortiGate Firewalls remain unpatched

The Cybersecurity and Infrastructure Agency (CISA) has warned that new variants of the remote access trojan Truebot are exploiting a now patched Netwrix Auditor vulnerability (CVE-2022-31199) to attack corporate networks in Canada and the US. Once in a network, Truebot can download and install malware on a victim’s device and add it to a botnet.

Separately, over 300,000 FortiGate Firewalls have still not been patched for CVE-2023-27997 and are vulnerable to unauthenticated remote code execution.

So what?

Patch management is crucial to prevent cyber attacks. Developing a process that identifies, prioritises, and remediates vulnerabilities as quickly as possible is crucial for reducing the likelihood of suffering a cyber incident.

S-RM are proud to have been voted Cyber Incident Response Team of the Year at Zywave’s 2023 Cyber Risk Awards. Read more here.