12 December 2023


UK and US sanction Russian FSB cyber operatives | Cyber Intelligence Briefing: 12 December


Top news stories this week

  1. I spy. UK and US sanction Russian FSB hackers over espionage campaign.
  2. Out of date. Hackers compromise US government servers through unpatched software.
  3. Microsoft security shake-up. Microsoft appoints new CISO.
  4. Nissan notifications. Nissan proactively warns customers of potential data breach.
  5. Hold the phone. FBI issues guidance on how to request a delay to SEC incident disclosure.
  6. Appear offline? Law enforcement rumoured to have taken ALPHV/BlackCat’s leak site offline.


1. UK and US sanction Russian FSB cyber operatives

Two Russian nationals have been sanctioned for their roles in carrying out espionage operations on behalf of Russia’s foreign intelligence service. The individuals are part of a group known as Star Blizzard, which has conducted spear-phishing campaigns against high-profile political figures and government officials, as well as executives in civil society organisations and critical infrastructure facilities, using the open-source EvilGinx framework. The group often gains access through targets’ personal email addresses.

So what?

High-risk individuals should be extremely vigilant about unsolicited email approaches and avoid correspondence over private email accounts, which may have less protection than corporate accounts.

[Researcher: Adelaide Parker]


2. Hackers use Adobe ColdFusion exploit to gain access to US government systems

Two US federal systems were breached after threat actors exploited an Adobe ColdFusion vulnerability (CVE-2023-26360) to perform reconnaissance. A patch for the vulnerability had been published in March but, in both instances, unpatched versions of the software were still running on public-facing web servers. CISA has also released an advisory warning of its continued exploitation by threat actors.

So what?

Hackers frequently look to exploit older, overlooked vulnerabilities to gain initial entry into a victim’s environment. It is crucial to upgrade vulnerable software and to prioritise the patching of web-facing systems.

[Researcher: Adelaide Parker]


3. Microsoft announces new CISO as part of security shake-up

In an overhaul of its security team, Microsoft has replaced its Chief Information Security Officer (CISO) and deputy CISO. The decision to restructure comes in the wake of recent security breaches, such as the GitHub data exposure and a Chinese government-backed hack which compromised US government email accounts.

So what?

This organisational shift comes as Microsoft looks to incorporate AI for advanced threat modelling and automation.

[Researcher: Amy Gregan]


4. Nissan proactively notifies customers of breach as 23andMe fallout continues

Carmaker Nissan is investigating a cyber incident impacting its operations in Australia and New Zealand. The auto manufacturer has cautioned customers about potential scams and is providing updates through its website.

Separately, the impact of the data breach at genetic testing company 23andMe continues to expand. In October, the company reported that 14,000 customers had been affected, but after further investigation it confirmed that the breach affected 6.9 million users, representing half of the organisation’s customers.

So what?

Effective and prompt communication in the face of a cyber incident helps to minimise reputational risk. The impact can be even worse for organisations holding high-value sensitive information.

[Researcher: Amy Gregan]


5. FBI issues guidance on requesting delay to SEC incident disclosures

The FBI has issued guidance on how companies can request a delay to cyber incident reporting on the grounds of national security or public safety. Under the controversial new SEC regulations, which come into effect on 18 December, listed companies will be required to report “material” cyber security incidents within four business days.

So what?

Organisations should ensure they are aware of their varying reporting requirements across all the jurisdictions in which they operate and consider engaging external legal counsel in the event of a breach.

[Researcher: Aditya Ganjam Mahesh]


6. ALPHV/BlackCat’s leak site offline amid rumours of law enforcement operation

S-RM has observed that the ALPHV/BlackCat leak site has been offline since Thursday morning, disrupting aspects of the threat actor’s operations and ongoing negotiations. Rumours among researchers suggest that a law enforcement operation caused the interruption to the ransomware gang’s activities; its infrastructure remains disrupted at the time of writing.

So what?

When law enforcement succeeds in a takedown, it may be able to obtain decryption keys to share with recent victims. However, it is crucial for affected organisations to continue pursuing alternative recovery plans, especially while the threat actors are offline.

[Researcher: Aditya Ganjam Mahesh]


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.


Editors

Kyle Schwaeble
Senior Associate, Cyber Security

Kyle Schwaeble is a senior associate on S-RM’s cyber security team, bringing expertise in incident response management and, particularly, the secure restoration and recovery from cyber incidents such as ransomware attacks and business email compromises. In addition to his incident response work, Kyle has also supported multinational clients with their security transformation programmes, advising on the development and implementation of new technological, procedural, and cultural security controls.

Kyle joined S-RM in 2019, initially working as an analyst in the Corporate Intelligence team, where he supported various corporate and diligence investigations. He holds a BCom(LLB) from Stellenbosch University in South Africa and is GSEC certified.

Miles Arkwright
Associate, Cyber Advisory

James Tytler
Associate, Incident Response

James Tytler is an associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.
