16 January 2024


Fake security researcher targets Royal and Akira victims with hack-back scam | Cyber Intelligence Briefing: 16 January


 

Top news stories this week

  1. Hack-back hoax. Royal and Akira victims targeted by fake hack-back offers promising to delete stolen data.
  2. Case closed. Merck reaches undisclosed settlement with insurers over $1.4 billion NotPetya claim.
  3. Patch pending. Ivanti warns about critical vulnerabilities in its VPN.
  4. Stuffed. Australian retailer The Iconic blames fraudulent orders on customers reusing passwords.
  5. Serving security. Decryption key for Babuk Tortilla ransomware released.
  6. Exposed. Chinese sportswear brand Halara and Saudi Ministry of Foreign Affairs employees face data leaks.

1. Fake security researcher targets Royal and Akira victims with hack-back scam

A threat actor posing as a security researcher has been contacting victims of Royal and Akira ransomware attacks claiming to be able to delete stolen data. The threat actor claimed to have access to the gangs’ infrastructure and offered to delete files for a fee of five Bitcoins, or around USD 190,000.

So what?

It is unclear whether the threat actor had insider knowledge of the attacks. Organisations should be cautious when receiving unusual communications post-cyber incident. 

[Researcher: Lawrence Copson] 


2. Merck settles landmark cyber insurance claim stemming from the NotPetya incident

The pharmaceutical giant Merck & Co has reached an undisclosed settlement with its insurers over its USD 1.4 billion claim in response to the NotPetya cyberattack of 2017. The New Jersey Superior Court judge dismissed the insurers' invocation of the war exclusion clause, deeming it inapplicable in this specific case.

So what?

The settlement concludes Merck’s landmark and potentially precedent-setting dispute regarding attribution of damages and financial costs during and after cyber incidents.

[Researcher: Lawrence Copson]


3. Nation state actors are exploiting critical vulnerabilities in Ivanti VPN

US IT firm Ivanti has confirmed that hackers are exploiting critical vulnerabilities in its VPN service Ivanti Connect Secure (ICS). Researchers have identified links to Chinese state actors, who have been exploiting these vulnerabilities, which enable remote code execution, since early December. Patches won't be available until after 22 January.

Separately, Microsoft addressed 49 bugs and 12 remote code execution vulnerabilities in the most recent Patch Tuesday.

So what?

Install the latest patches for Windows systems immediately, and follow Ivanti's advisory to apply the mitigations ahead of its patch release on 22 January.

[Researcher: Aditya Ganjam Mahesh]

 


 

4. Australian retailer hit by fraudulent orders after credential stuffing attacks

Fashion brand The Iconic apologised to customers and promised to issue refunds after fraudulent orders worth thousands of Australian dollars were made on their accounts. The breaches were a result of customers reusing passwords on multiple sites.

Separately, genetics testing firm 23andMe has taken a more aggressive stance on the same issue, claiming it has zero responsibility for a data breach in late 2023 which was the result of customers reusing passwords.

So what?

Organisations can enforce multi-factor authentication (MFA) to reduce the risk of credential stuffing attacks, but better user education to avoid password reuse is also crucial.

[Researcher: Aditya Ganjam Mahesh]


5. Decryptor for Babuk Tortilla ransomware strain released

Security firm Avast have updated their Babuk ransomware decryptor to include the Tortilla variant. This followed a successful collaboration between Cisco and the Dutch police which also led to the arrest of the threat actor behind Babuk. Babuk Tortilla was based on the source code of the Babuk ransomware strain which leaked in 2021.

So what?

Ransomware developers are quick to adapt, addressing vulnerabilities in their tools and creating even more advanced versions.

[Researcher: Ineta Simkunaite]


6. Halara and the Saudi Ministry of Foreign Affairs experience data breaches 

Chinese sportswear brand Halara is investigating a data breach after a threat actor posted personal information of approximately one million customers on a hacking forum. The threat actor claims to have accessed this database by exploiting an API vulnerability in Halara’s website.

Separately, an anonymous attacker uploaded sensitive data of allegedly over 1.4 million Saudi Ministry of Foreign Affairs employees to a dark web forum, revealing details such as names, contact information, and job titles.

So what?

Publishing stolen data isn't exclusively driven by financial gain. Threat actors may be ideologically motivated to publicly embarrass organisations for their inadequate data protection, or may aim to bolster their profile within the underground world.

[Researcher: Ineta Simkunaite]


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.


Editors

Kyle Schwaeble
Senior Associate, Cyber Security

Kyle Schwaeble is a senior associate on S-RM’s cyber security team, bringing expertise in incident response management and, particularly, the secure restoration and recovery from cyber incidents such as ransomware attacks and business email compromises. In addition to his incident response work, Kyle has also supported multinational clients with their security transformation programmes, advising on the development and implementation of new technological, procedural, and cultural security controls.  

Kyle joined S-RM in 2019, initially working as an analyst in the Corporate Intelligence team, where he supported various corporate and diligence investigations. He holds a BCom(LLB) from Stellenbosch University in South Africa and is GSEC certified. 

Miles Arkwright
Associate, Cyber Advisory

James Tytler
Associate, Incident Response

James Tytler is an associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.
