Top news stories this week
- I like to MOVEit. Zero-day vulnerability in file transfer tool actively exploited for mass data theft.
- King of the hill. LockBit 3.0 remains prolific while new group 8BASE claims spate of attacks.
- Pull the plug. Greek national exams and Idaho hospital suffer disruptions.
- Cough up. Online retailer Sports Warehouse fined USD 300,000 for customer data exposure.
- Shields down! Novel EDR disabling tool “Terminator” for sale on Russian speaking forum.
- Dark secrets. Membership database of infamous dark web forum RaidForums leaked.
- App-spionage. Over 421 million downloads of Android apps containing SpinOk spyware.
- Not so pretty. Politically motivated threat actor Dark Pink targeting organisations in Southeast Asia.
1. Critical vulnerability in file transfer tool actively exploited
A zero-day vulnerability in the file transfer tool MOVEit is being actively exploited to steal corporate data. Security researchers believe an unidentified data extortion/ransomware group is behind the attacks. Numerous organisations have reportedly been impacted.
There is no patch available as yet, but the tool developers have issued an urgent warning for customers to disable all HTTP and HTTPS traffic to their MOVEit environments.
2. Ransomware gangs: 8BASE emerges while LockBit sits on top
LockBit 3.0 remained the most active ransomware gang last month based on the number of victims posted on its leak site, claiming over 70 new victims. The group recently claimed responsibility for an attack on US dental health insurance provider MCNA, in which it stole and leaked 700GB of personal information, impacting 9 million patients.
A new ransomware gang dubbed 8BASE has become the second-most active group by the same metric. The group added over 60 victims to its leak site in one day, many of which appear to be from historical attacks.
Ransomware groups pose a threat to organisations of all sizes. Consider conducting a ransomware readiness assessment to gauge your organisation's preparedness to withstand attack.
3. Greek national exams and Idaho hospital fall victim to cyber attacks
Greece’s education ministry has blamed widespread disruption to national high school exams on “one of the most extensive cyber attacks in the country’s history”. The disruption resulted in students waiting for hours before their exams could start, but with no further impact reported at this stage.
Separately, an attack on a hospital in Idaho forced ambulances to divert from call-outs and staff to return to pen and paper after attackers compromised the hospital's computer systems.
It is important to have a business continuity plan to ensure your business's critical functions can remain operational during a cyber attack.
4. US retailer Sports Warehouse fined after data breach
The State of New York fined the online retailer Sports Warehouse USD 300,000 after a 2021 data breach impacted over one million US customers. The breach occurred after an attacker obtained login credentials for a database containing nearly 20 years' worth of payment card data. The exposed sensitive information included customer names, addresses, card numbers, CVVs, and expiration dates.
Inadequate data collection and retention practices can lead to significant financial penalties. Organisations must implement robust data protection measures, including encryption, regular security audits, and timely deletion of sensitive data.
5. Novel EDR disabling tool for sale on Russian-speaking forum
A tool which can allegedly bypass all major Endpoint/Extended Detection and Response (EDR/XDR) solutions is being sold on Russian-speaking dark web forums for as little as USD 300. The ubiquitous Windows Defender is one of the tools it can allegedly bypass.
While not a silver bullet, EDR and XDR tooling remain some of the best defences against modern cyber attacks. It is imperative to ensure that such tooling is properly configured to minimise the risk of it being disabled.
6. RaidForums member database leaked
A database containing membership details from defunct dark web forum RaidForums has been leaked on another dark web marketplace. Before being seized in 2022, RaidForums was a well-known platform for distributing data breaches and malware.
Mitigate the damage of having data leaked on the dark web by changing passwords, enabling multifactor authentication, and monitoring activity on compromised accounts.
7. Over 421 million downloads of Android apps containing spyware
A new Android spyware known as SpinOk has been discovered in multiple apps on the Google Play store, which have collectively been downloaded over 421 million times. The spyware is disguised as gaming apps and, if installed, can steal sensitive user information.
Organisations should implement mobile device management (MDM) solutions to safeguard against the risks posed by malicious apps. MDM solutions will help enforce security policies, monitor app installations, and ensure timely updates.
8. APT named Dark Pink targeting Southeast Asia
Researchers have discovered an Advanced Persistent Threat (APT) group named Dark Pink, believed to be based in the Asia-Pacific region. The geopolitically motivated group has primarily targeted government and non-profit organisations in Southeast Asia. The group uses social engineering to gain initial access and advanced techniques to maintain persistence on victims' systems.
Organisations must conduct employee training to effectively combat social engineering, as threat actors send enticingly named email attachments to lure their victims into opening them.