Top news stories this week
- Under attack. UK and US agencies issue guidance on legal and energy sector attacks.
- Deceptive dial. US legal and financial sectors targeted in social engineering campaign.
- Signalgate continues. Data stolen from unofficial Signal app.
- Hackers check out. Supply chain attack impacts e-commerce websites six years after initial exploit.
- LockBitten. Internal LockBit information published on website.
- School daze. Education tech provider is extorted despite paying ransom.
1. Cyber threat actors continue targeting UK and US governments and infrastructure
The UK Ministry of Justice announced that they are working with authorities to investigate a data breach within the Legal Aid Agency (LAA). The LAA, responsible for overseeing billions of pounds of legal funding in the UK, has not confirmed what information was accessed, but did warn law firms of the breach via letter last week.
Separately, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that “unsophisticated” threat actors are increasingly targeting US critical infrastructure, particularly the oil and gas industries. CISA has advised critical infrastructure operators to review and reduce their attack surface, as these actors target industrial control systems (ICS) and operational technology (OT).
So what?
Organisations in targeted sectors should ensure proactive cyber security measures are in place by scaling up monitoring, threat intelligence, and attack surface management capabilities.
[Researcher: Stephen Ross]
2. Luna Moth target US legal and financial sectors in social engineering campaign
Luna Moth, also known as Silent Ransom Group, has intensified its callback phishing attacks on US legal and financial institutions. The group impersonates IT support through email, fake websites, and phone calls, persuading victims to install remote monitoring and management (RMM) software, which grants the attackers access to the victims' systems.
So what?
Organisations should ensure that staff, including IT helpdesk teams, are able to recognise calls from people impersonating IT support and the other social engineering techniques employed by threat actors. S-RM provided additional advice in our advisory following a surge in attacks on the UK retail sector using social engineering techniques.
[Researcher: Lawrence Copson]
3. Data stolen from unofficial Signal app
TeleMessage, the vendor of TM SGNL, an unofficial clone of the popular encrypted messaging app Signal that archives users' Signal messages, says it has temporarily suspended services following a reported hack. The attacker breached TeleMessage and gained access to potentially sensitive direct messages and group chats that had been archived through TM SGNL.
So what?
Organisations should thoroughly vet their third party applications, particularly those used to store sensitive data. An archiving client that copies messages to a vendor's servers holds them outside the end-to-end encryption of the original app, so the security of the archive, not of Signal itself, determines the exposure.
[Researcher: Milda Petraityte]
4. Hackers exploit supply chain vulnerability six years after initial compromise
Attackers exploited a backdoor that had lain dormant for six years to compromise an estimated 1,000 e-commerce sites. The trojanised code was embedded in the licence check files of 21 Magento extensions. The compromised extensions may have allowed the attackers to access payment card details and other sensitive customer data.
So what?
Supply chain attacks remain an often overlooked but increasingly commonplace threat to businesses and their customers. Development and security teams should regularly audit their software dependencies, checking not only for published vulnerabilities but also for unexpected changes to installed extensions, since a backdoor planted in a dependency will not appear in a vulnerability feed.
[Researcher: Jack Woods]
5. LockBit ransomware website latest to be defaced
The LockBit ransomware gang's infrastructure has been compromised, with its dark web affiliate panels defaced to display the message "Don't do crime CRIME IS BAD xoxo from Prague" and a link to a database dump. The news follows an almost identical attack on the ransomware group Everest in early April. The LockBit breach revealed nearly 60,000 Bitcoin addresses, details of ransomware builds, targeted company names, over 4,400 negotiation messages, and the plaintext passwords of 75 admins and affiliates.
So what?
While the breach provides valuable insight into LockBit's operations, organisations previously impacted by the group should be aware that their prior negotiations, and the fact that they were targeted, may now be exposed publicly.
[Researcher: Lena Krummeich]
6. Education tech provider extorted despite paying ransom to prevent leak
PowerSchool, an education tech provider managing over 60 million student records in North America, is now seeing its customers extorted individually, despite PowerSchool having paid a ransom to prevent the release of stolen student and teacher data. Whether the same threat actor or its affiliates are responsible for this second round of extortion remains unclear.
So what?
This incident highlights the inherent uncertainty of paying a ransom: payment buys no guarantee that stolen data has been deleted, so exfiltrated data should be treated as compromised regardless. The risk is even greater when dealing with unknown threat actors, whose proliferation we have observed in our Cyber Incident Insights Report.
[Researcher: Lester Lim]