3 February 2023

Taking stock | Cyber Intelligence Briefing: 3 February


Top news stories this week

  1. Taking stock. LockBit 3.0 attacks UK-based trading software provider.
  2. Class dismissed. Ransomware attack shuts down US public schools.
  3. Certified con. Hackers steal GitHub certificates.
  4. Serious operation. Killnet claims responsibility for DDoS attacks on US hospitals.
  5. Trust no one. Threat actors exploit Microsoft’s verified publisher badge.
  6. Keyless entry. Password manager KeePass receives warning for vulnerability.


1. Taking stock

UK financial data firm ION Group suffered a ransomware attack that impacted its derivatives division. ION provides software used for trading and market analytics, and the attack has forced UK- and US-based clients to trade derivatives manually. The prolific ransomware group LockBit 3.0 claimed responsibility for the attack and has listed ION on its leak site, threatening to leak stolen data unless a ransom is paid. ION disclosed that 42 of its clients have been affected.

So what?

Network segmentation and strong backup practices can significantly reduce the impact of a ransomware attack.



2. Ransomware attack on US public schools

A ransomware attack on Nantucket Public Schools forced four public schools in Massachusetts to close on Tuesday. The cyber attack shut down the devices of all staff and students, as well as safety and security systems. No group has claimed responsibility for the attack and it is uncertain when the schools’ operations will resume.

So what?

Schools generally have limited cyber security budgets, which makes them attractive targets for cyber attacks. However, basic security controls that require little investment, such as strong password policies, multi-factor authentication (MFA), and cyber awareness training, can go a long way towards reducing the likelihood of a cyber incident.



3. Hackers steal GitHub certificates

GitHub has confirmed that unknown threat actors stole encrypted code-signing certificates for its Desktop and Atom applications. Once decrypted, the certificates could be used to sign unofficial applications that would appear to have been created by GitHub. GitHub is expected to revoke the stolen certificates soon, rendering applications signed with those certificates invalid.

So what?

Verify that newly integrated software and applications carrying GitHub certificates are not signed with the stolen certificates.
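One way to perform that check on Windows endpoints, as an added example that is not part of the briefing: inspect each binary's Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet and compare the signer certificate thumbprint against a block list. The thumbprint values and the scan path below are placeholders and assumptions, not identifiers published by GitHub; replace them with the thumbprints of the revoked certificates once they are known.

```powershell
# Added example (not from the briefing). Flags files whose signer certificate
# thumbprint is on a block list, or whose signature no longer validates.
# PLACEHOLDER values: substitute the revoked certificates' thumbprints.
$BlockedThumbprints = @(
    'PLACEHOLDER-REVOKED-THUMBPRINT-1',
    'PLACEHOLDER-REVOKED-THUMBPRINT-2'
)

function Test-SignerBlocked {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Blocked = $BlockedThumbprints
    )
    $sig   = Get-AuthenticodeSignature -FilePath $Path
    $thumb = $sig.SignerCertificate.Thumbprint

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status                     # Valid, NotSigned, NotTrusted, HashMismatch, ...
        Subject    = $sig.SignerCertificate.Subject
        Thumbprint = $thumb
        Blocked    = [bool]($thumb -and ($Blocked -contains $thumb))
    }
}

# Usage (assumed install path): scan newly deployed software and report
# anything signed by a blocked certificate or whose signature is not valid.
Get-ChildItem -Path 'C:\Program Files\GitHub*' -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SignerBlocked -Path $_.FullName } |
    Where-Object { $_.Blocked -or $_.Status -ne 'Valid' } |
    Format-Table -AutoSize
```

Checking the thumbprint directly, rather than relying only on the Status field, matters because revocation information has to reach the endpoint before the chain check reflects it; the explicit block list gives a deterministic answer in the meantime.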



4. DDoS attacks on US hospitals

The Russia-linked threat group Killnet has claimed responsibility for distributed denial of service (DDoS) attacks on eight hospitals across the United States. The University of Michigan Hospital and Stanford Health Care are amongst those that have reportedly had their operations impacted. The attacks are ongoing.

So what?

DDoS attacks are often overshadowed by ransomware attacks as a significant threat to business operations. Simple measures such as content delivery networks and perimeter protection exist to mitigate the risk of DDoS attacks.



5. Microsoft's verified publisher badge exploited

Microsoft has taken steps to disable fraudulent Microsoft Partner Network accounts. Threat actors used the fake accounts to create malicious OAuth applications. A phishing campaign was designed to trick users into granting permissions to these malicious OAuth applications and ultimately compromise Microsoft 365 estates.

So what?

The ability to grant permissions to applications in cloud environments should be restricted to a subset of authorised users. Conduct regular audits of applications and their respective permissions.
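An added example of such an audit for a Microsoft 365 tenant, not part of the briefing: using the Microsoft Graph PowerShell SDK, it lists every OAuth consent grant, resolves the consenting application and its verified-publisher status, and highlights grants that involve sensitive scopes or come from an unverified publisher. The list of sensitive scopes and the required roles are assumptions to be adjusted to your own policy.

```powershell
# Added example (not from the briefing). Audits OAuth2 permission grants in a
# Microsoft 365 tenant and flags risky ones. Requires the Microsoft.Graph SDK
# and an account permitted to read applications and permission grants.
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All'

# Assumption: scopes that warrant scrutiny in this tenant.
$SensitiveScopes = @(
    'Mail.Read', 'Mail.ReadWrite', 'Mail.Send',
    'Files.Read.All', 'Files.ReadWrite.All',
    'Directory.Read.All', 'offline_access'
)

# Index service principals by object id so each grant can be resolved quickly.
$sps = @{}
Get-MgServicePrincipal -All | ForEach-Object { $sps[$_.Id] = $_ }

$report = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $client = $sps[$_.ClientId]
    $scopes = @($_.Scope -split ' ' | Where-Object { $_ })
    $hits   = @($scopes | Where-Object { $SensitiveScopes -contains $_ })
    $pub    = $client.VerifiedPublisher.DisplayName
    if (-not $pub) { $pub = '(unverified)' }

    [pscustomobject]@{
        App         = $client.DisplayName
        AppId       = $client.AppId
        Publisher   = $pub
        ConsentType = $_.ConsentType        # AllPrincipals (admin consent) or Principal (single user)
        Scopes      = ($scopes -join ',')
        Sensitive   = ($hits.Count -gt 0)
    }
}

# Usage: review unverified publishers and sensitive scopes first.
$report |
    Where-Object { $_.Sensitive -or $_.Publisher -eq '(unverified)' } |
    Sort-Object App |
    Format-Table -AutoSize
```

A verified publisher badge is only a signal that the publisher completed Microsoft's verification, so the audit treats the requested scopes as the primary risk indicator and the publisher status as secondary; restricting which users may consent at all is a separate tenant setting and complements this review.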




6. KeePass vulnerability

The Federal Cyber Emergency Team of Belgium has issued a warning regarding a vulnerability in the local password management utility KeePass. The warning states that threat actors with write access to the KeePass configuration file may maliciously configure it to export the passwords in cleartext. KeePass has refuted the claim.

So what?

MFA is a critical security control to prevent unauthorised access but should also be supplemented with robust privileged access management policies and procedures.


Cyber Intelligence Briefing

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.


Kyle Schwaeble
Senior Associate, Cyber Security

Kyle Schwaeble is a senior associate on S-RM’s cyber security team, bringing expertise in incident response management and, particularly, the secure restoration and recovery from cyber incidents such as ransomware attacks and business email compromises. In addition to his incident response work, Kyle has also supported multinational clients with their security transformation programmes, advising on the development and implementation of new technological, procedural, and cultural security controls.

Kyle joined S-RM in 2019, initially working as an analyst in the Corporate Intelligence team, where he supported various corporate and diligence investigations. He holds a BCom(LLB) from Stellenbosch University in South Africa and is GSEC certified.

Jon Seland
Senior Analyst, Incident Response

Jon Seland is a cyber security senior analyst in S-RM’s incident response UK team. He has experience in a variety of ransomware and business email compromise incidents.

Jon holds a GCFE certification and a Master of Commerce in Occupational Psychology from Stellenbosch University.
