30 June 2023


Major Canadian energy supplier hit by cyber attack | Cyber Intelligence Briefing: 30 June


Top news stories this week

  1. Pit stop. Suncor Energy cyber attack disrupts payments at gas stations across Canada.
  2. June ransomware trends. Cl0p on top as LockBit 3.0 hits TSMC and 8Base maintains momentum.
  3. Boardroom blues. SEC goes after executives in SolarWinds probe into 2020 breach response.
  4. Unlocked. Researchers publicly release decryptor for Akira ransomware.
  5. Snake oil. Google Play Store apps spread new Anatsa banking trojan.
  6. Turbulence ahead. American Airlines and Southwest Airlines pilots’ data leaked.
  7. Two down. Law enforcement takes down EncroChat and the person responsible for Monopoly Market.

1. Major Canadian energy supplier hit by cyber attack

Suncor Energy has confirmed it has been targeted in a cyber attack which has impacted hundreds of Petro-Canada gas stations across the country. The incident has caused ongoing issues with payment systems at Petro-Canada gas stations, leaving customers unable to use reward points to complete purchases or make card transactions.

So what?

Threat actors will target critical systems to cause as much disruption as possible. Business continuity plans are critical to enable the continuation of crucial business operations in the event of a cyber incident.


2. June ransomware trends: Cl0p takes top spot as LockBit hits TSMC

In terms of victims listed on leak sites in the past 30 days, Cl0p was the most active ransomware group, having named 91 new victims in the wake of its exploitation of the MOVEit vulnerability.

LockBit 3.0 followed with 62 victims listed on its leak site in June, including the Taiwan Semiconductor Manufacturing Company (TSMC), the largest global producer of semiconductors.

The upstart group 8Base claimed 40 attacks, putting it just above the established player ALPHV (BlackCat), which claimed 38 attacks. 8Base has been linked to the RansomHouse ransomware group.

So what?

To reduce your risk of falling victim to ransomware, patch any known vulnerabilities and consider performing a ransomware readiness assessment to evaluate your organisation’s resilience to an attack.


3. SEC warns SolarWinds execs of potential enforcement action

The US Securities and Exchange Commission (SEC) has warned SolarWinds’ CFO, CISO, and other current and former executives that they may face civil enforcement action. The SEC is investigating violations of securities law related to the company’s public disclosures and internal controls regarding cyber security following a 2020 supply chain attack that affected multiple US government agencies.

So what?

US regulators and law enforcement are increasingly holding C-suite executives personally liable for violations following data breaches. A good cyber security culture starts with ownership and accountability from senior leadership.


4. Researchers develop Akira ransomware decryptor

Researchers have released a decryptor for Akira ransomware by exploiting a weakness in the malware’s encryption implementation. The decryptor allows data encrypted by Akira ransomware to be recovered without the attacker’s private key. Akira emerged in March 2023 and has claimed a total of 38 attacks, primarily on US-based companies in sectors including real estate, education, and finance.

So what?

Ransomware is not immune from having exploitable vulnerabilities. Companies recently affected by Akira should consider using the decryptor to recover encrypted files, but the group is likely to adapt its methods quickly.


5. Anatsa banking trojan targeting Android users on Google Play store

Threat actors are spreading a new Android banking trojan named Anatsa by disguising it as seemingly innocuous apps such as PDF readers and QR code scanners. The trojan is thought to be targeted at users in the UK, US, Germany, Austria, and Switzerland, and is reportedly able to steal account credentials from over 600 banking apps worldwide.

So what?

Implement Mobile Device Management software on all corporate devices to prevent employees from downloading malicious apps.


6. American Airlines and Southwest Airlines pilots' data leaked

The personal data of over 8,000 pilots and applicants at American Airlines and Southwest Airlines was leaked following a hack on their third-party vendor, Pilot Credentials. Both airlines have stated they intend to transition to self-managed portals for pilot applications in future to mitigate third-party risk.

So what?

Organisations should include third-party risk assessments as an important component of their cyber security programmes.


7. EncroChat taken down and Monopoly Market founder arrested

An extensive operation by Europol has led to the takedown of the encrypted mobile communications platform EncroChat, with over 6,600 arrests and the seizure of USD 979 million. EncroChat was a specialised version of Android that promised anonymity and untraceability to criminals.

Separately, a Serbian man has been extradited to the United States and charged with running Monopoly Market, a dark web marketplace for illegal narcotics, since 2019.

So what?

There is increasing international cooperation between law enforcement agencies to counter cyber criminals and bring them to justice. However, it is an uphill battle and new illicit platforms are constantly emerging.

S-RM is proud to have been voted Cyber Incident Response Team of the Year at Zywave’s 2023 Cyber Risk Awards. Read more here.


Cyber Intelligence Briefing

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.

Authors

Kyle Schwaeble
Senior Associate, Cyber Security

Kyle Schwaeble is a senior associate on S-RM’s cyber security team, bringing expertise in incident response management and, particularly, the secure restoration and recovery from cyber incidents such as ransomware attacks and business email compromises. In addition to his incident response work, Kyle has also supported multinational clients with their security transformation programmes, advising on the development and implementation of new technological, procedural, and cultural security controls.

Kyle joined S-RM in 2019, initially working as an analyst in the Corporate Intelligence team, where he supported various corporate and diligence investigations. He holds a BCom(LLB) from Stellenbosch University in South Africa and is GSEC certified.

James Tytler
Associate, Incident Response

James Tytler is an associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.
