5 December 2023

8 min read

Property sales in limbo after IT service provider hack | Cyber Intelligence Briefing: 5 December

December 2023
Cyber Briefing News

 

Top news stories this week

  1. Homebuyer headache. Hack on UK IT service provider causes chaos for law firms and disrupts property sales across the country. 
  2. Retail nightmares. US retailers Dollar Tree and Staples suffer cyber hacks.   
  3. Cyber clampdown. International collaborations hinder ransomware gangs and seize cryptocurrency mixer.
  4. Surgical strikes. Ransomware attacks targeting healthcare providers in the US and UK.
  5. No reservations. Compromised hotel accounts used to target Booking.com customers.
  6. In the pipeline. Separate attacks on US water facilities and Slovenian energy supplier demonstrate critical infrastructure risks.

Listen to the Cyber Intelligence Briefing

New call-to-action New call-to-action New call-to-action New call-to-action

1. Major hack on IT service provider CTS leaves UK property sales in limbo 

A cyber attack on IT support company CTS, which provides services to 200 UK law firms, has left thousands of property purchases in jeopardy across the country, causing ongoing chaos for home buyers. The hack has also caused operational disruption for law firms which are unable to access case management systems and emails. The hack was reportedly caused by the high-risk software vulnerability known as “CitrixBleed”.

CTS first reported it was investigating a cyber incident on 24 November. On 1 December, the IT provider said it was in the final stages of restoring its systems but said overall recovery would take some time.

So what?

Law firms should carry out due diligence on their managed service providers (MSPs) checking they conduct regular security assessments, apply the latest patches, and proactively monitor for threats. Firms should also take steps to disable MSP accounts that are no longer in use, enforce multi-factor authentication on active MSP accounts and ensure they have robust incident response plans in case of successful attacks.

[Researcher: Waithera Junghae] 


2. Dollar Tree and Staples fall victim to cyber attacks  

US office supply retailer Staples has taken some of its systems offline in an effort to mitigate a cyber attack. Meanwhile, US retail discount store Dollar Tree suffered a third-party breach impacting nearly two million of its former and current employees after its HR service provider Zeroedin Technologies was hacked in August.

So what?

The immediate aftermath of a hack can be confusing. Having a post-incident communication plan for internal and external stakeholders will help organisations manage public relations and minimise potential reputational damage.

[Researcher: Waithera Junghae]


3. Global forces unite to dismantle ransomware gangs and seize cryptocurrency mixer 

The FBI and the Dutch Financial Intelligence and Investigation Service seized the website of cryptocurrency mixing service Sinbad, a key tool used by North Korean hacking group Lazarus to launder stolen money.

In a separate effort, an international collaboration of law enforcement from seven countries and Europol resulted in the arrest of five members of a prominent ransomware group based in Ukraine. Meanwhile, Russian national Vladimir Dunaev, who is facing trial in the US, has pled guilty to developing and deploying Trickbot malware.

So what?

The joint law enforcement efforts across multiple countries is evidence of growing international commitment to global cyber security. The Sinbad takedown will cause significant disruption to ransomware operations in the short term.

[Researcher: Lawrence Copson]


Join S-RM for our webinar on the 7th of December to gain valuable insights from our award-winning cyber experts

LEARN MORE AND REGISTER


4. Ransomware attacks hit Henry Schein, Ardent Health and King Edward VII’s hospital 

American health care giant Henry Schein and Ardent Health, which operates 30 hospitals across US, were targeted in separate ransomware attacks. The Ardent Health attack caused hospitals to shut down emergency treatment, while BlackCat/ ALPHV has reportedly encrypted Henry Schein’s systems three times since last October.

Separately, Rhysida has claimed responsibility for an attack on King Edward VII's Hospital in London, known for treating members of the British Royal Family.

So what?

The recent attacks on healthcare providers highlight the need for enhanced cyber security, including timely security patches, due to the sensitive and valuable nature of medical data.

[Researcher: Lawrence Copson]


5. Booking.com customers targeted in advanced phishing campaigns  

Cyber criminals are selling login credentials for the Booking.com administration platform on the dark web for USD 2,000. These credentials are used in advanced phishing campaigns targeting Booking.com customers. The compromised hotel accounts are used to access the Booking.com administration portal and send messages to customers imitating the hotel and requesting money.

So what?

It is important to independently verify unexpected communications, especially when requests are being made for personal information or payment details.

[Researcher: David Broome]


6. US and Slovenian critical infrastructure impacted by separate cyber attacks

An Iranian state-linked hacking group calling itself the CyberAv3ngers has compromised water facilities across the US, and defaced screens at a Pennsylvania-based municipal water authority with anti-Israeli messages. CISA linked the attacks to the use of default credentials on programmable logic controllers produced by the Israeli firm Unitronics. The UK’s NCSC has also warned that similar devices in other industries may be vulnerable.  

Separately, Slovenia’s largest power supplier Holding Slovenske Elektrarne (HSE) suffered a suspected Rhysida ransomware attack after credentials were reportedly stolen from unprotected cloud storage. Whilst the attack resulted in the encryption of some systems, it did not disrupt power production. 

So what?

Critical infrastructure is an attractive target for cyber criminals who seek to use operational disruption as a point of leverage. Ensuring that credentials are unique, complex, and utilise multi-factor authentication where possible is crucial to preventing compromise.

[Researcher: David Broome]

SUBSCRIBE TO RECEIVE OUR WEEKLY CYBER THREAT INTELLIGENCE BRIEFING VIA EMAIL

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.

Authors

Kyle Schwaeble
Kyle Schwaeble
Senior Associate, Cyber Security

Kyle Schwaeble is a senior associate on S-RM’s cyber security team, bringing expertise in incident response management and, particularly, the secure restoration and recovery from cyber incidents such as ransomware attacks and business email compromises. In addition to his incident response work, Kyle has also supported multinational clients with their security transformation programmes, advising on the development and implementation of new technological, procedural, and cultural security controls.  

Kyle joined S-RM in 2019, initially working as an analyst in the Corporate Intelligence team, where he supported various corporate and diligence investigations. He holds a BCom(LLB) from Stellenbosch University in South Africa and is GSEC certified. 

Miles Arkwright
Miles Arkwright
Associate, Cyber Advisory
James Tytler
James Tytler
Associate, Incident Response

James Tytler is an associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.

Kyle Schwaeble
Kyle Schwaeble

Senior Associate, Cyber Security

Miles Arkwright
Miles Arkwright

Associate, Cyber Advisory

James Tytler
James Tytler

Associate, Incident Response

Share this post

Subscribe to our insights

Get industry news and expert insights straight to your inbox.