It has been an interesting month in the cyber world. We know it has been incredibly busy, but a limited number of incidents are breaking the “media-surface”. We continue to monitor the fallout from the BlackCat / LockBit takedowns, we take a keen interest in international developments, and we proudly launch our latest “Cross Examining Cyber” podcast, with Bill Siegel, CEO and Co-Founder of Coveware. There’s a bit in here, but we’ve collated the key stories so you don’t have to…
- The game of whack-a-mole continues with BlackCat and LockBit, and many in the media have continued to comment on the various take-down efforts by law enforcement. It looks like positive progress has been made by law enforcement and the efforts in this space are starting to bear fruit.
- Australia’s new National Cyber Security Coordinator, Lieutenant General Michelle McGuinness, flagged in a recent speech the nation’s new campaign to change community behaviour and mitigate against a culture of underreporting cybercrime.
- The UN General Assembly approved the first resolution on artificial intelligence which promotes the “safe, secure and trustworthy” use of AI. This is an important step in ensuring the global community has the opportunity to fully participate in AI’s development, and it’s promising that the resolution is binding on every UN member state. Read the resolution here.
- The EU has strengthened their cyber resilience with its Cyber Solidarity Act, which features cross-sector incident reporting and joint response initiatives to optimise preparedness. It’ll be interesting to see whether the Federal Government adopts a similar model as they continue along with their precautionary and risk-based approach to legislating cyber.
- The US government has set aside over US$27 billion to spend on cybersecurity as part of its 2025 budget. This comes as no surprising against the backdrop of several executive orders being signed to counteract mounting cyber threats, while the White House also double downed with warnings about Chinese-backed threat actors. Australia’s Foreign Affairs Minister Penny Wong issued a joint statement with Home Affairs Minister Clare O’Neil backing US allegations against China too.
- We have seen a lot of media relating to the activities of different threat actors, including those linked with China. Chinese-linked hackers are suspected of hacking Taiwan’s largest telco two months after claims were made that Chinese threat actors conducted cyber espionage in an attempt to derail Taiwan’s recent elections. A former software engineer at Google was also charged with stealing Google’s AI trade secrets and transferring them to two Chinese companies.
- With that in mind, the Chinese-backed Volt Typhoon threat actor has ascended to become one the most prolific and aggressive adversary groups of 2024, with a new advisory released by the Five Eyes intelligence alliance. The group was also called out by Hamish Hansford, Deputy Secretary of the Cyber and Infrastructure Group, as targeting critical infrastructure providers, suggesting their campaigns may be part of a wider espionage policy of the Chinese government.
- The BlackBasta hacking group claimed to be in possession of over 700 gigabytes of data belonging to twelve Australian companies. The group has already been cited as walking away with over US$100 million since emerging in 2022, and it seems that they’ll remain just as active in Australia moving forward.
- The US Cybersecurity and Infrastructure Security Agency was hacked by an unidentified hacker, and the TA4903 adversary group has been uncovered as impersonating several US government entities to launch business email compromise attacks. Both of these serve as a reminder that even our government departments are not immune to cyberattacks.
- Finally, Mimecast published its report on ‘The State of Email and Collaboration Security 2024’ which addresses key issues relating to human risk and the effects poor security training can have on businesses of all sizes.
Contents
-
News from HSF
-
Regulatory and industry insights
-
Cyber research and reports
-
Recent cyber incidents and developments
Cross Examining Cyber
Hot-on-the-heels of our inaugural podcast with Hamish Hansford, our next episode involves a cross examination of Bill Siegel, CEO and Co-Founder of Coveware. This promises to be an incredibly interesting and informative discussion, with all three episodes of Cross Examining Cyber ready to be listened to here.
The Cyber Simulation – Client Seminars
Last year, we surveyed legal leaders from across Australia in our Cyber Risk Report. A massive takeaway was that businesses are lacking a legal specific incident response plan, nor have they participated in any cyber simulation exercises to test their cyber preparedness and identify areas of improvement. That’s why we’ve decided to bring a cyber simulation straight to you through an in-person event in Sydney on 1 May, and in Melbourne on 7 May. We’re also planning on holding simulations in Brisbane and Perth, so stayed tuned for updates for those locations. The simulation will run for 2 hours with an opportunity to network before and after the session.
Australia
Signing of MOU between CI-ISAC Australia and Health ISAC
Australian Cyber Security Magazine – 28 March 2024
This article explains that Critical Infrastructure Information Sharing and Analysis Center (CI-ISAC) has signed a Memorandum of Understanding (MOU) with the Global Health Information Sharing and Analysis Center (Health ISAC) to increase the sharing of cyber threat intelligence between members. The partnership will provide a value-for-money and commercially safe environment for companies to share insights for a stronger, collective response to cyber attacks. The MOU includes arrangements for sharing information on cyber threats targeted at the health sector and other CI-sectors in Australia. This partnership seeks to reinforce the cross-sectoral approach to collectively uplift Australian CI’s cyber defences.
Leaked documents reveal Australia targeted by Chinese hackers
AFR – 26 March 2024
This article discusses how a Chinese cybersecurity company with links to the Communist Party government, i-Soon, used its guns-for-hire hacking operation to target Australia, according to leaked documents. The leaked documents detail insights into the day-to-day operations of I-Soon as an IT training security company that facilitates Chinese government-backed cyberattack and espionage campaigns. The company breached agencies such as Britain's Home Office and National Crime Agency, India's Ministry of Foreign Affairs, the Thai Prime Minister's Office, Vietnam's Supreme Court, and South Africa Special Forces. Australia is mentioned twice in the leaked documents, but there are no details of specific targets of Australia. This revelation comes as the Albanese government condemned another state-affiliated hacking group in China that targeted UK politicians and compromised Britain's Electoral Commission.
Coalition calls for sanctions against China after Beijing accused of cyber espionage in US and UK
ABC News – 26 March 2024
This article provides how the Coalition has urged the Federal Government to sanction China after the US and UK accused Beijing of coordinating cyber espionage campaigns targeting voters, parliamentarians and companies in the West. The UK and US have unveiled sanctions on state-backed hackers they accuse of being behind "malicious" cyber-attacks. New Zealand's Defence Minister Judith Collins also announced that hackers from a group linked to China's Ministry of State Security gained access to the country's Parliamentary Service and the Parliamentary Counsel Office. The Australian Foreign Affairs Minister Penny Wong and Home Affairs Minister Clare O'Neil issued a joint statement backing claims holding China responsible. See also AFR article (26 March).
Australia gov backs election system security after “highly likely” UK compromise
IT News – 26 March 2024
This article explores claims made by the UK government that attributes two malicious cyber campaigns targeting democratic institutions and parliamentarians to China-affiliated threat groups. In response to questions around the safety of Australia’s electoral system, the Australian government has assured the public that the current framework is secure. The UK has summoned the Chinese Ambassador to the UK and sanctioned two individuals who are members of APT31. The US has also accused China of a vast illegal hacking operation that targeted sensitive data from US elected and government officials, journalists and academics.
Risk environment rapidly changing, government cyber honcho warns
Government News – 20 March 2024
This article details comments made by Deputy Secretary of the Cyber and Infrastructure Group Hamish Hansford at the Gartner Security and Risk Management Summit. Mr Hansford discussed the 2023-2030 Cyber Security Strategy and the plan to make Australia the most cyber secure nation in the world by 2030. Notably, Mr Hansford flagged the first leg of the Strategy as focussed on securing critical infrastructure providers, while naming the Chinese state-backed Volt Typhoon threat group as an example of hackers attacking critical infrastructure. See also Cyber Daily article (21 March).
Mr Hansford was also the first guest on HSF’s newest podcast series, Cross Examining Cyber. Take a listen to episode 1 and 2 here.
Australia’s cyber security spending to grow 11.5% this year
Computer Weekly – 19 March 2024
This article provides that Australian organisations are expected to spend over $7.3 billion on security and risk management products and services this year, up 11.5% from 2023. Gartner predicts that cyber security will receive the largest increase in technology investment in 2024, with 87% of ANZ respondents indicating a focus on cyber security. Security services, including consulting, hardware support implementation, and outsourcing services, will remain the largest end user spending category in Australia. The use of GenAI is also projected to cause a spike in cyber security resources required to secure it by 2025, causing a 15% incremental spend on application and data security.
ASD taps Microsoft Sentinel’s threat intelligence feed
IT News – 19 March 2024
This article discusses how the Australian Signals Directorate (ASD) has added Microsoft Sentinel to its cyber threat intelligence sharing platform, enabling access to 65 trillion signals of global threat intelligence. The partnership agreement was struck in October last year, and the connection also allows Microsoft customers to share cyber threat information at the speed and scale required to mitigate against growing threats.
‘Tip of the iceberg’: new cyber tsar issues warning on attacks
Australian Financial Review – 18 March 2024
This article explores comments made by Australia’s new National Cyber Security Coordinator, Lieutenant General Michelle McGuinness, who has warned that cybercrime and cyberattacks are being underreported. As a response, the National Office of Cyber Security is progressing with a cybersecurity advertising campaign with three key messages: using passphrases (as opposed to passwords), multifactor authentication, and regularly updating software. The campaign aims to change habits and behaviours to make Australians understand that cybersecurity falls on individuals, and not just businesses.
Losses halve as government touts success in combating scams
Cyber Daily – 13 March 2024
This article highlights key findings from the National Anti-Scam Centre’s (NASC) second quarterly report which shows a decline in scam losses in the last quarter of 2023. The report also showed a drop of 37% in losses to investment scams, 31% to bank transfer scams, and 74% in crypto scams. The Federal Government invested $86.5 million in last year’s budget to establish the NASC, and Assistant Treasurer Stephen Jones also forecasted the introduction of mandatory industry codes to impose tough new obligations on banks, telcos and social media platforms.
Australian government announces consultation period on anti-doxxing laws
Cyber Daily – 11 March 2024
This article details the Albanese Government’s intention to introduce new regulations prohibiting the act of doxxing, the practice of maliciously sharing personal information online. Doxxing has gained prominence in recent decades as a tool of online revenge, and comes in three distinct forms: de-anonymising, targeting, and delegitimising. The Government is proposing a new statutory tort to provide victims with greater control over how their private data is used and accessed, while criminal reforms to target those who engage in doxxing are also under consultation.
International
Why cyber indictments and sanctions matter
Australian Strategic Policy Institute – 27 March 2024
This article examines the utility of cyber indictments and sanctions as a response to mitigating against cyber threats on both a national and international level. Cyber attributions, sanctions, and indictments are largely strategic communication exercises, and Australia and its partners have taken a proactive approach to imposing these punitive measures. This is especially important against the backdrop of growing cyber espionage from nation-state actors backed by China and Russia, and the increasing rates of attack against critical infrastructure.
Data privacy and the banning of TikTok
Asia IP Law Magazine – 25 March 2024
This article gives a broad overview of the US government’s banning of TikTok due to data privacy and security concerns. Throughout the article, several lawyers from across APAC give their views on TikTok’s use of data and the potential responses which governments in different jurisdictions may adopt to regulating the social media app. There is also a detailed consideration of whether individual consumers should be empowered to make their own decision as to whether they are comfortable with TikTok’s data collection policies, or if governments should be able to intervene to restrict the app’s operation.
UN adopts first resolution on artificial intelligence
AP News – 22 March 2024
This article details the UN General Assembly’s approval of their first resolution on AI. The resolution’s purpose is to ensure that AI benefits all nations, respects human rights, and is safe, secure, and trustworthy. It also aims to close the digital divide between rich and poor countries, and make sure that every nation is able to participate in AI discussions and planning. The resolution stresses the urgency of achieving global consensus on safe and secure artificial intelligence systems, and is binding on all 193 UN member nations.
New cyber security rules force carmakers to discontinue models
Cyber Daily – 22 March 2024
This article explores how European car manufacturers have been forced to discontinue car models due to new cyber security standards imposed in the EU commencing on 7 July. The new standards were initially announced in 2022, and car builders were given two years to prepare for them. Volkswagen, Porsche, Renault, Mercedes-Benz and Audi are phasing out older models in preparation for the new standards. After 7 July, car manufacturers will be mandated to prove they had a certified management system in place during model development.
The Aviation and Aerospace Sectors Face Skyrocketing Cyber Threats
Security Affairs – 18 March 2024
This article issues a warning about the intensified risk of cyber threats to the aviation industry and aerospace sector given a rise in geopolitical tensions. Prominent ransomware group LockBit 3.0 have targeted numerous companies in the aerospace sector since 2021, including Bangkok Airways, Kuwait Airlines, and Air Albania.
World’s first AI Act passes final hurdle
Innovation Australia – 14 March 2024
This article explores the European Parliament’s passing of the EU’s AI Act which bans high-risk use cases such as predictive policing and social scoring systems. The law is expected to be in place by June, but is currently undergoing final procedural checks. The law will be fully applicable 24 months after being put into force, with additional risk mitigation obligations necessary for higher-risk cases such as education, healthcare, banking, and critical infrastructure. See also Cyber Daily article (14 March 2024).
Russia claims US and ‘Western countries’ are trying to hack its presidential election
The Record – 14 March 2024
This article details allegations made by Russia’s Ministry of Foreign Affairs claiming that hackers from “Western countries” are orchestrating against them in the lead-up to Russia’s presidential election. The head of the Russian election commission accused Russian "enemies" of meddling with the election process. The Russian National Computer Incident Coordination Center issued a warning to online voters about the escalating cyber threats, including those that could originate from Ukraine and its allied countries. The White House has denied these allegations, instead arguing that Russia has a long history of targeting US and other democratic elections.
US government sets aside US$27.5bn for cyber security spending
Cyber Daily – 12 March 2024
This article unpacks the US Government’s budget for cyber security spending in 2025, totally US$27.5 billion. The Department of Defence will spend US$14.5 billion on general cyber operations, while US$7.4 billion will go directly to the American armed forces. The Cybersecurity and Infrastructure Security Agency (CISA) will receive an additional US$103 million in funding. The Secretary of Homeland Security, Alejandro N. Mayorkas, said the budget is about staying ahead of the curve when it comes to facing complex threats.
FBI: U.S. lost record $12.5 billion to online crime in 2023
Bleeping Computer – 7 March 2024
This article identifies findings from the 2023 Internet Crime Report which showed a 22% increase in reported losses to online crime as compared to 2022. The number of complaints submitted to the FBI in 2023 also increased by 10%, and the four online crimes that caused the most financial losses in 2023 were Business Email Compromise (BEC), investment fraud, ransomware, and tech/customer support and government impersonation scams. For ransomware attacks, LockBit had the highest reported attacks in 2023 at 175, followed by ALPHV/BlackCat (100) and Akira (95).
The EU Cyber Solidarity Act | Shaping Europe's digital future
European Commission – 6 March 2024
This article discusses the EU Cyber Solidary Act which is aimed at strengthening the capacities of EU entities to detect, prepare for and respond to significant and large-scale cybersecurity threats and attacks. The Act introduces a European Cybersecurity Alert System, Cybersecurity Emergency Mechanism, and Cybersecurity Incident Review Mechanism. The total budget includes an increase of €100 million, bringing the new total amount available for cybersecurity actions under the Digital Europe Programme to €842.8 million.
BlackCat ransomware shuts down in exit scam, blames the “feds”
Bleeping Computer – 5 March 2024
This article describes how the BlackCat ransomware gang is pulling an exit scam by pretending the FBI seized their site and infrastructure. BlackCat announced they are selling the source code for their malware for US$5 million. The administrators of the operation said that they "decided to completely close the project" and "we can officially declare that the feds screwed us over”. See also Bleeping Computer article (4 March).
APAC Cyberattacks Up 15%
Asia Pacific Security Magazine – 28 March 2024
The Financial Services Information Sharing and Analysis Center released its annual Global Intelligence Office report, ‘Navigating Cyber 2024’. Most notably, the report found that APAC organisations were impacted significantly by cyber attacks in 2023, with an average of 1,963 entities being hit per week. Other key findings from the report include:
- Increase geopolitical hacktivism: threat actors are launching more misinformation campaigns and DDOs attacks against critical infrastructure.
- New extortion tactics in response to global regulations: an increase in cybersecurity legislation and monitoring has resulted in cybercriminals weaponizing new disclosure requirements to push companies to fulfil extortion demands before the required reporting deadline.
- Improvement of supply chain’s cybersecurity posture: industries are working closely with suppliers to establish communication channels for incident response to bolster the overall cybersecurity posture in supply chains.
What the Latest Ransomware Attacks Teach About Defending Networks
Bleeping Computer – 21 March 2024
Bleeping Computer provides a breakdown of recent ransomware attacks, lessons worth learning from these examples, and tips to help limit ransomware risk. Amongst these recommendations, organisations should ensure they have effective email security and endpoint security solutions such as firewalls, intrusion prevent systems, and advanced threat detection capabilities. Encrypting sensitive data also remains crucial to protect against data-exfiltrating attacks, while endpoint security solutions help identify and block ransomware before it executes on a user’s device.
Malicious Use Cases for AI
Australian Cyber Security Magazine – 20 March 2024
Recorded Future has published a threat intelligence report which analyses four malicious use cases of AI for threat actor exploitation:
- Using deepfakes to impersonate executives;
- Influencing operations by impersonating legitimate websites;
- Leveraging generative AI to augment source codes of small malware variants to lower detection rates; and
- Identifying industry control system equipment to conduct aerial imagery reconnaissance.
The report tested a mix of off-the-shelf and open-source models to simulate realistic threat actor access. The limitations and capabilities of current AI models were tested, ranging from large multimodal image and text-to-speech (TTS) models. For example, multimodal AI can be used to process public imagery and videos to geolocate facilities and identify industry control system equipment. However, the report notes that translating AI information into actionable targeting data scale remains challenging and requires further development.
Cybercriminals capitalise on business flaw: Human risk
Australian Cyber Security Magazine – 13 March 2024
Mimecast has published its report on ‘The State of Email and Collaboration Security 2024’, which explores the growing rate of cyber threats, especially due to the rise in AI and deepfake technology. Key areas addressed in the report include:
- Human risk is the main security threat where IT teams must provide employees with adequate training.
- Emergence of AI is increasing the occurrence of phishing and ransomware.
- Companies are now viewing cyber risks as important business problems, and not just an issue for their IT teams to deal with.
- Email is still the main way in which cyber threats occur.
Cyber security for charities and not-for-profits
ACSC – 12 March 2024
The ACSC has released guidance for charities and not-for-profit organisations on how to adequately protect their entities despite a lack of financial and technological resources at their disposal. Along with the guidance, the ACSC has also provided cases studies and resources which charities and not-for-profits can integrate into their businesses to ensure a resilient cybersecurity posture.
Australia
Australia and Five Eyes allies issue new Volt Typhoon advisory
Cyber Daily – 21 March 2024
This article provides that Australia, along with the US Cybersecurity and Infrastructure Security Agency, has released a new advisory on behalf of the Five Eyes intelligence alliance, warning of the “urgent risk” posed by the state-backed Chinese hacking group Volt Typhoon. The group’s targets and tactics differ from typical activities, suggesting their espionage goals are to obtain access to operational technology (OT) assets which can be exploited to disrupt critical infrastructure. See also Bleeping Computer article (19 March).
Nissan Oceania Data Breach Impacted Roughly 100,000 People
Security Affairs – 14 March 2024
This article confirms that at least 100,000 Nissan Oceania customers and employees have been impacted by Nissan’s December 2023 cyber-attack by the Akira ransomware group. Akira stole 100 GB of corporate files and personal information from Nissan Oceania, which includes Medicare cards, passports, drivers’ licenses, and tax file numbers. Nissan refused to pay Akira’s demands, leading them to publicly publish the stolen information.
11k cyber incidents linked to Medibank cyber attack discovered by Australian police
Cyber Daily – 13 March 2024
This article highlights that Australian law enforcement detected over 11,000 cyber incidents linked to the Medibank breach in 2022. Operation Guardian, a union of federal, state and territory police, was established to monitor and disrupt attempts to leverage cyber-attacks as opportunities for further scam attacks. The Operation was initially launched to protect Optus, though was expanded to include other prominent entities such as Medibank, Latitude, MyDeal, and GoAnywhere.
BlackBasta names nearly a dozen Australian companies in data leak
Cyber Daily – 12 March 2024
This article confirms that the BlackBasta hacking group has leaked over 700 gigabytes of data belonging to 12 Australian companies. The hackers have not claimed responsibility for hacking the affected entities, but instead stated they exfiltrated the data from a compromised cloud hosting service. One of the compromised businesses, Optimum Health Services, have had employee passports and ID documents leaked.
14m Australian emails and addresses for sale on clear web hacking forum
Cyber Daily – 11 March 2024
This article details that a hacker has offered 14 million Australian emails and addresses for sale on a hacking forum for US$7,000. The data set appears to be a mix of previously leaked information and newly acquired material. The seller has essentially combined previously exfiltrated information and some new data to create a new dataset to sell on the hacking forum.
International
AT&T Confirmed That A Data Breach Impacted 73 Million Customers
Security Affairs – 31 March 2024
This article states that AT&T has confirmed their recent data breach as affecting 73 million customers after data was leaked on a cybercrime forum. Researchers confirmed that the data is legitimate, but it is unclear if it was stolen from a third-party organization. ShinyHunters, a hacking crew, claimed to have a database containing private information on roughly 70 million AT&T customers in August 2021. The company initially denied any data breach, but later retracted its initial denial and confirmed the data breach. Over 70 million records were released, with information including customer names, phone numbers, email addresses, social security numbers, and dates of birth. See also Security Affairs article (17 March).
Russian-backed hackers caught targeting German political parties
Cyber Daily – 25 March 2024
This article outlines that Russian-backed hackers linked to the APT29 adversary group have been observed using phishing techniques to target German political parties. The campaign uses fake email invites to a dinner reception featuring the logo of the German Christian Democratic Union political party. The invite then sends the victim to a compromised WordPress website, where the threat actor’s first stage payload is initiated. Mandiant has reported that APT29 was responsible for hacks against the Pentagon back in 2015 and the US Democratic National Committee in 2016.
Cybercriminals Accelerate Online Scams During Ramadan and Eid Fitr
Resecurity – 22 March 2024
This article unpacks research conducted by Resecurity which has identified a significant increase in fraudulent activities and scams during Ramadan, particularly in the Middle East. The most emerging types of fraudulent activity observed in the region during this time of year are gift, charity and donations fraud, as well as phishing and smishing activity. Resecurity noted a rising trend in scams involving bogus notifications from well-known shipping companies, with messages falsely claiming that a parcel delivery is pending due to unpaid fees.
403,000 people’s personal information taken in MediaWorks cyberattack
RNZ – 22 March 2024
This article confirms that New Zealand-based company MediaWorks has suffered a cyber-attack that has affected over 400,000 people. Hackers stole information from a database of online competitions from as far back as 2016, which included names, dates of birth, gender, addresses, email addresses, and phone numbers. The company is reviewing its IT systems and cyber security protections, while the NZ Privacy Commissioner and police have been notified.
Nation-state actors have their sights on the cloud
Technology Decisions – 21 March 2024
This article unpacks a recent cyber-attack orchestrated by the Russian-backed Midnight Blizzard adversary group against Microsoft which exploited a vulnerability in Microsoft’s security infrastructure and targeted an internal service account lacking multi-factor authentication. This comes as nation-state threat actors have begun to shift towards cloud computing which has provided attackers with new opportunities to exploit vulnerabilities at scale.
Anonymous Sudan Claims “Massive Cyber-Attack” On US DoJ
Cyber Daily – 20 March 2024
This article details that the Anonymous Sudan hacking group successfully launched a DDoS attack on the United States Department of Justice (DoJ). It is unknown how long the attack brought the DoJ's systems offline for, and the group has not provided evidence of the attack on its Telegram. Anonymous Sudan is also pushing its new DDoS as a service, InfraShutdown, which it says is used for all of its attacks.
Chinese Earth Krahang hackers breach 70 orgs in 23 countries
Bleeping Computer – 18 March 2024
This article outlines the rise of a Chinese APT group called ‘Earth Krahang’ who has breached 70 organisations and targeted at least 116 entities across 45 countries. Earth Krahang’s campaign has been underway since early 2022 and focusses primarily on government organisations. The attackers routinely exploit vulnerable internet-facing servers and use spear-phishing emails to deploy custom backdoors for cyberespionage. The group has also been observed building VPN servers on compromised systems and performing brute-force attacks to crack passwords in order to access email accounts.
Fujitsu Suffered a Malware Attack and Probably a Data Breach
Security Affairs – 18 March 2024
This article highlights that Fujitsu has suffered a malware attack that may have resulted in the theft of customer information. Multiple computers were infected with malware, and the company launched an investigation into the incident. Fujitsu has reported the impacted individuals and has notified the Personal Information Protection Commission in anticipation of a data breach. This incident follows a previous breach in May 2021, where Fujitsu’s enterprise collaboration and file-sharing platform was targeted.
Exclusive: After LockBit’s takedown, its purported leader vows to hack on
The Record – 16 March 2024
This article offers a fascinating podcast interview with LockBitSupp, the purported leader of the LockBit ransomware group, who details the events leading up to the seizure of the threat group’s platform under an international police operation, and offers insights into the hacking tools and source code used by the notorious cyber gang. LockBit has been rendered effectively redundant according to the UK’s National Crime Agency, though law enforcement officials and cybersecurity experts believe that LockBitSupp may be protected from arrest despite several individuals linked to the gang being reprimanded in Ukraine and Poland. The conversation was conducted over an encrypted messaging app and translated from Russian.
43M affected in French government agency cyber attack
Cyber Daily – 15 March 2024
This article details that France Travail, a government agency tasked with assisting the unemployed, issued a statement announcing that the data of people registered for the agency over the last 20 years may have been compromised. This comes after a “suspicious” attack in their servers, where names, social security numbers, and other personal details were exposed. See also Security Affairs article (16 March).
SIM swappers hijacking phone numbers in eSIM attacks
Bleeping Computer – 14 March 2024
This article unpacks how SIM swappers are using eSIM cards to steal phone numbers and access bank accounts. Attackers breach a user’s mobile account with stolen, brute-forced, or leaked credentials to initiate porting the victim’s number to another device. To defend against eSIM-swapping attacks, users should use complex and unique passwords for their cellular service provider account.
Hackers use TMChecker remote access tool to attack popular VPN & mail servers
CyberSecurityNews – 14 March 2024
This article explores the way TMChecker, a new tool on the dark web, is being used to target corporate networks though remote-access services and e-commerce applications. Developed by threat actor M762, the application combines login checking capabilities with a brute-force attack kit and is available for a US$200 monthly subscription.
LockBit ransomware affiliate gets four years in jail, to pay $860k
Bleeping Computer – 13 March 2024
This article provides that Russian-Canadian national Mikhail Vasiliev has been sentenced to four years in prison for his involvement in the LockBit ransomware operation. Vasiliev pleaded guilty to eight separate charges and was ordered to pay CAD$860,000 in restitution to his Canadian victims. Despite recent disruption led by an international law enforcement operation, LockBit remains one of the most active ransomware-as-a-service (RaaS) gangs engaging in data theft and encryption, followed by extortion and data leaks on a dedicated darknet portal.
Under Increasing Federal Scrutiny, BlackCat Ransomware Gang Pulls Exit Scam on Its Way Out
CPO Magazine – 12 March 2024
This article considers the BlackCat ransomware gang’s exist scam on its affiliates after a December takedown of its data site by international law enforcement, and discusses the future of the threat actor group. Despite BlackCat’s continued high activity in January and February, the late 2023 law enforcement operation appeared to rattle BlackCat, forcing the group to quickly shift to new infrastructure. The malware may continue to cause trouble due to stealth features that prevent researchers from analysing code samples using conventional methods. The ransomware gang may have trouble trading on their former name, and security researchers are usually able to note when former members (and malware tools) have resurfaced in a new gang. See also ARS Technica article (6 March).
US Cybersecurity and Infrastructure Security Agency hacked
Cyber Daily – 12 March 2024
This article confirms that the US Cybersecurity and Infrastructure Security Agency (CISA) has been compromised by an unidentified hacker. The hackers took advantage of known vulnerabilities in a pair of Ivanti products. CISA had released an advisory on the vulnerabilities and questioned the efficacy of the tool in a separate advisory.
Russia designates US government as APT Sand Eagle, claims it launched attack on Russian devices
Cyber Daily – 11 March 2024
This article states that Russia has claimed that the United States, or its governmental agencies, have launched cyberattacks against Russian Federation targets. Russia alleged that the US infected thousands of iPhones, including diplomatic missions, using the TriangleDB malware.
Switzerland: Play ransomware leaked 65,000 government documents
Bleeping Computer – 7 March 2024
This article details how the National Cyber Security Centre of Switzerland has released a report on a data breach following a ransomware attack on Xplain, an IT services firm, which impacted thousands of sensitive Federal government files. The Play ransomware gang breached the company in May 2023, and published the stolen data on its darknet portal. The Swiss government confirmed that 65,000 government documents were leaked in the breach which contained sensitive personal information including personal data, technical details, classified information and account passwords. See also Cyber Daily article (8 March).
Medusa Ransomware strikes US Federal Credit Union with cyberattacks
Cyber Security Peek – 8 March 2024
This article provides that the Medusa ransomware gang has leaked personal information, including names, date of births, passports, email addresses, and bank account numbers from the US Federal Credit Union. The attack on the credit union coincided with technical issues in late February, but the US Federal Credit Union has not addressed the breach or initiated ransom discussions. This incident underscores the persistent threat of ransomware attacks against financial institutions, emphasising the critical need for robust cybersecurity measures to safeguard sensitive data.
Google engineer caught stealing AI tech secrets for Chinese firms
Bleeping Computer – 7 March 2024
This article discusses how a former software engineer at Google, Linwei Ding, has been charged with stealing Google’s AI trade secrets and transferring them to two Chinese companies. The alleged theft involved crucial technology underpinning Google’s advanced supercomputing data centres. Ding was arrested on March 5 in California and faces a maximum penalty of 10 years in prison plus a fine of up to US$250,000 for each count of trade secret theft.
After collecting $22 million, AlphV ransomware group stages FBI takedown
ARS Technica – 6 March 2024
This article outlines that the AlphV/BlackCat ransomware gang received nearly US$22 million in cryptocurrency in exchange for decrypting its data and promising to delete it. AlphV posted a message on its public dark web site that it had been seized by the FBI as part of an international law enforcement action; however, the FBI denied involvement, and the seizure notice was copied from a different site and pasted into the AlphV one. Multiple researchers suggest that AlphV decided to retire or go on a temporary hiatus before reforming as a new group, a common move among ransomware groups when in the sights of law enforcement. Instead, they posted a fake seizure notice to give the appearance of being shut down by law enforcement, leading to speculation that they staged the takedown and took the entire payment for themselves. See also CPO Magazine article (12 March).
The rise of RansomHub: Uncovering a new ransomware-as-a-service operation
Cyber Daily – 5 March 2024
This article explores the activities of a new ransomware-as-a-service operator, RansomHub. Of the five victims currently listed on RansomHub, one has had their data published, while another victim’s data was sold online. The gang does not allow attacks against certain targets and has strict rules for its affiliates, including a ban on attacks against countries such as China, North Korea, and Cuba.
Suspected Chinese hackers breach Taiwan’s largest Telco, selling stolen government data
Teiss – 5 March 2024
This article highlights that Chunghwa Telecom has been hacked by suspected Chinese hackers, and 1.7TB of data of government-related information has been leaked. The breach is the latest of cybersecurity issues Taiwan faces in its complex relationship with China.
Ukraine’s Gur Hacked The Russian Ministry of Defense
Security Affairs – 5 March 2024
This article details that the Main Intelligence Directorate (GUR) of Ukraine’s Ministry of Defence’s claims to have breached Russian Ministry of Defences servers. The GUR alleges they gained access to confidential Russian documents, encryption software, and secret service data.
Note: The articles above are a selection of cyber related media reports during the month of September 2023. The linked articles are provided for convenience. The headlines, summaries and articles themselves do not represent the views or opinions of HSF.
Key contacts
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.