Top five Cyber Threat Intel stories of the week: 12/05 to 12/09/2022

James Beal
Hunter Strategy
Dec 9, 2022

Top 5 general threat intelligence stories of the week. This is from TLP white/open-source websites, so please feel free to share with anyone inside or outside the company you think would benefit and enjoy reading about these events. Please reach out if you have any questions on any of these events. Thank you!

General Worldwide activity:

1st: ‘The world should be prepared’ — Microsoft issues warning about Russian cyberattacks over winter

Overview: Microsoft has warned that “the world should be prepared for several lines of potential Russian attack in the digital domain over the course of this winter,” referencing both destructive cyber operations and those designed to exacerbate social tensions. The company said Russia’s military cyber operations have now expanded beyond Ukraine to hit Poland, referencing the ‘Prestige’ ransomware attacks which recently targeted the country’s transport and logistics sector. Microsoft last month attributed these attacks to the Iridium hacking group associated with the GRU, Russia’s military intelligence agency.

Breakdown: As we continue to watch Russian hacking and cyber-attack activity, still mainly focused on Ukraine but also reaching NATO members and Western “allies”, this is the latest update. It is a great overview of recent activity while also serving as a heads-up on expected actions over the next few months. The links in the article are also great resources to read through if you have the time, as they detail specific threat groups and their activities as they tie into the ongoing conflict.

2nd: Microsoft: Hackers target cryptocurrency firms over Telegram

Overview: Microsoft says that cryptocurrency investment companies have been targeted by a threat group it tracks as DEV-0139 via Telegram groups used to communicate with the firms’ VIP customers. “Microsoft recently investigated an attack where the threat actor, tracked as DEV-0139, took advantage of Telegram chat groups to target cryptocurrency investment companies,” the company’s Security Threat Intelligence team revealed. “DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members.”

Breakdown: Here we have research on attacks against cryptocurrency companies, broken down in a wonderful overview. If you have any interest in the technical details, the blog post directly from Microsoft’s MSTIC team that is linked in the article is an amazing breakdown of the entire attack chain they were able to follow. Cryptocurrency, with the assumptions made around its general anonymity while still being an item of value transferable to cash, is going to continue to be a primary focus of attacker threat groups around the world. Research like this is valuable knowledge to be at least reasonably familiar with in the aggregate.

3rd: On hacking forums, even the scammers aren’t safe

Overview: Cybercriminals use a range of techniques to steal victims’ money — from developing malicious software to siphon financial data to old-fashioned “rip-and-runs” — but that doesn’t mean they’re immune to falling for these scams themselves. Scammers scamming scammers, including sometimes the scammers who have scammed them, is “an entire sub-economy” on darknet marketplaces, according to Matt Wixey, a senior threat researcher at Sophos. In a presentation at Black Hat Europe on Wednesday, to be followed by a four-part series of online posts over the coming weeks, Wixey detailed Sophos’ in-depth investigation into roughly 600 scams across three major criminal forums.

Breakdown: It is great to see scammers getting attacked by other scammers — any time criminals spend attacking each other is time they do not have to attack real, innocent victims. Sadly, the reason they are usually good targets is their continued success against real victims, which means they have things of real value to steal. This is a fascinating look into actual scammer activity, and I look forward to all the details being released in the promised blog posts soon.

4th: Rackspace Confirms Ransomware Attack as It Tries to Determine If Data Was Stolen

Overview: Cloud company Rackspace has confirmed being targeted in a ransomware attack after it was forced to shut down its Hosted Exchange environment. Rackspace’s hosted Microsoft Exchange service started experiencing problems on Friday, December 2. The company shut down the impacted environment and confirmed on Saturday that it was a security incident. On Tuesday morning, the company confirmed that the suspicious activity causing the disruption was the result of a ransomware attack. SecurityWeek has checked the leak websites of several major ransomware groups, but has not seen any mention of Rackspace. However, since the incident is very recent, the cybercriminals are likely still trying to negotiate with the company before listing it on their site and threatening to leak stolen data.

Breakdown: Details on this attack have been slowly released over the last week since it was first detected as an attack. It is always interesting to watch these events as they occur, especially against such a well-known system as Microsoft Exchange, which has had several 0day vulnerabilities under active attack in the recent past. There have been discussions around the response to this attack, with a very negative spin on Rackspace’s response actions and how their statements have not been fully truthful or have not reflected the real technical problems. Several comments noted Rackspace stating the impact was less than what customers were actually experiencing, as well as saying systems were functional when they were not. There has also been discussion around migrating customers from hosted Exchange to Office365 instead of fixing the hosted Exchange environment for impacted companies. Once this has been resolved and more details are available from everyone involved, it will be an interesting case for discussing incident response and how to communicate externally with customers who have been impacted by an attack.

5th: Shootings at power substations cause North Carolina outages

Overview: Two power substations in a North Carolina county were damaged by gunfire in what is being investigated as a criminal act, causing damage that could take days to repair and leaving tens of thousands of people without electricity, authorities said Sunday. In response to ongoing outages, which began just after 7 p.m. Saturday across Moore County, officials announced a state of emergency that included a curfew from 9 p.m. Sunday to 5 a.m. Monday. Also, county schools will be closed Monday.

Breakdown: This attack is obviously not cyber security related, but I included it for a very specific reason. This is what an attack on critical infrastructure looks like, and it shows the exact impact we would see if someone had destroyed this equipment with malware instead of physically attacking it. The destruction of critical equipment and the time to repair may actually be larger during a cyber-attack, depending on which systems the attackers are able to break into and abuse. This attack serves as a perfect warning of what critical infrastructure attacks can look like: even a “small” attack impacts a large number of people, and the potential targets that would affect a much larger number of people personally also carry business impacts for every company trying to keep functioning without power to its offices.

Contact Us: contact@hunterstrategy.net


Cyber Threat Intelligence Engineer - Focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.