11 December 2020 | Asia Cyber Summary

In the spotlight this week:

  • U.S. cyber firm FireEye breached by nation-state hackers

  • Hackers leak data from Embraer, world’s third largest airplane maker

  • Healthcare giant Johnson & Johnson sees 30% increase in cyber attacks

  • Ransomware gangs cold call victims who restore backups without paying ransom

  • Credit card stealer discovered in social media buttons

  • Iranian RANA Android malware also spies on instant messaging apps

U.S. Cyber Firm FireEye Breached by Nation-State Hackers

Earlier this week, cyber firm FireEye revealed that its own systems were infiltrated by “a nation with top-tier offensive capabilities.” The company said the hackers used “novel techniques” to make off with its own toolkit, which could be useful in mounting new attacks around the world. FireEye has engaged the FBI in this matter. FireEye and the FBI believe that the hackers were after what the company calls “Red Team tools,” which replicate the most sophisticated hacking techniques in the world in order to look for vulnerabilities in the systems FireEye tests.

Hackers Leak Data from Embraer, World's Third-Largest Airplane Maker

Brazilian company Embraer, considered the third-largest airplane maker after Boeing and Airbus, was the victim of a ransomware attack last month. The hackers leaked private files on the Dark Web in retaliation after the airplane maker refused to negotiate and instead chose to restore its systems from backups without paying the ransom.

Data uploaded to the leak site included samples of employee details, business contracts, photos of flight simulations, and source code, among other material. The airplane maker said the attackers had "access to only a single environment," and that the incident caused only a temporary impact on "some of its operations."

Ransomware Gangs Cold-Call Victims Who Restore Backups Without Paying

In the latest attempt to put pressure on victims, ransomware gangs have escalated their tactics and are now cold-calling victims when they suspect that a hacked company might try to restore from backups and avoid paying the ransom demand. This tactic has been in use since August by ransomware gangs such as Sekhmet, Maze, Conti, and Ryuk. The calls are placed by outsourced call center groups, which are paid handsomely for working on behalf of the ransomware gangs and follow a standard template and script.

Healthcare Giant Johnson & Johnson Sees 30% Increase in Cyber Attacks

Healthcare research giant Johnson & Johnson has observed a surge of cyber attacks carried out by state-sponsored hackers during the COVID-19 pandemic, with targeted attacks aimed at information about the vaccine. Johnson & Johnson, along with other COVID-19 research companies, has recently been hit by North Korea-linked hackers.

North Korean hackers have targeted at least six pharmaceutical companies in the U.S., the U.K., and South Korea working on COVID-19 treatments, further delaying the release of the vaccine. C-suite executives at pharmaceutical companies have called upon their supply-chain vendors to invest in “strong defenses against cyber attacks” for the greater good.

Credit Card Stealer Discovered in Social Media Buttons

Cyber criminals have created a new type of web malware that hides inside the images used for social media sharing buttons in order to steal credit card information entered into payment forms on online stores. The malware, a web skimmer or Magecart script, was spotted on online stores in June this year. While this particular variant is not yet widely deployed, its discovery suggests that Magecart gangs are constantly evolving their bag of tricks.

Iranian RANA Android Malware Also Spies On Instant Messenger Apps

A team of researchers unveiled previously undisclosed capabilities of an Android spyware implant developed by a sanctioned Iranian threat actor. The spyware could let attackers spy on private chats in popular instant messaging apps, force-assign Wi-Fi connections, and auto-answer calls from specific numbers to eavesdrop on conversations.

Earlier this year, the US Department of the Treasury imposed sanctions on APT39 (aka Chafer, ITG07, or Remix Kitten) — an Iranian threat actor backed by the country's Ministry of Intelligence and Security (MOIS) — for carrying out malware campaigns targeting Iranian dissidents, journalists, and international companies in the telecom and travel sectors. Coinciding with the sanctions, the US Federal Bureau of Investigation (FBI) released a public threat analysis report describing several tools used by Rana Intelligence Computing Company, which operated as a front for the malicious cyber activities conducted by the APT39 group.
