15 April 2022 | Asia Cyber Summary

In the Spotlight this Week:

  • Panasonic confirms cyber attack after Conti leaks data

  • Chinese scientists build system “to identify satellite security flaws”

  • Cyber security service providers must apply for a license by the 11th of October

  • Ransomware payments in Australia and Hong Kong hit new records as Dark Web leaks climb

  • Tarrask malware uses scheduled tasks for defense evasion

Panasonic Confirms Cyber Attack After Conti Leaks Data

Japanese electronics giant Panasonic has confirmed that its Canadian division suffered a cyber attack in February, after ransomware-as-a-service (RaaS) gang Conti leaked data to its dark web site last week. It is the third high-profile cyber attack that Panasonic has suffered in the past 18 months, a sign that global conglomerates can be a soft target.

In a statement, Panasonic confirmed that its Canadian operations had been breached in a “targeted cyber security attack” in February.

“We took immediate action to address the issue with assistance from cyber security experts and our service providers,” the company said. “This included identifying the scope of impact, containing the malware, cleaning and restoring servers, rebuilding applications and communicating rapidly with affected customers and relevant authorities.”

On April 5th, Conti shared a number of files, ostensibly stolen from Panasonic Canada, on its dark web leak site. A screen shot seen by Tech Monitor appears to show folders containing HR documents and other potentially sensitive files.

Chinese Scientists Build System “To Identify Satellite Security Flaws"

China has built a new cyber defense infrastructure that can automatically detect security weaknesses in orbiting satellites, according to military scientists involved in the project.

There are thousands of satellites in space, each containing hundreds of components with potential software or hardware loopholes that can be exploited by hackers.

The Ontology of Cyber Situational Awareness for Satellites (OntoCSA4Sat), a computer system jointly developed by the National University of Defence Technology in Changsha and Beijing Aerospace Control Centre, maintains a detailed database of satellites, according to the researchers.

Unlike other openly reported databases, the new system can discover a satellite’s possible weaknesses, determine the most efficient ways to hack it or recommend countermeasures.

Cyber Security Service Providers Must Apply for a License by the 11th of October

With cyber attacks on the rise during the Covid-19 pandemic and concerns over unethical or incompetent cyber security service providers, there is a demand for credible providers to manage such risks.

Service providers, which verify if businesses are vulnerable to hacking and monitor information technology systems for suspicious activities, have to apply to be licensed by the 11th of October 2022.

This requirement seeks to safeguard the interests of customers, help them identify credible providers and, with time, improve quality. It also covers resellers of licensable services.

Singapore is believed to be one of the first countries globally to introduce licensing for cyber security service providers.

Ransomware Payments in Australia and Hong Kong hit New Records as Dark Web Leaks Climb

Ransomware payments hit new records in 2021 as cybercriminals increasingly turned to Dark Web leak sites where they pressured victims to pay up by threatening to release sensitive data.

The average ransom demand rose 144% in 2021 to USD 2.2 million, while the average payment climbed 78% to USD 541,010, the report found.

Globally, the Conti ransomware group was responsible for the most activity, accounting for more than 1 in 5 of cases worked by Unit 42 consultants in 2021. REvil, also known as Sodinokibi, was No. 2 at 7.1%, followed by Hello Kitty and Phobos (4.8% each). Conti also posted the names of 511 organizations on its Dark Web leak site, the most of any group. In Asia Pacific, Lockbit2.0 (28%) and Conti (11%) were the most active ransomware groups.

Australia ranks #1, and Hong Kong #10 in Asia Pacific for the number of ransomware attacks, with hospitals and professional organizations being targeted by threat actors. Each attack poses threats to private data and the operation of critical citizen services.

Tarrask Malware uses Scheduled Tasks for Defense Evasion

As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors. The Microsoft Detection and Response Team (DART) in collaboration with the Microsoft Threat Intelligence Center (MSTIC) identified a multi-stage attack targeting the Zoho Manage Engine Rest API authentication bypass vulnerability to initially implant a Godzilla web shell with similar properties.

Microsoft observed HAFNIUM from August 2021 to February 2022, targeting those in the telecommunication, internet service provider and data services sector, expanding on targeted sectors observed from their earlier operations conducted in Spring 2021.

Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates “hidden” scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification.

Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.