In the spotlight this week:
Indian pharmaceutical giant reports security breach
Ragnar Ransomware gang takes out Facebook ads to demand ransom
Swedish firm Gunnebo breached, security blueprint leak
RansomEXX trojan attacks Linux systems
Microsoft announced that it discovered three state-sponsored hacking operations against at least seven prominent companies involved in COVID-19 vaccines research and treatments. Microsoft traced the attacks back to one threat actor in Russia and two North Korean hacking groups.
Known as Strontium (aka Fancy Bear, APT28), the Russian group has employed password spraying and brute-force login attempts to obtain login credentials, break into victim accounts and steal sensitive information.
The first North Korean hacking group, Zinc (or the Lazarus Group), has primarily relied on spear-phishing email campaigns, sending messages with fabricated job descriptions while pretending to be recruiters targeting employees of the affected companies.
The second North Korean threat actor, known as Cerium, appears to be a new group. Microsoft says Cerium engaged in spear-phishing attacks with email lures using COVID-19 themes while purporting to be representatives from the World Health Organization.
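The Strontium activity described above relies on password spraying (a few common passwords tried against many accounts) and brute-force logins (many passwords against one account). The following is an added example, not code from the Blackpanda digest or from Microsoft's report, showing how a defender can tell the two patterns apart in authentication logs and flag any successful login from a source already seen spraying. The log format, IP addresses, usernames and thresholds are constructed for the illustration.

```python
"""Separate password spraying from classic brute force in auth logs.

Added example (not from the Blackpanda digest or Microsoft's report).
Log format, addresses, usernames and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log: "timestamp source_ip username result"
# 203.0.113.7 sprays six accounts and lands one (spray + compromise)
# 198.51.100.9 hammers a single account (brute force)
# 192.0.2.44 is an ordinary user who mistyped once
SAMPLE_LOG = """\
2020-11-13T09:00:01 203.0.113.7 alice FAIL
2020-11-13T09:00:03 203.0.113.7 bob FAIL
2020-11-13T09:00:05 203.0.113.7 carol FAIL
2020-11-13T09:00:07 203.0.113.7 dave FAIL
2020-11-13T09:00:09 203.0.113.7 erin FAIL
2020-11-13T09:00:11 203.0.113.7 frank SUCCESS
2020-11-13T09:05:00 198.51.100.9 alice FAIL
2020-11-13T09:05:01 198.51.100.9 alice FAIL
2020-11-13T09:05:02 198.51.100.9 alice FAIL
2020-11-13T09:05:03 198.51.100.9 alice FAIL
2020-11-13T09:05:04 198.51.100.9 alice FAIL
2020-11-13T09:05:05 198.51.100.9 alice FAIL
2020-11-13T10:30:00 192.0.2.44 grace FAIL
2020-11-13T10:30:40 192.0.2.44 grace SUCCESS
"""

WINDOW = timedelta(minutes=10)   # constructed detection window
SPRAY_MIN_USERS = 5              # distinct accounts failed from one source in WINDOW
BRUTE_MIN_FAILS = 5              # failures against one account from one source in WINDOW


def parse(log: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse the constructed log format into sorted (ts, ip, user, result) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)


def classify(log: str) -> Dict[str, List[str]]:
    """Return {'spray': [source ips], 'brute_force': ['ip:user', ...]}.

    Spraying: many distinct accounts fail from one source inside WINDOW.
    Brute force: one account fails repeatedly from one source inside WINDOW.
    """
    fails_by_src = defaultdict(list)
    for ts, ip, user, result in parse(log):
        if result == "FAIL":
            fails_by_src[ip].append((ts, user))

    findings: Dict[str, List[str]] = {"spray": [], "brute_force": []}
    for ip, fails in fails_by_src.items():
        # Sliding window anchored at each failure from this source.
        for i, (start, _) in enumerate(fails):
            window_users = [u for t, u in fails[i:] if t - start <= WINDOW]
            if len(set(window_users)) >= SPRAY_MIN_USERS and ip not in findings["spray"]:
                findings["spray"].append(ip)
            for u in set(window_users):
                key = f"{ip}:{u}"
                if window_users.count(u) >= BRUTE_MIN_FAILS and key not in findings["brute_force"]:
                    findings["brute_force"].append(key)
    return findings


def compromised_after_spray(log: str) -> List[str]:
    """Accounts that logged in successfully from a source flagged for spraying.

    A success following a spray from the same source is the event worth
    escalating: it is the account the attacker most likely got into.
    """
    sprays = set(classify(log)["spray"])
    return [f"{ip}:{user}" for _, ip, user, result in parse(log)
            if result == "SUCCESS" and ip in sprays]


if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
    print(compromised_after_spray(SAMPLE_LOG))
```

The distinction matters for response: a brute-force hit is handled by locking or rate-limiting one account, whereas a spray with a subsequent success calls for resetting the compromised account and reviewing every account the source touched, since lockout thresholds per account are exactly what spraying is designed to stay under.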
The number of phishing attempts related to COVID-19 is on the rise. Blackpanda encourages heightened vigilance during this time. Learn more about business email compromise here.
Indian pharmaceutical company Lupin has confirmed an ‘information security incident’ that affected multiple internal systems. This comes two weeks after a ransomware attack on another Indian health company, Dr. Reddy’s Laboratories. Pharmaceutical companies have become more vulnerable to cyber attacks during the global pandemic; according to IBM reports, data breach costs in the healthcare sector average USD 7.3M, a 10% increase from 2019 and 84% higher than the global average.
The Ragnar ransomware group has started to run Facebook advertisements to pressure victims into paying the ransom. In November 2019, ransomware gangs adopted a new double-extortion strategy that involves stealing unencrypted files before encrypting devices. The attackers then threaten to release these stolen files on ransomware data leak sites if the ransom is not paid. Ransomware gangs have become media savvy since then, posting press releases or contacting journalists to share their latest exploits and exert pressure on victims. In its latest attack, the Ragnar Locker ransomware group has bought Facebook ads threatening to release 2TB of sensitive data stolen from Italian liquor conglomerate Campari during the November 3 attack—unless a USD 15 million ransom is paid in Bitcoin.
Earlier this year, KrebsOnSecurity alerted Swedish security giant Gunnebo Group that hackers had broken into its network and sold the access to a criminal group that specializes in deploying ransomware. In August, Gunnebo said it had successfully thwarted a ransomware attack. However, it was revealed this week that the intruders stole and published sensitive documents of 38,000 people—including schematics of client bank vaults and surveillance systems. It remains unclear whether the stolen RDP credentials were a factor in this incident. But the password to the Gunnebo RDP account, “password01”, suggests the security of its IT systems may have been lacking in other areas as well.
Kaspersky recently discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt data on machines running Linux-based operating systems. Initial analysis showed that the code of the Trojan, the text of the ransom notes, and the general approach to extortion are similar to those of the previously known ransomware family RansomEXX. This malware is notorious for attacking large organizations and was most active earlier this year. RansomEXX is a highly targeted Trojan: each sample of the malware contains a hardcoded name of the victim organization, and both the encrypted file extension and the email address for contacting the extortionists make use of the victim’s name.
A new mercenary hacker group, CostaRicto, is selling its services to entities requiring APT-level hacking expertise in cyber-espionage campaigns spanning the globe and targeting a multitude of industry sectors. This hacker-for-hire group's toolset includes custom, never-before-seen malware. It also sets up SSH tunnels on its victims' networks and uses VPN proxies, enabling it to avoid detection and hide its malicious activity. The APT mercenaries have targeted organizations on almost every continent, including Europe (France, Netherlands, Austria), Asia (China), the Americas (U.S.), and Australia, with a focus on targets in South Asia (India, Bangladesh, Singapore). This mix of targets across countries can be explained by the various assignments commissioned by a diverse range of clients, potentially including large organizations and even governments.