22 January 2021 | Asia Cyber Summary

Updated: May 19, 2021

In the Spotlight This Week

  • Blackpanda Advisory: MAS Incident Response guidelines

  • Fourth malware strain discovered in SolarWinds incident

  • Crypto exchange firm Livecoin shuts its doors after cyber attack

  • Health insurer Excellus penalized $5.1M by HHS for data breach

  • New FreakOut botnet targets Linux systems

  • Vishing attacks conducted to steal corporate accounts, FBI warns

Blackpanda Advisory: MAS Incident Response Guidelines

On January 18th, 2021, the Monetary Authority of Singapore (MAS) released its latest revision to the Notice on Technology Risk Management (TRM). Central to this update are the requirements to investigate certain cyber incidents and report them to the MAS within 14 days.

With Incident Response and Reporting now mandatory for compliance with MAS guidelines, Blackpanda has produced an advisory covering reporting requirements and the capabilities needed to support an investigation.

Fourth Malware Strain Discovered in SolarWinds Incident

Cybersecurity firm Symantec has identified another malware strain used during the SolarWinds supply chain attack, bringing the total to four alongside Sunspot, Sunburst (Solorigate), and Teardrop.

Symantec named the strain Raindrop and reported that it was used only during the very last stages of an intrusion, deployed on the networks of a small number of selected targets.

Symantec notes that, in some cases, the attackers deployed Raindrop instead of the more widely used Teardrop. Although they are distinct strains, the two backdoors share the same role, which the company described as "a loader for [the] Cobalt Strike Beacon": the Beacon implant is what the intruders then used to escalate privileges and broaden their access inside a compromised network.

Crypto Exchange Firm Livecoin Shuts its Doors After Cyber Attack

Russian cryptocurrency exchange Livecoin has announced its closure following a cyberattack that allegedly compromised the firm's infrastructure and its exchange-rate systems. Livecoin was hacked on the 23rd of December; the attackers manipulated the rates of cryptocurrencies traded on the service in order to cash out at inflated prices.

In the hack, the company lost control over all its servers, back ends, and nodes. Clients were asked to stop using the service, including not depositing funds, trading, or using the site’s application programming interface.

Although it has not been a full month since the alleged cyberattack, Livecoin is closing its doors permanently, citing damage in "technical and financial ways" for the decision, but noted that any "remaining funds" will be paid to customers.

Health Insurer Excellus Penalized $5.1M by HHS for Data Breach

The Department of Health and Human Services says New York health insurer Excellus has agreed to pay a multimillion-dollar penalty after a data breach exposed sensitive information about more than 9 million people between late 2013 and May 2015.

The USD 5.1M fine is for violations of privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA), according to the department’s Office for Civil Rights (OCR).

New FreakOut Botnet Targets Linux Systems Running Unpatched Software

A newly identified botnet is targeting unpatched applications running on Linux systems, Check Point security researchers said in a report this week. First seen in November 2020, the FreakOut botnet has resurfaced in a new series of attacks this month.

Its current targets include TerraMaster data storage units, web applications built on top of the Zend PHP Framework, and websites running the Liferay Portal content management system.

Once the FreakOut bot gains access to a system, it downloads and runs a Python script that connects the infected device to a remote IRC channel, where the attacker can issue commands and orchestrate a range of attacks using the compromised devices.
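Because the bot is a Python script talking IRC to its controller, a practical detection is to look for IRC client registration (NICK/USER/JOIN) coming from a scripting runtime or on a non-standard port, rather than relying on port 6667 alone. The following is an added example written for this summary, not Check Point's code or anything from the FreakOut campaign; the flow records, process names, addresses and the "script runtime" list are constructed assumptions, and the two-command threshold is a heuristic chosen to avoid flagging a lone FTP "USER" line.

```python
# Added example: IRC-style C2 detection over constructed flow records.
# Not Check Point's code; addresses, process names and payloads are made up.
import re
from dataclasses import dataclass
from typing import List, Tuple

# IRC client commands a bot must send before it can take orders. The trailing
# whitespace requirement keeps HTTP's "User-Agent:" header from matching.
IRC_COMMAND = re.compile(rb"^(?:NICK|USER|JOIN|PRIVMSG|PONG)\s", re.IGNORECASE)
IRC_WELL_KNOWN_PORTS = {6667, 6697}
# Assumption: interpreters a dropped script would run under.
SCRIPT_RUNTIMES = ("python", "perl")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proc: str       # process that opened the socket (e.g. from auditd/eBPF)
    payload: bytes  # first bytes the client sent


def irc_command_count(payload: bytes) -> int:
    """Count payload lines that begin with an IRC client command."""
    return sum(1 for line in payload.split(b"\r\n") if IRC_COMMAND.match(line))


def looks_like_irc(payload: bytes) -> bool:
    # Two or more commands: a single "USER anonymous" (FTP) is not IRC.
    return irc_command_count(payload) >= 2


def classify(flow: Flow) -> str:
    """Return 'benign', 'irc-client', or a comma-joined list of suspicion reasons."""
    if not looks_like_irc(flow.payload):
        return "benign"
    reasons = []
    if flow.proc.startswith(SCRIPT_RUNTIMES):
        reasons.append("irc-from-script-runtime")
    if flow.dport not in IRC_WELL_KNOWN_PORTS:
        reasons.append("irc-on-nonstandard-port")
    return ",".join(reasons) if reasons else "irc-client"


def suspicious_flows(flows: List[Flow]) -> List[Tuple[str, int, str, str]]:
    """Flows worth an alert: IRC traffic that is not a plain IRC client on 6667/6697."""
    out = []
    for f in flows:
        verdict = classify(f)
        if verdict not in ("benign", "irc-client"):
            out.append((f.dst, f.dport, f.proc, verdict))
    return out


# Constructed sample records (documentation-range addresses, not real IoCs).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 1337, "python3",
         b"NICK n4s-2a9f\r\nUSER n4s 0 * :n4s\r\nJOIN #cmds\r\n"),
    Flow("10.0.0.7", "192.0.2.20", 6667, "hexchat",
         b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #linux\r\n"),
    Flow("10.0.0.9", "198.51.100.30", 443, "curl",
         b"GET / HTTP/1.1\r\nHost: example.com\r\nUSER-AGENT: curl\r\n\r\n"),
    Flow("10.0.0.11", "192.0.2.40", 21, "lftp",
         b"USER anonymous\r\nPASS guest@\r\n"),
]

if __name__ == "__main__":
    for dst, dport, proc, why in suspicious_flows(SAMPLE_FLOWS):
        print(f"ALERT {proc} -> {dst}:{dport} ({why})")
```

In the sample set only the python3 flow to port 1337 is raised; the human IRC client on 6667 is classified as an ordinary client, and the HTTP and FTP flows fall below the threshold. In production the payload would come from a sensor such as Zeek or a packet capture, and the process attribution from host telemetry.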

Vishing Attacks Conducted to Steal Corporate Accounts, FBI Warns

The Federal Bureau of Investigation (FBI) has issued a notification warning of ongoing vishing attacks attempting to steal corporate accounts. The threat actors are using Voice over Internet Protocol (VoIP) platforms to obtain employees’ credentials.

The alert highlights that organizations are more exposed to these attacks during the COVID-19 pandemic because companies rapidly changed their working processes and shifted to remote work to maintain social distancing. As a result, network access and privilege escalation may not be fully monitored.

This is the second FBI warning of active vishing attacks targeting employees since the start of the pandemic, issued as growing numbers of staff have become teleworkers. Blackpanda echoes the warning and asks its readers and clients alike to enable basic security measures (such as MFA) and to have an incident response plan in place in the event of a breach.
