29 January 2021 | Asia Cyber Summary

Updated: May 19, 2021

In the Spotlight This Week

  • Retail giant Dairy Farm suffers REvil ransomware attack

  • Palfinger Group suffers major cyber disruption

  • Wormable Android malware spreads via WhatsApp messages

  • North Korean hackers posing as security analysts exposed

  • Ransomware Disrupts Operations at Packaging Giant WestRock

Pan-Asian Retail Giant Dairy Farm Suffers REvil Ransomware Attack

Pan-Asian retail chain operator Dairy Farm Group was attacked on the 14th of January by REvil ransomware. The attackers claim to have demanded a $30 million ransom. The Dairy Farm Group operates over 10,000 outlets and has 230,000 employees throughout Asia. To prove they had access to the Dairy Farm network, the threat actor shared a screenshot of the Active Directory Users and Computers MMC. The attackers claim to still have access to the network including full control over Dairy Farm's corporate email, which they state will be used for phishing attacks. A Dairy Farm spokesperson said that they have identified the breach and have taken all affected servers offline while working with an external security specialist to improve their security posture.

Manufacturing Giant Palfinger Suffers Major Cyber-Disruption

Leading global manufacturer of cranes Palfinger Group has been hit by what appears to be a ransomware attack disrupting IT operations globally. The firm issued a brief statement on Monday revealing it is the target of an ongoing global cyber-attack. The statement noted the disruption of their IT infrastructure, including compromised emails and ERP systems. Palfinger Group is still working on determining the extent and duration of the attack as well as the consequences.

Wormable Android Malware Spreads via WhatsApp Messages

Android users should watch out for new wormable malware that spreads through WhatsApp and lures the prospective victims into downloading an app from a website masquerading as Google Play. This malware spreads via the victim’s WhatsApp, automatically replying to any WhatsApp message notification with a link to a fake and malicious mobile app. In order to install the malicious app, users are prompted to allow the installation of apps from places other than the official Google Play store, thus disabling a key setting that is enabled-by-default as a security precaution on Android devices. Once the installation process is completed, the app goes on to request a number of permissions, including Notification Access, which in combination with Android’s Direct Reply function is used to achieve wormability. The malware, which was first reported by Twitter user @ReBensk, appears to be mainly intended to generate fraudulent advertising revenue for its operators.

Google highlights North Korean Hackers Posing as Security Analysts

Google unveiled a new report from its Threat Analysis Group on Monday highlighting the work of a group of cyberattackers associated with the government of North Korea that sought to impersonate cybersecurity researchers in an effort to target those working on vulnerability research and development at different companies and organizations. The attackers used a variety of fake blogs, Twitter accounts, and LinkedIn profiles to make themselves look legitimate and communicate with researchers and analysts they were targeting. ZDNet noted that the malware associated with the attack was tied to a notorious North Korean government-backed organization called the Lazarus Group.

Ransomware Disrupts Operations at Packaging Giant WestRock

Operations at WestRock were disrupted on Saturday by a ransomware attack that impacted both its IT and operational technology (OT) networks. The attack has already caused, and will likely continue to cause, delays in some parts of the company's business. No further details on the nature of the attack or disruptions have been released.

Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.