In the Spotlight This Week
Ransomware gang leaks data from military contractor, PDI Group
Harris Federation hit by ransomware attack
PHP's Git server compromised by supply chain attack
German parliament targeted again by Russian state hackers
MobiKwik investigating data breach after 100 million user records disclosed
Microsoft: Firmware attacks are on the rise
A major supplier of military equipment to the US Air Force and militaries across the globe, PDI Group, appears to have fallen victim to a ransomware attack. On Tuesday, the criminal group behind the Babuk Locker ransomware created a page on its “leak site” under the company’s name, threatening to leak more than 700 GB of data it claims to have stolen from PDI’s internal network unless the company gives in to its ransom demands.
To prove their claims, the Babuk Locker operators posted a series of screenshots of several internal documents they claim to have stolen from PDI’s internal network, including schematics, one of which appears to describe one of PDI’s aircraft engine trailers.
A ransomware attack hit the IT systems of London-based nonprofit multi-academy trust Harris Federation on Saturday, March 27. Once the ransomware infection was discovered, the nonprofit’s IT staff took its systems offline, along with the email and landline phone systems and students’ devices. All phone calls were being redirected to mobile phones. Describing it as a “highly sophisticated attack”, Harris Federation is investigating the incident with the support of the National Crime Agency, the National Cyber Security Centre, and experts from a cybersecurity firm.
In the latest instance of a software supply chain attack, PHP’s Git repository was hacked and its codebase tampered with. The malicious activity originated from the compromised git[.]php[.]net server itself, rather than from a compromised individual Git account.
To compromise the PHP codebase, two malicious commits were pushed to a Git repository maintained by the PHP team. The attackers signed off on these commits in a way that appears to spoof known PHP developers and maintainers. The first commit was discovered during a routine post-commit code review, a couple of hours after it was created. The changes were malicious and were reverted immediately.
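The lesson of the PHP incident is that author and committer fields are free text, so a compromised server can attach any maintainer's name to a commit; only a signature verified against that maintainer's key is bound to the change. The following added example (not PHP's tooling) audits constructed `git log` output with git's `%G?`/`%GS` signature placeholders and flags commits that claim a trusted identity without a matching good signature; the maintainer roster and log lines are hypothetical.

```python
"""Flag commits that claim a trusted maintainer identity without a verified signature.

Git records whatever author/committer name and email a push carries, so anyone
who controls the server can label a commit with a known maintainer's identity.
The signature status (git's %G? placeholder) is the only field actually bound
to the content of the commit.
"""
from dataclasses import dataclass

# Hypothetical maintainer roster (constructed): email -> expected GPG signer.
TRUSTED_MAINTAINERS = {
    "alice@example.org": "Alice Maintainer <alice@example.org>",
    "bob@example.org": "Bob Maintainer <bob@example.org>",
}

# Constructed sample of: git log --format='%H%x1f%an%x1f%ae%x1f%G?%x1f%GS'
# Fields are separated by the ASCII unit separator, one commit per line.
# %G? is G (good), B (bad), U (good but untrusted key), N (no signature), ...
SAMPLE_LOG = (
    "1111111\x1fAlice Maintainer\x1falice@example.org\x1fG\x1fAlice Maintainer <alice@example.org>\n"
    "2222222\x1fBob Maintainer\x1fbob@example.org\x1fN\x1f\n"
    "3333333\x1fAlice Maintainer\x1falice@example.org\x1fG\x1fMallory <mallory@example.net>\n"
    "4444444\x1fDrive-by Contributor\x1fsomeone@example.com\x1fN\x1f\n"
)


@dataclass
class Finding:
    commit: str
    reason: str


def audit_log(log_text: str, trusted: dict[str, str]) -> list[Finding]:
    """Return one finding per commit that spoofs or under-proves a trusted identity."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, _name, email, sig_status, signer = line.split("\x1f")
        expected_signer = trusted.get(email)
        if expected_signer is None:
            continue  # not claiming a maintainer identity; outsider policy is handled elsewhere
        if sig_status != "G":
            findings.append(Finding(sha, f"claims {email} but signature status is {sig_status!r}"))
        elif signer != expected_signer:
            findings.append(Finding(sha, f"claims {email} but was signed by {signer!r}"))
    return findings
```

Run as a server-side pre-receive check or a periodic audit, the same logic catches a commit that borrows a maintainer's email (no signature) as well as one signed by a key that is not that maintainer's.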
Email accounts of multiple German Parliament members were targeted in a spear-phishing attack. It is not yet known whether any data was stolen during the incident. The attackers are believed to have gained access to the email accounts of seven members of the German federal parliament and 31 members of German regional parliaments.
German security authorities suspect that a Russian military intelligence hacking group dubbed Ghostwriter is behind the attack. According to FireEye, Ghostwriter has been running "information operations" pushing narratives aligned with Russian security interests since March 2017.
MobiKwik said on Tuesday it was investigating claims of a data breach after a website claimed to have 8.2 terabytes of MobiKwik user data. The data included phone numbers, email addresses, scrambled passwords, transaction logs, and partial payment card numbers. The dark web site features a searchable database that allows users to look up their phone number or email to verify the authenticity of the data breach claim. A seller on a well-known cybercrime forum claims to be selling access to the database for 1.2 bitcoin — about USD 70,000.
Microsoft's inaugural Security Signals report for March 2021 shows that 80% of enterprises have experienced one firmware attack during the past two years, yet less than a third of security budgets are dedicated to protecting firmware. The study found that current investment goes to security updates, vulnerability scanning, and advanced threat protection solutions. Even so, many organizations cite concerns about malware reaching their systems and the difficulty of detecting threats, suggesting that firmware is harder to monitor and control.