Cybersecurity Digest #29: 12/07/2021 – 23/07/2021

Cybersecurity News

  • Websites run by the ransomware gang REvil suddenly became unreachable, sparking widespread speculation that the group had been knocked offline. The Russia-linked cybercrime ring has collected tens of millions of dollars in ransom payments in return for restoring computer systems it has hacked. In recent weeks it claimed responsibility for a sprawling ransomware outbreak that affected an estimated 800 to 1,500 businesses worldwide.
  • Kaspersky researchers recently came across unusual APT activity in South East Asia that dates back to at least October 2020. Most of the early sightings were in Myanmar, but the attackers now appear to be much more active in the Philippines, where there are more than 10 times as many known targets. Further analysis revealed that the underlying actor, dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.
  • Human rights non-governmental organization Amnesty International and non-profit project Forbidden Stories revealed in a recent report that they found spyware made by Israeli surveillance firm NSO Group deployed on iPhones running Apple’s latest iOS release, hacked using zero-day zero-click iMessage exploits.
  • Microsoft spent $500 million to buy the popular cloud security company RiskIQ. RiskIQ said last year that its cybersecurity products are used by 30% of the Fortune 500 and more than 6,000 organizations worldwide. RiskIQ co-founder and CEO Elias Manousos said RiskIQ’s Attack Surface and Threat Intelligence solutions will be added to the Microsoft Security portfolio, which includes Microsoft 365 Defender, Microsoft Azure Defender, and Microsoft Azure Sentinel.
  • Security researchers warn of three new zero-day vulnerabilities in the Kaseya Unitrends service and advise users not to expose the service to the Internet. Kaseya Unitrends is a cloud-based enterprise backup and disaster recovery solution that is offered as a stand-alone product or as an add-on for the Kaseya VSA remote management platform.

Cybersecurity Blog Posts

Research and Analytics

  • Sophos’s new report, The State of Ransomware in Education, reveals the extent and impact of ransomware attacks on the education sector worldwide during 2020. It was a tough year for the education sector which, together with retail, faced the highest level of ransomware attacks with 44% of organizations hit (compared to 37% across all industry sectors). What’s more, 58% of the education organizations hit by ransomware said the attackers had succeeded in encrypting their data.
  • Starting from the second half of 2020, the PRODAFT Threat Intelligence team witnessed a rising trend of mobile banking malware attacks against European countries. In the [TODDLER] Mobile Banking Botnet Analysis Report, they present a behind-the-scenes analysis of this newly emerging Android malware, which is also known as Teabot or Anatsa.
  • According to Cybersecurity threatscape: Q1 2021, published by Positive Technologies, the number of attacks increased by 17% compared to Q1 2020 and by 1.2% compared to Q4 2020, with 77% of them being targeted attacks. Incidents involving individuals accounted for 12% of the total.
  • The latest ESG Research Insights Paper reveals why yesterday’s tools no longer meet the needs of today’s development and security professionals. The industry has seen an explosion of web API usage over the last few years. Specifically, while 42% of organizations report that most or all of their internal applications rely on APIs today, this number is expected to rise to 64% two years from now.
  • According to data presented by the Atlas VPN team, 63% of Android applications had known security vulnerabilities in Q1 2021, with an average of 39 vulnerabilities per app. The figures are based on the Peril in a Pandemic: The State of Mobile Application Security report by the Synopsys Cybersecurity Research Center (CyRC). Gaming apps had the most vulnerabilities of all Android app categories: 96% of the top free games were found to contain vulnerable components.
  • This quarter, Spamhaus researchers observed a 12% reduction in newly observed botnet command-and-control servers (C&Cs), which is good news. However, it is not good news for everyone; more than one industry-leading provider is suffering under the weight of active botnet C&Cs on its networks. Welcome to the Spamhaus Botnet Threat Update Q2 2021.

Major Cyber Incidents

  • Hacker stole identities of multiple victims killed in Miami condo collapse as death toll nears 100. The mayor of Surfside, Florida, has since warned victims’ relatives of the condominium collapse to keep a close eye on all credit accounts of their loved ones after the hacker or hackers reportedly stole some of their identities.
  • CISA and the FBI provided information on a spearphishing and intrusion campaign conducted by state-sponsored Chinese actors from December 2011 to 2013, targeting U.S. oil and natural gas (ONG) pipeline companies. The technical information in the advisory, including indicators of compromise (IOCs), was originally provided to affected organizations and stakeholders in 2012.
  • Attackers have stolen 1 TB of proprietary data belonging to Saudi Aramco – the Saudi Arabian Oil Company – and are offering it for sale on the darknet, starting at a negotiable price of $5 million. Saudi Aramco has attributed the data incident to third-party contractors and says it had no impact on Aramco’s operations.
  • Northern’s ticket machines hit by ransomware cyber attack. It comes just two months after 621 of the touch-screen units were installed at 420 stations across the north of England at a cost of £17m. The government-run operator said it had taken “swift action” along with its supplier, Flowbird, and customer and payment data had not been compromised.
  • The district of Anhalt-Bitterfeld in the eastern German state of Saxony-Anhalt says it was the victim of a cyberattack and has formally declared disaster after hackers infiltrated its computer systems. Anhalt-Bitterfeld says it has been “paralyzed” by hackers and could be offline for a week or more. Declaring disaster gives it access to federal aid to help its citizens, restore its systems and find the perpetrators.