More ransomware and MOVEit attack numbers, and an attack on a Rust repository.
Welcome to Cyber Security Today. It’s Wednesday, August 30th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
A ransomware gang calling itself Ransomed has come up with a new brand: As of Monday they began describing themselves as the “Leading Company in Digital Peace Tax.” Researchers at Flashpoint, who discovered the new head on the gang’s blog, say other ransomware groups are puckishly doing the same, like saying their hacking is a “post-paid penetration testing service.”
Separately, Flashpoint issued an analysis of statistics it gathered in the first half of the year. There were 1,615 ransomware attacks around the world up to August 24th. About one-third of them were claimed by the LockBit group. And of those 1,600-odd attacks, just over 1,000 hit organizations in the U.S. The next biggest target was the United Kingdom with 119, followed by Canada with 93. There were 2,893 data breaches in the first half of the year, says Flashpoint. Perhaps as many as 600 of them were related to the Clop gang’s exploitation of a vulnerability in the MOVEit file transfer application.
Speaking of the MOVEit hacks, cybersecurity researcher Bert Kondruss calculates the number of victim organizations is now over 1,000. Eight hundred and thirty-five of them are in the U.S. Sixty per cent of all data stolen came in attacks on the organizations’ suppliers or partners, like data processing, accounting or consulting firms, that use MOVEit.
Among the latest American firms to publicly acknowledge being victimized is Hilltop Securities, a Texas company. It says some of its personal information was stolen indirectly. The data was held by an unnamed supplier or processor used by Hilltop Securities’ bank. That vendor uses MOVEit for file transfers between it and the bank.
As part of your organization’s regular security awareness training, employees need to be reminded that QR Codes are being weaponized by attackers. In phishing emails, infected versions of these scannable images for smartphones are being used to hide malicious links. According to Trustwave, a common lure is an email claiming the QR code has to be scanned for multifactor authentication. Employees should be reminded to be suspicious of QR codes they get in email claiming to be from IT support staff — or anyone — unless they are a result of a request.
I’ve reported before about hackers depositing malware packages in the GitHub, NPM JavaScript and PyPI Python open-source registries. Now there’s a report from Phylum that an attacker this month tried to do the same on the Rust language repository called Crates.io. Like attacks on other repositories, the threat actor gave their package a similar name to a legitimate module. This is a reminder that developers have to be very careful before downloading any open source code for their projects.
On Monday’s podcast I told you about the disruption of train service in Poland after a compromise of the radio signaling network. Two people have been arrested with radio transmitting equipment. Meanwhile Poland’s Warsaw Stock Exchange, several banks and the government’s website for public services were knocked offline apparently by a pro-Russian hacktivist group called NoName.
Finally, for those trying to use Meta’s Threads social media platform in place of Twitter (or X, as it’s now called), Kaspersky issued a reminder: To use Threads you need an Instagram account, which then links to a user’s Threads profile. That means one password for both. So, enable two-factor authentication or you’ll be in trouble if the account is hacked. Threads has a Security Checkup feature that tells whether 2FA is turned on.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.