Security Incident Overview from June 29 to July 5, 2020
Extortion is gaining popularity among cybercriminals, and the events of the past week are a vivid example of this. Data leaks and cyberattacks on critical infrastructure also remain a pressing problem. Read about these and other security incidents from June 29 to July 5 this year.
As reported last week, the Brazilian electricity company Light S.A. fell victim to the notorious Sodinokibi (REvil) ransomware. According to researchers, the attack looks very “professional”: the page linked from the ransom note even offers a chat for communicating directly with the malware operators.
Sodinokibi’s operators also made news last week by selling sensitive data previously stolen from the law firm Grubman Shire Meiselas & Sacks. This time the cybercriminals are offering documents belonging to pop stars Mariah Carey and Nicki Minaj, as well as basketball player LeBron James. The documents are presented as auction lots, each with a starting price of $600,000.
Last week, unknown cybercriminals began distributing the new Avaddon ransomware using a long-forgotten technique: the malware is delivered directly to the targeted system by Excel 4.0 macros. Avaddon encrypts files on victims’ computers with strong encryption, and they cannot be recovered without the cryptographic key. At least one Avaddon variant demands a ransom of $900.
In addition to ransomware, cybercriminals are actively using another method of extortion. According to GDI Foundation specialist Victor Gevers, an unknown cybercriminal gained unauthorized access to 29,000 MongoDB databases that were reachable from the Internet without any password and left a ransom note in them. Victims are given two days to pay, after which the attacker threatens to publish the stolen data (a tactic clearly borrowed from Sodinokibi’s operators) and to report the leak to the local authority responsible for enforcing the General Data Protection Regulation (GDPR).
A similar campaign was launched by a group calling itself Cl0ud SecuritY. The attackers break into legacy LenovoEMC (formerly Iomega) network-attached storage (NAS) devices, erase all files and demand $200-275 for their return. According to the cybercriminals, they copy the data stored on the devices before deleting it and intend to publish it if the ransom is not paid within five days.
Stolen user databases from 14 companies, supposedly breached in 2020, were put up for sale on a hacker forum. The databases contain a total of 132,957,579 user records that attackers can use to carry out further attacks.
A large set of internal documents from Medical and Legal Company LLC, which operates under the PrizvaNet.ru brand, also appeared online. The information was posted on a Pastebin page containing links to 15 archives with a total size of approximately 60 GB. The documents cover the period from 2015 to mid-2020 and include accounting records and clients’ personal information: scans of medical documents and passports, addresses, phone numbers, links to social network pages and instant messenger profiles, screenshots of VKontakte conversations, bank card details and loan agreements.
Malwarebytes experts discovered a malicious campaign in which cybercriminals hid a skimmer in the EXIF metadata of a favicon (website icon) and covertly loaded it into the pages of compromised online stores. Some evidence suggests the skimmer may be linked to the cybercriminal group Magecart Group 9.
Last week also saw attacks on critical infrastructure. On July 2, one of Iran’s nuclear facilities in the city of Natanz was hit by a cyberattack that resulted in a fire and an explosion. Responsibility for the incident was claimed by a cybercrime group called Cheetahs of the Homeland, which allegedly consists of “former members of the Iranian security forces who decided to fight against the authorities.”