Keeping abreast of the latest phishing tactics and incidents is essential to building effective anti-phishing defences that safeguard critical organizational information. Here are the phishing news headlines in the limelight this week.


Cyberattack Targeting Global Energy Firms

A security researcher recently uncovered a cyber-espionage campaign that has been active since 2019 and has so far targeted more than 15 industrial technology and renewable energy organizations. The researcher found that the adversaries used a custom "Mail Box" phishing toolkit. The campaign harvests the login credentials of employees at renewable energy and industrial technology firms and at environmental protection organizations. Named targets include Huawei, Schneider Electric, HiSilicon, Honeywell, Telekom Romania, CEZ Electro, the Taiwan Forestry Research Institute and Sorema. Most of the compromised sites hosting the kit were traced to *[.]com[.]br (Brazil), and the phishing pages were primarily hosted on domains under *[.]eu5[.]net, *[.]eu3[.]org and *[.]eu3[.]biz.

No sample phishing emails have surfaced, but the messages most likely used a subject line along the lines of "Your Mail Box storage is full." No group has claimed the campaign; the available evidence points to the North Korean Konni group and to the Russian APT28 group, and the researcher also found overlaps with a series of attacks on Bulgarian banks in 2019. Renewable energy firms should therefore treat credential phishing as a live threat and keep robust anti-phishing controls in place, since APT groups routinely target them through a range of intrusion methods.


LockBit 2.0 Ransomware Targets French Ministry of Justice

Ransomware operators recently used LockBit 2.0 against France's Ministry of Justice. The adversaries reportedly stole sensitive files from the ministry and have posted an entry on their Tor-based leak site threatening to publish them. The ministry has engaged external experts and is investigating the breach.

The hackers stated they would publish the stolen information within ten days, that is, by 10th February 2022. Reportedly, the agency's BIG-IP appliances were inadequately secured, and the adversaries exploited CVE-2021-22986 (an unauthenticated remote command execution flaw in the F5 BIG-IP iControl REST interface) to run commands on its systems.
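A quick triage script for the BIG-IP issue above, added here as an example and not part of the original article: it compares the BIG-IP versions in an asset inventory against the first fixed release on each branch for CVE-2021-22986. The fixed-version table is taken from F5's K03009991 advisory as I recall it and should be confirmed against the current advisory before use; the hostnames and versions are a constructed sample, and branches not in the table are reported as unknown rather than assumed safe.

```python
"""Triage BIG-IP versions against the fixed releases for CVE-2021-22986.

Added example, not code from the original article. Assumptions:
- FIXED_VERSIONS lists the first fixed release per branch per F5 K03009991
  (from memory; confirm against the advisory before relying on it).
- Version strings are dotted integers such as "15.1.2", as shown by
  `tmsh show sys version` on the appliance.
"""
from __future__ import annotations

# Assumption: first fixed release on each affected branch (K03009991).
# A branch missing here is reported as "unknown-branch", not as safe.
FIXED_VERSIONS = {
    (16, 0): "16.0.1.1",
    (15, 1): "15.1.2.1",
    (14, 1): "14.1.4",
    (13, 1): "13.1.3.6",
    (12, 1): "12.1.5.3",
    (11, 6): "11.6.5.3",
}

# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = {
    "bigip-dmz-01": "15.1.2",
    "bigip-dmz-02": "15.1.2.1",
    "bigip-core-01": "14.1.3.1",
    "bigip-lab-01": "16.1.0",
}


def parse_version(s: str) -> tuple[int, ...]:
    """'15.1.2' -> (15, 1, 2); rejects anything that is not dotted integers."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted-integer version: {s!r}")
    return tuple(int(p) for p in parts)


def _pad(v: tuple[int, ...], n: int) -> tuple[int, ...]:
    """Right-pad with zeros so (14, 1, 4) and (14, 1, 3, 1) compare sensibly."""
    return v + (0,) * (n - len(v))


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown-branch' for one BIG-IP version."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "unknown-branch"
    f = parse_version(fixed)
    n = max(len(v), len(f))
    return "fixed" if _pad(v, n) >= _pad(f, n) else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by assessment so vulnerable appliances can be patched first."""
    out: dict[str, list[str]] = {"vulnerable": [], "fixed": [], "unknown-branch": []}
    for host, version in sorted(inventory.items()):
        out[assess(version)].append(host)
    return out


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:15s} {', '.join(hosts) or '-'}")
```

Patching is only half the fix: F5's advisory also recommended blocking iControl REST access through self IPs and restricting the management interface to trusted networks, which is the "inadequate security measures" part of the report above. A version check like this one tells you which appliances to patch first; it cannot tell you whether the management plane was reachable from where the attackers were.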


Misconfigured California Public Office Database Exposes Citizens’ Data

An unnamed third-party contractor working with the County of Kings in central California left one of its databases exposed online without proper access controls, revealing residents' sensitive medical information. The county first discovered the exposure on 24th November 2021, but further investigation showed that the data had been publicly accessible since 15th February 2021 and remained so until the error was corrected on 6th December 2021. The exposed records included data obtained from County healthcare providers and the California Department of Public Health.

In its public notice, the county said that residents' names, addresses, dates of birth and COVID-19 related health details were exposed. It added that it has found no evidence that any of the exposed information has been misused.


Memorial Health System Patients Receive Breach Notifications After Months

Ohio-based Memorial Health System suffered a cyberattack that compromised the protected health information (PHI) of 216,478 patients. Attackers first gained access on 10th July 2021; the health system detected the intrusion on 15th August and took immediate steps to contain it, but radiology exams and surgical cases were still disrupted. Staff at Selby General Hospital, Sistersville General Hospital and Marietta Memorial Hospital fell back on paper-based patient registration because online systems had been taken down.

In September, Memorial Health System's investigation found that the adversaries probably accessed patient data during the month between the initial intrusion in July and the ransomware deployment in August. On 9th December the health system confirmed that patients' names, Social Security numbers, addresses, medical details and health insurance details had been accessed and stolen. Finally, on 12th January 2022, it sent breach notifications to affected patients, offering a year of free credit monitoring.


Cyberattack Hits Global Affairs Canada

Global Affairs Canada (GAC), the Canadian government's foreign and consular relations department, was hit by a cyberattack last week, and some of its online services remain unavailable as a result. No critical services were affected. The attack was first detected on 19th January and subsequently confirmed by Shared Services Canada, the Treasury Board of Canada Secretariat (TBS) and the Communications Security Establishment.

In its statement, the Canadian government said it is taking the necessary measures to secure GAC's systems and that critical services remain accessible. It confirmed that no other government departments were affected and said it has robust detection systems in place to identify and neutralize threats as they arise.

The timing of the attack is notable: it occurred just as tensions between Russia and Ukraine began to escalate, and it coincided with a warning from the Canadian Centre for Cyber Security urging critical infrastructure operators to be on guard against Russian cyberthreats and to adopt preventive measures. The attackers have not been identified, and the TBS has declined to comment further until there is concrete evidence.


Hackers Steal $80 Million From Qubit Finance

The decentralized finance (DeFi) platform Qubit Finance recently suffered an attack in which adversaries stole about $80 million worth of users' cryptocurrency. Qubit lets users lend and borrow cryptocurrency assets; the attack took place on 27th January 2022. Qubit acknowledged the attack promptly and launched an investigation. The attackers reportedly drained 206,809 Binance Coin (BNB) from Qubit's wallet by exploiting a vulnerability in an Ethereum smart contract it uses to process users' transactions.

The investigation found that the funds remain in the attackers' possession. Since there is no way to recover them directly, Qubit sent the adversaries a private message offering a bug bounty if they return the stolen funds, and repeated the offer publicly on its Twitter account. If the hackers decline, the Qubit incident will rank among the ten largest DeFi hacks to date. Attacks on cryptocurrency platforms are becoming increasingly common, and crypto platforms need to adopt robust security measures.


Ransomware Hits Delta Electronics

Taiwanese electronics manufacturer Delta Electronics, a supplier to well-known brands such as Tesla, Apple, Dell and HP, recently suffered a cyberattack. With sales exceeding $9 billion in 2021, Delta is one of the world's largest makers of switching power supplies. The attack did not affect Delta's operations, although some non-critical systems were impacted. It was first detected on 18th January by AdvIntel's "Andariel" platform. Delta is restoring its systems itself and has also engaged external security experts to speed up the process.

Law enforcement agencies have been informed, but Delta's statement does not name the attackers. However, an unnamed information security company found evidence suggesting that the Conti ransomware gang is behind the attack. Of the roughly 65,000 devices on Delta's network, about 12,000 computers and 1,500 servers were reportedly encrypted by Conti, and the gang has demanded a $15 million ransom for the decryptor.

Delta is reportedly working with Trend Micro's and Microsoft's security teams to get to the root of the attack. Its website, however, remained down a week after the attack, and Delta advises customers to use the alternate domain it has shared until the main site is back up.