Threat actors continue to target organizations worldwide to get access to their information assets. It may be challenging to anticipate a phishing attack, but one can surely learn from the attacks that have taken place to understand how these malicious actors operate and adopt anti-phishing measures accordingly. To that end, here are the phishing and breach-related updates for the week.
Newly Discovered Crimson Kingsnake Threat Group Impersonates Law Firms in BEC Attacks
Researchers discovered a new business email compromise (BEC) group called ‘Crimson Kingsnake,’ which impersonates famous international law firms to trick users into approving overdue invoice payments. The cybercriminals impersonate lawyers sending invoices for payment of services they supposedly provided to the target firms a year ago. The approach creates a solid attack vector for the BEC attack, as recipients get intimidated when receiving emails from reputed law firms like the ones threat actors impersonated in the scams.
Analysts at Abnormal Security first discovered the Crimson Kingsnake campaign in March 2022 and reported they identified 92 domains linked to the group, all impersonating genuine law firm sites. The typosquatting approach allows the BEC actors to send emails to victims through an address appearing authentic at first glance. The emails have the impersonated entities’ letterheads and logos, and the threat group crafts them professionally, featuring punctual writing.
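The typosquatted law-firm domains described above are the kind of thing a mail gateway or SOC triage script can catch by comparing a sender's domain against an allow-list of known counterparties. The following is an added example, not code from the article or from Abnormal Security; the allow-listed domains, the homoglyph table, and the similarity threshold are constructed assumptions, and the domains are placeholders rather than real firms.

```python
# Added example (not from the original article): flag sender domains that
# closely resemble an organization's own allow-list of counterparties, the
# typosquatting pattern the Crimson Kingsnake campaign used against law-firm
# domains. The domains below are constructed placeholders, not real firms.
from difflib import SequenceMatcher
from typing import Optional

# Constructed allow-list of legitimate counterparty domains (placeholders).
KNOWN_GOOD_DOMAINS = [
    "example-law.com",
    "exampleattorneys.com",
]

# Digits attackers commonly substitute for visually similar letters (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def canonical(domain: str) -> str:
    """Lower-case the domain and strip a leading 'www.'; no homoglyph folding."""
    d = domain.strip().lower()
    return d[4:] if d.startswith("www.") else d


def folded(domain: str) -> str:
    """Canonical form with common homoglyph digits folded to the letters they imitate."""
    return canonical(domain).translate(HOMOGLYPHS)


def lookalike_of(sender_domain: str,
                 known: list = KNOWN_GOOD_DOMAINS,
                 threshold: float = 0.85) -> Optional[str]:
    """Return the allow-listed domain that sender_domain imitates, or None.

    An exact (case-insensitive) match is the genuine sender, not a lookalike.
    Anything else whose homoglyph-folded form is at least `threshold` similar
    to an allow-listed domain is reported as imitating that domain.
    """
    raw = canonical(sender_domain)
    for good in known:
        if raw == canonical(good):
            return None
    best, best_score = None, 0.0
    for good in known:
        score = SequenceMatcher(None, folded(sender_domain), folded(good)).ratio()
        if score >= threshold and score > best_score:
            best, best_score = good, score
    return best


def domain_of(address: str) -> str:
    """Extract the domain part of an email address."""
    return address.rsplit("@", 1)[-1]


def triage_sender(address: str) -> str:
    """Classify a From: address as 'known', 'lookalike:<imitated domain>' or 'unknown'."""
    dom = domain_of(address)
    if canonical(dom) in (canonical(g) for g in KNOWN_GOOD_DOMAINS):
        return "known"
    hit = lookalike_of(dom)
    return f"lookalike:{hit}" if hit else "unknown"


if __name__ == "__main__":
    for addr in ("partner@example-law.com", "billing@examp1e-law.com",
                 "billing@example-law.co", "news@unrelated.org"):
        print(addr, "->", triage_sender(addr))
```

The homoglyph folding matters because a plain edit-distance check treats `examp1e-law.com` as one character away from the genuine domain, which is the same distance as many harmless near-misses; folding the digit first makes the imitation score as an exact match. Invoices from any address that triages as `lookalike` should be routed to manual verification through a known phone number rather than the contact details in the email.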
LockBit Ransomware Gang Claims to be Behind The Attack on Continental Automotive Group
The LockBit ransomware gang announced they recently hacked Continental, the German automotive parts manufacturing company. The threat group added the name of the automotive group to its Tor leak site and threatened to publish the data if the manufacturer did not pay the ransom.
The cybercriminals set a deadline of November 4, 2022, 15:45:36 UTC, for paying the ransom. The circumstances suggest the automotive major had not yet negotiated with the criminals or had refused to pay. However, it is still unclear whether the LockBit 3.0 ransomware group was behind the attack that Continental discovered on August 24, 2022.
“In a recent cyberattack, attackers infiltrated some of Continental’s IT systems. We detected the attack in early August and averted it. Continental’s business activities were not affected at any point, and the technology group maintains complete control over its IT systems. Current information suggests the IT systems of third parties were not affected,” a statement published by Continental mentioned.
Hackers Take Down ALMA Radio Telescope in Chile
The ALMA observatory in Chile had to shut down after threat actors targeted its computer systems. One of the world’s largest and most advanced telescopes had to suspend operations following the cyberattack. The Atacama Large Millimeter/submillimeter Array (ALMA), located in Northern Chile’s Atacama Desert, said that an attack on its systems last weekend compelled it to take down its public website and suspend operations.
The attack also affected email services at the observatory, which consists of 66 radio telescopes that study planet formation and star births.
“We contained the threat, and the specialists are working to restore affected systems. The cyberattack did not compromise any ALMA antennas or scientific data,” the observatory tweeted. The incident inconvenienced researchers worldwide who rely on ALMA experts and the telescope.
Updated Drinik Malware Targets 18 Indian Banks
An upgraded variant of the Drinik Android trojan recently targeted 18 Indian banks and stole the victims’ personal and bank account information. Drinik has a circulation history in India and has operated as an SMS stealer since 2016.
In the latest campaign, Drinik impersonated the Income Tax Department of India and targeted customers of 18 Indian banks to steal their income tax credentials. The malware’s latest variant, found in August, is distributed in an APK file (iAssist.apk), integrated into Android’s iAssist app. It lures users with the promise of an instant tax refund and tricks them into submitting personal details like full name, PAN number, Aadhaar number, and financial information.
The phishing scam abuses the Accessibility Service to obtain the permissions it needs to control the compromised device. The latest variant can perform keylogging and screen recording to harvest credentials, and it intercepts incoming calls by abusing the CallScreeningService.
US Govt Employees are Vulnerable to Mobile Attacks Because of Outdated Android, iOS
According to a recent report by the cybersecurity firm Lookout, almost half of Android mobile phones used by the US state and local government employees were running outdated versions of the OS, exposing them to numerous vulnerabilities that hackers can leverage for attacks.
The report analyzed 175 million applications and 200 million devices from 2021 to H2 2022. It warns about an uptrend in all threat metrics, including reliance on unmanaged mobile devices, attempted cyberattacks against government employees, and liability bottlenecks in mission-critical networks.
CISA (the Cybersecurity and Infrastructure Security Agency) publishes a ‘Known Exploited Vulnerabilities Catalog’ listing the vulnerabilities that hackers have actively exploited in attacks, together with the date by which federal agencies must patch each one. However, while CISA advises state and local governments to follow the guidelines, they are not obliged to do so under this directive.
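State and local teams that want to follow the catalog voluntarily can automate the comparison against their own fleet. The following is an added example, not code from the article, from CISA or from Lookout: it parses a catalog export in the shape of the JSON feed CISA publishes (entries with `cveID`, `vendorProject`, `product`, `vulnerabilityName`, `dateAdded` and `dueDate`) and lists the entries whose due date has passed for products in a local inventory. The catalog content and inventory below are constructed samples, and the CVE identifiers are placeholders rather than real vulnerabilities.

```python
# Added example (not from the original article): parse a CISA Known Exploited
# Vulnerabilities (KEV) catalog export and report entries whose remediation
# due date has passed, optionally restricted to products in a local inventory.
# The catalog JSON below is a constructed sample in the published feed's shape
# (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate);
# the CVE identifiers are placeholders, not real vulnerabilities.
import json
from datetime import date
from typing import List, Optional, Set, Tuple

SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
         "product": "Example Mobile OS", "vulnerabilityName": "Placeholder kernel bug",
         "dateAdded": "2022-09-01", "dueDate": "2022-09-22"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
         "product": "Example Browser", "vulnerabilityName": "Placeholder renderer bug",
         "dateAdded": "2022-11-04", "dueDate": "2022-11-25"},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor",
         "product": "Example VPN Appliance", "vulnerabilityName": "Placeholder auth bypass",
         "dateAdded": "2022-10-11", "dueDate": "2022-11-01"},
        {"cveID": "CVE-0000-00004", "vendorProject": "ThirdVendor",
         "product": "Example Router", "vulnerabilityName": "Placeholder command injection",
         "dateAdded": "2022-09-24", "dueDate": "2022-10-15"},
    ],
})

# Constructed inventory of (vendorProject, product) pairs present in the fleet.
INVENTORY: Set[Tuple[str, str]] = {
    ("ExampleVendor", "Example Mobile OS"),
    ("OtherVendor", "Example VPN Appliance"),
}


def load_kev(text: str) -> list:
    """Return the list of catalog entries from a KEV JSON document."""
    return json.loads(text)["vulnerabilities"]


def overdue_entries(entries: list, today: date,
                    inventory: Optional[Set[Tuple[str, str]]] = None
                    ) -> List[Tuple[str, str, int]]:
    """Return (cveID, product, days_overdue) for entries past their dueDate.

    If `inventory` is given, only entries whose (vendorProject, product) pair
    appears in it are considered. Most overdue entries come first.
    """
    out = []
    for e in entries:
        if inventory is not None and (e["vendorProject"], e["product"]) not in inventory:
            continue
        due = date.fromisoformat(e["dueDate"])
        if due < today:
            out.append((e["cveID"], e["product"], (today - due).days))
    return sorted(out, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)
    for cve, product, days in overdue_entries(entries, date(2022, 11, 4), INVENTORY):
        print(f"{cve}  {product}: {days} days past the CISA due date")
```

Running the check against the full catalog without an inventory filter produces noise from products the organization does not run; the inventory filter is what turns the feed into an actionable patch list, so keep that inventory current with the device management system the Lookout report recommends.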
Furthermore, the report arrives days before the US midterm elections, with FBI and Trellix reporting that election officials and workers are getting targeted with phishing campaigns to steal credentials or install malware.
Leaked Amazon Server Exposes Viewing Habits of Amazon Prime Customers
An Elasticsearch database called Sauron “remained unprotected without any security authentication.” According to researcher Anurag Sen, the internal Amazon server storing the database held Prime Video viewing habits.
The server remained accessible over the internet because it had no password protection. Hence, anyone who entered its IP address in a web browser could access the data. The database contained 215 million records of pseudonymized viewing data, including the name of the movie or show streamed, the device used, and internal data such as network quality and subscription information.
While the database contains Amazon Prime customers’ information, hackers cannot use it to identify the customers by name. However, the security lapse highlights the dangers and drawbacks of misconfigured internet-facing servers without password protection.
Amazon spokesperson Adam Montgomery said ‘deployment glitches with a Prime Video analytics server’ caused the issue. When Amazon was notified about the exposed database, it took adequate steps to make it inaccessible.
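The exposure described above comes down to a small number of settings: the cluster listens on an internet-reachable interface and authentication is switched off. The following is an added example, not code from the article, from Amazon or from the researcher: a small checker that reads an `elasticsearch.yml` fragment and reports the weak settings next to a hardened version. The two configuration fragments are constructed samples; `xpack.security.enabled`, `network.host` and `xpack.security.http.ssl.enabled` are real Elasticsearch settings, while the finding codes and the flat `key: value` parser (which does not handle nested YAML) are this example's own assumptions.

```python
# Added example (not from the original article): audit an elasticsearch.yml
# fragment for the exposure pattern described above (reachable from any
# interface, no authentication). Both fragments are constructed samples;
# the checker handles only flat "key: value" lines, not full YAML.
from typing import Dict, List

WEAK_CONFIG = """
# constructed: listens on every interface with security switched off
cluster.name: analytics
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_CONFIG = """
# constructed: loopback only, authentication and TLS on
cluster.name: analytics
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Values of network.host that bind beyond the loopback interface.
EXPOSED_BINDINGS = {"0.0.0.0", "::", "_global_", "_site_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse simple 'key: value' lines, dropping comments and blank lines."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_elasticsearch(text: str) -> List[str]:
    """Return finding codes for settings that leave the cluster exposed."""
    s = parse_flat_yaml(text)
    findings: List[str] = []
    # An absent setting counts as a finding: the default depends on the
    # Elasticsearch version, so a production config should state it explicitly.
    if s.get("xpack.security.enabled", "").lower() != "true":
        findings.append("SECURITY_NOT_ENABLED")
    if s.get("network.host", "") in EXPOSED_BINDINGS:
        findings.append("BOUND_BEYOND_LOOPBACK")
    if s.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("HTTP_TLS_OFF")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_elasticsearch(WEAK_CONFIG))
    print("hardened:", audit_elasticsearch(HARDENED_CONFIG))
```

A check like this belongs in the deployment pipeline rather than in a post-incident review, since the article's point is that the Amazon exposure came from a deployment glitch rather than a deliberate choice; running it before the analytics server is created catches the combination of an open binding and disabled authentication that left the database readable from any browser.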
Osaka Hospital Forced to Suspend Services After Ransomware Cyberattack
A hospital in Osaka disclosed that it suspended non-emergency outpatient operations and services following a ransomware attack on its electronic medical record system. The medical facility has 36 departments and 865 beds. Osaka General Medical Center’s staff told reporters that the system failed around 7 am and they could not access it. They added that a contractor examining the failure said a ransomware computer virus had attacked the system.
The threat actor reportedly sent an email written in English to the hospital’s server, saying they had encrypted all its files. They demanded that the hospital pay a ransom and warned that the amount would depend on how soon the officials responded. Interestingly, the hackers are demanding Bitcoins as ransom.
The officials said they were now using paper medical records and expressed uncertainty about the resumption of normal operations. Shimazu Takeshi, the hospital’s director, said hospital staff worked hard to restore the system and apologized to patients and stakeholders for the inconvenience and trouble.
Label Printing Giant Discloses a Data Breach
Label printing major Multi-Color Corporation (MCC) started informing employees that a recent cyberattack might have compromised their personal information. Supplying premium label solutions worldwide, MCC has nearly 10,000 employees and runs 100 label-producing operations.
It offers label solutions to organizations in the chemicals, food, healthcare, automotive, beverage, technical, and other industries. In a recent data breach notification, MCC announced that it discovered unauthorized access to its network on September 29, 2022.
An investigation into the incident revealed that sensitive HR data might be compromised, including “employee files and enrolment information in our benefits programs.” MCC further added that it collected and retained “personal details to facilitate payroll, administer the health and wellness program, and complete other critical business functions.” Both former and current MCC employees were affected.
Additionally, the data breach can impact the information related to employee partners, spouses, or dependents enrolled in the benefits programs. The company said the incident did not impact its suppliers and customers, as it did not collect or save their personal information.
MCC did not disclose what type of cyberattack it suffered. Still, it appears the company might be in contact with the attackers, likely to pay a ransom to ensure they destroy any stolen data.
“However, based on the measures we implemented and the actions we undertook, there is no indication that any personal information related to the cybersecurity incident has been misused or will get misused in the future,” the company said.