Last Week in Infosec

1st July – 8th July 2022

Whether you’re a CISO, Ethical Hacker or part of a security team – staying on top of the latest news is likely part of your responsibilities. To make it easier and less time consuming, we’ve gone ahead and compiled the most interesting events of last week for you.

News on Vulnerabilities & Attacks

Phishing scams impersonating the UAE Ministry of Human Resources target the Middle East

Researchers from CloudSEK have discovered a widespread phishing campaign in which threat actors pretended to be the UAE Ministry of Human Resources. [1]

The campaign targets numerous government and corporate entities in the banking, travel, healthcare, legal, oil and gas, and consulting industries. According to the security experts’ assessment, this is a significant phishing effort that primarily targets businesses and job seekers by faking sites that belong to the Ministry of Human Resources.

These phishing schemes could also be used as templates by other threat actors to target individuals and steal their passwords, documents, cryptocurrency wallets, and other sensitive data.

Phishing is still one of the most reliable ways for hackers to gain unauthorized access to companies, and while attacks against high-value organizations become more targeted, smaller companies still need to ensure they don't get caught in big phishing nets. 🎣

Contact LastBreach for security training and simulated phishing attacks to make sure you're on the safe side. 🛡️

News on Threat Actors & Campaigns

Cyber Criminals Claim to have Stolen Data of a Billion Chinese Residents

A new data leak was announced last week in an online cybercrime forum, and it’s a big one. According to an anonymous source, the person or group claiming responsibility for the attack has offered to sell more than 23 terabytes of stolen data. [2]

The database includes names, addresses, birthplaces, national IDs, phone numbers, and information about criminal cases and was apparently stolen from the Shanghai National Police. According to the post, the threat actor demanded ten bitcoins, or about $200,000, which is a surprisingly small amount for this much data.

The Shanghai government has not publicly reacted to the purported cyberattack.

LockBit 3.0 Ransomware targets Organizations worldwide

The LockBit group is back and has released LockBit 3.0, a new variant of its ransomware. The group named its most recent product LockBit Black, improving it with new extortion strategies and adding a Zcash payment option to the existing Bitcoin and Monero payment options. [3]

LockBit was the RaaS (Ransomware-as-a-Service) with the highest activity in June, continuing on its way to the top. Unlike the ransomware group Conti, which split up into smaller groups after it gained too much spotlight and garnered the attention of law enforcement, LockBit seems to keep pursuing its goal of becoming a household name in the ransomware sector.

This time, LockBit is in the news for starting the first-ever bug bounty program run by a criminal organization. In their pitch to hackers of all stripes, the adversaries offer a financial reward ranging from $1,000 to $1,000,000 for submitting a bug or enhancement idea. Additionally, the largest reward is offered to the first person who correctly identifies the affiliate manager, also known as LockBitSupp. This is believed to be mainly a PR stunt to raise the group’s name recognition.

Marriott’s Been Hacked — Again!

A report from DataBreaches claims that hackers could access almost 20GB of private data, including reservation and credit card information, from a hotel server at the BWI Airport Marriott in Maryland. [4]

According to Engadget, Marriott claims that most of the compromised information consisted of “non-sensitive internal business files”. The hackers gained access to a Marriott employee’s computer and collected the files from a shared file server.

“There is no evidence that the threat actor had access beyond the files that were accessible to this one associate”, Marriott continued. Nevertheless, the hotel operator told Engadget that the 300 to 400 people whose personal information was compromised during the incident, the majority of whom are former workers, will be informed.

Other News on Business, Politics, and Culture

Increasing Cyber Espionage Efforts by China Against Russia

According to investigations by security companies and Ukraine’s Computer Emergency Response Team (CERT), a campaign linked to China began targeting businesses connected to Russia in June, using malware to gather information on government activities. [5]

Since the start of the conflict in Ukraine, the group known as Mustang Panda has targeted Russian organizations, while a new cyber gang known as “Space Pirates” has infiltrated Russia’s space technology sector.

According to a recent investigation, infected Microsoft Office documents were used to distribute Remote Access Trojans (RATs). The most recent operations have used two malware sets connected to Chinese advanced persistent threat (APT) groups: the Royal Road Toolkit for creating malicious documents and the Bisonal Remote Access Trojan (RAT) created by Chinese operators.

The Tonto Team, also known as Karma Panda and Bronze Huntley, has typically concentrated on countries in other parts of Asia, including South Korea, Japan, and Taiwan, as well as the US. The group has recently expanded its operations to include Pakistan, Russia, and other countries.

Attack on QNAP Devices by Raspberry Robin Worm

Microsoft reports that hundreds of businesses from various industry sectors have recently discovered Windows worms on their networks. [6]

The Raspberry Robin campaign, also known as the “LNK Worm,” is the subject of an investigation by the Cybereason team. Raspberry Robin uses infected QNAP NAS (Network Attached Storage) devices as staging points and spreads via USB devices or shared folders. It lures victims with “LNK” shortcut files, an old-fashioned but still effective technique.

Security experts who discovered Raspberry Robin in the wild have not yet attributed the worm to a threat group and are still attempting to determine its operators’ ultimate objective.

Microsoft has nevertheless labeled this campaign as high-risk, because the attackers could download and run additional malware inside the victims’ networks and escalate their privileges at any time.

That’s all for today – leave a comment if you have any feedback or think we missed something. See you next week!