Cyber Round-up

Cyber Round-up for 20th May

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security. 

In this week’s round-up:

Security News

PRODAFT’s Investigation of Wizard Spider Gang

The PRODAFT Threat Intelligence team has published a technical report on the Russian-linked cybercrime gang Wizard Spider. Wizard Spider is the group behind the Conti, Ryuk and TrickBot malware operations and has grown into one of the most high-profile criminal groups in the world. PRODAFT’s report provides “unprecedented visibility into the structure, background, and motivations of Wizard Spider” and gives an in-depth analysis of what has been described as the group’s “corporate-like” operations.

The full report from PRODAFT can be found here.


Malicious Mobile Apps Identified as Credential Stealers

A number of Google Play Store apps have been identified as malicious, with some designed to steal user credentials for platforms such as Facebook. Other apps, posing as cryptocurrency miners, have been seen stealing the private keys and mnemonic (seed) phrases used to recover cryptocurrency wallets.

We strongly advise all Android users to be cautious and avoid these applications; some of the known malicious apps have been identified here, so the list may give you an idea of what to look out for.


Council Leaks Details of SEND Students

Central Bedfordshire Council in the UK has been labelled “incompetent” after failing to redact the personal information of pupils with special educational needs. The details were published on a public website by council staff; the council has released a statement apologising for the incident and says it is “making changes to its procedures to avoid a repeat of the incident in the future”. We hope the safeguarding of personal information is taken more seriously from now on, and that staff are trained on the importance of data confidentiality.


BlackByte Ransomware Attacks Spreading Across the Globe

The BlackByte group has become increasingly active recently through its ransomware-as-a-service (RaaS) operation. BlackByte offers its services to criminals all around the world and has been linked to attacks everywhere from North America to Europe and parts of Asia. Their attacks typically begin with phishing or exploitation of unpatched, internet-facing services, most notably the recent SonicWall VPN and Microsoft Exchange ProxyShell flaws. With one of the largest ransomware operations in the world primarily targeting unpatched systems, we advise everyone to keep up with security updates and patch management.


Europe Agrees To NIS2 Directive to Harden Security

Cyber security has been a constant battle in the digital age, and the European Parliament has endorsed plans to introduce the Network and Information Security 2 (NIS2) directive to boost cyber security efforts across Europe. The revised directive builds on its predecessor, NIS, by requiring the energy, transport, financial markets, health and digital infrastructure sectors to introduce and maintain defined risk management measures and to report security incidents. Failure to do so could incur financial penalties. Along with this, “The directive will formally establish the European Cyber Crises Liaison Organization Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents,” the Council of the European Union said.


Authorities Thwart Russian Cyber Attack During Eurovision Final

This year Italy hosted Eurovision 2022, with a spectacular display from the Ukrainian band Kalush Orchestra. Sadly, things were not so joyous behind the scenes. During the grand final on Saturday, the pro-Russian hacking group Killnet and its affiliate Legion were caught attempting to attack infrastructure used by Eurovision. Italian authorities became aware of the plan before the attack began, as police had infiltrated the Telegram channels the group used to coordinate. A successful attack could have meant broadcast outages or vote manipulation, but preparation by the Italian authorities thwarted it before any damage could be done.


Vulnerabilities & Updates

Vulnerability Found in Tatsu Builder WordPress Plugin

Tatsu Builder, a front-end, fully visual page builder plugin for WordPress, is being exploited by attackers. The vulnerability, tracked as CVE-2021-25094, is a remote code execution flaw that has reportedly been exploited to place dropper malware on affected websites. Approximately 20,000 to 50,000 websites use the Tatsu Builder plugin, with around a quarter still running a vulnerable version. Users are advised to install the latest update to be protected from this attack.

More details on this flaw can be found here.


Bluetooth Low Energy Vulnerability Exploited

A flaw demonstrated by NCC Group has shown that Bluetooth Low Energy (BLE) isn’t as secure as originally thought. Many BLE products treat proximity as a form of authentication: if the paired phone or key fob appears to be within range, the device unlocks. NCC Group has created a proof-of-concept relay attack that exploits this trust, forwarding BLE traffic between a victim’s device and the lock from a distance and bypassing the protection mechanisms vendors rely on to stop relaying. BLE proximity authentication is used in products such as smart locks and vehicles, so being able to exploit it potentially puts these devices at risk. Users are advised to disable passive unlock functions where possible and to turn off Bluetooth on mobile devices when it is not needed.
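To make the trust problem concrete, here is a toy Python model of a proximity-based unlock and a relay against it. This is an added illustration written for this round-up, not NCC Group’s proof of concept or any vendor’s firmware; the pairing secret, the 30 ms round-trip budget and the 5 ms / 8 ms / 40 ms latencies are all made-up values chosen to show the logic.

```python
"""Toy model: a lock that unlocks when the paired key answers a challenge
"fast enough", and an attacker relay that forwards traffic to the real key.

Constructed illustration only; the numbers below are assumptions, not
measurements of any real BLE product or of NCC Group's tooling.
"""
import hashlib
import hmac
import os

# Assumed: pairing secret shared by lock and key, and the round-trip budget
# inside which the lock deems the key "nearby".
SECRET = b"example-pairing-secret"
RTT_LIMIT_MS = 30.0


def key_respond(challenge: bytes) -> bytes:
    """The legitimate key (phone or fob) proves possession of the shared secret."""
    return hmac.new(SECRET, challenge, hashlib.sha256).digest()


def direct_channel(challenge: bytes):
    """Key genuinely next to the lock: honest reply after an assumed 5 ms trip."""
    return key_respond(challenge), 5.0


def make_relay_channel(added_latency_ms: float):
    """A pair of attacker devices forwarding raw traffic between the lock and the
    real key, which is far away. The relay cannot forge the HMAC; it only adds delay."""
    def relay(challenge: bytes):
        response, rtt_ms = direct_channel(challenge)  # the real key answers honestly
        return response, rtt_ms + added_latency_ms
    return relay


def lock_try_unlock(channel, passive_unlock: bool = True, user_intent: bool = False) -> str:
    """The lock issues a fresh random challenge and unlocks if the reply is authentic
    and arrives within RTT_LIMIT_MS. With passive unlock disabled it additionally
    requires an explicit user action (e.g. a tap in the app), not mere proximity."""
    challenge = os.urandom(16)
    response, rtt_ms = channel(challenge)
    # The lock holds the same secret, so it can recompute the expected answer.
    if not hmac.compare_digest(response, key_respond(challenge)):
        return "rejected: bad response"
    if rtt_ms > RTT_LIMIT_MS:
        return "rejected: too slow"
    if not passive_unlock and not user_intent:
        return "rejected: no user action"
    return "unlocked"


def run_scenarios() -> dict:
    """Five cases: honest key; relay inside the timing budget; relay outside it;
    the fast relay against a lock with passive unlock disabled; and the owner
    tapping to unlock on that same hardened lock."""
    fast_relay = make_relay_channel(8.0)   # assumed overhead well under the budget
    slow_relay = make_relay_channel(40.0)  # assumed overhead a timing check does catch
    return {
        "owner_nearby": lock_try_unlock(direct_channel),
        "fast_relay_passive": lock_try_unlock(fast_relay),
        "slow_relay_passive": lock_try_unlock(slow_relay),
        "fast_relay_no_passive": lock_try_unlock(fast_relay, passive_unlock=False),
        "owner_tap_no_passive": lock_try_unlock(direct_channel, passive_unlock=False, user_intent=True),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24s} {result}")
```

The point of the model is that the relayed response is byte-for-byte the real key’s response, so the cryptographic check passes; the lock is really measuring reachability and timing, not physical distance, and a relay that stays inside the timing budget looks identical to the owner standing at the door. The only check in the model that stops a silent relay is the one requiring a deliberate user action, which is why the advice above is to disable passive unlock.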


And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #190 – 20th May 2022

Why not follow us on social media:

Ironshare – Security Simplified