
Cyber Round-up for 28th April

April 27, 2023


Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Personal Data of 300M Ukrainian People Sold to Russia

The Ukrainian cyber police have arrested a 36-year-old man for selling personal data to Russian citizens. The personal data of more than 300 million people, mostly Ukrainian, was compromised and sold by the suspect. Police were able to identify him after buyers paid for the stolen data using a currency prohibited in Ukraine. The arrest was followed by a raid on the suspect’s property, which led to the seizure of 36 hard drives, computers and server equipment. Investigation of this equipment is still underway, but the suspect faces a sentence of up to five years.


RTM Locker Group Use New Babuk Inspired Ransomware Strain to Infect Linux, NAS, and ESXi Hosts

The RTM Locker operators have developed a new ransomware strain that targets Linux machines. Inspired by the Babuk ransomware, it is designed to infect Linux, NAS and ESXi hosts, and marks the group’s first move into Linux-focused attacks. It is currently unknown how the group is delivering the ransomware to victims’ machines, but the strain is believed to “single out ESXi hosts by terminating all virtual machines running on a compromised host prior to commencing the encryption process”. We will closely monitor this new strain and provide updates as we learn more about its capabilities and behaviour.


Latest Update To Google Authenticator Removes End-To-End Encryption

Google Authenticator’s latest update allows users to sync their secrets across devices via their Google account. This sounds convenient, however the synced secrets used to generate OTPs are not end-to-end encrypted, unlike secrets that stay on a single device, so Google itself, and anyone who gains access to your Google account or to the data Google stores, can read every secret. Users are advised to keep this option turned off and continue to use Google Authenticator on a single device until this security issue is resolved.
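To make concrete why exposure of the synced seed matters, here is an added example that is not Google’s code and not part of the original post. It implements RFC 6238 TOTP (and the underlying RFC 4226 HOTP) in Python and shows that anyone holding an unencrypted export of the seeds can mint a valid code for every account, exactly as the legitimate app does. The otpauth URIs, account names and seeds below are constructed for illustration; the first seed is the RFC 6238 test vector seed, and the list format is a plain otpauth export, not Google’s real sync payload format.

```python
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def hotp(seed: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC over the 8-byte big-endian counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at=None, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(seed, int(at // step), digits, algo)


def verify_totp(seed: bytes, code: str, at=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock skew, compared in constant time."""
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(seed, c, digits), code)
        for c in range(counter - window, counter + window + 1)
    )


def seed_from_otpauth(uri: str) -> tuple:
    """Parse a plaintext otpauth://totp/... URI and return (label, raw seed bytes).

    The base32 secret is padded back to a multiple of 8 characters because most
    authenticator apps strip the trailing '=' when exporting.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    b32 = parse_qs(u.query)["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)
    return unquote(u.path.lstrip("/")), base64.b32decode(b32)


def codes_from_export(uris, at=None) -> dict:
    """What an attacker holding an unencrypted seed export gets: a valid code for every account."""
    return {label: totp(seed, at) for label, seed in map(seed_from_otpauth, uris)}


# Constructed sample export (hypothetical accounts; NOT Google's real sync format).
# The first seed is the RFC 6238 test seed "12345678901234567890" in base32.
SAMPLE_EXPORT = [
    "otpauth://totp/Example:alice@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example",
    "otpauth://totp/VPN:alice?secret=JBSWY3DPEHPK3PXP&issuer=VPN",
]

if __name__ == "__main__":
    rfc_seed = b"12345678901234567890"
    # RFC 6238 SHA-1 vector at T=59 is 94287082; a 6-digit app shows the last six digits.
    print(totp(rfc_seed, at=59))  # 287082
    # Every account in the export is now compromised at the attacker's chosen time.
    print(codes_from_export(SAMPLE_EXPORT))
    # The code from the previous 30-second step still verifies inside the skew window.
    print(verify_totp(rfc_seed, "287082", at=59 + 25))  # True
```

The point of `codes_from_export` is that TOTP has no secret other than the seed: whoever can read the seed, whether a thief of the device, an attacker inside the Google account, or the sync service itself, is indistinguishable from the user at the second-factor check. That is why the seeds should only ever leave the device encrypted under a key the service does not hold.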


Millions Being Lost To ATM Criminals

The European Association of Secure Transactions (EAST), whose members include banks and ATM vendors, reported €211 million in losses from a range of criminal attacks in 2022. The leading cause of loss was terminal-related fraud, which accounted for €200 million, of which €167 million was attributed to card skimming. Interestingly, only 31 malware and logical attacks were recorded in 2022, down from 52 the previous year. ATM users are advised to perform a visual and physical check of the card slot and keypad before swiping or inserting a card, to help protect against skimming.


Security Concerns Raised for Metaverse Dark Web Activity

Researchers have raised concerns that the metaverse, a virtual space where individuals interact in a computer-generated version of the physical world, could become the next evolution of the dark web. This “Darkverse” brings potential security and legal concerns, including acting as a haven for criminals and extremists. The research also identifies how a darkverse could make it harder for law enforcement to infiltrate criminal spaces, for example by requiring that users be inside a designated physical location within a specific time window to receive an authentication token. Proximity- and location-based access restrictions of this kind would also make reactive measures such as sinkholing and URL blocking far less effective.


Vulnerabilities & Updates

PaperCut Servers Exploited to Deliver Cl0p and LockBit Ransomware

This week, Microsoft confirmed that PaperCut servers are being actively exploited in ransomware attacks, and are being used to deliver the Cl0p and LockBit ransomware strains. The group responsible for the attacks is being tracked as Lace Tempest, a financially motivated cybercriminal group believed to have ties to FIN11, TA505 and Evil Corp. Two vulnerabilities in the PaperCut MF/NG software made these attacks possible: CVE-2023-27350, which allows an unauthenticated attacker to remotely execute arbitrary code, and CVE-2023-27351, which allows an unauthenticated attacker to access sensitive information on the target system. Organisations running PaperCut should apply the vendor’s patched releases as a priority.


And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #232 – 28th April 2023


Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.


Ironshare is a provider of Information and Cyber Security services.
