Cyber Threat Report | February 2024

The month of February saw a fantastic achievement on the cybersecurity front. In a joint operation, the UK National Crime Agency, the FBI, the US Justice Department, and other police agencies, were able to disrupt the LockBit ransomware group, taking down the gang's website.

In other news:

• Interpol's Operation Synergia identified 1,300 suspicious IP addresses or URLs;
• FBI shut down the China-state-sponsored "Volt Typhoon";
• The FTC charged Avast with a $16.5 million fine;
• Man on FBI's most wanted pleads guilty to disseminating Zeus and IcedID.

Discover more about the cyberattacks on Change Healthcare, Infosys McCamish Systems (a Bank of America third-party vendor), and AnyDesk Software GmbH.

As well, we look more in-depth into spyware and a major data breach:

• the countries and industries targeted by an Iranian cyber-espionage campaign;
• NSO Group's Pegasus spyware's targets;
• the cyberattack that may have compromised the data of half of France's population.

Cybercrime Breaking News

A report is released about the Iranian cyber-espionage campaign that has been targeting Middle Eastern aerospace, aviation, and defense companies. The activity has been carried out against mainly countries like Israel and the UAE, and - potentially - Turkey, India, and Albania.

A new report discloses how NSO Group's Pegasus spyware is said to have targeted +30 Jordanian journalists, activists, human rights lawyers, and civil society members.

Change Healthcare, the multibillion-dollar healthcare conglomerate that processes half of all U.S. medical claims, fell victim to a cyberattack. Due to the incident, US pharmacies have struggled to fill prescriptions. The Blackcat/AlphV ransomware group is believed to be behind the attack.

AnyDesk Software GmbH, the company behind the remote desktop application, became a victim of a cyberattack that compromised its production systems.

Vulnerabilities and cyber risk tracker

• Cybersecurity researchers release information about GoldPickaxe.iOS? - a mobile Trojan targeting iOS users. The threat actor is targeting victims in the Asia-Pacific, collecting their facial recognition data and identity documents, and intercepting their SMS communication.
• Google’s Threat Analysis Group (TAG) released "Buying Spying, an in-depth report with our insights into Commercial Surveillance Vendors (CSVs)", targeting roughly 40 CSVs. Key findings include that dozens of CSVs have stayed below the radar, yet have played an integral role in spyware development.? Also, CSVs are behind half of known zero-day exploits targeting Google products and Android devices.

Cyberwar between Russia and Ukraine: Updates

Denmark, Italy, and Canada signed a 10-year bilateral security agreement with Ukraine, that the UK, Germany, and France have already entered. The agreement comes from a Group of Seven nations pledge for? "long term security commitments and arrangements" with Ukraine.?

Russian malicious actors hacked several Ukrainian media (e.g. Pravda, one of Ukraine's largest online newspapers and business media site Liga.net) to spread fake news of how Russia destroyed a Ukrainian special forces unit in Avdiivka.

Cybersecurity and AI

Partnering with Microsoft Threat Intelligence, OpenAI takes down accounts of five state-affiliated threat actors.

Cybersecurity Justice

The U.K.’s National Crime Agency, the FBI, the Justice Department, and several international police agencies' joint operation disrupted LockBit ransomware activity by taking down the gang's website. This action has crippled LockBit's ability to attack and encrypt networks and threaten to publish stolen data. The Justice Department also unsealed an indictment charging perpetrators, who are said to have deployed LockBit ransomware against numerous victims. LockBit has so far “targeted over 2,000 victims, received more than $120 million in ransom payments, and made ransom demands totaling hundreds of millions of dollars”. Ukrainian police arrested two alleged LockBit members; a third said member was arrested by Polish police forces. At the end of the month, the believed LockBit admins are said to have resurfaced, utilizing a brand-new infrastructure.

Operation Synergia, a global INTERPOL operation, has so far identified 1,300 suspicious IP addresses or URLs, taken down 70% of the command-and-control (C2) servers, and arrested 26 believed perpetrators. The operation ran between September and November 2023 and was aimed to answer "the need for coordinated action against new cyber threats".

FBI shuts down the "Volt Typhoon", a China-state-sponsored group, targeting US power grids, pipelines, and other key infrastructures.

The U.S. Treasury Department's Office of Foreign Assets Control sanctioned six officials, said to be associated with the Iranian intelligence agency, for "malicious cyber activities" against critical infrastructures.

The US Justice Department disrupted the operation of a botnet said to be used by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU) to "conceal and otherwise enable a variety of crimes".

A man on the FBI's most wanted list pleaded guilty in front of the Department of Justice for his supposed role in distributing the Zeus banking trojan and the IcedID or Bokbot malware.?

The US Department of State offers a reward of up to $10 million for information about Hive ransomware gang key leaders and up to $5 million for information about individuals who participate (or are attempting to) in Hive ransomware. The Department of State is also offering a reward of up to $15 million for information on ALPHV/Blackcat ransomware members.

The Federal Trade Commission (FTC) bans Avast from selling or licensing web browsing data to be used for advertising. It was revealed that the company used its extension and antivirus software to collect data, which it stored and sold without consumer consent. The FTC charged Avast with a fine of $16.5 million.

The Federal Trade Commission announced a settlement with Blackbaud, which will require the data and software services company to delete any personal data that isn't necessary or needed. Blackbaud was breached in February 2020 due to poor data practices, which allowed hackers to gain access to the personal data of millions of its customers.?

FinTech Updates

The Department of Justice unsealed an indictment charging an individual with "money laundering conspiracy and operation of an unlicensed money services business". The believed perpetrator is said to have controlled the digital currency exchange BTC-e: a platform, whose customers were involved in criminal activity and allowed a certain level of anonymity when trading bitcoin.?

Bank of America warns its customers about a potential data breach, after one of its service providers, Infosys McCamish Systems (IMS), fell victim to a cyberattack in November 2023.

Due to a data breach, the decentralized cryptocurrency exchange platform FixedFloat lost around $26 million in Ethereum and Bitcoin.?

Prudential Finance, the US’s second-largest insurance company, became a victim of a cyberattack, where a threat actor accessed the organization's administrative and user data, and very few user accounts.

Cybersecurity News Across The Globe

• Varta AG's, the German battery manufacturer, operations were put on hold after a cyberattack.
• Investigation finds how scammers in Myanmar have been operating via pig butchering (romance scams) to extort around $100 million in cryptocurrency, in the last two years, from victims.
• Albania's Institute of Statistics's email server and website were targeted by a cyberattack. An Iran-linked hacking group has claimed responsibility for the attack.
• A cyberattack at the end of January may have compromised the data of over 33 million people living in France.

Want to find out more about data security:

• Data Protection: How to Decide Which Types of Data to Secure
• Security Breaches: All You Need to Know About Them | Part 1
• Data Breaches: All You Need to Know About Them | Part 2
• The Power of CREST-Certified Penetration Testing?

AMATAS NEWS

Register for AMATAS and ConnectWise on-demand webinar on the benefits of SOC as a service and get a free risk assessment as well as 30-day-long trail period of our MXDR offering!

The webinar aims to encourage discussion and to shed light on the transformative impact of Security Operations Center (SOC) as a service. Whether you’re exploring the idea of establishing a SOC for the first time or considering a switch from your current SOC provider, this session promises valuable insights into how SOC as a service can?enhance your organization’s security posture and help you deal with the human resource challenges that it poses.

Our cybersecurity experts Miroslav Naydenov and Andre Lynch delve into the myriad benefits of adopting SOC as a service, including?scalable security solutions, access to cutting-edge technologies, and the expertise of seasoned security professionals. They also cover the main business perspective –?how SOC as a service can provide a more flexible and cost-effective approach to cybersecurity, enabling organizations to focus on their core activities while ensuring robust security measures are in place.

AMATAS will continue to monitor this space and deliver salient information regularly.?

Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing [email protected].

As always – be vigilant, stay alert, and think twice.