Daily Threat Briefing: March 10th 2024

Welcome to the Daily Threat Briefing for March 10, 2024. Today's briefing explores three stories: the release of Lithuanias' ninth yearly threat report covering high-level geopolitical assessments, a Microsoft update on their early January 2023 Midnight Blizard breach, and the Stormous ransomware gang claims the recent Belgium brewery Duvel Moortgat cyber attack

Executive Summary

1?? Republic of Lithuania Faces Complex Threats

?? Actionable Takeaway:?Understanding the geopolitical landscape is crucial for cybersecurity professionals. It's vital to implement advanced security measures, foster cyber awareness, and strengthen infrastructure to protect against the sophisticated techniques employed by state-sponsored actors.

2???Midnight Blizzard Targets Microsoft

?? Actionable Takeaway:?This incident serves as a stark reminder of the persistence of cyber adversaries. Organizations should adopt a zero-trust architecture, enhance internal security practices, and prepare for sophisticated phishing and espionage tactics to safeguard sensitive information.

3?? Duvel Moortgat Brewery Hit by Stormous Ransomware

???Actionable Takeaway:?The prompt action taken by Duvel Moortgat underscores the importance of rapid response protocols. Ensuring regular data backups, conducting frequent security audits, and fostering a culture of cybersecurity awareness are paramount in mitigating the impact of ransomware attacks.

Republic of Lithuania Releases National Defence Report 2024

On March 7, 2024, the Defence Intelligence and Security Service under the Ministry of National Defence of Lithuania and the State Security Department released a technical report assessing threats to Lithuania's national security.?

• Russia's commitment to the war in Ukraine, showcasing no signs of de-escalation, and its preparation for a long-term confrontation with NATO, alongside a significant reform of its Armed Forces.
• The sustainability of the Russian economy amidst sanctions, high oil prices, and investments in the military industry has become a critical economic driver.
• The internal political landscape in Russia highlights the Wagner mutiny, the significance of the upcoming presidential election, and the portrayal of widespread support for Putin's regime.
• Russia's foreign policy is characterized by attempts to undermine Western support for Ukraine, its increasing international isolation, and efforts to build alliances with the Global South.
• Belarus intensified intelligence operations against Lithuania, leveraging the Belarusian diaspora and travellers for espionage activities and bolstering its military capabilities through Russian support.
• China's escalated intelligence activities target Lithuania, focusing on cyber espionage and gathering information on Lithuania's internal affairs, political landscape, and foreign policy.
• The growing threat of Islamist terrorism in Europe is fueled by international terrorist propaganda and the increasing likelihood of attacks by lone radicalized individuals.

Insights and Analysis

Russia's ongoing military engagement and economic resilience in the face of sanctions are pivotal in understanding the regional security dynamics.

• The human element in cybersecurity becomes apparent with Russia's and China's increased use of cyber espionage and information operations targeting Lithuania.?
• These actions emphasize the importance of cyber hygiene and awareness among citizens and officials to mitigate such threats.
• Secure code practices and infrastructure hardening are critical in defending against the sophisticated cyber-espionage techniques employed by foreign intelligence services, highlighting the need for ongoing investment in cybersecurity capabilities.
• Using social networks and cyber methods by foreign intelligence services to gather information and influence political processes in Lithuania emphasizes the evolving nature of cyber threats and the importance of comprehensive cyber defence strategies.
• This is a high-level, non-technical report with no Indicators of Compromise (IoCs)

Microsoft Releases Midnight Blizard Updates

On March 8, 2024, Microsoft released a technical report on the nation-state attack detected by its security team on January 12, 2024. The attack targeted Microsoft's corporate email systems, detected on January 19, and was linked to the Russian state-sponsored actor known as Midnight Blizzard, or NOBELIUM.

• The investigation into the attack is ongoing, with Microsoft providing updates as new information becomes available.
• Evidence suggests Midnight Blizzard has been using information exfiltrated from Microsoft's corporate email systems to attempt unauthorized access to the company's source code repositories and internal systems.
• Despite these efforts, no evidence exists that Microsoft-hosted customer-facing systems have been compromised.
• Microsoft has identified and is assisting customers whose secrets may have been compromised in the emails exfiltrated by Midnight Blizzard.
• The volume of attack techniques, such as password sprays, increased tenfold in February 2024, indicating a significant escalation in the threat actor's activities.
• Microsoft has responded by increasing security investments, enhancing cross-enterprise coordination, and implementing additional security controls, detections, and monitoring to defend against this advanced persistent threat.

Insights and Analysis

The sophisticated nature of the Midnight Blizzard attack highlights the increasing complexity of the global threat landscape, especially from nation-state actors.

• Using exfiltrated information to gain further unauthorized access emphasizes the importance of securing communication channels and internal systems against espionage and cyber attacks.
• The escalation in attack volume, such as the tenfold increase in password sprays, underscores the persistent and evolving threat of nation-state actors. Organizations must continuously adapt their defensive strategies to these changing tactics.
• Microsoft's response, including enhanced security controls and cross-enterprise coordination, illustrates the critical role of organizational resilience and proactive security measures in defending against advanced persistent threats.
• The human element of cybersecurity, such as the potential for compromised secrets shared via email, stresses the need for robust, secure communication practices and ongoing vigilance in detecting and mitigating such risks.
• Secure code practices are implicitly critical in preventing unauthorized access to source code repositories, as seen in this incident. This incident highlights the necessity for stringent access controls and code security measures.
• This short, non-technical report does not contain Indicators of Compromise (IoCs)

Duvel Moortgat Brewery Cybersecurity Breach Claimed By Stormous Ransomware Gang.

On March 6, 2024, Duvel Moortgat Brewery faced a significant cybersecurity breach when the Stormous ransomware gang targeted the Belgian beer producer. The company's IT department first detected the incident, leading to an immediate shutdown of production lines to mitigate further damage.?

• Local news and BleepingComputer reported that the ransomware attack had halted operations for several days.
• Duvel Moortgat's spokesperson, Ellen Aerts, announced that servers were shut off across all Belgian sites and a site in the United States, effectively stopping production.
• The company was later listed on Stormous' leak site, with the group claiming to have exfiltrated 88 gigabytes of data and setting a ransom deadline of March 25.
• The attack is part of a concerning trend involving the Stormous ransomware gang and their collaboration with GhostSec, a group known for its single- and double-extortion tactics. Cisco Talos' recent report highlighted these groups' alliances and increased activities across numerous countries.

Insights and Analysis

The collaboration between Stormous and GhostSec represents a significant evolution in the ransomware threat landscape, showcasing the ability of these groups to execute sophisticated and disruptive attacks. This incident provides several important insights:

• The decision by Duvel Moortgat to shut down its servers promptly upon detection of the attack underlines the critical role that human decision-making plays in the immediate response to cyber threats. Training and preparedness can significantly mitigate the impact of such attacks.
• Ransomware groups often exploit vulnerabilities in software and systems to gain unauthorized access. This incident highlights the importance of secure coding practices and regular vulnerability assessments to prevent similar attacks.
• The alliance between Stormous and GhostSec points to a worrying trend of ransomware groups pooling resources and expertise to enhance the effectiveness of their campaigns. This collaboration increases the threat level to global targets, making it harder for individual organizations to defend against these attacks.
• This report is non-technical and has no indicators of compromise.

Purpose and Disclaimer.

Welcome to my daily threat insights and Analysis as a threat intelligence professional. Here, I present three key stories that captured my attention. Please note that these reports are not affiliated with any organization, and my insights should be considered as opinions or a starting point for navigating the vast sea of public reporting. Conduct a thorough impact analysis specific to your business needs before taking action. Follow me for more content and stay ahead in the ever-evolving world of threat intelligence.

References:

Story 1:

https://www.vsd.lt/en/reports/national-threat-assessment-2024/

Story 2:

https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/

Story 3:

https://therecord.media/stormous-claims-duvel-beer-attack