Wednesday 13th November 2024
Aidan Dickenson
Business Development Manager // Tailored solutions to enhance security, improve efficiency, and drive growth.
Good morning everyone and thank you for joining me for the latest instalment of Cyber Daily. Today we're looking at how Amazon’s recent data breach and an audacious IP spoofing attack on the Tor network prove that cyber threats are as persistent as ever. From privacy-protecting networks being targeted to employee info floating around BreachForums, it’s a reminder of the cat-and-mouse game between hackers and defenders. And while Amazon reassures us their systems remain untouched, the Tor Project is busy reinforcing its defenses, proving that even the most secure systems sometimes need a little backup.
Ymir ransomware debuts with a twist, aiming to redefine stealthy attacks
Cybersecurity researchers are sounding the alarm on Ymir, a new ransomware family designed with a mix of unconventional memory management tactics, according to Kaspersky. This fresh ransomware surfaced in a recent Colombian cyberattack following an initial breach by RustyStealer malware, which gathered credentials that attackers used to infiltrate networks. Ymir sets itself apart by loading code directly into memory using a unique blend of malloc, memmove, and memcmp functions, which makes it harder to detect.
Beyond its stealth, Ymir ransomware is selective: attackers can define specific directories to target while skipping whitelisted files. Ymir encrypts files with the ChaCha20 stream cipher and leaves its mark by appending a distinct ".6C5oy2dVr6" extension to compromised files.
This evolution in ransomware mirrors broader trends. Some ransomware groups, like Black Basta, have recently deployed novel tactics, using Microsoft Teams and malicious QR codes to initiate breaches, while others pose as IT support staff to lure victims. These evolving techniques are part of a fast-splintering ransomware landscape, which saw 31 new groups emerge over the past year, challenging companies globally.
Amazon data breach exposes employee info through third-party vulnerability
Amazon recently disclosed a data breach affecting employee records, allegedly linked to the MOVEit attacks from May 2023. While Amazon systems were not directly compromised, the breach occurred through a third-party vendor, exposing over 2.8 million employee records, according to a leak on BreachForums by a threat actor named "Nam3L3ss."
Compromised data includes work-related contact details, such as names, email addresses, desk phone numbers, and building locations—but excludes sensitive data like Social Security numbers or financial information. Amazon clarified, “Amazon and AWS systems remain secure,” noting that only employee work contact information was affected.
The breach appears to be part of a larger incident affecting 25 major organizations. Cybersecurity firm Hudson Rock reports that Nam3L3ss may have acted independently or as an affiliate of the CL0P ransomware group, known for MOVEit exploits. The breach underscores the risks third-party vendors pose to enterprise security, even for tech giants like Amazon.
Tor network hit by coordinated IP spoofing attack
The Tor anonymity network recently faced an IP spoofing attack aimed at undermining its infrastructure, according to the Tor Project and relay operators. Beginning October 20, Tor directory authorities—the backbone of Tor’s network management—were targeted by automated abuse complaints, falsely implicating their IPs in malicious port scanning activities. As a result, some relays were briefly shut down, disrupting network stability.
Attackers used spoofed SYN packets to make it appear as if non-exit Tor relays were conducting the scans, triggering complaints to ISPs and placing these IPs on blocklists. The Tor Project reassured users that the attack did not impact their privacy or security. However, it posed significant challenges for relay operators, who had to address the mounting complaints.
Though the source of the attack remains unknown, the Tor Project and researchers believe government actors, hacktivists, or cybercriminals may have wanted to disrupt Tor, a crucial tool for bypassing censorship and ensuring privacy. After the Tor community joined forces with InterSecLab and GreyNoise, the attack was shut down on November 7.