Your Daily Decrypt

8/24/2023 - Today’s news and insights for cybersecurity pros and leaders

📰 Top Stories 

Summary

Who's Affected: Danish hosting firms CloudNordic and AzeroCloud, part of the same company.

What Happened: A ransomware attack unfolded last Friday night and wiped out the majority of customer data. The attackers encrypted every server disk, including the primary and secondary backups, leaving nothing to restore from.

How It Happened: During a data center migration, servers that were already infected were connected to the broader network, giving the attackers a path to critical systems, data storage silos, and the backup systems.

Response: The hosting providers shut down all systems and have engaged with security experts and reported the incident to the police. They've refused to pay the ransom and are working on restoring what they can.

Impact: "Several hundred Danish companies" have been impacted, losing everything they stored in the cloud: websites, emails, documents, and more. Much of the data appears to be irrecoverable.

Recommendation to Customers: The hosting firms have recommended that heavily impacted customers move to other providers.

Why it’s important to you

Understand Your Risk: If you're a customer of CloudNordic or AzeroCloud, assess the impact on your data and follow the provided instructions for recovery.

Stay Vigilant: Hosting providers are becoming attractive targets for ransomware gangs, causing large-scale damage.

Consider Backup Strategies: This event highlights the importance of a backup strategy whose copies cannot be reached from the production environment. Backups that sit on the same storage and are reachable with the same credentials get encrypted alongside the primaries, as happened here; off-site, offline or immutable copies, tested by actually restoring from them, are what mitigate a ransomware attack.

Learn from Others: Other hosting providers should treat this incident as a warning and verify that their security measures, including firewalls and antivirus, are in place and effective, especially during operations like data center migrations, when systems that were previously isolated get joined to the production network.
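As an added example, not code from the newsletter or from either hosting firm, here is a Python restore check for the backup point above: a SHA-256 manifest is written when the backup is taken and kept with the off-site copy, and a restored tree is later verified against it, so files that came back encrypted or did not come back at all are caught before they are needed. The file tree, paths and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root. Produce this when the
    backup is taken and store it with the off-site copy, so the restore test
    below does not depend on anything the attacker could also have encrypted."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest. Files that are absent or
    whose digest differs (for example encrypted in place) are reported; a clean
    restore gives an empty list under both keys."""
    problems = {"missing": [], "modified": []}
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            problems["missing"].append(rel)
        elif sha256_file(p) != digest:
            problems["modified"].append(rel)
    return problems


def demo() -> dict:
    """Constructed scenario: a small customer tree is backed up, then a restore is
    checked in which one file came back encrypted and one did not come back."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        for rel, data in {"site/index.html": b"<h1>hello</h1>",
                          "mail.db": b"mail records",
                          "docs/notes.txt": b"notes"}.items():
            (live / rel).parent.mkdir(parents=True, exist_ok=True)
            (live / rel).write_bytes(data)
        manifest = build_manifest(live)

        restored = Path(tmp) / "restored"
        (restored / "site").mkdir(parents=True)
        (restored / "site" / "index.html").write_bytes(b"<h1>hello</h1>")
        # Simulated ransomware damage: mail.db restored as ciphertext, notes.txt never restored.
        (restored / "mail.db").write_bytes(b"\x00encrypted-by-ransomware\x00")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

Run build_manifest on the backup host and keep the manifest out of band with the off-site copy; then make verify_restore part of a scheduled restore drill into a scratch environment rather than a check that only runs on the day you need the backup.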

Summary

Who's Behind the Attacks: Unknown, but the activity aligns with the interests of the People's Republic of China.

What They Did: Resumed a hacking campaign called HiatusRAT, targeting U.S. Department of Defense (DoD) procurement sites and organizations in Taiwan.

How They Did It: Built the campaign's infrastructure from more than 100 compromised edge routers in Europe and Latin America. The new campaign targeted a DoD server containing information on military contracts, and the compromised edge devices were mainly made by Ruckus.

Previous Operations: HiatusRAT was initially disclosed in March with two malicious binaries. It shares similarities with other campaigns like Volt Typhoon but involves separate threat actors.

Why it’s important to you

Stay Alert: Companies doing business with the DoD, especially smaller firms and those supporting Taiwan, should monitor their networking devices for the presence of HiatusRAT.

Understand the Threat Landscape: This campaign aligns with broader efforts to gather intelligence on defense contracts and manufacturing related to Taiwan.

Consider Security Measures: Organizations must ensure their networking devices, including routers and firewalls, are secure against compromise: keep firmware current, replace end-of-life models that no longer receive updates, keep management interfaces off the internet, and baseline what the devices themselves talk to so that new outbound connections stand out.

Recognize Global Implications: The targeting of U.S. defense and Taiwan's manufacturing sectors indicates a coordinated effort that may have geopolitical implications.
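As an added example, not code from the newsletter or from any vendor, here is a Python check over constructed flow records that flags connections an edge device opened from its own management address to a destination outside an egress allowlist, and measures the spacing between repeated connections. The device inventory, allowlist, addresses and flow format are all assumptions; this is a generic management-plane baseline check, not a HiatusRAT signature, and it assumes a flow source where the device's own traffic is distinguishable from NAT'd transit traffic.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed inventory: the edge routers' own management addresses.
EDGE_DEVICES = {"192.0.2.1": "branch-rtr-01", "192.0.2.2": "branch-rtr-02"}

# Constructed egress allowlist for the devices themselves: NTP, syslog, vendor updates.
ALLOWED_EGRESS = {("198.51.100.10", 123), ("198.51.100.20", 514), ("198.51.100.30", 443)}

# Internal ranges whose traffic is covered by other rules (assumption).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed flow records in a simple "TIMESTAMP key=value ..." export format.
SAMPLE_FLOWS = """\
2023-08-22T03:14:07Z src=192.0.2.1 dst=198.51.100.10 dport=123 proto=udp bytes=76
2023-08-22T03:14:09Z src=192.0.2.1 dst=198.51.100.20 dport=514 proto=udp bytes=410
2023-08-22T03:15:02Z src=192.0.2.2 dst=203.0.113.77 dport=4433 proto=tcp bytes=5120
2023-08-22T03:20:02Z src=192.0.2.2 dst=203.0.113.77 dport=4433 proto=tcp bytes=5220
2023-08-22T03:21:40Z src=10.20.0.15 dst=203.0.113.5 dport=443 proto=tcp bytes=90000
2023-08-22T03:25:02Z src=192.0.2.2 dst=203.0.113.77 dport=4433 proto=tcp bytes=5180
2023-08-22T03:26:11Z src=192.0.2.1 dst=10.0.0.9 dport=22 proto=tcp bytes=3000
"""


def parse_flow(line: str) -> dict:
    """'TIMESTAMP k=v k=v ...' -> dict; dport and bytes become ints."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec.get("bytes", 0))
    return rec


def unexpected_egress(lines, devices=EDGE_DEVICES, allowed=ALLOWED_EGRESS) -> dict:
    """Device name -> list of (ts, dst, dport, bytes) for connections the device
    itself opened to a destination/port outside the allowlist and outside the
    internal ranges. Flows whose source is not a device address are transit or
    host traffic and are ignored here."""
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_flow(line)
        src = rec.get("src")
        if src not in devices:
            continue
        dst = rec["dst"]
        if (dst, rec["dport"]) in allowed:
            continue
        if any(ip_address(dst) in net for net in INTERNAL_NETS):
            continue
        hits[devices[src]].append((rec["ts"], dst, rec["dport"], rec["bytes"]))
    return dict(hits)


def beacon_intervals(events) -> list:
    """Seconds between consecutive flagged connections. Near-constant spacing
    (every 300 s in the sample) is the regularity that warrants a closer look."""
    times = sorted(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ") for ts, *_ in events)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    for device, events in unexpected_egress(SAMPLE_FLOWS.splitlines()).items():
        print(device, "->", sorted({(d, p) for _, d, p, _ in events}),
              "intervals:", beacon_intervals(events))
```

The allowlist is the whole point: a router's own outbound traffic should be short and predictable (time, logging, updates), so anything else from its address is worth a ticket regardless of whether a known indicator matches.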

🚨 Threat Alerts

Summary

What's the Vulnerability: A vulnerability in WinRAR, tracked as CVE-2023-38831, that was exploited in the wild as a zero-day before a fix existed.

How It's Exploited: The vulnerability has been exploited since April 2023 through malicious .RAR and .ZIP archives that display seemingly harmless files like images or PDFs. The archive also contains a folder with the same name as the harmless file; because of how WinRAR processes that layout, opening the harmless file runs a script stored in the folder, which installs malware including DarkMe, GuLoader, and Remcos RAT.

What's Been Affected: Cryptocurrency and stock trading forums were targeted, with at least 130 traders' devices confirmed infected. The total number of victims and financial losses are unknown.

How the Attack Works: Attackers shared seemingly legitimate trading strategies via malicious archives on trading forums. When users opened a PDF or other file within the archive, a script was executed to install malware, while simultaneously loading a decoy document.

Actions Taken: WinRAR released version 6.23 on August 2, 2023, which fixed this and other vulnerabilities. Users are urged to upgrade to the latest version.

Why it’s important to you

Stay Informed: If you are a user of WinRAR, especially in the trading community, be aware of this vulnerability.

Be Proactive: Updating to the latest version of WinRAR can protect you from this threat. Note that WinRAR does not update itself, so the new version has to be installed deliberately, and archives received from forums or chats should be treated as untrusted until it is.

Consider Implications: The targeted nature of this campaign against traders indicates a focused attempt to steal crypto assets or conduct espionage, highlighting the need for vigilance in the trading community.
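As an added example, not code from the newsletter or from WinRAR's developers, here is a Python scanner for the archive layout described above: a plain file entry and a folder entry that share the same name, with a script inside the folder. It handles ZIP archives only, using the standard library, and builds a constructed, inert sample archive in memory to scan. The extension list and the decoy name (with a trailing space, modelled on the public write-ups) are assumptions for illustration.

```python
import io
import posixpath
import zipfile

# Extensions Windows will run when the entry is opened from the extracted temp
# folder; this list is an assumption for the example, extend it for your estate.
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".com", ".lnk"}


def suspicious_entries(zf: zipfile.ZipFile) -> list:
    """Flag the layout used to trigger CVE-2023-38831: a file entry and a folder
    entry that share the same name, with members inside that folder.

    Returns (decoy_name, member_name, has_script_extension) tuples. A file and a
    folder cannot share a name on a normal Windows volume, so the collision alone
    is unusual; a script inside the folder is the documented trigger."""
    names = zf.namelist()
    files = {n for n in names if not n.endswith("/")}
    # Folder names appear as explicit "x/" entries or are implied by member paths.
    folders = {n.rstrip("/") for n in names if n.endswith("/")}
    folders.update(posixpath.dirname(n) for n in files if posixpath.dirname(n))
    findings = []
    for decoy in sorted(files & folders):
        for member in sorted(files):
            if posixpath.dirname(member) == decoy:
                ext = posixpath.splitext(member)[1].lower()
                findings.append((decoy, member, ext in SCRIPT_EXTS))
    return findings


def scan_bytes(data: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return suspicious_entries(zf)


def build_lure_archive() -> bytes:
    """Constructed sample with the reported layout; the 'script' is inert text."""
    decoy = "Trading_strategy.pdf "  # trailing space kept (assumption from public write-ups)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(decoy, b"%PDF-1.4\n% harmless decoy\n")
        zf.writestr(f"{decoy}/{decoy}.cmd", b"@echo off\r\necho placeholder\r\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed ordinary archive: a document plus a folder with a different name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Trading_strategy.pdf", b"%PDF-1.4\n")
        zf.writestr("charts/btc.png", b"\x89PNG\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    if not paths:
        print("lure  :", scan_bytes(build_lure_archive()))
        print("benign:", scan_bytes(build_benign_archive()))
    for path in paths:
        with zipfile.ZipFile(path) as zf:
            for decoy, member, is_script in suspicious_entries(zf):
                print(f"{path}: {member!r} sits in a folder named after file {decoy!r}"
                      f"{' (executable extension)' if is_script else ''}")
```

Run it against a directory of downloaded archives at a mail or download gateway; a hit with an executable extension is the pattern to quarantine, and a bare name collision is still worth a look, since no ordinary archiver produces one.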

Summary

Who's Behind the Hack: Two British teenagers, members of the Lapsus$ extortion gang.

What They Did: Convicted for hacking, blackmail, and fraud, targeting companies like Nvidia, Uber, Rockstar Games, Samsung, Revolut, Okta, and Microsoft.

How They Did It: The duo utilized techniques such as gaining remote access to corporate networks, social engineering, and SIM swapping. They also purchased access credentials from initial access brokers and leveraged phishing techniques.

What's Been Affected: Well-known organizations were breached, with information leaks, ransom demands, and cryptocurrency theft. They even hacked into the City of London Police servers.

What Actions Were Taken: Both teenagers were arrested in January 2022, charged in April 2022, and later convicted on multiple counts. A case review for one of the teens is scheduled for Sept. 21, and the other will return to court on Nov. 9 for possible sentencing.

Why it’s important to you

Stay Informed: If your organization is in sectors like gaming, fintech, or technology, understanding the tactics of hacking groups like Lapsus$ can aid in defense.

Be Proactive: The use of simple techniques like phishing emphasizes the need for robust cybersecurity awareness training, and the use of SIM swapping shows that SMS-based codes are not enough: phishing-resistant MFA rather than SMS or push approvals alone.

Consider Implications: The conviction of these individuals sets a precedent for law enforcement action against young hackers, but the low complexity of their attacks indicates that organizations must remain vigilant against even seemingly unsophisticated threats.

⚖️ Regulatory Updates

Summary

The U.S. National Security Agency (NSA) and other defense intelligence agencies have been given the ability to offer higher pay for cyber and STEM (Science, Technology, Engineering, and Math) roles. The new pay system was quietly approved in May, allowing a “targeted local market supplement” for 23 occupational series within the defense civilian intelligence personnel system (DCIPS).

Key Details:

  • New Pay Scales: New employees with a bachelor's degree can be paid a minimum salary of $76,156, while those with a master's degree could be offered a minimum of $88,250. The highest salary caps at $183,500.

  • Who's Covered: The DCIPS includes agencies like the NSA, the National Geospatial-Intelligence Agency, the Defense Intelligence Agency, and intelligence branches of the military services.

  • Goal: The new supplemental salary rates aim to make defense intelligence agencies more competitive in the tight labor market for technical talent.

  • Previous System: This new system replaces a special pay rate structure offered only by the NSA.

  • Possible Impact: Some agencies could offer up to a 35% pay bump, stemming the loss of highly skilled employees to the private sector.

  • Ongoing Review: The Pentagon plans to review the new pay system twice a year for alignment with labor market rates.

  • Wider Implications: This move comes amid a more fractured cyber and IT pay system across government. While the Defense Department and the Department of Homeland Security have had pay flexibilities, most other agencies don't offer such benefits.

Why it’s important to you

The ability to offer higher pay rates for cyber and STEM roles will enable defense intelligence agencies to attract and retain talent in these critical areas. The move recognizes the importance of competitive compensation in retaining skilled professionals, particularly at a time when private sector compensation is far outpacing government rates for similar roles. However, it also highlights the disparate pay structures across different government departments and the challenges that may pose for talent retention in non-defense agencies.

👀 Curated Finds

Summary

Who's Behind the Activity: North Korean hackers, affiliated with the Democratic People's Republic of Korea (DPRK) and known as Lazarus Group or APT38, operating under the campaign named "TraderTraitor."

What They Did: Stole cryptocurrency assets worth hundreds of millions of dollars from various exchanges and platforms.

How They Did It: The hackers carried out cyber attacks on entities like Alphapo, CoinsPaid, and Atomic Wallet, and moved the stolen funds to six identified crypto wallets.

What's Been Affected: Roughly 1,580 Bitcoin (worth over $40 million) are believed to be held in these wallets, originating from recent thefts.

What Actions Were Taken: The FBI has published information on the six cryptocurrency wallets and urged private sector entities to be vigilant against transactions involving these addresses.

Why it’s important to you

Stay Informed: Understanding the tactics and methods of the Lazarus Group can help in safeguarding against potential threats.

Be Proactive: If engaged in the cryptocurrency industry, screening transactions against the published addresses helps you avoid processing funds that pass through these attacker-controlled wallets.

Consider Implications: North Korea's continued aggressive cyber operations targeting the cryptocurrency sector indicate a broader strategic focus on financial theft and manipulation, which could have wider geopolitical and security implications.

Please let me know if you have any comments or feedback by replying to this email or messaging me on X!

Thank you 🙏
Ali Abidi