CyberWatch

Ransomware, Supply Chain Attacks, and Nation-State Threats

By

By

Access Point Consulting

CyberWatch, by Access Point Consulting, is your weekly source for emerging cybersecurity news, regulatory updates, and threat intelligence. Backed by experts in security consulting, regulatory compliance, and security operations, Access Point enables you to manage cyber risks, respond to incidents, and drive innovation in your company. Read here or on our website; listen on Spotify or Apple Podcasts; or watch on YouTube.

Ransomware Attacks on the Rise

Casio Faces Prolonged Ransomware Attack

Casio has been grappling with a ransomware attack since October 5th, showing no signs of resolution. According to TechCrunch, a Casio spokesperson stated that the company sees no immediate prospect of recovery from the attack, which has significantly impacted its ability to receive and place orders with suppliers and schedule product shipments to customers.

While Casio operates globally, the attack appears to have primarily affected its operations in Japan. The company swiftly pulled multiple servers offline to prevent the lateral spread of the malicious payload. Despite these efforts, sensitive company data and personal information of employees, contractors, business partners, and job applicants have been compromised. The underground ransomware group claiming responsibility is linked to the Russia-supported cybercriminal organization known as RomCom or Storm-978.

Nidec Hit by Ransomware and Data Leak

In another incident affecting Japanese firms, Nidec—a global leader in precision motors, automotive components, industrial parts, home appliance parts, and robotic systems—was targeted by a ransomware attack earlier this year. As reported by BleepingComputer, the attack focused on Nidec Precision's division based in Vietnam.

Unlike typical ransomware attacks that encrypt data, this assault involved exfiltrating sensitive and confidential information, which was later released on the dark web when the company refused to pay the ransom. The EightBase ransomware gang claimed responsibility, seemingly collaborating with the Everest Group to demand payment. Both groups are believed to be Russian-affiliated.

Expert Recommendations

In response to these incidents, cybersecurity analysts emphasize the importance of:

  • Rapid Software Patching and Updating: Regularly update systems to mitigate vulnerabilities.
  • Password and Credential Hygiene: Implement strong password policies and change credentials routinely.
  • Multi-Factor Authentication (MFA): Use MFA wherever possible to add an extra layer of security.
  • Employee Training: Provide continuous cybersecurity awareness training.
  • Robust Incident Response Plan: Develop and maintain a strong incident response strategy.

Supply Chain Attacks Remain a Significant Threat

ESET's Israeli Distributor Compromised

Cybersecurity vendor ESET faced a supply chain attack when its distribution partner in Israel was hacked. According to BleepingComputer, attackers used the distributor's email servers to send highly convincing phishing emails to Israeli businesses, distributing data wipers disguised as antivirus software.

These malicious emails leveraged the distributor's legitimate servers and hosted the harmful payloads on their servers. The malware exhibited sophisticated obfuscation and anti-detection techniques, refusing to run on virtual machines or systems with forensic tools enabled. No group has claimed responsibility, but historically, nation-state-associated groups have used such malware as weapons against Israel.

Fake Google Meet Pages Deliver Malware

The Hacker News reports that attackers are exploiting fake Google Meet pages to deliver info-stealer malware to both Windows and macOS users. The campaign uses deceptive error messages to trick users into copying and executing malicious PowerShell scripts in terminal windows, effectively bypassing many traditional security measures.

The malware, associated with the Russian-based criminal network trafficking group known as "LukFix," highlights the rise of open-source malware. This trend makes it easier and cheaper for cybercriminals to conduct widespread attacks, posing significant risks to organizations.

Mitigation Strategies

Analysts recommend the following measures to combat supply chain attacks:

  • Employee Training: Educate staff to recognize phishing attempts and suspicious activities.
  • Micro-Segmentation: Implement network segmentation to limit the spread of malware.
  • Adherence to Best Practices: Follow industry-standard cybersecurity protocols.
  • Architectural Enhancements: Strengthen system architectures to reduce vulnerabilities.

Nation-State Attacks Target New Victims

APT34 Targets Middle Eastern Entities

APT34, a group openly sponsored by Iran, has launched a new wave of attacks against targets primarily in the United Arab Emirates and the Persian Gulf region. According to Cybersecurity News, the group employs a new backdoor to target Microsoft Exchange servers and steal passwords. They also exploit the Windows CVE-2024-30088 vulnerability to escalate privileges on affected devices.

The attackers download and install Ngrok, a remote monitoring and management application that enables covert communications via secure tunnels. This allows them to intercept plaintext credentials, which are then emailed back to themselves using the victim's own email servers.

Preventative Measures

To defend against such attacks, organizations should:

  • Proactive Patching and Updating: Regularly address known vulnerabilities by updating systems.
  • Advanced Security Monitoring: Implement threat detection and monitoring solutions.
  • Strict Access Controls: Limit administrative privileges and enforce the principle of least privilege.

Positive Developments in Cybersecurity

Amid the concerning news, there is a silver lining. The Register reports that Microsoft has observed an increasing percentage of ransomware attacks being stopped before they can encrypt victims' data. This positive trend is attributed to:

  • Automatic Attack Detection and Disruption: Security solutions effectively identifying and neutralizing threats.
  • Improved Backup and Recovery Strategies: Organizations better prepared to restore data without paying ransoms.
  • Wider Adoption of Best Practices: Enhanced implementation of cybersecurity protocols.
  • Enhanced Employee Training: Users are more vigilant and better equipped to handle threats.

However, Microsoft also notes that the overall number of attacks continues to rise, emphasizing the need for ongoing vigilance.

Cybersecurity Awareness Month Tip

In honor of Cybersecurity Awareness Month, we offer this crucial tip:

Understand and Implement Best Security Practices

  • Know the Standards: Familiarize yourself with the best security practices relevant to your organization's size and industry.
  • Tailor Implementation: Not every practice applies universally. Assess which strategies offer the best return on investment for your specific situation.
  • Resource Allocation: Recognize practical, financial, and human limits. Focus on practices that provide significant risk reduction.

Resources

Trending Articles & Security Reports

Resources

CyberWatch

November 22, 2024

Patch Updates, New Malware Threats, and the Ongoing Supply Chain Battle

On this episode of the CyberWatch podcast, there are updates to software across the application and OS spectrum. New malicious campaigns are threatening victims of all sizes, and researchers have performed dissections on malware to give defenders new clues about just what it is they're fighting. All this today, in CyberWatch.

Find out more
October 7, 2024

VINs and Losses: How Hackers Take Kias for a Ride

In the age of smart cars and connected devices, convenience often comes with hidden risks. A recently discovered critical vulnerability in Kia vehicles serves as a stark reminder of how our increasingly digital world is making cars new targets for cyberattacks. This vulnerability allowed hackers to remotely control various vehicle functions—using nothing more than a car's license plate number. It highlights the growing threat of cyberattacks on connected cars and the importance of cybersecurity in the automotive industry.

Find out more
October 3, 2024

Vulnerability in SolarWinds Managed File Transfer Server Actively Exploited

CVE-2024-28995 SolarWinds has issued a critical update for a zero-day vulnerability in its Serv-U MFT Server, allowing attackers to bypass security and access restricted files without authentication. Actively exploited, this flaw poses a significant risk for businesses that delay applying the fix.

Find out more