Overview of security incidents for the period 5-11 June 2021

The past week was marked by a number of interesting events that deserve attention, including zero-day vulnerabilities in Windows OS and the Google Chrome browser, theft of source code and internal tools from the gaming giant Electronic Arts, the emergence of new APT groups and, of course, the already familiar messages about ransomware.

Microsoft has released a planned security patch that fixes six zero-day vulnerabilities in various Windows components and the Kerberos network authentication protocol. Although the tech giant did not provide details about the attacks, according to Kaspersky Lab, two zero-day vulnerabilities in Windows (CVE-2021-31955 and CVE-2021-31956) were used in attacks by the previously unknown PuzzleMaker group, along with a chain of vulnerabilities in the Google Chrome browser. …

Following Microsoft, Google also updated its browser, eliminating a zero-day vulnerability (CVE-2021-30551) used by the same group that exploited the CVE-2021-33742 vulnerability in Windows. Whether these attacks are related to PuzzleMaker is not yet clear.

Electronic Arts has suffered at the hands of hackers who stole 780 GB of information, including the source code for FIFA 21 and the Frostbite engine, as well as internal development tools (SDKs). The company itself stated that the incident was not related to ransomware and did not affect players' data. The cybercriminals have not made the stolen data publicly available and apparently intend to sell it.

This week the source code of the computer game Cyberpunk 2077 was published on one of the underground forums. Judging by the file dates in the archive, the data was stolen on February 5, 2021, from the servers of the developer studio CD Projekt Red.

Another interesting development this week was the announcement of a 1.2 TB database containing information stolen from millions of Microsoft-based computers. The information was collected by an unidentified piece of malware and included 6.6 million files, 26 million credentials and 2 billion authorization cookies; at the time the database was discovered, 400 million of the cookies were still valid.

On June 8, more than a dozen social networks and major international media outlets went offline. The cause of the incident was a bug in the software of the CDN provider Fastly, which went unnoticed until a configuration change by one of its customers triggered it.

Cybersecurity company ESET announced a new APT group called BackdoorDiplomacy, which has been attacking foreign ministries in Africa, Asia, Europe and the Middle East for the last four years for espionage purposes. The group typically compromises corporate networks through vulnerabilities in web servers and in the administrative interfaces of network equipment (F5 BIG-IP devices, Microsoft Exchange mail servers, Plesk control panels).

The Dutch newspaper de Volkskrant published a report stating that the hackers who attacked the country's police in 2017, during the investigation of the crash of Malaysia Airlines flight MH17, could allegedly be connected with the Russian Foreign Intelligence Service (SVR). It is noted that the break-in was discovered by the Netherlands General Intelligence and Security Service (AIVD). The journalists were unable to establish whether the hackers gained access to information related to the investigation.

Information security specialists from the American company SentinelLabs analyzed a number of cyberattacks on government bodies of the Russian Federation and suggested that the intrusions could be the work of the Chinese ThunderCats group, associated with the larger TA428 group, which mainly targets Russian and East Asian resources. To penetrate the computer networks of government agencies, the attackers used phishing, exploited vulnerabilities in web applications, and compromised contractors' infrastructure. They then stole confidential information from mail servers, electronic document management servers, file servers and the workstations of managers at various levels.

Microsoft has warned of a new malicious campaign targeting production Kubeflow clusters in which the attackers deploy TensorFlow containers for cryptocurrency mining. In these attacks, the attackers gained access to the centralized Kubeflow dashboard and used the Kubeflow Pipelines platform to create a new machine-learning pipeline whose containers ran TensorFlow images configured for cryptocurrency mining.
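A defender's check that follows from this campaign is an audit of which container images are actually running in the Kubeflow namespaces, since a mining pipeline shows up as an unexpected public image where only internally built ones should run. The script below is an added example, not code from Microsoft or the Kubeflow project: it walks a pod listing in the JSON shape `kubectl get pods -A -o json` produces and flags containers whose image does not come from an approved registry. The pod list, the approved registry `registry.internal.example` and the namespace names are constructed for the example.

```python
"""Audit Kubeflow namespaces for containers pulled from unapproved registries.

Added example (not Microsoft's or Kubeflow's code). The pod listing, the
approved registry and the namespace list are constructed assumptions.
"""
import json
from typing import Dict, List

# Assumption: the only registry the organization builds its ML images from.
APPROVED_REGISTRIES = ("registry.internal.example/",)
# Assumption: namespaces in which Kubeflow components and user pipelines run.
KUBEFLOW_NAMESPACES = ("kubeflow", "kubeflow-user-example-com")

# Constructed sample in the shape of `kubectl get pods -A -o json`.
SAMPLE_POD_LIST = json.dumps({
    "items": [
        {"metadata": {"name": "ml-pipeline-7d9", "namespace": "kubeflow"},
         "spec": {"containers": [
             {"name": "ml-pipeline",
              "image": "registry.internal.example/kubeflow/pipelines:1.5"}]}},
        {"metadata": {"name": "train-run-3f2", "namespace": "kubeflow-user-example-com"},
         "spec": {"containers": [
             {"name": "main", "image": "tensorflow/tensorflow:latest"}]}},
        {"metadata": {"name": "web-frontend", "namespace": "default"},
         "spec": {"containers": [{"name": "nginx", "image": "nginx:1.21"}]}},
    ]
})


def normalize_image(image: str) -> str:
    """Expand the implicit Docker Hub prefix so registry comparison is exact.

    'tensorflow/tensorflow:latest' -> 'docker.io/tensorflow/tensorflow:latest'
    'nginx:1.21'                   -> 'docker.io/library/nginx:1.21'
    Images that already name a registry (a first path component containing a
    dot or a port, or 'localhost') are returned unchanged.
    """
    parts = image.split("/")
    if len(parts) == 1:
        return "docker.io/library/" + image
    first = parts[0]
    if "." not in first and ":" not in first and first != "localhost":
        return "docker.io/" + image
    return image


def image_is_approved(image: str) -> bool:
    """True when the (normalized) image comes from an approved registry."""
    return normalize_image(image).startswith(APPROVED_REGISTRIES)


def find_unapproved_images(pod_list_json: str) -> List[Dict[str, str]]:
    """Return one finding per container in a Kubeflow namespace whose image
    is not from an approved registry. Init containers are checked too, since a
    pipeline step can pull its payload there."""
    findings: List[Dict[str, str]] = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod["metadata"]
        if meta["namespace"] not in KUBEFLOW_NAMESPACES:
            continue  # only Kubeflow namespaces are in scope for this audit
        spec = pod.get("spec", {})
        for container in spec.get("initContainers", []) + spec.get("containers", []):
            if not image_is_approved(container["image"]):
                findings.append({
                    "namespace": meta["namespace"],
                    "pod": meta["name"],
                    "container": container["name"],
                    "image": normalize_image(container["image"]),
                })
    return findings


if __name__ == "__main__":
    for f in find_unapproved_images(SAMPLE_POD_LIST):
        print(f"UNAPPROVED {f['namespace']}/{f['pod']} "
              f"container={f['container']} image={f['image']}")
```

On the constructed sample only the user-namespace pipeline pod running the public `tensorflow/tensorflow:latest` image is flagged; the internally built pipeline image passes, and the `default` namespace is out of scope. In a real cluster the same logic can be run against the live listing, and a registry allowlist of this kind is also enforceable at admission time rather than only by after-the-fact audit.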

One of the most high-profile news items of the week was the announcement of a three-year joint operation by the FBI and the Australian police, in which law enforcement officers operated the "secure" chat platform Anøm (AN0M) to intercept criminals' messages. As a result of Operation Ironside, law enforcement officials in Australia, Europe and the United States conducted a series of searches and arrested hundreds of alleged members of various criminal organizations, ranging from Australian biker gangs to drug cartels in Asia and South America, as well as arms and human traffickers in Europe.

As part of a joint operation, law enforcement agencies from the United States, Germany, the Netherlands and Romania took down the infrastructure of the underground Slilpp marketplace. The site had been operating since 2012 and specialized in the sale of stolen credentials, including logins and passwords for bank accounts, online payment accounts, online stores, etc. So far more than a dozen people have been arrested on suspicion of involvement in the Slilpp market. The damage caused by the site is estimated at $200 million.

Ransomware groups continue to actively add to their lists of victims, despite the attention drawn by recent high-profile incidents. For instance, one of the largest manufacturers of memory cards and solid-state drives, the Taiwanese company ADATA, was forced to shut down part of its systems due to an attack by the Ragnar Locker ransomware group. On its darknet leak site, Ragnar Locker claimed to have stolen 1.5 TB of important data, including business information, financial data, schemas, GitLab and SVN source code, etc.

It has also become known that JBS USA (a subsidiary of the world's largest meat producer, JBS SA) paid the hackers a ransom of $11 million after a ransomware attack. The attack, attributed to the REvil group (aka Sodinokibi), occurred on May 30 this year and caused serious disruptions to the IT systems of the company's North American and Australian divisions.

In addition, the US Department of Justice recovered 63.7 bitcoins (approximately $2.3 million) of the ransom that the fuel giant Colonial Pipeline paid to the DarkSide ransomware operators. Law enforcement officials tracked several bitcoin transfers and identified the address to which approximately 63.7 bitcoins had been transferred. With the help of a special "key", FBI specialists were able to gain access to the criminals' assets.
