Risky Biz News: Ransom campaign hits cloud servers

2024/8/15
Risky Business News

An attacker has been accessing cloud environments by scanning for .env files and extracting login credentials, leading to data theft and ransom demands.

A data extortion campaign hits misconfigured cloud servers. Iranian hackers targeted the Harris campaign as well. Germany wants to limit Windows kernel access for security products. And 2024 is set to become the highest grossing year for ransomware. This is Risky Business News, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 16th of August and this podcast episode is brought to you by Corelight.

In today's top story, security firm Palo Alto says an attacker has been accessing cloud environments by scanning the internet for .env files and extracting login credentials from them. .env files act as centralized locations for storing configuration data for cloud software. The attacker has scanned more than 230 million servers and extracted around 7,000 cloud access keys.

In some instances, the attacker used the keys to steal data, delete it, and then asked for a ransom to return the stolen files. It's unclear if any victim has paid.
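The exposure described above comes from configuration files left inside a web-served directory. As an added example (not code from the podcast or from Palo Alto's research), the following defender-side check walks a document root for .env files that hold credential-looking entries, so a deployment can be failed before the file is reachable from the internet; the key and value patterns are an assumption for this example, not an exhaustive catalogue.

```python
import re
import tempfile
from pathlib import Path

# Key names that indicate a credential rather than harmless config (assumed list for this example).
SENSITIVE_KEY_RE = re.compile(
    r"^(AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY)|.*(SECRET|PASSWORD|TOKEN|API_KEY).*)$", re.I
)
# Value shape of an AWS access key id (AKIA/ASIA prefix plus 16 upper-case alphanumerics).
AWS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines of a dotenv file; skips comments, blanks and 'export ' prefixes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def find_exposed_secrets(webroot: str) -> list:
    """Return (relative path, key) pairs for credential-like entries in any .env* file under webroot."""
    findings = []
    for path in sorted(Path(webroot).rglob(".env*")):
        if not path.is_file():
            continue
        for key, value in parse_env(path.read_text(errors="replace")).items():
            if SENSITIVE_KEY_RE.match(key) or AWS_KEY_RE.search(value):
                findings.append((str(path.relative_to(webroot)), key))
    return findings


def demo() -> list:
    """Constructed sample: a framework-style .env dropped into a served directory (no real keys)."""
    root = tempfile.mkdtemp()
    sample = (
        "# constructed sample, not a real key\n"
        "APP_NAME=shop\n"
        "export DB_PASSWORD='hunter2'\n"
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n"
        "AWS_DEFAULT_REGION=us-east-1\n"
    )
    Path(root, ".env").write_text(sample)
    return find_exposed_secrets(root)
```

A non-empty result from `find_exposed_secrets` on a document root is a deployment blocker; the same file is harmless in a directory the web server never serves.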

In other news, the Iranian hackers who breached the Trump campaign earlier this year also targeted the Biden-Harris camp. The group attempted to phish the Democratic campaign in May and June. Google tracks the group as APT42 and says the threat actor has a long history of going after high-ranking government officials in both the US and Israel. The FBI also told the Harris presidential campaign it was the target of a foreign actor's influence operation.

Meta says it's seeing an increased number of private companies running disinformation and influence operations on behalf of the Russian government. These private contractors usually run low-quality, high-volume campaigns centred around Russia's war in Ukraine.

Meta says the contractors struggle to engage authentic audiences and are often called out as trolls by users. The social media giant expects more private companies to join the disinformation-for-hire scene as Russia's info-op needs grow.

Two Russian state-sponsored groups have launched spear phishing campaigns targeting Western and Russian civil society. The attacks were discovered by security researchers from Access Now and Citizen Lab. The malicious emails have targeted Russian and Belarusian non-profits, Russian independent media, international NGOs in Eastern Europe and the former US ambassador to Ukraine.

Citizen Lab tied one of the campaigns to a group known as Cold River and Callisto, who were linked to Russia's FSB intelligence service. The second campaign was the work of a new group named Cold Wastrel, also believed to be linked to the Russian government.

Australian security firm CyberCX has identified a network of at least 5,000 X accounts involved in a large-scale disinformation campaign. The Green Cicada network is one of the largest X disinformation efforts ever discovered. It's been active since late last year and predominantly engages with US political and cultural issues.

Researchers say the Green Cicada accounts appear to be controlled by a large language model AI system. CyberCX has found clues to link the network to Chinese AI company Zhipu AI and an AI researcher affiliated with Tsinghua University in Beijing.

Germany's cybersecurity agency wants to limit the ability of cybersecurity tools to access the Windows kernel. The Federal Office for Information Security is exploring the idea after a CrowdStrike update bricked 8.5 million Windows systems in July.

Microsoft can't limit security tools from accessing the Windows kernel due to a previous agreement with European antitrust regulators. The agency, the BSI, is planning a conference later this week with major tech firms where it hopes they'll commit to restricting access to the kernel in a way that satisfies competition concerns.

India's telecom watchdog has ordered service providers to take measures to block unwanted spam and promotional calls from unregistered telemarketing numbers. Providers are required to create block lists and share blocked numbers with each other no more than 24 hours after a number's been banned. Providers that fail to comply with the new rules risk being disconnected from the national network for up to two years.

The Texas Attorney General has sued General Motors for illegally collecting and selling drivers' data to insurance companies. Texas officials say the carmaker used dark patterns to trick car owners into consenting to having their data collected and sold to third parties.

This data was later used to create driving scores that helped vehicle insurers charge larger fees. GM is the first car manufacturer to be hit with a lawsuit for selling driver data. The Texas OAG says it's also investigating other car makers for the same practice.

Biotech company Enzo Biochem will pay $4.5 million to settle regulatory charges from a 2023 ransomware attack that exposed the personal data of 2.4 million patients. The sum will be shared by patients in Connecticut, New York and New Jersey. Attorneys General from the three states sued the company for its lax security.

Officials said hackers breached Enzo Biochem after getting hold of login credentials shared by multiple employees that had not been changed for more than a decade.

Car dealership chain AutoCanada was hit by hackers last weekend. The company says it shut down systems after a breach of its internal IT systems on Sunday. AutoCanada says it expects the attack to cause disruptions to its operations until systems are restored.

Italian police have detained two suspects believed to have stolen $14.4 million from cryptocurrency platform Holograph. The company filed a complaint with French authorities after being hacked in June. Holograph's token lost 80% of its market value after the incident. The two suspects are set to be extradited to France to face charges.

A threat actor has stolen $1.2 million worth of assets from the VAL cryptocurrency project. VAL says the attacker exploited a recent change in its conversion rate to receive 100 times the funds they were entitled to. The project is looking at ways to recover the funds.

A judge has sentenced a Russian national to 40 months in prison for selling stolen financial data and login credentials on an underground forum known as Slilpp.

Officials say Georgi Kavzharadze was one of the site's most prolific vendors, going by the name of TeRorPP. He made over $1.2 million selling stolen data and credentials on the site. The FBI tracked down Kavzharadze after it seized Slilpp in June 2021. He's been in custody since May 2022.

Security firm iVerify has found that an app pre-installed on millions of Google Pixel devices exposes users to attacks. iVerify says an app named Showcase APK has extensive system privileges that can allow traffic interception, code injection and remote code execution attacks. Google says it plans to remove the app in a future update.

CISA says that threat actors are exploiting a recently patched vulnerability in SolarWinds Web Help Desk servers. The vulnerability was classified as under exploitation a day after a patch was made available. The Java deserialization flaw affects all versions of the software. It has a severity score of 9.8 out of 10 and allows remote attackers to take over servers without authentication.

2024 is on track to become the highest grossing year ever for ransomware gangs. Organizations have paid almost $460 million in ransom payments in the first half of the year. Chainalysis says the number of attacks and payments are down, but threat actors are collecting larger payments than ever before. The best example of this is a huge $75 million ransom paid to the Dark Angels group at the

Chainalysis estimates this year's median ransom payment is $1.5 million, up from $200,000 at the start of 2023.

And finally, around 40% of all cyber insurance claims filed this year were caused by a failure at a third-party vendor. Cyber risk company Resilience says that vendor-driven claims are the fastest-growing area in its portfolio. The company warns that over-reliance on a small number of ubiquitous software vendors is creating huge opportunities for threat actors, especially ransomware gangs.

And that is all for this podcast edition. Today's show is brought to you by our sponsor, Corelight. Find them at corelight.com. Thanks for your company.