Cybersecurity researchers found that North Korean hackers pretend to work for a think tank to obtain opinions and reports from foreign experts to better understand Western policy on North Korea. According to Reuters, some of the issues raised in the emails concerned China’s reaction to North Korea’s nuclear tests, while researchers dubbed Thallium to be among these hacking groups, which have been targeting government employees, think tanks, academics, and human rights organisations. Microsoft Threat Intelligence Center (MSTIC) told Reuters that the impersonation tactic appears to be quicker than hacking someone’s account, but makes it harder for defenders to stop the emails as it is up to the recipient to identify them most of the time.
Cybercrime
Increased Truebot Malware infection identified by threat intelligence research group CISCO
CISCO identified an increased infection of Truebot malware, with a high possibility of its association with the Evil Corp threat actor. CISCO also found that attackers shifted their malicious delivery methods among various techniques. In October 2022, many infections used Raspberry Robin, a recent malware spread through USB drives, as a delivery vector. One of these attacks had a fully featured custom data exfiltration tool named Teleport, which was used to steal information. So far, two Truebot botnets have been identified. The first is distributed online, focusing on Mexico, Pakistan, and Brazil. In contrast, the second mainly focuses on the USA and is almost exclusively composed of Windows servers.
Hospital in France forced to go offline and cancel all operations
A hospital in the Parisian suburb of Versailles, France, has been the victim of a cyberattack which led to the cancellation of all operations and transfer of patients to other hospitals. It appears that the attack was led by ransomware actors, but it is yet unclear whether data was stolen.
Amnesty International Canada target of sophisticated cyberattack
In October 2022, Amnesty International Canada detected and investigated a sophisticated digital security breach. The organisation announced that, according to forensic experts at the cybersecurity firm Secureworks, the attack was likely orchestrated by ‘a threat group sponsored or tasked by the Chinese state’. The conclusion was based ‘on the nature of the targeted information as well as the observed tools and behaviors, which are consistent with those associated with Chinese cyberespionage threat groups’. China’s embassy in Ottawa denied the allegations.
Ransomware attack forces French hospital to transfer patients
A ransomware attack affecting phone and computer systems of the André-Mignot teaching hospital in the suburbs of Paris forced the institution to shut down. While a ransom of an unspecified amount has been demanded, a spokesperson for the hospital had stated that they have no intention of paying it. The attack has caused the hospital to cancel operations and transfer six patients from its neonatal and intensive care units to other health facilities. The attack is currently being investigated by the French National Authority for Security and Defense of Information Systems (ANSSI).
Cybercrime-as-a-service, ransomware still on the rise
Cybercrime-as-a-service is expanding, given its lucrative business model that requires basic technical skills. This is among the key findings highlighted in the 2023 Threat Report issued by cybersecurity company Sophos.
The report also notes that, in addition to the usual malware, scamming and phishing kits, cybercriminals are now selling tools and capabilities that were once reserved for the most skilled and sophisticated attackers. Ransomware-as-a-service has gotten particularly popular among threat actors, leading to a lower entry barrier for would-be criminals. As a mitigation tool, IT managers are looking at Managed Detection and Response (MDR) services to spearhead early detection and interception of attacks.
New guidance note by Council of Europe’s Cybercrime Convention Committee (T-CY) on ransomware
The Council of Europe’s Cybercrime Convention Committee (T-CY) has adopted a guidance note (GN) on ransomware, which outlines how the Budapest Convention and its Second Additional Protocol could be used to criminalise, investigate, and prosecute ransomware-related offences. The GN follows statements from the Convention’s Parties and Observers regarding the surge of major ransomware attacks in recent months.
Belgian police faced with major data leak
The RagnarLocker ransomware has been linked to an incident in which a ransomware organisation began leaking highly sensitive data stolen from a Belgian police force in Antwerp, in what is being characterised as one of the country’s largest breaches.
‘This is a case of human error, and this is how crime reports and fine notices, but also photographs of child abuse have been leaked’, stated Chief Commissioner of Police Zwijndrecht, Marc Snels.
The number of citizens affected by the breach is unknown, but they include victims, perpetrators, witnesses, and those under surveillance, with potentially serious implications if their identities are revealed.
Spoofing services website causing worldwide loss has been taken down
In an internationally coordinated action led by the UK and supported by Europol and Eurojust, 142 suspects have been arrested for allegedly running a website that offered spoofing services. These services allowed cybercriminals to impersonate trusted corporations such as banks, retail companies, and government institutions and then access sensitive information. Evidence shows that the estimated worldwide loss has been more than EUR 115 million. National authorities from the EU, Australia, and Canada supported the investigation. At the same time, Europol’s European Cybercrime Centre (EC3) provided a secure platform and was thus able to identify additional users of spoofing services.
Killnet hits EU Parliament website with DDoS attack
The European Parliament website has been taken down by a DDoS attack claimed by Anonymous Russia, a member of the pro-Russian hacktivist group Killnet.
The President of the European Parliament confirmed the event, saying that the Parliament’s ‘IT experts are pushing back against it and protecting our systems’.
The attack occurred after the European Parliament designated Russia a state sponsor of terrorism and members advocated that Russia be more isolated internationally.