Industrial Cyber Attacks - Attacks against industries, productive infrastructures and OT

This week, data leaks of industrial companies that recently suffered ransomware attack include:

• Schramm, a hydraulic drilling manufacturer was attacked by Sodinokibi ransomware
• Indoco Remedies Ltd, an Indian manufacturer of pharmaceutical products was hit by maze ransomware

Non-Industrial Cyber Attacks - Covering notable, interesting attacks worldwide

Orange, the giant French telecommunications company has confirmed that it suffered a “Nephilim” ransomware attack exposing the data of twenty of their enterprise customers.

Throughout 2020, APT29, which is part of the Russian intelligence services, has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States, and the United Kingdom. APT29 is using custom malware known as ‘WellMess’ and ‘WellMail’ that is designed to execute arbitrary shell commands, upload, and download files.

3 cybersecurity companies have recently suffered security incidents:

• Cybersoft technologies suffered a maze ransomware attack.
• 8,200 databases of Night Lion, a US cybersecurity firm have been breached.
• Unauthorized access to the database of Cybersecurity Company Cyberia Group offered for sale in the dark web information including customer information, invoices & company details.

ICS Vulnerabilities

New ICS-cert advisories this week include Moxa EDR Routers and 16 advisories for different Siemens products. The most critical vulnerabilities within these advisories are remote code executions with cvss score 9.8 in Siemens SICAM and Siemens LOGO! Web Server. Another CVE can lead to a denial of service condition in Siemens PCS7 DCS.

IOT

Trend Micro Research is warning consumers of a major new wave of attacks attempting to compromise their home routers for use in IoT botnets. The three main source codebases that have spawned numerous pieces of botnet malware are Mirai, Kaiten, and Qbot and users need to protect their routers and other connected devices from these malwares.

IT Vulnerabilities

Microsoft patch Tuesday for July includes CVE-2020-1350, a remote code execution vulnerability in the Windows DNS server with CVSS score of 10. Dubbed SIGRed, this vulnerability affects all Windows Server versions 2003 through 2019 and if exploited, could be used to compromise a company’s entire IT infrastructure. The vulnerability was classified as “wormable” which means it has the potential to spread between vulnerable computers without user interaction.

Breaches & Credential Leaks

A malicious actor called “cryptan” put up for sale unauthorized access to a mining company in a dark web forum. The actor claims to have obtained unauthorized access to the network through VPN.

Advanced Reading Suggestions of the Week

Cybereason team investigated the emergence of a new “Bazar” loader and backdoor that first emerged in April 2020 and has evolved continuously since. Bazar can be used to deploy additional malware, ransomware, and ultimately steal sensitive data from organizations. It appears to have strong ties to Trickbot campaigns and is delivered by the same infection chain. “Bazar” infections are targeting healthcare, manufacturing, logistics, and some more sectors across the US and Europe.

IBM's X-Force got hold of nearly five hours worth of video recordings of the Iranian state-sponsored group - APT35 that provide a rare insight into the "behind-the-scenes" of their methods. 

New PhishingKitTracker repository holds a collection of Phishing Kits used by criminals to steal user information.

Ran Finkelstein
Threat Intelligence Researcher

For more information contact us at [email protected].