Cyber Weekly Digest - 2022 Week #33

Updated: Aug 26


In this week's Cyber Weekly Digest we take a look at a ransomware attack targeting a UK water supplier and the latest zero-day vulnerability patched by Apple. Keep reading to stay up to date on the latest cyber security news from around the world.


1. Ransomware group attacks a UK water supplier but misidentifies the victim.

South Staffordshire Water, a company supplying 330 million litres of drinking water to 1.6m consumers daily, has issued a statement confirming IT disruption from a cyberattack. The safety and water distribution systems are still operational, so the disruption of the IT systems doesn’t impact the supply of safe water to its customers. However, the Clop ransomware gang claimed Thames Water as its victim via an announcement on its onion site. Clop claims to have informed Thames Water of its network security inadequacies and says it acted responsibly by not encrypting the data and only exfiltrating 5TB from the compromised systems. Thames Water disputed Clop’s claims, calling them a “cyber-hoax”. Clop has since corrected its error and now lists South Staffordshire Water as the victim on the extortion site.


2. Apple releases a security update which patches two zero-day vulnerabilities.

Apple on Wednesday released security updates for iOS, iPadOS, and macOS to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise its devices. The first is an out-of-bounds issue in WebKit which could lead to the execution of arbitrary code when processing specially crafted web content. The second is an out-of-bounds issue in the operating system's kernel that could be abused by a malicious application to execute arbitrary code with the highest privileges. Apple said it addressed both issues with improved bounds checking, adding that it is aware the vulnerabilities "may have been actively exploited." This latest update brings the total number of zero-days patched by Apple to six since the start of 2022.


3. CS:GO trading site breached to steal $6 million worth of virtual items.

CS.MONEY, one of the biggest platforms for selling and trading CS:GO virtual items known as “skins”, has taken its website offline after a cyberattack allowed threat actors to loot 20,000 items, worth approximately $6,000,000. CS:GO (Counter-Strike: Global Offensive) is the fourth version of the Counter-Strike series; it became free-to-play in 2018 and has a big professional e-sports scene. It allows gamers to buy and sell cosmetic skins for in-game items, some of which can cost up to hundreds of thousands of dollars. The skins that CS.MONEY hosted on its site were stored in “trade bots” running on Steam accounts. Steam requires 2FA on accounts to trade items; however, the attackers either bypassed this or gained access to the 2FA mobile authenticators tied to the accounts. Valve, creator of Steam and Counter-Strike, has neither commented on nor taken action in response to any of these events.


4. The Lazarus group is using a fake job posting for Coinbase in a new campaign targeting Apple users.

The North Korean APT Lazarus is targeting engineers with a fake job posting that attempts to spread macOS malware. The malicious Mac executable used in the campaign targets both Apple Silicon and Intel chip-based systems. Named Operation In(ter)ception, the recent campaign drops a signed Mac executable disguised as a job description for Coinbase. “Malware is compiled for both Intel and Apple Silicon,” according to researchers, and “it drops three files: a decoy PDF document Coinbase_online_careers_2022_07.pdf, a bundle http[://]FinderFontsUpdater[.]app and a downloader safarifontagent.” The malware is similar to a sample discovered by researchers in May; however, the most recent sample is signed on July 21.


5. Argentina's Judiciary of Córdoba hit by PLAY ransomware attack.

Argentina's Judiciary of Córdoba has shut down its IT systems after suffering a ransomware attack, which has been attributed to the new PLAY ransomware operation. The attack occurred on Saturday and caused the Judiciary to shut down its IT systems and online portal. The outage is also forcing the use of pen and paper for submitting official documents. While the Judiciary has not disclosed details of the attack, researchers noted that it was hit by ransomware that appends the ".Play" extension to encrypted files.
