Keep up to date with the biggest cyber security news in our latest Cyber Weekly Digest. This week we dive into a failed ransomware attack on a cyber security company and how law enforcement took down the infrastructure for malware operated by the Russian Federal Security Service.
An advanced persistent threat (APT) adversary named Dragon Breath has been observed adding new layers of complexity to its attacks by adopting a novel DLL side-loading mechanism. “The attack is based on a classic side-loading attack, consisting of a clean application, a malicious loader, and an encrypted payload, with various modifications made to these components over time,” according to researchers. “The latest campaigns add a twist in which a first-stage clean application side-loads a second clean application and auto-executes it. The second clean application side-loads the malicious loader DLL. After that, the malicious loader DLL executes the final payload.” The initial vector of compromise is a fake website hosting an installer for Telegram that, when opened, creates a desktop shortcut designed to load malicious components behind the scenes upon launch while also displaying to the victim the Telegram app user interface.
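The nested chain described above (a signed application launching a second signed application from the same folder, which then loads an unsigned DLL from that folder) is visible in endpoint telemetry if process-creation and image-load events are correlated. The following is an added detection example written for this digest, not code from the researchers or from any vendor; the event records, paths, signature verdicts and the `Event` class are constructed to resemble Sysmon-style ImageLoad and ProcessCreate data and are assumptions, not real logs.

```python
"""Correlate process-creation and image-load events to surface DLL side-loading
chains, including the two-stage variant (clean app -> clean app -> unsigned DLL).
Added example with constructed data; not code from the original report."""
import ntpath
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                 # "process_create" or "image_load"
    pid: int
    image: str                # executable backing the process
    image_signed: bool        # constructed Authenticode verdict for `image`
    parent_pid: int = 0       # process_create only
    loaded: str = ""          # image_load only: path of the DLL mapped in
    loaded_signed: bool = True


# Constructed sample telemetry (hypothetical paths; no real indicators).
D = r"C:\Users\victim\AppData\Roaming\Telegram"
EVENTS = [
    Event("process_create", 1, r"C:\Windows\explorer.exe", True, 0),
    # Stage 1: a signed app started from a shortcut launches a second signed
    # app that lives in the same directory.
    Event("process_create", 10, D + r"\clean1.exe", True, 1),
    Event("process_create", 11, D + r"\clean2.exe", True, 10),
    # Stage 2: the second signed app maps an unsigned DLL from its own folder.
    Event("image_load", 11, D + r"\clean2.exe", True,
          loaded=D + r"\loader.dll", loaded_signed=False),
    # Classic single-stage side-load for comparison.
    Event("process_create", 20, r"C:\Temp\viewer.exe", True, 1),
    Event("image_load", 20, r"C:\Temp\viewer.exe", True,
          loaded=r"C:\Temp\version.dll", loaded_signed=False),
    # Benign: a signed app loading a signed plugin from its install directory.
    Event("process_create", 30, r"C:\Program Files\Editor\editor.exe", True, 1),
    Event("image_load", 30, r"C:\Program Files\Editor\editor.exe", True,
          loaded=r"C:\Program Files\Editor\plugin.dll", loaded_signed=True),
]


def same_dir(a: str, b: str) -> bool:
    """Case-insensitive comparison of the Windows directories of two paths."""
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def find_sideload_chains(events):
    """Return one finding per signed process that loads an unsigned DLL from its
    own directory. The finding's `chain` walks up through parent processes that
    are also signed and live in that same directory, so a nested launch shows up
    as a chain longer than one. A production rule would additionally compare the
    DLL's signer with the host binary's signer rather than only signed/unsigned."""
    procs = {}
    loads = defaultdict(list)
    for e in events:
        if e.kind == "process_create":
            procs[e.pid] = e
        elif e.kind == "image_load":
            loads[e.pid].append(e)

    findings = []
    for pid, proc in procs.items():
        if not proc.image_signed:
            continue
        for ld in loads[pid]:
            if ld.loaded_signed or not same_dir(proc.image, ld.loaded):
                continue
            chain = [proc.image]
            cur = proc
            while (cur.parent_pid in procs
                   and procs[cur.parent_pid].image_signed
                   and same_dir(procs[cur.parent_pid].image, cur.image)):
                cur = procs[cur.parent_pid]
                chain.append(cur.image)
            chain.reverse()
            findings.append({"pid": pid, "chain": chain,
                             "dll": ld.loaded, "nested": len(chain) > 1})
    return findings


if __name__ == "__main__":
    for f in find_sideload_chains(EVENTS):
        stage = "nested" if f["nested"] else "single-stage"
        print(f"[{stage}] pid {f['pid']}: {' -> '.join(f['chain'])} loads {f['dll']}")
```

On the constructed data this reports two findings: the nested chain `clean1.exe -> clean2.exe` loading `loader.dll`, and the single-stage `viewer.exe` loading `version.dll`; the signed plugin load is not flagged. Keying the chain on "signed parent in the same directory" is what distinguishes the two-stage pattern from an ordinary side-load, and it is the property worth alerting on with higher severity.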
Intel is investigating the alleged leak of private keys used by the Intel Boot Guard security feature, which could undermine its ability to block the installation of malicious UEFI firmware on MSI devices. In March, the Money Message extortion gang attacked computer hardware maker MSI, claiming to have stolen 1.5TB of data during the attack, including firmware, source code, and databases. The ransomware gang demanded a $4,000,000 ransom and, after not being paid, began leaking MSI’s data on their data leak site. Last week, the threat actors started leaking MSI’s stolen data, including the source code for firmware used by the company’s motherboards. The CEO of firmware supply chain platform Binarly, Alex Matrosov, warned that the leaked source code contains the image signing private keys for 57 MSI products and Intel Boot Guard private keys for 116 MSI products. “Intel is aware of these reports and actively investigating”, Intel stated. Binarly has released a list of impacted MSI hardware, comprising 116 MSI devices reportedly affected by the leaked Intel Boot Guard keys.
Cybersecurity intelligence agencies from all Five Eyes member nations took down the infrastructure used by the Snake cyber-espionage malware operated by Russia’s Federal Security Service (FSB). The development of the Snake malware started under the name “Uroburos” in late 2003, while the first versions of the implant were seemingly finalized by early 2004, with Russian state hackers deploying the malware in attacks immediately after. The malware is linked to a unit within Centre 16 of the FSB, the notorious Russian Turla hacking group, and was disrupted following a coordinated effort named Operation MEDUSA. Among the computers abused in the Snake peer-to-peer botnet, the FBI also found devices belonging to NATO member governments. The FBI dismantled the malicious operation by identifying a module within the Snake malware, called PERSEUS, which is used to establish communication sessions with the Snake implant on a particular computer, and by issuing commands that cause the Snake implant to disable itself without affecting the host computer or legitimate applications on it.
A leading food distribution company, Sysco, has confirmed that its network was breached earlier this year by attackers who stole sensitive information, including business, customer, and employee data. In an internal memo sent to employees on May 3, the company revealed that customer and supplier data in the US and Canada and personal information belonging to US employees may have been impacted in the incident. “On March 5, 2023, Sysco became aware of a cybersecurity event perpetrated by a threat actor believed to have begun on January 14, 2023, in which the threat actor gained access to our systems without authorization and claimed to have acquired certain data,” Sysco added in a data breach notification letter sent to some of the affected individuals. The incident has not impacted its business operations, and customer service has not been interrupted, according to the 10-Q SEC filing. Sysco also told affected individuals that there is no ongoing threat to its network and that its security team has implemented additional safeguards to prevent a similar breach from occurring in the future.
Attackers compromised the personal email of a new Dragos employee this week and, when the initial attack failed, attempted through socially engineered messages to get the company to pay them off. The attack occurred May 8, with attackers gaining access to SharePoint and the Dragos contract management system by compromising the personal email address of a new sales employee before their start date. The attacker then used stolen personal information from the attack to impersonate the employee and complete the initial steps in Dragos’ employee-onboarding process. However, Dragos prevented the attackers from deploying ransomware or carrying out any further activities. Despite this, the attackers quickly pivoted to attempting to extort Dragos by threatening to reveal the attack publicly. Dragos decided not to engage with the attackers.