Take a look at our Cyber Weekly Digest to find out about the biggest cyber security news from the week. As 2023 begins, attackers continue to target critical services around the globe, including an attack on the UK's postal service this week. Keep reading to stay up to date on the latest cyber security stories.
The fast-food chain Five Guys has disclosed what it describes as a “smash-and-grab” operation: threat actors broke into a file server and made off with the personally identifiable information of people who had applied to work at the chain. The company's Chief Operating Officer said that “unauthorised access to files” was discovered in September and blocked the same day, and that the data taken was “variable”; investigators state it includes Social Security Numbers and driver’s license data. Only one server was compromised and no lateral movement was detected, most likely because the attackers were financially motivated and looking for low-hanging fruit. The breach could have been avoided by restricting the server to internal access: an HR file server has no business being reachable from the internet, yet this one was open to anything on the internet, with its security resting on the hardening of the server itself rather than on limiting who could reach it in the first place.
Attackers are using a well-crafted Pokemon NFT card game website to distribute the NetSupport remote access tool and take control of victims’ devices. The site, “pokemon-go[.]io”, is still being hosted, although its main index page can no longer be reached. It claims to offer a new NFT card game built around the Pokemon franchise, promising strategic fun together with NFT investment profits. NFT malware scams like this are usually spread through viral marketing on social media platforms such as Twitter, Discord and Reddit. The site prompts the user to download the “game” for Windows; what is actually installed is NetSupport Manager, a legitimate remote access tool that is being abused here in the hope of evading AV (antivirus) detection, since it is widely used for managing devices in organisations. NetSupport Manager supports remote screen control, screen recording, system monitoring and even network encryption control, so the consequences of such an infection are broad and severe, chiefly unauthorised access to sensitive user data and the download of further malware.
The Kinsing malware is now actively breaching Kubernetes clusters by leveraging known weaknesses in container images and misconfigured, exposed PostgreSQL containers. Kinsing is Linux malware with a history of targeting containerised environments for cryptomining, using the breached server’s hardware to generate revenue for the threat actors. Its operators are known for exploiting widely publicised vulnerabilities such as Log4Shell and, more recently, an Atlassian Confluence RCE to breach targets and establish persistence. Microsoft has observed an uptick in two initial-access methods against Linux servers: exploiting a vulnerability in a container image, or abusing a misconfigured PostgreSQL database server. When going after image vulnerabilities, the threat actors hunt for remote code execution flaws that let them push their payloads.
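The digest does not say which PostgreSQL misconfiguration the operators abuse, but the two that turn a database container into low-hanging fruit are an authentication method that requires no credential and a Service that publishes port 5432 outside the cluster. The script below is an added example (not code from the digest, Microsoft or the Kinsing report) that audits both from a `pg_hba.conf` and from Kubernetes manifests supplied as parsed dicts. The config text and manifests are constructed; the `POSTGRES_HOST_AUTH_METHOD` variable is the official postgres image's setting, and the check that a `"trust"` value there disables password checks for network clients is a fact about that image, not a fact from the digest.

```python
"""Audit PostgreSQL exposure and authentication in a Kubernetes deployment.

Added example; not from the digest, Microsoft or the Kinsing operators.
Check 1: pg_hba.conf network entries using the "trust" method (no password).
Check 2: manifests that set POSTGRES_HOST_AUTH_METHOD=trust, or a NodePort /
LoadBalancer Service that publishes port 5432 outside the cluster.
Sample config and manifests are constructed.
"""

# Methods pg_hba.conf understands. Used to find the METHOD column, because the
# ADDRESS column may be "a.b.c.d/n", "a.b.c.d mask" (two fields), a name or "all".
PG_METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
              "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}
PG_PORT = 5432


def audit_pg_hba(text):
    """Return one finding per network ("host*") entry that admits clients with no credential."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or not fields[0].startswith("host"):
            continue  # blank, comment, or a unix-socket ("local") entry
        idx = next((i for i in range(3, len(fields)) if fields[i] in PG_METHODS), None)
        if idx is None:
            continue  # malformed line; PostgreSQL itself would refuse to start on it
        method, address = fields[idx], " ".join(fields[3:idx])
        if method == "trust":
            findings.append(f"line {lineno}: passwordless (trust) access from {address} "
                            f"for user(s) {fields[2]} on database(s) {fields[1]}")
    return findings


def _containers(obj):
    """Containers of a Pod, or of the pod template in a Deployment/StatefulSet/DaemonSet."""
    spec = obj.get("spec", {})
    if obj.get("kind") != "Pod":
        spec = spec.get("template", {}).get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def audit_k8s(objects):
    """Return findings for trust-auth containers and Services that expose 5432 externally."""
    findings = []
    for obj in objects:
        kind, name = obj.get("kind"), obj.get("metadata", {}).get("name", "?")
        if kind == "Service":
            spec = obj.get("spec", {})
            if spec.get("type") in ("NodePort", "LoadBalancer"):
                for p in spec.get("ports", []):
                    if PG_PORT in (p.get("port"), p.get("targetPort")):
                        findings.append(f"Service/{name}: {spec['type']} publishes "
                                        f"PostgreSQL port {PG_PORT} outside the cluster")
            continue
        for c in _containers(obj):
            for env in c.get("env", []):
                if env.get("name") == "POSTGRES_HOST_AUTH_METHOD" and env.get("value") == "trust":
                    findings.append(f"{kind}/{name} container {c.get('name')}: "
                                    "POSTGRES_HOST_AUTH_METHOD=trust disables password "
                                    "authentication for all network clients")
    return findings


# Constructed sample pg_hba.conf: lines 5 and 6 are the misconfiguration.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS            METHOD
local   all       all                      peer
host    all       all   127.0.0.1/32       scram-sha-256
host    all       all   10.0.0.0 255.0.0.0 md5
host    all       all   0.0.0.0/0          trust   # anyone who can reach the port is in
host    all       all   all                trust   # the line the official image appends for POSTGRES_HOST_AUTH_METHOD=trust
"""

# Constructed manifests in parsed (dict) form, as produced by json.load or a YAML loader.
SAMPLE_OBJECTS = [
    {"kind": "StatefulSet", "metadata": {"name": "pg"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "postgres", "image": "postgres:15",
          "env": [{"name": "POSTGRES_HOST_AUTH_METHOD", "value": "trust"}],
          "ports": [{"containerPort": PG_PORT}]}]}}}},
    {"kind": "Service", "metadata": {"name": "pg-public"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": PG_PORT, "targetPort": PG_PORT}]}},
    {"kind": "Service", "metadata": {"name": "pg"},
     "spec": {"type": "ClusterIP", "ports": [{"port": PG_PORT, "targetPort": PG_PORT}]}},
    {"kind": "Deployment", "metadata": {"name": "web"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "web", "image": "example/web:1.0",
          "env": [{"name": "PGPASSWORD",
                   "valueFrom": {"secretKeyRef": {"name": "pg", "key": "password"}}}]}]}}}},
]

if __name__ == "__main__":
    for finding in audit_pg_hba(SAMPLE_PG_HBA) + audit_k8s(SAMPLE_OBJECTS):
        print(finding)
```

Either finding on its own is survivable; together they describe a database that any host on the internet can log into as any user without a password, which is exactly the foothold a cryptominer needs. Keep database Services at `ClusterIP`, set a real authentication method (`scram-sha-256`), and treat `trust` on anything other than a loopback or socket entry as a defect.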
A new advanced persistent threat actor, tracked as Dark Pink, has been targeting government agencies and military bodies in several countries in the APAC region, using custom malware to steal confidential information. Security researchers note that Dark Pink uses uncommon tactics, techniques and procedures (TTPs): its custom toolkit leverages DLL side-loading and event-triggered execution to run payloads on compromised systems, steals information and can spread via USB drives. Dark Pink launched at least seven successful attacks between June and December last year. Initial access comes from spear-phishing emails disguised as job applications, which trick the victim into downloading a malicious ISO image; the ISO contains two .NET infostealers, KamiKataBot and Cucky Ctealer. The researchers have notified all seven compromised organisations and will continue to track Dark Pink’s operations.
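ISO attachments are popular with attackers because the image mounts with a double-click and the files inside carry no Mark-of-the-Web, and a renamed image slips past extension-only filters. The script below is an added example (not code from the digest or from the researchers' report) that parses an inbound message with Python's standard `email` library and flags disk-image attachments both by extension and by the ISO 9660 volume-descriptor magic (`CD001` at byte offset 0x8001), so a `.pdf` that is really an ISO is still caught. The message and the image blob are constructed; the extension list is an assumption about which container formats are worth blocking.

```python
"""Flag disk-image attachments in inbound mail, by name and by content.

Added example; not from the digest or the Dark Pink report. The message built
below is constructed: a "job application" with a renamed ISO, a harmless PDF
and an honestly named .iso.
"""
import os
import email
from email import policy
from email.message import EmailMessage

# Container formats commonly abused to smuggle executables (assumption).
IMAGE_EXTENSIONS = {".iso", ".img", ".vhd", ".vhdx"}
# ISO 9660: primary volume descriptor at sector 16 (0x8000); bytes 1..5 are "CD001".
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"


def looks_like_iso(data):
    """True if the bytes carry an ISO 9660 volume descriptor, whatever the file is called."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def scan_message(raw):
    """Return one finding string per attachment that is, or claims to be, a disk image."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        reasons = []
        if os.path.splitext(name)[1].lower() in IMAGE_EXTENSIONS:
            reasons.append("disk-image extension")
        if looks_like_iso(data):
            reasons.append("ISO 9660 magic")
        if reasons:
            findings.append(f"{name}: " + ", ".join(reasons))
    return findings


def build_sample():
    """Construct a spear-phishing-style message with three attachments (sample data)."""
    msg = EmailMessage()
    msg["From"] = "jane.doe@example.com"
    msg["To"] = "hr@example.org"
    msg["Subject"] = "Application for Analyst position"
    msg.set_content("Please find my CV attached.")
    # Minimal ISO-like blob: zeros with the volume-descriptor magic in place.
    fake_iso = bytearray(ISO_MAGIC_OFFSET + len(ISO_MAGIC))
    fake_iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    msg.add_attachment(bytes(fake_iso), maintype="application", subtype="octet-stream",
                       filename="CV_Jane_Doe.pdf")          # renamed image
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                       subtype="pdf", filename="cover_letter.pdf")
    msg.add_attachment(b"\x00" * 64, maintype="application", subtype="octet-stream",
                       filename="portfolio.iso")            # honest name, no magic
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

The content check matters more than the name check: the renamed `CV_Jane_Doe.pdf` is flagged only because of the magic bytes. In a gateway you would go one step further and extract the image to inspect the LNK, DLL and executable files inside, which is where the side-loading chain described above lives.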
The Russia-linked LockBit ransomware group has been identified as a potential culprit behind the cyber incident at the UK's postal service, Royal Mail. At the beginning of this week, Royal Mail's international deliveries were severely disrupted by a cyber incident, and at the same time printers at a Royal Mail site in Belfast, Northern Ireland, began printing ransom notes reading “Lockbit Black Ransomware. Your data are stolen and encrypted”. The note also contained multiple links to the LockBit operation's Tor data leak and negotiation sites, including a 'Decryption ID' required to log in and chat with the threat actors. Royal Mail’s international deliveries remain on hold, and the postal service has not said when it expects them to resume.