Cyber Weekly Digest - Week #28
In this week’s digest, read more about the Morgan Stanley data breach and the Kaseya supply-chain attack, which has affected approximately 1,500 businesses. Keep reading to find out the latest cyber security stories from across the globe.
Morgan Stanley is a leading global financial services firm providing investment banking, securities, wealth and investment management services worldwide. This week the investment banking firm confirmed it had suffered a data breach after attackers broke into the Accellion FTA server of a third-party vendor. The server is believed to have been breached in January, when attackers exploited the Accellion FTA vulnerability before the vendor patched the flaw. The stolen information included the names, addresses and social security numbers of stock plan participants.
Microsoft has released an emergency patch for PrintNightmare, a set of two critical remote code-execution vulnerabilities in the Windows Print Spooler service that attackers could use to take over a compromised system. However, this latest fix appears to address only the remote code-execution variants of PrintNightmare, not the local privilege escalation variant. On top of this, the updates do not cover Windows 10 version 1607, Windows Server 2012 or Windows Server 2016, which will be patched later. For systems not yet protected by the patch, Microsoft is offering two workarounds. The first is to stop and disable the Print Spooler service, which removes the ability to print both locally and remotely. The second is to disable inbound remote printing through Group Policy by disabling the “Allow Print Spooler to accept client connections” policy, which keeps local printing working.
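The following PowerShell script is an added example, not part of the digest or of Microsoft's guidance: it audits a host for the two workarounds above and can apply the Group Policy one. It assumes that the “Allow Print Spooler to accept client connections” policy is backed by the registry value RegisterSpoolerRemoteRpcEndPoint under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers (2 = disabled), and that it runs in an elevated session.

```powershell
# Added example: audit (and optionally apply) the PrintNightmare workarounds.
# Assumption: the Group Policy setting maps to the DWORD value below (2 = disabled).
param(
    [switch]$Remediate   # apply workaround 2 instead of only reporting
)

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerState {
    # Collect the service state and the inbound-remote-printing policy value.
    $svc    = Get-Service -Name Spooler -ErrorAction Stop
    $policy = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceStatus    = $svc.Status
        ServiceStartType = $svc.StartType
        RemoteRpcPolicy  = if ($policy) { $policy.$PolicyName } else { 'not set' }
    }
}

function Test-SpoolerMitigated {
    param($State)
    # Workaround 1: spooler stopped and disabled (no printing at all).
    $serviceOff = ($State.ServiceStatus -eq 'Stopped' -and $State.ServiceStartType -eq 'Disabled')
    # Workaround 2: spooler may run, but inbound remote connections are refused.
    $inboundOff = ($State.RemoteRpcPolicy -eq 2)
    return ($serviceOff -or $inboundOff)
}

$state = Get-SpoolerState
$state | Format-List

if (Test-SpoolerMitigated $state) {
    Write-Host 'At least one PrintNightmare workaround is in place.'
}
elseif ($Remediate) {
    # Apply workaround 2: keep local printing, block inbound remote printing.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord
    Restart-Service -Name Spooler   # the spooler reads the policy when it starts
    Write-Host 'Inbound remote printing disabled; re-run without -Remediate to verify.'
}
else {
    Write-Warning 'Neither workaround applied: spooler running and inbound remote printing allowed.'
}
```

Run it without switches on print servers first, since workaround 2 also stops them serving clients.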
Enterprise tech firm Kaseya has confirmed that around 1,500 businesses were impacted by an attack on its remote device management software, which was used to spread ransomware. The attackers carried out a supply-chain ransomware attack by exploiting a vulnerability in Kaseya’s VSA software, which is used by multiple managed service providers, and so reached those providers’ customers. The attackers are demanding $70 million for a decryptor covering all of the Kaseya attack victims, a ransom Kaseya is refusing to pay. Among the victims is the Swedish supermarket chain Coop, which had to shut around 500 stores.
On Thursday the New South Wales Department of Education confirmed it had suffered a cyber attack. The department said a number of its internal systems were deactivated on Wednesday as a precaution and that it is working to ensure normal access resumes in time for the start of students’ Term 3. Most of New South Wales is currently in week two of a three-week lockdown in response to the COVID-19 outbreak. So far, the department has not confirmed whether student or staff data has been affected.
The SideCopy group has been observed targeting Indian government personnel in a new campaign that infects victims with as many as four new custom remote access trojans. Researchers said that the targeting tactics and themes seen in SideCopy campaigns show a "high degree of similarity to the Transparent Tribe APT (APT36)", which also targets India. The tactics include decoys posing as operational documents belonging to the military and think tanks, as well as honeytrap-based infections.