Cyber Weekly Digest - Week #44

Updated: Nov 12


This week's Cyber Weekly Digest explores another critical infrastructure attack, this time affecting the Iranian fuel distribution networks. We also discuss the latest ransomware attack hitting the US National Rifle Association and how German investigators identified a core member of the REvil gang. Keep reading to stay up to date with the biggest cyber security stories from the week.


1. Grief ransomware gang claims to have attacked US National Rifle Association.

This week, the Grief ransomware gang added the NRA as a new victim on their data leak site while displaying screenshots of Excel spreadsheets containing US tax information and investments amounts. The threat actors also leaked a 2.7 MB archive titled 'National Grants.zip' containing alleged NRA grant applications. The Grief ransomware gang is believed to be tied to a Russian hacking group known as Evil Corp, which has been active since at least 2009. The NRA has not yet commented on the alleged attack.


2. Cyber attack hit Iranian fuel distribution network.

An attack on the fuel distribution chain in Iran has forced the shutdown of a network of filling stations on Tuesday, leaving many stranded across the country and unable to fill up their tanks. The filling stations targeted in the attack belong to the National Iranian Oil Products Distribution Company, with more than 3,500 stations across Iran. Tuesday's attack displayed a message reading "cyberattack 64411" on gas pumps, echoing another critical-infrastructure attack that occurred in July against the Iran rail transportation system, which also displayed the number.


3. German investigators have identified REvil ransomware core gang member.

German investigators have reportedly identified a Russian man whom they believe to be one of the REvil ransomware gang's core members. While the suspect's real identity has not been revealed, German media refers to him as 'Nikolay K' and report that investigators linked him to Bitcoin ransom payments associated with the GandCrab ransomware group, which is strongly linked to REvil. Police were able to find Nikolay's email address, which he used to register to over 60 websites and a phone number that he used for his Telegram account. The account was supposedly used for legit crypto-trading, but the police were reportedly able to link multiple transactions worth over 400,000 Euros in crypto to ransom payment events.


4. CISA is urging admins to patch a critical Discourse remote code execution bug.

Discourse, the widely deployed open-source community forum and mailing list management platform, has a critical remote code execution vulnerability that CISA urges administrators to patch. The flaw is found in Discourse versions 2.7.8 and earlier. It's rated with a CVSS severity score of 10, so it is considered an emergency fix, especially considering how popular the platform is.


5. A new malware threat namedSquirrelWaffle is being used in spam campaigns.

A new malware threat named Squirrelwaffle has emerged in the wild, which is being spread via spam campaigns dropping Qakbot and Cobalt Strike. The spam campaigns were first seen in mid-September 2021 using laced Microsoft Office documents that triggers an infection chain that leads to the machines getting infected with SquirrelWaffle malware. Researchers noted that following the Emotet botnet disruption earlier this year, threat actors filled the void using SquirrelWaffle.