Cyber Weekly Digest - Week #14
In this week's digest, we talk about the latest in the DDoS extortion trend and how a ransomware gang is going to be refunding its victims; no, this is not an April Fools' joke. To get up to date on the latest and biggest cyber security stories, keep reading.
Not often do you hear of threat actors regretting their actions, which is why this week it was surprising to hear that the Ziggy ransomware admin would be refunding victims' ransom payments. Ziggy ransomware shut down in early February and decided to publish all of its decryption keys. Victims who paid a ransom just need to email the Ziggy admin with proof of payment, and their money will be returned to their Bitcoin wallet in around two weeks. The admin claims they had to sell their house to refund victims and plans to become a ransomware hunter after returning the money.
At the beginning of the week, the Harris Federation was hit by a ransomware attack which led to the compromise and encryption of its IT systems. As a precaution, it temporarily disabled its email system; in-person teaching had resumed, so students could still attend lessons. In the UK, the number of schools being targeted in attacks is rapidly increasing, with at least four multi-academy trusts targeted in March.
In another supply-chain attack, hackers attempted to compromise the PHP codebase: two malicious commits were pushed to the official PHP Git repository this week. The two malicious commits were pushed to the self-hosted "PHP-src" repository on the git.php.net server, illicitly using the names of Rasmus Lerdorf, the author of the programming language, and Nikita Popov, a software developer at JetBrains. PHP remains the server-side programming language powering over 79% of the websites on the Internet, making the attack even more concerning.
Earlier this year, Ubiquiti, a cloud-enabled Internet of Things vendor, disclosed a breach involving a third-party cloud provider. However, a source revealed that the third-party cloud provider claim was a fabrication, and that the incident was "catastrophically worse than reported". The anonymous source said attackers gained administrative access, which could have allowed them to remotely authenticate to countless Ubiquiti cloud-based devices around the world. Ubiquiti has since confirmed that it was the target of an extortion attempt following the January security breach. However, it did not verify the claims that user data was accessed during the incident or that the attackers stole any Ubiquiti source code.
Distributed Denial of Service (DDoS) attacks are becoming increasingly complex, setting new records and taking the extortion trend, which started last August, to the next level. Akamai says that in February it dealt with "three of the six biggest volumetric DDoS attacks" the company has ever recorded. Two of the attacks were the largest known ransom DDoS attacks, and the most recent of them peaked at 800 Gbps; it targeted a gambling company in Europe and was also the most complex attack Akamai has seen since extortion DDoS started.