Originally posted in ERPScan
Bears awoke from winter slumber
by SC Media – 19 November 2018
Experts believe that the recent spear phishing activity may be caused by the Russian APT group Cozy Bear that may have become active once again. Last week, CrowdStrike and FireEye cybersecurity compamies published warnings referencing a widespread phishing campaign that affected several industry sectors. The campaign implemented tactics and techniques that resembled the ones of Cozy Bear, aka APT29. Believed Cozy Bear is now associated with Russian intelligence and considered responsible for hacking the Democratic National Committee along with another Russian APT group Fancy Bear back in 2016 at the time of U.S. elections. Not a long ago, the threat actor has been accused of targeting Norwegian and Dutch ministries and U.S.-based think tanks and NGOs, still it had seemingly remain in hibernation in 2018. CrowdStrike’s Vice President of Intelligence Adam Meyers said that the campaign was detected by his firm on Nov. 14. The malicious emails “purported to be from an official with the U.S. Department of State and contained links to a compromised legitimate website.” The officials of FireEye commented that the attackers “compromised the email server of a hospital and the corporate website of a consulting company in order to use their infrastructure to send phishing emails.”
Two TalkTalk hackers sentenced
by The Telegraph – 19 November 2018
Two young men have been sentenced to a combined sentence of 20 months for their involvement in the October 2015 TalkTalk cyber attack. Matthew Hanley, 23, and Connor Allsopp, 21. As a result of the attack, thousands of customers’ data has been affected. The malefactors managed to access personal information, financial detals and other sensitive data of 156,959 customers. The hack lasted seven days and its final cost is estimated to be £77 million. This sum also includes the £400,000 fine from the Information Commissioner’s Office for security vulnerabilities that were used by attackers. Hanley was sentenced for 12 months and Allsopp was sentenced for eight months. Judge Anuja Dhir QC commented that it was a tragedy to find “two individuals of such extraordinary talent” in the dock. “Your actions, the actions of others, resulted in the then-CEO of TalkTalk being subjected to repeated attempts to blackmail her for money. You were not personally involved in making those attempts but your actions helped facilitate it,” Judge Dhir said.
Charitable organization is affected by cryptojacking
by SC Media – 19 November 2018
The website of the Make-A-Wish charitable organization became affected by a cryptojacking operation. Make-A-Wish foundation is aimed to fulfill the wishes of children diagnosed with critical illnesses. Researchers believe that malicious actors injected a CoinImp browser-based cryptomining script. The malware was able to harness the processing power of any computer whose browsers visited the domain worldwish.org. It is possible that the website may have had the Drupalgeddon 2 vulnerability as the mining script was hosted by the domain drupalupdates.tk. It is also possible that drupalupdates.tk is part of a larger campaign known to exploit Drupalgeddon 2. Currently, the injected script has been removed from the website.
Thousands of Italian email accounts targeted
by iTnews – 20 November 2018
In a major cyber attack, thousands of Italian certified email accounts have been targeted recently. Hackers also managed to attack those of magistrates and security officials. That attack started on November 12 and targeted a server near Rome; the server gave the malefactors access to certified email accounts for the public administration. Finally, data from around 500,000 accounts, including some 9000 ones of magistrates as well as members of a top inter-governmental security agency, have been affected. There is no evidence that the accounts of any ministers, spy chiefs or military bigwigs had been compromised. As all the targeted emails were certified, they guarantee the validity of a sender’s identity. This also provides the information on the date and time of sending and receiving the email. “This was the worst attack we have had since January this year and it has had important repercussions, but the situation is under control,” commented Roberto Baldoni, state cyber security expert, “The only thing we know for sure is that this attack was not launched from Italy.”