Welcome to your weekly cybersecurity update. In this edition, you will find information on a new campaign by the threat group behind the SolarWinds supply chain attack, news of Belgian authorities shutting down a campaign they say originated in China, and details of a new cybersecurity directive for pipeline operators.
Read on for the news!
SolarWinds hackers behind massive phishing campaign masquerading as USAID, Microsoft says – The same adversary group behind the SolarWinds supply chain attack is now sending phishing emails masquerading as USAID, Microsoft said in a new report. The threat group targets 150 organizations in 24 countries and has targeted 3,000 individual accounts in a phishing email blitz since May 25. They are currently using a compromised email account that USAID uses to send marketing emails; a USAID spokesperson said the agency’s forensic investigation into the breach was ongoing. At least one of the messages purports to relate to “election fraud” documents published by former US President Trump. Experts have called it another example of Russian disinformation aimed at stoking division over the US election. The success of the phishing campaign is unclear at this time.
DHS orders pipeline operators to report cyber attacks and review their security status – The United States government issued a new directive to pipeline operators in light of the ransomware attack on Colonial Pipeline that halted gas transportation in the Southeastern United States. The directive, issued by the TSA, requires pipeline operators to “report all confirmed and potential cyber attacks, improve their incident response by assigning a cybersecurity coordinator, and create a cybersecurity plan based on the results of a comprehensive threat assessment conducted within the next 30 days,” according to Dark Reading. DHS Secretary Alejandro Mayorkas said in a statement that the new directive will allow DHS to better identify and respond to threats to pipeline infrastructure.
Belgium uproots cyberespionage campaign with suspected China links – The Federal Public Service of the Interior (FPS Interior) in Belgium recently declared that it was the victim of a cyberespionage campaign that began two years ago, according to a CyberScoop report. The Belgian government agency launched its investigation in March following Microsoft’s disclosure of the Exchange Server hack. So far there has been no confirmation of whether the campaign against FPS Interior exploited any of the Microsoft Exchange zero-days, or whether the disclosure of those exploits merely prompted the investigation. Regardless, the Belgian authorities said the campaign against FPS Interior was of Chinese origin. FPS Interior has so far stated that the damage to its systems was minimal and is now contained.
New Iranian threat actor using ransomware and wipers in destructive attacks – A new threat group, presumably backed by Iran, called Agrius, is targeting the Middle East and Israel with destructive wiper attacks. The group has been active since at least November 2020 and initially appeared to focus on cyber espionage before moving on to more destructive attacks. The Agrius group’s preferred tactic for initial access is to try to exploit known vulnerabilities in an organization’s public-facing web applications, according to Dark Reading.
VMware issues ransomware alarm on critical severity bug – VMware fixed a critical severity bug in its vCenter Server virtualization management platform that it urges customers to patch as soon as possible. The flaw, if left unpatched, could allow a remote attacker to exploit vCenter Server and take control of the affected system. The urgency to patch comes in light of the rise in ransomware attacks around the world.
Canada Post victim of data breach after vendor ransomware attack – Canada Post has informed 44 of its large commercial customers that a ransomware attack against a third-party service provider has exposed shipping information for their customers, according to Bleeping Computer. Threat actors accessed Commport Communications’ database using Lorenz ransomware and exfiltrated shipping and receiving information for 44 business customers and 950,000 recipient customers. Canada Post hired an outside security firm to investigate the breach.
Hackers target Japanese government and transport companies – According to local reports, threat actors have targeted government agencies and transport organizations in Japan in recent days. Fujitsu’s software-as-a-service platform, ProjectWEB, was breached, exposing 76,000 Ministry of Lands, Infrastructure and Transportation email addresses. Narita Airport was also a target, the goal being to exfiltrate air traffic control data. The attacks come ahead of the Tokyo Summer Olympics, which were delayed from last year due to the COVID-19 pandemic.
Air India confirms data of 4.5 million travelers compromised – Air India has confirmed that data of 4.5 million passengers worldwide was exfiltrated following a breach of the passenger service system of aviation IT provider SITA in early March, according to Dark Reading. SITA PSS processes and stores personal data of Air India customers; the breach impacted personal data recorded between August 26, 2011 and February 3, 2021 and includes name, date of birth, contact details and passport details, among others, for the 4.5 million people. Air India learned of the breach on February 25.