Cyber Security Brief - October 2022

Executive summary

  • We analysed 231 open source reports for this Cyber Security Brief.

  • Relating to cyber policy and law enforcement, in Europe, the German government dismissed the head of Germany's national cyber security agency (BSI) for collusion with Russian contacts, France fined two US companies for data protection issues, and the police authorities in several countries arrested a number of cybercriminals for various offences (phishing, keyless car hacking, malware services, hacking and data theft).

  • On the cyberespionage front, in Europe, a new report exposed a North Korea-linked operation against the aerospace sector. Globally, public reports detailed operations by 2 North Korean (codenamed Lazarus and Kimsuky), 6 Chinese (codenamed Mustang Panda, Taidoor, WIP19, APT10, APT41, and DiceyF), 1 Lebanese (codenamed Polonium), Iranian (governmental services deploying mobile surveillance devices against citizens), and 1 Indian (codenamed SideWinder) threat actors.

  • Relating to cybercrime, ransomware attacks continue to target organisations in all businesses. In Europe, the 3 most active ransomware operations in October have been Lockbit, Karakurt, and Vice Society. In the public sector, ransomware threat actors target in particular municipalities or regional administrations. Threat actors breached organisations in some critical sectors like transportation, healthcare, defence and education.

  • Regarding data exposure and leaks, in Europe, incidents affected the military sector in Portugal as well as IT companies in the Netherlands and Italy. On the global level, large incidents, sometimes exposing the data of millions of users, affected miscellaneous sectors including social media (Meta), telecommunications, gaming, finance (credit cards), IT, automotive, healthcare, secret services, and energy.

  • In Europe, we noticed information operations with a cyber component following the Nord Stream pipeline incident, and another one using deepfake technology to impersonate the Ukrainian Prime Minister in order to undermine cooperation between Ukraine and Turkey.

  • On the hacktivism front, in Europe, most activity is related to Russia’s war in Ukraine. Pro-Russia hacktivists attacked several targets in Ukraine with DDoS or leaks in the government, telecoms, cyber defence and healthcare sectors. In the EU, pro-Russia hacktivists targeted entities in Poland, Slovakia, Estonia and the Czech Republic.

  • Regarding disruptive operations, in Europe we noted reporting of a German energy company suffering a cyberattack which caused customer service to be unavailable. The pro-Ukraine actor TeamOneFist claimed a new series of disruptive or hijacking attacks in Russia (mobile phone operator, research programmes and routers).

  • We included several significant vulnerabilities and associated advisories, reported in October 2022.

Europe

Cyber policy and law enforcement

EU bans Russia from cryptocurrency services
On October 6, the EU adopted a sanctions package against Russia that includes a full ban on cryptocurrency-related services to Russian nationals or residents in addition to further restrictions impacting the energy, technology, and defence sectors. The EUʼs sanctions in part were a response to Russiaʼs claimed annexation of the occupied Ukrainian territories Luhansk, Donetsk, Kherson, and Zaporizhzhya.
Sanctions
Arne Schoenbohm, head of Germany's national cyber security agency, dismissed
The German government has dismissed Arne Schoenbohm, the head of Germany's national cyber security agency (BSI), for collusion with Russian contacts.
Dismissal
France’s data protection authority warns about using Google Analytics
The French data protection authority (CNIL) issued a warning, on October 11, to three press publishers for continuing to use Google Analytics. The development follows upon a February ruling, in which the same authority had deemed Google Analytics to be exposing citizens' data, due to unauthorised transfers of personal data to the US in breach of EU privacy law.
Data protection
France fines Clearview facial recognition company
The French CNIL fined the US-based facial recognition company Clearview AI 20 million euro for the illegal collection and processing of biometric data belonging to French citizens. The amount is the maximum financial penalty the company could receive under GDPR Article 83. Clearview AI received the same fine from the Italian and Greek data protection authorities for the same violations in March and July.
Data protection
Police tricks DeadBolt ransomware out of 155 decryption keys
The Dutch National Police, in collaboration with cybersecurity firm Responders.NU, tricked the DeadBolt ransomware gang into handing over 155 decryption keys by faking ransom payments.
Decryption keys
French police arrest five people for stealing 2.5 million euro in NFTs
French authorities arrested seven individuals for their alleged involvement in a non-fungible token (NFT)-phishing scheme, but indicted only five of them. According to police, the threat actors caused 2.5 million euro in damages. Media reports suggest the threat actors gained access to the NFTs via a phishing link posted on Discord and then sold the NFTs online immediately following the theft.
Arrest
German Police arrest one individual for a role in a phishing scam
The German Federal Criminal Police (BKA) arrested one individual for his involvement in a phishing scheme that led to the theft of 4 000 000 euro. The BKA also suggested the suspect engaged in DDoS attacks against different banks to hide the fraudulent transactions.
Arrest
Police dismantle criminal ring that hacked keyless cars
Authorities from France, Latvia, and Spain arrested 31 suspects believed to be part of a car theft ring that targeted vehicles from two French car manufacturers. The criminals only targeted cars that use keyless entry and start systems and stole them after exploiting their keyless technology to unlock the doors and start the engines without having to use the key fobs.
Arrest
Spanish National Police arrest eight for alleged involvement in a phishing scheme
The Spanish National Police arrested eight people allegedly connected to a criminal organisation behind an SMS and voice phishing ("vishing") scheme. The police reported that the eight individuals imitated bank employees to gain access to victimsʼ login credentials and bank accounts.
Arrest
Dutch police arrest hacker who breached a healthcare software vendor
The Dutch police arrested a 19-year-old man suspected of breaching the systems of a healthcare software vendor in the country, and stealing tens of thousands of documents. These documents might contain sensitive personal and medical data of patients of healthcare providers using the company's systems.
Arrest
German student arrested for operating a darknet market
The Federal Criminal Police Office in Germany arrested a student suspected of being the administrator of Deutschland im Deep Web, one of the largest darknet markets in the country.
Arrest
Ukrainian charged for operating Raccoon Stealer malware service
US authorities charged 26-year-old Ukrainian national Mark Sokolovsky for involvement in the Raccoon Stealer malware-as-a-service (MaaS) cybercrime operation. The Dutch police had arrested him in March 2022 and he is currently jailed in the Netherlands while waiting to be extradited to the US.
Arrest,
Charge

Cyberespionage

Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium
ESET uncovered a set of malicious tools that the North Korean threat actor Lazarus used in attacks during the autumn of 2021. The campaign started with spearphishing emails containing malicious Amazon-themed documents and targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium.
Analyst note: We regularly observe Amazon-themed phishing emails in our constituency. Most of the time these phishing emails come from low-sophistication cybercrime actors.
North Korean threat actor
Former British Prime Minister Liz Truss's phone allegedly hacked by Russian threat actors
According to the Daily Mail tabloid, threat actors suspected of working for the Kremlin hacked the personal mobile phone of British Prime Minister Liz Truss. Reportedly, the threat actors compromised Truss’s phone during the summer’s Tory leadership campaign when Ms Truss was Foreign Secretary.
Russian threat actor

Cybercrime

Ransomware

Municipality in Portugal hit with ransomware
The ransomware threat actor HiveLeak claimed responsibility for an attack targeting the Portuguese municipality of Louros. The attack reportedly took place on September 22 and the threat actor released stolen data between October 9 and 10.
Analyst note: We observe that the majority of ransomware attacks against public administrations in Europe target local administrations (municipalities, regions, etc.). We assess that this is due in part to the extended attack surface they offer and the limited resources they have to secure their networks.
Public administration
French department services hit with ransomware
On October 10, authorities of the French department of Seine-Maritime issued a press release announcing that they would cut off networks and be forced to degrade services severely. The cybercrime prosecutor's office has opened an investigation. Although no ransom demand has been communicated for the moment, the modus operandi of the attack strongly suggests ransomware.
Public administration
French city of Chaville targeted with ransomware
During the night of October 14 to 15, a large-scale cyberattack targeted the servers of the Chaville Town Hall. The cyberattack caused the interruption of the main services associated with the Town Hall. The cybercriminal group Cuba claimed responsibility for the attack on October 18.
Public administration
French municipality victim of a cyberattack
The French town of Maisons-Alfort in the Paris region has announced that it has been the victim of a cyberattack. The attack reportedly blocked the internet and telephone network maintained by the town. The modus operandi of the attack strongly suggests ransomware.
Public administration
German regional administration suffers cyberattack
On October 24, the district administration of Rhein-Pfalz in Germany requested an investigation after a cyberattack paralysed it. Users could not access the services provided by the Ludwigshafen authorities. The administration shut down IT resources, forcing civil servants to work without them.
Public administration
Snatch ransomware threat actor adds Hensoldt France to their victim list
On October 30, the Snatch ransomware group claimed to have attacked the Hensoldt France company. Hensoldt is a leading company in the European defence industry, particularly in the areas of cyber, data management and electronic product development.
Defence
UK IT service provider confirms incident
Advanced, an IT service provider of the UK's National Health Service (NHS), confirmed that an August 2022 cyber incident resulted from ransomware. Advanced also confirmed that the attackers stole data during the incident. However, the company has not disclosed whether this information includes patient data.
Healthcare
Hospitals hit with ransomware in Barcelona
On October 8, a ransomware attack targeted the computer systems of three hospitals in Barcelona. The attack affected the computer systems of all departments of the Consorci Sanitari Integral (CSI), which includes several health centres, nursing homes and hospitals.
Healthcare
Portugal-based hospital hit with Everest ransomware
The threat actor Everest Ransom Team named a Portugal-based hospital as a victim on their data leak site (DLS). The threat actor claimed to have access to 37 GB of customer and employee data and other hospital documents. The threat actor also provided a password-protected link to access the allegedly stolen files.
Healthcare
French maternity hospital hit
On October 9, the threat actor Vice Society breached the French maternity hospital Les Bluets in Paris. At the time of writing, the impact is still unknown.
Healthcare
Prestige ransomware targets Ukrainian and Polish organisations
Microsoft said threat actors used the new Prestige ransomware to target transportation and logistics organisations in Ukraine and Poland. The threat actors first used this new ransomware in the wild on October 11, in attacks detected within an hour of each other.
Transportation
German educational institute breached
On October 19, the ransomware threat actor Ragnar Locker claimed responsibility for an attack on the German Leibniz Institute for Educational Research and Information. Ragnar Locker made approximately 241 GB of the company's data publicly available. The organisation provides empirical educational research, digital infrastructure and targeted knowledge transfer, thus helping to address educational challenges.
Education
German university hit
On October 20, the German University of Ansbach was the target of a cyberattack. As part of the response, the university blocked all access for staff and students. The university partially cancelled virtual seminars. The modus operandi of the attack strongly suggests ransomware.
Education
UK high school hit
The Bishop of Herefordʼs Bluecoat School (BHBS), a UK-based high school, experienced a cybersecurity incident that disrupted the schoolʼs IT systems. According to a school spokesperson, there is no evidence that the incident has compromised personal data of students or staff. On October 28, cybercriminals operating the Vice Society ransomware named BHBS as a victim on their DLS.
Education
Newspaper's printing system disrupted by ransomware
A ransomware attack impacted the printing system of the Baden-Wurttemberg, Germany-based Heilbronn Stimme newspaper on October 14 and forced the victim to release a 28-page e-paper. The newspaper issued a six-page "emergency" edition on October 15 and posted obituaries on its website as a workaround.
Newspaper

Other cybercrime

Ticketing service discloses 2,5-year-long breach
The Europe-based ticketing service provider See Tickets disclosed a data breach and informed customers that cybercriminals might have accessed their payment card details via a skimmer on its website. The investigation showed that the infection happened on June 25, 2019, so the total duration of the exposure was just over 2,5 years.
Payment cards
Spain's Telefonica breached
The Spanish telecommunications company Telefonica issued notices to customers, on October 28, stating that it had suffered an intrusion. The incident allowed access to technical data or configurations of customer equipment.
Telecoms,
End user equipment

Hacktivism

Pro-Russia hacktivists target Slovakia
On October 4 and 5, We Are Clowns, Anonymous Russia and Killnet, three supposed pro-Russia hacktivist groups, claimed cyberattacks against Slovakian targets. In reality, these cyberattacks consisted only of DDoS attacks, which were directed against the websites of government institutions such as the Slovak Ministry of Defence and the Human Rights Centre in Slovakia, as well as airports, web hosting companies and airport taxi companies.
Analyst note: We assess that a huge part of the cyberattacks claimed by pro-Russia hacktivists aim to gather public attention and cause only limited damage.
Government,
Transportation,
Web hosting
Pro-Russia hacktivists target Estonia
On October 8, supposed pro-Russia hacktivists such as Anonymous Russia and Cyber Army of Russia, claimed to have conducted DDoS attacks against Estonian government websites in retaliation for the Estonian Foreign Minister congratulating Ukrainian special forces for damaging the Crimean Bridge.
Government
Pro-Russia hacktivists target Czech Republic
On October 21, the supposed pro-Russia hacktivist group Cyber Army of Russia Reborn claimed to have conducted a DDoS attack against the Pardubice airport in the Czech Republic.
Pro-Russia hacktivists target Poland
On October 24, Killnet claimed to have conducted a DDoS attack on the Polish stock exchange in Warsaw.
Finance
Pro-Russia hacktivists attack Polish and Slovakian Parliaments
A spokesperson for the Polish Senate confirmed service disruptions, on October 28, due to DDoS attacks. According to news reports, similar attacks also blocked the Slovakian Parliament. Both parliamentary sessions had planned votes in which they would declare Russia a terrorist regime.
Legislature
Pro-Russia hacktivists target Ukraine telecoms
On October 5, Xaknet, a supposed pro-Russia hacktivist group, claimed to be leaking data belonging to Kyivstar, a Ukrainian telecom operator. The exposed data appears to contain big data analysis, contracts and mobile identities, but it is unclear whether the data is authentic and actually belongs to Kyivstar.
Telecoms
Pro-Russia hacktivists target Ukraine Ministry of Social Policy
On October 12, Zarya, a supposed pro-Russia hacktivist affiliated with Killnet, leaked data supposedly belonging to the Ukrainian Ministry of Social Policy. The data contained names, email addresses, postal addresses and phone numbers.
Government
Pro-Russia hacktivists claim intent to target Ukraine energy producer
On October 12, Cyber Army of Ukraine, a supposed pro-Russia hacktivist group, claimed it would conduct unspecified cyber operations against Naftogaz, a Ukrainian energy producer involved in the transportation of natural gas, as well as the extraction, refining and transportation of oil. The threats coincided with Russian missile strikes on Ukraine.
Energy
Pro-Russia hacktivists target Ukraine cyber defence
On October 20, the Ukrainian Ministry of National Defence cancelled a hackathon following DDoS attacks by the group Noname057, a supposed pro-Russia hacktivist group. A hackathon is a social event for computer programmers.
Cyber defence
Pro-Russia hacktivists target Ukrainian hospital
On October 31, the pro-Russian hacktivist groups Phoenix and WeAreClown claimed responsibility for an attack on a Ukrainian hospital in Kiev. The threat actors claim to have caused damage to the hospital's systems.
Analyst note: The impact of the attack is currently unknown to us. As in most previous cyberattacks by pro-Russia hacktivists, it is likely that the attack was a DDoS attack on websites.
Healthcare

Disruption and hijacking

German energy company suffers cyberattack
On October 27, Enercity, a German company in the energy sector, suffered a cyberattack. The incident caused customer service to be unavailable. There is no indication that the incident has impacted power grids and related power plants.
Energy
Operations disrupted at copper smelter
Europe's largest copper smelter, the German company Aurubis, reported, on October 28, that a cyberattack had resulted in the shutdown of its IT systems. A Russian origin of the attack is possible, given earlier statements by Aurubis that prompted Western industry to ban the use of Russian metal.
Industry

Information operations

Nord Stream pipeline disinformation
Within hours of the Nord Stream pipeline explosions, Russian officials, Twitter users and Tucker Carlson began circulating disinformation suggesting that the Biden administration was responsible for the apparent act of sabotage. Some viral tweets included old footage of US military jets flying over Germany to support Russia’s claims that the US was the culprit. While there is not yet evidence to say exactly who is responsible for the Nord Stream attack, plenty of officials are pointing at Russia.
Energy
Deepfake impersonation of Ukrainian Prime Minister
On October 9, the Ukrainian Defense Ministry’s Main Intelligence Directorate (GUR) announced it disrupted an operation utilising deepfake technology to impersonate Ukrainian Prime Minister Denys Shmyhal. The imposter posing as Shmyhal purportedly believed they had contacted the founding director of a major private Turkish defence company specialising in unmanned aerial vehicles (UAVs). However, the imposter apparently spoke with GUR operatives. The GUR claimed the threat actor sought to undermine cooperation between Ukraine and Turkey.
Ukraine,
Government

Data exposure and leaks

NATO confidential data leak
In early August, a cyberattack against the Portuguese army allowed an unknown actor to steal hundreds of confidential NATO files. According to a Portuguese TV station, a second attack took place in the last week of September, creating a new leak of sensitive data, without specifying the nature of the data.
Hack and leak
IT service provider to Dutch government suffers leak
ID-ware, an IT service provider which produces access badges, suffered a data leak in September. The company services the Dutch government, including the first and second chamber of Parliament, with the Rijkspas, an access card.
IT service provider
Italian WIFI provider reportedly suffers data leak
On October 25, Kelvinsecurity leaked data purportedly belonging to Italian organisation Filomeno WIFI on a dark web forum.
IT service provider
Dutch software vendor discloses data breach
Dutch technology vendor Nedap disclosed a data breach related to Carenzorgt, a Dutch medical portal with more than 9 000 affiliated healthcare providers and 497 000 active users. Nedap clarified that the threat actor exploited an unidentified vulnerability to access and download documents from the portal.
IT service provider

World

Cyber policy and law enforcement

Interpol arrests Black Axe members
Interpol has arrested over 70 suspected members of the Black Axe cybercrime syndicate, with two believed to be responsible for 1,8 million US dollars in financial fraud. An international law enforcement operation arrested the suspects between September 26 and 30 in South Africa.
Arrest
Brazil arrests suspect linked to the Lapsus$ group
As part of Operation Dark Cloud launched in August, the Brazilian Federal Police arrested a Brazilian suspect in Feira de Santana, Bahia, believed to be part of the Lapsus$ extortion gang. The police suspect the individual of having participated in the December 2021 breach of the Brazilian Ministry of Health. In this incident, Lapsus$ deleted files and defaced the Ministry of Health website to display a message in which the group claimed it had stolen data from the ministry's network.
Analyst note: Lapsus$ is a group that has conducted data theft extortion operations since mid-2021. They are motivated by both financial gain and a desire for notoriety. They breach IT systems, exfiltrate data and threaten to publish on their Telegram channels. They use such channels to both shame victims and leak information when they are unsuccessful in coercing a victim.
Arrest
Operator of darkweb marketplace arraigned
On October 26, the US Department of Justice arraigned a British citizen for allegedly running The Real Deal, a darkweb marketplace. The allegations relate to illicit services conducted in 2015 and 2016. Threat actors used this platform to sell stolen data and hacking tools as well as drugs and weapons.
Charges
Malware-as-a-service operator extradition from NL to US granted
On October 25, the US Department of Justice unsealed an indictment containing charges against a Ukrainian national for developing and operating the Raccoon Stealer Malware-as-a-Service (MaaS). The individual is being held in the Netherlands and is awaiting extradition to the United States. The Amsterdam District Court granted extradition on September 13.
Charges
US government indicts individuals and companies for violating sanctions
On October 19, the US Department of Justice announced charges and arrests in two cases involving export violation schemes to aid the Russian military. The charges involved a dozen individuals and several corporate entities for participating in unlawful schemes to export powerful, civil-military, dual-use technologies to Russia.
Sanctions
Google Translate is disappearing from China
Google has decided to shut down Google Translate services in China. The translator was one of the few digital services still operating in China, which has now censored and blocked access to it. The Google Translate website and mobile app, as well as the Chrome extension, when accessed from mainland China, redirect users to the Hong Kong-based Google Translate website, which is blocked in the People's Republic of China.
Censorship
FBI and CISA say cyberattacks targeting election systems unlikely to affect results
In the US, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a public announcement in which they assess that any attempts by cyber actors to compromise election infrastructure are unlikely to result in large-scale disruptions or prevent voting.
Elections
US administration announces cybersecurity labelling for IoT devices
The US government announced on October 11 its plans to develop a cybersecurity labelling programme for internet-of-things (IoT) devices. The programme aims to improve digital safeguards for such devices. The programme will be followed by three to four recommendations that will be developed in consultation with the private sector.
Regulation
Google sued over biometric data collection without consent
In the US, the Texas attorney general has sued Google for allegedly collecting and using biometric data belonging to millions of Texans without proper consent.
Data protection

Cyberespionage

Kimsuky targeting Android devices with newly discovered mobile malware
Security researchers found three new types of malware that target Android devices. They named the malicious APKs FastFire, FastViewer, and FastSpy. They attributed the malware to the North Korea-linked actor Kimsuky and assess that Kimsuky’s mobile targeting strategy is getting more advanced.
North Korean threat actor
China-linked Mustang Panda targets Myanmar
Researchers at BlackBerry uncovered a campaign by the China-linked Mustang Panda threat actor that is leveraging the PlugX malware family to target the Southeast Asian state of Myanmar.
Chinese threat actor
Trend Micro details malicious toolset used by cyberespionage threat actor Earth Aughisky
According to Trend Micro, the China-linked threat actor named Earth Aughisky (aka Taidoor) has been using an increasingly sophisticated toolset in cyberespionage attacks targeting entities in Taiwan and Japan.
Chinese threat actor
New Chinese APT targets IT service providers
A new threat cluster tracked as WIP19 has been targeting telecommunications and IT service providers in the Middle East and Asia. According to SentinelLabs, the activity is highly likely espionage-related and WIP19 appears to be a Chinese-speaking threat group. WIP19 utilises a legitimate, stolen certificate to sign novel malware, including SQLMaggie, ScreenCap and a credential dumper.
Chinese threat actor
Chinese APT continues to target Hong Kong
Researchers at Symantec reported a likely continuation of a cyberespionage campaign against Hong Kong dubbed Operation CuckooBees, which they attribute to the Chinese cyberespionage threat actor APT41. Cybereason first reported on this campaign in May 2022. In Operation CuckooBees, the threat actors breached government agencies in Hong Kong and remained undetected for a year in some cases.
Chinese threat actor
Likely Chinese APT targets casinos in Southeast Asia for cyberespionage purpose
According to researchers at Kaspersky Lab, a threat actor named DiceyF has been targeting online casinos based in Southeast Asia since at least November 2021. DiceyF does not appear to be targeting financial gains from the casinos but instead conducting stealthy cyberespionage and intellectual property theft. DiceyF activity aligns with Operation Earth Berberoka reported by Trend Micro in March 2022, both pointing to the threat actor being of Chinese origin.
Chinese threat actor
APT10 continues targeting Japan
Researchers from cybersecurity company Kaspersky uncovered new activity and techniques by the Chinese APT10 threat actor against Japanese organisations. The threat actor abused security software to install a new version of their LODEINFO malware.
Chinese threat actor
Lebanon-based Polonium threat actor targets Israel with new malware
According to cybersecurity firm ESET, the Lebanon-linked Polonium threat actor has targeted more than a dozen organisations in Israel since at least September 2021 and until September 2022. Sectors targeted by this threat actor include engineering, information technology, law, communications, marketing, media, insurance, and social services.
Lebanese threat actor
Iranian services install malware on phones of Iranian protesters following their arrest
Germany's cybersecurity agency reportedly took down a web server used to control malware deployed by the Iranian government. The government used the malware, an Android remote access trojan dubbed L3MON, to monitor opposition supporters. The Iranian military manually installed the malware on the phones of arrested protesters. Although the German authorities have decommissioned the server used by the malware, they say the danger remains and potential targets should reset their smartphones, as the trojan does not have a persistence feature.
Iranian threat actor
Android malware for surveillance operations against Iranian citizens
Researchers from ESET identified a new version of the Android malware FurBall, which the threat actor Domestic Kitten uses to conduct mobile surveillance operations against Iranian citizens. Since June 2021, the threat actor has reportedly been distributing the malware as a translation app via a copycat of an Iranian website that provides translated articles, journals, and books. The Domestic Kitten campaign, dating back to at least 2016, is still ongoing.
Iranian threat actor
Indian threat actor targets Pakistan
Researchers at Zscaler discovered that the India-linked SideWinder threat actor is using a new malware, dubbed WarHawk, in campaigns targeting Pakistan. SideWinder has been active since at least 2012, with a history of targeting government, military, and businesses throughout Asia, particularly Pakistan.
Indian threat actor
Suspicious activities of France-based company
News outlet Mediapart uncovered that a France-based private company called Avisa Partners is involved in misinformation activities on behalf of miscellaneous public or private customers in France and in foreign countries. Mediapart also says that the company is involved in the hack of an African telecommunication operator. The cyberattack reportedly aimed to spy on communications of opponents to the regime in Chad. Avisa Partners claims, however, that the Chadian government hacked the phone system and Avisa Partners were only a recipient of the report.
PSOA
State-backed hackers stole data from US defence organisation
On October 4, the US government released an alert about state-backed hackers using the custom CovalentStealer malware and the Impacket framework to steal sensitive data from a US organisation in the Defense Industrial Base sector. The compromise lasted for about ten months, and it is likely that multiple advanced persistent threat groups compromised the organisation, some of them gaining initial access through the victim’s Microsoft Exchange Server in January last year.
Unspecified threat actor
Budworm returns to targeting in the Middle East, Asia and US
According to Symantec, a threat actor dubbed Budworm has mounted attacks over the past six months against strategically significant targets, including the government of a Middle Eastern country, a multinational electronics manufacturer, and a US state legislature. The latter attack is the first time in some years Budworm is targeting a US-based entity. Along with the above targets, the group also conducted an attack against a hospital in South-East Asia.
Unspecified threat actor
Cyberespionage campaign targeting Russian companies
The Russian company Kaspersky Lab found that a large-scale cyberespionage campaign is targeting Russia. The attackers use phishing techniques with malicious Word documents sent by email to employees of Russian companies.
Unspecified threat actor

Cybercrime

Ransomware

Decryptor for Hades
The antivirus company Avast released, on October 4, a free decryptor for variants of the Hades ransomware. The decryptor works thanks to a flaw discovered in the ransomware's encryption scheme.
Decryptor
Guatemala Ministry of Foreign Affairs breached by ransomware
Onyx, a ransomware threat actor, claimed responsibility for the breach of Guatemala's Ministry of Foreign Affairs. The incident caused temporary system outages. The threat actor offered a link to leaked files.
Diplomacy
Cybercriminals hit Australian Defence communications platform with ransomware
Cybercriminals hit the Australian Defence's ForceNet external service, which Australian military personnel and defence staff use, with a ransomware attack. According to Assistant Minister for Defence Matt Thistlethwaite, the incident has not compromised data. Reporting from the Australian Broadcasting Corporation, however, cites an unidentified source with knowledge of the investigation who asserts that some private information such as dates of birth and enlistment information belonging to military personnel may have been stolen.
Defence
Large Brazilian health insurance provider breached
On October 18, the ransomware threat actor RansomEXX named Unimed Belem, one of the largest health insurance networks in Brazil, as a victim. The threat actor posted the announcement to their site along with 12 ZIP file links containing data allegedly obtained from the company. On October 13, Unimed Belem had announced it was the victim of a cyberattack and its internal monitoring detected a system breach.
Healthcare,
Insurance
Brazil's government services portal breached
The threat actor Everest Ransom Team claimed the breach of Brazil's federal government service portal and offered 3 TB of data up for sale. The data included documents and personal data of employees as well as VPN login details, credentials, and RDP access. Additionally, the post offers access to a company that serves 5.5 million users.
Government
Vice Society targets the education sector with multiple ransomware families
Vice Society's ransomware and extortion campaigns impact the global education sector, particularly in the US. Their ransomware payloads have shifted over time from BlackCat, QuantumLocker, and Zeppelin to a Zeppelin variant.
Education
Microsoft Exchange servers exploitation led to LockBit ransomware
The South Korea-based firm AhnLab reported that cybercriminals compromised Microsoft Exchange servers through ProxyNotShell, which was a zero day vulnerability at the time, and deployed the Lockbit ransomware on the victim's network.
ProxyNotShell
Links between Ransom Cartel and the REvil gang
Security researchers report links between the Ransom Cartel ransomware operation and the REvil gang. The researchers make this assessment based on code similarities in both operations' encryptors. The REvil gang had shut down in October 2021 following intense pressure from law enforcement. Ransom Cartel emerged in December 2021.
Ransomware rebranding
US government warns of ransomware attacks against public health sector
CISA, the FBI, and the US Department of Health and Human Services warned that a cybercrime group known as Daixin Team is actively targeting the US Healthcare and Public Health sector with ransomware attacks.
Healthcare

Other cybercrime

Live support service spreads malware in supply chain attack
As part of a new supply chain attack, threat actors trojanised the official installer for the Comm100 Live Chat application, a widely deployed SaaS which businesses use to communicate with customers and website visitors.
Supply chain attack
Cybercriminals built a credential-stealing enterprise on code hosting platform
LofyGang, a cybercrime group, stole credentials by distributing 200 malicious packages and fake hacking tools on code hosting platforms. The code hosting platforms included NPM and GitHub. Many of the malicious packages have been removed, but others were still available for download at the time of writing.
Supply chain attack
Private npm packages disclosed via timing attacks
A new form of supply chain attack leverages npm (Node Package Manager) packages. Npm is a package manager for the JavaScript programming language. Using a timing attack, threat actors detect the names of organisation-scoped private packages and then publish public packages masquerading under those names, tricking employees and users into downloading them.
Supply chain attack,
Timing attack
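A defender's counterpart to the npm item above: the masquerading step only works if a scoped dependency can be resolved from the public registry, so a useful control is to verify that every private scope declared in package.json is bound to a private registry in .npmrc (the "@scope:registry=" setting). The script below is an added example written for this brief; it is not code from CERT-EU, npm or any of the reports cited. The package names (@acme, @acme-internal, @legacy), the host npm.internal.example and both input files are constructed for the example.

```javascript
// Added example, not from the CERT-EU brief or from npm: audit a project's scoped
// dependencies against its .npmrc so that every private scope is pinned to a
// private registry. A look-alike package of the same name on the public registry
// then cannot be resolved in place of the private one.
// All inputs are constructed for the example; @acme, @acme-internal, @legacy and
// npm.internal.example are placeholders, not real scopes or hosts.

const PUBLIC_REGISTRY = "https://registry.npmjs.org";

// Constructed package.json: three scoped dependencies and one unscoped one.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "payments-service",
  dependencies: {
    "@acme/auth-client": "^2.1.0",
    "@acme-internal/billing": "1.4.2",
    "@legacy/utils": "0.3.0",
    express: "^4.18.2",
  },
  devDependencies: {
    "@acme/eslint-config": "^5.0.0",
  },
});

// Constructed .npmrc: @acme is bound to a private registry, @legacy is (wrongly)
// bound to the public registry, and @acme-internal is not mapped at all.
const SAMPLE_NPMRC = [
  "# project registry settings",
  "@acme:registry=https://npm.internal.example/",
  "@legacy:registry=https://registry.npmjs.org/",
  "//npm.internal.example/:_authToken=${NPM_TOKEN}",
  "",
].join("\n");

// Strip trailing slashes so registry URLs compare consistently.
function normalizeRegistry(url) {
  return url.trim().replace(/\/+$/, "");
}

// Parse "@scope:registry=URL" lines from .npmrc into a Map of scope -> registry.
function parseNpmrcScopes(npmrcText) {
  const scopes = new Map();
  for (const rawLine of npmrcText.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const match = line.match(/^(@[^:=\s]+):registry=(.+)$/);
    if (match) scopes.set(match[1], normalizeRegistry(match[2]));
  }
  return scopes;
}

// One finding per scoped dependency whose scope would resolve to the public registry.
function auditScopedDependencies(packageJsonText, npmrcText) {
  const pkg = JSON.parse(packageJsonText);
  const scopes = parseNpmrcScopes(npmrcText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (!name.startsWith("@")) continue; // unscoped packages are public by design
    const scope = name.split("/")[0];
    const registry = scopes.get(scope);
    if (registry === undefined) {
      findings.push({ name, scope, problem: "scope not mapped in .npmrc; resolves to the public registry" });
    } else if (registry === PUBLIC_REGISTRY) {
      findings.push({ name, scope, problem: "scope explicitly mapped to the public registry" });
    }
  }
  return findings;
}

// Run the audit on the constructed inputs and report each problem found.
function runAudit() {
  const findings = auditScopedDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC);
  for (const f of findings) console.log(`${f.name}: ${f.problem}`);
  return findings;
}

runAudit();
```

On the constructed inputs the audit reports @acme-internal/billing (scope never mapped) and @legacy/utils (scope mapped to the public registry) and passes @acme. In a real project the two inputs are read from disk and the script is run in CI so that a dependency whose scope would fall through to the public registry fails the build before install time.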
Hundreds of Microsoft SQL servers backdoored
Security researchers have found a new piece of malware targeting Microsoft SQL servers. The backdoor, called Maggie, has already infected hundreds of machines all over the world. Threat actors control Maggie through SQL queries which instruct it to run commands and interact with files. Its capabilities extend to brute-forcing administrator logins to other Microsoft SQL servers and doubling as a bridgehead into the server's network environment.
Backdoor
Cybercrime group stole 2 million Binance Coins
A cybercrime group stole 2 million Binance Coins (BNB), worth 566 million US dollars, from the Binance Bridge. On October 6, the attacker's wallet received two transactions, each consisting of 1.000.000 BNB. A few hours later, the CEO of Binance tweeted that the cybercriminals had used an exploit in the BSC Token Hub to transfer the BNB to threat actor controlled accounts.
Cryptocurrency
Cryptocurrency platform reportedly suffered a loss of 14,5 million US dollars in cryptocurrency
A threat actor reportedly abused the cryptocurrency platform Team Finance. The incident reportedly resulted in the theft of 14,5 million US dollars in cryptocurrency.
Cryptocurrency
Threat actors steal 100 million US dollars from Mango Markets DeFi trading platform
Solana-based cryptocurrency trading platform Mango Markets confirmed a cybersecurity incident resulting in the theft of 100 million US dollars. Mango Markets reported via Twitter that the threat actors drove up the price by 5 to 10 times in a matter of minutes using an oracle price manipulation and then extracted 100 million US dollars, which was the total equity available on the platform.
Cryptocurrency
Fake WhatsApp distributed through legitimate apps
An unofficial WhatsApp Android application named YoWhatsApp reportedly stole access keys for users' accounts. YoWhatsApp is a messenger app that uses the same permissions as the standard WhatsApp app and is promoted through advertisements on popular Android applications like Snaptube and Vidmate.
Mobile app
Hackers hit cybersecurity conference
Threat actors reportedly targeted the online cyber conference organised by the Australian Institute of Company Directors and forced the organisers to cancel the event. Participants attempted to access the conference via the LinkedIn video streaming service on October 24, but the conference never went live. Instead, participants received an Eventbrite link via the messaging section of the LinkedIn video streaming platform. The link directed individuals to a likely phishing page, asking participants to input their credit card details.
Phishing
Caffeine PhaaS platform provides templates to target Russian- and Chinese-speaking individuals
Caffeine, a phishing-as-a-service (PhaaS) platform, reportedly provides phishing templates designed to target Russian and Chinese end users. Caffeine allegedly offers subscriptions ranging from 250 US dollars for one month to 850 US dollars for six months. The PhaaS kit reportedly can also generate lures imitating a Microsoft 365 login page, which aim to steal Microsoft 365 account credentials.
Phishing as a service

Disruption and hijacking

Hacktivists claim to compromise Russian mobile phone operator's routers
On October 10, TeamOneFist, a supposed pro-Ukraine hacktivist, claimed to have concluded Operation Cataclysm. The operation reportedly targeted Megafon. Megafon is a Russian mobile phone operator that aims to provide data access to on-the-ground users from low-earth orbit satellites. This is the third time that TeamOneFist claims to have attacked Russian satellite systems. They claim to have disrupted two Moscow-based satellite ground stations by sending a high volume of cellular traffic to both satellite constellations in three attack waves. They claim to have caused a day-long outage and to have compromised the configuration of the underlying routers.
Analyst note: These are unverified claims.
Satcoms
Pro-Ukraine TeamOneFist targets Russian research programmes
On October 16, TeamOneFist claimed to have launched a new operation against several research programmes of the Russian Academy of Sciences in Moscow. TeamOneFist claims that one of the routers connected to the academy's network was misconfigured and connected to the internet, which allowed them to access the Russian network.
Research
Pro-Ukraine TeamOneFist targets Russian routers
On October 27, TeamOneFist announced that it was conducting a cyber operation called Kazimierz Pulaski. The aim of the operation was reportedly to destroy 224 Russian routers. The team claims to have developed a technique to monitor compromised routers to help confirm their destruction. To do this, the hacktivists claim to have exploited a zero day vulnerability which makes it impossible to fully boot up the router, thus rendering it irreparable. TeamOneFist also announced that two Polish cyber actors helped with this operation.
Analyst note: None of these claims are confirmed or corroborated.
Routers
2,5 Tbps DDoS attack against Minecraft server
A DDoS attack against Minecraft servers reached a rate of 2,5 Tbps. It lasted for about two minutes and consisted of UDP and TCP packets.
Gaming
Indian energy company Tata Power's IT infrastructure hit by cyberattack
A cyberattack targeted Mumbai-based Tata Power Limited and affected some of its IT systems. According to a Tata Power filing with the National Stock Exchange of India, in response to the attack, the power company took steps to restore impacted systems and implemented improved security procedures for customer-facing portals in an effort to prevent further unauthorised access.
Energy
Data wiper pretends to be ransomware, frames security researchers
According to news media, on October 30, an unspecified threat actor was using the SmokeLoader malware botnet to deliver a new wiper, called Azov. The wiper pretends to be a Ukrainian-origin ransomware. It also mentions a number of known security researchers as contact points, in an effort to frame them. There is no known decryption method, making the malware a wiper.
Data wiper

Information operations

Disinformation before 2022 US midterm elections
The US FBI issued a warning, on October 6, on foreign influence operations that intend to spread disinformation to influence the November 2022 US midterm elections. The agency pointed to the use of spoofed websites, fake social media personas, and publicly available media channels to spread and amplify the intended messages.
Elections
Chinese disinformation operation targeting the US elections
Mandiant has reported, on October 26, that they observed an influence campaign targeting the US political system, to promote narratives favourable for China (PRC). The campaign aimed to compromise US interests and affect the US midterm elections.
Political system,
Elections

Data exposure and leaks

Large data leak dubbed BlueBleed caused by misconfigured data buckets
SOCRadar discovered six large public buckets, containing information of more than 150.000 companies in 123 different countries. SOCRadar dubbed the leaks BlueBleed. The first part of the collection (BlueBleed Part I) is due to a misconfigured Azure Blob Storage (an optimised data depository for storing big volumes of unstructured data).
Microsoft Azure
Modified apps stealing user data
Meta sued Chinese software development companies for allegedly using unofficial WhatsApp Android apps to steal over one million user accounts from Meta's platform. The operation, which started in May 2022, was using modified versions of WhatsApp, delivered outside Google's Play store and reportedly managed to steal more than one million WhatsApp accounts.
Social media
Optus confirms data breach exposed the ID numbers of 2,1 million customers
Optus, an Australian telecom provider, disclosed a cybersecurity incident in September. The company has now confirmed that the incident caused unauthorised access to approximately 2,1 million customer identification numbers.
Telecommunications
2K Games user data for sale online
Video game publisher 2K warned users that threat actors leaked personal data and put it up for sale online following a September 19 security breach.
Gaming
Darkweb marketplace releases massive dump of credit cards to promote its operations
A darkweb marketplace named BidenCash has released 1.221.551 credit card numbers, aiming to promote its position in the cybercriminal market.
Credit cards
Intel's Alder Lake BIOS source code leaked
Intel has confirmed that a source code leak for the UEFI BIOS of Alder Lake CPUs is authentic. Alder Lake is the name of Intel's 12th generation Intel Core processors, released in November 2021. The leak contains 5.97 GB of files, source code, private keys, change logs, and compilation tools.
Analyst note: According to researchers, the leaked data can help security researchers, bug hunters (and attackers) find vulnerabilities and interpret reverse engineering results more easily, which adds to the long-term risk to users.
IT
Toyota customers’ personal data exposed
Toyota discovered that a portion of the T-Connect site source code was mistakenly publicly available on GitHub for almost five years. Toyota T-Connect is the carmaker's official connectivity app that allows owners of Toyota cars to link their smartphone with the vehicle's infotainment system. The published source code contained an access key to the data server that stored customer email addresses and management numbers. The company warned that the incident may have exposed data of more than 296.000 customers.
Automotive
Personal data of 3 million patients exposed
Advocate Aurora Health (AAH), a healthcare system operating 26 hospitals in the US, notified its patients of a data breach that exposed the personal data of 3.000.000 patients. The cause of the incident was an improper use of Meta Pixel on AAH's websites, where patients log in and enter sensitive personal and medical information. Meta Pixel is a JavaScript tracker that helps website operators understand how visitors interact with the site, helping them make targeted improvements.
Healthcare
Australian Clinical Lab suffers data breach
Australian Clinical Labs disclosed a February 2022 data breach that impacted its Medlab Pathology business, exposing the medical records and other sensitive information of 223.000 people.
Healthcare
Australian police secret agents reportedly exposed in Colombian data leak
Threat actors leaked documents stolen from the Colombian government, which caused the exposure of identities of secret agents working for the Australian Federal Police (AFP).
Government
Iranian government suffers data leak
The Iranian Atomic Energy Organisation reportedly confirmed that one of its subsidiaries' email servers suffered a data leak.
Energy
Singaporean online marketplace suffers data leak
Cybercriminals are selling data of 2,6 million Carousell accounts on the darkweb. Carousell is a Singaporean online consumer-to-consumer and business-to-consumer marketplace.
Online marketplace
Large personal and health data breach affecting Australian insurance firm
Australian insurance firm Medibank confirmed that hackers accessed all of its customers' personal data and a large amount of health claims data during a recent ransomware attack.
Insurance,
Health
Amazon leaks data of viewing habits for Prime service
A security researcher discovered a database of user viewing habits in the Amazon Prime service to be accessible over the internet. According to news reports, on October 27, the database contained about 215 million entries but data was anonymised.
Streaming platforms

Significant vulnerabilities

New Microsoft Exchange Zero Day Vulnerabilities
Security researchers at the Vietnamese cybersecurity vendor GTSC published a blog post claiming they have discovered an attack campaign which utilised two zero day bugs in Microsoft Exchange that could allow remote code execution. The attackers chain the pair of zero days to deploy web shells, notably China Chopper, on compromised servers for persistence and data theft, as well as to move laterally to other systems on the victims' networks. Microsoft identified the first vulnerability as CVE-2022-41040, a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. See CERT-EU's SA 2022-068.
Microsoft Exchange
Update: Remote Code Execution in Zimbra Collaboration Suite
A remote code execution vulnerability similar to CVE-2022-30333 (SA2022-063) was reported for Zimbra Collaboration Suite. Tracked as CVE-2022-41352 since September 25, this yet-unpatched flaw is due to an unsafe use of a vulnerable "cpio" utility by Zimbra's antivirus engine Amavis. The exploitation of this vulnerability allows a remote unauthenticated attacker to execute arbitrary code on a vulnerable Zimbra instance. Proofs of concept (PoC) are publicly available for this vulnerability, and it is reportedly being actively exploited. See CERT-EU's SA 2022-069.
Zimbra
Update: FortiOS and FortiProxy Critical Vulnerability
Fortinet released a security advisory to warn about a critical vulnerability (CVSS v3 score: 9.6), tracked as CVE-2022-40684, impacting FortiOS, FortiProxy and FortiSwitchManager. The exploitation of this vulnerability allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. Fortinet is aware of at least one instance where this vulnerability was exploited, hence it is recommended to remediate this vulnerability with the utmost urgency. A proof-of-concept (PoC) exploit and a technical root cause analysis for this vulnerability have been published by the Horizon3.ai security researchers. See CERT-EU's SA 2022-070.
Fortinet
Junos OS: Multiple Vulnerabilities in J-Web
Multiple vulnerabilities have been found in the J-Web component of Juniper Networks Junos OS. One or more of these issues could lead to unauthorised local file access, cross-site scripting attacks, path injection and traversal, or local file inclusion. See CERT-EU’s SA 2022-071.
Junos OS,
J-Web
Apache Commons Text Vulnerability
Apache
OpenSSL Critical Vulnerability
On October 25, the OpenSSL project team announced the upcoming release of OpenSSL version 3.0.7, planned to be available on November 1. This version will fix a critical vulnerability. While there are no technical details about this vulnerability yet, the team urged organisations to inventory systems using OpenSSL and prepare for immediate patching when the fix is released. See CERT-EU's SA 2022-073.
OpenSSL
DoS Vulnerabilities in Pulse Secure Products
On October 13, Ivanti released an advisory regarding two vulnerabilities affecting Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Neurons for Zero-Trust Gateway that could lead to DoS conditions if exploited. It is recommended to upgrade to the latest version of these products. See CERT-EU’s SA 2022-074.
Ivanti Connect Pulse Secure
Type Confusion Vulnerability in Chrome Browser
On October 27, Google released a new version of its Chrome browser fixing a high-severity flaw, identified as CVE-2022-3723. Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild. It is highly recommended to apply the update. See CERT-EU's SA 2022-075.
Chrome
Critical Vulnerability in VMware Cloud Foundation
On October 25, 2022, VMware released a new version of Cloud Foundation (NSX-V) fixing a critical Remote Code Execution vulnerability. VMware has confirmed that exploit code leveraging CVE-2021-39144 against impacted products has been published. It is highly recommended to apply the latest version. See CERT-EU's SA 2022-076.
VMware Cloud Foundation

  1. Conclusions or attributions made in this document merely reflect what publicly available sources report. They do not necessarily reflect our stance.
