• Garrett O'Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast, having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity, Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.


REvil gang busted by Russian authorities

The infamous REvil ransomware gang has been raided by the Russian authorities in a move that may prove a key moment in the battle against cybercrime. Russia’s FSB security service arrested 14 members, raided 25 locations and seized the equivalent of $7.5 million.

Perspective
REvil’s attacks have hit meat processing firm JBS, electronics firm ACER and Lady Gaga, making them the most notorious ransomware group in history. The US has for some years suggested that the gang had been given safe harbour in Russia, but this is the first time the Russian authorities have taken action. The immediate results – arrests, the seizure of cash, cryptocurrency and luxury assets including 20 cars – are significant, and may mean the end of REvil. But, perhaps more importantly, the arrests may indicate a thawing in US-Russian relations over cybercrime – a shift that may leave more criminal gangs with nowhere to hide.

 


Breach exposes Bunnings customers’ personal details

Thousands of Bunnings shoppers may have had their personal details stolen after a third-party data breach. The breach exposed the data of customers who booked drive-and-collect orders, with the DIY giant quick to reassure shoppers that password and credit card data were not compromised.

Perspective
Names and email addresses were among the data exposed by a breach at US-based booking provider Flexbooker. The incident was resolved within a few hours, but affected some 3.7 million customers around the world – shoppers at NZ gardening chain Kings Plant Barn were also hit. “We're reaching out directly to any customers whose name or email address may have been accessed,” said Bunnings Chief Information Officer Leah Balter. Bunnings has encouraged customers to look out for unusual email and change passwords regularly. It’s a reminder for organisations that guarding your own data isn’t enough – partner leaks can hit your customers and damage your reputation.


Red Cross attack exposes data of half-a-million vulnerable people

A major cyberattack has compromised the data of over 515,000 vulnerable people. The attack hit the Central Tracing Agency (CTA), a database used to help search for missing and detained people around the world.

Perspective
The people affected include individuals separated from their families due to conflict, migration and disaster. “An attack on the data of people who are missing makes the anguish and suffering for families even more difficult to endure,” said Robert Mardini, the Director General of the International Community (ICRC). “We are all appalled and perplexed that this humanitarian information would be targeted and compromised.” The attack hit an external company in Switzerland that stores the ICRC’s data. The hack has prompted Red Cross employees in New Zealand to change their passwords. It’s a reminder that cybercriminals are guided by profits, not morals – charities should be on their guard.

 


$64 million stolen in crypto exchange hack

A major hack has seen $64 million stolen from cryptocurrency exchange Crypto.com. The news comes after several users spotted unauthorised withdrawals. Crypto.com underlined that no customers lost money in the attack and announced changes to its security protocols.

Perspective
Crypto.com is the world’s fourth-largest cryptocurrency exchange, and has been expanding in recent years. On 17 January several users spotted unauthorised withdrawals from their accounts. In response, Crypto.com suspended deposits and withdrawals. Three days later, the company announced it had prevented most fraudulent withdrawals, and fully reimbursed other customers.

In total 483 users were affected. The hack appears to have been facilitated by a problem with two-factor authentication, and Crypto.com has announced it will move to “true multi-factor authentication” and revise its payment protection. Crypto-hacks have hit several exchanges in recent years, and since the space remains only loosely regulated, customers aren’t always guaranteed to get all their funds reimbursed.

 


Telstra collaborates with banks in SIM-swapping clampdown

Telstra has announced that it will work to clamp down on SIM-swapping attacks by sharing information with banks. The banks can now check with Telstra when a new phone number is registered, allowing them to see a risk rating based on recent changes to the customer’s mobile service.

Perspective
SIM swaps, in which a phone number is transferred from one SIM to another, are vital for customers who may have lost or damaged their SIM card. But SIM-swapping attacks, in which criminals convince a mobile operator to switch a victim’s phone number to a SIM card they own, are a serious problem, allowing criminals to bypass the two-step verification used by banks and other services. The scheme will initially focus on the banking sector, and it’s hoped that the risk rating will prompt banks to investigate further in cases where a SIM may have been compromised. SIM-swapping scams are unusual in that they allow criminals to bypass their victims entirely, making this a welcome measure.


Trickbot and Emotet top Australian threat index

Trickbot and Emotet were the most prevalent forms of malware in Australia last month, according to Check Point Research (CPR). FormBook, Dridex and DarkSide followed close behind.

Perspective
Trickbot topped the threats chart for December. The Windows-targeting botnet featured in 2.42% of incidents – a decline of almost 50% from November, when it impacted 4.75% of incidents. Emotet, meanwhile, has returned with a bang. The botnet’s infrastructure was compromised by Europol a year ago, but it returned in November and has been spread widely via spam emails.

Credential harvester FormBook, banking Trojan Dridex and ransomware-as-a-service malware DarkSide all sit at between 1 and 2% of incidents. Malware is a constant threat: organisations can manage risks by fighting back against spoofing, baking cyberawareness into company culture, and moving to zero-trust security models.
