February’s Security round up

Written by Will Shaw | Feb 28, 2023 9:00:00 AM

As the second month of 2023 comes to a close, there is no let-up in cyber breaches and attacks targeting large and small organisations. In our January round up we saw how big organisations like Royal Mail, T-Mobile, MailChimp and JD Sports had come under attack by ransomware groups such as PLAY and LockBit. With the knock-on effects still being felt for some, let's start off with the latest from the Royal Mail breach.

Royal Mail

Six weeks after the cyber incident that severely disrupted Royal Mail’s international mail service, the organisation has battled to get the service back up and running again. In its latest update on the 23rd February, the organisation has finally restarted the international parcel and letter delivery service through Post Office branches. Royal Mail refused to pay a £67 million ransom sought by the hackers, which is why 11,500 Post Office branches could not handle international mail or parcels for weeks.

Reddit

Social media platform Reddit confirmed early on in February that hackers accessed its source code, internal documents and internal dashboards and systems. This was a result of a successful phishing cyberattack a couple of days earlier which obtained a single employee’s credentials. Hundreds of current and former employees’ details were exposed as well as advertiser information.

Reddit’s chief technology officer said that their systems were hacked by a sophisticated and highly targeted phishing attack. He also said that there was no indication of a breach to their primary production systems.

Google Ads phishing campaign

A new phishing campaign has come to light this month that was designed to abuse Google Ads and harvest Amazon Web Services (AWS) login credentials by sneaking phishing sites into Google Search. The malicious ads ranked second when AWS was searched, directly behind Amazon’s own genuine ad.

To start with, the ad linked directly to the phishing page, but this later changed and a redirection step was added. This was most likely put in place to escape Google’s ad fraud detection system.

The malicious ad took victims to a blogger website under the attacker’s control, which was a copy of a real food blog. Victims were then automatically redirected to a new site that hosted the fake AWS login page and were asked to enter their login details.

Google Ads has come under attack recently from cybercriminals of all kinds because of the alternative route it is offering to find potential victims.

GoDaddy

This month web hosting and domain registrar firm GoDaddy revealed they were targeted by a security breach that was part of a multi-year campaign. The breach enabled cybercriminals to gain access to the company’s systems, steal code and install malware. The company believe the attack was performed by a sophisticated threat actor.

The organisation started receiving customer complaints in December 2022 saying their websites were intermittently being redirected. Analysis showed that hackers had breached the company’s cPanel shared hosting environment and installed malware. This is what caused customer websites to redirect visitors to their sites.

GoDaddy have disclosed that the latest attack was linked to a series of other incidents dating back to 2020.

ESXiArgs ransomware campaign

In the past few weeks there has been a surge in ransomware attacks on systems running VMware ESXi. The unidentified group of hackers are thought to have targeted nearly 5000 victims across the US and Europe. Newly infected targets who have been hit with the ESXiArgs ransomware are mostly in France, Germany, the Netherlands and the UK. It remains unclear how the victims were chosen by the hackers. The ransomware is deemed unusual in that it is only targeting hosts that run VMware ESXi.

Other attacks

Cyber attacks are taking victims globally. Here are some of the other breaches that have happened in February around the world.

FBI – The FBI released a brief statement on a cyber incident which occurred in one of its high-profile offices. It is thought the malicious incident impacted part of the FBI’s network used for investigations of images of child exploitation. The FBI claims it is now under control.

Weee! data breach – Over 1 million customers of the Asian and Hispanic food delivery service Weee! had personal information exposed. The threat actor, IntelBroker, posted some of the leaked data on the hacking forum Breached. Weee! have said no customer payment data was uncovered.

Sharp HealthCare data breach – The largest healthcare provider in San Diego, California had to notify 62,777 patients that their personal information had been exposed. The information included social security numbers, health insurance data and health records.

Atlassian data breach – The Australian software company suffered a serious data breach. The hacking group known as ‘SiegedSec’ claimed they got into the system and stole data relating to staff and floor plans for offices. Emails, names, and departments staff work in were all part of the extracted data.

Keeping up to date

Keeping data secure and cybersecurity up to date is an ongoing battle for any business, and you can see that even the top organisations don’t have their networks completely locked down and secure.

This is why it’s so important to keep up to date with the latest breaches and attacks. Understanding what threats are out there can educate organisations on what to look out for and what steps they should have in place to avoid falling victim to a cyber-attack.

We recommend that all businesses implement layered security. No organisation is immune from attacks, and robust protections are always advisable.

We will continue to keep you up to date with the latest security breaches in the coming months. If you want to find out how we could help with your organisation’s cybersecurity needs, get in contact.