March 2023 security round-up

Written by Will Shaw | Mar 30, 2023 3:31:58 PM

It’s time for our monthly cybercrime roundup and, as usual, there are plenty of threats and breaches making the news.

Essendant

First off, let’s start with Essendant. Essendant is a wholesale distributor of stationery and office supplies owned by Staples. In March, it experienced a multi-day system outage which prevented its customers and suppliers from placing and completing orders online.

The impact this had on the customers and suppliers of Essendant was significant, and freight carriers were even told to wait on any more pick-ups until further notice. The disruption is understood to have begun on the evening of 6th March. The company contacted customers to inform them of the outage the next day.

The company did not reveal the cause but, a week later, the notorious LockBit ransomware group claimed credit. LockBit is the same group that claimed the cyberattack on Royal Mail at the start of 2023.

Hitachi Energy

Hitachi Energy suffered a data breach this month which affected employees. The company blamed the exploitation of a recently disclosed zero-day vulnerability in Fortra’s GoAnywhere managed file transfer software (a zero-day vulnerability is one that is unknown to the vendor or developers).

Hitachi released a statement on the 17th of March, stating that the Cl0p ransomware gang targeted the GoAnywhere product, and possibly gained unauthorised access to employee data from some countries.

Hitachi has initiated its own investigation into the breach and plans to analyse the scope of the attack. Any affected parties were informed by the company.

Ring

Ring is a home security and smart home company owned by Amazon. This month it has been reported that they’ve suffered a ransomware attack by the Russia-linked ALPHV group, also known as BlackCat. The group posted the company’s logo on their website with a message threatening to leak their data if a ransom is not paid.

It is not yet clear what data was stolen or the amount of the ransom. However, the impact on customers has the potential to be severe. Customer recorded footage, personal information, credit card numbers, addresses, phone numbers, names and passwords could all potentially have been compromised.

Although BlackCat has posted about the attack, neither Ring nor Amazon has yet confirmed that an attack took place.

The Museum of Gloucester

The lesson from this one: cyberattacks are not just over and done with quickly. This month, the Museum of Gloucester has reported that they’re still being affected by a cyberattack that breached their systems over a year ago. This is a result of an attack on Gloucester City Council in 2021, which initially meant benefit payments, planning applications and house sales were delayed. However, the Council has now revealed that the museum continues to be affected.

The museum’s database, which it uses to create exhibitions, was damaged by the malware, and remains inaccessible. In addition, Gloucester City Council has had to rebuild all of their servers since the attack. The attack originated with malware emailed to a council official.

UK crypto startup Euler Labs

Euler Labs is a UK crypto start-up that suffered a damaging cyberattack this month. Threat actors managed to steal around $200 million from its Decentralised Finance (DeFi) lending protocol.

Euler provides a DeFi protocol on Ethereum which claims to allow users to lend and borrow any crypto asset. Hackers managed to enact a “flash loan attack”, which enabled them to steal the large sum of money in various currencies.

Euler says it acted immediately to contain the attack, and shared information with UK and US law enforcement.

3CX

On Thursday 30th March, 3CX CEO Nick Galea confirmed the 3CX desktop app had been compromised in a supply chain attack. The trojanised version of the 3CX VoIP desktop client is being used to target the company’s customers.

More than 600,000 companies use the 3CX phone system, including many high-profile organisations such as American Express, Coca-Cola and the NHS. The malware is able to collect system information and steal data and credentials from Chrome, Edge, Brave and Firefox user profiles.

It’s been reported that both Windows and macOS users are being targeted. The malicious activity is said to include beaconing to actor-controlled infrastructure and deployment of second-stage payloads, and hands-on-keyboard activity has been reported in a small number of cases.

Security vendor CrowdStrike suspects the attack is the work of a North Korean hacking group named Labyrinth Chollima, but Sophos researchers are unable to verify this with full confidence.

Investigations into the attack are ongoing, and Nick Galea has recommended customers uninstall the app and switch to the PWA client.

Staying secure

This month we have continued to see a whole array of attacks and breaches targeting organisations and businesses of every size, wherever they are.

Attacks happening now have long-lasting implications for the businesses and people involved, as we have seen from the Gloucester City Council breach. It’s a stark reminder that cybercrime isn’t something that’s going away, and it’s the responsibility of everyone to keep data and networks secure.

All businesses should be aiming for robust protection. We will continue to keep you up to date with the latest threats in the coming months.

If you want to find out how we could help with your organisation’s cybersecurity needs, get in contact.