A financially motivated threat actor known as UNC3944 has been identified as using SIM swapping attacks to gain access to Microsoft Azure administrator accounts. Mandiant researchers have been tracking the group since May 2022, and claim that UNC3944 heavily relies on SMS and email phishing attacks. The attackers utilise compromised accounts to gain initial access and build persistence whilst avoiding security measures and maintaining access using commercial off-the-shelf tools and reverse SSH tunnels. Mandiant recommends organisations restrict access to remote administration channels and disable SMS as a multifactor authentication method.
In other news, a joint advisory from the Five Eyes agencies has detailed a major Chinese cyber-espionage operation, tracked as Volt Typhoon, which has gained access to several US critical infrastructure sectors. Targets of the spying have ranged from the communications, transportation, maritime, and government sectors to the utility, construction, education, and manufacturing sectors. Microsoft stated that the group has been active since at least mid-2021, and its observed behaviour suggests that the threat actor intends to perform espionage and maintain access for as long as possible.
Researchers at Mandiant have discovered newly identified OT/ICS malware that specialises in disrupting electricity supply and critical infrastructure. Named CosmicEnergy, the malware appears to have been designed to interact with IEC 60870-5-104 (IEC-104) devices, which are commonly used in electric transmission and distribution operations in Europe, the Middle East, and Asia. Attribution is inconclusive, although researchers suggest that this malware could have been created as a Russian red-teaming tool for exercises that simulate an attack on electric infrastructure.
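Because IEC-104 carries no authentication, a common defensive control for the threat described above is to monitor the protocol on the network and alert on control-direction commands (switch and set-point ASDUs) that do not come from the known master station. The following is an added illustration written for this digest, not code from Mandiant's report or from CosmicEnergy itself: it parses raw IEC-104 APDUs (the public 60870-5-104 frame layout), classifies I/S/U frames, and flags control commands from hosts outside an assumed allow-list. The source addresses, the allow-list and the sample frames are all constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# IEC 60870-5-104 type identifiers for control-direction ("process command") ASDUs.
# Types 45-51 are plain commands; 58-64 are the same commands with a CP56Time2a tag.
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step", 48: "C_SE_NA_1 set point (normalised)",
    49: "C_SE_NB_1 set point (scaled)", 50: "C_SE_NC_1 set point (float)",
    51: "C_BO_NA_1 bitstring command", 58: "C_SC_TA_1 single command + time",
    59: "C_DC_TA_1 double command + time", 60: "C_RC_TA_1 regulating step + time",
    61: "C_SE_TA_1 set point + time", 62: "C_SE_TB_1 set point + time",
    63: "C_SE_TC_1 set point + time", 64: "C_BO_TA_1 bitstring command + time",
}


@dataclass
class Apdu:
    fmt: str                         # "I" (data), "S" (supervisory) or "U" (unnumbered)
    type_id: Optional[int] = None    # ASDU type identifier (I-frames only)
    cot: Optional[int] = None        # cause of transmission, low 6 bits (6 = activation)
    common_addr: Optional[int] = None
    ioa: Optional[int] = None        # information object address of the first object


def parse_apdu(data: bytes) -> Apdu:
    """Parse one IEC-104 APDU: 0x68, length, 4 control bytes, optional ASDU."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC-104 APDU")
    if data[1] + 2 != len(data):          # length counts everything after the length byte
        raise ValueError("length mismatch")
    ctrl = data[2:6]
    if ctrl[0] & 0x01 == 0:
        fmt = "I"
    elif ctrl[0] & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    if fmt != "I":
        return Apdu(fmt)
    asdu = data[6:]
    # ASDU header for 104: type(1) VSQ(1) COT(2) common address(2) then IOA(3) + element
    if len(asdu) < 9:
        raise ValueError("ASDU too short")
    type_id = asdu[0]
    cot = asdu[2] & 0x3F                  # bit 7 = test flag, bit 6 = negative confirm
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    return Apdu(fmt, type_id, cot, common_addr, ioa)


@dataclass
class Alert:
    src: str
    reason: str
    type_id: int
    ioa: int


def inspect_flows(records: List[Tuple[str, bytes]], allowed_masters: Set[str]) -> List[Alert]:
    """Flag control commands from hosts that are not the allow-listed master(s)."""
    alerts: List[Alert] = []
    for src, raw in records:
        try:
            apdu = parse_apdu(raw)
        except ValueError as exc:
            alerts.append(Alert(src, f"malformed APDU: {exc}", -1, -1))
            continue
        if apdu.fmt != "I" or apdu.type_id not in CONTROL_TYPE_IDS:
            continue                      # monitoring data, interrogation, keep-alives: ignore
        if src not in allowed_masters:
            alerts.append(Alert(src, "control command from unauthorised host "
                                     f"({CONTROL_TYPE_IDS[apdu.type_id]})", apdu.type_id, apdu.ioa))
    return alerts


# Constructed sample traffic (source IP, raw APDU). Hosts and frames are made up for the example.
SAMPLE = [
    # general interrogation (type 100) from the legitimate master: benign
    ("10.0.0.5", bytes.fromhex("680E00000000" "640106000100000000" "14")),
    # single command (type 45), IOA 1001, "on", from the legitimate master: benign
    ("10.0.0.5", bytes.fromhex("680E02000000" "2D0106000100E90300" "01")),
    # identical single command from an unknown workstation: alert
    ("10.0.0.99", bytes.fromhex("680E02000000" "2D0106000100E90300" "01")),
    # U-frame STARTDT act: connection management, ignored
    ("10.0.0.99", bytes.fromhex("680407000000")),
    # monitoring data (type 1, single-point) from an RTU: ignored
    ("10.0.1.20", bytes.fromhex("680E00000200" "010103000100E90300" "01")),
    # truncated frame: reported as malformed
    ("10.0.1.20", bytes.fromhex("680E000000002D01")),
]

if __name__ == "__main__":
    for alert in inspect_flows(SAMPLE, allowed_masters={"10.0.0.5"}):
        print(f"{alert.src}: {alert.reason} type={alert.type_id} ioa={alert.ioa}")
```

In practice the allow-list would be the master station's address for each RTU, and the same parser can feed a richer rule set (for instance, alerting on activation COT values sent to IOAs outside the engineering inventory), since the point is that in IEC-104 the only thing distinguishing a legitimate command from a rogue one is who sent it.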
Iranian threat actor Agrius has been seen continuing to target entities in Israel, with destructive ransomware attacks masking influence operations. The APT group, now calling both itself and its newest ransomware strain “Moneybird,” has deployed a previously unseen ransomware written in C++, although the researchers did not elaborate on which organisations were victimised. Meanwhile, another Iranian threat group has been attacking Israeli shipping and logistics companies to steal customer data.
The double-extortion ransomware gang, BlackBasta, has shown its predilection for attacking industrial firms, with the publication on its extortion site of data stolen from Rheinmetall. The data was discovered on the site last Saturday, with samples including non-disclosure agreements, technical schematics, passport scans and purchase orders. Meanwhile, Polish news agencies were taken offline by DDoS attacks, which the Polish government attributed to Russian hacktivists.