Cyber Security Headlines: First American cyberattack, Iran APT campaign, ransomware victims spike
December 26, 2023
First American suffers cyberattack
California-based First American, which provides title insurance and settlement services for real estate companies and mortgage providers, confirmed the cyberattack on Thursday. As of this recording its website remains inaccessible, and the company is using a temporary site at firstamupdate.com. The company joins a number of its industry peers, including Fidelity National Financial, MeridianLink, Tipalti, Moneris, ICBC, and Mr. Cooper, which have suffered ransomware, data breaches, or incidents in recent months.
Iran-linked group targets defense contractors worldwide
Microsoft states that the Iranian cyber-espionage group APT33, also known as Peach Sandstorm, is using the recently discovered FalseFont backdoor malware to attack organizations in the defense industrial base sector. According to Microsoft, “The custom backdoor supports a wide range of functionalities that allow attackers to remotely control infected systems and harvest sensitive information.” The group is known for using password spray attacks in its initial access campaigns.
November saw record numbers of ransomware leak site victims
According to a report from Corvus Insurance, its Threat Intel group observed 484 new ransomware victims posted on leak sites in November. This represents a 39% increase from October and a 110% increase compared with November 2022. The report suggests the uptick was in large part due to LockBit, specifically in relation to the CitrixBleed vulnerability.
Cloud Atlas targets Russian companies
Cloud Atlas is a threat actor group whose origins are unknown, but which has been waging attacks on Russia, Belarus, Azerbaijan, Turkey, and Slovenia for a decade. Its most recent spearphishing attack is focused on a Russian agro-industrial enterprise and a state-owned research company, according to a report from the cybersecurity company F.A.C.C.T., a Russia-based spin-off of Singapore-based Group-IB. Cloud Atlas has also been studied by Kaspersky and Positive Technologies, who described some of its methods, including “hiding their malware from researchers by using one-time payload requests” and “avoiding network and file attack detection tools by using legitimate cloud storage and well-documented software features, in particular in Microsoft Office.”
Akira takes credit for Nissan Oceania breach
Following up on a story we brought you on December 7, the cyberattack on Nissan’s Oceania group, which covers Australia and New Zealand, has now escalated into a threat from the ransomware group Akira to post part of a 100GB haul of documents obtained during that breach. Nissan has refused to pay the ransom, and so Akira stated on Friday that it would reveal some of the material, which includes employee data, project data, clients’ and partners’ information, and NDAs.
Kazakhstan to extradite Russian cyber expert to Moscow despite US requests
In another story featuring the Group-IB spinoff company F.A.C.C.T., its head of network security, Nikita Kislitsin, will be extradited to Moscow to face hacking and extortion charges for breaking into a commercial enterprise and holding its data for ransom. The extradition comes in spite of a request made by the US Department of Justice, which wants Kislitsin moved stateside to face charges related to a 2012 cyberattack and data theft at the social media company Formspring. According to The Record, “Kislitsin’s case [is] the latest dispute between Moscow and Washington over accused Russian cybercriminals and spies held in other countries at the request of the U.S. authorities.”
Toronto Public Library remains ‘crime scene’ after ransomware attack
This follows an attack that occurred in late October. The library, far from being a single building, has 100 branches across the city and employs a staff of 5,000. City Librarian Vickery Bowles stated in a year-end blog post that although certain services have been restored, the library remains a “crime scene” given that employee data was stolen, and a great many computer systems are out of operation. This, she says, has impacted Toronto’s most needy citizens who rely on the library for access to computers and to the internet. Bowles also explained that the lengthy recovery is taking months because “the library needs to bring everything back in a way that allows it to prevent future attacks.”
Last week in ransomware
One of the biggest stories of the past couple of weeks has been the FBI raid on ALPHV/BlackCat, which resulted in the retrieval of a number of decryption and Tor private keys that were then used to decrypt 400 victims for free. As a result of the tug of war between the FBI and BlackCat, who now effectively share the decryptors, some affiliates are choosing to work with LockBit. In addition to the companies already mentioned in this episode, last week saw the University of Buenos Aires suffer a ransomware attack, as well as VF Corporation, the owner of brands like Supreme, Vans, Timberland, and The North Face, which has disclosed not a ransomware attack but a security incident that caused operational disruptions.