Blog entry by Les Bell

by Les Bell - Monday, 12 June 2023, 11:37 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


ALPHV Claims Two Australian Scalps

Australian companies continue to fall victim to ransomware attacks, with financial services firm FIIG Securities the latest to be affected. The Ransomware-as-a-Service threat actor ALPHV claims to have exfiltrated 385 GB of data from the firm, including internal company data (employee identity information, accounting data and financial reports, etc.) as well as client documentation and some database contents, according to threat analyst Brett Callow, who tweeted a screenshot from the ALPHV web site. The FIIG Securities web site confirms the breach.

Meanwhile, ALPHV's breach of law firm HWL Ebsworth, which we reported back in early May, continues to reverberate. ALPHV has now posted a claimed 1.45 TB of exfiltrated data, apparently holding back a further 2.55 TB. HWL Ebsworth had previously refused to pay a ransom; holding back some of the data may be a strategy to raise the stakes.

The ramifications of this breach continue to grow, since the Commonwealth Government is a client of the firm, as are the South Australian, Queensland and ACT governments, the Australian Taxation Office and ANZ Bank.

Callow, Brett, "#ALPHV has listed FIIG...", tweet, 11 June 2023. Available online at https://twitter.com/BrettCallow/status/1667565008874803200.

McCombie, Helen and Joanna McCarthy, FIIG Securities Response to Cyber Incident, information page, undated. Available online at https://www.fiig.com.au/research-and-education/credit-research/company-updates/fiig-securities-cyber-incident.

Cyberknow, "AlphV #ransomware gang has now posted...", tweet, 8 June 2023. Available online at https://twitter.com/Cyberknow20/status/1666801872555102208.

Tran, Danny and James Dunlevie, Russian-linked hackers taunt HWL Ebsworth over data breach, claim to have published files to dark web, ABC News, 9 June 2023. Available online at https://www.abc.net.au/news/2023-06-09/russian-linked-hackers-taunt-hwl-ebsworth-over-data-breach/102461608.

BEC Scammers Net $US19 Million Through Australian Bank and Stolen Australian Identities

Unidentified hackers have pulled off a $US19 million ($A25 million) business email compromise scam, using the stolen identities of Australian individuals to set up Australian companies and then moving the funds through an account opened with National Australia Bank.

The scam plot started when the hackers gained access to the email system of Terra Global Capital LLC, an Oakland CA investment house which wanted to move the $US19 million out of San Francisco's First Republic Bank over fears the bank might collapse. To accomplish this, it turned to its investment partner, Anew Climate, which is majority owned by a division of TPG Capital (no connection to the similarly-named Australian telco).

Anew agreed to stash Terra Global's money in its Bank of America accounts, returning it at a later date. However, the companies did not realise that the hackers had already penetrated Terra Global's email system and were preparing to strike. To intercept the funds when they were returned, the hackers had used stolen identity information for several Australians to establish companies - first, Terra Global Capital LLC, registered to a Melbourne man named "Jason", then Terra Global Capital LL, registered by "Allan" from Peakhurst in Sydney, and finally, using the stolen identity of "Michael" from Maitland, Terra Global Capital Pty Ltd. This last company opened an account with National Australia Bank.

The hackers now added a mail forwarding rule in Terra Global's email system, causing emails between Anew and Terra Global's CEO and CFO to be redirected to a third-party email service. Having taken over the email account, the hackers emailed Anew:

"Please find revised wire instructions for the return of funds we have better insurance with the Australian bank than with First Republic bank to cover the funds. Feel free to use 'return of funds' as description. Amounts and bank information can be found in email string below. Copying for your convenience."

with wire transfer instructions to the National Australia Bank. Two days later, Anew received another email from the hackers:

"We confirm safe receipt of the funds in our Australian bank, Thank you. Have a good Easter weekend."

It took ten days for the scam to be discovered, at which point lawyers, the FBI and the US Secret Service all got involved. An order was obtained from the Victorian Supreme Court to freeze the funds held in the NAB account, but only $US1.8 million remained, the rest having been moved to bank accounts in China and Turkey. Apart from the loss of funds, the scam has also distressed the identity theft victims who have received court documents although they allegedly played no part in the scam and were completely unaware.

There's a lesson here about securing and monitoring your email filtering and forwarding rules - in particular, alerting on any new rule that redirects or forwards mail to an external address, or that deletes the original so the account owner never sees it - and about verifying any change to payment instructions by phone to a known number rather than by replying to the email. Not to mention the perils of identity theft.
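As an added example (not code from the original article or from The Age's reporting), the following Python check scans Microsoft 365 Unified Audit Log records for exactly the kind of change the scammers made: an inbox rule that redirects or forwards mail to an address outside the organisation's own domains, or mailbox-level forwarding set with Set-Mailbox. It also flags the BEC tell of hiding the forwarded copy (DeleteMessage on a rule, or DeliverToMailboxAndForward set to False). The log lines, domains, addresses and IPs below are constructed for the example; the Operation, Parameters and cmdlet parameter names match what Exchange Online writes to the audit log, though a real export carries many more fields.

```python
"""Flag mail-forwarding changes that send a mailbox's email outside the
organisation. Input records use Microsoft 365 Unified Audit Log field names
(Operation, UserId, ObjectId, ClientIP, Parameters) but are constructed for
this example, not taken from a real tenant."""
import json
import re
from typing import Iterable

# Cmdlets that can set up forwarding: per-mailbox inbox rules, or
# mailbox-level forwarding via Set-Mailbox.
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Cmdlet parameters that route mail to another recipient.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

# Constructed sample export, one audit record (JSON) per line.
SAMPLE_LOG = """\
{"CreationTime":"2023-04-05T22:14:09","Operation":"New-InboxRule","UserId":"cfo@victim.example","ObjectId":"victim.example/Users/cfo","ClientIP":"203.0.113.10","Parameters":[{"Name":"Name","Value":"Clean up"},{"Name":"From","Value":"partner@anew.example"},{"Name":"RedirectTo","Value":"billing.desk@mail-relay.example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2023-04-06T08:02:31","Operation":"New-InboxRule","UserId":"jane@victim.example","ObjectId":"victim.example/Users/jane","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Team"},{"Name":"ForwardTo","Value":"team-inbox@victim.example"}]}
{"CreationTime":"2023-04-06T09:40:00","Operation":"Set-Mailbox","UserId":"admin@victim.example","ObjectId":"ceo@victim.example","ClientIP":"203.0.113.10","Parameters":[{"Name":"Identity","Value":"ceo@victim.example"},{"Name":"ForwardingSmtpAddress","Value":"smtp:ceo.archive@mail-relay.example.net"},{"Name":"DeliverToMailboxAndForward","Value":"False"}]}
{"CreationTime":"2023-04-06T10:15:22","Operation":"Set-Mailbox","UserId":"admin@victim.example","ObjectId":"ops@victim.example","ClientIP":"198.51.100.7","Parameters":[{"Name":"Identity","Value":"ops@victim.example"},{"Name":"Name","Value":"Operations"}]}
"""


def external_addresses(value: str, internal_domains: set[str]) -> list[str]:
    """Addresses in a parameter value whose domain is not one of ours.
    Copes with 'smtp:addr' prefixes and multi-valued parameters."""
    return sorted({m.group(0).lower() for m in EMAIL_RE.finditer(value)
                   if m.group(1).lower() not in internal_domains})


def find_external_forwarding(records: Iterable[dict], internal_domains: set[str]) -> list[dict]:
    """One finding per forwarding change whose target leaves the organisation."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rec in records:
        if rec.get("Operation") not in FORWARDING_OPS:
            continue
        params = {p["Name"]: str(p.get("Value", "")) for p in rec.get("Parameters", [])}
        targets = sorted({a for name in FORWARD_PARAMS & params.keys()
                          for a in external_addresses(params[name], internal)})
        if not targets:
            continue  # no forwarding, or only to internal recipients
        findings.append({
            "time": rec.get("CreationTime"),
            "operation": rec["Operation"],
            "actor": rec.get("UserId"),
            "mailbox": rec.get("ObjectId"),
            "client_ip": rec.get("ClientIP"),
            "external_targets": targets,
            # Hiding the forwarded copy from the real owner is the BEC tell:
            # DeleteMessage on a rule, or DeliverToMailboxAndForward=False.
            "hides_copy": params.get("DeleteMessage", "").lower() == "true"
                          or params.get("DeliverToMailboxAndForward", "").lower() == "false",
        })
    return findings


def scan(log_text: str, internal_domains: set[str]) -> list[dict]:
    """Parse a JSON-lines export and return the findings."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    return find_external_forwarding(records, internal_domains)


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, {"victim.example"}):
        print(finding)
```

To use it on real data, feed it the AuditData JSON from each Search-UnifiedAuditLog result (one record per line) together with the full list of your accepted domains; any hit with hides_copy true deserves an immediate look at the actor, the client IP and the mailbox concerned.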

Danckert, Sarah, The perfect fall guy: How hackers used stolen Australian IDs to pull off a major US fraud, The Age, 9 June 2023. Available online at https://www.theage.com.au/business/banking-and-finance/the-perfect-fall-guy-how-hackers-used-stolen-australian-ids-to-pull-off-a-major-us-fraud-20230606-p5dece.html.

SharePoint Online Ransomware Operating in the Wild

A report from SaaS application security specialists Obsidian details a SaaS ransomware attack against a company's Microsoft 365 SharePoint Online service. Unlike previous attacks, in which the attackers first encrypted files on a compromised user's machine or mapped drive and then let the sync client push the encrypted copies to SharePoint, in this case there was no compromised endpoint at all: the attacker operated directly against the tenant.

The attack started with the compromise of credentials for a Microsoft 365 Global Administrator service account which did not have MFA/2FA enabled and could be reached from the public internet. The attacker then used this account, from a virtual private server hosted by VDSinra.ru, to create a new Azure Active Directory user called 0mega and grant it elevated roles including Global Administrator, SharePoint Administrator, Exchange Administrator and Teams Administrator.

The admin service account then granted 0mega site collection administrator rights, while removing over 200 existing administrators within a two-hour period. From this point, the VPS endpoint used a Node.js module to exfiltrate hundreds of files, then uploaded thousands of copies of a ransom note named PREVENT-LEAKAGE.txt across the affected sites.

Obsidian's blog post provides full details, along with IOCs and suggested mitigations.
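As an added example (not from the original post or from Obsidian's report), here is a Python hunt over Microsoft 365 Unified Audit Log records for the three signals in the sequence above: a sensitive directory role granted to an account, one actor removing a large number of site collection administrators inside a short window, and the same file name uploaded to many sites. The detectors are generic (any role from the list, any burst size, any file name), so they would catch variants of this pattern and not just this incident. Operation names match the audit log; the record shape is simplified, and the accounts, site URLs and timestamps are constructed for the example.

```python
"""Hunt for the SharePoint Online ransomware pattern in Microsoft 365
Unified Audit Log records: a sensitive directory role granted, one actor
stripping many site collection admins in a short window, and one file name
uploaded across many sites. Records below are constructed, not real."""
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_ROLES = {"Global Administrator", "SharePoint Administrator",
                   "Exchange Administrator", "Teams Administrator"}


def role_grants(records, roles=SENSITIVE_ROLES):
    """Azure AD 'Add member to role.' events that hand out a sensitive role."""
    hits = []
    for r in records:
        if r.get("Operation") != "Add member to role.":
            continue
        props = {p["Name"]: p.get("NewValue", "").strip('"')
                 for p in r.get("ModifiedProperties", [])}
        role = props.get("Role.DisplayName")
        if role in roles:
            # Assumed shape: the Type 5 target entry carries the user's UPN.
            target = next((t["ID"] for t in r.get("Target", []) if t.get("Type") == 5), None)
            hits.append({"time": r["CreationTime"], "actor": r["UserId"],
                         "target": target, "role": role})
    return hits


def removal_bursts(records, window=timedelta(hours=1), threshold=10):
    """Actors who removed >= threshold site collection admins within any window.
    Returns {actor: largest count seen inside one window}."""
    by_actor = defaultdict(list)
    for r in records:
        if r.get("Operation") == "SiteCollectionAdminRemoved":
            by_actor[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    bursts = {}
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[actor] = max(bursts.get(actor, 0), count)
    return bursts


def mass_uploads(records, threshold=5):
    """(actor, file name) pairs uploaded to at least threshold distinct sites."""
    sites = defaultdict(set)
    for r in records:
        if r.get("Operation") == "FileUploaded":
            sites[(r["UserId"], r["SourceFileName"])].add(r["SiteUrl"])
    return {k: len(v) for k, v in sites.items() if len(v) >= threshold}


# --- constructed sample records (not real tenant data) ----------------------
_BASE = datetime(2023, 6, 1, 9, 0, 0)


def _rec(op, user, minutes, **extra):
    return {"Operation": op, "UserId": user,
            "CreationTime": (_BASE + timedelta(minutes=minutes)).isoformat(), **extra}


SVC, NEW, IT = "svc-admin@tenant.example", "0mega@tenant.example", "it@tenant.example"
SAMPLE_RECORDS = [
    _rec("Add member to role.", SVC, 0,
         ModifiedProperties=[{"Name": "Role.DisplayName", "NewValue": '"Global Administrator"', "OldValue": ""}],
         Target=[{"ID": NEW, "Type": 5}]),
    _rec("Add member to role.", IT, 1,   # low-privilege grant, should not fire
         ModifiedProperties=[{"Name": "Role.DisplayName", "NewValue": '"Reports Reader"', "OldValue": ""}],
         Target=[{"ID": "analyst@tenant.example", "Type": 5}]),
]
# 12 admin removals by the service account in 22 minutes; 3 by IT spread over three days.
SAMPLE_RECORDS += [_rec("SiteCollectionAdminRemoved", SVC, 5 + 2 * i,
                        ObjectId=f"https://tenant.sharepoint.example/sites/s{i}") for i in range(12)]
SAMPLE_RECORDS += [_rec("SiteCollectionAdminRemoved", IT, 24 * 60 * d,
                        ObjectId="https://tenant.sharepoint.example/sites/hr") for d in range(3)]
# The new admin drops the same note into six sites; one ordinary upload for contrast.
SAMPLE_RECORDS += [_rec("FileUploaded", NEW, 40 + i, SourceFileName="PREVENT-LEAKAGE.txt",
                        SiteUrl=f"https://tenant.sharepoint.example/sites/s{i}/") for i in range(6)]
SAMPLE_RECORDS.append(_rec("FileUploaded", IT, 50, SourceFileName="budget.xlsx",
                           SiteUrl="https://tenant.sharepoint.example/sites/hr/"))

if __name__ == "__main__":
    print(role_grants(SAMPLE_RECORDS))
    print(removal_bursts(SAMPLE_RECORDS))
    print(mass_uploads(SAMPLE_RECORDS))
```

The thresholds are deliberately conservative; tune the window and counts to your tenant's normal admin churn, and correlate the three signals by actor and time rather than alerting on each alone.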

Obsidian Threat Research Team, SaaS Ransomware Observed in the Wild for Sharepoint in Microsoft 365, blog post, 6 June 2023. Available online at https://www.obsidiansecurity.com/blog/saas-ransomware-observed-sharepoint-microsoft-365/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
