Cyber Security Headlines – November 22, 2021

US banks will be required to report cyberattacks within 36 hours

The FDIC and Federal Reserve devised rule takes effect April 1, 2022, although enforcement will not begin until May 1. FDIC-supervised financial organizations will need to notify the FDIC-designated point of contact via email, telephone, or other similar methods “as soon as possible and no later than 36 hours” after the organization has determined that a security incident “that rises to the level of a notification incident” has occurred. Bank service providers will also be required to report incidents to banks in case of incidents where banking services are disrupted for more than four hours. Under this rule, “security incidents” refer to any event that result in actual harm to the confidentiality, integrity or availability of information systems. 

(Darkreading)

Microsoft Exchange malware campaign uses stolen internal reply-chain emails

The attacks were orchestrated by ‘TR’, a known threat actor who distributes emails with malicious attachments that drop malware, including Qbot, IcedID, Cobalt Strike, and SquirrelWaffle. Sending the messages from within the organizations allows the attacker to bypass detection since they appear to be a continuation of a previous discussion between two employees. The Excel sheets used in this campaign contain malicious Excel 4.0 macros used to download and execute the malicious DLL.

(Security Affairs and Bleeping Computer)

Conti ransomware group suffers a data breach

Researchers at security firm Prodaft were able to identify the real IP address of one of the servers used by the Conti ransomware group and then access the console for more than a month. The exposed server was hosting the payment portal used by the gang for ransom negotiation with victims. The security firm shared its findings including password files with law enforcement authorities. The PTI team also discovered multiple victim chat sessions and login credentials for MEGA accounts used while contacting the victims. The Conti operators have taken their payment portal offline.

(Security Affairs)

Some Tesla owners unable to unlock cars due to server errors

An outage of the company’s servers that occurred around 4 PM EST on Friday left Tesla owners with a “500 server error” when attempting to communicate with their cars. The outage prevented owners from using the app to get into the car and also reported an incorrect location of the car. Tesla owners reported the issue directly to Elon Musk via Twitter, who replied he was looking into the matter. The outage affected users in USA, South Korea, Australia, and Europe. Users were still able to access their cars using their FOB or card key.

(The Guardian)

Thanks to our episode sponsor, deepwatch

Increasing ransomware attacks and their evolving sophistication have been putting more pressure on security teams than ever before. Luckily, managed detection and response (or MDR) has emerged as a critical component for improving security operations, reducing ransomware risk, and minimizing the overall impact an attack can have. Visit deepwatch.com to see how we help to prevent breaches for our customers, by working together.

UK fighting hacking epidemic as Russian ransomware attacks increase

The National Cyber Security Centre (NCSC) said it tackled a record number of cyber incidents in the UK over the last year, with ransomware attacks originating from Russia dominating its activities. The cybersecurity agency said it had helped deal with a 7.5% increase in cases in the year to August, fueled by the surge of criminal hackers seizing control of corporate data and demanding payment in cryptocurrency for its return. The impact on the British economy is estimated to run into the hundreds of millions of pounds, mostly stemming from the costs of immobilizing businesses.

(The Guardian)

SharkBot Android trojan stealing banking and cryptocurrency accounts

A new Android trojan is taking advantage of accessibility features on mobile devices to siphon credentials from banking and cryptocurrency services in Italy, the U.K., and the U.S. Its main goal is to initiate money transfers from the compromised devices via Automatic Transfer Systems (ATS) technique bypassing multi-factor authentication mechanisms, said researchers. The technique allows the operators to auto-fill fields in legitimate mobile banking apps and initiate money transfers from the compromised devices to a money mule network controlled by the threat actor.

(The Hacker News)

US SEC warns investors of ongoing govt impersonation attacks

The Securities and Exchange Commission (SEC) has warned US investors of scammers impersonating SEC officials in government impersonator schemes via phone calls, voicemails, emails, and letters. The SEC’s Office of Investor Education and Advocacy stated that the calls and messages raised purported concerns about unauthorized transactions or other suspicious activity in the recipients’ checking or cryptocurrency accounts and appeared to be from an SEC phone number and in some cases include the names of real SEC employees for added credibility.

(Bleeping Computer)

Canadian teen arrested for alleged theft of $36.5 million in cryptocurrency

The news of the arrest was disclosed by the Hamilton Police in Ontario, Canada, as a result of a joint investigation conducted by the FBI and the United States Secret Service Electronic Crimes Task Force that started in March 2020. The cryptocurrency has been stolen through a SIM swapping attack that allowed the attackers to bypass 2FA used to protect the wallets containing the funds. “As a result of the SIM swap attack, approximately $46 million CAD worth of cryptocurrency was stolen from a single victim. This is currently the biggest cryptocurrency theft reported from one person.”

(Security Affairs)