In this week’s Cyber Weekly Digest we delve into some of the latest cyber security news, including cyber attacks on publishing giant Macmillan and IT services provider SHI. Keep reading to stay up to date on the biggest cyber security stories from across the world.
Publishing giant Macmillan has disabled its network and office connections to recover from a security incident that is likely to be a ransomware attack. It is currently unclear which ransomware gang was behind the attack and whether any sensitive data was stolen. If data was stolen and the ransom is not paid, it is very likely that the ransomware operation will publish the stolen data in the coming weeks. Macmillan has been somewhat opaque about the incident; however, it is starting to re-enable core systems in its network.
Multiple booking websites’ servers have been seized by The Privacy Protection Authority in Israel after their operators failed to address critical security issues that enabled attackers to breach the data of more than 300,000 individuals. At least 10 websites managed by Gol Tours LTD in Israel were shut down. The Privacy Protection Authority confirmed the cyber-attack, and it is believed that an Iranian threat actor, called Sharp Boys, is responsible. The Sharp Boys threat group claimed the attack in June and leaked 300,000 records of customer data a few days later. The group also shared a screenshot from a remote desktop connection showing that they had access to more than two dozen domains allegedly owned by Gol Tours.
A backdoor dubbed “SessionManager” has been used against NGOs, government, military and industrial organisations in Africa, South America, Asia, Europe, Russia, and the Middle East since at least March 2021. Developed in C++, SessionManager is a malicious native-code IIS module that is loaded by some IIS applications to process the legitimate HTTP requests sent to the server. SessionManager has the capability to execute code remotely and to connect to arbitrary network endpoints reachable from the infected server, as well as to read from and write to those connections.
An NPM supply-chain attack dating back to December 2021 leveraged malicious NPM modules containing obfuscated JavaScript code to leave hundreds of downstream desktop apps and websites vulnerable. Supply-chain security firm ReversingLabs discovered that the threat actors behind this campaign were using “typosquatting” to infect developers looking for popular packages. If a developer mistyped a package name and the misspelling matched one of the fake packages created by the threat actor, the desktop app could be fully compromised. The malicious packages, downloaded over 17,000 times, were used to exfiltrate serialized form data to several attacker-controlled domains.
New Jersey-based IT products and services provider SHI has confirmed that its network was hit by a malware attack over the weekend. SHI claims to be one of North America’s largest IT solutions providers, with 5,000 employees and $12.3 billion in revenue in 2021. It also has operations around the world, including in the USA, the UK, and the Netherlands. The company stated that it is currently working with federal bodies including the FBI and CISA, and that there is no evidence to suggest customer data was exfiltrated during the attack.