AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 10/28/2021

NRA responds to reports of Grief ransomware attack

The National Rifle Association (NRA) has released a statement today after a ransomware gang claimed to have attacked the organization. The Grief ransomware gang, which has ties to the prolific Russian cybercrime group Evil Corp, posted about the NRA on its leak site, setting off hours of headlines and concern among the organization's members. By Wednesday afternoon, NRA Public Affairs managing director Andrew Arulanandam took to Twitter to say the organization is doing what it can to protect the data of its members. “NRA does not discuss matters relating to its physical or electronic security. However, the NRA takes extraordinary measures to protect information regarding its members, donors, and operations – and is vigilant in doing so,” Arulanandam said. Cybersecurity researchers began posting about the incident on Wednesday after Grief said it had 13 files allegedly from the NRA’s databases. Analysis of the released documents shows they are minutes from a recent NRA board meeting as well as documents related to grants. The gang threatened to leak more files if the NRA did not pay an undisclosed ransom.


These phishing emails use QR codes to bypass defences and steal Microsoft 365 usernames and passwords

Cyber criminals are sending out phishing emails containing QR codes in a campaign designed to harvest login credentials for Microsoft 365 cloud applications. Usernames and passwords for enterprise cloud services like Microsoft 365 are a prime target for cyber criminals, who can exploit them to launch malware or ransomware attacks, or sell stolen login credentials on to other hackers to use for their own campaigns. Cyber criminals are looking for sneaky new ways to dupe victims into clicking links to phishing websites designed to look like authentic Microsoft login pages, so that victims unwittingly hand over their credentials. One recent campaign detailed by cybersecurity researchers at Abnormal Security sent hundreds of phishing emails that used QR codes to bypass email protections and steal login information. This is known as a “quishing” attack. QR codes are useful to attackers because the link is embedded in an image rather than in the message body, so standard email security protections like URL scanners won’t see any indication of a suspicious link or attachment in the message.


North Korean state hackers start targeting the IT supply chain

The North Korean state-sponsored Lazarus hacking group has switched focus to new targets and was observed by Kaspersky security researchers expanding its supply chain attack capabilities. Lazarus used a new variant of the BLINDINGCAN backdoor to target a South Korean think tank in June, after deploying it to breach a Latvian IT vendor in May. “In the first case discovered by Kaspersky researchers, Lazarus developed an infection chain that stemmed from legitimate South Korean security software deploying a malicious payload,” the researchers said.



Police forces across the world have arrested 150 alleged suspects involved in buying or selling illicit goods on the dark web as part of a coordinated international operation involving nine countries. More than €26.7 million (USD 31 million) in cash and virtual currencies have been seized in this operation, as well as 234 kg of drugs and 45 firearms. The seized drugs include 152 kg of amphetamine, 27 kg of opioids and over 25 000 ecstasy pills. This operation, known as Dark HunTOR, was composed of a series of separate but complementary actions in Australia, Bulgaria, France, Germany, Italy, the Netherlands, Switzerland, the United Kingdom and the United States, with coordination efforts led by Europol and Eurojust. Operation Dark HunTOR stems from the takedown earlier this year of DarkMarket, the world’s then-largest illegal marketplace on the dark web. At the time, German authorities arrested the marketplace’s alleged operator and seized the criminal infrastructure, providing investigators across the world with a trove of evidence. Europol’s European Cybercrime Centre (EC3) has since been compiling intelligence packages to identify the key targets. 


Study Reveals Healthcare Employees Have Unnecessary Access to Huge Amounts of PHI

A new study has revealed widespread security failures at healthcare organizations, including poor access controls, few restrictions on access to protected health information (PHI), and poor password practices, all of which are putting sensitive data at risk. The study, conducted by the data security and insider threat detection platform provider Varonis, involved an analysis of around 3 billion files at 58 healthcare organizations, including healthcare providers, pharmaceutical companies, and biotechnology firms. The aim of the study was to determine whether security controls had been implemented to secure sensitive data and to help organizations better understand their cybersecurity vulnerabilities in the face of increasing threats. The Health Insurance Portability and Accountability Act (HIPAA) requires access to PHI to be limited to employees who need to view PHI for work purposes. When access is granted, the HIPAA minimum necessary standard applies, and only the minimum amount of PHI should be accessible. Each user must be provided with a unique username that allows access to PHI to be tracked. Passwords are required to authenticate users, with the HIPAA Security Rule requiring HIPAA-regulated entities to implement, “procedures for creating, changing, and safeguarding passwords.”


Workers sent home after ransomware attack on major automotive parts manufacturer

German multinational company Eberspächer Group has sent part of its factory workforce home on paid leave while its management and IT teams deal with a ransomware attack that crippled its IT systems over the weekend. The Eberspächer Group currently employs more than 10,000 workers, operates production plants in 80 locations across 28 countries, and is known for building air conditioning, heating, and exhaust systems, which it supplies to almost all of today’s top car brands. “Eberspächer Group was the target of an organized cyberattack. The IT infrastructure is affected,” the company said in a message posted on its website on Monday. “To protect our customers, employees and partners, the necessary steps were taken immediately to counter the attack with targeted measures,” Eberspächer added. The company’s official websites, email systems, office networks, customer portals, and production systems were taken down in the aftermath of the attack, which was detected on Sunday morning.
