MSP cybersecurity news digest, July 16, 2024

Cyberattack compromises Indonesia's national data center

Indonesia’s national data center has been attacked by a ransomware group demanding an $8 million ransom, which the government has refused to pay.

The cyberattack has disrupted services of over 200 government agencies nationwide. While some services, like airport immigration, have been restored, efforts are ongoing to recover other services such as investment licensing. The attackers have offered a key for data access in exchange for the ransom. 

Indonesia’s Communication and Informatics Minister confirmed that the government will not pay the ransom, adding that the National Cyber and Crypto Agency is conducting forensics. The ransomware group responsible for the attack is named Brain Cipher. They used the leaked LockBit 3.0 builder with minor modifications, and their ransomware samples have been uploaded to various malware-sharing sites over the past two weeks.

Manufacturing giant Crown Equipment disrupted by cyberattack

Crown Equipment, a major forklift manufacturer with annual revenue of $3.6 billion, confirmed a cyberattack earlier this month that disrupted its manufacturing operations. The company employs 19,600 people and operates 24 plants worldwide.

Employees have reported IT system shutdowns, preventing them from clocking hours, accessing manuals and delivering machinery. Crown confirmed the attack was by an "international cybercriminal organization" and involved a breach due to an employee falling for a social engineering attack. 

The company is working with cybersecurity experts and the FBI, and stated that no personal employee data seems to have been compromised. Crown is gradually restoring systems and allowing employees to make up for lost hours, while also working to minimize the impact on customers.

Cybercriminals tricked users into downloading trojanized Cisco Webex to deploy Hijack Loader 

Threat actors are enticing users with free or pirated commercial software versions to deploy a malware loader called Hijack Loader, leading to the installation of Vidar Stealer.

According to researchers, users were tricked into downloading password-protected archive files containing trojanized copies of the Cisco Webex Meetings App (ptService.exe). Upon extraction and execution of 'Setup.exe,' the Webex application covertly loaded the malware, launching an information-stealing module. Notably, the campaign employs DLL side-loading to stealthily initiate Hijack Loader, facilitating the deployment of Vidar Stealer via an AutoIt script. The malware employs techniques like UAC bypass and CMSTPLUA COM interface exploitation for privilege escalation, subsequently evading Windows Defender. Besides capturing browser credentials with Vidar Stealer, the attack chain includes deploying a cryptocurrency miner on compromised hosts. 

This disclosure follows an increase in ClearFake campaigns using PowerShell scripts to distribute Lumma Stealer, Amadey Loader, XMRig miner and a clipper malware.

Brazilian financial institution Sicoob confirms data leak jeopardizing 1 TB of customer data

Sicoob, one of the largest financial cooperatives in Brazil, with $11.2 billion in assets, has fallen victim to the RansomHub ransomware group, which allegedly accessed over 1 TB of the Brazilian cooperative's data.

The leaked files reportedly include NDAs, personal information of customers and employees and financial statements. The attack was announced via social media accounts like TMRansomMonitor, and the group claims to have attached a sample of the stolen data. RansomHub operates as ransomware as a service (RaaS) and has targeted other notable entities, including Christie's and YKP. 

The group demanded that Sicoob's management contact them within 72 hours to reclaim the data, threatening further exposure and attacks otherwise. Sicoob reported a cyber incident in one of its cooperatives, stating it notified the authorities and worked with experts to investigate the scope of the incident. Sicoob claimed that financial information remains secure, with operations continuing as normal. 

ONNX phishing service targets Microsoft 365 accounts at financial firms

ONNX Store, a new phishing-as-a-service (PhaaS) platform, is targeting Microsoft 365 accounts at financial firms using QR codes in PDF attachments. The platform targets both Microsoft 365 and Office 365 email accounts and uses Telegram bots along with 2FA bypass mechanisms. 

Researchers believe ONNX is a rebranded version of the Caffeine phishing kit managed by MRxC0DER. ONNX attacks, first observed in February 2024, involve phishing emails with PDFs containing QR codes, impersonating HR departments to lure victims into entering their credentials on fake Microsoft 365 login pages. The stolen credentials and 2FA tokens are sent to attackers in real time, allowing them to hijack accounts and exfiltrate sensitive information. 

ONNX is a mature platform, offering customizable phishing templates, encrypted JavaScript for obfuscation and Cloudflare services to hinder takedowns. It is sold in four subscription tiers: Webmail Normal ($150 per month), Office Normal ($200 per month), Office Redirect ($200 per month) and Office 2FA Cookie Stealer ($400 per month). Depending on the tier, these include customizable page elements, 2FA bypass, dynamic codes and Telegram integration.