GEOPOLITICAL AND CYBERSECURITY RISK WEEKLY BRIEF 5 JULY 2021
On 2 July, multiple reports emerged of a REvil ransomware incident and suspected supply-chain attack on US-based firm Kaseya – a remote management and monitoring (RMM) tool used by multiple managed service providers (MSPs). Kaseya has since appeared on the Happy Blog – REvil’s darknet leak site – and the ransomware gang is demanding a USD70 million ransom in Bitcoin for a universal decryptor. Antivirus firms’ telemetry shows most victim reports are coming from the United Kingdom, South Africa, Canada, Germany, the United States, and Colombia.
The NSA this week issued a security advisory regarding a credential brute-forcing campaign that has been ongoing since at least mid-2019. The campaign, which lasted until early 2021, has been attributed to the Russian GRU Unit 26165, a well-known APT tracked as FancyBear.In the Americas, the US Department of State announced sanctions against 55 current and former officials in El Salvador, Guatemala and Honduras accused of corruption, obstructing justice or undermining democracy. US-based automotive giant Ford announced temporary production suspensions at two plants in July due to an ongoing global shortage of semiconductors.
In Asia, fake news about COVID-19 vaccines features most prominently in recent Chinese disinformation campaigns targeting Taiwan, according to Information Operations Research Group (IORG), a non-governmental group that monitors Chinese information warfare against Taiwan. Reuters news agency reported that a complaint has been filed against the US-based Twitter social media company for its use of a map that did not incorporate disputed territory claimed by India.
In Europe, German authorities thwarted a cyber-attack on a data service provider used by federal agencies and challenged reports that a major assault targeted critical national infrastructure and banks. Croatia became a member of the European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE) – an international organisation focused on countering cyber threats.
A new proof-of-concept exploit, dubbed PrintNightmare, has recently been shared publicly on GitHub. Successful exploitation of the vulnerability can lead to both local privilege escalation (LPE) and remote code execution (RCE). The issue affects the Windows Print Spooler component in every modern version of Windows and Windows Server. The vulnerability was fixed three weeks earlier in Microsoft’s June 2021 Patch Tuesday. However, security researchers said a new PoC exploit can bypass the patch. Others shared the exploit code publicly on GitHub. Attacks leveraging PrintNightmare are highly anticipated.