Welcome to your weekly roundup of cybersecurity news. In the current edition, you’ll find information about a new campaign by the threat group behind the SolarWinds supply chain attack, Belgian authorities closing a campaign they think originated in China, and information on a new cybersecurity directive for pipeline operators.
Read on for the news!
SolarWinds hackers are behind a widespread phishing campaign impersonating USAID, Microsoft says -- The same adversary group behind the SolarWinds supply chain attack is now sending out phishing emails masquerading as USAID, Microsoft said in a new report. The threat group is targeting 150 organizations across 24 countries and has targeted 3,000 individual accounts in a blitz of phishing emails since May 25. They’re currently using a hacked email that USAID uses to send marketing emails; a USAID spokesperson said their forensic investigation into the breach is ongoing. At least one of the messages purports to be about “election fraud” documents released by former U.S. President Trump. Experts have called this yet another example of Russian disinformation designed to stoke division in the U.S. electoral. It’s unclear at this time how successful the phishing campaign was.
DHS Orders Pipeline Operators to Report Cyberattacks, Review Security Posture -- The United States government issued a new directive to pipeline operators in light of the ransomware attack against Colonial Pipeline that shut down gas transmission across the Southeast United States. The directive, issued by the TSA, requires pipeline operators “to report all confirmed and potential cyberattacks, improve their incident response by assigning a cybersecurity coordinator, and create a cybersecurity plan based on the results of a comprehensive threat assessment conducted within the next 30 days,” according to Dark Reading. DHS Secretary Alexander Mayorkas said in a statement that the new directive will allow DHS to better identify and react to threats against the pipeline infrastructure.
Belgium uproots cyber-espionage campaign with suspected ties to China -- The Federal Public Service Interior in Belgium said recently that it was the victim of a cyberespionage campaign that began two years ago, according to CyberScoop reporting. The Belgian government agency kicked off the investigation in March following news from Microsoft about the Exchange Server hack. So far there has been no confirmation that the campaign against the Federal Public Service Interior leveraged one of the Microsoft Exchange zero-days or that the revelation of the exploits merely sparked interest in investigating. Regardless, Belgian authorities said the campaign against FPS Interior was Chinese in origin. Thus far, FPS Interior has claimed the damage in their systems was minimal and is now contained.
New Iranian Threat Actor Using Ransomware, Wipers in Destructive Attacks -- A new, likely Iran-backed threat group called Argius is targeting the Middle East and Israel with destructive wiper attacks. The group has been active since at least November 2020, and initially appeared to focus on cyberespionage before shifting to more destructive attacks. The Argius group's preferred tactic for initial access is to try and exploit known vulnerabilities in an organization's public-facing Web applications, according to Dark Reading.
VMware Ransomware Alarm Over Critical Severity Bug -- VMware has patched a critical severity bug in its vCenter Server virtualization management platform that it urges customers to patch as soon as possible. The flaw, if left unpatched, could allow a remote attacker to exploit the vCenter Server and take control of the affected system. The encouragement to patch comes in light of the rise of ransomware attacks worldwide.
Canada Post hit by data breach after supplier ransomware attack -- Canada Post informed 44 of its large commercial customers that a ransomware attack on a third-party service provider exposed shipping information for their customers, according to Bleeping Computer. Threat actors accessed the database of Commport Communications using the Lorenz ransomware and exfiltrated shipping and receiving information for 44 commercial customers and 950,000 receiving customers. Canada Post has hired an external security investigator to look into the breach.
Hackers target Japanese government, transportation entities -- According to local reporting, threat actors have targeted government agencies and transportation organizations in Japan in recent days. Fujitsu’s software-as-a-service platform, ProjectWEB, was infiltrated and 76,000 email addresses from the land, infrastructure and transport ministry were leaked as a result. Narita Airport was also a target, with the goal being to exfiltrate air traffic control data. The attacks come in the run up to the Tokyo Summer Olympics, which were delayed from last year because of the COVID-19 pandemic.
Air India Confirms Data of 4.5M Travelers Compromised -- Air India has confirmed the exfiltration of data from 4.5 million global passengers following a breach of aviation IT provider SITA's Passenger Service System in early March, according to Dark Reading. SITA PSS processes and stores the personal data of Air India customers; the breach impacted personal data registered between Aug. 26, 2011, and Feb. 3, 2021, and includes name, date of birth, contact information, and passport details among others for the 4.5 million individuals. Air India learned of the breach on February 25.