At a glance.
- Qilin ransomware gang claims responsibility for attack against Lee Enterprises.
- JavaGhost uses compromised AWS environments to launch phishing campaigns.
- Thai police arrest suspected hacker behind more than 90 data leaks.
- Lotus Blossom cyberespionage campaigns target Southeast Asia.
Qilin ransomware gang claims responsibility for attack against Lee Enterprises.
The Qilin ransomware group yesterday claimed responsibility for an attack against Iowa-based newspaper publisher Lee Enterprises, SecurityWeek reports. The group claims to have stolen around 350 GB of data, including "investor records, financial arrangements that raise questions, payments to journalists and publishers, funding for tailored news stories, and approaches to obtaining insider information." Qilin is threatening to publish the data on March 5th unless the company pays the ransom.
Lee Enterprises, which publishes more than 350 newspapers across 25 US states, sustained a "cyber incident" on February 3rd which disrupted at least 75 of its publications. The company has avoided using the term "ransomware" but it did mention in an SEC filing that the attackers "encrypted critical applications and exfiltrated certain files."
JavaGhost uses compromised AWS environments to launch phishing campaigns.
Palo Alto Networks' Unit 42 warns that the JavaGhost threat actor is compromising misconfigured AWS environments and using them to launch phishing campaigns. The group gains entry to the AWS environments via exposed long-term access keys. Once they've gained access, the attackers use the victim's Amazon Simple Email Service (SES) and WorkMail services to send out phishing emails. Since the emails are sent from a legitimate source, they're more likely to bypass security filters.
To defend against these attacks, Unit 42 recommends that AWS users limit access to administrative rights, rotate IAM credentials regularly, use short-term/just-in-time access tokens, and enable multi-factor authentication.
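The recommendations above translate into two concrete checks a defender can run: look for email-sending API calls (SES, WorkMail) made with a long-term IAM access key rather than a temporary STS credential, and list active keys that are past their rotation age. The following script is an added example, not code from Unit 42 or from the report the item describes. It assumes the documented CloudTrail field names (userIdentity.accessKeyId, eventSource, eventName, sessionContext.attributes.mfaAuthenticated) and the AWS convention that long-term IAM user keys begin with "AKIA" while temporary credentials begin with "ASIA"; every event, account detail and key id in it is constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail records (field names follow the CloudTrail schema,
# all values are made up). e1/e3 show one long-term key sending mail and then
# changing IAM; e2/e4 show a normal role session with temporary credentials.
SAMPLE_EVENTS_JSON = """
[
 {"eventID": "e1", "eventSource": "ses.amazonaws.com", "eventName": "SendEmail",
  "sourceIPAddress": "198.51.100.10",
  "userIdentity": {"type": "IAMUser", "userName": "ops-backup",
                   "accessKeyId": "AKIAEXAMPLE000000001"}},
 {"eventID": "e2", "eventSource": "ses.amazonaws.com", "eventName": "SendEmail",
  "sourceIPAddress": "10.0.5.4",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002",
                   "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
 {"eventID": "e3", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
  "sourceIPAddress": "198.51.100.10",
  "userIdentity": {"type": "IAMUser", "userName": "ops-backup",
                   "accessKeyId": "AKIAEXAMPLE000000001"}},
 {"eventID": "e4", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "sourceIPAddress": "10.0.5.4",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000003",
                   "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}}
]
"""
EVENTS = json.loads(SAMPLE_EVENTS_JSON)

# Constructed IAM key metadata shaped like ListAccessKeys entries.
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": datetime(2024, 6, 1, tzinfo=timezone.utc)},
    {"AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Active",
     "CreateDate": datetime(2025, 2, 15, tzinfo=timezone.utc)},
    {"AccessKeyId": "AKIAEXAMPLE000000005", "Status": "Inactive",
     "CreateDate": datetime(2023, 1, 1, tzinfo=timezone.utc)},
]

EMAIL_SERVICES = {"ses.amazonaws.com", "workmail.amazonaws.com",
                  "workmailmessageflow.amazonaws.com"}
IAM_WRITE_CALLS = {"CreateUser", "CreateAccessKey", "AttachUserPolicy",
                   "PutUserPolicy", "CreateLoginProfile"}


def is_long_term_key(access_key_id):
    """IAM user keys start with AKIA; STS temporary credentials start with ASIA."""
    return access_key_id.startswith("AKIA")


def flag_event(event):
    """Return the reasons an event deserves review (empty list = nothing notable)."""
    reasons = []
    ident = event.get("userIdentity", {})
    key = ident.get("accessKeyId", "")
    mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated", "false")
    long_term = is_long_term_key(key)
    source, name = event["eventSource"], event["eventName"]
    if source in EMAIL_SERVICES and long_term:
        reasons.append("email API called with long-term access key")
    if source == "iam.amazonaws.com" and name in IAM_WRITE_CALLS:
        if long_term:
            reasons.append("IAM write with long-term access key")
        if mfa != "true":
            reasons.append("IAM write without MFA")
    return reasons


def triage(events):
    """Group findings by access key so a single leaked key's activity is seen together."""
    by_key = {}
    for ev in events:
        reasons = flag_event(ev)
        if reasons:
            key = ev.get("userIdentity", {}).get("accessKeyId", "<none>")
            by_key.setdefault(key, []).append((ev["eventID"], ev["eventName"], reasons))
    return by_key


def stale_keys(key_metadata, now, max_age_days=90):
    """Active keys older than max_age_days: the 'rotate IAM credentials' check."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(k["AccessKeyId"] for k in key_metadata
                  if k["Status"] == "Active" and k["CreateDate"] < cutoff)


if __name__ == "__main__":
    for key, findings in triage(EVENTS).items():
        print(key)
        for event_id, name, reasons in findings:
            print(f"  {event_id} {name}: {'; '.join(reasons)}")
    print("keys overdue for rotation:", stale_keys(SAMPLE_KEYS, NOW))
```

Against the constructed data, only the long-term key AKIAEXAMPLE000000001 is flagged (once for the SES call, once for the IAM write), while the MFA-backed role session sending mail in e2 is not, which is the distinction the short-term-credential recommendation aims at. The same key also shows up in the rotation check because it is older than 90 days. On a real account the events would come from a CloudTrail export and the key metadata from IAM, but the logic is unchanged.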
Thai police arrest suspected hacker behind more than 90 data leaks.
Police in Thailand have arrested a 39-year-old Singaporean man suspected of involvement in over ninety data leaks. Group-IB, which assisted in the joint operation between the Royal Thai Police and the Singapore Police Force, said in a press release, "Operating under aliases ALTDOS, DESORDEN, GHOSTR and 0mid16B, the arrested individual was one of the most active cybercriminals in the Asia-Pacific since 2021, targeting companies and businesses in Thailand, Singapore, Malaysia, Indonesia, India, and many more."
The security firm added, "The main goal of his attacks was to exfiltrate the compromised databases containing personal data and to demand payment for not disclosing it to the public. If the victim refused to pay, he did not announce the leaks on dark web forums. Instead he notified the media or personal data protection regulators, with the aim of inflicting greater reputational and financial damage on his victims. Later he also asserted pressure on his victims by sending direct customer notifications via email or via instant messengers to force them into submission."
Lotus Blossom cyberespionage campaigns target Southeast Asia.
Cisco Talos is tracking multiple cyberespionage campaigns by the Lotus Blossom threat actor targeting government, manufacturing, telecommunications, and media entities in Vietnam, Taiwan, Hong Kong, and the Philippines. The researchers note that the operation "appears to have achieved significant success." The campaigns involve the Sagerunex remote access tool, which is exclusively used by Lotus Blossom. The Sagerunex backdoor abuses legitimate cloud services such as Dropbox, Twitter (now X), and Zimbra for its C2 communication.
Talos doesn't attribute Lotus Blossom to any particular nation-state, but Microsoft has previously linked the group to China.