At a glance.
- Chinese espionage in Southeast Asia.
- The C-suite's awareness of ransomware attacks.
- New cybercriminal group conducts data-theft extortion.
Chinese espionage in Southeast Asia.
Researchers at Recorded Future are tracking Chinese state-sponsored cyberespionage campaigns primarily targeting Malaysia, Indonesia, and Vietnam, as well as the Philippines, Laos, Cambodia, and Thailand. The operations appear to be in support of China's Belt and Road Initiative:
"The identified intrusion campaigns almost certainly support key strategic aims of the Chinese government, such as gathering intelligence on countries engaged in South China Sea territorial disputes or related to projects and countries strategically important to the Belt and Road Initiative (BRI). The activity highlighted includes a group we track as Threat Activity Group 16 (TAG-16), which has compromised several high-profile military and government organizations across Southeast Asia throughout 2021 using custom malware families such as FunnyDream and Chinoxy. Many of the governments targeted by TAG-16 are engaged in ongoing disputes with China over territorial claims in the South China Sea."
The C-suite's awareness of ransomware attacks.
(ISC)² has published a study looking at executives' view of ransomware and the ways in which security teams can improve communication with the C-suite:
"Respondents were asked to rate their awareness of ransomware prior to high-profile 2021 breaches. 55% described themselves as very aware, and 40% said they were only somewhat aware. 59% of executives rated the communications they received from their cybersecurity teams about ransomware threats and mitigation tactics as excellent or good. Nearly one in five respondents (18%) rated those communications as either poor or very poor. The executives were also asked how those communications have changed in the months following 2021’s high-profile wave of ransomware attacks. While the percentage of those who indicated that the updates are excellent or good increased by 5%, that is still fewer than two-thirds of executives (64%) who highly rate those interactions."
The study also found that most executives were interested in backup and recovery plans in case of a ransomware attack:
"When asked about the most critical information they need from the cybersecurity team, the biggest priority cited by 38% of respondents was for information on strategies to prevent ransomware from impacting data backup and restoration plans. Executives also want to know what it will take to restore minimal operations after compromise (33%), how prepared the organization is to engage law enforcement in the event of an attack (32%), and how prepared it is to engage cybersecurity investigators (30%)."
New cybercriminal group conducts data-theft extortion.
Accenture describes a newly observed cybercriminal group calling itself "Karakurt" that's conducting data theft and extortion attacks. Notably, the threat actor doesn't deploy ransomware and typically targets "smaller companies or corporate subsidiaries versus the alternative big game hunting approach." Karakurt primarily uses stolen VPN credentials to gain initial access:
"Based on our collection sources, Accenture Security is currently aware of over 40 victims spanning multiple industry verticals and sizes. The Karakurt group does not appear to focus on a specific industry vertical or size. Of known victims, 95% are based in North America with the remaining 5% in Europe. From our investigations into the group’s activity, we determined that it typically uses credential access as the initial vector into victims’ networks and utilizes applications already installed to move laterally and exfiltrate data, if available. In addition, the threat group will typically contact the victim multiple times, using different communication methods, to apply additional pressure during extortion attempts."