At a glance.
- Russia targets embassies with ISP-level attacks.
- Second Tea data breach exposes user chats.
- Russian airlines and pharmacies disrupted by cyberattacks.
- Minnesota activates National Guard following St. Paul cyberattack.
- Cybercriminals planted Raspberry Pi in attempt to hack ATMs.
- ShinyHunters was reportedly behind attacks on Qantas, Allianz Life, Adidas, and LVMH.
Russia targets embassies with ISP-level attacks.
Microsoft has published a report on a Russian cyberespionage campaign targeting foreign embassies in Moscow with the ApolloShadow malware. Microsoft attributes the campaign to the FSB-linked threat actor Secret Blizzard (also known as "Turla"). The researchers note, "While we previously assessed with low confidence that the actor conducts cyberespionage activities within Russian borders against foreign and domestic entities, this is the first time we can confirm that they have the capability to do so at the Internet Service Provider (ISP) level. This means that diplomatic personnel using local ISP or telecommunications services in Russia are highly likely targets of Secret Blizzard’s AiTM position within those services."
Second Tea data breach exposes user chats.
404 Media reports that a researcher discovered a second exposed database containing data from the Tea app. Tea is a women-only app that allows users to review dates and share safety tips. The app requires users to upload selfies for verification, which were posted on 4chan last week following the initial breach.
The newly discovered database contains more than a million user messages sent from 2023 up until last week. The messages contain extremely sensitive data involving abortions, cheating partners, and personal information that could be used to dox users. Any Tea user could read the database with their own API key: the key proved who the caller was, but nothing limited a caller to the conversations they actually took part in.
Tea has since disabled its messaging functionality, and told 404 Media that it is in contact with law enforcement.
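The failure described above is authentication without authorization: a valid key opens every conversation, not just the caller's. The following is an added illustration, not Tea's code, and it assumes a hypothetical model in which each user holds an API key and each conversation has a fixed set of participants. The vulnerable handler checks only that the key is valid; the hardened one also checks that the caller is a participant, and answers "not found" for both missing and foreign conversations so the endpoint does not confirm which ids exist.

```python
# Added example (not Tea's code): object-level authorization on a messages endpoint.
# Assumed model: each user holds an API key; conversations have two participants.
# The vulnerable handler authenticates the key and returns any conversation;
# the hardened one also checks that the caller is a participant.

import hmac

# Constructed sample data (hypothetical users, keys and messages).
USERS_BY_KEY = {
    "key-alice-7f3a": "alice",
    "key-bob-19c2": "bob",
    "key-mallory-0e55": "mallory",
}

CONVERSATIONS = {
    101: {"participants": {"alice", "bob"},
          "messages": ["alice: he cancelled twice, red flag?", "bob: run"]},
    102: {"participants": {"alice", "mallory"},
          "messages": ["alice: hi"]},
}


def authenticate(api_key):
    """Return the user id for a valid key, else None. Constant-time compare
    avoids leaking key prefixes via timing; a real service would store hashes."""
    for stored, user in USERS_BY_KEY.items():
        if hmac.compare_digest(stored, api_key):
            return user
    return None


def get_messages_vulnerable(api_key, conversation_id):
    """Authentication only: any valid key can read any conversation."""
    if authenticate(api_key) is None:
        raise PermissionError("invalid API key")
    return CONVERSATIONS[conversation_id]["messages"]


def get_messages_hardened(api_key, conversation_id):
    """Authentication plus authorization: the caller must be a participant.
    Unknown and foreign conversations get the same error so the endpoint
    does not reveal which conversation ids exist."""
    user = authenticate(api_key)
    if user is None:
        raise PermissionError("invalid API key")
    conv = CONVERSATIONS.get(conversation_id)
    if conv is None or user not in conv["participants"]:
        raise PermissionError("not found")
    return conv["messages"]


def can_read(handler, api_key, conversation_id):
    """True if the handler returns messages for this caller, False if it refuses."""
    try:
        handler(api_key, conversation_id)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # mallory is not in conversation 101; only the hardened handler refuses her.
    print("vulnerable:", can_read(get_messages_vulnerable, "key-mallory-0e55", 101))
    print("hardened:  ", can_read(get_messages_hardened, "key-mallory-0e55", 101))
```

The participant check belongs in the data-access layer, not only in the endpoint, so that every path to a conversation (search, export, notifications) goes through the same rule.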
Russian airlines and pharmacies disrupted by cyberattacks.
Aeroflot, Russia's largest airline, cancelled dozens of flights on Monday following IT issues that were reportedly caused by a hacktivist attack. Reuters says the Silent Crow and Cyberpartisans BY hacktivist groups claimed responsibility for the attack, stating on Telegram that they compromised the airline's systems over a year ago and destroyed thousands of servers. It's worth noting that these claims are unverified, and hacktivists tend to exaggerate. These two groups claim to act in the interests of Ukraine and Belarus, respectively.
A separate cyberattack shut down hundreds of pharmacies across Russia this week, The Record reports. The attacks hit Stolichki, which operates approximately 1,000 pharmacies across the country, and Neofarm, which runs more than a hundred pharmacies in Moscow and St. Petersburg. Both chains are owned by the same holding company. The nature of the attack is unclear, but Russia's internet watchdog said DDoS attacks were not involved.
Minnesota activates National Guard following St. Paul cyberattack.
Minnesota has activated its National Guard in response to a disruptive cyberattack that hit the City of St. Paul last week, Reuters reports. The incident forced the city to shut down many of its digital systems, and online payment systems remain offline. 911 and emergency systems are operational. St. Paul Mayor Melvin Carter declared a state of emergency, calling the incident a "deliberate, coordinated, digital attack." The nature of the incident hasn't been disclosed, but Reuters says the city's response suggests ransomware was involved.
Cybercriminals planted Raspberry Pi in attempt to hack ATMs.
Group-IB reports that a cybercriminal group physically planted a Raspberry Pi inside the network of an Indonesian bank in order to withdraw cash from ATMs. The researchers note, "This device was connected directly to the same network switch as the ATM, effectively placing it inside the bank’s internal network. The Raspberry Pi was equipped with a 4G modem, allowing remote access over mobile data."
Group-IB says the crooks' "ultimate target was the ATM switching server, with the intent to deploy CAKETAP – a rootkit designed to manipulate HSM responses – and spoof authorization messages to facilitate fraudulent ATM cash withdrawals." The campaign was disrupted before they succeeded.
The researchers also discovered a new Linux anti-forensics tactic used in the campaign, which is now catalogued by MITRE ATT&CK. MITRE explains, "Adversaries may abuse bind mounts on file structures to hide their activity and artifacts from native utilities."
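The bind-mount trick works because `ps`, `ls /proc` and similar tools read the process's `/proc/<pid>` directory; a bind mount placed over that directory replaces what they see. The mount itself is still recorded in the mount table, so `/proc/self/mountinfo` is a direct place to look. The following is an added detection example, not Group-IB's or MITRE's code; it parses mountinfo lines and flags any mount whose mount point sits at or under `/proc/<pid>`, where nothing legitimate is mounted. The sample mountinfo is constructed: the first three lines are ordinary, one line overlays an empty directory on a hypothetical PID 4242, and one binds `/proc/1` over a hypothetical PID 4343 so that PID appears to be init.

```python
# Added example (not Group-IB's or MITRE's code): look for bind mounts placed over
# per-process directories in /proc, the hiding technique described above.
# Reads /proc/self/mountinfo on a live Linux host; the constructed sample below
# stands in for that file so the logic can be exercised offline.

import os
import re

# Constructed sample of /proc/self/mountinfo. The first three lines are normal;
# mount 250 overlays an empty ext4 directory on /proc/4242, and mount 251
# binds /proc/1 on top of /proc/4343 so the PID looks like init (hypothetical).
SAMPLE_MOUNTINFO = """\
22 30 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw
23 22 0:22 / /proc/sys/fs/binfmt_misc rw,relatime shared:16 - autofs systemd-1 rw,fd=29
30 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
250 22 8:1 /tmp/.empty /proc/4242 rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
251 22 0:21 /1 /proc/4343 rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw
"""

PID_DIR = re.compile(r"^/proc/(\d+)(?:/.*)?$")


def unescape(field):
    """mountinfo encodes space, tab, newline and backslash as octal (\\040 etc.)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Parse mountinfo lines into dicts. Fields before ' - ' are fixed plus
    optional tags; after it come fstype, source and superblock options."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        before, _, after = line.partition(" - ")
        pre = before.split()
        post = after.split()
        entries.append({
            "id": int(pre[0]),
            "parent": int(pre[1]),
            "root": unescape(pre[3]),
            "mount_point": unescape(pre[4]),
            "fstype": post[0],
            "source": post[1] if len(post) > 1 else "",
        })
    return entries


def find_proc_overlays(text):
    """Return one finding per mount whose mount point is /proc/<pid> or below.
    Nothing legitimate mounts there, so each hit is a PID whose real /proc
    entry is being shadowed; report what is covering it."""
    findings = []
    for e in parse_mountinfo(text):
        m = PID_DIR.match(e["mount_point"])
        if not m:
            continue
        findings.append({
            "pid": int(m.group(1)),
            "mount_point": e["mount_point"],
            "covered_by": f"{e['fstype']}:{e['source']}{e['root']}",
        })
    return findings


def scan_live_host(path="/proc/self/mountinfo"):
    """Run the check against the current mount namespace (Linux only)."""
    if not os.path.exists(path):
        return []
    with open(path) as f:
        return find_proc_overlays(f.read())


if __name__ == "__main__":
    for hit in find_proc_overlays(SAMPLE_MOUNTINFO):
        print(f"PID {hit['pid']} shadowed at {hit['mount_point']} by {hit['covered_by']}")
    for hit in scan_live_host():
        print(f"LIVE: PID {hit['pid']} shadowed by {hit['covered_by']}")
```

Two caveats for live use: mountinfo only lists mounts in the reader's own mount namespace, so run the scan from the root namespace (or from the namespace the suspect process lives in), and a bind mount of one `/proc` directory over another has fstype `proc`, which is why the check keys on the mount point rather than on the filesystem type.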
ShinyHunters was reportedly behind attacks on Qantas, Allianz Life, Adidas, and LVMH.
BleepingComputer reports that the ShinyHunters extortion group was behind recent attacks on Qantas, Allianz Life, Adidas, and LVMH. While some reports have attributed the hacks to the Scattered Spider criminal gang, BleepingComputer says this is likely due to the two groups sharing members and using similar tactics. Allan Liska, an intelligence analyst at Recorded Future, told the publication, "[T]he overlapping TTPs between known Scattered Spider and ShinyHunters attacks indicate likely some crossover between the two groups."
BleepingComputer says ShinyHunters used social engineering to compromise the victim organizations' Salesforce instances, tying the attacks to a campaign described by Google in June.