This month’s cyberattack roundup proves that cybersecurity is only as good as the weakest link in your organization, whether that is someone accidentally clicking the wrong link and downloading malware or a customer service representative falling victim to social engineering and giving threat actors the upper hand.
The more threat intelligence we share as a community, the better equipped we all are to protect ourselves from these types of attacks. In this blog, we share three of the cyber incidents from November to raise awareness and offer our tips for protecting your organization from these types of threats.
Robinhood Customer Data Breach
At the beginning of November, Robinhood experienced a social engineering incident involving a customer support representative. The threat actor gained access to Robinhood systems and stole details of 7 million customers. The actor took a list of email addresses of about 5 million customers and a list of names of a different set of 2 million customers. Once the threat actor obtained the lists, the actor demanded a ransom payment.
It may not seem like much to work with, but with just names and email addresses, threat actors can cause a lot of harm. These details can be sold on the dark web or leveraged for targeted phishing emails. Cybercriminals can fill in the missing pieces using information bought from marketing firms.
If you are a Robinhood customer, we recommend changing the passwords on all accounts that use the email address associated with your Robinhood account and enabling two-factor authentication to reduce the impact of this breach.
Attack Discovered: November 3, 2021
Impact: More than 5 million email addresses and a separate group of 2 million names of customers were taken in the data breach.
Learn more about the Robinhood data breach and its impact in this TechRadar article.
New Ransomware Group — Karakurt Lair
A “new” ransomware group called Karakurt Lair is actively breaching organizations to steal data and hold it for ransom. There is not much published about this threat actor yet, but we’ve seen reports of the group’s activities, and it appears to use infrastructure similar to Ryuk’s. Some think this might be an affiliate group or a rebrand; it could also be an entirely new threat actor.
Karakurt has been seen exploiting virtual private network (VPN) appliances for initial access into environments. It was reported that the group often uses CVE-2021-20016, a flaw in SonicWall VPN appliances.
Like most threat actors, once the group gains entry, it moves laterally to the domain controller. The objective appears to be data exfiltration: the group copies backups to its own environment and then holds the data for ransom.
First Seen: August 2021 (created a Twitter account that is now deactivated)
Impact: Ransom demands can be costly, and it’s best to protect your environment now before a threat actor can do damage.
While there is not much published information online about this group, we recommend ensuring that your domain controller is protected. Read our whitepaper The Domain Controller…An Achilles Heel.
Foreign Threat Actors Breach Defense Contractors
Palo Alto Networks reported that nine organizations in the defense, energy, health care, technology, and education sectors have been breached by a foreign threat actor with potential ties to China. Cybersecurity researchers, working with the National Security Agency (NSA), discovered that the threat actors stole passwords from these organizations with the goal of moving laterally within their networks to establish long-term access. It is believed to be a spying campaign, and while the group seems to be based in China, it’s unclear who is responsible.
CISA, the FBI, and the NSA published a joint alert warning of the ransomware threat and sharing tips for organizations to protect themselves, including using multifactor authentication and monitoring network traffic for anomalies.
Threat Discovered: September 2021
Impact: The growth of a ransomware-as-a-service group like FIN7 could increase ransomware attacks.
Learn more about the threat actors in Palo Alto Networks’ blog.
Threat actors are creative and intelligent individuals who are persistent when they want to get into an organization’s environment. The best way to defend against these human attackers is with real-life human cybersecurity experts, like those at a managed detection and response (MDR) provider.