The Good, the Bad and the Ugly in Cybersecurity – Week 3

The Good

This week, it was announced that several members of the ‘SilverTerrier’ group have been arrested. The Nigerian Police Force, along with Interpol, took down eleven members of the criminal outfit as part of Operation Falcon II.

The SilverTerrier group is tied to massive BEC (Business Email Compromise) campaigns across the region. In a BEC scheme, a target organization is tricked into making wire transfers or other payments to a malicious third party rather than the intended recipient.

The operation was carried out in late December 2021, with the resulting arrests taking place across Lagos and Asaba. This is not the first time this group has been disrupted. Many additional members of the SilverTerrier group were arrested back in 2020 as part of Operation Falcon I.

The current operation discovered more than 50,000 possible targets within the group’s crosshairs. One of the suspects was in possession of over 800,000 sets of stolen credentials, said to have been obtained through the group’s usual malicious operations. At present, the IGFCTF (INTERPOL’s Global Financial Crime Taskforce) is working towards seizing or freezing the bank accounts and additional assets tied to the group.

It’s no surprise that email and spam are still the number one attack vectors out there. Criminals know that large corporations are still largely email-dependent when it comes to commerce with third parties, and it is exactly this scenario that they target. It cannot be said enough: be careful what you open and be cautious of what you click. The full Operation Falcon II release can be found here.

The Bad

This week it was disclosed that the Italian fashion company Moncler was the target of a large-scale ransomware attack. The attack took place in the last weeks of 2021 and appears to have been the handiwork of BlackCat, a relatively new RaaS (Ransomware-as-a-Service) operation delivering payloads written in Rust.

The reveal comes on the heels of the BlackCat group publishing some of the pilfered data on their TOR-based victim blog. This includes all of “the logistics activities related to the shipping of final products”. In addition, the company has stated that unauthorized access to potentially sensitive personal information did occur, including information related to employees, consultants, and customers that appeared on the BlackCat leaks site.

The company has admirably taken a firm stance against paying ransoms. In addition, the company has issued a stern warning with regards to the holding and distribution of any of their stolen data.

“Moncler reminds all that information in the possession of cybercriminals is the result of illegal activities and that consequently, the acquisition, use and dissemination of the same constitutes a criminal offense.”

The company also stated that no payment or credit card data was compromised during the attack.

The Ugly

This week, it was revealed that the personal data of over a half-million individuals may have been exposed due to a large-scale cyberattack on a Red Cross contractor, according to an announcement from the ICRC (International Committee of the Red Cross).

The impacted data is highly sensitive as it pertains to the ‘Restoring Family Links’ program. This program is responsible for assisting the reunification of families that have been separated due to extraordinary factors such as natural disasters, war and conflict. The loss or leak of this type of data could be potentially devastating to those involved in the program. The director-general of the ICRC, Robert Mardini, was quoted as saying:

“Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.”

It is stated that the attack, in total, affected data from at least sixty Red Cross and Red Crescent National Societies locations around the world.

While further details of the attack have not yet been released, it is likely that the attack mirrors other attacks by ransomware operators. As such, strong hygiene and prevention are the only means of risk avoidance here.