Blog Post
September 1, 2022
A threat actor that Cisco Talos ties to the Yanluowang ransomware group gained access to Cisco's corporate network in May 2022 through social engineering of a Cisco employee. The attacker first used compromised credentials belonging to the employee, then socially engineered the employee into accepting an MFA push notification, which let the attacker onto the company network. Cisco reports that the attack has been contained and that no ransomware was deployed.
As we have reported before, compromised credentials are an easy and effective source of initial access. On their own they were not enough here, since MFA still stood in the way; combined with additional social engineering, as with the MFA push in this case, they defeat the control that would otherwise stop a stolen password and can lead to financial losses for targeted victims.
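The post does not say how the employee was brought to approve the prompt; one pattern behind many such approvals is MFA push fatigue, where the attacker keeps triggering prompts until the user accepts one. The detection below is an added example, not code from the original post or from Cisco Talos' report. It runs over constructed log lines in an invented `timestamp user=… event=… ip=…` format (a real identity provider's event names and fields will differ) and flags a user who receives a burst of pushes, raising the severity if a push is then approved while the burst is still active.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the original post or from Cisco's report).
# Format assumed for this example: "<ISO timestamp> user=<name> event=<type> ip=<addr>"
SAMPLE_LOG = """\
2022-05-24T09:00:05Z user=alice event=push_sent ip=203.0.113.7
2022-05-24T09:00:09Z user=alice event=push_denied ip=203.0.113.7
2022-05-24T09:00:40Z user=alice event=push_sent ip=203.0.113.7
2022-05-24T09:00:44Z user=alice event=push_denied ip=203.0.113.7
2022-05-24T09:01:10Z user=alice event=push_sent ip=203.0.113.7
2022-05-24T09:01:50Z user=alice event=push_sent ip=203.0.113.7
2022-05-24T09:02:30Z user=alice event=push_sent ip=203.0.113.7
2022-05-24T09:02:41Z user=alice event=push_approved ip=203.0.113.7
2022-05-24T09:05:00Z user=bob event=push_sent ip=198.51.100.2
2022-05-24T09:05:04Z user=bob event=push_approved ip=198.51.100.2
"""


def parse_line(line: str) -> dict:
    """Split one log line into a record with a datetime and key=value fields."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def detect_push_fatigue(log_text: str, threshold: int = 4,
                        window: timedelta = timedelta(minutes=5)) -> list:
    """Flag each user who receives `threshold` or more pushes within `window`.

    A sliding window of push_sent timestamps is kept per user. The first time
    the window fills to `threshold` an alert of severity "medium" is raised;
    if that user then approves a push, the alert is upgraded to "high", since
    an approval after a burst is the outcome the attacker was working toward.
    One alert per user per run keeps the example simple; a production rule
    would re-arm once the window drains.
    """
    recent = defaultdict(deque)   # user -> timestamps of pushes still inside the window
    alerts = []
    flagged = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        user, ts, event = rec["user"], rec["ts"], rec["event"]
        pushes = recent[user]
        while pushes and ts - pushes[0] > window:
            pushes.popleft()          # drop pushes that fell out of the window
        if event == "push_sent":
            pushes.append(ts)
            if len(pushes) >= threshold and user not in flagged:
                flagged.add(user)
                alerts.append({"user": user, "ts": ts, "pushes": len(pushes),
                               "ip": rec["ip"], "severity": "medium"})
        elif event == "push_approved" and user in flagged:
            for alert in alerts:
                if alert["user"] == user:
                    alert["severity"] = "high"
                    alert["approved_at"] = ts
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

With the sample above, alice's fourth push at 09:01:50 fills the window and her approval at 09:02:41 upgrades the alert to high; bob, who approved a single push, is not flagged. Tune `threshold` and `window` to the prompt volume your users legitimately generate, and treat the `ip` field as a pivot for blocking the source of the pushes rather than the user.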
Over 9,000 VNC servers were found exposed online with no password set, among them VNC servers belonging to industrial control systems, which should not be reachable from the internet at all. Virtual Network Computing (VNC) is a platform-independent desktop-sharing system that gives a remote user full graphical access to and control of a machine. Such access is valuable to attackers: a single exposed VNC session can be enough to take over a device and move further into the organization. Even a password-protected VNC server should not face the internet directly, since the classic VNC authentication is a DES challenge/response over a password truncated to eight characters; put VNC behind a VPN or an SSH tunnel.
From Kovrr's threat intelligence data, we see that VNC attack attempts have been rising since the start of the year. The chart below shows the number of newly observed attack attempts per month, normalized to the attempts observed in January 2022: since the start of Q3, monthly attempts have been almost ten times the January baseline.
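The "no password" finding is visible in the first bytes of the VNC (RFB) handshake: after the version exchange, the server lists the security types it accepts, and type 1 ("None") means anyone who can reach the port gets the desktop. The probe below is an added example, not code from the original post or from Kovrr. It parses the version banner and the security-type message for RFB 3.3, 3.7 and 3.8 as defined in the RFB specification, and the `probe()` function runs the handshake only far enough to read those types, without authenticating or requesting a framebuffer. The sample messages in the test are constructed. Only run it against hosts you are authorized to assess.

```python
import socket
import struct

# Security-type identifiers from the RFB (VNC) protocol specification.
SECURITY_INVALID = 0    # connection refused; a reason string follows
SECURITY_NONE = 1       # no authentication at all
SECURITY_VNC_AUTH = 2   # classic VNC challenge/response password


def parse_rfb_version(banner: bytes) -> tuple:
    """Parse the 12-byte 'RFB xxx.yyy\\n' banner the server sends first."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError(f"not an RFB banner: {banner!r}")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def describe_security(data: bytes, minor: int) -> dict:
    """Interpret the security-type message that follows the version exchange.

    RFB 3.3: the server dictates a single security type as a big-endian U32
    (0 means refused, followed by a U32-length-prefixed reason string).
    RFB 3.7/3.8: U8 count, then `count` U8 security types; count 0 means the
    server refused and a U32-length-prefixed reason string follows.
    """
    if minor < 7:
        (sec_type,) = struct.unpack("!I", data[:4])
        types, refusal = [sec_type], None
        if sec_type == SECURITY_INVALID:
            (n,) = struct.unpack("!I", data[4:8])
            refusal = data[8:8 + n].decode("latin-1", "replace")
    else:
        count = data[0]
        if count == 0:
            (n,) = struct.unpack("!I", data[1:5])
            types, refusal = [], data[5:5 + n].decode("latin-1", "replace")
        else:
            types, refusal = list(data[1:1 + count]), None
    if refusal is not None:
        verdict = "refused"
    elif SECURITY_NONE in types:
        verdict = "no_auth"        # exposed with no password: the finding above
    elif SECURITY_VNC_AUTH in types:
        verdict = "vnc_password"   # password-protected, still should not be internet-facing
    else:
        verdict = "other"          # vendor or TLS-based types; inspect manually
    return {"types": types, "refusal": refusal, "verdict": verdict}


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes; recv() may return less than asked for."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during RFB handshake")
        buf += chunk
    return buf


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> dict:
    """Run the RFB handshake up to the security-type message and report it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _recv_exact(s, 12)
        major, minor = parse_rfb_version(banner)
        s.sendall(banner)   # echo the server's version to move on to security negotiation
        if minor < 7:
            data = _recv_exact(s, 4)
            if data == b"\x00\x00\x00\x00":
                data += _recv_exact(s, 4)
                data += _recv_exact(s, struct.unpack("!I", data[4:8])[0])
        else:
            data = _recv_exact(s, 1)
            if data[0] == 0:
                data += _recv_exact(s, 4)
                data += _recv_exact(s, struct.unpack("!I", data[1:5])[0])
            else:
                data += _recv_exact(s, data[0])
        result = describe_security(data, minor)
        result["version"] = f"{major}.{minor}"
        return result


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

A verdict of `no_auth` is exactly the condition behind the 9,000-server figure; `vnc_password` is better but still a target for brute force against the eight-character password, and `refused` usually means the server already has a client attached or has blacklisted the probing address after failed attempts.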
South Staffordshire PLC, the parent company of South Staffs Water and Cambridge Water, confirmed on August 15th that it had suffered a ransomware attack, attributed to the Clop ransomware group. Clop initially claimed the attack was on another, larger water supplier, so it appears Clop had mistaken the identity of its target. The attacked supplier stated that its ability to supply water has not been affected, but data on the water supplier's employees and customers has been leaked.
From Kovrr’s cyber incidents database we learn that around 2% of the known ransomware attacks in 2022 have been attributed to Clop, and that along with critical infrastructure services, Clop commonly targets companies in the legal services and education industries.
A massive phishing campaign, dubbed 0ktapus, which impersonated Okta login pages, compromised thousands of accounts belonging to some 130 organizations, most of them based in the United States. These attacks have already led to several reported breaches, at Twilio, MailChimp and Klaviyo, and to supply chain attacks against customers of these services.
As we have reported before, and as this case shows once again, compromised credentials are an easy and effective source of initial access, and a successful phishing campaign can harvest them at scale.