
Black Basta Ransomware Continues to Wreak Havoc: Top Cybersecurity News from the Week of May 8th
What is making headlines in this week’s cybersecurity news? The week has seen a barrage of new ransomware attacks as threat actors double down on critical vulnerabilities in internet-exposed and remote access systems. Here are the top cybersecurity stories from the week:
Black Basta ransomware claims latest victim
The Swiss multinational corporation ABB, a leading provider of electrification and automation technologies, has fallen prey to the notorious Black Basta ransomware group.
Boasting a workforce of over 105,000 and a revenue of $29.4 billion in 2022, ABB was struck by the attack on May 7, 2023, causing notable disruptions in the company’s operations.
BleepingComputer, which reported the attack, detailed its severity: the intrusion reached ABB’s Windows Active Directory and the ransomware was deployed to hundreds of devices.
The repercussions were significant, delaying various projects and disrupting several company factories. To contain the breach, ABB severed VPN connections with its customers so that the threat could not propagate further over those links.
The Black Basta ransomware group has been active since April 2022 and, like most current ransomware operations, runs a double-extortion model in which data is stolen before it is encrypted. Notably, in November 2022, SentinelLabs researchers found evidence linking Black Basta to the financially motivated hacking group FIN7.
New ransomware attacks targeting the US education sector
US federal law enforcement and cybersecurity agencies are warning of a series of cyberattacks by a group known as the Bl00dy Ransomware Gang, which has been exploiting vulnerable, internet-exposed PaperCut print management servers in the education sector across the country.
These attacks occurred in early May 2023, according to a joint cybersecurity advisory issued on Thursday by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA).
The agencies stated, “The Bl00dy Ransomware Gang infiltrated victim networks within the Education Facilities Subsector that had PaperCut servers, vulnerable to CVE-2023-27350, exposed to the internet.”
Regrettably, these operations resulted in data exfiltration and system encryption in several instances. The Bl00dy Ransomware Gang left ransom notes on the compromised systems, demanding payment in return for the decryption of the encrypted files.
CVE-2023-27350 is a critical, now-patched security flaw in certain versions of the PaperCut MF and NG print management software. It allowed a remote attacker to bypass authentication and execute arbitrary code on affected installations. Patching closes the entry point but does not evict an attacker who used it beforehand, so servers that were exposed before the update should also be checked for the follow-on activity described below.
The vulnerability has been exploited in the wild since mid-April 2023. Attackers have primarily used it to deploy legitimate remote monitoring and management (RMM) software, which was then used to install additional payloads such as Cobalt Strike Beacons, DiceLoader and TrueBot on compromised systems.
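Because the chain described above begins with the print server itself launching tools it has no routine reason to run, one host-level check is to look for the PaperCut application server process spawning command interpreters, script hosts or installers, directly or a few levels down the process tree. The following Python is an added example written for this page, not code from PaperCut, CISA or the original article. It assumes the Windows server process is named pc-app.exe and runs over a handful of constructed Sysmon-style process-creation events; the events, hosts, paths and command lines are made up for illustration.

```python
import json
import ntpath
from typing import Dict, List, Tuple

# Assumed name of the PaperCut MF/NG application server process on Windows
# (an assumption of this example, not stated in the article).
PAPERCUT_SERVER = "pc-app.exe"

# Interpreters, script hosts and download/installer utilities that a print
# server process has no routine reason to launch.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe",
    "certutil.exe", "bitsadmin.exe", "curl.exe",
}
MAX_DEPTH = 5  # how far up the process tree to look for the server

# Constructed Sysmon Event ID 1-style records flattened to JSON lines.
# These are made up for the example; they are not real telemetry.
SAMPLE_EVENTS = r"""
{"ts":"2023-05-02T03:14:07Z","host":"print01","pid":1204,"ppid":812,"image":"C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe","parent_image":"C:\\Windows\\System32\\services.exe","cmdline":"pc-app.exe"}
{"ts":"2023-05-02T03:21:40Z","host":"print01","pid":3310,"ppid":1204,"image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe","cmdline":"cmd.exe /c powershell.exe -NoProfile -w hidden -File C:\\Windows\\Temp\\u.ps1"}
{"ts":"2023-05-02T03:21:41Z","host":"print01","pid":3322,"ppid":3310,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","cmdline":"powershell.exe -NoProfile -w hidden -File C:\\Windows\\Temp\\u.ps1"}
{"ts":"2023-05-02T03:22:05Z","host":"print01","pid":3340,"ppid":3322,"image":"C:\\Windows\\System32\\msiexec.exe","parent_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"msiexec.exe /i C:\\Windows\\Temp\\agent.msi /quiet"}
{"ts":"2023-05-02T08:02:11Z","host":"ws17","pid":4100,"ppid":2000,"image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"cmd.exe"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows-style image path."""
    return ntpath.basename(path.replace("/", "\\")).lower()


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines process-creation events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def index_by_pid(events: List[dict]) -> Dict[Tuple[str, int], dict]:
    """Key events by (host, pid) so parents can be looked up by ppid."""
    return {(e["host"], e["pid"]): e for e in events}


def ancestry(event: dict, by_pid: Dict[Tuple[str, int], dict]) -> List[str]:
    """Image names of the ancestors of `event`, nearest parent first.

    When a parent is outside the event window, the parent image recorded
    on the child event is used as the last hop and the walk stops.
    """
    chain: List[str] = []
    cur = event
    for _ in range(MAX_DEPTH):
        parent = by_pid.get((cur["host"], cur["ppid"]))
        if parent is None:
            chain.append(basename(cur["parent_image"]))
            break
        chain.append(basename(parent["image"]))
        cur = parent
    return chain


def detect(text: str) -> List[dict]:
    """Flag suspicious processes that descend from the PaperCut server."""
    events = parse_events(text)
    by_pid = index_by_pid(events)
    alerts = []
    for e in events:
        child = basename(e["image"])
        if child not in SUSPICIOUS_CHILDREN:
            continue
        chain = ancestry(e, by_pid)
        if PAPERCUT_SERVER in chain:
            alerts.append({
                "ts": e["ts"],
                "host": e["host"],
                "pid": e["pid"],
                "process": child,
                # 1 = spawned directly by the server, 2 = grandchild, ...
                "depth": chain.index(PAPERCUT_SERVER) + 1,
                "chain": " <- ".join([child] + chain),
                "cmdline": e["cmdline"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['host']} pid={a['pid']} depth={a['depth']} {a['chain']}")
```

On the constructed sample this flags the cmd.exe, powershell.exe and msiexec.exe launches on print01 (depths 1, 2 and 3) and ignores the ordinary explorer.exe to cmd.exe launch on the workstation. In a real deployment the same logic belongs in the EDR or SIEM query language, and a hit on a server that was exposed before patching is a reason to treat the host as compromised rather than simply to update it.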
Spanish police take down massive cybercrime syndicate
Spain’s National Police have detained 40 individuals associated with the organised crime gang known as Trinitarians, among them two hackers accused of orchestrating bank fraud through phishing and smishing tactics. An additional 15 syndicate members face charges including bank fraud, document forgery, identity theft, and money laundering.
The elaborate fraud operation is believed to have ensnared more than 300,000 victims, resulting in financial losses exceeding €700,000.
According to officials, “The criminal organisation employed hacking tools and sophisticated logistical operations to execute their computer scams.”
The cybercriminals reportedly sent SMS messages containing links to a fraudulent banking site that imitated the victim’s bank. The page harvested login credentials, which the criminals then used to take out loans in victims’ names and to link the stolen cards to cryptocurrency wallets under their control.
The messages were crafted to create urgency, typically instructing recipients to click the link to resolve a supposed security problem with their bank account, which raised the scam’s success rate.
The illicitly obtained cards were used to purchase digital assets, which were subsequently liquidated to finance the group’s activities. This included covering legal costs, sending funds to incarcerated members, and buying narcotics and weapons.
Toyota faces major data leak
Toyota Motor Corp disclosed on Friday that data on 2.15 million customers in Japan had been publicly accessible for nearly a decade because of a cloud misconfiguration. The exposure covered almost all customers who had registered for its main cloud service platforms since 2012, including users of its luxury Lexus brand.
The disclosure comes at a crucial time as Toyota, the global leader in auto sales, is intensifying its efforts towards vehicle connectivity and cloud-based data management. These initiatives are considered critical for the introduction of autonomous driving and other artificial intelligence-enabled features.
According to a Toyota spokesperson, the exposure began in November 2013 and lasted until mid-April 2023; human error had left a cloud system set to public rather than private access. The exposed data could include vehicle locations and the identification numbers of in-vehicle devices. Toyota said it had received no reports of the data being misused, although the absence of such reports is not evidence that the data was never accessed; that can only be established from access logs covering the full exposure window.
For more cybersecurity news, insights and analysis, follow Code Red on Twitter and LinkedIn.