ISA is committed to keeping the security community up to date with the latest cybersecurity news.
Counterfeit CERB Cheques Appearing on the Dark Web
Israel-based security firm KELA has reported examples of counterfeit Canada Emergency Relief Benefit (CERB) cheques available on the dark web. KELA’s cyber intelligence security team identified a number of services selling image files that look just like the CERB relief cheques. After purchasing the bogus cheque files, a fellow cybercriminal can then take the image and customize it by inserting a payee name themselves, or having the service do the graphic editing on their behalf. Once the fake cheque is complete, it can then be deposited into a “drop account.” (Drop accounts are created by cybercriminals, often using stolen or forged credentials, as a clearing station for cashing fake cheques.) The deposits are usually done using mobile deposit services, which sidesteps the need to simulate printed cheque stock and physical counterfeit protection methods.
Dark web sites offered the fake cheques in the amount of $2000 for as little as $60-$75 (all amounts in Canadian dollars). A third site offered fake cheques in “(ANY) BANK ACCOUNTS WITH ANY AMOUNT YOU REQUEST”, but specifically highlighted that “CANADIAN CERB GOVERNMENT CHEQUES [ARE] ALSO AVAILABLE” for $500.
With the emphasis on processing payments now, and following up on fraudulent transactions later, the exposure for financial institutions is heightened. According to a report by the Canadian Broadcasting Company (CBC), behind-the-scenes validation of CERB claims will not begin in earnest until 2021. Given the passage of time and the anonymity of the “drop accounts”, bad actors will be particularly difficult to track down.
Celebrity Law Firm Facing $42M Ransomware Demands
New York-based law firm Grubman Shire Meiselas and Sacks (GSMS) has been hit by a REvil ransomware attack, and has received escalating demands now reaching $42M (US). According to reports in Variety, GSMS’ servers were compromised on May 11, with an estimated 756 Gb of data exfiltrated. The law firm received an original ransom demand of $21M (US) to unlock systems and return the stolen data. To support their demands, the hackers released an excerpt from a contract with performer Madonna, along with a detailed listing of file folders containing contracts, NDAs, private correspondence, and personal contact information. The firm reportedly declined to negotiate with the hackers; in response, over 1 Gb of files relating to the firm’s business with singer/actress Lady Gaga were released to the dark web, and the ransom demands were doubled to $42M. If the demands are not met within a week, the cyberattackers are threatening to release all of the materials in a series of nine instalments.
The law firm describes itself as “universally recognized as one of the premier entertainment and media law firms” in the United States, and is known for representing some of the highest-profile celebrity clients in the world including Bruce Springsteen, U2, Madonna, and Mariah Carey. As of May 18, the firm’s website was still down, only displaying a single page with their corporate logo.
REvil ransomware (also known as Sodinokibi or Sodin) is a sophisticated strain of malware that was first reported in April 2019. Variants of the malware exploit vulnerabilities in the Microsoft operating system and Oracle WebLogic servers to elevate an attacker to admin permissions, disrupt server operations, wipe/encrypt file contents, and/or exfiltrate server data.
Australian Steel Manufacturer Hit by Cyber Attack
On May 15, BlueScope Steel Limited confirmed that its IT systems were affected by a cyber incident. BlueScope, with roots dating back to the 1880s, is headquartered in Melbourne, Australia and maintains operations around the world. BlueScope advised in a media release that the incident was initially identified by one of the company’s American businesses. The company “has reverted to manual operations where possible while it fully assesses the impact and remediates as required.” The company’s Asian, New Zealand, and Ohio-based North Star operations were “largely unaffected” by the incident. However, Tania Archibald, Chief Financial Officer, advised that Australian sales and manufacturing operations had been affected, with “some processes paused” and other business continuing with “some manual processes and workarounds.”
In the release, Ms Archibald, who joined BlueScope in 1996 and has been CFO since March 2018, stated, “We are taking this event extremely seriously. Our people are working diligently to protect and restore our systems, and we are working with external providers to assist us. Our focus remains on being able to service our customers and to maintain safe and reliable operations.” No details on the specific nature of the attack were provided at the time.