Latest Cybersecurity News 2021-05-31 Edition

May 31st ISA Cyber News


Canada Post informs 44 large business customers of third-party data breach 

On May 26, Canada Post disclosed that the shipping manifest data for 44 of its large business customers was compromised in a November 2020 cyberattack at Commport Communications, one of its third-party suppliers. The contact information for over 950,000 mail recipients was involved.

Shipping manifests typically include the sender and receiver contact information found on shipping labels, such as names and addresses. In their press release, the Crown corporation advised they conducted a detailed forensic investigation and thorough review of the shipping manifest files disclosed, and determined that:

– The information is from July 2016 to March 2019

– The vast majority (97%) contained the name and address of the receiving customer

– The remainder (3%) contained an email address and/or phone number

Though Canada Post’s investigation found no evidence that any financial information was breached, the disclosed data could be used for targeted social engineering attacks. Canada Post continues to work closely with Commport and external cybersecurity experts to assess further actions.

Canada Post said that Commport Communications, an Aurora, Ontario-based data exchange solution provider, provided notice on May 19 of the data breach. Commport had initially notified Canada Post when it suffered a ransomware attack last fall, but had reassured them that there was no evidence of data disclosure at the time. No details were provided as to what new information had emerged since the initial report.


Researchers from Proofpoint reveal elaborate fake streaming site  

In a fascinating May 26 report, Proofpoint details an elaborate phishing scam that involves broadcast emails, fake call centres, a completely fictitious video streaming website and service.

Launched in early May 2021, the complex scam worked like this: An initial phishing email advised targets that their free trial period on a (fake) streaming service called BravoMovies was coming to an end, and that their credit cards were going to be charged $39.99 per month for an extended, premium plan. The emails provided a contact address in Burbank, California (perhaps mimicking the address of BravoTV, a legitimate site, which is based in suburban Los Angeles), and one of a variety of customer service hotline numbers. The area codes for the numbers reportedly ranged from Pennsylvania to Texas.

The hotlines were staffed by confederates in the scam, who directed callers back to the FAQ section of the fake website. Here, the directions in the “Subscribtion” [sic] section explained how to cancel an account. Clicking the “Cancel” button, in reality, downloaded an Excel file to the user’s computer, at which point the target was instructed to permit editing and allow macros. This, in turn, installed BazaLoader malware on the target machine.

Remarkably, after all the effort expended in coercing the victim to fall for the scam, the Proofpoint researchers said that they found no evidence of a second stage of malware to take advantage of the exploit – a feature commonly found with BazaLoader attacks.

Fake or spoofed sites are commonplace, but the BravoMovies site was particularly elaborate, featuring a host of bogus movie titles and reviews. According to the Proofpoint report, “The threat actors used fake movie posters obtained from various open-source resources including an advertising agency, the creative social network Behance, and the book How to Steal a Dog.”

The fake site has now been shut down.


Tampa Bay area teen crashes Internet service for Pinellas school system 

The constant threat to educational institutions was illustrated yet again on May 26 with a cyber attack on Pinellas County Schools, the board representing schools in the St. Petersburg/Clearwater area in Florida.

According to the Tampa Bay Register, a 17-year-old student launched the attack on the system. The teenager, who cannot be identified, reportedly became “fixated” on the idea of hacking the school district’s network after seeing an online video showcasing the vulnerability of school networks.

Internet service for all 145 schools in the PCS system was knocked offline for two days by the denial-of-service attack. No data breach or ransomware was involved. The 17-year-old was arrested on a felony computer crimes charge and expelled.

Pinellas Schools said they paid Charter-Spectrum, their internet service provider, to provide defenses against this type of denial-of-service attack. However, when the school board’s security system was upgraded in 2020, Charter-Spectrum inadvertently failed to carry forward a key layer of protection. The ISP acknowledged responsibility for the oversight (which has now been corrected), and provided the school with a $23,000 (USD) compensatory credit.


Microsoft issues advisory about new Nobelium hacking campaign 

Microsoft has issued a bulletin about a recently identified wide-scale malicious email campaign launched by Nobelium, the notorious threat actors behind the recent SolarWinds breach.

Microsoft has been tracking the campaign since January 2021. The May 27 advisory describes how the campaign has evolved and been refined over the last few months, culminating in a large coordinated attack leveraging the widely used “Constant Contact” broadcast email service. The latest campaign contained messages purportedly sent from a US-based development organization, intended to distribute malicious links to a wide variety of organizations and industries.

If any of the links are opened by the intended victim, JavaScript code within the destination web page attempts to write an ISO file to the local computer and encourages the target to open it. When launched, the ISO is mounted on the local computer much like an external or network drive, and Cobalt Strike “Beacon” malware is installed and activated.

“Due to the fast-moving nature of this campaign and its perceived scope, Microsoft encourages organizations to investigate and monitor communications matching characteristics described in this report and take the actions described below,” advised the article.

Microsoft’s blog provides additional background and details, and they have developed an extensive list of mitigation strategies and IOCs to monitor. Educate your staff, and review/implement these strategies as appropriate to avoid this latest widespread attack.
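The delivery step described above (a web page whose JavaScript writes a disk image to the visitor’s machine) leaves recognisable traces in the page source. The following heuristic scanner is an added example, not code from Microsoft’s advisory or from ISA; the indicator patterns and both sample pages are constructed here for illustration and are not a vendor signature.

```python
import re

# Heuristic indicators of a web page that uses in-browser JavaScript to write a
# disk image (.iso/.img) to the visitor's computer. Constructed for this example;
# tune and combine with other telemetry before relying on them in production.
INDICATORS = {
    "iso_filename": re.compile(r"""download\s*=\s*["'][^"']+\.(?:iso|img)["']""", re.I),
    "blob_object":  re.compile(r"new\s+Blob\s*\(", re.I),
    "disk_mime":    re.compile(r"application/x-(?:cd-image|iso9660-image)", re.I),
    "b64_decode":   re.compile(r"\batob\s*\(", re.I),
    "auto_click":   re.compile(r"\.click\s*\(\s*\)", re.I),
    "save_blob":    re.compile(r"msSaveOrOpenBlob|createObjectURL", re.I),
}


def score_page(html: str) -> dict:
    """Return the indicators matched in one HTML document and a verdict."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(html))
    # A disk-image filename paired with client-side blob construction is the core
    # signal; the remaining indicators only raise confidence.
    suspicious = "iso_filename" in hits and ("blob_object" in hits or "save_blob" in hits)
    return {"hits": hits, "suspicious": suspicious}


# Constructed samples (not taken from any real campaign page).
BENIGN_PAGE = """<html><body>
<a href="/files/annual-report.pdf" download="annual-report.pdf">Download report</a>
<script>document.title = "Annual report";</script>
</body></html>"""

SMUGGLING_PAGE = """<html><body><script>
var b = new Blob([atob("UExBQ0VIT0xERVI=")], {type: "application/x-cd-image"});
var a = document.createElement("a");
a.href = URL.createObjectURL(b); a.download = "invoice.iso"; a.click();
</script></body></html>"""

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("smuggling", SMUGGLING_PAGE)):
        print(label, score_page(page))
```

Run it over saved copies of pages linked from suspicious mail; the benign sample produces no hits, while the smuggling sample trips every indicator.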
