Contents

01. News Bites
  • Microsoft confirms nine-hour global outage was caused by DDoS attack
  • Fortune 50 company pays record $75 million ransom to Dark Angels ransomware gang
  • CrowdStrike faces legal action and market losses after global outage, but may be shielded from major financial impact
  • North Korean malware campaign expands to target Windows, Linux, and macOS systems with advanced tactics
  • Chinese APT10 targets Japanese organisations with stealthy malware campaign, stays undetected for years
02. Conclusion

Quick News Bites

Microsoft confirms nine-hour global outage was caused by DDoS attack

Microsoft confirmed that a nine-hour outage on Tuesday, affecting Microsoft 365 and Azure services worldwide, was caused by a distributed denial-of-service (DDoS) attack. The outage impacted Microsoft Entra, various Microsoft 365 services, and several Azure services, including App Services, Azure IoT Central, and the Azure portal.

In a statement, Microsoft revealed that the DDoS attack triggered its protection mechanisms, but an error in their implementation amplified the impact instead of mitigating it. After identifying the issue, Microsoft made networking configuration changes and performed failovers to restore service.

Microsoft promised to release a Preliminary Post-Incident Review within 72 hours and a Final Review within two weeks. This incident follows several other major outages affecting Microsoft services, including attacks linked to Anonymous Sudan and issues caused by configuration changes.

Fortune 50 company pays record $75 million ransom to Dark Angels ransomware gang

A Fortune 50 company reportedly paid a record-breaking $75 million ransom to the Dark Angels ransomware gang, according to Zscaler ThreatLabz. This is the highest known ransom payment, surpassing the previous $40 million paid by insurance giant CNA after an Evil Corp ransomware attack.

Zscaler did not disclose the name of the company but mentioned it was a Fortune 50 firm targeted in early 2024. Pharmaceutical giant Cencora, ranked #10 on the Fortune 50 list, experienced a cyberattack in February 2024; no ransomware group claimed responsibility, which suggests a ransom may have been paid.

Dark Angels, a ransomware group active since May 2022, employs a "Big Game Hunting" strategy, targeting large companies for significant payouts. They use advanced tactics, including Linux encryptors, to breach networks and encrypt devices, demanding large ransoms. This approach contrasts with other ransomware groups that attack indiscriminately.

CrowdStrike faces legal action and market losses after global outage, but may be shielded from major financial impact

CrowdStrike is facing lawsuits from both investors and customers following the significant incident that caused global outages, though the company may be shielded from legal consequences. On July 19th, an update pushed by CrowdStrike led to around 8.5 million Windows devices entering a Blue Screen of Death (BSOD) loop, impacting sectors like aviation, finance, healthcare, and education.

Insurer Parametrix estimates the total direct financial loss for U.S. Fortune 500 companies, excluding Microsoft, at $5.4 billion, with overall losses reaching $15 billion. Airlines were hit hardest, with Delta losing an estimated $350 million to $500 million.


Despite these legal challenges, CrowdStrike might avoid major financial impacts due to liability limitations and insurance. The company’s shares have dropped by 25%, reducing its market value by over $20 billion.

North Korean malware campaign expands to target Windows, Linux, and macOS systems with advanced tactics

The threat actors behind an ongoing malware campaign targeting software developers have expanded their focus to include Windows, Linux, and macOS systems, revealing new tactics and malware variants. The campaign, known as DEV#POPPER and linked to North Korea, has targeted victims across South Korea, North America, Europe, and the Middle East.

Security researchers reported that this advanced social engineering attack manipulates developers into downloading malicious software disguised as a job interview task. The campaign tricks victims into installing malware from GitHub, including an obfuscated JavaScript payload named BeaverTail, which identifies the operating system and exfiltrates data.

The attack chain also deploys a Python backdoor called InvisibleFerret, which collects system metadata, browser cookies, and more. Recent updates to the malware include enhanced obfuscation, remote monitoring software for persistence, and improved data exfiltration mechanisms, demonstrating the increasing sophistication of the DEV#POPPER campaign.

Chinese APT10 targets Japanese organisations with stealthy malware campaign, stays undetected for years

Japanese organisations have become the target of a Chinese nation-state threat actor, identified as APT10 (also known as Bronze Riverside, ChessMaster, and other aliases), which is leveraging malware families like LODEINFO and NOOPDOOR to steal sensitive information. This ongoing cyber campaign, tracked by Israeli cyber security company Cybereason under the name Cuckoo Spear, has been active for up to three years, often remaining undetected.

The campaign primarily uses spear-phishing emails to distribute these malware strains. LODEINFO functions as the primary backdoor, capable of executing shellcode, logging keystrokes, and exfiltrating files, while NOOPDOOR serves as a secondary backdoor; the actor maintains persistence by exploiting unpatched vulnerabilities in public-facing applications.

This sophisticated attack has been targeting Japanese entities across various sectors. Earlier warnings from JPCERT/CC and disclosures from ITOCHU Cyber & Intelligence highlight the evolving nature of these threats, emphasising the need for heightened cyber security measures within the affected organisations.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.