[German]The last few hours have seen another rash of cyber attacks on companies and government agencies. Semikron, a German manufacturer of power semiconductor components has fallen victim to a ransomware attack. Peter Berghaus GmbH, a manufacturer of traffic technology and signaling systems, may also have fallen victim to a cyber attack (fraud emails are sent in the company's name). Furthermore, the Spanish Ministry of Science has become a victim of a cyber attack and the European missile manufacturer MBDA as well. Here is a summary of various security incidents.
Advertising
Ransomware at Semikron
The Nuremberg-based manufacturer of power semiconductor components, fell victim to a ransomware attack on Monday, August 1, 2022. The following tweet points to the incident, which the manufacturer describes in this message like this.
SEMIKRON Group has become a victim of a cyber attack by a professional hacker group. As part of this attack, the perpetrators have claimed to have stolen data from our system. Whether this is the case and exactly what data it is is currently being investigated. The authorities responsible for Group headquarters have been informed. As soon as more precise information is available about any data leakage, the affected customers and contractual partners will be informed.
The attack has also led to a partial encryption of our IT systems and files. The entire network is currently being forensically examined and cleaned up.
We immediately initiated all necessary measures to limit potential damage. With the support of external cyber security and forensics experts, we are conducting an investigation into the incident. At the same time, we are working to restore the ability to work in order to minimize the disruption to our employees, customers and contractual partners and to ensure the security of our IT systems as best as possible. In addition, we are being supported by the relevant authorities in the investigation and the coordination of further measures.
Colleagues at Bleeping Computer have elicited that the company was a victim of the LV ransomware. According to a warning issued by the German Federal Office for Information Security (BSI) (which Bleeping Computer probably has), the operators of the ransomware are blackmailing the company and threatening to publish the allegedly stolen data. The company is currently unable or unwilling to say anything about whether and what data was stolen. Bleeping Computer colleagues claimed to have viewed a document with a ransom note from one of the encrypted Semikron systems. According to the document, it was an LV ransomware attack and the group claims to have siphoned off 2TB worth of documents.
Semikron employs more than 3,000 people worldwide in 24 offices and 8 production facilities in Germany, Brazil, China, France, India, Italy, Slovakia, and the U.S., and has 2020 revenues of about 461 million Dollars.
Cyber attack on Peter Berghaus GmbH?
The manufacturer of traffic technology and signaling systems, Peter Berghaus GmbH in Kürten (German), may also have been the victim of a cyber attack. A series of tweets came to my attention on Twitter that suggest abuse.
Advertising
Mails are sent to various recipients (could be a press address list) in the name of Peter Berghaus GmbH, which contains a ZIP file with a fictitious transfer confirmation in the attachment. There is probably a malicious program in the archive. The sent mails do not mean that Peter Berghaus GmbH is involved, because the sender could be fake.
However, their website berghaus-verkehrstechnik[.]de (currently difficult to reach) shows the above notice that fraudulent e-mails are sent in the name of the company. Please do not open the attachments, but delete them. However, the note "We will fix the problem immediately" indicates that their email system, at least for one user account, might be compromised – i.e. a cyber attack has taken place.
Ransomware attack on Spanish ministry
The Spanish Ministry of Science and Innovation had to admit to a successful ransomware attack on its IT systems, as can be seen from the following tweet entnehmen. The ministry's website states that the Spanish National Research Council (CSIC), an organization dependent on the Ministry of Science and Innovation, was the victim of a ransomware-like cyberattack.
What is piquant about the August 2 announcement, in my opinion, is that the attack took place on July 16-17, 2022, and was discovered as early as July 18. The protocol established by the Cybersecurity Operations Centre (COCS) and the National Cryptologic Centre (CCN) was activated immediately. But the notification did not occur until a little over 2 weeks later.
Measures to control and remediate the attack consisted of disrupting access to the network at several centers and following the strict international protocol required to manage the incident and prevent the spread of the attack to centers not directly affected. So far, just over a quarter of CSIC's centers are connected to the network, and the entire network of centers will be restored in the next few days.
He said this attack is comparable to attacks on other research centers such as the Max Planck Institute and the U.S. National Aeronautics and Space Administration (NASA). In the absence of a final investigative report, experts believe the origin of the cyberattack is in Russia and note that no loss or hijacking of sensitive or confidential data has been detected so far.
MBDA confirms data theft
EU missile manufacturer MBDA confirms extortion by cyber criminals following a data theft, but denies a security incident from a hack. Colleagues at Bleeping Computer have revealed some information about this on Twitter and here.
In a statement the manufacturer denies the alleged hack of IT and has filed a report with the police for an extortion attempt. The company writes that MBDA has been the victim of an extortion attempt by a criminal group that falsely claims to have hacked the company's information networks. After the company refused to give in to this extortion threat and pay a ransom, the criminal group disseminated the information on the Internet and made it available for payment.
The investigation by the Italian authorities is ongoing. The origin of the published data has already been clarified: it came from an external hard drive. It had also been confirmed that the company's secured networks had not been hacked. The company's internal review processes have so far shown that the data made available online is neither classified information nor sensitive data.
Cyber attack on German Chambers of Industry and Commerce
German German Chambers of Industry and Commerce (IHK) has been a victim of a cyber attack, as I've reported in the article IHK Opfer eines massiven Cyberangriffs (4.8.2022) within my German blog. All TI systems of the IHK organization has been shut down as a precaution due to a "possible" cyber attack, for security reasons. Currently, intensive work is being done on a solution and defense.
The employees of the 79 chambers of industry and commerce located in Germany cannot work with this because the systems are not available. Bleeping Computer has also an article about this incident here.
Manjusaka as a complement to Cobalt Strike
Cobalt Strike is a framework with flexible features to simulate industrial espionage on one's network, test defenses and increase one's computer security. However, it is also frequently used by real attackers such as APT groups or ransomware gangs.
Above tweet points to this article from Talos, whose security researchers recently discovered a new attack framework called "Manjusaka." This is being used by Chinese groups in the wild in parallel to Cobalt Strike or as a replacement, and is said to have the potential to make its way into the threat landscape. This framework is being promoted as an imitation of the Cobalt Strike framework. Implants for the new malware family are written in the Rust language for Windows and Linux.
A fully functional version of the command and control (C2) server, written in GoLang, with a user interface in simplified Chinese, is freely available. It can be used to easily generate new implants with custom configurations. This increases the likelihood that this framework will be used more widely by malicious actors.
