
Cyberattacks on Italy – A growing concern

Threat Actors shifting focus to critical Vulnerabilities in supply chains

Cyble Research & Intelligence Labs (CRIL) has recently seen a rise in cyberattacks targeting Italian companies and government/public entities. As the 8th largest economy in the world and the 4th in the EU, Italy is bound to be a lucrative target for cybercriminals. On top of this, the Russia-Ukraine conflict has expanded the threat landscape and reshaped the attack surface, with vulnerabilities and exposures being disclosed more frequently than before. Meanwhile, the increasing sophistication of the tools and techniques adopted by threat actors has exposed gaps in the cybersecurity infrastructure of Italian organizations and entities.

Recently, in September 2022, the Italian government was unnerved by cyberattacks targeting its energy sector at a time when the entire European Union was battling energy concerns. Economic indicators place Italy among the top 10 exporters of services and manufactured goods worldwide, making it essential to the entire value chain and further incentivizing threat actors to carry out larger cyberattacks.

CRIL’s monitoring of underground forums observed a 10% increase in data breaches, driven by initial access sales and data leaks, in 2022.

Below is a roundup of notable data breaches observed by CRIL on underground forums:

BidenCash Leaks

There were two leaks by BidenCash, a cybercrime marketplace that sells stolen payment cards. The shop first leaked 1 million credit cards in June 2022 to advertise its marketplace.

Then, in October 2022, BidenCash leaked two datasets of 1.2 million credit and debit card records on a notorious cybercrime forum. Around 13,391 of these cards belonged to customers of prominent Italian banks.
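Attributing leaked cards to a country's banks, as done in the count above, comes down to two steps: discard records whose card number fails the Luhn checksum (dump noise and fakes), then map the leading six digits (the BIN, or issuer identification number) to an issuer and country. The script below is an added example, not code from the Cyble report; the BIN table and every card number in it are constructed test data, and the `pan|expiry|holder` dump layout is an assumption. Real BIN-to-issuer mappings come from the card schemes or a licensed BIN database.

```python
"""Attribute leaked payment-card records to issuers and countries by BIN.

Added example (not from the Cyble report). All card numbers and the BIN table are
constructed test data; they are not real cards or real issuer mappings.
"""
from collections import Counter

# Constructed BIN table: first six digits -> (issuer, ISO country). Fictional mappings.
BIN_TABLE = {
    "453201": ("Banca Esempio", "IT"),
    "520412": ("Banca Campione", "IT"),
    "411111": ("Sample Bank", "US"),
    "371449": ("Example Card Co", "US"),
}

# Constructed dump in the assumed 'pan|expiry|holder' layout. One row has a bad
# Luhn check digit and one row is malformed, to show both kinds of filtering.
SAMPLE_DUMP = """\
# pan|expiry|holder  (constructed test data)
4532010000000016|12/24|MARIO ROSSI
4532010000000024|03/25|GIULIA BIANCHI
5204120000000017|07/23|LUCA VERDI
4111110000000013|11/24|JANE DOE
371449000000018|01/26|JOHN DOE
6011000000000012|05/25|UNKNOWN ISSUER
4532010000000017|09/24|BAD CHECK DIGIT
this row is malformed
"""


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn checksum (rightmost digit is the check)."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four digits; never log a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_dump(text: str) -> list:
    """Parse 'pan|expiry|holder' rows into dicts; comment and malformed rows are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            continue
        pan, expiry, holder = parts
        records.append({"pan": pan, "expiry": expiry, "holder": holder})
    return records


def attribute(records: list):
    """Count Luhn-valid cards per country and per issuer; Luhn-invalid PANs are dropped."""
    by_country, by_issuer, dropped = Counter(), Counter(), 0
    for r in records:
        pan = r["pan"]
        if not luhn_valid(pan):
            dropped += 1
            continue
        issuer, country = BIN_TABLE.get(pan[:6], ("unknown", "??"))
        by_country[country] += 1
        by_issuer[issuer] += 1
    return by_country, by_issuer, dropped


def summarise(text: str) -> dict:
    """End-to-end: parse a dump and return the attribution counts."""
    records = parse_dump(text)
    by_country, by_issuer, dropped = attribute(records)
    return {
        "rows_parsed": len(records),
        "luhn_dropped": dropped,
        "by_country": dict(by_country),
        "by_issuer": dict(by_issuer),
    }


if __name__ == "__main__":
    summary = summarise(SAMPLE_DUMP)
    print(summary)
    for r in parse_dump(SAMPLE_DUMP):
        print(mask_pan(r["pan"]), "valid" if luhn_valid(r["pan"]) else "invalid")
```

Only masked PANs are ever printed; an analyst handling a real dump should treat the full numbers as cardholder data from the moment they are downloaded.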

Automobile Sector Value-Chain Data Breach

As highlighted earlier, Italy-based entities supply various larger organizations worldwide. In one such attack, observed on October 7, 2022, an Italian entity that manufactures and distributes electronic products and software for automotive manufacturing and quality control was allegedly breached.

The attackers allegedly stole nearly 900 GB of supplier data, supposedly impacting the entire value chain of certain renowned automobile manufacturers.

Figure 1 – TA claiming to have compromised an Italian Automobile supplier

MBDA Data Breach

On July 30, 2022, CRIL observed a Threat Actor (TA) advertising the sale of data from the European defense manufacturer MBDA and the Italian Ministry of Defense. The TA claimed to have compromised 60 GB of data from these organizations. The breach is reported to have exposed confidential data belonging to MBDA and to Italian defense programs.

Figure 2 – MBDA data breach announced by a TA on a cybercrime forum

Telecom Data Breaches

In June 2022, we observed a TA selling an exploit for a Local File Disclosure (LFD) vulnerability affecting Vodafone Italia S.p.A. Later, in September, KelvinSecurity, a prominent and nefarious threat actor group, was observed auctioning Vodafone Italia S.p.A. data. However, KelvinSecurity denied using LFD as their exploitation method.

The Vodafone breach exposed several users’ sensitive PII (Personally Identifiable Information), such as ID cards, driving licenses, addresses, phone numbers, email addresses, and dates of birth. The data allegedly comprised 309 GB across 295,969 files, mainly images and documents.

Vodafone Italia S.p.A. acknowledged the breach in November 2022 and attributed it to one of its resellers.

KelvinSecurity was also observed auctioning the data of a Central Italian Internet Service Provider (ISP) in October 2022.

Figure 3 – TA selling data for Central-Italy-based ISP in October 2022

This follows a pattern observed by CRIL, wherein TAs compromise B2B companies and MSPs (Managed Service Providers) to obtain data belonging to their clients, which tend to be larger companies.

In a similar scenario, data that could be attributed to a US-based telecommunications company was observed on a darknet file-sharing service in August 2022. The dataset had several markers identifying it as likely belonging to the telecom.

However, the company denied any responsibility for the leak and neither confirmed nor denied whether it originated from a third party. This raises the question of where accountability for such leaks falls: on the third-party data processor that mishandled the data or on the company that entrusted the data to it, and of how consumers should respond to such events.

Ransomware attacks

CRIL’s ransomware monitoring data indicates that Italy was the third most-targeted country in the European region in 2022, after Germany and France. So far in 2022, the country has suffered 7% more ransomware attacks than in the same period of 2021. Manufacturing and Professional Services were among the worst-hit sectors in 2022.

Figure 4 – Sectoral Impact – Ransomware Attacks 2022

Preventing Future Cyberattacks

CRIL also observed an alarming number of vulnerable instances in Italy that could add to the turmoil. The most notable are:

CVE-2022-32548: Affects several DrayTek Vigor router models used by small and medium-sized organizations. The flaw can allow a remote, unauthenticated attacker to execute arbitrary code and take complete control of a vulnerable device, which can then be leveraged to access the organization’s network and internal resources. Nearly 9,500 such instances exist in Italy.

CVE-2022-40684: An authentication bypass using an alternate path or channel [CWE-288] in FortiOS, FortiProxy, and FortiSwitchManager that may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. Over 5,300 instances are impacted in Italy.

CVE-2021-31206: Microsoft Exchange Server Remote Code Execution Vulnerability.

CVE-2021-26855: A server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. When exploited, it lets an attacker establish HTTPS connections to the server and authenticate, and abuse of CVE-2021-26855 leads to exploitation of CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
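Patching is the fix for every item above, but an administrator of one of the exposed Fortinet devices will also want to know whether the administrative interface was already abused. The script below is an added example, not code from the Cyble report or from Fortinet: it triages FortiOS event logs for configuration changes recorded under user="Local_Process_Access", the log indicator Fortinet published in its advisory for CVE-2022-40684, and raises the severity when the change touches the admin or API-user objects. The log lines are constructed for illustration; the field names follow FortiOS' key=value event log layout, but the device names, addresses and the list of sensitive config paths are assumptions.

```python
"""Triage FortiOS event logs for config changes consistent with CVE-2022-40684 abuse.

Added example (not from the Cyble report or Fortinet). Log lines are constructed;
field names mirror the FortiOS key=value event log format, values are made up.
"""
import re
from dataclasses import dataclass
from typing import Optional

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# ui field looks like https(203.0.113.5) for changes made through the web interface
UI_RE = re.compile(r'^(?P<proto>https?)\((?P<ip>[^)]+)\)$')

INDICATOR_USER = "Local_Process_Access"            # indicator published for CVE-2022-40684
CONFIG_ACTIONS = {"Add", "Edit", "Delete"}          # actions that modify configuration
SENSITIVE_PATHS = ("system.admin", "system.api-user")  # assumed high-value config paths

# Constructed sample: a normal admin login, two changes by the indicator user
# (one to the admin account, one to syslog settings), and a normal admin change.
SAMPLE_LOG = """\
date=2022-10-12 time=09:13:41 devname="FGT-EXAMPLE" devid="FGVMEXAMPLE0001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(203.0.113.5)" action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.5)"
date=2022-10-12 time=09:14:02 devname="FGT-EXAMPLE" devid="FGVMEXAMPLE0001" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="Local_Process_Access" ui="https(198.51.100.23)" action="Edit" cfgpath="system.admin" cfgobj="admin" cfgattr="ssh-public-key1[*]" msg="Edit system.admin admin"
date=2022-10-12 time=09:14:09 devname="FGT-EXAMPLE" devid="FGVMEXAMPLE0001" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="Local_Process_Access" ui="https(198.51.100.23)" action="Edit" cfgpath="log.syslogd.setting" cfgobj="setting" cfgattr="status[disable]" msg="Edit log.syslogd.setting"
date=2022-10-12 time=09:20:15 devname="FGT-EXAMPLE" devid="FGVMEXAMPLE0001" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.5)" action="Edit" cfgpath="system.interface" cfgobj="port1" cfgattr="description[wan]" msg="Edit system.interface port1"
"""


@dataclass
class Finding:
    severity: str
    when: str
    source_ip: str
    cfgpath: str
    reason: str


def parse_fortios_line(line: str) -> dict:
    """Split one FortiOS log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') and raw.endswith('"') else raw
    return fields


def inspect_entry(fields: dict) -> Optional[Finding]:
    """Return a Finding for config changes made under the indicator user, else None."""
    if fields.get("user") != INDICATOR_USER or fields.get("action") not in CONFIG_ACTIONS:
        return None
    when = f"{fields.get('date', '')} {fields.get('time', '')}".strip()
    m = UI_RE.match(fields.get("ui", ""))
    source_ip = m.group("ip") if m else "n/a"      # web-UI changes carry the client address
    cfgpath = fields.get("cfgpath", "")
    if cfgpath.startswith(SENSITIVE_PATHS):
        return Finding("high", when, source_ip, cfgpath,
                       "admin/API credential object changed by Local_Process_Access")
    return Finding("medium", when, source_ip, cfgpath,
                   "configuration changed by Local_Process_Access")


def scan(log_text: str) -> list:
    """Run inspect_entry over every non-empty line and collect findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = inspect_entry(parse_fortios_line(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.when} from {f.source_ip}: {f.cfgpath} ({f.reason})")
```

A hit on the admin object is the case to escalate first: on a device that was exposed while unpatched, the affected credentials and keys should be treated as compromised and the configuration reviewed against a known-good copy, not just the flagged lines.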
