The cybersecurity stories below were reported in the last week ending on 5 October 2024.
Headlines
Cyber Cops Stopped 500 Ransomware Hacks Since 2021, DHS Says
A cybercrime-focused division of the US Department of Homeland Security says it has disrupted more than 500 ransomware attacks and seized billions of dollars in cryptocurrency since 2021.
The ongoing effort from Homeland Security Investigations, which investigates cybercrime and illicit transnational activity, involves proactively notifying government agencies, companies and other potential victims that an extortion event is imminent, said Mike Prado, deputy assistant director of HSI’s Cyber Crimes Center. Read the full story.
Five percent of all Adobe Commerce and Magento stores hacked, researchers say
Ray-Ban, National Geographic, Cisco, Whirlpool, and Segway are among the victims of a hacking campaign targeting merchants. The Sansec Forensics Team reported that attackers have already breached 4,275 online stores by exploiting a critical vulnerability affecting Adobe Commerce and Magento software.
Seven distinct threat actors are already profiting from an Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability dubbed “CosmicSting,” which affects unpatched Adobe Commerce and Magento versions. According to NIST, this vulnerability, with a severity score of 9.8 out of 10, results in arbitrary code execution without user interaction when the attacker sends a crafted XML document that references external entities. Read the full story.
Sensitive data on 61K+ patients accessed in Alabama hospital cyberattack
An Alabama hospital is officially informing more than 61,000 patients that their personal data was accessed by a miscreant during a cyberattack in October 2023.
Lawyers representing the 74-bed facility based in Eufaula – the largest city in Barbour County – said in a letter that names, dates of birth, home addresses, health insurance information, medical information, and driver’s licenses or state IDs may have been pored over by the unauthorized intruder.
The information comes after Medical Center Barbour (MCB) filed a data breach notification with Maine’s attorney general on Tuesday, although the details in the sample letter included in that filing were much sparser. Read the full story.
Alaska Corrections contractor denies ACLU claim of ‘massive’ prisoner health data breach
The American Civil Liberties Union of Alaska said that it uncovered a “massive” violation of medical privacy laws by a software company used by the Alaska Department of Corrections. But the software company at the center of the complaint claims that’s “false and misleading,” and that there was no breach of data privacy.
The ACLU asserts that the electronic health record system used by DOC was displaying private health information of dozens of incarcerated Alaskans on a training website since at least November 2023. In a written statement Wednesday, the software company NaphCare said that the health-related information displayed on the training site was fictitious data put there for training purposes. Read the full story.
White House official says insurance companies must stop funding ransomware payments
Insurance companies must stop issuing policies that incentivize making extortion payments in ransomware attacks, a senior White House official said on Friday. Writing an opinion piece in the Financial Times newspaper, Anne Neuberger, the U.S. deputy national security adviser for cyber and emerging technologies, warned that ransomware was “wreaking havoc around the world.”
The call for the practice to end, which was made without any indication the White House was formally proposing to ban the practice, follows the fourth annual International Counter Ransomware Initiative (CRI) summit in the United States this week, where the 68 members of the CRI discussed tackling the problem. Read the full story.
China-Backed APT Group Culling Thai Government Data
An emergent China-aligned threat actor called CeranaKeeper has orchestrated a massive data exfiltration effort across Southeast Asia, most recently launching a barrage of cyberattacks against government institutions of Thailand.
The group has been working since early 2022, according to ESET researchers. CeranaKeeper broke into Thai government systems through a brute-force attack against a local area network domain control server in mid-2023, ESET said. From there the group was able to get privileged access, deploy the Toneshell backdoor and a credential dumping tool, and also abuse a legitimate Avast driver to disable security protections. Read the full story.
Russia Arrests 96 People Tied to US-Disrupted Cryptocurrency Exchanges
Russian authorities this week announced the arrest of 96 individuals for their suspected ties with recently disrupted anonymous cryptocurrency exchanges.
Law enforcement agencies in over a dozen regions across the country conducted 148 searches and seized more than 1.5 billion rubles (roughly $16 million), the Investigative Committee of Russia (ICR) announced. The suspects also owned luxury cars, helicopters, and boats, ICR told media outlets.
The arrested individuals are believed to be linked to the UAPS and Cryptex exchanges, which were disrupted last week by law enforcement in the US and the Netherlands. Read the full story.
OCR Imposes $240,000 HIPAA Fine on Californian Healthcare Provider
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed a $240,000 civil monetary penalty on Providence Medical Institute to resolve potential violations of two provisions of the HIPAA Security Rule. This is the fifth investigation of a ransomware attack to result in a penalty for noncompliance with the HIPAA Rules.
Providence Medical Institute (PMI) is a Californian healthcare provider that acquired a full-scope orthopedic medical service provider – Center for Orthopaedic Specialists (COS) – in July 2016.
PMI planned to fully integrate COS as a PMI unit within 2 years, although the integration was delayed until May 2019. On February 18, 2018, a ransomware group encrypted files on COS systems. The threat actor gained a foothold in the network after an employee responded to a phishing email and disclosed their credentials. Read the full story on HIPAA Journal.
Ransomware crew infects 100+ orgs monthly with new MedusaLocker variant
An extortionist armed with a new variant of MedusaLocker ransomware has infected more than 100 organizations a month since at least 2022, according to Cisco Talos, which recently discovered a “substantial” Windows credential data dump that sheds light on the criminal and their victims.
The miscreant, whom Talos has dubbed “PaidMemes,” uses a recent MedusaLocker variant called “BabyLockerKZ,” and inserts the words “paid_memes” into the malware plus other tools used during the attacks. Read the full story.
Dutch Government Blames a ‘State Actor’ for Hacking a Police Network
A cyberattack that broke into a police account and accessed work-related contact details of all Dutch police officers was almost certainly carried out by hackers working for a foreign government, the justice minister told lawmakers.
Dutch intelligence agencies “consider it highly likely that a state actor is responsible,” Justice and Security Minister David van Weel wrote in a letter to lawmakers on Wednesday night about the breach, which was first revealed last Friday.
The government said last week that the hack did not reveal personal details of police officers beyond their names or details about ongoing investigations. Read the full story.
UK – Sellafield fined £332,500 for cyber security breaches
The company which runs the Sellafield nuclear site has been fined £332,500 for cyber security shortfalls. The nuclear regulator found the Cumbrian facility “persistently” breached security regulations, meaning its IT systems were vulnerable to unauthorised access and loss of data.
Sellafield is one of Europe’s largest industrial complexes, managing more radioactive waste in one place than any other nuclear facility in the world. The company pleaded guilty to three offences in June, relating to its failure to comply with approved security plans to protect sensitive information between 2019 and 2023. Sellafield Ltd was ordered to pay a fine of £332,500, along with prosecution costs of £53,253.20 at Westminster Magistrates Court. Read the full story.
Wayne County, Michigan is dealing with a cyberattack that has shut down all government websites and limited the operations of several offices. Home to Detroit, the county is the largest in the state with more than 1.75 million residents.
County spokesperson Doda Lulgjuraj told Recorded Future News that the investigation into the cyber incident is ongoing.
“Impacted services have been transitioned to backup processes to maintain operations. Barring any unforeseen issues, we expect the county website to be fully operational by the start of business on Friday,” he said. “This will restore access to online property tax payments and property records.” Read the full story.
Thousands of Adobe Commerce e-stores hacked by exploiting the CosmicSting bug
Sansec researchers reported that multiple threat actors have exploited a critical Adobe Commerce vulnerability, tracked as CVE-2024-34102 (aka CosmicSting, CVSS score of 9.8), to compromise more than 4,000 e-stores over the past three months.
The flaw is an Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability that could result in arbitrary code execution. An attacker could exploit this issue by sending a crafted XML document that references external entities. Read the full story.
DOJ, Microsoft seize 107 domains used in Russia’s Star Blizzard phishing attacks
The US Department of Justice and Microsoft have seized 107 websites used by Russian cyberspies in a phishing campaign to steal sensitive information from US government agencies, think tanks, and other victims. According to the DOJ’s warrant [PDF], the 41 seized domains “were used or intended to be used by members of the Callisto Group in an ongoing and sophisticated spear phishing campaign with the goal of gaining unauthorized access to the computers and email accounts of victims, to then steal valuable information and sensitive United States government intelligence.”
“The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials,” US Deputy Attorney General Lisa Monaco said in a statement today announcing the FSB infrastructure disruption. Read the full story.
Investigation continues into Idaho hospital allegedly dealing with data breach
An alleged cyber-security incident at a healthcare institution in Idaho has been ongoing for roughly a month.
Weiser Memorial Hospital (WMH) in Weiser, Idaho, said it has been experiencing issues with its computer systems. The issues were first announced on Sept. 5 in a Facebook post stating the computer systems were down, and some delays could be expected for some services.
WMH provided similar updates in additional Facebook posts on Sept. 6 and Sept. 19, assuring patients they were still working to restore their systems fully.
They initially described the incident as network issues and now say they are still in the process of fully understanding the situation. WMH clarified that the investigation is still ongoing. WMH stated “We are aware that a cyber actor group has claimed responsibility for this incident, and to be in possession of WMH data.” Read the full story.
MI6 and CIA using generative AI to combat tech-driven threat actors
CIA director Bill Burns and UK Secret Intelligence Service (SIS) chief Richard Moore have for the first time penned a joint opinion piece in which the two spookmasters reveal their agencies have adopted generative AI.
“We are now using AI, including generative AI, to enable and improve intelligence activities – from summarization to ideation to helping identify key information in a sea of data,” the pair wrote in the Financial Times. The Ukraine war has highlighted how technology, when deployed alongside traditional weaponry, “can alter the course of war,” according to Moore and Burns. Read the full story.
U.S. CISA adds Ivanti Endpoint Manager (EPM) flaw to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Ivanti Virtual Traffic Manager authentication bypass vulnerability CVE-2024-29824 (CVSS score of 9.6) to its Known Exploited Vulnerabilities (KEV) catalog. In May, Ivanti rolled out security patches to address multiple critical vulnerabilities in the Endpoint Manager (EPM), including CVE-2024-29824.
The vulnerability CVE-2024-29824 is an unspecified SQL Injection issue in the Core server of Ivanti EPM 2022 SU5 and prior. An unauthenticated attacker within the same network could exploit the vulnerability to execute arbitrary code. At the time of its disclosure, the company reported that it was not aware of attacks in the wild exploiting the vulnerability. Read the full story.
Jenkins Patches High-Impact Vulnerabilities in Server and Plugins
Open source CI/CD automation tool Jenkins has released patches for multiple high- and medium-severity vulnerabilities in the server and several plugins. Patches were rolled out for two medium-severity flaws in Jenkins, one leading to the exposure of multi-line secrets and another to creation restriction bypass.
These patches have been released for CVE-2024-47803 and CVE-2024-47804. Apart from these, fixes have been rolled out for vulnerabilities CVE-2024-47805, CVE-2024-47806 and CVE-2024-47807. Read the full story.
As ransomware attacks surge, UK privacy regulator investigating fewer incidents than ever
As ransomware data breaches reach record high levels across the United Kingdom, the number of incidents being investigated by the country’s data protection regulator is dwindling to record lows.
Of the 1,253 incidents reported to the Information Commissioner’s Office (ICO) last year, only 87 were investigated — fewer than 7% — and just 19 of the 440 incidents reported in the first half of this year have been subjected to an investigation, fewer than 5%. Those numbers stand in contrast to data published for 2019 and 2020, when the privacy watchdog investigated more than 99% of the 605 ransomware incidents, probing all but three cases. Read the full story.
UK – PSNI ‘disappointed’ as £750k data breach fine upheld
The Police Service of Northern Ireland (PSNI) has said it is “extremely disappointed” after failing to have a £750,000 fine reduced over last year’s major data breach. It had made representations to the Information Commissioner’s Office (ICO), which first announced the penalty in May.
Chief Constable Jon Boutcher said the fine was “regrettable” given the PSNI’s budget problems. The breach involved accidentally releasing some personal details on all 9,400 officers and staff in August last year. Read the full story.
Evil Corp’s deep ties with Russia and NATO member attacks exposed
The relationship between infamous cybercrime outfit Evil Corp and the Russian state is thought to be extraordinarily close, so close that intelligence officials allegedly ordered the criminals to carry out cyberattacks on NATO members.
That’s according to National Crime Agency (NCA) officials who are close to the ongoing investigation into Evil Corp and its members. Sources claim there were multiple instances in which Russian intelligence services were working directly with Evil Corp members on state-sponsored cyberattacks before the 2019 disruption of the group. Read the full story.
Royal Mail impersonated in Prince ransomware campaign
Companies in the UK and the US have been targeted in a new campaign impersonating the British postal carrier Royal Mail to deliver ransomware that’s freely available on GitHub.
The campaign, discovered by cybersecurity firm Proofpoint in mid-September, was described as “low-volume” but potentially “destructive.” While it affected only a small number of individuals and companies, the campaign used emails that contained a unique PDF attachment impersonating Royal Mail. Read the full story.
CISA’s platform receives 2,400 unique vulnerability disclosures, researchers paid $335K
During its two years of operation, the Vulnerability Disclosure Policy (VDP) Platform, operated by the Cybersecurity and Infrastructure Security Agency (CISA), onboarded 51 agency programs and received over 12,000 submissions for vulnerabilities.
The platform helped to identify over 2,400 unique, valid vulnerability disclosures in 2022 and 2023. Nearly 2,000 of them have been remediated by agencies, according to the new report. Over 3,200 security researchers have participated in the program, and CISA highlighted the most productive ones. ‘Frostb1te’ filed the most valid submissions (104), while the top researcher for the most critical and severe findings was ‘mouka,’ with 51 valid findings. In total, 307 critical and severe vulnerabilities were identified last year. Read the full story.
Data leak hits Latin America’s financial institutions, leads point to fintech app
On May 24th, the Cybernews research team identified seven Azure Blob Storage buckets without proper authentication. The misconfiguration exposed the personal data of nearly 135,000 clients across Latin America to anyone online.
Citizens from the Dominican Republic, Mexico, Ecuador, El Salvador, Bolivia, and Costa Rica are among those impacted, with the majority of victims – nearly 100,000 individuals – being from the Dominican Republic. The leak was linked to Bankingly, a fintech platform that provides web services and mobile applications to financial institutions in Latin America. Read the full story.
Cloudflare reports thwarting the largest-ever publicly disclosed DDoS attack
Content distribution network Cloudflare has reported mitigating the largest distributed denial-of-service (DDoS) attack seen to date. The attack by unknown perpetrators, observed in September, constantly exceeded three terabits per second (Tbps) and peaked at 3.8 Tbps.
Cloudflare described the September attacks as hyper-volumetric, meaning the attackers were focused on the number, or volume, of packets being sent rather than their size. Read the full story.
Legal Battle Brews Over 23andMe’s Customer Data Breach Settlement And Arbitration Claimants
Last year, 23andMe Holding Co. (NASDAQ:ME) said the company learned that a threat actor accessed several individual 23andMe.com accounts through credential stuffing. The data breach occurred in April 2023, and the company learned about the incident in October 2023. The company settled the lawsuits related to the breach for $30 million.
A law firm representing around 5,000 customers of genetic testing company 23andMe has raised objections to a proposed $30 million class action settlement. Read the full story.
Zero-Day Breach at Rackspace Sparks Vendor Blame Game
Enterprise cloud host Rackspace has been hacked via a zero-day flaw in ScienceLogic’s monitoring app, with ScienceLogic shifting the blame to an undocumented vulnerability in a different bundled third-party utility.
The breach, flagged on September 24, was traced back to a zero-day in ScienceLogic’s flagship SL1 software, but a company spokesperson tells SecurityWeek the remote code execution exploit actually hit a “non-ScienceLogic third-party utility that is delivered with the SL1 package.” Read the full story.
Report Provides Insights into the Financial Impact of Cyberattacks
A new report from the cyber-physical systems (CPS) protection company, Claroty, provides insights into the financial impact of cyberattacks and reveals one in four CPS-enabled organizations lost more than $1 million due to cyberattacks in the past 12 months.
45% of surveyed cybersecurity professionals said they suffered losses of $500,000 or more in the past 12 months due to cyberattacks, with 27% suffering losses of $1 million or more. Aside from the ransom payment, the main factors that contributed to the losses were loss of revenue, reported by 39% of organizations, followed by recovery costs (35%), employee overtime (33%), legal costs (31%), and the loss of customers/partners (30%). Read the full story.
‘Patch yesterday’: Zimbra mail servers under siege through RCE vulnerability
“Patch yesterday” is the advice from infosec researchers as the latest critical vulnerability affecting Zimbra mail servers is now being mass-exploited. The remote code execution vulnerability (CVE-2024-45519) was disclosed on September 27, along with a proof of concept (PoC) exploit, and Proofpoint reports that attacks using it began the following day.
According to Project Discovery’s analysis of the issue, the fault lies in Zimbra’s postjournal library and can be attributed to inadequate user input sanitization.
Attackers can, and evidently are, adding bogus CC addresses to emails that spoof Gmail. Instead of legitimate email addresses, CC fields are populated with base64 strings, which are then parsed and executed by Zimbra’s mail servers. Read the full story.
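A defender-side check for the pattern just described, written as an added example rather than Zimbra's code or Proofpoint's detection logic: it parses a raw message, splits the Cc header into entries and flags any entry that is not a plausible mailbox or that carries a base64-looking token. The mailbox regex, the 16-character base64 threshold, the printable-text test and the sample message are all assumptions constructed for illustration.

```python
"""Header check for mail whose Cc field carries base64 blobs instead of
mailboxes, the pattern described for CVE-2024-45519.

Constructed example, not Zimbra's code or Proofpoint's detection logic. The
mailbox regex, the 16-character base64 threshold and the printable-text test
are assumptions chosen for illustration; the sample message is made up.
"""
import base64
import binascii
import email
import re

# Conservative mailbox shape: local@domain.tld with no quotes, spaces or '='.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$")
# Runs of base64 alphabet at least 16 chars long, with optional padding.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def looks_like_base64(token: str) -> bool:
    """True if token is valid base64 that decodes to printable ASCII text."""
    if not BASE64_RE.fullmatch(token):
        return False
    try:
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    # A long plain word (e.g. a long local part) rarely decodes to clean text.
    return bool(decoded) and all(32 <= b < 127 for b in decoded)


def cc_entries(raw: bytes) -> list:
    """Split every Cc header of a raw RFC 5322 message into individual entries."""
    msg = email.message_from_bytes(raw)  # compat32 policy: header values stay raw
    entries = []
    for header in msg.get_all("Cc", []):
        unfolded = " ".join(header.split())  # undo header folding
        for part in unfolded.split(","):
            part = part.strip()
            if not part:
                continue
            angle = re.search(r"<([^>]*)>", part)  # keep only the addr-spec
            entries.append(angle.group(1).strip() if angle else part)
    return entries


def suspicious_cc_entries(raw: bytes) -> list:
    """Return (entry, reason) for Cc entries that are not plausible mailboxes."""
    findings = []
    for entry in cc_entries(raw):
        tokens = re.findall(r"[A-Za-z0-9+/=]+", entry)
        if any(looks_like_base64(t) for t in tokens):
            findings.append((entry, "base64-like token"))
        elif not ADDRESS_RE.match(entry):
            findings.append((entry, "not a mailbox"))
    return findings


# Constructed sample: two ordinary recipients and one quoted local part that is
# the base64 of a harmless string (nothing here is a real payload).
PAYLOAD_B64 = base64.b64encode(b"echo constructed-sample").decode()
SAMPLE_MESSAGE = (
    b"From: sender@example.org\r\n"
    b"To: alice@example.com\r\n"
    b"Cc: securityoperationsteam@example.com,\r\n"
    b' "' + PAYLOAD_B64.encode() + b'"@mail.example.com\r\n'
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"body\r\n"
)

if __name__ == "__main__":
    for entry, reason in suspicious_cc_entries(SAMPLE_MESSAGE):
        print(f"{reason}: {entry}")
```

The long but legitimate local part in the sample is not flagged because it fails base64 padding, which is the point of decoding with validate=True rather than matching on alphabet alone.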
NIST’s security flaw database still backlogged with 17K+ unprocessed bugs.
NIST has made some progress clearing its backlog of security vulnerability reports to process – though it’s not quite on target as hoped.
The US government standards body just blew its self-imposed September 30 deadline to bring the speed at which its National Vulnerability Database (NVD) processes new flaws up to its pre-February rate, following a decline in output this year.
Patrick Garrity of infosec intelligence outfit VulnCheck pored over the CVE-labeled bugs successfully analyzed by the NVD between February 12 and September 21, and reported “mixed” results. Read the full story.
A sanctioned group of hackers working for the North Korean government appears to be continuing its attacks on U.S. organizations, targeting at least three in August. Researchers at Symantec said they found evidence that APT45, also known as Andariel and Stonefly, conducted intrusions at three different organizations just one month after the Justice Department published an indictment of a member of the group.
The Justice Department issued an arrest warrant for Rim Jong Hyok in July for his alleged role in using ransomware against U.S. hospitals and healthcare companies. He is accused of being an alleged member of the Andariel Unit within the country’s intelligence agency, the Reconnaissance General Bureau (RGB). The full group was sanctioned in 2019 by the U.S. Treasury. Read the full story.
DrayTek fixed critical flaws in over 700,000 exposed routers
DrayTek has released security updates for multiple router models to address 14 vulnerabilities of varying severity, including a remote code execution flaw that received the maximum CVSS score of 10. The flaws, which Forescout Research – Vedere Labs discovered, impact both actively supported models and models that have reached end-of-life. However, due to the severity, DrayTek has provided fixes for routers in both categories.
The researchers warned that their scans revealed that approximately 785,000 DrayTek routers might be vulnerable to the newly discovered set of flaws, with over 704,500 having their web interface exposed to the internet. Read the full story.
Russian Cyber Offensive Shifts Focus to Ukraine’s Military Infrastructure
Recent reports from Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) reveal a significant shift in Russian cyber operations against Ukraine in the first half of 2024. The new strategy marks a departure from previous broad-spectrum attacks to a more targeted approach focusing on Ukraine’s military and defence sectors.
According to the SSSCIP’s “Russian Cyber Operations (H1 2024)” report, cyber attacks targeting Ukraine’s defence industries more than doubled from 111 to 276 from the latter half of 2023 to the former half of 2024. This surge reflects a concerted effort by Russian-aligned threat actors to gather intelligence directly related to the ongoing conflict. Read the full story.
Microsoft blocks Windows 11 24H2 on some Intel PCs over BSOD issues
Microsoft is blocking Windows 24H2 upgrades on systems with incompatible Intel Smart Sound Technology (SST) audio drivers due to blue screen of death (BSOD) issues. Intel SST is an integrated audio DSP (Digital Signal Processor) that handles audio, voice, and speech interactions on devices with Intel Core and Intel Atom processors.
The company said in a new entry on the Windows health dashboard that the affected driver “is listed under System Devices in Device Manager and is found with the file name ‘IntcAudioBus.sys’. If this file is version 10.29.0.5152 or 10.30.0.5152, this issue can occur.” Read the full story.
The Community Clinic of Maui warned more than 123,000 people that their information was accessed by hackers during a cyberattack in May. The clinic, also known as Mālama, said the hackers had access to personal data between May 4 and May 7, stealing information including Social Security numbers, passport numbers, financial account numbers with CVV numbers and expiration dates as well as troves of data on medical treatments.
The hackers also stole routing numbers, bank names, financial account numbers and some biometric data. A total of 123,882 were impacted by the attack, which forced the clinic to take servers offline. Read the full story.
Thousands of vulnerabilities were identified and remediated through a government clearinghouse in 2023, according to a new report from the nation’s top cybersecurity agency.
The Cybersecurity and Infrastructure Security Agency (CISA) published its second report on the Vulnerability Disclosure Policy (VDP) Platform, which launched in 2021 as an organized way for federal civilian agencies to take in bug discoveries from researchers and resolve them. CISA said through VDP, it triaged more than 7,000 submissions in 2023 on behalf of 51 federal agencies. Read the full story.
Regulators’ “strong message” over multiple T-Mobile breaches: 14 cents per exposed user
T-Mobile has agreed to pay a fine of over $15 million for a series of data breaches spanning several years. Tens of millions were exposed, pushing down the fine’s value per person to less than a dime and a nickel.
T-Mobile, one of the largest US mobile carriers, agreed to pay $15.75 million to the US Treasury after multiple data breaches between 2021 and 2023 rocked the company and its customers. The Deutsche Telekom-owned brand also agreed to spend a further $15.75 million strengthening its cybersecurity posture to protect against future attacks.
The settlement covers four different incidents, two of which exposed tens of millions of the carrier’s customers. The August 2021 attack exposed 76.6 million T-Mobile customers, while the January 2023 attack revealed details of 37 million individuals. Read the full story.
Australian police seize $6.4 million in crypto in international operation
The Australian Federal Police (AFP) has announced that it seized AUD 9.3 million (USD 6.4 million) following the arrest of the alleged mastermind behind Ghost, an encrypted communication platform used by criminals.
Police stated that they were able to decipher the codes required to access crypto assets after obtaining access to “digital devices” found in the arrested man’s home. The 32-year-old was taken into custody on September 17th and charged with five offenses, including supporting a criminal organization. Read the full story.
Fan forum leaks Miami Dolphins supporters’ private messages
The Cybernews research team has found that FinHeaven, a forum uniting hundreds of thousands of Miami Dolphins fans (DolFans), exposed a database backup with sensitive information about its users. An open and freely accessible web directory revealed data of over 140,000 DolFans.
The backup, created on July 6th, 2024, revealed details such as usernames, dates of birth, email addresses, and private user messages exchanged on the forum. The database also included user passwords. However, passwords were hashed, providing an additional layer of security. Read the full story.
More LockBit Hackers Arrested, Unmasked as Law Enforcement Seizes Servers
Europol, the UK and the US have all issued press releases in addition to the announcements made on the former LockBit sites. Europol announced new law enforcement actions, including the arrest of an alleged LockBit developer at the request of France while he was vacationing outside of Russia, and the arrests of two individuals in the UK for supporting the activity of a LockBit affiliate.
According to government agencies, the LockBit operation hit over 2,500 entities across more than 120 countries. Read the full story.
Police unmask Aleksandr Ryzhenkov as Evil Corp member and LockBit affiliate
Western authorities on Tuesday named Russian national Aleksandr Ryzhenkov as one of the main members of the Evil Corp cybercrime group, as well as identifying him as an affiliate of the LockBit group. The U.S. also charged him with using BitPaymer ransomware.
“Aleksandr Ryzhenkov extorted victim businesses throughout the United States by encrypting their confidential information and holding it for ransom,” said Nicole Argentieri, head of the DOJ’s Criminal Division.
“Addressing the threat from ransomware groups is one of the Criminal Division’s highest priorities. The coordinated actions announced today demonstrate, yet again, that the Justice Department is committed to working with its partners to take an all-tools approach to protecting victims and holding cybercriminals accountable.” Read the full story.
Western authorities link Russian intelligence officer to Evil Corp cybercrime empire
Eduard Benderskiy, a former high-ranking official within the Russian intelligence services, was named and sanctioned by Western authorities on Tuesday in a move describing him as a key enabler and protector for the Evil Corp cybercrime group.
Evil Corp is an organized crime group that was sanctioned and indicted by the U.S. back in 2019. The gang has perpetrated numerous criminal campaigns over the past decade including the GameOverZeus and Dridex banking trojans and botnets. It is believed to have stolen hundreds of millions of dollars from victims worldwide. Read the full story.
Seized LockBit site reappears as Operation Cronos teases new arrests
Global law enforcement has seemingly resurrected the seized dark web leak site of the LockBit ransomware gang once again, teasing new arrests and information. LockBit was seized as part of Operation Cronos in February this year, an international sting led by the National Crime Agency of the UK alongside law enforcement agencies from the US, Germany, Canada, and Australia.
Cyber Daily has observed that LockBit’s seized site now contains new posts, all dated yesterday (30 September 2024), which tease new information about the group. Like the original takedown, law enforcement is using the group’s own site design language and operation against it and has set countdown times for the release of this information, which includes new arrests.
These include “Arrest of a major LockBit actor”, “LockBit linked UK arrests”, “LockBit infrastructure monitored and disrupted”, “the demise of LockBit since February 2024”, and “Member of Evil Corp identified as LockBit affiliate”. Read the full story.
Patelco Credit Union data breach impacted over 1 million people
At the end of June, the American credit union Patelco Credit Union shut down several of its banking systems to contain a ransomware attack. The credit union investigated the security breach and discovered that threat actors first gained access to its systems on May 23, 2024, and exfiltrated a database containing personal information.
The company initially reported to the Maine Attorney General’s Office that the security breach impacted 726,000 customers and employees. The company offered impacted individuals two years of free identity protection services. Patelco Credit Union now provides an update on the incident and discloses that the data breach impacted 1,009,472 people following the July ransomware attack. Read the full story.
North Korean Hackers Attempted To Steal Sensitive Military Data
North Korean hackers conducted a months-long cyberattack targeting a German arms company with the aim of acquiring sensitive information about its military technology. The North Korean hacker group Kimsuky, working for the country’s military intelligence service, employed phishing tactics to distribute spyware-laden fake job offers.
Mandiant’s IT security experts detected the “Kimsuky” hackers targeting specific geographic areas in Germany during the first quarter of 2024. Read the full story.
Google Workspace Announced New Password Policies, What is Changing
Google Workspace will no longer support the sign-in method for third-party apps or devices that require users to share their Google username and password. This method, known as Less Secure Apps (LSAs), poses a security risk by requiring users to share their credentials with third-party apps, potentially allowing unauthorized access.
Instead, Google is encouraging the use of “Sign-In with Google,” which utilizes the more secure OAuth authentication method. Read the full story.
Hackers Exploiting Critical SolarWinds Serv-U Vulnerability In The Wild
GreyNoise Labs researchers recently discovered that hackers had been actively exploiting the SolarWinds Serv-U vulnerability CVE-2024-28995 in the wild. In June 2024, SolarWinds’ “Serv-U” file transfer product was found to have a “critical path-traversal” vulnerability.
This flaw allowed attackers to read arbitrary files by manipulating the “InternalDir” and “InternalFile” parameters in HTTP requests. A honeypot mimicking this vulnerability was deployed to study exploit attempts. Read the full story.
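As an added defender-side example (not code from the article, GreyNoise or SolarWinds), the following Python scans web-server log lines for requests in which the two parameters named above carry a plain or percent-encoded “..” path segment; the combined-log format, the constructed sample lines and the decoding depth are assumptions.

```python
"""Flag requests that push path-traversal segments through the Serv-U
InternalDir / InternalFile parameters (added detection example; the log
format and sample lines below are constructed, not real traffic)."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameters the story names as the ones abused by CVE-2024-28995.
WATCHED_PARAMS = {"internaldir", "internalfile"}

# A ".." segment bounded by a separator or the string edge (after decoding).
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Request part of a combined-format log line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double encodings (%252e) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(target: str) -> bool:
    """True if any watched query parameter contains a '..' path segment."""
    query = urlsplit(target).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        if name.lower() not in WATCHED_PARAMS:
            continue
        # parse_qsl decoded once already; normalise backslashes to slashes.
        value = fully_decode(raw).replace("\\", "/")
        if TRAVERSAL.search(value):
            return True
    return False


def scan_log(lines):
    """Return (line_number, client_ip, request_target) for suspicious requests."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if m and is_traversal_attempt(m.group("target")):
            hits.append((n, line.split(" ", 1)[0], m.group("target")))
    return hits


# Constructed sample lines: the first two are benign, the rest are probes.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Sep/2024:10:01:02 +0000] "GET /?Command=Login HTTP/1.1" 200 512',
    '203.0.113.5 - - [28/Sep/2024:10:01:09 +0000] "GET /?InternalDir=/Client/Common&InternalFile=Logo.png HTTP/1.1" 200 4096',
    '198.51.100.7 - - [28/Sep/2024:10:02:33 +0000] "GET /?InternalDir=/../../../../&InternalFile=notes.txt HTTP/1.1" 200 1024',
    '198.51.100.7 - - [28/Sep/2024:10:02:41 +0000] "GET /?InternalDir=%2e%2e%5c%2e%2e%5c&InternalFile=x HTTP/1.1" 200 2048',
    '198.51.100.9 - - [28/Sep/2024:10:03:00 +0000] "GET /?InternalDir=%252e%252e%252f&InternalFile=x HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line_no, ip, target in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: possible CVE-2024-28995 probe from {ip}: {target}")
```

A 200 status on a flagged request is the signal worth escalating, since the honeypot study above implies the parameters are being probed broadly and a successful read returns file content rather than an error.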
UAE, Saudi Arabia Become Plum Cyberattack Targets
Cyberattackers and hacktivists are increasingly targeting the United Arab Emirates, the Kingdom of Saudi Arabia, and other nations in the Gulf Cooperative Council (GCC) region.
That’s according to 18 months of Dark Web data compiled by Moscow-based threat research firm Positive Technologies. The report stated that in the first half of the year, the number of distributed denial-of-service (DDoS) attacks in the region rose 70%, compared with the same period in the previous year. Both Saudi Arabia and the UAE topped the chart of targeted nations in a March analysis of two years of attacks in the region. The UAE alone faces an average of 50,000 cyberattacks every day. Read the full story.
Verizon outage: Network now ‘fully restored’
Verizon has restored its cellular network after an outage Monday left tens of thousands of customers unable to make calls, send texts or access mobile data.
“Verizon engineers have fully restored today’s network disruption that impacted some customers. Service has returned to normal levels. If you are still having issues, we recommend restarting your device,” the company said in a statement late Monday. “We know how much people rely on Verizon and apologize for any inconvenience.” Read the full story.
Rackspace internal monitoring web servers hit by zero-day
Rackspace has told customers intruders exploited a zero-day bug in a third-party application it was using, and abused that vulnerability to break into its internal performance monitoring environment. That intrusion forced the cloud-hosting outfit to temporarily take its monitoring dashboard offline for customers.
Rackspace uses a ScienceLogic-powered monitoring dashboard on its internal servers. Abusing the zero-day vulnerability in ScienceLogic gave the criminals access to three of Rackspace’s internal monitoring web servers, “and some limited monitoring information,” a Rackspace spokesperson stated.
Customers could not access their monitoring dashboards during the incident. There was no further impact on other services provided by Rackspace. Read the full story.
JPCERT shares Windows Event Log tips to detect ransomware attacks
Japan’s Computer Emergency Response Center (JPCERT/CC) has shared tips on detecting different ransomware gangs’ attacks based on entries in Windows Event Logs, providing timely detection of ongoing attacks before they spread too far into a network. JPCERT/CC says the technique can be valuable when responding to ransomware attacks, and that identifying the attack vector among the various possibilities is crucial for timely mitigation.
JPCERT/CC notes that older ransomware strains such as WannaCry and Petya did not leave traces in Windows logs, but the situation has changed with modern malware, so the technique is now considered effective. Read the full story.
Only 2% of Firms Have Full Cyber Resilience
The average cost of a data breach now exceeds £2 million, but only 2% of businesses have implemented firm-wide cyber resilience, according to PwC. The survey, polling over 4,000 business and tech executives across 77 countries and territories, revealed that just 2% of companies have adopted cyber resilience throughout their organisation. That’s despite 66% of tech leaders identifying cyber-attacks as the top risk to mitigate in the coming year.
Although many CEOs and executives understand the importance of evaluating cyber risks, fewer than half are doing so effectively. Only 15% are measuring the financial impact of these risks, despite the average cost of a data breach rising to $3.3 million (£2.47 million). Read the full story.
Critical printing system bugs affect hundreds of thousands of Linux machines
Linux systems running the CUPS (Common Unix Printing System) printing system are vulnerable to a critical flaw enabling attackers to execute code remotely. Some initial assessments indicated a severity score of 9.9 out of 10. NIST’s National Vulnerability Database assigned scores ranging from 8.6 to 9 out of 10.
Security researcher Simone Margaritelli warns that at least 200,000 to 300,000 unique Internet-facing systems could become targets. The CUPS components are widespread, and the vulnerabilities affect most GNU/Linux distributions and some other UNIX systems. Read the full story.
Mozilla Faces GDPR Complaint Over New Firefox Tracking Feature
The European Center for Digital Rights (NOYB) based in Vienna, Austria has lodged a formal complaint against Mozilla, accusing the company of turning its Firefox browser into a “tracking tool” through the introduction of a privacy feature known as Privacy Preserving Attribution (PPA).
The advocacy group claims that PPA effectively turns Firefox into a tool that enables tracking, simply moving the data collection from websites to the browser itself. According to NOYB’s report, the PPA feature violates users’ rights under the European Union’s General Data Protection Regulation (GDPR), as it involves data processing without obtaining explicit user consent. Read the full story.
digiDirect Australia suffers data breach
Melbourne-based digiDirect has been targeted in a purported data breach. A Breach Forums user ‘Tanaka’ has claimed to have breached the personal information of 304,000 customers. It remains unclear whether the breach affects any of the customers’ financial information. The company has yet to confirm the data breach. Read the full story.
Hacker charged for breaching 5 companies for insider trading
The U.S. Securities and Exchange Commission (SEC) charged Robert B. Westbrook, a U.K. citizen, with hacking into the computer systems of five U.S. public companies to access confidential earnings information and conduct insider trading.
Westbrook then used this nonpublic information to make trades ahead of 14 earnings announcements between January 2019 and August 2020, earning approximately $3,750,000 in illicit profits. Read the full story.
T-Mobile to pay $31.5 million to resolve data breach charges
T-Mobile will pay $31.5 million to the Federal Communications Commission to settle claims over multiple data breaches reported in 2021, 2022, and 2023. The company has agreed to spend half of the settlement amount on improving its cybersecurity infrastructure. Read the full story.
Verizon outage: iPhones, Android devices stuck in SOS mode
A widespread Verizon outage is causing iPhones and Android devices to enter SOS mode, preventing them from making mobile calls unless they use WiFi calling. The Verizon wireless outage started at approximately 9:30 AM ET, with the outage tracking site Downdetector reporting that approximately 100,000 users are impacted by the issue.
When a phone enters SOS mode, it means it cannot connect to a cellular network and only allows the making of emergency calls. Read the full story.
Ransomware attack continues at UMC hospital in Lubbock
University Medical Center was still experiencing an IT outage Sunday caused by a ransomware attack, which was blamed for forcing the hospital to divert patients to other local hospitals and clinics since last Thursday. The ransomware attack was first reported on Thursday morning, and according to UMC’s websites, it is still impacting hospital operations.
UMC Health System reported that the attack “affected multiple systems” and “affected its phone system, and it has not been possible to view messages in the patient portal.” The website reads, “out of an abundance of caution, we are temporarily diverting incoming emergency and non-emergency patients via ambulance to nearby health facilities until we restore access to our systems.” Read the full story.
Pennsylvania’s amendments to data breach notification law take effect
The Commonwealth of Pennsylvania has amended its Breach of Personal Information Notification Act. The amendments, available here (2024 Act 33 – PA General Assembly, state.pa.us), took effect last week, on September 26.
These amendments bring the Pennsylvania statute into line with other state data breach statutes. However, Pennsylvania’s inclusion of driver’s license, state identification number, and bank account numbers as elements of personal information that require credit monitoring is unique. Along with the amendments to the statute, the Office of the Attorney General has established a new online reporting portal. Read the full story.
China to roll out cybersecurity rules covering generative AI
China will implement a string of new cybersecurity rules next year, authorities announced Monday, placing an emphasis on national security and requiring companies providing generative artificial intelligence services to add extra data protection.
Under the new rules, companies that provide services related to generative AI must enhance their training in data processing and other areas. They are also required to take steps to prepare for data breach risks. Non-Chinese operators must establish data processing centers within China if they handle personal data originating from the country. Read the full story.
Israeli army hacked the communication network of the Beirut Airport control tower
The Israeli cyber army on Saturday hacked into the control tower of Beirut Airport, the Rafic Hariri International Airport. The IDF breached the communication network of the control tower and threatened an Iranian civilian plane attempting to land, reported the Middle East Monitor website.
Lebanon’s Transport Minister, Ali Hamieh, told the Lebanese newspaper “An-Nahar” that Israel’s IDF intercepted the airport’s control tower radio, threatening to attack the infrastructure if the Iranian plane landed. Read the full story.
MoneyGram under investigation by ICO following data breach
UK data protection regulator the Information Commissioner’s Office (ICO) has launched an investigation into MoneyGram International, the world’s second-largest money transfer provider, following a data breach reported by the company.
The ICO’s investigation will focus on determining the nature of the breach, the extent of the data compromised, and whether MoneyGram has complied with data protection laws. The regulator has the power to impose significant fines on companies that fail to protect customer data. Read the full story.
Hawaii Health Center Discloses Data Breach After Ransomware Attack
The Community Clinic of Maui in Hawaii, a nonprofit healthcare organization doing business as Malama I Ke Ola Health Center, informed authorities in the US last week that a cyberattack suffered earlier this year has resulted in a data breach impacting over 120,000 individuals. In May, the Community Clinic of Maui had been breached by LockBit.
The organization last week finally published a data breach notice on its website, informing customers that it detected a cybersecurity incident on May 7 and later determined that the attackers may have stolen personal data between May 4 and May 7. Read the full story.
KB5043145 causing boot loops on Windows 11
The preview update KB5043145 for Windows 11 versions 22H2 and 23H2 was released on 26 September 2024. After installing KB5043145, some administrators and Windows 11 users have reported indefinite restart loops. Some users have also reported blue or green screens on Windows 11 computers. Read the full story.
FBI warns of sophisticated Iranian hackers
The FBI has released an advisory about protecting personal accounts from sophisticated Iranian hackers. The advisory includes proposed enterprise-level mitigation measures, such as user training, email security controls, and multi-factor authentication. Senior officials, current or former, journalists, activists, lobbyists, and senior think tank personnel are all targets of cyber threat actors working on behalf of the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). Read the summary.
French News Agency AFP experiences a cyber incident
The French News Agency AFP has been hit by a cyber attack. The news agency confirmed the attack was detected on Friday and the technical team is looking into the issue. The operations remain unaffected as the news agency’s newsroom services continue to be conducted normally. Read the full story.
10 lessons from the ransomware attack on the British Library
The British Library experienced a ransomware attack in October 2023. Over 600 GB of data was exfiltrated from the British Library network by the Rhysida ransomware operator. The British Library did not pay the ransom, and 90 percent of the data was dumped online by the threat actor. Read about the lessons learned from this ransomware attack. Read the summary.
Cameroon’s pension fund downplays ransomware attack
Cameroon’s National Social Insurance Fund, CNPS, suffered a ransomware attack this month. The threat actor Storm Bears had given the fund 10 days to meet its ransom demands. However, the Director General of the CNPS has stated that the CNPS information systems are operating normally. Read the summary.
California Governor Vetoes Bill to Create AI Safety Measures
California Gov. Gavin Newsom on Sunday vetoed a landmark bill aimed at establishing first-in-the-nation safety measures for large artificial intelligence models. The proposal, which drew fierce opposition from startups, tech giants and several Democratic House members, could have hurt the homegrown industry by establishing rigid requirements, Newsom said. Read the summary.
WordPress – CVSS 10 vulnerability in GiveWP Plugin
CVE-2024-8353 is a CVSS 10 CRITICAL vulnerability reported on 27 September 2024. The vulnerability affects the GiveWP Plugin, which is deployed on over 100,000 WordPress sites. The threat is a PHP object injection flaw that affects versions 3.16.1 and older of the GiveWP Plugin. A fix is available in GiveWP’s latest release, version 3.16.2. Read the full story.
Google’s Gemini for Workspace Vulnerable to Prompt Injection Attacks
A recent investigation has revealed that Google’s Gemini for Workspace, a versatile AI assistant integrated across various Google products, is susceptible to indirect prompt injection attacks. Gemini for Workspace is designed to boost productivity by integrating AI-powered tools into Google products such as Gmail, Google Slides, and Google Drive.
However, Hidden Layer researchers have demonstrated through detailed proof-of-concept examples that attackers can exploit indirect prompt injection vulnerabilities to compromise the integrity of the responses generated by the target Gemini instance. Read the full story.
A U.K. national is facing charges for allegedly hacking into five public companies and stealing information about corporate earnings that helped him net about $3.75 million from stock trades. Robert Westbrook, 39, was arrested in the U.K. this week, according to the Justice Department.
He is accused of breaking into the companies’ systems between January 2019 and August 2020 and stealing information ahead of 14 different earnings announcements. He allegedly broke into the systems by resetting the passwords of Office365 email accounts owned by senior-level executives, according to a corresponding civil filing by the Securities and Exchange Commission (SEC). Read the full story.
US charges three Iranians allegedly behind Trump campaign hack
The Justice Department on Friday unsealed indictments of Seyyed Ali Aghamiri, Yasar Balaghi, and Masoud Jalili — three alleged hackers believed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC).
The indictment covers their activities from 2020 to September 2024, alleging that in addition to hacking and stealing documents from Trump’s campaign, they targeted current and former U.S. officials and members of the U.S. media “all in an attempt… to undermine our democracy,” FBI Director Christopher Wray said. Read the full story.
NIST Recommends New Rules for Password Security
The National Institute of Standards and Technology (NIST) has released updated guidelines for password security, marking a significant shift from traditional password practices.
NIST no longer recommends enforcing arbitrary password complexity requirements such as mixing uppercase and lowercase letters, numbers, and special characters. Instead, the focus has shifted to password length as the primary factor in password strength.
NIST now recommends a minimum password length of 8 characters, with a strong preference for even longer passwords. Organizations are advised to allow passwords up to at least 64 characters to accommodate passphrases. Read the full story.