
Modern Threats and Vulnerabilities

02 June 2023

RUSSIAN ANTIVIRUS COMPANY’S EMPLOYEES TARGETED BY HACKERS

On 25 March 2022, the U.S. Government added Russian antivirus company Kaspersky to its Covered List – meaning it deemed the company posed an unacceptable risk to U.S. national security. Yesterday, the company revealed that hackers had targeted its employees via a text messaging scheme. The unidentified hackers sent employees a message that contained a zero-click exploit. https://news.yahoo.com/kaspersky-says-attackers-hacked-staff-172245117.html

ANOTHER FILE TRANSFER TOOL IS BEING LEVERAGED BY HACKERS

Over the past few years, hackers have learned to leverage vulnerabilities within the software supply chain to infiltrate computer networks. Three months ago, a popular file transfer software app’s vulnerability was used by the Clop ransomware crew to hack into 130+ organizations. History is (once again) repeating itself, as another file transfer app’s newly discovered vulnerability is being capitalized on by hackers. The vendor has released a patch to address the flaw – but the race is on between hackers and SysAdmins. https://techcrunch.com/2023/06/02/hackers-launch-another-wave-of-mass-hacks-targeting-companyfile-transfer-tools/

NEARLY 2.5 MILLION PEOPLE AFFECTED BY NEW HEALTHCARE BREACH

Another day, another healthcare network breach is announced. This time, a Massachusetts-based nonprofit healthcare provider is the victim. According to the U.S. Department of Health and Human Services breach portal, the company notified authorities on 24 May 2023 of the breach event. Approximately 2,550,902 individuals are affected by the breach of a network server. Hackers slipped into the server and maintained access within the network between 28 March 2023 and 17 April 2023. https://www.bleepingcomputer.com/news/security/harvard-pilgrim-health-care-ransomware-attack-hits25-million-people/?&web_view=true 

THE NEW/IMPROVED BLACKCAT RANSOMWARE HAS BEEN RELEASED

In November 2021, the BlackCat ransomware crew boldly debuted its impressive ransomware-as-a-service business model. However, its software’s ability to infiltrate networks began dropping by as much as 28% – so it went back to the drawing board to devise something even more devious. That day has come, as the group’s “Sphynx” ransomware is now floating in the wild. Sphynx can live within several popular operating system environments and can better evade detection once it’s hooked into a victim’s network. https://thehackernews.com/2023/06/improved-blackcat-ransomware-strikes.html?&web_view=true

Past Open Source Threats & Vulnerabilities

03 May 2023

MICROSOFT EMAIL ENCRYPTION VULNERABLE TO STRUCTURAL LEAKS

Email security 101 lists encryption of email contents as a best practice – an absolutely true statement that should be embraced whenever possible. However, the security realm is always evolving to offset hackers’ ability to crack algorithms with their always-improving hacking tools. One of the world’s most popular email platforms is under the microscope for its use of an algorithm that NIST says contains a “severe security vulnerability” – an adversary who collects a vast amount of encrypted emails can crack its key. https://www.bankinfosecurity.com/microsoft-email-encryption-vulnerable-to-structural-leaks-a-20262?&web_view=true


RANSOMEXX LEAKS 52GB OF BARCELONA HEALTH CENTERS' DATA

Last week, unnamed hackers penetrated the network defenses of the “Consorci Sanitari Integral”, one of the largest healthcare entities in Barcelona, Spain, which treats over one million patients each year. Hackers leveraged a social engineering attack against an employee, which provided access to the hospital network (presumably via an IT/helpdesk scam). A few days later, the ransomware actor(s) leaked 52GB of data presumably stolen from the hospital’s network. Hospital IT staff are restoring systems from backups. https://www.bankinfosecurity.com/ransomexx-leaks-52-gb-barcelona-health-centers-data-a-20260?&web_view=true


LOCKBIT 3.0 MALWARE FORCED NHS TECH SUPPLIER TO SHUT DOWN SITES

Increasingly, ransomware actors are targeting/breaching companies that provide goods/services to a wider range of entities (i.e. industry, government agencies). This time around, the infamous Lockbit ransomware crew infiltrated the network of a software provider firm that is relied upon by the United Kingdom’s “National Health Service”. The intrusion forced healthcare professionals to revert to typewriters, pens and paper to continue treating British citizens. https://www.theregister.com/2022/10/14/nhs_software_hosting_provider_advanced_ransomware_lockb it/?&web_view=true


BEWARE OF FAKE UPDATE NOTIFICATIONS HITTING YOUR INBOX

Even though every modern operating system (and most applications) can update itself (if you activate automatic updates), ransomware groups have begun targeting home computer users with related scams. The phishing/ransomware campaign (dubbed Magniber) purports to deliver a software update for the victim’s computer if they click an embedded hyperlink. Once clicked, ransomware is promptly installed onto the computer and the extortion ploy is then executed. https://www.zdnet.com/article/this-unusual-ransomware-attack-targets-home-pcs-so-beware/?web_view=true



09 September 2022

WARNING ISSUED FOR IRANIAN HACKING GROUP “PHOSPHORUS”

Phosphorus, also known as “Charming Kitten” and “APT35”, is perhaps best known for its attacks levied against the U.S. presidential campaign in 2019. The state-sponsored group is both technically capable and relentless, with a diverse portfolio of hacking ploys, including social media and smartphone campaigns. Yesterday, the cyber intelligence division within the world’s largest software company issued an alert which documents Phosphorus members moonlighting for personal gain. https://thehackernews.com/2022/09/microsoft-warns-of-ransomware-attacks.html?&web_view=true

 

POPULAR OUTDOOR APPAREL COMPANY HACKED

“Credential Stuffing” has nothing to do with Thanksgiving meals – instead, the term describes a criminal practice of purchasing stolen user credentials (typically from the Dark Web) and then leveraging computer systems to replay the account information against a login page to hack their way into a network. One of America’s most popular outdoor apparel companies recently fell victim to this style of attack, and recently divulged that 194,905 customer accounts had been hacked via the company’s website. https://www.bleepingcomputer.com/news/security/200-000-north-face-accounts-hacked-in-credentialstuffing-attack/?&web_view=true

 

AMERICAN LAPTOP/PRINTER COMPANY ISSUES SECURITY ADVISORY

Perhaps best known for its printers that are a staple of home offices and businesses around the world, the U.S. company appears to have resolved a bug within its ‘Support Assistant’ app, identified as CVE-2022-38395. The bug was identified within a troubleshooting application, typically installed onto a client’s machine as part of the device driver installation suite, which could permit an attacker to escalate their privileges on the system via a DLL hijacking exploit. Users should apply the patch to the ‘Support Assistant’ application to protect their systems from potentially being hacked. https://www.bleepingcomputer.com/news/security/hp-fixes-severe-bug-in-pre-installed-support-assistant-tool/?&web_view=true

 

IOT TESTING/VALIDATION GUIDE RELEASED

As Internet of Things (IoT) devices become increasingly commonplace across government agencies, laboratory spaces and private businesses, ensuring they are safe to integrate into a network environment is problematic at best. An anti-malware non-profit has released a guide to aid with IoT device vetting to minimize risks associated with these sometimes-challenging devices. https://www.securityweek.com/amtso-publishes-guidance-testing-iot-securityproducts?&web_view=true

 


07 September 2022

NEW SOCIAL MEDIA PHISHING CAMPAIGN IDENTIFIED

A hugely popular U.S.-based photo & video sharing social network platform, which boasts 1.2 billion active users, is a frequent target of criminals seeking to make a quick buck. The platform assigns a coveted ‘blue badge’, which signifies the platform has verified the account belongs to a celebrity, company or brand (and therefore is trustworthy). The phishing message claims the recipient’s account is eligible to receive a blue badge by filling out/submitting a (bogus) form.

https://www.bleepingcomputer.com/news/security/thousands-lured-with-blue-badges-in-instagram-phishing-attack


RECENTLY PASSED CHIPS BILL HAS MANUFACTURING “GOTCHA”

The recently passed US Chips and Science Act has several goals in mind: address semiconductor supply chain issues (a national security concern), bring manufacturing jobs back to America and reduce our nation’s reliance on Asian-produced semiconductors. The $50 billion initiative also stipulates that U.S. tech companies that receive federal funding are prohibited from building ‘advanced technology’ facilities inside China for the next 10 years – which could result in pushback from the Chinese government via tariffs on American exports and/or restricting the flow of Chinese goods that reach American docks. https://news.yahoo.com/us-bars-advanced-tech-firms-032226056.html


IRANIAN CYBER ATTACK RESULTS IN POLITICAL DISCORD

Two months ago, the computer network that Albania’s government employees rely on was hacked, with data exfiltrated, ransomware deposited on servers and public services impacted. Forensic examiners dubbed the new ransomware “ROADSWEEP” and linked it to Iranian state-sponsored hackers. Fallout over the event continues – yesterday, Albania announced it will cut diplomatic ties to Iran and has ordered Iran’s diplomats to leave the country within 24 hours. The White House National Security Council also announced that the United States will pursue further action against Iran (NFI). https://news.yahoo.com/albania-cuts-iran-ties-orders-104851580.html


30 August 2022

LIBRARY BOOK DISTRIBUTOR BROUGHT DOWN BY RANSOMWARE

A 190-year-old North Carolina-based company that proclaims to be the world’s largest supplier of library books was recently hit with a ransomware attack that crippled its business. On 23 Aug 2022, the company’s network was taken over by hackers, bringing down its servers, phone lines and service centers. The ransomware actor has yet to be identified; services to 5000+ libraries are currently impacted. https://www.bleepingcomputer.com/news/security/leading-library-services-firm-baker-and-taylor-hit-by-ransomware/?&web_view=true

 

STUDENT LOAN MIDDLEMAN COMPANY IS BLEEDING STUDENT PII

An Oklahoma-based private company which assists students in processing/obtaining student loans is currently dealing with a hacking problem. On 22 July 2022, hackers infiltrated a 3rd party’s network that housed 2,501,324 student records after locating, and then exploiting, a network vulnerability. PII, including students’ SSNs, was exposed. A class action lawsuit is being considered by a law firm. https://www.bleepingcomputer.com/news/security/nelnet-servicing-breach-exposes-data-of-25m-student-loan-accounts/?&web_view=true

 

IMPACT OF MARKETING COMPANY BREACH WAS UNDERESTIMATED

Back on 28 April 2022, a Wisconsin-based company that specializes in custom printing solutions for 3000+ customers was hit by a cyber-attack. Unlike a corner packing/printing store, this one accommodates a vast number of medical and government customers, which made the hack significant. Several states’ Attorney General offices are investigating the data breach, which has swelled to over 2.7 million victims whose medical data was likely compromised.

 

FTC SUES IDAHO COMPANY FOR COLLECTING/SELLING GEODATA

In the 21st century, technology continually tracks consumers’ whereabouts – and cellular phones are amongst the worst offenders thanks to their embedded GPS functionality. Making matters worse are companies that collect, and then sell, this geographic location data, which can expose an American citizen to stalking, potential physical violence and more. The FTC has filed a lawsuit against an Idaho-based company that collects 94 billion geodata transactions per month and sells access to the collected information to other companies via a $27k subscription – which the FTC argues is an invasion of privacy. https://www.bleepingcomputer.com/news/security/us-govt-sues-kochava-for-selling-sensitive-geolocation[1]data/?&web_view=true

 

23 August 2022

Ethernet LEDs Can Be Used to Exfiltrate Data From Air-Gapped Systems

A researcher from the Ben-Gurion University of the Negev in Israel has published a paper describing a method that can be used to silently exfiltrate data from air-gapped systems using the LEDs of various types of networked devices. https://www.securityweek.com/ethernet-leds-can-be-used-exfiltrate-data-air-gapped-systems

 

Indexsinas SMB Worm Campaign Infests Whole Enterprises 

The Indexsinas SMB worm is on the hunt for vulnerable environments to self-propagate into, researchers warned – with a particular focus on the healthcare, hospitality, education and telecommunications sectors. Its end goal is to drop cryptominers on compromised machines. https://threatpost.com/indexsinas-smb-worm-enterprises/167455/?web_view=true

 

 

3 June 2022

INTERNATIONAL EFFORT BRINGS DOWN MOBILE MALWARE GROUP  

An 11-country law enforcement effort recently chalked up a rare win in the cyberwar fight by taking down the FluBot crew. The malware affected an operating system found in millions of smartphones, tablets, IoT devices and other electronics, and was designed to locate/steal stored financial credentials once it infected a device. FluBot was identified as the world’s second most active banking Trojan. https://thehackernews.com/2022/06/flubot-android-spyware-taken-down-by.html

 

COSTA RICA STILL BEING TARGETED BY CYBER-ATTACKS  

The past few weeks have been very problematic for Costa Rica’s computer networks – and hackers have turned their aggression towards the country’s hospitals and clinics. A cyber-attack against the country’s “Costa Rican Social Security Fund” resulted in its digital record-keeping system being taken offline, which immediately rippled across 1200+ medical facilities and thousands of patients. The Costa Rican President had declared a national emergency on 8 May 2022 because of severe cyber-attacks attributed to Conti, a Russian-based hacking crew that pledged to overthrow Costa Rica’s government. https://news.yahoo.com/latest-cyberattack-costa-rica-targets-210813525.html

 

THE DOJ SEIZES THREE MALICIOUS INTERNET DOMAINS  

Last week, the Department of Justice (DOJ) seized three Internet domains that were being used by cybercriminals, via a warrant issued by the District of Columbia. The websites were used to peddle stolen PII and offered DDoS services for hackers to “rent”. One of the online databases possessed over seven billion entries culled from over 10,000 data breaches. https://thehackernews.com/2022/06/doj-seizes-3-web-domains-used-to-sell.html

 

GERMAN AGENCY ISSUES WARNING OF LOOMING CYBER-ATTACKS  

BaFin is Germany’s financial regulatory authority, which falls under Germany’s Federal Ministry of Finance. This past Monday, its leadership issued a cybersecurity warning to the country’s financial institutions, which have experienced an uptick in DDoS attacks that are attributed to Germany’s support of Ukraine. https://news.yahoo.com/1-germany-issues-fresh-warning-151906843.html

 

ISRAELI COMPANY IDENTIFIES SMARTPHONE VULNERABILITY 

Smartphones, like computers, possess firmware chips inside their case which store rudimentary (but vital) code required for the device to function. An Israeli cybersecurity firm has identified an exploitable vulnerability within a smartphone’s modem firmware chip – and millions of devices are affected. The chips are manufactured by UNISOC – a semiconductor company based in Shanghai, China. A security patch is pending release. https://thehackernews.com/2022/06/critical-unisoc-chip-vulnerability.html

 

PORTLAND CITY GOVERNMENT SCAMMED OUT OF $1.4 MILLION 

A cybersecurity breach has proven costly for the city of Portland, OR, which fell victim to a Business Email Compromise (BEC) scam that netted attackers a $1.4 million payday. Last month, the FBI issued an alert regarding BEC scams that have conned businesses out of an astounding $43 billion between June 2016 and December 2021. In this latest incident, cybercriminals compromised a city government email account and ultimately conducted the fraudulent financial transaction. In 2019, Portland’s public school district was scammed out of nearly $2.9 million via a BEC scam. https://therecord.media/cybercriminal-scams-city-of-portland-ore-for-1-4-million/?web_view=true

 

PROOF OF CONCEPT IOT RANSOMWARE MADE PUBLIC

Cybersecurity researchers love to publish proof of concept papers to spotlight their skills – but they can be a double-edged sword, as they can also “steer” cyber-criminals’ attention to an exploit they hadn’t previously considered. Internet of Things (IoT) devices give cybersecurity/IT professionals headaches – primarily because many IoT manufacturers pay little attention to securing the devices. The proof of concept, aptly coined “Ransomware for IoT”, seeks out and then attacks IoT devices to enable the attacker to move laterally across a network. https://thehackernews.com/2022/06/researchers-demonstrate-ransomware-for.html



02 July 2021 

COMPLEX MALWARE WORM TARGETING INFRASTRUCTURE

The Indexsinas worm is particularly complex malware that incorporates code previously stolen from the NSA; it first surfaced in 2019. Hackers are now leveraging the worm with over 1300 attack machines to infiltrate computer networks – favoring the healthcare, hospitality, education and telecommunications sectors. The malware disguises itself when operational by cloning the names one typically sees within the operating system when exploring running processes in memory. Cybersecurity researchers have documented roughly 2000 attacks that leveraged the Indexsinas worm. https://threatpost.com/indexsinas-smb-worm-enterprises/167455/?web_view=true

 

RANSOMWARE AUDIT TOOL RELEASED BY CISA

CISA’s “Cyber Security Evaluation Tool” has been amended to include a new ransomware audit component coined “Ransomware Readiness Assessment”. The tool helps cybersecurity personnel evaluate their computer network’s security posture against ransomware. https://www.bleepingcomputer.com/news/security/cisa-releases-new-ransomware-self-assessment-security-audit-tool/?&web_view=true

 

DHL DELIVERY SCAMS CONTINUE TO REAP PROFIT

DHL, a German parcel delivery company that is widely used to transport packages to/from Europe, continues to be leveraged by cybercriminals for spear phishing and SMS phishing campaigns. Recipients receive an email or SMS text message that is personalized, displays the DHL logo and claims the potential victim is receiving a package but needs to first log into an online account to update the system to ensure delivery – personal information is then requested, which leads to identity theft. Although the current bout of DHL phishing is primarily affecting Malta and England, these scams are quite common in the U.S. – it is a best practice to manually check the status of a shipping number via the shipper’s website. https://timesofmalta.com/articles/view/parcel-delivery-scams-at-least-20-people-a-day-are-falling-victim.879662

 

GERMAN INDUSTRIAL SECTOR EQUIPMENT REQUIRES PATCHING

Weidmueller, a German company specializing in industrial solutions equipment, has issued emergency patches for its wireless LAN equipment, which is popular within the machinery, energy, manufacturing, transportation, and building infrastructure sectors. CISA has previously issued security advisories for Weidmueller’s products. https://www.securityweek.com/weidmueller-patches-dozen-vulnerabilities-industrial-wlan-devices?&web_view=true