News Items

Western Digital recently confirmed that cybercriminals have stolen customer and other information after breaching its systems. According to the digital storage giant, a security breach was discovered on March 26. The company noted that it shut down some services in early April as part of its incident response activities and informed customers about a cyberattack. However, it did not share any updates until May 5. Western Digital's second public statement comes just days after a ransomware group known as Alphv/BlackCat started publishing screenshots showing the extent of their access. The screenshots appear to show video calls, emails, and internal documents discussing the cyberattack, as well as internal tools, invoices, and confidential communications. The adversaries have threatened to make public customers' personal information, firmware, code signing certificates, and intellectual property if they do not pay up. In the statement issued on Friday, WD confirmed that the hackers accessed a database associated with its online store that contained customers' personal information, including names, billing and shipping addresses, phone numbers, email addresses, hashed and salted passwords, and partial credit card numbers. The impacted online store is expected to be restored in the week of May 15. The My Cloud service, which was also shut down following the hack, was restored in mid-April. The company said it's still investigating the validity of the other data made public by the ransomware group.

SecurityWeek reports: "Western Digital Confirms Ransomware Group Stole Customer Information"

The Alphv/BlackCat ransomware group has recently claimed responsibility for a cyberattack that Canadian software company Constellation Software disclosed last week. Toronto-based Constellation Software is a company specializing in the acquisition of vertical market software firms. On May 4, Constellation Software revealed that it fell victim to a cyberattack that impacted "a limited number of its IT infrastructure systems." The attack occurred on April 3, 2023. According to the company, the compromised systems were "related to internal financial reporting and related data storage by the operating groups and businesses of Constellation." The company noted that the attack did not impact the IT systems of its operating groups and businesses and did not affect its business operations. The company says that a limited amount of personal information was compromised during the incident, along with a limited amount of business partner data. The Alphv/BlackCat ransomware gang last week posted on its leak site an entry about the incident, claiming to have stolen over one terabyte of data from the company. The company has not shared information on the number of potentially impacted individuals.

SecurityWeek reports: "Ransomware Group Claims Attack on Constellation Software"

CyberGhost VPN, a popular provider of Virtual Private Network (VPN) solutions, has patched a recently discovered command injection vulnerability that left Windows users' systems exposed to potential compromise. The difficulty with which the researcher who discovered the vulnerability disclosed it also adds intrigue to the bug's discovery. Ceri Coburn of the UK-based security research company Pen Test Partners found that the CyberGhost VPN client is vulnerable to an elevation of privilege flaw, stating the vulnerability affects roughly 3 million CyberGhost customers. The latest 8.3.10.10015 version of CyberGhost, released on February 24, 2023, addresses this issue. It is unknown if the patch was pushed to endpoints operating previous versions of the software or if customers must manually update instances of the software. According to Coburn, a specially crafted JSON payload sent to the CyberGhost Remote Procedure Call (RPC) service can lead to command line injection when the OpenVPN process is launched, resulting in full system compromise. This article continues to discuss the command injection vulnerability patched by CyberGhost VPN.

SC Magazine reports "CyberGhost VPN Patches Command Injection Vulnerability"

Healthcare solutions provider NextGen Healthcare has recently started informing roughly one million individuals that their personal information was compromised in a data breach. The company makes and sells electronic health records software and provides doctors and medical professionals with practice management services. NextGen Healthcare first identified suspicious activity on its systems on March 30, 2023. The investigation launched into the matter revealed that an unauthorized party had access to those systems between March 29 and April 14, 2023. The company noted that during that time, the attackers accessed personal information such as names, addresses, birth dates, and Social Security numbers. The company says it has no evidence that the unauthorized party had access to health or medical records and data. NextGen Healthcare noted that the attackers accessed its database using "client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen." The company stated that it reset passwords to contain the incident and informed law enforcement of the breach, and has been working with them throughout the investigation.

SecurityWeek reports: "1 Million Impacted by Data Breach at NextGen Healthcare"

In 2021, a ransomware attack on Colonial Pipeline made news worldwide. Since then, the Biden-Harris Administration has taken significant steps in US cyber defense, leveraging the strength of the US government to address the full spectrum of the threat. The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) has made efforts to improve resilience across the nation's critical infrastructure. Recognizing the need for organizations to have easy access to actionable and timely cybersecurity information, CISA created a website resource to serve as a hub for warnings and guidance for businesses and individuals. As only cohesive cross-government collaboration can scale to meet the threat, CISA formed the Joint Ransomware Task Force (JRTF) with its FBI partners to coordinate the federal government's response to the ransomware outbreak. Due to the need to bring industry, government, and internal partners together and break down siloes that create gaps for the adversary, CISA established the Joint Cyber Defense Collaborative (JCDC). This concept stemmed from the US Cyberspace Solarium Commission, catalyzing a community of experts on the front lines of cyber defense, from across the public and private sectors, to share insights and information in real-time. This article continues to discuss lessons learned from the cyberattack on Colonial Pipeline and what CISA has done to help combat the ransomware threat.

CISA reports "The Attack on Colonial Pipeline: What We've Learned & What We've Done Over the Past Two Years"

Cactus, a new ransomware operation, has been exploiting Virtual Private Network (VPN) appliance vulnerabilities to gain initial access to the networks of "large commercial entities." The Cactus ransomware operation has been active since at least March and seeks significant payments from its victims. Although the new threat actor used the standard ransomware techniques of file-encrypting and data theft, it added a unique twist to avoid detection. Researchers at the corporate investigation and risk consulting company Kroll suspect that Cactus exploits known vulnerabilities in Fortinet VPN appliances to gain initial access to victim networks. The assessment is based on the observation that the hacker pivoted inside from a VPN server using a VPN service account in all incidents observed. Cactus is different from other operations because of its use of encryption to protect the ransomware binary. The threat actor behind Cactus uses a batch script to get the encryptor binary using 7-Zip. The original ZIP archive is removed, and the binary is launched with a specific execution flag. This article continues to discuss researchers' findings regarding the new Cactus ransomware operation.

Bleeping Computer reports "New Cactus Ransomware Encrypts Itself to Evade Antivirus"

Experts warn that efforts to counter the potentially crippling ransomware threat to US critical infrastructure have been insufficient. The cyberattack on Colonial Pipeline's Information Technology (IT) infrastructure caused it to cease operations for the first time, resulting in a fuel shortage and price increases that prompted four East Coast states to declare a state of emergency. The incident elevated ransomware to a threat to national security and called for coordinated action throughout the government. Since the attack and a following one on JBS that threatened domestic meat shortages, the US government has stated that it will treat ransomware attacks on critical infrastructure as acts of terrorism. Just days after the attack on the Colonial Pipeline, President Biden signed an Executive Order mandating new security requirements for critical infrastructure organizations. There have also been numerous federal and regulatory initiatives to strengthen the resilience of US critical infrastructure against attacks. However, the ransomware threat to critical infrastructure remains elevated, as demonstrated by a recent attack on Americold, the largest cold-storage provider in the US. Similar to the attack on Colonial Pipeline, the attack forced Americold to stop cold-storage operations while it worked to address the threat. 870 of the 2,385 ransomware complaints received by the FBI in 2017 were from critical infrastructure organizations. According to FBI data, 14 of the 16 designated critical infrastructure sectors had at least one victim of ransomware. This article continues to discuss US critical infrastructure still not being ready for ransomware attacks.

Dark Reading reports "2 Years After Colonial Pipeline, US Critical Infrastructure Still Not Ready for Ransomware"

Data sharing is an essential component of ransomware defense. However, a new report shows that private sector organizations, governments, and cryptocurrency entities still need to cooperate to share information about security events. The Ransomware Task Force (RTF) of the Institute for Security and Technology, a coalition of over 60 industry, government, and law enforcement experts, recently posted an update on the progress made regarding the 48 recommendations they made in 2021 for disrupting the ransomware threat ecosystem. Several victories were highlighted in the report. As of May, 92 percent of the 48 suggestions had resulted in some action, with around half having made "significant progress" in the form of policy implementation. According to the RTF, there have been increasing public-private partnerships and government collaboration in order to carry out investigations against ransomware operators. At the same time, the US government is engaged in different cryptocurrency regulations, with recent sanctions of exchanges and mixers involved in ransomware operations. While there has been progress in cyber incident reporting, RTF stated that the industry still lacks a complete understanding of the scope, scale, and effects of ransomware attacks. As the ecosystem evolves, governments must continue to collect and process incident data, work to create target decks of ransomware developers, criminal affiliates, and ransomware variants, as well as share information with relevant stakeholders promptly. This article continues to discuss the RTF and the importance of data sharing in defending against ransomware.

Decipher reports "Ransomware Task Force: Data Sharing Needed to 'Build a Clear Picture'"

On May 3, Google launched passkeys for user accounts to provide secure access to its services without the need for passwords. Passkeys are intended to eventually replace passwords because they are regarded as a more secure authentication technique. The method allows users to sign into apps and websites with the same authentication they use to unlock devices (e.g., facial scan, fingerprint, or PIN). Since the transition to passwordless authentication will take time, passwords and two-step verification (2SV) will continue to work on Google accounts for now. Administrators of Google Workspace accounts will be able to enable passkeys for end-users at sign-on. Last year, Google revealed plans to roll out passkeys in partnership with the FIDO Alliance, Apple, and Microsoft. The passkey project aimed to integrate the authentication technique into Chrome and Android, as well as services such as Docusign, Kayak, PayPal, Shopify, and Yahoo! Japan. According to Christiaan Brand, the passkey project lead and Google's identity and security product manager, the goal of passkeys is to mirror the way everyone uses transport layer encryption. This article continues to discuss Google's introduction of passkey authentication for its user accounts to access its platforms without using passwords.

SC Media reports "Google Adds Passkeys for User Accounts; 'Passwords Are Dead,' Official Says"

United HealthCare recently made customers aware of a data breach, which temporarily allowed access to personal information for those enrolled in the company's healthcare plans. According to the company, "suspicious activity" was noticed on the UHC mobile application "that may have led to the disclosure of member information." The company says the breach happened between February 19 and February 25, and it was determined on April 10 that some member information was impacted. They believe that information including members' first and last names, health insurance member identification numbers, dates of birth, addresses, dates of service, provider names, claim information, and group name and number may have been available. The company noted that this incident did not involve the disclosure of Social Security numbers or driver's license numbers. Members who had their information impacted were contacted directly by UHS via mail. The company explained that upon discovery, they took prompt action to investigate the matter. The portal account for members was locked to prevent any further access, and they initiated a forced password reset. During the investigation, the company determined that the application was the target of a credential stuffing attack. The company noted that they have no evidence that member login credentials used during the attack were accessed or obtained from any UnitedHealthcare system.

CBS Los Angeles reports: "United HealthCare Reports Data Breach That May Have Revealed Customers' Personal Information"

A bipartisan pair of senators have reintroduced legislation that would require the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) to provide streamlined information and resources to commercial satellite owners and operators to help them better defend against cyberattacks on their systems. The bill aims to improve commercial satellite digital security by offering stronger strategies and suggestions for protecting critical operations from attacks. The Satellite Cybersecurity Act would require CISA to unify voluntary satellite cybersecurity guidelines, including guidance targeted for small businesses, to help companies understand how to better secure their systems. The agency would be expected to create "a publicly available, online resource" that gives commercial satellite owners and operators access to "satellite-specific cybersecurity resources and recommendations to secure their networks." In recent years, US officials have warned of the growing cyber threat that hostile nation-states pose to the operations of critical commercial and government satellites. For example, Russian hackers launched a cyberattack against a satellite broadband service used by the Ukrainian military as part of an effort to disrupt their communications networks. This article continues to discuss the bipartisan proposal that directs CISA to provide commercial satellite owners and operators with more resources and recommendations to improve their cyber protections.

NextGov reports "Lawmakers Reintroduce Legislation to Bolster Satellite Cybersecurity"

The Ponemon Institute surveyed organizations in North America, Europe, the Middle East, Africa, and Asia-Pacific for its new report on insider threats. Researchers interviewed 1,004 Information Technology (IT) and IT security professionals from 278 organizations that experienced at least one insider-caused incident. In 2022, the total number of insider-led cyber incidents was 6,803, with an average annual cost of $15.4 million. The company with the greatest number of reported insider incidents was 46. In addition, 67 percent of businesses experienced 21 to over 40 incidents annually. According to a report by Verizon, about 200 million records have been compromised by external threats. In cases involving an insider actor, the number of exposed records exceeds one billion. The Ponemon report categorizes insider threats as negligent, malicious, and credential. Insider threats have increased in all three threat categories, but those resulting from employee negligence are the most prevalent. According to the study, more than half of the incidents reported in the survey were due to negligence. The average annual cost of negligent breaches was $6.6 million. This article continues to discuss new findings and observations regarding insider threats.

Security Intelligence reports "Insider Hacks Exfiltrate Five Times As Many Records"

A researcher has found that the London-based outsourcing company Capita left a large amount of data exposed online for seven years, just weeks after the company admitted to having experienced a data breach that could have affected customer information. The unprotected Amazon-hosted storage container discovered by a security researcher has now been secured by Capita. According to the researcher, the AWS bucket had been exposed to the Internet since 2016 and contained about 3,000 files estimated to be 655 GB in total size. The lack of a password on the bucket enabled anyone with the easy-to-guess web address to access the files. GrayHatWarfare, a searchable database that indexes publicly accessible cloud storage, also captured the exposed cloud server's information. According to a sample of filenames reviewed by TechCrunch, the exposed data included software files, server images, and a multitude of Excel spreadsheets, PowerPoint presentations, and text files. The security researcher told TechCrunch that one of the text files contained login credentials for one of Capita's systems, as well as filenames indicating that data was uploaded to the exposed container as recently as this year. This article continues to discuss the discovery of data exposed by Capita.

TechCrunch reports "Security Researcher Finds Trove of Capita Data Exposed Online"

Fleckpe, a new Android subscription malware, has been downloaded over 620,000 times. According to researchers, Fleckpe is now among other infamous Android spyware, such as Jocker and Harly, that enrolls users in premium services to generate illegal payments. Threat actors profit from illicit subscriptions by receiving a portion of the premium services' monthly or one-time membership payments. Most of Fleckpe's victims are in Thailand, Malaysia, Indonesia, Singapore, and Poland. Eleven Fleckpe Trojan apps masquerading as image editors, photo libraries, and premium wallpapers were discovered on Google Play. The malicious apps demand access to notification content in order to get subscription confirmation codes for various premium services. When a Fleckpe app is launched, a payload containing malicious code is decoded and executed. This payload sends the Mobile Country Code (MCC) and Mobile Network Code (MNC) of the newly infected device, along with other basic information, to the threat actor's command-and-control (C2) server. Then, in an unnoticed web browser window, the malware visits the URL supplied by the C2 and registers the victim for a premium service. If a confirmation code is needed to finalize the subscription, the malware will retrieve it from the device's notifications and insert it on the hidden screen. The app provides users with the advertised functionality while concealing malicious intent and reducing the likelihood of suspicion. This article continues to discuss findings regarding the new Android subscription malware Fleckpe.

CyberIntelMag reports "Google Play Witnessed 600K Installations of New Android Malware Fleckpe"

Researchers have discovered leaked firmware image signing keys and Intel Boot Guard keys for MSI products. According to Alex Matrosov, CEO of the firmware supply chain security platform Binarly, the leaked firmware keys impact 57 MSI products, while the leaked Boot Guard keys affect 166 MSI products. Firmware image signing keys are an integral component of the hardware's security infrastructure. The keys provide trust that the firmware is authentic and has not been modified by anyone other than the software developer or device manufacturer. Similarly, Intel Boot Guard is a processor safeguard that prevents the computer from executing firmware images that the system manufacturer has not published. Exposure of the keys poses a significant risk to users, as attackers with access to leaked keys can push malware-infected firmware images or updates as legitimate. Since firmware is typically launched before the operating system, malicious code may evade detection by antivirus software and other security measures. Attackers could also use the keys to modify the device's firmware, severely compromising its reliability. According to Binarly, the exposed devices include many models of MSI's Stealth, Creator, Crosshair, Prestige, Pulse, Modern, Raider, Sword, Summit, Vector, and Katana series laptops. This article continues to discuss the discovery and potential impact of the leaked firmware image signing keys.

Cybernews reports "MSI's Leaked Firmware Keys Endanger Hundreds of Devices"

Since at least 2019, Italian corporate banking clients have been the target of an ongoing financial fraud campaign involving a new web-inject toolkit called drIBAN. According to Cleafy researchers, the primary objective of drIBAN fraud operations is to infect Windows workstations within corporate environments in an attempt to alter legitimate banking transfers performed by victims by changing the beneficiary and transferring money to an illegitimate bank account. The bank accounts are either controlled by the threat actors or their affiliates, who are then tasked with laundering the stolen funds. Web-injects are a time-tested technique that allows malware to inject custom scripts on the client side via a man-in-the-browser (MitB) attack and intercept traffic to the server. This article continues to discuss the ongoing financial fraud campaign leveraging the new drIBAN web-inject toolkit.

THN reports "Hackers Targeting Italian Corporate Banking Clients with New Web-Inject Toolkit drIBAN"

After a cyberattack by the Royal ransomware group, city government systems in Dallas are still not entirely functional. The City of Dallas has confirmed the ransomware attack, but has assured residents that police and fire rescue services will continue as usual. It has been announced that ransomware has compromised a number of servers, impacting multiple functional areas, including the Dallas Police Department website, according to a city statement. One person shared a copy of a ransom note churned out of printers across the Dallas city network, which threatened to leak data stolen from Dallas City systems. The Royal ransomware group has ties to the defunct Conti gang and has previously targeted the healthcare industry. This article continues to discuss the Royal ransomware attack that has impacted Dallas city government systems.

Dark Reading reports "Dallas City Systems Taken Down by Royal Ransomware"

Malicious open-source Python .whl (Wheel) files were distributing a new malware called KEKW, which can steal sensitive data from infected systems by combining clipper activities with infostealers to take over cryptocurrency transactions. Cyble Research and Intelligence Labs (CRIL) noted that the Python packages under investigation were absent from the actual Python Package Index (PyPI) repository, suggesting that the Python security team removed the malicious packages. CRIL also confirmed with the Python security team that the malicious packages were removed within 48 hours of their upload. Due to the quick removal of the malicious packages, CRIL said it is impossible to determine how many people downloaded them. However, they suspect that the incident's impact was likely minimal. The incident highlights a persistent issue within the open-source community. PyPI has become a popular repository for software packages using Python. As developers use it to share and download Python code, PyPI has become an attractive target for threat actors seeking to attack developers due to its pervasive adoption. This article continues to discuss the new KEKW malware and its distribution via malicious open-source Python .whl files.

SC Magazine reports "New KEKW Malware Infects Open-Source Python Wheel Files via a PyPI Distribution"

OpenAI offered free credits to users interested in trying its open Artificial Intelligence (AI) projects. However, Checkmarx discovered a vulnerability that allowed users to abuse the trial and get unlimited credit on new accounts. The researchers were able to circumvent restrictions by intercepting and modifying an OpenAI Application Programming Interface (API) request. According to the researchers, this allowed them to create a number of user accounts using the same phone number, receiving as many free credits as they desired. A user had to enter their email address, click on the activation link sent to their inbox, enter a phone number, and then enter the validation code received via SMS in order to register for the trial. Both the user's email address and phone number had to be unique for them to receive free credits. Researchers found it difficult to bypass the phone number limitation. They attempted to alter the phone number subtly, such as by adding the country code. Ultimately, they avoided the requirement by using multiple variants of the same phone number. This article continues to discuss the flaw that allowed Checkmarx researchers to get unlimited credits for testing different OpenAI projects such as ChatGPT.

Cybernews reports "OpenAI Flaw Allows Unlimited Credit on New Accounts"

Pediatric mental health provider Brightline has recently warned patients that it suffered a data breach on January 30, impacting 783,606 people. Brightline said the breach was related to a zero-day vulnerability in its Fortra GoAnywhere MFT secure file-sharing platform. Through its investigation, Fortra states that it identified a previously-unknown vulnerability which an unauthorized party used to gain access to certain Fortra customers' accounts and download files, including Brightline's. Brightline said its investigation determined the incident was limited to the Fortra service and did not impact its network. However, the data stolen from the breach included patients' confidential information. Data impacted could consist of some combination of the following data elements: individuals' names, addresses, dates of birth, member identification numbers, date of health plan coverage, and/or employer names. According to Bleeping Computer, these attacks were conducted by the Clop ransomware gang using the command injection vulnerability CVE-2023-0669.

Infosecurity reports: "Brightline Hack Exposes Data of Over 780,000 Child Mental Health Patients"

Apple has recently released the first-ever security updates for its Beats and AirPods products to patch a vulnerability that can be exploited to gain access to headphones through a Bluetooth attack. The flaw is tracked as CVE-2023-27964, and it was reported to Apple by Yun-hao Chung and Archie Pusaka of Google ChromeOS. The vulnerability has been described as an authentication issue. Apple noted that when your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones. The firmware update for AirPods (5E133), including the Pro and Max models, was made available on April 11, while the Beats firmware update (5B66), including for Powerbeats Pro and Beats Fit Pro, was released on May 2. Apple stated that firmware updates are delivered automatically to AirPods and Beats headphones while they are charging and in Bluetooth range of the user's iPhone, iPad, or Mac. Users can check whether their headset is running the latest firmware version.

SecurityWeek reports: "Apple Releases First-Ever Security Updates for Beats, AirPods Headphones"

Researchers from the Oregon State University (OSU) College of Engineering have demonstrated that hackers can destabilize a power transmission grid by manipulating smart meters to cause an oscillation in electricity demand. A smart meter is a digital device that captures electricity usage data and transmits it via a telecommunications connection to a local utility. The meters can be used to remotely shut off customers' power, such as in the case of unpaid bills, as well as to provide customers with more information about their electricity consumption. Similar to circuit breakers in a home's electrical panel, power grid components can "trip" and shut off when demand or load is excessive or otherwise problematic. The load is then transferred to other grid network components, which may also shut down, creating the potential for a domino effect that can cause a blackout. In this study, conducted with OSU College of Engineering associate professor Jinsub Kim, researchers used a time-domain grid protection simulator model to show how a load oscillation attack can compromise transmission. This article continues to discuss the research on load oscillating attacks on smart grids.

Oregon State University reports "OSU Research Shows How Hackers Can Target Smart Meters to Destabilize Electricity Grid"

The US government recently claimed it had dismantled another popular cybercrime service after unsealing a four-count indictment against its alleged Russian operator. Try2Check played a vital role in the online fraud supply chain by enabling cybercriminals who bought stolen cards on underground sites to test how many were still active and could therefore be used to commit fraud. According to the US Attorney's Office, the site processed a minimum of tens of millions of cards each year since it was founded in 2005 and supported carding shops like the infamous Joker's Stash that made hundreds of millions of dollars in profits annually. Try2Check's websites have now been taken offline, and the State Department has issued a $10m reward for information leading to the capture of the man accused of running the platform. Russian resident Denis Gennadievich Kulkov (aka "Kreenjo," "Nordex," and "Nordexin") is accused of access device fraud, computer intrusion, and money laundering in connection with Try2Check. If found and convicted, he could face a 20-year stretch behind bars.

Infosecurity reports: "US Authorities Dismantle Dark Web Card Checking Platform"

According to Check Point researchers, from the beginning of 2023 until the end of April, one out of every 25 newly created domains related to ChatGPT or OpenAI was malicious or potentially malicious. In addition, Meta has stated that, since March 2023, they have prevented the sharing of over 1,000 malicious links using ChatGPT as a lure across their platforms. Typically, threat actors hide malware within files that appear harmless and offer nonexistent ChatGPT desktop and mobile apps or browser extensions in official app stores. Fake ChatGPT Chrome extensions that steal Facebook session cookies to compromise personal and business Facebook accounts are common. Threat actors may customize their malware to a specific online platform, including incorporating more sophisticated account compromise techniques than expected from common malware. Malware families have been observed attempting to circumvent two-factor authentication (2FA) or automatically scanning for and detecting connections between a compromised account and a business account. The malware they use, such as DuckTail, NodeStealer, and others, are after almost any login credentials or session cookies they can get, which they will use to take over accounts on various social media platforms and online services in order to spread and host malware. This article continues to discuss key findings on the malware threat landscape.

Help Net Security reports "ChatGPT and Other AI-Themed Lures Used to Deliver Malicious Software"