In today’s episode, we cover China’s cyberespionage leadership, Balada Injector’s WordPress targeting, Curl library updates, ConnectedIO’s critical flaws, and Triada malware in US schools.
Recent developments encompass a cyberattack exposing 837K Flagstar Bank customers, a credential stuffing attack revealing 23andMe user data, Melbourne’s Royal Women’s Hospital facing a data breach crisis, a data breach exposing 900 Hongkongers through a WhatsApp hack targeting social services and schools, and the DC Board of Elections investigating a voter data leak.
We witness a Gaza-based threat actor targeting Israeli organizations, the Lazarus Group’s $900 million crypto laundering scheme, privacy scrutiny by a UK watchdog for Snap AI chatbot, hospital lobbyists challenging online tracking rules, and Blackbaud’s $49.5 million settlement for a ransomware data breach.
🚨 Cyber Alerts
1. Microsoft Warns of Surging Espionage
Microsoft’s annual Digital Defense Report has highlighted a concerning surge in government-sponsored cyberespionage and information operations. While ransomware attacks often dominate headlines, governments are increasingly focusing on stealthy cyberespionage efforts. According to Microsoft’s findings, highly capable Chinese actors, particularly in the Asia-Pacific region, are leading this aggressive trend. The report also underscores that nation-states like Russia, China, Iran, and North Korea continue to improve the scale and sophistication of their cyber operations, targeting both adversaries and allies for information theft and influence campaigns.
2. Balada Injector Campaign Threatens Websites
Sucuri’s recent research reveals an alarming trend in the ongoing Balada Injector campaign, targeting websites using the tagDiv Composer plugin, primarily in association with popular themes like Newspaper and Newsmag. This Unauthenticated Stored XSS vulnerability, first disclosed in September 2023, has sparked a surge in Balada malware injections, affecting thousands of websites. Balada Injector’s determination to maintain unauthorized access and control over compromised sites poses a significant challenge to site administrators, requiring vigilant cybersecurity measures.
3. Curl Library Faces Security Vulnerabilities
The maintainers of the Curl library have issued a warning regarding two forthcoming security vulnerabilities set to be addressed in an update on October 11, 2023. One of these vulnerabilities is rated as high-severity, while the other is low-severity. While specific details about the issues are being withheld to prevent premature problem identification, it is essential for organizations to prepare by inventorying and scanning systems that use curl and libcurl, as these vulnerabilities could impact versions spanning several years.
4. High-Sev Security Flaws in ConnectedIO ER2000
Multiple high-severity security flaws have been revealed in ConnectedIO’s ER2000 edge routers and the associated cloud platform, potentially enabling attackers to compromise cloud infrastructure, remotely execute code, and access sensitive data. These vulnerabilities could expose thousands of internal networks to severe threats, allowing malicious actors to take control, intercept traffic, and infiltrate Extended Internet of Things (XIoT) devices. The flaws impact ConnectedIO platform versions v2.1.0 and earlier, posing significant risks to businesses and their network security.
5. Triada Malware Hits 70,000 Devices
A sophisticated campaign involving malicious Python packages has been discovered by Checkmarx’s Supply Chain Security team, with over 272 packages designed to steal sensitive data. These packages, which have evolved significantly over time, have been downloaded approximately 75,000 times from open-source platforms.
💥 Cyber Incidents
6. Election Authority Probes Voter Data Breach
In a recent security incident, the District of Columbia Board of Elections is investigating a potential data leak involving voter records following claims made by a threat actor known as RansomedVC. The breach occurred through the web server of DataNet, the hosting provider for Washington D.C.’s election authority, without directly compromising DCBOE’s servers. DCBOE has taken down its website and conducted a comprehensive security assessment in collaboration with security experts, the FBI, and DHS. RansomedVC alleges the theft of over 600,000 lines of U.S. voter data and has offered the information for sale on the dark web.
7. Fiserv Attack Exposes Flagstar Clients
Flagstar Bank’s vendor, Fiserv, fell victim to a MOVEit Transfer attack, potentially compromising the personal information of hundreds of thousands of the bank’s clients. The breach occurred between May 27th and 31st, 2023, before the vulnerability was publicly disclosed, allowing unauthorized actors to access customer data, including Social Security numbers. With SSNs at risk, individuals are advised to stay vigilant, monitor their credit history, and take advantage of Flagstar Bank’s complimentary identity monitoring service to safeguard against identity theft.
8. 23andMe Data Breach Sparks Security Concerns
Genetics company 23andMe acknowledges that user data has been stolen and appeared on hacker forums, attributing the breach to a credential stuffing attack. A threat actor initially leaked genetic data limited to Ashkenazi individuals but later offered to sell data profiles from 23andMe customers in bulk. While the compromised accounts had opted into the ‘DNA Relatives’ feature, 23andMe encourages users to enable two-factor authentication and practice strong, unique passwords for online security.
9. Melbourne Hospital Faces Patient Data Breach
In a concerning incident, Melbourne’s Royal Women’s Hospital has experienced a data breach potentially impacting 192 patients. Cybercriminals gained unauthorized access to a staff member’s private email account, used for patient appointments and care coordination, prompting a forensic investigation. While electronic medical records remain secure, affected patients are being offered support and counseling services, with the hospital taking immediate measures to address the situation and prevent future breaches.
10. Hong Kong Suffers WhatsApp Data Breaches
Almost 900 residents of Hong Kong fell victim to data breaches within the past month as cybercriminals targeted the WhatsApp accounts of social services and schools, as disclosed by the city’s privacy commissioner. These attackers infiltrated the accounts of five social welfare services and schools, assuming the identity of these organizations to deceive individuals listed in their contact lists. Concurrently, the Hong Kong Computer Emergency Response Team Coordination Centre issued a warning about an increase in phishing schemes, particularly targeting messaging platforms like WhatsApp.
📢 Cyber News
11. Gaza-Based Cyber Threat Targeting Israel
A Gaza-based threat actor, known as Storm-1133, has been identified in a series of cyberattacks on Israeli energy, defense, and telecommunications companies. Microsoft revealed these details in its Digital Defense Report, linking the group to activities furthering the interests of Hamas, the governing authority in Gaza. Storm-1133 uses social engineering and fake LinkedIn profiles impersonating Israeli professionals to contact targets, conduct reconnaissance, and deliver malware. The group also attempts to infiltrate third-party organizations related to Israeli targets, utilizing dynamic command-and-control infrastructure hosted on Google Drive.
12. Lazarus Group’s $900M Crypto Laundering
A recent report reveals that the North Korea-linked Lazarus Group has laundered approximately $900 million in cryptocurrency between July 2022 and July of this year, out of a total of $7 billion in illicitly laundered cryptocurrency. This cybercriminal activity involves cross-chain crime, where stolen crypto assets are rapidly converted from one token or blockchain to another to obscure their origin. Elliptic, a blockchain analytics firm, notes that this method has seen a 111% increase in the proportion of funds sent via such services, partly due to Lazarus Group’s use of cross-chain bridges.
13. UK Watchdog Investigates Snap’s AI
Snap Inc. is currently under investigation by the UK’s Information Commissioner’s Office over concerns regarding the data privacy practices of its “My AI” chatbot, specifically in relation to minors aged 13 to 17. The ICO’s preliminary enforcement notice serves as an early warning, outlining potential actions that Snap may need to take. If a final enforcement notice is issued, Snap could be required to cease data processing related to “My AI” in the UK, impacting UK users’ access to the feature. Snap emphasizes that “My AI” underwent a thorough legal and privacy review before its public launch.
14. Hospital Lobbyists Seek HIPAA Clarification
Healthcare lobby groups are urging Congress to compel health regulators to retract a warning regarding the use of online trackers in patient portals that could potentially violate medical privacy laws. The American Hospital Association is pushing for the withdrawal of the December 2022 bulletin, which was issued after major health organizations started treating the use of web user tracking code by Facebook and Google as a reportable data breach.
15. Blackbaud Settles $49.5M for 2020 Ransomware
Cloud computing provider Blackbaud has reached a $49.5 million settlement with attorneys general from 49 U.S. states to resolve a multi-state investigation into a ransomware attack and data breach that occurred in May 2020. The attack exposed highly sensitive data from over 13,000 Blackbaud business customers and their clients across the U.S., Canada, the U.K., and the Netherlands. This settlement addresses allegations of Blackbaud violating state consumer protection laws, breach-notification regulations, and the Health Insurance Portability and Accountability Act.
Copyright © 2023 CyberMaterial. All Rights Reserved.