WebTPA, a third-party administrator that provides healthcare management and administrative services, disclosed a data breach.

WebTPA is a third-party administrator that provides healthcare management and administrative services. The US company disclosed a data breach that impacted almost 2.5 million people. According to the report sent by the WebTPA to the U.S. Department of Health and Human Services on May 8, the incident affected 2,429,175 individuals.

According to the notice published by the company, WebTPA acts as an administrative services provider to certain benefit plans and insurance companies whose information was impacted in this incident.

WebTPA discovered suspicious activity on its network on December 28, 2023 and launched an investigation with the help of third-party cybersecurity experts. The investigation revealed that an unauthorized actor may have obtained personal information between April 18 and April 23, 2023.

The company also notified federal law enforcement.

“On December 28, 2023, we detected evidence of suspicious activity on the WebTPA network that prompted us to launch an investigation. Upon detecting the incident, we promptly initiated measures to mitigate the threat and further secure our network.” reads the notice published by the company. “The investigation concluded that the unauthorized actor may have obtained personal information between April 18 and April 23, 2023.”

WebTPA promptly notified benefit plans and insurance companies about the incident and the potential exposure of personal information. They worked diligently to determine the extent of the impacted data and provided this information to the benefit plans and insurance companies on March 25, 2024.

Exposed information may include name, contact information, date of birth, date of death, Social Security number, and insurance information. The exposed data may vary for each individual. The company pointed out that financial account information, credit card numbers, and treatment or diagnostic information were not impacted.

WebTPA is offering individuals two years of complimentary identity monitoring services through Kroll. They have also implemented additional security measures to enhance their network’s security. The company added that it is not aware of any misuse of benefit plan member information due to this incident.

The company recommends the impacted individuals stay vigilant against identity theft or fraud and carefully review credit reports and Explanations of Benefits (EOBs) for suspicious activity.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

A new Grandoreiro banking trojan campaign has been ongoing since March 2024, following the disruption by law enforcement in January.

IBM X-Force warns of a new Grandoreiro banking trojan campaign that has been ongoing since March 2024. Operators behind the Grandoreiro banking trojan have resumed operations following a law enforcement takedown in January.

The recent campaign is targeting over 1,500 banks in more than 60 countries across Central and South America, Africa, Europe, and the Indo-Pacific. The banking Trojan is likely operated as a Malware-as-a-Service (MaaS).

Grandoreiro is a modular backdoor that supports the following capabilities:

• Keylogging
• Auto-Updation for newer versions and modules
• Web-Injects and restricting access to specific websites
• Command execution
• Manipulating windows
• Guiding the victim’s browser to a certain URL
• C2 Domain Generation via DGA (Domain Generation Algorithm)
• Imitating mouse and keyboard movements

The latest version shows major updates within the string decryption and domain generating algorithm (DGA), it can also use Microsoft Outlook clients on infected hosts to spread further phishing emails.

Traditionally limited to Latin America, Spain, and Portugal, recent Grandoreiro campaigns have expanded their targets to include entities such as Mexico’s Tax Administration Service (SAT), Federal Electricity Commission (CFE), Secretary of Administration and Finance, the Revenue Service of Argentina, and the South African Revenue Service (SARS). The recent campaign demonstrates that operators are expanding the malware’s deployment globally, starting with South Africa.

In each attack observed by the experts, threat actors instructed recipients to click on a link to view an invoice, fee, account statement, or make a payment, depending on the impersonated entity. If the user is in a targeted country (Mexico, Chile, Spain, Costa Rica, Peru, or Argentina), they are redirected to an image of a PDF icon, while a ZIP file is downloaded in the background. These ZIP files contain a large executable disguised as a PDF icon, created the day before or the day of the email being sent.

The loader bloated to a size of more than 100MB to prevent automatic anti-virus scanning. To circumvent automated execution, it displays a small CAPTCHA pop-up imitating Adobe PDF reader, which requires a click to continue with the execution.

The loader prevents the execution in a sandbox by verifying if the client is a legitimate victim, it enumerates basic victim data and sends it back to its C2. Finally the loader downloads, decrypts and executes the Grandoreiro banking trojan.

The malware doesn’t continue execution if the public IP associated with infected systems was from Russia, Czechia, Poland, or the Netherlands. It also prevented infections on Windows 7 machines in the US without antivirus.

The banking Trojan establishes persistence via the Windows registry, then it uses a reworked DGA to connect with a C2 server awaiting further instructions.

“One of Grandoreiro’s most interesting features is its capability to spread by harvesting data from Outlook and using the victim’s account to send out spam emails. There are at least 3 mechanisms implemented in Grandoreiro to harvest and exfiltrate email addresses, with each using a different DGA seed.” states the report. “By using the local Outlook client for spamming, Grandoreiro can spread through infected victim inboxes via email, which likely contributes to the large amount of spam volume observed from Grandoreiro.”

To interact with the local Outlook client, the malware relies on the Outlook Security Manager tool, preventing that the Outlook Object Model Guard triggers security alerts if it detects access on protected objects.

“The updates made to the malware, in addition to the significant increase in banking applications across several nations, indicate that the Grandoreiro distributors are seeking to conduct campaigns and deliver malware on a global scale.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, banking Trojan)