Healthcare firm HealthEquity disclosed a data breach caused by a partner’s compromised account that exposed protected health information.
Healthcare fintech firm HealthEquity disclosed a data breach after a partner’s compromised account was used to access its systems. The intruders have stolen protected health information from the company systems. The company discovered an anomalous behavior from the partner’s personal device and immediately launched an investigation that led to the discovery of the security breach.
“The investigation concluded that the Partner’s user account had been compromised by an unauthorized third party, who used that account to access information. The accessed information included some personally identifiable information, which in some cases is considered protected health information, pertaining to certain of our members. The investigation further concluded that some information was subsequently transferred off the Partner’s systems.” reads the FORM 8-K filed with SEC. “The Company has taken steps to strengthen its security environment, including with respect to the compromised Partner account and the recommended actions of its incident response firm. The investigation did not find placement of malicious code on any Company systems. There has been no interruption to the Company’s systems, services, or business operations.”
HealthEquity is a leading financial technology company that specializes in administering health savings accounts (HSAs) and other consumer-directed benefits. Some key facts about HealthEquity:
As of July 2022, HealthEquity managed 7.5 million HSA accounts with $20.5 billion in assets, plus an additional 7 million other consumer-directed benefit accounts for a total of 14.5 million accounts.
The company is notifying its partners and clients, as well as identifying and notifying impacted individual members.
HealthEquity will offer complimentary credit monitoring and identity restoration services. The investigation is still ongoing and the healthcare fintech firm has yet to determine the fill impact of the incident.
“The Company does not currently believe the incident will have a material adverse effect on its business, operations, or financial results.” continues the Form 8-K.
“The Company believes it holds adequate cybersecurity insurance for this incident and will also be seeking recourse from the Partner.”
Brazil’s data protection authority temporarily banned Meta from using data originating in the country to train its artificial intelligence.
Brazil’s data protection authority, Autoridade Nacional de Proteção de Dados (ANPD), has imposed a temporary ban on Meta from processing users’ personal data for training its artificial intelligence (AI) models.
“The National Data Protection Authority (ANPD) issued today a Preventive Measure determining the immediate suspension, in Brazil, of the validity of the new privacy policy of the company Meta , which authorized the use of personal data published on its platforms for the purpose of training artificial intelligence (AI) systems.” reads the announcement published by ANPD.
ANPD also announced a daily fine of R$50,000 for non-compliance.
The Board of Directors issued a Preventive Measure due to the “use of an inadequate legal basis for data processing, insufficient disclosure of clear and accessible information about privacy policy changes and data processing, excessive limitations on the exercise of data subjects’ rights, and processing of children’s and adolescents’ personal data without proper safeguards.”
Meta’s updated privacy policy allows the social media giant to use public posts for its AI systems.
Meta expressed disappointment with the decision, claiming its practices comply with Brazilian privacy laws.
“This is a step backwards for innovation, competition in AI development and further delays bringing the benefits of AI to people in Brazil,” the spokesperson said.
Human Rights Watch recently published a report revealing that LAION-5B, a major image-text dataset used for training AI models, includes identifiable photos of Brazilian children. These models can be used by tools employed to create malicious deepfakes that put even more children at risk of exploitation,
In June, Meta announced it is delaying the training of its large language models (LLMs) using public content shared by adults on Facebook and Instagram following the Irish Data Protection Commission (DPC) request.
Meta added it is disappointed by request from the Irish Data Protection Commission (DPC), the social network giant pointed out that this is a step “backwards for European innovation, competition in AI development and further delays bringing the benefits of AI to people in Europe.”
“We’re disappointed by the request from the Irish Data Protection Commission (DPC), our lead regulator, on behalf of the European DPAs, to delay training our large language models (LLMs) using public content shared by adults on Facebook and Instagram — particularly since we incorporated regulatory feedback and the European DPAs have been informed since March.” reads the statement from Meta. “This is a step backwards for European innovation, competition in AI development and further delays bringing the benefits of AI to people in Europe.”
The company explained that its AI, including Llama LLM, is already available in other parts of the world. Meta explained that to provide a better service to its European communities, it needs to train the models on relevant information that reflects the diverse languages, geography and cultural references of the people in Europe. For this reason, the company initially planned to train its large language models using the content that its European users in the EU have publicly stated on its products and services.
Meta added that the delay will allow it to address requests from the U.K. Information Commissioner’s Office (ICO) before starting the training.
Technology company Splunk released security updates to address 16 vulnerabilities in Splunk Enterprise and Cloud Platform.
Technology company Splunk addressed 16 vulnerabilities in Splunk Enterprise and Cloud Platform, including four high-severity flaws.
The vulnerability CVE-2024-36985 is a Remote Code Execution (RCE) through an external lookup due to “copybuckets.py“ script in the “splunk_archiver“ application in Splunk Enterprise.
“In Splunk Enterprise versions below 9.0.10, 9.1.5, and 9.2.2, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could cause a Remote Code Execution through an external lookup that likely references the “splunk_archiver“ application.” reads the advisory. “The “splunk_archiver“ application likely contains a script called “copybuckets.py“ that itself references a file called “erp_launcher.py“, which would likely execute a script called “sudobash. The “sudobash“ script does not perform any input checking. Therefore it runs a bash shell with arguments supplied by the “erp_launcher.py“ file. This can lead to an RCE.”
Splunk Enterprise versions 9.2.2, 9.1.5, and 9.0.10, or higher address the issue, the company also recommends disabling the “splunk_archiver“ application to temporarily mitigate the issue.
The company addressed another high-serverity bug, tracked as CVE-2024-36984, which is a Remote Code Execution through Serialized Session Payload in Splunk Enterprise on Windows.
“In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 on Windows, an authenticated user could execute a specially crafted query that they could then use to serialize untrusted data. The attacker could use the query to execute arbitrary code.” reads the advisory. “The exploit requires the use of the collect SPL command which writes a file within the Splunk Enterprise installation. The attacker could then use this file to submit a serialized payload that could result in execution of code within the payload.”
Splunk Enterprise versions 9.2.2, 9.1.5, and 9.0.10, or higher address the issue.
If users do not log in to Splunk Web on indexers in a distributed environment, disabling Splunk Web on those indexers can mitigate the issue.
Twilio states that threat actors have identified the phone numbers of users of its two-factor authentication app, Authy, TechCrunch reported.
Last week, the notorious hacker ShinyHunters claimed to have stolen 33 million phone numbers from Twilio. This week the messaging firm told TechCrunch that “threat actors” identified data of Authy users, a two-factor authentication app owned by Twilio, including their phone numbers.
Twilio is an American firm that provides programmable communication tools for making and receiving phone calls, sending and receiving text messages, and performing other communication functions using its web service APIs.
The company has more than 5,000 employees in 17 countries, and its revenues in 2021 are US$2.84 billion.
A company spokesperson told TechCrunch that the hackers obtained the data from an unauthenticated endpoint. The company confirmed it has already secured the vulnerable endpoint.
Twilio stated there is no evidence that the threat actors accessed its systems or other sensitive data. As a precaution, the company is urging all Authy users to update their Android and iOS apps and remain vigilant against phishing and smishing attacks.
“Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.” reads a security update published by the company. “We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting that all Authy users update to the latest Android and iOS apps for the latest security updates. While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving.”
In August 2022, Twilio disclosed a data breach, threat actors had access to the data of some of its customers. The attackers accessed company systems using employee credentials obtained through a sophisticated SMS phishing attack.
“On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials. This broad based attack against our employee base succeeded in fooling some employees into providing their credentials. The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.” Twilio said over the weekend.” reads the incident report published by Twilio.
The company did not disclose the number of affected employees and customers.
In October 2022, the Communications company announced that it suffered another “brief security incident” on June 29, 2022, the attack was conducted by the same threat actor that in August compromised the company and gained access to customers’ and employees’ information.
An international law enforcement operation code-named Operation Morpheus led to the takedown of 593 Cobalt Strike servers used by crooks.
An international law enforcement operation, code-named Operation Morpheus, aimed at combatting the criminal abuse of an older, unlicensed version of the Cobalt Strike red teaming tool.
The Cobalt Strike platform was developed for Adversary Simulations and Red Team Operations, currently provided by the cybersecurity software company Fortra. It has also become popular among threat actors over the past years, including APT29, FIN7, RYUK, Trickbot and Conti.
It is quite easy to find pirated versions of the software that were used by attackers in the wild.
Operation MORPHEUS, led by the UK National Crime Agency, included law enforcement authorities from Australia, Canada, Germany, the Netherlands, Poland, and the United States. This disruptive action, which concluded a complex investigation, began in 2021.
The operation took place between June 24 and 28 and was coordinated by Europol, which also collaborated with private partners, including BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch, and The Shadowserver Foundation. These partners used enhanced scanning, telemetry, and analytical capabilities to identify malicious activities and cybercriminal use.
The law enforcement experts identified 690 IP addresses and various domain names associated with criminal activities. The operation led to the takedown of 593 of these IP addresses across 27 countries.
“Fortra has taken significant steps to prevent the abuse of its software and has partnered with law enforcement throughout this investigation to protect the legitimate use of its tools. However, in rare circumstances, criminals have stolen older versions of Cobalt Strike, creating cracked copies to gain backdoor access to machines and deploy malware. Such unlicensed versions of the tool have been connected to multiple malware and ransomware investigations, including those into RYUK, Trickbot and Conti.” reads the press release published by Europol.
“Law enforcement used a platform, known as the Malware Information Sharing Platform, to allow the private sector to share real-time threat intelligence with law enforcement. Over the span of the whole investigation, over 730 pieces of threat intelligence were shared containing almost 1.2 million indicators of compromise.” concludes the press release. “Europol’s EC3 organised over 40 coordination meetings between the law enforcement agencies and the private partners. During the week of action, Europol set up a virtual command post to coordinate law enforcement action across the globe.”
In April 2023, Microsoft Digital Crimes Unit (DCU) announced that had collaborated with Fortra, the company that develops and maintains the tool, and Health Information Sharing and Analysis Center (Health-ISAC) to curb the abuse of Cobalt Strike by cybercriminals.
The Microsoft DCU secured a court order in the U.S. to remove cracked versions of Cobalt Strike (“refer to stolen, unlicensed, or otherwise unauthorized versions or copies of the tool”) so they can no longer be used by cybercriminals.
Threat actors, including ransomware groups and nation-state actors, use Cobalt Strike after obtaining initial access to a target network. The tool is used to conduct multiple malicious activities, including escalating privileges, lateral movements, and deploying additional malicious payloads.
“More specifically, cracked versions of Cobalt Strike allow Defendants to gain control of their victim’s machine and move laterally through the connected network to find other victims and install malware. This includes installing ransomware like Conti, LockBit, Quantum Locker, Royal, Cuba, BlackBasta, BlackCat and PlayCrypt, to arrest access to the systems. In essence, Defendants are able to leverage cracked versions of Cobalt Strike to brutally force their way into victim machines and deploy malware.” reads the court order. “Additionally, once the Defendants deploy the malware or ransomware onto computers running Microsoft’s Window operating system, Defendants are able to execute a series of actions involving abuse of Microsoft’s copyrighted declaring code.”
Example of an attack flow by threat actor DEV-0243.
Microsoft observed more than 68 ransomware attacks, involving the use of cracked copies of Cobalt Strike, against healthcare organizations in more than 19 countries around the world.
The attacks caused huge financial damages to the attacked hospitals in recovery and repair costs, plus interruptions to critical patient care services.
Microsoft also observed nation-state actors, including APT groups from Russia, China, Vietnam, and Iran, using cracked copies of Cobalt Strike.
“Microsoft, Fortra and Health-ISAC remain relentless in our efforts to improve the security of the ecosystem, and we are collaborating with the FBI Cyber Division, National Cyber Investigative Joint Task Force (NCIJTF) and Europol’s European Cybercrime Centre (EC3) on this case. While this action will impact the criminals’ immediate operations, we fully anticipate they will attempt to revive their efforts. Our action is therefore not one and done.” concludes the report.
In November 2022, Google Cloud researchers announced the discovery of 34 different Cobalt Strike hacked release versions with a total of 275 unique JAR files across these versions.
Google Cloud Threat Intelligence (GCTI) researchers developed a set of YARA rules to detect hacked variants in the wild with a high degree of accuracy. The researchers noticed that each Cobalt Strike version contains approximately 10 to 100 attack template binaries
The LockBit ransomware group breached another hospital in the United States, the victim is the Fairfield Memorial Hospital in Illinois.
It has happened again, another US healthcare organization suffered a security breach, this time the victim is the Fairfield Memorial Hospital in Illinois.
Fairfield Memorial Hospital is a not-for-profit critical access hospital located in Fairfield, Illinois. It has 25 acute-care beds and a workforce of over 400 employees.
It offers a wide range of medical services, including Emergency Services, General Surgical Services, Intensive Care Unit (ICU), Medical Surgical Unit, Orthopedic Surgical Services, and Urgent Care.
The hospital is fully accredited and has been recognized for its quality of care, with high patient experience and medical/surgical ICU ratings.
The Lockbit ransomware gang claimed the hack of the healthcare structure and added it to its Tor leak site.
The extortion group claimed the theft of data and announced it would leak it on July 17, 2024.
LockBit breached another United States hospital this time in Fairfield, Illinois.
Unfortunately, the ransomware group claimed the hack of other hospitals as reported by researchers at Hack Manack. The extortion group also claimed the hack of the Merryman House Domestic Crisis Center, and the Florida Department of Health.
“Today, cybercriminals have hit rock bottom, claiming to have attacked Fairfield Memorial Hospital, Merryman House Domestic Crisis Center, and the Florida Department of Health. What makes the situation critical is not only the highly sensitive data being stolen but also the repercussions that a ransomware attack can have on critical infrastructures, such as hospitals, which put people’s lives at risk. Hackers targeting these infrastructures are no longer just money-hungry “nerds”; they are becoming murderers.” wrote the experts.
#USA: Today, cybercriminals have hit rock bottom, claiming to have attacked Fairfield Memorial Hospital, Merryman House Domestic Crisis Center, and the Florida Department of Health.
Lurie Children’s Hospital is one of the top pediatric hospitals in the United States.
In early November 2023, the Cogdell Memorial Hospital (Scurry County Hospital District) announced it was experiencing a computer network incident that prevented the hospital from accessing some of its systems and severely limiting the operability of its phone system. The hospital immediately removed network connectivity and continued to provide most routine services.
The facility operates as a Critical Access Hospital and a Rural Health Clinic serving rural West Texas.
Cyber attacks against hospitals are very dangerous, and despite major ransomware gangs imposing restrictions on their affiliates to avoid targeting them, many incidents have recently made headlines.
The American credit union Patelco Credit Union shut down several of its banking systems to contain a ransomware attack.
Patelco Credit Union is a member-owned, not-for-profit credit union that serves Northern California, particularly the San Francisco Bay Area. Founded in 1936, it is one of the oldest and largest credit unions in the country. With more than $9 billion in assets, it is the 22nd largest credit union in the country.
In a service update provided by the company, Patelco disclosed it had suffered a ransomware attack on June 29, 2024.
“On June 29, 2024, Patelco Credit Union experienced a ransomware attack.” reads the update.
The company is working with leading third-party cybersecurity experts to investigate and contain the attack, it also reported the incident to regulators and law enforcement.
According to the “Services Updates” page the following services are still unavailable:
Available
Limited Functionality
Unavailable
Check and Cash Deposits
Patelco Branches
Online Banking
ATM Withdrawals
Call Center
Mobile App
External ACH1
Live Chat
Outgoing Wire Transfers
ACH for Bills2
Debit Card Transactions
Monthly Statements
In-Branch Loan Payments
Credit Card Transactions
Zelle
–
Direct Deposit
Balance Inquiries
–
–
Online Bill Pay
Customers can perform cash withdrawals and deposits using Patelco ATMs and over 30,000 shared branch ATMs in the U.S.
The company did not reveal the family of ransomware that infected its systems and at the time of this writing, no ransomware groups have claimed responsibility for the security breach.
It’s unclear if threat actors have stolen data from the impacted systems.
The Polish government is investigating a potential connection between Russia and a cyberattack on the country’s state news agency.
The Polish government is investigating a suspected link between Russia and the cyberattack on the country’s state news agency Polish Press Agency (PAP).
“The Polish Press Agency (PAP) has been hit by a cyberattack; all pertinent information regarding this critical incident is currently being provided to the relevant authorities,” PAP’s liquidator Marek Blonski and PAP’s editor-in-chief Wojciech Tumidalski wrote in a joint statement. “We are working to strengthen the security of all our systems and services,” Blonski and Tumidalski added.
The attack on the Polish Press Agency (PAP) occurred in May and aimed at spreading disinformation and destabilizing the country.
Authorities believe that a fake news report on Poland’s national news agency, claiming that Prime Minister Donald Tusk was mobilizing 200,000 men starting on July 1, was likely created by Russia-sponsored hackers. The attack appeared to be an attempt to interfere with the upcoming European Parliament election.
“Everything indicates that we are dealing with a cyberattack directed from the Russian side,” said Krzysztof Gawkowski, a deputy prime minister who also holds the digital affairs portfolio. “The goal is disinformation ahead of (European Parliament) elections and a paralysis of the society.”
Two fabricated reports about a partial mobilization in Poland starting on July 1, 2024, were released on the PAP service on a Friday afternoon. PAP clarified that they were not the source of these reports, and promptly annulled and withdrawn them.
Polish authorities suspect that Russia carried out the attack.
PAP CEO Marek Błoński condemned the attack.
“We are committed to clarifying the issue in collaboration with the appropriate state services”, Błoński said.
Polish media outlets, including Polskie Radio, have reported frequent targeting by Russian hackers, with Polish companies experiencing over 1,400 attacks weekly.
The Russian embassy in Warsaw told Reuters it had no knowledge of the incident and declined further comment.
In May, CERT Polska and CSIRT MON teams issued a warning about a large-scale malware campaign targeting Polish government institutions, allegedly orchestrated by the Russia-linked APT28 group.
The attribution of the attacks to the Russian APT is based on similarities with TTPs employed by APT28 in attacks against Ukrainian entities.
“the CERT Polska (CSIRT NASK) and CSIRT MON teams observed a large-scale malware campaign targeting Polish government institutions.” reads the alert. “Based on technical indicators and similarity to attacks described in the past (e.g. on Ukrainian entities), the campaign can be associated with the APT28 activity set, which is associated with Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).”
Fintech firms Wise and Affirm confirmed they were both impacted by the recent data breach suffered by Evolve Bank.
Fintech companies Wise and Affirm have confirmed that they were both affected by the recent data breach at Evolve Bank.
At the end of June, the LockBit gang announced that it had breached the systems of the Federal Reserve of the United States and exfiltrated 33 TB of sensitive data, including “Americans’ banking secrets.”
Despite the announcement, data leaked data from the group belongs to the Arkansas-based financial organization Evolve Bank & Trust.
The analysis of the data leaked by the LockBit group on its Tor leak site on June 26 confirmed the documents belong to the Evolve Bank & Trust.
Evolve Bank & Trust published a notice on its website to confirm the security breach and announced it has launched an investigation into the incident. The financial organization confirmed that certain personal information may have been compromised. The financial organization refused to pay the ransom and the gang leaked the stolen data.
“Evolve Bank & Trust is making retail bank customers and financial technology partners’ customers (end users) aware of a cybersecurity incident that may involve certain personal information, as well as the actions we have taken in response, and additional steps individuals may take.” reads the notice of Cybersecurity Incident. “Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organization that appears to have illegally obtained and released on the dark web the data and personal information of some Evolve retail bank customers and financial technology partners’ customers (end users). We take this matter extremely seriously and are working diligently to address the situation.”
Evolve has reported the incident to law enforcement, it also added that the incident has been completely contained.
An update published on June 26, 2024 12:00pm confirmed that the company’s retail banking customers’ debit cards, online, and digital banking credentials do not appear to be impacted.
Evolve will directly contact impacted customers and financial technology partners.
The fintech firm Wise announced that the Evolve data breach impacted some of its customers. Despote Wise is no longer collaborating with Evolve, the bank was still storing some Wise data.
Wise was sharing data with Evolve Bank & Trust to receive USD account details from the bank, including name, address, date of birth, contact details, SSN or EIN for US customers, or another identity document number for non-US customers. Evolve has not yet reveal which Wise data has been compromised by the security incident.
Wise pointed out that the data breach has not impacted their systems.
“For Evolve Bank & Trust to provide USD account details to Wise customers, they were required to hold identifying information. The information that we shared with Evolve Bank & Trust to provide USD account details included name, address, date of birth, contact details, SSN or EIN for US customers, or another identity document number for non-US customers. Evolve has not yet confirmed to us what data has been impacted.” reads the statement published by Wise. “We no longer work with Evolve Bank & Trust, and USD account details are provided by a different bank.”
The fintech firm will contact customers whose data may have been compromised.
Affirm, a fintech firm with a buy now, pay later service for online and in-store shopping, also confirmed that Evolve Bank data breach impacted some of its customers.
“On June 25, 2024, Evolve Bank & Trust (“Evolve”), the third-party issuer of the Affirm Card, notified the Company that Evolve had experienced a cybersecurity incident whereby a third party gained unauthorized access to personal information and financial information (“Personal Information”) of Evolve retail banking customers and the customers of its financial technology partners.” reads the FORM 8-K filed by with SEC. “Because the Company shares the Personal Information of Affirm Card users with Evolve to facilitate the issuance and servicing of Affirm Cards, the Company believes that the Personal Information of Affirm Card users was compromised as part of Evolve’s cybersecurity incident.”
The company added that its information systems were not compromised.
Prudential Financial confirmed that more than 2.5 million individuals were affected by the data breach it suffered in February 2024.
The insurance company Prudential Financial confirmed that the data breach it suffered in February 2024 affected over 2.5 million individuals. The incident occurred on February 4, 2024, and was discovered on February 5, 2024.
The company did not share details of the cyber attack, however, the Alphv/BlackCat ransomware gang claimed responsibility for the security breach.
The company initially announced in March that the security incident had impacted more than 36,000individuals. The compromised data included names, addresses, driver’s license numbers, and non-driver identification card numbers.
In an update provided by Prudential Financial, the company revealed that the incident impacted 2,556,210 individuals.
The company is offering two years of free credit monitoring services to the affected individuals.
An Australian man has been charged with carrying out ‘Evil Twin’ Wi-Fi attack during a domestic flight to steal user credentials and data.
An Evil Twin Wi-Fi attack is a type of cyberattack where a threat actor sets up a rogue wireless access point that mimics a legitimate one. The goal is to trick users into connecting to the fake access point, thereby allowing the attacker to intercept, capture, and manipulate data transmitted by the victim.
The AFP charged an Australian man (42) with operating a fake Wi-Fi access point on a domestic flight to steal user credentials and data.
“The AFP has charged a West Australian man who allegedly established fake free WiFi access points, which mimicked legitimate networks, to capture personal data from unsuspecting victims who mistakenly connected to them.” reads the press release published by AFP. “The man, 42, is expected to appear in Perth Magistrates Court today (28 June, 2024) to face nine charges for alleged cybercrime offences.”
The defendant faces charges of three counts of unauthorized impairment of electronic communication and three counts of possession or control of data to commit a serious offense.
The man is also charged with unauthorized access or modification of restricted data, dishonestly obtaining or dealing in personal financial information, and possession of identification information. If convicted, he faces a maximum sentence of 23 years in prison.
The analysis of the seized data and devices from the Australian man revealed dozens of personal credentials and fraudulent WiFi pages. The man was charged in May 2024 following an investigation launched in April 2024 after an airline reported a suspicious WiFi network during a domestic flight. The investigators found a portable wireless access device, a laptop, and a mobile phone in the man’s luggage at Perth Airport. The Australian police also searched the man’s home in Palmyra. A second search warrant on May 8, 2024, led to his arrest and charges. Police allege he created ‘evil twin’ WiFi networks to lure users into entering their credentials on fake webpages, which he then stored. These harvested cfedentials could be used to access victims’ personal information and bank details.
AFP cybercrime investigators collected evidence that indicates the use of fraudulent WiFi pages at airports in Perth, Melbourne, and Adelaide, on domestic flights, and at locations associated with the man’s previous employment.
“To connect to a free WiFi network, you shouldn’t have to enter any personal details– such as logging in through an email or social media account,”
“If you do want to use public WiFi hotspots, install a reputable virtual private network (VPN) on your devices to encrypt and secure your data when using the internet.” AFP Western Command Cybercrime Detective Inspector Andrea Coleman said.
“When using a public network, disable file sharing, don’t do anything sensitive – such as banking -while connected to it and once you finish using it, change your device settings to ‘forget network’.
“We also recommend turning off the WiFi on your phone or other electronic devices before going out in public, to prevent your device from automatically connecting to a hotspot.”
Cisco fixed an actively exploited NX-OS zero-day, the flaw was exploited to install previously unknown malware as root on vulnerable switches.
Cisco addressed an NX-OS zero-day, tracked as CVE-2024-20399 (CVSS score of 6.0), that the China-linked group Velvet Ant exploited to deploy previously unknown malware as root on vulnerable switches.
The flaw resides in the CLI of Cisco NX-OS Software, an authenticated, local attacker can exploit the flaw to execute arbitrary commands as root on the underlying operating system of an affected device.
“This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command.” reads the advisory published by Cisco. “A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root.”
The IT giant pointed out that only attackers with Administrator credentials can successfully exploit this vulnerability on a Cisco NX-OS device.
In April 2024, researchers reported to the Cisco Product Security Incident Response Team (PSIRT) that the issue was actively exploited in the wild.
Cybersecurity firm Sygnia observed the attacks on April 2024 and reported them to Cisco.
“Sygnia identified that CVE-2024-20399 was exploited in the wild by a China-nexus threat group as a ‘zero-day’ and shared the details of the vulnerability with Cisco. By exploiting this vulnerability, a threat group – dubbed ‘Velvet Ant’ – successfully executed commands on the underlying operating system of Cisco Nexus devices.” reads the report published by Sygnia. “This exploitation led to the execution of a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices.“
The vulnerability impacts the following devices:
MDS 9000 Series Multilayer Switches (CSCwj97007)
Nexus 3000 Series Switches (CSCwj97009)
Nexus 5500 Platform Switches (CSCwj97011)
Nexus 5600 Platform Switches (CSCwj97011)
Nexus 6000 Series Switches (CSCwj97011)
Nexus 7000 Series Switches (CSCwj94682) *
Nexus 9000 Series Switches in standalone NX-OS mode (CSCwj97009)
Cisco recommends customers monitor the use of credentials for the administrative users network-admin and vdc-admin.
Cisco provides the Cisco Software Checker to help customers determine if their devices are vulnerable to this flaw.
In late 2023, Sygnia researchers responded to an incident suffered by a large organization that they attributed to the same China-linked threat actor ‘Velvet Ant.’
The cyberspies deployed custom malware on F5 BIG-IP appliances to gain persistent access to the internal network of the target organization and steal sensitive data.
A critical flaw in the OpenSSH server can be exploited to achieve unauthenticated remote code execution with root privileges in glibc-based Linux systems.
OpenSSH maintainers addressed a critical vulnerability, tracked as CVE-2024-6387, that can lead to unauthenticated remote code execution with root privileges in glibc-based Linux systems.
OpenSSH maintained have addressed the vulnerability with the release of version 9.8 on July 01, 2024.
“A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges. Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It’s likely that these attacks will be improved upon.” reads the advisory. “Exploitation on non-glibc systems is conceivable but has not been examined. Systems that lack ASLR or users of downstream Linux distributions that have modified OpenSSH to disable per-connection ASLR re-randomisation (yes – this is a thing, no – we don’t understand why) may potentially have an easier path to exploitation.”
The Qualys Threat Research Unit (TRU) has discovered the Remote Unauthenticated Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) in glibc-based Linux systems.
The issue is due to a signal handler race condition, Qualys researchers state that the flaw poses a considerable risk because it affects sshd in its default configuration.
“The vulnerability, which is a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems; that presents a significant security risk. This race condition affects sshd in its default configuration.” reported Qualys.
Searches using Censys and Shodan have revealed over 14 million potentially vulnerable OpenSSH server instances exposed to the Internet. Data from Qualys CSAM 3.0 shows that around 700,000 of these are external internet-facing instances, representing 31% of all such instances in their global customer base. Notably, over 0.14% of these vulnerable instances are running an End-Of-Life/End-Of-Support version of OpenSSH.
The flaw was introduced with the fix for another vulnerability, tracked as CVE-2006-5051. This is a case of regression of a previously patched flaw, which means that a previously fixed bug has resurfaced in a later software release, often due to updates that unintentionally reintroduce the issue. The regression was introduced in October 2020 with the release of OpenSSH 8.5p1.
Maintainers pointed out that OpenBSD systems are not impacted by this vulnerability. The latest release also addressed a Logic error in ssh(1) ObscureKeystrokeTiming. The flaw was discovered by Philippos Giavridis and also independently by Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford of the University of Cambridge Computer Lab.
“In OpenSSH version 9.5 through 9.7 (inclusive), when connected to an OpenSSH server version 9.5 or later, a logic error in the ssh(1) ObscureKeystrokeTiming feature (on by default) rendered this feature ineffective – a passive observer could still detect which network packets contained real keystrokes when the countermeasure was active because both fake and real keystroke packets were being sent unconditionally.” states the advisory.
Wayne Memorial Hospital in Pennsylvania was the victim of a cyber attack, Monti gang claimed to have hacked the healthcare infrastructure.
Another critical infrastructure healthcare suffered a security breach, this time the victim is the Wayne Memorial Hospital in Pennsylvania. Wayne Memorial Hospital is a 114-bed not-for-profit hospital located in Honesdale, Pennsylvania, United States.
The Monti ransomware gang claimed the hack of the healthcare structure and added it to its Tor leak site.
The extortion group claimed the theft of data and announced it would leak it at 07.8 2024.
Another critical infrastructure healthcare cyber incident.
Wayne Memorial Hospital in Pennsylvania has allegedly been breached by Monti.
The Monti group has been active since June 2022, shortly after the Conti ransomware gang shut down its operations. Researchers noticed multiple similarities between the TTPs of the two gangs, Monti operators also based their encryptor on the Conti’s leaked source code.
In August 2023, the Monti ransomware operators returned, after a two-month break, with a new Linux version of the encryptor. The variant was employed in attacks aimed at organizations in government and legal sectors.
Lurie Children’s Hospital is one of the top pediatric hospitals in the United States.
In early November 2023, the Cogdell Memorial Hospital (Scurry County Hospital District) announced it was experiencing a computer network incident that prevented the hospital from accessing some of its systems and severely limiting the operability of its phone system. The hospital immediately removed network connectivity and continued to provide most routine services.
The facility operates as a Critical Access Hospital and a Rural Health Clinic serving rural West Texas.
Cyber attacks against hospitals are very dangerous, and despite major ransomware gangs imposing restrictions on their affiliates to avoid targeting them, many incidents have recently made headlines.
Juniper Networks released out-of-band security updates to address a critical authentication bypass vulnerability impacting some of its routers.
Juniper Networks has released out-of-band security updates to address a critical vulnerability, tracked as CVE-2024-2973 (CVSS score of 10.0), that could lead to an authentication bypass in some of its routers. The company discovered the vulnerability during internal product security testing or research.
The flaw in Juniper Networks Session Smart Router or Conductor with a redundant peer allows a network-based attacker to bypass authentication and gain full control of the device.
“An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or Conductor running with a redundant peer allows a network based attacker to bypass authentication and take full control of the device.” reads the advisory.
The vulnerability only impacts routers or conductors that are running in high-availability redundant configurations.
This vulnerability impacts:
Session Smart Router:
All versions before 5.6.15,
from 6.0 before 6.1.9-lts,
from 6.2 before 6.2.5-sts.
Session Smart Conductor:
All versions before 5.6.15,
from 6.0 before 6.1.9-lts,
from 6.2 before 6.2.5-sts.
WAN Assurance Router:
6.0 versions before 6.1.9-lts,
6.2 versions before 6.2.5-sts.
According to the advisory, there are no workarounds that address the flaw.
The company SIRT states that they are unaware of any malicious exploitation of the vulnerability CVE-2024-2973.
“This vulnerability has been patched automatically on affected devices for MIST managed WAN Assurance routers connected to the Mist Cloud.” concludes the advisory. “It is important to note that the fix is applied automatically on managed routers by a Conductor or on WAN assurance routers has no impact on data-plane functions of the router. The application of the fix is non-disruptive to production traffic. There may be a momentary downtime (less than 30 seconds) to the web-based management and APIs however this will resolve quickly.”
In January, Juniper Networks released security updates to address a critical pre-auth remote code execution (RCE) vulnerability, tracked as CVE-2024-21591, that resides in SRX Series firewalls and EX Series switches.
The vulnerability resides in the devices’ J-Web configuration interfaces, an unauthenticated attacker can exploit the vulnerability to get root privileges or launch denial-of-service (DoS) attacks against unpatched devices.
In the same month, Juniper Networks also released other out-of-band updates to address two high-severity flaws, tracked as CVE-2024-21619 and CVE-2024-21620, in SRX Series and EX Series.
The flaws could be exploited by a threat actor to take control of susceptible systems.
The flaw CVE-2024-21619 (CVSS score: 5.3) is a Missing Authentication for Critical Function vulnerability. An unauthenticated, network-based attacker can chain this issue with a Generation of Error Message Containing Sensitive Information vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series to access sensitive system information.
The flaw CVE-2024-21620 (CVSS score: 8.8) is an Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series. An attacker can trigger the flaw to craft a URL that when visited by another user enables the attacker to execute commands with the target’s permissions, including an administrator.
Experts spotted threat actors exploiting the critical vulnerability CVE-2024-0769 affects all D-Link DIR-859 WiFi routers.
Researchers from cybersecurity firm GreyNoise have spotted exploitation attempts for the critical vulnerability CVE-2024-0769 (CVSS score 9.8) impacting all D-Link DIR-859 WiFi routers.
The vulnerability is a path traversal issue that can lead to information disclosure. Threat actors are exploiting the flaw to collect account information, including user passwords, from the vulnerable D-Link DIR-859 WiFi routers.
The vendor states that the DIR-859 family of routers has reached their End of Life (“EOL”)/End of Service Life (“EOS”) life-cycle, and for this reason, the flaw will likely not be addressed.
GreyNoise observed hackers targeting the ‘DEVICE.ACCOUNT.xml’ file to extract all account names, passwords, user groups, and user descriptions on the device. The attackers use a modified version of the public exploit.
“GreyNoise observed a slight variation in-the-wild which leverages the vulnerability to render a different PHP file to dump account names, passwords, groups, and descriptions for all users of the device. At the time of writing we are not aware of the motivations to disclose/collect this information and are actively monitoring it” reads the analysis published by GreyNoise.
“In the variation as observed by GreyNoise DEVICE.ACCOUNT.xml is utilized. We went ahead and retrieved this file in full. While the exploit conditions are the same as the public PoC, the variation as observed by GreyNoise is dumping all name, password, group, and description for all users of the device.”
The hackers are exploiting the flaw by sending a malicious POST request to ‘/hedwig.cgi,’ to access sensitive configuration files (‘getcfg’) via the ‘fatlady.php’ file, potentially leasing to the exposure of the user credentials.
Once the attackers have obtained the credentials, they can potentially take full control of the device.
“It is unclear at this time what the intended use of this disclosed information is, it should be noted that these devices will never receive a patch. Any information disclosed from the device will remain valuable to attackers for the lifetime of the device as long as it remains internet facing.” concludes GreyNoise. “These attributes make for the potential of a long-tail of exploitation that may come to a head at a later date, such as through a currently unknown authenticated RCE vulnerability in the affected device.”
The researchers pointed out that the public PoC exploit targets the ‘DHCPS6.BRIDGE-1.xml’ file instead of ‘DEVICE.ACCOUNT.xml’, for this reason, attackers can use it to attack other files.
The GreyNoise post include a list of possible variations of other getcfg files that can be invoked using CVE-2024-0769.
D-Link customers are recommended to replace the EoL devices as soon as possible.
Microsoft warned more customers about email theft linked to the previously reported Midnight Blizzard hacking campaign.
The Russia-linked cyberespionage group Midnight Blizzard continues to target Microsoft users to steal other emails, warn the IT giant.
The company is identifying more customers targeted by the Midnight Blizzard hacking campaign following Microsoft’s corporate infrastructure breach.
In January, Microsoft warned that some of its corporate email accounts were compromised by a Russia-linked cyberespionage group known as Midnight Blizzard. The company notified law enforcement and relevant regulatory authorities.
Microsoft also announced that the Russia-linked APT Midnight Blizzard that hit the company in late November 2023 has been targeting organizations worldwide as part of a large-scale cyberespionage campaign.
Now Microsoft’s incident response team is contacting customer administrators to provide a secure portal that allows them to view emails stolen by the Russia-linked Midnight Blizzard APT group.
Below is the text of the message "Action Required – Microsoft Email Data Sharing Request":
"This notification is related to the prior attack against Microsoft by the threat actor known as Midnight Blizzard, as disclosed through our 8-K filings and our Microsoft blog .
You are receiving this notification because emails were exchanged between Microsoft and accounts in your organization, and those emails were accessed by the threat actor Midnight Blizzard as part of their cyber-attack on Microsoft.
As part of our commitment to transparency, we are proactively sharing these emails. We have custom built a secure system to enable the approved members of your organization to review the exfiltrated emails between Microsoft and your company.
In order to grant access to the above-referenced emails, you are required to identify authorized individuals within your organization who can nominate reviewers. As needed, please reach out to the appropriate parties in your organization who have the authority to nominate reviewers to view these emails.
At the bottom of this email is a link which will take you to a secure form where you will be asked to provide the following information:
• Your organization’s TenantID o If you do not know or are unsure of your TenantID, please follow the steps outlined here: https://aka.ms/gettenantid • The access code located at the bottom of this email • The email addresses for individuals within your organization who can nominate reviewers who will be granted access to the set of exfiltrated emails.
Once you complete this form, Microsoft will contact those who have been identified with instructions on how to identify reviewers.
Should you or your organization require support during this process please work with your Customer Success Account Manager (CSAM) or account representative(s) to open a support case and reference Microsoft Email Data Sharing. Microsoft continues to prioritize transparency and learnings from events like these to help protect customers and our own enterprise.
Our investigation is ongoing, if we discover new information, we will tell you as soon as practicable."
The unauthorized access to the IT infrastructure of the company occurred on June 26, threat actors used the credentials of a standard employee account within its IT environment.
The unauthorized access to the IT infrastructure of the company occurred on June 26, threat actors used the credentials of a standard employee account within its IT environment.
Upon detecting the suspicious activity by this account, the company immediately started the incident response measures.
“A comprehensive taskforce consisting of TeamViewer’s security team together with globally leading cyber security experts has worked 24/7 on investigating the incident with all means available. We are in constant exchange with additional threat intelligence providers and relevant authorities to inform the investigation.” reads the statement published by the company.
“Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our Corporate IT environment. Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action. Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard. Based on current findings of the investigation, the attack was contained within the Corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data.”
An update published by TeamViewer states that findings confirmed that the attack on its infrastructure was limited to its internal corporate IT environment and did not affect the product environment, connectivity platform, or any customer data.
The popular Ars Technica reporter Dan Goodin reported that an alert issued by security firm NCC Group reports a “significant compromise of the TeamViewer remote access and support platform by an APT group.”
In May 2019, the German newspaper Der Spiegel revealed that the German software company behind TeamViewer was compromised in 2016 by Chinese hackers.
According to the media outlet, Chinese state-sponsored hackers used the Winnti trojan malware to infect the systems of the Company.
The Winnti group was first spotted by Kaspersky in 2013, according to the researchers, the nation-state actor has been active since at least 2007.
The gang is financially-motivated and was mostly involved in cyber espionage campaigns. The hackers were known for targeting companies in the online gaming industry, the majority of the victims are located in Southeast Asia.
The Winnti cyberespionage group is known for its ability in targeting supply chains of legitimate software to spread malware.
According to the company, it was targeted by the hackers in autumn 2016, when its experts detected suspicious activities were quickly blocked them to prevent major damages.
TeamViewer spokesperson revealed that the company investigated the attempts of intrusion, but did not find any evidence of exposure for customer data and sensitive data.
Der Spiegel pointed out that TeamViewer did not disclose the security breach to the public.
“In autumn 2016, TeamViewer was target of a cyber-attack. Our systems detected the suspicious activities in time to prevent any major damage. An expert team of internal and external cyber security researchers, working together closely with the responsible authorities, successfully fended off the attack and with all available means of IT forensics found no evidence that customer data or other sensitive information had been stolen, that customer computer systems had been infected or that the TeamViewer source code had been manipulated, stolen or misused in any other way.” said company spokesman.
“Out of an abundance of caution, TeamViewer conducted a comprehensive audit of its security architecture and IT infrastructure subsequently and further strengthened it with appropriate measures.”
At the time the company published a statement to exclude it was breached by hackers:
“Göppingen/Germany, May 23, 2016. A recent article warns, “TeamViewer users have had their bank accounts emptied by hackers gaining full-system access”. TeamViewer is appalled by any criminal activity; however, the source of the problem, according to our research, is careless use, not a potential security breach on TeamViewer’s side.” wrote the company.
Only in 2019, the company admitted it was breached in 2016.
Infosys McCamish Systems (IMS) revealed that the 2023 data breach following the LockBit ransomware attack impacted 6 million individuals.
IMS specializes in providing business process outsourcing (BPO) and information technology (IT) services specifically tailored for the insurance and financial services industries.
Infosys McCamish Systems (IMS) disclosed the security breach on November 3, 2023, in a filing with SEC, the company reported it was the victim of a cyberattack that resulted in the non-availability of certain applications and systems.
McCamish immediately launched an investigation into the incident and worked on the remediation with the help of cybersecurity consultants.
At the time, the company did not reveal the type of attack it suffered, however, on November 4, the LockBit ransomware gang claimed responsibility for the attack.
The company restored the impacted systems by December 31, it also estimated the losses caused by the incident will be at least $30 million.
“On the basis of analysis conducted by the cybersecurity firm, McCamish believes that certain data was exfiltrated by unauthorized third parties during the incident and this exfiltrated data included certain customer data. McCamish has engaged a third-party e- discovery vendor in assessing the extent and nature of such data. This review process is ongoing. McCamish may incur additional costs including indemnities or damages/claims, which are indeterminable at this time.” reads the statement sent to the SEC. “Infosys had previously communicated the occurence of this cybersecurity incident to BSE Limited, National Stock Exchange of India Limited, New York Stock Exchange and to United States Securities and Exchange Commission on November 3, 2023.”
In February, Bank of America began notifying some customers following the IMS data breach. The bank sent notification letters to 57,000 customers, informing them that their personal information has been compromised
Now the company revealed that the 2023 data breach after the LockBit ransomware attack impacted 6 million individuals.
The investigation determined that threat actors gained access to the company systems between October 29, 2023, and November 2, 2023.
“The in-depth cyber forensic investigation determined that unauthorized activity occurred between October 29, 2023, and November 2, 2023.” reads the data breach notification sent by the company to the impacted individuals. “Through the investigation, it was also determined that data was subject to unauthorized access and acquisition. With the assistance of third-party eDiscovery experts, retained through outside counsel, IMS proceeded to conduct a thorough and time-intensive review of the data at issue to identify the personal information subject to unauthorized access and acquisition and determine to whom the personal information relates. IMS has notified its impacted organizations of the Incident and of the compromise of any personal information pertaining to them.”
“The sensitive personal data of 6,078,263 people has been compromised. Now, victims’ names, Social Security numbers, financial information, and medical information may be in the hands of criminals, putting victims at a greater risk of identity theft and other frauds.” reads a press release published by the company.
“On June 27, 2024, Infosys McCamish filed a notice with the Attorney General of Maine describing a data breach affecting consumers nationwide. In this notice, Infosys McCamish explains that customers of Oceanview Life & Annuity Company were among those affected. However, in previous filings, Infosys McCamish has indicated that customers of other companies were also affected, including Union Labor Life Insurance, Newport Group, Inc., and more.”
IMS determined that exposed data includes:
Names,
Social Security numbers,
Medical information,
Biometric data,
Financial account information, and
Passport numbers.
The company is not aware of any abuses of the exposed data, however, it offered twenty-four months of complimentary credit monitoring to current customers for individuals associated with those customers
“Although we are unaware of any instances since the Incident occurred in which the personal information has been fraudulently used, IMS is nevertheless offering impacted individuals complimentary credit monitoring for twenty-four (24) months and dedicated call center services as well as providing guidance on how to protect against identity theft and fraud, including advising individuals to report any suspected identity theft or fraud to their financial institutions.” concludes the notification. “IMS is also providing individuals with information on how to place a fraud alert and security freeze on one’s credit file, information on protecting against tax fraud, the contact details for the national credit reporting agencies, information on how to obtain a free credit report, a reminder to remain vigilant for fraud and identity theft by reviewing account statements and monitoring credit reports, and encouragement to contact the Federal Trade Commission, their Attorney General, and law enforcement to report attempted or actual identity theft and fraud.”
Login
