Healthcare firm HealthEquity disclosed a data breach caused by a partner’s compromised account that exposed protected health information.
Healthcare fintech firm HealthEquity disclosed a data breach after a partner’s compromised account was used to access its systems. The intruders have stolen protected health information from the company systems. The company discovered an anomalous behavior from the partner’s personal device and immediately launched an investigation that led to the discovery of the security breach.
“The investigation concluded that the Partner’s user account had been compromised by an unauthorized third party, who used that account to access information. The accessed information included some personally identifiable information, which in some cases is considered protected health information, pertaining to certain of our members. The investigation further concluded that some information was subsequently transferred off the Partner’s systems.” reads the FORM 8-K filed with SEC. “The Company has taken steps to strengthen its security environment, including with respect to the compromised Partner account and the recommended actions of its incident response firm. The investigation did not find placement of malicious code on any Company systems. There has been no interruption to the Company’s systems, services, or business operations.”
HealthEquity is a leading financial technology company that specializes in administering health savings accounts (HSAs) and other consumer-directed benefits. Some key facts about HealthEquity:
As of July 2022, HealthEquity managed 7.5 million HSA accounts with $20.5 billion in assets, plus an additional 7 million other consumer-directed benefit accounts for a total of 14.5 million accounts.
The company is notifying its partners and clients, as well as identifying and notifying impacted individual members.
HealthEquity will offer complimentary credit monitoring and identity restoration services. The investigation is still ongoing and the healthcare fintech firm has yet to determine the fill impact of the incident.
“The Company does not currently believe the incident will have a material adverse effect on its business, operations, or financial results.” continues the Form 8-K.
“The Company believes it holds adequate cybersecurity insurance for this incident and will also be seeking recourse from the Partner.”
Brazil’s data protection authority temporarily banned Meta from using data originating in the country to train its artificial intelligence.
Brazil’s data protection authority, Autoridade Nacional de Proteção de Dados (ANPD), has imposed a temporary ban on Meta from processing users’ personal data for training its artificial intelligence (AI) models.
“The National Data Protection Authority (ANPD) issued today a Preventive Measure determining the immediate suspension, in Brazil, of the validity of the new privacy policy of the company Meta , which authorized the use of personal data published on its platforms for the purpose of training artificial intelligence (AI) systems.” reads the announcement published by ANPD.
ANPD also announced a daily fine of R$50,000 for non-compliance.
The Board of Directors issued a Preventive Measure due to the “use of an inadequate legal basis for data processing, insufficient disclosure of clear and accessible information about privacy policy changes and data processing, excessive limitations on the exercise of data subjects’ rights, and processing of children’s and adolescents’ personal data without proper safeguards.”
Meta’s updated privacy policy allows the social media giant to use public posts for its AI systems.
Meta expressed disappointment with the decision, claiming its practices comply with Brazilian privacy laws.
“This is a step backwards for innovation, competition in AI development and further delays bringing the benefits of AI to people in Brazil,” the spokesperson said.
Human Rights Watch recently published a report revealing that LAION-5B, a major image-text dataset used for training AI models, includes identifiable photos of Brazilian children. These models can be used by tools employed to create malicious deepfakes that put even more children at risk of exploitation,
In June, Meta announced it is delaying the training of its large language models (LLMs) using public content shared by adults on Facebook and Instagram following the Irish Data Protection Commission (DPC) request.
Meta added it is disappointed by request from the Irish Data Protection Commission (DPC), the social network giant pointed out that this is a step “backwards for European innovation, competition in AI development and further delays bringing the benefits of AI to people in Europe.”
“We’re disappointed by the request from the Irish Data Protection Commission (DPC), our lead regulator, on behalf of the European DPAs, to delay training our large language models (LLMs) using public content shared by adults on Facebook and Instagram — particularly since we incorporated regulatory feedback and the European DPAs have been informed since March.” reads the statement from Meta. “This is a step backwards for European innovation, competition in AI development and further delays bringing the benefits of AI to people in Europe.”
The company explained that its AI, including Llama LLM, is already available in other parts of the world. Meta explained that to provide a better service to its European communities, it needs to train the models on relevant information that reflects the diverse languages, geography and cultural references of the people in Europe. For this reason, the company initially planned to train its large language models using the content that its European users in the EU have publicly stated on its products and services.
Meta added that the delay will allow it to address requests from the U.K. Information Commissioner’s Office (ICO) before starting the training.
Technology company Splunk released security updates to address 16 vulnerabilities in Splunk Enterprise and Cloud Platform.
Technology company Splunk addressed 16 vulnerabilities in Splunk Enterprise and Cloud Platform, including four high-severity flaws.
The vulnerability CVE-2024-36985 is a Remote Code Execution (RCE) through an external lookup due to “copybuckets.py“ script in the “splunk_archiver“ application in Splunk Enterprise.
“In Splunk Enterprise versions below 9.0.10, 9.1.5, and 9.2.2, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could cause a Remote Code Execution through an external lookup that likely references the “splunk_archiver“ application.” reads the advisory. “The “splunk_archiver“ application likely contains a script called “copybuckets.py“ that itself references a file called “erp_launcher.py“, which would likely execute a script called “sudobash. The “sudobash“ script does not perform any input checking. Therefore it runs a bash shell with arguments supplied by the “erp_launcher.py“ file. This can lead to an RCE.”
Splunk Enterprise versions 9.2.2, 9.1.5, and 9.0.10, or higher address the issue, the company also recommends disabling the “splunk_archiver“ application to temporarily mitigate the issue.
The company addressed another high-serverity bug, tracked as CVE-2024-36984, which is a Remote Code Execution through Serialized Session Payload in Splunk Enterprise on Windows.
“In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 on Windows, an authenticated user could execute a specially crafted query that they could then use to serialize untrusted data. The attacker could use the query to execute arbitrary code.” reads the advisory. “The exploit requires the use of the collect SPL command which writes a file within the Splunk Enterprise installation. The attacker could then use this file to submit a serialized payload that could result in execution of code within the payload.”
Splunk Enterprise versions 9.2.2, 9.1.5, and 9.0.10, or higher address the issue.
If users do not log in to Splunk Web on indexers in a distributed environment, disabling Splunk Web on those indexers can mitigate the issue.
Twilio states that threat actors have identified the phone numbers of users of its two-factor authentication app, Authy, TechCrunch reported.
Last week, the notorious hacker ShinyHunters claimed to have stolen 33 million phone numbers from Twilio. This week the messaging firm told TechCrunch that “threat actors” identified data of Authy users, a two-factor authentication app owned by Twilio, including their phone numbers.
Twilio is an American firm that provides programmable communication tools for making and receiving phone calls, sending and receiving text messages, and performing other communication functions using its web service APIs.
The company has more than 5,000 employees in 17 countries, and its revenues in 2021 are US$2.84 billion.
A company spokesperson told TechCrunch that the hackers obtained the data from an unauthenticated endpoint. The company confirmed it has already secured the vulnerable endpoint.
Twilio stated there is no evidence that the threat actors accessed its systems or other sensitive data. As a precaution, the company is urging all Authy users to update their Android and iOS apps and remain vigilant against phishing and smishing attacks.
“Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.” reads a security update published by the company. “We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting that all Authy users update to the latest Android and iOS apps for the latest security updates. While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving.”
In August 2022, Twilio disclosed a data breach, threat actors had access to the data of some of its customers. The attackers accessed company systems using employee credentials obtained through a sophisticated SMS phishing attack.
“On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials. This broad based attack against our employee base succeeded in fooling some employees into providing their credentials. The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.” Twilio said over the weekend.” reads the incident report published by Twilio.
The company did not disclose the number of affected employees and customers.
In October 2022, the Communications company announced that it suffered another “brief security incident” on June 29, 2022, the attack was conducted by the same threat actor that in August compromised the company and gained access to customers’ and employees’ information.
An international law enforcement operation code-named Operation Morpheus led to the takedown of 593 Cobalt Strike servers used by crooks.
An international law enforcement operation, code-named Operation Morpheus, aimed at combatting the criminal abuse of an older, unlicensed version of the Cobalt Strike red teaming tool.
The Cobalt Strike platform was developed for Adversary Simulations and Red Team Operations, currently provided by the cybersecurity software company Fortra. It has also become popular among threat actors over the past years, including APT29, FIN7, RYUK, Trickbot and Conti.
It is quite easy to find pirated versions of the software that were used by attackers in the wild.
Operation MORPHEUS, led by the UK National Crime Agency, included law enforcement authorities from Australia, Canada, Germany, the Netherlands, Poland, and the United States. This disruptive action, which concluded a complex investigation, began in 2021.
The operation took place between June 24 and 28 and was coordinated by Europol, which also collaborated with private partners, including BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch, and The Shadowserver Foundation. These partners used enhanced scanning, telemetry, and analytical capabilities to identify malicious activities and cybercriminal use.
The law enforcement experts identified 690 IP addresses and various domain names associated with criminal activities. The operation led to the takedown of 593 of these IP addresses across 27 countries.
“Fortra has taken significant steps to prevent the abuse of its software and has partnered with law enforcement throughout this investigation to protect the legitimate use of its tools. However, in rare circumstances, criminals have stolen older versions of Cobalt Strike, creating cracked copies to gain backdoor access to machines and deploy malware. Such unlicensed versions of the tool have been connected to multiple malware and ransomware investigations, including those into RYUK, Trickbot and Conti.” reads the press release published by Europol.
“Law enforcement used a platform, known as the Malware Information Sharing Platform, to allow the private sector to share real-time threat intelligence with law enforcement. Over the span of the whole investigation, over 730 pieces of threat intelligence were shared containing almost 1.2 million indicators of compromise.” concludes the press release. “Europol’s EC3 organised over 40 coordination meetings between the law enforcement agencies and the private partners. During the week of action, Europol set up a virtual command post to coordinate law enforcement action across the globe.”
In April 2023, Microsoft Digital Crimes Unit (DCU) announced that had collaborated with Fortra, the company that develops and maintains the tool, and Health Information Sharing and Analysis Center (Health-ISAC) to curb the abuse of Cobalt Strike by cybercriminals.
The Microsoft DCU secured a court order in the U.S. to remove cracked versions of Cobalt Strike (“refer to stolen, unlicensed, or otherwise unauthorized versions or copies of the tool”) so they can no longer be used by cybercriminals.
Threat actors, including ransomware groups and nation-state actors, use Cobalt Strike after obtaining initial access to a target network. The tool is used to conduct multiple malicious activities, including escalating privileges, lateral movements, and deploying additional malicious payloads.
“More specifically, cracked versions of Cobalt Strike allow Defendants to gain control of their victim’s machine and move laterally through the connected network to find other victims and install malware. This includes installing ransomware like Conti, LockBit, Quantum Locker, Royal, Cuba, BlackBasta, BlackCat and PlayCrypt, to arrest access to the systems. In essence, Defendants are able to leverage cracked versions of Cobalt Strike to brutally force their way into victim machines and deploy malware.” reads the court order. “Additionally, once the Defendants deploy the malware or ransomware onto computers running Microsoft’s Window operating system, Defendants are able to execute a series of actions involving abuse of Microsoft’s copyrighted declaring code.”
Example of an attack flow by threat actor DEV-0243.
Microsoft observed more than 68 ransomware attacks, involving the use of cracked copies of Cobalt Strike, against healthcare organizations in more than 19 countries around the world.
The attacks caused huge financial damages to the attacked hospitals in recovery and repair costs, plus interruptions to critical patient care services.
Microsoft also observed nation-state actors, including APT groups from Russia, China, Vietnam, and Iran, using cracked copies of Cobalt Strike.
“Microsoft, Fortra and Health-ISAC remain relentless in our efforts to improve the security of the ecosystem, and we are collaborating with the FBI Cyber Division, National Cyber Investigative Joint Task Force (NCIJTF) and Europol’s European Cybercrime Centre (EC3) on this case. While this action will impact the criminals’ immediate operations, we fully anticipate they will attempt to revive their efforts. Our action is therefore not one and done.” concludes the report.
In November 2022, Google Cloud researchers announced the discovery of 34 different Cobalt Strike hacked release versions with a total of 275 unique JAR files across these versions.
Google Cloud Threat Intelligence (GCTI) researchers developed a set of YARA rules to detect hacked variants in the wild with a high degree of accuracy. The researchers noticed that each Cobalt Strike version contains approximately 10 to 100 attack template binaries
The LockBit ransomware group breached another hospital in the United States, the victim is the Fairfield Memorial Hospital in Illinois.
It has happened again, another US healthcare organization suffered a security breach, this time the victim is the Fairfield Memorial Hospital in Illinois.
Fairfield Memorial Hospital is a not-for-profit critical access hospital located in Fairfield, Illinois. It has 25 acute-care beds and a workforce of over 400 employees.
It offers a wide range of medical services, including Emergency Services, General Surgical Services, Intensive Care Unit (ICU), Medical Surgical Unit, Orthopedic Surgical Services, and Urgent Care.
The hospital is fully accredited and has been recognized for its quality of care, with high patient experience and medical/surgical ICU ratings.
The Lockbit ransomware gang claimed the hack of the healthcare structure and added it to its Tor leak site.
The extortion group claimed the theft of data and announced it would leak it on July 17, 2024.
LockBit breached another United States hospital this time in Fairfield, Illinois.
Unfortunately, the ransomware group claimed the hack of other hospitals as reported by researchers at Hack Manack. The extortion group also claimed the hack of the Merryman House Domestic Crisis Center, and the Florida Department of Health.
“Today, cybercriminals have hit rock bottom, claiming to have attacked Fairfield Memorial Hospital, Merryman House Domestic Crisis Center, and the Florida Department of Health. What makes the situation critical is not only the highly sensitive data being stolen but also the repercussions that a ransomware attack can have on critical infrastructures, such as hospitals, which put people’s lives at risk. Hackers targeting these infrastructures are no longer just money-hungry “nerds”; they are becoming murderers.” wrote the experts.
#USA: Today, cybercriminals have hit rock bottom, claiming to have attacked Fairfield Memorial Hospital, Merryman House Domestic Crisis Center, and the Florida Department of Health.
Lurie Children’s Hospital is one of the top pediatric hospitals in the United States.
In early November 2023, the Cogdell Memorial Hospital (Scurry County Hospital District) announced it was experiencing a computer network incident that prevented the hospital from accessing some of its systems and severely limiting the operability of its phone system. The hospital immediately removed network connectivity and continued to provide most routine services.
The facility operates as a Critical Access Hospital and a Rural Health Clinic serving rural West Texas.
Cyber attacks against hospitals are very dangerous, and despite major ransomware gangs imposing restrictions on their affiliates to avoid targeting them, many incidents have recently made headlines.
The American credit union Patelco Credit Union shut down several of its banking systems to contain a ransomware attack.
Patelco Credit Union is a member-owned, not-for-profit credit union that serves Northern California, particularly the San Francisco Bay Area. Founded in 1936, it is one of the oldest and largest credit unions in the country. With more than $9 billion in assets, it is the 22nd largest credit union in the country.
In a service update provided by the company, Patelco disclosed it had suffered a ransomware attack on June 29, 2024.
“On June 29, 2024, Patelco Credit Union experienced a ransomware attack.” reads the update.
The company is working with leading third-party cybersecurity experts to investigate and contain the attack, it also reported the incident to regulators and law enforcement.
According to the “Services Updates” page the following services are still unavailable:
Available
Limited Functionality
Unavailable
Check and Cash Deposits
Patelco Branches
Online Banking
ATM Withdrawals
Call Center
Mobile App
External ACH1
Live Chat
Outgoing Wire Transfers
ACH for Bills2
Debit Card Transactions
Monthly Statements
In-Branch Loan Payments
Credit Card Transactions
Zelle
–
Direct Deposit
Balance Inquiries
–
–
Online Bill Pay
Customers can perform cash withdrawals and deposits using Patelco ATMs and over 30,000 shared branch ATMs in the U.S.
The company did not reveal the family of ransomware that infected its systems and at the time of this writing, no ransomware groups have claimed responsibility for the security breach.
It’s unclear if threat actors have stolen data from the impacted systems.
The Polish government is investigating a potential connection between Russia and a cyberattack on the country’s state news agency.
The Polish government is investigating a suspected link between Russia and the cyberattack on the country’s state news agency Polish Press Agency (PAP).
“The Polish Press Agency (PAP) has been hit by a cyberattack; all pertinent information regarding this critical incident is currently being provided to the relevant authorities,” PAP’s liquidator Marek Blonski and PAP’s editor-in-chief Wojciech Tumidalski wrote in a joint statement. “We are working to strengthen the security of all our systems and services,” Blonski and Tumidalski added.
The attack on the Polish Press Agency (PAP) occurred in May and aimed at spreading disinformation and destabilizing the country.
Authorities believe that a fake news report on Poland’s national news agency, claiming that Prime Minister Donald Tusk was mobilizing 200,000 men starting on July 1, was likely created by Russia-sponsored hackers. The attack appeared to be an attempt to interfere with the upcoming European Parliament election.
“Everything indicates that we are dealing with a cyberattack directed from the Russian side,” said Krzysztof Gawkowski, a deputy prime minister who also holds the digital affairs portfolio. “The goal is disinformation ahead of (European Parliament) elections and a paralysis of the society.”
Two fabricated reports about a partial mobilization in Poland starting on July 1, 2024, were released on the PAP service on a Friday afternoon. PAP clarified that they were not the source of these reports, and promptly annulled and withdrawn them.
Polish authorities suspect that Russia carried out the attack.
PAP CEO Marek Błoński condemned the attack.
“We are committed to clarifying the issue in collaboration with the appropriate state services”, Błoński said.
Polish media outlets, including Polskie Radio, have reported frequent targeting by Russian hackers, with Polish companies experiencing over 1,400 attacks weekly.
The Russian embassy in Warsaw told Reuters it had no knowledge of the incident and declined further comment.
In May, CERT Polska and CSIRT MON teams issued a warning about a large-scale malware campaign targeting Polish government institutions, allegedly orchestrated by the Russia-linked APT28 group.
The attribution of the attacks to the Russian APT is based on similarities with TTPs employed by APT28 in attacks against Ukrainian entities.
“the CERT Polska (CSIRT NASK) and CSIRT MON teams observed a large-scale malware campaign targeting Polish government institutions.” reads the alert. “Based on technical indicators and similarity to attacks described in the past (e.g. on Ukrainian entities), the campaign can be associated with the APT28 activity set, which is associated with Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).”
Fintech firms Wise and Affirm confirmed they were both impacted by the recent data breach suffered by Evolve Bank.
Fintech companies Wise and Affirm have confirmed that they were both affected by the recent data breach at Evolve Bank.
At the end of June, the LockBit gang announced that it had breached the systems of the Federal Reserve of the United States and exfiltrated 33 TB of sensitive data, including “Americans’ banking secrets.”
Despite the announcement, data leaked data from the group belongs to the Arkansas-based financial organization Evolve Bank & Trust.
The analysis of the data leaked by the LockBit group on its Tor leak site on June 26 confirmed the documents belong to the Evolve Bank & Trust.
Evolve Bank & Trust published a notice on its website to confirm the security breach and announced it has launched an investigation into the incident. The financial organization confirmed that certain personal information may have been compromised. The financial organization refused to pay the ransom and the gang leaked the stolen data.
“Evolve Bank & Trust is making retail bank customers and financial technology partners’ customers (end users) aware of a cybersecurity incident that may involve certain personal information, as well as the actions we have taken in response, and additional steps individuals may take.” reads the notice of Cybersecurity Incident. “Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organization that appears to have illegally obtained and released on the dark web the data and personal information of some Evolve retail bank customers and financial technology partners’ customers (end users). We take this matter extremely seriously and are working diligently to address the situation.”
Evolve has reported the incident to law enforcement, it also added that the incident has been completely contained.
An update published on June 26, 2024 12:00pm confirmed that the company’s retail banking customers’ debit cards, online, and digital banking credentials do not appear to be impacted.
Evolve will directly contact impacted customers and financial technology partners.
The fintech firm Wise announced that the Evolve data breach impacted some of its customers. Despote Wise is no longer collaborating with Evolve, the bank was still storing some Wise data.
Wise was sharing data with Evolve Bank & Trust to receive USD account details from the bank, including name, address, date of birth, contact details, SSN or EIN for US customers, or another identity document number for non-US customers. Evolve has not yet reveal which Wise data has been compromised by the security incident.
Wise pointed out that the data breach has not impacted their systems.
“For Evolve Bank & Trust to provide USD account details to Wise customers, they were required to hold identifying information. The information that we shared with Evolve Bank & Trust to provide USD account details included name, address, date of birth, contact details, SSN or EIN for US customers, or another identity document number for non-US customers. Evolve has not yet confirmed to us what data has been impacted.” reads the statement published by Wise. “We no longer work with Evolve Bank & Trust, and USD account details are provided by a different bank.”
The fintech firm will contact customers whose data may have been compromised.
Affirm, a fintech firm with a buy now, pay later service for online and in-store shopping, also confirmed that Evolve Bank data breach impacted some of its customers.
“On June 25, 2024, Evolve Bank & Trust (“Evolve”), the third-party issuer of the Affirm Card, notified the Company that Evolve had experienced a cybersecurity incident whereby a third party gained unauthorized access to personal information and financial information (“Personal Information”) of Evolve retail banking customers and the customers of its financial technology partners.” reads the FORM 8-K filed by with SEC. “Because the Company shares the Personal Information of Affirm Card users with Evolve to facilitate the issuance and servicing of Affirm Cards, the Company believes that the Personal Information of Affirm Card users was compromised as part of Evolve’s cybersecurity incident.”
The company added that its information systems were not compromised.
Prudential Financial confirmed that more than 2.5 million individuals were affected by the data breach it suffered in February 2024.
The insurance company Prudential Financial confirmed that the data breach it suffered in February 2024 affected over 2.5 million individuals. The incident occurred on February 4, 2024, and was discovered on February 5, 2024.
The company did not share details of the cyber attack, however, the Alphv/BlackCat ransomware gang claimed responsibility for the security breach.
The company initially announced in March that the security incident had impacted more than 36,000individuals. The compromised data included names, addresses, driver’s license numbers, and non-driver identification card numbers.
In an update provided by Prudential Financial, the company revealed that the incident impacted 2,556,210 individuals.
The company is offering two years of free credit monitoring services to the affected individuals.
An Australian man has been charged with carrying out ‘Evil Twin’ Wi-Fi attack during a domestic flight to steal user credentials and data.
An Evil Twin Wi-Fi attack is a type of cyberattack where a threat actor sets up a rogue wireless access point that mimics a legitimate one. The goal is to trick users into connecting to the fake access point, thereby allowing the attacker to intercept, capture, and manipulate data transmitted by the victim.
The AFP charged an Australian man (42) with operating a fake Wi-Fi access point on a domestic flight to steal user credentials and data.
“The AFP has charged a West Australian man who allegedly established fake free WiFi access points, which mimicked legitimate networks, to capture personal data from unsuspecting victims who mistakenly connected to them.” reads the press release published by AFP. “The man, 42, is expected to appear in Perth Magistrates Court today (28 June, 2024) to face nine charges for alleged cybercrime offences.”
The defendant faces charges of three counts of unauthorized impairment of electronic communication and three counts of possession or control of data to commit a serious offense.
The man is also charged with unauthorized access or modification of restricted data, dishonestly obtaining or dealing in personal financial information, and possession of identification information. If convicted, he faces a maximum sentence of 23 years in prison.
The analysis of the seized data and devices from the Australian man revealed dozens of personal credentials and fraudulent WiFi pages. The man was charged in May 2024 following an investigation launched in April 2024 after an airline reported a suspicious WiFi network during a domestic flight. The investigators found a portable wireless access device, a laptop, and a mobile phone in the man’s luggage at Perth Airport. The Australian police also searched the man’s home in Palmyra. A second search warrant on May 8, 2024, led to his arrest and charges. Police allege he created ‘evil twin’ WiFi networks to lure users into entering their credentials on fake webpages, which he then stored. These harvested cfedentials could be used to access victims’ personal information and bank details.
AFP cybercrime investigators collected evidence that indicates the use of fraudulent WiFi pages at airports in Perth, Melbourne, and Adelaide, on domestic flights, and at locations associated with the man’s previous employment.
“To connect to a free WiFi network, you shouldn’t have to enter any personal details– such as logging in through an email or social media account,”
“If you do want to use public WiFi hotspots, install a reputable virtual private network (VPN) on your devices to encrypt and secure your data when using the internet.” AFP Western Command Cybercrime Detective Inspector Andrea Coleman said.
“When using a public network, disable file sharing, don’t do anything sensitive – such as banking -while connected to it and once you finish using it, change your device settings to ‘forget network’.
“We also recommend turning off the WiFi on your phone or other electronic devices before going out in public, to prevent your device from automatically connecting to a hotspot.”
Cisco fixed an actively exploited NX-OS zero-day, the flaw was exploited to install previously unknown malware as root on vulnerable switches.
Cisco addressed an NX-OS zero-day, tracked as CVE-2024-20399 (CVSS score of 6.0), that the China-linked group Velvet Ant exploited to deploy previously unknown malware as root on vulnerable switches.
The flaw resides in the CLI of Cisco NX-OS Software, an authenticated, local attacker can exploit the flaw to execute arbitrary commands as root on the underlying operating system of an affected device.
“This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command.” reads the advisory published by Cisco. “A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root.”
The IT giant pointed out that only attackers with Administrator credentials can successfully exploit this vulnerability on a Cisco NX-OS device.
In April 2024, researchers reported to the Cisco Product Security Incident Response Team (PSIRT) that the issue was actively exploited in the wild.
Cybersecurity firm Sygnia observed the attacks on April 2024 and reported them to Cisco.
“Sygnia identified that CVE-2024-20399 was exploited in the wild by a China-nexus threat group as a ‘zero-day’ and shared the details of the vulnerability with Cisco. By exploiting this vulnerability, a threat group – dubbed ‘Velvet Ant’ – successfully executed commands on the underlying operating system of Cisco Nexus devices.” reads the report published by Sygnia. “This exploitation led to the execution of a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices.“
The vulnerability impacts the following devices:
MDS 9000 Series Multilayer Switches (CSCwj97007)
Nexus 3000 Series Switches (CSCwj97009)
Nexus 5500 Platform Switches (CSCwj97011)
Nexus 5600 Platform Switches (CSCwj97011)
Nexus 6000 Series Switches (CSCwj97011)
Nexus 7000 Series Switches (CSCwj94682) *
Nexus 9000 Series Switches in standalone NX-OS mode (CSCwj97009)
Cisco recommends customers monitor the use of credentials for the administrative users network-admin and vdc-admin.
Cisco provides the Cisco Software Checker to help customers determine if their devices are vulnerable to this flaw.
In late 2023, Sygnia researchers responded to an incident suffered by a large organization that they attributed to the same China-linked threat actor ‘Velvet Ant.’
The cyberspies deployed custom malware on F5 BIG-IP appliances to gain persistent access to the internal network of the target organization and steal sensitive data.
A critical flaw in the OpenSSH server can be exploited to achieve unauthenticated remote code execution with root privileges in glibc-based Linux systems.
OpenSSH maintainers addressed a critical vulnerability, tracked as CVE-2024-6387, that can lead to unauthenticated remote code execution with root privileges in glibc-based Linux systems.
OpenSSH maintained have addressed the vulnerability with the release of version 9.8 on July 01, 2024.
“A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges. Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It’s likely that these attacks will be improved upon.” reads the advisory. “Exploitation on non-glibc systems is conceivable but has not been examined. Systems that lack ASLR or users of downstream Linux distributions that have modified OpenSSH to disable per-connection ASLR re-randomisation (yes – this is a thing, no – we don’t understand why) may potentially have an easier path to exploitation.”
The Qualys Threat Research Unit (TRU) has discovered the Remote Unauthenticated Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) in glibc-based Linux systems.
The issue is due to a signal handler race condition, Qualys researchers state that the flaw poses a considerable risk because it affects sshd in its default configuration.
“The vulnerability, which is a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems; that presents a significant security risk. This race condition affects sshd in its default configuration.” reported Qualys.
Searches using Censys and Shodan have revealed over 14 million potentially vulnerable OpenSSH server instances exposed to the Internet. Data from Qualys CSAM 3.0 shows that around 700,000 of these are external internet-facing instances, representing 31% of all such instances in their global customer base. Notably, over 0.14% of these vulnerable instances are running an End-Of-Life/End-Of-Support version of OpenSSH.
The flaw was introduced with the fix for another vulnerability, tracked as CVE-2006-5051. This is a case of regression of a previously patched flaw, which means that a previously fixed bug has resurfaced in a later software release, often due to updates that unintentionally reintroduce the issue. The regression was introduced in October 2020 with the release of OpenSSH 8.5p1.
Maintainers pointed out that OpenBSD systems are not impacted by this vulnerability. The latest release also addressed a Logic error in ssh(1) ObscureKeystrokeTiming. The flaw was discovered by Philippos Giavridis and also independently by Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford of the University of Cambridge Computer Lab.
“In OpenSSH version 9.5 through 9.7 (inclusive), when connected to an OpenSSH server version 9.5 or later, a logic error in the ssh(1) ObscureKeystrokeTiming feature (on by default) rendered this feature ineffective – a passive observer could still detect which network packets contained real keystrokes when the countermeasure was active because both fake and real keystroke packets were being sent unconditionally.” states the advisory.
Wayne Memorial Hospital in Pennsylvania was the victim of a cyber attack, Monti gang claimed to have hacked the healthcare infrastructure.
Another critical infrastructure healthcare suffered a security breach, this time the victim is the Wayne Memorial Hospital in Pennsylvania. Wayne Memorial Hospital is a 114-bed not-for-profit hospital located in Honesdale, Pennsylvania, United States.
The Monti ransomware gang claimed the hack of the healthcare structure and added it to its Tor leak site.
The extortion group claimed the theft of data and announced it would leak it at 07.8 2024.
Another critical infrastructure healthcare cyber incident.
Wayne Memorial Hospital in Pennsylvania has allegedly been breached by Monti.
The Monti group has been active since June 2022, shortly after the Conti ransomware gang shut down its operations. Researchers noticed multiple similarities between the TTPs of the two gangs, Monti operators also based their encryptor on the Conti’s leaked source code.
In August 2023, the Monti ransomware operators returned, after a two-month break, with a new Linux version of the encryptor. The variant was employed in attacks aimed at organizations in government and legal sectors.
Lurie Children’s Hospital is one of the top pediatric hospitals in the United States.
In early November 2023, the Cogdell Memorial Hospital (Scurry County Hospital District) announced it was experiencing a computer network incident that prevented the hospital from accessing some of its systems and severely limiting the operability of its phone system. The hospital immediately removed network connectivity and continued to provide most routine services.
The facility operates as a Critical Access Hospital and a Rural Health Clinic serving rural West Texas.
Cyber attacks against hospitals are very dangerous, and despite major ransomware gangs imposing restrictions on their affiliates to avoid targeting them, many incidents have recently made headlines.
Juniper Networks released out-of-band security updates to address a critical authentication bypass vulnerability impacting some of its routers.
Juniper Networks has released out-of-band security updates to address a critical vulnerability, tracked as CVE-2024-2973 (CVSS score of 10.0), that could lead to an authentication bypass in some of its routers. The company discovered the vulnerability during internal product security testing or research.
The flaw in Juniper Networks Session Smart Router or Conductor with a redundant peer allows a network-based attacker to bypass authentication and gain full control of the device.
“An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or Conductor running with a redundant peer allows a network based attacker to bypass authentication and take full control of the device.” reads the advisory.
The vulnerability only impacts routers or conductors that are running in high-availability redundant configurations.
This vulnerability impacts:
Session Smart Router:
All versions before 5.6.15,
from 6.0 before 6.1.9-lts,
from 6.2 before 6.2.5-sts.
Session Smart Conductor:
All versions before 5.6.15,
from 6.0 before 6.1.9-lts,
from 6.2 before 6.2.5-sts.
WAN Assurance Router:
6.0 versions before 6.1.9-lts,
6.2 versions before 6.2.5-sts.
According to the advisory, there are no workarounds that address the flaw.
The company SIRT states that they are unaware of any malicious exploitation of the vulnerability CVE-2024-2973.
“This vulnerability has been patched automatically on affected devices for MIST managed WAN Assurance routers connected to the Mist Cloud.” concludes the advisory. “It is important to note that the fix is applied automatically on managed routers by a Conductor or on WAN assurance routers has no impact on data-plane functions of the router. The application of the fix is non-disruptive to production traffic. There may be a momentary downtime (less than 30 seconds) to the web-based management and APIs however this will resolve quickly.”
In January, Juniper Networks released security updates to address a critical pre-auth remote code execution (RCE) vulnerability, tracked as CVE-2024-21591, that resides in SRX Series firewalls and EX Series switches.
The vulnerability resides in the devices’ J-Web configuration interfaces, an unauthenticated attacker can exploit the vulnerability to get root privileges or launch denial-of-service (DoS) attacks against unpatched devices.
In the same month, Juniper Networks also released other out-of-band updates to address two high-severity flaws, tracked as CVE-2024-21619 and CVE-2024-21620, in SRX Series and EX Series.
The flaws could be exploited by a threat actor to take control of susceptible systems.
The flaw CVE-2024-21619 (CVSS score: 5.3) is a Missing Authentication for Critical Function vulnerability. An unauthenticated, network-based attacker can chain this issue with a Generation of Error Message Containing Sensitive Information vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series to access sensitive system information.
The flaw CVE-2024-21620 (CVSS score: 8.8) is an Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series. An attacker can trigger the flaw to craft a URL that when visited by another user enables the attacker to execute commands with the target’s permissions, including an administrator.
Experts spotted threat actors exploiting the critical vulnerability CVE-2024-0769 affects all D-Link DIR-859 WiFi routers.
Researchers from cybersecurity firm GreyNoise have spotted exploitation attempts for the critical vulnerability CVE-2024-0769 (CVSS score 9.8) impacting all D-Link DIR-859 WiFi routers.
The vulnerability is a path traversal issue that can lead to information disclosure. Threat actors are exploiting the flaw to collect account information, including user passwords, from the vulnerable D-Link DIR-859 WiFi routers.
The vendor states that the DIR-859 family of routers has reached their End of Life (“EOL”)/End of Service Life (“EOS”) life-cycle, and for this reason, the flaw will likely not be addressed.
GreyNoise observed hackers targeting the ‘DEVICE.ACCOUNT.xml’ file to extract all account names, passwords, user groups, and user descriptions on the device. The attackers use a modified version of the public exploit.
“GreyNoise observed a slight variation in-the-wild which leverages the vulnerability to render a different PHP file to dump account names, passwords, groups, and descriptions for all users of the device. At the time of writing we are not aware of the motivations to disclose/collect this information and are actively monitoring it” reads the analysis published by GreyNoise.
“In the variation as observed by GreyNoise DEVICE.ACCOUNT.xml is utilized. We went ahead and retrieved this file in full. While the exploit conditions are the same as the public PoC, the variation as observed by GreyNoise is dumping all name, password, group, and description for all users of the device.”
The hackers are exploiting the flaw by sending a malicious POST request to ‘/hedwig.cgi,’ to access sensitive configuration files (‘getcfg’) via the ‘fatlady.php’ file, potentially leasing to the exposure of the user credentials.
Once the attackers have obtained the credentials, they can potentially take full control of the device.
“It is unclear at this time what the intended use of this disclosed information is, it should be noted that these devices will never receive a patch. Any information disclosed from the device will remain valuable to attackers for the lifetime of the device as long as it remains internet facing.” concludes GreyNoise. “These attributes make for the potential of a long-tail of exploitation that may come to a head at a later date, such as through a currently unknown authenticated RCE vulnerability in the affected device.”
The researchers pointed out that the public PoC exploit targets the ‘DHCPS6.BRIDGE-1.xml’ file instead of ‘DEVICE.ACCOUNT.xml’, for this reason, attackers can use it to attack other files.
The GreyNoise post include a list of possible variations of other getcfg files that can be invoked using CVE-2024-0769.
D-Link customers are recommended to replace the EoL devices as soon as possible.
Microsoft warned more customers about email theft linked to the previously reported Midnight Blizzard hacking campaign.
The Russia-linked cyberespionage group Midnight Blizzard continues to target Microsoft users to steal other emails, warn the IT giant.
The company is identifying more customers targeted by the Midnight Blizzard hacking campaign following Microsoft’s corporate infrastructure breach.
In January, Microsoft warned that some of its corporate email accounts were compromised by a Russia-linked cyberespionage group known as Midnight Blizzard. The company notified law enforcement and relevant regulatory authorities.
Microsoft also announced that the Russia-linked APT Midnight Blizzard that hit the company in late November 2023 has been targeting organizations worldwide as part of a large-scale cyberespionage campaign.
Now Microsoft’s incident response team is contacting customer administrators to provide a secure portal that allows them to view emails stolen by the Russia-linked Midnight Blizzard APT group.
Below is the text of the message "Action Required – Microsoft Email Data Sharing Request":
"This notification is related to the prior attack against Microsoft by the threat actor known as Midnight Blizzard, as disclosed through our 8-K filings and our Microsoft blog .
You are receiving this notification because emails were exchanged between Microsoft and accounts in your organization, and those emails were accessed by the threat actor Midnight Blizzard as part of their cyber-attack on Microsoft.
As part of our commitment to transparency, we are proactively sharing these emails. We have custom built a secure system to enable the approved members of your organization to review the exfiltrated emails between Microsoft and your company.
In order to grant access to the above-referenced emails, you are required to identify authorized individuals within your organization who can nominate reviewers. As needed, please reach out to the appropriate parties in your organization who have the authority to nominate reviewers to view these emails.
At the bottom of this email is a link which will take you to a secure form where you will be asked to provide the following information:
• Your organization’s TenantID o If you do not know or are unsure of your TenantID, please follow the steps outlined here: https://aka.ms/gettenantid • The access code located at the bottom of this email • The email addresses for individuals within your organization who can nominate reviewers who will be granted access to the set of exfiltrated emails.
Once you complete this form, Microsoft will contact those who have been identified with instructions on how to identify reviewers.
Should you or your organization require support during this process please work with your Customer Success Account Manager (CSAM) or account representative(s) to open a support case and reference Microsoft Email Data Sharing. Microsoft continues to prioritize transparency and learnings from events like these to help protect customers and our own enterprise.
Our investigation is ongoing, if we discover new information, we will tell you as soon as practicable."
The unauthorized access to the IT infrastructure of the company occurred on June 26, threat actors used the credentials of a standard employee account within its IT environment.
The unauthorized access to the IT infrastructure of the company occurred on June 26, threat actors used the credentials of a standard employee account within its IT environment.
Upon detecting the suspicious activity by this account, the company immediately started the incident response measures.
“A comprehensive taskforce consisting of TeamViewer’s security team together with globally leading cyber security experts has worked 24/7 on investigating the incident with all means available. We are in constant exchange with additional threat intelligence providers and relevant authorities to inform the investigation.” reads the statement published by the company.
“Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our Corporate IT environment. Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action. Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard. Based on current findings of the investigation, the attack was contained within the Corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data.”
An update published by TeamViewer states that findings confirmed that the attack on its infrastructure was limited to its internal corporate IT environment and did not affect the product environment, connectivity platform, or any customer data.
The popular Ars Technica reporter Dan Goodin reported that an alert issued by security firm NCC Group reports a “significant compromise of the TeamViewer remote access and support platform by an APT group.”
In May 2019, the German newspaper Der Spiegel revealed that the German software company behind TeamViewer was compromised in 2016 by Chinese hackers.
According to the media outlet, Chinese state-sponsored hackers used the Winnti trojan malware to infect the systems of the Company.
The Winnti group was first spotted by Kaspersky in 2013, according to the researchers, the nation-state actor has been active since at least 2007.
The gang is financially-motivated and was mostly involved in cyber espionage campaigns. The hackers were known for targeting companies in the online gaming industry, the majority of the victims are located in Southeast Asia.
The Winnti cyberespionage group is known for its ability in targeting supply chains of legitimate software to spread malware.
According to the company, it was targeted by the hackers in autumn 2016, when its experts detected suspicious activities were quickly blocked them to prevent major damages.
TeamViewer spokesperson revealed that the company investigated the attempts of intrusion, but did not find any evidence of exposure for customer data and sensitive data.
Der Spiegel pointed out that TeamViewer did not disclose the security breach to the public.
“In autumn 2016, TeamViewer was target of a cyber-attack. Our systems detected the suspicious activities in time to prevent any major damage. An expert team of internal and external cyber security researchers, working together closely with the responsible authorities, successfully fended off the attack and with all available means of IT forensics found no evidence that customer data or other sensitive information had been stolen, that customer computer systems had been infected or that the TeamViewer source code had been manipulated, stolen or misused in any other way.” said company spokesman.
“Out of an abundance of caution, TeamViewer conducted a comprehensive audit of its security architecture and IT infrastructure subsequently and further strengthened it with appropriate measures.”
At the time the company published a statement to exclude it was breached by hackers:
“Göppingen/Germany, May 23, 2016. A recent article warns, “TeamViewer users have had their bank accounts emptied by hackers gaining full-system access”. TeamViewer is appalled by any criminal activity; however, the source of the problem, according to our research, is careless use, not a potential security breach on TeamViewer’s side.” wrote the company.
Only in 2019, the company admitted it was breached in 2016.
Infosys McCamish Systems (IMS) revealed that the 2023 data breach following the LockBit ransomware attack impacted 6 million individuals.
IMS specializes in providing business process outsourcing (BPO) and information technology (IT) services specifically tailored for the insurance and financial services industries.
Infosys McCamish Systems (IMS) disclosed the security breach on November 3, 2023, in a filing with SEC, the company reported it was the victim of a cyberattack that resulted in the non-availability of certain applications and systems.
McCamish immediately launched an investigation into the incident and worked on the remediation with the help of cybersecurity consultants.
At the time, the company did not reveal the type of attack it suffered, however, on November 4, the LockBit ransomware gang claimed responsibility for the attack.
The company restored the impacted systems by December 31, it also estimated the losses caused by the incident will be at least $30 million.
“On the basis of analysis conducted by the cybersecurity firm, McCamish believes that certain data was exfiltrated by unauthorized third parties during the incident and this exfiltrated data included certain customer data. McCamish has engaged a third-party e- discovery vendor in assessing the extent and nature of such data. This review process is ongoing. McCamish may incur additional costs including indemnities or damages/claims, which are indeterminable at this time.” reads the statement sent to the SEC. “Infosys had previously communicated the occurence of this cybersecurity incident to BSE Limited, National Stock Exchange of India Limited, New York Stock Exchange and to United States Securities and Exchange Commission on November 3, 2023.”
In February, Bank of America began notifying some customers following the IMS data breach. The bank sent notification letters to 57,000 customers, informing them that their personal information has been compromised
Now the company revealed that the 2023 data breach after the LockBit ransomware attack impacted 6 million individuals.
The investigation determined that threat actors gained access to the company systems between October 29, 2023, and November 2, 2023.
“The in-depth cyber forensic investigation determined that unauthorized activity occurred between October 29, 2023, and November 2, 2023.” reads the data breach notification sent by the company to the impacted individuals. “Through the investigation, it was also determined that data was subject to unauthorized access and acquisition. With the assistance of third-party eDiscovery experts, retained through outside counsel, IMS proceeded to conduct a thorough and time-intensive review of the data at issue to identify the personal information subject to unauthorized access and acquisition and determine to whom the personal information relates. IMS has notified its impacted organizations of the Incident and of the compromise of any personal information pertaining to them.”
“The sensitive personal data of 6,078,263 people has been compromised. Now, victims’ names, Social Security numbers, financial information, and medical information may be in the hands of criminals, putting victims at a greater risk of identity theft and other frauds.” reads a press release published by the company.
“On June 27, 2024, Infosys McCamish filed a notice with the Attorney General of Maine describing a data breach affecting consumers nationwide. In this notice, Infosys McCamish explains that customers of Oceanview Life & Annuity Company were among those affected. However, in previous filings, Infosys McCamish has indicated that customers of other companies were also affected, including Union Labor Life Insurance, Newport Group, Inc., and more.”
IMS determined that exposed data includes:
Names,
Social Security numbers,
Medical information,
Biometric data,
Financial account information, and
Passport numbers.
The company is not aware of any abuses of the exposed data, however, it offered twenty-four months of complimentary credit monitoring to current customers for individuals associated with those customers
“Although we are unaware of any instances since the Incident occurred in which the personal information has been fraudulently used, IMS is nevertheless offering impacted individuals complimentary credit monitoring for twenty-four (24) months and dedicated call center services as well as providing guidance on how to protect against identity theft and fraud, including advising individuals to report any suspected identity theft or fraud to their financial institutions.” concludes the notification. “IMS is also providing individuals with information on how to place a fraud alert and security freeze on one’s credit file, information on protecting against tax fraud, the contact details for the national credit reporting agencies, information on how to obtain a free credit report, a reminder to remain vigilant for fraud and identity theft by reviewing account statements and monitoring credit reports, and encouragement to contact the Federal Trade Commission, their Attorney General, and law enforcement to report attempted or actual identity theft and fraud.”
A cyber attack started targeting the University Hospital Centre Zagreb (KBC Zagreb) on Wednesday night, reported the Croatian Radiotelevision.
A cyber attack began targeting the University Hospital Centre Zagreb (KBC Zagreb), the largest Croatian hospital, on Wednesday night, according to a report by Croatian Radiotelevision.
The hospital has shut down its IT infrastructure in response to the cyber attack.
Milivoj Novak, assistant director of health care quality and supervision of KBC Zagreb, said in tonight’s show “Otvoreno” that the shutdown of the IT system took the hospital back 50 years – to paper and pencil. It’s unclear if the hospital was victim of a ransomware attack.
Later Novak said in a press conference that all the services, including the hospital’s emergency service and medical laboratories, were fully recovered.
However, the temporary impossibility of printing out medical reports and staff having to write them by hand caused significant delays. It’s also confirmed that some patients will be redirected to other hospitals.
Initial investigation confirmed that patients’ medical records were not exfiltrated.
The hospital did not reveal the type of attack that hit its systems, however, HelpnetSecurity reported that this week a series of DDoS attacks targeted the websites of several Croatian government and financial institutions, including the Ministry of Finance, the Tax Administration, the Croatian National Bank, the Economic Bank of Zagreb, and the Zagreb Stock Exchange.
The pro-Russia group NoName claimed responsibility for the attack but declared that the collective is not involved in attacks on Croatian medical facilities.
“We are not involved in attacking medical facilities in Croatia or any other country. We have a principle of not touching medical facilities. We are at war with russophobic authorities, not civilians!”
“And the fact that Croatian officials can’t protect their internet infrastructure in the medical field, but find money to sponsor the banderaites, should really raise questions from Croatian citizens to their russophobic government.”
The US DoJ announced charges against a member of Russia’s military intelligence service GRU for conducting wiper attacks on Ukraine in 2022.
The US Department of Justice (DoJ) announced charges against Russian national Amin Timovich Stigal, who is a member of Russia’s military intelligence service GRU, for conducting wiper attacks on Ukraine in 2022.
The man is accused of having a significant role in wiper attacks targeting the Ukrainian government computer networks in 2022.
“A federal grand jury in Maryland returned an indictment yesterday charging Amin Timovich Stigal (Амин Тимович Стигал), 22, a Russian citizen, with conspiracy to hack into and destroy computer systems and data. In advance of the full-scale Russian invasion of Ukraine, targets included Ukrainian Government systems and data with no military or defense-related roles.” reads the press release published by DoJ “Later targets included computer systems in countries that were providing support to Ukraine, including the United States.”
In January 2022 Stigal and other members of the GRU employed the WhisperGate wiper in a series of attacks against Ukraine to aid the Russian military invasion of the country.
The Russian hacker used a U.S.-based company to drop the WhisperGate malware into dozens of Ukrainian government entities.
Microsoft first spotted the destructive malware WhisperGate on January 13, 2022, it was used to target government, non-profit, and IT entities in Ukraine with a wiper disguised as ransomware.
Microsoft attributed the attack to an emerging threat cluster tracked as “DEV-0586.” The experts pointed out that the operation has not overlapped with TTPs associated with past campaigns.
“MSTIC assesses that the malware, which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom.” reads the post published by the Microsoft Threat Intelligence Center.
“At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues.”
However, Reuters in an exclusive reported that the Belarus-linked APT group tracked as UNC1151 (aka Ghostwriter) was behind the attacks.
According to Symantec, the WhisperGate wiper may have been employed in attacks against unknown victims since at least October 2021.
The conspirators also exfiltrated sensitive data from the Ukrainian computer systems, including patient health records. The DoJ reported that the state-sponsored hackers also defaced websites with threatening messages to instill fear among Ukrainians. They also offered the stolen data for sale online. In August 2022, they hacked the transportation infrastructure of a Central European country supporting Ukraine. From August 5, 2021, to February 3, 2022, they used the same infrastructure to probe computers of a federal government agency in Maryland, similar to their initial attacks on Ukrainian networks.
The Russian citizen remains at large, however, if convicted, Stigal faces a maximum penalty of five years in prison.
“As early as 2021, digital environments managed by Amin Stigal were used to stage malicious payloads used in various WhisperGate malware campaigns. Stigal is linked to WhisperGate operations against Ukrainian, NATO, and U.S. computer networks and has conspired with others to establish accounts on a social communications platform for use in WhisperGate operations.
The Rewards for Justice also announced a reward up to $10 million for information leading to the identification or location of the man.
“As early as 2021, digital environments managed by Amin Stigal were used to stage malicious payloads used in various WhisperGate malware campaigns. Stigal is linked to WhisperGate operations against Ukrainian, NATO, and U.S. computer networks and has conspired with others to establish accounts on a social communications platform for use in WhisperGate operations.” reported the Rewards for Justice.
The LockBit ransomware group seems to have lied when they announced the hack of the US Federal Reserve. The real victim is the Evolve Bank.
The LockBit ransomware group hasn’t hacked the Federal Reserve as it has recently claimed, the real victim is the Evolve Bank.
Last week, the LockBit gang announced that it had breached the systems of the Federal Reserve of the United States and exfiltrated 33 TB of sensitive data, including “Americans’ banking secrets.”
The Lockbit ransomware group added the Federal Reserve to the list of victims on its Tor data leak site and threatened to leak the stolen data on 25 June, 2024 20:27:10 UTC.
The group hasn’t published any sample of the stolen data.
“Federal banking is the term for the way the Federal Reserve of the United States distributes its money. The Reserve operates twelve banking districts around the country which oversee money distribution within their respective districts. The twelve cities which are home to the Reserve Banks are Boston, New York City, Philadelphia, Richmond, Atlanta, Dallas, Saint Louis, Cleveland, Chicago, Minneapolis, Kansas City, and San Francisco.” reads the announcement published by the group on its leak site.
“33 terabytes of juicy banking information containing Americans’ banking secrets. You better hire another negotiator within 48 hours, and fire this clinical idiot who values Americans’ bank secrecy at $50,000.”
Despite the announcement, data leaked data from the group belongs to the Arkansas-based financial organization Evolve Bank & Trust.
The analysis of the data leaked by the group on its Tor leak site on June 26 confirmed the documents belong to the Evolve Bank & Trust.
Evolve Bank & Trust this week published a notice on its website to confirm the security breach and announced it has launched an investigation into the incident. The financial organization confirmed that certain personal information may have been compromised.
“Evolve Bank & Trust is making retail bank customers and financial technology partners’ customers (end users) aware of a cybersecurity incident that may involve certain personal information, as well as the actions we have taken in response, and additional steps individuals may take.” reads the notice of Cybersecurity Incident. “Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organization that appears to have illegally obtained and released on the dark web the data and personal information of some Evolve retail bank customers and financial technology partners’ customers (end users). We take this matter extremely seriously and are working diligently to address the situation.”
Evolve has reported the incident to law enforcement, it also added that the incident has been completely contained.
An update published on June 26, 2024 12:00pm confirmed that the company’s retail banking customers’ debit cards, online, and digital banking credentials do not appear to be impacted.
Evolve will directly contact impacted customers and financial technology partners.
“It appears these bad actors have released illegally obtained data, including Personal Identification Information (PII), on the dark web. The data varies by individual but may include your name, Social Security Number, date of birth, account information and/or other personal information.” continues the report.
Several media reported that the Federal Reserve had penalized Evolve Bank & Trust over multiple “deficiencies” identified in how the bank conducted risk management, anti-money laundering (AML), and compliance practices.
Several media outlets reported [1, 2, 3] that the Federal Reserve penalized Evolve Bank & Trust for various “deficiencies” in the bank’s risk management, anti-money laundering (AML) and compliance practices.
Some experts believe the ransomware gang made an error, but many researchers argue that the announcement is a desperate tentative to gain relevance.
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds GeoSolutionsGroup JAI-EXT, Linux Kernel, and Roundcube Webmail bugs to its Known Exploited Vulnerabilities catalog.
Below are the descriptions of the flaws added to the KEV catalog:
GeoServer Flaw CVE-2022-24816 (CVSS score of 9.8) is a code injection issue in the Jai-Ext open source project. The flaw can be exploited to achieve remote code execution, it exploits Jiffle scripts compiled into Java code via Janino. The flaw was addressed with the release of GeoServer version 1.2.22 in April 2022. Technical details and PoC exploit code are publicly available since August 2022.
Linux Kernel Flaw CVE-2022-2586 (CVSS score of 7.8) is a use-after-free vulnerability in nft tables, that can lead to privilege escalation. White hat hackers demonstrated an exploit for this issue during the Pwn2Own Vancouver 2022. The vulnerability was fixed in August 2022, however technical details and PoC were published a few weeks later.
Roundcube Webmail CVE-2020-13965 (CVSS score of 6.1) is a cross-site scripting (XSS) issue. The vulnerability affects versions before 1.4.5 and 1.3.12. Successful exploitation of the flaw can lead to arbitrary JavaScript code execution. Roundcube addressed the flaw in June 2020, and PoC code was released shortly thereafter.
Researchers warn that the P2Pinfect worm is targeting Redis servers with ransomware and cryptocurrency mining payloads.
Cado Security researchers warned that the P2Pinfect worm is employed in attacks against Redis servers, aimed at deploying both ransomware and cryptocurrency mining payloads.
In July 2023, Palo Alto Networks Unit 42 researchers first discovered the P2P worm P2PInfect that targets Redis servers running on both Linux and Windows systems. The capability to target Redis servers running on both Linux and Windows operating systems makes P2PInfect more scalable and potent than other worms.
In December 2023, Cado Security Labs discovered a new variant of the P2Pinfect botnet that targeted routers, IoT devices, and other embedded devices. This variant has been compiled for the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture.
The new bot supports updated evasion mechanisms, can avoid execution in a Virtual Machine (VM) and a debugger and supports anti-forensics on Linux hosts.
The worm is written in the Rust programming language, it targets Redis instances by exploiting the Lua sandbox escape vulnerability CVE-2022-0543 (CVSS score 10.0).
In September 2023, Cado Security Labs reported that it had witnessed a 600x increase in P2Pinfect traffic since August 28th.
Researchers pointed out that the malware ultimately did not seem to have an objective other than to spread, however, a new update to P2Pinfect has introduced a ransomware and crypto miner payload.
The most recent campaign began on June 23, based on the TLS certificate used for C2 communications.
The malware spreads by exploiting Redis’s replication features, where nodes in a distributed cluster follow a leader/follower topology. Attackers abused this feature by making follower nodes load arbitrary modules, enabling code execution on these nodes. P2Pinfect uses the SLAVEOF command to turn open Redis nodes into followers of a server under the control of its operators. It then writes a shared object (.so) file to the follower and instructs it to load the file, allowing the attacker to send and execute arbitrary commands on the follower nodes.
P2Pinfect was also spotted relying on another initial access vector to Redis server by abusing the config commands to write a cron job to the cron directory.
“P2Pinfect is a worm, so all infected machines will scan the internet for more servers to infect with the same vector described above. P2Pinfect also features a basic SSH password sprayer, where it will try a few common passwords with a few common users, but the success of this infection vector seems to be a lot less than with Redis, likely as it is oversaturated.” reads the report published by Cado. “Upon launch it drops an SSH key into the authorised key file for the current user and runs a series of commands to prevent access to the Redis instance apart from IPs belonging to existing connections.”
The main binary of the war appears to have been rewritten, it is now using the Tokio async framework for Rust and packed with UPX. The malware internals have been deeply rewritten, the experts noticed that the binary was stripped and partially obfuscated to make it harder for the static analysis. Previously, P2Pinfect maintained persistence by adding it to .bash_logout and using a cron job, but it no longer employs these methods. Other behaviors, such as the initial setup, remain unchanged.
In recent campaign, the main binary dropped the miner binary to a mktmp file (mktmp creates a file in /tmp with some random characters as the name) and executed it. The miner binary features a built-in configuration, with the monero wallet and pool preconfigured. The miner is only activated after approximately five minutes has elapsed since the main payload was started.
To date, the miner has made approximately £9,660.
The new P2Pinfect version also receives a command instructing it to download and run the rsagen binary, which is a new ransomware payload.
“The ransomware stores a database of the files it encrypted in a mktmp file with .lockedfiles appended.” continues the report.
“As the ransomware runs with the privilege level of its parent, it is likely that it will be running as the Redis user in the wild since the main initial access vector is Redis. In a typical deployment, this user has limited permissions and will only be able to access files saved by Redis. It also should not have sudo privileges, so would not be able to use it for privilege escalation. Redis by default doesn’t save any data to disk and is typically used for in-memory only caching or key value store, so it’s unclear what exactly the ransomware could ransom other than its config files. Redis can be configured to save data to files – but the extension for this is typically rdb, which is not included in the list of extensions that P2Pinfect will ransom.”
The experts explained that it’s unclear why the ransomware was designed in this way.
P2Pinfect also includes a user-mode rootkit that modifies .bashrc files in user home directories by appending export LD_PRELOAD=/home/<user>/.lib/libs.so.1. This causes the libs.so.1 file to be preloaded whenever a linkable executable, like ls or cat, is run.
“Like the ransomware, the usermode rootkit suffers from a fatal flaw; if the initial access is Redis, it is likely that it will only affect the Redis user as the Redis user is only used to run the Redis server and won’t have access to other user’s home directories.” continues the report.
The researchers believe P2Pinfect might be a botnet for hire that allows its customers to deploy their payloads.
Experts warn of active exploitation of a critical authentication bypass vulnerability in MOVEit Transfer file transfer software.
Progress Software addressed two critical authentication bypass vulnerabilities, tracked as CVE-2024-5805 and CVE-2024-5806, affecting its MOVEit Transfer file transfer software.
The vulnerability CVE-2024-5805 (CVSS score 9.1) is an improper authentication vulnerability in Progress MOVEit Gateway (SFTP module) that allows authentication bypass. The vulnerability was discovered by Max Hase, it impacts MOVEit Gateway: 2024.0.0.
The vulnerability CVE-2024-5806 (CVSS score 9.1) is also an improper authentication vulnerability that resides in the Progress MOVEit Transfer (SFTP module) that can lead to authentication bypass.
This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.
The flaw CVE-2024-5806 was addressed with the release of versions 2023.0.11, 2023.1.6, and 2024.0.2. CVE-2024-5805 has been addressed with the release of version 2024.0.1.
Progress highlighted that a recently discovered vulnerability in a third-party component raises the risk level for this CVE.
“We have addressed the MOVEit Transfer vulnerability and the Progress MOVEit team strongly recommends performing an upgrade to the latest version listed in the table below.” reads the advisory published Progress Software. “A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue mentioned above if left unpatched. While the patch distributed by Progress on June 11th successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk. Please work with your internal teams to take the following steps to mitigate the third-party vulnerability.”
The company recommends customers mitigate third-party vulnerability by verifying they have blocked public inbound RDP access to MOVEit Transfer server(s), and limiting outbound access to only known trusted endpoints from MOVEit Transfer server(s).
Experts warned of exploitation attempts targeting the vulnerability CVE-2024-5806.
WatchTowr researchers published a detailed analysis of the flaw CVE-2024-5806, they added that Progress has been proactively contacting customers for weeks or months to ensure they address the CVE-2024-5806.
“Clearly, this is a serious vulnerability. It is also somewhat difficult to diagnose, given the knowledge of the SSH protocol and a considerable .NET reverse-engineering effort required.” reads the advisory published by WatchTowr. “However, the presence of the Illegal characters in path exception should grab the attention of any other researchers who are searching for the vulnerability, and the relative simplicity of exploitation lends itself to ‘accidental’ discovery.”
Researchers at Shadowserver Foundation also reported observing exploitation attempts for CVE-2024-5806 and urge customers to address it.
Very shortly after vulnerability details were published today we started observing Progress MOVEit Transfer CVE-2024-5806 POST /guestaccess.aspx exploit attempts. If you run MOVEit & have not patched yet – please do so now: https://t.co/AenLgqg1wM
— The Shadowserver Foundation (@Shadowserver) June 25, 2024
Users can track Progress MOVEit Transfer exposed instances through the Shadowserver dashboard. At the time of this writing, there are more than 1,700 internet-facing instances, most of them in the US.
A new e-skimmer called Caesar Cipher Skimmer is used to compromise multiple CMS, including WordPress, Magento, and OpenCart.
Sucuri researchers discovered a new e-skimmer, called Caesar Cipher Skimmer, that was used in recent weeks to target users of e-stores based on popular CMS, including WordPress, Magento, and OpenCart.
Over the past several weeks, the experts noticed a new variation of the “gtag” credit card skimming attack with a high number of detections, they called it ‘Caesar Cipher Skimmer.’ While it’s common to see malware from one CMS recycled for use on another, it’s notable that this new skimmer is being deployed across various platforms simultaneously.
The latest campaign involves malicious modifications to the checkout PHP page (“form-checkout.php”) of the WooCommerce plugin for WordPress to steal credit card data.
In recent months, injections have been modified to appear less suspicious by mimicking Google Analytics and Google Tag Manager. The scripts employed in the attack often include obfuscated strings and the usage of String.fromCharCode, a common tactic among threat actors to conceal their code.
The researchers noticed that threat actors used the substitution mechanism of the Caesar cipher to encode the part of the malware into a string and conceal the domain hosting the malicious payload.
“What the malware does to hide its payload is to subtract the value of each unicode character by three. So it’s essentially using a Caesar Cipher on the unicode values, rather than simply just letters.” reads the post published by Sucuri.
The domain hosting the malicious code was likely compromised in previous attacks, but experts also observed the use of rogue sites that were set up by the attackers.
The attackers registered some domains with intentional spelling mistakes (like “gooogle”) over the past few months and likely swapped out when discovered by security vendors. The scripts used in the campaign load another layer of obfuscated skimmer JavaScript, which creates a WebSocket, connects to a remote server, and waits to receive yet another layer of the skimmer.
“The script sends the URL of the current webpages, which allows the attackers to send customized responses for each infected site. Some versions of the second layer script even check if it is loaded by a logged-in WordPress user and modify the response for them.” continues the post.
The researchers noticed comments written in Russian in older versions of the second-layer script.
The experts also observed attackers misusing the Insert Headers and Footers WPCode plugin to insert malware into WooCommerce websites. This plugin has become popular among attackers for inserting server-side redirects. On Magento websites, attackers frequently use the core_config_data database table to store credit card skimming JavaScript. However, for OpenCart, there have been no specific cases yet, and the exact location of the infection in the backend is still unknown.
Below are some steps users can take to protect their e-commerce site from credit card skimmers:
Keep your site up to date.
Review admin accounts and keep passwords updated.
Leverage file integrity and website monitoring.
Protect your site with a web application firewall.
Researchers warn that a Mirai-based botnet is exploiting a recently disclosed critical vulnerability in EoL Zyxel NAS devices.
Researchers at the Shadowserver Foundation warn that a Mirai-based botnet has started exploiting a recently disclosed vulnerability tracked as CVE-2024-29973 (CVSS score 9.8) in end-of-life NAS devices Zyxel NAS products.
The flaw is a command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0. An unauthenticated attacker can exploit the flaw to execute some operating system (OS) commands by sending a crafted HTTP POST request.
The vulnerability affects NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older.
The vulnerability stems from the fix for another code injection issue tracked as CVE-2023-27992 that was addressed in June 2023.
Now the researchers at the Shadowserver Foundation reported that they have started observing exploitation attempts for this vulnerability by a Mirai-like botnet. The experts urge a replacement of the EoL devices and pointed out that PoC exploit code is publicly available.
… and consider a replacement for these now unsupported devices!
WikiLeaks founder Julian Assange has been released in the U.K. and has left the country after five years in Belmarsh prison.
Julian Assange is free after five years in Belmarsh prison, the WikiLeaks founder has been released in the U.K. and is flying to the island of Saipan in the Northern Mariana Islands, to make a brief court appearance before flying to Australia where he will be a free man in Australia.
JULIAN ASSANGE IS FREE
Julian Assange is free. He left Belmarsh maximum security prison on the morning of 24 June, after having spent 1901 days there. He was granted bail by the High Court in London and was released at Stansted airport during the afternoon, where he boarded a…
Assange accepted Saipan as the location due to its “opposition to traveling to the continental U.S.” and the court’s proximity to the defendant’s country of citizenship, Australia.
Assange faced multiple criminal charges under America’s Espionage Act and Computer Fraud and Abuse Act.
Wikileaks founder was facing extradition to the United States for his role in one of the largest compromises of classified information in the history of the United States. He published thousands of classified diplomatic and military documents on WikiLeaks in 2010.
For the first time, US DoJ charges an individual under the 102-year-old Act that persecutes the disclosure of national defense information that could be used against the United States.
According to the DoJ, the WikiLeaks founder conspired and tried to recruit Anonymous and LulzSec hacker to steal confidential and secret data on his behalf. In 2010, Assange gained unauthorized access to a government computer system of a NATO country and years later he contacted a LulzSec leader who was working for the FBI and provided him a list of targets.
The US authorities also accuse Assange of having conspired with Army intelligence analyst Chelsea Manning to crack a password hash for an Army computer to access classified documents that were later published on the WikiLeaks website.
In April 2019, WikiLeaks founder Julian Assange has been arrested at the Ecuadorian Embassy in London after Ecuador withdrew asylum after seven years.
In 2012 a British judge ruled WikiLeaks founder Julian Assange should be extradited to Sweden to face allegations of sexual assault there, but Assange received political asylum from Ecuador and spent the last years in its London embassy.
In May 2019, the WikiLeaks founder was sentenced to 50 weeks in prison for breaching his bail conditions in 2012 and finding asylum in Ecuador’s London embassy for more than seven years.
A few weeks later, the United States Department of Justice charged Assange with 18 counts of the alleged violation of the Espionage Act.
Assange now pleaded guilty to a criminal charge of conspiring to obtain and disclose classified U.S. national defense documents. He is scheduled to be sentenced to 62 months of time already served in Saipan later this week.
Assange’s wife Stella thanked her husband’s supporters on X.
Julian is free!!!!
Words cannot express our immense gratitude to YOU- yes YOU, who have all mobilised for years and years to make this come true. THANK YOU. tHANK YOU. THANK YOU.
CISA warned chemical facilities that its Chemical Security Assessment Tool (CSAT) environment was compromised in January.
CISA warns chemical facilities that its Chemical Security Assessment Tool (CSAT) environment was breached in January.
In March, the Recorded Future News first reported that the US Cybersecurity and Infrastructure Security Agency (CISA) agency was hacked in February. In response to the security breach, the agency had to shut down two crucial systems, as reported by a CISA spokesperson and US officials with knowledge of the incident, according to CNN.
One of the systems impacted by the incident is used to facilitate the sharing of cyber and physical security assessment tools among federal, state, and local officials. The second system was holding information related to the security assessment of chemical facilities.
Recorded Future News, citing a source with knowledge of the situation, reported that the hacked systems were the Infrastructure Protection (IP) Gateway and the Chemical Security Assessment Tool (CSAT).
The CSAT hosts sensitive industrial information, including the Top Screen tool for high-risk chemical facilities, Site Security Plans and the Security Vulnerability Assessments.
A CISA spokesperson told Recorded Future News that the initial investigation conducted by the government experts revealed that the attackers exploited vulnerabilities in Ivanti products used by the agency.
“The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time,” the spokesperson said.
“This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience.”
Ironically, CISA warned US organizations about attacks exploiting vulnerabilities in Ivanti software. On February 1st, for the first time since its establishment, CISA ordered federal agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours.
On February 29, CISA warned organizations again that threat actors are exploiting multiple vulnerabilities (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) in Ivanti Connect Secure and Policy Secure Gateways.
The agency did not provide details about the attack or attribute it to a specific threat actor.
CISA has confirmed that threat actors hacked into the CSAT Ivanti Connect Secure appliance on January 23, 2024, and uploaded a web shell. The US agency confirmed that the threat actor accessed the web shell several times over two days.
“On January 26, CISA identified potentially malicious activity affecting the CSAT Ivanti Connect Secure appliance. During the investigation, we identified that a malicious actor installed an advanced webshell on the Ivanti device. This type of webshell can be used to execute malicious commands or write files to the underlying system.” reads the advisory published by CISA. “Our analysis further identified that a malicious actor accessed the webshell several times over a two-day period. Importantly, our investigation did not identify adversarial access beyond the Ivanti device nor data exfiltration from the CSAT environment.”
CISA confirmed that the CSAT user accounts contained at minimum, information provided under Personnel Surety Program that must have included an individual’s name, date of birth, and citizenship or gender. Facilities may have chosen to provide additional PII, including aliases, place of birth, passport number, redress number, Global Entry ID number, or Transportation Worker Identification Credential (TWIC) ID number.
CISA immediately took the impacted system offline, isolated the application from the rest of the network, and launched a forensic investigation involving the CISA’s Office of the Chief Information Officer, the Cybersecurity Division’s Threat Hunting team, and the Department of Homeland Security’s Network Operations Center.
The experts did not find evidence of attackers’ access beyond the Ivanti device or data exfiltration from the CSAT environment. All CSAT information was encrypted with AES 256 encryption, however encryption keys were inaccessible to the attackers.
CISA does not have any evidence of data exfiltration, however, the US Agency is notifying all impacted participants in the CFATS program out of an abundance of caution.
“Even without evidence of data exfiltration, the number of potential individuals and organizations whose data was potentially at risk met the threshold of a major incident under the Federal Information Security Modernization Act (FISMA).” concludes the advisory.
Login
