Thursday, November 30th, 2023
Cybersecurity Week in Review (01/12/2023)
US Car Dealer Admits Data Breach
Berglund Management Group has disclosed a data breach that may have affected more than 50,000 people in the US.
The Virginia firm submitted a report to the Attorney General’s Office in Maine, which imposes strict reporting requirements on cyberattacks affecting its residents; the report was published on November 29th. The Roanoke-based motor dealer had already written to potentially affected customers a week before.
It’s believed that the compromised data includes names and Social Security numbers, although Berglund claimed in its letter that “there is no indication this information has been misused.”
The company said it had concluded an investigation in October after first detecting “certain unauthorized activity within its network” in May.
“Following a thorough investigation, we discovered that a limited amount of personal information may have been accessed by an unauthorized third party in connection with this incident,” it added.
According to Maine, Berglund told it 51,514 people, including a small number of residents of that state, had been affected.
Berglund says it has beefed up its security systems in light of the incident and offered affected parties free credit monitoring services.
Source – https://cybernews.com/news/berglund-virginia-car-dealer-data-breach/
Dollar Tree Impacted by ZeroedIn Data Breach Affecting 2 Million Individuals
Workforce analytics services provider ZeroedIn is notifying roughly two million individuals that their personal information was compromised in an August 2023 data breach.
In a filing with the Maine Attorney General’s Office, the company revealed that the incident was identified on August 8, and that a threat actor had unauthorized access to certain systems between August 7 and 8.
The company immediately launched an investigation into the incident, which determined that some of the files accessed or stolen by the attackers contained personal information.
After conducting a review of the files on the compromised systems, ZeroedIn discovered that the accessed data pertained to certain customers, including US variety store chains Dollar Tree and Family Dollar.
ZeroedIn says it notified Dollar Tree of the incident after determining that some of the compromised information pertained to “certain individuals associated with them”.
The attackers, the company says, accessed or stole files containing names, dates of birth, and Social Security numbers.
In the sample notification letter submitted to the Maine Attorney General’s Office, ZeroedIn notes that the compromised information is related to “applicants and current and former employees of its clients”.
The company told the Maine Attorney General’s Office that close to two million individuals were impacted by the incident, with the filing suggesting that only individuals related to Dollar Tree and Family Dollar might have been impacted.
Per Dollar Tree’s latest 10-Q filing with the US Securities and Exchange Commission, more than 16,600 retail discount stores and 17 distribution centers in the US and Canada operate under the Dollar Tree and Family Dollar brands.
ZeroedIn may face a class action suit over the incident, as data breach lawyers at Console & Associates, P.C. announced they are investigating the matter on behalf of the impacted individuals.
Fortune-telling Website Exposes 13M+ User Records
WeMystic, a website on astrology, numerology, tarot, and spiritual orientation, left an open database exposing 34GB of sensitive data about the platform’s users.
WeMystic offers its users astrology, spiritual well-being, and esotericism alongside an online shop for natural stones, chakras, tarot cards, bracelets, and other products. The platform primarily serves Brazilian, Spanish, French, and English speakers.
WeMystic left an open, passwordless MongoDB database containing 34 gigabytes of data related to the service.
Businesses employ MongoDB to organize and store large swaths of document-oriented information. While WeMystic has since closed the database, researchers said that the data was accessible for at least five days.
One of the data collections in the exposed instance, named “users,” contained a whopping 13.3 million records. The exposed records include:
- Names
- Email addresses
- Dates of birth
- IP addresses
- Gender
- Horoscope signs
- User system data
Researchers explain that the exposure of personal user data poses security risks for those involved since attackers may build on collected data to carry out targeted attacks, even getting creative with seemingly superstitious data.
“Threat actors could potentially exploit information for malicious activities such as identity theft, phishing, spamming, and targeted advertising. Attackers could try manipulating individuals based on their spiritual and astrological beliefs, posing serious risks to users’ privacy and security,” researchers said.
Source – https://cybernews.com/security/wemystic-data-leak/
Okta Discloses Broader Impact Linked to October 2023 Support System Breach
Identity services provider Okta has disclosed that it detected “additional threat actor activity” in connection with the October 2023 breach of its support case management system.
“The threat actor downloaded the names and email addresses of all Okta customer support system users,” the company said in a statement.
“All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was not impacted by this incident.”
On top of that, the adversary is believed to have accessed reports containing contact information of all Okta certified users, some Okta Customer Identity Cloud (CIC) customers, and unspecified Okta employee information. However, it emphasized that the data does not include user credentials or sensitive personal data.
News of the expanded scope of the breach was first reported by Bloomberg.
The company also told the publication that while it does not have any evidence of the stolen information being actively misused, it has taken the step of notifying all customers of potential phishing and social engineering risks.
It also stated that it “pushed new security features to our platforms and provided customers with specific recommendations to defend against potential targeted attacks against their Okta administrators.”
Okta, which has enlisted the help of a digital forensics firm to support its investigation, further said it “will also notify individuals that have had their information downloaded.”
The development comes more than three weeks after the identity and authentication management provider said the breach, which took place between September 28 and October 17, 2023, affected 1% – i.e., 134 – of its 18,400 customers.
The identity of the threat actors behind the attack against Okta’s systems is currently not known, although a notorious cybercrime group called Scattered Spider has targeted the company as recently as August 2023 to obtain elevated administrator permissions by pulling off sophisticated social engineering attacks.
According to a report published last week, Scattered Spider infiltrated an unnamed company and gained access to an IT administrator’s account via Okta single sign-on (SSO), followed by laterally moving from the identity-as-a-service (IDaaS) provider to their on-premises assets in less than one hour.
The formidable and nimble adversary, in recent months, has also evolved into an affiliate for the BlackCat ransomware operation, breaking into cloud and on-premises environments to deploy file-encrypting malware for generating illicit profits.
Source – https://thehackernews.com/2023/11/okta-discloses-additional-data-breach.html
Russia-linked Black Basta ransomware has extorted at least $100 million
Black Basta, which is believed to be a faction of the notorious Russian Conti ransomware gang, has raked in at least $107 million in Bitcoin ransom payments since its inception in early 2022, joint research has revealed.
Capita, a technology outsourcer with billions of dollars in UK government contracts, ABB, an industrial automation company, and Dish Networks, an American television provider, are among the high-profile victims identified across 329 intrusions by Black Basta. None of the three companies has publicly disclosed whether it paid a ransom.
Researchers tracked the movements of funds using crypto investigations tools and uncovered some unique patterns in the group’s activity by timing peaks of ransom payments with the timing of attacks.
Analysis suggests that Black Basta has received at least $107 million in ransom payments since early 2022, across more than 90 victims. The largest received ransom payment was $9 million, and at least 18 of the ransoms exceeded $1 million. The average ransom payment was $1.2 million.
Those figures are a lower estimate, as there may be other ransom payments that researchers were unable to identify, especially the latest. Despite the relative transparency of blockchains, ransomware groups do not rely on a single wallet to receive payments, and victims rarely share details about where they transferred the ransom to.
Ransom groups also use complex money laundering techniques to cover their tracks on the blockchain and conceal illicit sources of profits. Researchers demonstrated an overlap between the funds of Black Basta and Conti. Therefore, some payments may relate to now-defunct Conti ransomware attacks.
“Based on the number of known victims listed on Black Basta’s leak site through Q3 of 2023, data indicates that at least 35% of known Black Basta victims paid a ransom. This is consistent with reports that 41% of all ransomware victims paid a ransom in 2022,” the researchers explained.
Also, Black Basta commonly used the Qakbot malware, which infected victims’ computers through email phishing attacks and helped to deploy ransomware. On the blockchain, approximately 10% of Black Basta’s ransom amount was forwarded to Qakbot wallets, researchers showed.
The US government sanctioned Garantex in April 2022. The multinational law enforcement operation disrupted Qakbot in August 2023, partially explaining the recent reduction in Black Basta attacks.
Black Basta has targeted businesses in a wide variety of sectors, including construction (10% of victims), law practices (4%), and real estate (3%), mostly in the US, a trait that also resembled Conti.
Source – https://cybernews.com/security/russia-linked-black-basta-ransomware-extorted-100-million/
CISA Warns of Unitronics PLC Exploitation Following Water Utility Hack
After hackers compromised an industrial control system (ICS) at a water utility in the United States, the cybersecurity agency CISA issued an alert over the exploitation of the targeted device.
The target of the attack was the Municipal Water Authority of Aliquippa in Pennsylvania, which confirmed that hackers took control of a system associated with a station where water pressure is monitored and regulated, but said there was no risk to the water supply or drinking water.
Based on publicly available information, the hackers targeted a Unitronics Vision system, which is a programmable logic controller (PLC) with an integrated human-machine interface (HMI).
A hacktivist group called Cyber Av3ngers, known to be anti-Israel and possibly linked to Iran, has taken credit for the attack, apparently targeting the Israel-made Unitronics PLC.
Unitronics Vision products have been known to be affected by critical vulnerabilities that could expose devices to attacks. However, HMIs are often accessible from the internet without authentication, making them an easy target even for low-skilled threat actors.
In the case of the Municipal Water Authority of Aliquippa, CISA noted that the attackers likely accessed the ICS device “by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet”.
This statement suggests that the attackers likely leveraged the fact that the device was insecurely configured, rather than exploiting an actual vulnerability. This would not be surprising for a hacktivist group as these types of threat actors mostly target low-hanging fruit and do not waste time and energy creating sophisticated exploits.
In order to protect their Unitronics PLCs against potential attacks, organizations have been urged by CISA to change the default ‘1111’ password, require multi-factor authentication for remote access to OT systems, ensure that the controller is not directly exposed to the internet, create backups for the PLC’s logic and configuration in case it gets compromised, change the default port, and update the device to the latest version.
Such PLCs are used by organizations in the water and wastewater sector to control and monitor processes. An attack on these systems could threaten the ability of facilities to provide clean water and effectively manage wastewater, CISA warned.
Cyberattacks aimed at the water sector are increasingly common and there have been some confirmed reports of attacks impacting ICS at water facilities. In an effort to help organizations in this sector protect their systems, CISA has been offering a free vulnerability scanning service.
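The CISA recommendations listed above can be turned into a repeatable check over a PLC inventory. The following is an added example, not CISA’s or Unitronics’ own tooling: it assumes a constructed inventory format, a placeholder “latest” firmware string, a site-defined OT address range, and an assumed default Unitronics PCOM TCP port of 20256 (the page itself does not name the port).

```python
"""Audit PLC inventory records against the CISA hardening advice quoted
above: default '1111' password changed, MFA for remote access, no direct
internet exposure, backups of logic/configuration, default port changed,
and firmware up to date.  Added example; all field names, addresses and
thresholds below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_PASSWORD = "1111"             # factory default named in the CISA guidance
ASSUMED_DEFAULT_PORT = 20256          # assumed Unitronics PCOM default (not stated on the page)
ASSUMED_LATEST_FIRMWARE = (9, 9, 0)   # constructed placeholder for "latest version"
MAX_BACKUP_AGE_DAYS = 30              # constructed site policy for backup freshness
# Constructed OT enclave; a management address outside it is treated as
# reachable from outside the plant network (i.e. potentially internet-exposed).
ASSUMED_OT_RANGES = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass
class PlcRecord:
    name: str
    address: str                   # management IP of the controller/HMI
    port: int                      # TCP port the PLC listens on
    password: str
    mfa_for_remote: bool
    firmware: str                  # "major.minor.patch"
    backup_age_days: Optional[int]  # None means no backup exists


def _parse_version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def audit_plc(rec: PlcRecord) -> List[str]:
    """Return the CISA recommendations this record violates (empty list if compliant)."""
    findings = []
    if rec.password == DEFAULT_PASSWORD:
        findings.append("default password 1111 still set")
    elif len(rec.password) < 8 or rec.password.isdigit():
        findings.append("weak password (short or numeric only)")
    if not rec.mfa_for_remote:
        findings.append("no MFA for remote access")
    ip = ipaddress.ip_address(rec.address)
    if not any(ip in net for net in ASSUMED_OT_RANGES):
        findings.append("management address outside the OT enclave (possibly internet-exposed)")
    if rec.port == ASSUMED_DEFAULT_PORT:
        findings.append("default port unchanged")
    if _parse_version(rec.firmware) < ASSUMED_LATEST_FIRMWARE:
        findings.append(f"firmware {rec.firmware} is not the latest")
    if rec.backup_age_days is None:
        findings.append("no backup of PLC logic/configuration")
    elif rec.backup_age_days > MAX_BACKUP_AGE_DAYS:
        findings.append(f"backup is {rec.backup_age_days} days old")
    return findings


def audit_inventory(records: List[PlcRecord]) -> dict:
    return {r.name: audit_plc(r) for r in records}


# Constructed sample inventory: one controller configured the way CISA warns
# against (default password, exposed, default port, no backup) and one that
# follows every recommendation.
SAMPLE_INVENTORY = [
    PlcRecord("booster-station-1", "203.0.113.10", 20256, "1111", False, "9.8.65", None),
    PlcRecord("booster-station-2", "10.20.30.40", 30256, "Xk7#pLq92vRm", True, "9.9.0", 7),
]

if __name__ == "__main__":
    for name, issues in audit_inventory(SAMPLE_INVENTORY).items():
        print(name, "OK" if not issues else "; ".join(issues))
```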
Source – https://www.securityweek.com/cisa-warns-of-unitronics-plc-exploitation-following-water-utility-hack/
Qilin Ransomware Claims Attack on Automotive Giant Yanfeng
The Qilin ransomware group has claimed responsibility for a cyber attack on Yanfeng Automotive Interiors (Yanfeng), one of the world’s largest automotive parts suppliers.
Yanfeng is a Chinese automotive parts developer and manufacturer focused on interior components and employs over 57,000 people in 240 locations worldwide.
It sells interior components to General Motors, the Volkswagen Group, Ford, Stellantis (Fiat, Chrysler, Jeep, Dodge), BMW, Daimler AG, Toyota, Honda, Nissan, and SAIC Motor. The company constitutes a crucial part of the supply chain for these automakers.
Earlier this month, it was reported that Yanfeng was impacted by a cyberattack that directly affected Stellantis, forcing the car company to stop production at its North American plants.
The Chinese company remained unresponsive to inquiries for comments regarding the situation. However, its main website was inaccessible until yesterday, when it returned online without any statements regarding the outage.
“Due to an issue with an external supplier, production at some of Stellantis’ North America assembly plants was disrupted the week of November 13,” Stellantis shared in a statement.
“Full production at all impacted plants had resumed by November 16.”
The Qilin ransomware group, also known as “Agenda,” claimed the attack on Yanfeng by adding them to their Tor data leak extortion site yesterday.
The threat actors published multiple samples to prove their alleged access to Yanfeng systems and files, including financial documents, non-disclosure agreements, quotation files, technical data sheets, and internal reports.
Qilin has threatened to release all data in their possession in the coming days, but no specific deadline was set. The Qilin ransomware gang launched its RaaS (ransomware as a service) platform at the end of August 2022 under the name ‘Agenda.’
In 2023, the threat actors rebranded their ransomware under the name ‘Qilin,’ which they operate under today. The threat actors target companies in all sectors, and many attacks feature customization in the process termination and file extension changes to maximize impact.
Healthcare Giant Henry Schein Hit Twice by BlackCat Ransomware
American healthcare company Henry Schein has reported a second cyberattack this month by the BlackCat/ALPHV ransomware gang, who also breached their network in October.
Henry Schein is a Fortune 500 healthcare products and services provider with operations and affiliates in 32 countries and a revenue of over $12 billion reported in 2022.
It first disclosed on October 15 that it had to take some systems offline to contain another cyberattack that impacted its business one day before.
More than a month later, on November 22, the company said that some of its apps and the e-commerce platform were again taken down following another attack claimed by BlackCat ransomware.
“Certain Henry Schein applications, including its ecommerce platform, are currently unavailable. The Company continues to take orders using alternate means and continues to ship to its customers,” it said.
“Henry Schein has identified the cause of the occurrence. The threat actor from the previously disclosed cyber incident has claimed responsibility.”
Today, the company revealed that it has now restored its U.S. e-commerce platform, and it’s expecting that its platforms in Canada and Europe will also be back online shortly.
Across impacted areas, the healthcare services provider is reportedly still receiving orders through alternative channels and shipping to customers.
The BlackCat ransomware gang added Henry Schein to its dark web leak site, saying it breached the company’s network and allegedly stole 35 terabytes of sensitive data. According to the cybercrime operation, they re-encrypted the company’s devices after negotiations faltered towards the end of October while Henry Schein was on the verge of restoring its systems.
This would make this month’s incident the third time since October 15 that BlackCat encrypted Henry Schein’s systems after breaching its network.
“Despite ongoing discussions with Henry’s team, we have not received any indication of their willingness to prioritize the security of their clients, partners, and employees, let alone protect their own network,” the threat actors said.
“As of midnight today, a portion of their internal payroll data and shareholder folders will be published on our collections blog. We will continue to release more data daily.”
BlackCat emerged in November 2021 and is believed to be a rebrand of the infamous DarkSide/BlackMatter gang. Known initially as DarkSide, the gang garnered global attention after hitting Colonial Pipeline, prompting extensive law enforcement probes.
The FBI connected the ransomware group to over 60 breaches affecting organizations globally between November 2021 and March 2022.
Ardent Hospital ERs Disrupted in 6 States After Ransomware Attack
Ardent Health Services, a healthcare provider operating 30 hospitals across six U.S. states, disclosed today that its systems were hit by a ransomware attack on Thursday. After the incident, it had to take its entire network offline, notify law enforcement, and hire external experts to investigate the attack’s extent and impact.
“Ardent Health Services and its affiliated entities (“Ardent”) became aware of an information technology cybersecurity incident on the morning of November 23, 2023, which has since been determined to be a ransomware attack,” the organization said on Monday.
“As a result, Ardent proactively took its network offline, suspending all user access to its information technology applications, including corporate servers, Epic software, internet and clinical programs.”
Impacted hospitals are currently diverting all patients requiring emergency care to other hospitals in their area. However, they can still provide medical screening and stabilizing care to patients arriving at their emergency rooms.
“Each Ardent hospital continues to evaluate its ability to safely care for critically ill patients in its Emergency Room as we work to bring hospital systems back online. This is rapidly changing, and the status of each hospital will be updated as the situation improves,” Ardent added.
Patient care services are still active in Ardent’s clinics, though certain non-urgent elective surgeries have been temporarily halted as the organization is working to restore encrypted systems.
Ardent’s teams will directly contact individuals requiring rescheduling of appointments or procedures. Despite its IT teams’ efforts to reinstate access to impacted services, Ardent cannot provide a definitive timeline for the restoration process.
The health provider has yet to confirm if any patient health or financial data has been compromised during the attack and the extent of a potential data breach.
“Ardent has also implemented additional information technology security protocols and is working with specialist cybersecurity partners to restore its information technology operations and capabilities as quickly as possible,” Ardent said today.
“The investigation and restoration of access to electronic medical records and other clinical systems is ongoing.
“Ardent is still determining the full impact of this event and it is too soon to know how long this will take or what data may be involved in this incident.”
With a workforce comprising 23,000 employees, Ardent oversees operations across 30 hospitals and more than 200 care facilities in Texas, Oklahoma, New Mexico, Kansas, New Jersey, and Idaho and collaborates with over 1,400 affiliated healthcare providers spanning these six states.
Slovenia’s Largest Power Provider HSE hit by Ransomware Attack
Slovenian power company Holding Slovenske Elektrarne (HSE) has suffered a ransomware attack that compromised its systems and encrypted files, yet the company says the incident did not disrupt electric power production.
HSE is Slovenia’s largest power generation company, accounting for roughly 60% of domestic production, and it is considered critical infrastructure in the country. Founded in 2001 by the Government of Slovenia and owned by the state, the firm operates several hydroelectric, thermal, and solar power plants as well as coal mines across the country, while it also owns subsidiaries in Italy, Serbia, and Hungary.
As first reported by local news outlet 24ur.com on Saturday, HSE suffered a ransomware attack last Wednesday, with the company finally containing it on Friday, November 24. The Director of the Information Security Office, Uroš Svete, told the media that all power generation operations remained unaffected by the large-scale cyber attack. Still, IT systems and files were “locked” by the “crypto virus.”
The organization immediately informed the National Office for Cyber Incidents at Si-CERT and the Ljubljana Police Administration and engaged with external experts to mitigate the attack and prevent the virus from spreading to other systems across Slovenia.
So far, the organization has not received a ransom demand but stated that it might be too early for this, so they remain on high alert as system cleanup is still underway.
Today, Uroš Svete has issued a joint statement with the General Manager of HSE, Tomaž Štokelj, assuring the public that the situation is under control and that no operational disruption or significant economic damage is expected due to this incident.
According to the spokespersons, the impairment is limited to the websites of Šoštanj Thermal Power Plants and the Velenje Coal Mine.
Unofficial information shared with local media attributes the attack to the Rhysida ransomware gang, which has been active lately, prompting the FBI and CISA to issue a warning highlighting the group’s TTPs (Tactics, Techniques, and Procedures).
If Rhysida is behind the attack, it would also explain why HSE is stating they did not receive a ransom demand, as Rhysida ransom notes only contain an email address to contact the threat actors without specifying any monetary demands.
Reportedly, the ransomware operators breached HSE by stealing passwords for HSE’s systems from an unprotected cloud storage instance.
Rhysida first launched in May 2023, quickly targeting organizations in high-profile attacks, including ones on the Chilean Army, Prospect Medical, and the British Library.
The threat actors’ attacks on healthcare prompted the U.S. Department of Health and Human Services (HHS) to issue an advisory warning about the ransomware gang.
More recently, Rhysida listed a Chinese state-owned electric power conglomerate on its data leak site, auctioning allegedly stolen data for 50 BTC ($1,840,000).
Cybercriminals Using Telekopye Telegram Bot to Craft Phishing Scams on a Grand Scale
More details have emerged about a malicious Telegram bot called Telekopye that’s used by threat actors to pull off large-scale phishing scams with websites, emails, SMS messages, and more.
The threat actors behind the operation – codenamed Neanderthals – are known to run the criminal enterprise as a legitimate company, spawning a hierarchical structure that encompasses different members who take on various roles.
Once aspiring Neanderthals are recruited via advertisements on underground forums, they are invited to join designated Telegram channels that are used for communicating with other Neanderthals and keeping track of transaction logs.
The ultimate goal of the operation is to pull off one of the three types of scams: seller, buyer, or refund.
In the case of the former, Neanderthals pose as sellers and try to lure unwary Mammoths into purchasing a non-existent item. Buyer scams entail the Neanderthals masquerading as buyers so as to dupe the Mammoths (i.e., merchants) into entering their financial details to part with their funds.
Other scenarios fall into a category called refund scams wherein Neanderthals trick the Mammoths a second time under the pretext of offering a refund, only to deduct the same amount of money again.
Researchers stated that the activity tracked as Telekopye is the same as Classiscam, which refers to a scam-as-a-service program that has netted the criminal actors $64.5 million in illicit profits since its emergence in 2019.
For the Seller scam scenario, Neanderthals are advised to prepare additional photos of the item to be ready if Mammoths ask for additional details. If Neanderthals are using pictures they downloaded online, they are supposed to edit them to make image search more difficult.
Choosing a Mammoth for a buyer scam is a deliberate process that takes into account the victim’s gender, age, experience in online marketplaces, rating, reviews, number of completed trades, and the type of items they are selling, indicating a preparatory stage that involves extensive market research.
Also utilized by Neanderthals are web scrapers to sift through online marketplace listings and pick an ideal Mammoth who is likely to fall for the bogus scheme.
Should a Mammoth prefer in-person payment and in-person delivery for sold goods, the Neanderthals claim “they are too far away or that they are leaving the city for a business trip for a few days,” while simultaneously demonstrating heightened interest in the item to increase the likelihood of success of the scam.
Neanderthals have also been observed using VPNs, proxies, and Tor to stay anonymous, while also exploring real estate scams wherein they create bogus websites with apartment listings and entice Mammoths into paying a reservation fee by clicking on a link that points to a phishing website.
The disclosure comes as details emerged of a rug pull scam that managed to pilfer nearly $1 million by luring unsuspecting victims into investing in fake tokens and executing simulated trades to create a veneer of legitimacy.
Source – https://thehackernews.com/2023/11/cybercriminals-using-telekopye-telegram.html
Hamas-Linked Cyberattacks Using Rust-Powered SysJoker Backdoor Against Israel
Cybersecurity researchers have shed light on a Rust version of a cross-platform backdoor called SysJoker, which is assessed to have been used by a Hamas-affiliated threat actor to target Israel amid the ongoing war in the region.
Among the most prominent changes is the shift to Rust language, which indicates the malware code was entirely rewritten, while still maintaining similar functionalities. In addition, the threat actor moved to using OneDrive instead of Google Drive to store dynamic C2 (command-and-control server) URLs.
SysJoker was publicly documented in January 2022, describing it as a C++ backdoor capable of gathering system information and establishing contact with an attacker-controlled server by accessing a text file hosted on Google Drive that contains a hard-coded URL.
The discovery of a Rust variant of SysJoker points to an evolution of the cross-platform threat, with the implant employing random sleep intervals at various stages of its execution, likely in an effort to evade sandboxes.
One noteworthy shift is the use of OneDrive to retrieve the encrypted and encoded C2 server address, which is subsequently parsed to extract the IP address and port to be used.
After establishing a connection with the server, the artifact awaits further payloads that are then executed on the compromised host. Also discovered were two never-before-seen SysJoker samples designed for Windows that are significantly more complex, one of which utilizes a multi-stage execution process to launch the malware.
SysJoker has not yet been formally attributed to any threat actor or group. But newly gathered evidence shows overlaps between the backdoor and malware samples used in connection with Operation Electric Powder, which refers to a targeted campaign against Israeli organizations between April 2016 and February 2017.
This activity was linked to a Hamas-affiliated threat actor known as Molerats (aka Extreme Jackal, Gaza Cyber Gang, and TA402).
Both campaigns used API-themed URLs and implemented script commands in a similar fashion, raising the possibility that the same actor is responsible for both attacks, despite the large time gap between the operations.
Source – https://thehackernews.com/2023/11/hamas-linked-cyberattacks-using-rust.html