Friday, June 28th, 2024
Cybersecurity Week in Review (28/06/24)
Multiple car dealers report disruptions to SEC due to cyberattack on software company
Several large car-dealership companies in the U.S. filed notices with regulators on Friday in relation to a ransomware attack on CDK Global that has stymied work at thousands of dealers across North America over the last week.
Lithia Motors, Group 1 Automotive, Penske and Sonic Automotive warned the U.S. Securities and Exchange Commission (SEC) that they are all facing disruptions because CDK Global had to shut down its systems in response to the attack, which began last Tuesday.
Source: https://therecord.media/car-dealerships-reports-sec-cdk-software-ransomware
Red Tape Is Making Hospital Ransomware Attacks Worse
With cyberattacks increasingly targeting health care providers, an arduous bureaucratic process meant to address legal risk is keeping hospitals offline longer, potentially risking lives.
Crippling ransomware attacks against hospitals and health care providers are on the rise. These ruthless cyberattacks can take medical systems offline for weeks—canceling appointments and surgeries and causing harm to patients. Doctors and nurses are plunged into crisis situations where they resort to using pen and paper, while IT staff work to make systems safe and bring them back online. The recovery can be long-lasting and brutal.
Source: https://www.wired.com/story/ransomware-health-care-assurance-letters/
‘ChamelGang’ APT Disguises Espionage Activities with Ransomware
A likely China-backed advanced persistent threat (APT) group has been systematically using ransomware to disguise its relatively prolific cyberespionage operations for at least the past three years. The China-nexus threat actor has been operating since at least 2019 and has notched victims in multiple countries.
The threat actor, which researchers at SentinelOne track as ChamelGang (aka CamoFei), has recently targeted critical infrastructure organizations in East Asia and India.
French police shut down chat website reviled as ‘den of predators’
French law enforcement has shut down the chat website Coco, which authorities said has allowed offenders to coordinate child sexual abuse, rapes, homicides and other serious crimes. As of Tuesday, the website is no longer available and only displays a seizure notice from the French national police.
Coco is called “a den of predators” in France and has previously raised concerns among human rights organizations, LGBTQ+ activists, and child protection associations.
Last year, the French organization SOS Homophobie called for the police to shut down the website, as it was reportedly used by criminals to organize attacks targeting the local gay community, including the brutal ambush of a man with bats and sticks.
Source: https://therecord.media/coco-website-takedown-cybercrime-france
New Attack Technique Exploits Microsoft Management Console Files
Threat actors are exploiting a novel attack technique in the wild that leverages specially crafted management saved console (MSC) files to gain full code execution using Microsoft Management Console (MMC) and evade security defenses.
Elastic Security Labs has codenamed the approach GrimResource after identifying an artifact (“sccm-updater.msc”) that was uploaded to the VirusTotal malware scanning platform on June 6, 2024.
The technique not only bypasses ActiveX warnings but can also be combined with DotNetToJScript to gain arbitrary code execution. The analyzed sample uses this approach to launch a .NET loader component dubbed PASTALOADER that ultimately paves the way for Cobalt Strike.
Source: https://thehackernews.com/2024/06/new-attack-technique-exploits-microsoft.html
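A saved console is XML, so the simplest triage check is to look at what its string table and attributes actually contain. The scanner below is an added example, not Elastic's code and not derived from the analysed sample: it parses a .msc document and flags any element whose text or attribute value carries script or resource-URL indicators that a console's display strings never legitimately need. The indicator list is illustrative; the apds.dll entry reflects the trigger named in Elastic's GrimResource write-up, and both sample documents are constructed for this example.

```python
"""Added example: heuristic scan of MMC saved-console (.msc) XML for GrimResource-style content."""
import re
import xml.etree.ElementTree as ET

# Illustrative indicators. A legitimate console string table holds display names,
# not script, javascript: URLs or res:// resource references.
SUSPECT_PATTERNS = [
    r"<script",         # HTML/JS embedded in a string (XML-escaped on disk, decoded by the parser)
    r"javascript:",     # script URL
    r"res://",          # resource-protocol URL into a DLL's HTML resources
    r"apds\.dll",       # DLL named as the trigger in Elastic's write-up (assumption: list kept current by the reader)
    r"ActiveXObject",   # COM instantiation from script
    r"\beval\s*\(",
    r"\bunescape\s*\(",
]
_SUSPECT_RE = re.compile("|".join(SUSPECT_PATTERNS), re.IGNORECASE)


def scan_msc(xml_text: str) -> list[dict]:
    """Return one finding per element whose text or an attribute value matches an indicator."""
    root = ET.fromstring(xml_text.lstrip())  # ET rejects whitespace before the <?xml ...?> declaration
    findings = []
    for elem in root.iter():
        for value in [elem.text or ""] + list(elem.attrib.values()):
            match = _SUSPECT_RE.search(value)
            if match:
                findings.append({"tag": elem.tag, "indicator": match.group(0), "snippet": value.strip()[:80]})
                break  # one finding per element is enough
    return findings


def is_suspicious(xml_text: str) -> bool:
    return bool(scan_msc(xml_text))


# Constructed samples modelled on the MMC console XML layout; neither is a real file.
BENIGN_MSC = """<?xml version="1.0" encoding="UTF-8"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">Event Viewer (Local)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

MALICIOUS_MSC = """<?xml version="1.0" encoding="UTF-8"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">res://apds.dll/redirect.html?target=javascript:eval("new ActiveXObject('WScript.Shell').Run('calc')")</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_MSC), ("malicious", MALICIOUS_MSC)):
        print(name, "->", scan_msc(doc) or "clean")
```

Run it over every .msc that arrives by mail or lands in a download directory; a hit on a file that is not a known administrative console is worth a closer look, and a hit on the string table specifically is the kind of artifact that has no benign explanation.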
Polyfill.io JavaScript supply chain attack impacts over 100K sites
Over 100,000 sites have been impacted in a supply chain attack by the Polyfill.io service after a Chinese company acquired the domain and the script was modified to redirect users to malicious and scam sites.
A polyfill is code, typically JavaScript, that implements modern browser functionality in older browsers that lack it, so a page can call newer JavaScript APIs regardless of the visitor's browser.
The polyfill.io service is embedded by hundreds of thousands of sites to serve those shims on demand, letting every visitor run the same codebase even when their browser does not support the same modern features as newer ones. Because the script is fetched from the service's domain at page-load time, whoever controls that domain controls code that runs in every visitor's browser.
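A first response for anyone who operates websites is an inventory: which pages still load script from the affected domain, and do those tags carry any integrity check at all. The scanner below is an added example, not code from the polyfill.io project or from the reporting above; it pulls every `<script src>` out of an HTML document, resolves the host (including protocol-relative `//host/...` URLs), and flags those on a configurable list of hosts. The sample page is constructed for the example, and the flagged-host set is the one named in this story.

```python
"""Added example: find <script> tags that pull code from polyfill.io."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts flagged by this scanner; the two polyfill.io names are the ones in this story.
FLAGGED_HOSTS = {"polyfill.io", "cdn.polyfill.io"}


class _ScriptCollector(HTMLParser):
    """Collect (src, has_integrity) for every <script src=...> tag in the document."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attrs = {name.lower(): value for name, value in attrs}
        if attrs.get("src"):
            self.scripts.append((attrs["src"], bool(attrs.get("integrity"))))


def _host_of(src: str) -> str:
    """Hostname of a script URL; protocol-relative '//host/path' URLs get a scheme first."""
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


def _is_flagged(host: str, hosts) -> bool:
    return host in hosts or any(host.endswith("." + h) for h in hosts)


def find_flagged_scripts(html: str, hosts=FLAGGED_HOSTS) -> list[dict]:
    """Return one finding per script tag whose host is, or is a subdomain of, a flagged host."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    return [
        {"src": src, "host": _host_of(src), "integrity": has_sri}
        for src, has_sri in collector.scripts
        if _is_flagged(_host_of(src), hosts)
    ]


# Constructed sample page, not a real site.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="/static/js/app.js" integrity="sha384-abc"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for finding in find_flagged_scripts(SAMPLE_HTML):
        print(f"flagged: {finding['src']} (host {finding['host']}, SRI: {finding['integrity']})")
```

Note the integrity flag will almost always be false for polyfill.io tags: the service tailors the bundle to the requesting browser, so there is no single hash to pin, which is exactly why the remediation is to remove the tag or self-host the polyfill rather than to add Subresource Integrity.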
New Medusa Android Trojan Targets Banking Users Across 7 Countries
Cybersecurity researchers have discovered an updated version of an Android banking trojan called Medusa that has been used to target users in Canada, France, Italy, Spain, Turkey, the U.K., and the U.S.
The new fraud campaigns, observed in May 2024 and active since July 2023, manifested through five different botnets operated by various affiliates, cybersecurity firm Cleafy said in an analysis published last week.
The new Medusa samples feature a “lightweight permission set and new features, such as the ability to display a full-screen overlay and remotely uninstall applications,” security researchers Simone Mattia and Federico Valentini said.
Source: https://thehackernews.com/2024/06/new-medusa-android-trojan-targets.html
4 FIN9-linked Vietnamese Hackers Indicted in $71M U.S. Cybercrime Spree
Four Vietnamese nationals with ties to the FIN9 cybercrime group have been indicted in the U.S. for their involvement in a series of computer intrusions that caused over $71 million in losses to companies.
The defendants, Ta Van Tai (aka Quynh Hoa and Bich Thuy), Nguyen Viet Quoc (aka Tien Nguyen), Nguyen Trang Xuyen, and Nguyen Van Truong (aka Chung Nguyen), have been accused of conducting phishing campaigns and supply chain compromises to orchestrate cyber attacks and steal millions of dollars.
Source: https://thehackernews.com/2024/06/4-fin9-linked-vietnamese-hackers.html
Los Angeles County says 25 departments affected by February phishing incident
Multiple departments of Los Angeles County’s government were successfully breached as part of a wide-ranging phishing campaign conducted in February, officials told Recorded Future News.
Overall, 25 of the county’s 38 departments were affected, but only two health-related agencies have released public notices. They were the only ones required to do so under California state law, according to a spokesperson for the county, because the personal or health information of more than 500 people was compromised in each incident.
Source: https://therecord.media/los-angeles-county-25-departments-february-phishing-campaign
Russia-Linked CopyCop Expands to Cover US Elections, Target Political Leaders
CopyCop, a likely Russian government-aligned influence network, has shifted its focus to the 2024 US elections. Using AI and inauthentic websites, CopyCop creates and spreads political content. The network registered 120 new websites between May 10 and May 12, 2024, amplifying targeted content through platforms like YouTube. Despite a focus shift to US elections, CopyCop’s AI-generated content has seen limited social media amplification.
CopyCop has expanded its sources for influence content to include mainstream news outlets in the US and UK, conservative-leaning US media, and Russian state-affiliated media. Within 24 hours of the original articles being posted, CopyCop scrapes, modifies, and disseminates them to US election-themed websites using over 1,000 fake journalist personas.