Last week was once again dominated by MOVEit data-theft attacks: the list of victims keeps growing and now includes the U.S. government, universities, private companies and hospitals. Impersonation campaigns are also rampant, from impersonating brands, to impersonating cybersecurity researchers who publish fake PoCs to push malware, to impersonating popular web portals. Additionally, Capita has been sent its first Letter of Claim, the Chilean Army's documents were leaked, and a joint advisory from 7 nations was issued warning about LockBit, the world's top ransomware threat.
Read on for a quick summary of what happened this week in cybersecurity.

Clop ransomware gang has started to extort MOVEit data-theft victims

The Clop ransomware gang has listed 13 companies on its data leak site, but did not state whether they were related to the MOVEit Transfer attacks or to ransomware encryption attacks. 5 of the listed companies, Shell, United Healthcare Student Resources (UHSR), Landal Greenparks, Heidelberger Druck, the University of Georgia (UGA) and University System of Georgia (USG), have confirmed that they were impacted by the MOVEit attacks. Shell stated that only a small number of employees and customers were impacted, and Landal stated that approximately 12,000 guests' names and contact information were accessed. UGA, USG and UHSR stated they are still investigating the attack and will disclose any breaches they discover. Heidelberger Druck, a German printing company, stated that its analysis indicated no data breach had occurred. Putnam Investments, also listed on the data leak site, stated it was still looking into the matter. Other organisations that had already disclosed MOVEit Transfer breaches include Zellis (which impacted the BBC, Aer Lingus, Boots and Ireland's HSE), the University of Rochester, the government of Nova Scotia, the U.S. state of Missouri, the U.S. state of Illinois, Ofcom, BORN Ontario, Extreme Networks and the American Board of Internal Medicine. However, the Clop ransomware gang has stated that any data from the military, children's hospitals and the government has been erased.

Millions of Oregon and Louisiana state IDs accessed in MOVEit breach

The Oregon Department of Transportation stated that threat actors accessed the personal information of about 3.5 million residents, affecting anyone who holds an active Oregon ID or driver's license. The Louisiana Office of Motor Vehicles announced that it believes all residents with a Louisiana driver's license, ID or car registration likely had their data exposed. The personal information accessed includes name, address, social security number, birth date, height, eye color, driver's license number, vehicle registration information and handicap placard information. However, the agency stated there is no indication that Clop has used, sold, shared or released any of the stolen data, and that Clop should have deleted it, as the gang promised in its earlier announcement to erase any stolen government data.

The U.S. Energy Department got 2 ransom notices due to MOVEit data-theft attack

The U.S. Department of Energy (DOE) received ransom requests from the Clop ransomware gang at both a nuclear waste facility and a scientific education facility. The DOE contractor Oak Ridge Associated Universities and the Waste Isolation Pilot Plant, the New Mexico-based facility for disposal of defense-related radioactive nuclear waste, were hit in the MOVEit data-theft attack. The ransom requests were sent by email to each facility.

First legal Letter of Claim sent over Capita's mega breach

Barings Law stated that it sent a Letter of Claim to Capita last week outlining its clients' case and their list of concerns. This follows the high-profile data-theft attack in late March that exposed some customers' personal data, such as passports, emails and home addresses, to threat actors. About 250 people who suspect they were victims of the data breach have signed up to the class action, and Barings stated it has been receiving up to 40 calls a day from concerned parties, including local councils. A Barings spokesman stated that Capita has 3 months to reply to the Letter of Claim, and that no papers have yet been served with a court.

Chilean Army's documents leaked by Rhysida ransomware gang

The Rhysida ransomware gang has leaked what it claims are documents stolen from the network of the Chilean Army. The leak came after the Chilean Army confirmed on 29 May that its systems had been impacted by a security incident over the weekend. Rhysida has published 30% of the data (about 360,000 documents) it claims to have stolen from the Chilean Army's network.

U.S. LockBit victims alone paid over $90m in ransoms since 2020

In a joint security advisory, cybersecurity authorities in the U.S., Australia, Germany, France, the UK, Canada and New Zealand issued an alert on LockBit, a ransomware-as-a-service gang, along with protection tips. The nations also urged victims not to give in to the ransomware gang's demands. LockBit was the most used ransomware globally in 2022 and so far in 2023. LockBit has cost U.S. victims alone more than $90 million across around 1,700 attacks since 2020. Additionally, LockBit made up 18% of reported Australian ransomware incidents, 22% of Canada's attributed ransomware incidents, 23% of New Zealand's reported ransomware incidents, and 16% of U.S. State, Local, Tribal and Territorial government ransomware incidents.

Massive impersonation campaign targets over 100 brands including Nike, Puma and Doc Martens

A massive brand impersonation campaign targeting over 100 popular apparel, clothing and footwear brands has been running since June 2022. It tricks people into entering their account credentials and financial information on fake websites. Brands affected include, but are not limited to, Nike, Puma, Adidas, Casio, Crocs, New Balance, Tommy Hilfiger, Reebok and Doc Martens. Peak phishing activity occurred between November 2022 and February 2023, but the campaign is still ongoing. The perpetrators registered thousands of domains to target unsuspecting customers and trick them into making purchases on their websites. Victims either never received the promised products or were sent cheap knock-offs, and their personal information was also compromised.

North Korean hackers mimic popular web portal

North Korean hackers have created a fake website that looks almost exactly like the popular South Korean web portal Naver. The National Intelligence Service (NIS) issued a warning last week urging people to refrain from accessing the website, called "Naver Portal", and is working with overseas organisations to track down the group's activity. NIS did not disclose how many people have fallen victim t

Fake PoC exploits for zero-day vulnerabilities published on GitHub push Windows and Linux malware

Hackers are impersonating cybersecurity researchers on GitHub and Twitter to publish fake proof-of-concept exploits for zero-day vulnerabilities that infect Windows and Linux systems with malware. The fake PoCs are published by "researchers" at a fake cybersecurity company called "High Sierra Cyber Security", who promote the GitHub repositories on Twitter to target cybersecurity researchers and firms that do vulnerability research. The repositories look legitimate and impersonate real security researchers from firms such as Rapid7, even using their headshots. The actors maintain Twitter accounts to lend legitimacy to their research and GitHub repositories and to attract more victims via social media. VulnCheck discovered the campaign and reported that it has been running since at least May 2023. The actors have promoted supposed exploits for zero-day flaws in Chrome, WhatsApp, Discord, Microsoft Exchange and Signal. All repositories host a Python script that acts as a malware downloader for Linux and Windows systems. The success of this campaign is unclear; however, VulnCheck stated that the threat actors appear persistent, creating new accounts and repositories when existing ones are reported and removed. At the time of writing, these GitHub repositories should be avoided:
© 2021, TAFA HOLDINGS (S) PTE LTD. ALL RIGHTS RESERVED