Last week, more data breaches, cyberattacks and ransomware attacks occurred across several industries, some with devastating consequences. Multiple class action lawsuits have been filed against MGM Resorts and Caesars Entertainment. New malware, phishing campaigns, vulnerabilities and patches have also been found and released. It is highly recommended not only to be aware of them but also to apply the updates when possible.

Read on for a quick summary of what happened this week in cybersecurity.

MGM Resorts and Caesars Entertainment face 6 class action lawsuits over September cyberattacks

6 class action lawsuits have been filed against MGM Resorts and Caesars Entertainment. The lawsuits allege that MGM and Caesars failed to protect their customers' personally identifiable information through their negligence, that MGM and Caesars knew they should have protected their customers' personal information, and that they failed to comply with Federal Trade Commission guidelines and industry standards. The plaintiffs contend that they are now more vulnerable to identity theft. In a separate case involving MGM only, another class action lawsuit was filed. The plaintiff, Tonya Owens of Mississippi, contends that MGM was negligent in failing to prevent the cyberattack which resulted in the data breach, and negligent in protecting its consumers' sensitive data. Owens wants to represent a nationwide class of consumers whose personal information, such as names, birthdates, addresses and social security numbers, was exposed in the MGM data breach. The MGM class action states that MGM "failed to adequately protect Plaintiff's and Class members PII - and failed to even encrypt or redact this highly sensitive information".

DarkBeam exposed billions of users' emails and passwords

DarkBeam, a digital risk protection firm, left an Elasticsearch and Kibana interface unprotected, exposing billions of records of users' emails and passwords from previously reported and unreported data breaches. According to Bob Diachenko, the researcher who identified the leak, over 3.8 billion records were exposed. The data leak, identified on 18 September, was closed immediately after Diachenko informed the company about it. Exposing collections of users' emails and passwords is very dangerous, as it gives cybercriminals an easy way to use these accounts to carry out cyber attacks.

Johnson Controls, a building automation giant, suffers a ransomware attack

Johnson Controls International, a multinational conglomerate that develops and manufactures industrial control systems, security equipment, air conditioners, and fire safety equipment, has been hit by a massive ransomware attack that encrypted the company's VMware ESXi virtual machines, impacting the operations of the company and its subsidiaries. A source told BleepingComputer that the company was initially breached at its Asia offices and was attacked over the weekend, which caused the company to shut down a portion of its IT systems. Many of its subsidiaries, including York, Simplex and Ruskin, have begun to display technical outage messages on website login pages and customer portals. BleepingComputer was told that the ransomware gang demands $51 million to provide a decryptor and to delete stolen data. The threat actors claim to have stolen over 27TB of corporate data. In an SEC filing, Johnson Controls stated that they are working with external cybersecurity experts to investigate the incident and are also coordinating with their insurers.

Sony allegedly data breached: multiple hackers claim responsibility

Sony has allegedly been the victim of a data breach, and multiple hackers have claimed responsibility for the alleged attack. On Monday, Ransomed.vc, a relatively new hacking group, claimed to have successfully compromised "all" of the company's systems. They posted a 2MB compressed data sample containing some Java source code files, Eclipse IDE screenshots and a PowerPoint presentation. The gang also claimed to have stolen 260 GB of data from Sony and was attempting to sell the data for US$2.5 million. However, a second threat actor, MajorNelson, has leaked "for free" a sample of the data believed to be in Ransomed.vc's possession: a 2.4GB compressed archive containing 3.14GB of Sony's data. MajorNelson also calls Ransomed.vc "scammers" that are trying to "chase influence". MajorNelson claimed the stolen data contained "a lot" of credentials for online systems, SonarQube, Creators Cloud, Sony's certificates, a device emulator for generating licences, Qasop security, and incident response policies. It has been observed that the data posted by MajorNelson contained all the files posted by Ransomed.vc. Hence, it is unclear which malicious actors are responsible for the data breach. Sony is currently investigating the situation.

BORN Ontario child registry has been data breached: 3.4 million people impacted

The Better Outcomes Registry & Network (BORN), a government-funded healthcare organisation in Ontario, has announced that it was impacted by the MOVEit Transfer attacks. BORN became aware of the security breach on 31 May, posted a public notice on its site, and notified the relevant authorities. The firm also engaged external cybersecurity experts to investigate the breach. The investigation revealed that the threat actors copied files containing sensitive information on approximately 3.4 million people, primarily newborns and pregnancy care patients, covering January 2010 to May 2023. The exposed data includes full name, birth date, home address, postal code and health card number. Depending on the type of care received through BORN, the following data may have been exposed as well: dates of service/care, lab test results, pregnancy risk factors, type of birth, procedures, and pregnancy and birth outcomes. BORN states that there is no evidence yet that any stolen data is being circulated on the dark web or "misused for any fraudulent purposes".

T-Mobile US system glitch exposes some customer account data

According to customers who complained about the issue on X (formerly known as Twitter) and Reddit, the T-Mobile app was displaying other customers' data instead of their own, including other customers' purchase history, credit card information and address. In a statement, the telco said that this was not a data breach, but rather a "temporary system glitch which resulted because of a planned overnight technology update that involved limited account information for fewer than 100 customers".

At least 60,000 emails stolen in Microsoft breach

During a recent Senate staff briefing, US State Department officials disclosed that the Chinese attackers stole at least 60,000 emails from Outlook accounts belonging to State Department officials stationed in East Asia, the Pacific, and Europe. The attackers also managed to obtain a list of all the department's email accounts. The compromised State Department personnel primarily focused on Indo-Pacific diplomacy efforts. State Department spokesperson Matthew Miller told reporters that no classified systems were hacked. In July, Microsoft disclosed that on 15 May 2023, threat actors successfully breached Outlook accounts associated with approximately 25 organisations, including the US State and Commerce Departments. Earlier this month, Microsoft disclosed that the threat group obtained a consumer signing key from a Windows crash dump by compromising the corporate account of a Microsoft engineer, which then enabled access to the government email accounts. The stolen key, combined with a vulnerability, allowed the hackers to generate counterfeit signed access tokens and impersonate accounts within the targeted organisations.

SickKids impacted by the BORN Ontario data breach that impacted 3.4 million people

The Hospital for Sick Children, more commonly known as SickKids, has been impacted by the MOVEit attack, because it shares sensitive health information "related to pregnancy, birth and newborn care" with BORN Ontario, a perinatal and child registry that collects, interprets, shares and protects critical data about pregnancy, birth and childhood in Ontario, and BORN was a victim of the MOVEit attack that impacted 3.4 million people. SickKids warns that its patients and associates may also have been affected. It is worth noting that SickKids may not be the only hospital affected by the BORN Ontario security incident, and similar disclosures may come from other healthcare providers in the upcoming weeks.

Microsoft Bing Chat pushes malware via bad ads

Malicious advertisements are being injected into Microsoft's AI-powered Bing Chat responses, promoting fake download sites that distribute malware. Bing Chat, introduced in February 2023, aimed to make online searches more intuitive. Malwarebytes, a security outfit, said on Thursday that it has detected harmful ads distributed via Bing Chat conversations. The victims have to click on the ad, which takes them to other sites that could attempt to phish their login details for a legitimate service, push a malware download onto them, or exploit a bug to hijack their computer. For example, clicking on a deceptive link might take the Bing Chat user to a website designed to separate potential victims from bots, security researchers and sandboxes. Those deemed to be valid targets are redirected to a typosquatted fake website, designed to resemble a legitimate one, where they are then invited to download and run a malicious installer.

FBI warns of new trend in dual ransomware attacks: victims now get hit again within 48 hours

The FBI has warned about a new trend in ransomware attacks whereby multiple strains are deployed on victims' networks to encrypt systems in under 2 days. Ransomware affiliates and operators have been observed using 2 distinct variants when targeting organisations. The FBI said that "the use of dual ransomware variants results in a combination of data encryption, exfiltration and financial losses from ransom payments", and that "a second ransomware attack against an already compromised system can significantly harm victim entities." Ransomware groups used to typically require a minimum of 10 days to execute dual attacks; presently, the majority of the ransomware incidents target the same victim within 48 hours of each other. The FBI also said that multiple ransomware gangs have, since early 2022, been adding new code to evade detection. In some other incidents, malware containing data-wiping functionality was set up to remain dormant on compromised systems until a predetermined time, at which point the malware would destroy data on the victims' networks at periodic intervals.

New hacking group, AtlasCross, impersonates the American Red Cross as a phishing lure

A new APT hacking group, AtlasCross, is impersonating the American Red Cross as a phishing lure to deliver backdoor malware to organisations. NSFocus reports that the AtlasCross hackers are sophisticated and evasive, preventing researchers from finding out their origin. AtlasCross attacks begin with a phishing message pretending to be from the American Red Cross, requesting the recipient to participate in a "September 2023 Blood Drive". These emails contain a macro-enabled Word doc attachment that urges the victim to click "Enable Content" to view the hidden content. Doing so lets the malicious macros infect the Windows device with the DangerAds and AtlasAgent malware. The former functions as a loader which assists the hackers' selective targeting, and the latter extracts host and process details. What makes detection harder is that they favour discreet infection methods over efficiency, which allows the hackers to operate undetected for an undefined duration.

Fake Bitwarden sites pushing ZenRAT, a new password-stealing malware

Fake Bitwarden sites are pushing installers supposedly for the open-source password manager that carry a new password-stealing malware called ZenRAT. The malware is distributed to Windows users through sites that imitate the legitimate Bitwarden site (a very convincing lookalike) and rely on common misspellings of legitimate websites to fool potential victims (the domain name of the fake site was bitwariden[.]com). The purpose of ZenRAT is to collect browser data and credentials along with details about the infected host, in short, information stealing. Cybercriminals can then use these details to access an account as if the legitimate user had logged in.

Budworm hackers target telcos and government organisations with custom malware

Budworm, a Chinese cyber-espionage hacking group, has been observed targeting a telecommunications firm and a government entity in the Middle East and Asia respectively, with a custom variant of the 'SysUpdate' backdoor. The newest variant can evade detection by security tools running on the compromised host. Symantec also reports seeing other publicly available tools used in Budworm's latest attacks, such as AdFind, SecretsDump, PasswordDumper, and Curl. These tools help to dump credentials, map the network, spread laterally on a compromised network, and steal data.

Hackers are actively exploiting a high-severity vulnerability in Openfire to encrypt servers

Hackers are actively exploiting a high-severity vulnerability (tracked as CVE-2023-32315) in Openfire messaging servers to encrypt servers with ransomware and deploy cryptominers. The flaw is an authentication bypass which allows unauthenticated attackers to create new admin accounts on vulnerable servers. It impacts all Openfire versions from 3.10.0 up to 4.6.7 and from 4.7.0 to 4.7.4. Although Openfire fixed the flaw with versions 4.6.8, 4.7.5 and 4.8.0, released in May 2023, over 3,000 Openfire servers were still running a vulnerable version in mid-August 2023. Dr.Web has reported that signs of active exploitation have been detected, with hackers taking advantage of the flaw for their malicious campaigns. In total, Dr.Web observed 4 distinct attack scenarios which leveraged this flaw. It is crucial to apply all security updates for your servers immediately to avoid being exploited by these attackers.

Google assigns new 10/10 severity rating to libwebp security vulnerability exploited in attacks

Google has assigned a new CVE ID (CVE-2023-5129) to a libwebp security vulnerability exploited as a zero-day in cyberattacks, which was patched 2 weeks ago. The newly assigned CVE marks it as a critical issue in libwebp with a maximum 10/10 severity rating. The vulnerability enables attackers to perform out-of-bounds memory writes using malicious HTML pages. This type of flaw can have dire consequences, from crashes to arbitrary code execution and unauthorised access to sensitive information.

Google fixes 5th actively exploited Chrome zero-day of 2023

Google has patched the 5th Chrome zero-day vulnerability exploited in attacks since the beginning of 2023, in emergency security updates released today. The vulnerability was exploited to install spyware. It is addressed in Google Chrome 117.0.5938.132, which is rolling out worldwide to Windows, Mac, and Linux users in the Stable Desktop Channel. Google Chrome auto-checks for new updates and installs them automatically after the next launch.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
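The Openfire item above gives two affected version ranges and three fixed releases. The following added example (not from the original post or from the Openfire project) shows how a defender can triage an asset inventory against those ranges; the hostnames and versions in SAMPLE_INVENTORY are constructed sample data.

```python
"""Flag Openfire instances whose version falls in the ranges affected by
CVE-2023-32315 (3.10.0 to 4.6.7 and 4.7.0 to 4.7.4; fixed in 4.6.8, 4.7.5, 4.8.0).
Added illustration; the inventory below is constructed sample data, not real hosts."""
from __future__ import annotations

# Inclusive (first_affected, last_affected) ranges as stated in the advisory.
AFFECTED_RANGES = [((3, 10, 0), (4, 6, 7)), ((4, 7, 0), (4, 7, 4))]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '4.7.4' (or '4.7.4-SNAPSHOT') into a comparable tuple (4, 7, 4)."""
    core = text.strip().split("-")[0]          # drop any build/pre-release suffix
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))       # pad '4.7' to (4, 7, 0)


def is_vulnerable(version: str) -> bool:
    """True if the version lies inside any affected range (tuple comparison)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split an {host: version} inventory into vulnerable / not_affected / unknown."""
    result: dict[str, list[str]] = {"vulnerable": [], "not_affected": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "vulnerable" if is_vulnerable(version) else "not_affected"
        except ValueError:                     # unparsable banner: needs manual review
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "chat-01.example.internal": "4.7.4",
    "chat-02.example.internal": "4.7.5",
    "chat-03.example.internal": "4.6.7-SNAPSHOT",
    "chat-04.example.internal": "4.8.0",
    "chat-05.example.internal": "3.9.3",
    "chat-06.example.internal": "n/a",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket have a banner that did not parse and should be checked by hand rather than assumed safe.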
© 2021, TAFA HOLDINGS (S) PTE LTD. ALL RIGHTS RESERVED