Last week, more cyberattacks and data breaches occurred across several industries, with the government, public and healthcare sectors particularly affected. New ransomware, adware, phishing campaigns and patches have also surfaced. Read on for a quick summary of what happened this week in cybersecurity.

The Police Service of Northern Ireland suffered ‘critical’ data breaches.

The Police Service of Northern Ireland (PSNI) suffered a “monumental” data breach on 8 August, after its employees’ personal identifying information was published online. The data published included the surname, initials, rank/grade, role and location of more than 100,000 serving officers and staff of the PSNI. The breach occurred when the data was accidentally posted online in response to a Freedom of Information (FoI) request. The data was accessible for 3 hours before it was taken down. In a statement, Assistant Chief Constable Chris Todd said the incident was “unacceptable” and due to “human error”. The Information Commissioner’s Office (ICO) has been alerted and an investigation into the incident has been launched. On 9 August, it was revealed that PSNI is also investigating a second data breach, following the theft of a spreadsheet containing the names of more than 200 serving officers and staff, together with a police-issue radio and laptop, from a private vehicle on 6 July.

EY breach exposed over 30,000 Bank of America customers.

EY has stated that 30,210 Bank of America customers were exposed by the MOVEit Transfer attacks. EY’s US branch has begun contacting the individuals affected. According to the letter EY sent on 9 August to impacted individuals, it learned of the incident on 31 May and launched an investigation to understand the scope of the issue. The investigation found that neither EY’s nor Bank of America’s internal systems were affected, but a large amount of sensitive data was exposed: full names, addresses, financial account information, debit or credit card numbers, social security numbers and government-issued ID numbers. EY stated that Bank of America will provide affected clients with a “complimentary 2-year membership in an identity theft protection service.”

Cyberattack caused the suspension of the Gemini North Observatory.

The U.S. National Optical-Infrared Astronomy Research Laboratory (NOIRLab) detected a cyber incident on its computer systems on 1 August 2023. As a precaution, the Gemini Observatory computer systems were shut down, and the Gemini website and proposal tools are currently offline. Both telescopes will remain closed while the NOIRLab IT team investigates and develops a recovery plan with NSF’s cyber specialists. On 9 August 2023, NOIRLab added that, as a further precaution, it had also disconnected the Mid-Scale Observatories (MSO) network on Cerro Tololo and at SOAR; as a result, the Victor M. Blanco 4-meter Telescope and the SOAR Telescope are unavailable.

Missouri’s Department of Social Services disclosed that healthcare information was exposed in a data breach.

Missouri’s Department of Social Services (DSS) disclosed that protected Medicaid healthcare information was exposed in a data breach after IBM was hit by the MOVEit Transfer data-theft attack. The exposed information may include names, department client numbers, dates of birth, benefit eligibility status or coverage, and medical claims information. DSS stated that it is currently reviewing the files associated with the breach and that it will take some time to analyze the data and fully determine the scope. The investigation so far has shown that only 2 social security numbers were exposed, and no banking information has been identified. DSS is sending notifications to all Missouri Medicaid participants who were enrolled in May 2023 as a precaution, and suggests that individuals freeze their credit to prevent cyber criminals from opening new accounts or borrowing money in their name. DSS also strongly recommends monitoring credit reports for unusual activity.

The UK Electoral Commission disclosed a data breach that exposed 8 years of voter data.

The UK Electoral Commission disclosed a massive data breach that exposed the personal information of voters registered in the United Kingdom between 2014 and 2022, as well as the names of those registered as overseas voters. Threat actors accessed the Commission’s servers, which held its email, control systems and copies of the electoral registers. Those who registered to vote anonymously were not included in the exposed registers. The exposed information includes (1) personal data held in the Commission’s email system: full name, email address, home address (if included in a webform or email), personal and/or business contact number, the content of webforms and emails, which may contain personal data, and any personal images sent to the Commission; and (2) personal data held in electoral register entries: full name, home address, and the date on which a person reaches voting age that year. Because the threat actors had access to the email server, any internal and external communications with the agency are also exposed. All UK voters are advised to be alert to targeted phishing emails attempting to gather further sensitive information such as passwords, financial information or account numbers. If a suspicious email is received, do NOT click on any links.

Knight ransomware distributed via fake TripAdvisor complaints.

The Knight ransomware, a recent rebrand of the Cyclops Ransomware-as-a-Service, is being distributed in an ongoing spam campaign posing as TripAdvisor complaints. Felix, the Sophos researcher who discovered the campaign, said the emails carried ZIP attachments named “TripAdvisorComplaint.zip”. A newer version of the campaign has since been spotted that uses an HTML attachment instead. When the HTML file is opened, it displays what looks like a browser window on TripAdvisor, showing a complaint supposedly submitted against a restaurant and asking the user to review it. Clicking the ‘Read Complaint’ button ultimately launches the malware. The ransomware drops a ransom note demanding $5,000.

Industrial PLCs globally impacted by CODESYS V3 RCE flaws.

Millions of programmable logic controllers (PLCs) used in industrial environments worldwide are exposed to 15 vulnerabilities in the CODESYS V3 software development kit that allow remote code execution (RCE) and denial of service (DoS). These could allow threat actors to shut down power plants or steal information from critical infrastructure environments. CODESYS V3, which follows the IEC 61131-3 standard, is used by more than 500 device manufacturers to program more than 1,000 PLC models. The vendor released security updates addressing the vulnerabilities in April 2023, but by their nature these devices are not updated frequently. Administrators are strongly advised to upgrade to CODESYS V3 version 3.5.19.0 as soon as possible. Microsoft also recommends disconnecting PLCs and other critical industrial devices from the internet.

Google Play apps with 2.5 million installs secretly load advertisements when the phone’s screen is off.

The Google Play store was infiltrated by 43 Android applications, with 2.5 million installs in total, that secretly displayed advertisements while the phone’s screen was off. McAfee’s Mobile Research Team discovered the malicious apps and reported them to Google, which has since removed them from Google Play. The apps were mainly media streaming apps and news aggregators, and their audience was predominantly Korean. Although classified as adware, these apps still pose user-profiling risks, drain the battery, consume significant mobile data and perpetrate fraud against advertisers.

Rhysida ransomware operation behind recent attacks on healthcare.

The Rhysida ransomware operation is gaining notoriety after recent attacks on healthcare and public health sector organizations. Rhysida is a relatively new Ransomware-as-a-Service group that previously focused mainly on entities in other industries. A bulletin published last week by the U.S. Department of Health and Human Services (HHS) warned that the scale of Rhysida’s activity has grown to dangerous proportions, with a recent focus on the healthcare and public sector. Rhysida’s victims are distributed globally, across Western Europe, Australia, and North and South America.

Code leaks are resulting in an increase in new ransomware actors.

When ransomware source code or builders are leaked, it becomes easier for aspiring cybercriminals who lack the expertise to develop their own ransomware variants. This has brought more actors into the space and increased the number of ransomware variants in circulation, leading to more frequent attacks and new challenges for cybersecurity professionals. Since the start of 2023, Talos has repeatedly found campaigns in which cybercriminals used new ransomware variants built on leaked source code or builders.

Google to combat threat actors with weekly security updates.

Google has moved Google Chrome from a bi-weekly to a weekly security update schedule. The change addresses the growing patch-gap problem, which gives cybercriminals extra time to exploit published zero-day and n-day flaws (an n-day is the exploitation of a known and already-patched security issue). The gap exists because Chromium is an open-source project: anyone can view its source code and scrutinize developer fixes, so attackers can identify a fixed flaw and exploit it before the fix reaches the large user base of stable Chrome releases. Weekly updates shrink the patch gap and reduce the n-day exploitation window to a single week. Although not perfect, this will clearly benefit Chrome security.

EvilProxy phishing campaign: 120,000 phishing emails sent to over a hundred organizations targeting Microsoft 365 accounts.

Researchers at Proofpoint found that 120,000 phishing emails were sent to more than a hundred organizations in an attempt to steal Microsoft 365 accounts. EvilProxy has become one of the more popular phishing platforms for targeting MFA-protected accounts. The researchers warned of a surge in successful cloud account takeover incidents over the past 5 months, primarily affecting high-ranking executives: attackers prioritize “VIP” targets and ignore those lower in the hierarchy. Of the accounts breached, 39% belonged to C-level executives, 9% to CEOs and vice-presidents, 16% to chief financial officers, and the rest to employees with access to sensitive information or financial assets. Proofpoint observed a very large-scale campaign supported by EvilProxy that combines brand impersonation, bot-detection evasion and open redirects. The EvilProxy service has been seen sending emails impersonating popular brands such as Adobe, DocuSign and Concur.

That is all! Enjoy the rest of the week and don’t forget to update your devices and systems to the latest patches!
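The Knight lure (a “TripAdvisorComplaint.zip” or HTML attachment posing as a TripAdvisor complaint) and the EvilProxy lures impersonating Adobe, DocuSign and Concur share one trait a mail-security team can key on: a brand is invoked in the subject or attachment name by a sender whose domain does not belong to that brand. The Python below is an added example, not code from the original post or from Sophos or Proofpoint. The brand-to-domain table, the list of risky attachment types and the sample messages are constructed for the illustration and would need to be tuned for a real environment.

```python
"""Brand-impersonation triage over inbound mail metadata (added example).

Flags a message when it invokes a known brand (in the subject or an attachment
name) but the sender domain is not one the brand legitimately sends from, and
additionally calls out ZIP/HTML attachments on such messages, the two carrier
types the Knight campaign used.
"""
from dataclasses import dataclass, field
import re

# Constructed mapping (assumption, not from the post): brand keyword -> domains
# that legitimately send mail as that brand. Tune per environment.
BRAND_DOMAINS = {
    "tripadvisor": {"tripadvisor.com"},
    "adobe": {"adobe.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "concur": {"concur.com", "concursolutions.com"},
}

# Attachment types the post associates with the Knight lure.
RISKY_EXTENSIONS = {".zip", ".html", ".htm"}


@dataclass
class Message:
    sender: str
    subject: str
    attachments: list[str] = field(default_factory=list)


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain of an address, tolerating a display name."""
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""


def domain_matches(domain: str, allowed: set[str]) -> bool:
    """True if domain is exactly an allowed domain or a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def attachment_ext(name: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def brands_mentioned(msg: Message) -> set[str]:
    """Brands whose keyword appears in the subject or any attachment name."""
    text = (msg.subject + " " + " ".join(msg.attachments)).lower()
    return {brand for brand in BRAND_DOMAINS if brand in text}


def triage(msg: Message) -> list[str]:
    """Return human-readable reasons the message looks like brand impersonation.

    An empty list means no finding. Attachments are only reported when the
    brand check already failed, so legitimate brand mail with a ZIP is not flagged.
    """
    reasons = []
    dom = sender_domain(msg.sender)
    spoofed = [b for b in sorted(brands_mentioned(msg))
               if not domain_matches(dom, BRAND_DOMAINS[b])]
    for brand in spoofed:
        reasons.append(f"brand '{brand}' invoked but sender domain '{dom}' "
                       f"is not a {brand} domain")
    if spoofed:
        for name in msg.attachments:
            ext = attachment_ext(name)
            if ext in RISKY_EXTENSIONS:
                reasons.append(f"attachment '{name}' is a {ext} file on a "
                               f"brand-impersonating message")
    return reasons


# Constructed sample messages (not real mail from the campaigns).
SAMPLE_MESSAGES = [
    Message("complaints@review-notice.example",
            "New complaint about your restaurant on TripAdvisor",
            ["TripAdvisorComplaint.zip"]),
    Message("noreply@tripadvisor.com",
            "Your TripAdvisor booking confirmation"),
    Message("docs@secure-sign.example",
            "DocuSign: Please review and sign",
            ["Document.html"]),
    Message("it@corp.example", "Q3 budget spreadsheet", ["budget.xlsx"]),
]


def run_triage(messages=SAMPLE_MESSAGES) -> dict[str, list[str]]:
    """Map each message subject to its triage findings."""
    return {m.subject: triage(m) for m in messages}


if __name__ == "__main__":
    for subject, findings in run_triage().items():
        print(subject, "->", findings or "clean")
```

The second rule deliberately depends on the first: a ZIP or HTML attachment on its own is ordinary business mail, but the same attachment on a message that name-drops a brand from an unrelated domain matches the shape of both campaigns described above.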
© 2021, TAFA HOLDINGS (S) PTE LTD. ALL RIGHTS RESERVED