Anti-phishing measures do not ensure 100% protection against ransomware and other social engineering attacks, but they do create additional protective shields and notification systems which gives the incident response teams enough time to detect and tackle the attack vector. Here are the major ransomware attack news headlines this week to help you protect your organization better. 

Head to HIBP to Check Whether Your Email Was Affected by Recent RedLine Attack

The RedLine malware, which is known for its destructive ways of getting into IT systems and stealing their information, recently stole the account details of 441,657 users. Cybersecurity researcher Bob Diachenko recently found a server used by the threat actors spreading RedLine and recovered 6 million RedLine logs which were collected between August and September 2021. Although some of the email addresses in these logs were repeated, the data is still valuable as any threat actor in possession of this can launch targeted phishing and financial theft attacks on the victims. Diachenko further reported that the server is still accessible, but it’s unlikely that RedLine is still using it as the number of logs has not increased.

To ensure protection against phishing, Diachenko shared a copy of the 441,657 unique email addresses retrieved from the RedLine server with Have I Been Pwned (HIBP). Now users can head to HIBP to check if RedLine compromised their email address and if yes, then merely changing the password won’t suffice. It is recommended to change passwords for all accounts accessed through the system. Users should also withdraw or transfer all crypto tokens to another waller, as RedLine targets cryptocurrency wallets.


RIPTA Finally Reveals Data Breach After Month

A data breach occurred at the Rhode Island Public Transit Authority (RIPTA) between 3rd and 5th August 2021. This led to the compromise of patients’ addresses, social security numbers, RIPTA health plans, DOBs, health plan membership, etc. However, the data of people outside the agency was also affected by this incident. This caused much outrage among people. RIPTA reported to the US Department of Health and Human Services that only 5015 people were affected by the breach, but in reality, it sent out breach notifications to 17,378 people. RIPTA is accused of downplaying the damages done by the attack and for keeping victims in the dark until four months after the security breach.

In its defense, RIPTA said that it had access to information of people who were not directly associated with the agency because a provider had shared their details. This is why (RIPTA claims) it needed more time than usual to identify the attack victims and send out breach notifications. Peter Neronha – Rhode Island Attorney General, shall now look into the breach and analyze whether RIPTA had taken the necessary phishing prevention measures and followed the protocol of sending breach notifications within 45 days of an attack.


Cyberattack Hits T-Mobile

After undergoing a massive data breach in August 2021, T-Mobile was recently hit by another cyber-attack. The T-Mo report states that adversaries accessed only a small customer data set in the latest breach. The report further states that customers either had their sensitive information exposed or became prey to a SIM swapping attack or both because of the attack. Customer information accessed in the T-Mobile breach includes their names, account numbers, contact numbers, plan details, etc.

The T-Mobile breach from August had exposed the details of over 50 million customers, but this time around, the impact was fairly less. T-Mobile announced this breach on Twitter and mentioned that it is taking necessary anti-phishing protection measures to contain the breach and restore systems.


Cyberattack Hits Norwegian News Publisher Amedia

One of the largest local media companies in Norway – Amedia, recently underwent a major cyberattack. Consequently, many of Amedia’s central computer systems went offline, and printing the next day’s physical newspapers was disrupted. Unfortunately, the press will remain nonoperational until the issue is fixed. The attack also affected the organization’s subscription and advertising system, which prevented subscribers from canceling or ordering subscriptions and advertisers from purchasing ads.

Amedia is still unsure whether any personal information of subscribers or employees was affected, but if subscription information were compromised, it would expose customers’ names, contact numbers, addresses, subscription details, etc. However, Amedia believes that no financial data or passwords could have been affected. The media enterprise has adopted measures to prevent phishing attacks and is doing its best to restore operations at the earliest.


Vulnerabilities Detected in SanDisk PrivateAccess

Cybersecurity researcher Sylvain Pelissier recently detected two vulnerabilities in SanDisk PrivateAccess (previously known as SanDisk SecureAccess), allowing adversaries to access user passwords. Recently, Western Digital released patches for some vulnerabilities in its encryption software, allowing attackers to access user data through brute force attacks.

But Pelissier’s findings suggest that vulnerabilities exist in ENC Security’s DataVault encryption software. DataVault’s users include Western Digital (owner of SanDisk), Lexar, and Sony; the products of all these companies were affected by these vulnerabilities. The DataVault vulnerabilities were dubbed CVE-2021-36750, and CVE-2021-36751 were said to be patched soon after. All customer companies released their breach notifications as part of their measures for protection from phishing. ENC was notified of the flaws in May, and it released the patches with DataVault 7.2 in early December.


Cyberattack Hits Vietnamese Crypto Trading Platform ONUS

The renowned Vietnamese crypto trading platform ONUS recently underwent a cyber-attack that affected its payment system. Reportedly, the payment system was running with a vulnerable Log4j version. Soon after the attack, the adversaries approached ONUS with a $5 million ransom demand and threatened to leak customer data on non-compliance. ONUS refused to pay the ransom, and therefore the adversaries put up a database with 2 million ONUS customer records for sale.

The exposed data includes the hashed passwords, personal information (names, contact numbers, email addresses, addresses, transaction histories), and eKYC data of 2 million customers. In its defense, ONUS said that it prioritizes customers’ safety and is therefore informing the ONUS community about the unfortunate incident. ONUS also extended its apology for the incident and sought people’s cooperation. The cybersecurity organization looking after ONUS – CyStack, investigated the breach and released its findings shortly after.

CyStack recommends ONUS follow the vendor’s instructions and patch the Log4J Shell vulnerability. It further asks ONUS to reconfigure AWS access permissions, deactivate leaked AWS credentials, block public access to sensitive S3 buckets, and adopt other measures for protection against phishing attacks.


Five Eyes Releases joint Cybersecurity Advisory

Government agencies from the United States, the United Kingdom, Canada,  Australia, and New Zealand—which constitute the “Five Eyes” intelligence alliance have jointly issued a Cybersecurity Advisory. This advisory provides phishing protection guidance to those recently hit by attacks caused by vulnerabilities like Log4 Shell in the Apache Log4j software library. Researchers believe that the adversaries are already exploiting such vulnerabilities for remote code execution.

The Director of the US Cybersecurity and Infrastructure Security Agency (CISA) – Jen Easterly, called the Log4j vulnerabilities the most dangerous she has encountered in her career. She also highlighted the global nature of the Log4j risk. She mentioned that CISA is working proactively to provide organizations with phishing prevention measures. Users are advised to upgrade all Log4j assets and products as soon as patches are released.


QNAPCrypt targets QNAP NAS Devices

The QNAPCrypt or eCh0raix ransomware is targeting users of QNAP network-attached storage (NAS) devices. The threat actors reportedly intensified their attempts before Christmas by compromising administrator privileges. Users of Synology and QNAP have constantly reported such attack attempts by eCh0raix, but these reports increased manifold around 20th December and again subsided by 26th December.

The initial attack vector remains unclear at the moment as some users believe that it was a result of their own negligence in securing devices, and others think it’s because of an unpatched vulnerability in QNAP’s Photo Station.

Researchers believe that the eCh0raix ransomware operators encrypt all files on the NAS system by creating a user in the administrator group. Many users have reported that the malware encrypted documents and pictures. Interestingly, the attackers mistyped the extension in the ransom note and used the “.TXT” extension. Because of this, some users may have to view the instructions on specific programs like Notepad.

Many users have claimed to not have any backups, because of which they were compelled to pay the ransom. Resultantly, the ech0raix ransomware demands have increased significantly from .024 (about $1,200) to .06 bitcoins (about $3,000) in recent times. Users are advised to follow QNAP’s recommendations and adopt necessary anti-phishing solutions.