Threat actors are leveraging the ongoing Russian-Ukrainian tensions to launch cyberattacks worldwide. Organizations need to be more vigilant than ever to keep their information assets from falling into the hands of cyber adversaries. Here are this week’s phishing and data breach updates from around the world.
Avast Releases Free Decryptor for Files Encrypted by HermeticRansom
Avast has released a free decryptor for HermeticRansom, the ransomware recently used in several attacks on Ukraine. It is one of many efforts by security firms to help Ukrainian victims recover their files at no cost.
The Hermetic attacks involved three components: HermeticWiper, HermeticWizard, and HermeticRansom. The ransomware authors did not do a thorough job, however: analysts at CrowdStrike found a logic flaw in its encryption that could easily be broken, probably because encryption was never the primary purpose of the malware. Citing the findings of CrowdStrike's Intelligence Team, Avast confirmed that HermeticRansom's crypto scheme can be decrypted for free and is distributing the decryptor through its websites. As part of its attack prevention efforts, Avast urges HermeticRansom victims to use the tool to recover their files.
Law Enforcement Agencies Warn That Data Stolen in T-Mobile Data Breach Is Circulating Online
In the aftermath of the August 2021 cyberattack on T-Mobile, law enforcement officials from several states are alerting residents that their data may be circulating on dark web platforms. New York Attorney General Letitia James, along with officials from Florida, California, and other states, recently announced that personal information exposed in last year's massive T-Mobile breach has fallen into the wrong hands and is now being traded on cybercrime forums.
The breach compromised the data of millions of former, current, and prospective T-Mobile customers, and the stolen information could easily be used for financial fraud and identity theft, among other crimes. In August, the attackers claimed that T-Mobile's security measures were poor, and law enforcement is examining the matter for further details.
The compromised data include customers' names, social security numbers, dates of birth, ID numbers, driver's license numbers, international mobile subscriber identities (IMSIs), and international mobile equipment identities (IMEIs). The last two are unique to each device and cannot be reset, which increases the risk to affected customers. Identity protection services have already notified affected customers, yet data breaches continue to happen despite increased investment in cybersecurity measures. The states ask people to remain vigilant and to report any suspicious activity in their accounts.
Data Breach Hits Monongalia Health System
A data breach recently hit the Monongalia Health System (Mon Health) and may have compromised data belonging to partners, employees, and patients. The attack was first discovered on 18th December, when some of Mon Health's IT systems were disrupted. Reportedly, the adversaries were inside the healthcare system's network between 8th December and 19th December. The data theft was spotted much later; fortunately, the attackers could not access its electronic health records systems.
The affected data include victims' names, dates of birth, addresses, social security numbers, medical record numbers, health insurance claim numbers, medical treatment information, and patient account numbers. In response, Mon Health took its network offline and hardened it, notified the relevant authorities, and reset passwords enterprise-wide. Mon Health has not yet disclosed the number of affected individuals, but it has begun notifying them of the breach via email.
Cyberattack Hits Logan Health Medical Center
Following a sophisticated cyberattack on its IT systems, Logan Health Medical Center is notifying 213,543 patients, business associates, and employees that their personal and health data may have been compromised. Logan Health first detected suspicious activity on one of its eight servers on 22nd November 2021. These servers were used to store protected health information (PHI) and to support other business operations. The subsequent investigation found that certain files, including employee PHI, had been accessed by unauthorized third parties. Fortunately, the electronic medical records were not affected by the breach.
Reportedly, the stolen data varied by individual and could include names, dates of birth, social security numbers, email addresses, and contact details. The medical provider is offering one year of free identity monitoring to all affected individuals. Logan Health's CEO, Craig Lambrecht, reminded employees of the importance of protecting patients' PHI, shared phishing prevention best practices, and said the organization will soon launch a cybersecurity training program for employees.
Cyberattack Hits Insurance and Professional Services Giant AON
A cyberattack recently hit the insurance and professional services giant AON, affecting a limited number of its systems. AON provides a range of professional services, including reinsurance, business insurance, cybersecurity consulting, healthcare insurance, risk solutions, and wealth management products. With operations in 120 countries and over 50,000 employees, AON generated annual revenue of $12.2 billion in 2021. The firm filed a Form 8-K with the Securities and Exchange Commission (SEC) reporting that a cyberattack affected its systems on 25th February 2022.
AON has not disclosed significant details about the breach, such as who the attackers were, stating only that a limited number of systems were affected. Soon after detecting the attack, AON launched an internal investigation and hired third-party cybersecurity experts for a detailed analysis and to strengthen its defenses. Reportedly, the incident did not significantly impact the company's operations.
As a reinsurer, AON insures other insurance companies and therefore receives substantial volumes of data about those insurers' clients, which makes it an attractive target for adversaries. Attacks on insurance companies carry a further concern: in an interview, the REvil gang called insurers one of the "tastiest morsels," because their client lists are a source of potential targets who hold cyber insurance policies and can therefore pay a ransom.
A Game of Attacks Between Lapsus$ and Nvidia
Although there is no hard evidence yet, several online security groups claim that the South American hacker group Lapsus$ attacked Nvidia. They also report that Nvidia responded to the Lapsus$ attack with an attack of its own, reportedly encrypting the stolen data and effectively ransoming Lapsus$'s machines in return.
Nvidia is investigating the attack, which supposedly compromised all of its internal systems. Around the same time, Lapsus$ claimed to have stolen 1TB of data from Nvidia and is now threatening to leak it, including Nvidia employees' security details and passwords. Lapsus$ provided some screenshots to support its claims, but these cannot be considered concrete proof, and whether Lapsus$ actually holds Nvidia's data remains unconfirmed. Lapsus$ later stated that Nvidia had hacked it back through a virtual machine that Lapsus$ had left enrolled in Nvidia's mobile device management (MDM) program, which gave Nvidia a way back into the attacker's environment. It further claimed that Nvidia remotely encrypted the data Lapsus$ had stolen and cut off Lapsus$'s access to the Nvidia network.
Other sources claim that Lapsus$ has already circulated Nvidia employees' security details on Telegram, but this remains unverified. If the initial reports are accurate, Nvidia probably had enough time to rotate its employees' credentials and render the stolen data useless.
Cyberattack Hits Camera Maker Axis
A cyberattack hit the IT systems of the Swedish camera maker Axis on 20th February. The attack was first detected by Axis's cybersecurity and intrusion detection systems, and soon after noticing it, the company shut down all of its global services. So far, Axis has no reason to believe that customer or partner data was affected; it was able to stop and contain the attack before it was completed.
Axis has restored its high-priority external services and is restoring the rest without compromising security. It apologized for the disruption caused by the shutdown, describing it as a necessary measure to minimize the impact on everyone and to ensure adequate protection. While Axis tweeted about the attack, it declined further comment and said that the Camera Station License System and its Case Insight tool in the US were still experiencing outages.