This week saw cybercriminals target famous car brand BMW and data protection vendor Acronis among others, hinting at the need for more effective phishing protection services. Here are this week’s phishing and data breach-related updates to help you stay informed and take proactive measures to secure your information assets.
Hospital In Brussels Becomes The Latest Victim of Cyber Attack Amidst Growing Attacks on European Healthcare
A university hospital in Brussels became the latest institution targeted by cybercriminals in the growing wave of cyberattacks against European hospitals. The Centre Hospitalier Universitaire (CHU) Saint-Pierre diverted ambulances following a cyberattack in the wee hours of Friday.
Pierre Leroy, CHU Saint-Pierre’s chief executive, said the hospital followed an emergency plan “particularly designed for such a situation” following the earlier attacks on other Belgian hospitals. While the staff had to start working with paper records, the hospital disconnected its servers and restarted them by Saturday afternoon, said Leroy. He further added that the servers remain offline.
“We are hopeful that it will continue like this, but we can now see the benefits of an emergency plan against such cyberattacks,” he added. He said that 100% of the hospital’s IT applications were operational again, although “emergency dispatchers diverted ambulances to other hospitals for several hours to avoid overloading the hospital.” An investigation into the incident is ongoing, Leroy said.
“FakeGPT”: New Fake-ChatGPT Chrome Extension Steals Facebook Ad Accounts
Security researchers at Guardio discovered a Chrome extension offering quick access to fake ChatGPT functionality that hijacks Facebook accounts and installs hidden account backdoors. What caught the security team’s attention was the hackers’ use of a silently forced Facebook app “backdoor” that gave them super-admin permissions.
The threat actors hijack high-profile Facebook business accounts and create an elite army of Facebook bots. Furthermore, they use a malicious paid media apparatus to push Facebook paid ads. They do it at the expense of the victims and in a self-propagating worm-like manner.
Cybercriminals promote the malicious stealer extension, “Quick access to Chat GPT,” on Facebook-sponsored posts as a quick way for users to get started with ChatGPT directly from their browser. Although the extension connects to the official ChatGPT’s API, it also harvests information from the victim’s browser, steals cookies of their authorized, active sessions, and employs tailored tactics to take over their Facebook account.
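The extension described above works because a browser extension can legitimately ask for the `cookies` permission together with host access to every site, which is all it needs to lift an active Facebook session. The following added example (not code from Guardio or from the page) audits a Chrome extension's `manifest.json` against the hosts the extension is supposed to talk to, flagging broad host access, content scripts injected into unrelated sites, and session-reading permissions combined with either. The sample manifests are constructed, and the assumed legitimate host (`*.openai.com`) is an assumption about what a real ChatGPT helper would need, not a fact taken from the page.

```python
import json
from fnmatch import fnmatch

# Match patterns that grant access to every origin.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension read or reshape authenticated sessions.
SESSION_PERMS = {"cookies", "webRequest", "webRequestBlocking", "scripting", "tabs"}

# Constructed sample (NOT the real extension's manifest): a "ChatGPT helper"
# that requests far more than a helper needs.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Quick access to Chat GPT (constructed sample)",
    "version": "1.0",
    "permissions": ["cookies", "storage", "tabs", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["inject.js"]}],
    "background": {"service_worker": "bg.js"},
})

# Constructed benign counterpart: only storage, only the assumed ChatGPT host.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "ChatGPT sidebar (constructed sample)",
    "version": "1.0",
    "permissions": ["storage"],
    "host_permissions": ["*://chat.openai.com/*"],
})

# Hosts a ChatGPT helper plausibly needs (assumption, as fnmatch patterns).
EXPECTED_HOSTS = {"*.openai.com"}


def _host_of(pattern: str) -> str:
    """Reduce a match pattern such as '*://*.facebook.com/*' to its host part."""
    rest = pattern.split("://", 1)[-1]
    return rest.split("/", 1)[0]


def audit_manifest(manifest_json: str, expected_hosts: set[str]) -> list[str]:
    """Return human-readable findings for permissions beyond the stated purpose."""
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", []))
    host_patterns = set(m.get("host_permissions", []))
    if m.get("manifest_version", 2) < 3:
        # Manifest V2 lists host match patterns inside "permissions".
        host_patterns |= {p for p in perms if "://" in p or p == "<all_urls>"}
    # Content scripts run inside the matched pages, so their targets count too.
    for cs in m.get("content_scripts", []):
        host_patterns |= set(cs.get("matches", []))

    findings = []
    broad = sorted(host_patterns & BROAD_HOSTS)
    if broad:
        findings.append(f"broad host access: {broad}")
    unexpected = sorted(
        h for h in (_host_of(p) for p in host_patterns - BROAD_HOSTS)
        if not any(fnmatch(h, e) for e in expected_hosts)
    )
    if unexpected:
        findings.append(f"hosts outside stated purpose: {unexpected}")
    session = sorted(perms & SESSION_PERMS)
    if "cookies" in session and (broad or unexpected):
        findings.append(
            f"session-reading permissions {session} combined with hosts beyond the stated purpose"
        )
    return findings


if __name__ == "__main__":
    for name, mf in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, audit_manifest(mf, EXPECTED_HOSTS) or ["no findings"])
```

The allowlist approach matters more than the specific permission names: a single permission like `cookies` is unremarkable on its own, but combined with `<all_urls>` or a content script on a site the extension has no business visiting it is exactly the capability the page describes. The same audit can be run over every extension in a managed browser fleet by pointing it at each unpacked extension directory.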
AI-Generated YouTube Video Tutorials Pushing Info Stealer Malware
Security researchers are increasingly observing threat actors using AI-generated YouTube Videos and spreading various stealer malware like Raccoon, RedLine, and Vidar.
Pavan Karthick M, a CloudSEK researcher, said, “The videos lure victims by pretending to be tutorials on downloading cracked software versions like Photoshop, Autodesk 3ds Max, AutoCAD, Premiere Pro, and other licensed products available only to paid users.”
YouTube is a popular malware distribution channel. The CloudSEK security team witnessed a 200-300% M-o-M (month-over-month) increase in videos with links to stealer malware in the description section. Threat actors often obfuscate these links using URL shorteners like Bitly and Cuttly or host them on Discord, GitHub, MediaFire, Google Drive, and Telegram’s Telegra.ph.
In a few instances, threat actors leverage social engineering and data leaks to hijack legitimate YouTube accounts and push stealer malware, often targeting popular accounts to reach large audiences quickly.
BMW Exposes Data of Italian Clients: Experts
BMW, the famous German manufacturer of luxury vehicles delivering over 2.5 million cars a year, exposed its client data and business secrets, experts are saying. If a cybercriminal discovers the flaw, they could exploit it to steal the company’s source code, access customer data, and look for other vulnerabilities to exploit.
Cybernews researchers were exploring the official BMW Italy website in February when they discovered an unprotected environment (.env) and .git configuration files. The Environment files (.env) were meant to be stored locally and included data on BMW’s production and development environments.
Researchers opined that while this information is insufficient for threat actors to compromise BMW’s website, they can use it for reconnaissance (covertly discovering and collecting information regarding a system). Thus, it can lead to the website getting compromised or point the cybercriminals toward customer information storage and how to access it.
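The BMW finding comes down to files that belong to the build and deployment process ending up inside the public document root. The following added example (not code from Cybernews or from the page) is a pre-deploy check that walks a document root and lists the entries a web server must never serve: `.env` files (including `.env.production`-style variants), `.git` and other VCS directories, and `.htpasswd`. The sample tree it builds is constructed; the set of blocked names is this example's own choice, extended beyond the two file types the page names.

```python
import os
import tempfile
from pathlib import Path

# Names that must never sit inside a public document root. ".env" files carry
# framework secrets; a ".git" directory lets anyone reconstruct the source tree.
BLOCKED_NAMES = {".env", ".git", ".svn", ".hg", ".htpasswd"}
BLOCKED_PREFIXES = (".env.",)  # .env.local, .env.production, ...


def find_exposed_files(docroot) -> list[str]:
    """Return document-root-relative paths of files that must not be public."""
    docroot = Path(docroot)
    hits = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        rel = Path(dirpath).relative_to(docroot)
        for d in list(dirnames):
            if d in BLOCKED_NAMES:
                hits.append(str(rel / d) + "/")
                dirnames.remove(d)  # the whole directory is the finding; do not descend
        for f in filenames:
            if f in BLOCKED_NAMES or f.startswith(BLOCKED_PREFIXES):
                hits.append(str(rel / f))
    return sorted(hits)


def make_sample_docroot() -> str:
    """Build a constructed sample tree that mixes public assets with leaked files."""
    root = Path(tempfile.mkdtemp(prefix="docroot-"))
    (root / "assets").mkdir()
    (root / ".git").mkdir()
    (root / "index.html").write_text("<h1>sample site</h1>\n")
    (root / "assets" / "app.js").write_text("console.log('ok');\n")
    # Constructed secrets, deliberately fake values.
    (root / ".env").write_text("DB_PASSWORD=example-not-real\n")
    (root / ".git" / "config").write_text("[core]\n\trepositoryformatversion = 0\n")
    (root / "assets" / ".env.production").write_text("API_KEY=example-not-real\n")
    return str(root)


if __name__ == "__main__":
    sample = make_sample_docroot()
    for path in find_exposed_files(sample) or ["nothing exposed"]:
        print(path)
```

Running this in CI against the directory that is about to be published catches the problem before a web server ever sees it. As a second layer, the web server should refuse dotfiles outright; in nginx that is a `location ~ /\. { deny all; }` block, so an `.env` that slips through still returns 403 rather than its contents.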
Xenomorph Android Banking Trojan Returns with a New and More Powerful Variant
The latest findings from ThreatFabric reveal that a new variant of the Android banking trojan Xenomorph has surfaced in the wild. The Hadoken Security Group has named it “Xenomorph 3rd generation”; the updated version has new features enabling it to perform financial fraud seamlessly.
The Dutch security firm reported, “The latest malware version adds new capabilities to the feature-rich Android banker. The notable ones are an extensive runtime engine powered by Accessibility services, used by the cybercriminals to implement a complete ATS framework”.
Xenomorph first surfaced a year ago, in February 2022, when researchers discovered it targeting 56 European banks using dropper apps published on the Google Play Store. In contrast, the latest iteration of the banking trojan – which has a dedicated website displaying its features – can target over 400 banking and financial institutions, including several crypto wallets.
AT&T Issues Alerts to 9 Million Customers Regarding a Data Breach After Vendor Hack
AT&T notified roughly 9 million customers that some personal data might be exposed after threat actors hacked a marketing vendor in January. “Customer Proprietary Network Information from a few wireless accounts was exposed, like the wireless rate plan or the number of lines on an account,” AT&T told BleepingComputer.
“The leaked information did not include credit card information, account passwords, Social Security Number, or other sensitive personal information. Currently, we are notifying impacted customers.”
While the data breach notification does not mention the number of affected customers, AT&T says that “hackers accessed Customer Proprietary Network Information of approximately 9 million wireless accounts.” Exposed CPNI data contains customer first names, wireless phone numbers, wireless account numbers, and email addresses.
“A small percentage of affected customers also had exposure to the rate plan name, monthly payment amount, past due amount, various monthly charges, and minutes used. The information was a few years old,” AT&T said.
The company added the vendor security incident did not compromise its systems and that the exposed data is mainly linked to device upgrade eligibility.
Acronis Downplays Intrusion After 12GB Leaked Data Found Online
The CISO of Acronis downplayed an intrusion into its systems, insisting that only one customer, whose stolen credentials were used, was impacted and that all other data remains safe.
A Thursday thread on BreachedForums brought news of the theft. In the post, a hacker named kernelware (who also cracked Acer) claimed he had accessed Acronis and stolen certificate files, system configurations, command logs, Python scripts for an Acronis database, system information logs, archives of their filesystem, and backup configuration, plus numerous screenshots of backup operations.
Kernelware mentioned that although the $120 million company boasts of its data protection and infosec standards, it had “dogshit security” and that he was bored, so he decided to “humiliate” the data protection giant. Kernelware shared the archive containing 12.2GB of stolen files. Acronis security chief Kevin Reed took to LinkedIn to dispute the details of the intrusion.
Acronis tweeted that no Acronis products were impacted or exploited. Instead, someone managed to steal an Acronis customer’s account login info and used it to siphon off their files, we’re told. “On March 9, a BreachedForums post mentioned Acronis. We immediately started an investigation,” a spokesperson for Acronis said.
“Through the investigation, we inferred that no Acronis products were impacted. However, based on the information, hackers compromised the credentials used by a particular customer for uploading diagnostic data to Acronis Support. We are working with the customer and have suspended the account access as we are resolving the issue.”
Qilin Ransomware Attack: Hackers Breach an Elderly Care Facility And Leak Confidential Data Online
Last month, the notorious Qilin ransomware group hacked a care facility in Gelderland, Attent Zorg en Behandeling. It led to the hackers stealing the passports of physicians, nurses, and physiotherapists, which they later published on the internet. The cyberattack occurred on February 17, leading to technical difficulties for the facility.
The institution announced the breach through its website and attributed the attack to a group that gained unauthorized access to its network. In a statement, Attent Zorg en Behandeling said that it restored a significant portion of the impacted systems three days after the attack. Additionally, the facility resumed its telephone services and access to its client dossier, personnel, and financial systems by February 20.
The Qilin group claims it exploited an unpatched vulnerability to gain access, resulting in the theft of hundreds of gigabytes of data, like non-disclosure agreements, confidential internal communication, and salary statements. The group asked the facility to pay a ransom and threatened to release the data.