The past week saw many cyberattacks disrupting organizational systems across the globe. Without adequate anti-phishing protection in place today, it isn’t easy to ensure that such an incident does not happen at your organization. The following are this week’s major cyberattack headlines to help plan your cybersecurity moves better:


Data Breach Hits Icare

In a recent data breach at the state insurer Icare, the personal details of over 200,000 injured workers were shared with 587 insurance brokers and employers. Reportedly, a database containing the details of 193,000 employees was sent as an email attachment to the wrong employers. Mary Maini (workers’ compensation group executive) apologized on behalf of Icare for this human error, and the company is now notifying victims.

As part of its phishing attack prevention measures, Icare informed the Information and Privacy Commission of NSW and the State Insurance Regulatory Authority about the breach. Furthermore, it asked the employers who received the unintentional email to delete it. The data leaked in this incident include workers’ names, DOBs, claims history, and injury categories. Fortunately, no contact or banking details were involved. Other reports indicate that the exposed database also contained workers’ policy numbers, claim costs, a breakdown of weekly payments, and gross amounts paid.

Icare is currently working on reviewing its systems so that such an unfortunate incident doesn’t happen again. The State Insurance Regulatory Authority is also investigating whether the incident led to a breach of workers’ compensation legislation. However, the good thing is that Icare realized its mistake and is making provisions for offering support to the affected workers.


Data Breach Hits Foxconn Baja California

A data breach recently targeted Foxconn Baja California, and the adversaries are now threatening to leak all the stolen files if the company fails to meet ransom demands. With around 5,000 employees, Foxconn Baja is a leading consumer electronics, medical devices, and industrial operations manufacturer. A threat actor group using the LockBit 2.0 ransomware has claimed responsibility for launching the attack on Foxconn Baja. It has given Foxconn time until 11th June to pay the ransom and has threatened to leak the data after that.

Whether the attack affected Foxconn’s operational technology (OT) systems is not clear at the moment. It was only in December 2020 that the DoppelPaymer ransomware group targeted some Foxconn systems in the US. While the company had claimed that the incident affected US systems alone, a facility in Mexico was also affected. LockBit 2.0 has been widely used in recent attacks, and it was only in February that the FBI released indicators of compromise (IoCs) for LockBit 2.0 attacks. Organizations should take phishing prevention measures well in advance because LockBit 2.0 operators often breach enterprise networks by purchasing access through insider access or exploiting unpatched vulnerabilities.


Phishing Actors Target Telegram’s Blogging Platform-Telegraph

Telegraph, the anonymous blogging platform owned by Telegram, recently underwent a data breach where adversaries exploited its lax policies to create phishing pages to steal users’ account credentials. The fact that Telegraph lets us post anonymously is the biggest advantage for the attackers, as they can easily run their malicious campaigns without being identified. The links generated on Telegraph can be circulated on the go, making it a fast and simple platform—an ideal attack vector for adversaries.

In addition, Telegraph supports including links, images, login forms, and other elements such as text formatting options that could make a blog post look like a web page. Hackers frequently use Telegraph to create phishing sites impersonating legitimate login portals and website landing pages. Researchers note that from the end of 2019 until May 2022, there has been a 90% increase in using Telegraph links in phishing emails. Because these links are hosted on Telegraph, a platform known to be safe, people usually do not doubt the credibility of phishing emails, giving them a higher success rate. Further, experts also mention that most phishing emails come from hijacked email accounts, enabling them to bypass spam filters swiftly.

These phishing emails mainly try to conduct cryptocurrency scams or steal account credentials. To protect yourself from phishing attacks, consider assessing the credibility of an email that makes it to your mailbox. Despite knowing that there is probably a spam filter doing its job, this simple exercise saves us from a lot of unnecessary trouble.


NOCCCD Notifies of Ransomware Attack it Underwent in January

In January, the North Orange County Community College District (NOCCCD) in California underwent a cyberattack that affected over 19,000 individuals. However, the college informed the California Attorney General’s Office about it only recently. Although the notification to the Attorney General’s office went in late, NOCCCD did post about the ransomware attack on its website. It was mentioned in the post that the attack targeted Fullerton College and Cypress College, and the institutions took immediate anti-phishing protection measures to secure their IT systems. The NOCCCD deployed advanced threat protection and monitoring tool to strengthen its security systems.

The notice posted on the Fullerton College for International Students website mentioned the types of information exposed in the attack. These include students’ names, social security numbers or driver’s licenses, passport numbers, medical details, and financial account information. The breach notification posted on the Cypress College on-campus Dental Hygiene Clinic website noted that the NOCCCD was unable to identify whether the adversaries accessed any patient data. The adversaries probably accessed patients’ names, dental hygiene treatment records, and driver’s license numbers.


Data Breach Hits Spirit Super

In a recent phishing campaign, an employee email account belonging to Spirit Super was compromised, which compromised 50,000 member records. These records date back to 2019–20 and include personal details that usually appear on annual statements, including members’ names, ages, telephone numbers, email addresses, member account numbers, and member balances. Fortunately, the breach did not affect dates of birth, bank details, and government identification numbers.

Reportedly, the breach was not triggered by a technical failure or material security weakness but by a human error. The adversaries posed as official correspondence and tricked an employee into giving away his email credentials. The unfortunate incident took place on 19th May 2022 when the phishing actors compromised the account of a Spirit Super staff member. As part of its measures for protection against phishing, Spirit Super contained the account, began an investigation into the breach, and took steps to strengthen its IT systems. Spirit Super recommends that users remain vigilant and look out for suspicious messages.


Cyberattack Targets CCSS

A cyberattack recently targeted the Costa Rican Social Security Fund (CCSS), which brought down its digital record-keeping system. Consequently, over 1200 hospitals and clinics underwent service disruptions, potentially affecting patient care for thousands.

The CCSS President Alvaro Ramos said in a statement that while the attack was a violent one, so far, they have no evidence to prove the compromise of any critical systems or databases. He further noted that the breach affected 30 of the 1,500 servers owned by CCSS; therefore, the national health platform will likely be down for a couple of days. Ramos added that no threat actor group has taken ownership of the attack yet and that this attack is just one of the many attacks targeting the Costa Rica government recently. The CCSS is taking measures for protection from phishing and has requested patients’ and stakeholders’ cooperation as they work on restoring their systems.


Misconfigured AWS Bucket Causes Data Breach at Turkish Airline

Owing to a misconfigured AWS bucket, a low-cost Turkish airline recently leaked the personal information of several flight crew members along with the flight data and source code. Cybersecurity experts discovered the publicly exposed cloud data store on 28th February and traced the information to the Electronic Flight Bag (EFB) software developed by Pegasus Airlines.

EFBs are information management tools that enhance the productivity of airline crews and provide necessary reference materials for flights. The researchers recovered around 23 million files (6.5 TB of exposed data), including over three million files with sensitive and confidential flight information like insurance documents, flight charts, revisions, details of crew shifts, issues found during pre-flight checks, etc.

More than 1.6 million files containing personally identifiable information (PII) belonging to airline crew members were exposed, including their photos and signatures. Furthermore, the source code from Pegasus’s EFB software, secret keys, and plain text passwords were also exposed. If adversaries access the information, they will become equipped with highly sensitive data on Pegasus Airlines. Fortunately, the airline quickly adopted anti-phishing solutions and secured the AWS bucket within three weeks of being notified.