Imagine returning to the office after the Christmas and New Year holidays to find your systems locked by ransomware. Many organizations across the globe have endured exactly that fate, and here are the latest updates on those attacks to help you plan your phishing prevention strategies.
State Officials Confirm Ransomware Attack on Maryland
The cyberattack that disrupted the Maryland Department of Health’s (MDH) reporting of COVID-19 data last month has been confirmed to be a ransomware attack. The attack began on 4th December 2021, and according to the state’s CISO, Chip Stewart, the extortion demands have been resisted so far.
Stewart confirmed the attack in a recent statement, saying that the investigation into the breach is running alongside the restoration effort and that it is undoubtedly a ransomware attack. He declined to discuss the adversaries’ motive for attacking the state health department. Fortunately, MDH quickly activated its incident response measures and isolated the infected systems within the first hours of detecting the attack. Because of this containment, some MDH services may remain offline or unavailable for some time. Stewart assured that the state and his office are doing everything in their capacity to eliminate the risk of reinfection.
Sygnia Researchers Warn of a New Threat Actor – Elephant Beetle
Researchers at Sygnia recently identified a previously undocumented threat actor they call Elephant Beetle. The group is unusual: it has operated across Latin America for at least four years and could wreak havoc if it expands its operations internationally. What sets it apart is that it doesn’t develop or invest in zero-day vulnerabilities. Instead, it hides inside the victim’s network and adapts until it understands all of the victim’s means of conducting financial transactions and finds an unpatched vulnerability to exploit. Sygnia’s report suggests that Elephant Beetle waits for months before acting against an organization, spending that time studying the victim’s network for vulnerabilities.
Sygnia’s report states that Elephant Beetle targets legacy Java applications on Linux systems to enter a network, usually through common unpatched flaws. The group is also known for deploying its own Java web application on the victim machine, which runs in the background alongside the legitimate application. Elephant Beetle uses more than 80 tools and scripts against its victims while staying hidden throughout the operation.
Elephant Beetle injects fraudulent transactions among regular activity and can steal millions of dollars over time. The group resembles the Mexico-based threat actor FIN13. Sygnia has released a set of do’s and don’ts to help organizations prevent these attacks.
Data Breach at Ciox Health Exposed Customers’ PHI
A cyberattack recently hit the Georgia-based healthcare information management company Ciox Health, compromising the protected health information (PHI) of thousands of individuals, including patients’ Social Security numbers and treatment information. Ciox Health provides medical record retrieval, release of information, and health information management services to over 30 healthcare providers. Investigations revealed that an unknown third party accessed a Ciox employee’s email account between 24th June and 2nd July last year. The threat actor downloaded copies of emails and attachments stored in the compromised account and later exposed these details.
It was only on 24th September that Ciox learned what patient data was stored in the compromised employee email account. The information in the account included customer service requests and Ciox billing inquiries. In its statement, Ciox notes that in “very limited instances” the exposed data included patients’ names, Social Security numbers, dates of birth, driver’s license numbers, provider details, dates of service, clinical information and health insurance information.
While Ciox was taking remedial measures on its side, the US Department of Health and Human Services’ Office for Civil Rights was informed about the breach only on 30th December 2021. Ciox reported that the attack affected 12,493 individuals and said that it began notifying its healthcare provider customers about the breach on 23rd November. A joint notification from the 32 affected healthcare providers was published on Ciox Health’s website. These include Niagara Falls Memorial Medical Center Health System, Children’s Healthcare of Atlanta, Sarasota County Public Hospital District and Indiana University Health.
Data Breach Hits French Cosmetics Organization Clarins
The French cosmetics company Clarins recently suffered a cyberattack that may have affected the personal information of its Singaporean customers. In its statement, Clarins said the attack exploited a critical vulnerability in Log4j, an open-source logging library used by many Java-based applications. Clarins used the software in the system that managed the database holding its Singapore customers’ personal information. The attack came to light when a Clarins employee tried to access the database and could not.
Clarins quickly adopted protective measures and patched the vulnerability affecting its database. However, it appears the server had already been compromised by then. The customer data exposed in the breach includes names, email addresses, residential addresses, contact numbers and Clarins loyalty program status. Fortunately, no passwords or payment card information were compromised.
Last month, Josephine Teo, Singapore’s Minister for Communications and Information, said that the authorities are working to patch all government systems affected by the Log4j vulnerability. Clarins, for its part, expressed regret over the incident and assured customers of its security measures. It is now working closely with security and legal experts to investigate the attack and harden its systems against similar attacks in the future. The Singapore Personal Data Protection Commission (PDPC) has also been informed about the breach. Clarins recommended that all affected customers change their passwords and treat unknown calls and messages with caution.
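The first question a defender asks after reading about the Clarins incident is whether any Java application in their own estate still ships a vulnerable Log4j. The script below is an added example, not code from the original post and not tooling from Clarins or any vendor named here. It looks for the `JndiLookup.class` entry that log4j-core 2.x carries (removing that class was Apache’s documented mitigation for the JNDI flaw), and it descends into nested jars inside WAR/EAR files, which is where the library usually hides. The sample archives are constructed in memory so the script runs offline; the class bytes inside them are placeholders, not real Log4j builds.

```python
"""Scan JAR/WAR/EAR archives for the log4j-core JndiLookup class.

Added example for this news digest; not the post's own code. It assumes the
class path below, which is where log4j-core 2.x keeps the JNDI lookup class.
"""
import io
import zipfile
from typing import Dict, Iterable, List

# Entry name inside log4j-core 2.x jars. Its absence means the JNDI lookup
# has been removed (or the jar is not log4j-core at all); its presence means
# the jar deserves a version check and, most likely, an upgrade.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def find_jndi_lookup(data: bytes, path: str = "<archive>") -> List[str]:
    """Return every location (outer!inner!entry) where the class was found.

    Nested archives (a WAR bundling WEB-INF/lib/log4j-core.jar) are opened in
    memory and searched recursively, so the report names the full chain.
    """
    hits: List[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip container; nothing to inspect
    for entry in archive.namelist():
        if entry == JNDI_LOOKUP_CLASS:
            hits.append(f"{path}!{entry}")
        elif entry.lower().endswith(ARCHIVE_SUFFIXES):
            hits.extend(find_jndi_lookup(archive.read(entry), f"{path}!{entry}"))
    return hits


def scan_files(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Scan on-disk archives and map each path to the hits found in it."""
    results: Dict[str, List[str]] = {}
    for p in paths:
        with open(p, "rb") as fh:
            results[p] = find_jndi_lookup(fh.read(), p)
    return results


def build_archive(entries: Dict[str, bytes]) -> bytes:
    """Construct an in-memory zip from {name: bytes}; used only for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives (placeholder bytes, not real Log4j builds):
# an unpatched jar, a jar with the class removed, and a WAR nesting the
# unpatched jar under WEB-INF/lib.
UNPATCHED_JAR = build_archive({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe",
    "org/apache/logging/log4j/core/Logger.class": b"\xca\xfe\xba\xbe",
})
PATCHED_JAR = build_archive({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/logging/log4j/core/Logger.class": b"\xca\xfe\xba\xbe",
})
APP_WAR = build_archive({
    "WEB-INF/web.xml": b"<web-app/>",
    "WEB-INF/lib/log4j-core.jar": UNPATCHED_JAR,
})

if __name__ == "__main__":
    samples = [("unpatched.jar", UNPATCHED_JAR), ("patched.jar", PATCHED_JAR), ("app.war", APP_WAR)]
    for name, blob in samples:
        hits = find_jndi_lookup(blob, name)
        print(f"{name}: {'FOUND ' + ', '.join(hits) if hits else 'clean'}")
```

Run it against real files with `scan_files(["/opt/app/app.war"])`. A clean result only shows that the JNDI lookup class is absent; it does not prove the library version, so treat hits as a prompt to check the bundled version and upgrade rather than as the whole assessment.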
Cyberattack Hits Medical Review Institute of America (MRIoA)
A cyberattack recently hit the Medical Review Institute of America (MRIoA), which is now notifying all affected individuals that their personal information was compromised. The attack was discovered on 9th November 2021, and initial investigations revealed that protected health information was exposed. By 16th November 2021, MRIoA had retrieved all the stolen data, which included names, email addresses, contact numbers, gender, Social Security numbers, residential addresses, clinical details, medical history, financial details and health insurance information.
MRIoA has since adopted protective measures such as enabling multi-factor authentication, replacing old servers with new ones, revising its cybersecurity policies, creating backups and providing enhanced employee training. In its data breach notification to the Maine Attorney General’s Office, MRIoA states that more than 134,000 individuals were affected. While the type of attack has not been disclosed, the wording of MRIoA’s notification suggests that it was a ransomware attack.
Commission on Elections (Comelec) Server Hacked
Cyber adversaries recently compromised the servers of the Commission on Elections (Comelec) and downloaded over 60 GB of sensitive voter information, which could easily be used to influence the May 2022 elections. The attack was first discovered by the Technews team at Manila Bulletin (MB) on 8th January 2022, when an unknown informant tipped it off about an ongoing hack of Comelec servers. MB Technews conducted an initial investigation, which confirmed that the Comelec servers were indeed being exploited. The threat actors were able to download files containing the usernames and PINs of vote-counting machines (VCMs), among other details.
The MB Technews team reported its findings to Comelec spokesperson James Jimenez, who passed the information to the Comelec Steering Committee. Two days later, Jimenez got back to MB Technews saying he had yet to hear from the Steering Committee. Other files affected by the attack include IP addresses, network diagrams, access to the ballot handling dashboard, domain admin credentials, a list of all privileged users, and domain policies and passwords. The breach also exposed the locations of all voting precincts, details of the boards of canvassers, a list of overseas absentee voters, and a list of all user accounts of Comelec personnel.
Y2K22 Bug Hits SonicWall and Others
The Y2K22 bug has been disrupting operations at organizations since 1st January 2022, affecting SonicWall and Microsoft products as well as many Honda and Acura car owners. In its statement, SonicWall says that some of its firewall and email security products were hit by the bug, causing junk box and message log update failures. This means email administrators and users may be unable to un-junk newly received emails or even access the junk box on affected systems. They may also have difficulty tracing outgoing and incoming emails, because the message log is not being updated.
After detecting the issue on 1st January 2022, SonicWall released updates for its cloud email security service in the North American and European regions. It also released a fix for the on-premises Email Security appliance (ES 10.0.15). SonicWall advised admins to download the latest Junk Store version, 7.6.9, for full protection; it can be found under the SonicOS 6.5.x firmware in the MySonicWall downloads section. The instructions are the same for the NSA, TZ, NM and SOHO platforms. SonicWall confirmed that SonicOS 7.x was not affected by the bug.