Ransomware gangs continue to target organizations worldwide, leaking users’ personal information, which can then be used to launch further phishing attacks, identity theft, and other cyber attacks. Here is this week’s phishing news to help you learn how threat actors operate and why adopting anti-phishing measures matters.


Data Breach Hits Electronic Warfare Associates

The US defense contractor Electronic Warfare Associates (EWA) recently notified clients of a data breach that exposed a database containing users’ personally identifiable information (PII). The adversaries accessed the company’s email system and stole files containing sensitive information. EWA first discovered the breach on 2nd August 2021 and notified the Montana Attorney General’s office soon after. The attack came to EWA’s notice when the adversaries attempted wire fraud. The company therefore believes that stealing PII was perhaps not the attackers’ intention, but they ended up doing so anyway.

Since EWA makes products for highly sensitive customers such as the Department of Justice and the Department of Homeland Security (DHS), this breach is bad news. The compromised user information includes names, driver’s license numbers, and social security numbers. Details about the nature of the attack, and whether it affects only EWA employees, are yet to be known. However, the attack is said to have had a limited impact. As part of its measures to prevent phishing attacks, the company is offering two years of complimentary identity theft monitoring to victims. The breach notification further instructs victims to look out for suspicious activity in their financial accounts.


Black Shadow Group Attacks CyberServe

The Iranian hacking group Black Shadow recently targeted CyberServe, an Israeli web hosting company whose customers include an LGBTQ site. Consequently, the personal information of hundreds of thousands of CyberServe customers’ users was compromised. The Black Shadow group had demanded a ransom of $1 million for the decryption key, but the company refused to pay. This resistance, while a good move in itself, led to the public release of the medical records of around 290,000 patients.

Patients of Israel’s Machon Mor institute were the victims of this unfortunate attack. The compromised information included their blood test reports, CT scans, ultrasounds, vaccinations, and colonoscopies. In addition, an entire database containing the PII of the users of an Israeli LGBTQ dating service called Atraf was compromised. The exposed details of these dating service members included their names, locations, and even their HIV status. The breach was massive, as it also affected other customers of CyberServe, such as transportation companies, museums, and tourism firms. The adversaries reportedly leaked the user details on a Telegram channel. As it turns out, the Israel National Cyber Directorate had warned CyberServe multiple times to work on its anti-phishing solutions. Although the company resisted the ransom demands, even had it paid there would have been no assurance that the adversaries would keep their promise not to expose the data later.


Cyberattack Hits Colleton County School District

The South Carolina-based Colleton County School District recently suffered a cyberattack that affected hundreds of its staff computers. The attack took place on 4th October, when some of the school’s networks stopped functioning. The district’s IT staff detected the attack and immediately began an investigation and measures for protection against phishing. The district also hired a third-party incident response and recovery team to speed up the recovery process. According to Colleton County’s breach notification, communication systems for the community remain unaffected by the breach.

Although the breach details remain undisclosed, the district did mention that its physical security measures remain intact. The school district has engaged three cybersecurity companies (Dell Support Services, Carbon Black, and Red Cloak) to investigate the breach and recover all compromised networks. Unlike other school districts, which do not make their cybersecurity measures known, Colleton County has disclosed its plan to invest $200,000 in engaging these three cybersecurity firms for around 480 hours of work on fixing the issue.


Phlebotomy Training Specialists Leaves Amazon S3 Bucket Unsecured Online

The Los Angeles-based medical training school Phlebotomy Training Specialists recently left an unsecured Amazon S3 bucket exposed online, which affected the PII of thousands of students. The database contained 157 GB of data (around 200,000 files), including the names, dates of birth, phone numbers, email addresses, postal addresses, ID cards, driver’s licenses, CVs, genders, photos, and educational and professional summaries of students. In addition, the database contained more than 27,000 tracking forms, which included student transcripts, training certificates, and the last four digits of their Social Security numbers.

Phlebotomy Training Specialists has branches across Arizona, Texas, Michigan, Utah, and California, and this breach affected at least 27,000 to 50,000 of its course applicants and attendees. The breach was first discovered by researchers at vpnMentor, who found that the database contained data backed up from September 2020 and earlier. Of the two buckets found online, one has been secured, and perhaps the medical school is incorporating phishing prevention measures to secure the other bucket as well.


Ransomware Hits Las Vegas Cancer Center

The Las Vegas Cancer Center (LVCC) recently suffered a data breach that affected the personal information of its current and former patients. The adversaries compromised the center’s servers over the Labor Day weekend and accessed its encrypted data. The breach was discovered on 7th September, when LVCC’s staff returned to work after the holiday. While LVCC has a multi-layered anti-phishing protection scheme that uses firewalls and anti-malware software, the adversaries may still have been able to access patients’ personal information. The compromised patient data includes names, dates of birth, addresses, social security numbers, insurance details, medical records, and more.

Fortunately, the center was able to restore all compromised information, and there is no evidence of misuse of this data, but there is always the risk of the data being sold or used later. LVCC has not received any ransom demands so far, but it still advises patients (present or past) and employees to monitor their financial statements closely.


Conti Ransomware Targets High Society Jeweller Graff

The high society jeweller Graff, whose customers include world leaders, tycoons, and actors such as Donald Trump, Sir Philip Green, David Beckham, Samuel L. Jackson, Tom Hanks, and Alec Baldwin, was recently targeted by the Conti ransomware gang. The threat actors are now demanding a multi-million-dollar ransom in exchange for not leaking the sensitive information of these renowned Graff customers.

The Russian threat actor has already leaked 69,000 confidential documents belonging to Graff. This trove of data includes the personal information of over 11,000 Graff clients, and the ransomware gang claims that this is just one percent of all the stolen files. This breach is a threat to the reputation of Graff’s customers.

As part of its anti-phishing measures, Graff has sent breach notifications and advisories to all victims and informed the British authorities and the Information Commissioner’s Office (ICO) about the incident. The company is working hard to recover its systems, but even if it decides to pay the ransom, there is no way to ensure that the adversaries won’t misuse the stolen information, especially in this case, where many distinguished world figures are involved.


Ransomware Hits Toronto Transit Commission

The Toronto Transit Commission (TTC) was recently hit by a ransomware attack that brought down its computer systems. An internal investigation by TTC reveals that the attack did not lead to significant disruptions in its transit service or pose a threat to employees and the public.

TTC further stated that the breach affected only the computer displays and apps that show route information; transit vehicles continue to serve their routes. TTC is yet to provide an estimated time frame for the recovery process, but it is in constant contact with cybersecurity experts and law enforcement, and it is taking recovery measures to restore its systems as soon as possible.