Data security incidents are on the rise and are impacting organizations across various sectors, regardless of their size. With vast amounts of personal and sensitive information being stored online, the ramifications of a data breach can be detrimental to both individuals and businesses. Here are this week’s headlines to keep you updated on the latest data breaches and security incidents highlighting the importance of phishing protection.

Researchers Discover Multiple Vulnerabilities in Healthcare Software OpenEMR

Security experts found three vulnerabilities in OpenEMR, the open-source software for medical practice management and electronic health records. Sonar clean code experts published an advisory about the flaws discovered by security researcher Dennis Brinkrolf.

Brinkrolf wrote, “During our research of popular web applications, we recently discovered several code vulnerabilities in OpenEMR.”

These vulnerabilities allow remote hackers to execute arbitrary system commands on OpenEMR servers and steal sensitive patient data. In the worst-case scenario, they can compromise the entire critical infrastructure.

The security expert added that Sonar’s static application security testing (SAST) engine found that two combined vulnerabilities can cause unauthenticated remote code execution (RCE).

Latest Database Injection Attacks Compromise WordPress Sites

A massive campaign leveraged hacked WordPress sites and redirected victims to tech support scams, phishing, adult dating, or drive-by-downloads attacks. The cybercriminals ensured that their malicious payloads remained undetected through multiple redirects and legitimate downloads.

Sucuri researchers say that they noticed a rise in WordPress infections linked to the malicious domain violetlovelines[.]com. They added that the campaign has been active since December 26, 2022, impacting 5,600 websites.

The campaign evolved recently: the cybercriminals switched from fake CAPTCHA push notification scam pages to black hat ad networks. These malicious ad networks redirect targets to legitimate, malicious, or shady websites and trick them into downloading malware.

The attack's stages:

  • The campaign uses various stages for deploying a Traffic Direction System (TDS), script injections, redirect chains, and ad networks.
  • Threat actors use two common injection types – an obfuscated JavaScript injection or a simple script tag injection.
  • Users get redirected to a script on other attacker-operated subdomains, further leading to the malicious ad network’s multiple domains.
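The two injection types listed above can be spotted by scanning stored post content before it is served. The following detector is an added example, not code from the article or from Sucuri; the allowlisted hostnames and the sample posts are constructed for illustration.

```python
"""Added example: flag script-tag injections and obfuscated inline JavaScript
in WordPress post content. Sample posts and the host allowlist are constructed."""
import re
from urllib.parse import urlparse

# Hosts this (hypothetical) site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"example-blog.test", "cdn.example-blog.test"}

SCRIPT_TAG_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)
INLINE_SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Heuristics for obfuscated JavaScript: dynamic evaluation plus encoded payload runs.
OBFUSCATION_MARKERS = (
    re.compile(r"\beval\s*\("),
    re.compile(r"String\.fromCharCode"),
    re.compile(r"\bunescape\s*\("),
    re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),   # long \xNN escape sequences
    re.compile(r"(?:\d{2,3},\s*){10,}"),         # long lists of character codes
)

def scan_post_content(html: str) -> list[dict]:
    """Return findings for one post: unknown external script hosts and obfuscated inline JS."""
    findings = []
    for m in SCRIPT_TAG_RE.finditer(html):
        src = m.group(1)
        # Relative paths have no host and are skipped; scheme-less "//host/x.js" is parsed.
        host = urlparse(src if "//" in src else "//" + src).hostname or ""
        if host and host.lower() not in ALLOWED_SCRIPT_HOSTS:
            findings.append({"type": "script_tag_injection", "host": host, "src": src})
    for m in INLINE_SCRIPT_RE.finditer(html):
        hits = [p.pattern for p in OBFUSCATION_MARKERS if p.search(m.group(1))]
        if len(hits) >= 2:  # require two markers to keep false positives low
            findings.append({"type": "obfuscated_js_injection", "markers": hits})
    return findings

def scan_site(posts: dict[int, str]) -> dict[int, list[dict]]:
    """Return {post_id: findings} for every post showing either injection type."""
    return {pid: f for pid, html in posts.items() if (f := scan_post_content(html))}

# Constructed sample posts: a clean one, a script-tag injection pointing at the
# domain named in the article, and an obfuscated inline injection.
SAMPLE_POSTS = {
    1: "<p>Welcome.</p><script src='https://cdn.example-blog.test/app.js'></script>",
    2: "<p>Hello</p><script src=\"//violetlovelines.com/js/main.js\"></script>",
    3: "<p>Hi</p><script>eval(String.fromCharCode(118,97,114,32,97,61,49,59))</script>",
}

if __name__ == "__main__":
    for pid, findings in scan_site(SAMPLE_POSTS).items():
        print(pid, findings)
```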

Cyberattacks Targeting German Airports’ Websites

The German airports’ websites, financial sector organizations, and public administration bodies became the latest target of cyberattacks initiated by a Russian “hacker group,” according to the authorities. A spokesman said that the Federal Cyber Security Authority (BSI) was aware of the DDoS attacks against targets in Germany.

Cybercriminals design a DDoS (distributed denial-of-service) attack to overwhelm the victim with a deluge of internet traffic, preventing their system from functioning normally.

Threat actors aimed the attacks “in particular at the airports’ websites” and some “financial sector targets” and “federal and state administrations’ websites,” the spokesman said.

The BSI spokesman further added that the Russian hacker group Killnet had announced the attack. The group’s call was a response to Chancellor Olaf Scholz’s recent announcement that Germany will send Leopard 2 tanks to Ukraine to help it repel the Russian invasion, financial daily Handelsblatt quoted. However, the BSI spokesman said it was “particularly hard” to attribute Thursday’s attacks directly to the hacker group.

CVE-2023-23560 Vulnerability Exposes 100 Lexmark Printer Models to Hack

Lexmark recently released a security firmware update that removes a remote code execution vulnerability (tracked as CVE-2023-23560) affecting over 100 printer models. CVE-2023-23560 is a server-side request forgery (SSRF) in the Web Services feature of Lexmark printers and received a CVSS score of 9.0.

Threat actors can exploit a vulnerable printer to gain unauthorized access to the target network. After compromising the printer, the attacker can access the print spooler, obtain credentials for the connected network, or expose sensitive documents.

However, users can rest assured that Lexmark did not discover any attacks in the wild where hackers exploited the CVE-2023-23560 vulnerability.

To check whether your device runs a vulnerable firmware version, go to “Settings” -> “Reports” -> “Menu Setting Page” from the operator panel. If the firmware level shown under “Device Information” matches one of the “Affected Releases” listed in the advisory, you must upgrade to a “Fixed Release.”

CISA: Hackers Use Legitimate Remote Desktop Tools to Hack Federal Agencies

CISA, the NSA, and MS-ISAC issued a joint advisory warning that attackers are using legitimate remote monitoring and management (RMM) apps to fulfill their malicious purposes. CISA recently used the EINSTEIN intrusion detection system and discovered malicious activity within various federal civilian executive branch (FCEB) agencies’ networks. It acted after the Silent Push report released in mid-October 2022.

The researchers linked the activity to a “widespread and financially motivated phishing campaign” that Silent Push reported. “The authoring organizations assessed that since June 2022, threat actors have sent help desk-themed phishing messages to the FCEB federal staff’s personal and official email addresses,” the advisory reads.

“The emails either contained a link to a ‘first-stage’ malicious domain or prompted the recipients to call the cyber criminals, who tried to convince the victims to visit the first-stage malicious domain.” The malicious actors used portable remote desktop software executables, allowing them to gain access to the victim’s system as an admin without a complete software installation or admin permissions.

Ticketmaster Blames Bots for Taylor Swift ‘The Eras’ Tour Debacle

When armies of Taylor Swift fans got locked out in November and could not purchase tickets for her “The Eras” tour, the “Swifties” demanded answers, and the Senate agreed. Ticketmaster parent Live Nation executives testified in Senate Judiciary Committee hearings against criticism that its market position reduced its accountability to fans, leading to its unpreparedness for the anticipated demand.

The executives insisted that Ticketmaster’s live music market dominance did not cause the Swift sales collapse; a cyberattack did. “There was an unprecedented demand for Taylor Swift’s event tickets,” according to Ticketmaster’s opening testimony. “We were aware that the bots would attack the on-sale and planned accordingly.”

However, the testimony says that Ticketmaster saw triple the expected volume of bots, which both attempted to compromise the ticket sales servers for access codes and tried to purchase tickets.

“While the bots could not acquire any tickets or penetrate our systems, the attack pushed us to slow down and pause our sales,” the company said, further adding that the difference was that this time, instead of the bots attempting to buy the tickets, they were attacking the system.

Hackers Impersonate Chinese Ministry in a QR Code-Based Phishing Attack

FortiGuard Labs recently found a phishing campaign using multiple QR codes to target Chinese users to steal their credentials.

The email consists of an attached Word document, which spoofs the Chinese Ministry of Finance. The document presents some Chinese text and a large QR code in the center when the user opens the document. After scanning the code, the user gets redirected to a URL, which leads to a hacker-controlled website. The website is a DingTalk instance (an enterprise communication platform) spoof that prompts users to key in their details to steal them.

Why does the attack matter?

Threat actors consider user credentials valuable because they can gain direct access to a victim’s environment or applications. An attacker can directly use the credentials or sell them to another group for their operations. The above phishing campaign highlights that attackers are leveraging new ways to target users and lure them into sharing confidential information.

GTA 5 Players Warned ‘To Not Play At All’ as Hacks Worsen

In the past few days, GTA Online’s PC version was targeted by some of the most malicious exploits and hacks the platform has ever seen. GTA Online hacks have been an ongoing and troublesome issue for years, but the latest wave, reportedly driven by the 2022 GTA 5 source code leak, is on another level entirely.

Players logging in without a firewall can face various issues. Their stats can be modified, data corrupted, accounts banned, and an aggressive cheat engine can impact their PC.

When the news describing the new wave of hacks and exploits surfaced on Twitter, players immediately started advising gamers not to log into GTA Online. As the ‘partial remote code execution’ hacks circulate, mod menus are getting delivered, allowing hackers to manipulate critical aspects of the game.

Last year, GTA 5 faced one of the most significant breaches in gaming history when hackers stole its source code and distributed it, along with 100 GB of content from Rockstar’s upcoming GTA 6 project.