Threat actors are sparing no industry in their pursuit of users' digital assets. Here are this week's phishing and breach-related stories to keep you up to date on the latest developments.

 

Zurich University Targeted in a ‘Professional’ Cyberattack

The university said it is battling to keep cybercriminals out of critical zones by isolating parts of its IT system. While this containment has restricted access to its own systems, it has so far prevented the attackers from exfiltrating or encrypting data. The university alerted the Swiss authorities, students, and employees, advising them to change their passwords.

“The perpetrators are acting in a very professional manner, and the attack appears to be a part of a wider accumulation of attacks targeting educational and health institutions,” the University of Zurich stated.

“Hackers have recently carried out several attacks on universities in German-speaking countries, leading to suspension of their IT services for extended periods.” Last year, attackers used malicious software to hack the University of Neuchâtel in a cyberattack, forcing a temporary shutdown of its IT systems.

Other educational establishments targeted by cybercriminals in recent years include universities in Germany and Austria. In 2021, cybercriminals hacked the Swiss town of Rolle, and stolen data was later posted on the dark web. The 'Vice Society' group claimed responsibility and threatened to target other hospitals and municipalities. It is unclear who is behind the attack on the University of Zurich.

 

One of India's Largest Truck Brokerage Companies Leaks 140GB of Data

FR8, one of India's largest freight delivery and truck brokerage companies, recently suffered a serious data leak. According to security researcher Anurag Sen, who works with the Italian cybersecurity firm FlashStart, FR8 exposed over 140 gigabytes of data on a server that anyone could access without a password or any other form of authentication.

 


 

According to a post on Hackread.com, the leaked data contains sensitive information like customer records, payment details, and invoices across India. It also includes other personal data like employees’ and customers’ names, addresses, and contact numbers. FR8 claims that it is “India’s largest truck and transport service company” and operates in more than 60 cities.

Sen discovered the server on Shodan on January 30, 2023, while searching for misconfigured cloud databases. He notified FR8 of the leak but received no response; the only FR8 e-mail address available to the public bounces every message sent to it. Because the server requires no credentials, the records are readable by anyone who finds it, not only by the researcher who reported it. The leaked data contains:

  •   Full names
  •   Mobile numbers
  •   Internal documents
  •   Full delivery addresses
  •   Bank payment details
  •   Delivery vehicle details
  •   Internal employee details

 

PixPirate: Latest Android Banking Trojan Targets Brazilian Financial Institutions

A new Android banking trojan that abuses the Pix instant payment platform is targeting Brazilian financial institutions to commit fraud. The Italian cybersecurity firm Cleafy discovered the malware between the end of 2022 and the beginning of 2023 and is tracking it under the name PixPirate.

"PixPirate is part of the latest generation of Android banking trojans, and it can perform ATS (Automatic Transfer System). It enables cybercriminals to automate the insertion of malicious money transfers over the Instant Payment platform Pix. Multiple Brazilian banks have adopted the Pix payment platform," researchers Alessandro Strino and Francesco Iubatti said.

The trojan is the latest in a long line of Android banking malware that abuses the system's accessibility services API to carry out its functions. Once a victim grants that permission, the malware can read what is on screen and inject taps on the victim's behalf; PixPirate uses this to intercept SMS messages, disable Google Play Protect, serve rogue ads through push notifications, and prevent its own uninstallation.

 

Crypto Hacks Led by North Korean Groups Stole a Record $3.8 Billion In 2022

Last year set a new record for cryptocurrency heists, with attackers stealing over $3.8 billion. The heists were led by attackers linked to North Korea, who took more than ever before, according to a report by the U.S.-based blockchain analytics firm Chainalysis.

 


 

The Chainalysis report found that malicious activity "ebbed and flowed" throughout the year, with "large spikes" in March and October. October saw the most cryptocurrency hacking, with 32 separate attacks and $775.7 million worth of cryptocurrency stolen.

The crypto market floundered in 2022 as risk appetite diminished and several crypto firms collapsed. Regulators stepped up calls for greater consumer protection, and investors suffered considerable losses. At the time, Chainalysis and other firms confirmed that North Korea-linked accounts had lost millions of dollars in value as prices fell, but that did not deter the threat actors.

The report added that North Korea-linked attackers like those in the cybercriminal syndicate Lazarus Group had become the most prolific cryptocurrency hackers, stealing over $1.7 billion worth of cryptocurrency in multiple attacks last year. According to an expert panel monitoring United Nations sanctions, North Korea is increasingly relying on hacking to fund its missile and nuclear weapons programs, specifically as publicly declared trade collapsed under sanctions and COVID-19 lockdowns.

 

CISA Alert: Exploitable Vulnerabilities in Oracle E-Business Suite and SugarCRM

The US Cybersecurity and Infrastructure Security Agency (CISA) added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The first, CVE-2022-21587 (CVSS score: 9.8), is a critical issue affecting versions 12.2.3 through 12.2.11 of Oracle Web Applications Desktop Integrator, a component of Oracle E-Business Suite.

CISA said, “Oracle E-Business Suite has an unspecified vulnerability that enables an unauthenticated hacker with network access through HTTP to compromise Oracle Web Applications Desktop Integrator.”

Oracle addressed the issue in its October 2022 Critical Patch Update, so a fix has been available for months. Little is known about the nature of the attacks exploiting the vulnerability, but the KEV addition comes after the cybersecurity firm Viettel published a proof-of-concept (PoC) exploit on January 16, 2023.

The second flaw is CVE-2023-22952 (CVSS score: 8.8), a missing input validation in SugarCRM that can lead to the injection of arbitrary PHP code. The bug is fixed in SugarCRM versions 11.0.5 and 12.0.2. A KEV listing is a signal to prioritise: the practical first step for either product is to confirm which installed versions fall inside the affected range rather than assuming the patch was applied.
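The following is an added example, not CISA's or the vendors' code, showing how to turn the two KEV entries above into a version-range check over a host inventory. It uses the affected versions stated in the text; for SugarCRM, reading "fixed in 11.0.5 and 12.0.2" as "11.x below 11.0.5 and 12.x below 12.0.2 are affected" is an assumption, and the inventory is constructed data.

```python
"""Version-range check for the two KEV entries above.

Added example, not CISA's or the vendors' code. Affected ranges come from the
text: Oracle Web Applications Desktop Integrator 12.2.3 through 12.2.11
(CVE-2022-21587), and SugarCRM fixed in 11.0.5 and 12.0.2 (CVE-2023-22952),
which is read here as "11.x below 11.0.5 and 12.x below 12.0.2 are affected"
(an assumption). The host inventory is constructed data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


def parse_version(s: str) -> tuple[int, ...]:
    """'12.2.11' -> (12, 2, 11). Comparing tuples of ints avoids the classic
    mistake of comparing version strings, where '12.2.9' > '12.2.11'."""
    s = s.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", s):
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(part) for part in s.split("."))


@dataclass(frozen=True)
class KevRule:
    cve: str
    product: str
    # (inclusive lower bound, exclusive upper bound) per affected branch
    ranges: tuple[tuple[str, str], ...]

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in self.ranges)


RULES = (
    # 12.2.3 through 12.2.11 inclusive, so the exclusive upper bound is 12.2.12
    KevRule("CVE-2022-21587", "Oracle Web Applications Desktop Integrator",
            (("12.2.3", "12.2.12"),)),
    # assumption: fixed versions are 11.0.5 and 12.0.2, so anything earlier
    # on the 11.0 or 12.0 branch is treated as exposed
    KevRule("CVE-2023-22952", "SugarCRM",
            (("11.0", "11.0.5"), ("12.0", "12.0.2"))),
)

# Constructed inventory: (hostname, product, installed version)
INVENTORY = [
    ("erp-prod-01", "Oracle Web Applications Desktop Integrator", "12.2.9"),
    ("erp-prod-02", "Oracle Web Applications Desktop Integrator", "12.2.12"),
    ("crm-01", "SugarCRM", "11.0.4"),
    ("crm-02", "SugarCRM", "12.0.2"),
    ("crm-03", "SugarCRM", "12.0.1"),
]


def find_exposed(inventory) -> list[tuple[str, str]]:
    """Return (host, CVE) for every inventory entry inside an affected range."""
    hits = []
    for host, product, version in inventory:
        for rule in RULES:
            if rule.product == product and rule.affects(version):
                hits.append((host, rule.cve))
    return hits


if __name__ == "__main__":
    for host, cve in find_exposed(INVENTORY):
        print(f"{host}: exposed to {cve}, patch before the KEV due date")
```

The numeric tuple comparison is the point of the example: a naive string comparison would report 12.2.9 as newer than 12.2.11 and silently miss an exposed host, and an off-by-one on the inclusive upper bound would do the same for 12.2.11.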

 

Updated Variants of Prilex Can Block Contactless NFC Transactions

Researchers recently identified three new variants of Prilex, the advanced point-of-sale (PoS) malware. The latest variants block contactless NFC (Near-Field Communication) transactions, forcing customers to physically insert the card into the compromised device. The reason is that a contactless transaction produces a single-use card identifier that is of no value to the attackers, whereas the chip-based transaction that follows a forced insertion yields data Prilex can capture.

 


 

First sighted in 2014, the Prilex malware has evolved from ATM-focused malware to full-fledged PoS malware. 

Variants And Capabilities:

  • Kaspersky researchers link Prilex to Brazilian threat actors who have updated their malware with new capabilities.
  • The three new Prilex versions are 06.03.8070, 06.03.8072, and 06.03.8080.
  • These latest variants can block contactless payment transactions.
  • The recent update also adds the ability to filter cards by segment and apply separate rules to each. For example, an attacker can configure Prilex to capture card data only when it detects a Black/Infinite or corporate card.

 

EV Charging Management System Flaws Allow Disruption, Energy Theft

Researchers warn of vulnerabilities in many electric vehicle (EV) charging management systems that could allow attackers to steal energy, cause disruption, or obtain driver information.

The vulnerabilities were discovered by researchers at SaiFlow, an Israel-based company that specialises in protecting distributed energy resources and EV charging infrastructure. The weaknesses lie in the communication between the EV charge point (CP) and the charging system management service (CSMS), specifically in the use of the Open Charge Point Protocol (OCPP). The researchers confirmed that the flaws affect the CSMS products of multiple vendors.

According to SaiFlow, a cybercriminal can exploit the weaknesses and launch a distributed denial-of-service (DDoS) attack, disrupting the electric vehicle supply equipment (EVSE) network. Additionally, if the attacker manages to connect to the CSMS, they can obtain drivers’ personal information like payment card data and other sensitive data like server credentials.

 

Pro-Russian Hackers Target Dutch and European Hospitals

Dutch cyber authorities said that several hospital websites in the Netherlands and elsewhere in Europe were likely targeted by a pro-Kremlin hacking group because their countries support Ukraine. The website of the UMCG hospital in Groningen, in the north of the Netherlands and one of the largest hospitals in the country, was knocked offline in an attack on Saturday.

 


 

The Dutch National Cyber Security Centre (NCSC) said, "European hospitals, including the ones in the Netherlands, have most likely been targeted by the pro-Russian hacking group Killnet." The group had announced DDoS attacks on hospitals in countries helping Ukraine in the Russia-Ukraine conflict.

A distributed denial-of-service (DDoS) attack overwhelms the target with a deluge of internet traffic from many sources at once, disrupting the system's normal functioning; because the traffic is spread across many addresses, blocking individual sources is rarely enough on its own. Although reports say Killnet threatened to target 31 hospitals throughout the Netherlands, only UMCG has been affected so far. The NCSC said, "Currently, we have successfully mitigated the DDoS attacks, and their impact is limited."
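As an added example of the distinction just described, not tooling from the NCSC or UMCG, the script below looks for the flood signature in web server access logs in two ways: a surge in total requests per time window, and individual sources exceeding a per-IP limit. The log lines are constructed here in the Apache/nginx combined-log shape, and the window size, per-source limit and surge factor are assumptions to be tuned against a real baseline, not figures from the article.

```python
"""Rate-based detection of a volumetric (D)DoS in web server access logs.

Added example, not tooling from the NCSC or UMCG. The log lines are
constructed here in the Apache/nginx combined-log shape; the window size,
per-source limit and surge factor are assumptions to be tuned against a real
baseline, not values from the original article.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})\b'
)


def parse(line: str):
    """Return (ip, timestamp, request, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["req"], int(m["status"])


def detect(lines, window=10, per_source_limit=50, surge_factor=5.0):
    """Return (surge_windows, noisy_sources).

    surge_windows: start times (ISO 8601) of `window`-second buckets whose
    request count exceeds surge_factor x the median bucket: the flood itself.
    noisy_sources: IPs that exceeded per_source_limit in any one bucket.
    A distributed flood shows up strongly in the first list and weakly or not
    at all in the second, which is why per-IP blocking alone does not stop it.
    """
    buckets: dict[datetime, Counter] = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, _, _ = rec
        start = ts - timedelta(seconds=ts.timestamp() % window)
        buckets[start][ip] += 1
    totals = {b: sum(c.values()) for b, c in buckets.items()}
    if not totals:
        return [], []
    median = sorted(totals.values())[len(totals) // 2]
    surge = sorted(b.isoformat() for b, n in totals.items() if n > surge_factor * median)
    noisy = sorted({ip for c in buckets.values() for ip, n in c.items() if n > per_source_limit})
    return surge, noisy


def _log_line(ip: str, ts: datetime, req: str, status: int) -> str:
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" {status} 512'


def build_sample() -> list[str]:
    """Constructed data: a minute of normal traffic, one chatty client, then a
    20-second flood of 100 req/s spread thinly across 100 source addresses."""
    base = datetime(2023, 1, 28, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for s in range(60):                       # normal: 2 req/s from 5 clients
        for i in range(2):
            ip = f"203.0.113.{(s + i) % 5 + 1}"
            lines.append(_log_line(ip, base + timedelta(seconds=s), "GET /index.html HTTP/1.1", 200))
    for s in range(30, 40):                   # one client at 6 req/s for 10 s
        for _ in range(6):
            lines.append(_log_line("192.0.2.7", base + timedelta(seconds=s), "GET /search HTTP/1.1", 200))
    for s in range(60, 80):                   # flood: 1 req/s from each of 100 IPs
        for i in range(100):
            lines.append(_log_line(f"198.51.100.{i + 1}", base + timedelta(seconds=s), "GET / HTTP/1.1", 503))
    return lines


if __name__ == "__main__":
    surge, noisy = detect(build_sample())
    print("surge windows:", surge)
    print("noisy sources:", noisy)
```

On the constructed sample the two flood windows are flagged by the total-rate check, while the per-source check catches only the single chatty client and none of the 100 flood addresses, since each sends just 10 requests per window. That is the behaviour to expect from a distributed attack, and it is why mitigation is usually done upstream (rate limiting at the edge, scrubbing, or a CDN) rather than by blocking addresses one at a time.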