As threat actors continue evolving their methods to lure their next targets, one needs to be aware of these methods to thwart malicious actors’ intrusion attempts successfully. Here are this week’s headlines to help you plan your cyber hygiene measures.
Over 80 Organizations Worldwide were Impacted by a Backdoored Version of a Popular Network Admin Tool
According to research by Kaspersky, a malicious version of a popular network administrators’ tool used to manage LANs (local area networks) provided backdoor access to the attacker and impacted at least 80 organizations globally.
Although software supply chain attacks are becoming common among cybercriminals, the AdvancedIPSpyware case is unique because researchers say they encountered a signed backdoored binary. It is possible attackers used a stolen certificate to sign the malware-laced version.
Kaspersky’s Jornt van der Wiel noted that large organizations use the Advanced IP Scanner to provide system administrators with an overview of the network and insight into device operations in their home network to security enthusiasts.
“Since it is anonymous, we cannot detect organizations having the tool’s backdoored version installed,” he said. However, the report states that the tool’s malicious version has infected over 80 entities globally, including Western Europe, Africa, South Asia, Latin America, and countries in the Commonwealth of Independent States.
US Agencies Publish a Report on Top CVEs Exploited by Chinese State-Sponsored Cyber Actors
NSA, CISA, and FBI continuously assess PRC (People’s Republic of China) state-sponsored cyber activities because they are the most dynamic and largest threats to civilian networks and the US government.
PRC state-sponsored threat actors continue to target critical government infrastructure networks with increasingly sophisticated and adaptive techniques—which pose a significant risk to Information Defense Industrial Base (DIB) organizations, Technology Sector organizations (including telecommunications providers), and other critical infrastructure organizations.
The US agencies recently published a report on the actively exploited CVEs by the Chinese threat actors. The report states that threat actors continue exploiting vulnerabilities and targeting networks of interest using publicly available tools. The report adds that PRC state-sponsored actors actively target the US and allied networks, including software and hardware enterprises, to steal intellectual property.
Ikea’s Smart Light System: Attackers Can Exploit a Flaw and Turn Bulbs on Full Blast
Researchers recently demonstrated how a cybercriminal could gain control of light Ikea Trådfri smart lighting system’s light bulbs and turn them up to full brightness. The users cannot reduce the brightness through the remote control or app. Cybersecurity researchers at Synopsys CyRC discovered that if the attackers repeatedly re-send the malformed Zigbee frame, they can exploit the two vulnerabilities (tracked CVE-2022-39064 and CVE-2022-39065) in the Ikea’s Trådfri smart lighting system.
According to the Synopsys report, the malformed Zigbee frame is a malicious and unauthenticated broadcast message, meaning all vulnerable devices within the radio range get affected. The result of the IoT (Internet of things) security flaw is that it leads to a lighting system factory reset, and the user loses control over their bulbs through the companion Trådfri remote control and the Ikea Smart Home application, Syopsys added. It starts with a flicker and permanently leaves the lights on at full brightness.
Family Medical: Possible Data Compromise Affecting 234k Patients
Family Medical Center Services informed 233,948 patients that their data might be compromised after a “network data security incident.” FMC comprises the network of 75 primary healthcare clinics in Canyon and Amarillo, Texas.
After discovering the incident, FMC launched an investigation and took immediate measures to stop the proliferation. Although the forensics did not confirm if hackers specifically accessed any information for misuse, FMC informed the patients that their data might have got exposed because of the “attack.”
The compromised data includes names, contact details, Social Security numbers, and protected health information. FMC said all impacted patients would soon receive identity monitoring services. The brief notice does not provide further details on the threat actors behind the attack. FMC “continuously enhances the security of its network environment by monitoring the evolving threat landscape and taking appropriate actions.”
Tucson, Arizona Discloses Data Breach Impacting Over 123,000 People
As revealed in a notice informing about the data breach affecting people, a threat actor breached the city’s network and accessed an undisclosed number of files with sensitive information. The attackers had accessed the network from May 17 to May 31 and might have stolen or accessed documents with information of 123,513 individuals.
“On May 29, 2022, the City learned about suspicious activity involving a resident’s network account credential,” according to the data breach notification.
“On August 4, 2022, the City discovered that certain files might be copied and exfiltrated from the City’s network.”
The potentially accessed files contain information like certain individuals’ names, Social Security numbers, passport numbers, driver’s licenses, or state identification numbers. The notification sent to affected individuals also adds that there is no evidence that the attackers misused the personal information until now.
Russian-Speaking Hackers Strike The US State Government Websites
Russian-speaking hackers claimed responsibility for knocking state government websites offline in Colorado, Mississippi, and Kentucky, among other states. It is the latest example of a politically motivated hacking attempt following Russia’s invasion of Ukraine.
The Kentucky Board of Elections website, which posts information for users on how to register to vote, was temporarily offline, but it was not clear what caused the outage. The Kentucky government manages The board of elections’ website, though the attackers did not specifically list it as a target.
The websites in Colorado, Mississippi, and Kentucky came back online sporadically, and administrators appeared to try to bring them online. Although the campaign does not appear to target US elections infrastructure particularly, election-related websites were indirectly or directly impacted through the hacking attempt, the EI-ISAC (Elections Infrastructure Information Sharing & Analysis Center), a nonprofit-linked threat-sharing center, shared in an email to CNN.
The hacking group claiming responsibility for the outage is called Killnet, and it stepped up activity after Russia invaded Ukraine to target enterprises in NATO countries. They are a band of “hacktivists” — politically motivated threat actors who support the Kremlin, but their ties to the government are unknown.
Fake LinkedIn Profiles a Major Headache for HR
A recent deluge of phony executive LinkedIn profiles created an identity crisis for the business networking site and organizations relying on it to screen and hire prospective employees. The fake LinkedIn identities — which combine AI-generated profile pics and descriptions from legitimate accounts — are becoming major headaches for HR departments and users managing invite-only LinkedIn groups.
KrebsOnSecurity examined numerous inauthentic LinkedIn profiles last week, all claiming CISO (Chief Information Security Officer) roles at Fortune 500 companies, including Chevron, ExxonMobil, Biogen, and Hewlett Packard.
After the response from LinkedIn readers and users, it is clear that fake profiles are coming up en masse for most executive roles, particularly for industries and jobs adjacent to recent global news trends and events.
Hamish Taylor, who runs the LinkedIn Sustainability Professionals group, having over 300,000 members, said they have blocked over 12,700 suspected phony profiles this year. He describes various recent accounts as “attempts to exploit Crisis Relief and Humanitarian Relief experts.”
New Zealand: Cyber Attack on Healthcare Services Provider Pinnacle a ‘Wake Up Call’
A top doctor recently called the cyberattack on a major primary health provider that potentially compromised the details of thousands of patients a “wake-up call to the healthcare sector.”
Health workers are scrambling to manage a campaign that compromised details of Pinnacle, a Waikato and Bay of Plenty health provider, operating dozens of GP practices.
Dr. Bryan Betty, Director of the Royal New Zealand College, said the attack was concerning. Still, he got reassurance that Pinnacle was taking appropriate steps to deal with the cyber incident. He added the attack targeted “topline data” and didn’t impact patient records.
“They will need to put in more effort to unpack that.”
But, he added that the incident must serve as a “wake-up call” to the sector. In a statement, Pinnacle said the impacted services include the regional offices of Pinnacle Group and Primary Health Care Ltd (PHCL) services across Taranaki, Rotorua, Thames-Coromandel, Taupō-Tūrangi, and Waikato.
Chief executive Justin Butcher commented that while investigations were underway before the attack got notified and Pinnacle secured the IT systems, the malicious actors accessed system information, including personal and commercial details.