Threat actors continue to compromise organizations’ information assets through new and innovative ways of phishing. Here are this week’s headlines to help you stay better prepared.
Amnesty International Canada Alleges a Hack by Beijing
Amnesty International’s Canadian branch said it was the target of a China-sponsored cyberattack. The human rights organization discovered the breach on October 5 and hired cybersecurity experts and forensic investigators to examine it. Ketty Nivyabandi, Secretary General of Amnesty International Canada, said investigators found that the searches run in its systems related to China and Hong Kong and to several prominent Chinese activists. The attack took Amnesty’s systems offline for nearly three weeks.
According to the US cybersecurity firm Secureworks, the attackers made no attempt to monetize their access, which points to a threat group tasked or sponsored by the Chinese state. Secureworks attributed the activity to China based on the nature of the searches, the specific tools used, and a level of sophistication characteristic of China-sponsored actors.
“As an organization dedicated to human rights globally, we know we can become the target of state-sponsored attacks to disrupt or surveil our work. Such incidents will not intimidate us, and the privacy and security of our activists, staff, stakeholders, and donors, remain our topmost priority,” Nivyabandi said.
San Diego Unified Computer Network Hit by a ‘Cybersecurity Incident’
The San Diego Unified School District recently experienced a computer-network security breach, according to SDUSD officials. District Superintendent Lamont Jackson sent a letter to the families of students at SDUSD campuses and to district staff, alerting them to what the district describes as a “cybersecurity incident.”
Jackson wrote, “After learning about the incident, we acted quickly to secure our network, launched an investigation, and prevented disruptions to the (information technology) operations. Additionally, we engaged cybersecurity professionals and notified law enforcement to assist.”
Although SDUSD officials did not say whether sensitive data was taken or whether the breach involved a ransom demand, Jackson assured recipients that all “critical systems are operational, and the incident did not impact the safety and emergency mechanisms at schools and offices.”
“Out of caution, we changed all staff passwords and continue the process of changing student account passwords to strengthen our IT system,” the superintendent asserted. “The coming days will see our school staff providing new passwords for students on a district-prepared schedule.”
Android Malware Apps with 2 Million Installs Spotted on Google Play
Security researchers recently discovered a new set of Android adware, malware, and phishing apps on the Google Play store that tricked over 2 million users into installing them. Dr.Web antivirus discovered the apps, which pose as system optimizers and useful utilities but instead degrade device performance and the user experience.
One app the researchers highlighted was TubeBox, which amassed one million downloads. TubeBox promises monetary rewards for watching videos in the app but never pays out, displaying various errors when users try to redeem the collected rewards. Even people who complete the final withdrawal step never receive the funds; the promise is a trick to keep them in the app longer, watching ads and generating profit for the developers.
Other adware apps that appeared on Google Play in October 2022 and have since been removed include:
- Bluetooth device auto-connect (the bt auto-connect group) – 1,000,000 downloads
- Bluetooth & USB & Wi-Fi driver (simple things for all) – 100,000 downloads
- Volume and Music Equalizer (the bt auto-connect group) – 50,000 downloads
- Fast Cleaner and Cooling Master (Hippo VPN LLC) – 500 downloads
Mitsubishi Electric PLCs Exposed to Attacks by Engineering Software Flaws
Researchers at Nozomi Networks, an industrial cybersecurity firm, recently discovered three vulnerabilities in Mitsubishi Electric engineering workstation software that attackers could exploit to compromise safety systems. The software in question is GX Works3, Mitsubishi Electric’s configuration and programming tool for MELSEC iQ-F and iQ-R PLCs (programmable logic controllers).
The three vulnerabilities in GX Works3, tracked as CVE-2022-29831, CVE-2022-29832, and CVE-2022-29833, allow an attacker to extract information from GX Works3 project files and use it to compromise connected safety CPU modules.
Project files for the safety modules are password-encrypted and require a user-configured username and password to open. However, the researchers found cleartext storage of sensitive information, a hardcoded password, and insufficiently protected credentials in the way these files are produced, which can expose the credentials and other sensitive data to anyone who obtains the file.
An attacker could obtain a project file from a shared engineering workstation, a misconfigured file server, or by intercepting unprotected communications. With the file in hand, the attacker exploits the vulnerabilities to gather the information needed to attack the industrial control system (ICS), so a project file that leaves the engineering network should be treated as a credential leak.
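The design flaw behind these three CVEs is general enough to show in code. The Python below is an added illustration written for this page, not code from Mitsubishi Electric, Nozomi Networks, or the GX Works3 file format: it contrasts a project-file record that “encrypts” the username and password under a key baked into the engineering tool (a hardcoded secret, which makes the stored credential effectively cleartext to anyone who can extract the key from the software) with a record that derives its keys from the user’s password and never writes the password out. The record layout, the `HARDCODED_KEY` value, the sample credentials and the SHA-256 counter-mode keystream standing in for a real cipher are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed for this example: a vendor-wide secret compiled into the tool.
# Anyone who can run or disassemble the tool can recover it, so it protects nothing.
HARDCODED_KEY = b"vendor-default-project-key"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256; a toy stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


# --- Weak design: credentials encrypted under a key the attacker can obtain ---

def weak_seal(username: str, password: str) -> bytes:
    """Write 'user:pass' encrypted under the hardcoded key. Looks protected; is not."""
    nonce = os.urandom(16)
    plaintext = f"{username}:{password}".encode()
    return nonce + _xor(plaintext, _keystream(HARDCODED_KEY, nonce, len(plaintext)))


def weak_recover(record: bytes, leaked_key: bytes) -> tuple[str, str]:
    """What an attacker does with a copied project file plus the key pulled from the tool."""
    nonce, ct = record[:16], record[16:]
    user, pw = _xor(ct, _keystream(leaked_key, nonce, len(ct))).decode().split(":", 1)
    return user, pw


# --- Hardened design: keys derived from the password, no credential in the file ---

ITERATIONS = 200_000  # PBKDF2 work factor; raises the cost of offline guessing


def strong_seal(username: str, password: str, body: bytes) -> bytes:
    """Encrypt and authenticate the project body under keys derived from the password.

    Record layout (constructed): username \\0 salt(16) nonce(16) ciphertext tag(32).
    The password appears nowhere; the salt makes precomputed tables useless.
    """
    salt = os.urandom(16)
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    enc_key, mac_key = km[:32], km[32:]
    nonce = os.urandom(16)
    ct = _xor(body, _keystream(enc_key, nonce, len(body)))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return username.encode() + b"\0" + salt + nonce + ct + tag


def strong_open(record: bytes, password: str):
    """Return (username, body) for the right password, or None for a wrong one or a tampered file."""
    username, rest = record.split(b"\0", 1)
    salt, nonce, ct, tag = rest[:16], rest[16:32], rest[32:-32], rest[-32:]
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    enc_key, mac_key = km[:32], km[32:]
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):  # constant-time compare
        return None
    return username.decode(), _xor(ct, _keystream(enc_key, nonce, len(ct)))


def credential_in_record(record: bytes, password: str) -> bool:
    """True if the on-disk record contains the password verbatim (plain cleartext storage)."""
    return password.encode() in record


if __name__ == "__main__":
    leaked = weak_seal("engineer", "s3cret")
    print("weak design, attacker with extracted key:", weak_recover(leaked, HARDCODED_KEY))
    rec = strong_seal("engineer", "s3cret", b"safety program v1")
    print("hardened, right password:", strong_open(rec, "s3cret"))
    print("hardened, wrong password:", strong_open(rec, "guess"))
```

The contrast to take away: in the weak design the confidentiality of every project file rests on one secret shared by every installation of the tool, so once it is extracted (or published) every file ever produced is readable; in the hardened design the file carries only a salt, a nonce, ciphertext and a tag, and an attacker who steals it is reduced to an offline guessing attack whose cost is set by the PBKDF2 work factor and the password’s strength. For a real engineering tool the toy keystream should be replaced by an authenticated cipher such as AES-GCM from a vetted library; the key-derivation and no-stored-credential structure is the part that matters.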
Millions of WhatsApp File Records For Sale on the Dark Web
In mid-November, a malicious actor posted on a dark web forum claiming to have stolen the personal information of over 500 million WhatsApp users. Check Point Research (CPR) recently published an advisory analyzing the exposed files and confirmed that the leak includes 360 million phone numbers across 108 countries.
While CPR researchers could not confirm that the leaked phone numbers belong to WhatsApp users, they noted that the per-country counts vary widely, from 604 numbers for Bosnia and Herzegovina to 35 million for Italy. According to the advisory, the list was offered for sale for four days, and threat actors are now distributing it free of charge among dark web users.
Deryck Mitchelson, field CISO, EMEA at CPR, said, “While the leaked information does not expose the message content, it is worrying to see such a massive volume of phone numbers up for sale on the Dark Web. We believe that hackers can use this information to carry out tailored phishing attacks in the future.”
Furthermore, Karol Paciorek, a security researcher working with the Polish financial sector (CSIRT KNF), said that the exposed database is a re-use of data from the 2019 Facebook breach.
Vatican Website Down in Suspected Hacking Attack
The Holy See said that the official Vatican website went offline recently following an apparent hacking attempt. “Technical investigations are on because we discovered abnormal attempts to access the website,” Vatican spokesperson Matteo Bruni said without divulging further details.
The suspected attack came a day after Moscow criticized Pope Francis for his latest condemnation of Russia’s invasion of Ukraine. In a Jesuit magazine interview, the pope had singled out Chechnya and other ethnic minority troops in Russia for their “cruelty” during the war.
Connexin Software Breach Impacts Over 2.2M Pediatric Patients
According to HealthITSecurity, the data of over 2.2 million patients across 120 pediatric physician practices and groups in the US may have been compromised in an August breach targeting Connexin Software, a pediatric health IT vendor. Connexin sent a data breach notification letter to affected individuals. It states that after infiltrating Connexin’s internal network, cybercriminals removed parts of a patient dataset that the company keeps for troubleshooting and data conversion.
The incident may have exposed pediatric patients’ demographic data, Social Security numbers, treatment details, billing and claims data, and health insurance information. The breach also affected data on guarantors, parents, and guardians, but Connexin emphasized that its physician practices’ systems, live electronic health record systems, and medical records systems were not affected.
Fake Security App Abusing Japanese Payment System
McAfee’s Mobile Research team analyzed new malware targeting Japanese mobile payment users. The malware, distributed through the Google Play store, looks like a legitimate mobile security app but is payment fraud malware that abuses a reverse proxy and steals passwords.
McAfee researchers notified Google about the malicious apps, published as ‘Smartphone Anshin Security’ with package names ‘com.z.px.appx’ and ‘com.z.cloud.px.app’. The applications were removed from the Google Play store, and Google Play Protect also took steps to disable the apps and protect users. McAfee Mobile Security products detect the threat as Android/ProxySpy.
The threat actor continues to publish such apps on the Google Play store from various developer accounts. According to Yusuke Osumi, a security researcher at Yahoo! Japan, the threat actor sends SMS messages from overseas containing a Google Play link to lure users into installing the malware. The message urges targets to update their security software, which draws in more victims.
When a user installs and launches the malware, it asks for the payment service password. Whatever the user enters, the app displays an “incorrect password” message and asks again, so that victims keep trying other passwords and the malware harvests every attempt. Whether the password is correct is irrelevant; the repeated prompt is simply a technique for collecting the service password.