There is no end to cyberattacks as the world continues to shift towards an online environment. The best preventive measure against online threat actors is to keep yourself updated on how they plan their attacks and target their next victims. Here are this week’s top phishing, ransomware, and data breach headlines.
BSI Warns Citizens of Increased Cyberthreats Ahead of Christmas
The German cybersecurity authority BSI is sending out warnings of ransomware threats to organizations as Christmas and end-of-year holidays approach. They suspect a return of the Emotet botnet and subsequent attacks on Microsoft Exchange servers. Because all employees are at home during the holidays, threat actors have greater chances of surpassing office firewalls and security systems.
BSI advises all German organizations to patch their systems and have backup files. The revival of Emotet coincides with Conti recruiting more and more affiliates through its ransomware-as-a-service (RaaS) operations. BSI has joined CISA and FBI in releasing warning notifications to prepare organizations for ransomware attacks in the holiday season. While none of these security bodies have evidence of an oncoming threat, they make this speculation based on experience and current attack trends where attackers wait for holidays and weekends to compromise networks. Adopting anti-phishing solutions at this time is the best act of preparedness organizations can engage in.
Ransomware Hits Frontier Software, Affects South Australian Govt. Data
Rob Lucas – the Treasurer of South Australia, recently announced that a ransomware attack hit its payroll provider Frontier Software, and consequently, some state employee data may have been compromised. Soon after detecting the attack, the breached organization informed the government of the same. It mentioned that data belonging to around 38,000-80,000 government employees (which was published online) was possibly affected.
The employee data stored on the database include their names, home addresses, bank details, DOBs, payroll period, tax file numbers, date of joining, remuneration, and other payroll details. Treasurer Lucas specified that no employee data from the Department for Education was compromised.
The South Australian government has been working with Frontier Software since 2001, and the organization is taking all measures for protection against phishing to assist the affected employees. The enterprise underwent an attack on 13th November and was able to restore its systems by the fourth day. It assured stakeholders that no customer data was stolen, but now Frontier Software is suggesting a possible data breach at its corporate systems.
Ransomware Hits Atalanta
Renowned North American food importer Atalanta recently announced that it underwent a ransomware attack back in July 2021, which led to a data breach affecting its employees. Immediately after discovering the attack, Atalanta hired third-party experts to investigate the breach and restore its systems. Forensic investigation revealed that data belonging to some of Atalanta’s current and former employees and visitors were compromised. However, this finding isn’t supported by any evidence of the data being misused.
Atalanta claims to have adopted measures to prevent phishing attacks soon after enduring this unfortunate cyber-attack. The most prominent private North American specialty food importer is circulating advisories among customers and stakeholders to minimize the breach’s impact. Specific details about the incident are yet to be revealed – such as the exact number of records affected, the nature of personal information exposed, the attack vector, ransomware operator, etc.
French Transportation Giant RATP Leaves HTTP Server Unsecured Online
Cybersecurity experts at vpnMentor recently found Régie Autonome des Transports Parisiens (RATP) – a state-owned French transportation giant exposing the personal information of around 60,000 employees through an unsecured HTTP server. The researchers first discovered the server on 13th October and informed RATP – the organization running public transport across France. When vpnMentor received no response from RATP, it approached the French CERT that took the matter seriously and shut down RATP.
The transportation organization had left its server unprotected and publicly available online, enabling anybody with basic web browsing skills to access it. The server contained an SQL database backup from 2018 with more than 3 million records of over 57,000 RATP employees. This contained the details, including the cybersecurity team and senior executives, including their names, email addresses, MD5-hashed passwords, and login details for their RATP employee accounts. The problem is that converting plaintext passwords to MD5 hashes is a matter of seconds for any basic commercial laptop. Adversaries could easily use the data obtained from this unsecured server to launch targeted phishing attacks. Therefore, RATP employees are advised to adopt anti-phishing measures at the earliest.
FBI Releases Notice Explaining Actions of the Cuba Ransomware Gang
Cuba ransomware is creating havoc in the financial, manufacturing, healthcare, government, and IT sectors. This has compelled the FBI to release a notice informing people of its malicious actions. The FBI informs that the ransomware group had targeted over 49 entities in 5 sectors and made more than $43.9 million through ransom payments.
Cuba operators use the Hancitor malware to gain initial access to Windows systems. The FBI circular notes that all Cuba encrypted files come with the “.cuba” extension. Cuba attacks happen in two cycles – first, the deployment of the Hancitor malware, which uses phishing emails, compromised credentials, or Microsoft Exchange vulnerabilities. Second, the deployment of genuine Windows services like PsExec, PowerShell, etc., by Cuba operators to gain Admin access and infect the system with the ransomware.
The FBI notice informs that once Cuba compromises a device, it installs ransomware and executes a CobaltStrike beacon. It further downloads two executable files that attackers access passwords. Cuba attacks also use the MimiKatz malware to steal data and RDP to access the compromised network with a specific user account.
Since Cuba has acquired a lot of money, surpassing that amount collected by several other prominent ransomware groups, the FBI warns organizations to take adequate phishing prevention measures.
Gale Healthcare Solutions Leaves Database Unprotected Online
Cybersecurity researcher Jeremiah Fowler and a team from Website Planet recently found an unencrypted online database exposing the personal information of over 30,000 US healthcare workers. Further investigation revealed that the database belonged to Gale Healthcare Solutions and exposed 170,239 records, including the names, addresses, email IDs, photos, tax documents, and Social Security Numbers. The Tampa-based tech enterprise Gale Healthcare connects aspiring healthcare workers with prospective hirers or healthcare organizations.
Fowler’s research findings reveal that the database also contained additional information related to specific incidents, terminations, and disciplines. So far, the researchers’ team has reviewed only a sample of the exposed documents hosted on an AWS cloud server. While the image of workers only contained their faces, the URL revealed their names and SSNs. When Fowler tried cross-checking the authenticity of these URLs and contacted the involved people, he found that the information was indeed genuine.
Fowler concluded that someone at Gale probably thought that having all information about a worker in the URL would make things easier – but this employee clearly missed out on the security element. Gale Healthcare initially remained unresponsive to all comment requests but later responded to dispute some of the statements made by Fowler and the team. Gale notified that the database was temporary and created for an internal system test in its defense. It is unclear how long the database has been publicly available online, nor are Gale’s phishing attack prevention measures known.
Threat Actors Steal $120 Million from DeFi Platform Badger
The decentralized platform Badger allows users to loan, borrow and predict cryptocurrency price variations. Recently, attackers stole Badger’s $120 million worth of Ether and Bitcoin assets. The platform announced the attack through a Tweet and shut down its platform for investigation as part of its anti-phishing protection measures.
The hack was first discovered by the blockchain analysis organization PeckShield, which claims that adversaries stole over 151 Ether and 2,100 Bitcoin from Badger users. This amounted to over $120.3 million and one particular user lost over 900 Bitcoin ($50.5 million). While Badger has not responded to comment requests, its users claim adversaries gained access to user accounts through a platform vulnerability. This marks the third-largest cryptocurrency platform hack this year after Cream Finance and PolyNetwork.