Not a week passes without news of cybercriminals targeting organizations worldwide. From compromising government websites to crippling large healthcare organizations, here are this week's phishing and breach-related updates.
Indiana Health Entity Reports a Data Breach Involving Tracking Code
An Indiana healthcare network became the latest medical entity to classify the usage of online tracking code as a data breach, reporting it to federal regulators. Community Health Network recently reported an unauthorized access/disclosure breach to the U.S. Department of Health and Human Services that affected 1.5 million individuals involving the website tracking code.
The nonprofit health system, which has over 200 sites and affiliates across Central Indiana, said it recently learned that several third-party tracking technologies on its websites – including ones from Google and Facebook – were transmitting patient information to the tracking technology vendors. Between August and November, Community Health Network investigated, removed, or disabled the “problematic technologies” on its website.
“We are in the process of better understanding the extent and nature of patient information that got transmitted,” the statement says.
The health system started using tracking technologies on April 6, 2017. It said that any user scheduling an appointment on the eCommunity.com website or visiting the Community Health Network patient portal from that time might be at risk of data theft.
Greater Toronto School Goes Offline Following a ‘Cyber Incident’
A cyber-attack targeting a school district in Toronto’s outer suburbs plunged school administration into the pre-digital era by disabling online learning for its students. The Durham District School Board, serving over 74,000 day students, disclosed that the incident affected phone and email services and “most” student Chromebooks.
“Schools are open, but they will take attendance manually, and the parents will not get a notification if their child is absent.”
The eastern Toronto exurbs district provides public education in 136 elementary and secondary schools and employs over 7,000 educational services and teaching staff. The district school board said it notified law enforcement, retained outside assistance, and took steps to secure its network.
The school district’s notification doesn’t mention “ransomware,” and when asked whether the systems got maliciously encrypted, the district spokesperson declined to comment. He clarified that “the network is down, and hence, we cannot authenticate people on the network, making the Chromebooks inoperational.”
Hackers Exploit Critical Flaw to Bypass Fortinet Products
Cyble’s Global Sensor Intelligence (GIS) team, while performing routine monitoring, recently discovered a threat actor distributing unauthorized access to Fortinet VPNs on a Russian cybercrime forum. On evaluating the access, researchers found that the cybercriminal had tried to add a public key to a user’s account. Further investigation revealed that the targeted businesses were running outdated FortiOS software.
The researchers tied the activity to CVE-2022-40684, an authentication bypass in FortiOS, which attackers exploited to reach the administrative interface without credentials. According to Cyble’s November 24, 2022 research, multiple Fortinet products are affected by the flaw, including FortiOS, FortiSwitchManager, and FortiProxy.
Cyble’s advisory says that the vulnerability allows cybercriminals to perform operations on the “administrative interface” through specially crafted HTTP or HTTPS requests. According to the advisory, the following Fortinet versions are affected:
- FortiProxy version 7.2.0
- FortiSwitchManager version 7.2.0
- FortiSwitchManager version 7.0.0
- FortiOS version 7.0.0 through 7.0.6
- FortiOS version 7.2.0 through 7.2.1
- FortiProxy version 7.0.0 through 7.0.6
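A small inventory triage helper, added here as an example (not Cyble's or Fortinet's code), that parses version strings and reports which appliances fall inside the affected ranges listed above; the host names are constructed samples:

```python
# Added example: check a Fortinet product/version pair against the affected
# ranges for CVE-2022-40684 as listed in the advisory summary above.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# product -> inclusive (first, last) version ranges, taken from the list above
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "FortiOS": [("7.0.0", "7.0.6"), ("7.2.0", "7.2.1")],
    "FortiProxy": [("7.0.0", "7.0.6"), ("7.2.0", "7.2.0")],
    "FortiSwitchManager": [("7.0.0", "7.0.0"), ("7.2.0", "7.2.0")],
}


def parse_version(text: str) -> Version:
    """Turn 'v7.0.6' or '7.0.6' into a comparable tuple (7, 0, 6)."""
    parts = text.strip().lower().lstrip("v").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> Optional[bool]:
    """True/False for products in the advisory list; None if the product
    is not listed (caller should consult the vendor advisory directly)."""
    ranges = AFFECTED.get(product)
    if ranges is None:
        return None
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return host names from (host, product, version) rows that need patching."""
    return [host for host, product, version in inventory
            if is_affected(product, version)]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("fw-edge-1", "FortiOS", "7.0.5"),
        ("fw-edge-2", "FortiOS", "7.0.7"),
        ("proxy-1", "FortiProxy", "v7.2.0"),
        ("swm-1", "FortiSwitchManager", "7.0.1"),
    ]
    print(triage(sample))  # ['fw-edge-1', 'proxy-1']
```

Versions with fewer components than the range bounds (e.g. "7.0") sort below "7.0.0" and are reported as not affected, so normalise inventory strings to three components first.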
Scammers Use FC Barcelona’s Website for Fraud
In a sophisticated third-party fraud campaign, scammers abused the official website of FC Barcelona, the top European football club. According to Adex, the ad fraud monitoring platform, the cybercriminals used the website to drive traffic to a fraudulent iGaming website.
Over 5.4 million people visit FC Barcelona’s website monthly, making it one of the most visited football club websites. The investigators discovered a suspicious-looking link on the Barca website and started probing the matter.
According to the experts, the link leads to an online gambling portal aimed at the Indonesian market. On analysis, they spotted a nameserver (NS) record mismatch between the second- and third-level domains: the attackers hosted the NS records of the subdomain on Google Cloud DNS, while the official website is hosted on Amazon Web Services (AWS). The researchers quickly informed FC Barcelona about the issue, which had likely not noticed the suspicious activity.
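The NS mismatch described above can be hunted for across a domain estate by comparing each subdomain's delegation with its parent zone. The following detector is an added example, not Adex's tooling; the zone data is constructed, and the provider markers (AWS Route 53, Google Cloud DNS) are assumptions based on the public naming patterns of those services:

```python
# Added example: flag subdomains delegated to a different DNS provider than
# their parent zone. Zone data is constructed; for live checks, replace
# SAMPLE_ZONES with real NS lookups (e.g. via dnspython).
from typing import Dict, List, Optional, Tuple

# Substring in a nameserver host name -> provider label (assumed patterns).
PROVIDER_MARKERS = {
    "awsdns": "AWS Route 53",              # e.g. ns-10.awsdns-01.com
    "googledomains.com": "Google Cloud DNS",  # e.g. ns-cloud-a1.googledomains.com
    "cloudflare.com": "Cloudflare",
}

# Constructed sample: the parent zone and one subdomain live on AWS,
# while 'promo' has been delegated to Google Cloud DNS.
SAMPLE_ZONES: Dict[str, List[str]] = {
    "example-club.test": ["ns-10.awsdns-01.com", "ns-500.awsdns-62.net"],
    "shop.example-club.test": ["ns-11.awsdns-02.org"],
    "promo.example-club.test": ["ns-cloud-a1.googledomains.com",
                                "ns-cloud-a2.googledomains.com"],
}


def provider_of(nameserver: str) -> str:
    """Map a nameserver host name to a provider label, or 'unknown'."""
    ns = nameserver.rstrip(".").lower()
    for marker, label in PROVIDER_MARKERS.items():
        if marker in ns:
            return label
    return "unknown"


def parent_zone(name: str, zones: Dict[str, List[str]]) -> Optional[str]:
    """Walk up the labels until a name we hold NS records for is found."""
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def find_delegation_mismatches(zones: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (subdomain, parent, sub_providers, parent_providers) for every
    name whose nameserver provider set differs from its parent zone's."""
    findings = []
    for name, nameservers in zones.items():
        parent = parent_zone(name, zones)
        if parent is None:
            continue  # apex zone, nothing to compare against
        sub = {provider_of(ns) for ns in nameservers}
        par = {provider_of(ns) for ns in zones[parent]}
        if sub != par:
            findings.append((name, parent, "/".join(sorted(sub)), "/".join(sorted(par))))
    return findings
```

Running `find_delegation_mismatches(SAMPLE_ZONES)` reports only the `promo` subdomain; a mismatch is a lead for review, not proof of compromise, since legitimate teams also delegate subdomains to other providers.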
Ransomware Gang Targets Belgian Municipality, Misses and Hits Police Instead
The Ragnar Locker ransomware gang recently published stolen data it claimed came from the municipality of Zwijndrecht, but the data was actually stolen from the Zwijndrecht police, a local police unit in Antwerp, Belgium. The leaked data includes numerous car number plates, crime report files, fines, investigation reports, personnel details, and more.
Such leaks can expose citizens who report crimes and compromise ongoing law enforcement investigations and operations. Belgian media outlets are calling the leak one of the biggest of its kind to affect a public service in the country. It exposed all data held by the Zwijndrecht police from 2006 to September 2022.
Zwijndrecht police responded by downplaying the impact of the incident, saying that the attackers only accessed the network on which administrative data is held. In conceding that the cybercriminals reached the administrative network, however, the police also acknowledged that the incident affected police personnel.
Sonder Confirms Data Breach Impacting PII of its Guests
Hospitality firm Sonder recently confirmed a data breach that potentially compromised guest records. According to a recent security update published on its website on November 23, 2022, Sonder learned about unauthorized access to its systems on November 14.
“Sonder believes the incident involved guest records created before October 1, 2021,” the company wrote. Furthermore, it added that there was no evidence indicating involvement of accounts created after November 14, 2022.
“This suggests that the company improved their security stance since last October, and the attacker accessed an old backup or copy of the data,” according to Mark Warren, the product specialist at Osirium.
The compromised data reportedly includes usernames and encrypted passwords, phone numbers, names, email addresses, dates of birth, and addresses. Certain guest transaction receipts, including transaction amounts, credit card numbers, and the dates booked for stays at Sonder properties, could also have been compromised.
“Additionally, Sonder believes that attackers might have accessed government-issued identification copies like driver’s licenses or passports for a few guest records,” the company added. Sonder explained that after discovering the breach, it took immediate steps to contain it, including ensuring the unauthorized individual could no longer access the systems.
“We ensured that operations did not get affected and are investigating the scope of the incident,” the company said.
India: Ransomware Attack Cripples AIIMS
The National Informatics Centre (NIC) at AIIMS New Delhi said that a ransomware attack had hit the hospital server, crippling day-to-day activities such as OPD registrations and blood sample reports. Patients and doctors had earlier complained that the facility’s online server was unresponsive; the outage was later confirmed to be a ransomware attack.
The Institute issued a statement: “Today, the National Informatics Centre’s server used at AIIMS, New Delhi, was down, affecting the digital hospital services in outpatient and inpatient departments. These include smart lab, report generation, billing, the appointment system, etc. Currently, these services are running on manual mode.”
“We are taking measures to restore the digital services and seeking support from the National Informatics Centre (NIC) and the Indian Computer Emergency Response Team (CERT-In). AIIMS and NIC are taking due precautions to prevent such attacks in the future,” the statement added. According to doctors, they could not generate barcodes to send samples and could not view patients’ imaging and reports.
EU Parliament Website Down After MEPs Pass a Crucial Russian Resolution
The European Parliament’s official website fell victim to a “sophisticated cyberattack” hours after MEPs passed a strongly worded resolution against Russia, terming it a “state sponsor of terrorism.” European Parliament President Roberta Metsola said, “The (European Parliament) is facing a sophisticated cyberattack, and a pro-Kremlin group claimed responsibility.”
“Our IT experts are resisting it and protecting our systems. It happened after we termed Russia as a State-sponsor of terrorism.” “My response is #SlavaUkraini,” Metsola added, invoking the slogan “Glory to Ukraine.” Jaume Duch, the European Parliament’s chief spokesperson, attributed the outage to “high external network traffic levels,” without naming a culprit.
“This traffic is similar to a DDOS (Distributed Denial of Service) event,” Duch added. In a DDoS attack, attackers flood a network with more traffic than it can handle, paralyzing it or disrupting legitimate traffic.