Data breaches take many forms, but almost all of them trace back to a vulnerability or a security-posture gap that attackers exploit to reach an organization’s systems. Here are this week’s phishing and breach-related news headlines, so you can close those gaps before they are used against you.


A New Clicker Android Malware Infects over 20 Million Devices

A newly discovered Android malware is believed to have infected more than 20 million users. Attackers slipped the malware, dubbed Clicker, into the Google Play Store inside 16 different malicious applications.

Researchers at McAfee said the malware masqueraded as legitimate utilities aimed at Android users, among them QR readers, flashlight (torch), camera, task manager and unit converter apps.

At first glance the apps look like genuine Android software, but they carry ad-fraud functionality driven by Firebase Cloud Messaging (FCM) and remote configuration. Once a victim installs and opens one of the apps, it sends an HTTP request to fetch its remote configuration, the Clicker component is downloaded and activated, and FCM push messages let the operators steer its behaviour from then on.

Researchers note that malware of this kind disrupts the mobile advertising ecosystem: it generates revenue for the operators by loading and clicking fraudulent ads on victims’ devices in the background, at the cost of the victims’ battery and data.

Installing security software on mobile devices helps to catch such threats, and users should avoid cracked apps and unofficial app sources. Note that in this case the apps were in the official store, so that advice alone would not have prevented infection: check an app’s developer, permissions and reviews before installing, and remove any app named in the McAfee report.


Wholesale Giant METRO Suffers IT Outage After Cyberattack

International wholesale giant METRO has experienced store payment problems and infrastructure outages following a cyberattack. METRO’s IT team is investigating the incident with external experts to establish the root cause of the ongoing outage.

The outages have affected stores in Austria, France and Germany since October 17, according to a report by Günter Born. Stores remain open, but METRO says online orders are delayed and it has set up offline payment systems.


“The company notified the authorities regarding the incident and is cooperating with investigations linked to the attack.”

METRO is a global wholesaler serving HoReCa (hotel, restaurant and catering) customers, employing over 95,000 people and operating in more than 30 countries. As of September 30, 2022, 661 wholesale stores were operating under the METRO and MAKRO brands.

“We will continue intensive monitoring and analysis and provide updates as required. METRO apologizes for any inconvenience the security incident caused for any of its business partners and customers,” the wholesaler added.


EnergyAustralia Hit by Cyber-Attack, Details of Hundreds of Customers Exposed

According to a report in The Guardian, EnergyAustralia is the latest cyberattack victim, with hundreds of customers’ details exposed. In its latest statement the electricity giant said 323 small-business and residential customers were affected by unauthorized access to My Account, its online platform.

Names, email addresses, home addresses, phone numbers, electricity and gas bills, and the first and last three digits of the credit cards on those accounts may have been compromised.


EnergyAustralia maintained, however, that there was “no evidence” that customer details had been transferred outside the platform, and said it does not store sensitive documents such as passports or driver’s licenses there. “The information remains secure, and no other EnergyAustralia systems were affected.” The company asked customers to set 12-character passwords with a mix of upper-case and lower-case letters, numbers and special characters. Of those two changes the added length is the one that matters; composition rules do little against phishing or credential stuffing, and multi-factor authentication on the account would do more than either.

Previously, account passwords needed only eight characters. The incident occurred on September 30; EnergyAustralia contacted affected users on October 2 and briefed government agencies and regulators.


NY Watchdogs Make Insurance Firm Cough Up $4.5m For Healthcare Security Breach

New York regulators continue to come down on organizations with weak computer security. The state’s Department of Financial Services (DFS) extracted $4.5 million from vision insurer EyeMed, which it accused of leaving many people’s sensitive health information where cybercriminals could reach it. EyeMed also agreed to conduct a thorough risk assessment of its IT systems and improve its network defenses, having failed to comply with the DFS cybersecurity regulation (23 NYCRR Part 500).

The breach dates to 2020 and, according to EyeMed, began when an employee fell for a phishing email. In July 2020 EyeMed discovered that an attacker had gained access to a shared mailbox that employees used to process enrollments, potentially exposing customers’ personal information. Shared mailboxes of this kind are a recurring weak point: a single phished credential exposes every message and attachment in them, so they need multi-factor authentication and a retention limit as much as any individual’s account does.

After discovering the breach, the insurer “immediately” blocked access to the mailbox and hired outside experts. Investigators later found that the intrusion ran from June 24 to July 1, 2020, during which the attackers read and exfiltrated emails and attachments containing customers’ non-public health information, including data on minors, going back six years before the breach.


US Health System Data Breach Hits 3 Million Patients

Advocate Aurora Health (AAH), a 26-hospital chain in Illinois and Wisconsin, has notified patients of a data breach exposing the personal data of 3 million of them. The exposure happened because AAH placed the Meta Pixel tracker on pages of its websites where patients log in and enter sensitive medical and personal information. Meta Pixel is a JavaScript snippet that reports how visitors interact with a site back to Meta, so that operators can measure their pages and target advertising; on an authenticated portal page it reports the same thing about patients.

On such pages the tracker sends the sensitive information to Meta (Facebook), which may pass it on to marketers who then target patients with advertisements matching their conditions.


The issue is widespread in the US: many hospitals use Meta Pixel, exposing millions of people’s details to third parties and prompting lawsuits against the organizations responsible.

In August 2022 another US provider, Novant Health, said that Meta Pixel in its ‘MyChart’ portal had exposed 1.3 million patient accounts. AAH also used the ‘MyChart’ patient portal as well as another platform called ‘LiveWell,’ and both carried active Meta Pixel trackers. AAH’s notification says the following details may have been exposed:

    • IP address
    • Date, time, and location of scheduled appointments
    • Proximity to an AAH location
    • Type of appointment or procedure
    • Medical provider information
    • Communications between MyChart users, which may include first and last names and medical record numbers
    • Insurance information
    • Proxy account information
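As an added example (not code from AAH, Novant, Epic or Meta): the list above is exactly what a page URL and a logged-in page’s scripts give away, so a small audit can catch the problem before a notification letter has to. The Python below scans a constructed patient-portal scheduling page for third-party tracker scripts, lists the fbq() calls it finds, and shows that the pixel’s PageView beacon carries the full document location, query string included, to the third party. The HTML, the URL, the pixel ID, the tracker host table and the beacon format are this example’s own assumptions; the real pixel sends more fields than shown here.

```python
"""Audit a portal page for third-party trackers and show what a pixel beacon carries.

Added example, not code from AAH, Novant, Epic or Meta. The HTML and URL
below are constructed to resemble a patient-portal scheduling page; the
tracker host table and the beacon format are simplified assumptions
(the real Meta Pixel sends more fields than shown here).
"""
import re
from urllib.parse import urlencode, urlparse, parse_qs

# Script hosts whose code reports the embedding page back to a third party.
# Constructed, deliberately short illustration of an organisation's deny list.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager",
}

# Constructed sample page URL and HTML for a logged-in appointment page.
SAMPLE_PAGE_URL = (
    "https://portal.example.org/MyChart/Appointments/Schedule"
    "?provider=oncology&visit=chemo-infusion&mrn=12345"
)
SAMPLE_HTML = """
<html><head>
<script>
  // Standard pixel bootstrap: loads fbevents.js, registers the pixel, fires PageView.
  !function(f,b,e,v,n,t,s){/* loader omitted */}(window,document,'script',
    'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
<script src="https://portal.example.org/static/app.js"></script>
</head><body>
<form action="/MyChart/Appointments/Confirm" method="post">
  <button type="submit">Schedule chemotherapy infusion</button>
</form>
</body></html>
"""

# Any script URL in the page, whether in a src attribute or an inline loader string.
SCRIPT_URL = re.compile(r"""https?://([a-z0-9.-]+)/[^"'\s]*\.js""", re.I)
# fbq('<command>', '<argument>') calls, e.g. ('init', '<pixel id>') or ('track', 'PageView').
FBQ_CALL = re.compile(r"""fbq\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]+)['"]""")


def find_trackers(html):
    """Return [(host, vendor)] for every known tracker script the page references."""
    seen = []
    for match in SCRIPT_URL.finditer(html):
        host = match.group(1).lower()
        vendor = TRACKER_HOSTS.get(host)
        if vendor and (host, vendor) not in seen:
            seen.append((host, vendor))
    return seen


def pixel_events(html):
    """Return [(command, argument)] for each fbq() call in the page."""
    return FBQ_CALL.findall(html)


def pixel_beacon_url(pixel_id, page_url, event="PageView"):
    """Approximate the /tr beacon the pixel emits: the full document location,
    query string included, travels to the third party in the dl parameter."""
    return "https://www.facebook.com/tr?" + urlencode(
        {"id": pixel_id, "ev": event, "dl": page_url}
    )


def leaked_query_keys(page_url):
    """Query-string keys that would reach the tracker through the beacon's dl field."""
    return sorted(parse_qs(urlparse(page_url).query))


def audit_page(html, page_url, authenticated):
    """Policy: no third-party tracker may load on an authenticated route.
    Returns a list of human-readable findings (empty list means compliant)."""
    findings = []
    if not authenticated:
        return findings
    for host, vendor in find_trackers(html):
        findings.append(f"{vendor} script from {host} loaded on authenticated page")
    pixel_ids = [arg for cmd, arg in pixel_events(html) if cmd == "init"]
    keys = leaked_query_keys(page_url)
    for pixel_id in pixel_ids:
        findings.append(f"pixel {pixel_id} PageView beacon would carry URL parameters {keys}")
    return findings


if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, SAMPLE_PAGE_URL, authenticated=True):
        print("FINDING:", finding)
    print(pixel_beacon_url("000000000000000", SAMPLE_PAGE_URL))
```

Run against the sample page this reports the Meta Pixel script and shows that provider, visit type and medical record number would leave in the very first PageView beacon, before any button is clicked. The fix is structural rather than a filter: serve tracking snippets only from templates used on unauthenticated marketing pages, keep identifiers and clinical details out of URLs, and back it with a Content-Security-Policy whose script-src and connect-src do not include the tracker’s hosts, so a stray tag cannot load even if someone pastes it back in.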


Verizon Prepaid Accounts Hijacked

Verizon recently notified prepaid customers that their accounts may have been compromised and their phone numbers hijacked through SIM swaps. “Between October 6 and 10, a threat actor accessed the last four digits of the credit card you used to make automatic payments on your account,” Verizon’s letter to prepaid customers said.

“The cybercriminals then used the last four digits of the credit card to gain access to the Verizon account and likely processed an unauthorized SIM card change on the prepaid line to which we are sending this notice,” the alert continued.

According to The Register, it is unclear how the threat actors obtained those four digits. Verizon says that where a SIM change took place it has reversed it, and that it has blocked further unauthorized access to the affected accounts. The underlying weakness is worth noting: the last four digits of a payment card appear on receipts and in countless apps, so they are not a secret and should not serve as proof of account ownership. Customers should set a separate account PIN and enable any SIM-change or port-out lock their carrier offers.


iDealwine Suffers a Data Breach

iDealwine, a France-based online wine merchant with offices in London and Hong Kong, said it has suffered a data breach and has begun notifying its customers. The international fine-wine retailer specializes in fixed-price sales and online auctions of fine wine and publishes news and trend coverage of the wine industry.

The company engaged experts to handle the incident and notified the data-protection regulators in the UK and France. It told customers that their names, addresses, email addresses and telephone numbers might have been compromised, but that credit card and bank details were not, because it does not store them on its own servers.

“Do not open emails or attachments if you are unsure of their source, and do not click on unknown links. You can contact us if in any doubt, and our team is fully prepared to assist you,” the company said in an advisory.


Threat Actors Compromised Hong Kong Government Agency’s Network for a Year

Researchers at Symantec recently uncovered attacks, attributed to the China-linked espionage group APT41 (also known as Winnti), that breached Hong Kong government agencies and went undetected for a year.

The group used custom malware called Spyder Loader, which researchers had previously attributed to it. In May 2022, Cybereason researchers documented ‘Operation CuckooBees’, under way since 2019 and aimed at high-tech manufacturing firms in Western Europe, North America and East Asia. Symantec’s report adds that there are signs the Hong Kong activity is part of the same operation, with APT41’s targets this time being government agencies in the special administrative region.


Spyder Loader

The Spyder Loader backdoor used in the Hong Kong attacks is a newer version of the one seen in Operation CuckooBees. Symantec’s report indicates that the attackers continue to develop the malware, deploying several variants with the same functionality on their targets.

Some of the similarities Symantec found with the version analyzed by Cybereason include the following:

  • Use of the CryptoPP C++ library
  • Abuse of rundll32.exe to execute the malware loader
  • Compiled as a 64-bit DLL that is a modified copy of the legitimate SQLite3 library, sqlite3.dll
  • Loading of AES-encrypted blobs that form the next-stage payload, “wlbsctrl.dll”
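Two of the traits above, execution through rundll32.exe and the known library names, are directly checkable in process-creation telemetry. As an added detection example (not Symantec’s or Cybereason’s material), the Python below runs a small rule set over constructed Sysmon-style Event ID 1 records: it flags rundll32 loading a DLL from outside a set of trusted directories and separately flags the library names named in the report. The trusted-directory list and the sample command lines are this example’s own assumptions.

```python
"""Flag rundll32.exe launches that match the Spyder Loader tradecraft described above.

Added example; not Symantec's or Cybereason's detection content. The
process-creation records below are constructed in the shape of Sysmon
Event ID 1 fields (not real telemetry), and the path and name heuristics
are this example's own assumptions.
"""
import re

# Constructed process-creation records (Sysmon Event ID 1 style).
SAMPLE_EVENTS = [
    # Benign: a Control Panel applet launched from System32.
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": 'rundll32.exe "C:\\Windows\\System32\\shell32.dll",Control_RunDLL'},
    # Suspicious: a DLL named like the SQLite library, run from ProgramData.
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\ProgramData\\Cache\\sqlite3.dll,sqlite3_extension_init"},
    # Suspicious: the next-stage name from the report, run by ordinal from a public directory.
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\Public\\wlbsctrl.dll,#1"},
    # Not rundll32 at all; ignored by the detector.
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "CommandLine": '"C:\\Program Files\\Vendor\\app.exe" --service'},
]

# Directories from which rundll32 is expected to load DLLs in normal use (assumption).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Library names from the report: a hunting lead wherever they appear, not proof on their own.
WATCHED_NAMES = {"sqlite3.dll", "wlbsctrl.dll"}

# rundll32 syntax is  rundll32.exe <dllpath>,<export|#ordinal> ; the path may be quoted.
DLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?\s*,', re.I)


def dll_from_commandline(cmdline):
    """Return the DLL path rundll32 was told to load, or None if none is recognisable."""
    match = DLL_ARG.search(cmdline)
    return match.group(1) if match else None


def classify(event):
    """Return the reasons a rundll32 event looks like loader abuse (empty list = benign)."""
    if not event["Image"].lower().endswith("\\rundll32.exe"):
        return []
    dll = dll_from_commandline(event["CommandLine"])
    if dll is None:
        return ["rundll32 launched without a recognisable DLL argument"]
    path = dll.lower()
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if not path.startswith(TRUSTED_DIRS):
        reasons.append(f"DLL loaded from outside trusted directories: {dll}")
    if name in WATCHED_NAMES:
        reasons.append(f"library name seen in Spyder Loader reporting: {name}")
    return reasons


def scan(events):
    """Return [(command_line, reasons)] for every event that triggers at least one rule."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["CommandLine"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_EVENTS):
        print(cmdline)
        for reason in reasons:
            print("   -", reason)
```

The name rule is noisy on its own: sqlite3.dll ships with many legitimate applications, which is precisely why the attackers chose to masquerade as it, so treat a hit as a lead and pivot on file hash, code signature and parent process rather than alerting on the name alone. wlbsctrl.dll is also a long-known DLL search-order hijack target loaded by the Windows IKEEXT service, so a copy of it outside System32 deserves scrutiny whichever loader dropped it.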