The phishing threat landscape is constantly evolving, and threat actors are likely to keep up their activity in 2023. Here are this week’s headlines, covering the latest tactics threat actors are adopting to dupe individuals and organizations alike.
Hackers Hold Database of Romanian Hospital for Ransom
Saint Gheorghe Recovery Hospital, based in Botoşani (northeastern Romania), became the latest target of a ransomware attack, disrupting its medical activity. Cybercriminals demanded 3 Bitcoin to decrypt the servers’ data.
The attack resembles the one in the summer of 2019, when four Romanian hospitals were targeted. The attackers broke into the network through a remote connection used by one of the maintenance companies and encrypted the December database. Afterward, they left a message in English asking the hospital authorities for a 3 Bitcoin ransom.
The recent attack was complex, and computer scientists from DIICOT and BitDefender (a Romanian antivirus company) could not decrypt the files.
The manager of the Recovery Hospital, doctor Cătălin Dascălescu said, “We have notified DIICOT and the National Directorate of Cyber Security. An investigation is underway, and we are waiting for its findings. I cannot offer further details at the moment. We hope we will have medical activity at normal capacity from Monday.”
US Burger Chain Five Guys Notifies of a Data Breach
Five Guys, a US burger chain, recently disclosed a data breach targeting job applicants, and the company may face a lawsuit over the cybersecurity incident. Five Guys started informing customers on December 29 and notified state authorities about the incident.
It is common for businesses to disclose cybersecurity incidents near significant holidays to avoid media coverage. However, a law firm specializing in cybersecurity incidents, Turke & Strauss, noticed Five Guys’ data breach notification.
The law firm urged the impacted individuals to get in touch to discuss potential legal recourse against the fast food chain. It also revealed that the sensitive information includes customers’ names, driver’s license numbers, and Social Security numbers.
It’s unclear whether the data breach was part of a ransomware attack or whether an attacker stumbled upon unprotected cloud storage. Affected individuals were offered free identity protection and credit monitoring services.
SpyNote Strikes Again: Financial Institutions Become the Android Spyware’s Target
In October 2022, financial institutions became the latest targets of a new version of the Android malware SpyNote, which combines banking trojan and spyware characteristics. “The reason behind an increase in the number of SpyNote attacks is that the developer, previously selling it to other actors, made its source code public,” according to ThreatFabric. “It helped other cybercriminals develop and distribute the malware and target banking institutions.”
Some notable institutions impersonated by the malware include Kotak Mahindra Bank, Deutsche Bank, HSBC UK, and Nubank. SpyNote, also known as SpyMax, is feature-rich spyware whose capabilities include installing malicious apps; gathering calls, videos, SMS messages, and audio recordings; tracking GPS location; and hindering attempts to uninstall the app. It also masquerades as an official Google Play Store service and as applications in the productivity, wallpaper, and gaming categories. Following is a list of a few SpyNote artifacts, mainly delivered through smishing attacks:
- Bank of America Confirmation (yps.eton.application)
- BurlaNubank (com.appser.verapp)
- Conversations_ (com.appser.verapp)
- Current activity (com.willme.topactivity)
- Deutsche Bank Mobile (com.reporting.efficiency)
- HSBC UK Mobile Banking (com.employ.mb)
- Kotak Bank (splash.app.main)
- Virtual SimCard (cobi0jbpm.apvy8vjjvpser.verapchvvhbjbjq)
Massive Leaked Archive Containing 235 Million Twitter Users’ Information Available Online
A data leak containing the email addresses of 235 million Twitter users was recently published on a popular hacker forum. Experts analyzed it immediately and confirmed the authenticity of the entries in the massive leaked archive. At the end of July, a cybercriminal had leaked the data of 5.4 million Twitter users, obtained by exploiting a now-fixed Twitter vulnerability.
In January, a report described the discovery of a vulnerability that attackers could exploit to find the Twitter account associated with a given phone number or email address.
Multiple threat actors exploited the vulnerability to scrape Twitter user profiles, combining private data (email addresses and phone numbers) with public data, and then offered the scraped data on various online cybercrime marketplaces. In August, Twitter said it had patched the zero-day flaw, which researcher zhirinovskiy had reported through the bug bounty platform HackerOne and received a $5,040 bounty for.
Ransomware Attack Shuts Down Massachusetts School District
Superintendent John Robidoux said that Swansea Public Schools recently canceled classes after a ransomware attack shut down the district’s network. According to the superintendent, no student or staff personally identifiable information was compromised in the attack.
Robidoux issued a news release saying that Hub Technology, the district’s cybersecurity company, shut down the network and isolated the cyberattack within minutes.
Robidoux said, “After a preliminary investigation, we determined that no personal staff or student information got compromised, and no cloud-based information or files got affected by the attack.”
“We believe this attack occurred because of an encrypted download run by someone within the district, but it is not malicious,” Robidoux added. “I am thankful our district enforces robust security measures around our network that prevented a bigger issue from occurring.”
Critical Flaws Discovered in Ferrari, Porsche, Mercedes, BMW, and Other Carmakers
BMW, Mercedes, Toyota, Ford, and other well-known carmakers use vulnerable APIs that could let attackers perform malicious actions. Cybersecurity researcher Sam Curry discovered numerous vulnerabilities in vehicles manufactured by various carmakers and in the services offered by vehicle solutions providers.
Cybercriminals could exploit the vulnerabilities to perform malicious actions such as unlocking and tracking cars. The flaws discovered by the researchers affected popular brands, including Rolls-Royce, Ferrari, Ford, Porsche, Kia, Honda, Infiniti, Mercedes-Benz, Genesis, BMW, Nissan, Acura, Toyota, Jaguar, and Land Rover. The research team also discovered vulnerabilities in the services offered by Reviver, SiriusXM, and Spireon.
Through improperly configured SSO, the researchers gained access to several of Mercedes’ mission-critical internal applications. A cybercriminal could have exploited the same flaws for remote code execution on multiple systems. The flaws also allowed access to the contents of the systems’ memory, leading to the exposure of Mercedes’ customer and employee PII.
For BMW and Rolls-Royce, the researchers found SSO vulnerabilities that let them access any employee application. By entering VINs, they gained access to internal dealer portals and retrieved sales documents.
Toyota Discloses a Data Breach That Exposed Customers’ Personal Information
Toyota Motor Corporation recently revealed a data breach that compromised its customers’ personal information through an access key that had been publicly available on GitHub for close to five years. Toyota India reported the data breach at Toyota Kirloskar Motor (a joint venture between Toyota and the Indian conglomerate Kirloskar Group) to the appropriate Indian authorities.
Toyota Accidentally Published a Portion of the T-Connect Site Source Code on GitHub
The carmaker recently discovered that it had accidentally published the source code for its T-Connect website on GitHub. The report said that the incident might have compromised around 296,000 customer records.
Toyota’s T-Connect app gives car owners access to their vehicle’s infotainment system and lets them monitor who has access to it.
The published source code also contained the access key for the data server holding client data such as email addresses and management numbers. The motor giant said that a development subcontractor exposed the source code.
A notice by the company says, “In December 2017, a ‘T-Connect’ website development subcontractor unintentionally uploaded a portion of the source code on GitHub, exposing it to the public, violating the handling rules.” According to Toyota, “The website development subcontractor’s inappropriate handling of the source code caused the incident. We will proceed accordingly.”
Singapore-Based Crypto Firm Targeted by a Hack, Users Lose More Than $10 Million
A cybercriminal tampered with the files of a Singapore-based crypto wallet provider so that victims downloaded compromised wallets onto their phones, stealing over US$8 million (S$10 million). Many users reported that funds were stolen from their BitKeep wallets, although it is unclear how many Singaporean users were affected.
According to PeckShield, a blockchain security and data analytics firm, the cryptocurrencies stolen included Binance’s BNB Coin, Ether, and stablecoins Tether and Dai.
A BitKeep spokesman, responding to queries from The Straits Times, said the company had adopted phishing protection measures to safeguard its users from further losses, including freezing some of the stolen funds and tracing the addresses used in the hack. He added that BitKeep lodged a police report at the end of December and that the police set up a task force in collaboration with cybersecurity experts.