Round Up of Major Breaches and Scams
A threat actor is selling account databases containing an aggregate total of 34 million user records that they claim were stolen from seventeen companies during data breaches. On October 28th, a data breach broker created a new topic on a hacker forum to sell the stolen user databases for seventeen companies. In a conversation with BleepingComputer, the seller told us that they were not responsible for hacking into the seventeen companies and were acting as a broker for the databases.
According to ZDNet, “once beloved for its streamlined and clean user interface, the integrated RedMart experience was described by customers as cluttered, difficult to navigate, and missing several popular features such as the ability to update a scheduled order and access to the favorite items list.” In its email, the firm confirmed that the hackers took the information from the database of its online grocery platform, RedMart. RedMart had been inactive for more than eighteen months.
Cyber-researchers weigh in on what concerns them the most as the U.S. heads into the final weekend before the presidential election, and they also highlight the positives. What keeps researchers up at night leading up to Nov. 3 isn’t election-day winners and losers. Most cite possible attacks on local infrastructure, crippling ransomware incidents and disinformation campaigns. Many voters are also concerned this year: election-related cybersecurity attacks have been making headlines daily, keeping the U.S. electorate worried about possible late-stage cyberattacks.
After years of mostly targeting users in Japan, Korea, and other countries in the region, operators of the Trojan expanded their campaign to the US this week. A new malware campaign targeting smartphone users in the US is the latest sign that mobile devices are becoming the next big target for cyberattackers. Kaspersky this week said its threat-monitoring systems had detected malware known as the Wroba Trojan, which targets Android and iOS device owners in the US with a fake package-delivery notification.
The Federal Bureau of Investigation (FBI) shared indicators of compromise (IOCs) associated with the Iranian state-sponsored threat group behind last week’s Proud Boys voter intimidation emails that targeted Democratic voters. The threatening spoofed emails used the “Vote for Trump or Else” subject and warned voters registered as Democrats that they must vote for President Trump and change their party to Republican unless they want the Proud Boys far-right group to come after them.
Singapore’s largest online grocery store, Lazada RedMart, has suffered a data breach after 1.1 million user accounts were put up for sale on a hacker forum. The database dump containing sensitive customer data is priced at $1,500. Lazada is a billion-dollar arm of Alibaba with over 8,000 employees globally. Hackers selling the illicit data dumps told BleepingComputer they had obtained Lazada’s MongoDB-based data set with data from over 1.1 million RedMart accounts.
A malicious hacker who attacked Montreal’s transit agency with malware has demanded a ransom of US $2.8m to restore normal network operations. The Société de transport de Montréal (STM) was targeted with ransomware on October 19. The attack knocked the agency’s reservation system for adapted transit offline and caused an outage that affected around 1,000 of STM’s 1,600 servers, 624 of which are considered operationally sensitive.
Round Up of Major Malware and Ransomware Incidents
US Cyber Command has exposed eight new malware samples that were developed and deployed by Russian hackers in recent attacks. Six of the eight samples are for the ComRAT malware (used by the Turla hacking group), while the other two are samples of the Zebrocy malware (used by the APT28 hacking group). Both ComRAT and Zebrocy are malware families that have been used by Russian hacking groups for years, with ComRAT being deployed in attacks for more than a decade, having evolved from the old Agent.BTZ malware.
Hackers are stepping up ransomware attacks on health care systems in the United States and other countries, creating new risks for medical care as the global coronavirus pandemic accelerates. Alerts from US authorities and security researchers highlight a wave of cyberattacks on hospitals coping with rising virus infections. An unusual warning this week from the FBI, together with the Departments of Homeland Security and Health and Human Services, underscored the threat.
Security researchers say they uncovered more tools associated with a North Korea-linked cyber-espionage group that was the subject of a U.S. government alert last week. The previously undocumented malware and server infrastructure appear to be the work of Kimsuky, an advanced persistent threat (APT) group, according to the researchers with Boston-based Cybereason. U.S. military and civilian agencies issued a joint warning about the APT, saying the current threat was greatest for “commercial sector businesses.”
Andrea Alberizia reports that CMC in Ravenna has been compromised by NetWalker ransomware. A team of 20 engineers from Itway has been working around the clock for four days to get the co-op’s network fully restored. The company has no intention of paying the ransom demand. The amount of the demand was not reported, but it is expected to be in the millions, consistent with NetWalker’s other demands.
In a recent interview with Yelisey Boguslavskiy, “UNKN” of the threat actors known as REvil (Sodinokibi) indicated that they were planning a major attack on a gaming network. Today, the threat actors added GPI (Gaming Partners International) to their dedicated leak site. GPI describes itself as a leading provider of casino currency and table game equipment worldwide.
Fraudulent call centers have started using bots to filter out distrustful victims, so that only those who call back on their own initiative are handled by the scammers. According to experts, this approach makes it possible to reduce the cost of attacks on victims and increase conversion. “The robot says: ‘Your card in this bank is blocked, call us back at this number.’ When the victim calls back, people posing as the bank’s security officers answer,” explained Artem Gavrichenkov, technical director of Qrator Labs. He added that scammers make up to hundreds of calls a day using such robots.
The Maze ransomware operators are shutting down their operations more than a year after they appeared on the threat landscape in May 2019. The Maze cybercrime gang was considered one of the most prominent and active ransomware crews since it began operating, and was the first to introduce a double-extortion model in the cybercrime landscape at the end of 2019.
An APT group is starting fires with a new Android malware loader, which uses a legitimate Google messaging service to bypass detection. The malware, dubbed “Firestarter,” is used by an APT threat group called “DoNot.” DoNot uses Firebase Cloud Messaging (FCM), which is a cross-platform cloud solution for messages and notifications for Android, iOS and web applications. The service is provided by Firebase, a subsidiary of Google, and has been previously leveraged by cybercriminals.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint cybersecurity advisory on an Iranian advanced persistent threat (APT) actor targeting U.S. state websites, including elections websites, to obtain voter registration data. Joint Cybersecurity Advisory AA20-304A: Iranian APT Actor Identified Obtaining Voter Registration Data provides indicators of compromise and recommended mitigations for affected entities.
Round Up of Major Vulnerabilities and Patches
Google’s Project Zero researchers have disclosed a Windows zero-day vulnerability that allows attackers to escape Chrome sandboxes and run malware on Windows. Project Zero researchers Mateusz Jurczyk and Sergei Glazunov discovered the flaw in the cng!CfgAdtpFormatPropertyBlock function’s handling of IOCTL 0x390400. Reportedly, it is an integer overflow originating in one of the IOCTLs supported by the Windows Kernel Cryptography Driver (cng.sys). The flaw can lead to privilege escalation and allow attackers to escape sandboxes.
WordPress released version 5.5.2 of its ubiquitous web publishing software platform. The update patches a high-severity bug, which could allow a remote unauthenticated attacker to take over a targeted website via a narrowly tailored denial-of-service attack. In all, the WordPress Security and Maintenance Release tackled 10 security bugs and also brought a bevy of feature enhancements to the platform.