
Blackbaud breach affects more than 5.6 million patients, Hacker exfiltrates data from federal agency, and more

Major cybersecurity events on 25th September 2020 (Morning Post): Microsoft removes 18 Azure AD applications tied to the Chinese state-sponsored threat actor group APT40. Polish authorities shut down hacker super-group associated with bomb threats, ransomware attacks, SIM swapping.

Round Up of Major Breaches and Scams

CISA says a hacker breached a federal agency

A hacker gained access to a federal agency’s network and exfiltrated data from it, the Cybersecurity and Infrastructure Security Agency (CISA) said on Thursday. Neither the name of the hacked federal agency, nor the date of the intrusion, nor any details about the intruder, such as an industry codename or state affiliation, were disclosed. CISA officials revealed the hack after publishing an in-depth incident response (IR) report detailing the intruder’s every step.

Interim Report on Blackbaud Breach: 5.6 million patients and counting

Since our first interim report, has continued to compile reports that mention patient information that was disclosed to Blackbaud and that may have been accessed or exfiltrated by ransomware threat actors in the data breach discovered in May. Despite the criminals pinky-swearing that they wouldn’t misuse the data and would destroy it all in exchange for an unspecified amount of ransom, most HIPAA-covered entities seem to be viewing this all as a reportable breach.

Round Up of Major Malware and Ransomware Incidents

Microsoft removed 18 Azure AD apps used by Chinese state-sponsored hacker group

Microsoft said today that it removed 18 Azure Active Directory applications from its Azure portal that were created and abused by a Chinese state-sponsored hacker group. The 18 Azure AD apps were taken down from the Azure portal earlier this year in April, the Microsoft threat intelligence team said in a report published today. The report described the recent tactics used by a Chinese hacker group known as Gadolinium (aka APT40, or Leviathan).

Taurus Project stealer now spreading via malvertising campaign

The Taurus Project stealer gains an additional distribution vector via an exploit kit. For the past several months, Taurus Project—a relatively new stealer that appeared in the spring of 2020—has been distributed via malspam campaigns targeting users in the United States. The macro-laced documents spawn a PowerShell script that invokes certutil to run an AutoIt script ultimately responsible for downloading the Taurus binary.
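The Office document → PowerShell → certutil chain described above lends itself to a simple process-ancestry detection. The following is an added example, not code from the original digest or from the cited research; the event field names and the sample process-creation events are constructed for illustration.

```python
"""Added example: flag certutil launched by PowerShell under an Office
application, the chain described for the Taurus Project malspam campaign.
Event field names (pid, ppid, image, cmd) are assumptions, not a real schema."""

# Constructed sample process-creation events (not real telemetry).
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "winword.exe",    "cmd": "WINWORD.EXE invoice.doc"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "cmd": "powershell.exe -w hidden -enc AAAA"},
    {"pid": 400, "ppid": 300, "image": "certutil.exe",   "cmd": "certutil -decode blob.txt run.exe"},
    # Benign admin activity: PowerShell from the shell, certutil verifying a cert.
    {"pid": 500, "ppid": 100, "image": "powershell.exe", "cmd": "powershell.exe Get-Process"},
    {"pid": 600, "ppid": 500, "image": "certutil.exe",   "cmd": "certutil -verify cert.cer"},
]

# Office applications that commonly host the malicious macro.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}


def ancestry(events, pid):
    """Return image names from the given pid up to the root, child first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        entry = by_pid[pid]
        chain.append(entry["image"].lower())
        pid = entry["ppid"]
    return chain


def detect_office_powershell_certutil(events):
    """Return pids of certutil processes whose ancestry has powershell.exe
    above them and an Office application above that powershell."""
    hits = []
    for e in events:
        if e["image"].lower() != "certutil.exe":
            continue
        chain = ancestry(events, e["pid"])  # [certutil, parent, grandparent, ...]
        try:
            ps_idx = chain.index("powershell.exe", 1)  # skip certutil itself
        except ValueError:
            continue  # no PowerShell ancestor
        if any(img in OFFICE for img in chain[ps_idx + 1:]):
            hits.append(e["pid"])
    return hits


if __name__ == "__main__":
    print("suspicious certutil pids:", detect_office_powershell_certutil(EVENTS))
```

Only pid 400 is reported; the admin’s certutil under a PowerShell started from Explorer is left alone, since no Office process sits above it.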

Mount Locker ransomware joins the multi-million dollar ransom game

A new ransomware operation named Mount Locker is underway, stealing victims’ files before encrypting them and then demanding multi-million dollar ransoms. Starting around the end of July 2020, Mount Locker began breaching corporate networks and deploying its ransomware. From ransom notes shared with BleepingComputer by victims, the Mount Locker gang is demanding multi-million dollar ransom payments in some cases.

Polish police shut down hacker super-group involved in bomb threats, ransomware, SIM swapping

Polish authorities today shut down a hacker super-group that has had its fingers in a multitude of cybercrime operations, such as ransomware attacks, malware distribution, SIM swapping, banking fraud, running fake online stores, and even making bomb threats at the behest of paying customers. Four suspects were arrested this week, and four more are under investigation. According to reports in Polish media, the hackers have been under investigation since May 2019, when they sent a first bomb threat to a school in the town of Łęczyca.

US Army combines fake hacks, natural disaster simulation to test responses in Charleston, Savannah

Cybersecurity experts from the U.S. military and the private sector have spent recent weeks working with two American cities to test their ability to respond during a simulated cyberattack layered with several simulated physical disruptions. The virtual exercise, which has feigned malware and ransomware attacks against targets in Charleston, S.C., and Savannah, Ga., over the last several weeks, is aimed at testing participants’ ability to defend against digital threats while simultaneously facing an array of emergency scenarios in the physical realm.

Round Up of Major Vulnerabilities and Patches

Cisco Patch-Palooza Tackles 29 High-Severity Bugs

Cisco Systems released a barrage of patches on Thursday aimed at fixing bugs in the networking giant’s ubiquitous IOS operating system. The patches plug holes in a wide range of products and address denial-of-service, file overwrite and input validation attacks. The advisories were scheduled releases, published as part of Cisco’s IOS and IOS XE Software Security Advisory Bundled Publication. Twenty-nine of the Cisco bugs are rated high severity, with 13 rated medium severity.

Critical Instagram Flaw Could Let Attackers Spy on Victims

A now-patched remote code execution vulnerability could be exploited with a specially sized image file, researchers report. A critical Instagram flaw could have enabled attackers to perform remote code execution and access a victim’s camera, microphone, and other components, Check Point researchers found. CVE-2020-1895 has a CVSS score of 7.8 and exists in the Instagram app on both Android and iOS. It was discovered in early February and reported to Facebook, Instagram’s owner, which issued a patch.

The Windows XP source code was allegedly leaked online

The source code for Windows XP SP1 and other versions of the operating system was allegedly leaked online today. A person who claims to have spent the last two months compiling a collection of leaked Windows source code released a 43 GB torrent today of their entire collection. Included in this torrent is the alleged source code for Windows XP and Windows Server 2003, as well as an assortment of even older versions of the operating system.

Bluetooth Security Weaknesses Pile Up, While Patching Remains Problematic

Turns out, creating wireless ecosystems for a vast number of different architectures, configurations, and use cases is hard. The complex nature of Bluetooth continues to cause security problems for the low-powered, short-range wireless technology, with academic researchers releasing a parade of new attacks against the technology in the past few months.

Unpatched Domain Controllers Remain Vulnerable to Netlogon Vulnerability, CVE-2020-1472

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of active exploitation of CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access. Applying patches from Microsoft’s August 2020 Security Advisory for CVE-2020-1472 can prevent exploitation of this vulnerability.

Ring’s New Always Home Cam Is Actually an Indoor Spy Drone

Among an avalanche of new Echo and Ring devices announced by Amazon today, there’s one that stuck out as a clear step towards our dystopian future: the Ring Always Home Cam. While its name might suggest that the Always Home Cam is simply just an updated home security cam, it’s way more than that. Ring describes the $250 Always Home Cam as an “autonomous indoor camera that will automatically fly to predetermined areas of the home, giving you multiple viewpoints with just one camera,” but you can’t fool me, I know a drone when I see one.