Round Up of Major Breaches and Scams
Today multiple reports have emerged from Home Depot customers in Canada stating that the company had sent them hundreds of emails containing order information of strangers. Multiple users received upwards of 600 “order ready for pickup” reminder emails, each pertaining to a different order. What alarmed hundreds of users was that the orders were not associated with their Home Depot accounts. BleepingComputer has obtained copies of these emails, which divulge information such as the customer’s name, order number, ordered items, and partial payment card information.
A Swedish security firm that suffered a cyber-attack is warning customers that their data has been leaked online. Malicious hackers compromised the servers of Gunnebo in August 2020 in a highly organized attack that was reported to the Swedish Security Service, Säpo. Gunnebo’s CEO, Stefan Syrén, said hackers uploaded 38,000 files to a public server after management refused to give in to demands for a ransom.
Phone scammers are using spoofed caller ID numbers to convince their victims they are employees of your bank. Don’t fall for their tricks. “You can check the number in your display online sir. You’ll see I’m really calling from your bank.” That is, of course, if you are unaware that phone numbers can be spoofed. Then again, they wouldn’t be successful scammers if they weren’t convincing. If you suggest calling them back, they’ll tell you it’s impossible to call their extension directly and you would have to go through the operator in the head office.
Aetna Life Insurance Company and the affiliated covered entity (Aetna) has agreed to pay $1,000,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. Aetna is an American managed health care company that sells traditional and consumer-directed health insurance and related services.
Round Up of Major Malware and Ransomware Incidents
An Eastern European cybercriminal group has conducted ransomware attacks at multiple U.S. hospitals in recent days in some of the most disruptive cyber-activity in the sector during the coronavirus pandemic, cybersecurity company FireEye said Wednesday. The group, which FireEye calls UNC1878, has been deploying Ryuk ransomware and taking multiple hospital IT networks offline, said Charles Carmakal, senior vice president of Mandiant, FireEye’s incident response arm.
The joint alert, from CISA, the FBI, and others, describes activities from the North Korean advanced persistent threat group. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the US Cyber Command Cyber National Mission Force (CNMF) have issued a joint alert regarding continuing threats from Kimsuky, a North Korean advanced persistent threat group targeting organizations worldwide.
A few days after the TrickBot takedown, Netscout researchers spotted a new TrickBot Linux variant that was being used by its operators. A few days ago, Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security division Symantec joined forces and announced a coordinated effort to take down the command and control infrastructure of the infamous TrickBot botnet.
Emotet, one of cybersecurity’s most-feared malware threats, got a superficial facelift this week, hiding itself within a fake Microsoft Office request that asks users to update Microsoft Word so that they can take advantage of new features.
Administrators woke up to a scary surprise today after false positives in Microsoft Defender ATP showed network devices infected with Cobalt Strike. Microsoft Defender ATP is Microsoft’s enterprise antivirus and threat monitoring solution that admins deploy on devices throughout an organization. These endpoints then monitor devices for malicious threats and behavior and send them back to Microsoft’s cloud-based Microsoft Defender Security Center, where the alerts are aggregated and viewed from a central location.
It seems I missed an announcement that another North Carolina community college got hit with ransomware (or is this the mysterious listing I saw briefly on a dedicated leak site but it was gone before I could note the name and details?). In any event, on August 24, Piedmont Community College (PCC) in North Carolina reported that they had discovered what they described as a “cyber-incident.” The college took critical systems such as VPN access and other services offline by the end of that day.
The following is a Google translation of the Hanover Chamber of Crafts’ statement: Hanover, October 26, 2020. Despite high IT security according to international standards, the networks of the Hanover Chamber of Crafts at all four locations as well as the wholly owned subsidiary Projekt- und Servicegesellschaft were hit by an extortionate Trojan from the group “Sodinokibi” on Wednesday night of last week.
Turla has outfitted a trio of backdoors with new C2 tricks and increased interop, as seen in an attack on a European government. The advanced persistent threat (APT) known as Turla is targeting government organizations using custom malware, including an updated trio of implants that give the group persistence through overlapping backdoor access. Russia-tied Turla (a.k.a. Ouroboros, Snake, Venomous Bear or Waterbug) is a cyber-espionage group that’s been around for more than a decade.
Round Up of Major Vulnerabilities and Patches
Fraudulent Facebook messages allege copyright infringement and threaten to take down pages unless users enter logins, passwords and 2FA codes. Scammers have hatched a new way to attempt to bypass two-factor authentication (2FA) protections on Facebook. Cybercriminals are sending bogus copyright-violation notices with the threat of taking pages down unless the user attempts to appeal. The first step in the “appeal”? The victim is asked to submit a username, password and 2FA code from their mobile device, according to Sophos researcher Paul Ducklin, allowing fraudsters to bypass 2FA.
While Microsoft patched the bug known as CVE-2020-0796 back in March, more than 100,000 Windows systems are still vulnerable. More than 100,000 Windows systems have not yet been updated to protect against a previously patched, critical and wormable flaw in Windows called SMBGhost. Microsoft patched the remote code-execution (RCE) flaw, tracked as CVE-2020-0796, back in March; it affects Windows 10 and Windows Server 2019, and ranks 10 out of 10 on the CVSS scale.