Round Up of Major Breaches and Scams
On June 8, 2020, Premier Health discovered unusual activity involving certain Premier Health email accounts. We immediately reset passwords to the accounts and commenced an investigation that included working with computer forensic specialists to understand the full scope of the incident. While our investigation is ongoing, on July 17, 2020, we confirmed certain accounts were subject to unauthorized access by someone not connected with Premier Health.
A number of threat actors continue to take advantage of the ongoing coronavirus pandemic through phishing scams and other campaigns distributing malware. In this blog, we look at three different phishing waves targeting applicants for Covid-19 relief loans. The phishing emails impersonate the US Small Business Administration (SBA), and are aimed at delivering malware, stealing user credentials or committing financial fraud. In each of these campaigns, criminals are spoofing the sender’s email so that it looks like the official SBA’s.
The Director of the U.S. National Counterintelligence and Security Center (NCSC), William Evanina, shared information on ongoing operations aimed at influencing the 2020 U.S. elections. Evanina linked the efforts to Russia, China, and Iran; he explained, for example, that Russian actors are supporting President Trump’s candidacy with a coordinated effort on both Russian television and other Russian media.
Belarus’ crackdown on protests following the re-election of an authoritarian leader also appears to include widespread internet blackouts and traffic throttling on major websites. Twitter confirmed Monday it was experiencing blocking and throttling in Belarus amid ongoing protests disputing the results of the presidential election. The company didn’t specifically attribute the disruptions to the government, though it said “Internet shutdowns are hugely harmful.”
The Better Business Bureau is warning of a new scam targeting a vulnerable population — those seeking work or study visas to the US during the coronavirus pandemic. The scammers, according to the BBB, promise access to a US visa in exchange for a fee. A visa, of course, never appears. The BBB says that the scam often begins with an official-looking email or website that originates with a scam operation.
Round Up of Major Malware and Ransomware Incidents
The first was a hack and extortion demand on Athens Orthopedic Clinic. We also learned about a second hack and extortion attempt by thedarkoverlord against Peachtree Orthopedic, who after initially (and falsely) claiming that I had my facts all wrong, finally disclosed their breach, only to have more than 500,000 patients’ data dumped by thedarkoverlord. Now another chain of Atlanta orthopedic centers has been hit by threat actors. This time, it is Piedmont Orthopedics / OrthoAtlanta that has been hit, and by Pysa (Mespinoza) threat actors.
Researchers from threat intelligence firm Cyble reported that Nefilim ransomware operators allegedly hacked The SPIE Group, an independent European leader in multi-technical services. The number of ransomware attacks continues to increase, and operators now also steal victims’ data and threaten to release the stolen information if the victims don’t pay the ransom. During darkweb and deepweb monitoring, the Cyble Research Team discovered a post from Nefilim ransomware operators in which they claimed to have breached The SPIE Group.
New variants of the Agent Tesla remote access Trojan now come with modules dedicated to stealing credentials from applications including popular web browsers, VPN software, as well as FTP and email clients. Agent Tesla is a commercially available .NET-based infostealer with both remote access Trojan (RAT) and keylogging capabilities, active since at least 2014. This malware is currently very popular with business email compromise (BEC) scammers.
Avaddon ransomware is the latest cybercrime operation to launch a data leak site that will be used to publish the stolen data of victims who do not pay a ransom demand. Since the Maze operators began publicly leaking files stolen in ransomware attacks, other operations soon followed suit and began creating data leak sites to publish stolen files. These sites are designed to scare victims into paying a ransom under threat that their files will be leaked to the public. If publicly released, this data could expose financial information, personal information of employees, and client data, which amounts to a data breach.
Round Up of Major Vulnerabilities and Patches
Find My Mobile is designed to help users find lost Samsung phones. It can also be used to remotely lock a device, block access to Samsung Pay, and completely wipe the phone if it “falls into the wrong hands.” According to Char49, there were a total of four vulnerabilities in Find My Mobile components and they could have been exploited by a malicious app installed on the targeted device. Pedro Umbelino told SecurityWeek that the malicious app would only require access to the device’s SD card in order to exploit the first vulnerability in the chain.
Have I Been Pwned allows users to verify whether their emails or passwords have been exposed as part of a data breach and has become the place to go for information when massive data breach dumps become public. Over the past couple of years, the site’s popularity has increased after an API that allows for the fast search of compromised account data from third-party products and services started being integrated into browser extensions, applications, mobile software, notification websites, and the like, including Firefox and LastPass.
After Google Home users started receiving mysterious alerts when their fire alarms went off or their plates smashed in their homes, Google acknowledged that it accidentally rolled out a feature causing the smart devices to record sounds without the voice prompt. Reports of the privacy faux pas began after one Reddit user reported earlier in August that Google sent him a phone notification saying that the smoke detector in his home had been triggered.
A security researcher has published details and proof-of-concept exploit code for a zero-day vulnerability in vBulletin, one of today’s most popular forum software packages. The zero-day is a bypass for a patch from a previous vBulletin zero-day — namely CVE-2019-16759, disclosed in September 2019. The previous zero-day allowed attackers to exploit a bug in the vBulletin template system to run malicious code and take over forums without needing to authenticate on the victim sites (a type of bug called a pre-auth RCE).
Since January 2020, a mysterious threat actor has been adding servers to the Tor network in order to perform SSL stripping attacks on users accessing cryptocurrency-related sites through the Tor Browser. The group has been so prodigious and persistent in their attacks, that by May 2020, they ran a quarter of all Tor exit relays — the servers through which user traffic leaves the Tor network and accesses the public internet.
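SSL stripping of the kind described above works only when a site lets a browser talk to it over plaintext HTTP at all: a malicious exit relay can downgrade the connection and serve http:// links, and the browser has no reason to object unless the site has told it, via HTTP Strict Transport Security (HSTS), to refuse plaintext. The checker below is an added example written for this roundup, not code from the article or from any of the parties it mentions. It parses an HSTS header, judges whether it is strong enough to block a downgrade, and flags any http:// links a fetched page makes to its own host. The hostnames and responses are constructed samples.

```python
"""Defender-side check for SSL-stripping exposure: does a site tell browsers
to refuse plaintext HTTP (HSTS), and does its own HTML point back at http://
URLs that a stripping proxy could serve unencrypted?"""
import re
from typing import Optional
from urllib.parse import urlparse

# One year in seconds: the minimum max-age the browser HSTS preload list requires.
ONE_YEAR = 31536000

# Constructed samples (not real sites): a well-configured wallet site and one
# that neither sets HSTS nor keeps its own links on https://.
SAMPLE_SITES = {
    "https://wallet.example/": (
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
        '<a href="https://wallet.example/login">Log in</a>',
    ),
    "https://exchange.example/": (
        {},  # no HSTS header at all
        '<a href="http://exchange.example/login">Log in</a>'
        '<img src="https://cdn.example/logo.png">',
    ),
}


def parse_hsts(header: Optional[str]) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value into its directives.
    Returns None when the header is absent or carries no max-age directive."""
    if not header:
        return None
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result if result["max_age"] is not None else None


def hsts_is_robust(header: Optional[str], min_age: int = ONE_YEAR) -> bool:
    """True when HSTS is present, lasts at least min_age seconds and covers subdomains."""
    parsed = parse_hsts(header)
    return bool(parsed and parsed["max_age"] >= min_age and parsed["include_subdomains"])


def find_downgraded_links(html: str, host: str) -> list:
    """Return http:// links in the page that point back at the site's own host.
    On a page fetched over HTTPS these are exactly what a stripping proxy hands
    the victim (or what the site itself misconfigures), so they are worth flagging."""
    links = re.findall(r"""(?:href|src|action)=["']([^"']+)["']""", html, flags=re.I)
    return [u for u in links
            if u.lower().startswith("http://") and urlparse(u).hostname == host]


def assess_site(url: str, headers: dict, html: str) -> list:
    """Summarise SSL-stripping exposure for one fetched page as a list of findings.
    `headers` is assumed to use the canonical header spelling shown in SAMPLE_SITES."""
    host = urlparse(url).hostname
    findings = []
    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("no HSTS header: first-visit or cleared-cache users can be kept on http://")
    elif not hsts_is_robust(hsts):
        findings.append("weak HSTS: max-age under one year or includeSubDomains missing")
    for link in find_downgraded_links(html, host):
        findings.append(f"plaintext link to own host: {link}")
    return findings


if __name__ == "__main__":
    for site_url, (site_headers, site_html) in SAMPLE_SITES.items():
        print(site_url, assess_site(site_url, site_headers, site_html) or ["no findings"])
```

HSTS only protects a browser that has already seen the header over a genuine HTTPS connection, which is why the check treats a long max-age with includeSubDomains as the baseline and why the preload directive matters for first visits.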
A vulnerability in Google’s Chromium-based browsers would allow attackers to bypass the Content Security Policy (CSP) on websites, in order to steal data and execute rogue code. The bug (CVE-2020-6519) is found in Chrome, Opera and Edge, on Windows, Mac and Android – potentially affecting billions of web users, according to PerimeterX cybersecurity researcher Gal Weizman. Chrome versions 73 (March 2019) through 83 are affected (84 was released in July and fixes the issue).
Twitter is experiencing a worldwide service disruption preventing users from receiving account verification codes via text messages or phone calls. This makes it impossible for Twitter users who have set up two-factor authentication (2FA) through these two methods to authenticate on the website. While Twitter is not delivering the SMS and phone-call verification codes, users can still log into their accounts with a backup code.