Catch Up On This Week’s News and Events

By Adeola Adegunwa
Writer, Informationsecuritybuzz | May 19, 2023 11:35 pm PST

Toyota: Tragic Data Breach, 2 Million Vehicles Affected For Ten Years

Toyota disclosed a data breach that went undetected for ten years and affected over 2 million vehicles. The breach involved its cloud-based Connected service and is limited to vehicles in Japan that used the service between January 2012 and April 2023. Vehicle identification numbers (VINs), along with location and time data, may have been exposed, although no issues have been reported so far. Toyota states that there is no evidence the information was leaked or misused, and that the exposed data did not include information identifying vehicle owners. Read more.

5.8 Million People Affected By Data Breach At PharMerica

PharMerica has notified more than 5.8 million people of a data breach that occurred in March. Unauthorized access to PharMerica’s computer systems exposed personal information, including names, addresses, dates of birth, Social Security numbers, health insurance details, and medication lists. The breach notification letters state that the incident occurred between March 12 and March 13. The ransomware group known as Money Message is suspected to be responsible for the attack, as it allegedly obtained and began publishing PharMerica employees’ and patients’ personally identifiable information (PII) and protected health information (PHI) in April. Read more.

Lancefly APT Targets Agencies With Merdoor Backdoor

The advanced persistent threat (APT) group known as Lancefly has been targeting organizations in South and Southeast Asia using a custom-written backdoor named Merdoor. Symantec’s Threat Hunter Team reports that these attacks have been ongoing for several years, with Merdoor first observed in 2018; the current campaign was detected by Symantec researchers in the first half of 2023. The primary objective appears to be intelligence gathering, with targeted sectors including government, aviation, education, and telecommunications. The backdoor has been deployed selectively, on a limited number of networks and machines. Read more.

Damaging Cyberattack Halts Publication At The Philadelphia Inquirer

The Philadelphia Inquirer suffered a cyberattack that significantly disrupted its operations, its most significant disruption in 27 years. Because of the attack, journalists were unable to use the newsroom to cover the city’s mayoral race, and the newspaper’s headquarters will remain closed until at least Tuesday. Print operations are being restored after the attack prevented the Sunday edition from being printed, and the website also experienced technical difficulties. The attack was discovered when anomalous activity was detected on certain computer systems; the newspaper is working with a risk advisory firm to investigate and restore its systems. Read more.

RA Group Hacks Businesses Using Stolen Babuk Source-Code

RA Group, a newly identified ransomware threat actor, has targeted businesses in the United States and South Korea using the leaked Babuk source code. Various sectors, including manufacturing, wealth management, insurance, and pharmaceuticals, have been affected. Cisco Talos reports that RA Group conducts double extortion attacks, threatening to publish stolen data if victims fail to respond or pay the ransom. Evidence suggests that RA Group has expanded its operations rapidly: the gang launched a data leak site in April and has been adjusting it as more victim details were made public. This aligns with a recent report highlighting the value of ESXi hypervisors as targets for ransomware groups. Read more.

Chinese Hackers Mustang Panda Attack TP-Link Routers

A new round of targeted attacks against European foreign affairs entities, ongoing since January 2023, is suspected to be linked to the Chinese state-sponsored actor Mustang Panda. Check Point researchers discovered a custom firmware implant called ‘Horse Shell’ designed for TP-Link routers, which provides persistent access and enables lateral movement within compromised networks. The Israeli cybersecurity company is tracking the group, which is known by various names. How the compromised firmware images are deployed to routers, and how they are used in actual attacks, remains unknown, but initial access may have come through security vulnerabilities or weak passwords. Read more.

US Offers $10 Million For Russian Ransomware Operator’s Capture

Matveev faces charges of conspiracy to commit ransomware attacks, conspiracy to damage protected computers, and damaging protected computers with malicious code, with a potential prison sentence of nearly 20 years if convicted. The U.S. Department of State has offered a reward of up to $10 million for information leading to his identification, capture, and conviction. The Office of Foreign Assets Control (OFAC) has also sanctioned Matveev, stating that his activities will be tolerated by local authorities as long as he remains loyal to Russia. The ransomware-as-a-service (RaaS) model continues to thrive, offering affiliates high profit margins without the need to develop software themselves and allowing aspiring attackers to launch attacks while keeping most of the proceeds. Read more.

Warning Issued About BianLian Ransomware Attacks By CISA & FBI

The FBI, CISA, and ACSC have warned critical infrastructure organizations about BianLian ransomware attacks. Since June 2022, the gang has gained access to victim networks through RDP credentials obtained from initial access brokers or via phishing. Over the past year, BianLian has targeted US critical infrastructure organizations and Australian private companies, including a critical infrastructure organization, and since January 2023 it has shifted toward data exfiltration and extortion rather than encryption. The gang deploys remote management and access tools, creates administrator accounts, disables antivirus software, and modifies the Windows registry, and uses a range of tools for reconnaissance. Read more.

Lacroix Shuts Down Facilities After Ransomware Attack

Lacroix Group, a global designer and manufacturer of IIoT systems, suspended three production sites for a week following a ransomware attack. The attack hit its electronics system production plants in France, Germany, and Tunisia. The company shut down its computer systems, launched an investigation, and is assessing the scope of the attack and whether data was stolen. Lacroix aims to resume production at the affected sites on May 22 with limited activity and recovery plans in place, and expects a minimal impact on its overall performance, as the sites accounted for 19% of sales last year and were closed for a public holiday at the time of the attack. Read more.

18-Year-Old Hacker Charged Over Theft Of 60,000 DraftKings Accounts

Joseph Garrison, an 18-year-old from Wisconsin, has been identified as the individual responsible for a credential stuffing scheme that affected over 60,000 DraftKings customers and caused over $600,000 in losses. Garrison has been charged with six counts of fraud and could face up to 20 years in prison; his court date is scheduled for Thursday afternoon. He allegedly used credential stuffing to gain unauthorized access to victims’ accounts and withdraw funds. Law enforcement seized computers and cell phones from Garrison’s residence, which contained evidence of his involvement in fraud schemes and of a website he operated that sold hijacked accounts. The FBI says it is committed to combating cyberattacks and holding perpetrators accountable in the criminal justice system to protect the economy from such threats. Read more.

Lemon Group Exploits 8.9 Million Pre-Infected Android Phones

The Lemon Group, a cybercrime operation, has deployed the ‘Guerilla’ malware on approximately 9 million Android devices, including smartphones, watches, TVs, and TV boxes. The malware enables malicious activities such as intercepting one-time passwords, setting up reverse proxies, and hijacking WhatsApp sessions. Trend Micro, which uncovered the Lemon Group’s operations, identified similarities between its infrastructure and the Triada trojan operation from 2016. After being exposed in February 2022, the group rebranded as “Durian Cloud SMS” while keeping its tactics and infrastructure. The Lemon Group’s primary focus is on big data analysis, marketing, and advertising, with a particular interest in user and manufacturer shipment data. Exactly how the devices are infected with Guerilla remains unclear, but it could involve supply chain attacks, compromised software or firmware updates, or insiders in manufacturing or distribution. Read more.

Apple Deploys Emergency Patches To Thwart 3 Zero-Day Threats

Apple released patches on Thursday to address numerous vulnerabilities in its operating systems, including three zero-days in the WebKit browser engine. Two of the actively exploited vulnerabilities, reported by an anonymous researcher, could lead to data theft and malware execution if users processed specially crafted web content or visited malicious websites. Apple’s Rapid Security Response updates, iOS 16.4.1 (a), iPadOS 16.4.1 (a), and macOS 13.3.1 (a), addressed these issues. Additionally, iOS 16.5 and iPadOS 16.5 resolved CVE-2023-28204, CVE-2023-32373, and CVE-2023-32409, the last of which was reported by Google’s Threat Analysis Group and Amnesty International, suggesting exploitation by a commercial spyware vendor. Google has disclosed multiple iOS and Android exploits linked to spyware vendors. Read more.
