Review Of News and Events That Happened This Week – May 13, 2023

By Olivia William, May 13, 2023 (updated October 1, 2024). 9 min read.
Recap Of The Week: Exploring Key News And Events

A rundown of the past week's news and events covering ransomware, data breaches, incident response, and related topics.

Malware Attacks From SmokeLoader And RoarBAT, CERT-UA Warns

CERT-UA has reported the spread of SmokeLoader malware through invoice-themed phishing campaigns. The attackers hijack legitimate accounts and use them to send emails carrying a ZIP archive that contains a decoy document and a JavaScript file. SmokeLoader, which has been active since 2011, can download and install additional malware onto infected devices.

The report also details the financial gain obtained by UAC-0006 through password theft and unauthorized money transfers. Additionally, Ukrainian cybersecurity authorities have warned of destructive attacks on government institutions by UAC-0165 using RoarBAT, a new wiper that uses WinRAR to permanently erase files with specific extensions.
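The lure described above (a ZIP archive holding a decoy document next to a JavaScript file) is easy to catch at the mail gateway before a user ever opens it. The following Python example, added here and not part of the CERT-UA advisory or the original article, inspects a ZIP attachment in memory and flags script members, double extensions such as `invoice.pdf.js`, and encrypted members that cannot be scanned. The extension lists and the sample archives are constructed for the example and are assumptions, not values from the advisory.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# Extensions treated as executable script content when found inside an archive.
# This list is an assumption for the example, not taken from CERT-UA's advisory.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                     ".hta", ".ps1", ".cmd", ".bat", ".lnk"}
# Document extensions that attackers commonly place before a script extension.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


@dataclass
class ArchiveFinding:
    member: str   # path of the archive member that triggered the finding
    reason: str   # human-readable explanation for the quarantine decision


def _extensions(name: str) -> list[str]:
    """Return every lowercase extension of a member name.

    'Invoice.pdf.js' -> ['.pdf', '.js']; 'README' -> [].
    """
    base = name.rsplit("/", 1)[-1]          # drop any directory prefix
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def inspect_zip_attachment(data: bytes) -> list[ArchiveFinding]:
    """Scan the central directory of a ZIP attachment without extracting it."""
    findings: list[ArchiveFinding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # A corrupt or non-ZIP payload is itself suspicious for an "invoice" attachment.
        return [ArchiveFinding("<archive>", "not a valid ZIP file")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            if not exts:
                continue
            last = exts[-1]
            if last in SCRIPT_EXTENSIONS:
                findings.append(ArchiveFinding(
                    info.filename, f"script file {last} inside archive"))
            if len(exts) > 1 and exts[-2] in DOCUMENT_EXTENSIONS and last in SCRIPT_EXTENSIONS:
                findings.append(ArchiveFinding(
                    info.filename, "document extension masking a script (double extension)"))
            # Bit 0 of the general-purpose flag marks an encrypted member;
            # content scanners cannot look inside it, so treat it as unscannable.
            if info.flag_bits & 0x1:
                findings.append(ArchiveFinding(
                    info.filename, "encrypted member (content cannot be scanned)"))
    return findings


def should_quarantine(data: bytes) -> bool:
    """Gateway policy: any finding is enough to hold the message for review."""
    return bool(inspect_zip_attachment(data))


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the lure: a decoy document plus a JavaScript file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2023-05.pdf", b"%PDF-1.4 decoy content")
        zf.writestr("Invoice_2023-05.pdf.js", b"// constructed placeholder, not real malware\n")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed benign archive that the policy should let through."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.docx", b"PK decoy content")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip_attachment(build_sample_archive()):
        print(f"{finding.member}: {finding.reason}")
    print("quarantine clean archive?", should_quarantine(build_clean_archive()))
```

Only the ZIP central directory is read, so the check is cheap and never executes or extracts member content; pair it with a sender-reputation check, since the campaign sends from hijacked, otherwise legitimate accounts.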

NextGen Healthcare Hit By Data Breach, Over 1M Records Exposed

NextGen Healthcare is notifying approximately one million people whose confidential details were stolen in a data breach. The breach took place between March 29 and April 14, 2023. Sensitive information, including names, addresses, dates of birth, and Social Security numbers, was accessed.

NextGen Healthcare states that no sensitive patient health information was viewed and that the attackers most likely gained access to the database using customer credentials stolen in a separate incident. The company has reset passwords and notified law enforcement. It was also attacked by a ransomware gang earlier this year.

13 Additional Domains Linked To DDoS-for-Hire Firms Seized By FBI

The seizures are part of a global police operation codenamed PowerOFF. In December, federal authorities seized 48 domains belonging to top booter services, or DDoS-for-hire platforms. The Justice Department stated that ten of the 13 domains confiscated this week are reincarnations of services seized in December, with ten of the new domains nearly identical to their predecessors.

Cyberstress.org was seized this week after cyberstress.us was taken down in December. This week's action signals law enforcement's commitment to shutting down booter services. According to a federal court seizure warrant, the FBI used active accounts on the services to confirm that they could knock high-bandwidth government websites offline.

Intel BootGuard Secret Keys Compromised During An MSI Breach

Last month's ransomware attackers posted MSI's secret code signing keys on the dark web. "Confirmed, Intel OEM private key leaked, causing an impact on the entire ecosystem," tweeted Binarly founder and CEO Alex Matrosov over the weekend. 11th-generation Tiger Lake, 12th-generation Alder Lake, and 13th-generation Raptor Lake devices may not support Intel Boot Guard as a result.

Private Intel Boot Guard and firmware image signing keys for 116 MSI devices and 57 PCs were stolen. The leaked MSI Boot Guard keys may also affect Intel, Lenovo, and Supermicro. Hardware-based Intel Boot Guard protects systems from unauthorized UEFI firmware. The Money Message leak surfaced one month after the group's double-extortion ransomware attack on MSI.

LinkedIn Displaces 716 Positions, Pulls Out Its China App

California-based LinkedIn, the world's largest professional social media site, is laying off 716 workers and ending its mainland China employment app. CEO Ryan Roslansky informed employees on Monday. He stated, "We are making adjustments to our Global Business Organization and China strategy that will result in the loss of 716 jobs as we navigate LinkedIn through this fast-changing market."

Microsoft-owned LinkedIn is not the only company cutting staff this year. Meta fired 10,000 in March 2022, and Amazon cut 18,000 in January followed by 9,000 in February. "A challenging macroeconomic climate" and "fierce competition" led Roslansky to suspend the app. A spokeswoman said LinkedIn will continue to help Chinese companies hire and train foreign workers. LinkedIn was China's last major Western social network.

Scanning Plans On Europe’s CSAM May Violate International Law

According to a leaked legal opinion, the legislative plan proposed by the European Commission in May 2021 to combat child sexual abuse online, which would mandate platforms to scan for abuse and grooming, is incompatible with EU laws that ban widespread and indiscriminate monitoring of communications.

According to legal advice provided to the Council, the Child Sexual Abuse Regulation (commonly known as "Chat Control") violates core European rights such as privacy, data protection, freedom of expression, and respect for private and family life. The Commission maintained that the scheme was lawful because it would impose "targeted" and "proportionate" limitations solely on those services where sexual exploitation of children occurs online.

Severe Ruckus RCE Flaws Utilized By …….

A critical vulnerability allows remote attackers to take control of Linux-based Ruckus access points (APs). AndoryuBot, a new botnet, has exploited CVE-2023-25717 since February, according to Fortinet. "[AndoryuBot] contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOCKS5 proxies," said Fortinet senior antivirus analyst Cara Lin.

Fortinet's IPS signature trigger counts show the campaign started distributing the updated version after mid-April. AndoryuBot exploits the Ruckus flaw to download and run a script, which in turn uses curl to fetch the AndoryuBot payload. Fortinet uncovered a Linux-targeted variant built for smartphones, laptops, and a range of other CPU architectures. Fortinet also found a programming error that prevented the malware from launching on some systems. Lin stated that AndoryuBot spreads quickly and communicates with its C2 server over SOCKS.

Phishing Ring Busted, Spanish Police Have Arrested…..

Spanish police have detained members of a phishing gang that made over €700,000 ($767,000). Forty Spanish police officers arrested two hackers and 15 members of the "Trinitarios" gang for bank fraud, document forgery, identity theft, and money laundering. Proceeds from the phishing and bank fraud were used to buy drugs and weapons and to pay lawyers for and support imprisoned members. The hackers sent victims SMS phishing messages purporting to come from their bank, claiming a security issue required them to click a malicious link.

After clicking the link, the victim entered their banking logins on a fake website. The hackers used those logins to obtain loans, access accounts, and link cards to phone wallets. The card details were used to buy bitcoin, which was swapped for fiat currency and deposited in a "common box" for later use. The group coordinated a vast money mule network to "cash out" at ATMs or receive funds via bank transfer, and made bogus purchases through fictitious online cosmetics shops via point-of-sale (POS) terminals to monetize the stolen bank data.

FBI Disables ‘Sophisticated’ Russian Snake Cyberspying Tool

The US has disrupted Snake-infected networks worldwide, targeting Turla, a Russian state-sponsored group linked to the FSB. Turla designed Snake, described as the "most sophisticated cyber espionage tool," and used it against NATO, Europe, the CIS, and Middle East states that threaten Russia-backed regional governments.

For nearly 20 years, Turla used versions of the Snake malware to collect sensitive information from a large number of computer systems in at least 50 countries, including NATO member governments, journalists, and other targets of interest to the Russian Federation. Turla exfiltrated these documents through a covert network of unwitting Snake-compromised computers in the US and worldwide.

Hacker Pleads Guilty To Twitter’s 2020 Outage…..

A UK national extradited to the US this month pleaded guilty to the 2020 Twitter breach that affected celebrities and leaders such as "President Barack Obama" and "Microsoft's Bill Gates." Spain extradited the 23-year-old, known online as PlugwalkJoe. He hacked 130 Twitter accounts and a famous figure's Snapchat account, threatening to disclose sexual photos. O'Connor and unknown collaborators hijacked many celebrity and corporate accounts in 2020 using Twitter's administrative tools.

The stolen accounts fueled a $120,000 Bitcoin fraud. Court filings also state that PlugwalkJoe and his associates used SIM swapping to access the accounts of three bitcoin exchange executives between March and May 2019, stealing $784,000. Three Twitter scammers were charged: "mastermind" Graham Ivan Clark pleaded guilty in 2021, and Orlando's Nima Fazeli (Rolex) and Bognor Regis' Mason Sheppard (Chaewon) were charged federally.

North Korean Hackers Stole 830K Data From Seoul’s……

Authorities revealed Wednesday that North Korean hackers stole hundreds of thousands of patient records from a major Seoul hospital. The threat actor wreaked havoc on the intranet of Seoul National University Hospital (SNUH) between May and June 2021 using seven domestic and international servers, according to a KNPA press statement.

The announcement said the SNUH attack compromised 830,000 people, including 810,000 patients and 17,000 former and current staff. Two years later, the KNPA attributed the intrusion to North Korea based on North Korean IP addresses, penetration methods, and terminology. Police told South Korean media that the hackers' password combined a special character with a North Korean phrase meaning "Don't provoke me," which in South Korean usage would read "Don't hurt." Local media implicated Kimsuky, a major cyber syndicate, but the police press release did not.

Google Broadens Dark Web Monitoring To Track All Gmail Users

Google announced today that all US Gmail users will soon be able to use its dark web monitoring tool to check whether their email address is circulating on the dark web. At Google I/O, the firm said the feature would roll out over the coming weeks in certain other countries as well. Gmail users can search the dark web for their email address and follow Google-recommended data protection steps.

Enabling two-step verification remains the first defense against Google account takeover. Google Core Services SVP Jen Fitzpatrick said US Gmail users will be able to run dark web scans and receive safety advice in the coming weeks. Google already monitors underground cybercrime forums and regularly alerts Gmail users whose data shows up in breaches.

Tech Provider ABB Struck By Black Basta Ransomware Attacks

Black Basta ransomware has hit ABB, a Swiss electrification and automation company that builds industrial control and SCADA solutions for manufacturers and energy suppliers serving governments and businesses. The attack on ABB's Windows Active Directory slowed manufacturing and projects. To contain the infection, ABB suspended customer VPN connections.

Black Basta, a ransomware-as-a-service operation that emerged in April 2022 and has worked with QBot, crippled the company's operations. Zurich-based ABB reported $29.4 billion in 2022 revenue and has 105,000 employees.

9 Ransomware Families Targeting VMware ESXi Built From Babuk Source Code

Nine ransomware groups are targeting VMware ESXi machines with code derived from the leaked Babuk source. Researchers say the disclosed Babuk Locker code has spawned new malware variants over the past 18 months. Up to nine criminal groups have attacked Linux-based VMware ESXi hypervisors using the leaked Babuk source code. SentinelOne's research arm, SentinelLabs, says the malware targets Linux systems.

The ransomware targets on-premises and hybrid VMware ESXi hypervisors, and SentinelLabs says the Babuk-derived malware is aimed specifically at Linux hypervisors. For two years, organized ransomware gangs such as ALPHV, Black Basta, Conti, LockBit, and REvil have employed Linux lockers, according to the research.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
