
$65 Million Settlement for Health System After Nude Photos Leak

 


Attorneys for victims of a ransomware attack in February 2023 have reached a $65 million settlement after hackers posted nude photos of cancer patients on the internet. The plaintiffs' law firm, Saltz Mongeluzzi Bendesky, says the settlement is the largest of its kind in terms of per-patient compensation.

Earlier this month, Lehigh Valley Health Network (LVHN), a major Pennsylvania health system and one of the nation's largest primary care groups, agreed to the $65 million class-action settlement after data belonging to nearly 135,000 patients and employees was compromised. An unidentified woman in her 50s, identified in court papers only as Jane Doe, was the lead plaintiff in the class action, which accused LVHN of failing to safeguard confidential patient information, including nude photos of hundreds of cancer patients. The breach was also investigated by the FBI.

The settlement was announced by the law firm on Sept. 12. The episode sheds light on the growing frequency with which cybercriminals infiltrate American healthcare providers, how they exploit the sensitive personal information they steal, and the consequences for individuals and institutions.

A review of breach cases compiled by the Department of Health and Human Services going back to 2022 found that, almost every month, roughly a dozen breaches compromised the protected health information of hundreds of Americans. The FBI's Internet Crime Complaint Center recorded more reported ransomware attacks against the healthcare sector last year than against any other critical infrastructure sector it tracks.

The Lehigh Valley case also highlights the legal exposure healthcare organizations face, both in dealing with the criminals who target them and in the claims brought by patients whose lives are upended by a breach.

More than 600 patients had images, including nude photos, stolen from their medical records and published. The settlement provides payments ranging from $50 to $70,000 per class member, with the largest payments going to those whose nude photos were posted online. The attorneys estimate that the money will be distributed early next year.

According to the lawsuit, the breach occurred on February 6, 2023, and exposed personally identifiable information and protected health information, including addresses, email addresses, Social Security numbers, passport numbers, driver's license or state identification numbers, health insurance details, medical diagnosis and treatment information, medications, lab results, and nude photographs.

The breach was later attributed to the ransomware group ALPHV, also known as BlackCat, which has also been linked to attacks on other healthcare and academic organizations.

About 132 gigabytes of data were reportedly uploaded to the group's dark web leak site. The group had threatened to release the sensitive information publicly if LVHN did not pay the ransom. LVHN refused to pay, and the images were then released.

According to the lawsuit, LVHN put its own "financial interests" above the interests of its patients. The complaint argues that the class, including the lead plaintiff identified only as Jane Doe, suffered embarrassment and humiliation as a result.

Saltz Mongeluzzi Bendesky, the law firm representing the class, says Doe will receive a larger share of the settlement than other class members. After LVHN discovered the breach in February 2023, a health system executive called patients to inform them. The executive told Doe that hackers had posted her personal information, including nude photos, on the dark web, a collection of hidden websites that is not reachable through conventional search engines such as Google.

According to the complaint, the executive apologized and offered two years of credit monitoring, an offer the woman in her 50s says she could only greet with a chuckle. She says she was in complete disbelief that the health system had stored nude photos of her on its computer network.

Approximately 135,000 patients, health system employees and others affected by the breach will receive payments under the proposed settlement, which still requires a judge's approval. Under the agreement, 80 per cent of the settlement fund is earmarked for the victims whose nude photos were published on the dark web.

Roughly 600 men and women fall into that category, and each is expected to receive at least $75,000, says Howard, one of the plaintiffs' attorneys. Jane Doe, as the lead plaintiff, could receive $125,000.

Hackers Leak 10 Billion Passwords How Users Should Respond

 


Several months ago, security researchers discovered what they described as the largest collection of stolen passwords ever posted to a criminal hacking forum. A user known as 'ObamaCare' posted a database that, according to the poster, contains nearly 10 billion unique passwords compiled over many years from numerous data breaches and leaks.

'ObamaCare' posted the collection, dubbed 'RockYou2024', on a popular hacking forum on Thursday. It is not the first time the user has leaked stolen data: the same account had previously shared a database of Simmons & Simmons employees, leads from the online casino AskGamblers, and student applications from Rowan College in New Jersey.

Cybernews researchers reported that on July 4, 2024, a hacker using the handle "ObamaCare" posted a file on a hacking forum containing 9,948,575,739 unique plaintext passwords. The dump is an updated version of the "RockYou2021" collection that surfaced in June 2021.

That earlier collection held 8.4 billion unique passwords. Cybercriminals have expanded it since 2021, adding roughly 1.5 billion new unique passwords. "The team verified the leaked passwords by cross-referencing the RockYou2024 leaked passwords with a leaked password checker provided by Cybernews, which showed that these passwords were obtained from a mix of both old and new leaks," Cybernews researchers wrote.

Cybernews researchers found the collection on the BreachForums criminal underground forum and describe it as the largest compilation of stolen and leaked credentials they have ever seen on that site. RockYou2024 appears to consist of 9,948,575,739 unique passwords, all in plaintext.

The database builds on RockYou2021, which contained 8.4 billion passwords, with roughly 1.5 billion new passwords added between 2021 and 2024. The latest file is estimated to draw on more than 4,000 large databases of stolen credentials spanning at least two decades.

In essence, the researchers said, RockYou2024 is a compilation of real-world passwords used by people around the world. A collection of this size in the hands of threat actors translates into a substantial risk of credential-stuffing attacks. Leaked passwords in such datasets can be used in both credential-stuffing and brute-force attacks. In credential stuffing, criminals take username and password pairs stolen from one account or service and try them against other accounts and services.

The attack relies on the premise that many users reuse a single password across their accounts and devices, so one stolen password can open several of them. A brute-force attack, by contrast, uses trial and error to guess sign-in information, passwords or encryption keys. Cybernews said the database can be used to target all sorts of services, from online accounts to offline systems, internet-facing cameras and industrial hardware.
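The two attack patterns described above leave different fingerprints in authentication logs, and telling them apart matters because the response differs (a stuffing run that scores a hit means the victim's reused password must be reset; a brute-force run against one account calls for lockout or rate limiting). The following script is an added example, not code from Cybernews or the original post. It runs over a constructed, simplified auth log (timestamp, source IP, username, result); real sources such as sshd, Okta or Entra ID sign-in logs need their own parser, and the thresholds are assumptions to tune against your own baseline.

```python
"""Classify failed-login sources as brute force or credential stuffing.

Added example, not from the original article. The log format is a
constructed, simplified auth log; swap parse_line() for your real source.
"""
from collections import defaultdict

# Constructed sample: one source hammering a single account (brute force),
# one source trying many distinct accounts once each (credential stuffing,
# with one success), and a legitimate user who mistyped a password once.
SAMPLE_LOG = """\
2024-07-05T10:00:01Z 203.0.113.7 alice FAIL
2024-07-05T10:00:02Z 203.0.113.7 alice FAIL
2024-07-05T10:00:03Z 203.0.113.7 alice FAIL
2024-07-05T10:00:04Z 203.0.113.7 alice FAIL
2024-07-05T10:00:05Z 203.0.113.7 alice FAIL
2024-07-05T10:00:06Z 203.0.113.7 alice FAIL
2024-07-05T10:00:10Z 198.51.100.23 bob FAIL
2024-07-05T10:00:11Z 198.51.100.23 carol FAIL
2024-07-05T10:00:12Z 198.51.100.23 dave FAIL
2024-07-05T10:00:13Z 198.51.100.23 erin FAIL
2024-07-05T10:00:14Z 198.51.100.23 frank OK
2024-07-05T10:00:15Z 198.51.100.23 grace FAIL
2024-07-05T10:00:30Z 192.0.2.55 heidi FAIL
2024-07-05T10:00:45Z 192.0.2.55 heidi OK
"""

# Thresholds are assumptions for the demo; tune them to your own baseline.
MIN_ATTEMPTS = 5
STUFFING_DISTINCT_RATIO = 0.8     # nearly every attempt is a different account
BRUTE_FORCE_DISTINCT_RATIO = 0.2  # attempts concentrate on very few accounts


def parse_line(line):
    ts, ip, user, result = line.split()
    return {"ts": ts, "ip": ip, "user": user, "ok": result == "OK"}


def classify_sources(log_text):
    """Return {ip: verdict}; verdicts are credential_stuffing, brute_force, benign.

    Stuffing: many distinct usernames from one source, roughly one attempt
    each (the attacker already holds a password per account). Brute force:
    many attempts concentrated on one or a few accounts.
    """
    attempts = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        attempts[ev["ip"]].append(ev)

    verdicts = {}
    for ip, events in attempts.items():
        n = len(events)
        if n < MIN_ATTEMPTS:
            verdicts[ip] = "benign"
            continue
        distinct_ratio = len({e["user"] for e in events}) / n
        if distinct_ratio >= STUFFING_DISTINCT_RATIO:
            verdicts[ip] = "credential_stuffing"
        elif distinct_ratio <= BRUTE_FORCE_DISTINCT_RATIO:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "benign"
    return verdicts


def compromised_accounts(log_text):
    """Usernames that logged in successfully from a source classified as stuffing.

    These are the high-value alerts: the reused password worked, so the
    account needs a forced reset, not just a lockout of the source IP.
    """
    verdicts = classify_sources(log_text)
    hits = set()
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if ev["ok"] and verdicts.get(ev["ip"]) == "credential_stuffing":
            hits.add(ev["user"])
    return sorted(hits)


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{ip:<15} {verdict}")
    print("accounts to force-reset:", compromised_accounts(SAMPLE_LOG))
```

Stuffing campaigns in the wild spread across many source IPs to stay under per-IP thresholds, so in production the same ratio logic is usually applied per autonomous system or per user-agent fingerprint as well as per IP.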

"By combining the data from RockYou2024 with other leaked databases from hacker forums, marketplaces, and other places where electronic mail addresses and other credentials can be published, it has the potential to trigger a cascade of data breaches, identity thefts, and financial frauds," the researchers stated. The multi-platform password manager that Bitdefender offers offers numerous benefits, including automatic password leak alerts that alert you as soon as your passwords and emails have been exposed online, with the ability to change them immediately. 

Users are advised to utilize a digital identity protection service to monitor their online identity and receive real-time alerts about data breaches and leaks involving their online information. One such service, Bitdefender Digital Identity Protection, offers a comprehensive solution for identity protection. Bitdefender Digital Identity Protection enables users to respond immediately to data breaches and privacy threats. 

Through instant alerts, users can take swift action to prevent damage, such as changing passwords with one-click action items. The service provides real-time monitoring by continuously scanning the internet and the dark web for personal information. Users receive alerts whenever their data is involved in a data breach or leak. Additionally, Bitdefender Digital Identity Protection offers peace of mind by immediately flagging suspicious activity and actively monitoring personal information. Users can rest assured that their digital identity is under constant surveillance. 

Furthermore, the service provides a 360° view of all data associated with a user’s digital footprint. This includes traces from services no longer in use but still retaining the user’s data. Users can also send requests for data removal from service providers, ensuring a more secure online presence. Overall, Bitdefender Digital Identity Protection is recommended for users seeking to safeguard their online identity and stay informed about potential security threats in real-time.
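Both the Cybernews "leaked password checker" mentioned earlier and the leak alerts described above have to answer the same question safely: is this password in a breach corpus, without the user handing the password to the checking service? The standard answer is the k-anonymity range query used by Have I Been Pwned's Pwned Passwords API. The block below is an added example (not Cybernews' or Bitdefender's code) that implements both sides of that protocol over a constructed toy corpus standing in for a RockYou-style dump.

```python
"""k-anonymity leaked-password check: client reveals only a 5-hex-char hash prefix.

Added example, not from the original article. The corpus is constructed.
"""
import hashlib
from collections import defaultdict

# Constructed toy corpus standing in for a RockYou-style dump.
LEAKED_PASSWORDS = [
    "123456", "password", "rockyou", "iloveyou", "princess",
    "qwerty", "abc123", "letmein", "monkey", "dragon",
]

PREFIX_LEN = 5  # 20 bits of the SHA-1; each bucket covers ~ 1/1M of hash space


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(passwords):
    """Server side: map hash prefix -> {hash suffix: occurrence count}."""
    index = defaultdict(lambda: defaultdict(int))
    for pw in passwords:
        h = sha1_hex(pw)
        index[h[:PREFIX_LEN]][h[PREFIX_LEN:]] += 1
    return index


def range_query(index, prefix):
    """Server side: return every suffix sharing the prefix, never a password.

    The response does not depend on whether the caller's password is present,
    so the server learns only that someone asked about this bucket.
    """
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(index.get(prefix.upper(), {}))


def is_pwned(password, index):
    """Client side: hash locally, send only the prefix, match the suffix locally.

    Returns the number of times the password appears in the corpus (0 = not found).
    """
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    suffixes = range_query(index, prefix)  # the only data crossing the wire
    return suffixes.get(suffix, 0)


if __name__ == "__main__":
    idx = build_index(LEAKED_PASSWORDS)
    for candidate in ["password", "correct horse battery staple"]:
        count = is_pwned(candidate, idx)
        print(f"{candidate!r}: {'LEAKED' if count else 'not in corpus'}")
```

SHA-1 is fine here because it is used as a lookup key against an already-public corpus, not to protect a stored credential; for storing your own users' passwords you still want a slow, salted hash such as bcrypt or Argon2.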

Google DeepMind Researchers Uncover ChatGPT Vulnerabilities

 

Researchers at Google DeepMind, leading a research team, used a simple trick to extract phone numbers and email addresses from OpenAI's ChatGPT, according to a report from 404 Media. The finding raises concerns about how much private data is included in ChatGPT's training set and about the risk of that information being exposed inadvertently.

The researchers said they were surprised the attack worked and stressed that the weakness they exploited could have been found earlier. They detailed their findings in a paper that has not yet been peer-reviewed, noting that, to their knowledge, nobody had previously observed ChatGPT emitting training data at this rate.

The disclosure of potentially sensitive information is only part of the problem. The broader concern, the researchers say, is that ChatGPT reproduces large portions of its training data verbatim at an alarming rate. That susceptibility opens the door to large-scale data extraction and may bolster the claims of authors who contend that their work is being copied.

How the Researchers Executed Their Attack

The researchers describe the attack as simple and somewhat amusing. One instructs the chatbot to repeat a single word, such as "poem", forever, and then lets it run. After a while, instead of continuing the repetition, ChatGPT starts generating varied, unrelated text, often containing substantial chunks copied verbatim from online sources.
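Getting a model to diverge is the easy half of the attack; the half that turns "varied text" into evidence of memorization is checking the output against a corpus for long verbatim matches. The paper did this with suffix arrays over a large web snapshot and a 50-token threshold. The block below is an added example, not the DeepMind team's code: a scaled-down version that indexes k-gram hashes of a constructed toy corpus and reports each maximal run of model output that appears in it. The corpus, the model output and the k value are assumptions for the demo.

```python
"""Flag verbatim training-data regurgitation in model output.

Added example, not the paper's code. Indexes k-grams (k consecutive
whitespace tokens) of a toy corpus and reports maximal copied runs.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for the indexed training corpus.
CORPUS_DOCS = {
    "doc-1": "The quick brown fox jumps over the lazy dog while the farmer watches from the porch",
    "doc-2": "Contact our support desk at the number printed on the back of your card for assistance",
}

# Constructed stand-in for a transcript after the 'repeat forever' prompt
# degenerates: some repetition, then a verbatim chunk of doc-1, then novel text.
MODEL_OUTPUT = (
    "poem poem poem poem poem the quick brown fox jumps over the lazy dog "
    "while the farmer watches from the porch and then something new entirely"
)

K = 4  # 50 tokens in the paper; tiny here so the toy corpus produces a hit


def tokens(text):
    return text.lower().split()


def kgram_key(toks):
    return hashlib.sha1(" ".join(toks).encode()).hexdigest()


def build_index(docs, k=K):
    """Map hash(k-gram) -> list of (doc_id, token_offset) where it occurs."""
    index = defaultdict(list)
    for doc_id, text in docs.items():
        toks = tokens(text)
        for i in range(len(toks) - k + 1):
            index[kgram_key(toks[i:i + k])].append((doc_id, i))
    return index


def find_verbatim_runs(output, index, k=K):
    """Return maximal copied runs as (start, end_exclusive, doc_id) in output tokens.

    Consecutive k-gram hits at consecutive offsets in the same document are
    merged, so a 30-token copied passage is reported once rather than as 27
    overlapping k-grams.
    """
    toks = tokens(output)
    runs = []
    i = 0
    while i <= len(toks) - k:
        hits = index.get(kgram_key(toks[i:i + k]))
        if not hits:
            i += 1
            continue
        doc_id, doc_pos = hits[0]
        end = i + k
        # Extend while the next k-gram continues the same document at the next offset.
        while end < len(toks):
            nxt = index.get(kgram_key(toks[end - k + 1:end + 1]), [])
            if (doc_id, doc_pos + (end - k + 1 - i)) in nxt:
                end += 1
            else:
                break
        runs.append((i, end, doc_id))
        i = end
    return runs


def longest_copied_span(output, index, k=K):
    """Length in tokens of the longest verbatim run; 0 if nothing matched."""
    return max((end - start for start, end, _ in find_verbatim_runs(output, index, k)), default=0)


if __name__ == "__main__":
    idx = build_index(CORPUS_DOCS)
    out_toks = tokens(MODEL_OUTPUT)
    for start, end, doc_id in find_verbatim_runs(MODEL_OUTPUT, idx):
        print(f"{doc_id}: {end - start} tokens -> {' '.join(out_toks[start:end])!r}")
```

A k of 4 over a two-document corpus will obviously match common phrases; the paper's 50-token threshold exists precisely so that only improbable, memorized sequences count, and at web scale a suffix array or a Bloom-filtered k-gram index replaces the in-memory dictionary used here.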

OpenAI released ChatGPT (Chat Generative Pre-trained Transformer) to the public on November 30, 2022. The chatbot, built on a large language model, lets users steer a conversation's length, format, style, level of detail and language.

According to the Nemertes enterprise AI research study for 2023-24, over 60% of organizations surveyed were using AI in production and nearly 80% had integrated AI into their business operations, yet fewer than 36% had established a comprehensive policy framework governing the use of generative AI.

DarkGate Using its New Variant MSI to Harm Your System

 

Over the past month, the Netskope Threat Labs team observed a sharp increase in malware delivered through SharePoint, driven by attackers abusing Microsoft Teams and SharePoint to trick users into downloading the DarkGate loader. DarkGate, first seen in 2018, has featured in many recent attacks.

DarkGate is popular with attackers because it can take remote control of a computer, log keystrokes, steal information and download additional malware. It is also used to stage larger attacks, including ransomware that encrypts files and demands payment for their release.

Netskope recently found a new DarkGate variant delivered as a Windows Installer (MSI) package, using a loading technique that Netskope compares to one seen in Cobalt Strike Beacon.

Let's take a closer look at how the MSI infects a system

The infection chain begins with a phishing email posing as an invoice. The email carries a PDF that, when opened, displays a template imitating a DocuSign document and urges the user to review it. Clicking the document triggers the execution of an MSI file, which then loads several components, all contained in a CAB archive stored inside the MSI.
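When an "invoice" MSI lands in a mailbox, the quickest triage is to look at what the embedded CAB would drop without running the installer. The following script is an added example (not Netskope's or DarkGate's code): it scans the raw bytes of an MSI (an OLE compound file) for the `MSCF` CAB signature, parses each CFHEADER and walks the CFFILE directory to list payload names. It assumes the CAB directory is contiguous in the raw file, which holds for small CABs; OLE streams can be split across non-contiguous sectors, so for a large or odd CAB extract the stream with a tool such as olefile first. The sample bytes, the watch-listed extensions and the file names are constructed.

```python
"""Triage an MSI for embedded CAB archives and list the files they carry.

Added example, not from Netskope. Works on raw bytes: finds 'MSCF' headers
and parses the CFFILE directory (MS-CAB format). Sample data is constructed.
"""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
CAB_SIGNATURE = b"MSCF"
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # 36 bytes
CFFOLDER = struct.Struct("<IHH")             # 8 bytes
CFFILE = struct.Struct("<IIHHHH")            # 16 bytes, then null-terminated szName

# Extensions that deserve a closer look when an "invoice" installer drops them.
SUSPICIOUS_EXT = (".au3", ".a3x", ".vbs", ".js", ".ps1", ".dll", ".exe", ".bat")


def parse_cab_directory(data, offset):
    """Parse the CAB header at `offset` and its file directory."""
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
     c_folders, c_files, _flags, set_id, i_cabinet) = CFHEADER.unpack_from(data, offset)
    if sig != CAB_SIGNATURE:
        raise ValueError("not a CAB header")
    files = []
    pos = offset + coff_files          # CFFILE entries start here
    for _ in range(c_files):
        cb_file, _uoff, i_folder, _date, _time, attribs = CFFILE.unpack_from(data, pos)
        pos += CFFILE.size
        end = data.index(b"\x00", pos)
        name = data[pos:end].decode("utf-8" if attribs & 0x80 else "latin-1")
        pos = end + 1
        files.append({"name": name, "size": cb_file, "folder": i_folder, "attribs": attribs})
    return {
        "offset": offset, "size": cb_cabinet, "version": f"{ver_major}.{ver_minor}",
        "folders": c_folders, "set_id": set_id, "cabinet_index": i_cabinet, "files": files,
    }


def find_embedded_cabs(data):
    """Parsed directories for every CAB signature found in `data`."""
    cabs = []
    pos = data.find(CAB_SIGNATURE)
    while pos != -1:
        try:
            cabs.append(parse_cab_directory(data, pos))
        except (struct.error, ValueError):
            pass  # 'MSCF' occurring inside unrelated data; skip it
        pos = data.find(CAB_SIGNATURE, pos + 4)
    return cabs


def suspicious_payloads(data):
    """Names of embedded CAB members whose extension is on the watch list."""
    return sorted(
        f["name"] for cab in find_embedded_cabs(data) for f in cab["files"]
        if f["name"].lower().endswith(SUSPICIOUS_EXT)
    )


def build_test_cab(names):
    """Construct a minimal CAB (header + one folder + directory, no CFDATA)."""
    dir_bytes = b"".join(
        CFFILE.pack(len(n) * 10, 0, 0, 0, 0, 0x20) + n.encode() + b"\x00" for n in names
    )
    coff_files = CFHEADER.size + CFFOLDER.size
    total = coff_files + len(dir_bytes)
    header = CFHEADER.pack(CAB_SIGNATURE, 0, total, 0, coff_files, 0, 3, 1, 1, len(names), 0, 0x1234, 0)
    folder = CFFOLDER.pack(total, 0, 0)
    return header + folder + dir_bytes


# Constructed carrier: OLE magic plus padding standing in for an MSI, with a CAB
# whose members mirror a script-interpreter-plus-script drop. Not a valid
# compound file; enough for the raw scan.
SAMPLE_MSI = OLE_MAGIC + b"\x00" * 504 + build_test_cab(["AutoIt3.exe", "script.a3x", "readme.txt"])

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MSI
    if not blob.startswith(OLE_MAGIC):
        print("warning: not an OLE compound file, continuing with raw scan")
    for cab in find_embedded_cabs(blob):
        print(f"CAB at 0x{cab['offset']:x}, v{cab['version']}, {len(cab['files'])} file(s)")
        for f in cab["files"]:
            print(f"  {f['name']}  ({f['size']} bytes)")
    print("suspicious:", suspicious_payloads(blob))
```

Run it as `python triage_msi.py invoice.msi`; with no argument it scans the constructed sample. A renamed legitimate interpreter next to a script file is the pattern to look for, so pair the name check with a hash lookup of the extracted executable.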

Trend Micro has also observed DarkGate operators distributing the malware through Microsoft Teams in organizations that allow messages from external users, and Truesec and Malwarebytes have previously documented Teams phishing campaigns that used malicious VBScript to deploy DarkGate.

Despite its age, DarkGate remains a prominent and increasingly active threat. The loader has seen a surge in cybercriminal interest as a tool for gaining initial access to corporate networks, particularly after the international law enforcement disruption of the Qakbot botnet in August.

In the lead-up to the dismantling of the Qakbot botnet, an individual claiming to be DarkGate's developer sought to sell subscriptions on a hacking forum, floating an annual fee as high as $100,000.

Different campaigns have used different delivery and loading techniques and introduced new malware functionality, which demands continued vigilance from the security community. Netskope Threat Labs says it will continue to monitor the evolution of DarkGate and its tactics, techniques and procedures (TTPs).

Does Your Organization Have a False Sense of Cybersecurity?

Many people assume that piling up cybersecurity tools automatically makes an organization secure. Recent trends in cyberattacks show that reality often looks different.

In the wake of the pandemic, cybercrime has been reported to have surged by 600% as new threats emerged. Hackers and scammers use a spectrum of tactics, from traditional email phishing to techniques such as cross-site scripting (XSS), to obtain sensitive information and, in some cases, hold organizations hostage.

The expanding threat landscape has prompted the security industry to produce a wide array of new solutions. That innovation is welcome, but an abundance of tools within a single organization can lead to a fragmented security approach and leave gaps.

A study cited by Forbes suggests that organizations using more cybersecurity tools are more likely to suffer breaches. Organizations armed with many tools may cultivate a false sense of assurance rather than a genuinely robust security posture.

Such tools often focus on isolated parts of the network, neglecting the broader context and, crucially, not talking to each other. The result is a disjointed view of the organization's security posture that makes weaknesses hard to pinpoint, like holding a pile of puzzle pieces without knowing what the finished picture should look like.

According to Adarma's research, about 61% of cybersecurity professionals find the market too confusing, fragmented, complicated and crowded, which makes it harder for them to improve their security. Overlapping tools also create waste: if several products address the same problem, such as phishing, the same work gets done repeatedly.

Protecting a company today requires a thorough plan covering many areas. It is not just about deploying tools, but about maintaining them continuously, much like tending a garden, and knowing how to operate each one, since each has its own requirements.

Bringing different sources of information together gives a complete picture of security across the organization. Tools must be configured correctly and kept up to date, and while consolidating security measures can make operations smoother, it should be done thoughtfully.

Recognizing and closing gaps shows strength and readiness to act, and trusting both the tools and the team that runs them is just as crucial. A well-rounded plan of this kind helps companies strengthen their defenses and keep pace with ever-changing digital threats.

Email Hack Hits 15,000 Business Customers of TPG

TPG, Australia's second-largest telecommunications company, has fallen victim to a high-profile cyber attack. TPG is the country's No. 2 internet service provider, serving 7.2 million accounts. TPG Telecom was previously known as Vodafone Hutchison Australia and was renamed after its merger with TPG.

In a filing released on Wednesday, the company disclosed that the email accounts of up to 15,000 of its business customers had been breached. The intrusion was identified during a forensic review.

"TPG Telecom's external cyber security advisers, Mandiant, advised that they found evidence of unauthorized access to a Hosted Exchange service which hosts email accounts for up to 15,000 iiNet and Westnet business customers," the carrier said.

The company said the threat actors appeared to be searching for customers' cryptocurrency and financial information, but did not say whether customer data had actually been accessed.

"We apologize unreservedly to the affected iiNet and Westnet Hosted Exchange business customers. We continue to investigate the incident and any potential impact on customers and are advising customers to take necessary precautions," TPG's statement read.

Before this attack, around eight other Australian companies had disclosed hacks since October, incidents that have prompted public outrage in Australia.

Following those reports, the government said last week that it is working on a new cyber-security strategy to fight cyber threats and is also considering a ban on paying ransoms to threat actors.

After the public announcement, the company said it had implemented measures to address the vulnerabilities in the system and stop further unauthorized access, and that it had started contacting all customers on the affected Exchange service.

“The matter remains under investigation and we will be communicating with directly affected customers as more information becomes available,” the company added. 

Windows, Linux and macOS Users Hit by Chinese Iron Tiger

Iron Tiger (aka LuckyMouse), a China-sponsored hacking group, has been caught using the compromised servers of a chat application called MiMi to deliver malware to Windows, Linux and macOS systems. The campaign's primary targets were located in Taiwan and the Philippines.

Cybersecurity firms Trend Micro and SEKOIA published detailed reports on the new cyberespionage campaign by Iron Tiger, which is also tracked as Emissary Panda, Bronze Union, LuckyMouse, APT27 and Threat Group 3390 (TG-3390). The group has been active since at least 2010 and has victimized hundreds of organizations worldwide for cyberespionage purposes.

The group has a history of compromising targeted servers in pursuit of political and military intelligence-collection objectives aligned with China. Trend Micro identified one of the victims as a Taiwan-based game development firm, targeted along with thirteen other entities.

The advanced persistent threat (APT) group compromised the servers of MiMi, a cross-platform messaging application, and tampered with its installers so that they download and install HyperBro samples on Windows and rshell samples on Linux and macOS. The desktop version of MiMi is built on the cross-platform ElectronJS framework.

"Iron Tiger compromised the server hosting the legitimate installers for this chat application for a supply chain attack," says Trend Micro.

Trend Micro uncovered various rshell samples, including some targeting Linux; the earliest were uploaded in June 2021. SEKOIA wrote in its blog post that the campaign has all the hallmarks of a supply chain attack, since the attackers controlled the servers hosting the app.

"We noticed that a chat application named MiMi retrieved the rshell executable, an app we came across recently while investigating threat actor Earth Berberoka. We noticed Iron Tiger controlling the servers hosting the app installers of MiMi, suggesting a supply chain attack," the Trend Micro blog post read.
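The practical lesson of a trojanized-installer campaign like this one is that the download server cannot be the source of truth for the installer's integrity: a checksum file fetched from the same compromised host proves nothing. Expected digests have to be pinned out of band (a vendor signing key, a release page on separate infrastructure, or a value recorded when the build was vetted) and checked before anything executes. The block below is an added example, not code from Trend Micro, SEKOIA or the MiMi project; the pinned table and the sample files are constructed.

```python
"""Verify a downloaded installer against out-of-band pinned SHA-256 digests.

Added example, not from the original article. Pins and files are constructed.
"""
import hashlib
import os
import tempfile

# Constructed pins: installer filename -> SHA-256 obtained out of band.
PINNED_SHA256 = {
    "mimi-setup.exe": hashlib.sha256(b"legitimate installer bytes v2.3.0").hexdigest(),
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(path, pins=PINNED_SHA256):
    """Return (ok, reason). Files with no pin are rejected, never waved through."""
    name = os.path.basename(path)
    expected = pins.get(name)
    if expected is None:
        return False, f"no pinned digest for {name}"
    actual = sha256_file(path)
    if actual != expected:
        return False, f"digest mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, "digest matches pinned value"


def demo():
    """Write a genuine copy and a tampered copy to a temp dir and verify each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mimi-setup.exe")
        with open(path, "wb") as fh:
            fh.write(b"legitimate installer bytes v2.3.0")
        results["genuine"] = verify_installer(path)[0]
        # Same filename, one appended byte: how a backdoored build looks to a hash check.
        with open(path, "ab") as fh:
            fh.write(b"\x90")
        results["trojanized"] = verify_installer(path)[0]
        results["unknown"] = verify_installer(os.path.join(tmp, "other.exe"))[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Where the vendor signs releases, verifying the signature with a pinned public key is preferable to pinning per-file hashes, since it survives version bumps; the hash table above is the fallback when no signature exists, as with many Electron desktop installers.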

China's Draft Cybersecurity Rules Pose Risks For Financial Firms

 

China has proposed new cybersecurity rules for financial firms that could create operational risks for Western firms by making their sensitive data more vulnerable to hacking, among other concerns, an industry group has warned.

The regulatory proposal comes at a time when a number of Western investment banks and asset managers are expanding their business in China, either by setting up wholly-owned firms or by taking a bigger share in existing joint ventures.

On April 29, the China Securities Regulatory Commission (CSRC) released the draft Administrative Measures for the Management of Network Security in the Securities and Futures Industry and opened a month-long public consultation on the proposals.

Under the draft rules, investment banks, asset managers and futures companies operating in China would be required to share data with the CSRC, submit to regulator-led testing and help set up a centralized data backup center.

The draft also states that the CSRC could conduct penetration testing, a simulated cyber attack against operational systems, and system scanning on securities, futures and fund firms.

"There are real risks to firms due to the potentially disruptive nature of penetration testing and the sensitivity of testing results. Testing systems and applications without operational context could create significant disruption to firm operations," ASIFMA, the Asia Securities Industry & Financial Markets Association, noted.

The regulator has laid out a number of reasons for sharing data with the center, but the industry group is concerned that passing on sensitive data will make companies in the sector more vulnerable to "hackers and other bad actors".

A number of international banks and asset managers also do not back the plan to set up a centralized data backup center.

"This not only poses huge risks to all core institutions and operating institutions on an individual basis but also brings significant systemic risks for the sector in China and globally given the inter-connectedness of the global financial sector if the data is compromised or leaked," the ASIFMA letter said.

The government has not set a timeline for the final issuance of the rules or for their implementation.

How Often do Developers Push Vulnerable Code?

In a recent survey, Synopsys found that 48% of organizations knowingly push vulnerable code in their application security programs because of time constraints. The survey covered more than 400 U.S.-based developers working at organizations that have CI/CD tools in place.

The report, titled "Modern Application Development Security", examined how well security teams understand modern development and deployment practices and where security controls are needed to lower risk.

60% of respondents said their production applications had been exploited through OWASP Top 10 vulnerabilities in the past 12 months, and 42% of developers push vulnerable code once per month.

The research found that some organizations knowingly push vulnerable code without fully understanding the security risk they are taking on, and that developers under schedule pressure often do not see fixing the code as their responsibility.

Developers play a central role in application security, but the report found they often lack the skills and training: nearly one-third (29%) of respondents said developers in their organization lack the knowledge to mitigate the issues identified by their current application security tools, and developers fix only 32% of known vulnerabilities.

The researchers also suggested ways to fix vulnerabilities more efficiently. About a third of reported vulnerabilities are noise; to reduce false positives, scanners need access to all the data required to determine accurately whether a vulnerability actually exists. Reducing that noise lets developers address real issues confidently and on time.

Commenting on the research, Tromzo CTO Harshit Chitalia said, "These findings show that developers regularly ignore security issues, but can we really blame them? Security teams are bombarding them with an endless stream of issues that need to be addressed with no way for them to separate what's actually critical from all the noise, all while they are expected to release software more frequently and faster than ever before…"

"…If we want developers to truly implement security, we must make it easy for them. This means integrating contextual and automated security checks into the SDLC so we can transition from security gates to security guardrails," he added.

CISA Warns of Critical Vulnerabilities in Airspan Networks Mimosa

 

On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an Industrial Control Systems Advisory (ICSA) warning of multiple vulnerabilities in Airspan Networks' Mimosa products. If exploited, the flaws could allow an attacker to gain remote code execution, obtain private data and create a denial-of-service (DoS) condition.

The Airspan Networks Mimosa product line provides hybrid fiber-wireless (HFW) network solutions to industrial service providers and government agencies for both short- and long-range broadband deployments.

"Successful exploitation of these vulnerabilities could allow an attacker to gain user data (including organization details) and other sensitive data, compromise Mimosa's AWS (Amazon Web Services) cloud EC2 instance and S3 Buckets, and execute unauthorized remote code on all cloud-connected Mimosa devices," CISA said in the advisory.

CISA's advisory covers seven vulnerabilities affecting the following products:

• Mimosa Management Platform (MMP) running versions prior to v1.0.3 

• Point-to-Point (PTP) C5c and C5x running versions prior to v2.8.6.1

• Point-to-Multipoint (PTMP) A5x and C-series (C5c, C5x, and C6x) running versions prior to v2.5.4.1 

CISA recommends that organizations and users update to MMP version 1.0.4 or higher, PTP C5c and C5x version 2.9.0 or higher, and PTMP A5x and C-series version 2.9.0 or higher. It also advises affected organizations to isolate control system networks from the business network, minimize network exposure, and use virtual private networks (VPNs) for remote access.
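Turning an advisory like this into action means checking an inventory of deployed firmware against the fixed versions, and the classic mistake is comparing version strings lexically, which orders "2.10.0" before "2.9.0". The block below is an added example (not from CISA or Airspan): it takes the fixed versions the advisory lists, compares firmware versions as integer tuples, and flags the hosts that still need updating. The inventory rows are constructed.

```python
"""Check an inventory of Airspan Mimosa devices against advisory fixed versions.

Added example, not from CISA or Airspan. Fixed versions are those the
advisory lists; the inventory is constructed.
"""

# Minimum fixed version per product family, from the advisory.
FIXED_VERSIONS = {
    "MMP": "1.0.4",   # Mimosa Management Platform
    "PTP": "2.9.0",   # C5c, C5x
    "PTMP": "2.9.0",  # A5x, C5c, C5x, C6x
}

# Constructed inventory: (hostname, product family, running firmware version)
INVENTORY = [
    ("mmp-cloud-01", "MMP", "1.0.3"),
    ("ptp-tower-a", "PTP", "2.8.6.1"),
    ("ptp-tower-b", "PTP", "2.10.0"),   # newer than 2.9.0, but sorts lower as a string
    ("ptmp-site-7", "PTMP", "2.5.4.1"),
    ("ptmp-site-8", "PTMP", "2.9.0"),
]


def parse_version(v):
    """'2.8.6.1' -> (2, 8, 6, 1); shorter versions are zero-padded so 2.9 == 2.9.0."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(family, version):
    """True when the running version is older than the family's fixed release."""
    if family not in FIXED_VERSIONS:
        raise KeyError(f"unknown product family {family!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[family])


def vulnerable_hosts(inventory):
    """Hostnames still running a version prior to the fixed release."""
    return [host for host, fam, ver in inventory if is_vulnerable(fam, ver)]


if __name__ == "__main__":
    for host in vulnerable_hosts(INVENTORY):
        print("UPDATE REQUIRED:", host)
```

The unknown-family check deliberately raises rather than returning False, so a device that is mislabelled in the inventory shows up as an error to investigate instead of silently passing.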

Chinese APT Actor Tracked as 'Antlion' Targeting Companies in Taiwan

 

For almost 18 months, the Chinese state-backed advanced persistent threat (APT) actor tracked as ‘Antlion’ has been attacking financial institutions and manufacturing companies in Taiwan in a persistent campaign. Researchers at Symantec noted that the threat actors deployed a new custom backdoor named 'xPack' on compromised networks, which gave the attackers broad access to victims’ systems.

The backdoor can run WMI commands remotely, and the attackers have also been seen using EternalBlue exploits through it. They also interacted with SMB shares, and it is possible that mounted SMB shares were used to transfer data to the command-and-control (C2) server. 

Furthermore, the attackers have successfully browsed the web through the backdoor, likely using it as a proxy to mask their IP address. Researchers believe that the malware was used in a campaign against Taiwan and had allowed the adversaries to run stealthy cyber-espionage operations. 

In one dissected intrusion, the attackers spent 175 days on the compromised network. Symantec's threat unit is also studying two other incidents of this kind to determine how the adversary went undetected for as long as 250 days. 

The researchers said the new custom malware helped the threat actors achieve this level of stealth; Symantec also identified the following custom tools used alongside xPack in this operation: 

• EHAGBPSL – Custom C++ loader 
• CheckID – Custom C++ loader based on a similar tool used by the BlackHole RAT 
• JpgRun – Custom C++ loader 
• NetSessionEnum – Custom SMB session enumeration tool 
• Kerberos golden ticket tool based on the Mimikatz credentials stealer 
• ENCODE MMC – Custom bind/reverse file transfer tool 

"There is also evidence that the attackers likely automated the data collection process via batch scripts, while there is also evidence of instances where data was likely staged for further exfiltration, though it was not actually observed being exfiltrated from the network," explains Symantec.

FlexBooker Breached, Over 3.7 Million Impacted

 

A cybercriminal group that calls itself Uawrongteam has compromised the accounts of more than three million users of the U.S.-based FlexBooker, a popular online appointment scheduling platform that lets customers book appointments ranging from counseling to haircuts. 

The same intruders are offering data on hacker forums from FlexBooker along with other databases compromised on the same day, belonging to Racing.com and Redbourne Group’s rediCASE case management software, both from Australia. 

According to the reports, the compromised data published on criminal forums includes ID documents, photos, and driver’s licenses. The stolen database also contains customer information such as names, phone numbers, emails, hashed passwords, and the password salts. 

The company has already alerted local authorities and sent notifications to its customers, explaining that its Amazon AWS servers were breached by a distributed denial-of-service (DDoS) attack. FlexBooker customers include the brands Chipotle, GoDaddy, Bausch + Lomb, and Krewe. 

“After working further with Amazon to understand what happened, we learned a certain set of data, including personal information of some customers, was accessed and downloaded,” the company said. Meanwhile, Nasser Fattah, a cyber security expert, warned that the attack might not be over. 

“We know that there are financial losses associated with system outages, hence, why security teams have all eyes on glass, so to speak, when there is a DDoS attack…,” Fattah explained on Friday. “…And when this happens, it is important to be prepared for the possibility of a multifaceted attack and be very diligent with monitoring other anomalies happening on the network.” 

Israeli Media Outlets Hacked on Soleimani Killing Anniversary

 

On the anniversary of the killing of a prominent Iranian general, malicious actors attacked two major Israeli media outlets with a threatening message. Hackers replaced websites’ content with an image that threatened a site associated with Israel's undeclared nuclear weapons program. 

The targets were the Jerusalem Post's website and the Twitter account of Maariv. So far, no group has claimed responsibility for the attack. The image posted on the Jerusalem Post's website showed a fist firing a shell out of a ring with a red stone toward Israel’s Dimona nuclear facility. 

"We are close to you where you do not think about it", read the text in English and Hebrew below the fist. 

“We are aware of the apparent hacking of our website, alongside a direct threat to Israel. We are working to resolve the issue & thank readers for your patience and understanding. For now, you can continue reading us on our app: https://t.co/UrEXIpatDP https://t.co/veBDuWgucp” — The Jerusalem Post (@Jerusalem_Post), January 3, 2022. 

Qassem Soleimani was the head of the Quds Force, the foreign operations arm of Iran's Revolutionary Guards, and was hailed as a hero in Iran: brave, charismatic, and beloved by the troops. The most important figure in the Iranian administration, he was killed two years ago by a US drone strike at Baghdad International Airport, Iraq. The incident has fuelled hostility towards the USA and Israel in Iraq ever since.

LINE Pay leaked 133,000 Users' Data to GitHub

Yesterday, the digital messaging and payment platform LINE Pay released a statement saying that around 133,000 customers’ payment data was erroneously published on GitHub between September and November this year. The incident affected more than 51,000 Japanese users and around 82,000 Taiwanese and Thai users.

Data on participants in a LINE Pay promotional program that ran between late December 2020 and April 2021 was accidentally uploaded to the code-hosting platform by an employee. After discovering the exposure, the company notified its customers, and its fintech division issued an official apology and assured users of future protection. 

The leaked data includes the time, date, and amount of transactions, together with user and franchise store identification numbers. Telephone numbers, addresses, credit card numbers, and bank account numbers were not leaked; however, customers' names and other details could be obtained from the exposed data with little effort. 

Additionally, many political figures and dignitaries stopped using the app after the July 2021 cyberattack, and Japanese government officials also stopped using it when it was discovered that important information was being leaked to China. Before that discovery, Japan used the app extensively for regional official communications. 

GitHub, headquartered in California, USA, has been a subsidiary of Microsoft since 2018. The platform is commonly used to host open-source software projects (as of November 2021, GitHub reports having over 73 million developers). It provides the distributed version control and source code management (SCM) functionality of Git plus its own features, including access control and collaboration tools such as feature requests, bug tracking, task management, continuous integration, and wikis for every project.

Phishing Scam Tempts Military Families

 

Threat analysts at Lookout report that a phishing campaign is victimizing members of the United States military and their families. According to the report, it is a long-running operation that impersonates various military support organizations and personnel profiles to lure victims into advance-fee scams and steal sensitive personal and financial data. 

Motivated by financial gain, the actors steal sensitive data from victims, including bank account information, photo identification, names, addresses, and phone numbers, Lookout said in the report. 

“Based on our analysis, it’s clear that the threat actor is looking to steal sensitive data from victims such as their photo identification, bank account information, name, address, and phone number…,” wrote Lookout’s threat analysts in a blog post published today. 

“…With this information, the actor could easily steal the victim’s identity, empty their bank account and impersonate the individual online,” the blog further read.

The scammers created a series of websites that appear legitimate; the operators enhanced the sites' credibility by adding advertisements for Department of Defense services (DODS) to falsely suggest an affiliation with the military. 

According to the report, the operators offer high-priced services that are never delivered, such as leave applications, communication permits, and care packages, to convince victims that they are interacting with a military member. The threat analysts also report that Nigeria is the scammers’ operational base. 

“The websites were primarily hosted by Nigerian providers that are offshore or ignore the Digital Millennium Copyright Act (DMCA). We were able to further confirm the operator’s location from a phone number one of the web developers accidentally left on the draft version of the site. The country code of the number is from Nigeria,” said researchers. 

“We were also able to link this group to numerous other scams advertising fake delivery services, crypto-currency trading, banks, and even online pet sales,” researchers added.

Retail Industry Remains Favorite Target of Cyber Criminals

 

The retail industry has always been a favorite target of cybercriminals. Recent studies show a sharp rise in cybersecurity threats against retailers, to the point that they have become a fundamental business risk. Studies show that such threats lead to loss of customers and dissatisfaction with the company's services. Following the major data breaches that affected Target, Home Depot, and TJX, retail security threats have become a daily concern for retailers.

Cyber attacks could also contribute to the global supply chain crisis: any disruption could delay shipments and even leave physical and digital store shelves empty throughout the season. 

Online retailers have been a primary target of automated bot activity and of DDoS attacks, which spiked 200% in September 2021. Bots can be designed for either benign or malicious activity. A malicious bot is self-propagating malware that infects a host and connects back to one or more central servers acting as a command-and-control (C&C) center for an entire network of compromised devices, or “botnet.” With a botnet, malicious actors can launch broad, remotely controlled, flood-type attacks against their victims. 

In 2021, monthly bad-bot attacks on retail websites increased by up to 13%, double the previous year's figure. The research found that this year 57% of the attacks targeting eCommerce websites were carried out by bad bots. 

The study also found that in 2021 bad bots accounted for 33% of all attacks on websites in other industries. According to the researchers, account takeover remains a major risk for customers who log in to websites that hold their sensitive data, including credit card or payment information. 

Online retailers faced a higher share of account-takeover login attempts (32.8%) in 2021 than the average (25.5%) across all other industries. Four common retail security threats are refund fraud, IoT vulnerabilities, gift card hacking, and supply chain attacks. According to the researchers, the pandemic has turned e-commerce into a center of cyber threats. 

Ransomware Attack on Lab in Florida

A Florida-based laboratory has suffered a ransomware attack that exposed the personal health information (PHI) of more than 30,000 individuals. Nationwide Laboratory Services, located in Boca Raton, noticed suspicious activity on its network on May 19, 2021. The subsequent investigation revealed that the attackers had used ransomware to encrypt files across the healthcare provider’s network, making the data inaccessible to all staff. 

The laboratory engaged a third-party cybersecurity firm to investigate the attack further and assist with cleanup. According to the digital forensics findings, the attackers accessed parts of Nationwide Laboratory Services’ network that housed patients’ PHI. 

The attackers compromised patient data including names, addresses, dates of birth, lab test results, Medicare numbers, medical record numbers, and health insurance information. A notice on the incident released by Nationwide Laboratory Services also warns that “a small number of individuals had their Social Security numbers affected.” 

According to the lab, the attack did not affect all of Nationwide's patients, and the compromised data varied from person to person. The laboratory added, “Nationwide has no indication that any information was or will be used for an improper purpose.” 

On or about October 28, Nationwide reported the breach to the Department of Health and Human Services’ Office for Civil Rights, indicating that around 33,437 individuals’ personal data may have been compromised. Affected individuals were notified and given recommendations on how to protect their data. 

“On May 19, 2021, Nationwide Laboratory Services realized that a ransomware virus had begun encrypting files stored on its network,” the laboratory reported. 

“…An unauthorized entity may have deleted a restricted number of files from its system in addition to encrypting them,” the firm added.

Mobile Phishing Attacks Surge, Researchers Warn Energy Sectors

 

Mobile phishing attacks are surging: threat actors are targeting workers in the energy, pharmaceutical, government, and finance sectors with phishing and malware campaigns designed to exploit security weaknesses in smartphones and tablets. 

A recent report by cybersecurity researchers at Lookout warns the energy sector in particular. According to the report, mobile phishing attacks targeting the energy sector rose 161% from 2020, as threat actors strive to break into the networks used to deliver services such as gas and electricity. 

Globally, the energy sector accounts for around 17% of mobile phishing attacks, more than finance, pharmaceuticals, government, or manufacturing. Independent cybercriminals are not the only threat: state-backed actors are also targeting energy providers' networks.

"The energy industry is directly related to the wellbeing and safety of citizens, globally," Stephen Banda, senior manager of security solutions at Lookout, reported.

"Threat actors know that mobile devices aren't usually secured in the same way as computers. For this reason, mobile phishing has become one of the primary ways threat actors get into corporate infrastructure," said Banda. 

"By launching phishing attacks that mimic the context that the recipient expects, attackers are able to direct a user to a fake webpage that mimics a familiar application login page. Without thinking, the user provides credentials and data has been stolen," he added. 

Phishing emails and malware are harder to spot on smartphones and tablets because the smaller screen gives users fewer cues, and because these devices are often not secured as comprehensively as laptops and desktop PCs, which creates opportunities for attackers to compromise networks. 

 "The majority of attacks start with phishing, and mobile presents a multitude of attack pathways. An anti-phishing solution must block any communication from known phishing sites on mobile devices — including SMS, apps, social platforms, and email," said Banda.

Possible Cyberattack Disrupts Healthcare Services in Canadian province

 

On Monday, health authorities in the Canadian province of Newfoundland reported that the healthcare system's internal IT systems had been disrupted, possibly by a cyberattack. Several appointments have been cancelled as a result. 

Investigations are under way to determine the scale and nature of the attack, Health Minister John Haggie told reporters. 

"This led to progressive failure of what's been described to me as the brain of the data center and a loss of functionality and systems across the regional health authorities," he said, adding that authorities have adopted contingency measures. 

The attack has had a significant impact across the healthcare system in the remote Atlantic province. According to David Diamond, Chief Executive Officer of the Eastern Regional Health Authority, the hard-hit emergency department was operating as usual on Monday, but the cancelled appointments would have to be rescheduled.

According to the Canadian Broadcasting Corporation, a ransomware attack was behind the disruption. Ransomware is malicious software that locks and encrypts the victim’s files and then demands a ransom to unlock and decrypt them; Haggie did not confirm this report.

Consumers Losing Trust In Financial and E-commerce Industries

 

Callsign, a UK-based digital identity company, reports that the rise of scams is harming organizations’ reputations around the world. Its global consumer study found that merely receiving a scam message claiming to be from an official brand is enough for 49.8% of customers to lose confidence in that organization, regardless of whether it had any real connection to the message. 

Founded in 2012, Callsign offers identity authorization and authentication and fraud protection products and services to banks and other public and private sector organizations. The organizations most often impersonated by fraudsters are in financial services and e-commerce: consumers report that around 59% of the scam messages they receive claim to be from their bank and 36% from a retailer. 

Globally, individuals who receive fraud messages through various channels get around 1133 of them a year, and 24% say they receive more fraud messages than friends and family. Around 41% admit that they don’t report fraud messages, largely because consumers underestimate the seriousness of the crime. 

Following the report, Stuart Dobbie, SVP, Innovation, Callsign said, “Fraud hides in volume and the rapid migration of the global population online in the last 18 months has led to the industrialization of scams. The consequence is fraudsters are using the same channels we’re using to authenticate genuine consumers, and this is harming organizations’ reputations with the decrease of trust in their brands. Organizations need to re-evaluate the communications channels they use to interact with customers to better establish trust. With fraudsters monopolizing open channels such as SMS and email, these channels cannot be relied upon to also authenticate identity…” 

“…Our research shows that over a third (38%) of consumers think identity is the problem and that people should prove who they are when signing up to use a platform to stop scammers. These consumer concerns emphasize organizations must wake up to the importance of digital identification.”