Cyber Security News for August 6th 2024 - keeping you informed on what is happening in the Cyber Threat Actor world and helping keep you safe.
Welcome to this week's roundup of the latest happenings in the world of cybersecurity. As always, the threat landscape is evolving faster than a hedgehog can roll up, and we've got the scoop on the most pressing incidents and trends you need to know about. From ruthless ransomware attacks on nonprofits to sophisticated social engineering schemes, our aim is to keep you informed and one step ahead of the cybercriminals. So, grab a coffee, settle in, and let's dive into the stories that are shaping the digital battlefield this week.
In a disturbing development, Planned Parenthood of Montana has become the latest target of a ruthless cyberattack. The notorious ransomware gang, RansomHub, has claimed responsibility for the breach, boasting that it has pilfered a staggering 93 GB of data. The criminals now threaten to leak this sensitive information unless their demands are met.
Martha Fuller, CEO and President of Planned Parenthood Montana, confirmed the incident, which was detected on August 28th. She reassured the public that immediate action was taken, including shutting down parts of the network as a precaution. Despite the attack, the organization remains resilient, with federal law enforcement and cybersecurity experts working to investigate and mitigate the breach's impact.
Often running on tight budgets, nonprofits are particularly vulnerable to such extortion attempts. Fuller emphasized that the organization is taking the threat very seriously and is cooperating fully with federal authorities to ensure the safety and security of its systems. The FBI has also been notified, though it has yet to comment on the situation.
RansomHub's track record is grim, with over 210 victims across various sectors, from healthcare to critical infrastructure. This attack, targeting an organization that provides vital reproductive healthcare services, marks a new low for the ransomware group.
Transport for London (TfL) is currently dealing with a cybersecurity incident, though it assures the public that there is no evidence of customer data being compromised. The organization, responsible for most of London's public transport network, confirmed the breach late yesterday and stated that immediate measures were taken to secure its systems.
Shashi Verma, TfL's Chief Technology Officer, noted that while the full assessment is ongoing, there has been no disruption to services, and no customer data appears to have been accessed. The organization's proactive measures to secure its systems, along with its collaboration with the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC), should instill a sense of security in the public.
Reports indicate that backroom systems at TfL's headquarters have been affected, leading to some staff being asked to work remotely. This situation highlights the potential risks to critical infrastructure if such attacks were to disrupt public services.
Interestingly, the sign-in page for Oyster and Contactless payments is currently offline for maintenance, a coincidence that might raise eyebrows but is reportedly unrelated to the breach.
The FBI has issued a stark warning about an ongoing cyber threat from North Korean operatives. These state-sponsored hackers are reportedly planning complex and elaborate social engineering attacks against employees of decentralized finance (DeFi) companies in an attempt to steal cryptocurrency.
North Korea has a history of turning to cryptocurrency theft to bypass international sanctions, and these latest efforts appear more refined and difficult to detect than previous campaigns. The FBI cautions that even those with robust cybersecurity practices could fall victim to these tailored attacks.
The scammers' modus operandi involves posing as legitimate professionals on platforms like LinkedIn, using their knowledge of the crypto industry to engage with and eventually trick victims into downloading malware or executing harmful scripts.
The Bureau has provided a checklist of red flags, urging businesses to be vigilant and report suspicious activity. This wave of attacks is yet another reminder of the persistent and evolving threat landscape in digital finance, but the FBI's effort to warn businesses should leave them better informed and prepared.
In a significant bust, three men in the UK have pleaded guilty to running a multi-million dollar operation that helped cybercriminals bypass multi-factor authentication (MFA) to raid victims' bank accounts. The group, operating under the name OTP.agency, provided tools that allowed criminals to circumvent security measures at major banks, including HSBC and Lloyds.
Callum Picari, Vijayasidhurshan Vijayanathan, and Aza Siddeeque were behind the operation, which is estimated to have targeted over 12,500 victims. They offered MFA bypass tools for as little as £30 per week, while a premium service for £380 per week included access to verification sites for Visa and Mastercard.
The trio faces significant prison time, with sentences of up to 14 years. This case underscores cybercriminals' growing sophistication and the ongoing need for robust security measures.
In a landmark ruling, the Dutch Data Protection Authority (DPA) has fined Clearview AI €30.5 million ($33 million) for illegally collecting and processing images of individuals without their consent. The controversial facial recognition company has been under fire for scraping photos from the Internet and adding them to its vast database, which is used by law enforcement agencies worldwide.
The DPA criticized Clearview's practices as a gross violation of privacy, particularly given that most people are unaware their images are being collected and used in this way. Despite Clearview's protests that it does not operate in the EU, the DPA has clarified that the company's activities are unlawful under GDPR.
This hefty fine adds to Clearview's growing legal troubles in Europe. It raises serious questions about the future of its operations.
Another week, another WordPress vulnerability. Cybersecurity researchers have discovered a critical flaw in the LiteSpeed Cache plugin that could allow unauthorized users to take over accounts on affected sites. The vulnerability, identified as CVE-2024-44000, has a CVSS score of 7.5, indicating a high level of severity.
The flaw resides in a debug log file that, if left publicly accessible, could expose sensitive user information, including session cookies. While the debug feature is turned off by default, sites that have previously enabled it and not removed the debug log could be at risk.
Users are urged to update to the latest version, 6.5.0.1, which addresses the issue by moving the log file to a more secure location and making other enhancements to prevent unauthorized access.
Zyxel has released critical patches for a security flaw that could allow attackers to execute unauthorized commands on specific access points and security routers. The vulnerability, tracked as CVE-2024-7261, has a CVSS score of 9.8, making it a serious threat to affected devices.
The flaw arises from improper handling of special elements in the 'host' parameter, allowing attackers to inject OS commands via a crafted cookie. Zyxel has urged all users to apply the latest updates to protect against potential exploits.
This patch comes as Zyxel addresses several other vulnerabilities in its routers and firewalls, underscoring the importance of staying current with security updates to protect critical infrastructure.
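The Zyxel flaw is a textbook OS command injection: a request-controlled `host` value handed to a shell. The following is an added illustration (not Zyxel's code, and the `ping` diagnostic, the `validate_host` and `run_ping` names are assumptions) of the vulnerable pattern beside the hardened one: strict allow-list validation of the host value, and spawning the tool with an argument vector instead of a shell.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (illustrative, not Zyxel's code): the request-controlled
 * value is pasted into a shell command line, so shell metacharacters in it
 * become part of the command:
 *     snprintf(cmd, sizeof cmd, "ping -c 1 %s", host); system(cmd);
 * The fix has two parts: validate the value, and never go through a shell. */

/* Accept only hostnames/IPv4 literals in the RFC 1123 shape: labels of
 * letters, digits and '-', joined by '.', no label starting or ending with
 * '-', labels <= 63 chars, whole name <= 253 chars. Everything else,
 * including every shell metacharacter and a leading '-', is rejected. */
bool validate_host(const char *host) {
    size_t len = host ? strlen(host) : 0;
    if (len == 0 || len > 253) return false;
    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            if (label_len == 0 || host[i - 1] == '-') return false;
            label_len = 0;
        } else if (c == '-' ? label_len == 0 : !isalnum(c)) {
            return false;
        } else if (++label_len > 63) {
            return false;
        }
    }
    return label_len > 0 && host[len - 1] != '-';
}

/* Run the diagnostic without a shell: argv goes straight to execvp, so the
 * host value is always one argument and never re-parsed. Returns the child's
 * exit status, or -1 on validation failure or spawn error. */
int run_ping(const char *host) {
    if (!validate_host(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"ping", "-c", "1", (char *)host, NULL};
        execvp(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Rejecting a leading '-' also stops the value from being read as an option by the spawned tool, which the argument-vector approach alone does not prevent.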
RansomHub, a notorious ransomware-as-a-service (RaaS) group, has wreaked havoc across multiple sectors, targeting over 210 victims since its emergence earlier this year. The group, a descendant of the Cyclops and Knight ransomware variants, has rapidly gained notoriety for its aggressive tactics and high-profile affiliates.
RansomHub's attacks have affected industries ranging from healthcare to transportation. They employ a double extortion model in which data is both encrypted and exfiltrated, with threats of public release unless ransom demands are met.
The US government has highlighted the group's use of known security vulnerabilities to gain initial access, followed by sophisticated techniques to maintain persistence and escalate privileges within compromised networks.
Organizations are urged to patch known vulnerabilities and strengthen their defenses against this increasingly dangerous threat.
In a creative twist on cyber espionage, researchers have uncovered a malware campaign using Google Sheets as a command-and-control (C2) mechanism. The campaign began in August 2024 and targeted over 70 organizations across various sectors by masquerading as communications from tax authorities in multiple countries.
The attackers employ a bespoke tool called Voldemort to gather information and deliver additional payloads. Using Google Sheets for C2 is particularly concerning as it provides a stealthy and effective way to manage the malware without raising red flags.
While the identity of the threat actors remains unknown, the campaign's sophistication suggests a high level of expertise, raising concerns about the potential for similar tactics to be employed in future attacks.
That wraps up this week's cybersecurity updates. Stay vigilant, and remember—at Hedgehog Security, we're here to keep the pricks on the outside.