SAN MATEO, CA, August 12, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Sponsored by NetworkTigers.
Kimsuky APT targets universities with phishing attacks
As part of its ongoing global espionage operations, North Korea’s Kimsuky APT group has been actively targeting “university staff, researchers and professors, aiming to access and exfiltrate valuable research and intelligence.” Once they achieved access, Kimsuky stole information “critical for North Korea, particularly given the country’s limited scientific community.” The group uses phishing pages that spoof university login portals to nab login credentials, most often from schools based in South Korea, the UK, and the US. “The operation also highlighted Kimsuky’s use of a custom tool called ‘SendMail,’ which was deployed to send phishing emails using compromised email accounts. These emails were carefully crafted to deceive recipients into providing their login information, furthering Kimsuky’s espionage efforts.” Read more.
CrowdStrike makes changes to avoid future outages
In response to an update bug that created an outage affecting industries worldwide, CrowdStrike is giving customers more control over how updates are applied to their systems. Other changes the company is making in its processes include “new content configuration system test procedures, additional deployment layers, and acceptance checks for its content configuration system, and new validation checks for its updates.” Additionally, CrowdStrike has asked a pair of third-party security vendors to review the code for its Falcon sensor technology, quality control, and release processes. “We are using the lessons learned from this incident to better serve our customers,” CrowdStrike CEO George Kurtz said. “To this end, we have already taken decisive steps to help prevent this situation from repeating and to help ensure that we — and you — become even more resilient.” The company has become the target of class-action lawsuits after the paralysis its faulty rollout caused and is likely to have to defend itself against more in the near future. Read more.
Google Drawings and WhatsApp in new phishing scheme
Researchers at Menlo Security have uncovered a new phishing scam that leverages Google Drawings and WhatsApp’s shortened links to fool victims into clicking malicious links that steal their sensitive information. The attack begins with a phony email directing users to a graphic that looks like an Amazon verification link but is actually hosted on Google Drawings. The page they end up on after clicking spoofs an Amazon page but is used by the attackers to harvest credentials and credit card details. The phishing campaign exploits trusted platforms to bypass security filters, making it difficult for users and security systems to detect the threat. Something else that makes Google Drawings appealing at the beginning of the attack, according to researchers, “is that it allows users (in this case, the attacker) to include links in their graphics. Such links may easily go unnoticed by users, particularly if they feel a sense of urgency around a potential threat to their Amazon account.” Read more.
Security giant ADT confirms breach of customer data
After threat actors posted ADT’s stolen customer data on a hacking forum on July 31, ADT confirmed that it suffered a data breach. The company’s official filing reads, “ADT Inc. recently experienced a cybersecurity incident during which unauthorized actors illegally accessed certain databases containing ADT customer order information.” It goes on to say that the attackers “obtained some limited customer information, including email addresses, phone numbers, and postal addresses.” The company states that no customer home security systems have been compromised, nor has banking information or credit card data been exposed. Details regarding the attack have not yet been made public. The threat actor who posted the data claimed it includes 30,800 customer records. Read more.
Treat ransomware like terrorism
In a proposal sponsored by committee chairman Mark Warner, the Senate Intelligence Committee suggests treating ransomware attacks as if they were terrorist actions by calling out the groups by name, labeling them as “hostile foreign cyber actors,” and designating countries that harbor hackers as “state sponsors of ransomware” that could be sanctioned. If passed, the proposal would give the US greater legal means to pursue ransomware actors by “elevating ransomware to the level of a national intelligence priority.” Critics are skeptical of the effectiveness of piling more sanctions on state entities that are already swimming in them, saying that they will likely not be deterred by them and will “do little to change the behavior of ransomware groups with nebulous relationships to the states in which they operate.” Proponents of the measure feel that it would send a clear message to ransomware attackers that the full might of the US intelligence community will be zeroing in on them. Read more.
Cencora latest healthcare sector giant to report major breach
Pharma giant Cencora has reached out to more than a million people around the US to tell them that their personal health information was compromised in a February breach. “Cencora, known as AmerisourceBergen until 2023, says in its data breach notice that the compromised data includes patient names, their postal address and date of birth, as well as information about their health diagnoses, medications and prescriptions.” It has yet to be revealed whether the breach was due to a lapse in security or a malicious attack, nor has the exact number of affected people been reported. Cencora serves at least 18 million patients and has stated that it is impossible to alert them all because some addresses are outdated. Cencora has stated that the breach is not in any way connected to the ransomware attack carried out against Change Healthcare. Read more.
Thousands of Ubiquiti devices vulnerable to 5-year-old bug
Researchers warn that around 20,000 small office/home office (SOHO) devices sold by Ubiquiti Inc. are vulnerable to a five-year-old bug that can be exploited to launch denial-of-service attacks. Ubiquiti has acknowledged and patched the flaw, but the number of devices still vulnerable is staggering. Although the original exploitation method abused the Ubiquiti discovery protocol, a newer method achieves the same results. Researchers at Check Point note that the flaw makes it “easy” to attack an entity because they “discovered that communicating with neither the CloudKey+ nor its connected devices required any sort of authentication,” and the messages they received in response included specific information about the device as well as its owner’s name and location. One researcher said, “[I could] find their contact details, and call them up saying: ‘Hey, I’m calling from your Internet provider. I need to do some maintenance work. Provide me with access to the admin panel.’” Read more.
New SharpRhino malware has IT workers in the crosshairs
The Hunters International ransomware group is using a new C# remote access trojan called SharpRhino to breach corporate networks via IT workers, according to findings from Quorum Cyber. The group uses a typosquatting site to impersonate Angry IP Scanner, a networking tool popular among IT professionals. This tactic of creating websites impersonating open-source network scanning tools leads researchers to believe that Hunters International is targeting IT workers in order to breach accounts with administrative or otherwise elevated privileges. Hunters International launched in late 2023 and is believed to be a rebrand of Hive due to similarities in its code. The group has thus far announced 134 ransomware attacks worldwide. Read more.
China-linked threat actors compromise ISP
EvasivePanda, a China-linked cyber espionage group also known as Bronze Highland, Daggerfly, and StormBamboo, has been found to have compromised an unnamed internet service provider to push malicious software updates to target companies. According to a report on the subject from Volexity, the strategy signals a new level of sophistication for the group. “The variety of malware employed in various campaigns by this threat actor indicates significant effort is invested, with actively supported payloads for not only macOS and Windows, but also network appliances,” it reads. The hackers are said to be engaging in DNS poisoning attacks “to deploy malware via an HTTP automatic update mechanism and poison responses for legitimate hostnames that were used as second-stage, command-and-control (C2) servers,” researchers Ankur Saini, Paul Rascagneres, Steven Adair, and Thomas Lancaster said. Read more.
TikTok sued by US for violating children’s privacy laws
The US Justice Department and the Federal Trade Commission have alleged that TikTok is guilty of violating the Children’s Online Privacy Protection Act (COPPA). According to the complaint, TikTok “knowingly broke the law by allowing children under 13 to create regular TikTok accounts and create, view, and share videos and messages with adults and others on the platform.” The complaint also alleges that TikTok kept email addresses and personal information for users who created “Kids Mode” accounts that could be used to build profiles on children for advertising purposes. “TikTok knowingly and repeatedly violated kids’ privacy, threatening the safety of millions of children across the country,” said FTC chair Lina Khan. “The FTC will continue to use the full scope of its authorities to protect children online – especially as firms deploy increasingly sophisticated digital tools to surveil kids and profit from their data.” Read more.