SAN MATEO, CA, February 6, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- TruthFinder and Instant Checkmate background check platforms suffer 20 million customer data breach
- Cisco issues update to patch backdoor persistence bug
- Jira releases patch for critical authentication vulnerability
- New Nevada ransomware outfit growing quickly, seeking cybercriminals
- Google Fi customer data compromise likely due to T-Mobile breach
- TrickGate shellcode-based packer has remained hidden for over 6 years
- Killnet takes down websites of 14 US hospitals
- Scam reward apps on Google Play store downloaded 20 million times
- Vulnerabilities found in the code of OpenEMR healthcare software
TruthFinder and Instant Checkmate background check platforms suffer 20 million customer data breach
A 2019 backup database holding information related to 20 million PeopleConnect customers has been leaked, according to the company. PeopleConnect owns TruthFinder and Instant Checkmate, subscription-based platforms that let users run background checks on people. The info was posted on Breached, a hacker forum, and it was allegedly stolen from an exposed database. In a statement, PeopleConnect said that the stolen data includes names, email addresses, phone numbers and encrypted passwords.
Cisco issues update to patch backdoor persistence bug
A high-severity, low-complexity vulnerability within Cisco’s IOx application hosting environment has been patched with an update from the developer this week. According to Cisco, “An attacker could exploit this vulnerability by deploying and activating an application in the Cisco IOx application hosting environment with a crafted activation payload file.” Malicious code injected using this flaw can persist on a targeted system between reboots and across firmware updates. The bug can only be exploited by an attacker who already has authenticated administrative access to a victim’s system. However, further security flaws could be used to escalate privileges to the level needed to stage an attack. There has been no evidence of this exploit being utilized in the wild.
Jira releases patch for critical authentication vulnerability
Atlassian has issued an update for Jira Service Management Server and Data Center to patch a flaw that allows a hacker to achieve unauthorized access by impersonating another user. The flaw, CVE-2023-22501, has been described as having “low attack complexity,” making it easy for hackers to exploit under the right circumstances. Vulnerable Atlassian products have recently become a tempting attack vector for threat actors, meaning that users of their platforms should update all software immediately upon patch releases.
New Nevada ransomware outfit growing quickly, seeking cybercriminals
Researchers have observed that a new ransomware variant called Nevada has been advancing rapidly, increasing its capabilities and targeting Windows and VMware ESXi systems. In December of last year, Nevada was being promoted on RAMP hacker forums, seeking Chinese- and Russian-speaking members and offering an 85% share of any paid ransoms. Nevada even offered to raise that to 90% for hackers who generated a high victim count. Nevada’s current features include a Rust-based locker, a chat portal used to negotiate with victims and Tor network domains for both affiliates and victims. Researchers are closely monitoring its aggressive growth.
Google Fi customer data compromise likely due to T-Mobile breach
Google Fi customers have received a notice informing them that a “limited amount” of customer information had recently been involved in a data breach. Since Google Fi uses T-Mobile for network connectivity, most experts are confident that the incident is related to the mobile carrier’s recently disclosed hack. It is not currently clear how many Google Fi customers may have been impacted by the breach. Google’s messaging indicates that no payment data, PIN numbers or text/voice message content had been stolen.
TrickGate shellcode-based packer has remained hidden for over 6 years
Researchers have uncovered TrickGate, a shellcode-based packer that has remained undetected for more than six years as threat actors have used it to launch malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze and REvil. TrickGate has evaded detection because it is continually updated and “undergoes changes periodically.” TrickGate has been in circulation since at least late 2016 and has been mostly used in attacks against organizations within the manufacturing sector.
Killnet takes down websites of 14 US hospitals
The Russian hacker group Killnet is claiming credit for a wave of DDoS attacks that targeted 14 US hospitals Monday morning. As per usual, Killnet’s activity was less destructive than “annoying,” as described by security researchers, and at least half of the affected websites were back to normal operation by the afternoon. Hospitals located in the Netherlands were also reportedly attacked by Russian threat actors the same morning. Killnet targets organizations within countries that have been critical of Moscow’s ongoing war with Ukraine.
Scam reward apps on Google Play store downloaded 20 million times
According to Dr. Web, a slew of reward apps appearing on the Google Play store are actually adware that forces users to view dozens of apps to claim rewards that never materialize. The apps masquerade as fitness trackers that encourage users to take steps or otherwise remain active to earn points that can be claimed for rewards such as gift cards. Once downloaded, however, the apps become intrusive and subject users to a seemingly endless barrage of ads with little to no actual incentive being given. Dr. Web has reported that the apps in question have been downloaded on more than 20 million devices.
Vulnerabilities found in the code of OpenEMR healthcare software
Researchers at Sonar have discovered three vulnerabilities within OpenEMR, an electronic health records and medical practice management software package. According to Sonar researchers, “a combination of these vulnerabilities allows remote attackers to execute arbitrary system commands on any OpenEMR server and to steal sensitive patient data.” The flaws were reported to OpenEMR administrators in October of last year and a patch was released to fix them. Users are encouraged to update immediately.