July 8, 2024

Cybersecurity news weekly roundup July 8, 2024

SAN MATEO, CA, July 8, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

Volcano Demon attackers use threatening phone calls

A new ransomware group, Volcano Demon, has put its own spin on cyberattacks, targeting high-ranking officials in compromised organizations with threatening phone calls. The ransomware variant, called LukaLocker, “is an x64 PE binary written and compiled using C++,” reads a report from security vendor Halcyon. “LukaLocker ransomware employs API obfuscation and dynamic API resolution to conceal its malicious functionalities — evading detection, analysis, and reverse engineering.” The attackers leave a ransom note that threatens to sell sensitive data to hackers and scammers that will target the victim company’s clients and employees. Phone calls from unidentified caller ID numbers follow, directly contacting the “leadership and IT executives” of the company under attack. While phone calls seem more threatening, using calls (vs. an obscured IP address) may make tracking the attackers easier.

Ethereum mailing list breach exposes users to draining attack

A threat actor hijacked Ethereum’s mailing list provider and used their access to deliver a phishing email to more than 35,000 addresses. The email contained a link that directed victims to a malicious website “with an announcement of a collaboration with Lido DAO and invited them to take advantage of a 6.8% annual percentage yield (APY) on staked Ethereum.” However, clicking the site’s button took people to a website that appeared legitimate but engaged a crypto drainer as soon as anyone connected their wallet to it. Ethereum has reported that its security team quickly blocked the attacker and warned the community. Thankfully, none of the recipients of the emails fell for the trap.

1+ billion records already stolen in 2024 data breaches

2024 may be only half over, but it’s already been full of the most severe data breaches in history, leading to the theft of over 1 billion records. The largest exposures of the year include a mysterious leak from AT&T that saw 73 million customer records posted to an online cybercrime forum, a ransomware attack against Change Healthcare that saw criminals make off with sensitive data belonging to a “substantial proportion” of the US population, and the theft of 560 million records from Ticketmaster. As the year continues, the staggering number of exposed or stolen records is expected to surge even further, especially with basic oversights such as failure to set up multi-factor authentication.

2024 ransomware demands increase significantly

While some metrics show a decline in the number of ransomware attacks carried out, Comparitech has released a new analysis that shows that the dollar amount that criminals are demanding has surged to an average of $5.2 million in the first quarter of 2024. The highest demand during this time was $100 million following an attack on India’s Regional Cancer Center in April. Comparitech’s report also indicates that LockBit remains the most prolific ransomware operator, carrying out 48 confirmed attacks despite a law enforcement operation that took out the gang’s infrastructure. Four hundred twenty-one confirmed ransomware attacks took place in the first quarter of 2024, a decline compared to the 704 during the same period in 2023.

2.5 million affected by Prudential Financial breach

A February data breach of Prudential Financial has compromised the personal data of many customers, according to an updated filing with the Maine Attorney General’s Office. “Through the investigation, we learned that the unauthorized third party gained access to our network on February 4, 2024, and removed a small percentage of personal information from our systems,” Prudential said. The company’s initial filing reported that the attack affected more than 36,000 people. A revision, however, has revealed that the number of customers in danger is now over 2.5 million. Prudential Financial has not reported any information about who was behind the attack, but the ALPHV ransomware gang took credit for the incident on February 13. Prudential is the second-largest life insurance company in the United States.

Chinese APT exploits zero-day flaw in Cisco switches

CVE-2024-20399 is a bug that affected Cisco’s network management platform. It “can allow authenticated attackers to execute arbitrary command as root on the underlying operating system of an affected device.” A Chinese threat actor group called Velvet Ant has pounced on this zero-day flaw, unleashing a “previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices,” according to researchers at Sygnia. Cisco has released a patch for the flaw, and all users of MDS 9000 Series Multilayer Switches, Nexus 3000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, and Nexus 9000 Series Switches in standalone NX-OS mode are urged to update immediately.

Man charged for scamming flight passengers via fake wifi

The Australian Federal Police (AFP) have charged a 42-year-old Australian national with “running a fake wifi access point during a domestic flight.” In a press release, the AFP said the man allegedly “established fake free wifi access points, which mimicked legitimate networks, to capture personal data from unsuspecting victims who mistakenly connected to them.” The suspect was charged following a report from airline employees about a mysterious wifi network appearing during a domestic flight. The subsequent investigation saw the man’s baggage searched, revealing that he had a portable wireless access point, a laptop, and a mobile phone. Users who connected to his phony service were prompted to enter their email or social media login credentials. “The email and password details harvested could be used to access more personal information, including a victim’s online communications, stored images and videos, or bank details,” the AFP said.
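The pattern the AFP describes, a rogue access point broadcasting a name that mimics a legitimate network, is something a network operator or a client-side monitoring tool can spot from ordinary scan results: the same (or a lookalike) SSID appearing from a radio that is not on the operator's list. The script below is an added example written for this roundup, not code from the AFP or from the article; the allow-list in KNOWN_APS, the SSID and BSSID values, and the scan records are all constructed for illustration.

```python
"""Flag access points that mimic a known network's SSID but broadcast from an
unregistered BSSID (the 'evil twin' pattern). All records here are constructed
sample data; in a real deployment they would come from the platform's Wi-Fi
scan API or a wireless IDS feed."""

from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ApRecord:
    ssid: str
    bssid: str          # MAC address of the radio advertising the network
    open_network: bool  # True when no encryption is advertised


# Hypothetical allow-list: SSIDs the operator controls and the BSSIDs it uses.
KNOWN_APS = {
    "AirlineWiFi": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
}

# Constructed scan results: one genuine AP, two impostors, one unrelated network.
SAMPLE_SCAN = [
    ApRecord("AirlineWiFi", "00:11:22:33:44:55", False),
    ApRecord("AirlineWiFi", "de:ad:be:ef:00:01", True),        # same name, unknown radio
    ApRecord("Airline-WiFi Free", "de:ad:be:ef:00:02", True),  # lookalike name
    ApRecord("CoffeeShop", "aa:bb:cc:dd:ee:ff", True),
]


def normalize_ssid(ssid: str) -> str:
    """Collapse case, whitespace and punctuation so 'Airline-WiFi Free'
    still matches 'AirlineWiFi' when compared by containment."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def find_rogue_aps(scan, known=KNOWN_APS):
    """Return (ssid, bssid, reason) for every AP that borrows a known
    network's name without being one of that network's registered radios."""
    findings = []
    for ap in scan:
        ap_key = normalize_ssid(ap.ssid)
        for legit_ssid, legit_bssids in known.items():
            if normalize_ssid(legit_ssid) not in ap_key:
                continue  # unrelated network name
            if ap.bssid.lower() in {b.lower() for b in legit_bssids}:
                continue  # one of the operator's own radios
            if ap.ssid == legit_ssid:
                reason = "known SSID from an unregistered BSSID"
            else:
                reason = f"lookalike of {legit_ssid!r}"
            if ap.open_network:
                reason += "; open network"
            findings.append((ap.ssid, ap.bssid, reason))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reason in find_rogue_aps(SAMPLE_SCAN):
        print(f"ROGUE AP  {ssid!r:22} {bssid}  {reason}")
```

Against the constructed scan this reports the two impostor radios and ignores both the operator's own AP and the unrelated CoffeeShop network. The containment match in normalize_ssid is deliberately loose; in a production wireless IDS you would tune it to the naming conventions of your own SSIDs to keep false positives down.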

Mobile political spam triples for the 2024 election season

Research from Proofpoint has highlighted a trend many smartphone users have noticed: political spam volumes have surged to three times what people experienced in 2022. With most US adults turning to digital media for news and with 97% of the country’s voting population having access to mobile messaging, bad actors are digging in and preying on people through smishing attacks tailored to current events. A 240% jump in unwanted political messaging was seen in the 48 hours following former President Donald Trump’s guilty verdict. People are urged not to open messages sent to them from unknown sources and to never click any links within them.

Android users targeted via malicious apps

Transparent Tribe, a threat actor believed to be in Pakistan, has been offering malware-containing Android apps as part of a social engineering campaign. According to SentinelOne, the group’s current campaign, dubbed “CapraTube,” continues “the group’s trend of embedding spyware into curated video browsing applications, with a new expansion targeting mobile gamers, weapons enthusiasts, and TikTok fans.” The CapraRat malware “uses WebView to launch a URL to either YouTube or a mobile gaming site named CrazyGames[.]com, while, in the background, it abuses its permissions to access locations, SMS messages, contacts, and call logs; make phone calls; take screenshots; or record audio and video.”
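The tell in SentinelOne's description is the mismatch between what the app claims to be (a video browser) and what it asks for (location, SMS, contacts, call logs, phone, microphone, camera). That mismatch is visible before the app ever runs, in the AndroidManifest.xml permission declarations, and is a cheap triage check for anyone vetting sideloaded APKs. The script below is an added example for this roundup, not code from SentinelOne or from the CapraTube report; the manifest, the package name and the "baseline" of permissions a video app plausibly needs are constructed assumptions, while the android.permission.* names are the real Android permission identifiers.

```python
"""Triage an Android manifest by comparing the permissions it requests against
a baseline for what the app claims to be. The manifest below is constructed to
resemble a 'video browsing' app that over-requests; it is not a real sample."""

import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped to the capability each one grants.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.CALL_PHONE": "placing phone calls",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.CAMERA": "camera",
}

# Assumed baseline: what a plain video-browsing app needs to do its job.
VIDEO_APP_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Constructed manifest for a hypothetical app 'com.example.videotube'.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.videotube">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="VideoTube"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Collect every android:name declared on a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def audit_permissions(manifest_xml: str, baseline=VIDEO_APP_BASELINE) -> dict:
    """Return {permission: capability} for sensitive permissions the app
    requests beyond what its stated purpose would justify."""
    excess = requested_permissions(manifest_xml) - baseline
    return {p: SENSITIVE[p] for p in sorted(excess) if p in SENSITIVE}


def exposed_capabilities(manifest_xml: str, baseline=VIDEO_APP_BASELINE) -> list:
    """Deduplicated, sorted list of data sources the excess permissions reach."""
    return sorted(set(audit_permissions(manifest_xml, baseline).values()))


if __name__ == "__main__":
    for perm, capability in audit_permissions(SAMPLE_MANIFEST).items():
        print(f"UNJUSTIFIED  {perm:45} -> {capability}")
    print("exposed:", ", ".join(exposed_capabilities(SAMPLE_MANIFEST)))
```

Run against the constructed manifest, the audit flags six permissions that a video browser has no business holding and summarises them as the same data sources the report lists. Manifest permissions are an upper bound on what the app can do, not proof of abuse, so this check is a prioritisation step that tells you which APKs deserve dynamic analysis first.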

Google blocks Chinese influence group 10,000+ times

A China-affiliated influence group called Dragon Bridge has had its activities blocked more than 10,000 times by Google in the first quarter of 2024. Described as the most prolific influence operator that Google tracks, Dragon Bridge’s primary activity consists of “low quality content without a political message, however, a small fraction of Dragon Bridge accounts post about current events, including elections in Taiwan and the Israel-Hamas war.” Google observed that Dragon Bridge created phony news content that included AI-generated hosts. However, the use of these avatars was not seen to result in higher engagement compared to those that did not use AI.

Ben Walker

Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.