SAN MATEO, CA, October 31, 2022 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- CISA develops Cybersecurity Performance Goals for critical infrastructure
- Google releases emergency update for zero-day Chrome vulnerability
- Bug in GitHub could have allowed hackers to spread malware via “repojacking”
- Ransomware attack on Australia’s Medibank potentially exposes all 3.9 million of its customers
- Vice Society cybercrime gang targeting US schools with a variety of ransomware
- FTC comes down on Drizly CEO for cybersecurity deficiencies that exposed customer data
- Malicious Google Play apps removed after 20 million downloads
- Typosquatting campaign unleashing Windows and Android malware
- Hackers using fake websites and browser extensions to make unauthorized 3Commas crypto trades
CISA develops Cybersecurity Performance Goals for critical infrastructure
In response to President Biden’s National Security Memorandum on Improving Cybersecurity for Critical Infrastructure, CISA has developed cross-sector Cybersecurity Performance Goals (CPGs) in an effort to create a universal set of security fundamentals for organizations in the sector. The CPGs, which are voluntary, are intended to reduce the likelihood of a cyberattack as well as the impact of one should it occur. They are not comprehensive, but they provide the instructions an organization needs to kickstart its cybersecurity efforts. Read more.
Google releases emergency update for zero-day Chrome vulnerability
Users of Google’s Chrome browser are being urged to update, as the company has released an emergency patch for a zero-day bug that has been actively exploited by hackers. The exploit is a type confusion bug within Chrome’s V8 JavaScript engine. For now, Google is remaining tight-lipped regarding other details of the vulnerability, stating that it wishes to keep them slightly under the radar until the majority of users have updated. Google has also not disclosed to what extent the flaw has been exploited in the wild, and has not indicated whether attacks have been widespread or minimal. Read more.
Bug in GitHub could have allowed hackers to spread malware via “repojacking”
A bug within GitHub could have been used by hackers to spread malware through retired URLs. When a GitHub user rebrands by changing their name, a new URL is generated, and traffic to the previous one is redirected to it. A flaw within GitHub allowed hackers to claim the old URL, fill it with malware and then break the redirect, thereby tricking people into downloading malicious software instead of what they were initially after, in a scheme referred to as “repojacking.” Although GitHub has fixed the bug, there is still the possibility that hackers could find new ways to exploit it. Read more.
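The defensive counterpart to the rename-and-redirect problem described above is to find references in your own dependency manifests that are only reachable through a rename redirect, and to re-point them at the canonical owner/name (and pin a full commit SHA, which fails closed if a claimed repository does not contain that commit). The following is an added example, not code from the roundup or from GitHub: it parses `github.com/owner/repo` references out of a constructed manifest and classifies each one through a pluggable resolver. The `FAKE_INDEX` table stands in for the redirect lookup a real check would do (following the HTTP `Location` header of a `HEAD` request, or the GitHub API); that substitution, the sample manifest and all owner/repo names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Matches github.com/owner/repo in URLs, go-style module paths and git@ remotes.
# An optional "@ref" or "#ref" suffix is captured so commit pins can be detected.
GITHUB_REF = re.compile(
    r"github\.com[/:](?P<owner>[\w.-]+)/(?P<repo>[\w.-]+?)(?:\.git)?"
    r"(?:[@#](?P<ref>[\w./-]+))?(?=[\s\"'),/]|$)"
)

# Constructed stand-in for a redirect lookup. A real resolver would issue a HEAD
# request and read the Location header, or call the GitHub API (assumption).
# Value is the canonical (owner, repo), or None when the name resolves to nothing.
FAKE_INDEX = {
    ("oldname", "tool"): ("newname", "tool"),  # owner renamed; old URL redirects
    ("acme", "lib"): ("acme", "lib"),          # canonical, no redirect
    ("gone", "pkg"): None,                     # retired name that nobody holds
}

Resolver = Callable[[str, str], Optional[Tuple[str, str]]]


def fake_resolver(owner: str, repo: str) -> Optional[Tuple[str, str]]:
    # GitHub names are case-insensitive, so normalise before the lookup.
    return FAKE_INDEX.get((owner.lower(), repo.lower()))


@dataclass
class Finding:
    ref: str                  # the reference as it appeared in the manifest
    owner: str
    repo: str
    status: str               # "ok" | "redirected" | "missing"
    canonical: Optional[str]  # owner/repo the reference actually resolves to
    pinned: bool              # True when the ref is a full 40-hex commit SHA
    advice: str


def audit(manifest: str, resolver: Resolver = fake_resolver) -> list:
    """Classify every GitHub reference found in the manifest text."""
    findings = []
    for m in GITHUB_REF.finditer(manifest):
        owner, repo, ref = m.group("owner"), m.group("repo"), m.group("ref")
        pinned = bool(ref and re.fullmatch(r"[0-9a-f]{40}", ref))
        target = resolver(owner, repo)
        if target is None:
            status, canonical = "missing", None
            advice = "resolves to nothing; a retired name is claimable, remove or replace it"
        elif tuple(x.lower() for x in target) == (owner.lower(), repo.lower()):
            status, canonical, advice = "ok", f"{owner}/{repo}", "no action"
        else:
            status, canonical = "redirected", "/".join(target)
            advice = f"update reference to {canonical}"
            if not pinned:
                advice += " and pin a full commit SHA"
        findings.append(Finding(m.group(0), owner, repo, status, canonical, pinned, advice))
    return findings


# Constructed manifest mixing several reference styles (not from any real project).
MANIFEST = """\
git+https://github.com/oldname/tool.git@v1.2.0
https://github.com/acme/lib/archive/refs/tags/v2.0.0.tar.gz
github.com/gone/pkg@0123456789abcdef0123456789abcdef01234567
git@github.com:acme/lib.git
"""

if __name__ == "__main__":
    for f in audit(MANIFEST):
        print(f"{f.status:10} {f.owner}/{f.repo:<12} pinned={f.pinned!s:5} {f.advice}")
```

Run against a real manifest, swap `fake_resolver` for one that follows redirects; anything reported as `redirected` is a reference that only works because of the rename redirect the article describes, and `missing` entries are names that nobody currently holds.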
Ransomware attack on Australia’s Medibank potentially exposes all 3.9 million of its customers
Medibank, Australia’s largest health insurance organization, has revealed that a ransomware attack in which a hacker stole a purported 200GB of data has possibly affected every single one of its 3.9 million customers. It is believed that the company was breached after someone stole credentials belonging to a high-ranking employee and then sold them on a Russian cybercriminal forum. The buyer is then thought to have installed a pair of backdoors within the company’s system, through which they exfiltrated customer data including Medicare numbers, medical procedures, names, addresses, phone numbers and more. Medibank is reportedly in contact with the hacker but has not stated whether or not it intends to negotiate with them. The attack is the latest in a recent series of high-impact hacks that have prompted the Australian federal government to increase the fines for maintaining poor cybersecurity, which the affected companies are being accused of. Read more.
Vice Society cybercrime gang targeting US schools with a variety of ransomware
A report from Microsoft Security Threat Intelligence states that Vice Society, a Russian-speaking ransomware gang, has been targeting US schools with ransomware variants that include BlackCat, Zeppelin and LockBit. Vice Society is known for prolifically attacking educational and healthcare organizations around the world, sometimes skipping the ransomware injection and moving directly to extortion, other times performing a double extortion attack and, in some cases, moving on without having made any money at all. According to Microsoft, the gang’s use of a Vice Society-branded version of Zeppelin implies that, despite their odd track record, they have “active ties in the cybercriminal economy.” Read more.
FTC comes down on Drizly CEO for cybersecurity deficiencies that exposed customer data
Online alcohol retailer Drizly and its CEO James Cory are on the receiving end of action by the Federal Trade Commission over failing to address security issues that resulted in 2.5 million customers having their data exposed. Hackers were able to use Drizly’s servers to mine cryptocurrency in 2018 after an employee posted login credentials online. The company claimed to have kept up with security since, but the theft of customer data two years later implied otherwise. The FTC is alleging that Drizly did not adhere to cybersecurity basics, all while publicly stating that it had been. Read more.
Malicious Google Play apps removed after 20 million downloads
Security researchers at McAfee have identified 16 apps on the Google Play store that harbor “clicker” malware designed to visit and browse websites in the background without the user’s knowledge. This technique profits the criminal responsible by creating fake ad clicks. The activity can also cause performance issues for the infected device. Clicker malware is hidden in reputable-looking apps that act as flashlights, calendars, cameras and more. The apps removed from Google Play are estimated to have been downloaded around 20 million times. Read more.
Typosquatting campaign unleashing Windows and Android malware
Researchers have discovered a massive typosquatting network designed to infect victims with Windows or Android malware using website domains that are nearly identical to those of reputable companies, differing by only a letter or two. While many of the sites impersonate only stores like Google Play or financial sites like PayPal, some also mimic crypto platforms and seek to steal currency from visitors. Users are urged not to click ads or follow links to get to the sites they intend to visit, as advertisements are often purchased by scammers who intend to direct people to fake websites. Read more.
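Defenders watch for the kind of domain the article describes by comparing newly observed domains against a list of brand names and flagging any whose label is within an edit or two of a brand. The example below is added here and is not the researchers’ tooling or any particular vendor’s: it computes Levenshtein distance between each non-TLD label of a candidate domain and a watched brand label, and goes slightly beyond the letter-or-two case by also normalising common digit-for-letter confusables (so `paypa1` is caught as a zero-distance match) and by flagging domains that embed a brand inside a longer label. The brand list, the allowlist, the confusables map and the candidate domains are all constructed for illustration; the TLD handling is a single-label heuristic, not a public-suffix list.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed watch list: brand labels to protect and the domains that are
# legitimately allowed to carry them (assumption; a real deployment would load both).
BRANDS = ["paypal", "google", "medibank"]
ALLOWLIST = {"paypal.com", "google.com", "play.google.com", "medibank.com.au"}

# Constructed subset of look-alike substitutions seen in typosquats.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"}


def normalize(label: str) -> str:
    """Map common confusable characters back to the letters they imitate."""
    label = label.replace("rn", "m").replace("vv", "w")
    return "".join(CONFUSABLES.get(c, c) for c in label)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    domain: str
    brand: str
    distance: int   # smallest edit distance found (after confusable normalisation)
    reason: str


def analyze(domain: str, max_distance: int = 2) -> Optional[Finding]:
    """Return a Finding when the domain looks like a typosquat of a watched brand."""
    d = domain.lower().strip(".")
    if d in ALLOWLIST:
        return None
    labels = d.split(".")[:-1]  # drop the TLD; crude single-label suffix assumption
    best: Optional[Finding] = None
    for label in labels:
        for brand in BRANDS:
            raw = levenshtein(label, brand)
            norm = levenshtein(normalize(label), brand)
            dist = min(raw, norm)
            if raw == 0:
                reason = "brand label on an unlisted domain"
            elif norm == 0:
                reason = "confusable characters"
            elif dist <= max_distance:
                reason = "near miss"
            elif brand in label:
                reason = "brand embedded in longer label"
            else:
                continue
            if best is None or dist < best.distance:
                best = Finding(d, brand, dist, reason)
    return best


def scan(domains: Iterable[str]) -> List[Finding]:
    """Run analyze() over a feed of domains and keep only the suspicious ones."""
    return [f for f in (analyze(x) for x in domains) if f is not None]


# Constructed sample feed, e.g. what a newly-registered-domain or passive-DNS
# source might hand you; none of these are real observations.
SAMPLE_FEED = [
    "paypal.com", "www.paypa1.com", "paypl.com", "paypal.co",
    "paypal-secure-login.com", "gooogle.com", "example.com", "medibanc.com.au",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_FEED):
        print(f"{f.domain:28} ~ {f.brand:9} d={f.distance} {f.reason}")
```

A watch list of real brands needs a much longer allowlist and a proper public-suffix split, and a threshold of 2 will produce noise on short brand names; in practice the output feeds a blocklist or an analyst queue rather than an automatic block.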
Hackers using fake websites and browser extensions to make unauthorized 3Commas crypto trades
Automated crypto trader 3Commas has warned users that hackers have been using fraudulent websites to phish for API keys, which they then use to make unauthorized trades. 3Commas also suspects that third-party browser extensions and malware were employed to gain account access. The platform has assured users that no breach of its system has taken place and that the activity is occurring outside of the 3Commas infrastructure. Read more.