Friday, July 08, 2022 // (IG): BB // Weekly Sponsor: Zanes Hand Made
Carolina Behavioral Health Alliance, LLC Confirms Data Breach Following Ransomware Attack
ANALYST NOTES: State-sponsored actors (prob. DPRK) are deploying the unique malware. It is unknown if MAUI ransomware was used for the CBHA compromise. Coverage of the CBHA network includes the Fort Bragg area. Potentially, members seeking treatment could have their mental health "metadata" paired with OPM (or like) information. It is unclear at this time if digitally created patient notes are affected.
Historically, DPRK actors focus highly on revenue generation (REVGEN), but this could be a more focused effort on collecting psychological profiles of possible DoD members or affiliates. Data which “could have” been leaked as per CBHA’s notice: First/Last name, address, date of birth, date(s) of service, level of care, provider name(s), health plan identification information, and/or Social Security number. Pre-developed behavioral profiles could be useful in potential recruiting or influence on the member.
FROM THE MEDIA: Recently, Carolina Behavioral Health Alliance, LLC confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data contained on the company’s computer network. According to the CBHA, the breach resulted in the names, dates of birth, level of care, provider names, addresses, health plan identification numbers, genders, and Social Security numbers of certain plan members being compromised. On July 1, 2022, CBHA filed an official notice of the breach and sent out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Carolina Behavioral Health data breach, please see our recent piece on the topic here.
READ THE STORY: JDSUPRA // GOVCIO // Threatpost
U.S. Healthcare Orgs Targeted with Maui Ransomware
FROM THE MEDIA: Several federal agencies are warning healthcare organizations that they are under threat of attacks from North Korean state-sponsored actors employing a unique ransomware that targets files with surgical precision, according to U.S. federal authorities.
Threat actors from North Korea have been using Maui ransomware since at least May 2021 to target organizations in the healthcare and public health sector, according to a joint advisory issued Wednesday by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury (Treasury).
READ THE STORY: ThreatPost
China's Tonto Team APT Ramps Up Spy Operations Against Russia
FROM THE MEDIA: Nation-state hackers with links to the Chinese government seem to be targeting Russian entities at an increasing rate, an analysis published Thursday suggests. The ongoing activity appears primarily espionage-related as the Chinese government may be working to gain intelligence about Moscow’s actions in the Ukraine war, even while trying to strengthen its political alliance with Russia.
While China has targeted Russia in the past, and vice versa, the pace of attacks — especially by the purported threat actor, Tonto Team — has grown following the Russian invasion of Ukraine, says Tom Hegel, a senior threat researcher at SentinelOne.
READ THE STORY: CyberScoop // Dark Reading
Quantum ransomware attack affects 657 healthcare orgs
FROM THE MEDIA: Professional Finance Company Inc. (PFC), a full-service accounts receivables management company, says that a ransomware attack in late February led to a data breach affecting over 600 healthcare organizations. Founded in 1904, PFC helps thousands of healthcare, government, and utility organizations across the U.S. ensure that customers pay their invoices on time. The company started notifying the impacted healthcare providers' patients on May 5, saying that an ongoing investigation discovered that the attackers accessed files containing their personal information before encrypting some of PFC's systems.
READ THE STORY: Bleeping Computer
Free decryptor released for AstraLocker, Yashma ransomware victims
FROM THE MEDIA: New Zealand-based cybersecurity firm Emsisoft has released a free decryption tool to help AstraLocker and Yashma ransomware victims recover their files without paying a ransom. The free tool is available for download from Emsisoft's servers, and it allows you to recover encrypted files using easy-to-follow instructions available in this usage guide [PDF]. "Be sure to quarantine the malware from your system first, or it may repeatedly lock your system or encrypt files," Emsisoft warned.
READ THE STORY: Bleeping Computer
Abortion Rights Hacktivists Strike States with Bans
FROM THE MEDIA: An abortion rights hacktivist group says it launched cyber attacks against Arkansas and Kentucky state governments and leaked files from their servers to protest their bans on abortion after the U.S. Supreme Court’s recent decision to overturn Roe v. Wade. The group, which calls itself SiegedSec, said it hacked the two states because it was angry about their bans.
“THE ATTACKS WILL CONTINUE!” the group posted on a Telegram channel. “Our main targets are any pro-life entities, including government servers of the states with anti-abortion laws.”
READ THE STORY: GOVTECH
PyPI Packages Steal Telegram Cache Files, Add Windows Remote Desktop Accounts
FROM THE MEDIA: This week Sonatype has discovered multiple malicious PyPI packages that either set up new Remote Desktop user accounts on your Windows computer or steal encrypted Telegram data files from your Telegram Desktop client. These packages were discovered by Sonatype’s automated malware detection system, offered as a part of Nexus platform products, including Nexus Firewall. On a further review, we deemed these packages malicious and reported them to PyPI.
READ THE STORY: Security Boulevard
TrickBot Gang Shifted its Focus on "Systematically" Targeting Ukraine
FROM THE MEDIA: In what's being described as an "unprecedented" twist, the operators of the TrickBot malware have resorted to systematically targeting Ukraine since the onset of the war in late February 2022. The group is believed to have orchestrated at least six phishing campaigns aimed at targets that align with Russian state interests, with the emails acting as lures for delivering malicious software such as IcedID, CobaltStrike, AnchorMail, and Meterpreter. Tracked under the names ITG23, Gold Blackburn, and Wizard Spider, the financially motivated cybercrime gang is known for its development of the TrickBot banking trojan and was subsumed into the now-discontinued Conti ransomware cartel earlier this year.
READ THE STORY: THN
'This is a terrible idea': Security experts bemoan Microsoft’s backtrack on blocking VBA macros
FROM THE MEDIA: Microsoft has quietly admitted it'll re-enable Visual Basic Application (VBA) macros on Office documents, backtracking on a widely-praised move earlier this year that sought to block their use by default. VBA macros in Microsoft Office documents have been abused by cyber criminals for years, mainly as a way to drop malware or ransomware onto enterprise networks, usually in conjunction with a phishing campaign.
READ THE STORY: ITpro
Facebook Accounts Stolen Through Phishing Schemes Using Messenger Chatbots
FROM THE MEDIA: Trustwave has reported a new scheme in which threat actors are using the popular Facebook Messenger platform to steal Facebook login credentials. According to the report, the threat actors are using a phishing email to Facebook users that employs Meta’s Messenger chatbot feature. The message states that the user’s page will be terminated because the user has violated Facebook’s community standards. The email appears to be coming from Facebook’s support team, alleges the user can appeal the termination within 48 hours, and urges the user to click on the “Appeal Now” link.
READ THE STORY: JDSUPRA
Over 1,200 NPM Packages Found Involved in "CuteBoi" Cryptomining Campaign
FROM THE MEDIA: Researchers have disclosed what they say could be an attempt to kick-off a new large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository. The malicious activity, attributed to a software supply chain threat actor dubbed CuteBoi, involves an array of 1,283 rogue modules that were published in an automated fashion from over 1,000 different user accounts. "This was done using automation which includes the ability to pass the NPM 2FA challenge," Israeli application security testing company Checkmarx said. "This cluster of packages seems to be a part of an attacker experimenting at this point."
READ THE STORY: THN
ALPHV’s ransomware makes it easy to search data from targets who do not pay
FROM THE MEDIA: ALPHV, also known as BlackCat, is a ransomware developed in the Rust programming language, which makes it easier to compile and customize for various different operating systems, therefore widening the range of possible targets for the threat actor. Rust is also a more secure programming language, with improved performance and reliability. The use of Rust is still quite uncommon when it comes to malware development. The group has targeted more than 60 organizations around the world, including those in the U.S., gaining traction since late 2021. It operates using a Ransomware-as-a-Service business model, which means the group provides malware code and infrastructure to affiliates who are then in charge of attacking targets. Many of the developers and money launderers for ALPHV are actually linked to Darkside and Blackmatter ransomware groups, according to the FBI.
READ THE STORY: TechRepublic
Latest Marriott breach shows a human error pattern
FROM THE MEDIA: The hotel chain said it identified the breach and was investigating the incident before the threat actor contacted the company in an extortion attempt. Marriott did not pay the threat actor, according to the company spokesperson. The unnamed threat actor claiming to be behind the attack supplied DataBreaches with documents containing personal information, including airline flight crews’ names, corporate credit card information, and room numbers at the BWI Airport Marriott property.
READ THE STORY: Cyber Security Dive
Amid Exodus, Threat Actor Advertises US Immigration Services on Russian-Language DDW Forum XSS
FROM THE MEDIA: A threat actor operating under the alias “Royal Bank” is advertising alleged immigration services to the US or Canada on Russian-language forum XSS, Flashpoint has identified. The post, pictured in Russian below, occurred on June 17. The service is also called “Royal Bank” and its motto is: “The best place under the sun is in the shade.” “The shade” is not located on the territory of the Russian Federation but instead in North Americas—in the US or Canada. The service allegedly costs $5,000.
READ THE STORY: Security Boulevard
Matanbuches Malware That Sells For $2500 on the Dark Web Re-Appeared via BelialDemon Hackers
FROM THE MEDIA: Matanbuches malware, which is distributed over the dark web via Malware-as-a-Service (MaaS), has now reappeared via a spear-phishing campaign with malicious attachments. The malware is attributed to the BelialDemon threat actor, who operates from a Russian-speaking cybercrime underground forum and marketplace, and is selling the malware for $2500 to infect different victims around the globe, including large universities and high schools, as well as tech organizations. The Matanbuches loader has recently been observed via spam campaigns with a malicious .HTML attachment embedded with base64 and written in JavaScript and HTML.
READ THE STORY: Cyber Security News
Indian tax authorities raid offices of Chinese smartphone maker Vivo
FROM THE MEDIA: India's Department of Revenue has acted against scams it alleges originate in China. The Department's Directorate of Enforcement on Wednesday raided 48 premises belonging to Vivo Mobiles, the Indian outpost of the smartphone vendor that, according to Counterpoint Research, holds 15 percent of India's smartphone market.
READ THE STORY: The Register
Arrested Russian hacker Pavel Sitnikov looks to start a new chapter
FROM THE MEDIA: In December 2020, The Record published an interview between Recorded Future’s Dmitry Smilyanets and Russian hacker Pavel Sitnikov about ransomware, cybercrime, and his self-proclaimed connection with the notorious hacking group APT28, or Fancy Bear. Since then, Sitnikov’s fortunes have changed: He was arrested last May by Russian authorities, who charged him with distributing malware via his Telegram channel called Freedomf0x. His home was raided, and he faced up to five years in prison for allegedly sharing the source code of the Anubis banking trojan on Freedomf0x.
READ THE STORY: The Record
Russia's Sberbank re-uses bank card chips to combat shortage
FROM THE MEDIA: Russia's top lender Sberbank (SBER.MM) on Thursday said it had started removing chips from un-activated bank cards to combat a shortage sparked by European suppliers halting deliveries, as sanctions rain down on Russia and its banking sector. Unprecedented Western sanctions over Moscow's actions in Ukraine and supply chain disruptions have severely impacted Russia's access to certain goods, with the import of advanced technology posing a particular challenge.
READ THE STORY: Reuters
DOE Helps Ukraine Set Up Electricity Exports to the EU
FROM THE MEDIA: Ukrainian president Volodymyr Zelenskyy said that despite being in a full-on war with Russia, Ukraine has kicked off electricity exports to the European Union via an interconnection with Romania. Exports have started with 100 megawatts, with the United States Department of Energy playing a major role in arranging the deal. As they increase in volume, power exports from Ukraine will diversify Europe’s energy supply in the midst of Russia’s aggression, support energy security throughout the region, strengthen their trade relations with Western allies, and provide a much-needed source of revenue to Ukraine’s embattled energy sector.
READ THE STORY: RIGZONE
Security teams struggle with ‘alert fatigue’ amid rising cyber threats: study
FROM THE MEDIA: Almost three-in-four (70 percent) organizations struggle to keep up with the volume of alerts generated by security analytics tools, according to the latest ESG study commissioned by Kaspersky. The report, titled ‘SOC Modernization and the Role of XDR’ also revealed that this challenge results in a lack of resources for important strategic tasks and leads organizations towards process automation and outsourcing.
READ THE STORY: ITP
Review of polygraph tests stokes privacy fears at cyber spy agency
FROM THE MEDIA: The watchdog body overseeing Canada's intelligence agencies is looking into whether polygraph tests — popularly known as lie detector tests — should be used to hire spies. Its investigation has some of Canada's cyber intelligence officials and agents worried that their most personal information could be viewed by strangers. The National Security and Intelligence Review Agency [NSIRA] is in the midst of reviewing internal security programs at the Communication Security Establishment [CSE], the foreign signals intelligence agency. Among other things, NSIRA is looking into whether the use of polygraph tests in CSE recruitment "is lawful, reasonable and necessary."
READ THE STORY: CBC
Cyber experts SANS Institute praise Apple's Lockdown Mode
FROM THE MEDIA: Apple has announced the launch of 'Lockdown Mode', which is designed to offer increased protection from mobile spyware, a common tool in a cybercriminal’s kit that may be used to steal valuable information from a victim. According to John Davis, Director UK & Ireland, SANS Institute, contrary to popular belief, "mobile malware less often relies on zero-day vulnerabilities, but more commonly leverages known, reported security loopholes, hoping to target unpatched systems or applications, to infiltrate and wreak havoc on mobile devices".
READ THE STORY: TECHMAG
The new wave of cyber security threats facing critical national infrastructure (CNI)
FROM THE MEDIA: In 2010, researchers discovered a powerful computer worm targeting critical national infrastructure (CNI). The worm – Stuxnet – was part of a huge cyber attack on an Iranian uranium enrichment plant, allegedly perpetrated by the US and Israel in a joint effort to derail the country’s nuclear program. As the Stuxnet assault demonstrated, attacks on CNI can have very physical consequences. Amid an increasingly unstable geopolitical climate, this has prompted warnings about the risk posed to CNI systems.
In April, US government agencies issued a joint statement, saying hackers are making custom tools targeting the industrial control systems (ICS) underpinning CNI to gain “full system access”. The agencies urged critical infrastructure organizations to shore up cyber security immediately to protect systems from attack.
In the UK, regulations including the Network and Infrastructure Security Regulations (NIS) and roadmaps such as the National Cyber Strategy 2022 aim to ensure CNI is as secure as possible from a cyber attack. It’s especially important as the risk grows from aggressive nation state powers such as Russia. Indeed, Ukraine says Russia has been targeting its CNI since the conflict began. How significant is the risk from hackers targeting CNI, and how can organizations boost their defenses to ward off cyber attacks?
READ THE STORY: ITpro
Items of interest
House Bill Seeks Report on SolarWinds Attack Impact
FROM THE MEDIA: Rep. Ritchie Torres, D-N.Y., introduced legislation on July 1 that would require the Cybersecurity and Infrastructure Security Agency (CISA) to investigate and report on the impact of the 2020 SolarWinds cyberattack on Federal agency networks and U.S. critical infrastructure.
The Building Cyber Resilience After SolarWinds Act would direct CISA to work in consultation on the report with the National Cyber Director and the heads of other relevant Federal departments.
The incident, first discovered in December 2020, involved Russian government-backed hackers exploiting vulnerabilities in software made by SolarWinds. The attack compromised nine Federal agencies, including the Department of Homeland Security (DHS), along with at least 100 private sector groups.
Soon after the SolarWinds attack, CISA reported that threats to government networks caused by the attack pose a “grave risk” to Federal government, state, tribal and territorial governments, critical infrastructure entities, and other private-sector organizations.
READ THE STORY: Meritalk
Healthcare Cyber Attack North Korea. Hospitals Under Cyber Attack from North Korea. HIPAA sucks. (Video)
FROM THE MEDIA: US govt warns of Maui ransomware attacks against healthcare orgs. The FBI, CISA, and the U.S. Treasury Department issued today a joint advisory warning of North-Korean-backed threat actors using Maui ransomware in attacks against Healthcare and Public Health (HPH) organizations. The FBI has responded to and detected multiple Maui ransomware attacks impacting HPH Sector orgs across the U.S.
Marriott & SHI Cyberattacks, Apple Lockdown Mode, North Korea & China (Video)
FROM THE MEDIA: Today's Headlines and the latest #cybernews from the desk of the #CISO:
Marriott hit by new data breach and a failed extortion attempt
Apple's New "Lockdown Mode" Protects iPhone, iPad, and Mac Against Spyware
North Korean ‘Maui’ ransomware targeting healthcare organizations
IT services giant SHI hit by "professional malware attack"
US, UK Leaders Raise Fresh Alarms About Chinese Espionage
Chinese hackers targeting Russian government, telecoms
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com