Cybersecurity News – July 3, 2024

The following are handpicked stories for July 2 and July 3. They cover data breach incidents, hacks, cyber attacks, and ransomware attacks.

Arkansas Attorney General Jim Griffin has launched a legal battle against Temu, a Chinese e-commerce platform, accusing it of exploiting its online marketplace to conduct widespread data theft. This lawsuit underscores mounting concerns regarding the privacy and security risks associated with foreign-owned technology companies operating within the United States. The lawsuit alleges that Temu’s nefarious activities extend beyond the direct engagement of its users. According to sources cited in *The Street*, individuals communicating with Temu users through text or email may unknowingly expose their private conversations to harvesting. Read the full story.

On June 27, 2024, Landmark Admin, LLC filed a notice of data breach with the Attorney General of Montana after discovering that certain files on its network were compromised by an unauthorized party. In this notice, Landmark Admin explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names, addresses, Social Security numbers, driver’s license numbers, state-issued identification numbers, passport numbers, financial account numbers, medical information, and dates of birth. Read the full story.

Ticketmaster’s website says notifications are now going out to customers whose sensitive information was affected. Notices are going out via emails and letters. Ticketmaster says it’s offering free credit monitoring for a year. It advises customers to monitor their accounts. If you notice suspicious activity, contact your bank or credit card company. Ticketmaster says in late May it discovered a third-party database was hacked. The breach reportedly impacted an estimated 560 million customers who bought tickets to events in the U.S., Canada and Mexico. Read the full story.

Florida Community Health Centers (FCHC) notified the Maine Attorney General’s Office that on or around June 13, 2023, it noticed suspicious activity in its network. Because it was so difficult to determine whose data may have been accessed and who needed to be notified, FCHC posted a notice of the incident on the homepage of its website on November 20, 2023 as an interim notice. The incident has now been reported as affecting a total of 296,635 people. Read the full story.

A cyberattack on Texas Retina Associates has affected more than 312,000 patients; Human Technology Inc. has confirmed that patient data was compromised in a cyberattack; and the Monti ransomware group has claimed responsibility for a cyberattack on Wayne Memorial Hospital. Suspicious network activity was identified on March 27, 2024, and third-party cybersecurity specialists were engaged to investigate. They confirmed that an unauthorized actor gained access to the network on October 8, 2023, and maintained access until the breach was detected. Read the full story.

Ransomware demands are reaching new heights in 2024, with the average extortion demand per ransomware attack being more than $5.2 million per incident in the first half of the year. In an analysis calculated from 56 ransom demands from January until June of this year, the largest demand was $100 million after an attack on India’s Regional Cancer Center (RCC) on April 20. The second and third highest were issued to Synnovis, a UK pathology provider, and London Drugs, a Canadian retailer, with extortion demands of $50 million and $25 million, respectively. Read the full story.

Nearly three months after a ransomware attack disrupted phone lines, computer services and Wi-Fi across Solano County’s public libraries, systems are still down with no recovery in sight. Patrons who depend on using library computers haven’t had access to them since the April 5 attack. Solano County officials still have not publicly confirmed that a cyberattack occurred. The county’s chief information officer, Tim Flanagan, told the Chronicle in mid-April only that officials had found “unexpected activity” within the library’s IT network and “responded quickly to confirm the security of our systems and to work toward restoring full functionality as soon as possible.” Read the full story.

FIA (Fédération Internationale de l’Automobile), the auto racing governing body since the 1950s, says attackers gained access to personal data after compromising several FIA email accounts in a phishing attack. “Recent incidents pursuant to phishing attacks has led to the unauthorised access to personal data contained in two email accounts belonging to the FIA,” the organization said on Wednesday. “The FIA took all actions to rectify the issues, notably in cutting the illegitimate accesses in a very short time, once it became aware of the incidents.” Read the full story.

In response to recent security vulnerabilities discovered in flagship Samsung models, the UAE Cyber Security Council has issued a critical alert advising users to promptly update their Android devices. These Samsung vulnerabilities, identified in major flagship models, pose significant risks including unauthorized access and potential data theft. Samsung released comprehensive updates, incorporating patches from Google’s Android Security Bulletin for July 2024 alongside additional fixes developed by Samsung. The updates are designed to fortify device security and safeguard user data against emerging threats. Read the full story.

Hackers are actively exploiting a remote code execution vulnerability in the HTTP File Server (HFS) program. The vulnerability, identified as CVE-2024-23692, was disclosed in May 2024 and has since been leveraged by attackers to install malware and take control of vulnerable systems. HFS, a popular file-sharing program, is now at the center of a significant security threat. The CVE-2024-23692 vulnerability allows attackers to send malicious packets to HFS servers, executing commands remotely. Read the full story.

Hackers favor phishing attacks because they are a highly effective, low-cost way of deceiving users into revealing sensitive information. Despite the recent surge in passkey adoption by large tech firms, Joe Stewart of eSentire found that several online platforms remain susceptible to Adversary-in-the-Middle (AitM) phishing attacks even with passkey technology in place. This weakness arises from incorrectly implemented partial alternatives, mainly the retention of insecure backup methods alongside passkeys. Read the full story.

Software company TeamViewer says that a compromised employee account is what enabled hackers to breach its internal corporate IT environment and steal encrypted passwords in an incident attributed to the Russian government. In an update on Sunday evening, TeamViewer said a Kremlin-backed group tracked as APT29 was able to copy employee directory data such as names, corporate contact information and the encrypted passwords, which were for the company’s internal IT environment. Read the full story.

Researchers say they have discovered a new ransomware group named Volcano Demon that has carried out at least two successful attacks in the past two weeks. What’s interesting about this ransomware group, Halcyon researchers said, is that it has no public leaks website but instead uses phone calls to intimidate and negotiate payments with leadership at victim organizations. These calls originate from unidentified numbers and often carry a threatening tone, the researchers said. Read the full story.

Two vulnerabilities in Rockwell Automation PanelView Plus have been discovered. Unauthenticated attackers could exploit them remotely to perform remote code execution (RCE) and denial-of-service attacks. Rockwell Automation, Inc. is an American provider of industrial automation and digital transformation technology. Among the brands are FactoryTalk, Allen-Bradley, and LifecycleIQ Services. PanelView Plus devices are utilized in the industrial sector as graphic terminals, sometimes referred to as human machine interfaces or HMIs. Microsoft claims that two custom classes in PanelView Plus are vulnerable to an RCE attack that might be used to upload and load a malicious DLL onto the device. Read the full story.

Unknown threat actors have been observed exploiting a now-patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy as part of a campaign primarily targeting users in Canada, India, Poland, and the U.S. “MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems,” Fortinet FortiGuard Labs researcher Cara Lin said in a report published last week. Read the full story.

Cybersecurity researchers have discovered an attack campaign that targets various Israeli entities with publicly-available frameworks like Donut and Sliver. The campaign, believed to be highly targeted in nature, “leverage target-specific infrastructure and custom WordPress websites as a payload delivery mechanism, but affect a variety of entities across unrelated verticals, and rely on well-known open-source malware,” HarfangLab said in a report last week. Read the full story.

The Harry Perkins Institute of Medical Research in Perth is investigating a major cyber security incident. The institute confirmed it had identified a “cyber incident impacting our internal servers”. But a spokesperson for the institute would not comment to the ABC on a report that a ransomware “gang” had stolen data and was demanding $500,000. Read the full story.

CDK Global says that its dealer management system (DMS), impacted by a massive IT outage following a June 18th ransomware attack, will be back online by Thursday for all car dealerships. The company is also working on restoring access to other affected applications, including its Customer Relationship Management (CRM), ONE-EIGHTY, and Service solutions. Read the full story.

Thousands of Armed Forces personnel are to launch legal action over their data being compromised by Chinese state hackers. A highly embarrassing development for the Ministry of Defence saw soldiers’ names and banking details accessed in a cyber attack orchestrated by Beijing. Those affected include people involved in highly sensitive UK security operations whose roles require anonymity. Read the full story.

Roll20, a digital roleplaying tool popular among players of games such as Dungeons & Dragons and many others, has sent out emails to some of its customers warning of a data breach. Roll20 discovered a compromised administrative account on June 29 at 6:30 pm. An hour later, Roll20 blocked all access to that account and began an investigation into the incident. The email sent by Roll20 stated: “Following our investigation, we learned that the unauthorised third party had access to administrative tools, which may have resulted in the exposure of personal information, such as your: first and last name, email address, last known IP address, and the last 4 digits of your credit card.” Read the full story.

South Africa’s National Health Laboratory Service (NHLS), the government-run network of healthcare testing laboratories, continues to battle in its recovery from a ransomware attack that disrupted systems and deleted backups. The attack targeted specific weak points in the NHLS’s information infrastructure on June 22, effectively blocking communications between the laboratories’ information systems and other medical databases, resulting in delays in lab testing across public health facilities. Read the full story.

CSHARP-STREAMER, a Remote Access Trojan (RAT), was identified during an investigation of a ransomware attack using Metaencryptor, in which a PowerShell loader deployed CSHARP-STREAMER. The RAT utilizes publicly available techniques, including AMSI-Memory-Bypass and XOR decryption; these components were written by security researcher GetRektBoy724 (XOR decryption) and a GitHub user (AMSI Memory Bypass). This suggests that CSHARP-STREAMER has been used in more than one attack since it was first found, such as the deployment of ALPHV ransomware and campaigns linked to REvil and Operation White Stork. Read the full story.

The University Hospital Centre in Zagreb, Croatia, has been claimed by the LockBit ransomware group barely a week after the healthcare organization announced it was hit by a cyberattack last Thursday. Hospital officials said the June 27th attack had incapacitated its networks, forcing emergency patients to be diverted to other Zagreb hospitals, taking the facility “back 50 years – to paper and pencil,” reported Croatian Radio. Read the full story.

Modern CPUs from Intel, including Raptor Lake and Alder Lake, have been found vulnerable to a new side-channel attack that could be exploited to leak sensitive information from the processors. The attack, codenamed Indirector by security researchers Luyi Li, Hosein Yavarzadeh, and Dean Tullsen, leverages shortcomings identified in Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) to bypass existing defenses and compromise the security of the CPUs. Read the full story.

Google has released patches for 25 documented security vulnerabilities in the Android operating system, including a critical-severity flaw in the Framework component. The critical bug, tracked as CVE-2024-31320, impacts Android versions 12 and 12L and allows an attacker to escalate privileges on a vulnerable device. “The most severe of these issues is a critical security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed,” Google explains in an advisory. Read the full story.

Cisco switch owners should probably apply the patch that just dropped for a vulnerability that was exploited in April as a zero-day to install malware on an array of its Nexus switches. On paper, CVE-2024-20399 doesn’t seem like the worst thing in the world. It is a command injection bug, typically a serious issue, but it has only a moderate severity rating of 6.0. Cisco says this vulnerability lies in the CLI of Cisco NX-OS, the operating system for its Nexus-series switches, and allows authenticated, local attackers to execute arbitrary commands as root. Read the full story.

A ransomware attack at Dublin-based Patelco Credit Union may prevent customers from accessing banking services for days or weeks, the company said. In an email to credit union members, Patelco President and CEO Erin Mendez said a cybersecurity forensic firm was helping the company investigate the attack and recover its networks as soon as possible, but said restoring full service to customers would take time. Read the full story.

Heritage Valley Health System has agreed to pay the federal government $950,000 to settle potential patient privacy violations following a ransomware attack in 2017 that crippled the health system’s electronic medical records system. A U.S. Department of Health and Human Services review of HVHS’ electronic medical records system and security provisions following the malware attack identified failures to conduct a risk analysis of the system to determine vulnerabilities, develop contingency plans to respond to emergencies such as ransomware attacks, and to restrict access to the records to authorized users. Read the full story.

Buy-now-pay-later company Affirm told the US Securities and Exchange Commission (SEC) on Monday that it believes personal data of Affirm Card holders was potentially stolen in the ransomware attack on Evolve. The number of financial institutions hit by the breach at Evolve Bank & Trust continues to rise as fintech businesses Wise and Affirm both confirm they have been materially affected. Read the full story.

Planned Parenthood Los Angeles, or PPLA, has wound up in a $6 million class action lawsuit for allegedly failing to protect its clients from a data breach, per Top Class Actions. During the 2021 breach, the private information of 409,437 patients was compromised. Their names, insurance information, and other sensitive data were potentially exposed to hackers. The plaintiffs in the lawsuit argued the nonprofit health service provider could have avoided the breach by enforcing reasonable cybersecurity measures. Read the full story.

A former employee at vendor Nuance Communications accessed patient data two days after being terminated, according to the health system. The employee is facing federal charges. The data breach at Geisinger may have exposed the personal information of more than 1.2 million patients, according to a report filed with federal regulators. Law enforcement asked Nuance to delay notifying patients about the breach until now to avoid impacting their investigation. The worker has been arrested and is now facing federal charges, Geisinger said. Read the full story.

After initially disclosing a data breach in February to the Securities and Exchange Commission (SEC) that it said was not materially impacting, Prudential Financial has updated its notice with a revised total number of affected residents — a number staggeringly higher than anticipated. More than 2.5 million individuals have been compromised by this data breach attack, rather than the 36,000 the insurance company originally said were affected. The stolen information includes names, addresses, driver’s license numbers, and identification card numbers. Read the full story.

A trio of security flaws has been uncovered in the CocoaPods dependency manager for Swift and Objective-C Cocoa projects that could be exploited to stage software supply chain attacks, putting downstream customers at severe risks. The vulnerabilities allow “any malicious actor to claim ownership over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and macOS applications,” E.V.A Information Security researchers Reef Spektor and Eran Vaknin said in a report published on July 1. Read the full story.

Sophos released additional findings from its annual “State of Ransomware 2024” survey. According to the report, among organizations surveyed, 96% of Indian companies that were hit by ransomware over the past year engaged with law enforcement and/or official government bodies for help with the attack. In addition, more than half (59%) of the organizations that did engage with law enforcement also reported finding the process easy. Only 7% of those surveyed said the process was very difficult. Read the full story.

Japanese media giant Kadokawa confirmed that some of its data was leaked in the ransomware attack last month. In a statement on Saturday, Kadokawa said that the leaked data included business partner information, including contracts and other documents, as well as internal company data such as personal information on all employees of its subsidiary Dwango, which runs the popular Japanese video-sharing site Niconico. Read the full story.

Bugcrowd recently released its “Inside the Mind of a CISO” report. Among the findings, 1 in 3 respondents (33%) believed that at least half of companies are willing to sacrifice their customers’ long-term privacy or security to save money. This is explained in part by the fact that 40% believed that less than 1 in 3 companies truly understood their risk of being breached. Speaking of money, nearly 9 in 10 (87%) reported that they were currently hiring security staff and 56% stated that their security team was currently understaffed. Read the full story.

Cisco addressed an NX-OS zero-day, tracked as CVE-2024-20399 (CVSS score of 6.0), that the China-linked group Velvet Ant exploited to deploy previously unknown malware as root on vulnerable switches. The flaw resides in the CLI of Cisco NX-OS Software; an authenticated, local attacker can exploit it to execute arbitrary commands as root on the underlying operating system of an affected device. The IT giant pointed out that only attackers with Administrator credentials can successfully exploit this vulnerability on a Cisco NX-OS device. Read the full story.

Experts have warned Android users to be wary of the apps they download onto their smartphones, with cyber attackers using “increasingly sophisticated techniques” to breach devices. One type of malware, called Rafel RAT, operates stealthily on devices and “provides malicious actors with a powerful toolkit for remote administration and control”. The latest warning comes from Antonis Terefos and Bohdan Melnykov of cyber threat intelligence company Check Point Research. Read the full story.

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.