Cybersecurity News – July 8

The following stories capture cybersecurity incidents and news from the week ending July 8, 2024. All of them have been handpicked from reliable cybersecurity websites, journals and blogs.

The founding CEO of the UK’s National Cyber Security Centre (NCSC) has warned that outdated NHS systems are endangering its security and increasing vulnerability to cyberattacks. The BBC reported Professor Ciaran Martin has identified three key cybersecurity issues faced by the NHS: outdated IT systems, the need to identify vulnerabilities, and implementing basic security practices. His caution has arrived after NHS England announced its patient data managed by pathology services organisation, Synnovis, was stolen in a cyberattack on 3 June. “It was obvious that this was going to be one of the most serious cyber incidents in British history because of the disruption to healthcare,” said Professor Martin to the BBC. Read the full story.

A Bay Area-based credit union says it has stabilized its network after a ransomware attack and is processing transactions again. The breach crippled Dublin-based Patelco Credit Union more than a week ago, disrupting services to its members such as simple account balance statements, mobile banking and cashing checks. Patelco said in a statement late Sunday it is now processing transactions, and customers will soon be able to see their account balances, “but the restoration of our systems while ensuring their future security requires careful and methodical work.” Read the full story.

The September 2023 data breach at the state-run Philippine Health Insurance Corporation (PHIC) affected 42 million individuals, the National Privacy Commission (NPC) said Monday. NPC Director IV and lawyer Maria Theresita Patula gave the figure in response to questioning from House appropriations panel senior vice chairperson Stella Quimbo of Marikina City. Read the full story.

Apple removed a number of virtual private network (VPN) apps from its App Store in Russia on July 4, 2024, following a request by Russia’s state communications watchdog Roskomnadzor, Russian news media reported. The removal covers the mobile apps of 25 VPN service providers, including ProtonVPN, Red Shield VPN, NordVPN and Le VPN, according to MediaZona. It’s worth noting that NordVPN had already shut down all its Russian servers in March 2019. Read the full story.

The founding chief executive of the National Cyber Security Centre has warned parts of the NHS’s IT system is “out of date” and at risk of further cyber attacks. More than 6,000 appointments and procedures were postponed at major London hospitals because of a cyber attack in June. Professor Ciaran Martin said he was “horrified, but not completely surprised” by the ransomware attack. He told the BBC: “Ransomware attacks on healthcare are a major global problem. “In parts of the NHS estate, it’s quite clear that some of the IT is out of date.” Read the full story.

According to an exclusive report from the New York Times, citing a pair of anonymous OpenAI insiders, someone managed to breach a private forum used by OpenAI employees to discuss projects early last year. OpenAI apparently chose not to make the news public or tell anyone in law enforcement about the digital break-in, because none of the Microsoft-backed firm’s actual AI builds were compromised. Execs who disclosed the breach to employees didn’t think it was much of a threat, because it was believed the miscreant behind the breach was a private individual unaffiliated with any foreign governments. Read the full story.

The STORMOUS group alleges that it has successfully infiltrated HITC Telecom’s systems, exfiltrating sensitive data and compromising critical infrastructure. The group has not yet disclosed the full extent of the data it accessed, but initial reports suggest that customer information, internal communications and financial records may have been compromised. HITC Telecom has yet to release an official statement regarding the breach. Cybersecurity experts have been hired to conduct a thorough investigation and strengthen the company’s defenses against future attacks. Read the full story.

A serious cyber threat is targeting Apple IDs, and it’s more crucial than ever to be on your guard. Security researchers at Symantec have uncovered a sophisticated SMS phishing campaign designed to trick you into giving up your Apple ID credentials. The attackers send out text messages that look like they’re from Apple, urgently requesting that you click on a link for an important iCloud update or verification. Symantec’s research shows these links lead to cleverly designed fake websites that ask for your Apple ID and password. To make the site seem legitimate, the attackers have even included a CAPTCHA. Read the full story.

A proof-of-concept (PoC) exploit has been released for a critical remote code execution vulnerability in the HTTP File Server (HFS) software, identified as CVE-2024-39943. The vulnerability arises because HFS invokes the df command through a shell, so input that reaches that command line can be used to run arbitrary commands on the host system. The National Vulnerability Database (NVD) has acknowledged the issue but has not yet fully analyzed it. Read the full story.

Cloudflare’s privacy-first public DNS resolver service was hit by two simultaneous BGP issues recently, resulting in an unintentional BGP hijacking incident that highlights ongoing concerns over the security of the 35-year-old internet routing protocol. The outage and slowdowns that affected the free Cloudflare DNS resolver service “1.1.1.1” for a few hours on June 27 affected less than 1 percent of internet traffic, but the issue is likely to bring fresh attention to BGP, dubbed the “three-napkin protocol” for the way it was drafted on a lunch break at an IETF meeting in 1989. The FCC recently voted to require ISPs to report on their BGP security progress, a preliminary vote that will go through a public comment period before it can be finalized. Read the full story.

E-commerce platform Shopify denies it suffered a data breach after a threat actor began selling customer data they claim was stolen from the company’s network. “Shopify systems have not experienced a security incident,” Shopify told BleepingComputer. “The data loss reported was caused by a third-party app. The app developer intends to notify affected customers.” Read the full story.

The hacking group RansomHub this week claimed it exfiltrated and published 100 gigabytes of sensitive data from the Florida Department of Health because the department refused to meet its ransom demands. According to a July 1 post on X by HackManac, a company that tracks cyberattacks, RansomHub threatened to release the stolen health department data in a post on the dark web unless the state paid an undisclosed amount of money by Friday. Read the full story.

Sen. Charles Grassley (R-IA) on Wednesday sent Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly a stern letter seeking documentation and answers relating to a January hack of the agency’s Chemical Security Assessment Tool (CSAT) along with the breach of a second sensitive system. “It appears that CISA hasn’t taken adequate steps to ensure the safety of its own systems, leaving the nation at risk,” the Grassley letter said. Read the full story.

Hackers have leaked what they claim is Ticketmaster barcode data for 166,000 Taylor Swift Eras Tour tickets, warning that more events would be leaked if a $2 million extortion demand is not paid. In May, a well-known threat actor named ShinyHunters began selling data on 560 million Ticketmaster customers for $500,000. Ticketmaster later confirmed the data breach, which they ultimately stated was from their account on Snowflake, a cloud-based data warehousing company used by the enterprise to store databases, process data, and perform analytics. Read the full story.

Recently, a threat actor in an underground forum published an alleged data breach. The leak purportedly involves sensitive information from the Ukraine traffic police (GAI). The data, spanning millions of entries, was shared on the forum by a user named “Tanaka.” According to the forum post, the leaked dataset includes a comprehensive range of details about vehicle registrations, owners, and other pertinent information. Read the full story.

Microsoft discovered and responsibly disclosed two vulnerabilities in Rockwell Automation PanelView Plus that could be remotely exploited by unauthenticated attackers, allowing them to perform remote code execution (RCE) and denial-of-service (DoS). The RCE vulnerability in PanelView Plus involves two custom classes that can be abused to upload and load a malicious DLL into the device. The DoS vulnerability takes advantage of the same custom class to send a crafted buffer that the device is unable to handle properly, thus leading to a DoS. Read the full news.

Waupaca County confirmed Tuesday, July 3, that its computer “systems were impacted by ransomware.” Computers at the Waupaca County courthouse have been down since June 18, when county IT staff responded to a network interruption that resulted in an outage. County IT staff took steps to secure the network and engaged third-party specialists to help investigate the nature and source of the disruption. The specialists are also assessing its impact on county systems and have begun restoring them. Read the full story.

French cloud computing firm OVHcloud said it mitigated a record-breaking distributed denial-of-service (DDoS) attack in April 2024 that reached a packet rate of 840 million packets per second (Mpps). “While the attack was distributed worldwide, 2/3 of total packets entered from only four [points of presence], all located in the U.S. with 3 of them being on the west coast,” OVHcloud noted. “This highlights the capability of the adversary to send a huge packet rate through only a few peerings, which can prove very problematic.” Read the full story.

OVHcloud, a global cloud services provider and one of the largest of its kind in Europe, says it mitigated a record-breaking distributed denial of service (DDoS) attack earlier this year that reached an unprecedented packet rate of 840 million packets per second (Mpps). Earlier this year, OVHcloud had to mitigate a massive packet rate attack that reached 840 Mpps, surpassing the previous record holder, an 809 Mpps DDoS attack targeting a European bank, which Akamai mitigated in June 2020. Read the full story.

A new ransomware-as-a-service (RaaS) called Eldorado emerged in March and comes with locker variants for VMware ESXi and Windows. The gang has already claimed 16 victims, most of them in the U.S., in the real estate, education, healthcare and manufacturing sectors. Researchers at cybersecurity company Group-IB monitored Eldorado’s activity and noticed its operators promoting the malicious service on RAMP forums and seeking skilled affiliates to join the program. Read the full story.

The New York Times reported on July 4, 2024, that OpenAI suffered an undisclosed breach in early 2023. “After the breach, Leopold Aschenbrenner, an OpenAI technical program manager, focused on ensuring that future A.I. technologies do not cause serious harm, sent a memo to OpenAI’s board of directors, arguing that the company was not doing enough to prevent the Chinese government and other foreign adversaries from stealing its secrets,” writes the NYT. Read the full story.

A hacker reportedly stole information on OpenAI’s new technologies last year by breaking into the company’s internal messaging systems. The company did not report the breach to federal law enforcement or make the news public, as it believed no customer information had been stolen. It did not consider the event a national security threat, pegging the hacker to be a private individual with no links to nation-state attackers. Read the full story.

Australia said Thursday a $1.35 billion deal with U.S. technology giant Amazon to build three secure data centers for top-secret information will increase its military’s “war-fighting capacity.” The data centers are to be built in secret locations in Australia and run by an Australian subsidiary of Amazon Web Services, the government said. Australian officials said the project would create a “state-of-the-art collaborative space” for intelligence and defense agencies to store and gain access to sensitive information in a centralized network. Read the full story.

European law enforcement agency Europol on Wednesday announced a global crackdown against the use of legitimate security tools by cybercriminals, including the takedown of nearly 600 Cobalt Strike servers linked to criminal activity. The agency said it teamed up with multiple private sector companies to flag known Cobalt Strike servers used by criminal groups and passed that information to online service providers to disable unlicensed versions of the tool. “A total of 690 IP addresses were flagged to online service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down,” Europol said. Read the full story.

Alabama’s education superintendent said Wednesday that some data was “breached” during a hacking attempt at the Alabama State Department of Education. Superintendent Eric Mackey said the June 17 attack was stopped while it was in progress, and that the department is working to determine exactly what information might have been compromised. In a statement, he said: “We don’t know exactly what data was breached and we can’t disclose everything. But again, the attack on our system was interrupted and stopped by our IT professionals before the hackers could access everything they were after. That we know.” Read the full story.

Logsign, whose Unified Security Operations (SecOps) platform runs on a Python-based web server, has patched critical vulnerabilities that could have let threat actors gain full control over the system. The vulnerabilities, identified as CVE-2024-5716 and CVE-2024-5717, can be chained to achieve remote, unauthenticated code execution via HTTP requests. Read the full story.

Malware authors are exploiting the growing popularity of QR codes to target users through PDF files, where these malicious PDFs, often delivered via email disguised as faxes, contain QR codes that trick users into scanning them with their smartphones. Phishing scammers are impersonating the Microsoft login page by utilizing a QR code that redirects users through a benign-looking host (bing.com) to a phishing URL. Read the full story.

Cybersecurity researchers have uncovered a new botnet called Zergeca that’s capable of conducting distributed denial-of-service (DDoS) attacks. Written in Golang, the botnet is so named for its reference to a string named “ootheca” present in the command-and-control (C2) servers (“ootheca[.]pw” and “ootheca[.]top”). “Functionally, Zergeca is not just a typical DDoS botnet; besides supporting six different attack methods, it also has capabilities for proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information,” the QiAnXin XLab team said in a report. Read the full story.

The supply chain attack targeting the widely used Polyfill[.]io JavaScript library is wider in scope than previously thought, with new findings from Censys showing that over 380,000 hosts were embedding a polyfill script linking to the malicious domain as of July 2, 2024. “Approximately 237,700 are located within the Hetzner network (AS24940), primarily in Germany,” it noted. “This is not surprising – Hetzner is a popular web hosting service, and many website developers leverage it.” Read the full story.

In a major international takedown, law enforcement and private companies joined forces to cripple a network of cybercriminals relying on Cobalt Strike. Operation Morpheus, launched in September 2021 by Europol’s European Cybercrime Centre (EC3), targeted nearly 600 internet protocol (IP) addresses linked to malicious Cobalt Strike deployments between June 24 and June 28. The UK’s National Crime Agency (NCA), the FBI and law enforcement agencies from Australia, Canada, Germany, the Netherlands and Poland took part in dismantling the network: the Australian Federal Police, the Royal Canadian Mounted Police, the German Federal Criminal Police Office (Bundeskriminalamt), the Netherlands National Police (Politie) and the Polish Central Cybercrime Bureau. Read the full details.

Apple Mac users must update their ChatGPT desktop app to ensure their conversations are encrypted. Last month, OpenAI released its ChatGPT desktop app for Mac, featuring capabilities such as text generation and code writing through chatbot interaction. However, a recent discovery highlighted a significant security issue that could have exposed users’ conversations to hackers or malicious apps. OpenAI has since addressed and fixed the bug. Read the full story.

The hackers behind a major cyber attack on the Indonesian government have issued a surprise apology and offered to release the “keys” to the stolen data. The attack last month on the government’s data centres disrupted airport immigration checks and affected more than 230 government agencies and services across the country. The Brain Cipher group had made a public statement on its website issuing an apology and promising to provide the decryption keys “for free” by Wednesday. Read the full story.

The Indonesian Ministry of Communication and Information (Kominfo) confirmed that it has tried the decryption key provided by the Brain Cipher ransomware group to unlock the compromised Temporary National Data Center (PDNS). “We’ve tested the key in the space room, and it successfully unlocked six data sets,” said Director General of Informatics Applications Semuel Abrijani Pangerapan at the Kominfo Ministry Office in Jakarta on Thursday, July 4. The data center had suffered a ransomware attack carried out by the Brain Cipher ransomware operator. Read the full story.

Google released an emergency security update in September 2023 to patch a heap buffer overflow vulnerability in WebP. It was a zero-day, exploited in the wild before the fix: attackers could deliver a crafted WebP image through a web page, and decoding the image would trigger the overflow and let the attacker carry out actions of their choosing on the victim’s machine. It has since become clear that the flaw, CVE-2023-4863, affects any application that uses the WebP library, which is a great many. It is a client-side vulnerability, meaning it targets end users rather than servers, which makes it a high-risk threat: any time a user opens or renders a malicious WebP image in an unpatched application, the attacker gets a chance to compromise that computer. Read the full story.

The largest password compilation to date, with nearly ten billion unique passwords, was leaked on a popular hacking forum. The Cybernews research team believes the leak poses severe dangers to users prone to reusing passwords. “In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks,” researchers said. Read the full story.

On Tuesday, health tech services provider HealthEquity disclosed in a filing with federal regulators that it had suffered a data breach, in which hackers stole the “protected health information” of some customers. In an 8-K filing with the SEC, the company said it detected “anomalous behavior by a personal use device belonging to a business partner,” and concluded that the partner’s account had been compromised by someone who then used the account to access members’ information. Read the full story.

Twilio this week confirmed suffering a data breach after hackers leaked 33 million phone numbers associated with the Authy application. The notorious ShinyHunters hackers announced on the relaunched BreachForums website in late June that they were leaking 33 million random phone numbers associated with Twilio’s two-factor authentication app Authy. The leaked information also included account IDs and some other non-personal data associated with Authy users. Read the full story.

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.