Cybersecurity Stories – Week ending 27 September

Read the handpicked cybersecurity stories. Learn more about the ransomware incidents, data theft, and other cyberattacks affecting organizations worldwide.

The current page lists all the cybersecurity incidents and happenings for the current week.

Headlines

Hackers compromised OpenAI’s official press account on X, a platform used for product and policy announcements. The attackers posted a fake announcement about a new OpenAI-branded blockchain token, “$OPENAI,” and linked it to a phishing site designed to steal users’ login credentials.

The post claimed that all OpenAI users were eligible to claim a share of the token’s initial supply and that holding the token would grant access to future beta programs.

However, the token does not exist, and the site was a clear attempt to phish unsuspecting users, according to a TechCrunch report. Read the full story.

The U.S. Department of Homeland Security (DHS) announced this week the availability of about US$280 million in grant funding for the Fiscal Year (FY) 2024 for the State and Local Cybersecurity Grant Program (SLCGP). DHS will implement the SLCGP through the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA).

“These cyber grants are an investment in the security of our nation’s infrastructure, helping to ensure that communities across the country have the tools they need to defend against cyberattacks,” said Jen Easterly, CISA director. Read the full story.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has settled alleged HIPAA violations with the Washington healthcare provider Cascade Eye and Skin Centers, P.C. for $250,000.

The patient data had been exposed in a March 2017 ransomware attack. According to OCR, the ransomware group had access to a network server where 291,000 files containing patients’ protected health information were stored.

Cascade Eye and Skin Centers was given the opportunity to settle the alleged HIPAA violations and chose to pay the financial penalty and adopt a corrective action plan, with no admission of wrongdoing or liability. Read the full story.

Michigan Medicine has notified about 57,891 patients that their health information was possibly exposed in a data breach, marking the health system’s second cyberattack this year. The breach occurred after an employee’s email account was compromised, according to a release.

When it discovered the breach, Michigan Medicine blocked the attacker’s IP address and changed passwords. Michigan Medicine says the emails did not include Social Security Numbers, bank account numbers, or credit or debit card information.

On Sept. 26, Michigan Medicine started mailing notices to the impacted patients. People who are concerned and do not receive a letter can contact the toll-free Michigan Medicine Assistance Line: 1-877-225-2078 with questions from 9 a.m. to 9 p.m. Monday through Friday. Read the full story.

The Seattle Public Library expects to spend about $1 million responding to a May ransomware attack by the end of 2024 and is still investigating what, if any, personal data hackers stole. Library officials expect to have a report within four to six weeks on what type of data hackers exfiltrated and whether the data contained personal information.

SPL will have spent about $800,000 on consultants and $200,000 on extra information technology costs related to the ransomware attack by year’s end, said Rob Gannon, director of administrative services. Read the full story.

Simone Margaritelli, a cybersecurity researcher and Linux developer, has discovered a critical vulnerability affecting GNU/Linux systems that could allow attackers to gain complete control of vulnerable systems through remote code execution.

While specific details of the vulnerability remain confidential, its severity score of 9.9 out of 10 has been confirmed by major Linux distributors such as Canonical and Red Hat. Despite the severity of the issue, no Common Vulnerabilities and Exposures (CVE) identifiers have been assigned yet.

The vulnerability may affect known exposed services like OpenSSH and possibly filtering services like Netfilter, although there is no indication of which service is actually affected; these are only hypotheses. Read the full story.

Progress Software warned customers to patch multiple critical and high-severity vulnerabilities in its WhatsUp Gold network monitoring tool as soon as possible. It published an advisory on Tuesday to address vulnerabilities reported on Friday.

“We are reaching out to all WhatsUp Gold customers to upgrade their environment as soon as possible to version 24.0.1, released on Friday, September 20. If you are running a version older than 24.0.1 and you do not upgrade, your environment will remain vulnerable.”

To upgrade to the latest version, download the WhatsUp Gold 24.0.1 installer from Progress, run it on vulnerable WhatsUp Gold servers, and follow the prompts. Read the full story.

The social media giant Meta has been fined €91 million ($101 million) for accidentally storing hundreds of millions of its users’ passwords in plaintext instead of in an encrypted format on its internal systems. Meta first announced discovering the engineering mistake back in 2019.

Following a five-year investigation, the Irish Data Protection Commission (DPC) — which is the EU’s lead privacy authority on Meta, as the company’s European headquarters are based in Ireland — found the incident was a breach of Meta’s legal duties under the EU’s General Data Protection Regulation (GDPR). In a statement on Friday, the DPC said it was issuing a reprimand and fine to Meta for several breaches of the GDPR, including failing to notify the DPC of the personal data breaches and failing to implement appropriate technical measures to protect users’ passwords. Read the full story.

Microsoft has discovered a new threat actor, labeled Storm-0501, that previously operated as an affiliate for other ransomware-as-a-service gangs, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and most recently, Embargo ransomware. Now, they’re trying to do something of their own.

Recently, Storm-0501 launched multi-staged attacks in the US, compromising hybrid cloud environments and moving laterally from on-premises devices to the cloud. This led to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment.

“As hybrid cloud environments become more prevalent, the challenge of securing resources across multiple platforms grows ever more critical for organizations,” the report by Microsoft Threat Intelligence warns. Read the full story.

A large Dallas suburb is dealing with a ransomware attack that has required help from the FBI to resolve. Richardson — home to about 120,000 people — released a statement saying hackers gained access to government servers on Wednesday morning and attempted to encrypt files on the network. 

City Manager Don Magner said the attack is something officials “have been diligently preparing for” and explained that their security protocols appear to have minimized the impact. The city of Dallas faced its own devastating ransomware attack last year. Read the full story.

Kuwait’s Health Ministry is recovering from a cyberattack that took down systems at several of the country’s hospitals, as well as the country’s Sahel healthcare app. The Ministry of Health website is still down as of Thursday afternoon but the agency released a statement through the Kuwait News Agency.

The country of more than four million people has about 36 hospitals, including 20 public hospitals. The hackers were stopped from reaching “essential databases,” according to the statement, but the ministry was forced to shut down certain systems in order to install needed updates. Read the full story.

A critical vulnerability in the VLC media player affects versions 3.0.20 and earlier. It could enable a malicious third party to cause VLC to crash or execute arbitrary code with the target user’s privileges.

The VLC development team has addressed this issue in VLC Media Player version 3.0.21. Users are urged to update to this latest version to protect against the vulnerability. Read the full story.

The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with several international cybersecurity agencies, has released a comprehensive guide on detecting and mitigating Active Directory compromises. The guide details 17 common techniques used by malicious actors to compromise Active Directory.

The release of this guide underscores the critical need for organizations to prioritize the security of their Active Directory environments. By understanding the common techniques used by malicious actors and implementing the recommended mitigation strategies, organizations can significantly enhance their cybersecurity. Read the full story.

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned Cryptex and PM2BTC, two cryptocurrency exchanges that laundered funds from Russian ransomware gangs and other cybercrime groups.

Cryptex (which used the cryptex[.]net domain) reportedly provides financial services to cybercriminals and laundered over $51 million in funds linked to ransomware attacks. “Cryptex is also associated with over $720 million in transactions to services frequently used by Russia-based ransomware actors and cybercriminals, including fraud shops, mixing services, exchanges lacking KYC programs, and OFAC-designated virtual currency exchange Garantex,” the Treasury said. Read the full story.

Cybersecurity researchers have disclosed a set of now-patched vulnerabilities in Kia vehicles that, if successfully exploited, could have allowed remote control over key functions using only a license plate.

“These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription,” security researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll said. The issues impact almost all vehicles made after 2013, even letting attackers covertly gain access to sensitive information including the victim’s name, phone number, email address, and physical address. Read the full story.

WordPress on Wednesday escalated its conflict with WP Engine, a hosting provider, by blocking the latter’s servers from accessing WordPress.org resources – and therefore from potentially vital software updates.

“WP Engine wants to control your WordPress experience. They need to run their own user login system, update servers, plugin directory, theme directory, pattern directory, block directory, translations, photo directory, job board, meetups, conferences, bug tracker, forums, Slack, Ping-o-matic, and showcase,” Mullenweg wrote in a WordPress.org post announcing the ban. “Their servers can no longer access our servers for free.”

Many WordPress users rely on several plugins. Preventing WP Engine users from accessing plugin updates is therefore serious, as it could mean users can’t update plugins that have security issues, or other fixes. Read the full story.

The latest in a long line of cryptocurrency wallet-draining attacks has stolen $70,000 from people who downloaded a dodgy app in a single campaign researchers describe as a world-first.

Investigators at Check Point Research (CPR) said the app, which is called WalletConnect and used the open source project’s official logo in the app tile image, is the first drainer of its kind to target mobile users exclusively. Of the total 150 or so victims of the app, CPR noted that only 20 bothered to leave a negative review on the Play Store – apathy that allowed the miscreants behind it the chance to post ample fake positive reviews, drowning out the victims’ voices. Read the full story.

More than 6,500 ransomware attacks were recorded in 2023, touching a record number of 117 countries across the globe after a brief dip in 2022. There was a 73% year-over-year increase in attacks to 6,670 ransomware incidents, with notable spikes in June and July due to the exploitation of a popular file transfer tool.

The task force found at least 117 countries experienced ransomware incidents launched by 66 different groups. For 2022, the numbers were slightly lower at 105 countries and 58 ransomware gangs. Read the full story.

Government-run water systems are still at risk of attack by cybercriminals and nation-states, according to a new advisory from the U.S.’s top cybersecurity agency. The notice from the Cybersecurity and Infrastructure Security Agency (CISA) came two days after Arkansas City, Kansas reported a cybersecurity issue that forced them to switch to manual operations. 

Due to their importance, the more than 150,000 public water systems in the U.S. have become a focal point of debate about what role federal and state governments have in protecting the public from a cybersecurity perspective. Read the full story.

Financial payment giant MoneyGram restored its website and several of its services following widespread outages that limited the ability of millions to send money to families around the world. In a social media message on Thursday morning, the company said its website and app are now live and available. 

“Customers can send and receive money through both our digital platforms and agent partners. We continue to work diligently to fulfill pending transactions,” they said. MoneyGram has not responded to questions about the type of issue it is dealing with. Its initial statement said the incident forced the company to “take systems offline” and call in law enforcement for assistance. Read the full story.

Citrix has issued a security bulletin detailing vulnerabilities in XenServer and Citrix Hypervisor. The vulnerabilities, identified as CVE-2024-45817, CVE-2022-24805, and CVE-2022-24809, affect XenServer 8 and Citrix Hypervisor 8.2 CU1 LTSR.

The primary vulnerability, CVE-2024-45817, allows a malicious administrator of a guest VM to cause the host to crash or become unresponsive. Citrix has released updates to address these vulnerabilities. For XenServer 8 users, updates are available in both the Early Access and Normal update channels. For Citrix Hypervisor 8.2 CU1 LTSR users, a hotfix (XS82ECU1077) has been released. Read the full story.

NVIDIA has disclosed critical vulnerabilities in its Container Toolkit, potentially allowing attackers to execute remote code. The vulnerabilities, identified as CVE-2024-0132 and CVE-2024-0133, affect all versions of the NVIDIA Container Toolkit up to and including version 1.16.1.

CVE-2024-0132 is a time-of-check, time-of-use (TOCTOU) vulnerability with a CVSS score of 9.0. CVE-2024-0133 presents a less severe but still significant risk, with a CVSS score of 4.1. To mitigate these risks, NVIDIA recommends updating to version 1.16.2 of the Container Toolkit and version 24.6.2 of the NVIDIA GPU Operator. Read the full story.

A cyberattack has disrupted the wi-fi systems at at least 20 UK railway stations, including major hubs like London Euston, Manchester Piccadilly, Liverpool Lime Street, and Birmingham New Street. Network Rail confirmed the issue, with a spokesperson stating: “We are currently dealing with a cyber security incident affecting the public wi-fi at Network Rail’s managed stations.”

The wi-fi remained down as of Wednesday, and the British Transport Police are investigating the incident, reported the BBC. Passengers who attempted to connect to the wi-fi encountered a screen referencing terror attacks in Europe. Read the full story.

In the event of a cloud breach, 26% of Singaporean IT and security leaders say it would be easy for an attacker to find weaknesses in their organisations’ environment and move laterally. This is because they have limited or no controls in place to limit network discovery or lateral movement or have a limited amount of preventative and detective controls.

“The goal of cyberattacks has shifted from monetising data to impacting business operations and, as a result, the cloud has become a prime target for attack. Yet, more than half of Singaporean businesses say they wouldn’t be able to operate in the event of a cloud breach, which is concerning,” says Andrew Kay, director of Systems Engineering APJ at Illumio. Read the full story.

Despite being top of the ransomware tree at the moment, RansomHub – specifically, one of its affiliates – clearly isn’t that bright as they are reportedly trying to extort Delaware Libraries for around $1 million. Delaware Libraries’ website also states that some sites across the state are shut as a result, and it hasn’t determined how long it will take to restore its services.

RansomHub claims to have stolen a bunch of documents from Delaware Libraries, leaking what appears to be a small number of financial documents from previous years. A screenshot of a single folder shows it contains more than 80,000 files totaling 56 GB, created on September 20, the day before the organization confirmed the IT issues. Read the full story.

CrowdStrike is making two changes to how it pushes out updates for its security tools after a July incident left thousands of airports, businesses and governments scrambling to recover from outages.

Adam Meyers, senior vice president at the cybersecurity company, told a House subcommittee on Tuesday that customers will now be able to choose whether they are among the first to receive content updates — essentially serving as guinea pigs for new changes — or schedule to get the updates at a later date. Meyers also explained at length the internal changes CrowdStrike is making to how the company verifies the updates. Read the full story.

An advanced threat actor with an India nexus has been observed using multiple cloud service providers to facilitate credential harvesting, malware delivery, and command-and-control (C2).

Web infrastructure and security company Cloudflare is tracking the activity under the name SloppyLemming, which is also called Outrider Tiger and Fishing Elephant. “Between late 2022 to present, SloppyLemming has routinely used Cloudflare Workers, likely as part of a broad espionage campaign targeting South and East Asian countries,” Cloudflare said in an analysis. Read the full story.

The percentage of Android vulnerabilities caused by memory safety issues has dropped from 76% in 2019 to only 24% in 2024, representing a massive decrease of over 68% in five years.

This is well below the 70% previously found in Chromium, making Android an excellent example of how a large project can gradually and methodically move to a safe territory without breaking backward compatibility. Google says it achieved this result by prioritizing new code to be written in memory-safe languages like Rust, minimizing the introduction of new flaws with time. Read the full story.

European digital rights group NOYB (None Of Your Business) has filed a privacy complaint with the Austrian data protection watchdog (DSB) against Mozilla, alleging the company uses a Firefox privacy feature (enabled without consent) to track users’ online behavior.

The feature, called “Privacy-Preserving Attribution” (PPA) and jointly developed with Meta (formerly Facebook), was announced in February 2022 and was automatically enabled in Firefox version 128, released in July. NOYB’s complaint claims that, despite its name, Mozilla uses the feature to track Firefox user behavior across websites. Read the full story.

The Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) has reported a data breach to the HHS that has affected 3,112,815 individuals. The data breach was the same one the CMS and Wisconsin Physicians Service Insurance Corporation (WPS) announced earlier this month – the exploitation of a zero-day vulnerability in the MOVEit Transfer solution by the Clop group in a mass exploitation event in May 2023, as detailed in the post below. In the announcement, the CMS and WPS stated that notifications were being issued to 946,801 individuals. Read the full story.

The hacker behind July’s $230 million WazirX hack has nearly finished laundering the stolen funds, using Tornado Cash to obscure the transactions. Just $6 million worth of ether is left. In July, WazirX was hit by a security breach in one of its multisig wallets, causing over $100 million in shiba inu (SHIB) and $52 million in ether, among other assets, to be drained from the exchange.

The hacker moved just over $50 million worth of tokens to Tornado in August and stepped up activity in September, as the chart below shows. The latest movement was a 3,792 ETH ($10 million) transfer to a wallet early on Wednesday. Read the full story.

The DragonForce ransomware group emerged in August 2023, deploying a variant based on LockBit 3.0, a notorious ransomware strain. However, by July 2024, the group introduced a second variant, initially claimed to be their original creation but later found to be a fork of ContiV3 ransomware. Both variants are deployed in the group’s attacks on companies.

With its RaaS affiliate program, launched on June 26, 2024, DragonForce ransomware offers attackers the ability to personalize ransomware payloads. Read the full story.

Victims have yet to receive any compensation after a document was mistakenly published in 2023 containing data belonging to members of the Police Service of Northern Ireland (PSNI); however, fresh reports say damages in the case could reach up to £240 million ($320.9 million).

In the incident, the names of all serving PSNI officers, plus their rank and location/department, were mistakenly included in a publicly available Freedom of Information (FoI) response. Read the full story.

A massive leak has exposed 95 million records belonging to French citizens. The compromised phone numbers, email addresses, and partial payment information leave them vulnerable to targeted cyberattacks. An unknown actor is hoarding personal information from French data breaches and compiling it in one database.

The records were found in an exposed Elasticsearch instance; Elasticsearch is a tool for data analytics and search in near real time. The instance, accessible to anyone without authorization, stood out due to a massive index with a mysterious name, “vip-v3.” It contained 95,350,331 documents from at least 17 data breaches and had a total size of 30.1GB. Read the full story.

A vulnerability has been discovered in the TeamViewer Remote clients for Windows that allows local privilege escalation on a Windows system. The issue is being tracked as CVE-2024-7479 and CVE-2024-7481, with a CVSS score of 8.8. To exploit it, an attacker needs local access to the Windows system.

The vulnerability has been fixed in version 15.58.4 and additional versions listed below. TeamViewer recommends updating to the latest available version and credits the Trend Micro Zero Day Initiative with the discovery and responsible disclosure. Read the advisory here.

AutoCanada is warning that employee data may have been exposed in an August cyberattack claimed by the Hunters International ransomware gang. Although the firm says it has detected no fraud campaigns targeting impacted individuals, it is sending notifications to alert affected people of potential risks.

In mid-August, the car dealership company disclosed that it had to take specific internal IT systems offline to contain a cyberattack, leading to operational disruptions. While the firm published no further information or updates, the ransomware gang Hunters International claimed the attack with a post on their extortion portal on September 17. Read the full story.

Transportation and logistics companies in North America are the target of a new phishing campaign that delivers a variety of information stealers and remote access trojans (RATs). The activity cluster, per Proofpoint, makes use of compromised legitimate email accounts belonging to transportation and shipping companies so as to inject malicious content into existing email conversations.

As many as 15 breached email accounts have been identified as used as part of the campaign. It’s currently not clear how these accounts are infiltrated in the first place or who is behind the attacks. Read the full story.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting Ivanti Virtual Traffic Manager (vTM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability in question is CVE-2024-7593 (CVSS score: 9.8), which could be exploited by a remote unauthenticated attacker to bypass the authentication of the admin panel and create rogue administrative users. Read the full story.

Taiwan has dismissed Chinese allegations that its military sponsored a recent wave of anti-Beijing cyber attacks.

China’s Ministry of State Security made the allegations on Monday using its official WeChat channel. The Ministry alleged that a group called Anonymous64 was “trying to obtain control authority over portal websites, outdoor electronic screens, network television, etc.” in mainland China, Hong Kong and Macao, to display content critical of China’s system of government.

According to Taiwan’s Ministry of National Defense the mainland’s accusations are “not true.” Read the full story.

European auto resellers are violating the continent’s tough data privacy laws, according to a new study that found four out of five cars resold in Germany, the U.K. and Italy are hitting the market with prior drivers’ personal data stored and easily accessible.

One-third of customers can find stored location data and home addresses in resold vehicles and about half can access prior owners’ call logs and text messages, according to a white paper published Tuesday by the industry watchdog Privacy4Cars. The study is largely based on an audit of hundreds of vehicles resold by dozens of dealers. Out of 46 dealers the watchdog sent an undercover shopper to, 35 said they always delete personal data. However, the shopper found prior owners’ stored data in 40 out of 70 test drives at those dealerships. Read the full story.

Senior Vice President of Counter Adversary Operations Adam Meyers appeared before the US House Homeland Security Cybersecurity and Infrastructure Protection subcommittee to answer questions about the events leading up to the July 19th global tech outage.

The cybersecurity firm’s threat intelligence leader explained that an untested content configuration update for its Falcon Sensor security software was the trigger behind the meltdown of 8.5 million computers around the world. “We are deeply sorry this happened and we are determined to prevent this from happening again,” Meyers said. Read the full story.

Arkansas City, a small city in Kansas, says its water treatment facility was forced to switch to manual operations while a cybersecurity incident is being resolved. The incident, described by local media as a cyberattack, was discovered on the morning of September 22 and led to precautionary measures being taken “to ensure plant operations remained secure”, the city announced in an incident notice.

“Despite the incident, the water supply remains completely safe, and there has been no disruption to service. Out of caution, the water treatment facility has switched to manual operations while the situation is being resolved,” the city manager Frazer said. Read the full story.

HP has intercepted an email campaign comprising a standard malware payload delivered by an AI-generated dropper. The use of gen-AI on the dropper is almost certainly an evolutionary step toward genuinely new AI-generated malware payloads.

In June 2024, HP discovered a phishing email with the common invoice themed lure and an encrypted HTML attachment; that is, HTML smuggling to avoid detection. The attacker implemented the AES decryption key in JavaScript within the attachment. The decrypted attachment opens with the appearance of a website but contains a VBScript and the freely available AsyncRAT infostealer. The VBScript is the dropper for the infostealer payload. Read the full story.
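The HTML-smuggling technique described above (an encrypted payload carried inside the attachment, the AES decryption routine embedded in its JavaScript, and the result written out as a dropper) leaves traits a mail gateway or sandbox can look for. The following triage heuristic is an added illustration, not HP's code; the "smuggled" and "benign" invoice attachments are constructed samples, and the weights and threshold are assumptions a practitioner would tune.

```python
"""Heuristic triage of HTML e-mail attachments for HTML-smuggling traits.

Added example for the HP story; not HP's tooling. Flags attachments that
carry a large embedded blob together with client-side decryption and
code that materialises the decrypted bytes as a downloadable file.
"""
import base64
import re
from dataclasses import dataclass, field

# (indicator name, pattern, weight). Weights are an assumption for illustration.
INDICATORS = [
    ("webcrypto_aes",
     re.compile(r"crypto\.subtle\.(?:importKey|decrypt)|['\"]AES-(?:CBC|GCM|CTR)['\"]", re.I), 3),
    ("cryptojs_aes", re.compile(r"CryptoJS\.AES\.decrypt", re.I), 3),
    ("base64_decode", re.compile(r"\batob\s*\(", re.I), 1),
    ("blob_materialise",
     re.compile(r"new\s+Blob\s*\(|URL\.createObjectURL|msSaveOrOpenBlob", re.I), 2),
    ("forced_download",
     re.compile(r"\.download\s*=|setAttribute\(\s*['\"]download['\"]", re.I), 2),
    ("script_extension", re.compile(r"\.(?:vbs|js|hta|iso|zip)['\"]", re.I), 2),
]


@dataclass
class Verdict:
    indicators: list = field(default_factory=list)
    score: int = 0
    largest_blob: int = 0
    suspicious: bool = False


def triage_attachment(html: str, min_blob_len: int = 128, threshold: int = 6) -> Verdict:
    """Score an HTML attachment; `suspicious` is True when score >= threshold."""
    v = Verdict()
    for name, pattern, weight in INDICATORS:
        if pattern.search(html):
            v.indicators.append(name)
            v.score += weight
    # A long base64 run is the smuggled payload. Legitimate mail can carry
    # data: URI images, so this alone is weak evidence and is weighted low.
    blobs = re.findall(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_blob_len, html)
    if blobs:
        v.largest_blob = max(len(b) for b in blobs)
        v.indicators.append("embedded_blob")
        v.score += 2
    v.suspicious = v.score >= threshold
    return v


# Constructed sample: an invoice-themed lure whose script decrypts an embedded
# blob with WebCrypto AES and saves it as a .vbs file. The ciphertext is a
# placeholder string, not real malware, and the key is made up.
PAYLOAD_B64 = base64.b64encode(b"CONSTRUCTED-CIPHERTEXT-PLACEHOLDER " * 8).decode()
SMUGGLED_SAMPLE = f"""<html><body>
<h1>Invoice #4471</h1><p>Your document is being prepared...</p>
<script>
const key = "3f9c1e2d4b5a6978";  // constructed key, not from any campaign
const enc = "{PAYLOAD_B64}";
async function run() {{
  const k = await crypto.subtle.importKey("raw", new TextEncoder().encode(key),
                                          "AES-CBC", false, ["decrypt"]);
  const raw = Uint8Array.from(atob(enc), c => c.charCodeAt(0));
  const plain = await crypto.subtle.decrypt({{name: "AES-CBC", iv: raw.slice(0, 16)}},
                                            k, raw.slice(16));
  const blob = new Blob([plain], {{type: "application/octet-stream"}});
  const a = document.createElement("a");
  a.href = URL.createObjectURL(blob); a.download = "Invoice_4471.vbs"; a.click();
}}
run();
</script></body></html>"""

# Constructed benign sample: a plain invoice with a cosmetic inline script.
BENIGN_SAMPLE = """<html><body><h1>Invoice #4471</h1>
<table><tr><td>Total</td><td>EUR 1,240.00</td></tr></table>
<script>document.querySelector("h1").style.color = "#333";</script>
</body></html>"""


if __name__ == "__main__":
    for label, sample in (("smuggled", SMUGGLED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        v = triage_attachment(sample)
        print(f"{label}: suspicious={v.suspicious} score={v.score} "
              f"blob={v.largest_blob} indicators={v.indicators}")
```

In practice the decoded blob would be handed to a sandbox or file-type scanner next; the heuristic only decides which attachments are worth that cost.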

According to recent data from Check Point Research, the global weekly average number of attacks per organization within the healthcare industry has increased by 32% over the same period last year, reaching a staggering 2,018 per week. According to Check Point’s report, Europe experienced fewer weekly attacks, at an average of 1,686, while North America, with 1,607 weekly attacks and a 20% increase, remains a prime target due to the wealth of sensitive patient data. Read the full story.

The audit and consulting giant Deloitte has confirmed being aware of the claims of a purported data breach, and a statement provided to SecurityWeek suggests that the company did indeed suffer a data breach, but that the impact is limited. “Our investigation has found no threat to client data or other sensitive data related to this incident,” Deloitte said in an emailed statement. Read the full story.

A newly discovered vulnerability in Apache Tomcat, identified as CVE-2024-38286, has raised significant concerns among cybersecurity experts. This flaw allows attackers to trigger a Denial of Service (DoS) attack by exploiting the TLS handshake process.

The vulnerability, classified as “Important” in severity, affects several versions of Apache Tomcat. The Apache Software Foundation, the vendor behind Tomcat, has confirmed that an attacker can cause an OutOfMemoryError by abusing the TLS handshake process under certain configurations on any platform. Read the full story.

One of India’s most popular podcast and audiobook platforms, KukuFM, left a publicly accessible instance and exposed more people than the entire population of Poland. Worryingly, even after the company was notified, it took no steps to secure the data.

Mumbai-headquartered KukuFM left an open Kibana instance exposing over 38 million of the platform’s users, the Cybernews research team has discovered. As late as September 20th, the same Kibana instance was still open to the public, continuing to leak KukuFM’s user data. When the team first discovered the instance, 29 million records were exposed. Read the full story.

Pro-Russia hacker groups have claimed responsibility for disrupting dozens of Austrian websites ahead of the country’s general election later this month. The groups, known as NoName057(16) and OverFlame, said they launched distributed denial-of-service (DDoS) attacks on websites for the Austrian government, airports, financial services entities and a stock exchange. 

Researchers at the cybersecurity firm Radware reported that the campaign began early last week and is still ongoing. The incidents have not caused any long-term damage to their targets. DDoS campaigns attempt to overload websites with junk traffic and cause outages. Read the full story.

A class action lawsuit against CorrectCare Integrated Health LLC (CorrectCare) over a 2022 data breach that affected around 600,000 individuals has been settled for $6.49 million. The settlement has recently been granted final approval by the court.

In July 2022, CorrectCare identified a misconfiguration on its web server. The misconfiguration meant sensitive data was exposed over the Internet from January 22, 2022, to July 7, 2022. The exposed data included names, dates of birth, inmate numbers, and limited health information, including diagnosis codes, CPT codes, treatment providers, dates of treatment, and for some individuals, Social Security numbers. Read the full story.

On August 19, 2024, a group of cybercriminals identified as Greavys (Malone Iam), Wiz (Veer Chetal), and Box (Jeandiel Serrano) allegedly conducted a phishing operation targeting a victim in Washington, D.C.

The attackers, posing as support personnel from Google and Gemini, tricked the victim into resetting two-factor authentication (2FA) and transferring funds to a compromised wallet. The group further exploited the victim using the remote access software AnyDesk to reveal private keys stored in the victim’s Bitcoin Core wallet.

ZachXBT (@ZachXBT) provided transaction hashes that tracked the flow of Bitcoin, confirming that 59.34 BTC and 14.88 BTC were stolen during the attack, followed by the transfer of a massive 4,064 BTC, worth $243 million at the time, which was quickly split among the attackers. Read the full story.

Google said it has recently been contacted by several major U.S. companies that discovered they had unknowingly hired North Koreans using fake identities for remote IT roles.

In a report published Monday by the company’s Mandiant unit, researchers describe a common scheme orchestrated by the group it tracks as UNC5267, which has been active since 2018. In most cases, the IT workers “consist of individuals sent by the North Korean government to live primarily in China and Russia, with smaller numbers in Africa and Southeast Asia.” Read the full story.

A “cybersecurity issue” has shut down MoneyGram’s systems and payment services since Friday, and the fintech leader has yet to update customers as to when it expects to have its global money transfer services back up and running. The downed services reportedly include in-person payments as well as online transactions. 

After initially alerting customers via X/Twitter on Saturday, and describing the problem as a “network outage impacting connectivity to a number of our systems,” the financial technology firm disclosed on Monday that the outage was due to some sort of digital intrusion. Read the full story.

In a surprise move, Kaspersky customers in the United States have discovered that their antivirus software has been automatically replaced with a new antivirus solution called UltraAV. This transition comes after the U.S. Department of Commerce banned Kaspersky from selling or updating certain antivirus products in the United States due to alleged national security risks.

“Kaspersky, in partnership with UltraAV, has worked to ensure that customers maintain the high standards of security and privacy they have come to expect. UltraAV offers comparable features, including industry-leading antivirus protection, premium VPN, password manager, and identity theft protection,” reads the official notice. Read the full story.

The popular messaging service Telegram has updated its terms of service to discourage “bad actors” from “jeopardizing the integrity” of the platform, according to its founder Pavel Durov.

Durov said on Monday that Telegram will now disclose the IP addresses and phone numbers of users who violate the app’s rules to relevant authorities “in response to valid legal requests.” Read the full story.

A county in Kansas warned regulators last week that a ransomware attack earlier this year leaked personal data found in county records. Franklin County, which is about an hour outside of Kansas City, warned 29,690 residents on Friday that hackers breached the County Clerk’s Office on May 19 and took data from the network. 

On May 20, the county said it “discovered and responded to a ransomware attack” that required them to contact cybersecurity experts and federal law enforcement. The county informed the public on July 19 that it was investigating the incident. That investigation concluded nearly a month later and determined that the hackers gained access to the county poll book records, which contained names, Social Security numbers, driver’s license numbers, financial account numbers and medical information. Read the full story.

A hacking forum post has surfaced, claiming that Oracle Corporation, a leading multinational computer technology company, has suffered a data breach. The alleged breach reportedly occurred in September 2024 and involved the exposure of 4,002 rows of employee information. The post by a user with the handle “888” on BreachForums suggests that the breach resulted from a third-party vulnerability. Read the full story.

Cyble Research and Intelligence Labs (CRIL) has identified a stealthy Android spyware campaign specifically targeting individuals in South Korea. Active since June 2024, this malware exploits an Amazon AWS S3 bucket as its Command and Control (C&C) server, facilitating the exfiltration of sensitive personal data, including SMS messages, contacts, images, and videos.

Alarmingly, the data exfiltrated from infected devices is stored openly on the Amazon AWS S3 bucket, allowing easy access by the attackers. Read the full story.

BingX confirmed that on September 20th, it detected “abnormal network access, potentially indicating a hacker attack on BingX’s hot wallet.”

“We immediately implemented emergency measures, including urgent transfer of assets and a temporary suspension of withdrawals. There has been minor asset loss, but the amount is small and is currently being calculated,” the crypto platform said. It appears that the company is offering a generous bounty for returning the funds. According to Bitrace, the BingX team sent a message to the hacker, promising a 10% bug bounty. Read the full story.

Hackers claim a second Dell data breach within a week, exposing sensitive internal files via compromised Atlassian tools. The same hacker behind the original breach is now claiming that Dell has been “breached again,” suggesting a larger ongoing issue.

According to the hacker, the breach contains data related to Jira files, database tables, and schema migrations, amounting to a total of 3.5 GB of uncompressed data. The hackers claim to have gained access by compromising Dell’s Atlassian software suite, including Jenkins and Confluence, widely used tools for software development and collaboration. Read the full story.

LinkedIn recently began harnessing its users’ content and data to train artificial intelligence models, opting all platform participants into the program without formal notice — except for users in the United Kingdom and Europe. On Friday, an official with the U.K.’s data privacy watchdog, the Information Commissioner’s Office (ICO), released a statement indicating the regulator had engaged with LinkedIn to stop the feature from being rolled out in Britain.

“We are pleased that LinkedIn has reflected on the concerns we raised about its approach to training generative AI models with information relating to its UK users,” Stephen Almond, executive director of regulatory risk at the ICO, said in the statement. Read the full story.

A suspected advanced persistent threat (APT) originating from China targeted a government organization in Taiwan, and possibly other countries in the Asia-Pacific (APAC) region, by exploiting a recently patched critical security flaw impacting OSGeo GeoServer GeoTools.

“Based on the collected phishing emails, decoy documents, and observations from incidents, it appears that the targets are primarily government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand,” researchers Ted Lee, Cyris Tseng, Pierre Lee, Sunny Lu, and Philip Chen said. Read the full story.

Apple’s recent release of macOS 15, also known as Sequoia, has been causing significant disruptions to various security tools designed by prominent cybersecurity companies such as CrowdStrike, SentinelOne, Microsoft, and others. The problem seems to stem from changes in the network stack of macOS Sequoia. CrowdStrike, for instance, had to delay support for the new OS version due to these issues. Read the full story.

Software suppliers who ship buggy, insecure code are the true baddies in the cyber crime story, Jen Easterly, boss of the US government’s Cybersecurity and Infrastructure Security Agency, has argued.

“The truth is: Technology vendors are the characters who are building problems” into their products, which then “open the doors for villains to attack their victims,” declared Easterly during a Wednesday keynote address at Mandiant’s mWise conference.

“Despite a multi-billion-dollar cyber security industry, we still have a multi-trillion-dollar software quality issue leading to a multi-trillion-dollar global cyber crime issue,” Easterly lamented. Read the full story.

Singaporean crypto platform BingX said Friday that more than $44 million was stolen from their platform in a cyberattack. 

Blockchain security firms began seeing millions flow out of the platform Thursday night before the company posted a message on social media about a shutdown related to “wallet maintenance.” The company quickly released a longer statement saying the disruption was triggered after the company “detected abnormal network access, potentially indicating a hacker attack on BingX’s hot wallet.” Read the full story.

Almost half of cyberattacks in the European Union are denial of service attacks (DDoS), putting NoName057 at the top of the most active threat actors’ list. Ransomware is the next most active threat, followed by data breaches, which now mostly happen in the cloud, according to a new report by the European Union Agency for Cybersecurity (ENISA).

The organization has seen “a significant increase” in cybersecurity events in the EU. From July 2023 to June 2024, the top threats were attacks against availability (DDoS) and ransomware. The EU suffered a total of 4,120 attacks that could be attributed to various types of denial of service (DoS, DDoS, RDoS). That’s 41.1% of total cyberattacks analyzed in the Threat Landscape report by ENISA.

Ransomware’s share was 25.8%, which corresponds to 2,590 attacks, followed by 1,910 data incidents (19%). Read the full story.

A hacktivist group known as Twelve has been observed using an arsenal of publicly available tools to conduct destructive cyber attacks against Russian targets. “Rather than demand a ransom for decrypting data, Twelve prefers to encrypt victims’ data and then destroy their infrastructure with a wiper to prevent recovery,” Kaspersky said in a Friday analysis.

Kaspersky said Twelve shares infrastructural and tactical overlaps with a ransomware group called DARKSTAR (aka COMET or Shadow), raising the possibility that the two intrusion sets are related to one another or part of the same activity cluster. Read the full story.

The notorious threat actor IntelBroker has claimed responsibility for leaking internal communications from Deloitte, a leading global auditing firm. The breach reportedly occurred in September 2024, when an Apache Solr server was inadvertently exposed to the internet with default login credentials, allowing unauthorized access.

The compromised data includes email addresses, internal settings, and communications between intranet users. IntelBroker, who is associated with the BreachForums community, shared proof of access to these sensitive communications on the platform. Read the full story.

A critical vulnerability in MediaTek Wi-Fi chipsets, commonly used in embedded platforms supporting Wi-Fi 6 (802.11ax), has been discovered, allowing attackers to launch remote code execution (RCE) attacks without any user interaction.

This 0-click vulnerability, CVE-2024-20017, affects a wide range of devices from manufacturers such as Ubiquiti, Xiaomi, and Netgear. The vulnerability resides in the wappd network daemon, a part of the MediaTek MT7622/MT7915 SDK and RTxxxx SoftAP driver bundle. Read the full story.

Cybernews exclusive research has revealed that a massive data leak at MC2 Data, a background check firm, affects a staggering number of US citizens. MC2 Data and similar companies run public records and background check services.

Cybernews research reveals that the company left a database with 2.2TB of people’s data passwordless and easily accessible to anyone on the internet. What was likely to be a human error exposed 106,316,633 records containing private information about US citizens, raising serious concerns about privacy and safety. Read the full story.

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to write about Cyber-security events and stories, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.