Thursday, November 16th, 2023

Cybersecurity Week in Review (17/11/2023)

Ransomware Group Files SEC Complaint Over Victim’s Failure to Disclose Data Breach

A notorious ransomware group has filed a complaint with the US Securities and Exchange Commission (SEC) over the failure of a victim to disclose an alleged data breach resulting from an attack conducted by the cybercrime gang itself.

The ransomware group known as both Alphv and BlackCat claims to have breached the systems of MeridianLink, a California-based company that provides digital lending solutions for financial institutions and data verification solutions for consumers.

The cybercriminals claim to have stolen a significant amount of customer data and operational information belonging to MeridianLink, and they are threatening to leak it unless a ransom is paid.

In an apparent effort to increase its chances of getting paid, the malicious hackers claim to have filed a complaint with the SEC against MeridianLink, accusing the company of failing to disclose the breach within four business days, as required by rules announced by the agency in July. 

BlackCat published screenshots on its leak website on November 15 to show that the complaint has been filed and received by the SEC. This appears to be the first time a ransomware group has filed an SEC complaint against one of its victims. 

The hackers stated that the attack against MeridianLink — which allegedly did not involve file-encrypting ransomware, only data theft — was conducted on November 7 and it was discovered the same day. 

However, MeridianLink said that the intrusion occurred on November 10.

“Upon discovery on the same day, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident. Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption,” the company said, adding that it cannot share further details due to its ongoing investigation. 

It’s worth pointing out that the new SEC data breach disclosure rules will only go into effect in mid-December 2023. In addition, companies will be required to notify the SEC within four business days of determining that a cybersecurity incident is material to investors, which, based on MeridianLink’s statement, has yet to happen.

BlackCat has been one of the most active ransomware operations and it’s not uncommon for the group to try new methods for convincing targets to pay up, including by setting up dedicated leak websites for individual victims. 

Source – https://www.securityweek.com/ransomware-group-files-sec-complaint-over-victims-failure-to-disclose-data-breach/

Toyota Financial Services Attack Claimed by Medusa Ransomware

Toyota Financial Services (TFS), the Japanese automaker’s vehicle financing and leasing subsidiary, was recently hit by a disruptive cyberattack. The Medusa ransomware gang has just taken responsibility for it.

Earlier this week, TFS Europe & Africa said the company “identified unauthorized activity on systems,” which forced the company to take some systems offline.

“We are working diligently to get systems back online as soon as possible, and we regret any inconvenience caused to our customers and business partners,” TFS said, adding that the incident is limited to Europe & Africa.

While the company did not identify the nature of the attack, TFS was likely hit with ransomware, as it’s been listed on the dark web leak site that Medusa uses to showcase its latest victims.

The attackers claim to have breached TFS’s Germany branch. The gang included data supposedly taken from TFS servers, such as leasing contracts, email addresses, usernames and passwords, passport details, and other sensitive data.

TFS is a financial subsidiary of the Toyota Motor Corporation, the world’s largest automaker. TFS provides auto loans, leases, and other financial services to Toyota customers on every continent.

Medusa’s dark web blog post suggests that the gang demands $8 million to delete the data allegedly stolen from TFS. Earlier this week, Medusa said it had hit the prominent Canadian fintech Moneris. However, the company told Cybernews that the attackers had only “attempted” an attack and did not succeed.

The Medusa ransomware gang began operating around the end of 2022 and has been consistently active. According to Ransomlooker, a Cybernews ransomware monitoring tool, Medusa has attacked at least 119 organizations over the past 12 months.

Medusa ransomware is believed to be operating under the Ransomware-as-a-Service (RaaS) model, where threat actors with limited technical skill use malware devised by sophisticated developers. Affiliates later share ransom money with the developers.

Source – https://cybernews.com/news/toyota-financial-services-attack-ransomware/

Samsung Hit by New Data Breach Impacting UK Store Customers

Samsung Electronics is notifying some of its customers of a data breach that exposed their personal information to an unauthorized individual. The company says that the cyberattack impacted only customers who made purchases from the Samsung UK online store between July 1, 2019, and June 30, 2020.

Samsung discovered the data breach three days ago, on November 13, and determined that it was the result of a hacker exploiting a vulnerability in a third-party application the company used. No details have been provided about the security issue leveraged in the attack or the vulnerable application that enabled the attacker to access Samsung customers’ personal information.

The notification to customers says that exposed data may include names, phone numbers, postal and email addresses. The company underlines that credentials or financial information remains unaffected by the incident.

A Samsung spokesperson stated that the company was recently alerted of a cybersecurity incident that is limited to the UK region and does not affect data belonging to customers in the U.S., employees, or retailers.

“We were recently alerted to a cybersecurity incident, which resulted in certain contact information of some Samsung UK e-store customers being unlawfully obtained. No financial data, such as bank or credit card details, or customer passwords, were impacted. The incident is limited to the UK and does not affect U.S. customers, employees or retailer data” – Samsung

The company has taken all necessary steps to address the security issue, the representative said, adding that the incident has also been reported to the UK’s Information Commissioner’s Office.

This is the third data breach Samsung has suffered in two years. The previous one occurred in late July 2023 and was discovered on August 4, when hackers accessed and stole Samsung customers’ names, contacts and demographic information, dates of birth, and product registration data.

In March 2023, the data extortion group Lapsus$ breached Samsung’s network and stole confidential information, including source code for Galaxy smartphones.

Samsung confirmed that “certain internal data” had fallen into the hands of an unauthorized party after Lapsus$ leaked about 190GB of archived files along with a description of the contents.

Source – https://www.bleepingcomputer.com/news/security/samsung-hit-by-new-data-breach-impacting-uk-store-customers/

FBI and CISA Warn of Opportunistic Rhysida Ransomware Attacks

The FBI and CISA warned today of the Rhysida ransomware gang’s opportunistic attacks targeting organizations across multiple industry sectors. Rhysida, a ransomware enterprise that surfaced in May 2023, quickly gained notoriety after breaching the Chilean Army (Ejército de Chile) and leaking stolen data online.

Recently, the US Department of Health and Human Services (HHS) also warned that the Rhysida gang was responsible for recent assaults on healthcare organizations.

Today’s joint cybersecurity advisory provides defenders with indicators of compromise (IOCs), detection info, and Rhysida tactics, techniques, and procedures (TTPs) discovered during investigations as of September 2023.

“Threat actors leveraging Rhysida ransomware are known to impact ‘targets of opportunity,’ including victims in the education, healthcare, manufacturing, information technology, and government sectors,” the two agencies noted.

“Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates.”

Rhysida attackers have also been detected hacking into external-facing remote services (like VPNs that allow enterprise users to access company assets from external locations) using stolen credentials to establish initial access and maintain a presence within victims’ networks.

This was possible when targeting organizations that didn’t have Multi-Factor Authentication (MFA) enabled by default across their environment.

Furthermore, Rhysida malicious actors are known for phishing attacks and exploiting Zerologon (CVE-2020-1472), a critical vulnerability enabling Windows privilege escalation within Microsoft’s Netlogon Remote Protocol.

The FBI and CISA add that affiliates associated with the Vice Society ransomware group, tracked by Microsoft as Vanilla Tempest or DEV-0832, have transitioned to using Rhysida ransomware payloads during their attacks.

Network defenders are advised to apply mitigations outlined in today’s joint advisory to minimize the likelihood and severity of ransomware incidents like Rhysida.

At the very least, it is crucial to prioritize patching vulnerabilities under active exploitation, enabling MFA across all services (particularly for webmail, VPN, and critical system accounts), and using network segmentation to block lateral movement attempts.

Source – https://www.bleepingcomputer.com/news/security/fbi-and-cisa-warn-of-opportunistic-rhysida-ransomware-attacks/

PJ&A says Cyberattack Exposed Data of Nearly 9 million Patients

PJ&A (Perry Johnson & Associates) is warning that a cyberattack in March 2023 exposed the personal information of almost nine million patients. PJ&A provides medical transcription services to healthcare organizations in the United States.

The company said the threat actors breached its network and had access between March 27 and May 2, 2023. Its investigation revealed that the following information had been exposed to the threat actors:

  • Full name
  • Date of birth
  • Medical record number
  • Hospital account number
  • Admission diagnosis
  • Date and time of service
  • Social Security numbers (SSNs)
  • Insurance information
  • Medical transcription files (lab and diagnostic test results)
  • Medication details
  • Treatment facility and healthcare provider names


PJ&A began sending notices of a data breach on October 31, 2023, to alert impacted individuals that their sensitive healthcare information had been compromised. The data exposed for each person varies depending on what information they provided to the healthcare services and the type of treatment they received. The information accessed by the unauthorized party does not include financial information or account credentials.

The exact number of people affected by this cyber-incident remained unknown until PJ&A submitted the relevant information to the breach portal of the U.S. Department of Health and Human Services Office for Civil Rights, which now confirms the number to be 8,952,212 patients.

Previously, Chicago’s largest healthcare provider, Cook County Health (CCH), notified 1.2 million patients that their medical records had been breached in the PJ&A incident, announcing that it would terminate its relationship with the vendor as a result.

Yesterday, Northwell Health, New York’s largest healthcare provider, announced it suffered an indirect data breach resulting from the PJ&A network compromise. The notification states that Northwell data was stolen between April 7 and April 19.

The number of impacted individuals who received care in Northwell Health’s clinics and had their sensitive information exposed in this incident surpasses 3.8 million.

This means another four million people whose medical data was exposed through other healthcare providers have not been notified yet.

Source – https://www.bleepingcomputer.com/news/security/pj-and-a-says-cyberattack-exposed-data-of-nearly-9-million-patients/

Pharmacy Provider Truepill Data Breach Hits 2.3 Million Customers

Postmeds, doing business as ‘Truepill,’ is sending notifications of a data breach informing recipients that threat actors accessed their sensitive personal information.

Truepill is a B2B-focused pharmacy platform that uses APIs for order fulfillment and delivery services for direct-to-consumer (D2C) brands, digital health companies, and other healthcare organizations across all 50 states in the U.S.

Regarding the number of impacted individuals, according to the U.S. Department of Health and Human Services Office for Civil Rights breach portal, the incident impacted 2,364,359 people.

The letter states that the company discovered unauthorized network access on August 31, 2023. The investigation of the incident revealed that the attackers had gained access a day before.

The data types that might have been accessed by the threat actors include:

  • Full name
  • Medication type
  • Demographic information
  • Name of prescribing physician


The above information increases the risks of phishing and social engineering attacks. The notice clarifies that Social Security numbers (SSNs) were not in the exposed data set.

Some of the people receiving the data breach notices were somewhat puzzled, claiming they had never heard of the company and were unsure how their data got to Truepill.

The far-reaching impact of the incident may lead to legal consequences as multiple class action lawsuits are being prepared across the country, arguing that the breach would have been prevented if Postmeds maintained a better security stance compatible with the industry guidelines.

Specifically, Postmeds is blamed for not encrypting sensitive healthcare information stored on its servers, which would significantly lessen the impact of a data breach. The delay in notifying consumers may also be part of the possible lawsuits, as the firm took more than two months to inform affected persons.

During that time, some of the impacted people observed suspicious activity on their Venmo accounts, and confirmed later that their personal data had been posted on the dark web.

The content of the notices is also criticized for being too vague, not providing details about how the intruders gained access to the firm’s systems, and lacking any protection guidance for the recipients and identity theft protection service coverage.

One of the law firms leading a litigation motion against Postmeds reports that the leaked data also includes addresses, dates of birth, medical treatment information, diagnosis information, and health insurance information, which aren’t mentioned in the firm’s notice.

Source – https://www.bleepingcomputer.com/news/security/pharmacy-provider-truepill-data-breach-hits-23-million-customers/

Royal Ransomware Possibly Rebranding After Targeting 350 Organizations Worldwide

The Royal ransomware gang has targeted at least 350 organizations worldwide, with their ransom demands exceeding $275 million, and the cybercriminals may be preparing to rebrand their operation, the US cybersecurity agency CISA and the FBI say in an updated alert.

Active since at least September 2022, Royal has been used in attacks against entities in critical infrastructure, education, healthcare, and manufacturing sectors, making ransom demands ranging between $1 million and $11 million, in Bitcoin.

In March 2023, CISA and the FBI issued an alert on the Royal ransomware operation, urging organizations to implement security best practices to protect their environments against Royal and other ransomware attacks.

On Monday, the two US agencies updated their advisory to provide additional indicators of compromise (IoCs) associated with Royal attacks, and to update the list of observed tactics, techniques, and procedures (TTPs).

The update also warns of a potential rebranding of the operation, or at least a spin-off, pointing out that “Blacksuit ransomware shares a number of identified coding characteristics similar to Royal.”

Believed to be operated by a private group, rather than a ransomware-as-a-service (RaaS) operation, Royal typically relies on phishing for initial access.

The group was also seen abusing remote desktop protocol (RDP), exploiting vulnerabilities in web-facing assets, and leveraging initial access brokers to get into victims’ networks.

Post-exploitation, the threat actors use various tools for persistence, lateral movement, and data harvesting and exfiltration. Prior to deploying file-encrypting ransomware, they also delete shadow copies to prevent victims from restoring their data.

CISA and the FBI also warn that the Royal ransomware gang publishes victim data on its leak site, if a ransom is not paid.

“Royal ransomware attacks have spread across numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, healthcare and public healthcare (HPH), and education. CISA encourages network defenders to review the updated CSA and to apply the included mitigations,” the cybersecurity agency notes.

In December last year, Royal was linked to the infamous Conti ransomware group and described as a rebranded version of Zeon ransomware, which had previously been associated with one of the groups distributing Conti.

Also in December, the US Department of Health and Human Services (HHS) warned healthcare organizations of Royal ransomware attacks.

Source – https://www.securityweek.com/royal-ransomware-possibly-rebranding-after-targeting-350-organizations-worldwide/

New Campaign Targets Middle East Governments with IronWind Malware

Government entities in the Middle East are the target of new phishing campaigns that are designed to deliver a new initial access downloader dubbed IronWind.

The activity, detected between July and October 2023, has been attributed to a threat actor tracked under the name TA402, which is also known as Molerats, Gaza Cyber Gang, and shares tactical overlaps with a pro-Hamas hacking crew known as APT-C-23 (aka Arid Viper).

Coinciding with the use of IronWind are consistent updates to its malware delivery mechanisms, using Dropbox links, XLL file attachments, and RAR archives to distribute IronWind. The use of IronWind is a shift from prior attack chains, which were linked to the propagation of a backdoor codenamed NimbleMamba in intrusions targeting Middle Eastern governments and foreign policy think tanks.

TA402’s latest campaigns are characterized by the use of a compromised email account belonging to the Ministry of Foreign Affairs to send phishing lures pointing to Dropbox links that facilitate the deployment of IronWind. The downloader is engineered to contact an attacker-controlled server to fetch additional payloads, including a post-exploitation toolkit called SharpSploit, following a multi-stage sequence.

Subsequent social engineering campaigns in August and October 2023 have been found to leverage XLL file and RAR archive attachments embedded in email messages to trigger the deployment of IronWind. Another notable tactic employed by the group is the reliance on geofencing techniques to complicate detection efforts.

The development comes as it was revealed that cybercriminals have been observed exploiting the “Release scores” feature of Google Forms quizzes to deliver email and orchestrate elaborate cryptocurrency scams, highlighting the creative methods threat actors resort to in order to meet their objectives.

Source – https://thehackernews.com/2023/11/new-campaign-targets-middle-east.html

22 Energy Firms Hacked in Largest Coordinated Attack on Denmark’s Critical Infrastructure

Hackers compromised 22 energy organizations in a coordinated attack against Denmark’s critical infrastructure, non-profit cybersecurity center for critical sectors SektorCERT reveals.

As part of the attack, which occurred in May 2023, the hackers compromised the victim organizations within a few days, making this the largest attack against Danish critical infrastructure to date. Hackers exploited multiple vulnerabilities in Zyxel firewalls for initial access, executing code and gaining complete control over the impacted systems.

On May 11, the threat actors targeted 16 Danish energy organizations in attacks exploiting CVE-2023-28771 (CVSS score of 9.8), a critical OS command execution vulnerability in Zyxel’s ATP, USG FLEX, VPN, and ZyWALL/USG firewalls that came to light in late April.

The attackers successfully compromised 11 organizations, executing commands on the vulnerable firewalls to obtain device configurations and usernames. All networks were secured by the end of the day.

A second wave of attacks, observed on May 22, involved new tools and exploitation of two zero-day vulnerabilities in Zyxel devices.

The bugs, tracked as CVE-2023-33009 and CVE-2023-33010, were patched on May 24. On the same day, the attackers started targeting multiple Danish energy firms with different payloads and exploits, and continued their assault on May 25 as well.

In at least one of the attacks, SektorCERT observed activity associated with Sandworm, a Russian state-sponsored advanced persistent threat (APT) actor linked to the country’s GRU military spy agency.

Throughout the campaign, some of the vulnerable firewalls were infected with a Mirai bot and were subsequently used in distributed denial-of-service (DDoS) attacks against entities in the US and Hong Kong.

Source – https://www.securityweek.com/22-energy-firms-hacked-in-largest-coordinated-attack-on-denmarks-critical-infrastructure/

New Ransomware Group Emerges with Hive’s Source Code and Infrastructure

The threat actors behind a new ransomware group called Hunters International have acquired the source code and infrastructure from the now-dismantled Hive operation to kick-start its own efforts in the threat landscape.

Hive, once a prolific ransomware-as-a-service (RaaS) operation, was taken down as part of a coordinated law enforcement operation in January 2023.

While it’s common for ransomware actors to regroup, rebrand, or disband their activities following such seizures, what can also happen is that the core developers can pass on the source code and other infrastructure in their possession to another threat actor.

Reports about Hunters International as a possible Hive rebrand surfaced last month after several code similarities were identified between the two strains. It has since claimed five victims to date.

The threat actors behind it, however, have sought to dispel these speculations, stating that they purchased the Hive source code and website from its developers.

The group appears to place a greater emphasis on data exfiltration. Notably, all reported victims had data exfiltrated, but not all of them had their data encrypted, making Hunters International more of a data extortion outfit.

Analysis of the ransomware sample reveals its Rust-based foundations, a fact borne out by Hive’s transition to the programming language in July 2022 for its increased resistance to reverse engineering.

As the new group adopts this ransomware code, it appears that they have aimed for simplification. They have reduced the number of command line parameters, streamlined the encryption key storage process, and made the malware less verbose compared to earlier versions.

The ransomware, besides incorporating an exclusion list of file extensions, file names, and directories to be omitted from encryption, runs commands to prevent data recovery and terminates a number of processes that could potentially interfere with encryption.

This group emerges as a new threat actor starting with a mature toolkit and appears eager to show its capabilities, but faces the task of demonstrating its competence before it can attract high-caliber affiliates.

Source – https://thehackernews.com/2023/11/new-ransomware-group-emerges-with-hives.html

DP World Cyberattack Blocks Thousands of Containers in Ports

A cyberattack on international logistics firm DP World Australia has severely disrupted the regular freight movement in multiple large Australian ports.

DP World has an annual revenue of over $10 billion and specializes in cargo logistics, port terminal operations, maritime services, and free trade zones. It is responsible for operating 82 marine and inland terminals in 40 countries. It handles about 70 million containers carried annually by 70,000 vessels, corresponding to roughly 10% of the global container traffic.

DP World has a significant presence in Australia, handling 40% of the nation’s container trade. It operates logistics terminals in the ports of Bing Bong, Fremantle, Brisbane, Sydney, and Melbourne.

According to a statement the firm shared, a cyberattack on Friday, November 10 disrupted landside freight operations at its ports. In response, the company activated its emergency plans and engaged with cybersecurity experts to overcome problems caused by the incident. It is currently testing key systems required to resume normal business operations.

Since Friday, roughly 30,000 shipping containers of varying importance and value have remained unmoved, filling the available storage space to the brim. At the moment, operations are being restored gradually.

The estimated damages are in the millions of dollars, as many of the stranded containers hold time-sensitive goods such as blood plasma, wagyu beef, and lobsters.

The media statement also mentions the possibility of data access and exfiltration. However, an internal investigation is still ongoing and has not confirmed this.

“A key line of inquiry in this ongoing investigation is the nature of data access and data theft,” reads the media statement.

“DP World Australia appreciates this development may cause concern for some stakeholders […and] is working hard to assess whether any personal information has been impacted, and has taken proactive steps to engage the Office of the Australian Information Commissioner,” – DP World Australia.

Data theft is typical in ransomware attacks as it puts more pressure on the victim to pay a ransom. At this time, the company did not make any statement about threat actors stealing files from its network.

Source – https://www.bleepingcomputer.com/news/security/dp-world-cyberattack-blocks-thousands-of-containers-in-ports/

New BiBi-Windows Wiper Targets Windows Systems in Pro-Hamas Attacks

Cybersecurity researchers have warned about a Windows version of a wiper malware that was previously observed targeting Linux systems in cyber attacks aimed at Israel.

Dubbed BiBi-Windows Wiper, the wiper is the Windows counterpart of BiBi-Linux Wiper, which has been put to use by a pro-Hamas hacktivist group in the wake of the Israel-Hamas war last month.

The actor behind the wiper is being tracked under the name BiBiGun. The Windows variant (bibi.exe) is designed to overwrite data in the C:\Users directory recursively with junk data and append “.BiBi” to the filename.

The BiBi-Windows Wiper artifact is said to have been compiled on October 21, 2023, two weeks after the onset of the war. The exact method by which it is distributed is currently unknown.

Besides corrupting all files with the exception of those with .exe, .dll, and .sys extensions, the wiper deletes shadow copies from the system, effectively preventing the victims from recovering their files. Another notable similarity with its Linux variant is its multithreading capability.
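Both the Royal item above and this BiBi-Windows item note that the malware deletes shadow copies before destroying or encrypting data, which is one of the few points in either chain where a defender gets a high-fidelity signal from ordinary process-creation telemetry. The following detector is an added example written for this page, not code from either vendor report or from the advisory; neither article names the commands used, so the rules assume the built-in Windows methods an analyst would normally cover (vssadmin, wmic, PowerShell WMI/CIM, and wbadmin catalog deletion), and the `key="value"` log format and all sample lines are constructed here for the demonstration.

```python
"""Flag shadow-copy deletion in a process-creation feed (added example).

Assumed input: one record per line in a constructed key="value" format with
host, user, parent and cmd fields, as you might export from Sysmon Event ID 1
or Windows Security event 4688. Rules are regular expressions over the full
command line, matched case-insensitively after whitespace normalisation.
"""
import re
from dataclasses import dataclass

# Rule name plus pattern. Each pattern is an assumption about tooling the
# page does not name; they cover the usual built-in Windows routes.
SHADOW_COPY_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    # Shrinking shadow storage also purges existing copies, so treat it alike.
    ("vssadmin_resize_storage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*/maxsize=", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_wmi_shadowcopy",
     re.compile(r"\b(Get-WmiObject|gwmi|Get-CimInstance)\b.*Win32_ShadowCopy.*"
                r"(\bRemove-WmiObject\b|\bRemove-CimInstance\b|\.Delete\(\))", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
]


@dataclass
class Alert:
    rule: str
    host: str
    user: str
    parent: str
    command_line: str


def parse_line(line):
    """Parse one constructed key="value" record into a dict."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', line)}


def match_shadow_copy_deletion(command_line):
    """Return the name of the first rule the command line matches, or None."""
    normalised = " ".join(command_line.split())
    for name, pattern in SHADOW_COPY_RULES:
        if pattern.search(normalised):
            return name
    return None


def scan(lines):
    """Run every record through the rules; keep parent process for triage."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        cmd = rec.get("cmd", "")
        rule = match_shadow_copy_deletion(cmd)
        if rule:
            alerts.append(Alert(rule, rec.get("host", "?"), rec.get("user", "?"),
                                rec.get("parent", "?"), cmd))
    return alerts


# Constructed sample feed for the demonstration; not real telemetry.
SAMPLE_LOG = [
    'host="WS-017" user="CORP\\jdoe" parent="explorer.exe" cmd="C:\\Windows\\System32\\notepad.exe C:\\Users\\jdoe\\notes.txt"',
    'host="WS-017" user="NT AUTHORITY\\SYSTEM" parent="svchost.exe" cmd="vssadmin.exe list shadows"',
    'host="WS-017" user="CORP\\jdoe" parent="cmd.exe" cmd="vssadmin.exe  Delete Shadows /All /Quiet"',
    'host="SRV-DB01" user="CORP\\svc_backup" parent="powershell.exe" cmd="powershell.exe -nop -w hidden Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"',
    'host="SRV-DB01" user="CORP\\svc_backup" parent="cmd.exe" cmd="wmic.exe shadowcopy delete /nointeractive"',
    'host="SRV-FS02" user="CORP\\admin" parent="cmd.exe" cmd="wbadmin delete catalog -quiet"',
    'host="SRV-FS02" user="CORP\\admin" parent="cmd.exe" cmd="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"',
]


def main():
    for a in scan(SAMPLE_LOG):
        print(f"[{a.rule}] {a.host} {a.user} parent={a.parent}: {a.command_line}")


if __name__ == "__main__":
    main()
```

The `list shadows` line deliberately does not fire: enumeration is routine for backup software, while deletion or storage-shrinking outside a backup window is rare enough to page on. The parent process is carried into the alert because a backup agent spawning vssadmin looks very different from cmd.exe or a hidden PowerShell doing it, and that context is what an analyst needs first.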

For the fastest possible destruction, the malware runs 12 threads on eight processor cores.

It’s not immediately clear if the wiper has been deployed in real-world attacks, and if so, who the targets are.

The development comes as the malware is part of a larger campaign targeting Israeli companies with the deliberate intent to disrupt their day-to-day operations using data destruction.

Tactical overlaps were identified between the hacktivist group, who call themselves Karma, and another geopolitically motivated actor codenamed Moses Staff (aka Cobalt Sapling), which is suspected to be of Iranian origin.

Although the campaign has primarily centered around Israeli IT and government sectors up to this point, some of the participating groups, such as Moses Staff, have a history of simultaneously targeting organizations across various business sectors and geographical locations.

Source – https://thehackernews.com/2023/11/new-bibi-windows-wiper-targets-windows.html

Smarttech247
