AGL hit by ‘cyber incident’ causing customer account lockdown

One of Australia’s largest energy providers, AGL, was the latest organisation to be hit by a cyber incident as a wave of data breaches impact big companies across the nation. Elevated levels of suspicious activity on its “My Account” platform were first reported on December 1.

The latest analysis appears to show that malicious actors used stolen credentials acquired externally (such as usernames and passwords used elsewhere by customers) to log into several accounts affecting approximately 600 customers. AGL have contacted those affected and locked their accounts as a precaution. All customers have been urged to use strong passwords and turn on two-factor authentication.

The federal government and relevant cyber security bodies have been notified of the incident. It comes after the purported hackers of Medibank posted a vast amount of stolen data yesterday. The federal government also recently passed new legislation which would see Australia’s biggest companies slammed with massive fines if they are subject to a major cyber-attack.

Source – https://www.9news.com.au/national/australian-energy-provider-agl-reports-cyber-incident-thousands-customers-impacted-account-lockdown/a725de83-b9cb-4a1d-9f5a-039b2ccc5900

Hackers Target Colombia’s Healthcare System With Ransomware

Colombian healthcare provider Keralty reported a ransomware attack on Sunday, which affected its systems as well as two of its subsidiaries: EPS Sanitas and Colsanitas. The attack disrupted the companies’ IT operations, websites, and scheduling of medical appointments. Keralty released a statement on Tuesday acknowledging the attack.

The hacking operation was then also reportedly confirmed by a Twitter user, who posted a screenshot of the alleged malware affecting Keralty’s systems and deployed by the threat group RansomHouse. In addition to disrupting patient care, the RansomHouse ransomware group has claimed to have stolen 3TB of data. Research shows that the majority of ransomware data disclosures against the healthcare and pharmaceutical industry include finance and accounting data and patient data.

The hacking of Keralty’s systems comes weeks after a study by Obrela Security Industries suggested more than four-fifths of UK healthcare organizations suffered a ransomware attack in the last year.

Source – https://www.infosecurity-magazine.com/news/ransomware-target-colombias-health?utm_source=twitterfeed&utm_medium=twitter

Researchers Disclose Critical RCE Vulnerability Affecting Quarkus Java Framework

A critical security vulnerability has been disclosed in the Quarkus Java framework that could be potentially exploited to achieve remote code execution on affected systems and trivially abused by a malicious actor without any privileges. Tracked as CVE-2022-4116 (CVSS score: 9.8), the vulnerability is found in the Dev UI Config Editor, which is vulnerable to drive-by localhost attacks that could lead to remote code execution (RCE).

Quarkus is an open-source project used to create Java applications in containerised and serverless environments. The issue only impacts developers running Quarkus and tricked into visiting a specially crafted website, embedded with malicious JavaScript code designed to install or execute arbitrary payloads through an attack such as spear phishing. Alternatively, the attack can be pulled off by serving rogue ads on popular websites frequented by developers.

The Dev UI, which is offered through a Dev Mode, is bound to localhost (i.e., the current host) and allows a developer to monitor the status of an application, change the configuration, migrate databases, and clear caches. Because it’s restricted to the developer’s local machine, the Dev UI also lacks crucial security controls like authentication and cross-origin resource sharing (CORS) to prevent a fraudulent website from reading another site’s data. The problem identified lies in the fact that the JavaScript code hosted on a malware-laced website can be weaponised to modify the Quarkus application configuration via an HTTP POST request to trigger code execution.

Users are recommended to upgrade to version 2.14.2.Final and 2.13.5.Final to safeguard against the flaw. A potential workaround is to move all the non-application endpoints to a random root path.

Source – https://thehackernews.com/2022/12/researchers-disclose-critical-rce.html

New Windows malware scans victims’ mobile phones for data to steal

North Korean hackers have been identified using a previously unknown backdoor they call Dolphin for more than a year to steal files and send them to Google Drive storage. The APT 37 threat group (a.k.a. Reaper, Red Eyes, Erebus, ScarCruft) has been associated with espionage activity aligning with North Korean interests since 2012. Dolphin was discovered in April 2021 and has evolved into new versions with improved code and anti-detection mechanisms.

Dolphin is used together with BLUELIGHT, a basic reconnaissance tool seen in previous APT37 campaigns, but it features more powerful capabilities like stealing information from web browsers (passwords), taking screenshots, and logging keystrokes. BLUELIGHT is used to launch Dolphin’s Python loader on a compromised system but has a limited role in espionage operations. The Python loader includes a script and shellcode, launching a multi-step XOR-decryption, process creation, etc., eventually resulting in the execution of the Dolphin payload in a newly created memory process. Dolphin is a C++ executable using Google Drive as a command and control (C2) server and to store stolen files. The malware establishes persistence by modifying the Windows Registry. The backdoor also sends to the C2 its current configuration, version number, and time. The configuration contains keylogging and file exfiltration instructions, credentials for Google Drive API access, and encryption keys.

The malware has an extended set of capabilities that includes scanning local and removable drives for various types of data (media, documents, emails, certificates) that are archived and delivered to Google Drive. This feature was further improved to filter data by extension. Its search capabilities extend to any phone connected to the compromised host by using the Windows Portable Device API. ESET notes that this functionality appeared to be under development in the first version of the malware they found. Additionally, it can also lower the security of a victim’s Google account by changing related settings. This could allow attackers to keep their access to the victim’s account for a longer period. Dolphin can record user keystrokes in Google Chrome by abusing the ‘GetAsyncKeyState’ API and it can take a snapshot of the active window every 30 seconds.

It’s possible that newer versions of Dolphin exist and have been used in attacks, given that the backdoor has been deployed against select targets.

Source – https://www.bleepingcomputer.com/news/security/new-windows-malware-scans-victims-mobile-phones-for-data-to-steal/

AIIMS Server Hacked – Hacker Demand 200 Crore in Cryptocurrency

The All India Institute of Medical Sciences (AIIMS), Delhi suffered a data breach resulting in their server being down for six days in a row. The hackers have allegedly demanded almost 200 crores in cryptocurrencies from the institution. The hack, found on Wednesday morning, exposed the information of patients, particularly several VIPs, including former prime ministers, ministers, officials, and judges, who have data stored on the AIIMS server.

Due to the server being down, patient care services in the emergency, outpatient, inpatient, and laboratory wings are being managed manually. The India Computer Emergency Response Team (CERT-IN), Delhi Police, and representatives of the Ministry of Home Affairs are investigating the ransomware attack. The NIC team are scanning and cleaning any additional servers that are required for the provision of hospital services. For the four physical servers that have been set up to restore e-hospital services, the databases and applications have been scanned and prepared. There are plans for anti-virus programmes for computers and servers. Almost 1,200 of the 5,000 available computers have it installed.

There is a possibility that Chinese hackers are accountable for the attack, according to speculation. The lack of cloud-based servers and a poor firewall are likely to blame for the ransomware attack.

Source – https://cybersecuritynews.com/aiims-server-hacked/

Vatican website down in suspected hacker attack

The official Vatican website was taken offline on Wednesday following an apparent hacking attack. The web page for the Vatican is where worshippers can find prayers, letters, and papal announcements. Parts of the site remained down on Thursday morning, returning an error message to visitors. The suspected hack came a day after Moscow criticised Pope Francis’s latest condemnation of Russia’s invasion of Ukraine. In an interview with a Jesuit magazine, the pope had singled out troops from Chechnya and other ethnic minorities in Russia for their particular cruelty during the war.

There is currently no indication of who was to blame for the apparent cyber-attack. A spokesman for the Holy See, Matteo Bruni, said: “Technical investigations are ongoing due to abnormal attempts to access the site.”

It is not the first time the Pope has been the target of cyber-attacks. In 2020 a Chinese cyber-attack on the Vatican’s internal computer network was uncovered. The attack used a Trojan malware to infiltrate the Holy See’s systems, which was woven into a letter sent to a Vatican official in Hong Kong. When the note was opened, it allowed hackers to try to access private information on the Catholic Church’s plans for negotiations with the Chinese Catholic Church, which has links to Beijing.

Source – https://www.telegraph.co.uk/business/2022/12/01/pope-francis-vatican-website-goes-suspected-hack/

Trigona ransomware spotted in increasing attacks worldwide

A new Tor negotiation site where they accept Monero as ransom payments has been launched having rebranded as Trigona. Trigona has been active for some time, with samples seen at the beginning of the year. However, those samples utilised email for negotiations and were not branded under a specific name. As Trigona is the name of a family of large stingless bees, the ransomware operation has adopted a logo showing a person in a cyber bee-like costume. There have been numerous victims of the new ransomware operation, including a real estate company and what appears to be a village in Germany.

A recent sample of Trigona showed it supports various command line arguments that determine whether local or network files are encrypted, if a Windows autorun key is added, and whether a test victim ID (VID) or campaign ID (CID) should be used.

The command line arguments are listed below:

When encrypting files, Trigona will encrypt all files on a device except those in specific folders, such as the Windows and Program Files folders. In addition, the ransomware will rename encrypted files to use the ._locked extension. For example, the file 1.doc would be encrypted and renamed to 1.doc._locked. The ransomware will also embed the encrypted decryption key, the campaign ID, and the victim ID (company name) in the encrypted files. A ransom note named how_to_decrypt.hta will be created in each scanned folder. This note displays information about the attack, a link to the Tor negotiation site, and a link that copies an authorisation key into the Windows clipboard needed to log in to the Tor negotiation site. After logging into the Tor site, the victim will be shown information on how to buy Monero to pay a ransom and a support chat that they can use to negotiate with the threat actors. The site also offers the ability to decrypt five files, up to 5MB each, for free.

When a ransom is paid, the victims will receive a link to a decryptor and a keys.dat file, which contains the private decryption key. The decryptor allows you to decrypt individual files or folders on the local device and network shares. It is unclear how the operation breaches networks or deploys ransomware. Their attacks have been increasing worldwide, and with the investment into a dedicated Tor platform, they will likely continue to expand their operations.

Source – https://www.bleepingcomputer.com/news/security/trigona-ransomware-spotted-in-increasing-attacks-worldwide/

Irish Regulator Fines Facebook $277 Million for Leak of Half a Billion Users’ Data

Meta platforms have been fined €265 million ($277 million) by Ireland’s Data Protection Commission (DPC). The fines came as a result of failing to safeguard the personal data of more than half a billion users of its Facebook service. An inquiry was initiated by the European regulator on April 14, 2021, following the leak of a dataset of Facebook personal data that had been made available on the internet.

The data leaked included the personal information of 533 million users of the platform, such as their phone numbers, dates of birth, locations, email addresses, gender, marital status, account creation date, and other profile details. Meta stated that the information was obtained by malicious actors by taking advantage of a technique called phone number enumeration to scrape users’ public profiles. This entailed misusing a tool called Contact Importer to upload a huge list of phone numbers to uncover matches.

The Irish watchdog also ordered Meta’s Irish unit to make sure its processing complies with the E.U. data protection laws. The development marks the fourth time Ireland has placed fines on Meta and its subsidiaries, which also comprise Instagram and WhatsApp. In September 2021, the WhatsApp messaging service was fined €225 million for not being transparent about how users’ personal information is gathered and used, as well as how it’s shared with its parent, Meta.

Source – https://thehackernews.com/2022/11/irish-regulator-fines-facebook-277.html

Wave of cyber-enabled scams target FIFA World Cup fans

As expected, the arrival of one of the world’s biggest sporting events in the FIFA world cup has seen an explosion of activity from cybercriminals. Scammers have set up a variety of ways to harvest personal information and steal money from people trying to buy merchandise or tickets online or searching for on-site work during the games.

As many as 90 potentially compromised Hayya accounts have been identified. Hayya is the mandatory online system established so World Cup attendees can enter Qatar and access tickets and other services such as transportation. To carry out the scam’s info-stealing malware such as Redline and Erbium have been observed. Roughly 40 fake apps in the Google Play Store promising access to tickets and at least five websites purporting to be job application forms used to harvest personal information have been discovered. In another instance, scammers impersonated an unnamed leading Qatari petrochemical company to trick users into filling out a survey — asking for a range of personal information — on the chance they’ll receive a prize. Those users are then asked to share the link to the scam survey via WhatsApp with between five and 10 groups or 20 to 30 contacts. Other malware families used as part of the various scams included Qakbot, Emotet, Formbook, Remocos, and QuadAgent.

World Cup 2022 cyber scams have been ongoing for at least a year. In November 2021, roughly 11,000 scam emails were detected related to invites to bid on providing services for the event, or event giveaways.

Source – https://www.cyberscoop.com/fifa-world-cup-cyber-scam-phishing-malware/

US bans sales of Huawei, Hikvision, ZTE, and Dahua equipment

The Federal Communications Commission (FCC) in the US has banned the sale of equipment from Chinese telecommunications and video surveillance vendors Huawei, ZTE, Hytera, Hikvision, and Dahua due to risks to national security. The FCC adopted new rules prohibiting communications equipment deemed to pose an unacceptable risk to national security from being authorized for importation or sale in the US.

The U.S. previously accused telecommunication hardware vendor Huawei of stealing intellectual property, research and development data, and planting backdoors in their products that would potentially allow the Beijing government to run espionage operations. Telecommunications technology from both Huawei (5G in particular) and ZTE have been banned or excluded over the past years in multiple countries, including Australia, New Zealand, India, Japan, the U.S., Canada, Romania, and the U.K. Surveillance camera maker Dahua was added to the U.S. Department of Commerce’s ‘Entity List’ in October 2019, but sales of its equipment to consumers and private American companies weren’t banned. In March 2021, the FCC included all five companies now banned from having a presence in the United States market on its list of communications equipment and services as they were deemed to pose an unacceptable risk to national security.

All four FCC members, who have different political orientations, voted unanimously to adopt the new measures against the five Chinese tech firms.

Source – https://www.bleepingcomputer.com/news/security/us-bans-sales-of-huawei-hikvision-zte-and-dahua-equipment/

EU Council adopts NIS2 directive to harmonize cybersecurity across member states

A new cybersecurity directive has been undertaken by the Council of the European Union (EU).  The newly adopted directive is designed to improve resilience and incident response capacities across the EU, replacing NIS, the current directive on the security of network and information systems.

NIS2, will set the baseline for cybersecurity risk management measures and reporting obligations across sectors and aims to harmonise cybersecurity requirements and implementation of measures in different member states. It aims to do this by establishing minimum rules for a regulatory framework and laying down mechanisms for effective cooperation among relevant authorities. It will update the list of sectors and activities subject to cybersecurity obligations and provide remedies and sanctions to ensure enforcement.

The new directive will introduce a new size-cap rule for the identification of regulated entities, meaning that all medium-size and large entities operating within the sectors or providing services covered by the directive will fall within its scope. However, it will not apply to entities carrying out activities in areas such as defense or national security, public security, and law enforcement.

Moreover, the directive has been aligned with sector-specific legislation such as the Digital Operational Resilience Act (DORA) for the financial sector (DORA) and the Center for European Reform (CER) on the resilience of critical entities, to provide legal clarity and ensure coherence between NIS2 and these acts.

NIS2 is set to be published in the Official Journal of the European Union in the coming days and will enter into force on the 20th day following this publication. Member states will have 21 months from the entry into force of the directive in which to incorporate the provisions.

Source – https://www.csoonline.com/article/3681070/eu-council-adopts-nis2-directive-to-harmonize-cybersecurity-across-member-states.html