FEAM Aero Reportedly Hit by Ransomware

Feam Aero, the global aircraft maintenance and technical services company, has been claimed by the LockBit ransomware gang. The Russian-linked hacker collective posted the company’ on its dark leak site Tuesday, stating it had stolen troves of sensitive data in the hack.

The ransom group threatened to begin releasing parts of the cache in the next 48 hours.

“FEAM has been hacked. All critical company and customer data was stolen,” it said.

FEAM is one the largest MRO (Maintenance, Repair, Overhaul) companies in the US, providing line maintenance and A-check services at 52 maintenance bases around the world, according to its website. The FAA-certified company works with dozens of commercial and cargo airlines, from Amazon and DHL to Air France and Singapore Airlines.

FEAM employs over 1500 aviation professionals, including engineers, mechanics, and technicians that service both domestic and international aircraft, including numerous Airbus, Boeing, Embraer, De Havilland, and Mitsubishi models.

LockBit did not post the amount of data it had but did provide a sample of 67 files – including several US passports, social security cards, mechanics licenses, third-party disclosures, company credit card statements, and insurance records.

The hacker group posted it was able to exploit multiple vulnerabilities in FEAMs network, and said it plans to use the sensitive customer data for criminal purposes.

It warned that “numerous customers of the company have been accessed they will be attacked soon.”

The ransomware group claims they have obtained numerous documents such as:

• Customer and partner engineering projects
• Financial and banking records
• Insurance information of partners and customers
• Confidential and NDA contracts
• Secret documents and drawings
• Information about the company’s business processes
• Internal company and management correspondence
• HR documents
• Databases
• Engineering system baselines

Headquartered in Miami, FEAM is installed at dozens of major airports spanning the US and Europe, including locations in Tel Aviv, Egypt, Georgia, and Algeria.

Source – https://cybernews.com/news/feam-aero-ransomware-attack-lockbit/

Welltok Data Breach Exposes Data of 8.5 million US patients

Healthcare SaaS provider Welltok is warning that a data breach exposed the personal data of nearly 8.5 million patients in the U.S. after a file transfer program used by the company was hacked in a data theft attack.

Welltok works with health service providers across the U.S., maintaining online wellness programs, holding databases with personal patient data, generating predictive analytics, and supporting healthcare needs like medication adherence and pandemic response.

Earlier this year, the Clop ransomware gang exploited a zero-day vulnerability in the MOVEit software to breach thousands of organizations worldwide, following up with extortion demands and data leaks impacting over 77 million people.

Welltok published a notice of a data incident in late October, warning that its MOVEit Transfer server was breached on July 26, 2023. This occurred despite applying the security updates as soon as those were made available by the vendor.

Patient data was exposed during the breach, including full names, email addresses, physical addresses, and telephone numbers. For some, it also includes Social Security Numbers (SSNs), Medicare/Medicaid ID numbers, and certain Health Insurance information.

The impact of the breach impacted institutions in various states, including Minnesota, Alabama, Kansas, North Carolina, Michigan, Nebraska, Illinois, and Massachusetts, with the following healthcare providers said to be impacted:

• Blue Cross and Blue Shield of Minnesota and Blue Plus
• Blue Cross and Blue Shield of Alabama
• Blue Cross and Blue Shield of Kansas
• Blue Cross and Blue Shield of North Carolina
• Corewell Health
• Faith Regional Health Services
• Hospital & Medical Foundation of Paris, Inc. dba Horizon Health
• Mass General Brigham Health Plan
• Priority Health
• St. Bernards Healthcare
• Sutter Health
• Trane Technologies Company LLC and/or group health plans sponsored by Trane Technologies Company LLC or Trane U.S. Inc.
• The group health plans of Stanford Health Care, of Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners, and Packard Children’s Health Alliance
• The Guthrie Clinic

Initial estimates about the number of impacted individuals varied as Welltok didn’t immediately disclose this information. However, earlier today, the firm reported on the U.S. Department of Health and Human Services breach portal that the data breach has been confirmed to impact 8,493,379 people.

This figure places the Welltok breach as the second largest MOVEit data breach after services contractor Maximus, whose data breach affected 11 million people.

Source – https://www.bleepingcomputer.com/news/security/welltok-data-breach-exposes-data-of-85-million-us-patients/

185,000 Individuals Impacted by MOVEit Hack at Car Parts Giant AutoZone 

Car parts giant AutoZone, which has over 7,000 stores across the Americas, is informing nearly 185,000 individuals that their personal information was compromised as a result of the massive MOVEit hacking campaign.

AutoZone revealed that cybercriminals have stolen information, including social security numbers, after exploiting a vulnerability in the MOVEit Transfer managed file transfer application. However, the company is not aware of instances where the exposed information has been used for fraud.

Nevertheless, impacted customers are being offered free credit monitoring and identity protection services. 

In response to the breach, the MOVEit application was temporarily disabled by AutoZone, the vulnerability was patched, and the affected system was rebuilt.

AutoZone pointed out that it is one of the more than two thousand organizations impacted by the MOVEit hack. However, the company determined that the exploitation of the MOVEit vulnerability resulted in data exfiltration only on August 15, more than two months after news of widespread exploitation broke.

Starting in late May and possibly earlier, the Cl0p ransomware group exploited a MOVEit software vulnerability tracked as CVE-2023-34362 to steal data from many organizations that had been using the application to transfer files. 

The number of impacted organizations — both directly and indirectly — reached 2,620 as of November 21, with more than 77 million individuals being affected. The list of victims includes hundreds of US schools, the state of Maine, the US Department of Energy, and energy giants Siemens Energy, Schneider Electric, and Shell. 

Source – https://www.securityweek.com/185000-individuals-impacted-by-moveit-hack-at-car-parts-giant-autozone/

North Korean Hackers Pose as Job Recruiters and Seekers in Malware Campaigns

North Korean threat actors have been linked to two campaigns in which they masquerade as both job recruiters and seekers to distribute malware and obtain unauthorized employment with organizations based in the U.S. and other parts of the world.

The activity clusters have been codenamed Contagious Interview and Wagemole, respectively.

While the first set of attacks aims to infect software developers with malware through a fictitious job interview, the latter is designed for financial gain and espionage. The first campaign’s objective is likely cryptocurrency theft and using compromised targets as a staging environment for additional attacks.

The fraudulent job-seeking activity, on the other hand, involves the use of a GitHub repository to host resumes with forged identities that impersonate individuals of various nationalities.

The Contagious Interview attacks pave the way for two hitherto undocumented cross-platform malware named BeaverTail and InvisibleFerret that can run on Windows, Linux, and macOS systems.

It’s worth noting that the intrusion set shares tactical overlaps with previously reported North Korean threat activity dubbed Operation Dream Job, which involves approaching employees with potential job offers and tricking them into downloading malicious tools – a rogue npm package hosted on GitHub, in this case – as part of an online interview.

The threat actor likely presents the package to the victim as software to review or analyze, but it actually contains malicious JavaScript designed to infect the victim’s host with backdoor malware.

BeaverTail, the JavaScript implant, is a stealer and a loader that comes with capabilities to steal sensitive information from web browsers and crypto wallets, and deliver additional payloads, including InvisibleFerret, a Python-based backdoor with fingerprinting, remote control, keylogging, and data exfiltration features.

InvisibleFerret is also designed to download the AnyDesk client from an actor-controlled server for remote access.

This is not the first time North Korean threat actors have abused bogus modules in npm and PyPI. In late June and July 2023, Phylum and GitHub detailed a social engineering campaign that targeted the personal GitHub accounts of employees working in technology firms to disseminate a counterfeit npm package under the guise of collaborating on an open-source project.

The attacks have been attributed to another cluster known as Jade Sleet, which is also called TraderTraitor and UNC4899, and has since been implicated in the JumpCloud hack that took place around the same time.

The discovery of Wagehole echoes a recent advisory from the U.S. government, which disclosed North Korea’s subterfuge to beat sanctions by dispatching an army of highly-skilled IT workers who obtain employment in several companies globally and funnel back their wages to fund the country’s weapons programs.

Source – https://thehackernews.com/2023/11/north-korean-hackers-pose-as-job.html

Microsoft: Lazarus hackers Breach CyberLink in Supply Chain Attack

Microsoft says a North Korean hacking group has breached Taiwanese multimedia software company CyberLink and trojanized one of its installers to push malware in a supply chain attack targeting potential victims worldwide.

According to Microsoft Threat Intelligence, activity suspected to be linked with the altered CyberLink installer file surfaced as early as October 20, 2023. This trojanized installer was hosted on legitimate CyberLink update infrastructure owned and has so far been detected on more than 100 devices worldwide, including in Japan, Taiwan, Canada, and the United States.

Microsoft attributed this supply chain attack with high confidence to a North Korean cyberespionage group tracked as Diamond Sleet (aka ZINC, Labyrinth Chollima, and Lazarus).

The second-stage payload observed while investigating this attack interacts with infrastructure that the same group of threat actors previously compromised. Microsoft tracks the trojanized software and related payloads as LambLoad, a malware downloader and loader.

LambLoad targets systems not protected by FireEye, CrowdStrike, or Tanium security software. If these conditions are unmet, the malicious executable continues running without executing the bundled malicious code.

However, if the criteria are met, the malware connects with one of three command-and-control (C2) servers to retrieve a second-stage payload concealed within a file posing as a PNG file using the static User-Agent ‘Microsoft Internet Explorer.’

This is a common attack method used by the Lazarus North Korean threat actors, who are known for trojanizing legitimate cryptocurrency software to steal crypto assets.

Even though Microsoft has yet to detect hands-on-keyboard activity following LambLoad malware breaches, the Lazarus hackers are known for:

• Stealing sensitive data from compromised systems
• Infiltrating software build environments
• Progressing downstream to exploit further victims
• Establishing persistent access to victims’ environments

The Lazarus Group is a North Korean-sponsored hacking group that has been operating for more than ten years, since at least 2009. Known for targeting organizations worldwide, Lazarus’ operations have so far included attacks on financial institutions, media outlets, and government agencies. The group is thought to be behind many high-profile cyber attacks, including the 2014 Sony Pictures hack, the WannaCry ransomware attack of 2017, and the largest crypto hack ever in 2022.

Source – https://www.bleepingcomputer.com/news/security/microsoft-lazarus-hackers-breach-cyberlink-in-supply-chain-attack/

Play Ransomware Goes Commercial – Now Offered as a Service to Cybercriminals

The ransomware strain known as Play is now being offered to other threat actors “as a service,” new evidence unearthed has revealed.

The unusual lack of even small variations between attacks suggests that they are being carried out by affiliates who have purchased the ransomware-as-a-service (RaaS) and are following step-by-step instructions from playbooks delivered with it.

The findings are based on various Play ransomware attacks tracked by researchers spanning different sectors that incorporated almost identical tactics and in the same sequence. This includes the use of the public music folder (C:\…\public\music) to hide the malicious file, the same password to create high-privilege accounts, and both attacks, and the same commands.

Play, also called Balloonfly and PlayCrypt, first came to light in June 2022, leveraging security flaws in Microsoft Exchange Server – i.e., ProxyNotShell and OWASSRF – to infiltrate networks and drop remote administration tools like AnyDesk and ultimately deploy the ransomware.

Besides using custom data gathering tools like Grixba for double extortion, a notable aspect that set Play apart from other ransomware groups was the fact that the operators in charge of developing the malware also carried out the attacks.

The new development, therefore, marks a shift and completes its transformation into a RaaS operation, making it a lucrative option for cybercriminals.

Source – https://thehackernews.com/2023/11/play-ransomware-goes-commercial-now.html

Citrix Bleed Bug Inflicts Mounting Wounds, CISA Warns

Ransomware affiliates for the LockBit 3.0 gang are ramping up their assault on the so-called “Citrix Bleed” security vulnerability, resulting in re-upped warnings from CISA and Citrix itself to take affected appliances offline if immediate remediation isn’t an option.

The critical bug (CVE 2023-4966, CVSS 9.4) is found in the NetScaler Web application delivery control (ADC) and NetScaler Gateway appliances, and was patched in late October, after a warning about its use as a zero-day in limited, targeted cyberattacks. But it quickly caught the attention of more opportunistic threat actors, especially after the swift release of public proof-of-concept exploits (PoCs).

As CISA warned, the bug offers a relatively easy authentication bypass route to the corporate crown jewels — a fact not lost on LockBit 3.0 users, who have mounted attacks on a range of targets, including Boeing, Australian shipping giant DP World, and the ICBC, China’s state bank and the largest financial institution in the world.

The risk is significant: “Citrix Bleed allows threat actors to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions,” warned the agency, in a joint advisory with the FBI, MS-ISAC, and the Australian Cyber Security Center. “Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources.”

As far as what to do amid the voluminous attack activity, CISA offered detailed remediation guidance, detection methods, and indicators of compromise (IOCs) for Citrix Bleed, while Citrix in its advisory reiterated its previous warning that patching is not enough to protect affected instances, because compromised NetScaler sessions will continue to be vulnerable after patching.

“If you are using any of the affected builds listed in the security bulletin, you should upgrade immediately by installing the updated versions,” Citrix noted on Nov. 20. “After you upgrade, we recommend that you remove any active or persistent sessions.”

Both CISA’s and Citrix’s alerts reiterated the importance of isolating vulnerable appliances if patching and killing the instances isn’t an immediate option, given that this bug is likely to remain near the top of the list for threat actors to target.

The organizations issued the warnings just ahead of the Thanksgiving holiday in the US, when many security teams will be running skeleton crews. A recent analysis from ReliaQuest indicated that thousands of organizations remain exposed to the threat.

Source – https://www.darkreading.com/vulnerabilities-threats/citrix-bleed-bug-inflicts-mounting-wounds-cisa-warns

Hacktivists Breach U.S. Nuclear Research Lab, Steal Employee Data

The Idaho National Laboratory (INL) confirms they suffered a cyberattack after ‘SiegedSec’ hacktivists leaked stolen human resources data online. INL is a nuclear research center run by the U.S. Department of Energy that employs 5,700 specialists in atomic energy, integrated energy, and national security.

The INL complex extends over an 890-square-mile (2,310 km2) area, encompassing 50 experimental nuclear reactors, including the first ones in history to produce usable amounts of electricity and the first power plant designed for nuclear submarines.

Currently, INL is occupied with research on next-gen nuclear plants, light water reactors, control systems cybersecurity, advanced vehicle testing, bioenergy, robotics, nuclear waste processing, and other studies.

On Monday, SiegedSec announced it had gained access to INL data, including details on “hundreds of thousands” of employees, system users, and citizens.

As the group has done in previous breaches on NATO and Atlassian, they openly leaked stolen data on hacker forums and a Telegram channel run by the group, not caring to negotiate with the victim or demand ransoms.

The data leaked by SiegedSec includes:

• Full names
• Dates of birth
• Email addresses
• Phone numbers
• Social Security Numbers (SSN)
• Physical addresses
• Employment information

On Telegram, SiegedSec also posted alleged proof of the breach by sharing screenshots of tools used internally by INL for document access and announcement creation. The attackers also showed the creation of a custom announcement on INL’s system to let everyone in the complex know about the breach.

INL has not published any statements on the incident yet. However, a spokesperson confirmed the breach to local media outlets, commenting that it is currently under investigation and that federal law enforcement is involved.

“Earlier this morning, Idaho National Laboratory determined that it was the target of a cybersecurity data breach, affecting the servers supporting its Oracle HCM system, which supports its Human Resources applications. INL has taken immediate action to protect employee data,” INL media spokesperson Lori McNamara told EastIdahoNews.com.

“INL has been in touch with federal law enforcement agencies, including the FBI and the Department of Homeland Security’s Cyber Security and Infrastructure Security Agency to investigate the extent of data impacted in this incident.”

Although SiegedSec has neither accessed nor disclosed any data on nuclear research, the incident will inevitably intensify law enforcement scrutiny of the hacktivist group, as INL is considered a vital part of U.S. critical infrastructure.

Source – https://www.bleepingcomputer.com/news/security/hacktivists-breach-us-nuclear-research-lab-steal-employee-data/

NetSupport RAT Infections on the Rise – Targeting Government and Business Sectors

Threat actors are targeting the education, government and business services sectors with a remote access trojan called NetSupport RAT.

The delivery mechanisms for the NetSupport RAT encompass fraudulent updates, drive-by downloads, utilization of malware loaders (such as GHOSTPULSE), and various forms of phishing campaigns. No less than 15 new infections related to NetSupport RAT have been identified in the last few weeks.

While NetSupport Manager started off as a legitimate remote administration tool for technical assistance and support, malicious actors have misappropriated the tool to their own advantage, using it as a beachhead for subsequent attacks.

NetSupport RAT is typically downloaded onto a victim’s computer via deceptive websites and fake browser updates.

In August 2022, a campaign was detailed in which compromised WordPress sites were being used to display fraudulent Cloudflare DDoS protection pages that led to the distribution of NetSupport RAT.

The use of bogus web browser updates is a tactic often associated with the deployment of a JavaScript-based downloader malware known as SocGholish (aka FakeUpdates), which has also been observed propagating a loader malware codenamed BLISTER.

The Javascript payload subsequently invokes PowerShell to connect to a remote server and retrieve a ZIP archive file containing NetSupport RAT that, upon installation, beacons out to a command-and-control (C2) server.

“Once installed on a victim’s device, NetSupport is able to monitor behavior, transfer files, manipulate computer settings, and move to other devices within the network,” researchers said.

Source – https://thehackernews.com/2023/11/netsupport-rat-infections-on-rise.html

Yamaha Motor Confirms Data Breach Following Ransomware Attack

The personal information of employees was stolen in a ransomware attack targeting a Philippines subsidiary of Yamaha Motor.

The incident, the Japanese mobility and industrial giant says, occurred on October 25, and only impacted one server managed by Yamaha Motor Philippines, the company’s motorcycle manufacturing and sales subsidiary in the country.

The server, Yamaha Motor says, “was accessed without authorization by a third party and hit by a ransomware attack, and a partial leakage of employees’ personal information stored by the company was confirmed.”

Yamaha says it immediately set up a “countermeasures team”, took steps to prevent further damage, and launched an investigation into the incident. The attack was also reported to the Philippine authorities.

On November 16, the investigation revealed that some personal information stored by Yamaha Motor Philippines was compromised in the attack.

The company says it has restored all Yamaha Motor Philippines servers and systems that were not impacted in the attack. The incident did not affect the headquarters and other companies in the Yamaha Motor group, the motorcycle maker says.

While Yamaha did not name the ransomware group responsible for the attack, the INC Ransom gang has claimed responsibility for the incident.

Active since July 2023, the ransomware group appears opportunistic in nature, targeting organizations in various industries, typically by exploiting vulnerable internet-facing assets.

INC Ransom has been observed exploiting CVE-2023-3519, a critical-severity Citrix NetScaler ADC and Gateway vulnerability that came to light in July, when it was exploited as a zero-day by both financially motivated and state-sponsored threat actors.

Last week, INC Ransom published on its leak site data allegedly stolen from Yamaha Motor Philippines, including identification documents, employee ID cards, and various internal documents.

Over the past month, the ransomware gang has claimed hacking into the systems of a dozen organizations, including WellLife Network, Decatur Independent School District, Guardian Alarm, EFU Life Assurance, and Global Export Marketing.

Source – https://www.securityweek.com/yamaha-motor-confirms-data-breach-following-ransomware-attack/

Smarttech247