
Cyber Security Stories - September 2024
Stay Secure and Get the Latest Cyber Security Updates with GoAllSecure’s Monthly Bulletin!

LockBit Makes a Return as the Most Prominent Ransomware Actor in May 2024

The latest analysis reveals that the notorious LockBit group reemerged as the leading ransomware actor in May 2024. LockBit 3.0 staged 176 ransomware attacks, accounting for 37% of the total attacks in that month, marking a substantial 665% increase from the previous month. This surge in activity positioned LockBit ahead of other prominent groups such as Play and RansomHub. LockBit’s resurgence follows a period of dormancy after the global law enforcement operation, Operation Cronos, incapacitated key infrastructure used by the group in February 2024. Despite speculation that LockBit 3.0 would dissolve following this operation, the recent surge in activity suggests otherwise. There are also concerns that the group may be inflating their numbers to disguise the true state of their organization. The report also revealed a 32% increase in global ransomware attacks from the previous month. Notably, the industrial sector was the most targeted, accounting for 30% of attacks, followed by the technology sector. Additionally, significant regional trends were observed, with a decline in attacks targeting North America and substantial increases in Europe, South America, and Africa.
 

Ticketmaster Confirms Breach Potentially Impacting 560 Million Users

Live Nation, the parent company of Ticketmaster, has confirmed that it experienced a cyber-attack last month, resulting in the exposure of internal data. The majority of the compromised data came from its Ticketmaster subsidiary, affecting potentially 560 million customers. The company identified unauthorized activity within a third-party cloud database environment and launched an investigation. A criminal threat actor known as ShinyHunters is allegedly selling 1.3TB of stolen customer data, including names, addresses, emails, phone numbers, and partial payment card information. The breached third-party cloud storage firm, Snowflake, was also reportedly involved in a similar incident with Spanish bank Santander. It was reported that the threat actor targeted a Snowflake employee’s ServiceNow account with stolen credentials to gain access to the Ticketmaster database. However, Snowflake clarified that the recent increase in threat activity is due to industry-wide identity-based attacks, not caused by any vulnerability or misconfiguration within their product. Despite the potentially large impact on customers, Live Nation downplayed the operational and financial impact of the incident in an SEC filing, stating that they do not believe it will have a material impact on their business operations or financial condition. They continue to evaluate the risks, and their remediation efforts are ongoing.
 

Cybersecurity Burnout Is Real, and It’s Costing Firms $700m+ Annually

A recent study from Hack The Box suggests that British and US businesses may be losing up to $756 million annually due to reduced productivity caused by burnout among cybersecurity staff. The study calculated this figure by considering the average daily wage for cybersecurity professionals and then factoring in the average number of sick days and days lost to poor productivity. According to the research, UK employers could be losing around $130 million annually, while their US counterparts may be facing losses of up to $626 million. The primary reason identified for this burnout is the high stress, fatigue, and pressure experienced by cybersecurity professionals, largely due to the fast-paced nature of technological advancements and increasing threat volumes. The study also found that a significant number of cybersecurity professionals have taken time off due to work-related mental well-being issues. Interestingly, it was highlighted that while 90% of CISOs are concerned about the impact of burnout on their teams, only 47% of CEOs share the same level of concern. The CEO of Hack The Box emphasized the need for business leaders to prioritize the mental well-being of cybersecurity professionals and to collaborate closely with them in order to provide the necessary support and solutions for success.
 

92% of Organizations Hit by Credential Compromise from Social Engineering Attacks

A new report by Barracuda revealed that in 2023, 92% of organizations encountered an average of six credential compromises due to email-based social engineering attacks. The majority of these attacks (86%) involved scamming and phishing. Some key trends in these attacks included a rise in conversation hijacking by 70% compared to 2022, with attackers monitoring compromised business accounts to craft convincing messages. Business email compromise (BEC) attacks increased to 10.6%, and extortion attacks made up 2.7% of total social engineering attacks. The report also highlighted that cybercriminals often used legitimate services to launch these attacks, with Gmail being the most utilized email domain, accounting for 22% of attacks. Additionally, popular commercial URL-shortening services were leveraged, with bit.ly being the most widely used. An emerging trend was the significant increase in QR code phishing attacks, targeting around 5% of mailboxes in late 2023. These attacks prompt users to scan the code, leading them to fake pages designed to extract sensitive information or distribute malware. This method of attack poses challenges for traditional email filtering and security software, as it directs users to personal devices that are often less protected.
 

Data Disaster: Los Angeles Public Health Department Suffers Biggest Data Breach

The Los Angeles County Department of Public Health (DPH) experienced a data breach affecting 200,000 individuals. The breach, caused by phishing, exposed personal, medical, and financial information. DPH is notifying affected individuals by mail and offering free identity monitoring for a year. The department has implemented security enhancements and is working with law enforcement and regulatory agencies. In another incident, the US private healthcare provider Ascension was hit by a ransomware attack, leading to compromised patient information and disrupted services.
 

London Ransomware Attack Led to 1500 Cancelled Appointments and Operations

The recent ransomware attack on an NHS supplier led to the cancellation and rescheduling of over 800 planned operations and 700 outpatient appointments in the first week. Efforts are underway to restore IT functionality and increase the capacity for processing blood tests, but complete technical recovery may take longer, potentially causing disruptions for months. Impacted sites continue to prioritize urgent care, and individuals are encouraged to use emergency services as usual. The public is advised to utilize the NHS App, online resources, or phone services for non-emergency healthcare needs. Patients with scheduled appointments are advised to attend as usual unless informed otherwise. Meanwhile, the NHS has issued appeals for blood donors and volunteers, and healthcare providers are taking steps to minimize the impact on patients, such as organizing extra weekend clinics and collaborating with other hospitals to ensure timely assistance for those in need.
 

Ascension Cyberattack Caused by Employee Downloading Malicious File

In May 2024, Ascension, a major U.S. healthcare system, disclosed that a ransomware attack was initiated by an employee who unwittingly downloaded a malicious file onto a company device. The incident impacted the MyChart electronic health records system, phones, and systems for ordering tests and medications, prompting the temporary shutdown of certain devices. This forced employees to resort to manual record-keeping and led to the pausing of some non-emergent elective procedures, tests, and appointments. Ascension has mentioned that evidence suggests the attackers only accessed and extracted files from a small number of servers, with some potentially containing Protected Health Information (PHI) and Personally Identifiable Information (PII). While investigating, the healthcare system has not found evidence of data theft from its Electronic Health Records (EHR) and other clinical systems. While the attacker has not been definitively identified, there are reports connecting the attack to the Black Basta ransomware gang, known for targeting the healthcare sector.
 

Snowflake Data Breach: 165 Customers’ Data Exposed in an Ongoing Extortion Campaign

The cyber threat campaign targeting Snowflake has expanded beyond initial estimations, potentially putting the data of around 165 customers at risk. Mandiant, working with Snowflake, has linked the activity to a financially motivated threat actor called UNC5537, known for illicitly accessing Snowflake customer instances, advertising stolen data on cybercrime platforms, and extorting victims. The group, believed to have North American and Turkish ties, is reported to have targeted numerous organizations worldwide. Snowflake has highlighted the importance of implementing advanced security controls like multi-factor authentication and tightening security measures to mitigate such threats.
 

IoT Vulnerabilities Skyrocket, Becoming Key Entry Point for Threat Attackers

Microsoft has stressed the importance of securing internet-exposed operational technology (OT) devices in response to a series of cyber attacks targeting such environments since late 2023. The company’s Threat Intelligence team emphasized the urgent need to bolster the security of OT devices and prevent them from becoming easy targets, as cyber attacks on OT systems could allow malicious actors to manipulate critical parameters in industrial processes, leading to malfunctions and system outages. Microsoft warned that OT systems often lack sufficient security measures, making them susceptible to exploitation by adversaries. These systems are particularly vulnerable when directly connected to the internet, as they can be discovered by attackers through internet scanning tools and exploited using weak passwords or outdated software with known vulnerabilities. Recent advisories from Rockwell Automation and warnings from the US Cybersecurity and Infrastructure Security Agency (CISA) underscore the heightened threats to industrial control systems, necessitating a concerted effort to secure OT assets and infrastructure.
 

BBC Pension Scheme Breached: Exposing Details Of 25,000 Current and Former BBC Employees

The BBC has confirmed a security breach impacting its pension scheme, leading to the exposure of personal data belonging to many employees. Attackers copied files containing personal details such as names, National Insurance numbers, dates of birth, and home addresses from a cloud-based storage device. The breach affected over 25,000 current and former employees, but the copied data did not include sensitive information like telephone numbers, email addresses, or financial details. There is no evidence of a ransomware attack, and the BBC is working closely with internal and external teams to investigate and secure the situation. The impacted employees are cautioned to be vigilant against potential phishing attempts and identity theft.
 

Personal Information of 44,000 Compromised in the First American Ransomware Attack

This week, First American Financial Corporation disclosed that a December 2023 cyberattack may have compromised the personal information of 44,000 individuals. First American took steps to contain the incident by temporarily shutting down certain systems and email services. After a week, the company began bringing some systems back online, with full restoration announced on January 8, 2024. First American notified the Securities and Exchange Commission (SEC) about the data breach and stated that data on certain non-production systems had been encrypted. The company pledged to provide notifications to potentially affected individuals and offer them credit monitoring and identity protection services at no cost. Despite refraining from disclosing specific details about the types of personal information compromised or the ransomware gang behind the attack, First American stated that it had bolstered its network security following an investigation conducted with external cybersecurity experts.
 

Multiple WordPress Plugins Compromised: Hackers Create Rogue Admin Accounts

Several WordPress plugins have been compromised to inject malicious code, allowing the creation of unauthorized administrator accounts and the injection of malicious JavaScript into websites. According to Wordfence security researcher Chloe Chamberland, the injected malware aims to create new administrative user accounts and sends the details back to an attacker-controlled server. The attackers have been observed creating new admin accounts with usernames “Options” and “PluginAuth,” and the exfiltrated account information is being sent to the IP address 94.156.79[.]8. The attack, which appears to have been initiated on June 21, 2024, affects several plugins, including Social Warfare, Blaze Widget, Wrapper Link Element, Contact Form 7 Multi-Step Addon, and Simply Show Hooks. These plugins are no longer available for download from the WordPress directory. Users of the affected plugins are advised to check for suspicious administrator accounts and remove any malicious code from their sites.
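One way to carry out the check recommended above, as an added example (not Wordfence's or WordPress's own code): a Python function that parses the PHP-serialized wp_capabilities value WordPress stores in wp_usermeta and flags administrator accounts whose login matches the reported rogue names or whose registration date falls on or after June 21, 2024. The user and capability rows below are constructed sample data, not records from any real site.

```python
import re
from datetime import datetime

# Constructed sample rows modelled on wp_users (not real site data).
USERS = [
    {"ID": 1, "user_login": "editor_jane", "user_registered": "2023-02-10 09:12:00"},
    {"ID": 2, "user_login": "Options", "user_registered": "2024-06-22 03:41:17"},
    {"ID": 3, "user_login": "PluginAuth", "user_registered": "2024-06-23 01:05:44"},
    {"ID": 4, "user_login": "marketing_bob", "user_registered": "2024-06-25 14:00:00"},
]

# Constructed wp_usermeta values: WordPress stores wp_capabilities as a
# PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}
CAPS = {
    1: 'a:1:{s:6:"editor";b:1;}',
    2: 'a:1:{s:13:"administrator";b:1;}',
    3: 'a:1:{s:13:"administrator";b:1;}',
    4: 'a:1:{s:13:"administrator";b:1;}',
}

# Rogue account names reported in the Wordfence write-up.
KNOWN_ROGUE_LOGINS = {"options", "pluginauth"}
# Date the attack is reported to have started.
CAMPAIGN_START = datetime(2024, 6, 21)

# Matches each role name in the serialized array whose value is true.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized):
    """Return the set of enabled role names from a wp_capabilities value."""
    return set(ROLE_RE.findall(serialized))


def suspicious_admins(users, caps, start=CAMPAIGN_START):
    """Return (login, reasons) for administrator accounts that warrant review."""
    findings = []
    for user in users:
        roles = roles_from_capabilities(caps.get(user["ID"], ""))
        if "administrator" not in roles:
            continue
        reasons = []
        if user["user_login"].lower() in KNOWN_ROGUE_LOGINS:
            reasons.append("login matches a reported rogue account name")
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= start:
            reasons.append("administrator created on or after the campaign start date")
        if reasons:
            findings.append((user["user_login"], reasons))
    return findings
```

Accounts flagged only for their creation date may be legitimate; the output is a review list, not a verdict.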
 

Credit Card Data Theft via Exploitation of PrestaShop’s Facebook Module

A critical flaw in the pkfacebook module for PrestaShop has been exploited by hackers to deploy a card skimmer on vulnerable online stores. The flaw enables remote attackers to execute SQL injection using HTTP requests. Friends-of-Presta warned of active exploitation in the wild and urged users to upgrade to the latest pkfacebook version and apply specific WAF rules. However, the patch availability remains unclear, as the latest version listed on the vendor’s site is 1.0.0, while the NVD lists all versions from 1.0.1 and below as vulnerable. It’s crucial for users to stay informed about security vulnerabilities and promptly apply recommended patches to safeguard their online stores and customer data.
 

Truist Bank Confirms Breach After Stolen Data Shows Up On Hacking Forum

Truist Bank, a prominent US commercial bank resulting from the merger of SunTrust Banks and BB&T, recently acknowledged a cyber breach in October 2023. Following the breach, a threat actor known as Sp1d3r purportedly offered stolen data, including employee information and bank transaction details, for sale on a hacking forum. Truist confirmed that the cybersecurity incident occurred and was promptly contained. The bank engaged external security consultants to conduct a thorough investigation and implement additional security measures. While they initially notified a limited number of clients, they have now expanded the notifications in light of ongoing investigations. Truist clarified that the incident is unrelated to the Snowflake attacks and stated that they have not identified any fraudulent activities resulting from the breach. In response to this and similar incidents, Truist reiterated its commitment to collaborating with law enforcement and third-party cybersecurity experts to safeguard its systems and data.
 

Insurance Giant Globe Life Investigates Web Portal Breach, Says Attackers Accessed Consumer Information

Globe Life, an American financial services holding company, revealed a potential data breach in one of its web portals. The breach was discovered during a review of access permissions and user identity management, prompted by an inquiry from a state insurance regulator on June 13. Christopher T. Moore, Associate Counsel and Corporate Secretary at Globe Life, stated that external access to the portal was immediately revoked upon notification. The company believes that only this specific portal was affected, and all other systems are operational. Globe Life has activated its incident response plan, engaged external security experts, and is currently investigating the incident’s full scope and impact. Despite ongoing investigations, they stated that the incident has not materially impacted their operations. Globe Life, a Texas-based company listed on the New York Stock Exchange, offers insurance products and services through its subsidiaries. The company faced a significant share price decrease on April 11 due to allegations of insurance fraud.