Cyber Security News & Updates – TechKranti (https://techkranti.com)

01-May-24: In Security News Today (Wed, 01 May 2024 20:12:47 +0000)
https://techkranti.com/01-may-24-in-security-news-today/

Change Healthcare Hacked Using Stolen Citrix Accounts With no MFA

Change Healthcare was breached by the BlackCat ransomware gang who used stolen Citrix credentials without multi-factor authentication. The ransomware attack led to severe operational disruptions and financial damages. Remediation efforts included swift containment, replacing laptops, and rebuilding the data center network.

Panda Restaurants Discloses Data Breach After Corporate Systems Hack

Panda Restaurant Group, the parent company of Panda Express, disclosed a data breach after attackers compromised its corporate systems in March, affecting an unknown number of associates. The breach did not impact guest data, and the company is working with cybersecurity experts and law enforcement to investigate the incident. Personal information such as names, driver’s license numbers, and non-driver identification card numbers was accessed, but the total number of affected individuals remains undisclosed.

French Hospital CHC-SV Refuses to Pay LockBit Extortion Demand

The Hôpital de Cannes – Simone Veil (CHC-SV) in France experienced a cyberattack by the LockBit 3.0 ransomware gang, leading to operational disruptions and a ransom demand. Despite the threat of data leakage, the hospital has refused to pay the ransom and is working to restore affected systems. The incident highlights LockBit’s lack of concern for healthcare services and the ongoing challenges faced by organizations in dealing with ransomware attacks.

Canadian Drug Chain in Temporary Lockdown Mode After Cyber Incident

London Drugs, a Canadian pharmacy chain, has temporarily closed its stores in British Columbia, Alberta, and Saskatchewan due to a cybersecurity incident. The company has not disclosed the nature of the incident, but it is working with third-party experts to investigate. London Drugs states that no customer or employee data was compromised, and it is uncertain when the stores will resume normal operations.

Qantas App Exposed Sensitive Traveler Details to Random Users

Qantas Airways confirmed a misconfiguration in its app exposed sensitive information and boarding passes to random users, affecting some customers. The incident was caused by internal configuration changes, not a cyberattack, and only impacted the app. Qantas advised users to log out, stay vigilant for scams, and assured that no personal or financial information was shared.

New Cuttlefish Malware Infects Routers to Monitor Traffic for Credentials

Cuttlefish malware infects routers to monitor and steal authentication information, creating a proxy or VPN tunnel to exfiltrate data discreetly. It can perform DNS and HTTP hijacking, impacting internal communications. To protect against Cuttlefish, organizations should eliminate weak credentials, monitor for unusual logins, secure traffic with TLS/SSL, inspect devices for abnormalities, and use certificate pinning for remote connections.

1 in 5 US Ransomware Attacks Triggers Lawsuit

Comparitech’s analysis reveals that 18% of ransomware incidents in the US led to lawsuits in 2023, with a total of 123 filed so far. Data breaches are the primary reason for these lawsuits, impacting 283.3 million records across 355 attacks since 2018. Healthcare and finance sectors saw the highest number of filed lawsuits, with out-of-court settlements averaging $2.2 million.

To Damage OT Systems, Hackers Tap USBs, Old Bugs & Malware

Hackers are increasingly using USBs to breach air-gapped OT networks, leveraging old malware and vulnerabilities to disrupt or destroy systems. The shift towards USB attacks has been observed in industrial sectors, with attackers opting for living-off-the-land tactics post-infiltration. Defenders can combat these threats by implementing strict USB policies, utilizing technology for scanning removable media, and enhancing overall security measures.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.

30-Apr-24: In Security News Today (Tue, 30 Apr 2024 20:40:27 +0000)
https://techkranti.com/30-apr-24-in-security-news-today/

Ransom Payments Surge to Staggering $2M on Average, a 500% Jump From Last Year

The average ransom payment for cyberattacks has surged to $2 million, marking a 500% increase from the previous year, with additional recovery costs averaging $2.7 million per incident. The Sophos State of Ransomware 2024 report highlights a slight decrease in attack frequency but emphasizes the growing financial burden on businesses. The report also notes that cybercriminals frequently target backups to cripple recovery efforts, underscoring the critical vulnerabilities within organizational cybersecurity measures.

China-Linked ‘Muddling Meerkat’ Hijacks DNS to Map Internet on Global Scale

A cyber threat named Muddling Meerkat, likely linked to China, has been conducting sophisticated DNS activities since October 2019 to evade security measures and map the internet globally. The threat actor abuses DNS open resolvers to send queries from Chinese IP space, demonstrating a deep understanding of DNS. The actor’s motives behind these activities, which involve fake DNS responses and manipulation of internet traffic, remain unclear but raise concerns about potential internet mapping efforts or research.

New U.K. Law Bans Default Passwords on Smart Devices Starting April 2024

The U.K. National Cyber Security Centre has introduced a law, the Product Security and Telecommunications Infrastructure Act, prohibiting manufacturers from using default passwords on smart devices starting April 2024. This law aims to enhance consumer protection against cyber attacks by enforcing minimum security standards. Failure to comply can lead to recalls and fines of up to £10 million or 4% of global annual revenues.

The Dark Web is Seeing an Influx of Affordable Ransomware, Making Malware More Accessible Than Ever

Sophos researchers have identified a rise in ‘junk gun’ ransomware, which is unsophisticated and sold cheaply on the dark web, posing a serious threat to organizations. These low-cost ransomware variants, like Kryptina, Diablo, and others, offer simplicity and independence to criminals, making them harder to track for law enforcement. Despite lacking the scale of major ransomware groups, these attacks can still be profitable and challenging for defenders due to their low-tech nature and potential to go undetected.

Philadelphia’s Daily Newspaper Philadelphia Inquirer Struck by Cyberattack

The Philadelphia Inquirer reported a cyberattack that compromised personal information, including financial details, of over 25,000 subscribers. The breach occurred in May 2023, allowing unauthorized access to sensitive data. Despite no immediate misuse reports, the newspaper has offered affected subscribers free credit monitoring and urged vigilance against identity theft.

U.S. Government Releases New AI Security Guidelines for Critical Infrastructure

The U.S. government has released new security guidelines to protect critical infrastructure from AI-related threats, focusing on transparency, privacy, and civil liberties. The guidelines aim to manage AI risks by establishing an organizational culture of risk management, understanding individual AI use context, and prioritizing safety and security. Additionally, recent concerns include vulnerabilities in AI systems that could be exploited by cybercriminals for malicious purposes, prompting the need for robust security measures and careful deployment practices.

Change Healthcare Hacked Using Stolen Citrix Account With no MFA

Change Healthcare was breached by the BlackCat ransomware gang who used stolen Citrix credentials without multi-factor authentication. The attack led to severe operational disruptions and financial damages estimated at $872 million. The CEO confirmed the ransomware attack and the difficult decision to pay the ransom, while remediation efforts included swift containment, system securing, and rebuilding core services.

Ransomware Rising Despite Takedowns, Says Corvus Report

Corvus Insurance’s report reveals a 21% increase in ransomware activity in the first quarter of 2024 compared to the same period in 2023, with new ransomware gangs emerging to fill the void left by LockBit and BlackCat. Despite disruptions to high-profile ransomware gangs, the number of recorded victims in Q1 2024 was significantly higher than in the same period in 2023, with industries like information technology and medical specialists being targeted the most.

Chinese Hackers Have Been Probing DNS Networks Globally for Years

A Chinese hacking group named Muddling Meerkat has been probing DNS networks worldwide since 2019, utilizing sophisticated methods to evade detection and manipulate DNS responses. The group’s activities include altering MX records and conducting what appear to be DDoS attacks, though their true intentions remain unclear. These ongoing operations highlight significant vulnerabilities in global network infrastructure and suggest possible preparation for disruptive cyberattacks.

Finnish Hacker Gets Prison for Accessing Thousands of Psychotherapy Records and Demanding Ransoms

In Finland, a hacker was sentenced to over six years in prison for hacking into a psychotherapy center’s database, accessing thousands of patient records, and demanding ransoms. This extensive breach led to severe repercussions, with thousands of individuals impacted. The case highlighted the vulnerabilities in protecting sensitive health data and the harsh penalties for cybercrimes involving personal information.

29-Apr-24: In Security News Today (Mon, 29 Apr 2024 21:18:21 +0000)
https://techkranti.com/29-apr-24-in-security-news-today/

Collection Agency FBCS Warns Data Breach Impacts 1.9 Million People

Financial Business and Consumer Solutions (FBCS) reported a data breach affecting 1,955,385 individuals in the U.S., with unauthorized access to their network systems. The breach, discovered on February 26, 2024, allowed intruders to view or acquire personal information like full names. FBCS specializes in debt collection across various sectors like consumer credit, healthcare, and student loans.

Kaiser Permanente Data Breach Impacts 13.4 Million Patients

Kaiser Permanente reported a data breach affecting 13.4 million patients, where personal data was inadvertently shared with third-party advertisers through tracking technologies on their digital platforms. The exposed data included names, IP addresses, and user interactions, but did not include sensitive financial details or Social Security numbers. The healthcare provider has since removed the implicated tracking technologies and added safeguards to prevent future incidents.

Google Prevented 2.28 Million Malicious Apps from Reaching Play Store in 2023

Google prevented 2.28 million policy-violating apps from being published on Google Play in 2023, blocked 333,000 bad accounts, and rejected or remediated almost 200,000 app submissions due to issues with sensitive data access. The company strengthened security features, policy updates, and machine learning processes, partnered with SDK providers to enhance privacy, and implemented real-time scanning and security badges in the Play Store to combat malware.

FBI Warns of Fake Verification Schemes Targeting Dating App Users

The FBI has issued a warning about fake verification schemes on dating apps that lead to costly recurring subscription charges. Fraudsters approach victims on dating platforms, establish trust, and redirect them to fake verification websites to obtain personal and financial information. To protect against these schemes, the FBI advises users to be cautious of sharing personal information online, report suspicious profiles, and use low-limit credit cards for online transactions.

London Drugs Pharmacy Chain Closes Stores After Cyberattack

London Drugs, a Canadian pharmacy chain, closed all its retail stores due to a cybersecurity incident and has hired external experts to investigate the attack. The company took immediate countermeasures to protect its network and data, with no evidence of customer or employee data being impacted. London Drugs has not yet notified authorities as there is no indication of personal information compromise, but will do so if necessary according to privacy laws.

Study Reveals Alarming Levels of USPS Phishing Traffic

A recent analysis by Akamai Security researchers revealed a concerning trend of phishing and smishing attacks targeting the United States Postal Service (USPS) during peak shopping periods like Thanksgiving and Christmas. Illegitimate domains mimicking USPS websites attracted significant traffic, with deceptive domains like ‘usps-post[.]world’ and ‘uspspost[.]me’ garnering over 100,000 hits each. The study emphasized the need for continued monitoring and reporting of such threats to protect consumers and enhance cybersecurity efforts.

JP Morgan Employees Access Sensitive Information They Weren’t Supposed to See

JP Morgan disclosed a data security issue where three employees, authorized to access certain system reports, inadvertently viewed sensitive information of about 450,000 individuals not intended for them. The breach, which occurred over a span from August 2021 to February 2024, involved personal and financial details like Social Security numbers and bank account information. The bank has since resolved the software issue, offered credit monitoring services, and stated there’s no evidence of misuse of the information.

ICICI Bank Glitch Gave Access to other Clients’ Credit Cards

A technical glitch in ICICI Bank’s mobile app displayed other clients’ credit card information, affecting around 17,000 cards, including full card numbers, expiry dates, and CVV. The glitch also allowed unauthorized users to manage settings for international transactions. ICICI has blocked the affected cards, issued new ones, and promised compensation for any financial loss, with no misuse reported yet.

Hackers Claim to Have Infiltrated Belarus’ Main Security Service

A Belarusian hacker group, identifying as Cyber-Partisans, claimed to have breached the Belarusian KGB’s network, accessing personal files of over 8,600 employees. They also disrupted the KGB’s website and published sensitive data online to expose and counteract what they describe as severe political repressions by the Belarusian government. This action is part of ongoing efforts to challenge government authority, with the group vowing to continue their cyber activities against state institutions involved in suppressing opposition.

26-Apr-24: In Security News Today (Fri, 26 Apr 2024 19:54:25 +0000)
https://techkranti.com/26-apr-24-in-security-news-today/

Kaiser Permanente: Data Breach May Impact 13.4 Million Patients

Kaiser Permanente, a major healthcare service provider, revealed a data breach potentially affecting 13.4 million individuals in the U.S. Personal information was leaked to third-party trackers on their websites and mobile apps, including IP addresses, names, and user interactions. While sensitive data like SSNs and financial details were not compromised, Kaiser Permanente has taken steps to address the incident and will notify those affected as a precaution.

Hackers leak London Stock Exchange Group’s (LSEG) World-Check Screening Database With Over Five Million Records

Hackers leaked the World-Check database from the London Stock Exchange Group, exposing over 5 million records on entities and individuals linked to risks like financial crime and terrorism. The breach, attributed to a group called GhostR, involved data illicitly obtained from a client’s system, not directly from LSEG systems. This database is crucial for entities performing “know your customer” checks to prevent illicit financial activities.

New Brokewell Malware Takes Over Android Devices, Steals Data

Security researchers have discovered a new Android banking trojan named Brokewell that captures device events, steals data, and offers remote control capabilities. The malware is distributed through a fake Google Chrome update, mimics login screens to steal credentials, and can remotely control infected devices. Developed by an individual known as Baron Samedit, Brokewell is expected to be further developed and offered to other cybercriminals, posing a significant threat to Android users. To protect against such malware, users are advised to avoid downloading apps from outside Google Play and ensure Play Protect is active on their devices.

North Korea’s Lazarus Group Deploys New Kaolin RAT via Fake Job Lures

The Lazarus Group, linked to North Korea, used fake job offers to distribute a new remote access trojan called Kaolin RAT in attacks targeting individuals in Asia. The RAT was used to deploy the FudModule rootkit by exploiting a now-patched admin-to-kernel vulnerability. The sophisticated attack chain showcases Lazarus Group’s continuous innovation and resource allocation, posing a significant challenge to cybersecurity efforts.

Godfather Banking Trojan Spawns 1.2K Samples Across 57 Countries

The Godfather mobile banking Trojan has spawned over 1,000 samples across 57 countries, targeting hundreds of banking apps. Mobile malware-as-a-service operators are rapidly generating unique samples to evade security software, posing a significant challenge to mobile security. Security solutions are struggling to keep up with the increasing number of malware samples, emphasizing the need for adaptive solutions and behavioral analysis to combat evolving mobile threats.

Researchers Found 18 Vulnerabilities in Brocade SANnav

A security assessment of Brocade’s SANnav Management Portal revealed 18 vulnerabilities, including hardcoded Docker keys. The vulnerabilities allowed attackers to compromise the SANnav appliance and Fibre Channel switches, and to intercept credentials sent over clear-text management communication. Insecure configurations such as lack of encryption for management protocols, hardcoded credentials in Postgres, and insecure Docker instances with read/write access to critical files were identified, posing significant risks to the system’s security.

Autodesk hosting PDF files used in Microsoft phishing attacks

Autodesk is unknowingly hosting malicious PDF files used in sophisticated Microsoft phishing attacks, where victims are tricked into revealing their login credentials. The attackers leverage compromised email accounts to send convincing phishing emails with links to documents on Autodesk Drive, leading to fake Microsoft login forms. The scale and customization of these attacks indicate automation and targeted compromises, emphasizing the importance of vigilance against such threats and the need for hosting companies to prevent abuse of their infrastructure.

Researchers Sinkhole PlugX Malware Server With 2.5 Million Unique IPs

Researchers at Sekoia sinkholed a PlugX malware server, observing 2.5 million unique IP connections from infected hosts in over 170 countries. By acquiring control of the C2 server, they were able to analyze traffic, map infections, and prevent further malicious activities. Sekoia has formulated disinfection strategies to address the challenge of removing PlugX from infected systems and USB drives, calling for national cybersecurity teams to join the effort.

25-Apr-24: In Security News Today (Thu, 25 Apr 2024 20:46:21 +0000)
https://techkranti.com/25-apr-24-in-security-news-today/

Ransomware payments surpass $1 billion in 2023, report finds

Ransom payments reached over $1 billion in 2023, marking a significant increase in both the scale and cost of ransomware attacks. The Ransomware Task Force (RTF) emphasizes that despite efforts to combat this threat, major challenges persist and half of the proposed strategic recommendations remain under-implemented. The need for intensified collaborative efforts, including legislative actions and international cooperation, is critical to address the evolving and increasingly costly ransomware landscape.

Supplement maker hack allegedly exposes 1M customers

Piping Rock, a supplement manufacturer, experienced a data breach resulting in unauthorized access to over 2.1 million emails, potentially impacting nearly one million customers. The leaked data includes names, addresses, and purchase histories. This breach’s details were confirmed by a Cybernews investigation and were publicly posted on a data leak forum by the perpetrator.

Scammers bypassing Google ad checks to impersonate real brands

Scammers are increasingly manipulating Google’s ad system to impersonate reputable brands, redirecting users to fraudulent sites. Using advanced techniques such as cloaking, they present legitimate content to Google’s bots while showing malicious sites to real users. Security experts recommend vigilance with sponsored search results and the use of protective browser extensions to guard against such malvertising threats.

WP Automatic WordPress plugin hit by millions of SQL injection attacks

Hackers are exploiting a critical vulnerability (CVE-2024-27956) in the WP Automatic WordPress plugin to create admin accounts and plant backdoors on websites. Over 5.5 million attack attempts have been observed, with hackers renaming the vulnerable file ‘csv.php’ and installing additional plugins for file uploads. To prevent compromise, administrators are advised to update the plugin to version 3.92.1 and regularly back up their websites.

Iran Dupes US Military Contractors, Gov’t Agencies in Years-Long Cyber Campaign

An elite team of Iranian state-sponsored hackers infiltrated hundreds of thousands of employee accounts at US companies and government agencies from 2016 to 2021, aiming to steal military secrets. The hackers posed as a cybersecurity company, using social engineering tactics like spearphishing and posing as women to trick victims into clicking on malicious links. The extent of data compromise and whether classified information was accessed remains unclear, and the indicted hackers are currently at large with a reward of up to $10 million offered for information leading to their apprehension.

US Takes Down Illegal Cryptocurrency Mixing Service Samourai Wallet

The US Department of Justice collaborated with Iceland’s authorities to seize Samourai Wallet’s web servers and domain, along with removing its Android app from the Google Play Store in the US. The co-founders, Keonne Rodriguez and William Lonergan Hill, were charged with conspiracy to commit money laundering and operate an unlicensed money-transmitting business. Samourai Wallet, a cryptocurrency mixing service operational since 2015, facilitated over $2bn in unlawful transactions and laundered over $100m in criminal proceeds, serving as a haven for criminals to engage in large-scale money laundering.

North Korea APT Triumvirate Spied on South Korean Defense Industry For Years

A triumvirate of North Korean advanced persistent threat (APT) groups has been conducting extensive espionage on the South Korean defense industry over several years. These groups have effectively compromised multiple South Korean entities to gather intelligence and strategic information. The prolonged cyber-espionage campaign highlights significant vulnerabilities in national security measures and underscores the need for enhanced cybersecurity protocols in sensitive sectors.

Over 1,400 CrushFTP servers vulnerable to actively exploited bug

Over 1,400 CrushFTP servers are vulnerable to a critical server-side template injection (SSTI) bug, allowing unauthenticated attackers to achieve remote code execution. Rapid7 confirmed the severity of the flaw, emphasizing the risk of arbitrary file read and authentication bypass. CrowdStrike reported targeted attacks exploiting the zero-day, urging users to promptly apply patches to safeguard against ongoing exploitation attempts.

LA County Health Services: Patients’ data exposed in phishing attack

The Los Angeles County Department of Health Services experienced a data breach due to a phishing attack in which 23 employees had their credentials stolen. Patients’ personal and health information, including medical records and contact details, was exposed. While no evidence of misuse was found, affected individuals are advised to verify the accuracy of their medical records, and the health system has taken steps to enhance its cybersecurity measures.

24-Apr-24: In Security News Today (Wed, 24 Apr 2024 21:48:34 +0000)
https://techkranti.com/24-apr-24-in-security-news-today/

U.S. Treasury Sanctions Iranian Firms and Individuals Tied to Cyber Attacks

The U.S. Treasury Department sanctioned two Iranian firms and four individuals for engaging in cyber activities on behalf of the Iranian Revolutionary Guard Corps Cyber Electronic Command. The individuals targeted U.S. companies and government entities through cyber operations, leading to indictments and a reward for information. The defendants face charges including conspiracy to commit computer fraud and wire fraud, with potential prison sentences of up to 20 years.

Researchers Detail Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike

Security researchers have uncovered an ongoing attack campaign, codenamed FROZEN#SHADOW, utilizing phishing emails to distribute SSLoad malware, Cobalt Strike, and ConnectWise ScreenConnect. SSLoad is designed to infiltrate systems, deploy backdoors, and maintain persistence while avoiding detection. The attackers pivot to other systems in the network, including the domain controller, creating their own domain administrator account to achieve high levels of persistence and access within the victim’s Windows domain.

Major Security Flaws Expose Keystrokes of Over 1 Billion Chinese Keyboard App Users

Security vulnerabilities in cloud-based pinyin keyboard apps used by over 1 billion Chinese users were discovered by Citizen Lab, exposing their keystrokes to potential exploitation. Eight out of nine apps from vendors like Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi were found to have weaknesses, with Huawei being the only exception. The vulnerabilities could allow adversaries to decrypt keystrokes passively, prompting recommendations for users to update their apps, switch to on-device keyboard apps, and for developers to use standard encryption protocols.

eScan Antivirus Update Mechanism Exploited to Spread Backdoors and Miners

A new malware campaign is exploiting the eScan antivirus software’s update mechanism to distribute backdoors and cryptocurrency miners, targeting large corporate networks. The threat, known as GuptiMiner, is believed to be connected to a North Korean hacking group called Kimsuky. The malware campaign involves a sophisticated infection chain that leverages a security flaw in eScan’s update mechanism, allowing the attackers to deploy malicious payloads undetected for at least five years.

US Charges Samourai Cryptomixer Founders for Laundering $100 Million

The U.S. Department of Justice has charged Keonne Rodriguez and William Lonergan Hill for laundering over $100 million through their cryptocurrency mixer service, Samourai. Criminals utilized Samourai’s services to process more than $2 billion in illicit funds, with the founders allegedly earning $4.5 million in fees. The founders are facing charges of money laundering and operating an unlicensed money-transmitting business, with Rodriguez in custody and Hill arrested in Portugal awaiting extradition to the U.S.

Medical Diagnostics Provider Synlab Halts Services Over Ransomware Attack

Synlab Italia, part of a major medical diagnostics firm, had to shut down its IT systems nationwide following a cyberattack, suspected to be ransomware, which potentially compromised sensitive customer data. Nearly 400 labs across Italy halted all operations, including patient services and data access. The disruption persisted for several days as the company worked to isolate and address the security breach.

CISA Warns of Windows Print Spooler Flaw After Microsoft Sees Russian Exploitation

CISA has updated its Known Exploited Vulnerabilities catalog to include a critical Windows Print Spooler flaw, CVE-2022-38028, after Microsoft reported its exploitation by Russian cyberespionage group APT28. This vulnerability, discovered in 2022, allows for privilege escalation and has been actively used to deploy malware and harvest credentials across multiple sectors. Organizations are urged to patch this vulnerability promptly to mitigate potential cyber threats.

US Congress Passes Bill to Ban TikTok

The US Senate voted on a bill that could ban TikTok or force ByteDance to relinquish ownership of the app, with 79 senators in favor and 18 against. The bill, titled the Protecting Americans from Foreign Adversary Controlled Applications Act, now awaits President Biden’s signature. ByteDance has a year to disassociate from TikTok in the US or face legal prohibitions, while TikTok’s ties with Chinese intelligence are under scrutiny.

ArcaneDoor Hackers Exploit Cisco Zero-days to Breach Government Networks

Cisco has warned of a state-backed hacking group, identified as UAT4356 and STORM-1849, exploiting two zero-day vulnerabilities in Cisco firewalls since November 2023 to breach government networks worldwide. The vulnerabilities allowed the threat actors to deploy malware implants like ‘Line Dancer’ and ‘Line Runner’ for malicious actions, including configuration modification and network traffic capture. Cisco has released security updates to fix the zero-days and urges customers to upgrade their devices and monitor for any signs of unauthorized activity.

22-Apr-24: In Security News Today (Mon, 22 Apr 2024 20:32:46 +0000)
https://techkranti.com/22-apr-24-in-security-news-today/

Attacker dumps data of 2.8 million Giant Tiger customers

A threat actor claimed responsibility for a March 2024 data breach at Giant Tiger, exposing 2.8 million customer records including email addresses, names, addresses, and phone numbers. The hacker dropped the data set for free on a forum, requiring ‘8 credits’ to unlock the download link. Giant Tiger attributed the breach to a cybersecurity incident with a third-party vendor, urging customers to be cautious of messages regarding payment information.

Attackers Have Penetrated Volkswagen Group’s Systems, Stealing Over 19,000 Documents with Intellectual Property

Volkswagen Group suffered a significant breach in which attackers, suspected to be from China, had access to its systems for over five years and exfiltrated around 19,000 documents related to engine and transmission development, including electric vehicle innovations. The German automaker’s security team has recovered some of the stolen files, though the full impact may be larger than what has been disclosed. Evidence from IP addresses and time-zone analysis points to a major espionage effort targeting critical technological advances in the automotive industry.

Synlab Italia suspends operations following ransomware attack

Synlab Italia, part of a global network, suspended all medical diagnostic services in Italy following a ransomware attack that compromised their IT systems. The attack, detected on April 18, led to the shutdown of all computers to contain the breach. While efforts are underway to restore services and eliminate malware, customers are advised to stay updated through the company’s website and social media channels.

Rural Texas Towns Report Cyberattacks That Caused One Water System to Overflow

Recent cyberattacks in rural Texas have impacted local water systems, including an overflow incident caused by Russian hacktivist group infiltrations. These attacks targeted multiple towns, with one resulting in 37,000 failed login attempts over four days. Despite rapid responses from local authorities to mitigate damage, these incidents underscore the increasing vulnerability of public utilities to cyber threats and emphasize the need for enhanced security measures.

Researchers Uncover Windows Flaws Granting Attackers Rootkit-Like Powers

Researchers have discovered flaws in Windows’ DOS-to-NT path conversion process that threat actors can exploit to gain rootkit-like capabilities, allowing them to hide files and processes and carry out malicious actions without admin permissions. Investigation of these flaws uncovered several security shortcomings, including an elevation-of-privilege deletion vulnerability, an elevation-of-privilege write vulnerability, a remote code execution vulnerability, and a denial-of-service vulnerability affecting Process Explorer. The implications extend beyond Microsoft Windows, underscoring the importance for all software vendors of addressing known issues to prevent significant security risks.

Ukrainian Soldiers’ Apps Increasingly Targeted for Spying

Ukrainian soldiers’ messaging apps are increasingly targeted by hackers for spying, as reported by CERT-UA. The surge in attacks is attributed to a group known as UAC-0184, deploying various malware like HijackLoader and Remcos. Russian hackers have also been previously identified targeting Ukraine’s military messaging apps, aiming to exfiltrate encrypted communications and sensitive data.

51% of Enterprises Experienced a Breach Despite Large Security Stacks

Despite investing in large security stacks, 51% of enterprises experienced a breach in the past 24 months, leading to unplanned downtime, data exposure, and financial loss. Enterprises prioritize pentesting but struggle with a frequency gap between IT environment changes and security validation testing. Organizations are adopting more cybersecurity tools to manage risk, with an average of 53 security solutions in use, but face resource constraints and network downtime concerns related to pentesting.

MITRE Breached by Nation-state Threat Actor via Ivanti Zero-days

MITRE Corporation was breached by a nation-state threat actor through two zero-day vulnerabilities in Ivanti’s Connect Secure VPN devices, leading to lateral movement and compromise of the company’s VMware infrastructure. The attackers exploited the vulnerabilities to hijack VPN sessions, maintain persistence with webshells and backdoors, exfiltrate data, and create staging virtual machines. MITRE responded by taking down the affected environment, initiating an investigation, and sharing advice for defenders to monitor VPN traffic, segment networks, and use threat intelligence feeds.

An Unrestricted File Upload Vulnerability in the Forminator Plugin Impacts Hundreds of Thousands of WordPress Sites

Japan’s CERT has warned of multiple vulnerabilities in the Forminator WordPress plugin, including a critical flaw allowing unrestricted file uploads, potentially leading to remote code execution and sensitive data exposure. The plugin, with over 500,000 installations, is susceptible to attacks exploiting CVE-2024-28890, CVE-2024-31077, and CVE-2024-31857. Admins are urged to update to version 1.29.3 to mitigate these risks, as over 200,000 sites remain vulnerable to cyber attacks.

Cannes Hospital Cancels Medical Procedures Following Cyberattack

Cannes Hospital was forced to cancel non-urgent medical procedures and revert to manual operations after a cyberattack led to a shutdown of its IT systems. The hospital has prioritized emergency and essential services while cooperating with regional healthcare entities to manage patient needs effectively. No data theft or ransom demands have been reported, though the recovery of IT services is anticipated to be a prolonged process.

Researchers Observe a Flood of Crude and Amateurish Ransomware

Sophos X-Ops researchers report an upsurge in the sale of inexpensive, rudimentary ransomware on the dark web, referred to as “junk guns.” These low-cost ransomware tools are accessible for as little as $20, attracting lower-skilled criminals targeting small businesses and individuals. Despite their affordability and simplicity, these ransomware variants represent a growing risk to smaller targets, emphasizing the need for heightened awareness and defense measures in cybersecurity practices.

Ransomware Double-Dip: Re-Victimization in Cyber Extortion

A new trend in ransomware attacks involves “double-dipping” where threat actors repeatedly target previously victimized entities, often through re-use of stolen data or access. This cyclic victimization not only compounds the distress for affected organizations but also signifies a shift towards more aggressive extortion tactics in the cybercrime ecosystem. The increasing frequency of such re-attacks highlights a critical vulnerability in cybersecurity defenses and emphasizes the necessity for improved protective measures and response strategies.

Almost 200,000 data tracking attempts were made in just 30 days on a regular Android device through installed apps.

A recent study using /e/OS on an Android device revealed nearly 195,000 data tracking attempts within a month from 34 third-party apps, indicating a significant privacy risk. Data collected ranged from user demographics to sensitive information, with some data being sent to servers in Russia and China. The pervasive nature of this tracking emphasizes the challenges in avoiding surveillance, even with stringent privacy settings.

19-Apr-24: In Security News Today
https://techkranti.com/19-apr-24-in-security-news-today/
Fri, 19 Apr 2024 21:47:53 +0000

Akira Ransomware Gang Extorts $42 Million; Now Targets Linux Servers

The Akira ransomware group has extorted $42 million from over 250 victims by targeting businesses and critical infrastructure in North America, Europe, and Australia. They have evolved to target Linux servers, using various tactics like exploiting known vulnerabilities in Cisco appliances and utilizing tools like Mimikatz for privilege escalation. Additionally, the Akira ransomware group is believed to be linked to the Conti ransomware gang and has been observed using a hybrid encryption algorithm to encrypt systems.

180k Impacted by Data Breach at Michigan Healthcare Organization

Cherry Health in Michigan reported a ransomware attack that compromised the personal data of approximately 184,000 individuals on December 21, 2023. The breach involved sensitive information including Social Security numbers, health insurance details, and financial account information. The organization has notified affected individuals and is offering free credit monitoring and identity protection services.

22,500 Palo Alto Firewalls “Possibly Vulnerable” to Ongoing Attacks

Approximately 22,500 Palo Alto GlobalProtect firewall devices are vulnerable to the CVE-2024-3400 flaw, allowing unauthenticated attackers to execute commands with root privileges. Palo Alto Networks released patches between April 14 and 18, 2024, after the flaw was actively exploited by state-backed threat actors. Despite mitigation efforts, there are still around 22,500 possibly vulnerable instances, mainly in the United States, Japan, and India.

United Nations Agency Investigates Ransomware Attack, Data Theft

The United Nations Development Programme (UNDP) is investigating a cyberattack where threat actors breached its IT systems to steal human resources data. The attack, possibly linked to the 8Base ransomware gang, resulted in the exposure of sensitive information such as personal data, accounting data, and employment contracts. This incident highlights the ongoing threat of ransomware attacks targeting organizations, including those as prominent as the United Nations.

France’s Cannes Hospital in Midst of Major Cyberattack

Hôpital de Cannes – Simone Veil in France was hit by a severe cyberattack, resulting in all IT systems being shut down and the hospital reverting to manual, paper-based methods for documenting patient services. The hospital has canceled about a third of non-urgent procedures and is coordinating with local medical facilities to maintain emergency services. Ongoing investigations are supported by multiple cybersecurity agencies, and while there have been no ransom demands or confirmed data breaches, the hospital remains vigilant in maintaining patient care and updates.

OpenMetadata Vulnerabilities Exploited to Abuse Kubernetes Clusters for Cryptomining

Multiple vulnerabilities in OpenMetadata have been exploited to compromise Kubernetes clusters for cryptomining purposes. Threat actors have utilized critical authentication bypass and remote code execution flaws to infiltrate systems, downloading cryptomining malware from servers based in China. Microsoft advises updating OpenMetadata to the latest version to mitigate these risks and protect Kubernetes environments.

Cyberattack Takes Texas-based Frontier Communications Offline

Frontier Communications, a Texas-based telecom provider operating in 25 states, shut down its operations following a cyberattack that led to the theft of personally identifiable information. The breach, detected on April 14, resulted in certain systems being taken offline, causing operational disruptions. The company is currently investigating the incident, engaging cybersecurity experts, and cooperating with law enforcement authorities.

Russian APT Group Thwarted in Attack on US Automotive Manufacturer

Researchers disclosed an attack campaign by the FIN7 threat group targeting a US-based global automotive manufacturer, using spear-phishing to target IT employees with high admin-level rights. BlackBerry’s threat and research team detected and stopped the attack before the ransomware phase. FIN7, also known as Carbon Spider, is expanding its targets to include defense, insurance, and transportation sectors, aiming for larger entities with the expectation of higher ransom payments.

Multiple LastPass Users Lose Master Passwords to Ultra-Convincing Scam

A sophisticated phishing campaign named CryptoChameleon has targeted LastPass users, tricking them into revealing their master passwords through a series of well-crafted social engineering tactics. The attackers use a combination of phone calls, spoofed numbers, and personalized interactions to deceive victims into divulging sensitive information. Despite the attackers’ persistence and evolving tactics, awareness, caution with unsolicited communications, and refraining from sharing passwords are crucial defenses against such elaborate phishing schemes.

MITRE Says State Hackers Breached its Network via Ivanti Zero-days

MITRE Corporation disclosed a state-backed hacking group breached their systems in January 2024 by exploiting two Ivanti VPN zero-days, compromising their NERVE network. The attackers bypassed MFA defenses, used webshells and backdoors, and deployed malware for espionage. The incident led to mass exploitation affecting various organizations, prompting CISA to issue an emergency directive for federal agencies to mitigate the Ivanti zero-days.

UNDP, City of Copenhagen Targeted in Data-Extortion Cyberattack

The United Nations Development Programme (UNDP) and the city of Copenhagen, Denmark, were targeted in a cyberattack in late March, leading to data theft related to human resources and procurement. The UNDP is currently assessing the extent of the breach and has taken steps to identify the source and contain the affected server. While the ransomware gang 8Base claimed responsibility for the attack, the UNDP has not confirmed any ransom demands or payments.

17-Apr-24: In Security News Today
https://techkranti.com/17-apr-24-in-security-news-today/
Wed, 17 Apr 2024 20:26:13 +0000

Asantee Games Has Exposed Data From More Than 14 Million Players Due to its Failure to Set Up a Password

Asantee Games experienced a significant data leak impacting over 14 million players of their game, Magic Rampage, due to a misconfigured MongoDB database that lacked password protection. The exposed data included player usernames, emails, device data, and admin credentials with encrypted passwords. This breach poses serious risks for identity theft, phishing attacks, and unauthorized access to internal systems, highlighting the need for stringent database security practices.

Cherry Health Hit by Ransomware Attack Affecting 185,000 Individuals

Cherry Health, a U.S.-based healthcare provider, experienced a ransomware attack affecting 185,000 individuals, with a variety of personal and medical information compromised. This included names, addresses, health records, and Social Security numbers. The organization has since engaged third-party specialists for a comprehensive investigation and is advising affected patients to monitor their credit reports and account statements for any suspicious activity.

SAP Users Are at High Risk as Cybercriminals Exploit Application Vulnerabilities

Recent research highlights a significant increase in threat actor interest in exploiting SAP vulnerabilities, leading to a surge in ransomware incidents targeting poorly patched organizations. The research reveals a 400% growth in attacks since 2021, with ransomware groups like Conti, Quantum, and REvil being involved. Dark web chatter on SAP vulnerabilities has surged by 490%, emphasizing the need for organizations to secure their SAP systems, patch vulnerabilities, and enhance cybersecurity measures.

If you use Fortinet FortiClient EMS, patch NOW

Cybersecurity researchers have identified a campaign exploiting a critical SQL injection flaw in Fortinet FortiClient EMS devices to deploy ScreenConnect and Metasploit Powerfun payloads. The campaign, codenamed Connect:fun, targeted a media company by leveraging the vulnerability to download and install malicious tools. The threat actor behind the campaign has shown manual intervention and specific targeting, emphasizing the importance of applying patches, monitoring for suspicious activity, and utilizing web application firewalls to mitigate potential risks.

Exploitation of Palo Alto Firewall Vulnerability Picking Up After PoC Release

The exploitation of a Palo Alto Networks firewall vulnerability (CVE-2024-3400) has increased following the release of Proof-of-Concept (PoC) code. This critical flaw allows remote code execution with root privileges via the GlobalProtect feature and device telemetry. Cybersecurity firms have observed sophisticated threat actors, including a potential state-sponsored group, using this vulnerability to infiltrate networks and deploy malicious payloads.

Cisco: Multiple VPN, SSH Services Targeted in Mass Brute-Force Attacks

Cisco has reported a significant uptick in brute-force attacks targeting VPN and SSH services, leveraging anonymizing proxies and Tor exit nodes. The attackers are using a mix of generic and known organization-specific usernames to access web applications, potentially leading to unauthorized network access or service disruptions. Cisco has updated its block list to include IPs associated with these attacks but anticipates ongoing and possibly escalating threats.

Ivanti Releases Fixes for More Than 2 Dozen Vulnerabilities

Ivanti has addressed 27 vulnerabilities in its 2024 first-quarter release, with fixes ranging from a vulnerability allowing an authenticated remote attacker to view sensitive information to a heap overflow vulnerability enabling remote command execution. The company recommends that users update to Avalanche 6.4.3 to apply all the fixes and emphasizes the importance of having the MSSQL database password readily available before upgrading. Users can download the update and find further instructions on Ivanti’s website.

16-Apr-24: In Security News Today
https://techkranti.com/16-apr-24-in-security-news-today/
Wed, 17 Apr 2024 05:53:23 +0000

Hive Trojan Creators and $3.5M Cryptojacking Mastermind Arrested in Global Crackdown

Two individuals have been arrested in Australia and the U.S. for their involvement in developing and distributing the remote access trojan Hive RAT, allowing control over victim computers and access to private information. Additionally, a Nebraska man was indicted for operating a $3.5 million illegal cryptojacking operation, defrauding cloud computing providers to mine cryptocurrency. The suspects face charges including wire fraud, money laundering, and engaging in unlawful monetary transactions, with potential sentences of up to 20 years in prison.

Iran-Backed Hackers Blast Out Threatening Texts to Israelis

The Handala cyber group, allegedly backed by Iran, claimed to have compromised Israel’s radar systems and sent over 500,000 threatening texts to Israeli citizens amidst ongoing military tensions. The messages warned of imminent danger and urged citizens to evacuate, amplifying fear and confusion. While these claims have yet to be verified by Israeli officials, they reflect the escalating use of cyber warfare in geopolitical conflicts.

Ransomware Group Starts Leaking Data Allegedly Stolen From Change Healthcare

The RansomHub group has begun to leak data they claim to have stolen from Change Healthcare, involving highly sensitive personal and medical information. This follows an earlier ransomware attack by the Alphv/BlackCat group, from which RansomHub acquired the data. In response to these events, Change Healthcare’s parent company, UnitedHealth Group, is working on mitigating the impact on affected customers and has provided significant financial support to healthcare providers.

Change Healthcare cyberattack caused $872 million loss

UnitedHealth Group experienced an $872 million impact on its Q1 earnings as a result of a ransomware attack on Change Healthcare, with $593 million in direct cyberattack response costs and $279 million due to business disruptions. The attack led to a $0.74 per share impact in Q1, with estimated full-year 2024 impacts of $1.15 to $1.35 per share. The cyberattack disrupted the U.S. healthcare system, affecting claims receipt timing and prompting UnitedHealth to reflect an additional $800 million in claims reserves.

Omni Hotels Says Personal Information Stolen in Ransomware Attack

Omni Hotels confirmed a ransomware attack by the Daixin Team, which led to the theft of customer data dating back to 2017, affecting an estimated 3.5 million guests. Although sensitive financial details were not exposed, compromised data included names, emails, mailing addresses, and loyalty program information. The company has restored its systems and is navigating ransom negotiations, initially set at $3.5 million but reduced to $2 million.

Cisco Duo’s Multifactor Authentication Service Breached

A third-party provider handling telephony for Cisco’s Duo multifactor authentication service was compromised by a social engineering cyberattack, leading to a breach where SMS logs were downloaded for specific users. Cisco Duo customers were advised to watch out for potential phishing schemes. This incident highlights the risks associated with third-party identity security providers and emphasizes the importance of assessing the impact of such breaches on cybersecurity posture.
