GlobalSign Blog

International Takedown of Chinese Botnet, a Teenager was Able to Breach London’s Transport Agency and a U.S. Airport Recovers from a Summer Attack - September News Scam


Hello and welcome to the September NewsScam. We’re here yet again covering the biggest stories over the last month in cybersecurity, but we also like to feature articles you may have missed. Because there is just SO much happening it can be hard to keep up with it all!
Some of the most prominent activities were in both the transportation and healthcare sectors this month, from a somewhat impactful attack on London’s transport system, to the main airport in Seattle, Washington recovering from an incident last month. At least the airport incident wasn’t carried out by an apparently bored teenager!

Also, in the latter part of the month, it was revealed the personal information of more than 3,000 U.S. Congressional staffers was leaked on the dark web. Research from internet security firm Proton discovered more than 1,800 passwords used by employees of the U.S. Congress on the dark web. The report found one case where a single staffer had 31 passwords exposed online.

On the healthcare front, an ambulance company servicing four states in the southern U.S. was breached during the summer and has now disclosed that hackers are demanding $7 million, but word has it a deal is in the works where the ambulance provider would have to pay significantly less.

It’s distressing to see companies continuing to pay for data, despite the U.S. government guidance several years ago to not pay ransom. However, at this time there is not an outright ban. And so on it goes. 

On a positive note, there were numerous takedowns in September. The most notable involved a Chinese botnet comprising 260,000 internet-connected devices. The US Federal Bureau of Investigation (FBI) took control of it the week of September 10th. The botnet, which was running Mirai malware, was operated by a Chinese group affiliated with “Flax Typhoon”. The Mirai botnet is quite infamous, having first debuted about ten years ago. At one point, the perpetrators behind it even targeted the amazing cyber sleuth Brian Krebs. For those new to the topic of the Mirai botnet, Brian has some excellent background on the Mirai malware and their attempt at attacking him. It dates back to 2017, but as the expression goes, “it’s an oldie, but a goodie!” 

That’s a wrap for our summary. Please scroll down the page for dozens of stories we’ve curated for your reading pleasure. We hope to see you next month!

Cyber Incidents are Driving the Transportation Sector Crazy

Cyber criminals have been busy disrupting a plethora of organizations in the transportation sector. From yet another major incident in London and a data breach at a major rental car company in the US to an attack on an automotive manufacturer, September was active.

  • Let’s begin in London, where it turns out a teenager is responsible for an early September cyber attack that targeted Transport for London (TfL), the government body responsible for the transportation network in Britain’s capital. Initially detected on September 1st, the incident led to some passengers on London subways experiencing problems with contactless payments three days later. The 17-year-old attacker was detained by authorities on September 5th but was later released on bail. The incident impacted London’s underground train system (“The Tube”), which serves about 4 million daily journeys. Then, on September 25, the Wi-Fi system was hacked at 19 railway stations. Even more concerning, the rail system's Wi-Fi was used to display a message about terror attacks in Europe.
  • Motorcycle manufacturer Kawasaki Motors Europe (KME) is a victim of the cybercriminal group RansomHub. The group has released 487GB of data on the dark web. According to a statement on KME’s website, the incident began in early September. The company says the attack was not successful but acknowledged their servers were “temporarily isolated” while an investigation was carried out. In its statement KME said by the following week “over 90% of server functionality was restored,” and that “normal business had been resumed in respect of dealers, business administration and third-party suppliers such as logistics companies.”
  • Following a major incident that began in August, the Seattle-Tacoma International Airport is recovering nearly three weeks into a cyberattack that delayed passengers and disrupted baggage handling. While the airport may have recovered, the Rhysida ransomware gang is demanding a 100-bitcoin ransom (about $6 million) for data contained in the eight files it stole during the heist.
  • Also this month, U.S. car rental giant Avis notified 300,000 people about the occurrence of a data breach in August. Although the company attributed the incident to “insider wrongdoing” no employee has been named, so what exactly happened at Avis is unclear. The company was forced to announce the breach after a notification letter was published by the Maine Office of the Attorney General. It appears that an un-named business app Avis uses was impacted. An investigation of the incident at the company is ongoing. 

International Takedown of Chinese Botnet Targeting Critical Infrastructure, and More Tales of Cybercriminal Arrests  

In January, U.S. authorities announced the disruption of a Chinese-controlled botnet targeting critical infrastructure. Fast forward to September, and there has been the discovery and disruption of yet another Chinese botnet. The latest botnet was taken over by the FBI the week of September 10th. It comprised 260,000 internet-connected devices, from digital cameras and video cameras to storage devices and even home routers. It also ran Mirai malware, which, as previously mentioned in this post, has been wreaking havoc for around a decade. This newest botnet, operated by Integrity Technology Group (connected to hacking group “Flax Typhoon”), was targeting critical infrastructure in the U.S. and overseas, which could ultimately become destructive. By collaborating with international partners, the FBI was able to take over the botnet’s own infrastructure. According to TechCrunch, the FBI also removed malware from compromised devices, and “when the bad guys realized what was happening, they tried to migrate their bots to new servers and even conducted a Distributed Denial of Service attack against us.” Devices included in the massive botnet have been discovered in the Americas, Europe, Africa, Southeast Asia and Australia. But that’s not the end of the story. Authorities worldwide have been plenty busy catching the bad guys! Here are a few snippets.

  • An operation on September 17 organized by Europol and led by the Australian Federal Police led to the arrest of a 32-year-old man who ran the crimeware messaging app, Ghost. The app, which was taken down during the operation, was used by organized criminal groups in Ireland, Italy and central Europe.
  • Law enforcement in Europe and Latin America were involved in the takedown of a phishing network that has supposedly impacted nearly half a million victims. Seventeen suspects involved with the iServer platform were rounded up between September 10th and 17th, during which 921 items were seized. A post from Europol states the international operation involved authorities from Spain, Argentina, Chile, Colombia, Ecuador and Peru.
  • Miami authorities apprehended two suspects in mid-September, charging the pair with conspiracy to steal and launder more than $230 million in cryptocurrency. The defendants, a 21- and 20-year-old, were arrested on September 19th by FBI agents and charged with an August 18th attack involving more than 4,100 Bitcoin from a Washington, D.C. victim. The stolen cryptocurrency was used to purchase luxury cars, watches, designer handbags as well as nightclub outings in Miami and Los Angeles.
  • Also in Miami, two foreigners living there were recently indicted for running a cybercrime training service. Authorities say that Alex Khodyrev, 35, and Pavel Kublitskii, 37, ran the WWH Club, a Russian-language cybercrime marketplace and training service. The pair were charged on September 6th and if convicted could serve up to 20 years in prison. In this story by Cyberscoop, the FBI describes the WWH Club as a “cross between Ebay and Reddit…that exists for the sole purpose of promoting and facilitating crime.” The part of the story I love? How “Despite showing no outward signs of being employed legitimately, Kublitskii rented a ‘luxury condominium’ in Sunny Isles Beach, Fla… while in March 2023 Khodyrev purchased a 2023 Corvette at a South Florida dealership with approximately $110,000 in cash.”

Der Spiegel: Top Russian Hacking Group Created a Bogus Website of a Leading German Institute, then Began a Months-Long Phishing Campaign

Germany’s cyber agency Federal Cyber Security Authority (BSI) is investigating an article in Der Spiegel claiming that Russian state hacking group APT28 created a bogus website that imitates Germany’s Kiel Institute for the World Economy. The September 6th article is based on a confidential IBM X-Force report, the exact date of which is currently unavailable. APT28 (AKA Fancy Bear) allegedly ran a month-long phishing campaign following the creation of a domain that visitors thought belonged to the Institute. Except, of course, it didn’t. Visitors to the fraudulent site were shown documents that were difficult to read but ultimately instructed them to click further. Doing so led to malware being loaded onto victims’ computers. German security authorities believe that APT28/Fancy Bear is behind other incidents in the country, including a 2015 attack on the German parliament (Bundestag) and a 2022 attack on the Social Democratic Party (SPD). In 2016, the group also reportedly compromised Hillary Clinton’s presidential campaign, as well as the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee.

Healthcare Cybersecurity – A Temperature Check 

One of the biggest attack targets is always (sadly) healthcare. In a year that has featured major incidents such as the June attack at British lab Synnovis that led to a massive disruption at London-area hospitals, to February’s Change Healthcare attack in the U.S., cyber criminals commonly focus on a market with a ferocity that is hard to imagine knowing how many people can be adversely affected. With that in mind, here’s a breakdown of incidents impacting this vulnerable industry this month alone: 

  • A Louisiana (U.S.)-based ambulance company notified nearly 3 million people about a data breach that occurred in June. Ransomware gang Daixin reportedly stole, and published, data of current and former patients of Acadian Ambulance Service, which services four U.S. states. The following month, Daixin supposedly demanded a $7 million ransom from Acadian. Not surprisingly, the demand was impossible for the ambulance company to pay, and the company may have negotiated for a figure “less than $173,000”, according to DataBreaches.net.
  • According to a September 17th article in the Wall Street Journal, Pennsylvania-based Lehigh Valley Health Network has agreed to a $65 million settlement related to a rather upsetting 2023 cyberattack. In that attack by the infamous ALPHV/Blackcat ransomware group, not only was patient data posted online, but naked photos of patients taken as part of their treatment were also exposed. In total, the data and files of 135,000 patients were stolen.
  • As for the aforementioned attack on Synnovis back in June, a new report in The Record says the data of nearly 1 million of the UK’s National Health Service patients were leaked online. The ransomware attack significantly impacted London hospitals, especially blood transfusions and other critical medical procedures which were forced to be cancelled or rescheduled.

But Wait, There’s More 

I stole 20 GB of data from Capgemini – and now I'm leaking it, says cybercrook - The Register
US Capitol Hit by Massive Dark Web Cyber Attack: Reports - Newsweek
Cyber-attack paralyses 40 French museums - Highxtar
Telegram says it will share phone numbers and IP addresses of ‘bad actors’ to authorities - The Record
FBI Issues Warning About BEC Attacks as Losses Increase to $55.5 Billion - The HIPAA Journal
Google Street View Images Used For Extortion Scams - Infosecurity
Ford seeks patent for tech that listens to driver conversations to serve ads - The Record
Kevin Mandia’s 5 question confidence test for CISOs - Cybersecurity Dive
Botnets are Still Exploiting IoT: What Needs to be Done - scmagazineuk.com
Mainframes aren't dead, they're just learning AI tricks - The Register
US Moves Toward Expanding Reg E to Address Payment Fraud - FraudToday.io
Cybersecurity’s next great authentication battle as AI Improves - CSO Online
FCC Seeking IoT Cyber Trust Mark Administrators - MeriTalk
