November is flying by at top speed as we approach the festive season. Despite that, we are of course keeping an eye on all things cybersecurity (we are slightly obsessed!). Here’s our round-up of the biggest stories in cybersecurity from the last month.
Critical Concern for Critical Infrastructure Services
Critical infrastructure services are exactly what they sound like: the organizations that provide critical services including energy, transportation, communications, drinking water and more. Knowing this, hackers frequently target this sector.
Denmark is well aware of this after experiencing a nightmare scenario back in May. The incident, believed to be the most extensive cyberattack in Danish history, is potentially linked to the Russian GRU Main Intelligence Directorate. The highly coordinated attacks allowed cyber criminals to gain access to the systems of 22 companies overseeing various components of Danish energy infrastructure. According to a report published on 14 November, the hackers are believed to have taken advantage of zero-day vulnerabilities in firewalls from Zyxel, which many Danish critical infrastructure operators use for network protection.
Unfortunately, according to SektorCERT, an organization owned and funded by Danish Critical Infrastructure (CI) companies, some of the companies had not updated their firewalls due to cost. Some companies also mistakenly assumed the Zyxel firewalls already had the latest updates to protect them from an attack. Knowing the potential for calamity from an attack on critical infrastructure, the UK and the US recently published reports about the dangers of not being prepared enough. Everyone should take heed.
Anonymous Sudan Claims Attacks on ChatGPT and Cloudflare
Cybercrime gang ‘Anonymous Sudan’ is keeping busy these days. Not only did they execute an attack on OpenAI, the company behind ChatGPT, they have also claimed an attack on cloud security provider Cloudflare. In the case of OpenAI, the company experienced a major outage on 8 November due to a Distributed Denial-of-Service (DDoS) attack. The following day, Anonymous Sudan claimed to have taken down Cloudflare's website in yet another DDoS attack. Cloudflare confirmed that there was an outage but that it had only affected the www.cloudflare.com website, without impacting other products or services. Despite its name, Anonymous Sudan is not affiliated with the country of Sudan. Rather, it appears to be linked to the notorious Russian hacking group KillNet, and possibly the Russian government.
Boeing and a Major Mexico City Airport both Get LockBitten
It’s never good news when a company (or individual) is the victim of a cybercrime. But it’s really NOT good when the entity attacked is a major defense company specializing in aerospace engineering, among other things. In this case, the victim is Boeing. In mid-November the notorious ransomware gang LockBit leaked gigabytes of files it says it stole from the company. On its leak website, LockBit claimed that “a tremendous amount of sensitive data” had been stolen, but later removed the company from the site, saying that negotiations had started.
However, negotiations failed and on 10 November LockBit leaked 45 gigabytes of data. The ramifications of this leak could be extraordinarily bad if the data gets into the wrong hands. The incident at Boeing comes on the heels of another air travel industry-related cyber-attack at one of the busiest airports in Mexico. The Querétaro Intercontinental Airport near Mexico City suffered a cyber security incident on 30 October. LockBit threatened to leak the stolen data online unless airport authorities paid a ransom.
Ransomware Victim Doesn’t Pay, so Hackers File a Complaint with the SEC
In a totally unpredictable move from cyber criminals, a ransomware group filed a “failure to report” complaint with the U.S. Securities and Exchange Commission (SEC) because the company they hacked hadn't disclosed the breach. In a bid to increase the chances of getting paid, Alphv/BlackCat claims to have breached the systems of MeridianLink, which provides digital lending solutions for financial institutions and data verification solutions for consumers. The notorious ransomware gang posted screenshots of the SEC complaint on 15 November, claimed to have stolen a “significant” amount of customer data and operational information, and threatened to leak it unless they are paid. Fortunately, MeridianLink says that no user data has been breached.
Hackers Have an Unhealthy Obsession with Healthcare and Medical Organizations
Unfortunately, November has been chock full of attacks on a broad spectrum of healthcare and medical organizations. Interestingly, none of the incidents took place outside the U.S. Cyber-attacks were declared at a hospital in California, a large hospital chain, a medical device provider, a provider in the pharmacy industry and more. Not only that, but northern California-based healthcare system Sutter Health disclosed that more than 845,000 patients had their personal data exposed after its third-party communications firm Virgin Pulse was impacted by the widespread MOVEit file transfer system hack.
Here’s a list of some of the attacks we are aware of:
- Pharmacy provider Truepill data breach hits 2.3 million customers - Bleeping Computer
- California hospital declares an internal disaster after suffering from a cyber-attack - Tech Times
- 9 million health records spilled by transcription firm - SC Magazine
- 2.2 million impacted by data breach at McLaren Healthcare - Security Week
- FBI, CISA, MS-ISAC warn of Rhysida ransomware threat to hospitals - American Hospital Association
- Medical device manufacturer Henry Schein confirms data breach, details financial impact of cyberattack - Mass Device
- Over 100K Connecticut residents' personal information leaked in Prospect Medical's hospital cyberattack - CT Insider
Samsung Says UK Online Store Customer Data Breached
Android device maker Samsung is notifying some of its customers of a data breach that exposed their personal information to an unauthorized individual. However, the impact is limited to customers who made purchases on Samsung’s UK online store between 1 July 2019 and 30 June 2020. Samsung discovered the data breach on 13 November and determined that it was the result of a hacker exploiting a vulnerability in a third-party application the company used. The company says that extremely sensitive customer data such as payment information remains safe.
But Wait, There’s More
- Treasury Markets Disrupted by ICBC Ransomware Attack - Dark Reading
- DP World: Australia sites back online after cyber-attack - BBC
- Homeowners livid after mortgage company exposes millions of customers' personal information - The Street
- Cisco patches serious flaws in Firepower and Identity Services Engine - CSO Online
- British, Toronto Libraries Struggle After Cyber Incidents - Dark Reading
- Hackers target weak spots in Booking.com phishing scam - Irish Independent
- Royal Mail cybersecurity still a mess, say infosec sleuths - The Register
- The Mirai Confessions: Three Young Hackers Who Built a Web-Killing Monster Finally Tell Their Story - WIRED
- Russian hackers disrupted Ukrainian electrical grid last year - Cyberscoop
- Cross-border Perspectives on the Open Banking Debate in the United States - Lexology