GlobalSign Blog

US Telecom Hack, $5M Crypto Heist and INC Strike - December NewsScam


Hello and welcome to GlobalSign’s latest NewsScam.

Although it is the holiday season, the cybersecurity world is not showing any signs of slowing down. Let’s dive into all the news!

One of the most concerning stories this month was the discovery that China-backed “Salt Typhoon” had compromised at least eight US telecoms providers, including AT&T, T-Mobile and Verizon.

A story from December 16th reported that at least 40 wallet addresses were drained of a combined $5 million or more in a heist that researchers link to the 2022 breach at password manager provider LastPass.

The conferencing division of BT, one of the largest telecoms providers in EMEA, was breached by the Black Basta ransomware group in early December, and some of its servers were shut down as a precaution.

Both Microsoft and Meta suffered high-profile outages: a “widespread” Microsoft 365 incident on December 10th, less than a month after a similar incident at the company, was followed just a day later by a global access outage of Facebook, Instagram, Threads and WhatsApp.

Three hospitals in Liverpool were impacted by an attack on a digital gateway service they share, carried out by the same group that attacked Leicester City Council in April.

Finally, a Romanian electricity provider was hacked, and Irish authorities arrested a woman in connection with a data breach that occurred last year. With critical infrastructure increasingly taking hits, the US government issued a much-needed guidebook on building cybersecurity into grant-funded projects and preparing funding requests.

As we wrap up the news for 2024, we look forward to covering more groundbreaking stories in our monthly NewsScam in 2025, which you will be able to find exclusively on LinkedIn in the new year.

China-Backed Espionage Group Has Been Spying on Top Telecom Providers for Years

A campaign running for at least two years, apparently the work of China-backed “Salt Typhoon”, has impacted at least eight US telecoms providers, including AT&T, T-Mobile and Verizon. U.S. Deputy National Security Adviser for Cyber Anne Neuberger says that Salt Typhoon also hit dozens of other countries, accessing large quantities of call metadata while searching for the calls and texts of specific targets.

T-Mobile US CSO Jeff Simon told The Register, “The way the cyber-spies hopped between organizations' networks and tried, ultimately unsuccessfully, to break into T-Mobile US was unique,” adding that it was “not something that I've seen in my 15-plus-year career in cybersecurity.” According to Risky.Biz, the U.S. Federal Bureau of Investigation (FBI) says the activity has not stopped and that it is “still fighting to evict Salt Typhoon from the compromised networks.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched an investigation into the hack and, together with numerous other US and international government agencies, has issued guidance to the telecom sector on defensive measures and on strengthening visibility for the engineers and system administrators who oversee communications infrastructure.

Just in Time for Christmas, a Threat Actor Steals More than $5M in Crypto

A new cryptocurrency heist has been linked to the data breach that occurred in the summer of 2022 at password manager provider LastPass. According to investigator ZachXBT, attackers stole $5.6 million in cryptocurrency from more than 40 individual victim addresses between December 16th and December 17th, with other estimates reaching as high as $12 million. ZachXBT also reports that the stolen funds have already been converted into other currencies and moved through various instant exchanges.

In the 2022 breach attackers stole large amounts of data, including source code, API tokens and customer keys, and the breach has since been linked to two separate crypto thefts in which more than $6.2 million was stolen. This new incident would make it the third heist stemming from a single breach. In a statement to Tom's Guide, LastPass CTO and CSO Christofer Hoff provided further insight on these crypto thefts, saying: “A year has passed since initial claims surfaced alleging a link between certain cryptocurrency thefts and the 2022 LastPass security incidents. In that time, LastPass has investigated these claims and to date is not aware of any conclusive evidence that directly connects these crypto thefts to LastPass.” He added that LastPass invites any security researchers who may have further evidence to contact its Threat Intelligence Team at securitydisclosure@lastpass.com.

Not So Merry: December Outages Hit Both Microsoft and Meta

There were large but fairly brief outages at Microsoft and across Meta's services, beginning at Microsoft on Tuesday, December 10th for its Microsoft 365 users. The incident, which the company described as “widespread”, affected Office web apps and the Microsoft 365 admin center and came less than a month after a similar incident at the company.

Affected customers reported seeing messages stating "We're experiencing a service outage. All of your open files have been saved. It may be some time before the outage is resolved." The company advised users with the required licenses to access their Microsoft 365 apps and documents using the desktop applications as a workaround. The following day, Facebook, Instagram, Threads and WhatsApp all experienced a global outage at around 12:40 pm ET. For example, users attempting to access Facebook saw a message stating, “Sorry, something went wrong. We're working on getting this fixed as soon as we can." The extent of the service outages varied depending on user location. 

Cybercrime Gang that Attacked the Leicester City Council in April Responsible for Last Month’s Attack on Three British Hospitals

A late November cyberattack in Liverpool impacted three separate hospitals through a service shared between them. The hack, which initially struck Alder Hey Children's NHS Foundation Trust, also hit Liverpool Heart and Chest Hospital and Royal Liverpool University Hospital. The incident, confirmed on December 4th, appears to be the work of the INC ransomware gang, which was also behind the April hack at Leicester City Council. According to a post on the Alder Hey Children's NHS Foundation Trust website, “Criminals gained unlawful access to data through a digital gateway service shared by Alder Hey and Liverpool Heart and Chest Hospital.” Through that access INC was also able to obtain a small amount of data from Royal Liverpool University Hospital.

Black Basta Blitzes BT

In other telecoms industry news, the Black Basta ransomware group attacked BT in early December. While a data breach at its conferencing division did occur, a company spokesperson told BleepingComputer that the security incident did not impact BT Group's operations or BT Conferencing services, so it is unclear whether any systems were encrypted or whether only data was stolen. Black Basta claims it took 500GB of data, including financial and organizational records. The cybercrime gang is a Ransomware-as-a-Service operation whose previous victims include the Toronto Public Library, the American Dental Association, German defense contractor Rheinmetall and government contractor ABB. In October, BleepingComputer reported that the group had “moved its social engineering attacks to Microsoft Teams, posing as corporate help desks contacting employees to assist them with an ongoing spam attack.” The group is understood to have splintered from the Conti cybercrime syndicate, which shut down two years ago and split into various groups, one of which is believed to be Black Basta.

In the Wake of Increasingly Dangerous Cyberattacks on Critical Infrastructure, US Government Issues Guidebook 

With cyber criminals growing more emboldened in their attacks on critical infrastructure facilities such as electric companies and water treatment plants, the US government has issued a new guide to help operators build cyber resilience into grant programs that fund cybersecurity work. The 75-page guide, titled Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure, provides templates, models and recommendations for prioritizing cybersecurity tools. Grant applicants can use it when preparing their cyber risk assessments and plans, among other things.

There was no US critical infrastructure incident to report this month, but there was activity overseas. In Romania, the newly emerged Lynx ransomware gang breached one of the country's largest electricity suppliers, the Electrica Group. The company warned investors that it was investigating a possible incident, but fortunately its SCADA and other critical systems appear to have been isolated and were unaffected by the attack.

In Ireland, a woman has been arrested following a data breach at Electric Ireland last year. Ireland's police, the Gardaí, said that the young woman was taken into custody in early December and appears to be an employee of Electric Ireland. In a press release, the company said that she “may have inappropriately accessed a small proportion of 1.1 million residential customer accounts” (approximately 8,000 customer accounts). Electric Ireland had pushed for the suspect to be apprehended, concerned that the breach could lead to misuse of personal and financial data.

U.S. Subsidiary of Stoli Declares Bankruptcy Following Crippling Attack

The U.S. subsidiary of vodka brand Stoli filed for bankruptcy in a Texas court on November 29th, citing among other causes a cyber-attack in August. The Record reports that Stoli Group USA CEO Chris Caldwell attributed the company's financial difficulties to a range of factors, the most impactful being the attack, which severely damaged its IT infrastructure. In the bankruptcy filing, Caldwell stated that “The attack caused substantial operational issues throughout all companies within the Stoli Group, including Stoli USA and KO, due to the Stoli Group's enterprise resource planning (ERP) system being disabled and most of the Stoli Group's internal processes (including accounting functions) being forced into a manual entry mode.” The company is still recovering from the incident; the CEO expects systems to be restored “no earlier than in the first quarter of 2025.”

But Wait, There’s More 

Deloitte says cyberattack on Rhode Island benefits portal carries 'major security threat' – The Register
Huge cybercrime attack sees 390,000 WordPress websites hit, details stolen – TechRadar
Online ordering at Krispy Kreme disrupted by cyberattack – The Record
Major auto parts firm LKQ hit by cyberattack – SecurityWeek
Abuse of Cloudflare domains for phishing doubled in 2024, report says – SC World
50 Servers Linked to Cybercrime Marketplace and Phishing Sites Seized by Law Enforcement – SecurityWeek
Hacker Conversations: Dan McInerney and Puzzle-Driven Hacking – SecurityWeek
Major Drop in Cyber-Attack Reports from Large UK Financial Businesses – Infosecurity
8Base hacked port operating company Luka Rijeka – Help Net Security
Six identity takeaways from 2024's cyber blunders and breaches – SC World
Why Phishers Love New TLDs Like .shop, .top and .xyz – KrebsOnSecurity
