Threat Report April 2022
Anonymous claims to have hacked the Russian Orthodox Church's charitable wing and leaked 15 GB of allegedly stolen data.
Anonymous continues to target Russian government entities and private businesses; this week the group claimed to have hacked the private firms Thozis Corp and Marathon Group, both owned by oligarchs.
Now the collective has announced the hack of the Russian Orthodox Church's charitable wing and leaked 15 GB of data along with 57,000 emails.
Emma Sleep Company admits checkout cyber attack
Emma Sleep Company has confirmed to The Reg that it suffered a Magecart attack which enabled ne’er-do-wells to skim customers’ credit or debit card data from its website.
Customers were informed of the breach by the mattress maker via email in the past week, with the business saying it was “subject to a cyber attack leading to the theft of personal data” but not specifying in the message when it discovered the digital burglary.
“This was a sophisticated, targeted cyber-attack on the checkout process on our website and personal information entered, including credit card data, may have been stolen, whether you completed your purchase or not,” the email to customers states.
Mailchimp: Crook stole cryptocurrency clients’ mailing-list subscriber info
Mailchimp has confirmed a miscreant gained access to one of its internal tools and used it to steal data belonging to 100-plus high-value customers. The clients were all in cryptocurrency and finance-related industries, according to Mailchimp. “Our findings show that this was a targeted incident,” the mailing-list giant’s CISO Siobhan Smyth said in a statement to The Register on Monday.
Rumors of the intrusion surfaced on Twitter over the weekend: on Sunday, hardware cryptocurrency wallet maker Trezor, whose website is trezor.io, warned someone was sending out emails from noreply[at]trezor[dot]us containing a link to malware designed to harvest wallet owners’ information.
More than $15 million stolen after hackers exploit DeFi platform Inverse Finance
An attack on decentralized finance (DeFi) protocol Inverse Finance led to the theft of more than $15 million in cryptocurrency, the company said on Saturday.
The company wrote on Twitter that a hacker managed to manipulate its money market, Anchor, and increased the price of INV via Sushiswap – an open-source ecosystem of DeFi tools.
INV is an Ethereum token that powers Inverse Finance, a decentralized platform used for lending, borrowing, and creating synthetic assets.
The manipulation caused a sharp increase in the price of INV, allowing the hacker to borrow $15.6 million in the DOLA, ETH, WBTC and YFI cryptocurrencies against it.
German wind turbine maker shut down after cyberattack
A German wind turbine maker was forced to shut down its IT systems across multiple locations and business units after it was hit with a cyberattack on March 31.
Nordex designs, sells and manufactures wind turbines, reporting nearly $6 billion in sales in 2021. The company has factories in Germany, China, Mexico, the United States, Brazil, Spain and India. Last Thursday, the company said it detected an intrusion “in an early stage” and managed to initiate response measures quickly.
“The incident response team of internal and external security experts has been set up immediately in order to contain the issue and prevent further propagation and to assess the extent of potential exposure,” the company said in a statement.
Bank had no firewall license, intrusion or phishing protection – guess the rest
An Indian bank that did not have a valid firewall license, had not employed phishing protection, lacked an intrusion detection system and eschewed use of any intrusion prevention system has, shockingly, been compromised by criminals who made off with millions of rupees.
The unfortunate institution is called the Andhra Pradesh Mahesh Co-Operative Urban Bank. Its 45 branches and just under $400 million of deposits make it one of India's smaller banks.
The Works hit by hackers, UK retailer shuts some stores after problems with payment tills
UK high street retailer The Works has shut some of its stores following a “cyber security incident” which saw hackers gain unauthorized access to its systems. According to a statement issued by the firm, which has over 500 stores across the country selling a range of cut-price books, art and craft materials, gifts, and stationery, the attack has caused issues with payment tills which have forced the closure of some stores:
“There has been some limited disruption to trading and business operations, including the closure of some stores due to till issues. Replenishment deliveries to the Group’s stores were suspended temporarily and the normal delivery window for the fulfilment of online orders was extended, but store deliveries are expected to resume imminently and the normal online service levels are progressively being reintroduced.”
Researchers Trace Widespread Espionage Attacks Back to Chinese ‘Cicada’ Hackers
A Chinese state-backed advanced persistent threat (APT) group known for singling out Japanese entities has been attributed to a new long-running espionage campaign targeting new geographies, suggesting a “widening” of the threat actor’s targeting.
The widespread intrusions, which are believed to have commenced at the earliest in mid-2021 and continued as recently as February 2022, have been tied to a group tracked as Cicada, which is also known as APT10, Stone Panda, Potassium, Bronze Riverside, or MenuPass Team.
Leaks and Breaches
| Organisation | Incident | Records affected |
| --- | --- | --- |
| First Choice Community Healthcare (US) | Hive ransomware claimed an attack on March 28th, 2022. They provided archived files containing patient-related information, financial information, and personnel and HR-related files as proof. | Unknown |
| McKenzie Health System (US) | Avos Locker added the hospital to their leak site on April 7th, 2022. The threat actors offered some proof of claim, which included one file containing health insurance information. | Unknown |
| North Carolina A&T University (US) | A cybersecurity breach between March 7th and March 11th, 2022, affected multiple systems. The university appeared on the ALPHV ransomware darknet site prior to disclosure. | Unknown |
| Bet9ja (Nigeria) | BlackCat ransomware targeted the site in a sophisticated attack. The company says the attackers have already demanded a ransom but insists it will never accept their conditions. | Unknown |
| Weatherford ISD (US) | A breach disclosed on March 31st, 2022, possibly compromised addresses and Social Security numbers. | 1,254 |
| Tuloso-Midway ISD (US) | A data breach reported on March 3rd, 2022, reportedly involves names, Social Security numbers, and financial information. | 637 |
| FOX News (US) | An open, non-password-protected database exposed 12,976,279 records, totalling 58 GB of data. Potentially compromised information includes internal FOX emails, usernames, employee ID numbers, host names, IP addresses, and more. | Unknown |
| SuperCare Health (US) | Unauthorised activity on their systems occurred between July 23rd and July 27th, 2022. Potentially compromised information includes names, addresses, dates of birth, patient account numbers, health insurance information, treatment information, and more. | 318,379 |
| Northern Ireland Trust Ford | The vehicle dealer is believed to have been targeted by Conti ransomware operators in a recent attack that impacted the company's internal systems. The Information Commissioner's Office is now investigating the attack. | |
| Wellstar Health System (US) | An unauthorised individual gained access to two email accounts between December 6th, 2021, and January 3rd, 2022. Possibly exposed patient information includes names, medical record numbers, unique account numbers, and laboratory information. | Unknown |
Here’s the top 10 list of CVEs released by Microsoft for April 2022: