The month of October was the month of the Breaches. Here are some topics to support this statement:
Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites
We have been tracking a campaign involving the SpyAgent malware that abuses well-known remote access tools (RATs) — namely TeamViewer — for some time now. While previous versions of the malware have been covered by other researchers, our blog entry focuses on the malicious actor’s latest attacks.
We’ve observed a new cryptocurrency-related campaign that abuses a legitimate Russian RAT known as Safib Assistant via a newer version of the malware called SpyAgent. The campaign exploits a DLL sideloading vulnerability that causes a malicious DLL to load. This DLL hooks and patches various API functions called by the RAT, so the RAT’s windows are hidden from the user.
Panasonic Suffers Data Breach After Hackers Hack Into Its Network
Japanese consumer electronics giant Panasonic has disclosed a security breach wherein an unauthorized third-party broke into its network and potentially accessed data from one of its file servers.
“As the result of an internal investigation, it was determined that some data on a file server had been accessed during the intrusion,” the company said in a short statement published on November 26. Panasonic didn’t reveal the exact nature of the data that was accessed, but TechCrunch reported that the breach began on June 22 and ended on November 3.
Ransomware Operators Threaten to Leak 1.5TB of Supernus Pharmaceuticals Data
Biopharmaceutical company Supernus Pharmaceuticals last week confirmed it fell victim to a ransomware attack that resulted in a large amount of data being exfiltrated from its network.
The attack, the Rockville, Maryland-based company says, likely happened in mid-November, when a ransomware group accessed data on certain systems, deployed malware to prevent access to files, and then threatened to leak the exfiltrated files.
Despite that, Supernus Pharmaceuticals says it did not experience a significant impact on its business, as its operations were not seriously disrupted by the incident.
IKEA hit by a cyber attack that uses stolen internal reply-chain emails
According to BleepingComputer, threat actors are targeting IKEA employees in phishing attacks using stolen reply-chain emails.
Once they have compromised the mail servers, threat actors use the access to reply to the company’s internal emails in reply-chain attacks. Sending the messages from the organization’s own servers allows the attackers to bypass detection. Threat actors also exploit the access to internal emails to target business partners.
“In internal emails seen by BleepingComputer, IKEA is warning employees of an ongoing reply-chain phishing cyber-attack targeting internal mailboxes. These emails are also being sent from other compromised IKEA organizations and business partners,” reports BleepingComputer.
Pfizer Alleges Insider Stole #COVID19 Vaccine Docs
Pharmaceuticals giant Pfizer alleges that an employee stole COVID-19 vaccine secrets in advance of a job move to a rival company.
The New York-headquartered firm filed a complaint in a Californian district court earlier this week against “soon-to-be-former employee” Chun Xiao (Sherry) Li, according to Bloomberg Law.
It reportedly alleges that Li uploaded more than 12,000 files, including “scores” of confidential documents to a Google Drive account. They’re said to have included vaccine study analysis and info on the development of new drugs.
It’s claimed that the pharma giant detected the activity after installing software to monitor for suspicious behavior, such as uploading files to the cloud. The firm had reportedly already disabled USB access on employee devices.
Swire Pacific Offshore Operations hit by Cl0p ransomware gang
Swire Pacific Offshore (SPO) has confirmed becoming a victim of a targeted cyberattack by the Cl0p ransomware gang. The company claims that personal information and classified proprietary commercial information might be exposed.
For your information, SPO is the Swire conglomerate’s marine services division.
About the Attack
The company didn’t share details of the attack, but the Cl0p ransomware gang is suspected because the gang has updated its blog, flaunting that it has successfully breached SPO’s systems.
According to SPO, the attack didn’t impact its global operations as it took immediate action to reinforce already implemented security measures.
NPC: Personal data of 22K S&R members compromised in cyber attack
The National Privacy Commission (NPC) on Wednesday, Nov. 24, said the personal data of 22,000 S&R members was compromised following a recent cyber attack.
In a statement, NPC confirmed the receipt of a breach notification report on Nov. 15 from S&R Membership Shopping concerning a cyber attack “that may have compromised its members’ personal data.”
S&R said it discovered the security incident on Nov. 14 and submitted a supplemental breach report to the NPC on Wednesday.
According to the report, members’ personal data, including dates of birth, contact numbers, and gender, had been compromised.
However, S&R’s data protection officer assured that credit cards and other financial information of its customers were not among the compromised personal data.
Huntington Hospital – Notice of Unauthorized Access to Personal Information
Huntington Hospital has sent notices to approximately 13,000 patients about an incident involving the unauthorized access of personal information. The hospital learned that a night shift employee improperly accessed electronic medical patient records in violation of its policies. After a thorough investigation, on February 25, 2019, the hospital determined that the employee improperly accessed patient information without role-based authorization between October 2018 and February 2019.
The employee was immediately suspended, and he was subsequently terminated. In addition, Huntington Hospital notified law enforcement of the incident. The hospital cooperated with the law enforcement investigation, which included following instructions to delay notifying any patients who were potentially impacted by this incident through November 2021. The law enforcement investigation resulted in the former employee being charged with a criminal HIPAA violation.
Leaks and Breaches

| Organisation | Incident | Affected |
|---|---|---|
| Samaritan Daytop Village (US) | An unauthorised actor gained access to certain systems and viewed or stole certain information. Potentially compromised information includes names, dates of birth, Social Security numbers, medical diagnoses, and health insurance information. | Unknown |
| Central Depository Services Limited (India) | A critical vulnerability was discovered in India’s largest securities depository. Personal and financial information on investors was exposed. The data dated back to 2005, and included names, permanent account numbers, dates of birth, email addresses, permanent address, annual income tax return, and more. | 43.9 million |
| Scoolio (Germany) | An API vulnerability exposed the data of users of the app. Exposed information includes user and parent email addresses, location data, names of schools and classes, personal interests and traits, and more. | 400,000 |
| Blue Shield of California (US) | The ransomware attack against Team Alvarez Insurance Services discovered on August 25th, 2021, resulted in the disclosure of members’ data. Potentially compromised information includes dates of birth, email and physical addresses, phone numbers, and health insurance information. | 2,858 |
| Seneca Family of Agencies (US) | A data breach occurred after an unauthorised individual accessed their network between August 25th and August 27th, 2021. Possibly exposed information includes names, dates of birth, Social Security numbers, addresses, phone numbers, email addresses, driver’s license numbers, digital signatures, and various medical and insurance information. | Unknown |
| Zales[.]com (US) | An issue with the website exposed personal information of customers to website users. Possibly compromised information includes names, billing addresses, shipping addresses, phone numbers, email addresses, order information, and the last four digits of the customer’s credit card number. | Unknown |
| Avista (US) | The company notified customers that it suffered a ransomware attack that exposed customers’ email addresses, Avista utility numbers, service addresses, and energy usage. | ~20,000 |
| School District of Janesville (US) | Data was posted on a Russian-language forum that appears to have been obtained in a ransomware attack against the district on October 24th, 2021. A user named ‘Garrett’ posted screencaps of files allegedly from the district, revealing account numbers, a deposit for a student field trip, and a list of redacted students. | Unknown |
| Coughlin & Gerhart (US) | An unauthorised attacker gained access to certain computer systems between April 2nd and April 3rd, 2021. Potentially exposed information includes names, addresses, Social Security numbers, driver’s license numbers, passport numbers, financial account information, medical information, and health insurance information. | Unknown |
| UMass Memorial Health (US) | An unauthorised person gained access to company email accounts between June 2020 and January 2021. Potentially compromised information includes names, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, health insurance information, and clinical and treatment information. | 209,048 |
Here’s the top 10 list of CVEs released by Microsoft for November 2021:

| CVE | Title | Severity | CVSS | Publicly disclosed | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2021-42292 | Microsoft Excel Security Feature Bypass Vulnerability | Important | 7.8 | No | Yes | SFB |
| CVE-2021-42321 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8.8 | No | Yes | RCE |
| CVE-2021-43208 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | Yes | No | RCE |
| CVE-2021-43209 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | Yes | No | RCE |
| CVE-2021-38631 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important | 4.4 | Yes | No | Info |
| CVE-2021-41371 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important | 4.4 | Yes | No | Info |
| CVE-2021-42279 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | 4.2 | No | No | RCE |
| CVE-2021-42298 | Microsoft Defender Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2021-42316 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Critical | 8.7 | No | No | RCE |
| CVE-2021-26443 | Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability | Critical | 9 | No | No | RCE |
Trending Vulnerable Products
Ransomware mentions in the Healthcare Industry