InForce Cyber

Threat Report October 2021

October was the month of breaches. The following items support that statement:

Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites

We have been tracking a campaign involving the SpyAgent malware that abuses well-known remote access tools (RATs) — namely TeamViewer — for some time now. While previous versions of the malware have been covered by other researchers, our blog entry focuses on the malicious actor’s latest attacks.

We’ve observed a new cryptocurrency-related campaign that abuses a legitimate Russian RAT known as Safib Assistant via a newer version of the malware called SpyAgent. The campaign exploits a DLL sideloading vulnerability, which causes a malicious DLL to be loaded. This DLL hooks and patches various API functions called by the RAT, so that the RAT’s windows are hidden from the user.

Panasonic Suffers Data Breach After Hackers Hack Into Its Network

Japanese consumer electronics giant Panasonic has disclosed a security breach wherein an unauthorized third-party broke into its network and potentially accessed data from one of its file servers.

“As the result of an internal investigation, it was determined that some data on a file server had been accessed during the intrusion,” the company said in a short statement published on November 26. Panasonic didn’t reveal the exact nature of the data that was accessed, but TechCrunch reported that the breach began on June 22 and ended on November 3.

Ransomware Operators Threaten to Leak 1.5TB of Supernus Pharmaceuticals Data

Biopharmaceutical company Supernus Pharmaceuticals last week confirmed it fell victim to a ransomware attack that resulted in a large amount of data being exfiltrated from its network.

The attack, the Rockville, Maryland-based company says, likely happened in mid-November, when a ransomware group accessed data on certain systems, deployed malware to prevent access to files, and then threatened to leak the exfiltrated files.

Despite that, Supernus Pharmaceuticals says it did not experience a significant impact on its business, as its operations were not seriously disrupted by the incident. 

IKEA hit by a cyber attack that uses stolen internal reply-chain emails

According to BleepingComputer, threat actors are targeting IKEA employees in phishing attacks using stolen reply-chain emails.

Once they have compromised the mail servers, threat actors use the access to reply to the company’s internal emails in reply-chain attacks. Sending the messages from the organization’s own infrastructure allows the attackers to evade detection. Threat actors also exploit the access to internal emails to target business partners.

“In internal emails seen by BleepingComputer, IKEA is warning employees of an ongoing reply-chain phishing cyber-attack targeting internal mailboxes. These emails are also being sent from other compromised IKEA organizations and business partners,” reports BleepingComputer.

Pfizer Alleges Insider Stole #COVID19 Vaccine Docs

Pharmaceuticals giant Pfizer alleges that an employee stole COVID-19 vaccine secrets in advance of a job move to a rival company.

The New York-headquartered firm filed a complaint in a Californian district court earlier this week against “soon-to-be-former employee” Chun Xiao (Sherry) Li, according to Bloomberg Law.

It reportedly alleges that Li uploaded more than 12,000 files, including “scores” of confidential documents to a Google Drive account. They’re said to have included vaccine study analysis and info on the development of new drugs.

It’s claimed that the pharma giant detected the activity after installing software to monitor for suspicious behavior, such as uploading files to the cloud. The firm had reportedly already disabled USB access on employee devices. 

Swire Pacific Offshore Operations hit by Cl0p ransomware gang

Swire Pacific Offshore (SPO) has confirmed becoming a victim of a targeted cyberattack by the Cl0p ransomware gang. The company claims that personal information and classified proprietary commercial information might be exposed.

For your information, SPO is Swire conglomerate’s marine services division.

About the Attack

The company didn’t share details of the attack, but it is speculated that the Cl0p ransomware gang targeted it with ransomware because the gang has updated its blog, flaunting that it has successfully breached SPO’s systems.

According to SPO, the attack didn’t impact its global operations as it took immediate action to reinforce already implemented security measures. 

NPC: Personal data of 22K S&R members compromised in cyber attack

The National Privacy Commission (NPC) on Wednesday, Nov. 24, said the personal data of 22,000 S&R members was compromised following a recent cyber attack.

In a statement, NPC confirmed the receipt of a breach notification report on Nov. 15 from S&R Membership Shopping concerning a cyber attack “that may have compromised its members’ personal data.”

S&R said it discovered the security incident on Nov. 14 and submitted a supplemental breach report to the NPC on Wednesday.

According to the report, members’ personal data, including date of birth, contact number, and gender have been compromised.

However, S&R’s data protection officer gave assurance that credit card and other financial information of its customers was not among the compromised personal data.

Huntington Hospital – Notice of Unauthorized Access to Personal Information

Huntington Hospital has sent notices to approximately 13,000 patients about an incident involving the unauthorized access of personal information. The hospital learned that a night shift employee improperly accessed electronic medical patient records in violation of its policies. After a thorough investigation, on February 25, 2019, the hospital determined that the employee improperly accessed patient information without role-based authorization between October 2018 and February 2019.
The employee was immediately suspended, and he was subsequently terminated. In addition, Huntington Hospital notified law enforcement of the incident. The hospital cooperated with the law enforcement investigation, which included following instructions to delay notifying any patients who were potentially impacted by this incident through November 2021. The law enforcement investigation resulted in the former employee being charged with a criminal HIPAA violation. 

Leaks and Breaches

Organisation (Country) | Incident | Records affected
Samaritan Daytop Village (US) | An unauthorised actor gained access to certain systems and viewed or stole certain information. Potentially compromised information includes names, dates of birth, Social Security numbers, medical diagnoses, and health insurance information. | Unknown
Central Depository Services Limited (India) | A critical vulnerability was discovered in India’s largest securities depository. Personal and financial information on investors was exposed. The data dated back to 2005 and included names, permanent account numbers, dates of birth, email addresses, permanent addresses, annual income tax returns, and more. | 43.9 million
Scoolio (Germany) | An API vulnerability exposed the data of users of the app. Exposed information includes user and parent email addresses, location data, names of schools and classes, personal interests and traits, and more. | 400,000
Blue Shield of California (US) | The ransomware attack against Team Alvarez Insurance Services discovered on August 25th, 2021, resulted in the disclosure of members’ data. Potentially compromised information includes dates of birth, email and physical addresses, phone numbers, and health insurance information. | 2,858
Seneca Family of Agencies (US) | A data breach occurred after an unauthorised individual accessed their network between August 25th and August 27th, 2021. Possibly exposed information includes names, dates of birth, Social Security numbers, addresses, phone numbers, email addresses, driver’s license numbers, digital signatures, and various medical and insurance information. | Unknown
Zales[.]com (US) | An issue with the website exposed personal information of customers to other website users. Possibly compromised information includes names, billing addresses, shipping addresses, phone numbers, email addresses, order information, and the last four digits of the customer’s credit card number. | Unknown
Avista (US) | The company notified customers that it suffered a ransomware attack that exposed customers’ email addresses, Avista utility numbers, service addresses, and energy usage. | ~20,000
School District of Janesville (US) | Data that appears to have been obtained in a ransomware attack against the district on October 24th, 2021, was posted on a Russian-language forum. A user named ‘Garrett’ posted screencaps of files allegedly from the district, revealing account numbers, a deposit for a student field trip, and a list of redacted students. | Unknown
Coughlin & Gerhart (US) | An unauthorised attacker gained access to certain computer systems between April 2nd and April 3rd, 2021. Potentially exposed information includes names, addresses, Social Security numbers, driver’s license numbers, passport numbers, financial account information, medical information, and health insurance information. | Unknown
UMass Memorial Health (US) | An unauthorised person gained access to company email accounts between June 2020 and January 2021. Potentially compromised information includes names, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, health insurance information, and clinical and treatment information. | 209,048

Here’s the top 10 list of CVEs released by Microsoft for November 2021:

CVE | Title | Severity | CVSS | Publicly disclosed | Exploited | Type
CVE-2021-42292 | Microsoft Excel Security Feature Bypass Vulnerability | Important | 7.8 | No | Yes | SFB
CVE-2021-42321 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8.8 | No | Yes | RCE
CVE-2021-43208 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | Yes | No | RCE
CVE-2021-43209 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | Yes | No | RCE
CVE-2021-38631 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important | 4.4 | Yes | No | Info
CVE-2021-41371 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important | 4.4 | Yes | No | Info
CVE-2021-42279 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | 4.2 | No | No | RCE
CVE-2021-42298 | Microsoft Defender Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE
CVE-2021-42316 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Critical | 8.7 | No | No | RCE
CVE-2021-26443 | Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability | Critical | 9 | No | No | RCE

Trending Vulnerable Products

Ransomware mentions in the Healthcare Industry