Yash Mane says
Iran was the victim of serious cyberattacks on Saturday that interfered with government functions and targeted nuclear installations, amidst escalating tensions in the Middle East. After Israel promised to retaliate against Iran’s missile onslaught on October 1, these assaults took place. Sensitive material was stolen as a result of cyberattacks targeting Iran’s judiciary, legislative, and executive departments, according to Abolhassan Firouzabadi, the former secretary of the country’s Supreme Council for Cyberspace. Transportation, fuel delivery, and nuclear plants are examples of critical infrastructure that was attacked. Furthermore, walkie-talkies and pagers were prohibited aboard Iranian aircraft after sabotage strikes in Lebanon that claimed the lives of 39 Hezbollah fighters using these devices.
https://securityaffairs.com/169693/cyber-warfare-2/cyber-attack-hit-iranian-nuclear-facilities.html
Clement Tetteh Kpakpah says
Chicago Children’s hospital confirms cyberattack, continues to provide care | Published Feb. 9, 2024, | Emily Olsen
Lurie Children’s Hospital confirmed its network had been accessed by a “known criminal threat actor,” more than a week after the Chicago-based provider was forced to take its computer systems offline.
The hospital shut down its phone, email, electronic health record system, and MyChart patient portal on January 31 to protect its data. It has been working with teams of internal and external experts in responding to the incident and law enforcement, including the FBI.
The hospital has been without computer system access for over a week following the incident. Phone, email, and electronic systems at Lurie Children’s Hospital were offline, the pediatric provider reported. The hospital had initially reported the network outage on January 31.
Lurie said it provides care for more than 239,000 children each year and hence is still accepting patients. It has been operating under “downtime procedures” to continue providing care during system outages.
https://www.cybersecuritydive.com/news/lurie-childrens-hospital-cyberattack/707094/
Daniel Akoto-Bamfo says
The US Department of Justice has arrested 18 individuals and entities in a series of fraud operations, involving manipulation to market digital assets. The FBI made its own cryptocurrency token and company, codenamed Operation Token Mirrors (Operation Mirror Tokens) or NexFundAI. The company decided to develop a cryptocurrency that would be operated as secure storage for value, and most importantly — trigger changes in the AI domain. The publication notes that ZM Quant, CLS Global, and MyTrade market makers are indicted in Malaysia court for allegedly partaking or plotting to be involved in wash trading activities with their employees on behalf of NexFund.AI. Over $25 million in cryptocurrency has been seized and various bots that were involved in wash trading have been disabled as well.
https://thehackernews.com/2024/10/fbi-creates-fake-cryptocurrency-to.html
Sara Sawant says
Star Health Insurance, a leading health insurance provider in India, confirmed a data breach that compromised information of approximately 31 million customers. The hacker, known as xenZen, claims to have accessed 7.24 terabytes of data, including sensitive personal and medical details, and is reportedly selling it online. The hacker also accused Star Health’s Chief Information Security Officer (CISO), Amarjeet Khanuja, of involvement in the breach, alleging that Khanuja sold the data. However, the company stated that there is no evidence of his wrongdoing and that he is cooperating with the investigation. Star Health has initiated a forensic investigation with cybersecurity experts and filed legal actions against the hacker and Telegram, where data was allegedly leaked using chatbots. The company has assured customers that its operations remain unaffected and is working to comply with a court order to disable access to the leaked data.
https://www.reuters.com/technology/cybersecurity/indias-star-health-probes-alleged-role-security-chief-data-leak-2024-10-10/
Lily Li says
Cisco investigating data breach: what we know so far
IntelBroker is a black hat hacker (a criminal infamous for high-profile attacks on Europol, Apple, and others) offering data taken from Cisco on October 6th. The alleged data stolen from Cisco included files such as GitHub repositories, source code, Cisco confidential documents, API tokens, and many more. With this type of information, hackers can gain unauthorized entry to a company’s systems, disrupt operations, and steal valuable data. In a post by IntelBroker, information on seven Cisco employees was included, with names, usernames, email addresses, and hashed passwords revealed. The post also consisted of screenshots of Excel sheet presentations, infrastructure panels, and similar information. However, IntelBroker intends to sell this data, so only limited data samples were included in the original post. The hackers’ claims are still unconfirmed, but the Cybernews research team has concluded that the attackers’ claims seem “believable”.
https://cybernews.com/news/cisco-investigating-data-breach-what-we-know/
Rohith says
A report published this week by OpenAI reveals that the artificial intelligence company has disrupted more than 20 cyber and covert influence operations since the beginning of the year, including the activities of Iranian and Chinese state-sponsored hackers.
https://www.securityweek.com/openai-says-iranian-hackers-used-chatgpt-to-plan-ics-attacks/
Parth Tyagi says
TrickMo Banking Trojan Can Now Capture Android PINs and Unlock Patterns:
New variants of an Android banking trojan called TrickMo have been found to harbor previously undocumented features to steal a device’s unlock pattern or PIN.
First spotted in the wild in 2019, TrickMo is so named for its associations with the TrickBot cybercrime group and is capable of granting remote control over infected devices, as well as stealing SMS-based one-time passwords (OTPs) and displaying overlay screens to capture credentials by abusing Android’s accessibility services.
Some of the new variants of the malware have also been equipped to harvest the device’s unlock pattern or PIN by presenting to the victim a deceptive User Interface (UI) that mimics the device’s actual unlock screen.
The UI is an HTML page that’s hosted on an external website and displayed in full-screen mode, thus giving the impression that it’s a legitimate unlock screen.
India came out as the top target for mobile attacks during the time frame, experiencing 28% of all attacks, followed by the U.S., Canada, South Africa, the Netherlands, Mexico, Brazil, Nigeria, Singapore, and the Philippines.
Read more at https://thehackernews.com/2024/10/trickmo-banking-trojan-can-now-capture.html
Justin Chen says
Taiwan visitors exposed in massive hotel booking data leak
Blockchain technology solutions company OwlTing has inadvertently exposed 765,000 users’ sensitive data by leaving open access to its AWS storage (S3). The spill mostly affected hotel guests in Taiwan.
On July 29th, the Cybernews research team, during a routine investigation using OSINT methods, discovered a misconfigured Amazon S3 bucket storing a massive amount of files. S3 buckets are simple cloud storage containers on Amazon Web Services (AWS), similar to file folders for storing files.
Over 168,000 CSV and XLSX documents in the bucket contained the personally identifiable information (PII) of over 765,000 customers.
The leak was attributed to OwlTing, a Taiwanese company that serves global travel, food safety, hospitality, media, and other e-commerce sectors and offers well-recognized blockchain solutions.
https://cybernews.com/security/taiwan-visitors-exposed-in-massive-data-leak-owlting/
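One way to check a bucket for the kind of misconfiguration described in this post, as an added example that is not part of the original post and not OwlTing's or Cybernews' code: it evaluates constructed samples of the JSON that AWS returns for a bucket's policy, ACL and Block Public Access settings (the bucket name, role ARN and owner ID are made up).

```python
"""Offline audit of S3 bucket access settings for the misconfiguration class that
leaves a bucket readable by anyone on the internet. Hypothetical helper; the
inputs below are constructed samples shaped like the responses of the AWS
GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock API calls."""
import json

PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. any caller, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy: dict) -> list:
    """Allow statements that grant S3 actions to a wildcard principal with no Condition."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned wildcard grants need manual review; not flagged here
        hits.append((stmt.get("Sid", f"statement[{i}]"), _as_list(stmt.get("Action"))))
    return hits


def public_acl_grants(acl: dict) -> list:
    """ACL grants to the AllUsers / AuthenticatedUsers groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GRANTEES:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def audit_bucket(policy: dict, acl: dict, public_access_block: dict) -> dict:
    """Verdict for one bucket: a public policy or ACL only exposes data when the
    account/bucket-level Block Public Access flags are not all enabled."""
    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    fully_blocked = all(pab.get(flag) is True for flag in PAB_FLAGS)
    policy_hits = public_policy_statements(policy)
    acl_hits = public_acl_grants(acl)
    findings = [f"policy {sid} allows {', '.join(acts)} to everyone" for sid, acts in policy_hits]
    findings += [f"ACL grants {perm} to {group}" for group, perm in acl_hits]
    missing = [flag for flag in PAB_FLAGS if pab.get(flag) is not True]
    if missing:
        findings.append("Block Public Access not fully enabled: " + ", ".join(missing))
    return {"exposed": bool(policy_hits or acl_hits) and not fully_blocked, "findings": findings}


# Constructed sample: a bucket that leaks its contents to the whole internet.
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bookings", "arn:aws:s3:::example-bookings/*"]}]}
LEAKY_ACL = {"Grants": [{"Grantee": {"Type": "Group",
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
NO_PAB = {"PublicAccessBlockConfiguration": {flag: False for flag in PAB_FLAGS}}

# Constructed sample: the hardened counterpart (one IAM role, owner-only ACL, all blocks on).
PRIVATE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/booking-app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bookings/*"}]}
OWNER_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
             "Permission": "FULL_CONTROL"}]}
FULL_PAB = {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}}

if __name__ == "__main__":
    for name, args in (("leaky", (LEAKY_POLICY, LEAKY_ACL, NO_PAB)),
                       ("hardened", (PRIVATE_POLICY, OWNER_ACL, FULL_PAB))):
        print(name, json.dumps(audit_bucket(*args), indent=2))
```

In a real audit the three dictionaries come from the corresponding boto3 client calls; the verdict logic is unchanged.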
Aaroush Bhanot says
Fidelity says data breach exposed personal data of 77,000 customers
Fidelity Investments has disclosed a data breach that resulted from a third party accessing information from its systems between August 17 and August 19 using two customer accounts that they created. According to data breach filings, the attacker was able to access customer data by making fraudulent requests against an internal database and retrieving images of documents pertaining to Fidelity customers. Fidelity disclosed that the breached data includes customers’ social security numbers and driver’s licenses.
https://techcrunch.com/2024/10/10/fidelity-says-data-breach-exposed-personal-data-of-77000-customers/?utm_source=tldrinfosec
Charles Lemon says
“MoneyGram confirms customer data breach”
Money transfer company MoneyGram has notified its customers of a data breach in which it says customers had their personal information breached between September 20 and 22, 2024. The incident was discovered on September 27th, and a subsequent investigation revealed customers’ PII was stolen, including names, contact information, social security numbers, dates of birth, bank account numbers, and identification documents. The number of customers affected by this breach remains unclear. MoneyGram announced they took certain systems offline to avoid any further compromise. Affected customers should take steps to protect themselves, including changing their passwords and setting up identity monitoring services. MoneyGram has also announced that the breach appears to have started with a social engineering attack on its IT helpdesk staff. This data breach has led directly to the cancellation in the UK of its longstanding contract with the Post Office, showing the serious consequences it has had.
https://www.malwarebytes.com/blog/news/2024/10/moneygram-confirms-customer-data-breach
Steven Lin says
The TrickMo banking trojan, which originally worked with the TrickBot cybercriminal group, was extended to embed capabilities enabling attackers to steal unlock patterns and PINs from Android devices. TrickMo can capture user credentials by displaying a sham version of the device’s real unlock screen via a phishing user interface, then sends the results to a distant server. Stolen credentials range from banking information to access into the corporation, including VPNs. This malware targets a wide range of applications; thus, this attracts the growth in mobile devices to security breaches.
This is an interesting case since it shows a glimpse of how complex mobile malware has become; it’s constantly evolving in efforts to bypass even security mechanisms that were formerly thought to be generally secure, like PINs or unlock patterns.
https://thehackernews.com/2024/10/trickmo-banking-trojan-can-now-capture.html
Sarah Maher says
Ransomware attack costs rising sharply in 2024, cyber insurer warns
The average demand for cyber ransom is now 1.3 million. “The average loss after negotiations amounted to $353,000.” The attacks and ransoms typically occur during the summer months and in the winter near holidays, because businesses are typically slower to react at these times. The risk increases with the use of various risky technologies (image breakdown here: https://media.cybernews.com/2024/10/risks.png). Multi-factor authentication for anyone using a VPN is a good protection. I found this interesting because I wonder how many companies are now buying insurance for cyber ransom vs. self-insuring or even using group captives.
https://cybernews.com/security/ransomware-attack-costs-rising-sharply-in-2024/
Haozhe Zhang says
A recent data breach involving Taiwan-based travel service Owlting has exposed sensitive data of visitors. The leak included personal information such as names, passport numbers, and travel dates, affecting both tourists and residents. Investigators found that the breach likely originated from a misconfigured cloud server, leaving the data publicly accessible. This incident underscores the importance of robust cybersecurity practices, especially in tourism-related sectors that handle large volumes of personal data. Owlting has since taken steps to secure the affected systems and notify impacted individuals.
https://cybernews.com/security/taiwan-visitors-exposed-in-massive-data-leak-owlting/
Lili Zhang says
Recent cyberattacks have significantly disrupted operations across Iran, affecting various government branches and nuclear facilities. On October 12, simultaneous cyberattacks targeted Iran’s infrastructure, marking a potential Israeli response to recent missile threats from Iran. As these tensions escalate, both countries brace for possible further confrontations.
https://economictimes.indiatimes.com/news/defence/massive-cyberattacks-strike-irans-nuclear-facilities-and-government-agencies-is-israel-behind-it/articleshow/114192558.cms?from=mdr
Jocque Sims says
In The News – Ascension Health, nation’s largest Catholic hospital chain, victim of cyberattack disrupting operations
Summary of Events: On May 8, 2024, Ascension Health, the largest chain of Catholic hospitals, suffered a cyber-attack that resulted in a disruption of operations. Malware attacks exploited weaknesses in the hospital’s outdated software. Additionally, the hospital had no access control policies in place, nor was cyber hygiene training conducted. The disruptions included the loss of access to the organization’s electronic health records (EHR), affecting the Ascension Health clinics’ ability to function, as well as denial of access to the company’s patient portal. No information was provided on how the incident was resolved, but in a statement from the company on June 15, operations were restored on June 14, 2024.
Works Cited
Casiano, L. (2024, May 9). Ascension Health, nation’s largest Catholic hospital chain, victim of cyberattack disrupting operations. Retrieved from Fox Business: https://www.foxbusiness.com/healthcare/ascension-health-nations-largest-catholic-hospital-chain-victim-cyberattack-disrupting-operations