AppSec News Bulletin

Date - 25th to 30th November 2023

In Bengaluru, cybercriminals extort Rs 3.7 crore from Infosys executive

An Infosys senior executive was coerced into paying Rs 3.7 crore by cybercriminals posing as officials of TRAI, the CBI, and the Mumbai police. The fraudsters accused him of involvement in various crimes and pressured him into transferring the money over two days. The Cyber Crime Police have registered a case under the IT Act and IPC sections and plan to involve the CID because of the amount involved. The imposters relied on scare tactics, citing a SIM card supposedly issued against the complainant's Aadhaar card and used for criminal activity, and told him the transfers were the only way to avoid arrest. The victim realised he had been deceived only after the money was gone and then lodged a police complaint. Authorities caution against giving in to such demands and advise consulting legal counsel or reporting to the police when faced with similar calls.

Source - Times of India


Govt plans to introduce a 4-hour window to reverse, modify online payments above ₹2,000 to combat fraud: Report

The government is considering a four-hour window on first-time digital transactions between two users, aimed at curbing online payment fraud involving amounts above ₹2,000. If approved, the measure would apply across digital payment methods including UPI, IMPS, and RTGS. The proposed rule would give users four hours to modify or reverse a first payment to an unfamiliar recipient; it is slated for discussion among the RBI, banks, and technology firms.

Presently, new UPI accounts are limited to ₹5,000 in transactions within the first 24 hours, while NEFT allows ₹50,000 after activation. The four-hour window would apply each time a user makes a first payment above ₹2,000 to an account they have not paid before.

The RBI's report recorded over 13,000 payment frauds amounting to ₹30,252 crore, nearly half of them involving digital payments. The national helpline 155260 and a reporting platform run by the I4C (Indian Cybercrime Coordination Centre) were introduced to limit financial losses from cyber fraud, and guidelines on reversing UPI payments made in error were also issued this year.

Source - Livemint


Insider Attack: 5 Techies Held for Stealing Client Data from Chennai Firm

Five tech professionals, three from Bengaluru and two from Chennai, have been arrested for their alleged role in a hacking incident targeting the foreign-client data of a Chennai-based software company. Edison Ramesh, Ramkumar, Kavya Vasanth Krishnan, Ravitha Devasenapathy, and S Karuppaiah are accused of coordinating the intrusion over a three-hour conference call from Chennai that began at 1 am on October 9.

The operation, described as a sophisticated breach, caused serious disruption for the software company and its founder and triggered complaints from international clients, primarily in Australia. Foreign customers reported that they could not access the company's banking software, and the firm filed a complaint over the outage of its comprehensive credit reporting application.

Source - Times of India


Zero-Day Alert: Google Chrome Under Active Attack, Exploiting New Vulnerability

Google has released security updates for Chrome that fix seven security flaws, including a zero-day vulnerability that is being exploited in the wild. Tracked as CVE-2023-6345, the high-severity issue is an integer overflow bug in Skia, the open source 2D graphics library Chrome uses for rendering. It was reported by Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group on November 24, 2023, and Google says it is aware of an exploit existing in real-world attacks.

This is the latest in a series of Chrome zero-days patched since the beginning of the year; an earlier one, CVE-2023-2136, was also a Skia bug that allowed a potential sandbox escape. Users should upgrade to Chrome version 119.0.6045.199/.200 on Windows or 119.0.6045.199 on macOS and Linux to mitigate the threat. Users of other Chromium-based browsers should apply their vendor's fixes as soon as they become available.
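A practical follow-up to an advisory like this is a fleet check: compare every reported Chrome build against the fixed release. The Python below is an added example, not code from the bulletin or from Google; the inventory format ("host browser version") and the sample lines are constructed for illustration. It treats 119.0.6045.199 as the minimum fixed build on every platform (Windows shipped .199 and .200, macOS and Linux shipped .199), and it deliberately does not guess at other Chromium-based browsers, whose version numbers differ from Chrome's.

```python
"""Fleet triage for CVE-2023-6345: flag Chrome installs below the fixed build.

Added example, not from the bulletin. The inventory format and the sample
lines below are constructed for illustration.
"""
from __future__ import annotations

# Minimum fixed Chrome release from the advisory. Windows shipped .199 and .200,
# macOS and Linux shipped .199, so anything >= .199 carries the fix.
FIXED_CHROME = (119, 0, 6045, 199)

# Constructed inventory lines: "<host> <browser> <version>".
SAMPLE_INVENTORY = """\
ws-01 chrome 119.0.6045.199
ws-02 chrome 119.0.6045.160
ws-03 chrome 119.0.6045.200
ws-04 chrome 118.0.5993.117
ws-05 edge 119.0.2151.72
ws-06 chrome 120.0.6099.62
ws-07 chrome not-installed
"""


def parse_version(text: str) -> tuple[int, ...] | None:
    """Parse a four-part Chrome version string; None if it is not one."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def chrome_is_patched(version: str) -> bool | None:
    """True/False for a parseable Chrome version, None if it cannot be parsed."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    # Tuple comparison orders major, minor, build, patch numerically,
    # so 120.0.6099.62 correctly ranks above 119.0.6045.199.
    return parsed >= FIXED_CHROME


def triage(inventory: str) -> dict[str, list[str]]:
    """Bucket hosts into patched / vulnerable / unknown.

    Other Chromium-based browsers (Edge, Brave, ...) carry their own version
    numbers, so they are reported as unknown until the vendor's fixed build
    is known; the advisory only says to apply those fixes when released.
    """
    result: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, browser, version = line.split()
        if browser.lower() != "chrome":
            result["unknown"].append(host)
            continue
        status = chrome_is_patched(version)
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["patched"].append(host)
        else:
            result["vulnerable"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the unknown bucket need a manual look rather than being silently counted as safe; that is the point of returning None from the version check instead of False.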

Source - The Hacker News


Okta says hackers stole data for all customer support users in cyber breach

Okta disclosed that hackers who breached its network accessed and stole information from its customer support system. The stolen data includes the names and email addresses of all users of that support system. While Okta has no direct evidence that the data is being actively exploited, it warned customers of a heightened risk of phishing and social engineering aimed at those support contacts. The company provides identity services such as single sign-on and multi-factor authentication to clients including Microsoft-backed OpenAI.

Source - Reuters


Capital Health hit by cyber attack. What patients need to know

Capital Health, a healthcare network operating several medical facilities in New Jersey, is dealing with a cyber attack that has caused network outages and service disruptions. Officials suspect it is similar to attacks on other healthcare providers and expect the effects to linger for days. Emergency services and inpatient care remain available and elective surgeries have seen only minimal disruption, but some outpatient services, such as radiology and certain diagnostic tests, are affected and appointments are being rescheduled. The medical group says its practices remain open and that surgeries are being prioritised by urgency. The timeline for resolution remains uncertain, with recovery efforts expected to continue for at least another week.

Source - Yahoo News


Hospitals in at least 4 states diverting patients from emergency rooms after ransomware attack

A ransomware attack on Ardent Health Services caused emergency room diversions at hospitals across four states. While patient care continued safely, some non-urgent procedures were rescheduled and ER patients diverted as a precaution. Hospitals affected included Hillcrest HealthCare System, Lovelace Health System, UT Health, and Hackensack Meridian's Mountainside Medical Center and Pascack Valley Medical Center. Ardent manages 30 hospitals and 200 care sites. After the attack on Thursday, Ardent shut down its network, suspended user access, and implemented enhanced security measures. The incident was reported to law enforcement agencies. Ransomware encrypts files, making them and related systems inaccessible, demanding a ransom for decryption.

Source - USA Today


DJVU Ransomware's Latest Variant 'Xaro' Disguised as Cracked Software

Xaro, a new variant of the DJVU ransomware, is being distributed disguised as cracked software. The strain appends the .xaro extension to encrypted files and demands a ransom for the decryption key. DJVU belongs to the STOP ransomware family and is typically delivered as a SmokeLoader payload that poses as a legitimate service or application.

In the observed attack chain, a site masquerading as a legitimate freeware download portal offers a supposed CutePDF installer. Running it installs PrivateLoader instead, which fetches a range of malware families, including RedLine Stealer, Vidar, Amadey, and SmokeLoader, alongside dropping Xaro.

Bundling stealers with the ransomware serves two purposes: the data they exfiltrate enables double extortion, and dropping several families at once improves the odds that the attack still succeeds if security software blocks some of the payloads. Xaro encrypts files and drops a ransom note demanding $980 for the decryption key, reduced to $490 if paid within 72 hours. The campaign underlines the risk of downloading software from untrustworthy sources, which remains the simplest way to avoid this kind of infection.

Source - The Hacker News

