FlowerStorm attacks Microsoft 365, BeyondTrust on KEV, Ascension Health fallout


In today’s cybersecurity news…

Phishing-as-a-service platform “FlowerStorm” attacking Microsoft 365 users

A new phishing-as-a-service platform called FlowerStorm has emerged from the ashes of RockStar2FA. It uses adversary-in-the-middle (AiTM) techniques to intercept user credentials and session cookies in order to bypass multi-factor authentication protections. “The platform uses phishing portals that mimic legitimate Microsoft login pages to harvest credentials and MFA tokens.” A report from Sophos says that approximately 63% of organizations and 84% of users targeted by FlowerStorm are based in the United States. To protect against these sophisticated phishing attacks, experts recommend using “multi-factor authentication with AiTM-resistant FIDO2 tokens, deploying email filtering solutions, and using DNS filtering to block access to suspicious domains.”

(Cybersecurity News)

CISA adds BeyondTrust flaw to its Known Exploited Vulnerabilities catalog

Following up on a story we covered last week and discussed on last Friday’s episode of Cyber Security Headlines Week In Review, the issue afflicting security company BeyondTrust has now been added to CISA’s KEV catalog. According to the advisory, “a critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.” This vulnerability carries a CVSS score of 9.8, and federal agencies must now fix it by December 27.

(Security Affairs)

Ascension Health ransomware attack impacted nearly 6 million people

In breach notification documents filed with regulators, the healthcare giant states that the attack, which happened on May 8, resulted in the theft of medical information, insurance data, government identification and payment information, which includes records of medical tests, credit card information, Social Security numbers, and passport information. Victims are getting two years of free identity protection services and access to a $1,000,000 insurance reimbursement policy for fraud incidents. This was one of many healthcare-related attacks this year, and like so many others, it forced member hospitals to “turn away ambulances, revert to paper records and cancel non-emergency appointments.”

(The Record)

Ukraine suffers one of largest Russian cyberattacks to date

According to a statement from Ukrainian officials released Thursday, this attack “targeted Ukrainian state registers, which store various types of official records, including citizens’ biometric data, business records, property ownership, real estate transactions, legal and court decisions, voter information, tax records and permits.” Ukrainian officials call this an attack intended to sow confusion and panic. The pro-Russian group XakNet claimed responsibility through their Telegram channel. It said their hackers “managed to infiltrate the Ministry of Justice’s infrastructure through a contractor that runs the registers, the state enterprise National Information Systems (NAIS).”

(The Record)


BadBox Android infection grows

Following up on a story we covered last week in which we described 30,000 Android devices in Germany being infected, researchers at Bitsight have discovered a new BadBox bot infrastructure that shows more than 192,000 devices now infected. These additional devices include Russian-made Yandex 4K QLED Smart TVs and Chinese-made Hisense smartphones. Most of the infected devices are in Russia, China, India, Belarus, Brazil, and Ukraine. BadBox malware comes pre-installed on these types of devices and creates email and messaging accounts for spreading disinformation.

(Security Affairs)

U.S. unseals complaint against Russian-Israeli accused of working for LockBit

The U.S. is seeking to extradite Rostislav Panev, 51, a dual Russian and Israeli national accused of being a software developer for the LockBit ransomware group. He faces trial on 40 counts, including for computer damage and extortion. The complaint states that Panev worked for the cybercrime group from 2019 up until its takedown by law enforcement in February of this year. Among the pieces of evidence presented was Panev’s computer, which had access to the LockBit control panel, which was “only available to LockBit members who have undergone a vetting process and not to the general public.”

(The Record)

Microsoft 365 users hit by random product deactivation errors

Microsoft is looking into an issue in which customers using Microsoft 365 Office apps are encountering “Product Deactivated” errors. Specifically, these are occurring when “moving users between licensing groups (including Azure Active Directory groups or synced on-premises security groups) or switching user subscriptions, such as changing from an Office 365 E3 license to a Microsoft 365 E3 license.” Affected users should be able to click the “Reactivate” button on the error banner and sign in when prompted. Alternatively, they can sign out of all Microsoft 365 apps, close them, and restart them before signing back in.

(BleepingComputer)

North Korean hackers stole $1.3bn of crypto in 2024

According to a report from research firm Chainalysis, this number is more than double last year’s haul. This amount also represents 59 percent of all the crypto stolen this year, which has also increased 21 percent over 2023, although it is still below the levels recorded in 2021 and 2022. The report adds that “the majority of crypto stolen this year was due to compromised private keys – which are used to control access to users’ assets on crypto platforms.”

(BBC News)

sravan kumar

Security Officer at NATCO Pharma

2 months

Very helpful
