Grandoreiro Trojan reappears, Kimsuky’s new backdoor, More healthcare breaches


In today’s cybersecurity news…

Grandoreiro banking Trojan reappears, hits banks worldwide

This malware has returned in a new and improved version following its 2022 attacks and a law enforcement takedown in January of this year. Its current victims are banks in Central and South America, Africa, Europe, and the Indo-Pacific. According to IBM’s X-Force, the breadth of this attack was achieved through the participation of other criminal groups, which use Grandoreiro as a malware-as-a-service. Once again, the campaign starts with phishing emails that instruct recipients to click on a link to view an invoice or make a payment.

(The Hacker News)

Kimsuky deploys new backdoor in latest attack on South Korea

Researchers at Symantec are warning of a new Linux backdoor named Gomir, being used by the ever-creative Kimsuky APT group linked to North Korea. Gomir shares a good deal of its code with another backdoor, GoBear, as well as Troll Stealer, which is known to be able to copy the Government Public Key Infrastructure folder on infected computers in South Korea. Symantec suggests this campaign highlights that North Korean espionage actors increasingly favor software installation packages and updates as infection vectors as well as shifting to software supply chain attacks through trojanized software installers and fake software installers.

(Security Affairs)

Microsoft Windows Server 2019 May updates may deliver error codes

Microsoft says this month’s security update for Windows Server 2019, released May 14, might present users with what it calls issues during the installation process: “The installation might fail with an error code and is more likely to affect devices that do not have en_us language pack support.” Many Windows admins around the world have reported such failures since last week’s Patch Tuesday. Microsoft has yet to provide a workaround and is, for the time being, helping admins install the U.S. language pack.

(BleepingComputer)

Eric Goldstein reflects on his time at CISA

After holding the position of executive assistant director for cybersecurity at CISA since the start of the Biden administration, Goldstein will be transitioning to the private sector in June. Speaking with Cyberscoop, he says the three areas of progress made by CISA during his time there are: first, the agency’s ability to understand cybersecurity risks and use that understanding to drive change through initiatives such as CyberSentry; second, collaboration with industry, for example the Joint Cyber Defense Collaborative; and third, the secure-by-design initiative, which puts more of the cybersecurity onus on product developers rather than on the organizations that use their products. His hopes for the agency following his departure include the “need to maintain the humility in our ability to project and forecast changes in the technology and threat environment,” and the criticality of people in designing, implementing, and investing in cybersecurity.

(Cyberscoop)

And now a word from our sponsor, Tines

Company that provides admin services to health care insurers discloses 2023 breach

Texas-based WebTPA posted an undated announcement on its website saying it was the victim of a data security incident in 2023. Over 2.4 million people were notified and told that the information exposed varies per individual but could include Social Security numbers and insurance information along with standard PII. Financial information such as credit card numbers, as well as treatment or diagnostic information, was not affected. The breach occurred between April 18 and 23, 2023, and WebTPA notified benefit plans and insurance companies of the breach on March 25 of this year.

(The Record)

Australian government warns of large-scale ransomware data breach in healthcare

The incident, which has also been disclosed by the affected prescription company MediSecure, is said to have impacted “the personal and health information of individuals,” and originated from a third-party vendor. This is a developing ransomware story, and more information may be forthcoming as the investigation continues.

(The Record)

CISOs contend with IBM’s unexpected exit from cybersecurity software

Following up on a story we covered last week, the marriage between IBM and Palo Alto Networks is giving CISOs a headache due to the complications involved in IBM’s agreement to sell the QRadar SaaS portfolio to its new partner. An article in Dark Reading points out that “customers must now determine if they want to follow the newly announced chosen path, which calls for the migration of the QRadar legacy and SaaS suites to Palo Alto’s Cortex XSIAM, or evaluate other options.” Omdia managing principal analyst Eric Parizo says this sudden change of course is “frankly not in line with the customer-centric ethos IBM is known for.”

(Dark Reading)

Last week in ransomware

In addition to Australia’s unfolding MediSecure ransomware story, the Phorpiex botnet was seen sending millions of phishing emails that “led to LockBit Black ransomware attacks, with the encryptor believed to have been created using LockBit’s leaked source code.” As we reported, BlackBasta was found mailbombing companies and then pretending to be an IT support company; Nissan North America announced a breach that impacted over 53,000 employees; and the City of Wichita revealed that its LockBit attack severely affected law enforcement operations. INC Ransomware source code appeared for sale on hacking forums for $300,000, and GuidePoint called April an outlier month as a power shift saw ALPHV/BlackCat and LockBit make way for smaller, less theatrical ransomware operations.

(BleepingComputer and CISO Series)
