Hospital hack warning, Five Eyes follow-up, NYC municipal hack
U.S. Government warns hospitals of hackers targeting IT help desks
This warning comes from the Health Sector Cybersecurity Coordination Center (HC3), which states that “hackers are using social engineering tactics to target IT help desks across the Healthcare and Public Health (HPH) sector.” The attackers gain access to target organizations by enrolling their own multi-factor authentication (MFA) devices, with the primary goal, currently, of stealing funds. According to BleepingComputer, “the threat actors use a local area code to call organizations, including using voice cloning techniques, pretending to be employees in the financial department. They provide stolen ID verification details, including corporate ID and social security numbers. Using this sensitive information and claiming their smartphone is broken, they convince the IT helpdesk to enroll a new device in MFA under the attacker’s control.” No group has yet been attributed to these attacks, but the name Scattered Spider does keep coming up.
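The chain described above (help-desk MFA reset, attacker-controlled factor enrolled minutes later, payout details changed soon after) is straightforward to correlate from identity-provider and payroll audit logs. The following Python is an added example, not HC3's guidance or any vendor's detection content: it runs over constructed audit events with hypothetical field names (ts, user, action, actor) and action strings (mfa.reset, mfa.enroll, payroll.bank_account_change), which you would map to your own IdP and HR system logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events for illustration only (not from HC3, BleepingComputer
# or any real IdP). Field names and action strings are hypothetical placeholders.
SAMPLE_EVENTS = [
    # j.doe: help-desk reset, new device enrolled minutes later, bank details changed same morning
    {"ts": "2024-04-01T09:02:11", "user": "j.doe", "action": "mfa.reset", "actor": "helpdesk"},
    {"ts": "2024-04-01T09:07:45", "user": "j.doe", "action": "mfa.enroll", "actor": "self"},
    {"ts": "2024-04-01T09:15:03", "user": "j.doe", "action": "payroll.bank_account_change", "actor": "self"},
    # a.smith: self-service enrollment with no help-desk involvement -> no alert
    {"ts": "2024-04-01T10:30:00", "user": "a.smith", "action": "mfa.enroll", "actor": "self"},
    # b.lee: help-desk assisted enrollment, but the payroll change is 16 days later -> medium only
    {"ts": "2024-03-20T08:00:00", "user": "b.lee", "action": "mfa.reset", "actor": "helpdesk"},
    {"ts": "2024-03-20T08:10:00", "user": "b.lee", "action": "mfa.enroll", "actor": "self"},
    {"ts": "2024-04-05T08:10:00", "user": "b.lee", "action": "payroll.bank_account_change", "actor": "self"},
]

# Actions that move money if an attacker controls the account (hypothetical names).
PAYOUT_ACTIONS = {"payroll.bank_account_change", "vendor.bank_account_change"}


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_suspicious_enrollments(events, enroll_window=timedelta(hours=2), payout_window=timedelta(days=7)):
    """Return one alert per MFA enrollment that follows a help-desk initiated MFA reset.

    severity "medium": help-desk reset followed by a new factor within enroll_window.
    severity "high":   the same user also changed payout details within payout_window
                       of the enrollment, i.e. the enroll-then-divert-funds pattern.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["action"] != "mfa.enroll":
                continue
            enrolled_at = _parse(e["ts"])
            # Look back for a help-desk reset shortly before the enrollment.
            reset = next(
                (r for r in evs[:i]
                 if r["action"] == "mfa.reset" and r["actor"] == "helpdesk"
                 and enrolled_at - _parse(r["ts"]) <= enroll_window),
                None,
            )
            if reset is None:
                continue
            # Look forward for a payout-affecting change after the new factor was added.
            payout = [
                p for p in evs[i + 1:]
                if p["action"] in PAYOUT_ACTIONS
                and _parse(p["ts"]) - enrolled_at <= payout_window
            ]
            alerts.append({
                "user": user,
                "reset_ts": reset["ts"],
                "enroll_ts": e["ts"],
                "payout_changes": [p["ts"] for p in payout],
                "severity": "high" if payout else "medium",
            })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_enrollments(SAMPLE_EVENTS):
        print(f'{a["severity"].upper():6} {a["user"]}: reset {a["reset_ts"]}, '
              f'enrolled {a["enroll_ts"]}, payout changes {a["payout_changes"] or "none"}')
```

The medium tier is deliberately noisy: every help-desk assisted enrollment is worth a ticket that a second person reviews, because the phone call itself is the weak point. The high tier is what should page someone, since a payout change right after a new factor is the outcome HC3 describes.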
U.S. government contractor Acuity responds to alleged Five Eyes breach
Following up on a story we covered on Friday regarding the threat actor IntelBroker claiming to be in possession of documents belonging to the Five Eyes Intelligence Group, the contractor at the center of the storm has spoken up. Acuity CEO Rui Garcia told SecurityWeek that the company had “recently identified a cybersecurity incident related to GitHub repositories,” but said the compromised data was old and not sensitive. SecurityWeek adds that IntelBroker is known for making false or exaggerated claims about obtaining U.S. government data.
New York City becomes latest in municipal government hack attempts
According to The Record, New York City’s Office of Technology and Innovation “was made aware of a smishing campaign targeting NYCAPS users.” Smishing is phishing via text message, and NYCAPS is the city payroll system, whose full name is New York City Automated Personnel System, Employee Self Service. “The smishing campaign allegedly involved messages sent to city workers asking them to activate multi-factor authentication, with a link to a phishing domain.” NYCAPS remains online, and “City employees have been advised to remain vigilant and confirm the legitimacy of any NYCAPS and payroll-related communications and activity.”
Over 92,000 internet-facing D-Link NAS devices found vulnerable
A researcher known as Netsecfish has disclosed an arbitrary command injection and hardcoded backdoor flaw that affects multiple D-Link NAS devices. The vulnerability is tracked as CVE-2024-3273. An attacker can exploit the flaw to achieve command execution on an affected device and from there access potentially sensitive information, alter the system configuration, or cause a denial of service. Netsecfish states that over 92,000 Internet-facing devices are vulnerable. The models affected are DNS-340L, DNS-320L, DNS-327L, and DNS-325. D-Link has said these models are end-of-life and no longer supported, so the practical mitigation is to take them off the Internet or replace them rather than wait for a patch.
Huge thanks to this week’s episode sponsor, Vanta
Hackers Exploit Magento Bug to steal e-commerce payment data
Researchers from the e-commerce fraud detection company Sansec say they have discovered a “cleverly crafted layout template in the database being used to automatically inject malicious code to execute arbitrary commands.” This has allowed attackers to plant a persistent backdoor in e-commerce websites by leveraging CVE-2024-20720 (CVSS score: 9.1), an OS command injection flaw that Adobe addressed in the Magento updates released on February 13, 2024. The backdoor injects a fake Stripe payment skimmer that captures payment details and exfiltrates them to another compromised Magento store.
University of Winnipeg staff and students have sensitive data stolen
The university, located in the Canadian prairie province of Manitoba, has confirmed an incident that took place in late March. The stolen data includes standard PII as well as compensation information for all current and former employees going back to 2003, and bank account information for everyone employed since 2015. No further details on the nature of the hack have been revealed.
Malware spreads through Facebook pages impersonating AI brands
As expected, “cybercriminals are now taking over Facebook pages and using them to advertise fake generative artificial intelligence software loaded with malware.” Researchers at Bitdefender say the actors use malvertising to impersonate products like Midjourney, Sora AI, ChatGPT 5 and others. They dress up the hijacked pages to look like they are run by “well-known AI-based image and video generators,” then post news stories and ads that lead to downloads containing infostealing malware. Bitdefender notes this campaign is focused largely on countries in Europe, adding that the criminals have “tremendous reach through Meta’s sponsored ad system.”
Last week in ransomware
Last week was a busy week for ransomware, with attacks targeting VMware ESXi and other virtual machine platforms. Omni Hotels suffered a massive virtual-machine-related ransomware attack that took down its reservation system, phones and room door lock systems. Chilean hosting provider IxMetro Powerhost suffered a ransomware attack on its VMware ESXi servers, which cascaded to the virtual private servers (VPS) of IxMetro’s customers. We also reported on cyberattacks against the British city of Leicester and Japanese lens manufacturer Hoya, as well as updates from Prudential Insurance and luxury boat maker MarineMax on their February attacks. Microsoft OneNote came under scrutiny last week as a delivery vehicle for ransomware, because OneNote attachments can slip past email attachment blocking rules and other detection methods tuned for more common file types.