SecureFact - Cyber Security News - Week of April 22, 2024
Data Breach
1. Ransomware gang starts leaking alleged stolen Change Healthcare data
The RansomHub extortion gang has started leaking what it claims is stolen corporate and patient data from UnitedHealth subsidiary Change Healthcare. The cyberattack on Change Healthcare occurred in February and caused significant disruption to the US healthcare system, preventing pharmacies and doctors from billing or sending claims to insurance companies. The attack was linked to the BlackCat/ALPHV ransomware operation, which stole 6 TB of data during the attack.
2. Threat actor leaks info of 2.8 million Giant Tiger shoppers online
A threat actor called BreachForums has recently leaked the personal information of 2.8 million Giant Tiger shoppers. The leaked data includes unique email addresses, names, phone numbers, physical addresses, and website activity. The data breach occurred in March 2024, and the stolen information is available for download on the forum for eight forum credits, which are easily obtained by forum members. The company has sent notices to all relevant customers informing them of the situation.
3. Patients Sue Ernest Health After Data Breach of 94,747 Exposed
Ernest Health, a US-based healthcare system, faces lawsuits after a cyberattack compromised the data of around 94,747 patients. The breach, which occurred from January 16 to February 4, 2024, involved unauthorized access to Ernest Health's networks. The LockBit ransomware group claimed responsibility and threatened to release stolen information, including patient names, contact details, health data, and Social Security numbers. The healthcare provider filed a notice of data breach with the Attorney General of Massachusetts, and patients were notified about the breach to ensure transparency.
4. UNDP Hit by Cyberattack: HR and Procurement Data Breached
The United Nations Development Programme (UNDP) was hit by a cyberattack that resulted in the breach of human resources and procurement data. The UNDP received a threat intelligence notification in late March 2024, indicating that a data-extortion actor had breached its systems and stolen sensitive information. The organization responded swiftly, initiating measures to identify the source of the breach and notifying those affected.
5. Alleged Luxor Data Breach: Sensitive Information from Indian Stationery Giant Leaked
The alleged Luxor data breach involves Luxor International Private Limited, a prominent Indian manufacturer of stationery products. The breach was first detected on April 19, 2024, when "postmaster", operating within the new BreachForums, disclosed the leak of a database purportedly belonging to Luxor. The leaked data comprises 692 MB of SQL data, encompassing a trove of sensitive information, including first names, middle names, last names, dates of birth, hashed passwords, billing and shipping details, tax information, and more. The breach included information about individuals registered on Luxor’s website, implying that the leaked data could be authentic.
6. Victorian Councils Hit by OracleCMS Breach: Multiple Australian Cities Report Data Exposure
The Australian publication Cyber Daily reported a major data breach involving OracleCMS, a localized provider of customer care solutions and call center services based in Australia. OracleCMS confirmed the breach, stating that the compromised data may include corporate information, contract details, invoices, and triage process workflows. The breach has affected various government entities, including the Campbelltown Council, Tweed Shire Council, Dandenong City Council, and several law firms, a real estate agent giant, and the Queensland branch of the Philadelphia Church of God.
7. Alleged Cyberattack on Bureau van Dijk: US Consumer Data Compromised
The threat actor USDoD, previously known for attacks against U.S. infrastructure and Airbus, has claimed Bureau van Dijk as its latest victim in a cyberattack. Bureau van Dijk, a business intelligence firm owned by Moody’s Analytics, offers consumer and private company intelligence products focused on sales, marketing, and customer support. The attack involved the theft of sensitive data, including a US consumer database with information like names, emails, phone numbers, job titles, and addresses.
Malware and vulnerabilities
1. AWS, Google, and Azure CLI Tools Could Leak Credentials in Build Logs
Cybersecurity research has highlighted a vulnerability named LeakyCLI, which affects command-line interface (CLI) tools from Amazon Web Services (AWS), Google Cloud, and Azure. This vulnerability exposes sensitive credentials in build logs, posing significant risks to organizations. The vulnerability allows adversaries to collect sensitive information in the form of environment variables from CLI commands, potentially compromising security.
2. Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware
Threat actors are exploiting unpatched Atlassian servers to deploy a Linux variant of Cerber ransomware by leveraging a critical security vulnerability, CVE-2023-22518, affecting the Atlassian Confluence Data Center and Server. This flaw allows attackers to reset Confluence and create an administrator account, granting them full control over affected systems. Financially motivated cybercrime groups have been observed using this access to install the Effluence web shell plugin and execute arbitrary commands on the host, leading to a complete compromise of confidentiality, integrity, and availability.
3. Cisco warns of a command injection escalation flaw in its IMC; PoC publicly available
Cisco has addressed a high-severity Integrated Management Controller (IMC) vulnerability, tracked as CVE-2024-20295, which allows a local attacker to escalate privileges to root. The vulnerability resides in the CLI of the Cisco Integrated Management Controller (IMC) and impacts products running a vulnerable release of Cisco IMC in the default configuration. Cisco has released software updates to address the issue, and there are no workarounds available.
Thanks for the update! Staying informed about the latest data breaches and cybersecurity trends is crucial. The use of AI in collecting this data adds an interesting layer to the insights. #cybersecurity #dataprotection