Australian health insurance provider Medibank confirms major data breach
One of Australia’s largest private health insurance providers, Medibank, has confirmed that some of its customer data may have been stolen in a cyberattack that occurred on October 13.
The company said in a security notice that it was contacted by a criminal who claims to have stolen Medibank data and wants to negotiate over the removal of the customer information they allegedly hold. Medibank did not disclose how much data was taken, but some media reports put the figure at about 200GB.
According to the insurer, the attacker provided a sample of records for 100 policies, which the company believes came from its systems. The criminal also claims to have stolen other information, including data related to credit card security, a claim the company has not yet been able to verify.
2.4TB of Microsoft customer data exposed via a misconfigured server
Security researchers at SOCRadar discovered a misconfigured Azure Blob Storage container maintained by Microsoft that exposed 2.4TB of customer data belonging to more than 65,000 companies across 111 countries.
Dubbed “BlueBleed,” the leak included files dated from 2017 to August 2022. Analysis of the files showed that they included Proof-of-Execution (PoE) and Statement of Work (SoW) documents, user information, product orders and offers, project details, customer emails, internal documents and internal comments about customers, partner ecosystem details, and other information.
Microsoft confirmed the exposure but said the scale of the issue was “greatly exaggerated,” since much of the data in question was duplicated, with multiple references to the same emails, projects, and users.
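The check a defender would run on their own storage accounts after a report like this is the unauthenticated List Blobs request: if a container answers it with a 200 and an EnumerationResults document, anyone on the internet can enumerate and download its contents. The Python below is an added example, not code from SOCRadar, Microsoft or the original report. The storage account name, container names and the listing XML are constructed for the demo; the interpretation of the 409 PublicAccessNotPermitted and 404 responses reflects how the service answers anonymous callers and is stated as an assumption in the code.

```python
"""Probe an Azure Blob Storage container for anonymous (public) access.

Added example: sends the unauthenticated List Blobs request and classifies the
result. Account/container names and the sample listing are constructed data.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, List, Tuple

Response = Tuple[int, bytes]          # (HTTP status, response body)
Fetcher = Callable[[str], Response]


def list_url(account: str, container: str) -> str:
    """List Blobs URL; anonymous callers only get a 200 if the container permits public listing."""
    return f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"


def http_fetch(url: str) -> Response:
    """Plain GET with no Authorization header, so the outcome reflects anonymous access."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def blob_names(body: bytes) -> List[str]:
    """Extract every <Blob><Name> from an EnumerationResults document (no XML namespace is used)."""
    root = ET.fromstring(body)
    return [name.text for name in root.iter("Name") if name.text]


def assess(account: str, container: str, fetch: Fetcher = http_fetch) -> Tuple[str, List[str]]:
    """Return (verdict, blob names).

    Only a 200 proves public listing. The other codes are interpreted as follows (assumption
    about service behaviour): 409 with PublicAccessNotPermitted means the storage account
    forbids anonymous access entirely; 404 means the container is private, allows blob-level
    anonymous reads only, or does not exist, which the service does not distinguish.
    """
    status, body = fetch(list_url(account, container))
    if status == 200:
        return "public-listing: anonymous clients can enumerate and download every blob", blob_names(body)
    if status == 409 and b"PublicAccessNotPermitted" in body:
        return "account-level setting forbids anonymous access", []
    if status == 404:
        return "no anonymous listing (private, blob-level only, or nonexistent)", []
    return f"unexpected HTTP {status}", []


# Constructed sample: what a misconfigured container returns to an anonymous lister.
SAMPLE_LISTING = b"""<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="exports">
  <Blobs>
    <Blob><Name>2022/customers/sow-contoso.pdf</Name><Properties><Content-Length>4096</Content-Length></Properties></Blob>
    <Blob><Name>2022/customers/poe-fabrikam.docx</Name><Properties><Content-Length>8192</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""


def demo_fetch(url: str) -> Response:
    """Offline stand-in for http_fetch: 'exports' is publicly listable, everything else is not."""
    if url.endswith("/exports?restype=container&comp=list"):
        return 200, SAMPLE_LISTING
    return 404, b"<Error><Code>ResourceNotFound</Code></Error>"


if __name__ == "__main__":
    for container in ("exports", "private"):
        verdict, names = assess("example", container, fetch=demo_fetch)
        print(f"{container}: {verdict}")
        for name in names:
            print("   ", name)
```

To run it against real infrastructure, call `assess(account, container)` with the default fetcher from a machine that holds no Azure credentials, so nothing can be sent implicitly. One caveat: a 404 here does not prove the data is safe. A container set to blob-level public access refuses anonymous listing but still serves any blob whose URL an attacker knows or guesses, so the listing probe should be paired with a review of the PublicAccess setting on each container and the account-level AllowBlobPublicAccess property.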
URSNIF malware switches focus from banking fraud to ransomware and data theft
URSNIF (aka Gozi), one of the oldest banking trojans, appears to have shifted its focus from banking fraud to ransomware and data theft. Cybersecurity firm Mandiant said it uncovered a new version of URSNIF, dubbed LDR4, which functions as a basic backdoor trojan and may have been purposely built to enable operations such as ransomware deployment and data theft extortion. Given the success and sophistication of RM3, the previous URSNIF variant, Mandiant warned that LDR4 could be a significantly dangerous variant capable of distributing ransomware and should be watched closely.
A new version of FurBall Android malware used to spy on Iranian citizens
Security researchers at ESET discovered a new mobile surveillance campaign aimed at Iranian citizens. The campaign, attributed to a threat actor known as Domestic Kitten or APT-C-50, uses an updated variant of the FurBall Android malware distributed as a translation app via a malicious website masquerading as a legitimate Iranian site that provides translated articles, journals, and books.
While the new FurBall version has the same surveillance functionality as earlier versions, the operators lightly obfuscated class and method names, strings, log messages, and server URIs.
New Prestige ransomware targets transportation orgs in Ukraine and Poland
Microsoft’s Threat Intelligence Center (MSTIC) research team said it detected a never-before-seen ransomware strain called “Prestige” that attacks organizations in the transportation and related logistics industries in Ukraine and Poland.
The new ransomware was first deployed on October 11, in attacks that hit all victims within an hour of each other. Microsoft says the observed activity was not connected to any of the 94 currently active ransomware gangs it tracks. It shares victimology with recent Russian state-linked activity and overlaps with previous victims of the FoxBlade malware (aka HermeticWiper). MSTIC has yet to attribute the activity, which it is temporarily tracking as DEV-0960, to any known threat actor.
BlackLotus Windows UEFI bootkit is being advertised on the dark web
A threat actor is selling a new UEFI bootkit on underground criminal forums that can disable or bypass security solutions and controls. Dubbed “BlackLotus,” the bootkit comes with a slew of features, including anti-virtualization, anti-debugging, and code obfuscation, and can disable security applications and defense mechanisms on target machines, including Hypervisor-protected Code Integrity (HVCI), BitLocker, and Windows Defender. The Windows bootkit can also bypass User Account Control (UAC) and Secure Boot, load unsigned drivers, and operate undetected within an environment for a long time, perhaps years.
Ransom Cartel group linked to REvil ransomware
Threat researchers at Palo Alto Networks’ Unit 42 found a link between the relatively new Ransom Cartel ransomware operation and the now-defunct REvil ransomware syndicate. The researchers believe that Ransom Cartel operators had access to earlier versions of the REvil ransomware source code, but not to its most recent developments, suggesting that the two groups had a relationship at some point. Unit 42 said it is possible that Ransom Cartel “is an offshoot of the original REvil threat actor group, where the individuals only possess the original source code of the REvil ransomware encryptor/decryptor, but do not have access to the obfuscation engine.”
Researchers share details on a now-patched Windows CLFS zero-day
The Zscaler ThreatLabz threat research team published a technical report detailing CVE-2022-37969, a now-patched elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver that is said to have been exploited in the wild as a zero-day.
“Fully undetectable” PowerShell backdoor gets detected
A novel PowerShell backdoor that its author apparently believed to be fully undetectable (FUD) has been discovered; it disguises itself as part of the Windows update process. The backdoor appears to be the work of a sophisticated, unknown threat actor who has targeted about 100 victims.
China-linked APT41 deployed Spyder Loader malware against government organizations in Hong Kong
The China-based cyber-espionage group APT41 has been targeting government organizations in Hong Kong as part of an ongoing campaign dubbed Operation CuckooBees. The threat actor deployed the Spyder Loader malware on victim networks, likely to gather intelligence. Symantec says that APT41 remained active on some victim networks for more than a year and, besides Spyder Loader, used a variety of other tools to carry out further activity on those networks.
European police dismantled cybercriminal gang that hacked keyless cars
In a coordinated action, law enforcement agencies in France, Latvia, and Spain arrested more than 30 individuals suspected of belonging to a car theft ring that had been stealing keyless cars using fraudulent software to duplicate keys.
The criminals targeted keyless vehicles from two French automakers using a fraudulent tool marketed as an “automotive diagnostic solution” to replace the vehicles’ original software. Once installed, the tool allowed the thieves to open the doors and start the ignition without the actual key fob.
Dutch police obtained more than 150 decryption keys from DeadBolt ransomware gang
The Dutch National Police, in tandem with cybersecurity firm Responders.NU, obtained more than 150 decryption keys by tricking the DeadBolt ransomware gang with fake bitcoin payments. The Dutch authorities were able to conduct their “scam” operation after a tip from researchers who discovered that the DeadBolt gang was returning the decryption key inside the metadata of a Bitcoin transaction. Using this finding, the police made a series of payments with the lowest possible transaction fee and then canceled the still-unconfirmed transactions once a decryption key had been received.
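The trick described above turns on Bitcoin’s ability to carry a small arbitrary payload in a transaction output (an OP_RETURN script), which is the usual meaning of “transaction metadata” in this context and is assumed here to be how DeadBolt’s automated decryptor handed back keys. As an added example, not code from the Dutch police, Responders.NU or the original reporting, the Python below parses a raw transaction and extracts whatever was pushed after OP_RETURN. The transaction bytes and the 32-byte “key” are constructed for the demo and are not a real DeadBolt payment.

```python
"""Extract data embedded in a Bitcoin transaction's OP_RETURN output(s).

Added example. The sample transaction below is constructed by hand and is not a
real DeadBolt payment; the parser itself follows the standard serialization.
"""
from dataclasses import dataclass
from typing import List, Tuple

OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x6A, 0x4C, 0x4D, 0x4E


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode Bitcoin's CompactSize integer at buf[pos]; return (value, position after it)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width


@dataclass
class TxOutput:
    value_sat: int
    script_pubkey: bytes


def parse_outputs(raw: bytes) -> Tuple[List[TxOutput], int]:
    """Walk a serialized transaction (legacy or segwit) and return (outputs, locktime)."""
    pos = 4  # 4-byte version
    segwit = raw[pos] == 0x00 and raw[pos + 1] == 0x01  # marker + flag bytes
    if segwit:
        pos += 2
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 32 + 4  # previous txid + output index
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4  # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = int.from_bytes(raw[pos:pos + 8], "little")
        pos += 8
        script_len, pos = read_varint(raw, pos)
        outputs.append(TxOutput(value, raw[pos:pos + script_len]))
        pos += script_len
    if segwit:  # witness stacks, one per input, sit between outputs and locktime
        for _ in range(n_in):
            n_items, pos = read_varint(raw, pos)
            for _ in range(n_items):
                item_len, pos = read_varint(raw, pos)
                pos += item_len
    locktime = int.from_bytes(raw[pos:pos + 4], "little")
    return outputs, locktime


def op_return_payloads(raw: bytes) -> List[bytes]:
    """Return the bytes pushed after OP_RETURN in every OP_RETURN output of the transaction."""
    payloads = []
    for out in parse_outputs(raw)[0]:
        script = out.script_pubkey
        if not script or script[0] != OP_RETURN:
            continue
        pos, data = 1, b""
        while pos < len(script):
            op = script[pos]
            pos += 1
            if 1 <= op <= 0x4B:          # direct push of 1..75 bytes
                n = op
            elif op == OP_PUSHDATA1:
                n, pos = script[pos], pos + 1
            elif op == OP_PUSHDATA2:
                n, pos = int.from_bytes(script[pos:pos + 2], "little"), pos + 2
            elif op == OP_PUSHDATA4:
                n, pos = int.from_bytes(script[pos:pos + 4], "little"), pos + 4
            else:
                break                    # OP_0, OP_1..OP_16 or a non-push opcode: nothing to extract
            data += script[pos:pos + n]
            pos += n
        payloads.append(data)
    return payloads


# Constructed sample (hypothetical key, dummy txid and pubkey hash): one input,
# a 0.05 BTC P2PKH output and a zero-value OP_RETURN output carrying 32 bytes.
DEMO_KEY = b"DEADBOLT-DEMO-KEY-0123456789ABCD"  # 32 bytes, constructed for the demo
SAMPLE_TX = bytes.fromhex(
    "01000000"                                 # version 1
    + "01"                                     # 1 input
    + "aa" * 32 + "00000000"                   # previous txid (dummy) + vout 0
    + "00"                                     # empty scriptSig
    + "ffffffff"                               # sequence
    + "02"                                     # 2 outputs
    + "404b4c0000000000"                       # 5,000,000 sat, little-endian
    + "19" + "76a914" + "bb" * 20 + "88ac"     # 25-byte P2PKH script
    + "0000000000000000"                       # 0 sat
    + "22" + "6a20" + DEMO_KEY.hex()           # 34-byte script: OP_RETURN <32-byte push>
    + "00000000"                               # locktime
)

if __name__ == "__main__":
    for payload in op_return_payloads(SAMPLE_TX):
        print("OP_RETURN payload:", payload.hex(), payload)
```

To use it on a real transaction, fetch the raw hex from a node (`getrawtransaction`) or a block explorer and pass the decoded bytes to `op_return_payloads`. The parser handles both legacy and segwit serializations, so it does not matter which kind the sender used. What the police operation exploited is visible in the flow described above: the key was released as soon as a payment appeared, not when it was confirmed, so a transaction with a fee too low to be mined could be canceled after the OP_RETURN reply had been read.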
75 suspected members of Black Axe cybercrime syndicate arrested as part of Interpol-led operation
Interpol announced the arrests of 75 suspected members of the “Black Axe” cybercrime syndicate as a result of an international law enforcement effort. Codenamed “Operation Jackal,” the operation took place between September 26 and 30, 2022, in South Africa, and involved law enforcement agencies in 14 countries across four continents. Two of the suspected fraudsters, who were arrested in South Africa last month, are believed to be responsible for $1.8 million in financial fraud.
Alleged Lapsus$ hacker detained in Brazil
The Brazilian Federal Police arrested a suspected member of the prolific Lapsus$ extortion gang, known for its attacks on high-profile targets, including Nvidia, Samsung, Microsoft, Okta, Vodafone, Mercado Libre and Uber.
The suspect was detained following an investigation into last year’s breach of the Brazilian Ministry of Health, during which, according to the police, the attackers deleted data and compromised a website used to manage COVID-19 vaccination certificates. Lapsus$ is said to have posted a message on the ministry’s website claiming the stolen information was in its hands.