Watchtower Weekly InfoSec Roundup: June 22 to June 30
Cyber Attacks & Breaches
Report: Jet Propulsion Laboratory Hacked for 10 Months (SecurityWeek) - June 22nd
NASA’s Office of the Inspector General reports hackers used a “credit card-sized computer and a compromised external user account” to steal 500 megabytes of data. This, however, is not the first time JPL has been hacked, citing similar occurrences in 2009, 2011, 2014, 2016, and 2017.
2,200 patients’ data breached, Franciscan Health investigation finds (NWI Times) - June 25th
During a recent audit, Franciscan Health determined a former employee accessed protected health information of 2,200 patients “without a business reason.” At this time, there is no evidence the employee downloaded, disclosed, or transmitted any of the information accessed, according to the health care system.
Global cyberattack Campaign Hit Mobile Carrier Networks (Dark Reading) - June 25th
Believed to be the work of a nation-state group, the attackers stole files that show the communication history and travel patterns of its victims. The attack began with a malicious Web shell sitting on a Web page. When a targeted employee visited that page, reconnaissance began. "They would compromise the network, do a credential dump, scan the network, and hop from server to server," Serper says of the attack. "Finally they were able to get domain admin credentials. They were then able to create their own accounts, some of which were domain admins themselves.
Second Florida city pays giant ransom to ransomware gang in a week (ZDNet) - June 26th
Despite the city's IT staff disconnecting impacted systems within ten minutes of detecting the attack, a ransomware strain infected almost all its computer systems, except for the police and fire departments, which ran on a separate network. This aided the decision for Lake City to vote in favor of paying the $500,000 ransom, just a few days after Riviera city paid $600,000 to gain back access to their data.
Minneapolis Software Firm ResiDex Reports Data Breach (Twin Cities Business) - June 26th
ResiDex says that as soon as it became aware of the breach, it began countermeasures to restore its servers, moving them to a new hosting provider. Backups and other tools were also used to restore security and services on the same day as the attack. However, investigators weren’t able to determine specifically who—if anyone at all—was affected.
Ransomware attack causes California health group to turn to paper records (Beckers Hospital Review) - June 28th
Marin Community Clinics decided to pay an undisclosed percentage of the ransom to get the encryption codes used to ransom their data, reports the HIPAA Journal. The health group was able to get its computer systems back online and said no patient data was compromised. The health group is, however, still in the data recovery process.
Cloud Provider PCM Suffers Data Breach (Dark Reading) - June 28th
PCM, which has 2,000-plus customers and generated about $2.2 billion in 2018, detected the breach in mid-May, sources report. Those same sources say intruders were able to steal admin credentials the company uses to handle client accounts in Office 365. It seems the attackers want to use the stolen data in gift card fraud schemes at financial organizations and retailers, according to a security expert at a PCM client who was informed of the intrusion.
Key Biscayne Hit by Cybersecurity Attack (Dark Reading) - June 28th
A third small Florida town has been hit with a cyber attack. Key Biscayne, a village of some 13,000 residents, has confirmed that it suffered a "data security event" on Sunday, June 23. According to reports in local media, all village government systems were running properly as of Wednesday morning. On Thursday morning, village council members voted to authorize funding for IT staff to engage with outside consultants to better understand how the attack happened and how a similar attack can be prevented. No details of the attack or its remediation have been given to the press.
Vulnerabilities & Exploits
New Mac Malware Exploits GateKeeper Bypass Bug that Apple Left Unpatched (The Hacker News) - June 25th
Cybersecurity researchers from Intego are warning about possible active exploitation of an unpatched security vulnerability in Apple's MacOS Gatekeeper, which was publicly disclosed late last month. Until Apple patches this issue, the researcher advised network administrators to block NFS communications with external IP addresses, and for home users, it is always important to not open email attachments from an unknown, suspicious, or untrustworthy source.
New Linux Work Attacks IoT Devices (Dark Reading) - June 26th
The new software, dubbed "Silex," is running across the Internet looking for Linux systems deployed with default admin credentials. Once it finds such a system, it overwrites all of the system's storage with random data, drops its firewall rules, removes its network configuration, and then restarts the system — effectively rendering the device useless. So far, more than 2,000 devices have been bricked, and any Linux system deployed on the Internet with open telnet ports and default admin credentials is at risk.
Account Takeover Vulnerability Found in Popular EA Games Origin Platform (The Hacker News) - June 26th
This popular gaming platform used by hundreds of millions of people worldwide has been found vulnerable to multiple security flaws that could have allowed remote hackers to takeover players' accounts and steal sensitive data. To perform this attack, malicious actors took advantage of a long-known unpatched weakness in Microsoft's Azure cloud service that allowed them to takeover one of the EA subdomains. They then planted a script that exploited weaknesses in the EA games' oAuth single sign-on (SSO) and TRUST mechanism.
Risks & Warnings
DHS Warns of Increasing Risk of Wiper Malware Attacks by Iranian Threat Actors (HIPAA Journal) - June 25th
As the United States and Iranian tensions rise, cyber attacks are mounting. While cyber attacks can take many forms, Iranian threat actors have increased attacks using wiper malware. In addition to stealing data and money, the threat actors use the malware to wipe systems clean and take down entire networks.
Riltok banking trojan begins targeting Europe (SC Magazine) - June 25th
With a few modifications, the Riltok banking trojan has spread to Europe. Riltok is distributed from infected devices via SMS, disguised as apps for popular free ad services in Russia. Victims typically receive an SMS containing a malicious link pointing to a fake website that appears to be a popular free ad service. They are then prompted to download a “new version” of the mobile app, which is actually the trojan. To install the phony app, a victim must permit the installation of apps from unknown sources in the device settings. They have been largely successful by spamming ads until the user clicks to allow these permissions.
‘Legit Apps Turned into Spyware’ Targeting Android Users in Middle East (The Hacker News) - June 26th
Cybersecurity researchers are warning about an ongoing Android malware campaign that has been active since 2016 and was first publicly reported in August 2018. Dubbed "ViceLeaker" by researchers at Kaspersky, the campaign has recently been found targeting Israeli citizens and some other middle eastern countries with a powerful surveillance malware designed to steal almost all accessible information, including call recordings, text messages, photos, videos, and location data—all without users' knowledge.