TCE Cyberwatch: Breaches Hit Universities and Big Names
17 June 2024 at 10:10
“Most notably he is believed to be a key component of the MGM ransomware attack, and is believed to be associated with several other high profile ransomware attacks performed by Scattered Spider.” - vx-undergroundThe initial access vector in the attack on MGM included targeting of a help desk executive with social engineering tactics. Mandiant in its latest report found Scattered Spider aka UNC3944 using the same modus operandi, and although no victim names were stated, it now suggests the possible linkage between them. *Update (June 17 5:45 AM EST): Added details on the 22-year old young cyber scammer's identity and possible links to Scattered Spider group.
“The disrupted terrorist operated websites worked as a node and an archive for terrorist propaganda produced by the different IS [Islamic State] media outlets using a multiplatform approach.” - Capt. Alberto Rodríguez Vázquez of Spain's Guardia Civil.
“The network was designed to be resilient and low profile and that explains its multi-server hosting strategy. It operated both on the surface web and the dark web.” – Vázquez.
“The servers supported multiple media outlets linked to Islamic State. They were used to disseminate worldwide propaganda and messages capable of inciting terrorism.” - EuropolAccording to Europol, the targeted websites enabled terrorist organizations and violent extremists to bypass the enhanced moderation and content removal efforts of mainstream online service providers. This helped them maintain a persistent online presence. The sites were used for recruitment, fundraising, inciting violence, and spreading propaganda, including manuals for creating explosives and content designed to radicalize and mobilize individuals. [caption id="attachment_77383" align="aligncenter" width="1024"]
OracleCMS informed Council in April that there had been a cyber security incident where identifiable information of customers had been compromised. Until last week we were informed that Council’s customer data was not involved. Council has now been informed that the OracleCMS data breach does include records of calls handled by OracleCMS on Council’s behalf. We take the privacy of our customers very seriously and we are taking urgent action to address this issue.The OracleCMS data breach also affected some businesses such as several entities belonging to Nissan in the Australia and New Zealand region, such as Nissan Financial Services Australia Pty Ltd, Nissan Motor Co. Pty Ltd, Nissan Financial Services, New Zealand Pty Ltd and Nissan New Zealand Ltd.
OracleCMS subsequently suffered a data breach, which it was alerted to on 15 April 2024. This separate incident resulted in certain data which was held by OracleCMS, including the summary information Nissan provided to OracleCMS, being compromised and published on the dark web.As cyberattacks surge, some have questioned whether outsourcing critical customer service channels renders individuals and businesses more vulnerable to data theft. The incident serves as reminder for governments and organizations to lock down vulnerabilities present in third-party vendors or tools while conducting regular security audits. Residents with concerns regarding the breach may contact Baw Baw Shire Council’s customer service line at +61 3 5624 2411. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
“Evidence also suggests UNC3944 has occasionally resorted to fear mongering tactics to gain access to victim credentials. These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material.” - Mandiant
“Mandiant observed access to such applications as vCenter, CyberArk, SalesForce, Azure, CrowdStrike, AWS, and GCP.”Once the threat group gained access to any of the SaaS applications, they then used endpoint detection and response tooling to test access to the environment and further used tools like Airbyte and Fivetran to exfiltrate data to attacker-owned cloud storage.
“Urgent requests are severely restricted at around 400 a day. Historically primary care and community services have generated around 10,000 samples a day for testing, which gives you an idea of the scale of the impact.” - SynnovisServices including blood transfusions reportedly remain severely disrupted at Guy's and St Thomas' Hospital and King's College Hospital. Both hospitals are experiencing disruption of pathology services, particularly blood tests.
“The impact of the discovered vulnerabilities is alarmingly diverse. To begin with, attackers can sell stolen biometric data on the dark web, subjecting affected individuals to increased risks of deepfake and sophisticated social engineering attacks. Furthermore, the ability to alter the database weaponizes the original purpose of the access control devices, potentially granting access to restricted areas for nefarious actors. Lastly, some vulnerabilities enable the placement of a backdoor to covertly infiltrate other enterprise networks, facilitating the development of sophisticated attacks, including cyberespionage or sabotage. All these factors underscore the urgency of patching these vulnerabilities and thoroughly auditing the device's security settings for those using the devices in corporate areas.”
We are experiencing system difficulties with our customer request portal. Our third-party provider is investigating a possible information breach. The cause is yet to be determined but there is no indication this is a cyber attack. We will never contact you via unsolicited calls to request sensitive information. No action is required from you at this stage. We will continue to keep you informed.The notice appears to indicate that the breach stemmed from a third-party provider. The Cyber Express team has reached out to the Moreton Bay Council's Privacy Officer for further information on the breach, however no response has been received as of publication time. The potential scale of the data breach, as well as its impact on residents, is currently unknown. It is also unclear on how many individuals may have accessed the available data before the website had been temporarily taken down and subsequently limited. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
“People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”Dufresne on the other hand stated the risks associated with genetic information in the wrong hands. He said:
“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”The data protection and privacy laws in the UK and Canada allow such joint investigations on matters that impact both jurisdictions. Each regulator will assess compliance with the relevant laws they oversee. Neither of the privacy commissioner offices however provided further details on how they would charge or penalize 23andMe, if found in violation of GDPR or PIPEDA. “No further comment will be made while the investigation is ongoing,” the UK ICO said. 23andMe acknowledges the joint investigation announced by the Privacy Commissioner of Canada and the UK Information Commissioner today.
“We intend to cooperate with these regulators’ reasonable requests relating to the credential stuffing attack discovered in October 2023,” a 23andMe spokesperson told The Cyber Express.