This Week in Cybersecurity News: Sav-RX Breach and CatDDos botnet Edition

By Nathan Burke

2.8 million impacted by data breach at prescription firm Sav-Rx, auctioneer Christie’s confirms criminals stole some client data, and researchers warn of CatDDoS botnet and DNSBomb DDoS attack technique.

Breaches and Attacks in the News

2.8 Million Impacted by Data Breach at Prescription Services Firm Sav-Rx
By Ionut Arghire – SecurityWeek
Pharmacy prescription services provider A&A Services, which operates as Sav-Rx, is notifying roughly 2.8 million individuals that their personal information was compromised in a cyberattack. The incident, the organization said, occurred on October 8, 2023, when it identified an interruption to its computer network, and was immediately contained, with the impacted systems restored the next business day. “The disruption to our IT systems did not result in any material disruption to patient care. Prescriptions were shipped on time and without delay. Our adjudication system was not affected so network pharmacy claims adjudicated continuously without impact or delay,” Sav-Rx said. According to the company, however, the attackers accessed non-clinical systems containing personal information and exfiltrated data from them.
See also: Sav-Rx discloses data breach impacting 2.8 million Americans

Ransomware Group Claims Responsibility for Christie’s Hack
By Zachary Small – The New York Times
A hacker group called RansomHub said it was behind the cyberattack that hit the Christie’s website just days before its marquee spring sales began, forcing the auction house to resort to alternatives to online bidding. In a post on the dark web on Monday, the group claimed that it had gained access to sensitive information about the world’s wealthiest art collectors, posting only a few examples of names and birthdays. It was not immediately possible to verify RansomHub’s claims, but several cybersecurity experts said they were a known ransomware operation and that the claim was plausible. Nor was it clear if the hackers had gained access to more sensitive information, including financial data and client addresses. The group said it would release the data, posting a countdown timer that would reach zero by the end of May.
See also: Auction house Christie’s confirms criminals stole some client data

Researchers Warn of CatDDoS Botnet and DNSBomb DDoS Attack Technique
The Hacker News
The threat actors behind the CatDDoS malware botnet have exploited over 80 known security flaws in various software over the past three months to infiltrate vulnerable devices and co-opt them into a botnet for conducting distributed denial-of-service (DDoS) attacks. “CatDDoS-related gangs’ samples have used a large number of known vulnerabilities to deliver samples,” the QiAnXin XLab team said. “Additionally, the maximum number of targets has been observed to exceed 300+ per day.”

Hackers phish finance orgs using trojanized Minesweeper clone
By Bill Toulas – BleepingComputer
Hackers are utilizing code from a Python clone of Microsoft’s venerable Minesweeper game to hide malicious scripts in attacks on European and US financial organizations. Ukraine’s CSIRT-NBU and CERT-UA attribute the attacks to a threat actor tracked as ‘UAC-0188,’ who is using the legitimate code to hide Python scripts that download and install the SuperOps RMM. SuperOps RMM is a legitimate remote management software that gives remote actors direct access to the compromised systems.

Intercontinental Exchange to pay $10M SEC penalty over VPN breach
By Sergiu Gatlan – BleepingComputer
The Intercontinental Exchange (ICE) will pay a $10 million penalty to settle charges brought by the U.S. Securities and Exchange Commission (SEC) after failing to ensure its subsidiaries promptly reported an April 2021 VPN security breach. ICE is an American company listed on the Fortune 500 that owns and operates financial exchanges and clearing houses worldwide, including the New York Stock Exchange (NYSE). In 2023, it employed over 13,000 people and reported a total revenue of $9.903 billion. As Regulation Systems Compliance and Integrity (Regulation SCI) requires, firms must immediately notify the SEC about security incident intrusions and provide an update within 24 hours unless they determine the impact on their operations or market participants is negligible.

Threats, Campaigns, and Techniques in the News

Russian Hackers Shift Tactics, Target More Victims with Paid Malware
By Deeba Ahmed – HackRead
Earlier this week, reports surfaced indicating that state-sponsored groups in Iran are collaborating for large-scale attacks, and similar activities are occurring in Russia. As the Ukraine-Russian War continues, Russian Advanced Persistent Threat (APT) groups are adapting their TTPs and malware, with many sharing delivery techniques and using paid tools instead of custom payloads, revealed researchers at Flashpoint in their latest report. The researchers have discovered a dangerously fast-paced sophistication in their Tactics, Techniques, and Procedures (TTPs) in recent spear-phishing campaigns and a preference for malware readily available on illegal online marketplaces, making them harder to detect.

New APT Group “Unfading Sea Haze” Hits Military Targets in South China Sea
By Waqas – HackRead
A recent investigation by Bitdefender Labs has uncovered the activities of a previously unknown cyber threat group, dubbed “Unfading Sea Haze.” This group has been actively targeting high-level organizations, particularly military and government entities, in countries surrounding the South China Sea. The scope and nature of their attacks suggest a potential alignment with Chinese interests in the region. It is worth noting that the South China Sea nations typically refer to countries that border the South China Sea. These include China, Taiwan, the Philippines, Malaysia, Brunei, Indonesia, and Vietnam.

AI Voice Generator App Used to Drop Gipy Malware
DarkReading
Gipy, a newly discovered campaign using a strain of infostealer malware, is targeting users in Germany, Russia, Spain, and Taiwan with phishing lures promising an AI voice changing application. Researchers at Kaspersky said Gipy malware first emerged in early 2023 and, once delivered, allows adversaries to steal data, mine cryptocurrency, and install additional malware on the victim’s system. Threat actors in this instance are luring victims with the promise of a legitimate AI voice altering application, the researchers explained. Once the user installs it, the application starts to work as promised; meanwhile, Gipy malware is delivered in the background, the Kaspersky team added.

Cybersecurity Research and Reports in the News

HR and IT related phishing scams still most popular according to KnowBe4’s latest Phishing Report
ITSecurityGuru
KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, has revealed the results of its Q1 2024 top-clicked phishing test report. The results include the most common email subjects clicked on in phishing tests, reflecting the persistent use of HR or IT-related business email messages that captivate employees’ interests. HR-related phishing attacks take the top spot at 42%, a trend that has persisted for the last three quarters, followed by IT-related phishing emails at 30%. Phishing emails from HR or IT departments that prompt dress code changes, tax and healthcare updates, training notifications and other similar actions are effective in deceiving employees as they can affect a user’s work, evoke an immediate response and can cause a person to react before thinking about the validity of the email.

Best Buy and Geek Squad were most impersonated orgs by scammers in 2023
By Matthew Connatser – TheRegister
The Federal Trade Commission (FTC) has shared data on the most impersonated companies in 2023, which include Best Buy, Amazon, and PayPal in the top three. The federal agency detailed the top ten companies scammers impersonate and how much they make depending on the impersonation. By far the most impersonated corp was Best Buy and its repair business Geek Squad, with a total of 52k reports. Amazon impersonators came in second place with 34k reports, and PayPal a distant third with 10,000. Proportionally, the top three made up roughly 72 percent of the reports among the top ten, and Best Buy and Geek Squad scam reports were about 39 percent on their own.

70% of CISOs worry their org is at risk of a material cyber attack
By Jessica Lyons – TheRegister
Chief information security officers around the globe “are nervously looking over the horizon,” according to a survey of 1,600 CISOs that found more than two thirds (70 percent) worry their organization is at risk of a material cyber attack over the next 12 months. This is compared to 68 percent the year prior, and 48 percent in 2022. Additionally, nearly a third (31 percent) believe a significant attack is “very likely,” compared to 25 percent in 2023. For its annual Voice of the CISO report, Proofpoint polled CISOs from organizations with at least 1,000 employees across 16 countries: The US, Canada, UK, France, Germany, Italy, Spain, Sweden, the Netherlands, UAE, Saudi Arabia, Australia, Japan, Singapore, South Korea, and Brazil. Research firm Censuswide conducted the survey between January 20 and February 2, and interviewed 100 CISOs in each country, we’re told. Of those surveyed, we’d assume that CISOs in South Korea (91 percent), Canada (90 percent) and the US (87 percent) get the least sleep each night, as these are the three top percentages of chief infosec officers who are concerned about experiencing a material cyber attack.
