Breaches and Attacks in the News
TeamViewer Confirms Security Breach by Russian Midnight Blizzard
By WAQAS – HACKREAD
TeamViewer, a leading Goeppingen, Germany-based remote access and support software company, has confirmed a security breach in its internal corporate IT environment. The incident, first detected on June 26, 2024, has been attributed to the Russian threat actor known as APT29 or Midnight Blizzard, according to the latest update from the company. In an initial statement released on June 27, TeamViewer reported that their security team had detected an “irregularity” in their internal corporate IT environment. The company immediately activated its response team and began investigations with the help of globally renowned cybersecurity experts.
See Also: Teamviewer Discloses Investigation Update Following Cyber Attack
RansomHub says it published Florida health department data
By Sophia Fox-Sowell – Statescoop
The hacking group RansomHub this week claimed it exfiltrated and published 100 gigabytes of sensitive data from the Florida Department of Health because the department refused to meet its ransom demands. According to a July 1 post on X by HackManac, a company that tracks cyberattacks, RansomHub threatened to release the stolen health department data in a post on the dark web unless the state paid an undisclosed amount of money by Friday.
Bay Area Credit Union Struggles to Recover After Ransomware Attack
By Jai Vijayan – DarkReading
Tens of thousands of customers of Bay Area credit union Patelco remain without access to their accounts, following a crippling ransomware attack on the 88-year-old financial institution. The June 29 attack forced the credit union to shut down several of its key banking systems in a measure to contain damage and remediate the issue.
See Also: “Everything’s frozen”: Ransomware locks credit union users out of bank accounts
Fintech Frenzy: Affirm & Others Emerge as Victims in Evolve Breach
By Nate Nelson – DarkReading
A ransomware attack against a large financial services provider has become a problem for many companies it works with, two of which have already alluded to potential negative impacts on customer data. The infamous LockBit group earned some undue attention early last week when it claimed to have hacked the US Federal Reserve. In fact, it had breached the far lesser Evolve Bank & Trust. According to a statement from Memphis-based Evolve, the attack occurred in late May, when an Evolve employee clicked on a malicious phishing link. Though the attackers didn’t access any customers’ money, they were able to access and download customer information from databases and a file share. They also encrypted some data but, thanks to backups, the company “experienced limited data loss and impact on our operations.”
Threats, Campaigns, and Techniques in the News
EDRPrison: Borrow a Legitimate Driver to Mute EDR Agent
By Ziyi Shen – 3Nails Information Security
Hey friends, today I will share a technique that can be used to evade EDR products. I hesitate to call it a “new” technique, as I drew inspiration from existing projects and techniques. It is not a typical evasion method like sleep obfuscation, stack obfuscation, or syscall manipulation. Instead, it exploits oversights in detection mechanisms. The principle behind the technique is neither groundbreaking nor complex. However, I encountered multiple rabbit holes and thought I had reached dead-ends several times during my research. Therefore, I will also share my struggles and failed attempts in this article.
Volcano Demon Ransomware Gang Makes Phone Calls to Victim for Ransom
By Deeba Ahmed – HACKREAD
A new and particularly menacing ransomware group known as “Volcano Demon” has surfaced, causing alarm across manufacturing and logistics industries. This group has deviated from the usual ransomware playbook, opting for a more direct and intimidating method to coerce their victims. Over the past two weeks, “Volcano Demon” has successfully targeted several companies, deploying their unique ransomware called “LukaLocker” in at least 2 cases. This malicious software encrypts files with the .nba extension and is designed to evade detection and analysis, making it a formidable threat. According to cybersecurity firm Halcyon, what makes “Volcano Demon” stand out is their use of phone calls to pressure company executives into paying ransoms. Instead of the typical data leak sites, they rely on frequent, threatening calls from unidentified numbers. Tim West, an analyst at Halcyon, shed light on this unsettling tactic. “They call very frequently, almost daily in some cases,” he said.
See Also: Volcano Demon Ransomware Group Rings Its Victims To Extort Money
Hackers Actively Exploiting Microsoft SmartScreen Vulnerability To Deploy Stealer Malware
By Tushar Subhra Dutta – CyberSecurity News
Hackers attack Microsoft SmartScreen as it’s a cloud-based, anti-phishing, and anti-malware component that determines whether a website is potentially malicious, protecting users from downloading harmful viruses. By exploiting vulnerabilities in SmartScreen, hackers can sneak past Windows Defender and spread malware onto users’ devices. Cybersecurity researchers at Cyble recently discovered that hackers have been actively exploiting the Microsoft SmartScreen vulnerability to deploy stealer malware.
Software Productivity Tools Hijacked to Deliver Infostealers
By Nate Nelson – DarkReading
An India-based software company in June was inadvertently distributing information-stealing malware packaged with its primary software products. Conceptworld Corporation sells three auto-logical software tools: Notezilla, a sticky notes app; RecentX, a tool for storing recently used files, folders, applications, and clipboard data; and Copywhiz, used for copying, organizing, and backing up files. A few weeks ago, researchers from Rapid7 discovered that the installation packages associated with all three had been Trojanized, secretly carrying rudimentary infostealing malware. Rapid7 informed Conceptworld on June 24. Within 12 hours, the company had removed the malicious installers and replaced them with legitimate, signed copies.
Cybersecurity and Public Policy in the News
Cybersecurity regulations face ‘uphill battle’ after Chevron ruling
By Derek B Johnson – Cyberscoop
President Joe Biden’s executive branch has distinguished itself on cybersecurity policy from previous administrations with its willingness to embrace regulations — often with a bit of creative lawyering involved. But a landmark ruling by the Supreme Court last week that overturned the so-called Chevron doctrine — which holds that courts should defer to federal agencies when interpreting parts of federal law not specified by Congress — threatens to make it much more difficult for the Biden administration to put in place more stringent cybersecurity rules.
Cybersecurity Opinions and Advice
A CISO’s Guide to Avoiding Jail After a Breach
By Nate Nelson – DarkReading
For years, the government has been trying carrots and sticks that might get companies to better steward their user data. On that long history, Sullivan tells Dark Reading, “I think we’re in the ugly middle period right now.” When he worked for the Obama administration, he recalls, “The thing we wrestled with the most was: How does the federal government get corporations to commit to doing more in cybersecurity? And the approach for a long time was public-private partnerships and collaboration. You still see versions of that with a lot of the work that [the Cybersecurity and Infrastructure Security Agency] does. But the Biden administration came out with their National Cybersecurity policy in March 2023 that says, very clearly, that we’ve decided to shift responsibility to those that have the means to do so — larger corporations in the private sector.”
3 Ways to Chill Attacks on Snowflake
By Robert Lemos
More than a month after a spate of data theft of Snowflake environments, the full scope of the incident has become more clear: at least 165 likely victims, more than 500 stolen credentials, and suspicious activity connected to known malware from nearly 300 IP addresses. In June, the cloud data service provider washed its hands of the incident, pointing to the cybersecurity investigation report published by its incident response providers Google Mandiant and CrowdStrike, which found that 165 Snowflake customers had potentially been impacted by credentials stolen through information-stealing malware. In a June 2 update, Snowflake confirmed that it found no evidence that a vulnerability, misconfiguration, breach, or stolen employee credential had led to the data leaks.
Cybersecurity Trends and Research
Ransomware Extortion Demands Soar to $5.2M per Attack
By DarkReading Staff
Ransomware demands are reaching new heights in 2024, with the average extortion demand per ransomware attack being more than $5.2 million per incident in the first half of the year. In an analysis calculated from 56 ransom demands from January until June of this year, the largest demand was $100 million after an attack on India’s Regional Cancer Center (RCC) on April 20.
ChatGPT 4 can exploit 87% of one-day vulnerabilities
By Jennifer Gregory – SecurityIntelligence
Since the widespread and growing use of ChatGPT and other large language models (LLMs) in recent years, cybersecurity has been a top concern. Among the many questions, cybersecurity professionals wondered how effective these tools were in launching an attack. Cybersecurity researchers Richard Fang, Rohan Bindu, Akul Gupta and Daniel Kang recently performed a study to determine the answer. The conclusion: They are very effective.