Welcome to the Cyber Watch series for today, January 5, 2024. At DigitalXForce, our Cyber Intelligence team curates a list of the latest cybersecurity news to keep you informed of stories that matter every week.
This week’s Cyber Watch top 10 list is a compilation of stories from 50+ relevant news sources across the web – all ranked according to the risk impact. We encourage you to review these stories and take steps to protect your organization. Click on each headline to read the full story.
Interesting! Tech titan Google has opted to settle a landmark privacy lawsuit surrounding its Chrome web browser, averting a jury trial that could have cost billions. The class action case alleged the search giant duped users into believing they could browse with complete anonymity by enabling ‘Incognito Mode’.
In reality, the lawsuit asserted Google illegally tracked these private sessions using hidden web analytics tools, amassing a trove of data on unwitting users who assumed their activities were confidential. When Google argued it had sufficiently informed users via disclaimers, the judge rejected this – ruling users never consented explicitly to private browsing tracking.
Legal experts said the case raised important questions about the limits of online surveillance technologies in overriding personal privacy expectations. While Incognito prevents local device history storage, tech giants still have free rein to analyze a user’s web journey via other advanced tracking techniques. For Google, a multi-billion dollar trial judgment risked denting public trust in their products. By settling now, the company likely aims to preempt further scrutiny of the conflicts between its insatiable data harvesting and users’ fundamental privacy rights.
HealthEC Data Breach Exposes 4.5 Million Patients’ Sensitive Information Across 17 Healthcare Providers
HealthEC LLC, a health management solutions provider, has fallen victim to a data breach affecting a staggering 4.5 million individuals who received care through its client organizations. The breach, occurring between July 14 and 23, 2023, resulted in unauthorized access to HealthEC’s systems and the theft of sensitive personal and medical data, including names, addresses, Social Security numbers, and medical records.
The company disclosed the breach on December 22, 2023, after an investigation concluded on October 24, 2023. Initially, the number of affected individuals was undisclosed, with a submission to Maine’s Attorney General indicating 112,005 impacted persons. However, the U.S. Department of Health and Human Services breach portal unveiled the alarming total.
Among the 17 healthcare providers and state-level health systems impacted are prominent organizations like Corewell Health, HonorHealth, and the University Medical Center of Princeton Physicians’ Organization.
Transformative Healthcare Data Breach Exposes 900,000 Individuals via Defunct Fallon Ambulance Service
Transformative Healthcare disclosed that the personal information of over 900,000 individuals has been compromised through a breach at the now-defunct Fallon Ambulance Service. The breach, detected on April 23, 2023, allowed attackers access to archived data between February 17 and April 22, 2023, encompassing sensitive details such as names, addresses, Social Security numbers, and medical information.
Transformative Healthcare, in a letter to the affected individuals, reported the completion of the evaluation of compromised information by December 27, 2023. Despite no evidence of misuse, the healthcare organization is taking proactive measures by offering free identity protection services for two years and urging affected individuals to remain vigilant for any suspicious activities on their accounts. The cyberattack, claimed by the Alphv/BlackCat ransomware group, raises concerns about the security of healthcare data. Notably, the group, responsible for hitting over 1,000 entities, faced law enforcement action recently.
In a concerning breach, the MyEstatePoint Property Search app, developed by NJ Technologies, left a MongoDB server exposed, leaking data on nearly half a million users. The compromised information encompasses sensitive details such as names, plain-text passwords, email addresses, and more. Despite attempts to notify NJ Technologies, the developers remained unresponsive until the exposed instance was secured. The leaked data poses severe risks, allowing threat actors to exploit it for unauthorized access, identity theft, and fraudulent activities.
With over 500,000 downloads primarily in the Indian market, the affected user base nearly matches the leaked dataset, emphasizing the widespread impact. Cybernews research discovered the exposed server on November 6th, highlighting the urgency of addressing security lapses in app development. Users are urged to change passwords immediately, especially if reused across accounts, and exercise heightened vigilance against potential phishing attacks leveraging the leaked credentials.
In a notable incident, the X account of Mandiant, a cybersecurity firm and Google subsidiary, fell victim to a hack. The breach involved a hacker promoting a crypto-stealing link and engaging in various activities, prompting questions about the platform’s security measures. Details on the breach remain unclear, but concerns arise about the use of strong passwords and two-factor authentication.
Additionally, a claim of a “reflected XSS” vulnerability in the social media site adds to the overall security landscape. The inherent characteristics of cryptocurrencies, namely decentralization and anonymity, are exploited by hackers executing scams. The lucrative yet unregulated crypto space has become a breeding ground for fraudulent schemes, attracting threat actors seeking quick financial gains.
Nigerian national Olusegun Samson Adejorin faces an eight-count indictment for orchestrating a sophisticated Business Email Compromise (BEC) scheme. Adejorin, arrested in Ghana, allegedly stole $7.5 million from a New York-based charity by using a credential harvesting tool to pilfer email login credentials. Employing classic BEC tactics, including spoofed domain names and concealing fraudulent emails, he posed as an employee to persuade a Maryland charity providing investment services to transfer millions of dollars into an account under his control.
Despite withdrawal approvals for sums over $10,000, Adejorin successfully manipulated the charity into transferring funds. The charges include wire fraud, aggravated identity theft, and unauthorized access to a protected computer, with potential sentences of up to 20 years for each wire fraud count. As BEC remains a lucrative cybercrime type, accumulating over $2.7 billion in 2022, this case highlights the global impact of such schemes and the ongoing challenges in combating transnational cyber threats.
In a critical cybersecurity alert, CISA mandates the patching of two vulnerabilities by January 23. CVE-2023-7101, tied to a sophisticated Chinese campaign, involves an Excel library bug exploited by the UNC4841 group. This bug has been leveraged against Barracuda Networks and governments, showcasing its significant exploitability. The second vulnerability, CVE-2023-7024, is the eighth zero-day for Google Chrome in 2023, posing a threat to widely used browsers.
The urgency is underlined by in-the-wild exploits, prompting Google’s swift release of an update. These incidents highlight the evolving landscape of cyber threats, where threat actors demonstrate sophistication by targeting overlooked aspects, such as older technologies in spam filtering software. The recurrence of zero-days emphasizes the need for robust DevSecOps practices and continuous software updates to mitigate potential risks.
CISA’s Known Exploited Vulnerabilities catalog serves as a crucial tool in addressing these challenges, emphasizing the importance of proactive cybersecurity measures and collaboration in safeguarding critical infrastructure and widely used applications.
Bunker Hill Community College (BHCC) in Boston, Massachusetts, successfully mitigated a ransomware attack detected on May 23, 2023. BHCC’s prompt response, including taking affected systems offline and involving law enforcement, prevented data loss as backups remained unaffected. The investigation revealed an unauthorized actor gaining network access before deploying ransomware, copying a limited amount of data.
BHCC, conducting a thorough review, identified potential exposure of personal details such as names, Social Security Numbers, and medical information. While there’s no indication of misuse, BHCC is transparently notifying affected individuals and emphasizes ongoing monitoring. The incident highlights the persistent threat of ransomware attacks on educational institutions and underscores the importance of robust cybersecurity measures.
BHCC’s effective response serves as a model for mitigating the impact of data breaches, demonstrating transparency and accountability in safeguarding sensitive information. Affected individuals are urged to remain vigilant and take necessary precautions to protect their data against potential misuse.
New DLL Hijacking Variant Targets Windows Systems, Exploiting WinSxS Folder to Bypass Security Measures
A Hacker News report unveiled a fresh variant of DLL search order hijacking, strategically exploiting the trusted “C:\Windows\WinSxS” folder on Windows 10 and 11 systems. The method leverages executables within WinSxS to execute malicious code, presenting a challenge to security mechanisms. Unlike traditional techniques, this variant eliminates the need for elevated privileges, enabling threat actors to introduce potentially vulnerable binaries into the attack chain.
DLL search order hijacking typically targets applications that don’t specify the full path to required DLLs, relying instead on a predefined search order. In this case, Security Joes’ twist focuses on manipulating files within WinSxS, a critical Windows component for system customization and updating. The approach signifies a novel application in cybersecurity, showcasing attackers’ adaptability beyond conventional methods. Ido Naor, CEO of Security Joes, notes the uniqueness of this technique in a landscape where attackers traditionally rely on well-known approaches.
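Since the variant hinges on a WinSxS-hosted executable resolving a DLL from somewhere other than the Windows system directories, one defender-side check is to flag exactly that in endpoint telemetry. The detection logic below is an added example, not code from the article or from Security Joes; it assumes Sysmon-style process-create (Event ID 1) and image-load (Event ID 7) events flattened to key=value lines (real Sysmon output is XML/EVTX), and the sample lines and binary/DLL names are constructed placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style lines (EventID 7 = image load, EventID 1 = process create).
# Made-up samples for this example; component, binary and DLL names are placeholders.
SAMPLE_LOG = [
    r"EventID=7 Image=C:\Windows\WinSxS\amd64_placeholder_component\example_tool.exe ImageLoaded=C:\Windows\System32\kernel32.dll",
    r"EventID=7 Image=C:\Windows\WinSxS\amd64_placeholder_component\example_tool.exe ImageLoaded=C:\Users\alice\Downloads\stage\placeholder.dll",
    r"EventID=1 Image=C:\Windows\WinSxS\amd64_placeholder_component\example_tool.exe CurrentDirectory=C:\Users\alice\Downloads\stage",
    r"EventID=1 Image=C:\Windows\System32\svchost.exe CurrentDirectory=C:\Windows\System32",
]

WINDOWS_ROOT = r"c:\windows"
WINSXS_ROOT = r"c:\windows\winsxs"
# Locations a WinSxS-hosted binary is expected to load DLLs from.
TRUSTED_DLL_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64", WINSXS_ROOT)


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict (sample paths contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_under(path: str, root: str) -> bool:
    """Case-insensitive 'path lives below root' check, Windows separators only."""
    return path.lower().replace("/", "\\").startswith(root + "\\")


def classify(evt: Dict[str, str]) -> Optional[str]:
    """Return an alert reason matching the WinSxS hijack pattern, or None if benign."""
    image = evt.get("Image", "")
    if not is_under(image, WINSXS_ROOT):
        return None  # only binaries executed out of WinSxS are of interest here
    if evt.get("EventID") == "7":
        dll = evt.get("ImageLoaded", "")
        if not any(is_under(dll, root) for root in TRUSTED_DLL_ROOTS):
            return f"WinSxS binary {image} loaded DLL outside Windows dirs: {dll}"
    elif evt.get("EventID") == "1":
        cwd = evt.get("CurrentDirectory", "")
        # The search order consults the working directory, so a non-Windows
        # cwd (e.g. a user-writable folder) is the precondition for the hijack.
        if not is_under(cwd, WINDOWS_ROOT):
            return f"WinSxS binary {image} started with working directory {cwd}"
    return None


def scan(lines: List[str]) -> List[str]:
    """Run classify() over every line and collect the alert reasons."""
    return [r for r in (classify(parse_event(l)) for l in lines) if r]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT:", alert)
```

The rules will also fire on legitimate tooling run from a user directory, so tune the working-directory rule with an allowlist before deploying it as a blocking detection.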
A threat actor named “xc7d2f4” claims to be selling a remote command injection vulnerability impacting Cisco ASA’s 55XX series. This alleged exploit poses a serious threat to the widely-used security appliance, known for integrating firewall, antivirus, and VPN capabilities. The Cyber Express has reached out to Cisco for verification, but an official response is pending at the time of this report.
Remote command injection vulnerabilities allow unauthorized execution of operating system commands, potentially leading to data breaches and network compromise. Cisco ASA plays a pivotal role in securing corporate networks and data centers, making the alleged vulnerability a significant concern. If confirmed, organizations relying on Cisco ASA are urged to stay vigilant, implement patches promptly, and adhere to cybersecurity best practices to mitigate potential risks associated with this alleged exploit.
That’s all for today. Stay tuned for our next episode. See you next week!