Welcome to the Cyber Watch series for today, March 8, 2024. At DigitalXForce, our Cyber Intelligence team curates a list of the latest cybersecurity news to keep you informed of stories that matter every week.
This week’s Cyber Watch top 10 list is a compilation of stories from 50+ relevant news sources across the web – all ranked according to the risk impact. We encourage you to review these stories and take steps to protect your organization. Click on each headline to read the full story.
DDoS Attacks Surge by 196% as Hacktivism Rises in 2024
The cyber threat landscape took an ominous turn in 2024 according to a new report from Radware. Distributed denial-of-service (DDoS) attacks skyrocketed, with the average number of incidents per customer increasing by a staggering 94% worldwide. The Americas region was hit hardest, suffering a 196% jump and bearing the brunt of nearly half of all global DDoS attacks.
The attacks grew not just in volume but also in sophistication.
Web application and API attack instances linked to web DDoS soared 171% year-over-year, emerging as a potent new threat vector. Meanwhile, hacktivism campaigns fueled a wave of cyber chaos. The first half of 2024 saw 5,606 claimed attacks by hacktivist groups, a number that further rose 24% to 6,971 in the latter half of the year. The prolific NoName057(16) was the year’s top menace, claiming responsibility for 3,391 DDoS strikes alone.
Certain industries remained squarely in the crosshairs throughout the onslaught. The finance sector was heavily targeted, enduring 29% of all DDoS activity. Technology (22%), healthcare (14%) and government (12%) entities were also frequently bombarded.
Thousands of ChatGPT Credentials Stolen and Sold on Dark Web
Researchers have uncovered a massive trove of stolen ChatGPT credentials being sold on the dark web, potentially exposing sensitive data to malicious actors. According to Group-IB’s Hi-Tech Crime Trends Report 2023/2024, at least 225,000 sets of OpenAI credentials were compromised and put up for sale last year.
The stolen credentials originated from devices infected with information-stealing malware like LummaC2, Raccoon, and RedLine. These insidious programs scour infected systems for sensitive details such as login credentials and financial information, which are then compiled into logs and sold on dark web marketplaces.
The threat escalated rapidly throughout 2023, with a 36% increase in leaked ChatGPT credentials between the first and last five months of the year. The final month alone saw a staggering 33,080 instances of stolen OpenAI credentials. LummaC2 emerged as the primary culprit, responsible for over 70,000 cases between June and October.
EU Accepts “Cyber Solidarity” Pact to Bolster Regional Cyber Resilience
The European Union has taken a decisive step towards strengthening its cyber defenses, approving a groundbreaking “cyber solidarity act” that aims to foster greater resilience and coordination against cyber threats across member states. This provisional regulation establishes a series of crucial cooperation mechanisms to enhance the region’s ability to prepare for, prevent, and respond to major cybersecurity incidents.
At the heart of this initiative lies the creation of an EU-wide cybersecurity alert system, designed to rapidly disseminate information on emerging cyber threats throughout the bloc. This pan-European infrastructure will comprise national and cross-border cyber hubs tasked with detecting and responding to cyber-attacks, enabling authorities to mount more effective responses to large-scale incidents.
Furthermore, the regulation paves the way for a cybersecurity emergency mechanism, facilitating preparedness actions, mutual financial assistance, and access to a “cybersecurity reserve” of private-sector incident response services. This reserve will be ready to intervene at the request of member states or EU institutions during major cyber crises.
Alongside the Cyber Solidarity Act, the EU has also agreed to establish European certification schemes for managed security services, aiming to boost the quality and consistency of these providers across the internal market.
Third-Party Breach Exposes 30,000 Fidelity Investments Customers’ Data
Over 30,000 individuals have been left vulnerable after a third-party data breach involving Fidelity Investments Life Insurance Company (FILI). The incident, orchestrated through Infosys McCamish (IMS), a service provider to FILI, has raised serious concerns about the security measures in place to protect sensitive customer information.
The breach, which occurred between October 29 and November 2, allowed unauthorized access to critical data, including names, Social Security numbers, states of residence, and even bank account details. Fidelity was notified of the “cybersecurity event” by IMS in November, prompting an immediate investigation in collaboration with a third-party firm.
The financial services giant has taken proactive measures to mitigate the impact on affected individuals. Fidelity is actively reviewing its records to identify all impacted parties and is working closely with IMS to address the breach’s ramifications. Additionally, the company is offering affected customers 24 months of free credit monitoring through TransUnion Interactive and advising them to vigilantly monitor their financial statements and credit reports for any suspicious activity.
The incident underscores the growing threat of third-party breaches, as enterprises increasingly rely on service providers who may serve as potential entry points for cyber threats. Jeff Margolies, chief product and strategy officer at Saviynt, emphasized this concern, stating, “Enterprises are highly reliant on third-party service providers, who are now often the easiest vector into an enterprise’s most critical data.”
Fidelity Investments Life Insurance and Empire Fidelity Investments Life Insurance, based in Smithfield, United States, have formally disclosed the breach’s details, with Chief Compliance Officer Brian Leary leading the communication and emphasizing the company’s commitment to transparency and remediation.
LinkedIn Suffers Outage In Alleged Hacking Attempt
Microsoft-owned LinkedIn experienced an outage on Wednesday, leaving thousands of users unable to access the business-oriented networking site. This incident comes just a day after Meta’s Facebook and Instagram platforms were down for hours, locking out hundreds of thousands of users worldwide.
The LinkedIn outage began around 3:30 p.m. EST and peaked with nearly 50,000 users affected, according to data from the internet monitoring site Downdetector.com. By 5:00 p.m. EST, 65% of LinkedIn users reported issues with the website, while 32% experienced problems with the app.
Netblocks, an organization that monitors internet freedoms, confirmed the outage, stating that the issues were “not related to any country-level internet disruptions or filtering.” Users quickly took to other social media platforms like X (formerly Twitter), using the trending hashtag #linkedindown to share their experiences and speculate on the cause of the outage.
The incident comes on the heels of a significant outage affecting Meta’s platforms on Monday morning, which left over 600,000 users worldwide unable to access their Facebook and Instagram accounts. While Meta initially cited technical issues, the company later hinted to Cybernews that the disruption may have been the result of a hacking attempt, with multiple hacktivist groups claiming responsibility for distributed denial-of-service (DDoS) attacks.
$22M Ransom Potentially Paid in Crippling Change Healthcare Attack
Evidence has emerged suggesting that healthcare firm Change Healthcare may have paid a staggering $22 million ransom to the AlphV ransomware gang responsible for the crippling attack that disrupted pharmacies across the United States. The attack, which has been ongoing for 10 days and counting, has led to serious snags in the delivery of prescription drugs nationwide.
The potential ransom payment came to light through a dispute within the criminal underground, where an affiliate of AlphV claimed the group had cheated them out of their share of the ransom from Change Healthcare. The affiliate pointed to a publicly visible Bitcoin transaction worth approximately $22 million, which blockchain analysis firms have linked to AlphV.
If confirmed, the payment would not only represent a massive payday for the ransomware gang but also set a dangerous precedent for the healthcare industry. Security experts warn that such a lucrative attack could incentivize other cybercriminals to target healthcare services, putting patient care at risk.
The self-described AlphV affiliate, known as “notchy,” also claimed to have accessed data from numerous other healthcare firms partnered with Change Healthcare during the attack. This revelation raises concerns that sensitive medical information could still be at risk, even if the ransom was paid.
Cisco Unveils Open Source Tool for Monitoring Industrial Backplane Traffic
Cisco has unveiled an open-source proof-of-concept tool designed to improve the monitoring of backplane traffic. The tool, named Badgerboard, focuses on Schneider Electric’s Modicon M580 programmable logic controllers (PLCs) and the industrial giant’s X80 backplane, providing security teams with greater insight into high-speed communication between these critical components.
Backplanes are the hardware components that interconnect a controller’s modules, enabling vital data exchange in operational technology (OT) environments. However, in many cases, OT security teams cannot properly monitor the traffic crossing the backplane, which denies them full visibility into their network and leaves potential vulnerabilities undetected.
Cisco’s Badgerboard aims to address this issue by making backplane traffic visible to regular network security solutions such as Snort. While not a fully engineered solution, the tool demonstrates the feasibility of expanding backplane traffic visibility, which Cisco hopes will serve as a “call to arms” for customers to demand more advanced monitoring solutions from vendors.
The company acknowledges that security vendors cannot solve this problem alone and emphasizes the need for collaboration with PLC vendors, who have the capability and expertise to create products that accomplish what Badgerboard has set out to do. Cisco believes that consumer demand must drive the conversation, as plugging in third-party modules can impact customer warranties.
CISA Adds Android Pixel, Sunhillo SureLine Flaws to Exploited Vulnerabilities List
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, urging organizations to promptly address these security flaws to protect their networks from potential attacks.
The first vulnerability, CVE-2023-21237, is an Android Pixel information disclosure flaw in the applyRemoteView method of NotificationContentInflater.java. It could lead to local information disclosure without requiring additional execution privileges or user interaction. Google has acknowledged limited, targeted exploitation of this flaw, which is likely chained with other vulnerabilities in an exploit used by commercial spyware vendors or nation-state actors.
The second vulnerability, CVE-2021-36380, is an OS Command Injection flaw in Sunhillo SureLine. The exploitation of this vulnerability could allow attackers to execute arbitrary commands with root privileges, potentially leading to complete system compromise.
In accordance with Binding Operational Directive (BOD) 22-01, federal civilian executive branch (FCEB) agencies are required to remediate catalogued vulnerabilities by their due date to protect their networks against attacks exploiting them. CISA has set a deadline of March 26, 2024, for federal agencies to mitigate the Android Pixel and Sunhillo SureLine vulnerabilities.
WordPress Sites Under Siege from Brute-Force Attacks via Malicious JS Injections
Threat actors are employing a new tactic to launch brute-force attacks against WordPress sites, leveraging malicious JavaScript injections to exploit unsuspecting site visitors’ browsers. Security researchers at Sucuri have uncovered this campaign, which has already impacted over 700 sites.
The attack unfolds in five stages, enabling the threat actors to take advantage of already compromised WordPress sites to launch distributed brute-force attacks against other potential victim sites. The process begins with obtaining a list of target WordPress sites and extracting real usernames of authors that post on those domains. Malicious JavaScript code is then injected into the compromised sites, which triggers a brute-force attack on the target sites via the browsers of unsuspecting visitors.
The injected code attempts to authenticate using a list of common and leaked passwords, and if successful, it creates a small text file with valid credentials in the WordPress uploads directory. This grants the threat actors unauthorized access to the target sites, which can be monetized in various ways.
While the motivation behind this shift from crypto drainers to distributed brute-force attacks is not entirely clear, researchers speculate that it may be driven by profit motives, as compromised WordPress sites offer multiple avenues for monetization.
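A defender-side check for the two traces this campaign leaves on a site, added here as an example and not code from Sucuri or from the original post: it flags non-media files in wp-content/uploads (where the injected script drops its credential file) and, over web-server log lines, time windows in which an unusually large number of distinct visitor IPs POST to wp-login.php. The log lines are constructed, and the login endpoint and the thresholds are assumptions, since the article does not name them.

```python
import os
import re
from collections import defaultdict
from datetime import datetime

# File types normally expected under wp-content/uploads; anything else is worth a look.
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg", ".pdf", ".mp4", ".mp3"}

def unexpected_upload_files(paths):
    """Return the given upload paths whose extension is not a normal media type."""
    return sorted(p for p in paths if os.path.splitext(p)[1].lower() not in MEDIA_EXTENSIONS)

def scan_uploads_dir(root):
    """Walk a real wp-content/uploads tree and apply the same check to every file."""
    found = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return unexpected_upload_files(found)

# Apache/Nginx combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def distributed_login_bursts(log_lines, window_seconds=60, min_distinct_ips=20):
    """Return (window_start_epoch, distinct_ip_count) for each window in which at least
    min_distinct_ips different clients POSTed to wp-login.php (hypothetical thresholds)."""
    ips_per_window = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, _status = m.groups()
        if method != "POST" or not path.startswith("/wp-login.php"):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        ips_per_window[int(when.timestamp()) // window_seconds].add(ip)
    return sorted((w * window_seconds, len(ips)) for w, ips in ips_per_window.items()
                  if len(ips) >= min_distinct_ips)

# Constructed sample log: 25 distinct visitor IPs hitting the login form within one
# minute, plus a page view and a single later login that should not be flagged.
SAMPLE_LOG = [
    f'203.0.113.{i} - - [10/Mar/2024:12:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"'
    for i in range(1, 26)
] + [
    '198.51.100.7 - - [10/Mar/2024:12:00:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Mar/2024:12:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
SAMPLE_UPLOADS = ["2024/03/photo.jpg", "2024/03/creds.txt", "2024/03/banner.png"]

if __name__ == "__main__":
    print("suspicious uploads:", unexpected_upload_files(SAMPLE_UPLOADS))
    print("login bursts:", distributed_login_bursts(SAMPLE_LOG))
```

A flood of login attempts from many unrelated visitor IPs, rather than one noisy source, is what distinguishes this browser-driven campaign from an ordinary single-host brute force, so per-IP rate limiting alone will not catch it.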
Facebook Messenger Abused to Spread Python-Based Data Stealer “Snake”
Threat actors are leveraging Facebook Messenger to distribute a Python-based information stealer dubbed “Snake,” designed to capture credentials and other sensitive data from unsuspecting users. The campaign, first discovered on the social media platform X in August 2023, involves sending prospective victims seemingly innocuous RAR or ZIP archive files that, upon opening, initiate the infection sequence.
The attack chain involves two downloaders, a batch script and a cmd script, with the latter responsible for downloading and executing the information stealer from an actor-controlled GitLab repository. Cybereason researchers have identified three distinct variants of the stealer, with the third being an executable assembled by PyInstaller.
The malware is designed to gather data from various web browsers, including the Vietnamese browser Cốc Cốc, suggesting a potential focus on Vietnamese users. The collected information, comprising credentials and cookies, is then exfiltrated in the form of a ZIP archive via the Telegram Bot API.
Notably, the stealer is specifically designed to dump cookie information specific to Facebook, indicating that the threat actor is likely aiming to hijack accounts for their own nefarious purposes. The Vietnamese connection is further reinforced by the naming conventions of the GitHub and GitLab repositories and the presence of Vietnamese language references in the source code.
That’s all for today. Stay tuned for our next episode. See you next week!