In today’s cybersecurity news…
Singing River patient data was swiped in ransomware attack
Mississippi-based Singing River Health System has warned that more than 895,000 patients have been impacted by a ransomware attack it suffered in August 2023. That number is roughly four times greater than the number of affected individuals the health system announced back in December. Exposed data includes names, dates of birth, addresses, Social Security Numbers (SSNs), and medical information. While Singing River said there is no evidence that the exposed data was fraudulently used, it is offering 24 months of credit monitoring and identity restoration services to victims. The attack was claimed by the Rhysida ransomware gang, which is notorious for attacking healthcare service providers.
PoC exploit released for D-Link router zero-day
Researchers at SSD have discovered a vulnerability in D-Link EXO AX4800 (DIR-X4860) routers that could lead to complete device takeovers. The attack sends a specially crafted Home Network Administration Protocol (HNAP) login request to the router’s management interface. The router responds with a challenge, a cookie, and a public key, which can be used to generate a valid login password for the “Admin” account. SSD contacted D-Link three times over the last 30 days to share its findings but said the router maker has not responded. The researchers have now made the proof-of-concept (PoC) exploit publicly available. Until a firmware update is made available, router admins should disable the device’s remote access management interface to prevent exploitation.
Google to use GenAI to help identify phone scams
At the Google I/O 2024 developer conference on Tuesday, Google previewed a Generative AI-driven feature that will alert users to potential phone scams in real time. The feature will be built into a future version of Android and will use Gemini Nano, which can run entirely on-device. The system effectively listens for “conversation patterns commonly associated with scams” such as fraudsters claiming to be bank representatives, offering gift cards or making requests for passwords. When a potential scam is detected, a pop-up notification will alert the user that they may be falling prey to unsavory characters. No specific release date has been set for the feature.
North Korea once again tied to Tornado crypto mixer
United Nations sanctions monitors reported Friday that they have investigated 97 suspected North Korean cyberattacks on cryptocurrency companies between 2017 and 2024, resulting in the theft of $3.6 billion. The monitors say that total includes $147.5 million stolen late last year from the HTX exchange and then laundered in March through the Tornado Cash crypto mixer. Tornado Cash was sanctioned by the U.S. two years ago over alleged support for North Korea. In 2023, two of the mixer’s co-founders were charged with laundering more than $1 billion. The monitors also reported that a number of the thefts resulted from North Korean workers inadvertently being hired by small crypto companies.
(Reuters)
Huge thanks to our sponsor, Vanta

With the largest network of Trust Centers, Vanta can help you streamline security reviews to win customer trust, save time, and close deals fast.
Proactively demonstrate security by showcasing key resources like your SOC 2 or ISO 27001 and provide real-time evidence for passing controls. And when a security questionnaire is required, Vanta takes the first pass for you.
Visit vanta.com/ciso to take a tour.
Ebury botnet diversifies with crypto theft
In its 15-year existence, the Ebury botnet has grown into one of the most advanced server-side malware campaigns. Long known for spam, web traffic redirection and credential theft, Ebury has been deployed as a backdoor to compromise almost 400,000 Linux, FreeBSD and OpenBSD servers. More than 100,000 were still compromised as of late 2023. A recent campaign uncovered previously compromised servers being used to perform Address Resolution Protocol (ARP) spoofing attacks against Bitcoin and Ethereum wallets on targets residing in the same network segment. These evolving tactics appear to be paying off, as August 2023 saw record-breaking activity from the botnet, with over 6,000 compromised servers recorded that month.
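The ARP spoofing described above relies on a compromised host answering ARP requests for an IP address that is not its own, so that traffic meant for a gateway or a neighbouring wallet host is steered through it. A passive sensor on the segment can catch that by watching ARP replies for an IP whose MAC address changes, or for one MAC that suddenly claims several IPs. The detector below is an added example written for this summary; it is not code from the Ebury research or from any vendor. The log format, the hosts, the MAC addresses and the gateway IP 10.0.0.1 are all constructed for illustration.

```python
"""Passive ARP-spoofing detector run over a constructed ARP reply log.

Added example, not part of the original news item or of the Ebury research.
Everything below (log format, hosts, MACs, gateway address) is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: ARP replies as a passive sensor might record them, in the
# form "timestamp sender_ip is-at sender_mac". 10.0.0.1 is the gateway. The
# last two lines show a second MAC claiming both the gateway's IP and a wallet
# host's IP, which is the pattern an ARP-spoofing host produces.
SAMPLE_ARP_LOG = """\
1715680000 10.0.0.1 is-at aa:bb:cc:00:00:01
1715680001 10.0.0.20 is-at aa:bb:cc:00:00:20
1715680002 10.0.0.21 is-at aa:bb:cc:00:00:21
1715680060 10.0.0.1 is-at aa:bb:cc:00:00:01
1715680120 10.0.0.1 is-at de:ad:be:ef:00:99
1715680121 10.0.0.20 is-at de:ad:be:ef:00:99
"""


@dataclass(frozen=True)
class Alert:
    timestamp: int
    ip: str
    old_mac: str
    new_mac: str
    reason: str


def parse_arp_log(text):
    """Yield (timestamp, ip, mac) tuples from the constructed log format.

    Malformed lines are skipped rather than raising, since a sensor feed is
    rarely clean. MACs are lower-cased so case differences never hide a change.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "is-at":
            continue
        try:
            ts = int(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[3].lower()


def detect_arp_spoofing(log_text, gateway_ip, max_ips_per_mac=1):
    """Return Alerts for two signals of ARP spoofing on a segment.

    (a) an IP whose advertised MAC changes from the one first seen; a change on
        the gateway IP is labelled separately because it is the highest-impact
        case (all off-segment traffic, including wallet RPC calls, is diverted);
    (b) a single MAC that claims more IPs than max_ips_per_mac, which is how a
        spoofing host looks when it impersonates several victims at once.
    """
    ip_to_mac = {}                 # first MAC seen for each IP (the baseline)
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed so far
    alerts = []
    for ts, ip, mac in parse_arp_log(log_text):
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            reason = "gateway impersonation" if ip == gateway_ip else "ip-mac binding changed"
            alerts.append(Alert(ts, ip, prev, mac, reason))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        # Fires once, at the moment the MAC first exceeds the allowed IP count.
        if len(mac_to_ips[mac]) == max_ips_per_mac + 1:
            alerts.append(Alert(ts, ip, prev or "", mac, "one mac claims multiple ips"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_LOG, gateway_ip="10.0.0.1"):
        print(f"{alert.timestamp} {alert.reason}: {alert.ip} "
              f"moved from {alert.old_mac or '-'} to {alert.new_mac}")
```

Run against the constructed log, the first four replies produce no alerts; the fifth raises a gateway-impersonation alert and the sixth raises both a binding-change alert for 10.0.0.20 and a multiple-IP alert for the impersonating MAC. Two tuning points matter in practice: DHCP lease churn and hardware replacement also change an IP's MAC, so the baseline should be refreshed from a trusted source rather than kept forever, and routers, virtual hosts and HA pairs legitimately answer for several IPs, so `max_ips_per_mac` should be set per segment instead of left at one.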
You should probably patch that (Patch Tuesday edition)
Microsoft rolled out its April security updates on Tuesday, addressing 60 vulnerabilities across various software products, including two actively exploited zero-days. The first zero-day bug (CVE-2024-30051) is a heap-based buffer overflow in the Windows Desktop Window Manager (DWM) Core Library. Exploitation of the 7.8 out of 10 severity bug requires elevated SYSTEM privileges. As is customary, Microsoft did not share details of related Indicators of Compromise (IOCs), which help defenders hunt for signs of intrusions. The second zero-day (CVE-2024-30040) is an 8.8 severity security feature bypass bug in Microsoft 365 and Office. The company also urged Windows admins to pay attention to a critical-severity remote code execution vulnerability in Microsoft SharePoint (CVE-2024-30044).
Additionally, Microsoft fixed two issues that stemmed from its April 2024 security updates: the first caused client-server VPN connections to break, and the second caused NTLM authentication failures and domain controller reboots.
Meanwhile Tuesday, Adobe patched 35 security vulnerabilities across a wide range of its products, calling attention to critical-severity bugs in Adobe Acrobat, Reader, Illustrator, Substance 3D Painter, Aero, and Animate software programs. The company said it was not aware of any of these issues leading to exploits in the wild.
(SecurityWeek [1][2] and Bleeping Computer [1][2] and Krebs on Security)
Data breaches in U.S. schools exposed over 37 million records
Since 2005, U.S. educational institutions have suffered 3,700 data breaches, impacting over 37.6 million records. According to new data from Comparitech, 2023 marked a record year, with 954 breaches, representing a dramatic rise from 139 in 2022. The 4.3 million records compromised in 2023 soared 40% compared to each of the prior two years. Of the records compromised last year, 1.9 million were affected as part of 65 ransomware attacks and 1.7 million records were compromised in third-party breaches. Colleges and universities accounted for 60% of breaches, largely due to the MOVEit incident.
A glimpse into Africa’s internet vulnerability
Early Sunday morning, several African countries experienced a severe internet outage caused by two severed undersea cables. The incident is under investigation but is suspected to have been caused by a ship anchor. The continent recently experienced two similar disruptions, including one back in February, when a ship’s anchor dragged through three cables in the Red Sea. Africa’s internet relies on a limited number of fragile undersea cables, so when routes become unavailable, alternate pathways become jammed, causing service slowdowns. Repairing damaged cables can take weeks because it requires specialized skills and equipment and fair weather conditions. Progress toward improving Africa’s internet infrastructure has been slowed by logistical and financial constraints. Experts say the problem needs to be solved through investment in diversified connectivity, such as satellite internet links, and in vital communications infrastructure on the ground, such as data centers and internet exchanges.
(BBC)