AMD investigates breach after data for sale on hacking forum
AMD is investigating whether it suffered a cyberattack after a threat actor dubbed IntelBroker shared some screenshots of the data it allegedly swiped from the company. Another source claims the data includes employee and customer information, financial documents, source code and other confidential information. AMD said it’s working with law enforcement and a “third-party hosting partner to investigate the claim and the significance of the data.” IntelBroker is best known for the breach of DC Health Link, which exposed the personal data of members and staff of the U.S. House of Representatives.
Qilin demands $50 million ransom from UK hospital
Following up on the recent rash of cyberattacks on UK hospitals we’ve been covering here on Cyber Security Headlines, Russian-speaking members of the Qilin gang are now claiming they have demanded $50 million from UK lab-services provider Synnovis. On June 4, Synnovis announced that it fell victim to a ransomware attack that locked systems used to provide blood-testing and transfusion services to National Health Service hospitals. A Qilin member said they plan to leak stolen data online if Synnovis fails to pay the ransom. Qilin also refused to accept responsibility for patients affected by the incident. Instead, they suggested the attack was retaliation for the British government’s involvement in unspecified wars.
Hackers derail Amtrak Guest Rewards accounts
In a breach-disclosure notice it filed in Massachusetts, the passenger rail service said an unauthorized third party gained access to a customer database between May 15-18. Amtrak said its systems were not hacked, but that accounts were likely compromised using usernames and passwords from prior breaches. Affected data includes customer names, contact information, Amtrak Guest Rewards account numbers, date of birth, partial payment details (such as partial credit card number and expiration date), gift card info (such as card number and PIN) and other transaction and trip data. In some cases, the hackers took over accounts and changed emails and passwords to lock legitimate users out. Amtrak took quick action to restore accounts and reset passwords and also urged riders to rotate their passwords and implement multifactor authentication.
Blackbaud fined $6.75M for 2020 ransomware attack
South Carolina-based software company Blackbaud has been ordered by the California Attorney General’s Office to pay $6.75 million to settle a ransomware attack that took place in May 2020. The AG’s office said that Blackbaud’s poor security practices were to blame for the attack, including failure to implement multifactor authentication, monitor its network, and encrypt sensitive data. The AG said the company then made misleading statements about its security controls and “extent of the breach,” which affected the private info of 13,000 nonprofits, universities, and hospitals. The press release said Blackbaud violated the Reasonable Data Security Law, Unfair Competition Law, and the False Advertising Law. The fine is part of a broader set of penalties, including a $49.5 million settlement with 49 states and Washington, DC, which we covered on Cyber Security Headlines back in October 2023.
Nearly 20% of Microsoft SQL Servers have passed end of support
Researchers at Lansweeper scanned over a million instances of SQL Server and found that 19.8 percent were now unsupported by Microsoft. To make matters worse, an additional 12% were running SQL Server 2014, which is due to drop out of extended support on July 9. However, customers can pay to continue receiving security updates for SQL Server 2014 for another three years. The scan even detected a few instances of SQL Server 7, which was released back in 1998. The researchers said good luck upgrading a database running on SQL Server 7 to the latest versions. They concluded that it’s tough to entice businesses to upgrade if systems are still working, adding, “It’s only when the house is on fire – when there’s massive vulnerability – that somebody will go care about that.”
Cut & Paste tactics import malware to unwitting victims
Over the past three months, researchers at Proofpoint observed a threat actor (tracked as TA571) using fake pop-up textboxes suggesting an error occurred when trying to open the document or webpage. Instructions then prompt users to copy and paste a malicious PowerShell script into either the PowerShell terminal or the Windows Run dialog box. The script then loads various malware strains, including remote access Trojans (RATs) and infostealers. The researchers said that cybercriminals continue to adopt “increasingly creative attack chains” that employ technical tactics not easily detected by users. They recommend that organizations update their user training to help them identify and report suspicious activity to their security teams.
ONNX phishing service targets financial firms with QR codes
A new robust phishing-as-a-service (PhaaS) platform called ONNX Store is targeting employees at financial firms. The platform operates via Telegram bots to target Microsoft 365 and Office 365 email accounts. The phishing emails impersonate salary updates from human resources (HR) departments as lures to open attached PDFs. The PDFs contain QR codes that, when scanned on a mobile device, bypass phishing protections to route victims to malicious sites mimicking Microsoft 365 login interfaces. Victims are then prompted to enter their login credentials and 2FA token which attackers immediately use to hijack accounts before the token expires. Additionally, ONNX uses Cloudflare services to prevent its domains from being taken down, including an anti-bot CAPTCHA and IP proxying.
Two men plead guilty for hacking into law enforcement portal
Two Rhode Island men, Sagar Steven Singh, 20, and Nicholas Ceraolo, 26, pleaded guilty to hacking into a confidential federal law enforcement database. Prosecutors said both men belonged to an aptly named hacking group called “ViLe” that collected victims’ personal data to harass, threaten or extort them (a practice known as “doxxing”) into paying to have their information removed from ViLe’s public website. According to the press release, Singh used a stolen password belonging to a police officer to access a non-public, password-protected federal law enforcement portal. He then messaged victims, threatening to harm their family if they did not provide login credentials to social media accounts. To prove he had access to sensitive information, Singh included the victim’s Social Security number, driver’s license number and home address. As of Monday, both men have pleaded guilty to charges of computer intrusion conspiracy and aggravated identity theft and face two to seven years in federal prison.






