Cybersecurity News: Planned Parenthood cyberattack, DoJ propaganda takedown, Microchip Technology theft

In today’s cybersecurity news…

Planned Parenthood cyberattack

Officials from the nonprofit agency have confirmed that a cyberattack has impacted its IT systems, forcing it to take parts of its infrastructure offline. The attack occurred on August 28. The RansomHub group has claimed responsibility and is threatening to leak 93GB of data in six days. They have already published a selection of confidential documents on their leak site as proof.

(BleepingComputer)

DOJ seizes 32 propaganda domains in disinformation crackdown

This past Wednesday, the Department of Justice announced the seizure of “32 internet domains used by a pro-Russian propaganda operation called Doppelganger.” The companies behind the domains are accused of violating U.S. money laundering and criminal trademark laws. The sites using the domains contained messaging to “reduce international support for Ukraine, bolster pro-Russian policies and interests, and influence voters in the U.S. and other countries.” A list of the domains, many of which resemble legitimate media outlets, is available in the show notes to this episode.

(The Hacker News)

Microchip Technology confirms theft of personal information

The August attack on the U.S. semiconductor supplier, which was later claimed to have been executed by the Play ransomware group, has now been confirmed as having involved theft of company information, some of which has since been posted online. This includes employee IDs, financial documents and even some encrypted and hashed passwords. Spokespeople for the company state that they have restored critical IT systems and have resumed order processing and product shipping but have yet to determine the full extent of the incident and whether the attack would have a material impact on its financial condition or results of operations.

(Security Week)

OnlyFans malware spins a duplicitous web

Researchers at security firm Veriti have discovered a new distribution mechanism for infostealer malware: a “checker” tool used by hackers to validate stolen credentials. The OnlyFans connection comes from the fact that the checker tool provides cybercriminals with the ability to “validate OnlyFans logins, check account balances, verify if accounts have payment methods attached and determine if accounts have creator privileges.” However, Veriti says this same checker tool is also a delivery mechanism for Lumma Stealer, which buries itself deep within the systems owned by other cybercriminals. The checker tool has also been used on hackers who target accounts on Disney+ and Instagram.

(InfoSecurity Magazine)

DOJ indicts two RT employees for election disinformation

Charges of “conspiracy to violate the Foreign Agents Registration Act (FARA) and conspiracy to commit money laundering” have been laid against two Russian nationals who are employees of the Russian state media group RT (formerly known as Russia Today). This is in relation to the use of a U.S. content company, “identified in reports as right-wing site Tenet Media,” to post election-related Russian propaganda across a range of social media channels. The two individuals assisted in funneling $9.7m to the company via shell companies in Turkey, the United Arab Emirates and Mauritius. They also posed as external editors, editing the U.S. firm’s content and monitoring funding and hiring.

(InfoSecurity Magazine)

Indictments follow swatting attack on CISA boss Easterly

Following up on the story from last December in which a swatting attack targeted the home of Jen Easterly, two individuals have now been identified as instigating this attack along with about 100 other threats against U.S. politicians, members of Congress and senior Federal law enforcement officials. The two individuals, both in their 20s, are from Romania and Serbia.

(The Record)

Cisco issues patches for smart licensing utility

These patches deal with two issues regarding the company’s Smart Licensing Utility. The first would allow unauthenticated attackers to access sensitive information or to log in as administrators. It exists due to “an undocumented static user credential for an administrative account present in the Utility.” The second issue is due to “excessive verbosity in a debug log file, which could allow an attacker to send a crafted HTTP request and obtain log files containing sensitive data, including credentials.” Since there are no workarounds available, Cisco recommends migrating to Smart Licensing Utility version 2.3.0.

(Security Week)

DrayTek added to CISA KEV catalog

The addition to the Known Exploited Vulnerabilities catalog refers to DrayTek VigorConnect, management software for DrayTek network equipment. Its flaws, which were discovered by researchers at Tenable in 2021, are described as “path traversal issues that can allow an unauthenticated attacker to download arbitrary files from the underlying operating system with root privileges.” They were patched in October 2021. Researchers at FortiGuard Labs say they have seen the vulnerability being exploited this year in “a worldwide campaign targeting various industries, including finance payroll, networking, manufacturing, real estate, telecom, technology storage, software and hardware companies.” They do not believe that these recent attacks are the work of a specific group, but rather “multiple threat actor groups trying to exploit this vulnerability to exfiltrate data from affected organizations.”

(Security Week)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.