Cybersecurity News: Blue Shield of California shared private data, FBI IC3 report, Ex-Army sergeant jailed

In today’s cybersecurity news…

Blue Shield of California shared private health data of millions with Google

Health insurer Blue Shield of California confirmed Wednesday that it had shared patients’ private health information with Google since 2021. Blue Shield said it used Google Analytics to track how its customers used its websites, but a misconfiguration caused personal and health information to be collected as well, including member account numbers, claim service dates and providers, patient names, and patients’ financial responsibility. The insurer said that the data sharing stopped in January 2024 and that it is now notifying 4.7 million affected individuals.

(TechCrunch and Bleeping Computer)

The FBI issues its 2024 IC3 report

Yesterday the FBI issued the 25th installment of its annual Internet Crime Complaint Center (IC3) report. The report revealed that IC3 recorded a new high for reported losses last year, reaching an astounding $16.6 billion. IC3 also received over 850,000 complaints, up 33% from 2023. Cyber-enabled fraud accounted for a staggering $13.7 billion of those losses and for 40% of IC3’s complaint volume. People over age 60 suffered the most significant financial losses, coming in at over $4.8 billion, a 43% increase from 2023. To end on a positive note, the FBI said that last year cyber fraud-related arrests increased 700% to 215 through 11 joint operations with other local law enforcement agencies.

(CyberScoop)

Ex-Army sergeant jailed for selling military secrets

On Wednesday, 25-year-old former U.S. Army intelligence analyst Sgt. Korbein Schultz was sentenced for selling classified military information to a foreign national. Authorities said Schultz sent at least 92 sensitive documents to a foreign conspirator, likely connected with the Chinese government, over a period of less than two years in exchange for $42,000. Schultz supplied the conspirator with details on U.S. military exercises in South Korea and the Philippines, and also provided details relevant to Taiwan’s defenses. Additionally, Schultz supplied his contact with helicopter and fighter aircraft manuals, along with tactical combat playbooks. Schultz received a sentence of 7 years in prison, after which he will be required to complete three years of supervised release.

(NYT)

Nintendo is pursuing perpetrator behind major Pokémon leak

Nintendo has asked a California court to force Discord to provide the identity of the person behind last year’s massive Pokémon data breach. Nintendo alleges that, in October of last year, a Discord user called ‘GameFreakOUT’ leaked “confidential materials not released to the public,” including next-generation Pokémon titles, builds of older games, and loads of concept art and lore documents. Nintendo provided a partially redacted screenshot of the Discord server called “FreakLeak,” in which GameFreakOUT posted a file and told users to “enjoy.” Nintendo is seeking the name, address, phone number, and email address of the leaker. While such subpoenas do not always result in a lawsuit, Nintendo has taken Pokémon game leakers to court in the past.

(Polygon)

Huge thanks to our sponsor, Dropzone AI

Security analysts need practical experience to build investigation skills, but getting expert guidance for every alert is impossible. That’s why Dropzone AI created COACH—a free Chrome extension that serves as an AI security mentor for SOC analysts at any level. COACH reads alerts across all major security platforms, explains their context, provides alternative hypotheses, and guides analysts through industry-standard investigation methodologies. Unlike our AI SOC Analyst product, COACH doesn’t do the work for you—it teaches you how to think through investigations yourself. It supplements human mentoring with always-available guidance that respects your data with zero retention. Develop your security team’s skills at Dropzone.ai/coach.

Mandiant report details DPRK threat clusters

A report from Mandiant detailed the activities of multiple threat clusters based in the Democratic People’s Republic of Korea (DPRK). Mandiant said the threat clusters are targeting organizations and individuals in the Web3 and cryptocurrency space using a variety of social engineering techniques. These tactics include posing as investors from reputable companies on Telegram, using job-related lures to trick developers into running malware-laced projects, and conducting large-scale phishing campaigns. Mandiant highlighted that in 2023, North Korean threat actor UNC3782 conducted phishing operations against TRON users and successfully transferred more than $137 million USD worth of assets in a single day. Mandiant said these threat actors, “use their privileged access to steal data and enable cyberattacks, in addition to generating revenue for North Korea.”

(The Hacker News)

Japan warns of unauthorized stock trading via stolen credentials

Japan’s Financial Services Agency (FSA) is warning that attackers are using stolen customer login IDs and passwords harvested from fake financial securities phishing sites. Fraudulent transactions were initially reported in February by two security firms. Now six security firms have reported a total of 3,312 instances of unauthorized access resulting in 1,454 fraudulent transactions to date. The FSA said, “in most cases, the fraudsters gain unauthorized access to the victim’s account, sell the stocks, etc., in the account, and use the proceeds to buy Chinese stocks.” The FSA recommends e-traders look out for fake e-trading advertisements and take precautions including avoiding opening links in emails or texts, proactively bookmarking legitimate trading-related sites, using multifactor authentication (MFA) and enabling account transaction notifications.

(Dark Reading)

Ransomware groups test new business models to increase profits

According to research published by SecureWorks on Wednesday, ransomware-as-a-service schemes are launching new business models to attract affiliates. For example, DragonForce, which launched as a traditional RaaS scheme in August 2023, rebranded itself as a “cartel” last month and has shifted to a distributed model that allows affiliates to use its infrastructure to create their own ‘brands’ and deploy their own malware. Meanwhile, Anubis now offers three monetization schemes for its customers, from traditional encryption attacks (where affiliates pocket 80% of the ransom) to data extortion attacks (60% of the ransom) and simple access monetization (50% of the ransom). Anubis also includes various options and tactics for increasing pressure on victims to pay, including naming them on social media. SecureWorks said these examples highlight how the ransomware ecosystem is evolving. They added, “Understanding how these groups are operating, tooling and monetizing is crucial in deploying the right defenses to secure people and businesses.”

(The Record)

Ripple NPM supply chain attack hunts for private keys

Security firm Aikido discovered that a “sophisticated” attack was carried out Monday evening, involving backdoors installed in five versions of the Ripple ledger (XRPL) official NPM package. XRPL allows devs to build apps using the crypto ledger’s features such as wallet and key management, payment channels, and escrow. Weekly downloads for the popular NPM package hit a high of more than 186,000 in April. The vulnerability has been assigned a critical CVE (CVE-2025-32965, rated 9.3), though the CVE is lacking in details, only indicating that the flaw exists and is connected to the xrpl supply chain attack. Users of affected versions should assume they are compromised and rotate their private keys as soon as possible.

(The Register)
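As an added example (not code from the article, Aikido, or the xrpl project), the following script lists every installed copy of the xrpl package in a package-lock.json, including transitive copies nested under other dependencies, and flags any on a denylist. The article does not give the five affected version numbers, so the denylist holds labelled placeholders to be replaced with the versions from the advisory; the sample lockfiles are constructed.

```python
import json

# PLACEHOLDER: the article does not list the five backdoored xrpl versions; replace
# these with the version numbers from the CVE-2025-32965 / npm advisory before use.
COMPROMISED_XRPL_VERSIONS = {"X.Y.Z-PLACEHOLDER-1", "X.Y.Z-PLACEHOLDER-2"}

def installed_versions(lock_text, name):
    """[(install_path, version)] for every copy of `name` in a package-lock.json:
    the flat v2/v3 "packages" map or the nested v1 "dependencies" tree."""
    lock = json.loads(lock_text)
    found, suffix = [], "node_modules/" + name
    if "packages" in lock:  # lockfileVersion 2 or 3: keys are install paths
        for path, meta in lock["packages"].items():
            if path == suffix or path.endswith("/" + suffix):
                found.append((path, meta.get("version")))
        return found

    def walk(deps, prefix):  # lockfileVersion 1: transitive deps are nested
        for dep, meta in deps.items():
            path = prefix + "node_modules/" + dep
            if dep == name:
                found.append((path, meta.get("version")))
            walk(meta.get("dependencies", {}), path + "/")
    walk(lock.get("dependencies", {}), "")
    return found

def flag_compromised(lock_text, name="xrpl", bad=COMPROMISED_XRPL_VERSIONS):
    """Copies of `name` whose version is on the denylist; an empty list means clean."""
    return [(p, v) for p, v in installed_versions(lock_text, name) if v in bad]

# Constructed sample lockfiles (not real project data); note the nested transitive
# copy under wallet-helper, which a check of only the top-level entry would miss.
SAMPLE_LOCK_V3 = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"xrpl": "^X.Y.Z"}},
    "node_modules/xrpl": {"version": "X.Y.Z-PLACEHOLDER-1"},
    "node_modules/wallet-helper": {"version": "1.0.0"},
    "node_modules/wallet-helper/node_modules/xrpl": {"version": "0.0.1-constructed-clean"},
}})
SAMPLE_LOCK_V1 = json.dumps({"lockfileVersion": 1, "dependencies": {
    "wallet-helper": {"version": "1.0.0",
                      "dependencies": {"xrpl": {"version": "X.Y.Z-PLACEHOLDER-2"}}},
}})

if __name__ == "__main__":
    for lock in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        for path, version in flag_compromised(lock):
            print(f"COMPROMISED: {path} is xrpl@{version}; rotate keys this install could reach")
```

A hit means the host and any key material the application could read should be treated as exposed, in line with the article's advice to rotate private keys.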

Sean Kelly
Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.