Serbian authorities accused of using Cellebrite to spy on journalists
Easily the most widely covered story on Monday, as reports from Amnesty International accuse Serbian authorities of using Cellebrite’s phone-cracking tools in conjunction with a newly discovered spyware, NoviSpy, to target journalists and activists. The spyware is allegedly installed while devices are in police custody, giving remote access to sensitive data and control of the device. Amnesty highlights interviews with 13 people claiming to be directly targeted by the spyware, including a journalist who says his phone started acting strangely after a traffic stop: once released from custody, he found his data and Wi-Fi settings turned off, and spyware was later discovered on the device. Cellebrite denies any involvement in the spyware installation and says it is currently investigating the claims.
(Security Week), (The Hacker News), (CyberScoop), (The Record)
Ransomware attack shuts down Rhode Island’s public assistance system
Rhode Island’s RIBridges system, managed by Deloitte, was hit by a ransomware attack likely tied to the Brain Cipher gang, exposing sensitive data like Social Security numbers and banking details of residents applying for public assistance programs. Some of those assistance programs included Medicaid, Supplemental Nutrition Assistance Program (SNAP), and Child Care Assistance Program (CCAP). The state took the system offline after discovering malware, and Deloitte confirmed a “high probability” of data theft and that affected individuals should reset passwords and monitor accounts. As of this recording, those services are still offline.
(Bleeping Computer), (The Register)
ConnectOnCall breach exposes close to a million patients
Healthcare SaaS company Phreesia is notifying over 910,000 patients of a data breach in its subsidiary ConnectOnCall, a telehealth platform, following an attack between February and May 2024. Exposed data includes communications between a patient and their healthcare provider, names, phone numbers, health conditions, and, in some cases, Social Security numbers. Phreesia has taken ConnectOnCall offline but says its other services, including its patient intake platform, were not compromised.
Ransomware groups exploit zero-day in DrayTek Routers
More than 300 organizations were targeted in a coordinated ransomware campaign exploiting undocumented vulnerabilities in DrayTek Vigor routers, including a potential zero-day flaw. The campaign, identified between August and September 2023, involved multiple threat groups, including Monstrous Mantis, which facilitated credential harvesting and shared stolen access with partners like Ruthless Mantis and LARVA-15. Forescout’s analysis suggests the flaw is related to the mainfunction.cgi web page in DrayTek’s router interface, with new CVE entries confirming vulnerabilities that have gone unpatched for years.
Huge thanks to our sponsor, ThreatLocker

ThreatLocker helps you take a proactive, default-deny approach to cybersecurity and provides a full audit of every action, allowed or blocked, for risk management and compliance. Onboarding and operation are fully supported by their US-based support team.
To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit ThreatLocker.com.
Clop ransomware behind Cleo data theft
Clop ransomware group has claimed responsibility for exploiting zero-day vulnerabilities in Cleo’s file transfer tools, targeting organizations using the Harmony, VLTrader, and LexiCom platforms. The attacks leveraged CVE-2024-50623 and the newly identified CVE-2024-55956, with threat actors deploying the Java-based backdoor “Malichus” to steal data and execute commands. Cleo’s October patch for the initial vulnerability was incomplete, prompting further exploitation and the release of a new fix last week. Despite Clop’s claims, some experts suggest multiple threat groups may be involved, as CISA confirms the vulnerabilities are actively exploited and has added them to its Known Exploited Vulnerabilities catalog.
(Security Week), (Bleeping Computer)
Data theft hits SRP Federal Credit Union
SRP Federal Credit Union is notifying over 240,000 individuals that their personal information was stolen in an attack that occurred between September 5 and November 4, 2024. The stolen data includes names, dates of birth, Social Security numbers, driver’s license numbers, and financial information. While not confirmed, the new ransomware gang on the block, Nitrogen, has claimed responsibility for the attack, claiming to have stolen 650 GB of data from the organization.
South African telecom company refuses ransom, data leaked
The country of Namibia’s state-owned telecom provider confirmed that customer information was leaked following a ransomware attack because “we don’t negotiate with cyber terrorists.” The attackers, identified as Hunters International, leaked over 400,000 files, including personal and financial data, some of which belonged to high-ranking government officials. Telecom Namibia refused to negotiate with the attackers, citing the high ransom demands and the lack of guarantee that the data would not be leaked even if paid.
Auto parts provider business impacted
A cyberattack on LKQ Corporation’s Canadian business unit caused weeks of disruption but is now believed to be contained, according to the company’s recent SEC filing. LKQ, a global auto parts provider with over 45,000 employees, detected unauthorized access to IT systems on November 13. The company says the affected business units are back to close to fully operational; no group has come forward to claim the attack.