Cybersecurity Roundup for August–September 2024
“There appears to have been a data security incident that may have involved some of your personal information.”
This is background-check provider National Public Data finally admitting to a hack of their system starting in late December of last year, with leaks in April and this summer. But word first broke through Bloomberg, from a class action suit about the breach.
What’s at stake is 2.9 billion records of stolen data that supposedly contain information from the entire population of the US, Canada, and more. This includes email addresses, home addresses, names, social security numbers, and other personal information — at least some of which has been verified to be accurate, but it may not all be reliable.
This is just the latest in the seemingly endless cascade of user data flowing from the Internet to criminals who are working to profit from it. And while we’ve often covered businesses losing customer data, this comes from a data aggregator who gathered it themselves from other sources.
In this week’s cybersecurity roundup for August and September, we look at: the big breaches and changes in ransomware attacks in 2024, new attack types, a survey of corporate readiness, and what’s brewing in international cybercrime.
With so many cybersecurity threats and attack surfaces available, let us help you keep up with the cyberattack news as we close out the summer of 2024!
Ransomware/Breaches
In a profile of security consultant Troy Hunt’s popular website Have I Been Pwned?, Scientific American writer Ben Guarino references stunning statistics: the website has more than 6 billion unique email addresses, and each account has been breached, on average, twice. This site allows users to enter email addresses to check exposure, a service that is increasingly in need with each passing month.
And while that stat may be mind-boggling, results from a recent study by the University of Minnesota are more heartbreaking, finding that hospitals that experience severe ransomware attacks witness an increased mortality rate between 36–55%, which is even higher for patients of color (62–73%).
Overall, ransomware attacks by volume have been down, but by the ransoms demanded (and paid) they’ve been way up, showing that attackers are focusing on fewer, bigger targets, many of which, unfortunately, are in healthcare.
These numbers climb daily — since we built the visuals above just days ago, attacks this month climbed to 268, with the known, data-leaking ransomware attacks up to 3,534 at the time of publication.
Ransomware attackers have new toolsets to draw on, too, with the FBI and CISA putting out an advisory on RansomHub, a new ransomware-as-a-service (RaaS) provider with an array of options (phishing, password brute force attacks, more than nine known exploits in internet-facing systems, credentials dumping, lateral movement, and at least seven tools for exfiltrating data, from PuTTY to WinSCP to AWS S3 tools). According to the Cybernews, RansomHub claims one victim every day on average.
Significant data breaches hitting the news in August and September 2024 include:
- National Public Data Breach: As we leadled with, hackers stole 2.9 billion records of personal data from citizens of the US, Canada, and Britain. This includes legitimate social security numbers and an enormous percentage of the population, so everyone should freeze their credit at the major reporting agencies (Equifax, Experian, and TransUnion) ASAP. This is free, and relatively easy, and prevents criminals from opening new accounts in your name. As security expert and former reporter Brian Krebs points out on his blog Krebs on Security, there’s plenty of information out there to enable identity theft, so if you haven’t been targeted to date, they probably just haven’t gotten around to you yet.
- Port of Seattle: Rhysida (RaaS) ransomware was used to encrypt data and take down systems in late August, paralyzing baggage, check-in, parking, and other systems. The government agency that runs it refused to pay the ransom, getting most systems back online within a week. It remains to be seen what data will surface, with the port being a bold adopter of machine learning in their automation processes.
- Service Bridge Leaks 32 Million Documents: Security researcher Jeremiah Fowler revealed his discovery of an open database of 2.68TB of ServiceBridge customer data. Accessible without passwords or authentication, it includes work orders, partial credit card data, usernames, email addresses, phone numbers, and even HIPAA consent forms with health information, dating back to 2012 and spanning a stunning array of businesses. And while it’s since been secured, it’s unclear how long it remained so open, indicating likely fraud coming for both businesses and individuals.
- Disney’s Leak Get Worse: We wrote last time about the Disney cybersecurity breakdown, and over the two months, things have gotten worse, with the Wall Street Journal reporting that stolen data includes financial and strategy information, personally identifiable data for staff and customers, including even passport numbers, visa details, and more. It spans offerings from the Disney Cruise Lines to services like ESPN+, including even some user login credentials.
- Halliburton Hacked: Multinational oil services company Halliburton confirmed a Reuters report from late August that they’d taken services offline after hackers gained access to systems and immediately activated their response plan. In September, they filed with government regulators, confirming that data was also exfiltrated. TechCrunch reported on the ransom note, saying that RansomHub was taking credit, though the amount and ramification of this hack remain unknown.
- Microsoft Warns of Healthcare Attacks: In late September, Microsoft’s threat intelligence warned of the Vanilla Tempest group attacking US healthcare providers with INC (another RaaS). Tempest frequently uses different RaaS providers to attack US healthcare, education, and manufacturing, and it remains to be seen who has been targeted this time.
On Attack Types and Readiness
In addition to the proliferation of methods we’re familiar with, cybersecurity awareness must always extend to the ever-growing new (or updated/amalgamated) forms of attack, repurposing techniques used by the private sector.
Google’s Threat Analysis Group (TAG) in August profiled a specific form of watering hole attack from Russia’s Cozy Bear gang that mimics tools used by commercial spyware vendors Intellexa and NSO. If a vulnerable device even just loads an infected website, it can be hacked, taking advantage of unpatched devices.
Another example (profiled in depth by Seguranca Informatica in late August) uses Microsoft Office documents (Word or Excel), well disguised as financial reports. Once opened, VBA macros write a DLL to disk which, once in memory, downloads a BAT file from server (along with private key) to open an SSH backdoor. It executes a Cobalt Strike beacon through legitimate Windows processes, allowing it to keep control and stay hidden.
Speaking of Windows, at the Black Hat security conference in early August, researchers from SafeBreach revealed a vulnerability that could allow hackers to roll back your version of the OS, exposing old vulnerabilities including even the capacity to take control of the machine. Microsoft has acknowledged the flaw and is working on the fix now.
Popular website-crafting service WordPress has suffered a vulnerability from yet another widely used plugin (WPML, for multilingual sites). According to Cybernews, this is the third WordPress plugin needing an urgent update in just the last two weeks. A patch was released in August, but the vulnerability extended to over a million websites worldwide.
[For more on WordPress and alternative website solutions, check out this edition of The PTP Report.]
In terms of readiness, the Cybernews Business Digital Index of 1000 global companies (financial and healthcare sectors) was released in September, with 63% of those examined receiving a D rating and 40% an F. Only 11% received an A, with common the most common issues being:
Making matters worse, they found that 35% have high-risk vulnerabilities, with 49% having employees still reusing compromised passwords.
International/Governance Corner
In addition to the Port of Seattle (see above), Check Point Research determined that US utilities are dealing with more than a 70% increase in cyberattacks this year, showing the surging threat to infrastructure. So far these haven’t yet crippled systems at scale, but the possibility remains from a sufficiently coordinated strike.
With elections occurring all over the world in 2024, attacks and misinformation have been rampant, and the US is no exception, with them occurring to both candidates and from a wide variety of nations, including waves of Russian cyberattacks, as well as China, Iran, and North Korea.
North Korea also made cybersecurity news for fake job-themed lures looking to plant malware on the machines of workers in aerospace and energy. Posing as recruiters from major companies, they deliver the malware via PDF (supposedly containing job descriptions) or even online coding challenges. They frequently use existing job descriptions but tailor them to perfectly fit the desired target.
This joins with approaches we covered previously that work in the reverse, with agents looking to get hired by security vendors. Once hired, they immediately turn around and hack their new company.
Conclusion
There’s much more to report on than we even have the space for, including cybersecurity regulations, the US prisoner exchange with Russia that included (for the first time) hackers, and law enforcement successes with Chinese hacking groups the Ghost cybercrime platform.
It’s no surprise that profits are surging for many cybersecurity firms, too, with companies like Avast, Datadog, Palo Alto Networks, and Fortinet beating financial estimates over the period.
But showing the scale and reach of these ongoing attacks, even Fortinet was breached, confirming in September a leak of some 440GB of customer data from a shared third-party cloud drive after they declined to pay a ransom.
This concludes our coverage for now, but if you have need of cybersecurity experts, or are game to join the fight yourself, contact PTP for onsite or remote consultants!
You can also catch up on our prior bi-monthly roundups here:
References
Security Incident, National Public Data
What Giant Data Breaches Mean for You, Scientific American
NationalPublicData.com Hack Exposes a Nation’s Data, Krebs on Security
#StopRansomware: RansomHub Ransomware, CISA
Ransomware newcomer RansomHub claiming one victim per day, Cybernews
2 TB of Sensitive “ServiceBridge” Records Exposed in Cloud Misconfiguration, HackRead
Port of Seattle says August cyberattack was Rhysida ransomware, CSO
Leaked Disney data reveals financial and strategy secrets, WSJ reports, Reuters
Halliburton confirms data was stolen in ongoing cyberattack, TechCrunch
State-backed attackers and commercial surveillance vendors repeatedly use the same exploits, Google TAG Updates
A Flaw in Windows Update Opens the Door to Zombie Exploits, Wired
Microsoft warns of ransomware attacks on US healthcare, CSO
Cybernews Business Digital Index reveals major shortcomings in corporate customer data security, Cybernews
Cyberattacks on US utilities surged 70% this year, says Check Point, Reuters
North Korean Hackers Lure Critical Infrastructure Employees With Fake Jobs, Security Week
Fortinet confirms breach that likely leaked 440GB of customer data, CSO
Source: PTechPartners.com