Data of 5.7M Gemini users available for sale for 30 BTC on hacking forums

Gemini crypto exchange warned users of an ongoing phishing campaign, after a third-party vendor suffered a security breach. The notification comes after multiple posts on hacker forums seen by BleepingComputer offered to sell a database allegedly from Gemini, containing email addresses and partial phone numbers of 5.7 million users. The company pointed out that its systems were not impacted and customer accounts remain secure.

As a result of the breach, customers of the crypto exchange received phishing emails.

The database appears to have been available for sale since September 2022, when a seller was offering it for 30 bitcoins, or roughly $500,000.

Gemini advised its customers to rely on strong authentication methods and recommended activating two-factor authentication (2FA) protection and/or using hardware security keys to access their accounts.

Read more about it here.

US Health Department warns of Royal Ransomware targeting healthcare organizations

The Health Sector Cybersecurity Coordination Center (HC3), part of the US Department of Health and Human Services (HHS), is warning healthcare organizations of the threat posed by ongoing Royal ransomware attacks.

“Since its appearance, HC3 is aware of attacks against the Healthcare and Public Healthcare (HPH) sector. Due to the historical nature of ransomware victimizing the healthcare community, Royal should be considered a threat to the HPH sector,” says the report.

Royal ransomware was first observed in September 2022. Once a victim is infected, ransom demands have been seen to range anywhere from $250,000 to over $2 million.

Unlike other ransomware operators that run a Ransomware-as-a-Service model, Royal appears to be a private group without any affiliates, while remaining financially motivated.

Once a network has been compromised, they perform activities commonly seen in other operations, including deploying Cobalt Strike for persistence, harvesting credentials, and moving laterally through the network until they ultimately encrypt the files.

Royal is a newer ransomware family, and less is known about its malware and operators than about more established groups.

Read more about it here.

Experts devised a technique to bypass Web Application Firewalls (WAF) of several vendors

Researchers at industrial cybersecurity firm Claroty devised an attack technique for bypassing the Web Application Firewalls (WAF) of several industry-leading vendors. The technique was discovered while conducting an unrelated experiment probing Cambium Networks’ wireless device management platform. The researchers found that they could append legitimate JSON syntax to SQL injection payloads, which prevented the WAFs from recognizing the requests as SQL injection attacks and gave attackers direct access to back-end databases.

The core issue behind this vulnerability was that, in one particular case, the developers did not use a prepared statement when adding user-supplied data to a query. Instead of binding user parameters into the SQL query through a safe, parameterized method and validating the input, they simply concatenated it into the query string directly.
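The root cause named above, string concatenation instead of a prepared statement, is the thing a WAF was being relied on to cover for. The following added example (not Claroty's code, not the vendor's code, and not from the article) shows the two query styles side by side against an in-memory SQLite database, one of the engines the article lists. The table, rows and the constructed probe input are assumptions for illustration; the point is that the parameterized form treats the same input purely as data, so no perimeter filter is needed to keep the query's structure intact.

```python
import sqlite3

# Constructed sample data (assumed for this example, not from the article).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]

# Constructed probe input: a closing quote followed by an always-true clause.
# It is the textbook check for whether untrusted input can change query structure.
PROBE_NAME = "nobody' OR 1=1 --"


def make_db():
    """Build a throwaway in-memory SQLite database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The defect the article describes: user input concatenated into the SQL text.

    The database parser cannot tell where the developer's query ends and the
    user's contribution begins, so a quote in the input rewrites the WHERE clause.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The fix: a prepared (parameterized) statement.

    The SQL text is fixed at '?' and the value is bound separately, so the
    engine never parses the user's string as SQL, whatever characters it holds.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both styles with the same input and report how many rows each returns.

    A mismatch between the two counts is the signal that the concatenated form
    let the input alter the query; the parameterized form is the reference.
    """
    conn = make_db()
    try:
        return {
            "concatenated_rows": len(lookup_vulnerable(conn, name)),
            "parameterized_rows": len(lookup_safe(conn, name)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("benign input:", compare("alice"))      # both styles return 1 row
    print("probe input: ", compare(PROBE_NAME))   # concatenated returns every row, parameterized returns none
```

The `compare` helper is the shape of a quick regression check a team can keep in its test suite: any data-access function that returns more rows for a quote-bearing probe than the parameterized reference does is still building SQL by concatenation, regardless of what the WAF in front of it filters.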

The technique worked against most major relational databases, including PostgreSQL, Microsoft’s MSSQL, MySQL, and SQLite. It allowed attackers to exfiltrate users’ session cookies, SSH keys, password hashes, tokens, and verification codes.

Read more about it here.