US Health Department warns of Royal Ransomware targeting healthcare organizations

The Health Sector Cybersecurity Coordination Center (HC3), part of the US Department of Health and Human Services (HHS), is warning healthcare organizations of the threat posed by ongoing Royal ransomware attacks.

“Since its appearance, HC3 is aware of attacks against the Healthcare and Public Healthcare (HPH) sector. Due to the historical nature of ransomware victimizing the healthcare community, Royal should be considered a threat to the HPH sector.” says the report.

Royal ransomware was first observed in September 2022. Ransom demands made to infected organizations have been seen to range anywhere from $250,000 to over $2 million.

Unlike other ransomware operators that run Ransomware-as-a-Service (RaaS), Royal appears to be a private, financially motivated group that works without affiliates.

Once a network has been compromised, they will perform activities commonly seen from other operations, including deploying Cobalt Strike for persistence, harvesting credentials, and moving laterally through a system until they ultimately encrypt the files.

Royal is a newer ransomware, and less is known about the malware and operators than others.

Read more about it here.

Experts devised a technique to bypass Web Application Firewalls (WAF) of several vendors

Researchers at industrial cybersecurity firm Claroty devised an attack technique for bypassing the Web Application Firewalls (WAF) of several industry-leading vendors. The technique was discovered while conducting an unrelated experiment probing the Cambium Networks’ wireless device management platform. The researchers found they could append legitimate JSON queries to benign SQL code, allowing them to bypass the ability of WAFs to detect SQL injection attacks, and giving attackers the ability to gain direct access to back-end databases.

The core issue of this vulnerability was that in one particular case, the developers did not use a prepared statement to append user-supplied data to a query. Instead of using a safe method of appending user parameters into an SQL query and sanitizing the input, they simply appended it to the query directly.

The technique worked against most major relational databases, including PostgreSQL, Microsoft’s MSSQL, MySQL, and SQLite. Using it, the researchers were able to exfiltrate users’ session cookies, SSH keys, password hashes, tokens, and verification codes.
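The root cause described above is string concatenation of user input into a query. As an added example (not Claroty's or Cambium's code), the snippet below shows that pattern beside a prepared statement on an in-memory SQLite table; the table, rows and test input are constructed here. The point for defenders: with bound parameters the input is never parsed as SQL, so the fix does not depend on what a WAF happens to recognise.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny users table with a session cookie per user
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, session_cookie TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, session_cookie) VALUES (?, ?)",
        [("alice", "cookie-a"), ("bob", "cookie-b")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    # The bug pattern from the article: user-supplied data appended straight
    # into the SQL text, so the database parses it as part of the statement.
    sql = "SELECT name, session_cookie FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Prepared statement: the value is bound by the driver after the statement
    # is compiled, so whatever the string contains, it is compared as data.
    sql = "SELECT name, session_cookie FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed test input: a name that is also valid SQL when concatenated
    hostile = "' OR 1=1 --"
    print("vulnerable:", lookup_vulnerable(db, hostile))  # every row leaks
    print("safe:      ", lookup_safe(db, hostile))        # no row matches
```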

Read more about it here.

WhatsApp data of 500 million users leaked, for sale

Phone numbers of nearly 500 million WhatsApp users are on sale. As reported by Cybernews, on November 16, 2022, a threat actor posted an ad on a hacking community forum, claiming to be selling a 2022 database of 487 million WhatsApp user mobile numbers. The actor claimed that the database contains mobile numbers of active WhatsApp users from 84 different countries. The phone numbers belong to the citizens of Egypt (45 million), Italy (35 million), US (32 million), Saudi Arabia (29 million), France (20 million), Turkey (20 million), UK (11 million), Spain (11 million), Russia (10 million) and Germany (6 million).

The threat actor told Cybernews they were selling the US dataset for $7,000, the UK for $2,500, and Germany for $2,000.

Upon request, the seller of WhatsApp’s database shared a sample of data with Cybernews researchers. There were 1097 UK and 817 US user numbers in the shared sample. Cybernews investigated all the numbers included in the sample, and managed to confirm that all of them are, in fact, WhatsApp users.

WhatsApp is reported to have more than two billion monthly active users globally.

Such information is mostly used by attackers for smishing and vishing attacks, so users should remain wary of any calls from unknown numbers, unsolicited calls and messages from unknown senders.

Read more about it here.

Medibank confirms ransomware attack impacting 9.7 million customers

Australian health insurance giant Medibank said no ransom payment will be made to the criminals responsible for a recent data leak, wherein around 9.7 million current and former customers’ data was compromised. This figure represents around 5.1 million Medibank customers, 2.8 million ahm customers and around 1.8 million international customers.

Medibank confirmed that name, date of birth, address, phone number, and email addresses for around 9.7 million current and former customers were accessed in the data theft. Medibank first announced the cyberattack on October 12.

The health insurer believes the criminals have not accessed primary identity documents, such as drivers’ licenses, for Medibank and ahm resident customers, because it does not collect primary identity documents for resident customers except in exceptional circumstances.

The Australian Federal Police (AFP) later announced that it has identified the criminals.

Read more about it here.

ENISA publishes Threat Landscape Report 2022

The European Union Agency for Cybersecurity, ENISA, has published its 10th annual report on the state of the cybersecurity threat landscape. The report covers the period of April 2021 to July 2022.

The report identifies prime threats, major trends observed with respect to threats, threat actors and attack techniques, and also describes relevant mitigation measures.

Top threats

  • Ransomware:
    • 60% of affected organisations may have paid ransom demands
  • Malware:
    • 66 disclosures of zero-day vulnerabilities observed in 2021
  • Social engineering:
    • Phishing remains a popular technique but we see new forms of phishing arising such as spear-phishing, whaling, smishing and vishing
  • Threats against data:
    • Increasing proportionally to the total amount of data produced
  • Threats against availability:
    • Largest Distributed Denial of Service (DDoS) attack ever was launched in Europe in July 2022;
    • Internet: destruction of infrastructure, outages and rerouting of internet traffic.
  • Disinformation – misinformation:
    • Escalating AI-enabled disinformation, deepfakes and disinformation-as-a-service
  • Supply chain targeting:
    • Third-party incidents account for 17% of the intrusions in 2021 compared to less than 1% in 2020

Main trends

  • Zero-day exploits are the new resource used by cunning threat actors to achieve their goals;
  • A new wave of hacktivism has been observed since the Russia-Ukraine war.
  • DDoS attacks are getting larger and more complex, moving towards mobile networks and the Internet of Things (IoT), which are now being used in cyberwarfare.
  • AI-enabled disinformation and deepfakes: the proliferation of bots modelling personas can easily disrupt the “notice-and-comment” rulemaking process, as well as community interaction, by flooding government agencies with fake content and comments.

Read more about it here.

Woolworths discloses data breach of MyDeal online marketplace

Australian retail giant Woolworths disclosed a data breach that impacted 2.2 million MyDeal customers. In September 2022, Woolworths purchased 80% of MyDeal.

According to the company, a threat actor leveraged a user’s compromised credentials to access the MyDeal customer relationship management (CRM) system.

This gave the attacker access to MyDeal customer data, including name, email address, phone number, delivery address and, in some cases, date of birth. Woolworths said 1.2 million of the impacted customers only had their email address compromised. Payment, driver’s license, or passport details were not accessed, because MyDeal does not store this information. In addition, no customer account passwords were accessed.

Woolworths itself was not impacted by the security breach.

Read more about it here.

Toyota discloses data leak of 300,000 customers’ personal information

Japanese giant Toyota Motor Corporation disclosed in a statement that nearly 300,000 customers may have had their personal data leaked, after a third party mistakenly uploaded part of the T-Connect source code to their GitHub account in December 2017 while the repository was set to public. The source code contained the access key to a data server that stored customer email addresses and management numbers. This made it possible for an unauthorized third party to access the details of 296,019 customers between December 2017 and September 15, 2022, when access to the GitHub repository was restricted.

T-Connect is an app developed by the company that allows car owners to control the vehicle’s infotainment system and monitor access to the vehicle.

The silver lining to the data leak is that customer names, phone numbers, credit cards, etc., were not exposed. With no additional personal information about the user, threat actors cannot tailor their social engineering efforts while carrying out phishing attacks, making them a bit less severe.
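The Toyota incident is a hardcoded credential reaching a public repository. As an added example (not Toyota's code or tooling), the scanner below flags assignments of key-like names to high-entropy string literals, the kind of check that belongs in a pre-commit hook or CI step; the source text it scans, the key names in the pattern and the 3.5-bit entropy threshold are all constructed assumptions.

```python
import math
import re

# Constructed pattern: an assignment of a credential-like name to a quoted
# literal of at least 16 characters. Real scanners carry many more patterns.
KEY_PATTERN = re.compile(
    r"""(?i)\b(access[_-]?key|secret[_-]?key|api[_-]?key|token)\b"""
    r"""\s*[:=]\s*['"]([^'"]{16,})['"]"""
)


def shannon_entropy(value):
    # Bits per character; random keys score high, placeholder words score low.
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_secrets(source, min_entropy=3.5):
    # Returns (line number, matched name, literal) for every likely secret.
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in KEY_PATTERN.finditer(line):
            literal = m.group(2)
            if shannon_entropy(literal) >= min_entropy:
                findings.append((lineno, m.group(1), literal))
    return findings


# Constructed sample source file; the key value is a made-up placeholder.
SAMPLE_SOURCE = '''# constructed sample config, not a real project
DATA_SERVER = "https://data.example.invalid"
ACCESS_KEY = "k9f3b7c2d1e0a4b5c6d7e8f0a1b2c3d4"
SECRET_KEY = "changeme-changeme-changeme"
timeout = 30
'''

if __name__ == "__main__":
    for lineno, name, literal in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} looks like a hardcoded secret")
```

The low-entropy `SECRET_KEY` placeholder is deliberately not reported, which is the usual trade-off such scanners make to keep noise down.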

Read more about it here.

Telstra Telecom has been breached

Telstra Telecom, Australia’s largest telecommunication company, reported on October 4, 2022, that it was the victim of a data breach through a third-party. This occurred nearly two weeks after its main rival, Optus, reported a data breach of its own. In total, the first names, last names and the email addresses of 30,000 Telstra employees and former employees have been leaked on a hacking forum.

“There has been no breach of Telstra’s systems. And no customer account data was involved”, Narelle Devine, the company’s Chief Information Security Officer for the Asia Pacific region, said in a statement.

Read more about it here.

American Airlines has been breached by a phishing attack

American Airlines has recently suffered a data breach. Threat actors compromised a limited number of employee Microsoft 365 email accounts, and as a result gained access to sensitive customer and employee personal information. The information included names, email addresses, passport numbers, date of birth, driver’s license numbers, mailing addresses, phone numbers, and certain medical information.

The company filed a data breach notification letter with Montana’s State Attorney General’s Office on September 16, 2022, disclosing that the breach was discovered in July, approximately two months earlier. The notification reads: “In July 2022 we discovered that an unauthorized actor compromised the email accounts of a limited number of American Airlines team members. Upon discovery of the incident, we secured the applicable email accounts and engaged a third party cybersecurity forensic firm to conduct a forensic investigation to determine the nature and the scope of the incident. Our investigation determined that certain personal information was in the email accounts. We conducted a full eDiscovery exercise and determined some of your personal information may have been contained in the accessed email accounts. We have no evidence to suggest that your personal information was misused.”

The company did not disclose how many customers were impacted by the data breach.

American Airlines employs about 123,000 employees, and makes about 6,800 daily flights to 350 destinations in over 50 countries. It is the world’s largest airline when measured by fleet size, scheduled passengers carried, and revenue per passenger mile.

Read more about it here.

InterContinental Hotels Group has been breached

InterContinental Hotels Group PLC (IHG) disclosed on September 9, 2022 that it had been breached. Parts of its technology systems have been subject to unauthorized activity. The attack significantly disrupted IHG’s booking channels and other applications, which implies that the company may have been subject to a ransomware attack. The attack also impacted third-party sites, such as Expedia and Booking.com.

IHG operates 17 brands, including Regents, InterContinental, Crowne Plaza and Holiday Inn.

Read more about it here.