The Sting Newsletter

March 17, 2023

The Sting 3/17/23

🍀🐝 Happy St. Patrick’s Day from ThreatBee! 🍀 Welcome to the latest edition of our newsletter, “The Sting”, your source for the latest news, trends, and insights in the world of cybersecurity. In this edition, we bring you updates on recent cyber-attacks and data breaches, including the theft of customer records from lender Latitude, the hack of Amazon’s Ring by a ransomware group, and the exposure of 9 million customer accounts in a data breach at an AT&T vendor. We also cover the takedown of a darknet cryptocurrency mixer by the US Department of Justice, part of ongoing efforts to combat illegal activity involving cryptocurrency. Stay informed and stay secure with “The Sting” from ThreatBee.

Security Alert: Recent Data Breaches and Cyberattacks

03/17/2023

Wave Of Stealthy China Cyberattacks Hits U.S., Private Networks, Google Says

State-sponsored hackers from China have developed techniques that evade common cybersecurity tools and enable them to burrow into government and business networks and spy on victims for years without detection, researchers with Alphabet Inc.’s Google found. Over the past year, analysts at Google’s Mandiant division have discovered hacks of systems that aren’t typically the targets of cyber espionage. Instead of infiltrating systems behind the corporate firewall, they are compromising devices on the edge of the network—sometimes firewalls themselves—and targeting software built by companies such as VMware Inc. or Citrix Systems Inc. These products run on computers that don’t typically include antivirus or endpoint detection software. Full Story

Source: The Wall Street Journal

03/17/2023

Staples-Owned Essendant Coping With Security Incident

Deerfield, Ill.-based Essendant, a Staples-owned wholesale distributor of office products, has issued a Security Incident Update on its website. “We want to provide an update on our ongoing investigation into the network outage we experienced on Mar. 6. Immediately upon discovering the incident, Essendant took systems offline to contain the incident, initiated an investigation, and engaged third party forensics and cybersecurity experts to assist in our remediation and investigative efforts. We are in contact with law enforcement about the incident and are cooperating with their investigation. Our investigation has determined that the outage was the result of a ransomware incident. An unauthorized actor has publicly claimed responsibility for this incident. We are continuing to investigate the validity of these claims.” More Information

Source: Cybercrime Magazine

03/16/2023

Hundreds Of Thousands Of Customer Records Stolen From Lender Latitude In Cyber-Attack

Consumer lender Latitude Financial has been hit by a “sophisticated and malicious cyberattack” that has resulted in the theft of more than 100,000 identification documents and 225,000 customer records. The Melbourne, Australia-based non-bank lender, which offers personal loans and credit to customers shopping at such stores as JB Hi-Fi and Harvey Norman, said in a statement to the market that most of the identification documents were copies of driver’s licences. The company said it had detected unusual activity on its systems over the last few days. “While Latitude took immediate action, the attacker was able to obtain Latitude employee login credentials before the incident was isolated,” the company said. Share trading in Latitude has been suspended as the lender tries to contain the incident. Full Story

Source: The Guardian

03/13/2023

Hacked Cyprus Land Registry Website To Be Fully Restored Next Week

The Department of Lands and Surveys is the main authority dealing with the registration of property in the Republic of Cyprus, which has a population of around 1.25 million. Its website should be fully restored next week, as technicians have been grappling with a hack which took place last week. Land registration director Elikkos Elia said that the website will be restored gradually with IT teams working intensely to try and resolve the problem. “Our efforts are going towards restarting some operations this week and expand this the following week, so we are fully operational,” he said. One of the first website functions Elia is aiming to have restored is the filing of sales documents, which he said he hopes can be done this week on a trial basis in Nicosia. Other immediate services the department wants to try and offer include transfers, mortgages and liens, for instance being able to file a deed of sale or a memo against a person. Full Story

Source: CyprusMail

Ransomware at Large: Current and Recent Incidents

03/16/2023

Is Russia Regrouping For Renewed Cyberwar?

As the second year of the Russian war in Ukraine commences, a detailed survey of the cyberattacks used during the first year of the war, and especially new developments Microsoft has observed in recent months, provides hints of what the future of this hybrid war may hold. Since the start of the war, Russia has deployed at least nine new wiper families and two types of ransomware against more than 100 government and private sector Ukrainian organizations. Strong cyber defense partnerships between the public and private sector, and Ukrainian preparedness and resilience, have successfully defended against most of these attacks, but Russian activity continues. In 2023, Russia has stepped up its espionage attacks, targeting organizations in at least 17 European nations, mostly government agencies. Full Story

Source: Microsoft

03/15/2023

Hackers Used Fortra Zero-Day To Steal Sales Data From Cloud Management Giant Rubrik

Cloud data management giant Rubrik confirmed that hackers attacked the company using a vulnerability in a popular file transfer tool. The Clop ransomware group – which has been the primary force behind the exploitation of a vulnerability affecting Fortra’s GoAnywhere Managed File Transfer product – added Rubrik to its list of victims on Mar. 14. A spokesperson for the company directed The Record to a longer statement from Rubrik CISO Michael Mestrovich, which said Clop’s attack began in February. Using the widely-covered zero-day vulnerability affecting GoAnywhere, the hackers gained access to information in one of Rubrik’s non-production IT testing environments. Full Story

Source: The Record

03/15/2023

Ransomware Group Claims Hack Of Amazon’s Ring

A ransomware gang claims to have breached the massively popular security camera company Ring, owned by Amazon. The ransomware gang is threatening to release Ring’s data. Ring told Motherboard it does not have evidence of a breach of its own systems, but said a third-party vendor has been hit with ransomware. “There’s always an option to let us leak your data,” a message posted on the ransomware group’s website reads next to Ring’s logo. The ransomware group claiming responsibility for the attack is ALPHV, whose malware is known as BlackCat. Motherboard verified that a listing naming Ring is currently on ALPHV’s data dump site. ALPHV’s site stands out in that the section which publishes hacked data, called “Collections,” is easier to search than some other hacking groups’ sites. Full Story

Source: Motherboard

The Cryptocrime Scene: A Summary of recent incidents and developments

03/17/2023

Crypto Investment Fraud In The US Hits Record $2.57B – Up 183 Percent YoY

Cryptocurrency investment fraud in the U.S. was up almost 3x year-over-year in 2022 — making investment fraud the “costliest scheme reported,” according to the FBI’s 2022 internet crime report. Crypto investment fraud hit a record $2.57 billion in 2022, compared to $907 million in 2021 — a 183 percent increase on an annual basis. Crypto investment fraud losses made up roughly 25 percent of all money lost to online scams and fraud during 2022 and almost 90 percent of the $3.31 billion lost to online investment fraud. Crypto investment frauds were not limited to online schemes, and some scammers used fake real estate investment opportunities to steal people’s cryptocurrency. Fake employment opportunities were also used to scam people. Full Story

Source: CryptoSlate

03/16/2023

DoJ Investigation Leads To Takedown Of Darknet Cryptocurrency Mixer That Processed Over $3 Billion Of Unlawful Transactions

The Justice Department announced today a coordinated international takedown of ChipMixer, a darknet cryptocurrency “mixing” service responsible for laundering more than $3 billion worth of cryptocurrency, between 2017 and the present, in furtherance of, among other activities, ransomware, darknet market, fraud, cryptocurrency heists and other hacking schemes. The operation involved U.S. federal law enforcement’s court-authorized seizure of two domains that directed users to the ChipMixer service and one Github account, as well as the German Federal Criminal Police’s (the Bundeskriminalamt) seizure of the ChipMixer back-end servers and more than $46 million in cryptocurrency. Coinciding with the ChipMixer takedown efforts, Minh Quốc Nguyễn, 49, of Hanoi, Vietnam, was charged today in Philadelphia with money laundering, operating an unlicensed money transmitting business and identity theft, connected to the operation of ChipMixer. Full Story

Source: U.S. Department of Justice

03/14/2023

Hackers Steal Around $200 Million From Crypto Lender Euler Finance

According to blockchain monitoring firm PeckShield, hackers exploited Euler “in a flurry of transactions” which led to the theft of around $197 million in crypto yesterday. Crypto security firm BlockSec also reported the attack. While this sounds like a lot of money — and it is — it’s only the 26th largest crypto theft ever, according to a website that keeps track of crypto hacks and scams. ZachXBT, an independent researcher who investigates crypto scams and hacks, wrote on Twitter that this is “almost certainly” an attack by malicious hackers, given that the same people were exploiting “some random protocol on [Binance Smart Chain] a few weeks ago and then the funds deposited to Tornado [Cash],” a popular crypto mixing service that has been sanctioned by the U.S. government for allegedly facilitating money laundering. Full Story

Source: TechCrunch

Cybercriminals Brought to Justice: Current and Recent Arrests and Convictions

03/17/2023

North Carolina Man Gets Prison Time For Hacking U.S. Army Soldier’s Snapchat Account, Selling Her Nude Photos

A High Point, N.C. man hacked into the Snapchat account of a U.S. Army soldier stationed at Fort Bragg, sold nude images of her online and conned her friends into sending him money, federal prosecutors say. Patrick Marquez Black, 30, pleaded guilty to two counts of computer fraud and abuse and one count of wire fraud in October. This week a federal judge sentenced the man to 13 months in prison and three years of supervised release. “We are targeting hackers and cybercriminals who invade privacy for cash,” said U.S. Attorney Michael Easley. “Our cyber-prosecutors are partnering with law enforcement to ensure that the world wide web does not become the wild, wild west,” Easley said. Full Story

Source: Spectrum News 1

03/17/2023

Man Who Ran A Website That Illegally Streamed Major League Sports Gets 3 Years Behind Bars

A Minnesota man was sentenced to three years in prison on Mar. 16 for illegally streaming major league sports content to outside third parties. Joshua Streit, also known as Joshua Brody, was arrested in 2021 after an investigation found he had hacked into a Major League Baseball system and attempted to extort $150,000 from the organization. According to the filing, after hacking the Major League Baseball database and communicating with employees, “Streit claimed he knew MLB reporters who were “interested in the story,” and stated that it would be bad if the vulnerability were exposed and MLB was embarrassed.” Federal authorities found that Streit had accessed the computers without authorization and obtained the login credentials for “commercial advantage and private financial gain,” according to a 2021 court filing. Full Story

Source: Gizmodo

03/16/2023

Exiled Chinese Businessman Guo Wengui Busted By FBI In $1 Billion Fraud Scheme

An exiled Chinese billionaire was arrested at his palatial Manhattan apartment Mar. 15 in a billion-dollar fraud scheme. Ho Wan Kwok, aka Guo Wengui and Miles Guo, allegedly duped thousands of online followers out of investments and spent the ill-gotten cash on lavish assets, including a $36,000 mattress, a $26.5 million New Jersey mansion, and a $37 million yacht. Guo amassed a large online following after starting two nonprofits in 2018 that pushed his purported agenda of being critical of the Chinese Communist Party. Guo and a co-conspirator, Kin Ming Je, then set up numerous business entities, including a media group, a loan program, and members-only luxury clubs. The alleged fraudster then sought investments in the businesses and siphoned off more than $1 billion given by thousands of his followers. Full Story

Source: New York Post

03/15/2023

Plaintiff Wins Case Against Hackers After Serving Court Papers Via NFT

A federal judge in Florida has ruled in favor of a plaintiff who sued anonymous hackers and issued formal notice of the legal action via NFT, according to recent court filings. The ruling, a default judgment from Judge Beth Bloom of the U.S. District Court Southern District of Florida, declares that the unidentified hackers are on the hook for the $971,291 worth of USDT (Tether) that they stole from plaintiff Rangan Bandyopadhyay’s Coinbase wallet in Dec. 2021. The perpetrators have been ordered to pay the equivalent amount back to Bandyopadhyay, with the amount set to accrue interest on that debt until it is paid in full. Because of the blockchain, it remains unclear who these digital thieves were, let alone where they reside. That’s why Judge Bloom permitted them to be served via NFT in last week’s case, using the same on-chain addresses they used to steal from Bandyopadhyay. Full Story

Source: Decrypt

03/15/2023

Two Men Charged For Breaching Federal Law Enforcement Database And Posing As Police Officers To Defraud Social Media Companies

A criminal complaint was unsealed Mar. 14 in federal court in Brooklyn charging Sagar Steven Singh and Nicholas Ceraolo with wire fraud and conspiracy to commit computer intrusions. The charges stem from Singh’s and Ceraolo’s efforts to extort victims by threatening to release their personal information online. Singh was arrested yesterday in Pawtucket, R.I., and will make his initial appearance this afternoon in federal court in Providence, R.I. Ceraolo remains at large. In pursuit of victims’ personal information, Singh and Ceraolo unlawfully used a police officer’s stolen password to access a restricted database maintained by a federal law enforcement agency that contains detailed, nonpublic records of narcotics and currency seizures, as well as law enforcement intelligence reports. News Release

Source: U.S. Department of Justice

03/13/2023

26-Year-Old Fraudster Sentenced To 14 Years In Prison

A young man who turned to fraud to fund the lavish lifestyle he craved was sentenced on Mar. 9 to 14 years in federal prison. J. Nicholas Bryant, 26, of Slaton, Texas, pleaded guilty to wire fraud in Nov. 2022. Mr. Bryant engaged in various wire fraud schemes to defraud at least 56 unsuspecting individuals and small businesses during an 18-month crime spree that spanned multiple states. The fruits of his crimes brought him luxury goods and services – including private jet rides, private yacht excursions, and extravagant meals complete with champagne and steak. In many instances, Mr. Bryant manipulated online payment platforms like QuickBooks and Veem to make it appear that payments were forthcoming. The payments never funded. In all, he defrauded and attempted to defraud victims of more than $3.5 million, and successfully racked up nearly $1.2 million in actual losses to the victims, prosecutors said at the sentencing hearing. News Release

Source: U.S. Department of Justice

The Cybercrime and Privacy Landscape: A Summary of Recent Developments and News

03/17/2023

Cyber Attack Prompts Lansing Community College To Cancel Classes

Lansing Community College said it cancelled classes and activities yesterday and today because of a cyberattack. “In response to an ongoing cybersecurity incident, LCC will suspend all college classes, events, practices and activities on Mar. 16 and 17,” the college said in a Tweet. It also said college employees should not report for work. However, employees with the school’s police, information technology, payroll, incident management, facilities, academy, and aviation departments should still report for duty. College officials said they are working with the FBI, the college’s cyber insurance response team and the state police Michigan Cyber Command Center to investigate and resolve the situation, according to MLive. Founded in 1957, LCC has approximately 9,500 students and is one of the largest community colleges in Michigan. Full Story

Source: The Detroit News

03/16/2023

More Than 80,000 Could Be Affected By Data Breach At Tuscaloosa Ambulance Service

A Tuscaloosa, Ala.-based ambulance service is notifying 82,450 patients of a data breach that happened in September 2022 and could have compromised sensitive information including Social Security numbers and insurance data. NorthStar Emergency Medical Services posted a notice on its website and is reaching out to individual patients by mail. NorthStar officials have reported the incident to law enforcement, according to their statement, but have not released information about who might be responsible for the breach. Health providers have become popular targets for hacking. Last year, an ambulance service in New York’s Hudson Valley disclosed it had been targeted in an attack that affected more than 300,000 people. Full Story

Source: AL.com

03/16/2023

IP Firm IPH Is Latest Australian Company To Suffer Data Breach

IPH Ltd, an intellectual property (IP) services provider, reported a data breach in a portion of its IT systems, becoming the latest Australian company to be targeted by hackers. IPH said that on Mar. 13 it detected unauthorised access to document management systems, which include administrative documents, and some client documents and correspondence, at its head office and two member firms. IPH said it is working with external cybersecurity advisers to conduct a forensic investigation and that it has notified the Australian Cyber Security Centre (ACSC) of the incident. IPH shares tumbled 12 percent to A$7.36, in their biggest one-day fall in over three years. They were the biggest loser on Australia’s benchmark S&P/ASX 200 stock index. Full Story

Source: CNA

03/15/2023

UK’s Wymondham College Hit By Sophisticated Cyber Attack

Wymondham College said disruption was likely to continue until the Easter holidays due to its IT system being targeted. The school is working with the Department of Education and the National Cyber Security Centre. The attack has left teaching staff unable to use computer resources and students without access to files. “We fully appreciate that some pupils may be anxious about access to saved resources, including coursework in Years 11 and 13,” the school said. “We are working to safely resolve this and are in communication with the relevant examination boards to replay current information.” The Wymondham, UK-based college is one of only a handful of state boarding schools in the country with students from a huge range of backgrounds and challenging personal circumstances. Full Story

Source: Eastern Daily Press

03/15/2023

Data Breaches Near Historic High

Last year was a banner year for cybercriminals. The 1,802 data compromises reported last year in the U.S. were the second highest reported in a single year, with at least 422 million instances of private data being accessed, including individuals hit multiple times, according to the recently released Identity Theft Resource Center’s 2022 Data Breach Report. It fell only slightly behind 2021, which saw 1,862 compromises. Still, generally speaking, “companies who suffer a cyberattack or data breach are waiting far too long to report them,” says Steve Morgan, founder of Northport-based Cybersecurity Ventures, a cybersecurity industry market researcher. “We’re seeing anywhere from six months to a year.” Reasons include reputational concerns and investor and consumer backlash, he says. Full Story

Source: Newsday

03/14/2023

Ukraine Scrambles To Draft Cyber Law, Legalizing Its Volunteer Hacker Army

Ukraine’s government is drafting a new law to bring its volunteer hacker brigade, the IT Army, into the armed forces, aiming to put an end to uncertainty about its status in a legal gray area that has drawn pointed warnings from the Red Cross. The IT Army of Ukraine has claimed responsibility for cyber attacks such as knocking offline the websites of Russian state media during President Vladimir Putin’s recent annual State of the Nation speech. But the hacktivist group, which has recruited foreign volunteers who need only a computer or a smartphone to join the fight, has also drawn criticism for attacking Russian hospitals and other civilian targets. The IT Army has been held up as an example for other countries. If the law passes, Ukraine would join a handful of other Western nations, led by Finland and Estonia, that have a full-scale reserve cyber force to augment their regular military. Full Story

Source: Newsweek

03/14/2023

Arizona Department Of Economic Security Confirms Data Breach

The Arizona Department of Economic Security says the personal information of some members may have been exposed. DES says it discovered the breach on Jan. 19. The department says a former employee in the Division of Developmental Disabilities had records that contained protected health information such as names, addresses, phone numbers, dates of birth, and Arizona Health Care Cost Containment System (AHCCCS) identification numbers. DES says it notified more than 800 members whose information was confirmed to be included in the data breach. The Department of Economic Security says the records have been returned and disciplinary measures have been taken. Full Story

Source: KOLD News 13

03/14/2023

1M Individuals Impacted By Healthcare Data Breach At Medical Device Company

ZOLL Medical Corporation recently began notifying more than one million individuals of a healthcare data breach. According to its website, ZOLL Medical develops novel resuscitation and acute critical care technology. ZOLL detected suspicious activity within its network on Jan. 28, and immediately took steps to investigate by consulting with third-party security experts and notifying law enforcement. By Feb. 2, ZOLL had determined that names, addresses, Social Security numbers, and birth dates were potentially compromised. The investigation is still ongoing, but ZOLL notified impacted individuals of the incident and offered 24 months of complimentary identity theft protection services. Full Story

Source: Health IT Security

03/14/2023

Hospital In Brussels Latest Victim In Spate Of European Healthcare Cyberattacks

A university hospital in Brussels has become the latest institution targeted in a spate of cyberattacks against European hospitals. Ambulances were diverted from the Centre Hospitalier Universitaire (CHU) Saint-Pierre this weekend following the attack in the early hours of Friday morning. Details about the attack and the perpetrators have not yet been disclosed. CHU Saint-Pierre’s chief executive, Pierre Leroy, told Belgian newspaper Le Soir that the hospital had an emergency plan “specifically established for this type of situation” following previous attacks on other hospitals in Belgium. While staff were initially left working with paper records, the hospital managed to disconnect its servers and restart them by Saturday afternoon (Mar. 11), said Leroy. The servers remain disconnected from the internet, he said. Full Story

Source: The Record

03/13/2023

Russians Warned Of Nuclear Attack After Hackers Break In To Country’s TV Service

Hacked Russian TV and radio stations broadcast startling messages of a nuclear attack and urged residents to put on gas masks and run for cover. On Mar. 9, residents in eastern Russia were told to “take potassium iodide pills” and take shelter immediately during the hacked broadcast, according to a report from Metro. “There was a strike. Urgently go to a shelter,” viewers of TV were told as a map of Russia displayed the country turning red from west to east. “Seal the premises. Use gas masks of all types. In the absence of gas masks, use cotton-gauze bandages.” Screens also displayed a black and yellow radiation warning with a message urging people “immediately to shelter.” The hack was widespread enough that it forced the Russian emergency ministry to respond, releasing a statement assuring residents that a “false air raid alert was broadcast in Moscow after servers of radio stations and TV channels were hacked.” Full Story

Source: Fox News

03/13/2023

Cyberattack On UK’s Gloucester Museum To Cost Nearly £1m, Still Problems

A cyber attack is stopping a museum from accessing its artifact database more than a year after the initial breach. Benefit payments, planning applications and house sales were all delayed when Gloucester City Council was hit by hackers in 2021. A council report has now revealed the Museum of Gloucester is still being affected by the cyber incident. Council officers first became aware their systems had been compromised on Dec. 20, 2021. Gloucester City Council has had to rebuild all of its servers as a result of the attack, which has been linked to Russian hackers. The latest estimate suggests the bill to the taxpayer is approaching the £1m mark. The Museum, situated on Brunswick Road in Gloucester, U.K., is home to a collection of over 750,000 objects of international importance. Full Story

Source: BBC

As we celebrate St. Patrick’s Day, we want to remind you to stay vigilant about your online security. Whether you’re protecting your personal data or securing your home devices, there are steps you can take to minimize your risk of cyber-attacks. Keep your software and devices up to date, use strong passwords and two-factor authentication, be cautious when clicking on links or downloading attachments, use reputable antivirus software, and consider using a VPN to protect your online activity. By staying informed about the latest threats and best practices in cybersecurity, you can help protect yourself and your loved ones. Thanks for reading “The Sting” from ThreatBee, and have a safe and happy St. Patrick’s Day! 🍻🍀
