Columbia hack, hunger relief ransomware, Qantas breach | #ransomware | #cybercrime


Today on CISO Series…

On Defense in Depth, “What’s the Most Efficient Way to Rate Third Party Vendors?”


In today’s cybersecurity news…

Student data lost in Columbia University hack

Bloomberg sources say a cyberattack against a prominent university in June was able to exfiltrate student application data from at least as far back as 2019. A source reviewing a subset of the data found over 2.5 million applications, including names, student ID numbers, citizenship information, and application decisions. The alleged threat actor contacted Bloomberg, claiming they obtained roughly 460 gigabytes of data, including financial aid packages and 1.8 million Social Security numbers. They claimed the attack was politically motivated, seeking to find evidence that Columbia maintained admission practices barred by the Supreme Court in 2023.

(Bloomberg, Columbia Spectator)

German hunger relief charity hit by ransomware

In search of the answer to the age-old question, "how low can you go?", the Rhysida ransomware group has targeted Welthungerhilfe (WHH), one of Germany's largest hunger relief charities, demanding over $2 million and effectively stealing food from the mouths of the hungry. WHH has refused to pay, shut down affected systems, and brought in cybersecurity experts. Aid operations continue uninterrupted, and there is no current evidence that donor data was compromised. The same group has previously attacked hospitals and disability nonprofits, continuing a deliberate pattern of exploiting those who serve the most vulnerable.

Qantas contact center breached

The Australian airline disclosed that it first detected unusual network activity on June 30th. An initial investigation found that the threat actors gained access through a third-party customer servicing platform, obtaining customer names, email addresses, and frequent flyer numbers. Qantas did not specify the number of impacted customers, but local media report that the figure could be as high as six million people. The airline said the attack did not impact operations and that no financial or passport information was accessed.

WordPress plugin flaw opens the door to site takeover

The Forminator Forms plugin is active on over 600,000 WordPress sites, offering a drag-and-drop visual builder for form-based content. Security researcher "Phat RiO – BlueRock" discovered a flaw in how the plugin validates and sanitizes submitted input: it does not check whether a given field is actually meant to hold a file before treating the field's value as a file path. An attacker can therefore submit an entry whose recorded file path points at a core file such as wp-config.php. Forminator is often configured to auto-delete old submissions, and when it purges such an entry it deletes the referenced file along with it. Removing wp-config.php drops the site back into its setup stage, where an attacker can attempt a takeover. After the researcher contacted the developers, a patch was released on June 30th, but only about a third of installs have updated since its release.
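As an added illustration of this bug class (not Forminator's own code, which the report does not reproduce), the block below shows the unsafe "trust the stored path and unlink it" pattern beside a hardened cleanup routine that confines deletions to the uploads tree. The function names, the `$uploadsDir`/`$storedPath` parameters and the temporary directory layout are assumptions made for the demo; in a real plugin the base directory would come from `wp_upload_dir()['basedir']`.

```php
<?php
// Added example (not Forminator's code): arbitrary file deletion through a stored
// submission path, and a hardened delete that confines itself to the uploads tree.
// $uploadsDir, $storedPath and the function names are assumptions for this demo.

// Vulnerable pattern: trust whatever path was recorded with the submission.
function vulnerable_delete_submission_file(string $storedPath): bool
{
    return @unlink($storedPath);
}

// Hardened: canonicalise both paths (realpath also resolves symlinks) and
// refuse anything that does not sit strictly inside the uploads directory.
function safe_delete_submission_file(string $uploadsDir, string $storedPath): bool
{
    $base   = realpath($uploadsDir);
    $target = realpath($storedPath);
    if ($base === false || $target === false) {
        return false;            // base must exist; dangling targets are ignored
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $base, strlen($base)) !== 0) {
        return false;            // e.g. uploads/../wp-config.php resolves outside
    }
    if (!is_file($target)) {
        return false;            // never unlink directories or special files
    }
    return unlink($target);
}

// Constructed layout standing in for a WordPress install:
//   <root>/wp-config.php                        (core file the attacker targets)
//   <root>/uploads/forminator/submission-1.pdf  (legitimate submission upload)
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fmn-demo-' . getmypid();
$uploads = $root . '/uploads';
mkdir($uploads . '/forminator', 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // stand-in for the real config\n");
file_put_contents($uploads . '/forminator/submission-1.pdf', 'legit upload');

// Attacker-controlled "file" value submitted in a non-file field, aimed at the core file.
$attackerPath = $uploads . '/forminator/../../wp-config.php';

// Hardened routine: the traversal is rejected and the config survives.
$rejected     = safe_delete_submission_file($uploads, $attackerPath) === false;
$configIntact = file_exists($root . '/wp-config.php');
printf("traversal rejected: %s, wp-config.php intact: %s\n",
    $rejected ? 'yes' : 'no', $configIntact ? 'yes' : 'no');

// Legitimate cleanup of a real upload still works.
$cleaned = safe_delete_submission_file($uploads, $uploads . '/forminator/submission-1.pdf');
printf("legitimate upload deleted: %s\n", $cleaned ? 'yes' : 'no');

// Vulnerable routine: the same attacker value deletes the config outright.
vulnerable_delete_submission_file($attackerPath);
printf("after vulnerable delete, wp-config.php intact: %s\n",
    file_exists($root . '/wp-config.php') ? 'yes' : 'no');

// Tidy up the temporary tree.
@unlink($root . '/wp-config.php');
rmdir($uploads . '/forminator');
rmdir($uploads);
rmdir($root);
```

Two design points worth keeping: the containment check is done on `realpath()` output, so a symlink planted inside the uploads folder that points at wp-config.php is resolved and rejected as well, and the prefix comparison includes the trailing separator so that a sibling directory such as `uploads-evil/` does not pass as "inside" `uploads/`. In a plugin, the stronger fix is to never store a user-supplied path at all and instead delete only files the plugin itself named when the upload was saved.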


Arrests reign in Spain over data leak pain

Spanish police arrested two individuals in Las Palmas for alleged cybercriminal activity that obtained data on high-ranking state officials and journalists. Police described the activity as a “serious threat to national security,” with the two leaking samples of the data online as they attempted to sell it. One suspect is reported to specialize in data exfiltration, while the other managed the sale of that data and obscured cryptocurrency transactions. Police raids also obtained electronic devices, which authorities hope will lead to more co-conspirators or buyers of the data. 

Android SMS stealer hits Uzbekistan

Researchers at Group-IB identified a novel Android SMS stealer dubbed Qwizzserial that has infected almost 100,000 devices in Uzbekistan. Qwizzserial spreads through Telegram channels, with threat actors posing as government agents distributing malicious apps with names like "Presidential Support" or "Financial Assistance." Once installed, Qwizzserial harvests phone numbers, bank card numbers, SMS one-time authentication codes, and SIM card information. Initially the researchers saw this data exfiltrated through Telegram bots, but newer variants send it to a gate server via HTTP POST requests. The researchers note that Uzbekistan's digital payments system overwhelmingly depends on SMS as its authentication layer, which is what makes an SMS stealer so effective there.

French government impacted by Ivanti hacks

Ahhh, the Ivanti Cloud Service Appliance vulnerabilities, the flaws that keep on giving. France's cybersecurity agency, ANSSI, issued a report finding that a campaign used these vulnerabilities to target "organizations from governmental, telecommunications, media, finance, and transport sectors." ANSSI linked the attacks to the threat actor it tracks as Houken, which overlaps with the group Mandiant calls UNC5174, believed to be a contractor for China's Ministry of State Security. The agency assessed that the attacks were designed to exfiltrate data the group could then sell to state intelligence agencies.

Clone Wars: Crypto Wallets

Hackers uploaded over 40 cloned crypto wallet extensions to the Firefox add-on store, mimicking trusted tools like MetaMask and Coinbase. The extensions appeared legitimate but contained hidden code that captured users' recovery phrases, allowing attackers to drain funds; one victim reported losing over $4,000. The listings used fake five-star reviews to boost credibility. Mozilla has since implemented a system to flag and manually review suspicious crypto add-ons, but many of the malicious clones remained live for weeks.


Subscribe to Cyber Security Headlines podcast

Spotify, Apple Podcasts, YouTube, RSS link, Amazon Music, add as an Alexa Skill, or search “Cyber Security Headlines” on your favorite podcast app.


