Ransomware gang targets clean water nonprofit
The ransomware-as-a-service gang Medusa has listed Water for People, a nonprofit organization that helps provide safe drinking water to communities in need around the world, on its darknet leak site. The group is threatening to publish what it has stolen unless it receives a $300,000 ransom. A spokesperson for Water for People has stated that the stolen information dates from before 2021, that the organization’s financial systems were not compromised, and that no business operations were impacted. Last year this same group attacked a municipal water supplier in Italy as well as Toyota Financial Services.
(The Record)
Denmark energy sector attacks likely not Sandworm after all
Research from cybersecurity firm ForeScout suggests that last year’s cyberattacks on the Danish energy sector may not have been a single Sandworm operation but two distinct waves of attacks: one that exploited a security flaw in Zyxel firewalls (CVE-2023-28771), and a separate one in which the attackers used Mirai botnet variants on the infected hosts as an access point. ForeScout stated that not only were the two waves unrelated, it was also “unlikely the work of the state-sponsored group Sandworm owing to the fact the second wave was part of a broader mass exploitation campaign against unpatched Zyxel firewalls.” The perpetrators are currently unknown. A link to the ForeScout report is available in the show notes to this episode.
(The Hacker News and ForeScout)
SEC says X account breach did not lead to further breaches
According to Reuters, the U.S. Securities and Exchange Commission stated on Friday that there was “no evidence to suggest the breach of its X account earlier this week also involved a breach of the agency’s systems, devices, data, or other social media accounts.” CISA, the FBI, and the SEC’s own Inspector General continue to investigate the breach, which a representative from X (formerly Twitter) has said resulted from “an unidentified individual obtaining control of a phone number.” X also said the account did not have two-factor authentication enabled at the time, which is the caveat for anyone relying on a phone number as the sole recovery factor on a high-value account.
(Reuters)
End-of-life Cisco routers targeted by Chinese espionage group
According to SecurityScorecard, a group known as Volt Typhoon, identified as a Chinese government espionage unit, is exploiting Cisco RV320/RV325 routers, which Cisco discontinued in 2019 and for which service and support are scheduled to end on January 31, 2025. The attackers are exploiting two vulnerabilities, CVE-2019-1653 and CVE-2019-1652, both 2019 CVEs that are listed in CISA’s Known Exploited Vulnerabilities catalog. SecurityScorecard says as many as 30% of the RV320/325 devices it observed may have been compromised, a statement based on its observation of frequent connections between those devices and known Volt Typhoon infrastructure.
(The Record)
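As an added example (not SecurityScorecard’s tooling and not part of the original story), the PowerShell below applies the same idea to your own flow data: flag end-of-life RV320/RV325 routers that repeatedly reach a watchlist of indicator addresses. The asset inventory, flow records and watchlist are constructed for illustration and use RFC 5737 documentation addresses, not the indicators from the report; the $MinHits threshold models the “frequent connections” criterion rather than a single hit.

```powershell
# Added example, not SecurityScorecard's code. All inventory, watchlist and flow
# data below is constructed; the addresses are RFC 5737 documentation ranges.
$eolModels = @('RV320', 'RV325')

# Constructed asset inventory: internal address -> device model.
$inventory = @{
    '10.0.0.1' = 'RV325'
    '10.0.0.2' = 'RV320'
    '10.0.0.3' = 'ISR4331'
}

# Constructed watchlist; in practice these come from the vendor report.
$watchlist = @('192.0.2.10', '198.51.100.7')

# Constructed flow records: timestamp,src,dst,dport
$flows = @'
2024-01-12T08:00:01Z,10.0.0.1,192.0.2.10,443
2024-01-12T08:05:11Z,10.0.0.1,192.0.2.10,443
2024-01-12T08:10:21Z,10.0.0.1,192.0.2.10,443
2024-01-12T08:15:31Z,10.0.0.2,203.0.113.5,80
2024-01-12T08:20:41Z,10.0.0.3,198.51.100.7,443
2024-01-12T08:25:51Z,10.0.0.2,198.51.100.7,443
'@ -split '\r?\n' | Where-Object { $_.Trim() } | ConvertFrom-Csv -Header timestamp,src,dst,dport

function Find-SuspectRouters {
    param($Flows, $Inventory, $Watchlist, [int]$MinHits = 2)
    $Flows |
        # Keep only flows from an EOL model to a watchlisted destination.
        Where-Object { $Inventory[$_.src] -in $eolModels -and $_.dst -in $Watchlist } |
        # Group per device/indicator pair and require repeated contact.
        Group-Object src, dst |
        Where-Object { $_.Count -ge $MinHits } |
        ForEach-Object {
            [pscustomobject]@{
                Device    = $_.Group[0].src
                Model     = $Inventory[$_.Group[0].src]
                Indicator = $_.Group[0].dst
                Hits      = $_.Count
                FirstSeen = ($_.Group | Sort-Object timestamp)[0].timestamp
            }
        }
}

# With the constructed data, only 10.0.0.1 (RV325, 3 hits to 192.0.2.10) is flagged:
# 10.0.0.2 has a single hit and 10.0.0.3 is not an EOL model.
Find-SuspectRouters -Flows $flows -Inventory $inventory -Watchlist $watchlist | Format-Table -AutoSize
```

The inventory lookup is the weak point: a router that is missing from the inventory is never classified, so this check is only as good as the asset list, and a device that is already compromised may beacon on an interval long enough to fall under $MinHits in a short capture window.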
Huge thanks to this week’s episode sponsor, Savvy Security
Hacker uses a million virtual servers to mine crypto
Europol and Ukrainian police have arrested a 29-year-old man in Ukraine who used hacked cloud accounts to create one million virtual servers, which were then used to mine $2 million in cryptocurrency. One report of the investigation and arrest, published by the Ukrainian police, stated that the suspect had used automated tools to brute force the passwords of 1,500 accounts of “a subsidiary of one of the world’s largest e-commerce entities.” He then used those accounts to obtain administrative privileges, which he used to create more than one million virtual machines for crypto mining.
(Bleeping Computer)
Microsoft releases fix for Windows 10 BitLocker patch failure
Following up on a story we brought you on Thursday, Microsoft has now released a PowerShell script that automates updating the Windows Recovery Environment (WinRE) partition to fix CVE-2024-20666, a vulnerability that allowed BitLocker encryption to be bypassed through WinRE. Industry media reported last week that the initial fix, KB5034441 released as part of Patch Tuesday, failed with error 0x80070643 on systems whose recovery partition did not have enough free space for the updated WinRE image, with little in the way of easy recourse. A link to the Microsoft fix page is also available in the show notes to this episode.
(Bleeping Computer and Microsoft)
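As an added pre-flight check (example code, not Microsoft’s update script), the PowerShell below reads WinRE status from reagentc and reports the size and free space of each recovery partition, so the free-space failure can be caught before the update script is run. Run it from an elevated prompt. The $MinFreeMB default of 250 MB is an assumed threshold for illustration; use the value given in Microsoft’s guidance for the KB you are applying.

```powershell
# Added example, not Microsoft's script. Requires an elevated prompt.
# $MinFreeMB is an assumed threshold; take the real value from Microsoft's guidance.
param([int]$MinFreeMB = 250)

# reagentc is the built-in WinRE configuration tool; parse its status output.
$info     = reagentc /info 2>&1 | Out-String
$enabled  = $info -match 'Windows RE status:\s+Enabled'
$location = if ($info -match 'Windows RE location:\s+(\S+)') { $Matches[1] } else { $null }

Write-Host "WinRE enabled : $enabled"
Write-Host "WinRE location: $location"

# Recovery partitions: GPT uses the Windows Recovery partition GUID, MBR reports Type 'Recovery'.
$recoveryGuid = '{de94bba4-06d1-4d40-a16b-3a28d0e03d30}'
$parts = Get-Partition | Where-Object { $_.Type -eq 'Recovery' -or $_.GptType -eq $recoveryGuid }

if (-not $parts) {
    Write-Warning 'No recovery partition found; WinRE may live inside the OS volume instead.'
    return
}

$ok = $true
foreach ($p in $parts) {
    # Recovery partitions have no drive letter, so look the volume up by partition object.
    $vol    = Get-Volume -Partition $p -ErrorAction SilentlyContinue
    $sizeMB = [math]::Round($p.Size / 1MB)
    $freeMB = if ($vol) { [math]::Round($vol.SizeRemaining / 1MB) } else { -1 }

    Write-Host ("Disk {0} partition {1}: {2} MB total, {3} MB free" -f `
        $p.DiskNumber, $p.PartitionNumber, $sizeMB, $freeMB)

    if ($freeMB -lt 0) {
        Write-Warning 'Could not read free space for this partition; check it manually.'
        $ok = $false
    } elseif ($freeMB -lt $MinFreeMB) {
        Write-Warning ("Less than {0} MB free; resize the recovery partition before running the update script." -f $MinFreeMB)
        $ok = $false
    }
}

if ($ok -and $enabled) {
    Write-Host 'Pre-flight OK: run the Microsoft WinRE update script.'
} elseif (-not $enabled) {
    Write-Warning 'WinRE is disabled; the update script needs it enabled (reagentc /enable).'
}
```

If the script reports a short recovery partition, resizing it before the update avoids the 0x80070643 failure instead of discovering it after Windows Update has already tried and marked the patch as failed.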
Last week in ransomware
Last week saw another large mortgage lender, loanDepot, confirming that the cyberattack it suffered was indeed ransomware. It joins a prominent group that includes Mr. Cooper, First American Financial and Fidelity National Financial. Other ransomware victims last week included the Toronto Zoo, Paraguay’s largest mobile carrier, Tigo Business, and the Capital Health hospital network, which was allegedly attacked by LockBit. We saw reports of ransomware operators upping their extortion game by swatting company executives and hospital patients, while the New York Attorney General laid down the law with the Hudson Valley’s Refuah Health Center, demanding that it invest in better cybersecurity measures. Finland sent out warnings to companies in that country regarding the prevalence of Akira ransomware. Meanwhile Dutch police, working in concert with Cisco Talos, were able to arrest a ransomware operator and recover decryption keys, which they handed over to Avast to allow victims of the Babuk-based Tortilla ransomware to recover their files for free.
(Bleeping Computer and Cyber Security Headlines)