At a glance.
- Sodinokibi evolves into a possible point-of-sale and paycard threat.
- North Shore Pain Management discloses breach.
- MaxLinear hit with Maze ransomware.
- Stalker (the MMO game) is breached.
- Indiabulls sustains ransomware attack.
- A look at "the invisible god of networks."
- BlueLeaks update.
Sodinokibi evolves into a possible point-of-sale and paycard threat.
Researchers at Symantec’s Critical Attack Discovery and Intelligence Team this morning reported a couple of new wrinkles in the Sodinokibi (REvil) ransomware. First, the gang is using Cobalt Strike, the commercial adversary-emulation framework that criminal operators have widely adopted as a commodity loader, to deliver its payload. Second, on some victims’ networks the operators are also scanning for point-of-sale or paycard management software. This second activity is ambiguous but suggestive of a further direction in the malware’s evolution. They could be attempting to encrypt point-of-sale data, or they could be interested in diversifying their revenue stream through some carding on the side.
That would be consistent with the recent tendency of ransomware to steal data for either leverage or resale in addition to simply encrypting it. It’s worth noting that, even confined to traditional extortion by encryption, Sodinokibi is asking a lot from its victims. Symantec says that their current demands are $50,000 (in Monero, of course) if the victim pays up within the first three hours of infection. After that the ransom goes up to $100,000.
North Shore Pain Management discloses breach.
Massachusetts-based healthcare provider North Shore Pain Management has disclosed a data breach that affects the confidentiality of patient records. "On April 21, 2020, NSPM became aware that an unauthorized person gained access to the NSPM system and acquired some of our files on April 16, 2020." Patients who paid North Shore between August 1, 2014, and April 16, 2020 were affected. The information exposed includes patients' names, dates of birth, Social Security numbers (where an insurer used the number as a member identification number), health insurance information, financial information (for patients who paid by check, paycard, or account transfer), and, finally, clinical information about the care received, "including diagnosis and treatment information and, in limited instances, ultrasound or MRI images." North Shore Pain Management has established a help line for affected patients and is offering complimentary credit monitoring to those whose Social Security numbers were compromised.
MaxLinear hit with Maze ransomware.
Southern California-based IT hardware company MaxLinear has disclosed that it was the victim of a security incident in which unauthorized parties accessed its systems between April 15th and May 24th of this year. The company's investigation confirmed that personal information was exposed, including names, personal and company email addresses, personal mailing addresses, employee ID numbers, driver’s license numbers, financial account numbers, Social Security numbers, dates of birth, work locations, compensation and benefit information, dependents, and dates of employment. This sounds like employee information, and the disclosure letter MaxLinear sent to affected individuals was signed by its vice president of human resources, but ITPro, which also reports that the incident was an attack with Maze ransomware, calls the data "personal customer information." In any case, MaxLinear has retained the services of CyberScout to give affected persons access to cyber, credit, and public records monitoring.
Stalker (the MMO game, not the criminal type) is breached.
Cyber News reports that Stalker, a popular massively multiplayer online game, was breached. Data on more than 1.2 million users were found for sale in a dark web souk. Those data included "usernames, passwords, email addresses, phone numbers and IP addresses" organized into two databases. Cyber News contacted the legitimate e-commerce platform, Shoppy.gg, that hosted the criminal shops, and Shoppy.gg promptly took the storefronts down. As Infosecurity Magazine points out, the stolen information could be used in credential-stuffing attacks; it could also be used for phishing, spamming, or fraudulent in-game microtransactions.
Indiabulls sustains ransomware attack.
According to ET CIO, the Gurgaon, India-based conglomerate Indiabulls Group has been hit with Clop ransomware. The attackers claim to have sensitive information on the company's pharmaceutical and housing finance units, which they'll release if they're not paid. Indiabulls says no customer data were affected.
A look at "the invisible god of networks."
According to Group-IB, "the invisible god of networks" is a Russophone man from Kazakhstan who went by the nom-de-hack "Fxmsp." The researchers don't know what's become of him, since he seems not to be currently active, at least not in his old haunts or under his old identity. But they believe Fxmsp's success in monetizing illicit access to corporate systems, and the role he played in shaping the Russian-speaking cyber underworld, warrant an account of his record and methods. He hit 135 companies in 44 countries. Group-IB says his favorite targets were IT, light industrial, and retail companies, and that he earned more than $1.5 million. Forbes has an easily accessible account of the research into Fxmsp's activities. His approach was simple but effective: he scanned the internet for exposed Remote Desktop Protocol (RDP, TCP port 3389) services and took it from there.
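Fxmsp's entry technique is as visible to defenders as it was useful to him: a scan for RDP leaves a characteristic trail of connection attempts from one external source to many internal hosts on port 3389, and any host that answers with an accepted connection is an exposed door. The script below is an added example (it is not code from Group-IB, Forbes, or the original article) that turns that observation into two checks over firewall or flow logs: which internal hosts accepted RDP from outside the organization, and which outside sources probed enough distinct hosts to look like a scanner. The log line format, the internal address ranges, and the sample lines are all constructed for illustration; adapt the regular expression and `INTERNAL_NETS` to your own exports.

```python
"""Flag externally exposed RDP and external RDP scanners in connection logs.

Added example, not from the original article or from Group-IB's research.
The line format below is hypothetical; the sample lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

RDP_PORT = 3389

# Address ranges the (hypothetical) organization considers internal.
# Anything else is treated as external, including partner and cloud space.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample in a hypothetical format:
#   <timestamp> <ACCEPT|DENY> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
# 198.51.100.7 sweeps five internal hosts and gets in on one of them;
# 203.0.113.22 connects straight to a second exposed host.
SAMPLE_LOG = """\
2020-06-23T08:01:12Z ACCEPT 198.51.100.7:51234 -> 10.0.0.5:3389 TCP
2020-06-23T08:01:13Z DENY   198.51.100.7:51235 -> 10.0.0.6:3389 TCP
2020-06-23T08:01:13Z DENY   198.51.100.7:51236 -> 10.0.0.7:3389 TCP
2020-06-23T08:01:14Z DENY   198.51.100.7:51237 -> 10.0.0.8:3389 TCP
2020-06-23T08:01:14Z DENY   198.51.100.7:51238 -> 10.0.0.9:3389 TCP
2020-06-23T08:02:00Z ACCEPT 10.0.0.50:40001 -> 10.0.0.5:3389 TCP
2020-06-23T08:02:30Z ACCEPT 203.0.113.9:44321 -> 10.0.0.5:443 TCP
2020-06-23T08:03:00Z ACCEPT 203.0.113.22:50000 -> 10.0.0.12:3389 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DENY)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def parse(log_text):
    """Parse log lines into dicts; silently skip lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def analyse_rdp(events, scan_threshold=4):
    """Return (exposed_hosts, scanners) as sets of IP strings.

    exposed_hosts: internal hosts that ACCEPTed RDP from an external source.
    scanners: external sources that touched at least scan_threshold distinct
              internal hosts on 3389, whether or not the firewall let them in.
    Internal-to-internal RDP is ignored as expected administrative traffic.
    """
    exposed = set()
    targets_by_src = defaultdict(set)
    for e in events:
        if e["dport"] != RDP_PORT or e["proto"] != "TCP":
            continue
        if is_internal(e["src"]):
            continue
        targets_by_src[e["src"]].add(e["dst"])
        if e["action"] == "ACCEPT":
            exposed.add(e["dst"])
    scanners = {src for src, dsts in targets_by_src.items()
                if len(dsts) >= scan_threshold}
    return exposed, scanners


if __name__ == "__main__":
    exposed, scanners = analyse_rdp(parse(SAMPLE_LOG))
    print("RDP exposed to the internet:", sorted(exposed))
    print("Likely external RDP scanners:", sorted(scanners))
```

The two outputs call for different follow-up. An exposed host should be moved behind a VPN or gateway, or at least onto an allow-list, before anyone asks whether its credentials were guessed. A scanner hitting hosts that were all denied is noise worth counting but not chasing; a scanner with even one ACCEPT among its targets is the Fxmsp pattern and warrants a look at that host's logon events. The threshold of four distinct targets is an arbitrary starting point for the constructed data; tune it against a week of your own logs before alerting on it.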
BlueLeaks update.
Both WIRED and ZDNet have updates on BlueLeaks, the incident in which police data were stolen and posted online. We've received further comment from industry sources. Timothy Chiu, Vice President of Marketing at K2 Cyber Security, sees the lesson as the importance of recognizing the nth-party risk that vendors and partners bring to an enterprise. "The ‘BlueLeaks’ event is another good reminder that organizations aren’t silos in data security," he wrote. "Every organization’s security depends on the security of all their partners as well as their own. Your partners need to be practicing as good security hygiene (if not better) than you are in order to protect your shared applications and assets."
Colin Bastable, CEO of Lucy Security, sees the incident as a cautionary tale about user convenience. “At the heart of cyber-risk is convenience," he said, "making it easy to upload files and build a website has also enabled the hackers to score a spectacular win against US law enforcement." In his opinion, the company generally believed to be the hackers' point of entry, Netsential, showed in its own web presence a worrisome lack of attention to detail, coupled with a willingness to advertise itself as a high-payoff target:
"The Netsential website is barebones right now, but checking out the Wayback Machine for the Netsential website shows a consistent typo: 'Netsential builds sites with as much or as customer involvement that is desired.' For me that would be a red flag – a sign that I should take a closer look at the company, especially since Netsential advertise the fact that the FBI and DoJ are customers. My point being that Fusion Centers were set up as a Homeland Security initiative post-9/11 in order to facilitate information sharing at all levels of law enforcement – an obvious target for China, Russia, Iran or organized crime.
"You would expect the FBI to have identified this potential point of entry and remedied it. The Feds have been living off their reputation and believing their own propaganda for far too long now. My heart goes out to those many people whose information is compromised.”