The CyberWire Daily Podcast 1.9.24
Ep 1979 | 1.9.24

Swatting on the rise.


Swatting is on the rise. LoanDepot, the Toronto Zoo and the World Council of Churches all confirm ransomware attacks. Iran-linked hackers target Albania. Sea Turtle focuses on espionage and information theft. Fake “security researchers” offer phony ransomware recovery services. Could AI make KYC EOL? Avast enhances Babuk decryption. Joe Carrigan looks at the human side of email security. And a group of midwives fail to deliver.

Today is January 9th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Swatting on the rise. 

NBC News reports that special counsel Jack Smith, leading the prosecution against former President Donald Trump in two federal cases, and Judge Tanya Chutkan, overseeing one of these cases, were targets of attempted "swatting" incidents at their residences. Swatting is a criminal harassment tactic involving false reporting of serious incidents to draw a heavy police response to a specific location. In Smith's case, a 911 call falsely claimed he had shot his wife, but Deputy U.S. Marshals at his home confirmed it was a hoax. Chutkan experienced a similar situation, with police responding to a falsely reported shooting at her home. No arrests have been made in either case.

Smith, who has been prosecuting Trump for alleged efforts to overturn the 2020 election results and mishandling classified documents at Mar-a-Lago, has faced numerous threats and intimidating communications, particularly after Trump's inflammatory posts about him. Chutkan has also encountered threats; a Texas woman was arrested for leaving a threatening voicemail for her. Trump has specifically targeted Chutkan on social media, leading to a gag order against him, later narrowed by an appeals court.

The security concerns for judges and prosecutors have been escalating. The recent swatting incidents underscore the heightened security concerns surrounding high-profile legal cases involving political figures.

LoanDepot, the Toronto Zoo and the World Council of Churches confirm ransomware attacks.

Following up on yesterday's story, mortgage lending firm LoanDepot confirmed a ransomware attack causing system disruptions and data encryption in a Form 8-K filing with the SEC. The Irvine, California-based company took immediate containment steps, initiated an investigation, and notified regulators and law enforcement. While they work to secure operations and assess impact, it's unclear if personal information was compromised.

And speaking of ransomware, The Toronto Zoo, Canada's largest zoo, experienced a ransomware attack on January 5th, affecting its systems and potentially visitor, member, and donor information. Immediate steps were taken to assess the impact, and the zoo remains open with animal care systems unaffected. The incident, reported to Toronto Police Services, is being addressed with assistance from the City of Toronto's Chief Information Security Office and external cybersecurity experts. This follows similar cyber incidents in Toronto, including the Public Library system and SickKids Hospital.

The World Council of Churches (WCC), representing numerous Christian denominations, was hit by a ransomware attack during the Christmas season. Responsibility for the attack was claimed by the Rhysida ransomware gang, targeting the Lutheran World Federation, a WCC member. The attack, which occurred on December 26, resulted in a system shutdown including the WCC's website. The ransom demanded is 6 bitcoins (about $280,000) with a 7-day deadline. The incident has been reported to Swiss police and is under investigation, with no specific details on the data breach or the number of affected individuals disclosed.

And, in a reminder that the effects of ransomware can extend beyond the event itself, New York Attorney General Letitia James reached an agreement with Refuah Health Center following a ransomware attack in May 2021 that compromised sensitive patient data. The attack, perpetrated by the Lorenz ransomware group, was facilitated by outdated and unsecured administrator credentials. Refuah failed to maintain appropriate cybersecurity controls, leading to extensive data breaches, including personal and health information of over 260,000 individuals.

The NY AG identified multiple violations of the HIPAA Security Rule and New York General Business Law, including insufficient policies, failure to conduct risk analyses, and inadequate incident response measures. As part of the agreement, Refuah will invest $1.2 million in cybersecurity improvements and pay $450,000 in penalties and costs. They are also required to notify affected individuals and enhance their security and incident response policies.

Iran-linked hackers target Albania.

In international news, a group of Iran-linked hackers known as Homeland Justice used a wiper malware named No-Justice in a series of cyberattacks targeting Albanian organizations in December. These attacks hit the Albanian parliament, telecom companies ONE Albania and Eagle Mobile, and Air Albania. No-Justice, identified by ClearSky researchers, crashes the Windows OS, preventing rebooting, and a PowerShell script spreads the wiper across networks. The malware had a valid digital signature and required admin privileges. The attacks may have been in retaliation for Albania sheltering the Iranian opposition group MEK. The full extent of the damage is unclear, but Homeland Justice's operations pose a threat to other countries and are likely state-sponsored.

Sea Turtle focuses on espionage and information theft. 

Researchers at Hunt and Hackett describe Sea Turtle, believed to be a Turkey-based Advanced Persistent Threat (APT) group. Sea Turtle focuses on espionage and information theft targeting public and private entities. From 2017 to 2019, it was primarily known for DNS hijacking, but has more recently changed tactics to better evade detection. Microsoft and the Greek National CERT have highlighted its intelligence-gathering activities, aligned with Turkish interests. The group targets organizations in Europe and the Middle East, especially governmental bodies, Kurdish groups, NGOs, telecommunication entities, ISPs, IT service providers, and media organizations. Their modus operandi includes intercepting internet traffic to gain unauthorized access to networks and using reverse shell mechanisms for data extraction. 

Fake “security researchers” offer phony ransomware recovery services.

Organizations hit by ransomware face uncertainty about whether cybercriminals will actually decrypt and delete their stolen data, even after paying the ransom. Helpnet Security reports that imposters posing as security researchers are offering to hack into the ransomware groups' servers to delete exfiltrated data for a fee. Arctic Wolf researchers encountered this scam in two cases involving victims of Royal and Akira ransomware. The imposters, using aliases like Ethical Side Group and xanonymoux, approached victims via online chat, provided proof of access to data, warned of future attack risks, specified the stolen data amount, and demanded less than 5 Bitcoins (around $220,000). It's unclear if these follow-on extortions are connected to the ransomware groups or are independent actions. In both observed cases, this additional extortion attempt was unsuccessful.

Could AI make KYC EOL?

KYC (Know Your Customer) processes, essential for financial institutions, banks, and fintech startups, are at risk due to generative AI (GenAI) advancements. These processes often use ID images or selfies for customer identity verification. A report from TechCrunch examines how posts on platforms like X (formerly Twitter) and Reddit demonstrate how attackers could manipulate selfies using GenAI tools to create convincing deepfaked ID images and potentially bypass KYC checks. Although there's no evidence of GenAI being used against actual KYC systems yet, the ease of creating deepfaked images is concerning.

The growing threat extends to bypassing 'liveness' checks, which are designed to ensure a real person is present during verification. These checks are vulnerable to advanced GenAI tools capable of simulating real-time actions like head turns. As GenAI technology improves, even human reviewers might struggle to distinguish between real and deepfaked images and videos, potentially rendering this type of KYC ineffective as a security measure.

Avast enhances Babuk decryption.

A tip of the virtual hat to Avast, who in cooperation with Cisco Talos and Dutch Police, have released an updated version of the Avast Babuk decryption tool, capable of restoring files encrypted by the Babuk ransomware variant called Tortilla. Well done. 


Midwives fail to deliver.

Clients of Midwives of Windsor in Ontario experienced a rude awakening, finding out their sensitive personal and pregnancy-related data had been exposed due to a cyber breach in April 2023. This breach, only disclosed to clients months later - nine months later - included names, birth dates, addresses, emails, phone numbers, pregnancy details, treatment information, prescriptions, patient IDs, and health insurance data. Although there's no reported misuse of the data yet, the potential for phishing attacks or identity theft looms large. Midwives of Ontario has since secured the compromised email account and is investigating with third-party experts. As clients navigate this breach, one can't help but note the irony: Midwives, experts in delivering timely care, seem to have missed the mark in delivering timely information.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.