Cyber Security Headlines: Authorities bust NetWire RAT, CISA warns of Plex bug after LastPass breach, Blackbaud to pay $3 million for misleading disclosure

FBI and international authorities catch a NetWire RAT

On Tuesday, Croatian police arrested the suspected administrator of the site which sold the NetWire remote access trojan (RAT). On the same day, federal authorities in Los Angeles seized the internet domain, and Swiss law enforcement seized the malware’s hosting server. NetWire was first discovered in 2012 and cybercriminals commonly deliver the RAT through files attached to phishing emails. NetWire is capable of stealing passwords, keylogging, and remotely controlling infected devices. The FBI began investigating the operation back in 2020, creating accounts on its website, buying a subscription, and creating a custom NetWire instance using the builder tool.

(The Register)

CISA warns of actively exploited Plex bug after LastPass breach

CISA has added a nearly three-year-old high-severity remote code execution (RCE) vulnerability in the Plex Media Server to its catalog of exploited security flaws. Tracked as CVE-2020-5741, the flaw could allow threat actors with admin privileges to abuse the Camera Upload feature and remotely execute arbitrary Python code in low-complexity attacks. While CISA didn’t confirm specific attacks, the issue is likely linked to the incident involving a LastPass senior DevOps engineer whose computer was hacked last year to install a keylogger and gain access to customer vault backups.

(Bleeping Computer)

Blackbaud to pay $3 million for misleading ransomware disclosure

Back in 2020, cloud software provider Blackbaud suffered a ransomware attack which affected 13,000 customers from charities, foundations, non-profits, and universities in the US, Canada, the UK, and the Netherlands. According to the SEC, Blackbaud initially stated that the attackers had not gained access to donor bank account details or social security numbers. Shortly thereafter, company staff learned that the threat actors had indeed accessed and stolen this sensitive information, but the staff failed to report this to management. This led to the company filing an SEC report the following month which omitted vital information about the breach and also downplayed the associated risks, passing them off as hypothetical. Blackbaud agreed to pay a $3 million civil penalty to settle the misreporting charges brought by the Securities and Exchange Commission (SEC).

(Bleeping Computer)

Acronis clarifies hack impact following data leak

Last Thursday, a hacker announced on a popular cybercrime forum that they were leaking 12 GB of data stolen from Swiss data protection firm Acronis. The hacker said the data included certificate files, information logs, system configurations, scripts, and filesystem archives. They added that they hacked Acronis because they were bored and wanted to humiliate the company. Acronis initially confirmed the attack, but said no customer data had been compromised. The company has now clarified that the leaked data appears to have come from a single customer’s account and that it is working with that customer to resolve the issue.


Pig Butchering and investment fraud now a $3 billion cybercrime

Pig butchering is an investment scam that ensnares victims by paying them small returns on cryptocurrency deals and building personal relationships, often with a romance element, to convince them to invest heavily. Pig butchering started in Asia, but operations expanded into the US during the pandemic. Investment fraud, which includes pig butchering, cost victims about $3 billion in 2022. This makes investment fraud the top cybercrime loss leader, overtaking business email compromise (BEC) and even ransomware.

(Dark Reading)

Last week in ransomware

Last week’s biggest ransomware news was the coordinated, international law enforcement operation that led to the arrest of two members of the DoppelPaymer gang and the seizure of electronics from multiple locations. DoppelPaymer is believed to be leveraged by the Evil Corp operation, also known for managing and distributing the Dridex malware botnet.

Additionally, new research uncovered two new encryptors: Royal Ransomware, which targets ESXi servers, and IceFire, which targets Linux.

Several other ransomware attacks revealed last week include those on Hospital Clínic de Barcelona, the Washington State bus system, Technion, Fonasa, and the Minneapolis Public Schools district. Additionally, the Play Ransomware gang began leaking data stolen in the City of Oakland incident, which occurred last month.

Finally, Recorded Future reported that ransomware attacks targeting healthcare orgs dropped to only six in February, the lowest count since January 2020. Other sectors didn’t fare as well last month, with the overall ransomware extortion victims rising to 204, up from 163 in January.

(Bleeping Computer and The Record)

Cerebral informs 3 million individuals of data exposure

Emotional health care provider Cerebral is informing over 3.1 million individuals that their protected health information (PHI) might have been inadvertently exposed via third-party tracking technologies on its platforms. Cerebral has been using tracking technologies, such as those provided by Facebook, Google, and TikTok, since 2019, but disabled, reconfigured, or removed them after learning that some of the data shared with the third parties also included PHI. The company has also ceased sharing data with subcontractors in cases that did not meet all HIPAA requirements. The company said that individuals who created a Cerebral account potentially had their name, phone number, email, IP address, birth date, and client ID number exposed.


Gizmodo found 28,000 apps sending user data to TikTok

A new report from Gizmodo has revealed that, while TikTok does pose legitimate privacy issues, the proposed ban on the company won’t fix the actual problem. Gizmodo calls out the existence of a vast, largely unregulated personal data broker market that is hugely profitable and also easily exploitable by Chinese intelligence agencies. Gizmodo found that over 28,000 different apps make use of TikTok’s software development kits. All of these apps send TikTok various data to handle things like ads, logging in to services, and sharing videos from within the app.


Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.