CommonSpirit Health hit with “IT security issue”
The issue impacted its electronic health record systems, forcing the nonprofit health care organization to shut off systems at some facilities. CommonSpirit operates over 1,000 care sites and 140 hospitals across 21 states. Some sites rescheduled patient appointments, while at least one hospital redirected ambulances as a result. Anecdotally, several patients said doctors struggled to access the MyChart tool. Cybersecurity researcher Kevin Beaumont suggests ransomware may be involved, based on IR chatter.
MySQL servers backdoored
Analysts at the German security firm DCSO CyTec discovered a new piece of malware targeting Microsoft MySQL servers. Called Maggie, it brute-forces admin logins on other SQL servers while serving as a bridgehead into the network environment. Telemetry data shows Maggie running on hundreds of machines, most prevalent in South Korea, India, Vietnam, China, Russia, Thailand, Germany, and the United States. The malware appears as a digitally signed Extended Stored Procedure DLL. It functions as a backdoor because it can be controlled through SQL queries. It’s unclear how it is initially installed on systems or who operates the malware.
Fraud hitting P2P payment apps
A new report from the office of Senator Elizabeth Warren found an increasing prevalence of fraud and scams using the peer-to-peer payment service Zelle. The banks Bank of America, Truist, Capital One, JPMorgan Chase, PNC Bank, U.S. Bank, and Wells Fargo own the company that operates Zelle. Since the second half of 2021, data from four of these banks shows 192,878 cases of fraud resulting in $213.8 million in losses using payments made with Zelle. Despite bank ownership, the reports found only 3,500 cases where the banks reimbursed for the losses, and in those cases only reimbursing an average of 47%. The Consumer Financial Protection Bureau is expected to issue regulations to require banks to reimburse customers for a wider array of scams and fraud.
Twitter deal isn’t done yet
We covered yesterday that Elon Musk re-offered his original price to take Twitter private, with a share price already approved by Twitter’s board. The deal isn’t done yet, with Twitter getting a new concession in the case. The Delaware Court of Chancery approved Twitter to proceed with a limited investigation into whether whistleblower Peiter “Mudge” Zatko contacted Elon Musk’s lawyers prior to his previous attempt to back out of buying Twitter. This involves a May 6th email sent from an anonymous ProtonMail account that claimed to be from “a former exec at Twitter leading teams directly involving Trust & Safety/Content Moderation” and offered Musk information on Twitter through alternate channels. If Musk and Twitter reach an agreement to end litigation, the matter would be moot.
Thanks to today’s episode sponsor, Hunters
Another Australian telco hit with breach
Australia’s largest telco Telstra confirmed it suffered a data breach at a third-party organization, exposing employee data dating back to 2017. It estimates 30,000 people were impacted, with names and email addresses leaked. This comes two weeks after another telco in the country, Optus, suffered a data breach impacting up to 10 million accounts.
Capital One hacker sentenced
U.S. District Judge Robert S. Lasnik sentenced former Amazon software engineer Paige Thompson to time served and five years of probation for obtaining personal information on over 100 million people as part of a breach of Capital One in 2019. As a result of the breach, Capital One reached a $190 million settlement with impacted customers, and was fined $80 million by the Treasury. Prosecutors sought a seven-year prison sentence. The judge cited Thompson’s mental health for the probation sentence. Thompson’s financial restitution for the crime will be determined in a December hearing.
CISA warns of targeted attacks on defense
The Cybersecurity and Infrastructure Security Agency, FBI, and NSA issued an advisory warning of APTs actively seen on the networks of Defense Industrial Base organizations. These attacks were observed from November 2021 through January, using the Impacket toolkit for initial access and achieving data exfiltration with CovalentStealer. More troublingly, CISA found it likely that multiple APTs gained access, some with “long-term access to the environment.” Initial scouting and access for these attacks may go as far back as January 2021. CISA recommends organizations monitor logs for connections from unusual VPNs as a sign of access.
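The advisory’s closing recommendation, checking VPN logs for connections from sources the organization does not normally see, is the kind of thing a small script can do against a baseline. The following is an added example written for this digest, not tooling from CISA or the advisory: the key=value log format, the gateway names, the ASNs and organizations, and the `EXPECTED_ASNS` baseline are all constructed assumptions. It parses successful logins, flags those arriving from networks outside the baseline, and separately lists accounts that were used from both baseline and non-baseline networks, since an account that suddenly appears from a commercial VPN provider it never used before is the pattern the advisory points at.

```python
"""Flag VPN logins from networks outside an organization's baseline.

Added example; not the advisory's or CISA's code. Log format, gateway
names, addresses, ASNs, organizations and the baseline are constructed.
"""
import re
from collections import defaultdict

# Constructed sample gateway log lines in a hypothetical key=value format.
# Source addresses come from documentation ranges (RFC 5737); ASNs are
# from the private range (RFC 6996).
SAMPLE_LOGS = """\
2022-01-10T08:02:11Z vpn-gw1 user=jdoe src=203.0.113.25 asn=AS64501 org="Example Corp ISP" result=success
2022-01-10T08:05:42Z vpn-gw1 user=asmith src=198.51.100.7 asn=AS64502 org="Example Mobile" result=success
2022-01-10T23:14:03Z vpn-gw1 user=jdoe src=192.0.2.77 asn=AS64999 org="Budget VPN Ltd" result=success
2022-01-11T02:41:55Z vpn-gw2 user=svc-backup src=192.0.2.90 asn=AS64999 org="Budget VPN Ltd" result=success
2022-01-11T03:02:19Z vpn-gw2 user=bwong src=192.0.2.91 asn=AS64999 org="Budget VPN Ltd" result=failure
"""

# Hypothetical baseline: ASNs of the ISPs staff are expected to connect from.
# In practice this is built from weeks of known-good history, not hand-typed.
EXPECTED_ASNS = {"AS64501", "AS64502"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<gateway>\S+) user=(?P<user>\S+) src=(?P<src>\S+) '
    r'asn=(?P<asn>\S+) org="(?P<org>[^"]*)" result=(?P<result>\S+)$'
)


def parse_logs(text):
    """Parse log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def find_unusual_logins(text, expected_asns):
    """Return successful logins whose source ASN is outside the baseline."""
    return [
        event for event in parse_logs(text)
        if event["result"] == "success" and event["asn"] not in expected_asns
    ]


def users_with_new_source(text, expected_asns):
    """Accounts that succeeded from both a baseline and a non-baseline network.

    These deserve a closer look: the account is legitimate enough to work
    from the usual ISP, yet also appears from infrastructure it never used.
    """
    seen = defaultdict(lambda: {"baseline": False, "other": False})
    for event in parse_logs(text):
        if event["result"] != "success":
            continue
        bucket = "baseline" if event["asn"] in expected_asns else "other"
        seen[event["user"]][bucket] = True
    return {user for user, flags in seen.items() if flags["baseline"] and flags["other"]}


if __name__ == "__main__":
    for event in find_unusual_logins(SAMPLE_LOGS, EXPECTED_ASNS):
        print(f'{event["ts"]} {event["user"]} from {event["src"]} '
              f'({event["asn"]} {event["org"]}) via {event["gateway"]}')
    print("accounts also seen from baseline networks:",
          sorted(users_with_new_source(SAMPLE_LOGS, EXPECTED_ASNS)))
```

Failed attempts are deliberately left out of both checks so that password spraying noise does not drown the successes; a separate failure-rate check per source network is the usual companion. The baseline should be derived from historical successful logins rather than maintained by hand, and a review of the flagged accounts should go back to the earliest date the advisory mentions, since the observed access may predate the incident window.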
Overwatch 2 hit with DDoS at launch
Overwatch 2 launched on October 4th, with many players reporting inordinately long wait times. Blizzard president Mike Ybarra confirmed that a distributed denial of service attack hit Overwatch 2 servers, causing connection issues for users trying to play the game. As of October 5th, Overwatch Game Director Aaron Keller reported that a second DDoS attack was underway, resulting in further server instability. No word on what network might be behind the attacks.