Dallas still reeling from ransomware
Last week, the city of Dallas confirmed it suffered a ransomware attack. The Royal ransomware organization took credit. Over the weekend, the city said it believed it contained the attack with no signs of new spread. However on May 8th all municipal courts remained closed. Police and fire departments also informed local outlets of continuing issues. Dispatchers are writing down information and relaying it manually over radios. This also played into the response to the mass shooting in Allen, Texas, as police were unable to access prior information on police calls to the home of the shooter. City officials also warned against scammers approaching the general public to pay things like utility bills, saying the city would not proactively reach out.
Hacked Facebook pages buying Facebook ads
Social media consultant Matt Navarra noticed suspicious looking Facebook pages servicing ads under accounts meant to impersonate Meta, Google, and other big tech platforms. These appear to come from hacked accounts, which subsequently change names to spoof the platforms. These accounts retained Meta verification after the name changes, and then purchased ads to further extend the reach of suspicious link posts. In some cases, these compromised accounts reached millions of followers, before accounting for any paid reach. Meta does show the name change history of verified accounts, but its unclear how these clearly spoofed ads made it through Meta’s review system. Meta subsequently disabled the pages highlighted by Navarra.
Court rules on Merck cyber insurance claim
Back in 2018, Merck got caught up in the NetPetya attacks, suffering an estimated $1.4 billion loss. This accounted for outages, consulting, and system replacements, At the time, it held a $1.75 billion all-risk policy from Ace American. But the insurer refused to pay it citing an “Acts of War” clause, arguing the attacks were Russian-backed. Merck filed suit in 2018 disputing this. A December 2021 New Jersey Superior Court decision determined these provisions did not apply. Ace American appealed. How the Superior Court of New Jersey Appellate Division upheld the judgment. It found the details of the attack on Merck came “wholly outside the context of any armed conflict or military objective.”
AI hacking comes to DEF CON
As AI becomes more of a mainstay of corporate operations, securing it becomes important. We’ve already seen organizations banning AI tools over security and privacy concerns. To shed from light, at this year’s DEF CON the AI Village wants hackers to find bugs and biases in various large language models. AI Village organizers describe as “the largest red teaming exercise ever for any group of AI models”, and will provide machines with timed access to various LLMs, including from the biggest names in the industry: OpenAI, Anthropic, Google, Hugging Face, Nvidia, and Stability, plus access to an evaluation platform developed by Scale AI.
And now a word from our sponsor, TrendMicro
NextGen Healthcare confirms breach
The US-based electronic health record software provider confirmed that an unauthorized third-party accessed its systems, in a filing with the Maine attorney general’s office. In the process, they stole data on over 1 million patients. Data stolen includes names, addresses, dates of birth, and Social Security numbers. NextGen said it saw no signs attackers accessed medical information. The attackers appeared to use stolen credentials for initial access, with suspicious activity detected March 30th. This comes after the ALPHV ransomware organizations claimed an attack against NextGen back in January.
Iranian attackers targeting PaperCut servers
Microsoft’s Threat Intelligence team disclosed that two Iranian-linked threat groups began targeting known vulnerabilities in the popular print servers. These groups historically showed links to Iran’s Ministry of Intelligence and Security and Iran’s Islamic Revolutionary Guard Corps. One group, dubbed Mango Sandstorm, seems to only use it using tools from prior attacks to connect to C2 servers, while the other, Mint Sandstorm, appears more opportunistic. While mitigations have been published for the vulnerabilities, VulnCheck notes new attack methods seen last week show they can bypass existing detection methods.
Western Digital confirms customer data lost
We continue to learn more about the cyber attack against Western Digital. The company now confirmed that the attackers stole personal information from its online store, including names, addresses, and emails, as well as hashed and salted passwords and partial credit card numbers. Details on the attack have come out gradually since Western Digital confirmed a “network security incident” on March 26th. ALPHV eventually took credit for the breach, claiming to steal about 10 terabytes of data. Western Digital estimates it will restore its online store the week of May 15th.
Twitter confirms “security incident” with Circles
Last month, we covered reports that some private Twitter Circles posts became visible to public feeds. Twitter sent an email to Circle users over the weekend, advising on a “security incident” with the service. It did not clarify what caused the issue, but claimed “this issue was identified by our security team and immediately fixed so that these tweets were no longer visible outside of your circle.” Other platitudes offered include that it made a “thorough investigation” and that “we deeply regret this happened.”