Hackers steal funds from the Wisconsin Republican Party
According to the party’s chairman Andrew Hitt, the attackers stole $2.3 million from the party, with suspicious activity first noticed on October 22nd. The attackers manipulated invoices from four vendors being paid for campaign mailers, altering the payment details. No data is believed to have been stolen in the attack. According to Wisconsin Democratic Party spokeswoman Courtney Beyer, that party has seen more than 800 financially motivated phishing attempts this election cycle.
Ransomware attackers leak Georgia county voter information
Hall County in Georgia initially reported the ransomware attack on October 7th, saying it impacted phone and network systems but that there was no evidence that unencrypted data had been exfiltrated. However, the DoppelPaymer ransomware group has since published roughly 1GB of files stolen from county computers, claiming to have encrypted 2,464 devices in the attack. The leaked documents include ballot proofs, poll worker lists, administrative documents, accounting and financial records, and city bulletins, as well as some publicly available voter information. Bleeping Computer reports that at least one document included Social Security numbers.
The FBI is investigating ransomware attacks on hospitals
Reuters reports that, according to its sources, the FBI investigation began after a coordinated series of attacks against hospitals, including ones in Oregon, California and New York, was made public this week. The sources say the attackers used the Trickbot trojan and Ryuk ransomware against the hospitals, forcing staff to communicate on paper and leaving patient histories unavailable to view or update. The security firm Check Point said it has seen ransomware attacks up 50% in the last quarter.
UMC pleads guilty to stealing Micron trade secrets
The Taiwanese chipmaker will pay a $60 million fine as part of the plea, which the US DOJ says is the second-largest fine in a criminal trade secret prosecution. The case began with a 2018 indictment of UMC and China’s Fujian Jinhua, alleging that three UMC employees stole DRAM production trade secrets from Micron. UMC management said it was unaware of and did not authorize the theft. In the ongoing indictment, the US maintains that Fujian Jinhua used the trade secrets in its memory chip designs; UMC denies transferring the secrets to any third party.
Thanks to our sponsor, F5
Education industry vulnerable to business email compromise
This comes from a new study published by Barracuda Networks. Business email compromise (BEC) made up 28% of spear-phishing attacks against education organizations, more than double the 11% seen across all other verticals. The report also found that 57% of malicious emails came from internal accounts within education organizations, primarily student-owned addresses; Barracuda attributes this to many students not actively using their school-issued email, so a compromised account can go unnoticed. The report looked at 3.5 million spear-phishing attacks targeting 1,000 educational institutions from June through September 2020.
Device Vulnerability Report now available in Defender for Endpoint
Microsoft announced this new vulnerability management report as a preview in Microsoft Defender for Endpoint, designed to complement its existing threat and vulnerability management capabilities. The report shows the vulnerability severity level of devices, whether exploits are available for the vulnerabilities found on them, and the age of unpatched security flaws, along with a list of vulnerable devices, and pulls these insights together to show larger trends. While in preview, Microsoft warns, the report comes without a service level agreement and is not recommended for production workloads.
Details emerge on the Buer Loader malware dropper
Researchers at SophosLabs recently published a detailed look at Buer, a malware loader first seen in August 2019 and used in Ryuk ransomware attacks to gain initial access to systems. Buer operates as malware-as-a-service, similar to Emotet or Trickbot’s Bazar loader, providing an initial compromise of a Windows 10 PC that customers then use to deploy further payloads. Its command and control panel lets customers view the number of downloads in a campaign and assign tasks to bots, with filters by country and support for task scheduling and time windows. Sophos saw Google Docs used as an attack vector, delivering a document that downloads an executable once scripting is enabled.
Oracle WebLogic flaw is being actively exploited
Oracle released a patch on October 21st for the recently disclosed remote code execution flaw in its popular application server. However, Johannes B. Ullrich, dean of research at the SANS Technology Institute, said that based on honeypot observations, threat actors are now actively scanning for vulnerable servers to exploit. Ullrich says scans of the entire IPv4 address space for these servers have reached saturation, and warns that if you have an unpatched server, you should assume it has been exploited.