In today’s cybersecurity news…
Chameleon reappears targeting Canadian restaurant chain
The malware originally known for attacking banks has now begun targeting hospitality workers in Canada and Europe, including “an unnamed Canadian restaurant chain that operates internationally.” This is according to a report from Threat Fabric released on Monday. True to its name, device takeover trojan has changed its appearance and is now disguised as a customer relationship management app, often used in the hospitality industry for task automation, communication, and data analysis. The report adds that “if the attackers succeed in infecting a device that has corporate banking access, Chameleon can then target business banking accounts.
(The Record and Threat Fabric)
Rhysida claims attack on Bayhealth Hospital in Delaware
Bayhealth Hospital is a not-for-profit healthcare system with that serves central and southern Delaware. The ransomware group is demanding 25 bitcoin to avoid the leak of data and it has posted screenshots of stolen passports and ID cards as proof. Rhysida is also known far having breached Abdali Hospital in Jordan, the King Edward VII Hospital in London, the British Library and China Energy Engineering Corporation.
BlackSuit/Royal achieves $500m in ransomware demands
A new report from CISA – actually an update to a previous CISA report, compiled with the FBI and released on August 7, says that the ransomware group once known as Royal and now rebranded as BlackSuit has demanded more than $500 million from its victims in less than two years. This is the group that most notably attacked the City of Dallas last year, and which maybe responsible most recently for attacks on two counties in Indiana. The $500 million number represents monies demanded, not received, and like other gangs it is known for negotiating down once the victims make contact. The report states that “phishing emails are among the most successful vectors for initial access by BlackSuit threat actors.”
SaaS apps present an abbreviated kill chain for attackers
A warning from researchers from AppOmni, speaking at Black Hat this week, that “organizations that are expanding their use of SaaS applications may want to revise their notions of, and approaches to, the cyber kill chain.” Their analysis states that attackers will likely not need to execute all seven steps of the traditional chain to launch a successful SaaS attack. Moving from the traditional steps required for a successful attack, weaponization, delivery, exploitation, installation, command and control, and actions on objectives; the researcher now suggest that the kill chain has now been reduced to two: initial access and credential access, and collection and exfiltration. A more detailed summary, presented in Dark Reading, is linked in the show notes.
Thanks to today’s episode sponsor, Vanta
North Korea’s Kimsuky’s operations revealed in part
The Kimsuky espionage group is best known for phishing campaigns in which its agents pose as academics or journalists in order to steal sensitive information. A new report published yesterday, Thursday, by Resilience, reveals some of the APT groups activities through analysis of its operational security mistakes, which “led to the collection of source code, login credentials and other crucial data.” Resilience’s findings describe the group’s use of phishing pages that mimic legitimate university login portals, and its use of a custom tool called “SendMail,” which sends phishing emails through compromised email accounts. According to Resilience, “the breadth and depth of Kimsuky’s tactics underscore the persistent and evolving threat posed by state-backed cyber groups.”
Ransomware attack cost LoanDepot $27 million
The attack, which occurred in January of this year, involved the theft of PII and financial account information of 16 million individuals. The company now says the cost of this attack, including “costs to investigate and remediate the cybersecurity incident, the costs of customer notifications and identity protection, professional fees including legal expenses, litigation settlement costs, and commission guarantees” amounted to $26.9 million. The ALPHV/BlackCat group took credit for this attack.
Vulnerabilities exposed solar power systems to hacking
A warning from researchers at Bitdefender regarding serious vulnerabilities in widely used solar power systems, which could potentially allow attackers to cause disruption and blackouts. The source of the problem is in photovoltaic system management platforms provided by interconnected Chinese companies Solarman and Deye, which operate millions of solar installations worldwide, generating 195 GW, or roughly 20% of the global solar power production. The researchers state the vulnerabilities could be exploited to take full control of any account on the Solarman platform, enabling attackers to modify parameters and manipulate inverters, also “gain access to sensitive data, including personal information and location data for solar installations.” This cold also lead to exposure of sensitive information about users and organizations, and to cause disruptions that could lead to grid instability or blackouts.
Hackers could spy on cell phone users through 5G baseband flaws
Researchers from Pennsylvania State University say they have discovered a series of security flaws in different 5G basebands, which are processors used by cell phones to connect to mobile networks. These they say could have allowed hackers to hack victims and spy on them. Speaking at Black Hat on Wednesday, the group described their custom-made analysis tool called 5GBaseChecker, which “uncovered baseband vulnerabilities made by Samsung, MediaTek, and Qualcomm, which are used in phones made by Google, OPPO, OnePlus, Motorola, and Samsung.” They have released the 5GBaseChecker on GitHub to allow other researchers to also hunt for 5G vulnerabilities.