
Expert Insights Cybersecurity News Recap: December 3 – 10, 2024

Five cybersecurity news stories that matter this week.

News Update Dec 17

Welcome to the weekly Expert Insights cybersecurity news roundup.

🚨 This week, our team is attending the 2024 CybersecurityMarketingCon in Philadelphia. Let us know if you’re there—we’d love to see you!

Got a story to share with our team? Email [email protected].


1. Over 300k Patients Affected By Hospital Ransomware Attack

A non-profit community hospital has notified over 316,000 patients that their personal data was compromised in a breach last year, reports Security Week and Infosecurity Magazine.

Anna Jacques Hospital in Newburyport, Massachusetts, was targeted by a ransomware attack on Christmas Day 2023. The attack forced the hospital to shut down its health record systems and divert patients from its emergency rooms.

Initial response: On January 19th, ransomware group “Money Message” began publicly extorting the hospital, claiming to have stolen 600 GB of data. The group leaked allegedly stolen data samples on their site.

The hospital didn’t engage with the threat actors; instead, on January 24th, it disclosed the breach, noting that Personally Identifiable Information (PII) as well as medical and insurance information had likely been compromised. Days later, Money Message released all the stolen data for download.

Post-investigation: The hospital completed its forensic investigation of the breach in November this year and later announced that financial information may also have been stolen.

Last week, the hospital notified the Maine Attorney General’s Office that 316,342 individuals may have been affected by the breach. It is providing these individuals with two years of free identity theft and credit monitoring services through Experian IdentityWorks.

Staying vigilant: In addition to these services, Anna Jacques recommends that its employees and patients “remain vigilant” in reviewing their financial account statements and health insurance benefits statements for unexpected or fraudulent activity.


2. Ransomware Group “Termite” Takes Credit For Blue Yonder Breach

The “Termite” ransomware group has officially claimed responsibility for the November attack against supply chain vendor Blue Yonder, reports Security Week.

The attack disrupted Blue Yonder’s managed services and impacted several firms using those services, including Starbucks and two major UK grocery stores, Morrisons and Sainsbury’s.

On Friday, Termite claimed responsibility for the attack via its Tor-based website.

“Our team got 680gb of data such as DB dumps Email lists for future attacks (over 16,000) Documents (over 200,000) Reports Insurance documents,” the threat actors claim, and they have threatened to make some of that data available “soon”.

New kids on the block: Termite is a new ransomware group that emerged in mid-October, according to threat intelligence company Cyjax. The group’s website only lists seven victims in total, all added around the same time as the Blue Yonder breach.

Cybersecurity providers Cyble and Broadcom Symantec both report that the file-encrypting malware used by Termite is a version of the Babuk ransomware that was leaked in September 2021.

Blue Yonder’s response: Blue Yonder is aware of the claims made by the threat actor and continues its investigation.

“We are aware that an unauthorized third party claims to have taken certain information from our systems,” the company said. “We are working diligently with external cybersecurity experts to address these claims.”

Staying protected: A strong threat detection and response solution is key to protecting your business against ransomware attacks, Martin Zugec, Technical Solutions Director at Bitdefender, told Expert Insights.

“One thing I always recommend, especially for smaller and mid-market companies, is make sure you have detection and response capabilities. Doesn’t matter if it’s EDR, XDR, MDR. Threat actors generate a lot of noise, but in our investigations, we always see clues that could reveal these malware attacks,” Zugec says.


3. New Cyber Rules Proposed For US Telecom Following Salt Typhoon Breach

In response to the infiltration of eight US telecom companies by Chinese cybercriminal group Salt Typhoon, the Federal Communications Commission (FCC) has proposed new requirements for carriers to secure their networks, reports SC Media.

On December 5th, FCC Chairwoman Jessica Rosenworcel proposed a Declaratory Ruling that would clarify that Section 105 of the Communications Assistance for Law Enforcement Act (CALEA) legally requires telecoms carriers to secure their networks against unlawful access and interception.

“As technology continues to advance, so do the capabilities of adversaries, which means the US must adapt and reinforce our defenses,” said Rosenworcel. “While the Commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the future.”

The impact: Rosenworcel’s proposal would require carriers to submit an annual certification to the FCC proving that they have created, updated, and implemented a cybersecurity risk management plan.

If adopted, the Declaratory Ruling will take effect immediately.


4. Web3 Workers Targeted By Fake Video-Conferencing Apps

Hackers are targeting Web3 professionals with malware disguised as a video-conferencing app, reports TechRadar.

The app, called “Meeten”, installs an infostealer malware called Realst to exfiltrate sensitive information such as login credentials, bank card details, Keychain credentials, and browser cookies.

In some cases, victims were first contacted via Telegram, where they were offered a job opportunity and invited to a video call using Meeten. Researchers from Cado Security Labs found that the “Meeten” app had been rebranded numerous times, having previously used names including Meetio, Meetone, and others.

Once downloaded, the app would display a message saying that the victim needed to reinstall it or use a VPN. Meanwhile, the infostealer runs in the background and malicious JavaScript attempts to drain wallets connected to the app.

The big picture: Fake job ads have been around for years. One of the biggest thefts in the crypto world was caused by a fake job attack against Web3 developers, in which threat actors stole around USD 600 million in various tokens. And just this year, cybersecurity providers Jamf Threat Labs and Recorded Future have both uncovered attacks that used fake virtual meeting software to steal information and money from victims.

Staying safe: To protect themselves against these attacks, users should consider implementing a strong antivirus or anti-malware solution that can block malicious software, as well as an effective phishing protection tool that covers multiple messaging channels.


5. Manson Market Fraud Marketplace Shut Down By Europol

Last week, Europol shut down a Clearnet marketplace that facilitated large-scale online fraud, reports The Hacker News and Help Net Security.

Led by the Hanover Police Department and the Verden Public Prosecutor’s Office in Germany, the operation enabled authorities to seize over 50 servers, collect over 200 TB of digital evidence, and arrest two suspects. Over 80 data storage devices as well as cash and crypto assets worth over USD 66,500 were also confiscated.

The background: Launched in 2022, the marketplace was used by cybercriminals to sell and trade data that had been stolen in phishing attacks. Users could filter stolen data by region and account balance, allowing them to carry out targeted fraud with accuracy and efficiency, says Europol.

Investigators also unearthed several phishing websites used to steal payment information, as well as a Manson Market channel on Telegram, the app involved in recent attacks against Web3 workers. Set up on October 14th 2024, the channel would share credit card details for free every day.

The impact: According to the Hanover Police Department, around 57 victims have suffered over USD 264,000 in losses due to the sale of stolen financial information on the marketplace.


That’s all for this week. 👋

We’re back on Thursday for our weekly cybersecurity vendor news roundup.
