Last Week in Infosec

July 8 – July 15, 2022

New security patches from no fewer than five major vendors, actively exploited vulnerabilities, ransomware, leaks, espionage and the Disneyland social media debacle – here’s your weekly infosec news summary.


Vulnerabilities and Exploits

5 major manufacturers release security updates

Last week, security patches were released for various products from Citrix, Microsoft, SAP, Adobe and Juniper. Microsoft alone closed 84 vulnerabilities, one of which is already being actively exploited. [1]

Microsoft vulnerability CVE-2022-22047 is actively exploited

The U.S. agency CISA maintains a catalog of vulnerabilities [2] that are known to be publicly exploited. Last week, vulnerability CVE-2022-22047 was added to this catalog. This is a privilege escalation vulnerability with a CVSS rating of 7.8 (High), but details have not yet been published. A patch has already been released.

Threat Actors & Campaigns

140,000 customer records exposed in Aon hack

Aon reported the incident to the Securities and Exchange Commission in February. Three months later, in May, additional information was provided. [3]

According to a May 27 letter (PDF) from Aon informing those affected, personal data disclosed included driver’s license numbers, Social Security numbers, and, in rare cases, details about insurance policy purchases. The company has taken steps to ensure that the unauthorized third party can no longer access the data. Aon has no reason to believe that the third party copied, stored or transferred any other data.

Telecoms hit by ransomware attack

In last week’s post, we wrote about LockBit. Shortly after, we read that the administrative and management capacities of the French telecom provider MVNO LPA have been significantly limited following a ransomware attack. The attack started on July 4 and is believed to have been carried out by the LockBit group. A week later, the company’s website was still down, replaced with a description of the cyberattack. [4]

Security experts have seen a sharp increase in LockBit activity in recent months, with some speculating that the group was more active in the first quarter of 2022 than Conti, which had the unenviable honor of being the most active ransomware gang in 2021. Given their vast consumer data stores and near-essential services, telecom companies are obviously a desirable target for cybercriminals.

‘BlackCat’ ransomware raises demands to $2.5 million

Cybersecurity researchers claim to have noticed a significant increase in ransomware demands from the BlackCat ransomware. [5] A statement from the organization said, “Such practices have a significant impact on the underground ransomware ecosystem, harming companies of various sizes around the world.”

To pressure victims into resolving the situation as quickly as possible, the BlackCat ransomware perpetrators have reportedly started setting ransom demands of $2.5 million, with a potential discount of almost half. To give the victim enough time to buy Bitcoin or XMR, the usual deadline for payment is between 5 and 7 days. If there are problems, the victim can hire an “intermediary” to assist with the payment process.

Ransomware attacks breach 1.9 million health records

In February, 1.9 million patient records from 657 healthcare providers were accessed through a “sophisticated” ransomware attack on the Professional Finance Company collection agency. [6]

Although this had a significant impact, it was only the third largest healthcare data breach reported in 2022. With more than 2.8 million patients affected across fewer than 45 providers, the Eye Care Leaders incident remains the largest healthcare incident to date. With 2 million patients affected, the Shields Health Care Group hack is the second largest.

PFC asserted (PDF) that it had strengthened its network security after the incident by wiping and rebuilding affected systems. Those efforts may have come a bit too late, however, as the agency would not say whether the stolen data was encrypted.


Business, Politics and Culture

Disneyland social media hacked with racist posts

Early Thursday morning, a hacker posted a series of offensive, racist, homophobic, and insensitive messages on the Disneyland Resort’s official Instagram account. [7]

The posts were published before 5 a.m. and quickly removed, but not before many people read or screenshotted them. Just before 4:30 a.m. (PST) on Thursday, four posts surfaced on Disneyland’s Instagram account. One of the captions said a self-proclaimed “superhacker” was seeking revenge against the theme park, according to the Los Angeles Times. The posts included homophobic obscenities, and the N-word was used frequently.

Increasing cyber espionage against Russia

An investigation published Thursday shows that hackers with ties to the Chinese government are increasingly targeting Russian entities, with the ongoing operation appearing to be primarily linked to espionage. [8] The latest analysis also traces previous attacks by Chinese APT organizations that targeted Russia. These include the Space Pirates, Mustang Panda, and Scarab campaigns identified by SentinelLabs. Google’s Threat Analysis Group (TAG) also drew attention in May to the increasing targeting of Russia by Chinese threat actors.

Cyberattacks in Ukraine surged in Q2

In the second quarter of the year, Ukraine reported an increase in cyberattacks directed against its networks. [9]

A report on the rise in cyberattacks was released by Ukraine’s State Service for Special Communications and Information Protection. Although there have been more attacks since Russia’s invasion, the increase was not expected in the second quarter of 2022. Ukraine’s National Vulnerability and Cyber Incident Detection System processed 19 billion events during the period. The number of registered and processed security incidents increased from 40 to 64, despite the measures introduced against Russian hacking groups. In addition, a sharp increase was recorded in malware distribution by malicious hacker groups. The malicious code category, for example, grew by 38% in the second quarter compared to the first quarter of the year.


That’s it for today. We’ll be back next week with our infosec news summary.🕵️