To stay ahead of cybercriminals, one needs to understand how they operate, down to the details of individual campaigns. This week’s headlines cover ransomware attacks, government warnings, stolen financial information, a federal arrest, and a cryptocurrency phishing campaign.
City of Oakland’s Stolen Data Released by Ransomware Group
The City of Oakland, California, was recently hit by the Play ransomware gang, which has now begun leaking data stolen in the attack.
The attack occurred on 8 February and forced the city to take all IT systems offline until the network could be secured. Emergency services were not affected, but phone services and the systems used to collect payments, process reports, and issue permits and licenses were unavailable.
The leaked data reportedly consists of a 10 GB RAR archive containing confidential documents, employee information, passports, and IDs. In its claim of responsibility, the gang states that the published data includes private and personal confidential data, financial information, IDs, passports, full employee information, and information on human rights violations.
In a statement on the incident, the City of Oakland said it is investigating and will notify anyone whose personal data may have been compromised. It confirmed that an unauthorized third party had acquired certain files from its network and intended to release them publicly.
The city has engaged third-party specialists and law enforcement to investigate the validity of the gang’s claims.
BidenCash Market Offers Free Access to Over 2 Million Stolen Credit Cards
The underground carding marketplace BidenCash has released a database of 2,165,700 stolen credit and debit cards to mark its first anniversary.
According to researchers, the dump contains 740,858 credit cards, 811,676 debit cards, and 293 charge cards, with tens of thousands of duplicate entries. After de-duplication, 2,141,564 unique cards remain, along with personal information, including names, phone numbers, residential and email addresses, and payment details including expiration dates and CVV codes.
The dump also exposes 497,000 unique email addresses across more than 28,000 distinct domains, which can be used for targeted phishing or fraud campaigns. Because many records are complete profiles (“fullz”), victims are exposed not only to card fraud but also to phishing, identity theft, and online scams.
BidenCash has used free card dumps as promotion before, releasing 1,221,551 cards in October 2022. The shop has been active since 28 February 2022, and such giveaways are an established marketing tactic among carding marketplaces.
FBI and CISA Issue Warning on Growing Risks of Royal Ransomware Attacks
The FBI and CISA have jointly warned of the increasing threat from ongoing Royal ransomware attacks against U.S. critical infrastructure sectors, including healthcare, communications, and education.
The Department of Health and Human Services (HHS) had already issued an advisory in December 2022 linking the operation to multiple attacks on U.S. healthcare organizations. The new joint advisory shares the group’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help defenders detect and block attempts to deploy Royal ransomware payloads on their networks.
The agencies urge organizations at risk to take proactive steps against ransomware, including prioritizing remediation of known vulnerabilities and training employees to recognize and report phishing attempts. The FBI does not recommend paying ransoms, and regardless of whether a victim pays, it asks that incidents be reported to the local FBI field office or to CISA so the agencies can gather intelligence on the group.
Royal is a private ransomware operation that has seen a surge in activity since September 2022, with ransom demands ranging from $250,000 to tens of millions of dollars per attack. The group relies on social engineering, including callback phishing, and has used hijacked Twitter accounts to pressure victims and attract media attention.
Chick-fil-A Acknowledges Accounts Compromised in “Automated” Attack Spanning Several Months
Chick-fil-A, the American fast food chain, has disclosed that more than 71,000 customer accounts were compromised in a months-long credential-stuffing attack.
The company confirmed the attack in a security notice filed with multiple state Attorney General offices. It ran from 18 December 2022 to 12 February 2023 and affected 71,473 accounts. According to the notification, the attackers used account credentials obtained from a third-party source, that is, username and password pairs exposed elsewhere and replayed against Chick-fil-A logins, which is what defines a credential-stuffing attack.
Chick-fil-A warned affected customers that the attackers may have accessed personal information including name, email address, membership number, phone number, Chick-fil-A One QR code, masked payment card details, and the funds or credit on the account. In response, the company forced password resets, froze funds loaded onto accounts, and removed stored payment information. It has since restored Chick-fil-A One account balances and added rewards to impacted accounts by way of apology.
Impacted customers should change their password on every other site where they reused their Chick-fil-A password, and should be alert for targeted phishing emails that make use of the exposed personal information.
Australian Woman Arrested for Email Bombing Government Office
A woman in Sydney, Australia, has been arrested by the Australian Federal Police (AFP) for allegedly email bombing the office of a Federal Member of Parliament.
Email bombing is an attack in which the attacker floods an address with a very large volume of messages to overwhelm the recipient’s inbox or mail server. According to the AFP, the woman sent more than 32,000 emails to the MP’s office within 24 hours, disrupting the office’s IT systems and preventing the public from contacting it.
The AFP states that the emails were sent from multiple domains, prolonging the disruption and harassment. The woman has been charged with one count of unauthorised impairment of electronic communication under section 477.3 of the Criminal Code Act 1995, which carries a maximum penalty of ten years’ imprisonment.
The AFP did not explain how the woman was able to send so many emails so quickly, but the use of multiple sending domains suggests an “email bombing” service. Such services typically abuse the signup and newsletter forms of many unrelated websites so that each one sends the target a confirmation message, which is why the traffic arrives from a large number of otherwise legitimate domains.
Because the messages come from many senders and domains, blocking individual addresses or marking them as spam after the fact does not stop the flood. Defenders need filtering that acts on the behaviour of the flood itself, for example rate limits on inbound messages per recipient over a short window, or rules keyed on subject or content patterns shared by the bombing messages.
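The following added example (not tooling from the AFP or any product mentioned in this article) shows the difference between the two defences described above. It runs a per-recipient sliding-window rate rule over constructed MTA-style log lines and flags a mailbox whose inbound volume spikes across many sender domains, then measures how little of the same flood a blocklist of the busiest sender addresses would have stopped. Log format, addresses, domains and thresholds are all constructed for the example.

```python
"""Rate-based detection of an email-bombing flood against a single mailbox.

Added example for this article; not tooling from the AFP or any product.
All log lines, addresses, domains and thresholds below are constructed.
Lines imitate a simplified MTA log: "<ISO timestamp> from=<sender> to=<recipient>".
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)>$")


def parse_line(line):
    """Return (timestamp, sender, recipient) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["sender"].lower(), m["rcpt"].lower()


def detect_floods(lines, window=timedelta(minutes=10), max_msgs=200, min_domains=5):
    """Flag recipients who receive more than max_msgs messages inside any sliding
    window, from at least min_domains distinct sender domains.

    Sender blocklists are useless against a flood from many distinct senders, so
    the rule keys on the behaviour of the flood (volume per recipient per window)
    rather than on who sent it.  Lines must be in chronological order.
    Returns {recipient: (peak_messages_in_window, distinct_sender_domains)}.
    """
    recent = defaultdict(deque)  # recipient -> deque of (timestamp, sender_domain)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sender, rcpt = parsed
        q = recent[rcpt]
        q.append((ts, sender.rsplit("@", 1)[-1]))
        while q and ts - q[0][0] > window:      # drop messages older than the window
            q.popleft()
        if len(q) > max_msgs:
            domains = {d for _, d in q}
            if len(domains) >= min_domains:
                peak, seen = flagged.get(rcpt, (0, 0))
                flagged[rcpt] = (max(peak, len(q)), max(seen, len(domains)))
    return flagged


def blocklist_coverage(lines, rcpt, top_n=10):
    """Fraction of messages to rcpt that a blocklist of the top_n most frequent
    sender addresses would have stopped.  Shows why address blocking fails."""
    senders = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == rcpt:
            senders[parsed[1]] += 1
    total = sum(senders.values())
    blocked = sum(n for _, n in senders.most_common(top_n))
    return blocked / total if total else 0.0


def build_sample_log():
    """Constructed sample: ordinary traffic to staff@, and a 600-message flood to
    mp@ in five minutes from 600 distinct addresses across 40 sending domains."""
    base = datetime(2023, 3, 1, 9, 0, 0)
    lines = []
    for i in range(30):                       # one legitimate message every two minutes
        ts = base + timedelta(minutes=2 * i)
        lines.append(f"{ts.isoformat()} from=<citizen{i}@mail{i % 3}.example> to=<staff@office.example>")
    for i in range(600):                      # two bombing messages per second
        ts = base + timedelta(seconds=i // 2)
        lines.append(f"{ts.isoformat()} from=<signup{i}@bulk{i % 40}.example> to=<mp@office.example>")
    lines.sort()                              # ISO timestamps sort chronologically as text
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for rcpt, (peak, domains) in detect_floods(log).items():
        print(f"flood: {rcpt} peaked at {peak} msgs/10min from {domains} domains")
    share = blocklist_coverage(log, "mp@office.example")
    print(f"blocking the 10 busiest senders would have stopped {share:.1%} of the flood")
```

On the constructed sample the rate rule flags only the MP's mailbox (600 messages in a ten-minute window from 40 domains) and leaves the staff mailbox alone, while a blocklist of the ten busiest sender addresses would have stopped under 2% of the flood, because every bombing message came from a different address. The thresholds are illustrative; in production they should be tuned against the mailbox's normal peak volume.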
Trezor Warns of Massive Crypto Wallet Phishing Campaign
An ongoing phishing campaign is targeting Trezor users with messages that pose as Trezor data breach notifications and aim to steal the victims’ cryptocurrency.
Trezor is a hardware wallet that keeps the private keys for a user’s cryptocurrency on a dedicated device rather than in a cloud or software wallet. The device is connected to a computer or phone to approve transactions, but the keys never leave it and each transaction must be confirmed on the device itself, which protects funds from malware on the host. When a new wallet is created, the user is given a recovery seed of 12 or 24 words from which the wallet can be fully recreated. That is also the weak point: anyone who obtains the seed can recreate the wallet on their own hardware and empty it, without ever touching the original device.
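The following added example, which is not Trezor’s code or from the original article, shows why the recovery seed is all an attacker needs. It implements the standard BIP39 step that turns the 12 or 24 words (plus an optional passphrase) into the wallet’s binary seed, and the BIP32 step that turns that seed into the master private key and chain code, using only the Python standard library. Function names are ours; the known-answer check uses the first published BIP39 English test vector. Validation of the words against the 2048-word list is left out because it needs the list itself.

```python
"""Why a recovery seed is the whole wallet: BIP39 mnemonic -> binary seed.

Added example for this article, not Trezor's own code.  It implements the
BIP39 derivation that Trezor and most hardware wallets use (PBKDF2-HMAC-SHA512,
2048 rounds, salt "mnemonic" + optional passphrase) with only the Python
standard library, then the BIP32 master-key step, to show that the 12 or 24
words (plus passphrase, if set) reproduce every key the device holds.
Function names are ours; the test vector is the first entry of the published
BIP39 English vectors.  Word-list checksum validation is omitted because it
needs the 2048-word list.
"""
import hashlib
import hmac
import unicodedata

PBKDF2_ROUNDS = 2048
SEED_BYTES = 64

# Published BIP39 test vector (entropy of all zero bits, passphrase "TREZOR").
VECTOR_MNEMONIC = ("abandon " * 11 + "about").strip()
VECTOR_PASSPHRASE = "TREZOR"
VECTOR_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e53495531f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048, 64).

    Both inputs are NFKD-normalised and the words are joined by single spaces,
    so a mnemonic copied with odd spacing still yields the same seed.  The
    passphrase (Trezor's "25th word") is the only thing a thief who has the
    words but not the passphrase still lacks.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"), salt.encode("utf-8"),
                               PBKDF2_ROUNDS, SEED_BYTES)


def master_key(seed: bytes) -> tuple:
    """BIP32: HMAC-SHA512 keyed with b"Bitcoin seed"; the left half is the master
    private key, the right half the chain code.  Every address the wallet will
    ever use is derived deterministically from these two values."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def seed_matches_vector() -> bool:
    """Check this derivation against the published BIP39 test vector."""
    return mnemonic_to_seed(VECTOR_MNEMONIC, VECTOR_PASSPHRASE).hex() == VECTOR_SEED_HEX


if __name__ == "__main__":
    seed = mnemonic_to_seed(VECTOR_MNEMONIC, VECTOR_PASSPHRASE)
    priv, chain = master_key(seed)
    print("vector check:", seed_matches_vector())
    print("master private key:", priv.hex())
    # A phishing page that captures the words (and any passphrase) gets exactly this.
    print("same words, no passphrase:", mnemonic_to_seed(VECTOR_MNEMONIC).hex()[:16], "...")
```

Nothing in the derivation depends on the Trezor device: the words are the secret, and a phishing form that captures them (and the passphrase, if the victim types that too) gives the attacker the same master key the device computes internally, which is exactly what the campaign described here is after.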
Since 27 February, Trezor customers have been receiving phishing SMS messages and emails asking them to visit a website to “secure” their devices after a supposed data breach. The fake site prompts users to enter their recovery seed, which the threat actors then capture. Trezor has warned users to beware of such messages and says it has found no evidence of a recent breach of its systems. No legitimate Trezor process asks for a recovery seed through a link in an email or text message.
It is not known how the threat actors obtained Trezor customers’ phone numbers and email addresses; one possibility is the marketing list stolen in the MailChimp breach of March 2022.