With the rising cyber threats, organizations need to stay up-to-date on the latest developments and attacks. This week’s weekly cybersecurity bulletin shares ransomware threats and attacks, the novel medusa ransomware, fake LinkedIn job offers with malware, Akamai’s 900 GBPS attack mitigation, and Fortinet’s latest RCE discovery, among others.
La Housing Authority Reports Data Breach Following Ransomware Attack
The Housing Authority of the City of Los Angeles (HACLA) has sounded the alarm regarding a “data security event” following a ransomware attack perpetrated by the LockBit gang.
With an annual budget of $1 billion, HACLA was forced to close down all of its servers and initiate an extensive inquiry when computer systems on its network were encrypted on December 31, 2022. Investigations conducted until February 13, 2023, revealed that the hackers had unauthorized access to systems between January 15, 2022, and December 31, 2022.
An analysis of the incident uncovered that members of HACLA might have had their personal and financial data breached, including but not limited to full names, SSNs (Social Security Numbers), dates of birth, passport numbers, driver’s licenses, state ID numbers, tax ID numbers, military ID numbers, government-issued ID numbers, credit/debit card numbers, financial account numbers, health insurance information, and medical information.
The organization has contacted all impacted individuals via mail, providing instructions on monitoring their accounts, placing fraud alerts, and reporting identity theft incidents to the authorities. The LockBit 3.0 ransomware gang, one of the most active and notorious RaaS (Ransomware-as-a-Service) operations, has claimed responsibility for the attack on HACLA. They also uploaded samples of the files they purport to have stolen from the organization uploaded to the LockBit extortion site on December 31, 2022.
Following the publication of all files on January 27, 2023, it is evident that the negotiations for the ransom payment failed, and HACLA refused to acquiesce to the cybercriminals’ demands.
Hackers Abscond With $197 Million in Crypto During Euler Finance Attack
On Sunday, a cryptocurrency flash loan attack targeted lending protocol Euler Finance, resulting in the theft of $197 million in various digital assets.
The perpetrator’s ETH wallet, which contains the stolen funds, is being monitored, making it difficult to move the funds and convert them into usable forms. The UK-based Euler Labs, the startup behind Euler Finance, issued a brief statement on Twitter, stating that they are cooperating with security professionals and law enforcement agencies and will release further details soon. The attack led to a 44.2% overnight drop in the Euler (EUL) token value, falling from $6.56 to $3.37.
PeckShield, a blockchain security and analytics enterprise, reported that Euler’s hack resulted from flawed logic in its donation and liquidation system. As a result, the attackers could manipulate the conversion rate and profit from the liquidation process.
DeFi hacks have risen over the past couple of years, with hackers shifting their focus from exchanges to exploiting the logic flaws in crypto lending platform smart contracts.
Medusa Ransomware Syndicate Intensifies Targeting of Organizations Across the World
The Medusa ransomware campaign has emerged as a significant threat to corporations worldwide in 2023, demanding millions of dollars in ransom.
The campaign was launched in June 2021 and saw low activity with minimal victims. However, its activity has increased significantly this year, and the gang behind the campaign has used a “Medusa Blog” to release data belonging to those who refuse to pay the ransom. Recently, Medusa took responsibility for the attack on the MPS (Minneapolis Public Schools) district and shared a video of the stolen data, gaining media attention.
Medusa is shared among different malware families, including MedusaLocker ransomware, a Mirai-based botnet with ransomware abilities, and Medusa Android malware. The ransomware gang behind Medusa uses a Tor website for ransom negotiations with a unique onion address. The ransomware deletes over 280 Windows services and processes and encrypts files with AES-256 + RSA-2048 encryption using the BCrypt library.
The ransom note contains contact information, including a Tor data leak site, a Tor negotiation site, a Telegram channel, a Tox ID, and the key.medusa.serviceteam@protonmail[.]com email address.
Cybercriminals Use LinkedIn Job Offers to Target Security Researchers With New Malware
North Korean hackers are using fake job offers to infiltrate media organizations and security researchers in the US and Europe with three new, custom malware families. It is suspected that this hacking group is different from the Lazarus group.
These North Korean hackers use social engineering to lure their targets into communicating through WhatsApp and deliver “PlankWalk,” a C++ backdoor, to infiltrate the corporate environment. The attackers pose as job recruiters on LinkedIn before sending target Word documents with malicious macros that fit the job description.
These macros use remote-template injection to fetch a trojanized version of TightVNC from compromised WordPress sites that act as command and control servers. The hackers have developed a new, custom malware dropper called “TouchShift,” which mimics a legitimate Windows binary and loads other malware, including a new backdoor called “SideShow,” which supports 49 commands.
These attackers have previously targeted security researchers by creating fake online personas pretending to be vulnerability researchers.
Akamai Thwarts Record-Breaking 900 GBPS Ddos Attack in Asia
On February 23, 2023, Akamai reported mitigating the most significant DDoS attack against a customer in the Asia-Pacific region.
Typically, such attacks aim to disrupt business operations for political, competitive, or extortion purposes. In the most recent incident that Akamai mitigated, the attack reached a peak of 900.1 gigabits and 158.2 million packets per second, lasting for approximately one minute.
The internet security organization handled the attack well by dropping the garbage traffic to its scrubbing network, which involved a distributed infrastructure of many strategically located centers that took incoming traffic and removed unwanted requests from the target’s network.
Although 48% of the malicious traffic was handled by scrubbing centers in the APAC region, all of Akamai’s 26 centers were loaded, but all were within 15% of the total traffic. The impacted customers experienced no direct or collateral damage, and their services were not rendered inaccessible to legitimate customers.
Akamai’s highest mitigation was a DDoS attack on September 12, 2022, targeting a customer in Eastern Europe, which peaked at 704 million packets per second.
Fortinet Cautions of New High-Severity RCE Vulnerability Without Authentication
Fortinet has announced a severe vulnerability, CVE-2023-25610, that affects FortiOS and FortiProxy, allowing an attacker to execute arbitrary code or carry out a DoS (Denial of Service) attack on vulnerable devices.
The flaw is a buffer underflow vulnerability categorized as “Critical,” with a CVSS v3 score of 9.3, indicating the flaw’s severity. The Fortinet security advisory indicates that it has not yet identified any active exploits in the wild. However, the vulnerability affects various products.
However, the DoS aspect affects all devices running a vulnerable version of FortiOS. Fortinet advises administrators to apply the available security updates as soon as possible, disable the HTTP/HTTPS administrative interface, or restrict remote access by limiting the IP (Internet Protocol) addresses that can access it as a temporary workaround.
Fortinet previously fixed two critical remote code execution flaws in FortiNAC and FortiWeb products in February 2023 and encouraged users to apply the security updates immediately. A working proof-of-concept was released only four days later, and active exploitation began on February 22, 2023.