Every week brings new developments, threats, and breaches in cyberspace. This week’s cybersecurity news covers Ferrari’s data breach, the new HinataBot botnet, Pompompurin’s arrest, the 18 zero-day vulnerabilities in Samsung’s Exynos chipsets, the Redline info-stealing malware, and the ILS healthcare data breach. Let’s get started.


Ferrari Reveals Data Breach After Receiving Ransom Demand

Following a breach of some of its IT systems, Ferrari has disclosed that it received a ransom demand from the attackers.

In breach notification letters sent to customers, Ferrari apologised for the incident and acknowledged that a limited number of systems in its IT environment had been accessed. The luxury carmaker confirmed that the attackers demanded a ransom in exchange for not leaking data stolen from those systems, but it has not said whether the incident involved ransomware (encryption of systems) or was a pure data-extortion attempt.

Ferrari explained that a threat actor had contacted Ferrari S.p.A., its wholly owned Italian subsidiary, with a ransom demand relating to certain client contact details. On receiving the demand, Ferrari immediately launched an investigation together with a leading international third-party cybersecurity firm.

The exposed customer information includes names, postal addresses, email addresses, and telephone numbers. Ferrari says it has found no evidence that payment details, bank account numbers, or other sensitive payment information were accessed or stolen.

Ferrari reassured customers that the attack did not affect its operations and that measures have been taken to secure the compromised systems. The automaker has also reported the attack to the relevant authorities and continues to work with the cybersecurity firm to determine the full extent of the impact. Even without payment data, the names, addresses, and phone numbers of a high-value customer base are enough for convincing targeted phishing and impersonation, so affected customers should treat unsolicited Ferrari-branded messages and calls with suspicion.


Massive 3.3 Tbps DDoS Attacks Possible with New ‘HinataBot’ Botnet

Researchers at Akamai recently discovered a new botnet that targets devices running the Realtek SDK, Huawei routers, and exposed Hadoop YARN servers. The malware seeks to harness infected devices into a DDoS (Distributed Denial of Service) swarm capable of very large attacks. It spreads by exploiting old, well-known vulnerabilities such as CVE-2014-8361 (Realtek SDK miniigd UPnP service) and CVE-2017-17215 (Huawei HG532 routers).


The botnet, called HinataBot, is written in Go and is a descendant of the notorious Mirai family. It is distributed either by brute-forcing SSH endpoints or via infection scripts and RCE payloads for the known vulnerabilities above. After infecting a device, the malware runs quietly and waits for commands from its C2 (command-and-control) server.
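The SSH brute-forcing that Akamai describes as one of HinataBot’s spreading methods leaves a characteristic trace in sshd logs, and that is usually the earliest defender-side signal. The following is an added example, not code from Akamai’s write-up or from the botnet itself: a small Python detector that walks constructed auth.log lines (the hostname, addresses, and usernames are made up) and flags any source address that exceeds a threshold of failed password logins inside a sliding time window, the same logic a fail2ban-style rule or a SIEM correlation search implements. The 5-failure threshold, the 60-second window, and the Debian/Ubuntu syslog line format are assumptions; tune them to your environment.

```python
"""Sliding-window detector for SSH password brute-forcing in sshd auth logs.

Assumptions (not from the HinataBot report): Debian/Ubuntu-style syslog lines,
a 5-failure threshold, a 60-second window, and a constructed sample log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Only "Failed password" lines are counted. sshd also logs a separate
# "Invalid user X" line for unknown accounts; counting both would double-count.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failure(line, year=2023):
    """Return (timestamp, source_ip, username) for an sshd failure line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # Classic syslog timestamps carry no year; the caller supplies it.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("user")


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside any window_seconds span.

    Returns {ip: {"flagged_at": datetime, "peak": int, "usernames": [str, ...]}}.
    """
    events = [e for e in map(parse_failure, lines) if e is not None]
    events.sort(key=lambda e: e[0])  # syslog lines are not guaranteed to be ordered

    window = defaultdict(deque)   # per-IP timestamps inside the current window
    usernames = defaultdict(set)  # every account each IP has tried
    flagged = {}
    for ts, ip, user in events:
        q = window[ip]
        q.append(ts)
        # Drop timestamps that fell out of the window; q keeps at least ts itself.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        usernames[ip].add(user)
        if len(q) >= threshold:
            hit = flagged.setdefault(ip, {"flagged_at": ts, "peak": 0})
            hit["peak"] = max(hit["peak"], len(q))

    for ip, hit in flagged.items():
        hit["usernames"] = sorted(usernames[ip])
    return flagged


# Constructed sample (hostname, addresses and accounts are made up): one burst
# of six failures from 203.0.113.45 spraying default accounts, two spaced-out
# typos from a legitimate user who then logs in with a key, and unrelated noise.
SAMPLE_AUTH_LOG = """\
Mar 20 10:02:10 edge-gw sshd[2190]: Failed password for alice from 198.51.100.7 port 41022 ssh2
Mar 20 10:12:40 edge-gw sshd[2205]: Failed password for alice from 198.51.100.7 port 41030 ssh2
Mar 20 10:12:58 edge-gw sshd[2207]: Accepted publickey for alice from 198.51.100.7 port 41031 ssh2
Mar 20 10:15:01 edge-gw sshd[2211]: Failed password for root from 203.0.113.45 port 50122 ssh2
Mar 20 10:15:03 edge-gw sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 50124 ssh2
Mar 20 10:15:04 edge-gw sshd[2215]: Failed password for invalid user pi from 203.0.113.45 port 50126 ssh2
Mar 20 10:15:06 edge-gw sshd[2217]: Failed password for root from 203.0.113.45 port 50128 ssh2
Mar 20 10:15:08 edge-gw sshd[2219]: Failed password for invalid user ubuntu from 203.0.113.45 port 50130 ssh2
Mar 20 10:15:09 edge-gw sshd[2221]: Failed password for root from 203.0.113.45 port 50132 ssh2
Mar 20 10:16:00 edge-gw CRON[2230]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

if __name__ == "__main__":
    for ip, hit in find_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"{ip}: {hit['peak']} failures within 60s at {hit['flagged_at']:%H:%M:%S}, "
              f"accounts tried: {', '.join(hit['usernames'])}")
```

Run against the sample, only 203.0.113.45 is flagged; the two failures from 198.51.100.7 are ten minutes apart and never reach the threshold inside one window. The list of accounts tried (root, admin, pi, ubuntu) is the tell: a credential-spraying bot works through default IoT and cloud-image usernames, whereas a human typo repeats one real account. In production the `year` argument should come from the log rotation date, since classic syslog timestamps omit it.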

HinataBot is under active development, gaining functional improvements and anti-analysis features. Earlier versions supported HTTP, UDP, ICMP, and TCP floods, whereas the newer variants implement only HTTP and UDP floods. Even so, the botnet can launch powerful DDoS attacks: Akamai estimated that a botnet of 10,000 infected nodes could generate roughly 3.3 Tbps of UDP flood traffic. Akamai’s researchers expect HinataBot to add more exploits and widen its targeting scope.

Its ongoing development makes more capable versions likely to appear in the wild soon. Because the botnet relies on years-old vulnerabilities and weak SSH credentials, the defensive measures are the familiar ones: patch or retire end-of-life routers, keep device management interfaces and Hadoop APIs off the public internet, and disable SSH password authentication in favour of keys.


Cybercrime Charges Lead to Arrest of Alleged BreachForums Owner Pompompurin

On Wednesday, US law enforcement arrested a New York man suspected of being the owner of the hacking forum BreachForums, who goes by the handle Pompompurin.

At the time of the arrest, the accused identified himself as Connor Brian Fitzpatrick and confirmed that he is Pompompurin, the owner of BreachForums, according to FBI Special Agent John Longmire. Fitzpatrick has been released on a $300,000 bond and is due to appear in the US District Court for the Eastern District of Virginia on 24 March.

Pending his court appearance, Fitzpatrick has surrendered his travel documents and may travel only within certain areas for legal proceedings. He is also prohibited from contacting witnesses, co-defendants, or co-conspirators. In Pompompurin’s absence, a forum administrator has announced that BreachForums will continue to operate and that the remaining staff have full access to the site’s infrastructure.

Pompompurin has been a prominent figure in the cybercriminal underground, breaching organizations and selling or leaking the stolen data through forums and social media. He was also a well-known member of the RaidForums cybercrime forum until the FBI seized it in 2022.


Google Detects 18 Zero-Day Vulnerabilities in Samsung Exynos Chipsets

Google’s Project Zero recently uncovered and reported 18 zero-day vulnerabilities in the modems of Samsung’s Exynos chipsets.

Four of the 18 are the most serious: they allow Internet-to-baseband RCE (Remote Code Execution), meaning an attacker can compromise the phone’s modem remotely with no user interaction. The remaining 14 require either local access or a malicious mobile network operator to exploit. Samsung has acknowledged the vulnerabilities and provided security updates to device vendors.

However, the fixes have not yet reached all affected devices, since each manufacturer must ship them in its own firmware updates. Until a patch is available for your device, the recommended workaround is to disable Wi-Fi calling and VoLTE (Voice-over-LTE) in the phone’s settings, which removes the attack surface the four remote vulnerabilities depend on.

According to Project Zero’s head, Tim Willis, the only information an attacker needs to exploit the four remote bugs is the victim’s phone number. With limited additional research and development, skilled attackers could quickly craft an operational exploit that compromises affected devices silently and remotely.

While the situation is concerning, Samsung and Google are already addressing it. Samsung has confirmed the workaround recommended by Project Zero and urges users to install security updates as soon as they become available. To check whether a device is affected, compare its chipset and modem against Samsung’s advisory rather than relying on the brand name alone: some Google Pixel and Vivo models also ship with Exynos modems.


Redline Info-Stealing Malware Pushed Through Adobe Acrobat Sign

Avast researchers have uncovered a new cybercrime trend in which criminals abuse Adobe Acrobat Sign’s online document-signing service to distribute malware that steals sensitive information from unsuspecting users.

For those who don’t know, Adobe Acrobat Sign is a cloud-based e-signature service that lets individuals send, sign, track, and manage electronic signatures. What makes it attractive for abuse is that the emails it generates come from Adobe’s own domain and mail infrastructure, so they pass the sender-reputation and authentication checks that would catch mail sent from an attacker’s own server.

The threat actors register for the service and use it to send emails to their targets containing a link to a document hosted on Adobe’s servers. A link inside that document leads to a website that requires the visitor to solve a CAPTCHA, a step that both looks legitimate and keeps automated URL scanners from retrieving the payload.

Once the CAPTCHA is solved, the site serves a ZIP archive containing the Redline information stealer, malware that harvests account credentials, cryptocurrency wallets, and credit-card details stored on the compromised device. Avast has observed highly targeted attacks using this method; in one instance the target was the owner of a popular YouTube channel with a large subscriber base.


ILS Healthcare Provider Warns 4.2 Million People of Data Breach

Miami-based healthcare administration and managed-care solutions provider ILS (Independent Living Systems) has disclosed a data breach that compromised the personal information of 4,226,508 individuals.

ILS discovered on 5 July 2022 that its network had been breached. The subsequent investigation found that the attackers had access to ILS systems between 30 June and 5 July 2022, during which they could access data. The exposed patient information may include names, SSNs (Social Security Numbers), and medical and health-insurance information.


The stolen data could be used for identity theft and phishing attacks against the affected individuals. ILS completed its internal review of the breach on 17 January 2023, more than six months after discovery, and notified affected individuals in September. The organization is offering one year of Experian’s identity-protection services free of charge to those affected. The announcement comes amid a string of notable data breaches in the healthcare sector this year.
