Here is the weekly cybersecurity bulletin, bringing you the top cybersecurity news covering the latest malware discoveries, ransomware attacks, vulnerable Cisco adapters, healthcare data breaches, and the FBI taking down nine crypto exchange websites. Let us take a look.
Fluhorse Malware Targets Android Devices, Stealing Passwords and 2FA Codes
Fluhorse, a new Android malware, has targeted East Asian users with malicious versions of genuine applications.
Check Point researchers discovered the malware, which has been targeting multiple sectors since May 2022. FluHorse is distributed via email and is known for stealing account credentials and credit card information from high-profile targets.
The malware also intercepts 2FA (Two-Factor Authentication) codes. It lures high-profile targets with a fake payment issue, urging them to act promptly, and directs them to a phishing website serving a fake APK (Android Package) file that contains the malware.
FluHorse mimics ETC, VPBank Neo, and several other genuine applications available on the Google Play store. Individuals are advised to ignore such phishing emails and to refrain from downloading files or software from untrusted websites.
Alpha Gang Claims Responsibility for Ransomware Attack on Constellation Software
A Canadian software enterprise, Constellation Software, confirmed that its systems were breached and that the attackers stole critical business data and personal information.
The threat actors were able to access a handful of systems in Constellation’s internal financial reporting, while other independent systems were not impacted in any way. Constellation has stated that all of its systems have been restored and that business partners and customers whose information was stolen during the data breach will be contacted and provided with all the details.
Constellation did not give any details of the attack. However, the ALPHV (aka BlackCat) ransomware gang added a new entry to its data leak site, claiming to have breached Constellation and stolen over 1 TB of data. ALPHV has made a ransom demand and will not negotiate.
ALPHV threatened to release the data and shared a few documents with critical business information online.
Cisco Phone Adapters Vulnerable to RCE Attacks; No Available Fix at the Moment
Cisco disclosed a new critical vulnerability in the web-based management interface of its SPA112 2-Port Phone Adapters that exposes the devices to RCE (Remote Code Execution) attacks.
Tracked as CVE-2023-20126, the vulnerability is caused by a missing authentication check in the firmware upgrade function, which allows threat actors to upgrade the device to crafted firmware and execute arbitrary code on it with full privileges. One crucial point is that these adapters are not exposed to the Internet, so the flaw can only be exploited from the local network.
Since the SPA112 has reached the end of its life, Cisco will not provide a security update. Users still relying on it are advised to migrate to the Cisco ATA 190 Series Analog Telephone Adapter.
Facebook Disrupts NodeStealer Information-Stealing Malware
Facebook discovered NodeStealer, a new information-stealer distributed via Meta’s platforms.
NodeStealer allows threat actors to steal browser cookies and hijack Meta, Gmail, and Outlook accounts. In a blog post, Facebook’s security team shared malware details highlighting that NodeStealer is still in the early distribution phase.
The organization disrupted the operation only two weeks after its deployment. NodeStealer was first observed in late January this year and is attributed to Vietnamese threat actors; its primary goal is stealing cookies and account credentials from Chromium-based browsers such as Microsoft Edge, Google Chrome, Brave, Opera, and more.
Facebook reported the threat actor’s server, which was taken down on 25 January.
Brightline Data Breach Affects 783K Pediatric Mental Health Patients
Brightline, a pediatric mental health provider, suffered a data breach that impacted 783,606 individuals.
A ransomware gang was able to steal data by exploiting a critical zero-day in the Fortra GoAnywhere MFT file-sharing platform. Brightline confirmed the details of the breach and highlighted that the data stolen contained protected health information.
The Clop ransomware gang, which was behind the attack, exploited CVE-2023-0669 to steal data from nearly 130 organizations, including Brightline. The internal investigation revealed that the threat actors made away with full names, residential addresses, dates of birth, member identification numbers, health plan coverage dates, and employer names.
Brightline has offered all impacted individuals identity theft and credit monitoring services for 2 years via Cyberscout.
FBI Seizes 9 Crypto Exchanges Involved in Laundering Ransomware Payments
The FBI (Federal Bureau of Investigation) and the Ukrainian police seized 9 crypto exchanges that facilitated money laundering for threat actors.
The FBI outlined that the crypto exchange websites allowed threat actors to anonymously convert cryptocurrency into other coins that are harder to trace, letting them launder their stolen assets without being tracked by law enforcement agencies. Here is a list of all the websites that the FBI took down:
- 24xbtc.com
- 100btc.pro
- pridechange.com
- 101crypta.com
- uxbtc.com
- trust-exchange.org
- bitcoin24.exchange
- paybtc.pro
- owl.gold
All the above websites show the “This Website Has Been Seized” message in English and Russian. By taking these websites down, the FBI has dismantled malicious services and hindered the financial operations of multiple ransomware groups, sending out a strong message that the law will prevail against threat actors.