Cyberattacks are a growing concern for individuals and organizations. With major attacks occurring every week, we must stay up to date with the latest in cybersecurity to protect ourselves. Here is a look at this week's major cybersecurity news:

Health Companies Funneling Consumer Data to Facebook

Digital health companies are reportedly funneling sensitive, private data shared by patients to Facebook to aid targeted advertising, raising concerns about HIPAA violations.

Light Collective, a research group, published a detailed study showing how common marketing tools share sensitive patient data with Facebook without the patients' consent.

When an individual who has a Facebook account signs up on a digital medicine or genetic testing application, third-party trackers embedded by the vendor report that activity to Facebook as Off-Facebook activity. Because Facebook uses predictive algorithms, this report updates the individual's ad interests, leading to health-related ads based on the user's health data and interests.

Light Collective based the study on results from Color Genomics, HereditaryCancerQuiz[.]com, Invitae, Ciitizen and several other applications, and discovered JSON files revealing the funneling of data by various digital health organizations.

They concluded that it is unknown to what extent the organizations are aware that they are sharing health data. Either way, the practice of building a business on advertising-related channels can contradict the privacy policies these organizations publish and expose sensitive health information.
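The leak described above can be checked from the user side: a browser's developer tools export each outgoing request, and any request to a known tracking host that carries fields named after the quiz, test or result is a finding. The following is an added example, not code from Light Collective's study or from any of the companies named; the request records, the first-party host `health.example`, the list of sensitive field names and the Pixel values are all constructed for illustration. The Facebook Pixel reporting endpoint (`www.facebook.com/tr/`) and script host (`connect.facebook.net`) are the real hostnames.

```python
"""Flag third-party tracker requests that carry health-related fields.

Added illustration (not from Light Collective's study): a minimal audit over
constructed HAR-style request records, of the kind a browser's developer
tools export, to spot first-party health data leaving for tracking hosts.
"""
from urllib.parse import urlsplit, parse_qs

# Hostnames of Meta/Facebook tracking endpoints (the Pixel reports to
# www.facebook.com/tr/ and loads its script from connect.facebook.net).
TRACKER_HOSTS = {"www.facebook.com", "connect.facebook.net"}

# Assumed list of terms in parameter names that would carry health context.
SENSITIVE_TERMS = {"condition", "diagnosis", "test", "gene", "cancer", "quiz", "result"}

# Constructed sample: three requests captured while a user completes a quiz
# on a hypothetical health site. None of these URLs are real captures.
SAMPLE_HAR_ENTRIES = [
    {"url": "https://health.example/api/quiz", "postData": "gene=BRCA1&step=2"},
    {"url": "https://www.facebook.com/tr/?id=123&ev=PageView"
            "&cd[quiz]=hereditary_cancer&cd[result]=high_risk", "postData": ""},
    {"url": "https://cdn.example/app.js", "postData": ""},
]


def _fields(entry):
    """Return (hostname, {key: values}) for every query or POST body field."""
    parts = urlsplit(entry["url"])
    fields = dict(parse_qs(parts.query))
    fields.update(parse_qs(entry.get("postData", "")))
    return parts.hostname, fields


def is_tracker(host):
    """True when the request goes to one of the known tracking hosts."""
    return host in TRACKER_HOSTS


def sensitive_fields(fields):
    """Keys whose name mentions a sensitive term, e.g. 'cd[quiz]' matches 'quiz'."""
    return sorted(k for k in fields if any(t in k.lower() for t in SENSITIVE_TERMS))


def audit(entries, first_party_host):
    """Report third-party tracker requests and the sensitive fields they carry."""
    findings = []
    for entry in entries:
        host, fields = _fields(entry)
        if host == first_party_host or not is_tracker(host):
            continue  # first-party traffic, or a non-tracker third party
        leaked = sensitive_fields(fields)
        findings.append({"host": host, "leaked_fields": leaked,
                         "values": {k: fields[k] for k in leaked}})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HAR_ENTRIES, "health.example"):
        print(finding)
```

Run against a real HAR export, `audit` only needs the `url` and `postData` of each entry; widening `TRACKER_HOSTS` to other ad networks makes it a general third-party data-flow check.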

Chinese Cyberspy Group Targeting Governments and Humanitarian Entities

RedAlpha, a Chinese state-sponsored cyber-espionage group, has been targeting governments and think tanks. Having previously targeted Taiwanese entities, RedAlpha has expanded its campaigns to the Ministries of Foreign Affairs (MOFAs) of Portugal, Vietnam and Brazil, and to India's National Informatics Center (NIC).

The RedAlpha group uses weaponized websites that imitate email service providers (ESPs) to steal credentials. The group has been using reseller[.]com nameservers and employs phishing pages that mimic the genuine login portals of specific government organizations.

RedAlpha has registered over 250 domains spoofing major email and storage service providers, including Yahoo, Google and Microsoft, as well as Purdue University, several think tanks, humanitarian organizations and the Taiwanese Democratic Progressive Party, for its malicious activities.

Recorded Future, a US cybersecurity company, notes that the group has previously targeted Amnesty International, the American Institute in Taiwan, Radio Free Asia and the International Federation for Human Rights (FIDH). The group's strategic interests coincide with those of the Chinese government, which may indicate a Chinese state nexus to the group's activities.

Defense is the New Offense, says Cyber Director for the White House

White House Cyber Director Chris Inglis discussed the shortcomings of the country's cyber defenses at DEF CON 2022. He outlined three waves of attacks in the recent past: in the first, adversaries held data and systems at risk; in the second, they expanded on the first by putting critical systems at risk; and in the third, they attack the confidence of an organization or country, with the Colonial Pipeline attack as a prime example.

Inglis concluded that the crucial lesson is that defense is the only reasonable solution, stating that defense is the new offense. Organizations can protect collaboration and confidence through upfront investment in cybersecurity robustness and attack resilience across data, systems, roles and responsibilities.

The cyber director added that responsibility and accountability should be allocated to providers, suppliers, and integrators so all designs are resilient and robust.

[Image: Cyber Defense is the New Offense]

The cyber director believes the solution lies in a defensive approach that emphasizes collective defense alongside individual responsibility and understanding, so that everyone participates in their own defense and knows their role in protecting the system.

Android Banking Malware Strikes Smartphones

Sova, an Android banking malware first spotted in underground markets last September, has resurfaced. Researchers at Cleafy, a company specializing in online fraud prevention, have identified a new Sova version with an expanded range of capabilities and enhanced ransomware encryption.

The Sova Android malware can mimic over 200 online financial applications, including cryptocurrency wallets, and can encrypt smartphones with ransomware. As mobile devices become central to banking and to storing personal and business data, ransomware for smartphones could prove especially damaging.

Sova can intercept multi-factor authentication (MFA) tokens, allowing attackers to steal information from protected devices. The malware is delivered via fake applications that pose as Google and Amazon apps and can cause significant harm.

The mastermind behind Sova claims the malware was under development over the past year and is now back in full force. With the ability to harvest credentials, steal cookies, place false overlays on applications, spy via keylogging and lock devices with ransomware, Cleafy has classified it as a critical threat capable of carrying out malicious activities at scale.

Russian Hack-and-Leak Campaign using Microsoft OneDrive

Microsoft has warned of a Russian threat actor, Seaborgium, that runs credential-theft campaigns against NATO nations, hacking and leaking information to sway public opinion. The group targeted the US, UK, Baltics, Nordics, Eastern Europe and Ukraine before the Russian invasion.

[Image: weaponized emails]

The Microsoft Threat Intelligence Center (MSTIC) outlined Seaborgium's attack pattern: social engineering to deliver the initial malicious URLs (Uniform Resource Locators). The threat actor establishes contact by creating LinkedIn profiles and email accounts that impersonate distant but legitimate connections in the victim's social network.

The threat actor then proceeds with weaponized emails, building rapport over several messages before delivering malicious URLs and PDF files. Seaborgium uses Microsoft OneDrive share links that lead victims to threat-actor-controlled infrastructure and prompt them to authenticate for document access on legitimate-looking sign-in pages, harvesting their credentials. The actor uses the compromised accounts to exfiltrate data and sets up email forwarding rules for persistent data collection.

Microsoft published the details of the Seaborgium credential-theft campaigns and has added countermeasures to Microsoft Defender and SmartScreen. Alongside a detailed list of indicators of compromise (IOCs), Microsoft recommends that customers review their email filtering and disable email auto-forwarding.
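The forwarding rules Seaborgium leaves behind are visible in mailbox audit logs, which is why the auto-forwarding recommendation is actionable. The following is an added example, not Microsoft's detection logic: it scans constructed, simplified records modelled on Exchange Online unified-audit-log entries (an `Operation` name plus a `Parameters` list of `Name`/`Value` pairs) and flags inbox rules or mailbox settings that forward or redirect mail outside the organization. The internal domain `corp.example`, the sample users and the external address are all constructed.

```python
"""Detect mailbox rules that forward mail outside the organization.

Added illustration (not Microsoft's detection logic): scans constructed,
simplified records in the shape of Exchange Online unified-audit-log
entries and flags forwarding or redirect targets on external domains,
the persistence technique described in the Seaborgium write-up.
"""
import json

# Internal domains of the (hypothetical) organization.
INTERNAL_DOMAINS = {"corp.example"}

# Operations that can create a forwarding path, and the parameters that name the target.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
MAILBOX_OPERATIONS = {"Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample log (one JSON record per line): a benign folder rule,
# an inbox rule forwarding to an external address, and a mailbox-level
# forward that stays inside the organization.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2022-08-15T09:12:00", "Operation": "New-InboxRule",
     "UserId": "alice@corp.example",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"CreationTime": "2022-08-15T09:40:00", "Operation": "New-InboxRule",
     "UserId": "bob@corp.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@mail.example.net"}]},
    {"CreationTime": "2022-08-15T10:05:00", "Operation": "Set-Mailbox",
     "UserId": "carol@corp.example",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:carol@corp.example"}]},
])


def _domain(address):
    """Extract the domain from 'user@host' or 'smtp:user@host'."""
    address = address.split(":", 1)[-1]
    return address.rsplit("@", 1)[-1].lower()


def is_external(address):
    """True when the address's domain is not one of ours."""
    return _domain(address) not in INTERNAL_DOMAINS


def find_external_forwards(log_text):
    """Return one finding per forwarding target that points outside the organization."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPERATIONS | MAILBOX_OPERATIONS:
            continue
        for param in rec.get("Parameters", []):
            if param["Name"] not in FORWARD_PARAMS:
                continue
            # A rule may list several recipients separated by ';'.
            for addr in param["Value"].split(";"):
                if addr and is_external(addr):
                    findings.append({"time": rec["CreationTime"], "user": rec["UserId"],
                                     "operation": rec["Operation"], "target": addr})
    return findings


if __name__ == "__main__":
    for finding in find_external_forwards(SAMPLE_LOG):
        print(finding)
```

The rule named "." in the sample is the kind of low-visibility name an attacker chooses; the detection keys on the forwarding target rather than the rule name, so the name does not matter. Feeding it real exported audit records only requires matching the field layout assumed here.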

Google Blocks History’s Largest Layer 7 HTTPS DDoS Attack

A distributed denial-of-service (DDoS) attack over HTTPS (Hypertext Transfer Protocol Secure) hit a Google Cloud Armor customer, peaking at over 46 million requests per second (RPS), the largest such attack on record.

The attack targeted the victim's load balancer, starting at 10,000 RPS in an episode that lasted 69 minutes. It escalated to 100,000 RPS within eight minutes and to 46 million RPS two minutes later. Google's Cloud Armor protection kicked in and shielded the victim, who had followed Google's recommended guidelines and kept normal operations running.

[Image: Google's Cloud Armor Protection]

Google revealed that the traffic came from 5,256 IP (Internet Protocol) addresses in 132 countries. Google has yet to determine the malware behind the attack but points to Mēris, a DDoS botnet that uses unsecured proxies to send malicious traffic and hide the attack's origin. Mēris has previously been used in attacks on Cloudflare customers and on Russia's internet giant Yandex.
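What made this attack notable was its ramp, from 10,000 to 100,000 to 46 million RPS in minutes, and the number of distinct sources. Both are measurable from an edge access log. The following is an added example, not Google Cloud Armor's logic: it aggregates constructed request-log lines into per-second request counts and distinct-source counts, then flags seconds that cross an absolute threshold or grow by a large factor over the previous second. The log format, the IP addresses and the thresholds are all constructed for illustration.

```python
"""Rate-anomaly detection over an HTTP edge access log.

Added illustration (not Google Cloud Armor's logic): per-second request
rates and distinct source counts from constructed log lines, with alerts
for an absolute threshold and for rapid growth between seconds.
"""
from collections import defaultdict

# Constructed access-log lines in the form "<epoch_second> <client_ip> <path>".
# Second 100 is normal traffic; 101 and 102 show a ramp from many sources.
SAMPLE_LOG = """
100 198.51.100.7 /
100 198.51.100.8 /login
101 198.51.100.7 /
101 203.0.113.4 /api
101 203.0.113.5 /api
101 203.0.113.6 /api
101 203.0.113.7 /api
101 203.0.113.8 /api
102 203.0.113.4 /api
102 203.0.113.5 /api
102 203.0.113.9 /api
102 203.0.113.10 /api
102 203.0.113.11 /api
102 203.0.113.12 /api
102 203.0.113.13 /api
102 203.0.113.14 /api
102 203.0.113.15 /api
102 203.0.113.16 /api
102 203.0.113.17 /api
102 203.0.113.18 /api
""".strip()


def per_second_stats(log_text):
    """Map each second to (request count, number of distinct source IPs), in time order."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        ts, ip, _path = line.split(" ", 2)
        counts[int(ts)] += 1
        sources[int(ts)].add(ip)
    return {t: (counts[t], len(sources[t])) for t in sorted(counts)}


def detect_surges(stats, max_rps, growth_factor):
    """Flag seconds whose rate exceeds max_rps, or is at least growth_factor
    times the previous second's rate (the ramp signature)."""
    alerts = []
    prev_rps = None
    for second, (rps, distinct) in stats.items():
        reason = None
        if rps > max_rps:
            reason = "threshold"
        elif prev_rps and rps >= growth_factor * prev_rps:
            reason = "ramp"
        if reason:
            alerts.append({"second": second, "rps": rps,
                           "sources": distinct, "reason": reason})
        prev_rps = rps
    return alerts


if __name__ == "__main__":
    for alert in detect_surges(per_second_stats(SAMPLE_LOG), max_rps=10, growth_factor=3):
        print(alert)
```

The growth check fires before the absolute threshold is reached, which is the point: at the scale described above, waiting for a fixed ceiling means reacting after the load balancer is already saturated, whereas a ramp alert triggers on the first order-of-magnitude jump. In production the window would be longer than one second and the thresholds tied to the service's measured baseline.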
