From a stalkerware fine and two large data breaches to malware pushed through Google ads, here are the latest cybersecurity headlines from around the world. Let us get into it.


NY Attorney General Fines Spyware Vendor for $410,000

The New York Attorney General’s Office has fined stalkerware developer Patrick Hinchy $410,000 for promoting illegal surveillance tools through 16 companies he controlled.

Stalkerware is a class of commercial spyware that lets a buyer monitor another person’s phone without their knowledge and collect sensitive data, such as location, call and message history, which can then be used to stalk, control or harm the person being monitored.

In September 2021, the US Federal Trade Commission banned stalkerware maker SpyFone from the surveillance business and required it to notify the owners of monitored devices that their devices had been monitored and were no longer secure. The FTC had earlier, in October 2019, barred Retina-X Studios from selling its stalkerware apps (MobileSpy, PhoneSheriff, and TeenShield) after two breaches of the cloud storage holding the collected data.

Attorney General James stated that “snooping on a partner and tracking their cell phone without their knowledge isn’t just a sign of an unhealthy relationship, it is against the law,” and added that these apps exposed New York residents to stalking and domestic abuse and were aggressively marketed by Hinchy through 16 different companies. 

Hinchy has agreed to inform the victims whose phones were being monitored using his apps, including Auto Forward, Easy Spy, DDI Utilities, Highster Mobile, PhoneSpector, Surepoint, and TurboSpy.


20 Million Customer Records Compromised in TruthFinder and Instant Checkmate Data Breach

PeopleConnect, the organization behind the background check services TruthFinder and Instant Checkmate, has confirmed a data breach after hackers leaked a 2019 backup database containing information on millions of customers.

The subscription-based services allow users to conduct background checks on others using publicly scraped data, federal and state records, criminal records, social media, and other sources. In 2020, PeopleConnect Holdings, Inc. merged with PubRec, LLC, which owned TruthFinder and Instant Checkmate, creating a comprehensive portfolio of people-search services.


On January 21st, the data of 20.22 million TruthFinder and Instant Checkmate customers, covering accounts up to April 16th, 2019, was posted on the Breached hacking forum. The data was shared as two CSV files of 2.9 GB each and included customer email addresses, hashed passwords, first and last names, and phone numbers.

In a statement, the organization said that the leaked data consisted of all customer accounts created between 2011 and 2019 and appeared to be an “inadvertent leak or theft of a particular list.” 

PeopleConnect is working with a third-party cybersecurity firm to investigate the incident and has warned customers to watch for phishing attacks that reuse the leaked names and email addresses. The leaked data has been added to Have I Been Pwned, so users can check whether their account information was exposed.


Cyberattack Forced Florida Hospital to take down IT Systems

Tallahassee Memorial HealthCare (TMH) was forced to take its IT systems offline and halt non-emergency procedures following a cyberattack on Thursday. Patients requiring emergency medical services are being redirected to other hospitals, and TMH is accepting only Level 1 trauma patients from its immediate service area.

TMH issued a statement saying that its IT Department detected the security issue early and shut down its IT systems proactively to limit the impact. The hospital is now reviewing each of its IT systems, prioritizing them, and bringing them back online one by one, with no current timeline for completion as the situation is still evolving.

According to local media sources with knowledge of the situation, the incident is suspected to be a ransomware attack, which would make it the second suspected ransomware incident involving a US hospital this year.

The US federal government has warned about ransomware operations targeting healthcare organizations, including the Royal, Venus, Maui, and Zeppelin ransomware operations and the Daixin Team cybercrime group.

TMH has emphasized that patient safety remains its top priority and apologizes for any inconvenience or delays. The hospital has already reported the incident to law enforcement and is working with them as part of an ongoing investigation.


Google Ads Pushing “Virtualized” Malware for Evading Antiviruses

An ongoing malware campaign is spreading malware installers through Google search ads.


The final payload is the Formbook info-stealer, but what makes the campaign notable is the loader that delivers it: a .NET loader protected with KoiVM virtualization to evade detection during installation. KoiVM is a plugin for the ConfuserEx .NET protector that replaces a program’s original opcodes with a private instruction set that only an embedded virtual machine understands. At run time the virtual machine translates those opcodes back into the original operations, so a static scanner sees only VM bytecode plus an interpreter loop rather than the malicious logic itself.

The threat actors behind this campaign are pushing the Formbook malware as virtualized .NET loaders, dubbed “MalVirt,” which help distribute the final payload without triggering antivirus alerts. SentinelLabs reports that while KoiVM virtualization is popular for hacking tools and cracks, it is seldom used in malware distribution.
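To make the mechanism concrete, here is an added toy example of opcode virtualization; it is not KoiVM’s or ConfuserEx’s code, and the instruction set, the "protector" and the sample program are all constructed for illustration. A tiny stack program is rewritten into a per-build randomized opcode table, and only the bundled interpreter can map those bytes back to the original operations. Two "builds" of the same program execute identically but produce different bytecode, which is why byte-pattern signatures written against one sample do not carry over to the next.

```python
"""Toy illustration of VM-based (KoiVM-style) opcode virtualization.

Added example, not KoiVM/ConfuserEx code. A protector rewrites the clear
instruction set into a private one and ships an interpreter that decodes it
at run time; a static scanner sees VM bytes plus the interpreter loop.
"""
import hashlib
import random

# Constructed "clear" instruction set: a tiny stack machine.
CLEAR_OPS = ["PUSH", "ADD", "MUL", "XOR", "RET"]


def virtualize(program, seed):
    """Rewrite a clear program into a private opcode table.

    `program` is a list of (op, operand) tuples. `seed` stands in for the
    per-build randomization a protector applies: every build gets its own
    opcode numbering, so the emitted bytes differ from build to build.
    Returns (bytecode, opcode_map); the map is what the bundled VM carries.
    """
    rng = random.Random(seed)
    table = list(range(256))
    rng.shuffle(table)
    opcode_map = {op: table[i] for i, op in enumerate(CLEAR_OPS)}
    # Encoding: one opcode byte followed by one operand byte per instruction.
    bytecode = bytearray()
    for op, arg in program:
        bytecode.append(opcode_map[op])
        bytecode.append(arg & 0xFF)
    return bytes(bytecode), opcode_map


def run_vm(bytecode, opcode_map):
    """The bundled interpreter: the only place the private opcodes are decoded.

    It inverts the opcode table at run time and executes the original
    semantics, which is what a scanner never sees statically.
    """
    decode = {code: op for op, code in opcode_map.items()}
    stack = []
    pc = 0
    while pc < len(bytecode):
        op = decode[bytecode[pc]]
        arg = bytecode[pc + 1]
        pc += 2
        if op == "PUSH":
            stack.append(arg)
        elif op == "ADD":
            b, a = stack.pop(), stack.pop()
            stack.append((a + b) & 0xFF)
        elif op == "MUL":
            b, a = stack.pop(), stack.pop()
            stack.append((a * b) & 0xFF)
        elif op == "XOR":
            b, a = stack.pop(), stack.pop()
            stack.append(a ^ b)
        elif op == "RET":
            return stack.pop()
    raise RuntimeError("program fell off the end without RET")


# Constructed sample program: ((3 + 4) * 5) ^ 0x2A = 35 ^ 42 = 9
SAMPLE_PROGRAM = [
    ("PUSH", 3),
    ("PUSH", 4),
    ("ADD", 0),
    ("PUSH", 5),
    ("MUL", 0),
    ("PUSH", 0x2A),
    ("XOR", 0),
    ("RET", 0),
]


def demo(seed):
    """Virtualize and execute SAMPLE_PROGRAM under one per-build opcode table.

    Returns (result, sha256 of the bytecode) so two builds can be compared:
    same result, different bytes.
    """
    bytecode, opcode_map = virtualize(SAMPLE_PROGRAM, seed)
    result = run_vm(bytecode, opcode_map)
    return result, hashlib.sha256(bytecode).hexdigest()


if __name__ == "__main__":
    for seed in (1, 2):
        result, digest = demo(seed)
        print(f"build seed={seed}: result={result} bytecode sha256={digest[:16]}...")
```

The practical consequence for defenders is the one SentinelLabs describes: the interpreter loop is generic and the bytecode changes per build, so detection has to come from behaviour after the VM has run (process injection, the C2 pattern, the dropped payload) or from recognising the VM engine itself, not from signatures on the virtualized code.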

SentinelLabs believes the recent uptick in its use could be one of several side effects of Microsoft disabling macros by default in Office, which has pushed malware authors toward other delivery and evasion techniques.

The threat actors distribute the MalVirt loaders through Google search ads posing as downloads of the Blender 3D software. The Formbook payload also employs a new trick to hide its real C2 traffic and IP addresses: it mixes the genuine traffic with encrypted and encoded “smokescreen” HTTP requests to decoy addresses, so that a network analyst cannot tell at a glance which destination is the real server. The campaign is a serious threat; be careful which links you click in search results, and in particular treat sponsored results for software downloads with suspicion.


The Latest “No Pineapple” Cyber Espionage Campaign

The North Korean hacking group Lazarus has struck again, this time with a new cyber espionage campaign dubbed “No Pineapple!” that targets sensitive data. The campaign ran between August and November 2022 and targeted organizations in the medical research, healthcare, chemical engineering, energy, and defense sectors, as well as a leading research university.


The operation was discovered by WithSecure, which linked the campaign to the North Korean APT group Lazarus through multiple pieces of evidence, including new infrastructure, new versions of the Dtrack info-stealer, the GREASE malware, and overlaps in TTPs (tactics, techniques, and procedures).

The attackers exploited Zimbra vulnerabilities to drop a web shell on a target’s mail server and then deployed tunneling tools to open reverse tunnels back to their own infrastructure. The Lazarus operators then extracted email messages and continued to steal data from other devices, eventually exfiltrating about 100GB of data. Notably, in this campaign the group relied solely on IP addresses rather than domain names for its infrastructure, and a new version of the Dtrack malware was observed.

The Lazarus group has been attributed to multiple significant attacks, and this campaign is the latest in a long line, which is why organizations in the targeted sectors need to patch internet-facing mail servers promptly and watch for unexpected outbound tunnels.


Google Fi Suffers Data Breach Leading to SIM Swap Attacks

Google has informed Google Fi customers of a data breach that exposed their phone numbers, account statuses, SIM card serial numbers, and mobile service plan details, information that threat actors could use to carry out SIM swapping attacks.

According to Google’s notice, the attackers did not gain access to customer names, payment card information, social security numbers, tax IDs, government IDs, passwords, PINs, or the contents of calls and messages. The breach stemmed from a separate breach at one of Google Fi’s network providers, widely believed to be T-Mobile, which suffered an API (Application Programming Interface) breach in November last year that exposed the information of 37 million subscribers.


The stolen data can be used for SIM swapping attacks, in which threat actors port a customer’s mobile number to a SIM card they control. With the number in hand, they can intercept SMS-based MFA (Multi-Factor Authentication) codes and password-reset messages and take over the customer’s other accounts. 

Google sent separate notices to customers who were actually hit by SIM swap attacks as a result of the breach, and Google Fi service has since been restored on the affected SIM cards.
