Chinese Hacking Campaign Breached Four More U.S. Defense Firms, Scope Reaches 600 U.S. Systems
Ransomware attackers gained access to personal data on 400,000 Planned Parenthood patients in Los Angeles, DOJ indicts Ubiquiti insider, Bulletproof hosting provider sentenced to 60 months, more
Researchers at Palo Alto Networks say that a suspected Chinese hacking campaign has breached four more U.S. defense and technology companies in the last month on top of the one U.S. victim organization previously identified in November. Globally, at least 13 organizations in defense, health care, energy, and transportation are now confirmed to have been breached.
Moreover, the researchers identified about 600 cases in the U.S. of systems running a type of vulnerable software made by the multinational technology firm Zoho that the hackers have exploited, including installations at 23 universities, 14 state or local governments, and ten health care organizations. The effort shares similarities with the techniques of a group Microsoft has identified as operating in China.
Palo Alto Networks' Unit 42 researchers believe the hackers could be trying to gain long-term access to computer systems to siphon off critical data from US companies. (Sean Lyngaas / CNN)
Related: Palo Alto Networks Unit 42
A hacker gained access to the personal information of about 400,000 Planned Parenthood Los Angeles area patients in October during a ransomware attack. Between October 9 and October 17, the hacker installed malicious software and exfiltrated some files.
In letters to affected patients, Planned Parenthood Los Angeles said, “we identified files that contained your name and one or more of the following: address, insurance information, date of birth, and clinical information, such as diagnosis, procedure, and/or prescription information.” (Aaron Schaffer, Joseph Marks, and Hannah Knowles / Washington Post)
According to an indictment unsealed by the Justice Department, Nickolas Sharp, a former employee of networking device maker Ubiquiti, was arrested and charged today with data theft and attempting to extort his employer while posing as a whistleblower and an anonymous hacker.
According to the indictment, Sharp stole gigabytes of confidential data from Ubiquiti's AWS (on December 10, 2020) and GitHub (on December 21 and 22, 2020) infrastructure using his cloud administrator credentials, cloning hundreds of GitHub repositories over SSH. In addition, Sharp allegedly tried to hide his home IP address using Surfshark's VPN service, but his actual location was exposed after a temporary Internet outage.
Sharp allegedly demanded almost $2 million in exchange for returning the stolen files and identifying a remaining vulnerability. Sharp is charged with four counts and faces a maximum sentence of 37 years in prison if found guilty. (Sergiu Gatlan / Bleeping Computer)
A Russian court handed down a mild one-year suspended prison sentence to Maxim Zhukov Sergeevich, a member of the notorious FIN7 hacking group.
Zhukov previously worked as a developer for Combi Security, a Russian company that the US Department of Justice described in 2018 as a front company and fake security firm through which FIN7 hired new members and used them to hide intrusions as penetration tests. Zhukov was detained by Russia’s FSB security service in February 2019 and later accused of creating malware specialized in the theft of money from bank accounts. (Catalin Cimpanu / The Record)
Russian Aleksandr Grichishkin, the founder of a bulletproof hosting service, was sentenced to 60 months in prison for allowing cybercrime gangs to use the platform in attacks targeting US financial institutions between 2008 and 2015. Along with three other defendants involved in the service, Grichishkin pleaded guilty to one count of RICO conspiracy in May 2021.
Malware hosted on the organization's bulletproof hosting platform, including Zeus, SpyEye, Citadel, and the Blackhole Exploit Kit, was used in attacks against U.S. organizations and caused millions of dollars in losses. The Federal Deposit Insurance Corporation (FDIC) estimated that just SpyEye and Zeus attacks caused roughly $64 million in damages to banks and their corporate clients in a single year, based on incidents in 2011. (Sergiu Gatlan / Bleeping Computer)
Despite Amazon founder Jeff Bezos’ accusation that the National Enquirer attempted to extort him with embarrassing texts and photos, and in the face of his security team’s suggestion that Saudi Arabia could have gleaned this data by hacking his phone, the FBI and the Manhattan U.S. attorney’s office have been unable to bring charges against anyone.
The FBI didn’t obtain Mr. Bezos’ phone, and the investigation into whether the Saudis hacked the phone wasn’t a high priority. Sources say the Manhattan prosecutors have determined that the source of the photos and texts was Michael Sanchez, the brother of Mr. Bezos’ girlfriend Lauren Sanchez, with whom he was having an extramarital affair. (Corinne Ramey, Dustin Volz, and Aruna Viswanatha / Wall Street Journal)
Related: Business Insider
The Cybersecurity and Infrastructure Security Agency (CISA) named twenty-three members to a new cyber advisory panel that will make recommendations on subjects ranging from battling misinformation to gaining aid from the hacker community on national cyber defense.
The members are leaders from social media, cybersecurity companies, major technology firms, and critical infrastructure sectors such as finance and energy. The panel includes officials from Johnson & Johnson and Walmart, a longtime cybersecurity journalist, and the mayor of Austin, Texas. (Tim Starks / Cyberscoop)
Jen Easterly @CISAJen: I'm thrilled to announce the initial members of @CISAgov's new Cybersecurity Advisory Committee. Couldn’t be more excited to tap into their unique expertise to continue to transform CISA into the premier cyber defense agency our nation needs and deserves. https://t.co/OF2dbxhTNb https://t.co/mTA7Ip7bXW
Respawn Entertainment, the maker of the video game Titanfall, is halting sales of the game and will remove it from subscription services on March 1, 2022, following years of struggling to combat hacks and DDoS attacks that made the game frequently unplayable.
Although the company didn’t say why it’s halting support of Titanfall, speculation holds that it’s not worth the effort required to keep up the fight against hackers. (Andy Chalk / PC Gamer)
Facebook announced it took down a coordinated campaign to spread disinformation on the platform that used more than 500 fake accounts, 20 pages, four groups, and 86 Instagram accounts amplified by a coordinated cluster of Chinese state employees, including some working for a Chinese cybersecurity company called Sichuan Silence Information Technology.
Facebook also announced that it shut down a disinformation network in France and Italy that spread anti-vaccination disinformation, intimidated and harassed users who promoted COVID vaccines and called doctors and journalists “Nazi supporters” for promoting vaccines. (Lorenzo Franceschi-Bicchierai / Vice News)
Researchers at security firm Qihoo 360 discovered that unpatched, years-old vulnerabilities in networking devices have allowed a noxious malware to infect at least 5,700 U.S.-based AT&T subscribers.
The malware appears to have seeped into users’ enterprise network edge devices, EdgeMarc Enterprise Session Border Controllers, produced by Ribbon Communications, via a bug initially discovered back in 2017. The malware can enable DDoS attacks, port scanning, file management, and the execution of arbitrary commands. AT&T said it had taken steps to mitigate the problem, but it has no evidence that customer data was accessed. (Lucas Ropek / Gizmodo)
A new “Magnitsky-style” law passed by the Australian Senate would allow Australia to issue sanctions against cyber attackers directly.
The law, which has been sent to the lower house for another sign-off, would allow the Australian government to directly issue sanctions against individuals or entities, banning them from visiting Australia or making any investments in the country. The law also seeks to direct sanctions against human rights abusers, corrupt officials, and threats to international peace, security, and humanitarian law. (Campbell Kwan / ZDNet)
Mozilla has addressed a critical memory corruption vulnerability affecting its cross-platform Network Security Services (NSS) set of cryptography libraries.
The security flaw, found by Google vulnerability researcher Tavis Ormandy, can lead to a heap-based buffer overflow when handling DER-encoded DSA or RSA-PSS signatures in email clients and PDF viewers using vulnerable NSS versions. (Sergiu Gatlan / Bleeping Computer)
Related: The Hacker News
Project Zero Bugs @ProjectZeroBugs: nss: memory corruption validating dsa/rsa-pss signatures https://t.co/yAcRzbkkKG
The House passed three bipartisan bills intended to shore up network security and increase cyber literacy across the nation, following a challenging year fraught with several significant cybersecurity attacks.
The three bills are the Understanding Cybersecurity of Mobile Networks Act, sponsored by Representatives Anna Eshoo (D-CA) and Adam Kinzinger (R-IL); the American Cybersecurity Literacy Act, primarily sponsored by Kinzinger; and the FUTURE Networks Act, sponsored by Representative Mike Doyle (D-PA), chair of the House Energy and Commerce Committee’s Subcommittee on Communications and Technology, along with Representatives Bill Johnson (R-OH) and Lucy McBath (D-GA). (Maggie Miller / The Hill)
According to two sources, President Joe Biden is expected to pick Major General Maria Barrett to be the first female leader of U.S. Army Cyber Command.
Barrett is currently head of the Army’s Network Enterprise Technology Command (NETCOM), a subordinate unit to Army Cyber Command. (Martin Matishak / The Record)
CrowdStrike and the Cybersecurity and Infrastructure Security Agency (CISA) have announced a new partnership that will see the cybersecurity company provide endpoint security for the government organization and others while also "operationalizing" President Biden’s Cybersecurity Executive Order endpoint detection and response (EDR) initiative.
The White House is providing funds for the project through the American Rescue Plan. (Jonathan Greig / ZDNet)
CyCognito, which develops bot technology to probe potential cyberattack vectors, has raised $100 million in a Series C venture funding round.
The Westly Group led the round with participation from new investors Thomvest Ventures and The Heritage Group and existing investors Accel, Lightspeed Venture Partners, Sorenson Ventures, and UpWest. (Ron Miller / TechCrunch)
Cloud security analytics platform company Panther Labs raised $100 million in a Series B venture funding round.
Coatue Management led the round with new participation from ICONIQ Growth and Snowflake Ventures and continued support from Lightspeed Venture Partners, S28 Capital, and Innovation Endeavors. (Mehnaz Yasmin / Reuters)