News Week: July 1st to July 8th, 2024 - BeforeCrypt (2024)

Router Manufacturer’s Support Portal Compromised

A recent security breach has impacted Mercku, a Canadian router manufacturer known for providing networking equipment to numerous ISPs across Canada and Europe. The company’s support portal has been compromised, leading to phishing emails being sent in response to new support tickets. When users submit a request, they receive an email prompting them to update their MetaMask account, with a threat of losing account access if not done within 24 hours. This email is a phishing attempt aimed at stealing sensitive information. The phishing link misleads users by appearing to direct them to a legitimate MetaMask website, but actually redirects them to a malicious site. Users are advised not to interact with these emails and to avoid using the Mercku support portal until the issue is resolved. This incident highlights the increasing targeting of popular cryptocurrency platforms like MetaMask by cybercriminals.
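The mismatch described above, between the domain a link displays and the host it actually targets, can be checked mechanically in inbound mail. The following Python is an added example, not code from the original article; the trusted-domain list, the function names and the sample message body are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the recipient expects for this brand (assumption for the example).
TRUSTED = {"metamask.io"}
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def base_domain(host):
    # Naive registrable domain (last two labels); production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.anchors = []          # (href, visible text) pairs
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = base_domain(urlsplit(href).hostname or "")
        shown = DOMAIN_RE.search(text)
        if shown and base_domain(shown.group(1)) != target:
            findings.append((text, href, "displayed domain differs from target"))
        elif target not in TRUSTED and "metamask" in (text + href).lower():
            findings.append((text, href, "brand named but target not trusted"))
    return findings

# Constructed sample body, not taken from the actual campaign.
SAMPLE = """
<a href="https://portal.example.invalid/update">https://metamask.io/update</a>
<a href="https://metamask.io/download">Download MetaMask</a>
<a href="https://login.example.invalid/">Verify MetaMask wallet</a>
"""
```

Calling `suspicious_links(SAMPLE)` flags the first and third links and leaves the genuine download link alone.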

Intel CPUs Vulnerable to New Indirector Side-Channel Attack

Researchers have discovered a new high-precision Branch Target Injection (BTI) attack, named ‘Indirector,’ that affects modern Intel processors, including those from the Raptor Lake and Alder Lake generations. This vulnerability exploits flaws in the Indirect Branch Predictor (IBP) and Branch Target Buffer (BTB) to extract sensitive information from the CPU through speculative execution. The Indirector attack was identified by three researchers at the University of California, San Diego, and will be detailed at the upcoming USENIX Security Symposium. The attack involves using custom tools to identify and manipulate prediction structures, break Address Space Layout Randomization (ASLR), and infer data through cache side-channel techniques. Intel was notified in February 2024, and mitigations include enhanced use of the Indirect Branch Predictor Barrier (IBPB) and improving the design of the Branch Prediction Unit (BPU). However, these mitigations come with performance trade-offs, particularly a 50% performance hit on Linux systems.

Prudential Financial Data Breach Affects 2.5 Million Individuals

Prudential Financial, a leading global financial services company, has disclosed that a February data breach compromised the personal information of over 2.5 million people. The incident, initially detected on February 5, was attributed to a suspected cybercrime group that gained access to the company’s systems the previous day, extracting administrative, user, and employee data. Initially, Prudential reported the breach affected over 36,000 individuals, but recent updates to the Maine Attorney General’s Office reveal the actual impact to be significantly higher. The ALPHV/Blackcat ransomware gang, linked to numerous global breaches, claimed responsibility for the attack. This breach follows a separate incident in May 2023, where the Clop cybercrime gang exposed data of 320,000 Prudential customers by hacking a third-party vendor. Prudential has since collaborated with cybersecurity experts to secure their systems and prevent further unauthorized access.

Affirm Cardholders Affected by Evolve Bank Data Breach

Affirm, a prominent buy now, pay later loan company, has announced that personal information of its payment cardholders was exposed in a data breach at its third-party issuer, Evolve Bank & Trust. Evolve, which partners with various fintech firms, including Affirm, experienced a cybersecurity incident involving the LockBit ransomware gang. Although the gang falsely claimed to breach the US Federal Reserve, the compromised data was confirmed to belong to Evolve Bank. This data includes names, Social Security Numbers, bank account details, and contact information. Affirm has warned its customers about potential exposure of their information, as Affirm shares user data with Evolve to issue Affirm Cards. While Evolve has taken steps to mitigate the breach and assured containment, investigations are ongoing. Other fintech firms, such as Wise and Bilt, have also been impacted by this breach, prompting further disclosures and heightened security measures across the industry.

Patelco Shuts Down Banking Systems Following Ransomware Attack

Patelco Credit Union has announced a ransomware attack that prompted the shutdown of several customer-facing banking systems to mitigate the incident’s impact. With over $9 billion in assets, Patelco serves more than 400,000 members through 37 branches across California. The attack, detected on June 29, 2024, led to the unavailability of online banking, mobile app, call center services, and electronic transactions such as transfers and direct deposits. While debit and credit card transactions are operational, they are functioning at a limited capacity.

Members can still withdraw cash from ATMs, and Patelco is collaborating with cybersecurity experts to investigate and expedite recovery. Although no specific date for restoring normal operations has been provided, the credit union has warned of potential customer service delays.

The identity of the attackers remains unknown, and the possibility of data theft involving sensitive personal and financial information has not been ruled out. Patelco advises its clients to remain vigilant against suspicious communications and monitor their accounts closely.

Formula 1 Governing Body Discloses Data Breach After Email Hacks

The Fédération Internationale de l’Automobile (FIA), the governing body for Formula 1 and other auto racing championships, has revealed a data breach resulting from a phishing attack. This attack compromised personal data contained in two FIA email accounts. Founded in 1904, the FIA oversees numerous racing events and includes 242 member organizations worldwide.

In response to the breach, the FIA swiftly cut off unauthorized access and informed relevant data protection authorities, including the Swiss and French regulators. The organization has implemented enhanced security measures to prevent future attacks and expressed regret for any concern caused to affected individuals. Despite the disclosure, the FIA has not yet specified the number of individuals impacted or the nature of the compromised data. BleepingComputer reached out to the FIA for further details, but no immediate response was available.

OVHcloud Blames Record-Breaking DDoS Attack on MikroTik Botnet

OVHcloud, a leading European cloud services provider, mitigated a record-breaking DDoS attack this year, peaking at 840 million packets per second (Mpps). This unprecedented attack is part of a trend of increasing DDoS sizes, with attacks over 1 Tbps now occurring almost daily.

The surge in high-packet rate attacks, including the April record-breaker, has been attributed to compromised MikroTik Cloud Core Router (CCR) devices, particularly models CCR1036-8G-2S+ and CCR1072-1G-8S+. These devices often run outdated firmware, making them vulnerable to exploitation. Attackers used MikroTik’s RouterOS “Bandwidth Test” feature to generate massive packet rates.

OVHcloud identified nearly 100,000 internet-exposed MikroTik devices, estimating that even a 1% compromise could create a botnet capable of attacks reaching 2.28 billion packets per second. Despite notifying MikroTik, OVHcloud has yet to receive a response.

HealthEquity Data Breach Exposes Protected Health Information

HealthEquity, a healthcare fintech firm, has disclosed a data breach resulting from a compromised partner account. The breach allowed unauthorized access to HealthEquity’s systems and led to the theft of protected health information. The company detected the incident after observing unusual behavior from a partner’s personal device and launched an investigation.

The investigation revealed that hackers had compromised the partner’s account, using it to access and exfiltrate sensitive health data. This data included personally identifiable information and protected health information of certain members. HealthEquity is now notifying affected individuals and offering complimentary credit monitoring and identity restoration services.

Despite the breach, HealthEquity reports no evidence of malware on its systems or disruptions to its operations. The company, a major provider of health savings accounts (HSAs) and other consumer-directed benefits, is assessing the impact of the incident but believes it will not materially affect its business or financial results.

Hackers Exploit HFS Servers to Deploy Malware and Monero Miners

Hackers are targeting outdated versions of HTTP File Server (HFS) from Rejetto to distribute malware and Monero mining software. Security researchers at AhnLab identified that attackers are exploiting CVE-2024-23692, a critical vulnerability allowing unauthenticated command execution in HFS versions up to 2.3m. Despite warnings from Rejetto to avoid these versions, they remain widely used.

Attackers use this flaw to install backdoors, gather system information, and deploy malware like XMRig for Monero mining, XenoRAT, Gh0stRAT, PlugX, and GoThief for remote access and data theft. AhnLab recommends updating to HFS version 0.52.x for better security. They also provide indicators of compromise to help detect and prevent these attacks.

Hackers Leak Alleged Taylor Swift Tickets, Amplify Ticketmaster Extortion

Hackers have leaked what they claim are Ticketmaster barcodes for 166,000 Taylor Swift Eras Tour tickets, demanding a $2 million ransom to prevent further leaks. In May, the hacker group ShinyHunters began selling data on 560 million Ticketmaster customers for $500,000, which Ticketmaster confirmed was from their Snowflake account. The breach involved stolen credentials used to access Snowflake databases, impacting numerous organizations.

The new leak, attributed to the threat actor Sp1d3rHunters, includes data for upcoming Taylor Swift concerts in Miami, New Orleans, and Indianapolis. The hackers have threatened to leak data from more events, including concerts and sports, if their demands are not met.

Ticketmaster has assured customers that their SafeTix technology, which refreshes barcodes every few seconds, makes the stolen tickets unusable. They also stated that no ransom negotiations occurred, disputing claims of a $1 million offer to delete the data.

Shopify Denies Data Breach, Attributes Stolen Data to Third-Party App

E-commerce platform Shopify has denied experiencing a data breach following a threat actor’s claim of selling customer data allegedly stolen from the company’s network. Shopify informed BleepingComputer that their systems had not been compromised and that the data loss was due to a third-party app. The app developer is expected to notify affected customers.

The threat actor, known as ‘888,’ began selling data purportedly from Shopify, including customer IDs, names, emails, phone numbers, order counts, and subscription details. Shopify has not provided additional details about the implicated app. Previously, ‘888’ has sold data linked to several major organizations, including Credit Suisse and Shell.

In 2020, Shopify reported that two rogue support team members accessed the transactional records of about 200 merchants, but no current security incidents have been confirmed by the company.

Conclusion

The cyber landscape is fraught with various threats, from zero-day vulnerabilities to ransomware attacks and phishing campaigns. Staying vigilant and implementing robust security measures is essential to safeguard sensitive data.

As experts in ransomware recovery and cybersecurity, we offer specialized services such as Ransomware Recovery Services, Ransomware Negotiation Services, and Ransomware Settlement Services. If your organization requires assistance in recovering from a ransomware attack or bolstering its cybersecurity defenses, contact us today.

Author: Corie Satterfield