Posts

Microsoft Azure outage takes down services across North America

By Sergiu Gatlan, Bleeping Computer

Microsoft has mitigated an Azure outage that lasted more than two hours and took down multiple services for customers across North and Latin America. The company says the incident started around 18:22 UTC and impacted services that leverage Azure Front Door (AFD), its modern cloud Content Delivery Network (CDN). "This issue is impacting multiple geographies, mostly in North America and Latin America," Redmond explained when it first acknowledged the outage on the Azure status page, saying it was caused by what it described as a "configuration change." "We have rolled back this change and, from 19:25 UTC, the majority of services are seeing recovery. Many Microsoft services have failed away from AFD, in response to this issue." However, customers have also reported experiencing errors connecting to Azure services (including Azure DevOps) in the United Kingdom, with the Azure DevOps status page also tagging the issues

Google ads push fake Google Authenticator site installing malware

By Bill Toulas, Bleeping Computer

Google has fallen victim to its own ad platform, allowing threat actors to create fake Google Authenticator ads that push the DeerStealer information-stealing malware. For years, malicious advertising (malvertising) campaigns have targeted the Google search platform, where threat actors place ads to impersonate well-known software sites that install malware on visitors' devices. To make matters worse, threat actors have been able to create Google search ads that show legitimate domains, which adds a sense of trust to the advertisement. In a new malvertising campaign found by Malwarebytes, threat actors created ads that display an advertisement for Google Authenticator when users search for the software in Google search. What makes the ad more convincing is that it shows 'google.com' and "https://www.google.com" as the click URL, which clearly should not be allowed when a third party creates the advertisement. We have seen this ve

Microsoft says massive Azure outage was caused by DDoS attack

By Sergiu Gatlan, Bleeping Computer

Microsoft confirmed today that a nine-hour outage on Tuesday, which took down and disrupted multiple Microsoft 365 and Azure services worldwide, was triggered by a distributed denial-of-service (DDoS) attack. Redmond says the outage impacted Microsoft Entra, some Microsoft 365 and Microsoft Purview services (including Intune, Power BI, and Power Platform), as well as Azure App Services, Application Insights, Azure IoT Central, Azure Log Search Alerts, Azure Policy, and the Azure portal. The company confirmed in a mitigation statement published today that the root cause behind yesterday's outage was a DDoS attack, although it has yet to link it to a specific threat actor. "While the initial trigger event was a Distributed Denial-of-Service (DDoS) attack, which activated our DDoS protection mechanisms, initial investigations suggest that an error in the implementation of our defenses amplified the impact of the attack rather than mitigating i

Massive SMS stealer campaign infects Android devices in 113 countries

By Bill Toulas, Bleeping Computer

A malicious campaign targeting Android devices worldwide utilizes thousands of Telegram bots to infect devices with SMS-stealing malware and steal one-time 2FA passwords (OTPs) for over 600 services. Zimperium researchers discovered the operation and have been tracking it since February 2022. They report finding at least 107,000 distinct malware samples associated with the campaign. The cybercriminals are motivated by financial gain, most likely using infected devices as authentication and anonymization relays.

Telegram entrapment

The SMS stealer is distributed either through malvertising or Telegram bots that automate communications with the victim. In the first case, victims are led to pages mimicking Google Play, reporting inflated download counts to add legitimacy and create a false sense of trust. On Telegram, the bots promise to give the user a pirated application for the Android platform, asking for their phone number before they share the APK

Dark Angels ransomware receives record-breaking $75 million ransom

By Lawrence Abrams, Bleeping Computer

A Fortune 50 company paid a record-breaking $75 million ransom payment to the Dark Angels ransomware gang, according to a report by Zscaler ThreatLabz. "In early 2024, ThreatLabz uncovered a victim who paid Dark Angels $75 million, higher than any publicly known amount — an achievement that's bound to attract the interest of other attackers looking to replicate such success by adopting their key tactics (which we describe below)," reads the 2024 Zscaler Ransomware Report. This record-breaking payment was further confirmed by crypto intelligence company Chainalysis, who tweeted about it on X. The largest known ransom payment was previously $40 million, which insurance giant CNA paid after suffering an Evil Corp ransomware attack. While Zscaler did not share what company paid the $75 million ransom, they mentioned the company was in the Fortune 50 and the attack occurred in early 2024. One Fortune 50 company that suffered a cyberattack

Don’t Let Your Domain Name Become a “Sitting Duck”

By KrebsOnSecurity

More than a million domain names — including many registered by Fortune 100 firms and brand protection companies — are vulnerable to takeover by cybercriminals thanks to authentication weaknesses at a number of large web hosting providers and domain registrars, new research finds. Your Web browser knows how to find a site like example.com thanks to the global Domain Name System (DNS), which serves as a kind of phone book for the Internet by translating human-friendly website names (example.com) into numeric Internet addresses. When someone registers a domain name, the registrar will typically provide two sets of DNS records that the customer then needs to assign to their domain. Those records are crucial because they allow Web browsers to find the Internet address of the hosting provider that is serving that domain. But potential problems can arise when a domain’s DNS records are “lame,” meaning the authoritative name server does not have enough information about t

UK govt links 2021 Electoral Commission breach to Exchange server

By Sergiu Gatlan, Bleeping Computer

The United Kingdom's Information Commissioner's Office (ICO) revealed today that the Electoral Commission was breached in August 2021 because it failed to patch its on-premises Microsoft Exchange Server against ProxyShell vulnerabilities. In March, the U.K. National Cyber Security Centre (NCSC) attributed the UK Electoral Commission breach to a Chinese state-backed threat actor. Tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, these security flaws were chained to hack into the commission's Exchange Server 2016 and deploy web shells, which allowed the attackers to gain persistence after installing web shells and backdoors. While Microsoft released security updates in May 2021 that fixed the ProxyShell vulnerability chain, the commission failed to patch its systems promptly, exposing them to attacks. The attack and the deployed malware were discovered on October 28, 2021, when an employee found that the Commission's Exchan

HealthEquity says data breach impacts 4.3 million people

By Bill Toulas, Bleeping Computer

HSA provider HealthEquity has determined that a cybersecurity incident disclosed earlier this month has compromised the information of 4,300,000 people. HealthEquity, one of the largest HSA custodians in the U.S., specializes in providing health savings accounts (HSAs), flexible spending accounts (FSAs), health reimbursement arrangements (HRAs), and 401(k) retirement plans. In a Form 8-K filing submitted on July 2, 2024, the company disclosed that threat actors stole members' sensitive health data using a partner's compromised credentials. An investigation determined that the breach occurred on March 9, 2024, but was only verified by the firm on June 26, following an internal investigation. "We discovered some unauthorized access to and potential disclosure of protected health information and/or personally identifiable information stored in an unstructured data repository outside our core systems," reads the data breach notice to be

Proofpoint settings exploited to send millions of phishing emails daily

By Bill Toulas, Bleeping Computer

A massive phishing campaign dubbed "EchoSpoofing" exploited now-fixed, weak permissions in Proofpoint's email protection service to dispatch millions of spoofed emails impersonating big entities like Disney, Nike, IBM, and Coca-Cola, to target Fortune 100 companies. The campaign started in January 2024, disseminating an average of 3 million spoofed emails daily and reaching a peak of 14 million emails in early June. The phishing emails were designed to steal sensitive personal information and incur unauthorized charges. They also included properly configured Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signatures, making them appear authentic to the recipients. Guardio Labs helped discover the phishing campaign and security gap in Proofpoint's email relay servers. In May 2024, they notified the firm and helped them fix it.

CrowdStrike update crashes Windows systems, causes outages worldwide

By Ionut Ilascu, Bleeping Computer

A faulty component in the latest CrowdStrike Falcon update is crashing Windows systems, impacting various organizations and services across the world, including airports, TV stations, and hospitals. The glitch is affecting Windows workstations and servers, with users reporting massive outages that took offline entire companies and fleets of hundreds of thousands of computers. According to some reports, emergency services in the U.S. and Canada have also been impacted.

Worldwide outage

By the time of the correction, though, many large organizations across multiple verticals had already been affected. Some reports say that CrowdStrike’s update impacted some 911 emergency service agencies in the state of New York (EMS, police, fire department), Alaska, and Arizona, as well as 911 services in parts of Canada. A 911 telecommunicator in Illinois said that they were “working off of paper until things come back.” There are also reports that the health hotline in

Major Microsoft 365 outage caused by Azure configuration change

By Sergiu Gatlan, Bleeping Computer

Microsoft says an Azure configuration change caused a major Microsoft 365 outage on Thursday, affecting customers across the Central US region. This massive outage started around 6:00 PM EST and prevented users from accessing various Microsoft 365 apps and services. The list of services impacted by the outage includes Microsoft Defender, Intune, Teams, PowerBI, Fabric, OneNote, OneDrive for Business, SharePoint Online, Windows 365, Viva Engage, Microsoft Purview, and the Microsoft 365 admin center. Xbox Support confirmed that the Xbox Live service was also hit by the issue, saying gamers had problems logging into their accounts. Throughout the outage, Downdetector has received tens of thousands of service issue reports, with affected Xbox users experiencing server connection issues and saying they couldn't log in. After acknowledging the outage, Microsoft said, "We're working on rerouting the impacted traffic to alternate systems to

Weak Security Defaults Enabled Squarespace Domains Hijacks

By KrebsOnSecurity

At least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week. Squarespace bought all assets of Google Domains a year ago, but many customers still haven’t set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn’t yet been registered, merely by supplying an email address tied to an existing domain. The Squarespace domain hijacks, which took place between July 9 and July 12, appear to have mostly targeted cryptocurrency businesses, including Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains. In some cases, the attackers were able to redirect the hijacked domains to phishing sites set up to steal visitors’ cryptocurrency funds. New York City-based Squarespace purchased roughly 10 million domain names from Google Domains in June 2023, and it has been gradually migrating those domains to its service ever since. Sq

Crooks Steal Phone, SMS Records for Nearly All AT&T Customers

By KrebsOnSecurity

AT&T Corp. disclosed today that a new data breach has exposed phone call and text message records for roughly 110 million people — nearly all of its customers. AT&T said it delayed disclosing the incident in response to “national security and public safety concerns,” noting that some of the records included data that could be used to determine where a call was made or text message sent. AT&T also acknowledged the customer records were exposed in a cloud database that was protected only by a username and password (no multi-factor authentication needed). In a regulatory filing with the U.S. Securities and Exchange Commission today, AT&T said cyber intruders accessed an AT&T workspace on a third-party cloud platform in April, downloading files containing customer call and text interactions between May 1 and October 31, 2022, as well as on January 2, 2023. The company said the stolen data includes records of calls and texts for mobile providers tha

A hacker posted nearly 10 billion passwords online- likely the biggest leak ever

By Hindustan Times

A file containing almost 10 billion passwords was reportedly posted on an online hacking forum. This could be the largest such compilation of leaked passwords ever, and the file contains passwords compromised in both recent and old data breaches all over the world, Semafor reported. Owing to this, there could be an increased chance of credential stuffing attacks, in which one compromised password used for a user’s account can be reused by a hacker to break into another account. The report claimed that not all the passwords in the file appeared to be new, which means that they have been leaked previously, and this increases the chance of “credential stuffing.” As per the practice, a bad actor can take a user’s known password and try to reuse it to break into other accounts in their name, Cybernews, a cybersecurity-focused n

Former IT employee accessed data of over 1 million US patients

By Bill Toulas, Bleeping Computer

Geisinger, a prominent healthcare system in Pennsylvania, has announced a data breach involving a former employee of Nuance, an IT services provider contracted by the organization. Geisinger is a non-profit organization that operates 134 care sites, ten hospitals, and the Geisinger Health Plan, serving a total of 1.2 million people. It employs 26,000 staff, including 1,600 doctors, and is considered one of Pennsylvania’s most important organizations. An announcement published earlier this week explains that in November 2023, Geisinger detected unauthorized access to its patients’ database by a former Nuance employee. Nuance was promptly informed and took action to block the former employee’s access to Geisinger’s systems holding patient records. “On Nov. 29, 2023, Geisinger discovered and immediately notified Nuance that a former Nuance employee had accessed certain Geisinger patient information two days after the employee had been terminated,” read

Oyster Backdoor Spreading via Trojanized Popular Software Downloads

By The Hacker News

A malvertising campaign is leveraging trojanized installers for popular software such as Google Chrome and Microsoft Teams to drop a backdoor called Oyster (aka Broomstick and CleanUpLoader). That's according to findings from Rapid7, which identified lookalike websites hosting the malicious payloads that users are redirected to after searching for them on search engines like Google and Bing. The threat actors are luring unsuspecting users to fake websites purporting to contain legitimate software. But attempting to download the setup binary launches a malware infection chain instead. Specifically, the executable serves as a pathway for a backdoor called Oyster, which is capable of gathering information about the compromised host, communicating with a hard-coded command-and-control (C2) address, and supporting remote code execution. While Oyster has been observed in the past being delivered by means of a dedicated loader component known as Broomstick Loader (aka

Change Healthcare lists the medical data stolen in ransomware attack

By Lawrence Abrams, Bleeping Computer

UnitedHealth has confirmed for the first time what types of medical and patient data were stolen in the massive Change Healthcare ransomware attack, stating that data breach notifications will be mailed in July. On Thursday, the company published a data breach notification warning that the ransomware attack exposed a "substantial quantity of data" for a "substantial proportion of people in America." While UnitedHealth has not explicitly shared how many people were affected, UnitedHealth CEO Andrew Witty stated during a congressional hearing that "maybe a third" of all Americans' health data was exposed in the attack. According to the data breach notification, a massive trove of sensitive information was stolen, including: Health insurance information (such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers); Health i

Fake Google Chrome errors trick you into running malicious PowerShell scripts

By Bill Toulas, Bleeping Computer

A new malware distribution campaign uses fake Google Chrome, Word, and OneDrive errors to trick users into running malicious PowerShell "fixes" that install malware. The new campaign was observed being used by multiple threat actors, including those behind ClearFake, a new attack cluster called ClickFix, and the TA571 threat actor, known for operating as a spam distributor that sends large volumes of email, leading to malware and ransomware infections. Previous ClearFake attacks utilized website overlays that prompt visitors to install a fake browser update that installs malware. Threat actors also utilize JavaScript in HTML attachments and compromised websites in the new attacks. However, now the overlays display fake Google Chrome, Microsoft Word, and OneDrive errors. These errors prompt the visitor to click a button to copy a PowerShell "fix" into the clipboard and then paste and run it in a Run dialog or PowerShell prompt.

London hospitals cancel over 800 operations after ransomware attack

By Sergiu Gatlan, Bleeping Computer

NHS England revealed today that multiple London hospitals impacted by last week’s Synnovis ransomware attack were forced to cancel hundreds of planned operations and appointments. Formerly known as Viapath, Synnovis was established as GSTS Pathology in 2009 and switched to the Synnovis brand in October 2022. The organization was established as a partnership between SYNLAB UK & Ireland, Guy's and St Thomas' NHS Foundation Trust, and the King's College Hospital NHS Foundation Trust. Ongoing service disruptions at Guy's and St Thomas' NHS Foundation Trust, King's College Hospital NHS Foundation Trust, and primary care providers across South East London result from Synnovis being locked out of its systems by a June 3 attack linked to the Qilin ransomware operation. While memos issued by hospital officials revealed this "ongoing critical incident" has had a "major impact" on their procedures and operations

LastPass says 12-hour outage caused by bad Chrome extension update

By Lawrence Abrams, Bleeping Computer

LastPass says its almost 12-hour outage yesterday was caused by a bad update to its Google Chrome extension. Starting at around 1 PM ET yesterday, LastPass users were suddenly unable to access their password vaults or log into their accounts, instead seeing "404 Not Found" errors, which typically indicate a page does not exist. The impact did not go unnoticed, with LastPass customers venting their frustration on Reddit and Twitter about the outage and their inability to retrieve their saved credentials and log in to sites.