Hackers warn Las Vegas-area parents they have their children’s data.
Welcome to Cyber Security Today. It’s Monday, October 30th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
One of the biggest public school districts in the U.S. is dealing with the data theft and publishing of 200,000 student profiles. Clark County School District in Nevada, which includes Las Vegas, was hit early this month. According to the news site DataBreaches.net, a group calling itself SingularityMD claims it has been in the school district’s IT network for months. The gang claims it got in because the district made students use their birthday as a password. At least one parent says they got an email from the hackers warning they had their children’s information. The gang is demanding money for the return of the data. This school district was hit with a ransomware attack in 2020. It refused to pay then, and apparently is refusing to pay now.
The Toronto edition of the 2023 Pwn2Own hacking challenge ended Friday with winning teams collecting just over US$1 million. They got the money for finding 58 zero-day vulnerabilities in routers, network-attached storage servers, wireless speakers, internet-connected surveillance cameras and smartphones. The device manufacturers have 90 days to issue patches for the holes in their products. The biggest winner was a team from Vietnam mobile network provider Viettel, which won US$180,000. Pwn2Own contests are held annually in a number of cities around the world. It’s part of the Zero-Day Initiative organized by Trend Micro to encourage and reward the safe discovery of vulnerabilities.
Some ransomware gangs don’t target hospitals because of the bad publicity. Others are not so shy. The BlackCat/AlphV gang is one of them. According to the news site Databreaches.net, earlier this month the gang threatened to release stolen data from Morrison Community Hospital in Illinois. For a few days the threat was taken off the gang’s data notification site. That usually happens because a gang has second thoughts about victimizing a target or because it’s talking to the victim. But last week the gang started publishing what it says is over 8TB of VMware images from the hospital, along with what it says are employee passwords.
More American companies are acknowledging being victims of the hack of their Progress Software MOVEit servers. Among them is NASCO, the benefits administration division of the private Blue Cross and Blue Shield health plans. NASCO is notifying over 800,000 customers some of their personal information was stolen, including names and Social Security numbers. According to researchers at Emsisoft, over 2,500 businesses and governments have had data stolen through MOVEit compromises.
Resort Data Processing, which provides property management software for hotels, is notifying over 61,000 people their payment card data was stolen from the websites of hotels where they made reservations. Compromising e-commerce modules of websites to steal credit and debit card information continues to be a problem that plagues many companies.
The latest victim of the hack of an American e-commerce provider called CommerceV3 is a gift basket site called Pennsylvania General Store. It is notifying over 19,000 customers who made purchases between November 2021 and December 2022 that their names and payment card numbers may have been stolen. Other companies hit by the hack include HRM Enterprises, which runs the Hartville Hardware and Lehman’s hardware chains. It had to notify 40,000 customers earlier this year that some of their personal data was stolen in the CommerceV3 hack.
Stanford University has acknowledged a cyber attack after the Akira ransomware gang claimed it hit the California institution this month. In a statement Friday the university said it was investigating a cybersecurity incident at its public safety department. There is no indication the incident affected any other part of the university, the statement says. The disclosure of the attack was made by Brett Callow of Emsisoft.
Experts emphasize the importance of quickly applying critical patches to applications before threat actors take advantage. The latest example of an organization failing to follow this guidance comes from researchers at Kaspersky. They say an unnamed software company was compromised by North Korea’s Lazarus group, which got into the company through an application it uses. The creator of that application had warned all customers to patch its product, but this particular software company didn’t. In fact, the victim software company had been hacked several times by Lazarus. That suggests the group is targeting this firm for its source code or to get into its supply chain. The lesson: It’s OK to prioritize your patches, but get the updates installed as soon as possible.
Speaking of security warnings, here are two of them: F5 has released a mitigation script to deal with a critical vulnerability in a number of models of its BIG-IP family of security and application delivery devices. The script should be run on devices running software versions 14.1 and later. And VMware says its vCenter Server and Cloud Foundation need updates to be installed to close critical vulnerabilities. Due to the criticality of this hole there is a patch available for some end-of-life versions of these applications.
Finally, an Ottawa man has pleaded guilty to cyberattacks, including ransomware, on over 1,000 Canadian individuals and businesses, three police forces and a Ronald McDonald House in Halifax. According to the Ottawa Citizen, the man used phishing messages to get victims to open malicious attachments. In some cases the malware would steal bank login credentials, allowing the accused to transfer money from their bank accounts. The Ontario Provincial Police investigation started after it was tipped off by the FBI. The accused is out on bail awaiting sentencing.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.