Hello and welcome back to our weekly recap of all things cybersecurity. Let's dive in, shall we?
The saga of the ongoing attack against Australia's Medibank took a new twist this week, with the attackers releasing details from the nearly 10 million records they swiped. Medibank, Australia's largest health insurer, is refusing to pay the ransom. The question is, who is behind the attack? Data Breach Today explores this.
Europol announced the arrest of a Russian national linked to the notorious LockBit ransomware gang. The suspect was arrested in Ontario, Canada last month following an investigation involving not only Europol, but also the French National Gendarmerie, the FBI, and the Royal Canadian Mounted Police (RCMP). LockBit is known for targeting critical infrastructure organizations, financial services and healthcare, but also smaller targets such as municipalities, which, as documented by security company Acronis, is what happened earlier this year to towns in Colorado and Ontario, Canada. Acronis also says the LockBit gang took credit for 50 ransomware incidents in June alone.
An attack on one of the world's largest astronomical observatories late last month is raising concerns about the security of space technology. The attack took place at Chile's Atacama Large Millimeter Array (ALMA) observatory on October 29th. The incident affected its computer systems, and its public website was taken down. While the observatory's work is suspended for now, its antennas and scientific data were not compromised.
Microsoft this week announced it has patched a pair of Exchange zero-days publicly disclosed in late September. The two zero-days are high-severity vulnerabilities in Exchange that, when chained together, allow an attacker who already holds valid credentials to execute code on the server. When the vulnerabilities came to light in September, researchers in Vietnam reported they had been used to infect on-premises Exchange servers with web shells, the text-based interfaces that let an attacker remotely execute commands on the compromised host.
SolarWinds said the U.S. Securities and Exchange Commission (SEC) is investigating the company in connection with the 2020 cyberattack on its Orion software platform, according to a new SEC filing. In addition, the Texas-based IT management solutions provider agreed to pay $26 million to settle a shareholder lawsuit related to the 2020 incident. The SolarWinds attack impacted the highest levels of the U.S. government and was the impetus for companies to more closely examine their software supply chain, leading to the increased adoption of the Software Bill of Materials (SBOM).
Finally, a Canadian supermarket giant appears to have suffered a major cyber attack. Empire Company, which owns 1,500 stores across Canada, on Monday announced an "information technology systems issue" was causing some of its pharmacies to experience difficulty fulfilling prescriptions. Signs posted at some stores also said the gift card and Scene points systems were down. As of Tuesday, the company had not responded to media inquiries about the issues affecting the chain.
That's a wrap for the week. Have a great weekend!
Top Global Security News
Bleeping Computer (November 10, 2022) Russian LockBit ransomware operator arrested in Canada
Europol has announced today the arrest of a Russian national linked to LockBit ransomware attacks targeting critical infrastructure organizations and high-profile companies worldwide.
The suspect was arrested in Ontario, Canada, last month following an investigation led by the French National Gendarmerie with the help of Europol's European Cybercrime Centre (EC3), the FBI, and the Royal Canadian Mounted Police (RCMP).
Law enforcement agents also seized eight computers and 32 external hard drives, two firearms, and €400,000 worth of cryptocurrency from the suspect's home.
Databreach Today (November 9, 2022) Microsoft Patches ProxyNotShell Exchange Vulnerabilities
Microsoft patched a pair of Exchange zero-days publicly disclosed in late September and known to have been exploited in the wild by a threat actor with indicators of Chinese origin.
The first flaw is a server-side request forgery vulnerability that allows attackers access to back-end servers that they would not have otherwise. The second flaw allows remote code execution when Remote PowerShell is activated. Attackers can exploit the first flaw to trigger the second. They are, respectively, CVE-2022-41040 and CVE-2022-41082 and together are known as ProxyNotShell for their similarity to a trio of 2021 Exchange vulnerabilities together known as ProxyShell.
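The chain above leaves a recognizable footprint in the IIS logs of an on-premises Exchange server: an Autodiscover request whose URI carries an "@" and reaches the PowerShell endpoint, which is the same shape Microsoft's published URL Rewrite mitigation for ProxyNotShell keyed on. The following is an added example written for this recap, not code from Microsoft, Data Breach Today or the researchers who disclosed the bugs. It scans W3C-format IIS log lines for that pattern; the log lines are constructed for illustration (no real traffic), and the function names and the exact field layout of the sample are assumptions of the example.

```python
import re
from urllib.parse import unquote

# Pattern modelled on Microsoft's published URL Rewrite mitigation for
# ProxyNotShell (CVE-2022-41040 / CVE-2022-41082): an Autodiscover request
# whose URI contains "@" and then reaches the PowerShell endpoint.
# Matched case-insensitively on the URL-decoded URI so that encoded or
# differently-cased variants of the same request do not slip past.
PROXYNOTSHELL_RE = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)

# Constructed IIS W3C log excerpt (not real traffic). The #Fields header
# tells the parser which column is which; field names are standard IIS ones.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-10-01 03:14:07 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 31
2022-10-01 03:14:09 10.0.0.5 POST /autodiscover/autodiscover.json @example.invalid/powershell&Email=autodiscover/autodiscover.json%3F@example.invalid 443 CORP\\jdoe 198.51.100.23 Mozilla/5.0 - 200 0 0 482
2022-10-01 03:14:10 10.0.0.5 POST /autodiscover/autodiscover.json @example.invalid/PowerShell&Email=autodiscover/autodiscover.json%3F@example.invalid 443 CORP\\jdoe 198.51.100.23 Mozilla/5.0 - 401 0 0 12
2022-10-01 03:15:01 10.0.0.5 GET /autodiscover/autodiscover.json a=1 443 - 192.0.2.9 Outlook/16.0 - 200 0 0 20
"""


def find_proxynotshell_hits(log_text):
    """Return one dict per log line whose decoded URI matches PROXYNOTSHELL_RE.

    The W3C format can change its column layout mid-file, so the most recent
    #Fields header is used to name the columns of each subsequent line.
    """
    fields = []
    hits = []
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue  # blank line or other directive (#Software, #Date, ...)
        parts = raw.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        rec = dict(zip(fields, parts))
        # IIS logs "-" for an empty query; rebuild and decode the full URI.
        query = "" if rec["cs-uri-query"] == "-" else rec["cs-uri-query"]
        uri = unquote(rec["cs-uri-stem"] + ("?" + query if query else ""))
        if PROXYNOTSHELL_RE.search(uri):
            hits.append({
                "time": rec["date"] + " " + rec["time"],
                "client": rec["c-ip"],
                "user": rec["cs-username"],
                "status": rec["sc-status"],  # 401s show probing; 200s need triage
                "uri": uri,
            })
    return hits


def summarize_by_client(hits):
    """Count matching requests per source IP to prioritise triage."""
    counts = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_proxynotshell_hits(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["client"], h["user"], h["status"], h["uri"])
    print(summarize_by_client(found))
```

Both the 200 and the 401 response are reported on purpose: a 401 shows someone probing the endpoint without working credentials, while a 200 from an authenticated account is the one that warrants checking that server for web shells and the account for compromise.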
Cybersecurity Dive (November 9, 2022) SolarWinds under SEC probe related to 2020 supply chain attack
SolarWinds said the Securities and Exchange Commission is investigating the company in connection with the 2020 cyberattack on its Orion software platform, according to a SEC filing last week.
The SEC provided SolarWinds with a Wells Notice to recommend enforcement action alleging violations of certain securities laws related to cybersecurity disclosures and public statements. It is also looking into internal controls and disclosure controls and procedures.
SolarWinds considers its internal controls appropriate and will respond to the allegations, the company said. The Wells Notice is not considered a formal charge nor a final determination.
ABC News (November 8, 2022) Hacker publishes Australian health insurer's customer data
Medibank client data was published by an extortionist Wednesday, including details of individuals' medical procedures, after Australia’s largest health insurer refused to pay a ransom for the personal records of almost 10 million current and former customers.
The release of information on the dark web appeared to be a sample of the data that Medibank had previously determined had been stolen last month, the company said. Medibank expected the thief would continue releasing data.
“This is a criminal act designed to harm our customers and cause distress,” Medibank CEO David Koczkar said in a statement that reiterated a previous apology to customers.
The Record (November 7, 2022) Cyberattack on observatory in Chile raises concerns about security of space tech
One of the world’s largest astronomical observatories suffered a cyberattack in late October and was forced to suspend work, it announced last week.
The Atacama Large Millimeter Array (ALMA) observatory in Chile said last Wednesday that a cyberattack on October 29 had affected its computer systems and taken down its public website. ALMA’s antennas and scientific data were not compromised, but ALMA suspended space observations and restricted the use of its email services.
Although the threat has been contained, it is not yet possible to estimate when the observatory will return to normal operations, according to its statement.
CBC News (November 8, 2022) Owner of Sobeys, Safeway stores tight-lipped on IT problems impacting pharmacies
Two major Canadian food companies continue to keep mum about information technology problems that have plagued their operations for days and as the silence drags on, some experts say a ransomware attack could be behind the issues.
Empire Company, which owns 1,500 stores across Canada, including Sobeys, Lawtons, IGA, Safeway, Foodland, Needs and other grocery outlets, said Monday an "information technology systems issue" was causing some of its pharmacies to experience difficulty fulfilling prescriptions. Signs posted at some stores also said the gift card and Scene points systems were down.
The company has not released any further information about the issues affecting the chain, and did not respond to questions posed by CBC News on Tuesday.
Other Top Security News