GlobalSign Blog

Cybersecurity News Round-Up: Week of November 8, 2021

Welcome back to our blog! It was “just another manic Monday” this week. 

In a major development, the U.S. Department of Justice announced the arrest of a Ukrainian citizen suspected of being part of the July ransomware attack on MSPs via Kaseya. Charged in the attack was Ukrainian national Yaroslav Vasinski, who was arrested last month by Polish authorities and is being held pending U.S. extradition proceedings. His alleged cohort, Yevginiy Polyanin, was also charged by the DOJ for deploying the ransomware used in the Kaseya attack. Polyanin currently remains at large.

News emerged that electronics retail giant MediaMarkt suffered a Hive ransomware attack that began late Sunday night. The attackers initially demanded a massive ransom of $240 million (a figure that was later lowered). The attack forced the company to shut down its IT systems and disrupted store operations in the Netherlands and Germany.

A ZDNet story covered a warning issued the prior weekend by cybersecurity firm Palo Alto Networks about an ongoing hacking campaign that has already resulted in the compromise of at least nine organizations worldwide from critical sectors, including defense, healthcare, energy, technology, and education. The attacks observed by Palo Alto Networks researchers began in mid-September with scans for vulnerable servers, nine days after the US Cybersecurity and Infrastructure Security Agency (CISA) warned it had detected exploits used in the wild and one day after a joint advisory was published by CISA, the FBI, and the United States Coast Guard Cyber Command (CGCYBER).

On Tuesday, trading platform Robinhood revealed that it experienced a security breach on November 3rd. The data of as many as seven million users was exposed. The perpetrators obtained the email addresses of five million people and the full names of a different group of approximately two million customers, and also stole the personal information of 310 users, including their name, date of birth and zip code. More extensive account details were exposed for 10 customers among those 310. However, no Social Security numbers, bank account numbers or debit card numbers were exposed in the incident.

Customers of HPE’s Aruba networking unit were informed this week that personal information stored in Aruba Central may have been exposed. A threat actor obtained an "access key" that allowed them to view customer data stored in the Aruba Central environment for 18 days, between October 9th, 2021, and October 27th, when HPE revoked the key.

Finally, the jointly US-Dutch owned leading travel site Booking.com was illegally accessed by an American attacker in 2016, and the company failed to tell anyone when it became aware of what happened. That’s according to a new book written by three Dutch journalists. Their employer, Dutch title NRC Handelsblad, reported the allegations this week, claiming that Booking.com had relied on legal advice from London-based law firm Hogan Lovells saying it wasn't obliged to inform anyone of the attack.

That’s another week wrapped up. Thanks for stopping by our blog, and have a fun but cybersafe weekend!

Top Global Security News

The Register (November 11, 2021) Dutch newspaper accuses US spy agencies of orchestrating 2016 Booking.com breach

"Jointly US-Dutch owned Booking.com was illegally accessed by an American attacker in 2016 – and the company failed to tell anyone when it became aware of what happened, according to explosive revelations.

The alleged miscreant, named as 'Andrew', is said to have stolen 'details of thousands of hotel reservations in countries in the Middle East,' according to a new book written by three Dutch journalists.

Their employer, Dutch title NRC Handelsblad, reported the allegations this week, claiming that Booking.com had relied on legal advice from London-based law firm Hogan Lovells saying it wasn't obliged to inform anyone of the attack."

InfoSecurity (November 11, 2021) Ransomware Attack Hits UK Fertility Clinic

"Data from a private fertility clinic has been put at risk following a ransomware attack that hit a document management firm.

The Lister Fertility Clinic said that Stor-a-file Limited, which the clinic uses for scanning medical records, had been 'hacked' by a 'cyber-gang' in a letter that it sent to its 1700 patients. The document management firm revealed that 13 organizations had been impacted, with six being healthcare-related.

While it had informed the police and the Information Commissioner’s Office, Stor-a-file Limited said that the possibility hackers accessed medical information 'cannot be ruled out.'"

ZDNet (November 11, 2021) Missouri apologizes to 600k teachers who had SSNs and private info exposed

"Missouri's Department of Elementary and Secondary Education (DESE) has apologized to the 620,000 past and present educators who had their sensitive information -- including their social security numbers -- exposed on the DESE certification database.

Missouri's Office of Administration Information Technology Services Division (OA-ITSD) and the DESE will send out letters to those affected notifying them that their personally identifiable information "may have been compromised during a recent data vulnerability incident."

The situation caused national headlines last month because the governor of the state used the incident to attack The St. Louis Post-Dispatch. Josh Renaud, a reporter from the newspaper, discovered a vulnerability in the certification database that exposed teacher data, notified the DESE, and gave them time to fix it before publishing his story."

Bleeping Computer (November 10, 2021) HPE says hackers breached Aruba Central using stolen access key

"HPE disclosed today that a threat actor obtained an "access key" that allowed them to view customer data stored in the Aruba Central environment. The threat actor had access for 18 days between October 9th, 2021, and October 27th, when HPE revoked the key. The exposed repositories contained two datasets, one for network analytics and the other for Aruba Central's 'Contact Tracing' feature.

"One dataset ('network analytics') contained network telemetry data for most Aruba Central customers about Wi-Fi client devices connected to customer Wi-Fi networks. A second dataset ('contact tracing') contained location-oriented data about Wi-Fi client devices including which devices were in proximity to other Wi-Fi client devices," explains an Aruba Central FAQ about the security incident."

Engadget (November 9, 2021) Robinhood security breach compromised data of 7 million users 

"Robinhood has revealed that it experienced a security breach incident on November 3rd, which exposed the data of as many as 7 million users or around a third of its userbase. The bad actor, the financial services company said, obtained the email addresses of 5 million people and the full names of a different group of around 2 million customers. In addition, the infiltrator managed to steal additional personal information of 310 users, including their name, date of birth and zip code. More extensive account details were exposed for 10 customers among those 310.

No Social Security numbers, bank account numbers or debit card numbers were exposed in the incident, Robinhood said, but it's still making the appropriate disclosures to the affected customers. The company, which allows users to make commission-free stock and crypto trades, said it had already contained the attack. Upon cutting the hacker's access off, the attacker demanded payment for the stolen data and made threats on what they would do with the information if they weren't paid."

Bleeping Computer (November 8, 2021) MediaMarkt hit by Hive ransomware, initial $240 million ransom 

"Electronics retail giant MediaMarkt has suffered a Hive ransomware attack with an initial ransom demand of $240 million, causing IT systems to shut down and store operations to be disrupted in the Netherlands and Germany. MediaMarkt suffered a ransomware attack late Sunday evening into Monday morning that encrypted servers and workstations and led to the shutdown of IT systems to prevent the attack's spread.

BleepingComputer has learned that the attack affected numerous retail stores throughout Europe, primarily those in the Netherlands.

While online sales continue to function as expected, cash registers cannot accept credit cards or print receipts at affected stores. The systems outage is also preventing returns due to the inability to look up previous purchases."

CRN (November 8, 2021) Feds Unveil Arrest In Kaseya Ransomware Attack

"The U.S. Department of Justice Monday unveiled the arrest of a Ukraine citizen suspected of being part of the July ransomware attack on MSPs via Kaseya.

The DOJ has charged Ukrainian national Yaroslav Vasinski for deploying the REvil ransomware attack in July. The DOJ also charged Russian national Yevginiy Polyanin with conspiracy to commit fraud and other charges.

Vasinski was arrested last month by Polish authorities and is being held pending U.S. extradition proceedings, while Polyanin remains at large.

Kaseya in early July was forced to take all SaaS instances of its VSA remote monitoring and management tool offline following an attack against some on-premise VSA customers."

Bleeping Computer (November 8, 2021) State hackers breach defense, energy, healthcare orgs worldwide

"Cybersecurity firm Palo Alto Networks warned over the weekend of an ongoing hacking campaign that has already resulted in the compromise of at least nine organizations worldwide from critical sectors, including defense, healthcare, energy, technology, and education.

To breach the orgs' networks, the threat actors behind this cyberespionage campaign exploited a critical vulnerability (CVE-2021-40539) in Zoho's enterprise password management solution known as ManageEngine ADSelfService Plus which allows remotely executing code on unpatched systems without authentication.

The attacks observed by Palo Alto Networks researchers started on September 17 with scans for vulnerable servers, nine days after the US Cybersecurity and Infrastructure Security Agency (CISA) warned it detected exploits used in the wild and one day after a joint advisory was published by CISA, the FBI, and the United States Coast Guard Cyber Command (CGCYBER)."

Other Industry News 

US defense contractor Electronic Warfare Associates discloses data breach - Security Affairs

Over 80% of CNI Firms Have Been Breached in Past 36 Months – InfoSecurity 

bZx crypto heist results in reported losses of more than $55 million - The Daily Swig (portswigger.net)

Campaign used known Zoho bug to compromise firms across critical industries - SC Media 

Ransomware Hits Major US Comic Book Distributor – PC Mag

Ransomware Attack on Lab in Florida - InfoWorld 

Canadian health systems recovering from breach that forced thousands of appointment cancellations - CyberScoop

These cybersecurity vulnerabilities could leave millions of connected medical devices open to attack - ZDNet

The Industries Most Affected by Ransomware – Statista 
