Hello and welcome back to our weekly cybersecurity news round-up.
The biggest story of the week is undoubtedly in Australia. The country is grappling with a massive cyber attack that's impacted the country's largest health insurer, Medibank Private Ltd. This week the company said evidence was presented to them that personal information of 100 customers was stolen. That was part of a theft of 200 gigabytes of data which the company disclosed last week. In total Medibank serves at least four million customers. Australia's cyber-security minister, Clare O’Neil, this week described the latest attack as "relentless". The incident comes on the heels of recent cyber security attacks at Australian telecom providers Optus and Telstra, as well as technology consultancy Dialog. According to research by Imperva, between July 2021 and June 2022, cyber attacks in Australia increased by 81%. At the same time, Australia’s traffic only increased by 38%, showing that the rise in attacks is not simply due to increased network traffic. This trend grew over the past year, but increased sharply between December and January.
On Wednesday Microsoft confirmed that a misconfigured endpoint exposed data related to prospective customers. That came after threat intelligence firm SOCRadar announced earlier in the day that it had identified many misconfigured cloud storage systems, including six large buckets that stored information associated with 150,000 companies across 123 countries. Microsoft believes SOCRadar is exaggerating the number of companies affected. The tech giant also contends the data exposure "was not the result of a security vulnerability."
Also this week, Brazil's Federal Police arrested a Brazilian suspect, possibly a teenager, believed to be part of the Lapsus$ extortion gang. The suspect was detained following an investigation that began in December 2021 after last year's breach of the Brazilian Ministry of Health. According to The Hacker News, the arrest was made as part of a new law enforcement effort, dubbed Operation Dark Cloud. In the attack, websites under Brazil's Ministry of Health were breached, resulting in the alleged exfiltration of 50TB of data and temporary unavailability of COVID-19 vaccination information of millions of citizens. Lapsus$ is also blamed for attacks on additional government portals in Brazil, including the Ministry of Economy, Comptroller General of the Union, and the Federal Highway Police.
The company that publishes an annual report on data breaches announced it, too, is the victim of a data breach. Yes, Verizon announced this week the accounts of some of its prepaid customers have been breached. The company says an undisclosed number of prepaid customers were impacted. "We determined that between October 6 and October 10, 2022, a third party actor accessed the last four digits of the credit card used to make automatic payments on your account," Verizon said in an alert published this week. The statement continued, "Using the last four digits of that credit card, the third party was able to gain access to your Verizon account and may have processed an unauthorized SIM card change on the prepaid line that received the SMS linking to this notice. If a SIM card change occurred, Verizon has reversed it." Verizon added that it blocked further unauthorized access to its clients' accounts and found no evidence that this malicious activity is still ongoing.
That's a wrap for this week. Have a great weekend.
Top Global Security News
HealthITSecurity (October 20, 2022) 3M Advocate Aurora Health Patients Face PHI Exposure Tied to Tracking Pixels
Advocate Aurora Health notified 3 million patients of a data breach that resulted in potential protected health information (PHI) exposure.
The breach stemmed from the nonprofit health system’s use of Google and Meta (Facebook’s parent company) tracking pixels, which are commonly used tools that allow organizations to track website visitor activity.
With the tracker present, packets of data were allegedly sent to Facebook whenever someone clicked a button to schedule a doctor’s appointment. Facebook allegedly received highly sensitive protected health information (PHI), including medical conditions and doctors’ names, which could all be linked to the user’s unique IP address.
Security Week (October 20, 2022) Microsoft Confirms Data Breach, But Claims Numbers Are Exaggerated
Microsoft has confirmed that it inadvertently exposed information related to prospective customers, but claims that the company which reported the incident has exaggerated the numbers.
Threat intelligence firm SOCRadar revealed on Wednesday that it has identified many misconfigured cloud storage systems, including six large buckets that stored information associated with 150,000 companies across 123 countries.
These buckets, which the firm has dubbed BlueBleed, included a misconfigured Azure Blob Storage instance allegedly containing information on more than 65,000 entities in 111 countries. SOCRadar described it as “one of the most significant B2B leaks”.
Channel News (October 20, 2022) Australia “Under Relentless Cyber-Attack”: Home Affairs Minister
Home Affairs Minister Clare O’Neil has called the recent spate of cyber-attacks on Australian institutions a “huge wake-up call” for the country.
Speaking on the recent Medibank incident, O’Neil said the government has a “clear mandate” to amend the current laws, adding that “the very best people in the country are working with Medibank to try to prevent any harm from occurring from what has gone on here.”
“There is an element here that cybercrime is growing really quickly around the world,” O’Neil said.
“There was an Interpol conference that yesterday, the kind of police heads of forces from around the world got together and their message to the community was that cybercrime is now their main crime concern internationally.”
Bleeping Computer (October 18, 2022) Verizon notifies prepaid customers their accounts were breached
Verizon warned an undisclosed number of prepaid customers that attackers gained access to Verizon accounts and used exposed credit card info in SIM swapping attacks.
"We determined that between October 6 and October 10, 2022, a third party actor accessed the last four digits of the credit card used to make automatic payments on your account," Verizon said in an alert published this week.
"Using the last four digits of that credit card, the third party was able to gain access to your Verizon account and may have processed an unauthorized SIM card change on the prepaid line that received the SMS linking to this notice. If a SIM card change occurred, Verizon has reversed it."
Verizon added that it blocked further unauthorized access to its clients' accounts and found no evidence that this malicious activity is still ongoing.
Bleeping Computer (October 19, 2022) Brazil arrests suspect believed to be a Lapsus$ gang member
Today, the Brazilian Federal Police arrested a Brazilian suspect in Feira de Santana, Bahia, believed to be part of the Lapsus$ extortion gang.
The suspect was detained following an investigation started in December 2021 after last year's breach of the Brazilian Ministry of Health. During the incident, the attackers deleted files and defaced the Ministry of Health website to display a message where the Lapsus$ hacking group claimed the attack and said it had stolen data from the ministry's network.
Besides the Ministry of Health, the group also targeted dozens of other Brazilian Federal Government bodies and entities, including the Ministry of Economy, the Comptroller General of the Union, and the Federal Highway Police.
Other Top Security Stories
White House rallies industry support for Internet of Things labeling effort - Cyberscoop
Keystone Health Data Breach Impacts 235,000 Patients - Security Week
Ransomware attackers compromise German newspaper, Heilbronn Stimme - IT World Canada
Car theft ring used software to steal hundreds of vehicles without the physical key fob, say police - ZDNet
New York Attorney General Fines E-Commerce Parent Company for Failing to Properly Handle a Data Breach - Lexology
The EU takes stock of whether PSD2 is a success - Raconteur
‘We don’t teach developers how to write secure software’ – Linux Foundation’s David A Wheeler on reversing the CVE surge - Portswigger
The Fallout From the First Trial of a Corporate Executive for ‘Covering Up’ a Data Breach - Lawfare
Many public safety agencies remain unequipped to defend against cyberattacks - Cyberscoop