Leafperforator: New attacks target maritime facilities

A new cyberespionage campaign carried out by the nation-state advanced persistent threat (APT) group Leafperforator (aka SideWinder) targets ports and maritime facilities in the Indian Ocean and Mediterranean Sea.

According to the BlackBerry Research and Intelligence Team, regions targeted by the spear-phishing campaign include Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.

Active since at least 2012, Leafperforator is assessed to be affiliated with India. “SideWinder makes use of email spear-phishing, document exploitation and DLL side-loading techniques in an attempt to avoid detection and deliver targeted implants,” BlackBerry researchers said. The latest campaign uses lures related to sexual harassment, employee termination, and salary cuts in order to trick recipients into opening booby-trapped Microsoft Word documents.

The attackers exploit known vulnerabilities (CVE-2017-0199 and CVE-2017-11882) in their attacks to establish contact with a malicious domain, download additional files, and execute JavaScript. While the end result of the JavaScript code is unknown, based on prior Leafperforator campaigns, the end goal is likely intelligence gathering.

Protection
For the latest protection updates, please visit the Symantec Protection Bulletin.

DigiCert revokes large number of certificates at short notice due to issuing error

Some admins who were using SSL/TLS certificates issued by DigiCert had only 24 hours to replace them before they were revoked by DigiCert recently. The reason given for the revoking of "approximately 0.4 percent of the applicable domain validations we have in effect" was an error in the issuing process, which was first introduced back in 2019.

The process, which involves a step called Domain Control Verification (DCV), is supposed to verify that the applicant of a certificate is actually the owner of the domain name. This process was performed improperly for a small proportion of certificates issued because an underscore prefix was not added to a random value used in the verification DNS CNAME record. 

Even though the risk posed by this error is said to be extremely low, due to the rules governing the technology, affected certificates must be revoked within 24 hours of discovery without any exception.

Customers impacted by this action were notified by DigiCert and provided with appropriate steps to take to avoid any service disruptions.

HealthEquity to notify 4.3 million victims of data breach discovered in June 2024

After a period of investigation into a data breach that occurred in March 2024, HealthEquity, a major U.S. financial services institution focused on helping people save for healthcare expenses, has notified the Maine Attorney General of its intentions to send communications and offer free credit monitoring and other services to 4.3 million individuals who may be impacted by the breach.

The breach is reported to have exposed private data for almost a third of the company’s 15 million customers. The data exposed includes personally identifiable information (PII) such as names, addresses, phone numbers, Social Security numbers, information about employers and dependents, as well as payment card information in some cases.

The cause of the breach is said to be due to the compromise of a user account at a third party vendor, which allowed the attacker to gain access to an “unstructured data repository” which was hosted outside of HealthEquity’s own networks. 

Fortune 500 firm pays record-breaking $75 million ransom

The Dark Angels ransomware group received a $75 million ransom payment from a Fortune 500 company, breaking the record for the largest ransomware-related transaction ever reported.

According to Zscaler researchers, the unnamed company paid the ransom following an attack that occurred in early 2024. The $75 million ransom beats the previous record of $40 million paid by insurance giant CNA following an Evil Corp ransomware attack.

While Zscaler did not name the company that made the ransom payment, BleepingComputerspeculates that it could be pharmaceutical giant Cencora. The Fortune 50 firm suffered a ransomware attack in February 2024; however, no ransomware group claimed responsibility for the incident, potentially indicating that the company paid the ransom.

Active since at least May 2022, the Dark Angels ransomware group targets a range of sectors, including healthcare, government, finance, and education, and has recently focused on large industrial, technology, and telecommunications companies.

Major SMS stealing campaign targets Android users in 113 countries

A major Android malware campaign is reported to have hit users from across 113 different countries. The most heavily affected countries by far are India and Russia, followed by Brazil, Mexico, the U.S., Ukraine, and Spain. 

Victims of the campaign are believed to be infected via a number of methods including fake app stores being advertised online, as well as ending up chatting with one of the 2,600 Telegram bots operated by the attackers when searching for pirated Android apps online. In one instance observed by researchers, the Telegram bot requested the phone number of the intended victim. The phone number was then used to customize the APK offered to the victims to sideload onto their devices. 

Once installed, the malicious APK requests various permissions to enable it to perform its malicious activities, which include intercepting SMS messages and stealing data such as one-time passwords used for multi-factor authentication for sites belonging to over 600 different brands. In addition to stealing information, the malware connects to one of 13 command-and-control servers, enabling the attackers to access and execute commands on the device remotely.

The campaign is said to have involved the use of over 100,000 distinct malware samples, though this may be due to the customization of each APK used for infection with the victim’s phone number. 

Protection
For the latest protection updates, please visit the Symantec Protection Bulletin.

Cybersecurity lapses led to breach of 40 million UK voters’ data

The UK's privacy watchdog on Tuesday (July 30) reprimanded the country’s Electoral Commission for security failings leading to the compromise of personal information of 40 million people during a 2021 cyberattack.

The Information Commissioner’s Office (ICO) found that the election agency failed to ensure systems were up to date with the latest security updates and did not have sufficient password policies. “If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened,” ICO Deputy Commissioner Stephen Bonner said in a statement.

Chinese state-backed hacking group Sheathminer (aka  APT31), who carried out the attack, accessed the personal information, including names and home addresses, of people registered to vote in the UK since 2014. Sheathminer accessed the Electoral Commission’s Microsoft Exchange Server by impersonating a user account and exploiting known vulnerabilities in the system. Patches for the vulnerabilities in question (ProxyShell) had been made available in April and May 2021, months before the attack, according to the ICO.