Cyberattackers used fake DocuSign links and HubSpot forms to try to solicit Azure cloud logins from hundreds of thousands of employees across Europe.

Source: Ascannio via Alamy Stock Photo

A full 20,000 employees of European manufacturing companies have been targeted by a phishing campaign.

According to Palo Alto Networks' Unit 42, the activity peaked in June and survived until at least September. The cyberattackers targeted automotive, chemical, and industrial compound manufacturing companies, primarily in Western European countries like the UK, France, and Germany.

The attackers' goal was to lure employees into divulging credentials to their Microsoft accounts, particularly in order to gain access to their enterprise Azure cloud environments.

**DocuSign, HubSpot & Outlook Phishing**

The infection chain began either with an embedded HTML link or a DocuSign-enabled PDF file named after the targeted company (e.g., darkreading.pdf). In either case, the lure funneled victims to one of 17 HubSpot Free Forms. Free Forms are HubSpot's customizable online forms for gathering information from website visitors.

The forms were not actually used to gather any information from victims. They were bare, and clearly written by a non-native speaker. "Are your \[sic\] Authorized to view and download sensitive Company Document sent to Your Work Email?" they asked, with a button to view the purportedly sensitive document in "Microsoft Secured Cloud."

Related:CISA Directs Federal Agencies to Secure Cloud Environments

Those who fell for this step were redirected to another page, mimicking a Microsoft Outlook Web App (OWA) login page. These pages — hosted on robust, anonymous bulletproof virtual private servers (VPS) — incorporated their targets' brand names, with the top-level domain (TLD) ".buzz" (as in www.darkreading.buzz). Victims' Microsoft credentials were harvested here.

With stolen accounts in hand, the threat actor set about burrowing into targets' enterprise cloud environments. The next important step to that end involved registering their own device to victims' accounts. Doing so allowed them to log in thereafter as an authenticated user, and thus avoid triggering security alerts. They enhanced their disguise further by connecting through VPN proxies located in the same country as their target.

Registering a device also provided a point of persistence against any attempts to unseat the attacker. In one case Unit 42 observed, for example, an IT team was stymied as soon as they tried to regain control of a stolen account. Seeing that they might be booted, the attacker initiated a password reset, knowing that the link to do so would be sent to them. A "tug-of-war scenario" ensued, Unit 42 reported, triggering several more security alerts along the way until the matter was resolved.

Related:Azure Data Factory Bugs Expose Cloud Infrastructure

**Cyberattackers Broaden their Horizons to the Cloud**

The volume of compromised users and organizations in this campaign is unknown, though likely low. As Nathaniel Quist, senior threat researcher at Unit 42, points out, "since this operation equates to a double breach event, as the phishing email must be opened, then an additional operation of successfully requesting Azure credentials needed to occur. We suspect that an even smaller number of victims would have also provided the cloud credentials. For example, not every victim would also be using Azure infrastructure for their cloud operations."

What's clearer is what would have happened to those organizations that were breached. With account credentials and a point of persistence, the attackers would have embedded themselves deeper into enterprise cloud environments, "by either escalating their access to create, modify, or delete cloud resources by attaching more privileged \[identity and access management\] policies, or they would have moved laterally within the cloud environment toward storage containers that the victim IAM account may have had access to," Quist says.

Though at first glance it might appear a fairly standard phishing operation, Quist says, it also reflects something broader about cyberattack trends lately — a gradual move toward broader, more ambitious cloud attacks.

Related:Zerto Introduces Cloud Vault Solution for Enhanced Cyber Resilience Through MSPs

"From my view, we are starting to see a growing trend of phishing operations that are not establishing a malware-focused beachhead on the victim system, but instead are targeting the user's access credentials to either cloud platforms, like Azure in this case, or SaaS platforms," he says. "The victim endpoint is only the initial access into the larger cloud platform it is connected to."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Manufacturers Lose Azure Creds to HubSpot Phishing Attack

Hackers are abusing legitimate Windows utilities to target Thai law enforcement with a novel malware that is a mix of sophistication and amateurishness.

Source: CPA Media Pte Ltd via Alamy Stock Photo

Unknown hackers are targeting individuals associated with Thailand's government, using a new and unwieldy backdoor dubbed "Yokai," potentially named after a type of ghost found in the video game Phasmophobia, or after spirits in Japanese folklore.

Researchers from Netskope recently came across two shortcut (LNK) files disguised as .pdf and .docx files, unsubtly named as if they pertained to official US government business with Thailand. The attack chain tied to these fake documents cleverly used legitimate Windows binaries to deliver the previously unknown backdoor, which appears to be a hastily developed program designed to run shell commands. It carries a risk of unintended system crashes, the researchers noted.

**Ghost in the Machine: US-Themed Lures in Phishing Attack**

From Thai, the lure documents translate to "United States Department of Justice.pdf" and “Urgently, United States authorities ask for international cooperation in criminal matters.docx." Specifically, they made reference to Woravit "Kim" Mektrakarn, a former factory owner in California tied to the disappearance and suspected murder of an employee in 1996. Mektrakarn was never apprehended and is believed to have fled to Bangkok.

"The lures also suggest they are addressed to the Thai police," notes Nikhil Hegde, senior engineer for Netskope. "Considering the capabilities of the backdoor, we can speculate that the attacker's motive was to get access to the systems of the Thai police."

Related:Russian FSB Hackers Breach Pakistani APT Storm-0156

Like any other phishing attack, opening either of these documents would cause a victim to download malware. But the path from A to B wasn't so jejune as that might suggest.

**Abusing Legitimate Windows Utilities**

To begin their attack chain, the attackers made use of "esentutl," a legitimate Windows command line tool used to manage Extensible Storage Engine (ESE) databases. Specifically, they abused its ability to access and write to alternate data streams (ADS).

In Windows' New Technology File System (NTFS), files commonly contain more than just their primary content — their main "stream." An image or text document, for example, will also come packed with metadata — even hidden data — which won't be visible in the normal listing of the file, because it is not so pertinent to users. An unscrutinized channel for appending hidden data to a seemingly harmless file, however, is a luxury to a cyberattacker.

"ADS is often used by attackers to conceal malicious payloads within seemingly benign files," Hegde explains. "When data is hidden in an ADS, it does not alter the visible size or properties of the primary file. This allows attackers to evade basic file scanners that only inspect the primary stream of a file."

Related:Hamas Hackers Spy on Mideast Gov'ts, Disrupt Israel

Opening the shortcut files associated with this campaign would trigger a hidden process, during which Esentutl would be used to pull decoy government documents, and a malicious dropper, from two alternate data streams. The dropper would carry with it a legitimate copy of the iTop Data Recovery tool, used as a gateway for sideloading the Yokai backdoor.

**Inside the Yokai Backdoor Malware**

Upon entering a new system, Yokai checks in with its command-and-control (C2) base, arranges an encrypted channel for communication, then waits for its orders. It can run any ordinary shell commands in order to steal data, download additional malware, etc.

“There are some sophisticated elements in Yokai," Hegde says. For example, "Its C2 communications, when decrypted, are very structured." In other ways, though, it proves rough around the edges.

If run using administrator privileges, Yokai creates a second copy of itself, and its copy creates a third copy, ad infinitum. On the other hand, to prevent itself from running multiple times on the same machine, it checks for the presence of a mutex file — if the file exists, it terminates itself, and if it doesn't, it creates it. This check occurs after the self-replication step, however, only after the malware has begun spawning out of control. "This leads to repetitive, rapid duplicate executions that immediately terminate upon finding the mutex. This behavior would be clearly visible to an EDR, diminishing the stealth aspect of the backdoor," Hegde says.

Related:China's Elite Cyber Corps Hone Skills on Virtual Battlefields

Even a regular user might notice the strange effects to their machine. "The rapid spawning creates a noticeable slowdown. If the system is already under heavy load, process creation and execution might already be slower due to resource contention, further exacerbating the system's performance issues," he says.

In all, Hegde adds, "This juxtaposition of sophistication and amateurism stands out the most to me, almost as if two different individuals were involved in its development. Given the version strings found in the backdoor and its variants, it is likely still being continuously developed."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Thai Police Systems Under Fire From 'Yokai' Backdoor

SUMMARY Datadog Security Labs’ cybersecurity researchers have discovered a new, malicious year-long campaign from a threat actor identified…

****SUMMARY****

*   **Fake PoCs on GitHub**: Cybercriminals used trojanized proof-of-concept (PoC) code on GitHub to deliver malicious payloads to unsuspecting users, including researchers and security professionals.

*   **Credential Theft**: The attackers stole over 390,000 WordPress credentials, AWS access keys, SSH private keys, and other sensitive data from compromised systems.

*   **Stealth Techniques**: The campaign employed methods like backdoored configuration files, malicious PDFs, Python dropper scripts, and hidden npm packages to deploy the malware.

*   **Phishing Campaigns**: The attackers also targeted academics through phishing emails, tricking them into installing malware disguised as a fake kernel upgrade.

*   **Supply Chain Impact**: By leveraging trusted platforms like GitHub and popular tools, the attackers exploited the software supply chain, posing risks to professionals trusting these resources.

Datadog Security Labs’ cybersecurity researchers have discovered a new, malicious year-long campaign from a threat actor identified as MUT-1244, which resulted in the theft of over 390,000 WordPress credentials.

According to Datadog Security Labs’ research, the actor used a trojanized WordPress credentials checker to steal data. SSH private and AWS access keys were also stolen from the compromised systems of hundreds of victims. The attackers’ key targets included red teamers, penetration testers, security researchers, and even other malicious actors.

****Use of Phishing and Trojan****

Researchers observed that MUT-1244 has employed two main methods to gain initial access to victim systems including phishing and trojanized GitHub repositories.

**Phishing Campaign:** The campaign targeted academics, specifically those researching high-performance computing (HPC). The email urged them to install a fake kernel upgrade, leading to the download of malicious code.

**Trojanized GitHub Repositories:** MUT-1244 created numerous fake repositories on GitHub. These repositories disguised themselves as **proof-of-concept (PoC)** codes for known vulnerabilities. However, they contained hidden malicious code that infected victims who downloaded and ran them. 

****Fake PoCs: A New Yet Familiar Weapon****

It is worth noting that the use of fake PoCs has emerged as a new weapon for cybercriminals to target cybersecurity researchers and unsuspecting users. **In June 2023**, scammers were caught impersonating real cybersecurity researchers to spread malware disguised as PoCs on GitHub and X (formerly Twitter).

**In July 2023**, a similar campaign was discovered in which fake GitHub repositories were used to distribute malware posing as PoCs. Interestingly, the stolen identity used in that attack belonged to Shakhriyar Mamedyarov, an Azerbaijani chess grandmaster.

**By September 2023**, another malicious campaign surfaced, utilizing a fake proof-of-concept script to trick researchers into downloading and executing a VenomRAT payload. This attack exploited the WinRAR vulnerability (CVE-2023-40477).

****Techniques used in the trojanized repositories:****

The techniques used in the trojanized repositories included multiple methods to hide and deliver malicious payloads. Some repositories contained legitimate exploits but hid malicious code within lengthy, backdoored configuration files.

In other cases, the malicious code was embedded inside PDF files; once opened, the fake exploit would extract and execute the hidden payload. A few repositories employed Python dropper scripts to decode base64-encoded payloads, write them to disk and execute them.

Additionally, some repositories indirectly infected victims by incorporating malicious npm packages into their code, which then downloaded and executed the attacker’s payload.

The ultimate goal of these attacks was to steal sensitive information from victims, including private SSH keys, **AWS credentials**, and command history.  Moreover, research revealed the malicious code contained hardcoded credentials for Dropbox and file.io services. These credentials allowed the attacker to access and download the stolen data from infected machines.

****390,000 WordPress Credentials****

Another shocking disclosure was the attacker’s ability to access over 390,000 WordPress credentials. Researchers believe these credentials were originally obtained by other malicious actors and subsequently compromised when the attackers used a trojanized tool called “yawpp” to validate them. 

The attack flow and one of the profiles used in the scam (Credit: Datadog Security Labs)

“We assess with high confidence that before these credentials were exfiltrated to Dropbox, they were in the hands of offensive actors, who likely acquired them through illicit means,” Datadog’s **report** read.

Yawpp was advertised as a legitimate WordPress credentials checker, making it a perfect lure for attackers unaware of its malicious nature. Nevertheless, the MUT-1244 campaign shows that cybercriminals are finding new ways to trick users, making it vital for individuals to improve their skills. This is especially true for **employees with cybersecurity training**, as staying alert can help prevent risks to themselves and their organizations.

**Casey Ellis**, Founder and Advisor at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity commented on the issue stating, _“_Targeting red-teamers and security researchers through fake POCs is a troll technique as old as security research itself, however, as this attack demonstrates, it can also be an effective approach to watering-hole attacks._“_ Casey added, _“_This is a good reminder for those who provide offensive security services that they themselves are part of an exploitable supply-chain, and that malicious attackers know this._“_

1.  **Researcher release PoC exploit for 0-day in Chrome**
2.  **Facial DNA provider leaks biometric data via WordPress folder**
3.  **Thousands of WordPress Websites Hacked with Sign1 Malware**
4.  **Lazarus Targets Blockchain Pros with Fake Video Conferencing**
5.  **Hackers Publish PoC of 0-day Vulnerability in Windows on Twitter**

Hackers Use Fake PoCs on GitHub to Steal WordPress Credentials, AWS Keys

Cybercriminals are targeting YouTube creators with sophisticated phishing attacks disguised as brand collaborations. Learn how to identify these scams, protect your data, and safeguard your online presence

****summary****

*   **Phishing Attack**: Cybercriminals use fake brand collaboration emails to target YouTube creators.

*   **Malware Disguise**: Malicious files are hidden in password-protected attachments like contracts or promotional materials.

*   **Cloud Hosting**: Attackers leverage platforms like OneDrive to host malware, adding a layer of credibility.

*   **Sensitive Data Theft**: Malware steals login credentials, financial information, and grants remote access.

*   **Wide Reach**: Over 200,000 creators targeted globally, with thousands of phishing emails sent via automated tools.

CloudSEK’s threat research team has disclosed details of an advanced new phishing campaign targeting YouTube creators. According to CloudSEK’s investigation, shared exclusively with _Hackread.com_, scammers are using fake brand collaboration emails to steal accounts and spread scams to millions of followers.

****Campaign Analysis****

Report author Mayank Sahariya notes that this sophisticated phishing campaign involves impersonating trusted brands to distribute malware through fake collaboration offers. 

Attackers begin by scraping email addresses from YouTube channels, likely using a specialized parser tool. This allows them to target creators and organizations directly. With email addresses in hand, attackers use browser automation tools to send bulk phishing emails.

Next, the attackers send cleverly crafted emails that appear to be legitimate business proposals from well-known brands. These emails entice recipients with lucrative collaboration deals and include enticing compensation structures based on subscriber count. The malware is cleverly disguised within attachments such as Word documents, PDFs, or Excel files, often masquerading as promotional materials, contracts, or business proposals.

“At the end of the email, the threat actor includes instructions and a OneDrive link to access a zip file containing the agreement and promotional materials, secured with the password,” the report read.

The extracted files reveal four files, including Digital Agreement Terms and Payments Comprehensive Evaluation.exe, which is a malicious payload. Once downloaded and extracted, the zip file unleashes a malicious script disguised as a harmless file format, such as “webcams.pif.” This script leverages AutoIt3 automation software to execute further malware hidden within the archive.

To further bypass detection, the attackers host these malicious attachments on cloud storage platforms like OneDrive (form this ID- \[email protected\] created on August 15, 2024), protected by passwords. This tactic adds a layer of legitimacy, as recipients might expect collaboration agreements and promotional materials to be password-protected.

Once a curious YouTuber downloads the attachment, the malware installs itself on the victim’s system. This malware is designed to steal sensitive information, including login credentials, financial data, and intellectual property. In some cases, it can even grant remote access to the attacker, compromising the entire system.

Attack flow and malicious email used in the scam (Via CloudSec)

****Who are the Targets?****

According to CloudSec’s blog post, this global campaign primarily targets businesses and individuals involved in marketing, sales, and executive positions. These individuals are more likely to engage with brand collaborations and promotions, making them prime targets for this phishing scheme.  

So far, this campaign has targeted over 2 lakh YouTube creators, involving 500-1,000 phishing emails sent from a single email account and around 340+ SMTP servers have been weaponized for attacks.

To stay protected, YouTube creators should be cautious of unsolicited collaboration offers, especially password-protected attachments. Always double-check email addresses, and contact brands directly to confirm the legitimacy of collaboration offers. Also, avoid downloading attachments from unknown senders, even if password-protected to protect valuable data.

1.  **Scammers Rake in $600K with YouTube Deepfakes**
2.  **YouTube Channels Hacked to Spread Lumma Stealer**
3.  **Fake YouTube Android Apps Used to Distribute CapraRAT**
4.  **New YouTube phishing scam using authentic email address**
5.  **Get Paid to Like Videos YouTube Scam Empties Your Wallets**

Malware Hidden in Fake Business Proposals Hits YouTube Creators

Plus: The US indicts North Koreans in fake IT worker scheme, file-sharing firm Cleo warns customers to patch a vulnerability amid live attacks, and more.

What a week! On Monday, police arrested 26-year-old Luigi Mangione and charged him in the murder of UnitedHealthcare CEO Brian Thompson. Mangione’s five-day run from authorities ended after he was spotted eating at a McDonald’s in Altoona, Pennsylvania, about 300 miles from Manhattan, where Thompson was gunned down on the morning of December 4. Authorities say they found Mangione carrying fake IDs and a 3D-printed “ghost gun,” the model of which is known as the FMDA, or “Free Men Don’t Ask.”

Meanwhile, a flood of mysterious drone sightings across New Jersey and neighboring states caused so much havoc, it quickly gained federal attention. While many people wondered why the US military couldn’t just shoot down the drones, the FBI, Department of Homeland Security, and independent experts say the drone mystery may not be much of a mystery, and the drones are probably mostly just airplanes.

As for more terrestrial threats, we dove into the far-right realm of “Active Clubs,” small groups of young, fitness-focused men who are steeped in extremist ideology and linked to several violent attacks. While the man who helped invent the Active Club network, Robert Rundo, was sentenced in federal court this week, Active Clubs around the world are proliferating.

Finally, we investigated cheating schemes that use tiny cameras to gain an illicit edge in poker, and we interrogated the ways humans will use generative AI to make the world a more dangerous place.

But that’s not all. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Back in May, Microsoft jubilantly announced Recall, an AI feature for some Windows PCs that silently takes screenshots every five seconds and then allows you to easily search through the resulting digital footprint. Forgotten where you saw a recipe online? Tapping a couple of keywords into Recall could, in theory, find the dish again. It didn’t take long for the privacy and security community to find gaping holes in the feature.

In response, Microsoft delayed Recall’s launch and eventually made some significant changes—such as making Recall opt-in rather than on by default, better encrypting information captured by Recall, and adding authentication to access data that it stored. Recall finally launched for some users this month.

However, this week, testing of Recall by Tom’s Hardware demonstrated that a key safeguard put in place by Microsoft can still fail. With a Recall setting called “filter sensitive information” turned on, Tom’s Hardware’s tests found that it still took screenshots of some sensitive information—such as credit card numbers and Social Security numbers. When the publication typed a credit card number and a username and password into a Notepad window, they were gathered in the screenshots. “Similarly, when I filled out a loan application PDF in Microsoft Edge, entering a social security number, name and DOB, Recall captured that,” Avram Piltch writes. The tool, however, didn’t record details when they were entered on a couple of online stores.

Microsoft pointed to its product information that says the system will get better over time and that people should report if sensitive information is captured by Recall. While that may be the case, it’s unlikely that any system can correctly determine what is and isn’t sensitive every time. And that could make it a bigger target for hackers.

**14 North Koreans Identified and Indicted as Fraudulent IT Workers**

For years, North Korean nationals posing as tech workers have tried to get hired by global businesses so they can send their wages back to help the Hermit Kingdom pay for its nuclear programs. Increasingly, some companies are revealing they were targeted, and investigators are unravelling the schemes. This week, the US government indicted 14 North Koreans for their alleged role in generating $88 million, stealing sensitive business information, and attempting to use that information to extort more payments from companies. To get hired, the FBI alleges, the IT workers stole real identities, paid people in the US to use their home Wi-Fi connections, or paid them to attend job interviews. Researchers from Google-owned cybersecurity firm Mandiant who focus on North Korea say that in recent months they’ve seen IT workers following through on leaking sensitive data and demanding more cryptocurrency than ever before—although, they say this desperation could be a sign of the schemes becoming less effective.

**Cleo File-sharing Software Exploited to Spread Cybercriminal Malware**

File-sharing software firm Cleo this week warned customers to implement a new security patch to prevent a wave of intrusions by cybercriminals actively exploiting a vulnerability in its code. Researchers at security firm Huntress Labs told news outlet Recorded Future that at least two dozen organizations have already been breached by the hackers exploiting the Cleo flaw. Huntress has found a sample of malware found on those victims’ networks it calls Malichus, and says it appears to have been used by a sophisticated hacker group. Huntress also noted that Blue Yonder, a software firm breached by the Termite ransomware gang in November, had a vulnerable instance of Cleo’s software exposed on its network, and some evidence suggests the same cybercrime group may now be using the software’s vulnerability to hit other victims. Cleo first released a patch for the bug currently being exploited in October, but hackers appear to have circumvented it, and the company is urging customers to apply its new patch now.

**US Sanctions Chinese Hackers Who Allegedly Hijacked Thousands of Firewalls**

For five years, UK cybersecurity firm Sophos engaged in a cat-and-mouse game with a mysterious group of Chinese hackers targeting the company’s firewalls as a vector to break into its customers’ networks, as WIRED chronicled in October. Sophos went so far as to download surveillance “implants” to its devices that the hackers were testing to better monitor and preempt their intrusion techniques—and to gain more information about who they were and where they operated. Now, following Sophos’s revelations, those hackers have been hit with sanctions from the US government, and one of them has been indicted by name. Sichuan Silence Information Technology, based in Chengdu, and an alleged hacker named Guan Tianfeng are accused of hijacking 81,000 firewalls by exploiting a zero-day vulnerability that Guan is said to have discovered. Sichuan Silence, a known seller of disinformation tools to the Chinese government, and Guan are accused of targeting 23,000 firewalls in the US specifically, 36 of which were used in US critical infrastructure networks. The US State Department also issued a $10 million bounty for information about the company or Guan.

Microsoft’s AI Recall Tool Is Still Sucking Up Credit Card and Social Security Numbers

Another day, another healthcare database misconfiguration exposing sensitive patient information.

****SUMMARY****

*   **Cybersecurity researcher Jeremiah Fowler discovered an unprotected Care1 database with over 4.8 million patient records.**

*   **Exposed data included names, addresses, medical histories, and Personal Health Numbers (PHNs).**

*   **Responsibility for the breach and its duration remains unclear.**

*   **Healthcare data breaches are increasing, posing significant privacy risks.**

*   **Stronger cybersecurity measures are essential for protecting sensitive patient information.**

Cybersecurity researcher **Jeremiah Fowler** recently discovered a massive database belonging to Care1, a Canadian company that provides AI-powered software solutions to optometrists. The database, containing over 4.8 million records of patient information (with a total size of 2.2 TB), was left completely unprotected, exposing sensitive data like patient names, addresses, medical histories, and even their unique Personal Health Numbers (PHNs).

Care1 is a specialized healthcare technology company with over 170 partner optometrists and over 150,000 patient visits managed using their software. They specialize in eyecare disruption using artificial intelligence, leveraging advanced software engineering and extensive partnership networks.

According to Fowler’s investigation, published by vpnMentor, the exposed data included detailed eye exam reports with patient information, doctor’s notes, and images. Eye exam reports were in PDF format and included patient PII, doctor’s comments, and images.

In addition, CSV and XLS spreadsheets were also part of the exposed database and listed patients with home addresses, Personal Health Numbers (PHNs), and other health-related information, including doctor’s comments and images from the eye exams.

For your information, in the Canadian healthcare system, a Personal Health Number (PHN) is a unique identifier that ensures a patient’s health information is accessible to all providers. While the PHN itself might not directly lead to financial fraud, it can be a valuable piece of information for criminals to build a comprehensive profile of an individual.

It’s unclear whether the database was directly owned and managed by Care1 or handled by a third-party contractor. It is also unclear for how long it remained exposed or whether it was accessed by any unauthorized individual unless an internal forensic audit is conducted. According to Fowler’s **blog post**, he sent a responsible disclosure notice to the company and public access was restricted promptly. 

With the increasing reliance on digital systems in **healthcare**, the potential for data breaches is also increasing. This level of exposure poses significant privacy risks for patients, as their medical information could be misused for identity theft or other malicious activities. In 2023, Fowler **discovered** a non-password-protected database belonging to Indian medical diagnostics firm Redcliffe Labs, containing over 12 million records, including sensitive patient data like medical scans and test results.

These incidents reflect the need for heightened security measures within the healthcare sector. Companies like Care1, which handle sensitive patient information, must prioritize stringent cybersecurity measures, including strong encryption, access controls, and regular security audits.

1.  **7TB of Healthcare Data Leak Affects 12 Million Patients**
2.  **AI Firm’s Server Exposed 5.3 TB of Mental Health Records**
3.  **How Artificial Intelligence (AI) is Impacting Modern Healthcare**
4.  **Dark Web Sales Fuel 32% Increase in Healthcare Cyberattacks**
5.  **AI in Healthcare: ChatGPT Helps Boy Get Diagnosis After Doctors Fail**

Canadian Eyecare Firm Care1 Exposes 2.2TB of Patient Records

SUMMARY Byte Federal, the US’s largest Bitcoin ATM operator offering around 1,200 Bitcoin ATMs across the country, recently…

****SUMMARY****

*   **Byte Federal, the largest US Bitcoin ATM operator, suffered a data breach affecting 58,000 customers.**

*   **Hackers exploited a vulnerability in GitLab to access sensitive customer data.**

*   **Exposed information includes names, IDs, addresses, and transaction histories.**

*   **Byte Federal secured systems, notified customers, and is investigating with experts.**

*   **Customers are urged to reset passwords and monitor accounts for fraud.**

Byte Federal, the US’s largest Bitcoin ATM operator offering around 1,200 Bitcoin ATMs across the country, recently confirmed a data breach that potentially exposed the personal information of 58,000 customers.

The company submitted a report to Maine’s attorney general, revealing that the breach occurred on September 30th, 2024, but wasn’t discovered until November 18th. A consumer notification was published (PDF) on November 27th.

It is worth noting that this is the second data breach Byte Federal has experienced. In March 2023, hackers successfully stole $1.5 million worth of Bitcoin from the company.

****What Happened?****

Hackers exploited a vulnerability in a third-party software platform called GitLab to gain unauthorized access to one of Byte Federal’s servers. Upon discovering the breach, Byte Federal immediately shut down its platform, isolated the hackers, and secured the compromised server. They also implemented additional security measures, including resetting all customer accounts.

****What Information Was Involved?****

The compromised data may include a combination of the following for affected customers:

*   Name
*   Birthdate
*   Address
*   Photographs
*   Phone number
*   Email address
*   Transaction history
*   Social Security number
*   Government-issued ID number

****What Byte Federal is Doing****

At the time of this writing, Byte Federal has no evidence that any information was misused or user funds/assets were compromised. The company is currently conducting a forensic investigation with the help of a cybersecurity team to determine the full scope of the breach. They are also cooperating with law enforcement.  

The company has notified all affected customers via mail and issued a press release. Additionally, they’ve updated their website with further details and suggest the following steps for customers:

*   Reset login credentials for Byte Federal services
*   Monitor bank and credit card statements for fraudulent activity
*   Obtain a free credit report and monitor it regularly for unauthorized activity
*   Place a fraud alert or security freeze on credit reports with major credit reporting agencies (Experian, Equifax, TransUnion)

If you are a Byte Federal customer, follow the recommendations outlined above. Additionally, Byte Federal provided contact information for their dedicated helpline and customer service email for further assistance. They also encourage them to report any suspicious activity immediately.

Cryptocurrency platforms are facing increasing cyber threats, where attackers are targeting both assets and personal information, highlighting the ongoing challenges the cryptocurrency industry faces in safeguarding user data. Recently, hackers posted fake claims and phishing links, announcing a new CEO of Giggle Academy, founded by former Binance CEO Changpeng Zhao.

In October 2024, crypto payment services firm Transak suffered a data breach that exposed the information of over 92,000 individuals. This breach compromised sensitive data such as names, birthdays, passport and driver’s license information, and user selfies. Such incidents highlight the need for enhanced security measures within the crypto industry.

Roger Grimes, data-driven defense evangelist at KnowBe4, shared the following comment with Hackread.com regarding this news stating, _“_It seems like Byte Federal is doing all the right things in response to this security breach. Other companies should take note. My biggest worry would be a user’s funds or private keys being compromised, but this doesn’t appear to have happened, and that’s a good thing._“_

Roger explained that _“_Although, the information the attacker did have access to could easily be used in sophisticated spear phishing attacks using crypto-related themes. That’s the only remaining worry. Byte Federal customers have to understand that some attackers intent on stealing their crypto value could use learned information against them in sophisticated phishing attacks and act accordingly._“_

1.  **Hackers Drain $1.48 Billion from Crypto in 2024**
2.  **Hackers selling Bitcoin ATM Malware on Dark Web**
3.  **Scammers using fake WHO Bitcoin wallet to steal donation**
4.  **Hackers Deploy Linux FASTCash Malware for ATM Cashouts**
5.  **The Growing Importance of Secure Crypto Payment Gateways**

Bitcoin ATM Giant Byte Federal Hit by Hackers, 58,000 Users Impacted

BT Group, a major telecommunications firm, has been hit by a ransomware attack from the Black Basta group. The attack targeted the company's Conferencing division, leading to server shutdowns and potential data theft.

****SUMMARY****

*   **BT Group Ransomware Attack**: British telecom giant BT Group’s Conferencing division was hit by a ransomware attack by Black Basta, leading to certain servers being taken offline.
*   **Stolen Data**: Black Basta claims to have stolen 500 GB of sensitive data, including financial, corporate, and personal information, and threatened to leak it unless a ransom is paid.
*   **Company Response**: BT Group stated the attack was confined to specific parts of its Conferencing platform, with core services unaffected, and is working with authorities to investigate.
*   **Black Basta’s Methods**: The group uses advanced tactics like email bombing and social engineering through platforms like Microsoft Teams to gain initial access.
*   **Global Ransomware Threat**: Black Basta has targeted over 500 organizations, affecting critical infrastructure sectors, emphasizing the need for robust cybersecurity measures.

Days after the ransomware attacks on the NHS Hospitals in the United Kingdom, British telecommunications giant BT Group has fallen victim to a ransomware attack launched by the notorious Black Basta gang. The attack specifically targeted the company’s Conferencing business division, forcing the company to take certain servers offline as a precautionary measure.

While BT Group has downplayed the severity of the attack, claiming limited impact on its services and customer data, Black Basta paints a far more alarming picture. The ransomware gang asserts that they successfully stole a staggering 500 gigabytes of sensitive information. As an evidence, the group has released screenshots of stolen documents and folder listings. 

The threat actors added BT’s btci.com and btconferencing.com domains to their data leak site, threatening to publicly release the stolen information, which includes financial, corporate, and even personal data such as passport copies, unless a ransom is paid. However, the exact amount of the ransom has not been disclosed.

BT Group has confirmed to _Hackread.com_ that it is actively investigating the incident and cooperating with relevant authorities. The company has emphasized that the attack was confined to specific elements of the Conferencing platform and that core services remain operational.

“We identified an attempt to compromise our BT Conferencing platform. This incident was restricted to specific elements of the platform, which were rapidly taken offline and isolated.”

“We’re continuing to actively investigate all aspects of this incident, and we’re working with the relevant regulatory and law enforcement bodies as part of our response,” BT Group’s spokesperson stated.

Black Basta has targeted over 500 organizations globally in the past two years, targeting 12 out of 16 critical infrastructure sectors, with victims including Ascension Healthcare, Hyundai Europe, Capita, Yellow Pages Canada, and Dish. 

The group, a ransomware-as-a-service (RaaS) variant emerging in 2022 after the Russian invasion of Ukraine and the downfall of Conti,  has had significant impacts on the global economy, according to the FBI and CISA’s (PDF) advisory titled “#StopRansomware: Black Basta.”

Research reveals that Black Basta, has been refining its social engineering methods. The group often initiates attacks by bombarding victims with emails from various mailing lists, creating a sense of urgency and confusion. 

“Recent techniques include email bombing—a tactic used to send a large volume of spam emails—to aid social engineering over Microsoft Teams and trick victim end users into providing initial access via remote monitoring and management (RMM) tools,” CISA’s updated advisory revealed.

This social engineering ploy often leads victims to grant remote access to their devices, allowing the hackers to deploy malware and steal sensitive information.

The incident reminds us that ransomware attacks remain a consistent threat, even for large, well-resourced organizations. Therefore, businesses must invest in advanced cybersecurity measures to protect sensitive data and maintain business continuity.

1.  **US, UK Military Social Network “Forces Penpals” Leaks PII Data**
2.  **Qilin Ransomware Leaks 400GB of NHS, Patient Data on Telegram**
3.  **Russian Midnight Blizzard Breached UK Home Office via Microsoft**
4.  **Major UK Security Provider Leaks Trove of Guard and Suspect Data**
5.  **China Suspected in Cyberattack on UK’s Ministry of Defence (MoD)**

Telecom Giant BT Group Hit by Black Basta Ransomware

PRESS RELEASE

TAMPA BAY, Fla., Dec. 3, 2024 /PRNewswire/ -- KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management, today released its Q3 2024 Phishing Report. This quarter's findings reveal the most frequently clicked email subjects in simulated phishing tests, demonstrating the continued efficacy of HR and IT-related phishing attempts.

KnowBe4's Q3 2024 Phishing Report reveals that HR and IT-related phishing emails claim a significant 48.6% share of top-clicked phishing types globally. Despite evolving techniques by bad actors, phishing emails remain among the most prevalent tools for executing cyberattacks. KnowBe4's 2024 Phishing by Industry Benchmarking Report reveals that about one in three users is susceptible to interacting with malicious links or fraudulent requests. Exploiting this vulnerability, cybercriminals craft deceptively authentic phishing emails that align with current trends, exploiting human emotions to invoke urgency and trick recipients into clicking malicious links or opening harmful attachments.

The report spotlights the ongoing threat posed by email-embedded phishing links, which continue to be the top attack vector of choice. These malicious links, PDF attachments and spoofed domains, when interacted with, often result in disastrous cyberattacks, including ransomware attacks and business email compromise. The report also reveals a surge in phishing campaigns leveraging QR codes. Popular QR code phishing subjects include HR reminders for policy reviews, DocuSign emails to sign an urgent document, and Zoom meeting invitations. These messages, often masquerading as communication from HR, colleagues or external vendors, pose substantial risks as they can easily be replicated by malicious actors.

"Our latest phishing report underscores the evolving sophistication of phishing tactics, with cybercriminals increasingly exploiting the trust employees place in internal communications," said Stu Sjouwerman, CEO of KnowBe4. "The prevalence of HR and IT-themed phishing attempts, coupled with emerging techniques like QR code integration, presents a complex threat landscape. These tactics are particularly deceptive as they leverage the perceived legitimacy of trusted sources, often prompting hasty actions before verification. In this rapidly changing environment, a well-trained workforce and a robust security culture are not just beneficial—they are essential. By prioritizing human risk management, organizations can effectively build a formidable defense against avoidable cyberthreats."

To download a copy of the Q3 2024 KnowBe4 Phishing Report infographic, visit here.

About KnowBe4 

KnowBe4 empowers workforces to make smarter security decisions every day. Trusted by over 70,000 organizations worldwide, KnowBe4 helps to strengthen security culture and manage human risk. KnowBe4 offers a comprehensive AI-driven 'best-of-suite' platform for Human Risk Management, creating an adaptive defense layer that fortifies user behavior against the latest cybersecurity threats. The HRM+ platform includes modules for awareness & compliance training, cloud email security, real-time coaching, crowdsourced anti-phishing, AI Defense Agents, and more. As the only global security platform of its kind, KnowBe4 utilizes personalized and relevant cybersecurity protection content, tools and techniques to mobilize workforces to transform from the largest attack surface to an organization's biggest asset.

You May Also Like

KnowBe4 Releases the Latest Phishing Trends in Q3 2024 Phishing Report

### Impact
Executing policy checks using custom schematron files via the CLI invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability.

### Patches
We are currently working on a patch that will be released when ready.

### Workarounds
This doesn't affect the standard validation and policy checks functionality, veraPDF's common use cases. Most veraPDF users don't insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom policy files from sources you trust.

### References
Original issue: #1488

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-52800

**veraPDF CLI has potential XXE (XML External Entity Injection) vulnerability**

Low severity GitHub Reviewed Published Nov 29, 2024 in veraPDF/veraPDF-library • Updated Dec 2, 2024

**Package**

maven org.verapdf:core (Maven)

**Affected versions**

<= 1.26.1

maven org.verapdf:core-arlington (Maven)

maven org.verapdf:core-jakarta (Maven)

maven org.verapdf:verapdf-library-arlington (Maven)

maven org.verapdf:verapdf-library-jakarta (Maven)

maven org.verapdf:verapdf.library (Maven)

**Impact**

Executing policy checks using custom schematron files via the CLI invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability.

**Patches**

We are currently working on a patch that will be released when ready.

**Workarounds**

This doesn't affect the standard validation and policy checks functionality, veraPDF's common use cases. Most veraPDF users don't insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom policy files from sources you trust.

**References**

Original issue: #1488

**References**

*   GHSA-4cx5-89vm-833x
*   https://nvd.nist.gov/vuln/detail/CVE-2024-52800
*   veraPDF/veraPDF-library#1488

Published to the GitHub Advisory Database

Dec 2, 2024

Tag

#pdf