By the CyberWire staff
At a glance.
- China's Salt Typhoon breached US wiretapping systems.
- Internet Archive sustains major breach and DDoS attacks.
- American Water hit by cyberattack.
- Colorado health system hit by ransomware.
- Comcast discloses third-party breach.
- New version of the Octo Android Trojan impersonates popular apps.
- GoldenJackal conducts cyberespionage against air-gapped systems.
- ODNI issues report on foreign interference campaigns targeting US elections.
- Ukrainian hackers disrupt Russia’s court information system.
China's Salt Typhoon breached US wiretapping systems.
The Washington Post reports that the Chinese threat actor Salt Typhoon breached networks belonging to US broadband providers, including Verizon, AT&T, and Lumen, and gained access to systems used by the Federal government for court-authorized wiretapping. The Post cites US officials as saying the operation was likely "aimed in part at discovering the Chinese targets of American surveillance." The hackers remained undetected within the networks for several months. The FBI, the Department of Homeland Security, and other US intelligence agencies are investigating the incidents.
The Post says that in Verizon's case, the hackers exfiltrated data by reconfiguring Cisco routers. Verizon, AT&T, and Lumen have declined to comment.
Internet Archive sustains major breach and DDoS attacks.
The Internet Archive's website was defaced on Wednesday with a message stating that it suffered a "catastrophic security breach" affecting 31 million users, the Verge reports. The Archive's founder Brewster Kahle confirmed a "breach of usernames/email/salted-encrypted passwords." Troy Hunt, administrator of Have I Been Pwned, told BleepingComputer that the threat actor sent him the Internet Archive's authentication database, containing "authentication information for registered members, including their email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data." Hunt said the database contains 31 million unique email addresses.
The Internet Archive was also hit by DDoS attacks Wednesday and Thursday, knocking the service offline. It's not clear if the breach and the DDoS attacks are connected.
American Water hit by cyberattack.
American Water, the largest water and wastewater utility company in the US, disclosed that it sustained a cyberattack on Thursday, October 3rd, which caused the company to disconnect or deactivate some systems, the Associated Press reports. The company stated, "Upon learning of the issue, our team immediately activated our incident response protocols and third-party cybersecurity professionals to assist with containment, mitigation and an investigation into the nature and scope of the incident. We also notified law enforcement and are coordinating fully with them." American Water has taken its MyWater customer portal offline, and will not be charging late fees for missed payments.
The company, which serves more than 14 million people across 14 states, says water is still safe to drink and that it "currently believes that none of its water or wastewater facilities or operations have been negatively impacted by this incident."
Colorado health system hit by ransomware.
Axis Health System, which operates thirteen hospitals across Colorado, sustained a cyberattack that disrupted its primary care patient portal, the Record reports. The Rhysida ransomware gang claimed responsibility for the attack, demanding $1.5 million in ransom.
The health system stated, "Upon discovery, Axis quickly followed its incident response protocol and took steps to stop the activity and investigate the nature and scope of the incident. If it is determined that patient data was impacted, affected individuals will be notified directly by mail. We are still investigating this incident." The organization added, "If you need to communicate with your provider or for other inquiries, please call your clinic directly."
Comcast discloses third-party breach.
Comcast has disclosed that data belonging to 237,000 customers was breached during a ransomware attack against debt collection agency Financial Business and Consumer Solutions (FBCS), SecurityWeek reports. The incident, which was discovered in February 2024, exposed names, addresses, dates of birth, Social Security numbers, and Comcast account numbers.
Comcast stated, "FBCS received your information because they previously provided Comcast with collections-related services for delinquent payments until 2020, when Comcast ceased working with FBCS. The compromised information about you dates from around 2021, as FBCS is subject to data retention requirements beyond Comcast’s working relationship with FBCS....This security incident occurred entirely at FBCS and not at Xfinity or on Comcast systems. FBCS notified Comcast that due to its current financial status, it would no longer be able to provide notices or credit monitoring protection to individuals impacted by the incident."
Comcast is offering one year of credit monitoring and identity protection services to impacted customers.
New version of the Octo Android Trojan impersonates popular apps.
DomainTools has published a report on Octo2, a new version of the Octo Android banking Trojan. The new version "offers differentiating features including increased Remote Access Trojan (RAT) stability, improved anti-analysis and anti-detection techniques, and the use of a domain generation algorithm (DGA) to generate the actual C2 server name."
Octo2 has been observed on devices in Italy, Poland, Moldova, and Hungary, and the researchers believe the malware will spread globally over the course of the next year. It's currently being distributed by impersonating popular Android apps, including Google Chrome and NordVPN.
GoldenJackal conducts cyberespionage against air-gapped systems.
ESET has published a report on "GoldenJackal," an APT group that conducts cyberespionage against government and diplomatic entities across Europe, the Middle East, and South Asia. The threat actor specializes in deploying malware designed to target air-gapped networks via USB drives.
The threat actor compromised a South Asian embassy in Belarus in 2019 and an unnamed governmental organization in Europe from 2022 to 2024. Notably, GoldenJackal used unique strains of malware in each case. ESET notes, "With the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to build and deploy not one, but two separate toolsets designed to compromise air-gapped systems."
ODNI issues report on foreign interference campaigns targeting US elections.
The US Office of the Director of National Intelligence (ODNI) has issued an election security update outlining foreign interference campaigns attempting to influence the upcoming US presidential and congressional elections. ODNI says Russian influence operations tend to favor former President Trump, while Iranian activity appears to support Vice President Harris. China doesn't appear to be targeting the presidential election, but is "seeking to influence congressional races with candidates—regardless of party affiliation—perceived by Beijing to threaten its core interests, especially in relation to Taiwan."
The advisory adds, "Foreign actors are almost certainly considering the possibility of another contested presidential election and a tight contest for control of both the Senate and the House of Representatives. They will likely take advantage of such an opportunity to use similar tactics in a post-election period to undermine trust in the integrity of the election, election processes, and further exacerbate divisions among Americans."
Ukrainian hackers disrupt Russia’s court information system.
A Ukrainian hacker group called "BO Team" has launched a cyberattack against Russia's court information system, claiming to have wiped court documents, the Washington Post reports. Another hacker group calling itself "sudo rm-RF" shut down Russian state broadcaster VGTRK on Sunday through early Monday afternoon. The attacks appear to be timed to coincide with Vladimir Putin's birthday on Monday.
CyberScoop notes that BO Team has in the past collaborated with Ukraine's Ministry of Defence.
Patch news.
Microsoft on Tuesday issued patches for five publicly disclosed zero-days, two of which were being actively exploited, KrebsOnSecurity reports. One of the exploited vulnerabilities (CVE-2024-43573) affects Internet Explorer's MSHTML browser engine, and is being used in phishing attacks. The other exploited flaw (CVE-2024-43572) impacts the Microsoft Management Console and can lead to remote code execution.
Adobe has issued patches for 52 vulnerabilities, including critical flaws affecting Adobe Commerce and Magento.
SecurityWeek has a summary of patches from ICS vendors, with fixes issued by Siemens, Schneider Electric, Phoenix Contact, and CERT@VDE.
Qualcomm has issued patches for a high-severity zero-day affecting the Digital Signal Processor service used by its chipsets, BleepingComputer reports. The vulnerability (CVE-2024-43047) is a use-after-free flaw that can lead to "memory corruption while maintaining memory maps of HLOS memory." Qualcomm notes, "There are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation."
Researchers at Cyfirma have disclosed a critical privilege-escalation flaw (CVE-2024-44193) affecting iTunes for Windows that can allow attackers to gain full administrative privileges. A patch is available, and users should update to version 12.13.3 or later.
Crime and punishment.
A 21-year-old man from Indiana has pleaded guilty to stealing $37 million from nearly 600 victims after hacking an investment holdings company based in South Dakota. The defendant, Evan Frederick Light, faces up to 20 years in prison.
Police in the Netherlands and Ireland have arrested the alleged administrators of the Bohemia and Cannabia criminal marketplaces, the Register reports.
Policies, procurements, and agency equities.
New York State has enacted new cybersecurity requirements for general hospitals, requiring the facilities to report material cybersecurity incidents such as ransomware attacks to the state's health department within 72 hours, BankInfoSecurity reports. Hospitals will also need to "develop, implement, and maintain minimum cybersecurity standards and programs, including information technology (IT) staffing, network monitoring and testing, policy and program development, employee training and remediation, incident response, appropriate reporting protocols, and records retention."