Industry Intel

Unexpected Side Effects: How COVID-19 Affected our Click Habits

Phishing has been around for ages and continues to be one of the most common threats that businesses and home users face today. But it’s not like we haven’t all been hearing about the dangers of phishing for years. So why do people still click? That’s what we wanted...

Key Considerations When Selecting a Web Classification Vendor

Since launching our web classification service in 2006, we’ve seen tremendous interest in our threat and web classification services, along with an evolution of the types and sizes of cybersecurity vendors and service providers looking to integrate this type of...

4 Ways MSPs Can Fine-Tune Their Cybersecurity Go-To-Market Strategy

Today’s work-from-home environment has created an abundance of opportunities for offering new cybersecurity services in addition to your existing business. With cyberattacks increasing in frequency and sophistication, business owners and managers need protection now...

Ransomware: The Bread and Butter of Cybercriminals

Imagine a thief walks into your home and rummages through your personal belongings. But instead of stealing them, he locks all your valuables into a safe and forces you to pay a ransom for the key to unlock the safe. What choice do you have? Substitute your digital...

Cyber News Rundown: Hackers Aim at Oil Producers

As Oil Prices Drop, Hackers Take Aim at Producers

With the recent crash in oil prices, and supply rapidly piling up, a new spear phishing campaign has begun targeting executives at several major oil producers. A massive number of emails started being distributed in late March, without the telltale signs of amateur phishing like bad spelling and grammar. Furthermore, the emails appeared to be from a sender with knowledge of the oil and gas industry. Two documents within the emails posed as bid contracts and proposal forms but were used to deliver the final payload, a trojan called Agent Tesla, which is a malware-as-a-service that can perform a variety of malicious activities on a system.

Software Affiliates Sending Phony Expiration Notices

Several dubious third-party software affiliates have been spotted distributing a campaign targeting antivirus users, prompting them to renew their subscription through the affiliate’s link, thus netting them additional revenue. Most affiliate programs have strict guidelines as to how the company can promote the affiliated software, and purposely misleading customers can lead to major penalties. Emails displaying expiration notices for Norton and McAfee have both been identified. With a percentage commission, the affiliate could be earning up to 20% of the purchase price for each fraudulent sale.

Philadelphia Sandwich Chain Faces Data Breach

PrimoHoagies, a Philadelphia-based sandwich chain, was the unsuspecting victim of a data breach that went undetected from July 2019 until this February. The breach affected all online sales during that time period, though no in-store purchase data was compromised. By April, the company released an official statement regarding the breach. But the admission came only days before a data security lawsuit was filed by a customer who had seen fraudulent charges on his credit card.

Decryption Keys for Shade Ransomware Made Available

After nearly five years of operation, the creators of Shade ransomware have decided to close shop and give out nearly 750,000 decryption keys along with an apology for harm done. While most ransomware variants tend to purposely avoid Russia and Ukraine, Shade focused specifically on these two countries during its run. Though the many decryption keys and master keys have been made public, the instructions for recovering the actual files are not especially user-friendly and a full decryption tool has not yet been released.

ExecuPharm Hit with Ransomware Attack

One of the largest pharmaceutical companies in the U.S. recently suffered a ransomware attack that not only encrypted their systems but also gained access to a trove of highly sensitive personal information belonging to thousands of clients. It is believed that the attack started in mid-March with phishing emails targeting specific employees with the widest access to internal systems. At this time, there is no confirmed decryption tool for the ransomware variant used and the company has begun contacting affected customers.

Cyber News Rundown: Ransomware Hits LA Suburbs

Los Angeles Suburb Hit with Ransomware

Last month, the City of Torrance, California fell victim to a ransomware attack that shut down many of their internal systems and demanded 100 Bitcoins to not publish the stolen data. Along with the roughly 200GB of data it stole from the city, the DoppelPaymer ransomware also deleted all local backups and encrypted hundreds of workstations. At this time, it’s uncertain whether the City of Torrance has chosen to pay the ransom, as the malware authors seem to have diligently removed any means for the City to recuperate on their own.

Malicious Packages Hidden Within Popular File Repository

Over 700 malicious packages have been discovered within the RubyGems main program and file repository. These originated from just two accounts and were uploaded over a single week period in late February. Between them, the many packages have a combined download number of over 100,000, most of which included a cryptocurrency script that could identify and intercept cryptocurrency transactions being made on Windows® devices. While this isn’t the first time malicious actors have used open source file repositories to distribute malicious payloads, this infiltration of an official hub for such a long period of time speaks to the lack of security within these types of systems.

Maze Ransomware Targets Cognizant ISP

Late last week, the Maze Ransomware group took aim at New Jersey-based internet service provider, Cognizant, and took down a significant portion of their internal systems. The attack occurred just a day after the removal of a dark web post that offered access to an IT company’s systems for $200,000. It had been listed for nearly a week. While Cognizant has already begun contacting its customers about the attack, the true extent of the damage remains unclear.

COVID-19 Scams Net $13 Million

The Federal Trade Commission recently released statistics on the number of complaints they’ve received specifically related to the COVID-19 pandemic: it’s over 17,000 in just a three-month period. While this number is assuredly less than the actual number of COVID-19 related scams, these reported complaints have resulted in a sum of over $13 million in actual losses, ranging from fraudulent payments to travel cancellations and refunds. Additionally, the FTC was able to catalogue over 1,200 COVID-19 related scam calls reported by people on the Do Not Call list.

Customer Data Stolen from Fitness App

A database containing 40GB of personally identifiable information on thousands of customers of the fitness app Kinomap was found unsecured. Containing a total of 42 million records, the database remained accessible for nearly 2 weeks after the company was informed. It was only secured at last after French data protection officials were notified. Kinomap API keys were also among the exposed data, which would have allowed malicious visitors to hijack user accounts and steal any available data.

Cyber News Rundown: Ransomware Wrecks Florida City

Florida City Sees Lasting Effects of Ransomware Attack

Nearly three weeks after the City of Jupiter, Florida suffered a ransomware attack that took many of their internal systems offline, the city has yet to return to normal. City officials announced they would be working to rebuild their systems from backups, rather than paying any ransom, and were able to get their main website up and running again, along with many essential services. The timing of the attack couldn’t have been worse, as most of the City’s staff were under lockdown and unable to access compromised machines in a quick and safe manner.

Hackers Breach San Francisco International Airport

Late last month, Russia-based hackers attempted to breach the internal networks of San Francisco International Airport using a simple injection script to obtain employee credentials. By forcing the use of the SMB file-sharing protocol, the hackers could quickly grab the usernames and hashed passwords, which would then allow them to deploy any number of malicious payloads or access extremely sensitive information. Shortly after the attack was detected and subsequently ended, the IT staff issued a forced password reset for all staff in hopes of minimizing any further damage.

Critical Exploits Patched by Microsoft

Recently, Microsoft patched three zero-day exploits that could allow remote code execution, privilege escalation, and even the creation of new accounts with full OS permissions. Two of the patched flaws related to the Adobe Type Manager Library and were functional on multiple Windows® operating systems, but performed different tasks based on the environment in which they were deployed.

DDoS Suspect Arrested in Netherlands

Two Dutch government websites that were created to distribute information related to the COVID-19 pandemic fell victim to a DDoS attack for several hours. Dutch authorities, who have been heavily involved in many cybersecurity operations, have arrested at least one suspect and shut down 15 sites offering DDoS services. Hopefully, the shutdowns will help reduce the number of these types of attacks going forward.

RagnarLocker Takes Down Portuguese Energy

One of the largest energy providers in Europe, Energias de Portugal (EDP), became the victim of a ransomware attack that used the RagnarLocker variant. In exchange for the estimated 10TB of data stolen during the attack, attackers demanded a ransom of $10.9m to be paid in cryptocurrency. The authors behind RagnarLocker have already begun posting segments of the stolen data to their main website, along with the promise to release the rest and make their entire client list aware of the breach, if the ransom isn’t met.

What’s Behind the Surge in Phishing Sites? Three Theories

One of the most notable findings to come from the Webroot 2020 Threat Report was the significant rise in the number of active phishing sites over 2019—a 640% rise, to be exact. This reflects a year-over-year rise in active phishing sites, but it’s important to keep this (dangerous) threat in context.

“Of all websites that host malicious content, phishing historically has been a minority,” says Webroot Security Analyst Tyler Moffitt. “While it’s growing quite a bit and a significant threat, it’s still not a large percentage of the websites being used for malicious content. Those would be things like botnets or malware hosting.”

This traditional low instance rate is likely one explanation—or at least a portion of an explanation—that’s led to such a gaudy increase in the number of active sites.

Here are three other factors that may have contributed to the rise.

The diversification of attacks

Since first being described in a 1987 paper, phishing attacks have diversified considerably. While phishing was once reliably email-based with a broad scope, it now entails malware phishing, clone phishing, spear phishing, smishing, and many more specialized forms. Inevitably, these strains of attack require landing pages and form fields for users to input the information to be stolen, helping to fuel the rise in active phishing sites.

Spear phishing—a highly targeted form of phishing requiring cybercriminals to study their subject to craft a more realistic lure—has turned out to be a lucrative sub-technique. This has likely contributed to more cybercriminals adopting the technique over mass-target emails pointing to a single source. More on profitability later.

Opportunism

After years of studying phishing data, it’s clear that the number of active phishing sites rises predictably during certain times of the year. Large online shopping holidays like Prime Day and Cyber Monday inevitably precipitate a spike in phishing attacks. In another example, webpages spoofing Apple quadrupled near the company’s March product release date, then leveled off.

Uncertainty also tends to fuel a rise in phishing sites.

“Not only do we always see a spike in phishing attacks around the holidays,” says Moffitt, “It also always happens in times of crisis. Throughout the COVID-19 outbreak we’ve followed a spike in phishing attacks in Italy and smishing scams promising to deliver your stimulus check if you click. Natural disasters also tend to bring these types of attacks out of the woodwork.”

The year 2019 was not without its wildfires, cyclones, and typhoons, but it’d be safe to suspect the number of phishing sites will grow again next year.

Short codes and HTTPS represent more phishing opportunities for cybercriminals. Malicious content is now often hosted on good domains (up to a quarter of the time, according to our Threat Report). Short codes also have the unintended consequence of masking a link’s destination URL. Both of these phenomena make it more difficult to identify a phishing attack.

“All of a sudden these mental checks that everyone was told to use to sniff out phishing attacks, like double-checking URLs, no longer hold,” says Moffitt.

Profitability

Let’s face it, this is the big one. The rise in popularity of shared drives makes it more likely that any single phishing success will yield troves of valuable data. Compromising a corporate Dropbox account could easily warrant a six-figure ransom, or more, given the looming threat of GDPR and CCPA compliance violations.

“A few years ago, most of the targets were financial targets like PayPal and Chase,” according to Moffitt. “But now they are tech targets. Sites like Facebook, Google, Microsoft, and Apple. Because shared drives offer a better return on investment.”

Even for private individuals, shared drives are more bang for the buck. Credentials which can easily lead to identity theft can be sold on the dark web and, given the rampant rates of password re-use in the U.S., these can be cross-checked against other sites until the compromise spirals.

Finally, phishing is profitable as an initial entry point. Once a cybercriminal has accessed a business email account, for instance, he or she is able to case the joint until the most valuable next move has been determined.

“It’s a really lucrative first step,” says Moffitt.

Don’t take the bait

Installing up-to-date antivirus software is an essential first step in protecting yourself from phishing attacks. Features like Webroot’s Real-Time Anti-Phishing Shield can help stop these attacks before a user has the chance to fall for them. Continual education is equally important. Webroot data shows that ongoing phishing simulations can lower click-through rates significantly.

Cyber News Rundown: Malicious COVID-19 Websites Surge

Malicious COVID-19 Websites Surge

In recent months, more than 136 thousand new domains have been registered that reference the current COVID-19 outbreak, many of which have yet to be flagged. A large portion of these sites are distributing phishing campaigns with fake bank login forms and inaccurate URLs, including any number of pandemic buzzwords. Hopefully, some of the domain registrars will implement stricter detection for these sites to keep them from preying on people seeking information during the outbreak.

NASA Employees Face Spike in Cyberattacks

NASA and many other federal departments are among those moving to telework and they are seeing an alarming rise in cyberattacks. These attacks include several variations of phishing campaigns designed to seek sensitive data or login credentials through requests for tax forms or disinformation about the current pandemic. NASA employees are especially seeing these types of attacks targeting mobile devices directly, since they often have fewer active security measures in place when compared to other devices.

Fingerprint Security Still Not Foolproof

A group of researchers that recently spent time studying various mobile devices’ fingerprint security measures found a shockingly high success rate from fake prints. By testing a variety of mobile devices, they learned that creating a continuously-successful print mold, while requiring a significant amount of time, could easily unlock a device before wiping features would be triggered. Advancements in fingerprint technology and better biosecurity implementations are clearly necessary.

Medical Testing Company Suffers Data Breach

After a ransomware attack by Maze authors, a major medical testing firm has had a large portion of stolen data published on the Maze “news” site. The data was leaked nearly a week after the initial attack, for which the company refused to pay the ransom. While the stolen data only included victims with surnames beginning with D, G, I, and J, the testing company recommends all clients monitor their financials for any signs of fraud. This attack comes at a time when several ransomware authors have pledged to avoid attacking healthcare or medical establishments, though they claim this campaign was started prior to the current outbreak.

Philippines Law Enforcement Arrests Fake News Distributors

At least 32 individuals were arrested in the Philippines for spreading fake COVID-19 information across several social media platforms. Some of the accused were reported to have instigated raids of food storage facilities after making false claims of regional shortages. The country, with over 3,000 confirmed cases of COVID-19, will maintain lockdown procedures to limit the spread of the disease until the end of April.

Cyber News Rundown: Zoom Targeted by Hackers

Zoom Video Software Targeted by Hackers

With much of the professional world now telecommuting, hackers have taken notice and are finding vulnerabilities within Zoom’s software to hijack online meetings. Over 400 new domains have been registered through Zoom in just the last month, of which many have been found to contain suspicious content or activity. Other adware variants have been found spoofing Microsoft’s Teams videoconferencing while performing malicious activities in the background.

Microsoft Takes Steps to Prevent Ransomware Attacks on Healthcare

In a push to limit the spread of ransomware throughout the healthcare industry, Microsoft has begun reaching out to hospitals that have public-facing VPNs or other remote-access services that could allow malicious activity when improperly set up. With hospitals already overwhelmed with the current pandemic, a ransomware attack shutting down their systems for any time could be devastating. In the end, it comes down to these organizations taking this notification seriously and locking down any unsecure devices or networks.

Georgian Citizens’ Data Exposed

A popular hacker forum recently received sensitive details on over 4.9 million living and deceased citizens of the country of Georgia. It is still unclear where the database originated, but one of the users posting the leaked data claims it did not come from the country’s election commission. Much of the information stored in the database could be easily used to identify and locate any number of individuals. More worryingly, the criminals could use the data belonging to more than 1 million deceased individuals for illicit means.

Marriott Leaks Data of 5.2 Million Customers

Officials have been working over the past month to identify the source of a data leak from an internal Marriott International application, which may have compromised the data of over 5 million customers. While the app itself didn’t collect payment or personal information, it did contain basic contact info and other hotel-related information. Fortunately, Marriott International has begun offering credit monitoring services for all affected clients and has pushed a mandatory password reset for their loyalty programs.

YouTube Accounts Hacked to Promote Scams

Many YouTube accounts were recently hijacked and renamed to variations of ‘Microsoft’ while streaming hours of cryptocurrency scams, all while pretending to be Bill Gates. These types of scams used to be extremely common on Twitter but have dropped off in recent years as the platform implemented security measures, so the scammers have switched to a more forgiving platform. Microsoft commented that the hijacked channels neither belonged to them, nor were they affiliated in any way.

Cyber News Rundown: WHO Under Cyberattack

World Health Organization Sees Rise in Cyberattacks

Officials for the World Health Organization (WHO) have announced that many of their sites and servers have been under attack by unsuccessful hackers trying to capitalize on the latest health scare. The attack stemmed from the use of several malicious domains that attempted to gain sensitive information and credentials from WHO employees. Thousands of other malicious domains have been created over the last few weeks to exploit the uninformed victims of the Coronavirus outbreak.

TrickBot Sidesteps 2FA on Mobile Banking Apps

The creators of TrickBot have developed a new mobile app called TrickMo that can silently circumvent the two-factor authentication used by various mobile banking apps. Once it is installed on the victim’s device, the malicious app is used mainly to intercept authentication tokens. Currently, the TrickMo app is targeting German individuals, using the name “Security Control” to disguise any ulterior motives, and even sets itself as the default SMS app in order to steal additional information.

Google Play Finds 56 New Malicious Apps

Over 56 new malicious apps have been spotted on the Google Play store, with a combined 1.7 million installations on devices across the globe. To make matters worse, a large portion of the apps were targeted specifically at children and used native Android functionality to imitate typical user actions to boost ad revenue. Many of the apps took extreme measures to avoid being uninstalled by the users, though Google itself has since removed all of the related apps from the Play Store.

Fake Coronavirus Vaccine Sites Shut Down

A website offering fake Coronavirus vaccine kits that were claimed to be approved by the WHO has been shut down following a ruling by a federal court. The operator of the site has been accused of committing fraud and the hosting service has received a restraining order to stop public access to the site. The site in question, “coronavirusmedicalkit.com,” offered the fake kits with users only paying for shipping and entering their payment card data.

Tupperware Website Breached

The main website for Tupperware was recently hacked and used to host Magecart code to steal payment card information. The malicious code was first discovered at the end of last week, but was still active nearly a week later, even after multiple attempts to contact the company. Magecart has been a widespread issue for online retailers over the last couple of years, and still maintains a large presence due to its ease of use and continuing success.

Cyber News Rundown: DDoS Strikes U.S. Health Department

DDoS Attack Strikes U.S. Health Department

Amidst the panic caused by the novel coronavirus, millions of people began navigating to the U.S. Department of Health’s website to find more information on the illness, but instead found the site to be offline after a DDoS attack overwhelmed its servers. This comes as only one of many unfortunate attacks that are being used to spread disinformation and panic, as well as delay healthcare workers from assisting patients or working towards slowing the overall spread of the illness.

Netfilim Ransomware Uses Old Code but New Tactics

Researchers have been tracking the spread of a new ransomware variant known as ‘Netfilim,’ which has been on a steady rise since February. By utilizing a large portion of code from another ransomware variant, Nemty, it has a quick distribution rate and keeps with the promised threat of releasing all stolen data within a week of encryption. It does differ from Nemty in its payment process, however, relying solely on email communication rather than directing the victim to a payment site that is only accessible through a Tor browser. It appends .NETFILIM as the extension for all encrypted files.

US Loan Database Exposed

A database containing millions of financial documents and other highly sensitive information was found freely accessible through an unsecured Amazon Web Services bucket. Contained within the 425GB of data were credit reports, Social Security numbers, and personally identifiable information for thousands of individuals and small businesses. The database itself is connected with a loan app that was developed by two major New York funding firms, Advantage Capital and Argus Capital.

Malicious Coronavirus Mapping Apps Spreading More than Misinformation

Many malware authors have been capitalizing on the recent coronavirus (COVID-19) epidemic by way of phishing campaigns and newly renamed ransomware variants. Their latest endeavor is an app that reportedly “tracks” the spread of coronavirus across the globe, but has instead been dropping malicious payloads on unsuspecting victims’ devices. Some of these apps can lock devices and demand a ransom to unlock them, while others deliver full ransomware payloads that can encrypt and upload any files to another remote server. Fortunately, researchers worked quickly to engineer a decryption key for victims.

Magecart Group Targets NutriBullet Website

Following a network breach in late February, Magecart scripts were found to be actively stealing payment card information from NutriBullet websites up to the present. The specific organization, known as Group 8, has been using similar Magecart scripts for over two years and has claimed over 200 unique victim domains. Despite several contact attempts from the researchers who found the skimmers, no changes have been made to the affected sites, leaving current and new customers vulnerable.

Cyber News Rundown: Paradise Ransomware

Paradise Ransomware Spreading Through Unusual Attachments

While Paradise ransomware isn’t new to the scene, the latest methods it’s using to spread are a bit surprising. Though it sticks to using email for transmission, it now offers up an IQY attachment instead of a typical Word document or Excel spreadsheet. These attachments can make a quick connection to a malicious URL, prompting the download of the actual ransomware payload. What makes them especially dangerous is that they appear to be simple text files with no internal malicious code, just commands for retrieving it, so they aren’t typically picked up by most security services.

Entercom Data Breach

One of the world’s largest radio broadcasters, Entercom, recently revealed it had fallen victim to a data breach. It was initiated through a third-party service that stored login credentials for Radio.com users and could affect up to 170 million customers. This breach would be the third security incident targeting Entercom in just the last six months. The company has already fallen victim to two separate cyberattacks that caused their systems to be disrupted. Entercom has since implemented several additional security measures and prompted all users to change their passwords, especially if reused on other sites.

Western Union Begins Fraud Payback

Western Union has started paying back roughly $153 million to victims of fraudulent transactions processed by the firm’s payment systems. According to the U.S. Department of Justice, several employees and owners of Western Union locations were involved with allowing these fraudulent payments to be made and failing to properly discipline those individuals. The payback terms have started with 109,000 victims worldwide and will eventually total $586 million in reimbursements.

Whisper App Exposes User Data and Messages

The anonymous messaging app Whisper was recently revealed to own an unsecured database containing a large amount of personal customer records. Two independent researchers first discovered the database, containing over 900 million records and reaching back nearly eight years, and quickly contacted Whisper. The company then locked down the unrestricted access. Though financial or personally identifiable information was not included in the database, the app does track location data that could be used to narrow down a specific user’s location to a home or place of work.

Online Shopper Records Leaked

Up to 8 million sales records were discovered in an unsecured MongoDB database that has been misconfigured for an undetermined amount of time. The researcher who found the database quickly contacted the third-party servicing company that managed the database and it was secured five days later. The database contained roughly four million records pertaining to Amazon UK and eBay alone, comprised mainly of payment and contact information for online shoppers.

Cyber News Rundown: Estée Lauder Data Exposed

Estée Lauder Leaves Massive Database Unprotected

Earlier this week, researchers discovered an unsecured database containing over 440 million records belonging to Estée Lauder, a major make-up manufacturer. Though the company has confirmed that no customer data was stored in that database, they are still unsure how long it was left exposed, and it did contain sensitive company information. Estée Lauder was able to properly secure the database on the same day the initial researcher contacted them.

SoundCloud Account Vulnerabilities Fixed

Researchers have contacted SoundCloud about vulnerabilities in their platform API that could allow attackers to illicitly access user accounts. While officials quickly resolved the security flaws, two additional API flaws had the potential to initiate DDoS attacks or create fraudulent song statistics by exploiting a specific set of track IDs. Attackers would have been able to exploit the user ID authentication to test previously leaked username/password combinations in hopes some victims were using the same credentials on multiple sites.

Danish Data Leak Exposes 1.3 Million Citizens

Over a period of five years from 2015 to 2020, a bug in the country’s tax systems has leaked sensitive ID numbers for nearly 1.3 million Danish citizens. The bug itself displayed the user’s ID number in the URL after the user made changes in their tax portal, which were then analyzed by both Google and Adobe. Fortunately, no additional tax or other personal information was divulged in the leak, which the government was quick to resolve.

Study Reveals Top Brands Used in Phishing Campaigns

After gathering data from nearly 600 million email boxes over the last year, researchers once again determined that PayPal was the most impersonated company for phishing attacks in 2019. The data also revealed that phishing campaigns disguised as PayPal were using an average of 124 unique URLs daily to propagate the malicious content. Many other top companies used in phishing campaigns in 2019 were financial institutions, as they are easy troves of consumer information.

Australia Debates Retention Period for Consumer Data

The Australian government has just begun debating changes to their current data retention period, which is currently two years (or significantly longer than any comparable nation’s policy). Storing data for that length of time can be extremely dangerous, especially given the rise in data breaches in recent years. While Australia believes its two-year limit to be a good balance, there is currently no management of who actually has access to the data and several amendments are introduced to improve the privacy of Australian citizens.

Cyber News Rundown: Emotet Targets Tax Season

Tax Season Brings Emotet to the Front

As Americans prepare for tax season, Emotet authors have started a new campaign that imitates a W-9 tax form requested by the target. As with most malicious phishing, an attached document asks users to enable macros when viewing the files. This campaign can be particularly dangerous, because many people don’t spend much time looking at W-9s since they are only sent to contractors and clients who often quickly sign and return them. Emotet infections can further harm companies by downloading additional info-stealing malware and using infected machines to distribute spam campaigns.

Australian Logistics Company Faces Delays After Ransomware Attack

Toll Group, a major transportation company in Australia, fell victim to a ransomware attack this week that forced them to take several vital systems offline. Due to company cybersecurity policies, no customer data was accessed and the damage was minimized by a quick response from their team. While many customers have been able to conduct business as normal, some are still experiencing issues as they wait for all of Toll Group’s systems to return to normal operation.

Cryptomining Botnet Found on DoD Systems

A bug bounty hunter recently found an active cryptocurrency mining botnet hidden within systems belonging to the U.S. Department of Defense (DoD). The bug was also being used as a silent backdoor for additional malware execution. Unfortunately, the misconfigured server had already been illicitly accessed and the attackers had installed a cryptominer to obtain Monero coins, but officials for the DoD worked quickly to secure the system before further damage could be inflicted.

Maze Ransomware Targets Multiple French Industries

At least five French law firms and a construction corporation have fallen victim to the Maze ransomware variant, which is known for quickly exfiltrating sensitive information. Maze authors also made an announcement that they will begin releasing the stolen data if the victims refuse to pay the ransom. Though only two of the law firms have had their data posted so far, the remaining firms are expected to be exposed if the ransom is not paid.

British Charity Falls for Impersonation Scam

The British housing charity Red Kite recently fell victim to an impersonation scam in which nearly $1 million was redirected to a scammer’s account. By disguising their domain and illicitly accessing previous Red Kite email threads, the attackers were able to impersonate a contracting company without payment system safeguards stopping the payment or notifying victims that anything was abnormal until it was too late.

Cyber News Rundown: Magecart Hackers Arrested

Indonesian Magecart Hackers Arrested

At least three individuals were arrested in connection with the infamous Magecart information-stealing malware. Thanks to the combined efforts of several international law enforcement agencies, numerous servers issuing commands to awaiting Magecart scripts have been taken down in both Indonesia and Singapore. While these are not the only individuals who have profited from the Magecart code, they are the first to be identified and brought to justice.

German City Suffers Cyberattack

The City of Potsdam, Germany, is recovering from a cyberattack that took down parts of its administration systems. Fortunately, the systems were being actively monitored and were quickly taken offline to prevent data from being removed. It seems, after further investigation, that the servers were not fully patched with the latest updates. This could have allowed the attackers to move and execute malware freely.

Job Listings Used to Commit Fraud

A new wave of data theft has hit the job hunting crowd, making life harder for people looking to be hired. Cybercriminals have been creating phony sites with job listings for the purpose of absconding with the information one would normally provide an employer after accepting an offer. Though these types of scams have been executed in the past, they tend to reappear occasionally due to their continued success.

UK Court Freezes Bitcoin Wallet

After falling victim to a ransomware attack that shut down more than 1,000 computers, a Canadian insurance company took advantage of their cybersecurity policy to pay out a nearly $1 million ransom. By working with a cyber analysis firm, the company was able to track their ransom payment through the blockchain to a final wallet, which was then frozen by the currency exchange to stop further transactions and to identify the owners of the wallet. Though this may sound positive for the victims, they may be the target of additional negative repercussions like having their stolen data published or being attacked again.

South Carolina Water Company Shutdown

The Greenville Water service in South Carolina was hit with a cyberattack that took down all their systems for roughly the past week. As they continue to restore systems to proper function, officials have stated that no customer data was accessed, nor is any payment card data actually stored there. Fortunately, Greenville Water was able to return to normal functions within a week and informed customers that late fees would not be issued for payments made during the outage.