Cybersecurity Weekly: California phished, ransomware tied to Hafnium, MobiKwik breach
A phishing attack leads to a breach at California State Controller. The Hades ransomware gang exhibits connections to Hafnium. MobiKwik suffers a major data breach. All this, and more, in this week’s edition of Cybersecurity Weekly.
1. Phish leads to breach at California State Controller
A phishing attack last week gave attackers access to email and files at the California State Controller’s Office, an agency that handles more than $100 billion in public funds each year. The intruders had access for more than 24 hours and used that time to steal Social Security numbers and sensitive files on thousands of state workers.
2. Hades ransomware gang exhibits connections to Hafnium
The Hades ransomware gang has several characteristics that set it apart from other ransomware operations, including possibly having more than extortion on its to-do list. In one Hades ransomware attack, the Awake team identified a Hafnium domain as an indicator of compromise within the timeline of the Hades intrusion.
3. MobiKwik suffers major breach
Popular Indian mobile payments service MobiKwik came under fire after 8.2 terabytes of data began circulating on the dark web in the aftermath of a major data breach that came to light earlier this month. The leaked data also shows that MobiKwik does not delete card information from its servers even after a user has removed it.
4. New bugs could let hackers bypass Spectre attack mitigations
Cybersecurity researchers disclosed two new vulnerabilities in the Linux kernel that could let attackers circumvent mitigations for speculative-execution attacks such as Spectre and read sensitive data from kernel memory. The flaws affect all Linux kernels prior to 5.11.8; patches for the issues were released on March 20.
5. PHP's Git server hacked to insert secret backdoor to its source code
In another software supply chain attack, unidentified actors compromised the official Git server of the PHP programming language and pushed unauthorized updates that inserted a backdoor into its source code. The two malicious commits were pushed to the self-hosted php-src repository on the git.php.net server.
6. Flaws in Ovarro TBox RTUs could open industrial systems to remote attacks
As many as five vulnerabilities have been uncovered in Ovarro's TBox remote terminal units (RTUs) that could open the door to escalating attacks against critical infrastructure, including remote code execution and denial of service. Of the internet-accessible TBox RTUs the researchers found, 62.5% required no authentication at all.
7. SolarWinds hackers accessed DHS chief's email
The attackers behind the SolarWinds compromise accessed email accounts belonging to several top U.S. government officials. According to the Associated Press, an email account belonging to Chad Wolf, the former acting head of the Department of Homeland Security, was reportedly among those breached.
8. 30 Docker images downloaded 20M times in cryptojacking attacks
Cybersecurity researchers discovered 30 malicious Docker images, downloaded a combined 20 million times, that were used in cryptojacking operations. Half of the images used a shared mining pool, from which the researchers estimated that the threat actors mined about $200,000 worth of cryptocurrency over a two-year period.
9. Harris Federation hit by ransomware attack
A ransomware attack hit the IT systems of Harris Federation, a London-based nonprofit multi-academy trust, on Saturday, March 27. Once the infection was discovered, the organization's IT staff took its systems offline, including email, landline phone systems and students’ devices.
10. Scammers target universities in ongoing IRS phishing attacks
The IRS is warning of ongoing phishing attacks that impersonate the IRS and target educational institutions. The attacks use tax refund payments as bait and mainly focus on university staff and students with .edu email addresses. The phishing messages use subject lines such as "Tax Refund Payment" or "Recalculation of your tax refund payment".