Breach Roundup: CISA Proposes Security for Bulk Data Sales
Also: Payment Card Theft Trends, Internet Archive Update

Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, the U.S. federal government took further steps to limit bulk data transfers to China, Visa warned about payment card theft, the Internet Archive is still recovering and the official tally for the Change Healthcare breach reached 100 million. Also, Ukrainian cyber defenders fought a phishing campaign, civil society groups urged European Union members to reject the UN cybercrime treaty, TA866 was up to no good and hackers used virtual hard drive files to spread malware. Finally, Sir Isaac Newton is now verified on Google Scholar.
US Proposes Data Security Rules to Counter Foreign Threats
The U.S. federal government took an additional step to issue regulations prohibiting or restricting the bulk transfer of Americans' sensitive personal data to countries including China. The proposal stems from a February executive order spurred by concern that foreign governments use commercial access to data such as biometric and genomic data, health care data, geolocation information, vehicle telemetry information and financial transaction data as a precursor to intimidation or blackmail and for their own artificial intelligence research and development (see: Biden Executive Order Targets Bulk Data Transfers to China).
The proposed rule, due to be officially published on Oct. 29, would also require data brokers engaged in restricted transactions to follow security requirements established by the Cybersecurity and Infrastructure Security Agency. Among the proposed security requirements is the maintenance of audit logs, identity management processes for identifying which clients have access to different data sets and data minimization. Some data might be best kept encrypted in order to deny access from a proscribed country, which also would include Russia.
Visa Warns of Resurgence in Physical and Digital Scams
Payment card services giant Visa said Wednesday that fraudsters are reverting to older methods, including physical card theft, with stolen card details quickly used for gift cards, goods or online transactions.
Scammers aren't entirely going back to the 20th century, the report allows. A new tactic highlighted by Visa in a biannual threats report is "digital pickpocketing," in which scammers initiate mobile payments by tapping a point-of-sale device near wallets in crowded areas.
Government impersonation scams are also on the rise, with the average victim in the United States losing $14,000. Fraudsters pose as officials from agencies like the U.S. Postal Service and Internal Revenue Service, often shifting toward cash payments to evade detection.
Authentication bypass scams also saw an uptick, with criminals exploiting one-time-password phishing to access accounts. Generative AI allowing thieves to pose as authoritative sources makes these scams more convincing.
Visa also highlighted token provisioning fraud and ransomware as key threats, particularly for third-party providers. Attacks on third-party providers increased, affecting millions.
Internet Archive Still Recovering From Cyberattacks
The Internet Archive's crawl back to normalcy hit a bump when a threat actor sent many of the digital library's users a spoofed email after apparently obtaining a stolen access token for the site's Zendesk account.
The nonprofit site earlier this month came under a sustained distributed denial-of-service attack. It also had to grapple with the theft of data on 31 million account holders, including email addresses (see: Internet Archive Data Breach Exposes 31 Million Accounts).
The archive on Monday restored its Wayback Machine online snapshot trawler in read-only mode, writing in an update that "features like uploading, borrowing, reviewing items, interlibrary loan and other services are not yet available."
The update acknowledged the spoofed emails, saying a hacker "disclosed archive.org email and encrypted passwords to a transparency website, and also sent emails to patrons by exploiting a third-party helpdesk system."
A hacker told Bleeping Computer the Internet Archive exposed Zendesk authentication tokens in a GitLab instance.
Change Healthcare Breach Officially Affects 100 Million
The ransomware attack on Change Healthcare has officially impacted 100 million individuals, states an updated breach report submitted to federal regulators. Initially, the Tennessee medical billing intermediary reported in July that the breach affected only 500 people, but the U.S. Department of Health and Human Services Office for Civil Rights has since revised the figure (see: Why Did Change Health Lowball Its 1st Breach Report to Feds?).
Company CEO Andrew Witty had previously hinted at the scale of the breach, testifying before Congress in April that the attack likely affected one-third of Americans or roughly 100 million people. The breach, attributed to the ransomware group BlackCat, compromised the protected health information of millions, including numerous healthcare providers.
The attack caused weeks of IT outages at Change Healthcare, severely disrupting claims processing, payments and other critical healthcare operations for thousands of healthcare provider clients. The financial impact of the breach has been staggering, with parent company UnitedHealth Group (UHG) reporting to analysts that the incident has cost the company nearly $3 billion to date (see: Change Healthcare's Breach Costs Could Reach $2.5 Billion).
RDP Files Masquerade as Zero Trust Communications
The Ukrainian Government Computer Emergency Response Team reported Tuesday a widespread phishing campaign targeting the military, state authorities and industrial enterprises. The emails, falsely promoting "integration" with Amazon services and Microsoft, contained malicious remote desktop protocol configuration files. When opened, the files initiated outbound RDP connections to attacker-controlled servers, potentially exposing sensitive local resources such as disks, network drives and printers to the remote host.
The activity, tracked as UAC-0215, has a broad geographical footprint and appears to have been in preparation since at least August. CERT-UA advised organizations to block RDP files at mail gateways and to restrict RDP connection capabilities.
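As an added example, not code from CERT-UA or from the article, the Python script below parses the key:type:value lines of an .rdp file and flags the directives that would hand a remote host access to local drives, printers, clipboard or smart cards, the kind of check a mail gateway could apply before deciding to block the attachment. The sample file, its host name and the helper names are constructed placeholders.

```python
# Added example: triage an .rdp file for settings that expose local resources.
# Directive names are standard .rdp keys; the risk notes, helper names and
# the SAMPLE file are this example's own constructions.

# Directives that hand the remote host access to local resources.
RISKY = {
    "drivestoredirect": "redirects local drives to the remote host",
    "redirectprinters": "exposes local printers",
    "redirectclipboard": "shares the clipboard with the remote host",
    "redirectsmartcards": "forwards smart cards used for authentication",
    "remoteapplicationmode": "hides the session behind a single remote app",
}

def parse_rdp(text):
    """Return {key: (type, value)} for each well-formed 'key:type:value' line."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # the value may itself contain ':'
        if len(parts) != 3:
            continue  # blank line or malformed entry
        key, typ, value = parts
        settings[key.strip().lower()] = (typ.strip(), value.strip())
    return settings

def assess_rdp(text):
    """List reasons an .rdp attachment should be blocked or alerted on."""
    settings = parse_rdp(text)
    findings = []
    target = settings.get("full address", ("s", ""))[1]
    if target:
        findings.append(f"initiates an outbound RDP connection to {target}")
    for key, note in RISKY.items():
        if key in settings:
            value = settings[key][1]
            # '0' or empty disables a flag; '*' or a drive list enables redirection
            if value not in ("", "0"):
                findings.append(f"{key}={value}: {note}")
    return findings

# Constructed sample resembling a lure that exposes every local resource.
SAMPLE = """\
full address:s:rdp.lure-placeholder.invalid:3389
drivestoredirect:s:*
redirectprinters:i:1
redirectclipboard:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
"""
```

Running `assess_rdp(SAMPLE)` returns six findings for the sample, while a benign file that sets only display options and `redirectprinters:i:0` returns none.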
Civil Society Urges EU to Reject UN Cybercrime Convention
Civil society organizations called on European Union members to reject the United Nations Cybercrime Convention during an upcoming General Assembly vote. The joint letter, signed by human rights groups, tech companies and security researchers, highlighted concerns over the draft treaty's broad scope, which could lead to increased government surveillance and erosion of democratic freedoms.
Critics say the draft convention allows for intrusive domestic and cross-border surveillance with minimal limitations, risking misuse against dissenting voices. Provisions for collecting electronic evidence and international cooperation could facilitate human rights violations and conflict with existing EU data protection laws, signatories said.
Financially Motivated Group Spreading Malware via Malspam
A financially driven threat actor tracked as TA866, also known as Asylum Ambuscade, is spreading custom malware through malvertising, researchers from Cisco Talos said.
Active since at least 2020, TA866 uses malicious links in emails, PDFs and ads to redirect victims to traffic distribution systems such as 404 TDS, operated by threat actors offering malware installation services. Once users click, attackers deploy various malware strains, including Screenshotter for screen data collection, AHK Bot for credential theft and Looper for persistence.
Cisco Talos said that TA866 tailors its tools based on target environments, adjusting its infection chains post-compromise. After gaining initial access, the group conducts reconnaissance and may deploy additional malware such as the CSharp-Streamer remote access trojan. Researchers believe TA866 could be linked to other campaigns using the same tools.
Malware Hidden in Virtual Disk Files Bypasses Antivirus and Email Security
Cybercriminals are exploiting the limited detection capabilities of virtual hard drives to deliver malware such as Remcos and XWorm RATs through seemingly benign emails, researchers from Cofense Intelligence said. Traditional email security systems and antivirus software struggle to scan virtual drives, treating them as black boxes, typically leaving them unscanned or flagged as "unscannable."
That's an opening for hackers to embed malicious content within virtual hard drive files, often altering file hashes to evade detection. In tests, only one out of 62 antivirus engines on VirusTotal detected malware delivered through these files.
Once opened, malicious .vhd and .vhdx files trigger malicious payloads. Cofense said this type of attack appears targeted at older Windows systems, which are more susceptible to automatic malware execution via virtual disk files.
Sir Isaac Newton Has a Verified Google Scholar Profile
A surprising discovery surfaced on Google Scholar: Sir Isaac Newton, the Enlightenment-era physicist and polymath, appears as a "Professor of Physics" at MIT with a "verified email" from the institution. "Good for him," opined Jay Cummings, a math professor at California State University who shared the finding on X.
Google Scholar only verifies the email address associated with the profile, not the user's identity. Setting up a profile involves entering basic information and can include an email verification step, which can be easily completed in moments.
Other Stories From Last Week
- AI Industry Coalition Seeks to Codify US Safety Institute
- Critical OPA Vulnerability Exposes Windows Credentials
- Retaining EU Adequacy Crucial to UK Economy: Lawmaker
- CISA Ramping Up Election Security Warnings as Voting Begins
- ICS Detection Improves, Response Still Lacking
With reporting from Information Security Media Group's Akshaya Asokan in Southern England and Marianne Kolbasuk McGee in Massachusetts.