Breach Roundup: Filipinos Under Fire From 'Mustang Panda'Also, Kansas State Courts' Post-Attack Outage Continues; Confidential Data Stolen
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, the advanced persistent threat group "Mustang Panda" targeted the Philippine government; Kansas state courts warned of data theft; cybersecurity officials warned of actively exploited flaws in Sophos, Oracle and Microsoft products; AutoZone detailed data lost to Clop; and Optus' CEO resigned over a serious network outage.
Mustang Panda Hackers Target Philippine Government
Security researchers have tied a China-aligned hacking group with the codename Mustang Panda - aka Stately Taurus - to a series of phishing attacks, including attacks against the government of the Philippines, exacerbating existing tensions in the South China Sea. The news follows Palo Alto Networks' Unit 42 threat intelligence team tracking the same hacking group running three separate August campaigns targeting organizations in the South Pacific. Attackers targeted legitimate software, including Solid PDF Creator and SmadavProtect, via DLL side-loading tactics and mimicked Microsoft traffic to disguise their command-and-control connections, experts found. They said the group's targets regularly align with Beijing's geopolitical interests.
Kansas Courts Confirm Data Theft
The Kansas state court system warned that the "security incident" it suffered last month had led to hackers stealing sensitive files containing confidential information. The incident resulted in numerous systems going offline, including an electronic filing system used by attorneys, electronic payment systems and case management systems for district and appellate courts. More than five weeks post-attack, these services remain offline.
Kansas' state court system said attackers have threatened to leak stolen data if their ransom demands - the state did not specify what those are - don't get met. The state said stolen information appears to include Office of Judicial Administration files and district court case records on appeal, including sensitive and confidential data.
CISA Adds to Exploited Vulnerabilities List
The U.S. Cybersecurity and Infrastructure Security Agency on Tuesday added bugs in products from Sophos, Oracle and Microsoft to its list of known exploited vulnerabilities. One exploited flaw is in Sophos Web Appliance and allows unauthenticated attackers to execute arbitrary code. Sophos patched the flaw in April, and the affected appliance was officially at end of life in July. CISA's known exploited vulnerabilities list also includes four other Sophos product vulnerabilities.
Other recent additions to the list include a vulnerability in Oracle WebLogic Server, which experts warn a China-affiliated threat actor has been exploiting to target government and critical infrastructure in Taiwan. Another listing details a vulnerability designated CVE-2023-36584, which attackers can use to bypass Windows' Mark of the Web security feature.
AutoZone Details Clop Attack
Auto parts retailer AutoZone reported suffering a ransomware attack at the hands of the Clop group, leading to the exposure of information tied to 185,000 individuals. The data theft dates from May, when the retailer was one of over 2,600 organizations hit when Clop - aka Cl0p - began its mass exploitation of a vulnerability in MOVEit secure file transfer software, allowing it to steal data being stored on MOVEit servers (see: Known MOVEit Attack Victim Count Reaches 2,618 Organizations).
AutoZone confirmed the attack in August, and its ongoing investigation identified the full extent of the data breach only this month. Clop had listed the retailer as a victim on its data leak site in July, claiming it stole 1.1 gigabytes of internal and employee data. AutoZone said exposed information included full names and Social Security numbers.
Optus CEO Resigns Amid Network Outage
Kelly Bayer Rosmarin, CEO of Australia's second-largest telecommunications carrier, Optus, resigned following a 12-hour networkwide outage affecting nearly half of Australia's population. The outage occurred just days after a parliamentary hearing in which Optus executives admitted having no contingency plan for a disruption of such scale. Chief Financial Officer Michael Venter will step in as interim CEO.
Rosmarin, who took the helm in April 2020, faced numerous challenges during her tenure, including a massive data breach exposing 10 million Australians' personal data, leading to lawsuits and regulatory investigations. The recent network blackout further strained Optus' reputation and highlighted telecommunications infrastructure concerns. Singtel, Optus' parent company, promised to work to regain customer trust and confidence, citing ongoing efforts to mitigate the outage's impact.
Other Coverage From Last Week
- Security Firm COO Hacked Hospitals to Drum Up Business
- CISA Urges Patching as Hackers Exploit 'Looney Tunables' Bug
- Australia Unveils AU$587 Million Strategy to Defeat Cybercrime
- Election Integrity Fears in Europe Provoke Joint Exercise
- Report Details Aftermath of ICBC LockBit Ransomware Attack
- Leading Nuclear Energy Testing Lab Suffers Major Data Breach