Breach Roundup: US Ambassador to China's Email Hacked TooAlso: Linux Malware Infects 70K Routers; More MOVEit Fallout; Estée Lauder Breach
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, the U.S. ambassador to China was the latest victim of Chinese hacks, Linux malware infected 70,000 SOHO routers, the Norwegian data protection authority banned Meta's ads, the MOVEit breach affected 1.2 million customers, a Russian medical lab suffered a ransomware attack, and Estée Lauder shut down some systems after a breach.
US Ambassador to China Is Latest Victim in MS Exchange Hacks
U.S. Ambassador to China Nicholas Burns was the latest victim of recent Chinese hacks of email accounts of officials at 25 different organizations worldwide, including the U.S. State and Commerce departments, according to a report Thursday by The Wall Street Journal citing top-level sources. Chinese nation-state hackers are suspected of exploiting a zero-day vulnerability in Microsoft Office that was disclosed July 11. Microsoft said the threat actor, identified as Storm-0558, had been exploiting a token validation issue since May 15 and had used forged authentication tokens to gain access to the email accounts.
The hacks coincided with a European Parliament meeting on China policy and U.S. diplomatic trips to China. In addition to the ambassador, the hackers also targeted the email account of Assistant Secretary of State for East Asia Daniel Kritenbrink, who had accompanied Secretary of State Antony Blinken to China to help reestablish diplomatic relations.
Linux Malware Infects 70,000 SOHO Routers
A new botnet named AVrecon was discovered by the threat research team at Black Lotus Labs, Lumen Technologies. The sophisticated malware had remained undetected for at least two years since May 2021, infecting over 70,000 Linux-based small office/home office routers across 20 countries. The botnet managed to maintain its hold on more than 40,000 IP addresses.
AVrecon primarily targets Linux-based Arm devices and specifically focuses on SOHO routers. These routers typically lack standard endpoint security solutions and known vulnerabilities for extended periods - allowing attackers to capitalize.
AVrecon owes its success to its subtle approach. Instead of causing widespread disruptions, the malware operated quietly, allowing it to evade detection. It functioned primarily as a remote access Trojan and was primarily used for fraudulent activities, particularly generating ad revenue through unauthorized clicks on Facebook and Google ads.
When a router was infected, AVrecon transmitted the compromised device's information to an embedded first-stage command-and-control server. From there, the device received instructions to connect to other C2 servers. Black Lotus researchers uncovered 15 such servers in operation since at least October 2021. The malware encrypted communication between the compromised routers and C2 servers using x.509 certificates, making it difficult for researchers to assess the success of password-spraying attempts.
Norway's Data Protection Authority Bans Meta Behavioral Ads
Norway's data protection authority, Datatilsynet, on Wednesday issued an urgent order banning Meta from running behavioral advertising on Facebook and Instagram in Norway without obtaining users' consent. The ban will be in effect for an initial three months. Meta is still permitted to conduct other forms of targeted advertising, such as contextual targeting, which doesn't rely on tracking and profiling users. Meta can continue behavioral advertising if it acquires users' consent. Failure to comply with the ban and continue running privacy-hostile behavioral ads without users' choice could result in fines of up to approximately $100,000 per day.
The ban follows a ruling by the Court of Justice of the EU, which invalidated the legal basis Meta claimed for microtargeting users with ads in the region, known as legitimate interests. The CJEU ruling emphasized that legitimate interests are not a valid basis for Meta's surveillance advertising business.
Meta responded to the ban by suggesting an "ongoing debate" about the legality of its reliance on legitimate interests for behavioral ads, even though the CJEU recently clarified that this legal basis is invalid for such purposes.
In addition to the ban, the Norwegian DPA cautioned that it may refer the matter to the European Data Protection Board for further action, potentially leading to a ban on behavioral advertising across the entire EU.
1.2 Million More Individuals Affected by PBI's MOVEit Breach
U.S.-based population research service provider Pension Benefit Information is one of numerous organizations that suffered a major data breach due to the Clop ransomware group exploiting a zero-day vulnerability in its MOVEit Transfer software, sold by Progress Software. PBI recently reported in a filing with the Maine Attorney General's office that the breach compromised 371,359 individuals' details. In a separate filing with the U.S. Department of Health and Human Services Office for Civil Rights, however, the company revealed that the breach affected at least 1,209,825 individuals.
PBI, known for having one of the largest and most comprehensive obituary databases, offers population management solutions to thousands of organizations to help them comply with federal regulations.
PBI reported that Clop exploited a zero-day vulnerability in its MOVEit software on May 29 or May 30 and stole data, including clients' names, partial mailing addresses, Social Security numbers and dates of birth. PBI confirmed that its "core systems or software" remained unaffected by the breach, and said the vulnerability was patched by Progress Software on May 31, preventing further exploitation.
Russian Medical Lab Left Paralyzed After Ransomware Attack
Helix, a Russian medical laboratory, experienced a major cyberattack that left its systems paralyzed, resulting in the inability to deliver test results to customers for several days. The attack, which involved an attempt to infect the company's systems with ransomware, disrupted the functionality of Helix's website, mobile app and other e-health services. The lab's tech team managed to partially restore these services without paying a ransom, according to a statement the Russian state-owned news agency Tass issued on Monday.
Many individuals said they urgently needed the results for hospitalization purposes or to obtain COVID-19 tests. In response to the attack, the company reset all customer passwords and implemented stronger security protocols to prevent future incidents.
The responsible party behind the cyberattack remains unknown, and their motivation, whether financial or political, is still unclear.
Estée Lauder Suffers Breach, Shuts Down Some Systems
Cosmetics giant Estée Lauder fell victim to a serious ransomware breach for which the Alphv/BlackCat and Clop ransomware gangs claimed responsibility. Security researcher Dominic Alvieri and others reported the breach on Twitter and said the attack had gone live on Tuesday.
Estée Lauder confirmed an unauthorized third party had gained access to some of its systems and in response the company had taken down some systems and initiated an investigation.
Estée Lauder is focusing on remediation efforts, but it warned that the incident would cause disruptions to its business operations. The cosmetics company filed a statement with the Securities and Exchange Commission.
It is not yet clear if ransomware was deployed on the company's network or if the attack focused on data theft-based extortion.
Other Coverage From Last Week
- Microsoft Expands Logging Access After Chinese Hack Blowback
- White House Unveils Cyber Trust Label for Smart Devices
- Biden Administration Blacklists 2 Commercial Spyware Firms
- Spanish Police End a Decade on the Run for Ukrainian Hacker
- Number of Victims Breached Via MOVEit Zero-Day Keeps Climbing
- China Raises Cybersecurity Barriers to Tech Investments
- Threat Actors Customizing Tools for Mobile OS-Based Fraud