Update Number Two: DHL Admits 'Downtime Incident' Affecting Third-Party Supplier
N. Korean hackers are collaborating with Play ransomware gang, Colorado voting machines accidentally exposed BIOS passwords, Right-wing voter database for sale, Crypto app websites compromised by animation library supply chain attack, Threat actor claims attack on Peru's Interbank, much more
Sponsor Message
In today's digital landscape, protecting your software supply chain from rising threats is essential. This free whitepaper offers five key strategies for enhancing container security, one of the main attack surfaces in dynamic software development practices. Learn about using SBOMs for transparency, shifting vulnerability detection left, and automating policy enforcement, all for a superior developer experience and securing third-party code.
Interested in reaching the elite audience of cybersecurity decision-makers, public policy professionals, and journalists who read Metacurity? Send an email to info [at] Metacurity.com with the subject line "Sponsorship."
According to one of its partners, DHL is suffering from a cyberattack on the provider of its tracking tool, which has wiped out the package delivery giant's tracking systems worldwide.
UK convenience group and grocery wholesaler Nisa warned its retailers today, October 31: “the DHL delivery tracking solution has encountered a cyber incident this morning that has affected all their systems globally.”
Transport tech firm Microlise reportedly provides DHL with the tracking tool. Nisa explained that this means DHL has "no visibility" of the progress of any of its deliveries.
The statement claimed Microlise is "working to isolate and recover all impacted systems to restore full functionality as soon as possible."
Nisa told store owners that there was no way for them to receive updates on their deliveries until the systems are restored.
Robert Mintz, senior manager of communications at DHL Express Americas, initially responded to Metacurity by saying that Nisa's claim was untrue.
But later Mintz backpedaled from the categorical denial to say: "DHL Supply Chain UK is aware of a downtime incident impacting a third-party supplier which we use. We can confirm this incident has not affected DHL-owned systems. However, as a precaution we have implemented appropriate safeguarding measures. We are working to resolve the situation and have implemented contingencies to ensure that service levels are maintained for those customers who may be potentially impacted.
The incident has no relation to or impact on any other operations of DHL Group (including DHL Express, DHL eCommerce or DHL Global Forwarding)."
Ed. Note: Metacurity has contacted Nisa and Microlise for confirmation and has not received any responses. (Better Retailing)
Researchers at Palo Alto Networks’ Unit42 say that Jumpy Pisces, a hacking group affiliated with North Korea’s Reconnaissance General Bureau, was involved in a Play ransomware attack identified by incident responders in September.
The researchers highlighted an investigation into a recent ransomware attack in which North Korean actors appeared to be collaborating with the financially minded Play ransomware gang.
The researchers did not identify the victim or where it is located but attributed the attack to Jumpy Pisces, a group that has been previously linked to North Korean state-sponsored activity.
Unit42 warned that the incident signaled North Korea’s deeper involvement in the ransomware landscape after the Justice Department previously implicated Jumpy Pisces actors in attacks involving the Maui ransomware.
The researchers added that they “expect their attacks will increasingly target a wide range of victims globally.” Defenders should view the North Korean group’s activity “as a potential precursor to ransomware attacks, not just espionage, underscoring the need for heightened vigilance.” (Jonathan Greig / The Record)
Related: Palo Alto Networks, SC Media, Tech Target
The Colorado Secretary of State’s office inadvertently included BIOS passwords for the state’s voting machines in a hidden tab on a spreadsheet on the department’s website, which has election officials scrambling days ahead of the election.
Secretary of State Jena Griswold said the employee responsible for the passwords ending up online no longer works for the state, and a personnel investigation is ongoing.
“We have people in the field working to reset passwords and review access logs for affected counties,” Griswold said. “This is out of an abundance of caution; we do not believe there is a security threat to Colorado's elections.”
Griswold said the online passwords were “partial” and insufficient to access the machines’ operating systems. While the personnel audit is still underway, the initial investigation indicates the leak was an accident.
Clerks are meanwhile working to assure the public about the scope of the leak and that the election systems are secure.
“You would need to have physical access to this equipment in order to do something nefarious with this leaked password,” said Democratic Boulder county clerk Molly Fitzpatrick, the current chair of the Colorado County Clerks Association.
She noted that counties must store their voting equipment in a room with strict key card access controls. Background checks are required for the few employees authorized to enter the area, which is under 24-hour video surveillance. (Bente Birkeland / CPR News)
Related: Gizmodo, KUSA-TV, Colorado Secretary of State, Associated Press, CBS News, The Independent, ZeroHedge News, The Federalist, Colorado House Republicans, Newsweek, StateScoop, New York Times, Legal Insurrection, Blaze Media, Reuters
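The Colorado leak came from a hidden worksheet in a file that was published as-is. Hiding a tab in Excel only sets a `state="hidden"` (or `state="veryHidden"`) attribute in the workbook's `xl/workbook.xml`; the data is still in the file. The following script, added here as an illustration and not code from the Secretary of State's office or from any of the cited outlets, is a pre-publication gate that opens an .xlsx (which is a zip archive) with only the Python standard library and lists every non-visible sheet. The `build_workbook_stub` helper and the sheet names it uses are constructed for the example so it runs offline; a real .xlsx contains more parts, but this check only needs `xl/workbook.xml`.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML namespace used inside xl/workbook.xml of an .xlsx package.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def hidden_sheets(xlsx_bytes):
    """Return [(sheet_name, state)] for every worksheet whose state is not 'visible'.

    An .xlsx is a zip archive; the sheet list lives in xl/workbook.xml, where a
    hidden tab carries state="hidden" or state="veryHidden". Either way the cell
    data is still shipped inside the file, so a publication check must look here.
    """
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    found = []
    for sheet in root.findall("m:sheets/m:sheet", NS):
        state = sheet.get("state", "visible")  # absent attribute means visible
        if state != "visible":
            found.append((sheet.get("name"), state))
    return found


def safe_to_publish(xlsx_bytes):
    """Gate: refuse files that still carry hidden worksheets."""
    return not hidden_sheets(xlsx_bytes)


def build_workbook_stub(sheets):
    """Constructed test input: a minimal xlsx-shaped zip holding only xl/workbook.xml.

    `sheets` is a list of (name, state) with state None for a visible sheet.
    Real workbooks have many more parts; this is just enough for the check above.
    """
    entries = "".join(
        f'<sheet name="{name}" sheetId="{i}" r:id="rId{i}"'
        + (f' state="{state}"' if state else "")
        + "/>"
        for i, (name, state) in enumerate(sheets, 1)
    )
    xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        f"<sheets>{entries}</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one visible tab plus two hidden ones (names are made up).
    sample = build_workbook_stub(
        [("Counties", None), ("Passwords", "hidden"), ("Scratch", "veryHidden")]
    )
    for name, state in hidden_sheets(sample):
        print(f"hidden worksheet: {name!r} (state={state})")
    print("safe to publish:", safe_to_publish(sample))
```

The fix when the gate fires is to delete the sheet and re-save, or better, export only the intended sheet to a fresh file; "unhiding and deleting" is the only way the data actually leaves the package, and the same applies to hidden rows, columns and named ranges, which this check does not cover.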
L2 Data, a leading political data company, is selling a voter database that identifies Americans based on their support for right-wing militias, the QAnon conspiracy theory, and the January 6 insurrection.
The company collects various information about voter preferences on issues such as defense, spending, and the economy. However, unlike other data companies, L2 measures or estimates voters’ support for the extreme right's most divisive and potentially threatening threads.
L2 says it developed its dataset by surveying some voters and then extrapolating the probable views of a wider group with similar preferences and behavior from voter records and consumer habits.
Those predictions are part of a larger dataset that includes a broad range of views held by both the right and left on issues such as climate change, race, and civil liberties.
The firm sells that broad set of information to a range of politicians and parties: According to FEC filings, Rep. Rob Menendez (D-NJ), Rep. Bob Good (R-VA), and PACs for both Democrats and Republicans have bought its data.
Although campaign records show that numerous national politicians have bought the L2 dataset, there is no evidence that they have used the information to target potential insurrectionists. Some experts say it could be helpful in identifying Americans most prone to political violence and finding ways to moderate those views. (Alfred Ng / Politico)
Taking legal action over spyware is very difficult: plaintiffs face often-overwhelming hurdles, and many victims have failed to get courts to act against spyware manufacturers or the countries that deployed the invasive technology against them.
One of the most high-profile plaintiffs is Hanan Elatr, the widow of slain Washington Post journalist Jamal Khashoggi. A federal court in Virginia almost precisely one year ago dismissed her case against NSO Group over allegations that Saudi Arabia spied on her and her husband before his murder, a legal result that she said was “very disappointing for me.” But a three-judge panel heard arguments in an appeal of that ruling Wednesday.
“There is no justice for Jamal,” she said, adding that the murder “also did destroy my life and my family’s life.”
However, some cases have had good outcomes for plaintiffs. And some cases still show promise for them. The US Supreme Court, for instance, dealt a setback last year to NSO Group’s attempt to get the Meta case dismissed, and UK courts have allowed spyware cases to go forward twice in recent weeks against Bahrain and Saudi Arabia. (Tim Starks / Cyberscoop)
The front-end websites of several online crypto apps were compromised after attackers injected malicious code into an update of a popular and widely used animation library called Lottie Player.
Crypto security platform Blockaid said decentralized finance apps, including 1inch and TEN Finance, showed popups asking users to connect their wallets; the popups were in fact the crypto drainer Ace Drainer.
Gal Nagli, a security lead at cybersecurity firm Wiz, explained that the compromise was caused by a “massive supply chain attack” on the Lottie Player library. This library is a hugely popular service that provides animations for sites and apps, boasting users like Apple, Spotify, and Disney.
The attack is unusual in that it injected a malicious popup into an otherwise legitimate website. Attackers more typically breach highly followed social media accounts to trick followers into clicking phishing links to fake websites.
Jawish Hameed, the engineering vice president at LottieFiles, which publishes the animations library, said the affected library versions had been removed and urged users to install the latest version.
He said that attackers compromised the GitHub account of a LottieFiles senior software engineer and pushed three malicious updates in three hours, adding that they had “removed the compromised account access.”
Nagli warned that websites that still use the affected library versions “are probably still vulnerable,” saying users should check if sites use the non-malicious packages, either version 2.0.4 or the latest 2.0.8. (Jesse Coghlan / Cointelegraph)
Related: Decrypt, Sonatype, crypto.news, BeInCrypto, Coinmarketcap, GitHub
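Nagli's advice above is to check which lottie-player version a site loads. The script below is an added example, not code from Blockaid, Wiz or LottieFiles, that audits a page's `<script>` tags for CDN references to the npm package `@lottiefiles/lottie-player`, classifies the pinned version against the two versions the article names as non-malicious (2.0.4 and 2.0.8), flags unpinned or `@latest` references, and notes whether a Subresource Integrity hash is present. The sample HTML, the placeholder `integrity` value and the status labels are constructed for the example; the "suspect" bucket is an inference from the article (three malicious releases published between 2.0.4 and the fixed 2.0.8), not a list the article gives.

```python
import re
from html.parser import HTMLParser

# Versions the article names as non-malicious (2.0.4 and the fixed 2.0.8).
KNOWN_GOOD = {"2.0.4", "2.0.8"}

# Matches the npm package path as it appears in unpkg/jsDelivr-style CDN URLs,
# e.g. https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js,
# capturing whatever follows the '@' (a version, a dist-tag, or nothing).
LOTTIE_RE = re.compile(r"@lottiefiles/lottie-player(?:@([^/\s]+))?", re.IGNORECASE)


def classify_version(version):
    """Bucket a lottie-player version string for reviewer attention.

    'suspect' is an inference from the article: the compromised releases were
    pushed after 2.0.4 and before the fixed 2.0.8, so anything strictly between
    those two deserves a look. Everything else outside KNOWN_GOOD is 'review'.
    """
    if not version or version == "latest":
        return "unpinned"          # site receives whatever the CDN serves next
    if version in KNOWN_GOOD:
        return "known-good"
    try:
        parts = tuple(int(p) for p in version.split("."))
    except ValueError:
        return "unrecognized"      # ranges, tags, hashes: needs a human look
    if (2, 0, 4) < parts < (2, 0, 8):
        return "suspect"
    return "review"


class ScriptTagCollector(HTMLParser):
    """Collect the attributes of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append({k.lower(): v for k, v in attrs})


def audit_html(html):
    """Return one finding per lottie-player <script src> in the page."""
    parser = ScriptTagCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src") or ""
        m = LOTTIE_RE.search(src)
        if not m:
            continue
        findings.append({
            "src": src,
            "version": m.group(1),
            "status": classify_version(m.group(1)),
            "has_sri": bool(attrs.get("integrity")),  # SRI pins the file's hash
        })
    return findings


# Constructed sample page: one pinned and hashed reference, one reference in the
# suspect window without SRI, one unpinned '@latest', and an unrelated script.
SAMPLE_HTML = """
<html><head>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"
        integrity="sha384-PLACEHOLDER_HASH" crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.6/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML):
        sri = "SRI" if f["has_sri"] else "no SRI"
        print(f"{f['status']:<11} {f['version'] or '(none)':<8} {sri:<7} {f['src']}")
```

The two defensive takeaways the audit encodes are that an unpinned or `@latest` reference receives a newly published release automatically, which is exactly how the three malicious updates reached live sites, and that a pinned version with an `integrity` attribute will not load if the file at that path is later replaced with different bytes.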
Interbank, one of Peru's leading financial institutions, has confirmed a data breach after a threat actor who hacked into its systems leaked stolen data online.
Previously known as the International Bank of Peru (Banco Internacional del Perú), the company provides financial services to over 2 million customers.
"We have identified that some data of a group of clients has been exposed by a third party without our authorization. In light of this situation, we immediately deployed additional security measures to protect the operations and information of our clients," Interbank said.
While customers have been reporting that the bank's mobile app and online platforms stopped working throughout the day and during a separate outage reported two weeks ago, Interbank says that most of its operations are now back online and that its clients' deposits are secure.
Even though the bank has yet to disclose the exact number of customers whose data was stolen or exposed in the breach, as first spotted by Dark Web Informer, a threat actor who uses the "kzoldyck" handle is now selling data allegedly stolen from Interbank systems on several hacking forums.
The threat actor claims they were able to steal Interbank customers' full names, account IDs, birth dates, addresses, phone numbers, email addresses, and IP addresses, as well as credit card and CVV numbers, credit card expiry dates, info on bank transactions, and other sensitive information, including plaintext credentials. (Sergiu Gatlan / Bleeping Computer)
Researchers at Zimperium report that a new version of the FakeCall malware for Android hijacks outgoing calls from users to their banks, redirecting them to the attacker's phone number instead.
FakeCall (or FakeCalls) is a banking trojan focused on voice phishing, in which victims are deceived by fraudulent calls impersonating banks and asked to disclose sensitive information.
The goal of the latest version remains to steal people's sensitive information and money from their bank accounts.
In previous versions, FakeCall prompted users to call the bank from within an app that impersonated the financial institution. A fake screen was then overlaid that displayed the bank's actual number while the victim was in fact connected to the scammers.
In the latest version analyzed by Zimperium, the malicious app sets itself as the default call handler and asks the user to approve this action upon installing the application through an Android APK.
The call handler in Android manages incoming and outgoing calls, essentially serving as the main interface that processes dialing, connecting, and ending calls.
When the malware prompts the user to set it as the default call handler, it gains permission to intercept and manipulate outgoing and incoming calls.
A fake call interface mimics the Android dialer, displaying trusted contact names and information, which raises the deception to a level that is hard for victims to notice.
What makes this malware so dangerous is that when a user attempts to call their financial institution, it secretly hijacks the call and redirects it to an attacker's phone number instead.
Zimperium has published a list of indicators of compromise (IoC), including app package names and APK checksums, so users can avoid the malicious apps that carry the malware. However, these are frequently changed by the threat actors. (Bill Toulas / Bleeping Computer)
Related: Zimperium, Ars Technica, BGR, Security Affairs
St. Anthony's Regional Hospital in Carroll, Iowa, reports that hackers breached its IT systems, accessing files and downloading patient records to an offsite location.
The incident happened in August, with cybercriminals first accessing St. Anthony’s network on the 14th. The breach was not discovered until the 26th, and criminals maintained partial access to the hospital’s systems until the 28th, St. Anthony confirmed.
There was no mention of a system outage or any impact on patient care delivery.
St. Anthony added that compromised records include protected health information, such as full names, addresses, dates of birth, Social Security numbers, financial information, and private medical information, such as treatments and diagnoses.
The hospital is offering legally required identity protection services to those affected. However, St. Anthony said there is no evidence that stolen information was used for fraud. Currently, the data is not posted for sale on dark web forums. (Chad Van Alstin / HealthExec)
Related: St. Anthony Regional Hospital
The Art Gallery of Ontario (AGO) says a "cybersecurity incident" hit its computer systems in September and may have resulted in a third party gaining unauthorized access to some customer information.
In a statement and an email to its members, the art gallery confirmed that an unauthorized third party gained access to its internal shared server but added, "the vast majority of customer data and credit card information was not impacted."
The gallery said it is notifying customers who may have been impacted after legal counsel and security specialists advised it to do so and in accordance with privacy legislation.
The AGO said the breach affected its systems between Sept. 9 and 18. It added that an investigation by security specialists was undertaken to "gain a clearer understanding of the breadth" of the breach. (CBC)
Related: The Globe and Mail
Best Thing of the Day: Embrace the Spooky Data
Simson Garfinkel, Chief Scientist at BasisTech, recounts a dinner talk he gave years ago on the concept of "spooky data," which leads to the inexplicable outcome of boosting a server's security by deleting its private cryptographic key.
Worst Thing of the Day: Community Notes Sucks at Content Moderation
According to the nonprofit Center for Countering Digital Hate (CCDH), the majority of accurate fact checks proposed by users in the form of Community Notes on X political posts are never shown to the public, showing that the feature is failing to identify misinformation.