Hackers Breached American Water Works Systems, Forced Some Systems Offline

Hackers stole Moneygram customer data during September incident, ADT reports second breach in two months, Qantas says two partner employees stole customer flyer points, Medical tests exposed in First Nations breach, Raccoon Stealer admin pleads guilty, Fake token promoted on LEGO site, much more


Check out our sponsor, Anchore, which helped bring you today's issue:

Anchore enables organizations to secure software supply chains and automate compliance to save time and reduce risk. Built for cloud-native applications and air-gapped environments, organizations can generate SBOMs and fix vulnerabilities while maintaining continuous government and industry compliance.


In an SEC filing, American Water Works, which supplies drinking water and wastewater services to more than 14 million people, said hackers had breached its computer networks and systems and disconnected or deactivated some systems to contain the cyberattack.

The company said it doesn’t believe water or wastewater operations have been affected but noted that it can’t yet predict the full impact of the incident. However, the attack also forced it to shut down its online customer portal service, MyWater, and pause billing services.

It also said it doesn’t expect the cyberattack to have a material effect on the company or its finances.

US government officials and cybersecurity researchers have been warning in recent months that hackers are increasingly targeting water infrastructure. Earlier this year, the US accused the state-sponsored Chinese hacking campaign known as Volt Typhoon of infiltrating some of the country’s water facilities, among other things. The Biden administration urged states to be on guard for cyberattacks against water systems, citing ongoing threats from groups linked to the governments of Iran and China. (Lynn Doan / Bloomberg)

Related: SEC, American Water, Associated Press, Fast Company, CBS News, Bleeping Computer, The Record, Silicon Angle, TechCrunch, St. Louis Post-Dispatch, Security Week, HackRead, Cyberscoop, Slashdot

US money transfer giant Moneygram said that an unauthorized third party “accessed and acquired” customer data during a cyberattack on September 20.

The cyberattack, the nature of which remains unknown, sparked a week-long outage that caused the company’s website and app to fall offline.

The stolen customer data includes names, phone numbers, postal and email addresses, dates of birth, and national identification numbers. The data also includes a “limited number” of Social Security numbers and government identification documents, such as driver’s licenses and other documents that contain personal information, like utility bills and bank account numbers. MoneyGram said the types of stolen data will vary by individual.

MoneyGram said that the stolen data also included transaction information, such as dates and amounts of transactions, and “for a limited number of consumers, criminal investigation information (such as fraud).” (Zack Whittaker / TechCrunch)

Related: Android Authority, Bleeping Computer, Information Age, MoneyGram, SC Media

In an SEC filing, home and small business security company ADT disclosed it suffered a breach after threat actors gained access to its systems using stolen credentials and exfiltrated employee account data.

ADT says credentials were stolen from a third-party business partner, allowing threat actors to breach its systems. In response to the attack, ADT terminated the unauthorized access and began investigating the incident with third-party cybersecurity experts. As part of its investigations, it was determined that encrypted account data for employees was stolen in the attack.

ADT warns that their containment measures have caused some disruption to the Company's information systems, likely as they were shut down to prevent the further spread of the attack.

However, shutting down IT systems also prevents legitimate access to internal applications and data, temporarily disrupting business operations while servers and workstations are investigated and restored as necessary.

The company says its investigation does not indicate that customers' data or security systems have been compromised.

This is the second ADT breach in two months, with the company warning in August that they suffered a data breach after a threat actor leaked 30,800 customer records, including customer emails, complete addresses, user IDs, and the products purchased, on a hacking forum. (Lawrence Abrams / Bleeping Computer)

Related: SEC, The Cyber Express, Reuters, BornCity, MarketWatch

Qantas Airlines said that two employees working for India SATS, a partnership between Air India and Singapore’s biggest ground-handling company, SATS, used their positions to steal frequent flyer points from customers.

Employees of India SATS, the ground handler Qantas uses in India, are able to access all of the airline’s flight bookings.

Using this access, employees altered customer bookings and changed frequent flyer details using a partner airline booking system to send the earned points to an account they controlled.

The theft affected over 800 bookings in July and August 2024, potentially compromising passport data.

“As part of the access they had to do their job, they may have had access to some customers’ passport details,” Qantas told the media.

“There’s no evidence this has been used in any way.”

In August, the two contractors were stopped and suspended, and customers reportedly had their frequent flyer points restored and bookings fixed. (Daniel Croft / Cyber Daily)

Related: Daily Mail, The Australian, The Senior

The First Nations Health Authority in British Columbia, Canada, says online hackers gained access to personal information, including medical test results and insurance claims, during a cybersecurity breach last May.

The health authority says it has concluded its investigation, and "the impact of the cybersecurity incident is not the same for everyone."

However, it says hackers gained access to information such as first and last names, home addresses, email addresses, personal health numbers, insurance claim details, and tuberculosis screening test results for certain people.

Those with compromised information could also include First Nations individuals and immediate non-First Nations family members who lived in First Nations communities in B.C. and had a tuberculosis screening test before March 29, 2016.

The health authority says it will offer support, such as a two-year subscription to a credit monitoring service, to everyone whose status card number was affected. (Brenna Owen / The Canadian Press)

Related: First Nations Health Authority, First Nations Health Authority, Toronto Star

The US Justice Department announced that Ukrainian national Mark Sokolovsky pleaded guilty to his involvement in the Raccoon Stealer malware cybercrime operation.

According to the unsealed indictment, Sokolovsky (also known online as raccoon-stealer, Photix, and black21jack77777) was arrested in March 2022 in the Netherlands.

At the same time, the FBI dismantled Raccoon Infostealer's infrastructure in a joint action with law enforcement authorities in the Netherlands and Italy, also taking the malware offline.

Around the time of Sokolovsky's arrest, the Raccoon Stealer cybercrime gang suspended operations, claiming that one of the lead developers had been killed during the invasion of Ukraine. Since then, the operation has been relaunched two times, with new versions featuring new data theft capabilities.

After taking down the malware's infrastructure in March 2022, the FBI collected some of the data stolen by cybercriminals using the malware and created a website that helps anyone check if their data is in the US government's archive of Raccoon Infostealer stolen information. (Sergiu Gatlan / Bleeping Computer)

Related: Justice Department, Cyber Daily

In an advisory, the US Department of Health and Human Services reports that at least one US healthcare entity has fallen victim to a new strain of ransomware called Trinity.

HHS is warning hospitals of the threat posed by the ransomware group, noting that its tactics and techniques make it “a significant threat” to the US healthcare and public health sector.

The department’s Health Sector Cybersecurity Coordination Center “is aware of at least one healthcare entity in the United States that has fallen victim to Trinity ransomware recently,” officials said. The advisory said the ransomware was first spotted around May 2024.

At least seven victims of the Trinity ransomware have been identified so far, two of which are healthcare providers. One is based in the UK, and the other is a US-based gastroenterology services provider that had 330 GB of data stolen. The facility, which was not identified but is listed on Trinity’s leak site, currently has a banner on its website saying it is experiencing technical issues and has limited access to phone systems.

Researchers have reported another incident involving a New Jersey-based dental group.

The advisory notes that the ransomware strain “shares similarities with two other ransomware groups – 2023Lock and Venus — suggesting possible connections or collaborations among these threat actors.” (Jonathan Greig / The Record)

Related: HHS

Cryptocurrency scammers briefly hacked the LEGO website to promote a fake Lego token that could be purchased with Ethereum.

During the breach, the hacker replaced the main banner for the official LEGO website with an image showing crypto tokens branded with the "LEGO" logo and text stating, "Our new LEGO Coin is officially out! Buy the new LEGO Coin today and unlock secret rewards!"

Clicking the "Buy now" link brought visitors to the Uniswap cryptocurrency platform, where you could purchase the LEGO scam token using Ethereum.

According to LEGO Reddit moderator "mescad," the breach occurred at 9 PM EST last Friday and lasted approximately 75 minutes until 10:15 PM ET, when the site was restored.

Overall, the attack failed, with only a few people purchasing the LEGO token for a few hundred dollars. (Lawrence Abrams / Bleeping Computer)

Related: Tech Radar, Engadget, Newsweek, Cybernews, Screen Rant, ReadWrite, PCMag, SC Media, NewsBytes, The Cryptonomist, Gizmodo

The US Supreme Court declined to take on a case concerning the ownership of 69,370 Bitcoin worth $4.38 billion that the US government seized from the dark web marketplace Silk Road.

The request for review was brought by Battle Born Investments, a company that claimed it had purchased rights to the seized Bitcoin through a bankruptcy estate.

The Supreme Court’s refusal to hear the case could clear the US government to sell the stack of Bitcoin.

The US government already moved about $2 billion worth of the Silk Road-linked Bitcoin on July 29. The transfers were tied to the Marshals Service, which uses Coinbase Prime to custody seized cryptocurrencies. (Brayden Lindrea / Cointelegraph)

Related: Decrypt

In September, Apple released the new version of its computer operating system, macOS 15, also known as Sequoia, which broke the functionality of several cybersecurity products, including those made by CrowdStrike and Microsoft.

Three weeks later, on Friday, Apple released the first update to macOS 15, claiming to have fixed those issues. In the macOS 15.0.1 release notes, Apple says that the update “improves compatibility with third-party security software.” (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: Apple, MacRumors, 9to5Mac, NewsBytes, AppleInsider, Macworld, Ars Technica, O'Grady's PowerPage

Best Thing of the Day: Threat Intelligence Researchers Thank You

One of the most influential academics in artificial intelligence, Geoffrey E. Hinton, has been awarded the Nobel Prize in physics for training artificial neural networks and laying the foundations for today’s machine learning applications and will share the 11 million-krona ($1.1 million) award with fellow scientist John J. Hopfield.

Worst Thing of the Day: Oh Goody, More Ransomware Groups

Researchers at Secureworks report a 30% year-over-year rise in active ransomware groups, which they say demonstrates the fragmentation of an established criminal ecosystem.
