Cybercrime , Fraud Management & Cybercrime , Incident & Breach Response
Breach Roundup: Meta Debuts Messenger End-to-End Encryption
Also, AeroBlade Cyberespionage Targets US Aerospace; Nissan Probes Cyber IncidentEvery week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, Meta debuted end-to-end encryption on Messenger, AeroBlade cyberespionage targeted U.S. aerospace, Trojan-Proxy threatened cracked apps, Tipalti investigated a ransomware attack, a Pennsylvania hospital faced lawsuits, Nissan probed a cyber incident and the U.S. FCC teamed up with states.
See Also: The Expert Guide to Mitigating Ransomware & Extortion Attacks
Meta Debuts End-to-End Encryption on Messenger
The social media giant on Wednesday said it had rolled out long-promised default end-to-end encryption for its Messenger chat function. "Nobody, including Meta, can see what's sent or said, unless you choose to report a message to us," wrote Loredana Crisan, head of Messenger.
Meta and other online platforms have felt pressure from governments, particularly in the United Kingdom, to not encrypt communications or do so in a way that would leave them open to law enforcement. "We must be honest that in our view, this is a significant step back," Home Secretary James Cleverly said, the BBC reported. The British government approved this legislation, which has the potential to force messaging platforms such as Meta-owned WhatsApp and Signal to weaken encryption in the interests of stopping child sexual abuse material from propagating. Both firms have said they will withdraw from the U.K. market rather than do so (see: UK Parliament Approves Online Safety Bill).
In the United States, the government for decades has alternated between pressuring industry to give it backdoor access to encrypted communications and accepting encryption's benefits begrudgingly. Advocates of end-to-end encryption say its privacy protections prevent mass government surveillance and stymie hackers from extracting sensitive information from private conversations.
Signal President Meredith Whittaker has pushed back on the narrative that child abuse is primarily an online problem, telling interviewers that the "majority of child abuse happens in the family. When it doesn't happen in the family, it is perpetrated most likely by somebody who has been entrusted as an authority figure to care for children."
AeroBlade Cyberespionage Targets US Aerospace Sector
A previously unknown cyberespionage group dubbed AeroBlade by BlackBerry is targeting organizations in the U.S. aerospace sector. A two-phase campaign, operational in September 2022 and July, used spear-phishing with weaponized documents for initial network access, deploying a reverse-shell payload capable of data theft, BlackBerry said.
In the initial phase, phishing emails with Word attachments used remote template injection to download the second-stage malicious file, a document template .dotm
file. Malicious macros in the second stage created a reverse shell connecting to the attacker's command-and-control server. The heavily obfuscated DLL payload featured anti-analysis mechanisms, including sandbox detection and API hashing. Establishing persistence via the Windows Task Scheduler, the payload ensured survival through system reboots.
The 2023 samples proved more sophisticated than the previous campaign in September 2022, indicating the threat actors' ongoing refinement of tools. While the 2022 attempts focused on testing intrusion and infection chains, the 2023 attacks aimed at advanced data exfiltration. The origin and precise objectives of AeroBlade remain unknown. BlackBerry speculates motives such as selling stolen data, providing it to international aerospace competitors, or using information for extortion. The consistent use of the same lure documents and command-and-control IP address suggests a coordinated effort by the threat actors.
Trojan-Proxy Threat in Cracked Apps Uncovered
Kaspersky security researchers discovered Trojan-Proxy malware used to build proxy networks hiding in cracked applications distributed on unauthorized websites.
Users who look for free versions of proprietary software on the internet are easy marks for cybercriminals since they're already disposed to downloading executables from dodgy websites. Kaspersky said it has spotted infected software available in the form of a .pkg
file for MacOS computers. Unlike disc images, .pkg
files "can run scripts before and after actual installation."
The malware asks for administrator permissions - and since "an installer often requests administrator permissions to function, the script run by the installer process inherits those."
Other versions target Android, and Windows, all connecting to the same command-and-control server. Anti-malware vendors have not flagged any as malicious.
Tipalti Investigates Ransomware Attack
Major accounting software provider Tipalti is investigating a reported ransomware attack following extortion attempts by the BlackCat/Alphv gang. The California-based company has a customer base of 3,500, which includes Roblox and Twitch. Tipalti acknowledged the data breach claims and said it is investigating.
Pennsylvania Hospital Faces Lawsuits Over Data Breach
Warren General Hospital in Pennsylvania faces two proposed federal class action lawsuits following the disclosure of a data theft incident affecting nearly 170,000 individuals. The 85-bed acute care facility reported detecting suspicious activity on its network on Sept. 24, when an unknown actor accessed its computer systems for more than a week. Between Sept 15 and Sept. 23, a threat actors downloaded data including names, addresses, Social Security numbers, financial details and medical information. WGH collaborated with cybersecurity specialists and reported the incident to federal law enforcement. Two lawsuits allege negligence and breach of implied contract, seeking monetary damages and an injunctive order for improved data security practices. WGH did not respond to a request for comment.
Nissan Probes Cyber Incident
Japanese carmaker Nissan is probing a cyber incident affecting its financial systems in Australia and New Zealand, potentially compromising customer data. The incident, which extends to Nissan Financial Services and affects some dealer systems, is under investigation.
FCC Partners With States
The U.S. Federal Communications Commission announced Wednesday an initiative to strengthen cooperation between the commission and its state partners on privacy, data protection and cybersecurity enforcement. FCC Chairwoman Jessica Rosenworcel said the attorneys general of Connecticut, Illinois, New York and Pennsylvania have signed a memorandum of understanding. The pact means that federal and state investigators can share records, witness interviews, review consumer complaints and collaboratively take other critical steps to build a record against bad actors. "These new partnerships can provide critical resources for building cases and coordinating efforts to protect consumers and businesses nationwide," the FCC said.
With reporting from ISMG's Jayant Chakravarti in Pune, India; Marianne Kolbasuk McGee in the Boston exurbs; Prajeet Nair in Bengaluru, India; Mihir Bagwe in Mumbai, India; and David Perera in Washington, D.C.