Cybersecurity News & Trends – 07-15-22
Curating cybersecurity news and trends from major news outlets, trade pubs and infosec bloggers for the big stories of the week.
SonicWall moved some headlines this week with quotes and mentions from industry publications and general news outlets. Quite a few of the hits were thanks to SonicWall’s President and CEO, Bill Conner, and others are attributed to the Threat Report published earlier this year.
From industry news, Bleeping Computer reports that hackers are impersonating cybersecurity firms in a callback phishing scheme that has netted several victims. From Dark Reading, fake Google software updates are spreading a new ransomware campaign. Krebs On Security is calling out Experian after irregular online account management processes. TechCrunch and The Register report on a substantial healthcare data breach that exposed data from 1.9M patients. And finally, Hacker News and Bleeping Computer report that North Korean hackers are targeting small and midsize businesses with HØlyGhØst ransomware.
And remember, cybersecurity is everyone’s business. Be safe out there!
SonicWall News
Cyber Defense: Bill Conner of SonicWall on the 5 Things Every American Business Leader Should Do to Shield Themselves From A Cyberattack
Authority Magazine, Bill Conner Q&A: As a part of this series, I had the pleasure of interviewing Bill Conner, President and CEO of SonicWall, one of the world’s most trusted network security companies. With a career spanning more than 30 years across high-tech industries — previously leading key divisions of AT&T and managing Nortel’s $9 billion acquisition of Bay Networks and CEO of Entrust — Bill Conner is a corporate turnaround expert and global leader in cybersecurity, data protection and network infrastructure.
Marriott Hotels Suffer Another Data Breach
Intelligent CIO, SonicWall Mention: Bill Conner, CEO and President at SonicWall, also a GCHQ and NCSC advisor, has stated the criticality of this trend: “The recent breach of Marriott International is a stark example of the tireless work cybercriminals undertake to steal personal information. Not only does the Marriott breach damage brand reputation, but it also puts customers in a vulnerable position when sensitive information is compromised like passport numbers, credit card details and more.”
34 top UK Vendor Leaders Outline Channel Priorities
CRN UK, SonicWall Mention: While ConnectWise (2,500), Cisco (2,000), Fujitsu (1,500), Adobe (1,400) and SonicWall (1,200) all work with over 1,000 UK partners, others have narrower UK channels, with Check Point, F5 Networks and Mitel all working with 400 or fewer partners.
Mystery Hacker Says 1 Billion People Exposed In ‘Biggest Hack in History’
The Independent, Bill Conner Quote: “Organizations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all costs,” Bill Conner, CEO of cybersecurity firm SonicWall and adviser to GCHQ and Interpol, told The Independent.
Here Today, Gone to Maui: That’s Your Data Captured by North Korean Ransomware
The Register, Threat Report Mention: “According to SonicWall, there were 304.7 million ransomware attacks in 2021, an increase of 151 percent. In healthcare, the percentage increase was 594 percent.”
Over-Qualified Workers Struggling to Find a Job
BBC, Terry Greer-King Quoted: “They move towards the peak of a pyramid,” explains Terry Greer-King, vice-president of EMEA at cybersecurity firm SonicWall. “As employees gain greater experience, there’s less breadth in terms of opportunities: trying something different would require scaling back down the pyramid.”
Staying Protected Amidst the Cyber Weapons Arms Race
Information Age, Immanuel Chavoya Byline: “Immanuel Chavoya, emerging threat detection expert at SonicWall, discusses how businesses can stay protected against customizable ransomware and the wider cyber weapons arms race.”
Ransomware Gangs Are Turning to Cryptojacking For A Quieter Life
TechMonitor, Terry Greer-King Quoted: “The toolkits from big RaaS gangs such as REvil are becoming much cheaper and easier to use,” agrees Terry Greer-King, vice president for EMEA at SonicWall. “Only a few years ago, they needed to write their own malicious code. Now, anyone with bad intentions can buy a ransomware kit for as little as $50 on the dark web,” he says.
Industry News
Hackers Impersonate Cybersecurity Firms in Callback Phishing Attacks
Bleeping Computer: In a new twist to the ongoing cybersecurity war, hackers pretend to be well-known cybersecurity firms in callback phishing email scams. Many phishing campaigns include links to landing pages that steal login credentials, or emails with malicious attachments that install malware. In this new callback phishing campaign, the hackers impersonate a security company to warn recipients that malicious network intruders have compromised their workstations and that an in-depth security audit is required. These callback phishing campaigns are focused on social engineering, explaining in detail why the callers should be given access to the recipient’s device. In addition, they come complete with a dedicated phone number to schedule the security audit of the workstation.
That’s when the hack begins. The actors (literally what they are now) guide the victims through installing remote administration tools (RATs) that give them complete control over the workstation. With full access, the hackers can remotely install additional tools that allow them to spread laterally through the network, steal corporate data, and potentially deploy ransomware to encrypt devices.
Callback phishing campaigns became standard in 2021 with the launch of the BazarCall phishing campaigns used by the Conti ransomware gang to gain initial access to corporate networks. Since then, callback phishing campaigns have used various lures, including antivirus, support subscriptions, and online course renewals. AdvIntel’s Vitali Kremez told BleepingComputer that the campaign is believed to be conducted by the Quantum ransomware gang, which has launched its own BazarCall-like campaign.
Fake Google Software Updates Spread New Ransomware
Dark Reading: The latest example of fake-service hacks is “HavanaCrypt,” a new ransomware tool that researchers from Trend Micro recently discovered in the wild disguised as a Google Software Update application. According to Trend Micro, the malware’s command-and-control server is hosted on a Microsoft web hosting IP address, which is somewhat uncommon for ransomware.
Researchers also noted HavanaCrypt’s numerous techniques for checking whether it is running within a virtual environment. During encryption, they also noted the malware’s use of code from KeePass Password Safe, an open-source password manager, and its use of the .NET function “QueueUserWorkItem” to speed up encryption. Trend Micro says the malware is likely still in development because it doesn’t drop a ransom note on infected systems.
Experian, You Have Some Explaining to Do
Krebs: KrebsOnSecurity received two reports from readers last month about their Experian accounts being hacked and then updated with an email address that was not theirs. Both cases involved readers using password managers to create strong and unique passwords for their Experian accounts. However, research suggests identity thieves were able to hijack the accounts simply by signing up for new reports at Experian using the victim’s personal information and a different email address.
In a written statement, Experian suggested that what happened to the individuals mentioned in the Krebs report was not an everyday occurrence and that its security and identity verification practices extend beyond what is visible to the user. However, Krebs’s analysis indicates that anyone can replicate the issue at will.
Due to the ongoing risks of identity theft, KrebsOnSecurity has been urging Americans to put a security freeze on all credit files. A credit freeze prevents potential creditors from pulling your credit file. The downside is that you’ll have to release your files to open new lines of credit. But these days, caution is the watchword. To prevent identity thieves from creating accounts and taking control of your identity, Krebs advises his readers to, at minimum, watch each major bureau closely.
1.9M Patient Records: One of 2022’s Biggest Health Data Breaches
TechCrunch: A ransomware attack on a little-known debt collection firm that serves hundreds of hospitals and medical facilities across the U.S. could be one of the most significant data breaches of personal and health information this year. The Colorado-based Professional Finance Company, known as PFC, contracts with “thousands” of organizations to process customer and unpaid patient bills and outstanding balances. On July 1, PFC reported that hackers had hit its servers earlier, in February.
PFC said in its data breach notice that more than 650 healthcare providers were affected by its ransomware attack, adding that the attackers took patient names, addresses, outstanding balances, and information relating to their accounts. In addition, PFC said that in “some cases,” dates of birth, Social Security numbers and health insurance and medical treatment information were also taken by the attackers.
Additionally, The Register reports that PFC confirmed to the U.S. Department of Health and Human Services that more than 1.91 million patients were affected by the cyberattack. Bayhealth Medical Center in Delaware said 17,481 patients were affected by the PFC breach, while Coleman County Medical Center in Texas disclosed that 1,159 of its patients were affected.
The attack on PFC is second only in size to a March 2022 data breach at Shields Health Care Group, a medical imaging company with facilities across New England, affecting an estimated two million patients.
North Korean Hackers Targeting Small and Midsize Businesses with HØlyGhØst Ransomware
The Hacker News: A new threat group in North Korea has been linked with ransomware development and use in cyberattacks against small businesses since September 2021. The group, which calls itself HØlyGhØst after the ransomware payload of the same name, is being tracked by the Microsoft Threat Intelligence Center under the moniker DEV-0530, a designation assigned to an unknown, emerging, or developing group of threat activity. Targeted entities are mainly small-to-midsize companies such as banks, manufacturing organizations, and event-planning companies.
According to Bleeping Computer, the DEV-0530 hackers maintain an Onion (.onion) site that they use to interact with their victims. The group encrypts all files on the target devices using the file extension .h0lyenc, sends the victim a sample of the files as proof, and then demands payment in Bitcoin to restore access to the files. Ransom amounts demanded by DEV-0530 range anywhere between 1.2 and 5 bitcoins – at present value, about $20,000 to $100,000 USD – although analysts report no successful ransom payments from its victims as of July 2022.
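One defensive use of the detail above is a detection rule keyed on the .h0lyenc extension: a process that writes many such files within a short window is a strong sign of encryption in progress. The following Python is an added example, not code from any of the outlets or vendors cited; the audit-log format, the sample lines and the threshold/window values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Extension the HØlyGhØst payload appends to encrypted files (from the report above).
RANSOM_EXT = ".h0lyenc"
# Hypothetical tuning: flag a process that writes this many such files within the window.
THRESHOLD = 5
WINDOW_SECONDS = 60

# Constructed sample lines in an assumed file-event audit format (not a real capture):
# "<ISO timestamp> pid=<pid> op=<create|rename> path=<path>"
SAMPLE_LOG = """\
2022-07-11T09:14:01 pid=4120 op=create path=C:\\Users\\a\\Documents\\q1.xlsx.h0lyenc
2022-07-11T09:14:02 pid=4120 op=create path=C:\\Users\\a\\Documents\\q2.xlsx.h0lyenc
2022-07-11T09:14:02 pid=1337 op=create path=C:\\Users\\a\\Pictures\\cat.jpg
2022-07-11T09:14:03 pid=4120 op=create path=C:\\Users\\a\\Documents\\notes.docx.h0lyenc
2022-07-11T09:14:04 pid=4120 op=create path=C:\\Users\\a\\Desktop\\plan.pdf.h0lyenc
2022-07-11T09:14:05 pid=4120 op=create path=C:\\Users\\a\\Desktop\\todo.txt.h0lyenc
2022-07-11T09:20:00 pid=2201 op=create path=C:\\Temp\\backup.h0lyenc
"""
LINE_RE = re.compile(r"^(\S+) pid=(\d+) op=(\w+) path=(.+)$")

def parse_events(log_text):
    """Parse log lines into (timestamp, pid, path) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, int(m.group(2)), m.group(4)))
    return events

def find_mass_encryption(events, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {pid: peak_count} for processes that produced at least `threshold`
    files ending in RANSOM_EXT within any sliding window of `window` seconds."""
    per_pid = defaultdict(list)
    for ts, pid, path in sorted(events):
        if path.lower().endswith(RANSOM_EXT):
            per_pid[pid].append(ts)
    flagged = {}
    for pid, times in per_pid.items():
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window:
                start += 1  # slide the window forward past old events
            if end - start + 1 >= threshold:
                flagged[pid] = max(flagged.get(pid, 0), end - start + 1)
    return flagged
```

A single stray .h0lyenc file (pid 2201 in the sample) stays below the threshold, so only the process producing a burst of them is reported.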
In Case You Missed It
2022 CRN Rising Female Star – Bret Fitzgerald
Enhance Security and Control Access to Critical Assets with Network Segmentation – Ajay Uggirala
Three Keys to Modern Cyberdefense: Affordability, Availability, Efficacy – Amber Wolff
BEC Attacks: Can You Stop the Imposters in Your Inbox? – Ken Dang
SonicWall CEO Bill Conner Selected as SC Media Excellence Award Finalist – Bret Fitzgerald
Cybersecurity in the Fifth Industrial Revolution – Ray Wyman
What is Cryptojacking, and how does it affect your Cybersecurity? – Ray Wyman
Why Healthcare Must Do More (and Do Better) to Ensure Patient Safety – Ken Dang
SonicWall Recognizes Partners, Distributors for Outstanding Performance in 2021 – Terry Greer-King
Anti-Ransomware Day: What Can We Do to Prevent the Next WannaCry? – Amber Wolff
CRN Recognizes Three SonicWall Employees on 2022 Women of the Channel List – Bret Fitzgerald
Enjoy the Speed and Safety of TLS 1.3 Support – Amber Wolff
Four Cybersecurity Actions to Lock it All Down – Ray Wyman
Understanding the MITRE ATT&CK Framework and Evaluations – Part 2 – Suroop Chandran
Five Times Flawless: SonicWall Earns Its Fifth Perfect Score from ICSA Labs – Amber Wolff
NSv Virtual Firewall: Tested and Certified in AWS Public Cloud – Ajay Uggirala
How SonicWall’s Supply-Chain Strategies Are Slicing Wait Times – Amber Wolff
SonicWall SMA 1000 Series Earns Best-Of Enterprise VPNs Award from Expert Insights – Bret Fitzgerald
World Backup Day: Because Real Life Can Have Save Points Too – Amber Wolff
CRN Honors SonicWall With 5-Star Rating in 2022 Partner Program Guide – Bret Fitzgerald
Cyberattacks on Government Skyrocketed in 2021 – Amber Wolff