Breach Roundup: Zeus Banking Trojan Leader Pleads Guilty
Also: Polish Prime Minister Says Previous Administration Deployed Pegasus Spyware
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, the Zeus leader pleaded guilty, Prudential detected hackers, U.S. telecoms have to report breaches, Microsoft patched zero-days, researchers said Chinese threat intel is faulty, ransomware hit Romanian healthcare entities, Juniper was breached and Poland allegedly previously used Pegasus.
Zeus Banking Trojan Leader Pleads Guilty
The accused leader of the Zeus cybercrime group pleaded guilty in U.S. federal court to charges that include his leadership role in spreading BokBot malware.
Ukrainian national Vyacheslav Igorevich Penchukov - alias Vyacheslav Andreev and "Tank" - pleaded guilty to one count of conspiracy to commit a racketeer-influenced and corrupt organizations offense for his role in the Zeus group and one count of conspiracy to commit wire fraud related to his BokBot activities. The 37-year-old faces up to 40 years in prison.
Swiss authorities arrested Penchukov in 2022 at the behest of U.S. authorities (see: Arrest of Ukrainian in Cybercrime Case Shows Patience Pays).
The Zeus banking Trojan, first detected in 2009, allowed financially motivated hackers to obtain bank information including logon credentials, resulting in millions of dollars in losses for victims, the Department of Justice said.
In 2018, Penchukov led a new effort to distribute BokBot, also known as IcedID. The malware stole credentials but also acted as an initial access vector for ransomware. When the University of Vermont Medical Center was hit by BokBot, the incident caused $30 million in losses "and left the medical center unable to provide many critical patient services for over two weeks, creating a risk of death or serious bodily injury to patients," the Justice Department said.
Cybersecurity reporter Brian Krebs reported in 2022 that Penchukov had been able to avoid prosecution in Ukraine for years through political connections he had with the family of Russia-aligned former Ukrainian President Viktor Yanukovych. The FBI listed Penchukov on its most wanted list for nearly a decade.
Prudential Financial Detects Hacking Incident
Prudential Financial disclosed Monday to U.S. federal regulators that hackers, likely cybercriminals, had gained unauthorized access to "administrative and user data from certain information technology systems" as well as a "small percentage" of employee and contractor user accounts.
The company said it had not permitted the threat actor to linger long. Prudential said it had detected the Feb. 4 breach the next day and "immediately" activated a cyber incident response plan.
Prudential serves over 50 million customers globally, providing insurance, retirement planning and wealth management services.
FCC Gives Telecoms Deadline for Reporting Data Breaches
The U.S. Federal Communications Commission said a December update to data breach reporting rules for telecoms will go into effect within a month. In a Monday update to its December party-line vote to require telecoms to report any breach involving personally identifiable information, the agency said it will expect compliance starting on March 13.
In approving the updated rules, which are outlined in a report and order, the agency said data breaches have grown in frequency and severity over the past two decades. Under rules in effect for the past 16 years, the agency required telecoms to only report breaches involving subscriber data - officially known as "customer proprietary network information." CPNI includes information such as dialed telephone number, call duration and call time. The FCC broadened the definition of a breach to include "inadvertent access, use, or disclosure of customer information" except in cases in which a telecom employee acquires the information in good faith and the data is not improperly used.
Microsoft's February 2024 Patch Tuesday
Microsoft's February 2024 Patch Tuesday addresses 73 security vulnerabilities, including two zero-days actively being exploited in the wild.
The first, tracked as CVE-2024-21351, has a CVSS score of 7.6 and is a Windows SmartScreen security feature bypass vulnerability. It allows malicious actors to inject code into SmartScreen, potentially leading to data exposure or system unavailability.
The other zero-day, tracked as CVE-2024-21412, has a CVSS score of 8.1 and is an Internet Shortcut Files security feature bypass vulnerability. An attacker can exploit it to send a crafted file to bypass security checks, requiring user interaction to execute.
Another flaw, tracked as CVE-2024-21413, has a CVSS score of 9.8 and is a Microsoft Outlook remote code execution vulnerability. Successful exploitation enables attackers to bypass Office Protected View and gain high privileges.
Chinese Cyberespionage Allegations Lack Technical Evidence
Threat intelligence reports emanating from Chinese sources lack technical evidence that would give them credibility, said researchers at Sentinel Labs. In a Monday analysis, the cybersecurity company said state secrecy laws likely stymie Chinese cybersecurity firms from publishing technical data, but "claims of U.S. hacking without supporting technical are derided - and rightfully so."
As an example of China's substandard reporting, the researchers cite a September 2022 report alleging that the U.S. National Security Agency hacked a university that conducts aerospace and space research and has ties with the Chinese military. State-linked cybersecurity firm Qihoo 360 and the National Computer Virus Emergency Response Center - known as CVERC - published a report that "redacted half of each IP number and the last two digits of each calendar date in the report." The IP redaction was likely made to comply with state secrecy laws, while hiding the dates was likely an attempt "to hide that the alleged operation would have been more than a decade old at the time of the report's publication."
"Analysts should not lower their standards to help the PRC achieve its objective of changing global public opinion on Chinese and US hacking. Instead, claims made by Chinese firms and the government should be held to the same, rigorous analytical standards the global cybersecurity community has self-imposed," the report says.
Romanian Healthcare Facilities Feel Effects of Ransomware Hit
The Romanian National Cyber Security Directorate said approximately 100 medical facilities had been affected by a ransomware attack on a third-party healthcare management system - either directly or because they went offline as a precaution.
The directorate said no specific group has claimed responsibility for encrypting the servers of Hippocrates Information System but that the attackers had used Backmydata ransomware, a variant of the Phobos ransomware family. Hackers have demanded a ransom of 3.5 BTC, which is approximately $171,000. The authorities recommended that hospitals not pay any ransom.
Juniper Support Portal Breach
Juniper Networks' support portal recently exposed customer data - including product details, warranty status and serial numbers - due to a support portal upgrade.
KrebsOnSecurity first reported the inadvertent data exposure. The exposed data included device model and serial numbers, location, status and support contract details. Juniper Networks said identifiable customer data wasn't compromised. The company is investigating the root cause of the defect. The misconfiguration likely originated from a Salesforce-backed support website upgrade announced in September 2023.
Polish PM Says Previous Administration Used Pegasus Spyware
New Polish Prime Minister Donald Tusk said on Tuesday that he possesses proof of the previous government's illegal use of Pegasus spyware that contains a substantial list of hacking victims. Tusk claimed the spyware, which allows access to a mobile device's data, was deployed unlawfully during the administration headed by the populist right-wing party Law and Justice.
Tusk made the announcement during a news briefing alongside Polish President Andrzej Duda, a political opponent aligned with the previous government. Tusk said he had asked the justice minister and prosecutor general to provide Duda with documents that "confirm 100% the purchase and use of Pegasus in a legal and illegal manner," The Associated Press reported.
Tusk, who assumed power in December after Law and Justice's eight-year rule, said that a special parliamentary commission is investigating the government's use of spyware.
The European Parliament in June accused Hungary, Poland and Greece of violations of European Union law for their use of commercial spyware against opposition figures and others (see: European Parliament Condemns Commercial Spyware).
Other Coverage From Last Week
- Hackers Are Exploiting a Critical FortiOS SSL VPN Bug
- North Korean Hackers Target South Korean President's Office
- Hackers Try to Extort $50 From Child; 2 Million More at Risk
- Hack at Software Services Firm Affects 57,000 BoA Customers
- Account Takeover Campaign Hits Execs in Microsoft Azure
- Ransomware Disrupts Hospital Services in Romania and France
With reporting from Information Security Media Group's Mihir Bagwe in Mumbai, India, and David Perera in Washington, D.C.