RIBridges System Data Breach: Impact on Rhode Island Residents
Rhode Island’s RIBridges system, an integrated platform for managing public assistance programs, recently experienced a significant data breach following a ransomware attack by the Brain Cipher ransomware group. Managed by Deloitte, the system was taken offline on December 13, 2024, to address the threat and safeguard sensitive information. Investigations revealed that personal details, including names, Social Security numbers, and some banking information, were likely stolen.
Programs impacted include Medicaid, SNAP, TANF, and other public-assistance programs. Authorities advise affected residents to reset passwords, monitor their bank accounts for unauthorized activity, and consider credit monitoring. Deloitte is cooperating with law enforcement and says it is working to restore the system. Meanwhile, Rhode Islanders can still apply for programs on paper. Letters are being sent to affected households, and a dedicated helpline has been set up for support. The breach shows how much public-assistance delivery now depends on a single digital platform.
Texas Tech University System Data Breach Exposes 1.4 Million Patients’ Data
The Texas Tech University Health Sciences Center (TTUHSC) and its El Paso counterpart experienced a significant cyberattack in September 2024, potentially compromising sensitive data for 1.4 million individuals. This public academic health institution, part of the Texas Tech University System, confirmed that unauthorized access occurred between September 17 and 29, leading to the theft of files containing highly sensitive information.
Exposed data varies by individual and may include personal identifiers such as Social Security numbers, medical diagnoses, and treatment details. Impacted individuals are being notified and offered free credit monitoring services.
The attack, attributed to the Interlock ransomware group, reportedly resulted in 2.6 TB of stolen data, which the group has since leaked online. Affected patients are urged to monitor their accounts for suspicious activity, review health insurance statements for services they did not receive, and remain vigilant against phishing attempts that reuse the leaked details.
HiatusRAT Malware Targets Web Cameras and DVRs with Brute-Force Attacks
The FBI has issued a warning about HiatusRAT malware attacks exploiting vulnerabilities in web cameras and DVRs, primarily targeting Chinese-branded devices. The attacks go after unpatched systems and devices that have reached end of life, focusing on vulnerabilities such as CVE-2017-7921 (an authentication bypass in Hikvision cameras) and CVE-2020-25078 (an unauthenticated administrator-password disclosure in D-Link cameras).
Threat actors use Medusa, an open-source parallel login brute-forcer, against weak or default passwords on devices that expose TCP ports such as 23 (Telnet), 8080 (alternate HTTP) and 554 (RTSP) to the internet. Hikvision and Xiongmai devices are the primary targets. Once compromised, infected devices are turned into SOCKS5 proxies that relay command-and-control traffic, enabling the attackers to deploy additional payloads.
The FBI advises isolating vulnerable devices or restricting their network access, retiring end-of-life hardware, and enforcing stronger password policies to blunt brute-force attacks; it also asks that indicators of compromise be reported. The campaign marks a shift from HiatusRAT's earlier targeting of edge routers to consumer IoT devices, which aligns with the operators' broader strategic interests.
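Two of the behaviours described above are visible in ordinary network telemetry: a single source hammering the camera login ports, and a camera that suddenly accepts SOCKS5 handshakes. The following script is an added example, not code from the FBI notice or from any vendor tool; the firewall log format and the sample lines are constructed for illustration, and the thresholds are assumptions to tune per environment.

```python
"""Added example: two checks for the HiatusRAT tradecraft described above.

1. find_bruteforce: flag sources making many connections to camera/DVR
   login ports on one device within a short window.
2. is_socks5_greeting: recognise a SOCKS5 client greeting (RFC 1928). A stock
   camera or DVR never answers one; a HiatusRAT-infected device does.
The log format and sample lines below are constructed, not real traffic.
"""
from collections import defaultdict
from datetime import datetime

# Services the FBI notice names as exposed on targeted cameras and DVRs:
# Telnet (23), alternate HTTP (8080) and RTSP (554).
IOT_LOGIN_PORTS = {23, 8080, 554}

# Constructed firewall log. Assumed format (one event per line):
# <ISO timestamp> <src ip> <dst ip> <dst port> <action>
SAMPLE_LOG = """\
2024-12-16T10:00:01 203.0.113.7 192.0.2.10 23 ACCEPT
2024-12-16T10:00:03 203.0.113.7 192.0.2.10 23 ACCEPT
2024-12-16T10:00:04 203.0.113.7 192.0.2.10 23 ACCEPT
2024-12-16T10:00:06 203.0.113.7 192.0.2.10 23 ACCEPT
2024-12-16T10:00:07 203.0.113.7 192.0.2.10 23 ACCEPT
2024-12-16T10:00:09 203.0.113.7 192.0.2.10 23 ACCEPT
2024-12-16T10:05:00 203.0.113.7 192.0.2.11 554 ACCEPT
2024-12-16T10:07:00 198.51.100.5 192.0.2.10 443 ACCEPT
2024-12-16T11:00:00 198.51.100.5 192.0.2.10 23 ACCEPT
2024-12-16T12:00:00 198.51.100.5 192.0.2.10 23 ACCEPT
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, src, dst, dport, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Return {(src, dst, dport): total_attempts} for every source that made at
    least `threshold` connections to one IoT login port on one device within any
    `window_seconds` span. Two retries an hour apart (198.51.100.5 in the sample)
    deliberately stay below the threshold; the bucket size still lets an analyst
    see them."""
    buckets = defaultdict(list)
    for ts, src, dst, dport, _action in events:
        if dport in IOT_LOGIN_PORTS:
            buckets[(src, dst, dport)].append(ts)
    hits = {}
    for key, times in buckets.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits in window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = len(times)
                break
    return hits


def is_socks5_greeting(payload: bytes) -> bool:
    """True if `payload` is a well-formed SOCKS5 client greeting: VER=0x05,
    NMETHODS=n (at least 1), followed by exactly n authentication-method bytes.
    Seeing this arrive at a camera means something on it is listening as a
    SOCKS5 server, which is the proxy behaviour described above."""
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    n_methods = payload[1]
    return n_methods >= 1 and len(payload) == 2 + n_methods


if __name__ == "__main__":
    for (src, dst, port), count in find_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(f"brute-force suspect: {src} -> {dst}:{port} ({count} attempts)")
    print("SOCKS5 greeting seen:", is_socks5_greeting(b"\x05\x01\x00"))
```

The brute-force check keys on (source, device, port) rather than on source alone so that a scanner sweeping one port across many cameras and a password-guesser fixated on one camera both surface with their own counts. The SOCKS5 check is a first-packet signature; pair it with the response (first byte 0x05 from the camera) before escalating, since a scanner can send the greeting to anything.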
Beware of Phishing Emails Targeting Ledger Wallet Users
A new phishing scam targeting Ledger hardware wallet users is attempting to steal recovery phrases by masquerading as a data breach alert. These fraudulent emails claim that Ledger has experienced a security breach exposing recovery phrases, urging recipients to verify their phrase via a “secure” link.
Victims who click the link are redirected to a fake website resembling Ledger’s official site. This phishing page prompts users to input their 12, 18, or 24-word recovery phrase, which attackers then harvest to access cryptocurrency wallets and steal funds.
To protect yourself, never share your recovery phrase online or enter it on any website or app. Always type ledger.com directly into your browser to ensure you’re accessing the legitimate site. Remember, Ledger will never ask for your recovery phrase. Be cautious of unsolicited emails, especially those urging immediate action under the guise of security concerns.
Phishing Campaign Targets 20,000 Microsoft Azure Accounts via HubSpot
A sophisticated phishing campaign has targeted automotive, chemical, and industrial manufacturing companies in Germany and the UK, aiming to steal Microsoft Azure credentials. Using HubSpot’s legitimate Form Builder tool, attackers created deceptive forms to redirect victims to credential-harvesting pages disguised as Microsoft Outlook or Azure login portals.
The campaign, active from June to September 2024, compromised approximately 20,000 accounts through links embedded in DocuSign-branded emails or PDF attachments. The messages slipped past many security tools because the embedded links pointed at HubSpot, a domain with a good reputation, even though the messages themselves failed SPF, DKIM and DMARC checks, a signal that on its own should have been enough to quarantine them.
In successful breaches, attackers connected through VPNs in the victim’s country so that the sign-in location looked normal, then fought “tug-of-war” battles with the account owners over control, resetting the password again each time the victim recovered it.
This incident shows how attackers abuse legitimate SaaS services like HubSpot so that their links inherit a trusted reputation. Organizations are advised to act on SPF, DKIM and DMARC failures rather than only logging them, and to train staff to recognize phishing attempts.
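The defensive point of this story is that link reputation and message authentication have to be read together. The triage function below is an added example, not code from the Unit 42 research or from HubSpot or Microsoft; both messages are constructed, the sender domains are invented, and the list of form-builder hosts is an assumption (share.hsforms.com is HubSpot's form-sharing domain; a real deployment would extend it).

```python
"""Added example: triage a constructed DocuSign-lure e-mail of the kind the
HubSpot campaign used. Rule: a brand lure that fails authentication must be
quarantined even when every link in it resolves to a reputable SaaS host.
Messages, addresses and the form-host list are constructed or assumed.
"""
import email
import re
from email import policy

# Constructed phishing message (invented headers and addresses).
SAMPLE_PHISH = """\
From: DocuSign <dse@example-docs.invalid>
To: finance@example.com
Subject: DocuSign: Completed document is ready for review
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-docs.invalid; dkim=fail; dmarc=fail header.from=example-docs.invalid
Content-Type: text/plain; charset=utf-8

Your document is ready. Review and sign here:
https://share.hsforms.com/1AbCdEfGhIj/aBcDeF
"""

# Constructed legitimate internal message for comparison.
SAMPLE_LEGIT = """\
From: Payroll <payroll@example.com>
To: finance@example.com
Subject: November payroll summary
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
Content-Type: text/plain; charset=utf-8

Summary attached. Portal: https://intranet.example.com/payroll
"""

# Assumed list of free form-builder hosts an attacker can host a lure on.
FORM_BUILDER_HOSTS = {"share.hsforms.com", "hsforms.com"}
# Brands the campaign impersonated in subject lines and display names.
LURE_BRANDS = ("docusign",)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header
    (the last header wins, matching how receivers prepend their own)."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(header):
            results[mech.lower()] = verdict.lower()
    return results


def host_of(url):
    """Hostname of a URL, lowercased, without scheme, path or port."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()


def triage(raw):
    """Return the evidence gathered and a verdict: quarantine, hold-for-review
    or deliver."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    body = msg.get_body(preferencelist=("plain", "html"))
    urls = URL_RE.findall(body.get_content() if body else "")
    form_links = [u for u in urls if host_of(u) in FORM_BUILDER_HOSTS]
    subject_from = f"{msg['Subject'] or ''} {msg['From'] or ''}".lower()
    brand_lure = any(brand in subject_from for brand in LURE_BRANDS)
    auth_failed = any(auth.get(m) == "fail" for m in ("spf", "dkim", "dmarc"))
    # The shape of the HubSpot campaign: brand impersonation, failing
    # authentication, and a hand-off to a free form builder. A trusted link
    # domain alone must not rescue the message.
    if auth_failed and (form_links or brand_lure):
        verdict = "quarantine"
    elif form_links and brand_lure:
        verdict = "hold-for-review"
    else:
        verdict = "deliver"
    return {"auth": auth, "urls": urls, "form_links": form_links,
            "brand_lure": brand_lure, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = triage(raw)
        print(name, result["verdict"], result["auth"], result["form_links"])
```

The second branch matters in practice: a message that passes authentication but still carries a DocuSign lure pointing at a form builder is exactly what a compromised legitimate mailbox sends, so it is held for a human rather than delivered on reputation alone.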
Russian Hackers Exploit RDP in Man-in-the-Middle Attacks
Russian hacking group APT29 has been employing advanced techniques involving Remote Desktop Protocol (RDP) to execute man-in-the-middle (MiTM) attacks, compromising sensitive data and credentials. Using PyRDP, a specialized MiTM tool, attackers intercept RDP sessions, enabling them to access victims’ filesystems, steal clipboard data, and execute malicious scripts in the background.
This campaign targets government, military, and corporate entities across multiple countries, including the U.S., France, and Ukraine. The attackers deploy 193 RDP proxy servers to redirect connections to backend servers under their control, making the sessions appear legitimate.
Victims are tricked by phishing emails into opening an attached RDP configuration (.rdp) file that connects to a rogue server; the file’s settings redirect the victim’s local drives, clipboard and other resources to that server, giving the attackers access to them for the life of the session. APT29 further obscures its infrastructure behind VPNs, TOR nodes, and proxies. To mitigate the risk, block outbound RDP to unverified servers at the network edge, block or quarantine .rdp attachments in email, and treat any unsolicited RDP configuration file as a phishing attempt.
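An .rdp attachment is a plain-text list of `name:type:value` settings, so the resource-redirection and certificate-trust options that make the attack work can be checked statically at the mail gateway or by an analyst. The audit below is an added example and is not code from the Trend Micro or AWS reporting, nor from PyRDP; the two .rdp files are constructed (the hostnames are invented), the field names are standard RDP file settings, and the allowlist of permitted servers is an assumed local policy.

```python
"""Added example: static audit of an .rdp configuration file for the
settings a rogue RDP server relies on. Sample files are constructed;
the allowlist is an assumed site policy.
"""

# Constructed .rdp attachment. Redirecting drives, clipboard, smart cards and
# printers hands them to the remote host; authentication level 0 silences the
# certificate warning a rogue server would otherwise trigger; RemoteApp mode
# hides the fact that a full remote session is running.
MALICIOUS_RDP = """\
full address:s:login.contoso-remote.invalid:3389
username:s:user
authentication level:i:0
prompt for credentials:i:0
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Outlook
"""

# Constructed benign file pointing at an allowlisted internal host.
BENIGN_RDP = """\
full address:s:ts01.corp.example.com
authentication level:i:2
drivestoredirect:s:
redirectclipboard:i:0
"""

# Assumed policy: the only RDP hosts users may connect to from .rdp files.
ALLOWED_RDP_HOSTS = {"ts01.corp.example.com", "ts02.corp.example.com"}


def parse_rdp(text):
    """Parse 'name:type:value' lines into {name: (type, value)}. Values may
    contain colons (host:port), so split only on the first two."""
    settings = {}
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3:
            name, typ, value = parts
            settings[name.strip().lower()] = (typ, value.strip())
    return settings


def audit_rdp(text, allowed_hosts=ALLOWED_RDP_HOSTS):
    """Return a list of (severity, finding). An empty list means nothing was
    flagged; any 'high' finding justifies blocking the attachment."""
    s = parse_rdp(text)
    findings = []
    host = s.get("full address", ("s", ""))[1].split(":")[0].lower()
    if not host:
        findings.append(("high", "no target server specified"))
    elif host not in allowed_hosts:
        findings.append(("high", f"target server not allowlisted: {host}"))
    # Non-empty drivestoredirect ('*' or a drive list) exposes local files.
    if s.get("drivestoredirect", ("s", ""))[1]:
        findings.append(("high", "local drives redirected to remote server"))
    for key, label in (("redirectclipboard", "clipboard"),
                       ("redirectsmartcards", "smart cards"),
                       ("redirectprinters", "printers")):
        if s.get(key, ("i", "0"))[1] == "1":
            findings.append(("medium", f"{label} redirected to remote server"))
    # 0 = connect without warning if the server certificate fails validation.
    if s.get("authentication level", ("i", "2"))[1] == "0":
        findings.append(("medium", "server certificate warnings suppressed"))
    if s.get("remoteapplicationmode", ("i", "0"))[1] == "1":
        findings.append(("medium", "RemoteApp mode hides the remote desktop"))
    return findings


if __name__ == "__main__":
    for name, text in (("malicious", MALICIOUS_RDP), ("benign", BENIGN_RDP)):
        print(name)
        for severity, finding in audit_rdp(text):
            print(f"  [{severity}] {finding}")
```

The allowlist check does most of the work against this campaign: a relay in front of 193 proxy hosts cannot be on it. The redirection checks remain useful on their own, because an .rdp file that points at a legitimate server but redirects all drives is still a data-exfiltration path if that server is later compromised.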
Romanian NetWalker Affiliate Sentenced for Ransomware-as-a-Service Crimes
Daniel Christian Hulea, a Romanian affiliate of the NetWalker ransomware operation, has been sentenced to 20 years in prison after pleading guilty to charges arising from his ransomware-as-a-service activity. Hulea was part of a global network that deployed NetWalker ransomware against hospitals, schools, and municipal services, extorting victims during the COVID-19 pandemic.
Court documents show that Hulea profited significantly from these ransomware-as-a-service operations, collecting nearly $21.5 million in bitcoin payments. Investigations have also uncovered links between NetWalker and Alpha ransomware, suggesting that NetWalker’s code has been reused in newer ransomware variants.
As part of his sentence, Hulea must forfeit over $21 million in assets, including a luxury Bali resort funded through ransomware proceeds. The case underscores the ongoing threat posed by ransomware-as-a-service models, which empower cybercriminals to deploy evolving ransomware variants to devastating effect.
Krispy Kreme Targeted by Play Ransomware in Recent Cyberattack
The Play ransomware gang has claimed responsibility for a November cyberattack on Krispy Kreme that disrupted its online ordering system and impacted business operations. The company, which generates 15.5% of its sales through digital orders, reported the breach in a recent SEC filing. Krispy Kreme quickly responded by enlisting cybersecurity experts to investigate and secure its systems.
Play ransomware operators allege they stole sensitive data, including financial records, payroll information, and confidential client documents, threatening to release the data as part of their double-extortion strategy. Known for targeting high-profile victims, Play ransomware has previously attacked organizations such as Rackspace and the City of Oakland.
This incident underscores the persistent threat of Play ransomware, which has been active since 2022, leveraging stolen data to pressure victims into ransom payments. Businesses are reminded to prioritize cybersecurity measures to defend against these increasingly common attacks.
Suspected LockBit Developer Charged for Role in Ransomware Operations
The US Department of Justice has charged Rostislav Panev, a dual Russian-Israeli national, for his involvement in developing the LockBit ransomware and its data theft tool, StealBit. Panev is accused of managing infrastructure used by the LockBit gang and collaborating on ransomware customizations, including work that incorporated elements of the Conti ransomware source code.
Israeli authorities discovered LockBit and Conti source code, as well as credentials for LockBit’s control panel, on Panev’s computer at the time of his arrest. This repository allegedly contained tools used by LockBit affiliates to create tailored ransomware builds for victims. Panev reportedly earned over $230,000 in cryptocurrency during his tenure with the group, receiving monthly payments laundered through illicit services.
Panev is the latest to be charged in the global crackdown on LockBit, which continues to disrupt the gang’s operations. Investigators also linked the development of “LockBit Green” to a repurposed Conti encryptor.
Conclusion
The incidents above, from the ransomware attacks on Krispy Kreme, RIBridges and Texas Tech to the charges against LockBit and NetWalker personnel, underscore the critical need for proactive cybersecurity measures. Organizations must remain vigilant and adopt robust security controls to mitigate these evolving threats.
As experts in ransomware recovery and cybersecurity, we provide tailored solutions, including Ransomware Recovery Services, Ransomware Negotiation Services, and Ransomware Settlement Services. If your organization has been affected by ransomware or seeks to strengthen its defenses, contact us today to regain control and safeguard your systems.