Frontier Communications Faces Data Breach Impacting 750,000 Customers
Frontier Communications, a prominent U.S. telecom provider, is alerting 750,000 customers about a data breach following a mid-April 2024 cyberattack by the RansomHub ransomware group. The attack led to unauthorized access to customers’ personal information, including full names and Social Security Numbers. Although no financial data was compromised, the breach has raised significant concerns. Frontier detected the breach on April 14, 2024, and has since taken steps to enhance network security and notified regulatory authorities. Impacted customers are being offered one year of free credit monitoring and identity theft protection services through Kroll.
In the wake of the attack, Frontier had to temporarily shut down some systems, causing internet outages for many users. RansomHub has threatened to leak the stolen data unless their demands are met by June 14, 2024. Customers are advised to remain vigilant, reset passwords, and monitor financial accounts closely.
Black Basta Exploits Windows Zero-Day Vulnerability for Ransomware Attacks
The Black Basta ransomware gang has been linked to a zero-day exploitation of a Windows privilege escalation vulnerability (CVE-2024-26169). This high-severity flaw (CVSS v3.1: 7.8) in the Windows Error Reporting Service allows attackers to elevate their privileges to SYSTEM level.
Microsoft addressed this issue on March 12, 2024, in their Patch Tuesday updates. However, Symantec’s report indicates that the Black Basta gang, associated with the Cardinal cybercrime group, exploited the flaw before it was fixed. They deployed the CVE-2024-26169 exploit tool after initial infections using the DarkGate loader, a method they’ve employed since the QakBot takedown.
The exploit tool manipulates the Windows file werkernel.sys to create a registry key, launching a shell with SYSTEM privileges. Findings show the tool was in use up to 85 days before the patch, suggesting active exploitation. To defend against such attacks, users are urged to apply the latest Windows security updates promptly.
Police Arrest Specialist Behind Conti and LockBit Ransomware Crypters
Ukrainian cyber police have arrested a 28-year-old Russian man in Kyiv for his role in assisting the Conti ransomware and LockBit ransomware operations. Known for making malware undetectable by antivirus software, the suspect also conducted at least one attack himself. The arrest, which took place on April 18, 2024, was part of ‘Operation Endgame,’ a coordinated effort to dismantle botnets and apprehend their operators.
The investigation, supported by information from Dutch police, linked the suspect to a ransomware attack on a Dutch multinational. The arrested individual specialized in developing custom crypters that rendered ransomware payloads fully undetectable (FUD), significantly aiding the cybercrime syndicates. Additionally, the man was found to have sold his crypting services to both Conti and LockBit, boosting their success rates on breached networks.
During searches in Kyiv and the Kharkiv region, authorities seized computer equipment, mobile phones, and handwritten notes. Charged under Part 5 of Article 361 of the Ukrainian Criminal Code, the suspect faces up to 15 years in prison. The investigation into his activities and involvement in ransomware attacks continues.
Phishing Emails Exploit Windows Search Protocol to Distribute Malware
A new phishing campaign has been discovered that uses HTML attachments to abuse the Windows search protocol (search-ms URI) to distribute malicious scripts. The Windows Search protocol is a Uniform Resource Identifier (URI) scheme that lets applications launch searches with specific parameters in Windows Explorer; attackers exploit it to push batch files from remote servers. The attack begins with a phishing email containing an HTML attachment disguised as an invoice inside a ZIP archive, which helps it evade antivirus scans. When the HTML file is opened, it uses the <meta> refresh tag to automatically redirect the browser to a malicious URL. If the redirect fails, an anchor tag provides a clickable link to the malicious URL as a fallback.
The URL initiates a Windows Search on a remote host, displaying a single shortcut (LNK) file named as an invoice. When clicked, this shortcut triggers a batch script (BAT) hosted on the server, potentially executing malicious operations. Trustwave SpiderLabs researchers recommend mitigating this threat by deleting the registry entries associated with the search-ms/search URI protocol handlers, though caution is advised because this may break legitimate applications that rely on them:
reg delete HKEY_CLASSES_ROOT\search /f
reg delete HKEY_CLASSES_ROOT\search-ms /f
This proactive measure helps prevent the abuse of the Windows Search protocol in such phishing attacks.
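For mail-gateway or sandbox triage, the two redirect paths described above (meta refresh and anchor fallback) can be pulled out of an HTML attachment and the search-ms parameters decoded. The following is an added example written for this article, not code from Trustwave or the campaign; the sample HTML, the host example.invalid and the names in it are constructed placeholders, not indicators from the report.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote

# Constructed sample attachment modelled on the technique: a meta refresh to a
# search-ms: URI with an anchor tag as fallback. Host/names are placeholders.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=search-ms:query=INVOICE&amp;crumb=location:\\\\example.invalid\\share&amp;displayname=Downloads">
</head><body>
<a href="search-ms:query=INVOICE&amp;crumb=location:\\\\example.invalid\\share&amp;displayname=Downloads">Open invoice</a>
</body></html>"""

# Both handlers the article's mitigation removes (search-ms: and search:).
SUSPICIOUS_SCHEMES = ("search-ms", "search")


class _RedirectCollector(HTMLParser):
    """Collects targets from <meta http-equiv="refresh"> and <a href>. Entity
    references such as &amp; are decoded by HTMLParser before we see them."""

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (source, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=<target>"; keep only the target part
            m = re.search(r"url\s*=\s*(.+)$", a.get("content") or "", re.I)
            if m:
                self.targets.append(("meta-refresh", m.group(1).strip().strip("'\"")))
        elif tag == "a" and a.get("href"):
            self.targets.append(("anchor", a["href"]))


def find_search_protocol_urls(html):
    """Return (source, url) pairs whose scheme is a Windows Search protocol."""
    p = _RedirectCollector()
    p.feed(html)
    return [t for t in p.targets if t[1].lower().split(":", 1)[0] in SUSPICIOUS_SCHEMES]


def describe_search_uri(uri):
    """Decode the search-ms parameters an analyst cares about. The scheme is
    followed directly by key=value pairs; crumb=location:\\\\host points the
    search at a remote share, which is the red flag in this campaign."""
    _, _, rest = uri.partition(":")
    params = parse_qs(rest, keep_blank_values=True)
    crumb = unquote(params.get("crumb", [""])[0])
    return {
        "query": params.get("query", [""])[0],
        "crumb": crumb,
        "displayname": params.get("displayname", [""])[0],
        "remote_location": crumb.lower().startswith("location:\\\\"),
    }
```

A hit with remote_location set to True is the case worth quarantining; a search-ms: URI pointing at a local crumb is what legitimate applications use.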
Ascension Hacked After Employee Downloaded Malicious File
Ascension, a major U.S. healthcare system, revealed that a ransomware attack in May 2024 was caused by an employee mistakenly downloading a malicious file. The attack disrupted the MyChart electronic health records system, phones, and various ordering systems, forcing the healthcare provider to take devices offline on May 8.
The incident led to manual tracking of procedures and medications, pausing non-emergent procedures and tests, and diverting emergency services. An investigation found that attackers accessed and stole data from only seven of the approximately 25,000 servers, potentially including Protected Health Information (PHI) and Personally Identifiable Information (PII).
Although Ascension is still restoring affected services, there is no evidence that Electronic Health Records (EHR) systems were compromised. The Black Basta ransomware gang is suspected to be behind the attack. Ascension operates 140 hospitals, 40 senior care facilities, and reported $28.3 billion in revenue for 2023.
Conclusion
In conclusion, the cyber landscape is fraught with various threats, from zero-day vulnerabilities to ransomware attacks and phishing campaigns. Staying vigilant and implementing robust security measures is essential to safeguard sensitive data.
As experts in ransomware recovery and cybersecurity, we offer specialized services such as Ransomware Recovery Services, Ransomware Negotiation Services, and Ransomware Settlement Services. If your organization requires assistance in recovering from a ransomware attack or bolstering its cybersecurity defenses, contact us today.