Cox Fixes API Vulnerability Exposing Millions of Modems to Attacks
Cox Communications recently addressed a critical authorization bypass vulnerability that left millions of their modems susceptible to remote attacks. Discovered by bug bounty hunter Sam Curry, this flaw allowed attackers to exploit backend APIs, reset modem settings, and access sensitive customer information. As the largest private broadband provider in the U.S., Cox serves nearly seven million homes and businesses across over 30 states. This vulnerability granted attackers permissions akin to ISP tech support, enabling them to steal personally identifiable information (PII) such as MAC addresses, emails, and phone numbers. Additionally, they could collect Wi-Fi passwords and execute unauthorized commands. Upon Curry’s discovery on March 3, Cox swiftly disabled the exposed APIs within six hours and patched the issue the following day. A subsequent investigation by Cox revealed no evidence of prior exploitation of this security flaw.
Collection Agency FBCS Ups Data Breach Tally to 3.2 Million People
Debt collection agency Financial Business and Consumer Solutions (FBCS) now reports that over 3.2 million individuals have been affected by a data breach in February. Initially, in late April, FBCS disclosed that around 1.9 million people had their sensitive information compromised in the February 14 incident. The compromised data includes full names, Social Security Numbers (SSNs), dates of birth, account details, and driver’s license numbers. On May 29, FBCS submitted a supplemental notice to the Office of the Maine Attorney General, revising the total number of affected individuals to 3,226,631. Impacted individuals are being notified and provided with instructions to enroll in a free 24-month credit monitoring and identity restoration service through CyEx. FBCS advises those affected to be vigilant against phishing, fraud, and social engineering attacks. To prevent future breaches, FBCS has implemented a new, more secure environment. No details have been released regarding the specifics of the breach.
FBI Recovers 7,000 LockBit Keys, Urges Ransomware Victims to Reach Out
The FBI is urging victims of LockBit ransomware attacks to come forward after securing over 7,000 decryption keys to help recover encrypted data for free. Bryan Vorndran, Assistant Director of the FBI Cyber Division, announced this at the 2024 Boston Conference on Cyber Security. The keys were obtained following the FBI’s disruption of LockBit’s operations, part of “Operation Cronos,” which took down the ransomware group’s infrastructure in February 2024. During the operation, law enforcement seized 34 servers containing over 2,500 decryption keys, leading to the creation of a free LockBit 3.0 Black Ransomware decryptor. Despite these efforts, LockBit remains active, having shifted to new servers and dark web domains. The FBI is contacting known victims and encouraging others to report incidents at ic3.gov. The U.S. State Department offers substantial rewards for information leading to the arrest or conviction of LockBit leaders and affiliates, reflecting the ongoing international efforts to combat ransomware.
Linux Version of TargetCompany Ransomware Targets VMware ESXi
Researchers have discovered a new Linux variant of TargetCompany ransomware, focusing on VMware ESXi environments. Active since June 2021 and also known as Mallox, FARGO, and Tohnichi, TargetCompany has primarily targeted databases in Asia. Despite a temporary setback in February 2022, when Avast released a decryption tool, the group resumed its activities by targeting Microsoft SQL servers.
Trend Micro reports that this new variant uses a custom shell script to gain administrative privileges, deliver the payload, and exfiltrate data. The script checks for VMware ESXi environments and sends victim information to a command and control server. It encrypts VM-related files and leaves a ransom note with decryption instructions. After completing its tasks, it deletes the payload to avoid detection.
Trend Micro attributes these attacks to an affiliate named “vampire,” with IP addresses linked to an ISP in China. Recommendations to mitigate risks include enabling MFA, creating backups, and keeping systems updated.
New Fog Ransomware Targets US Education Sector via Breached VPNs
A new ransomware operation called ‘Fog,’ launched in May 2024, is targeting the U.S. education sector using compromised VPN credentials. Discovered by Arctic Wolf Labs, Fog has not yet established an extortion portal, but BleepingComputer confirms that the gang steals data for double-extortion attacks.
Fog operators gain initial access using compromised VPN credentials from at least two different vendors. They then use “pass-the-hash” attacks on admin accounts to establish RDP connections to Windows servers running Hyper-V, or use credential stuffing followed by PsExec deployment.
Once inside, Fog disables Windows Defender and gathers system information before initiating multi-threaded encryption. The ransomware terminates processes, encrypts VM storage files, and deletes backups to hinder recovery. Encrypted files receive a ‘.FOG’ or ‘.FLOCKED’ extension.
A ransom note, named readme.txt, directs victims to a Tor site for negotiations. Ransoms demand hundreds of thousands of dollars, with larger amounts likely for bigger organizations. It is unclear whether Fog operates as a ransomware-as-a-service (RaaS) or is run by a small group of cybercriminals.
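The report above names two on-disk artifacts of a Fog intrusion: encrypted files carrying a '.FOG' or '.FLOCKED' extension and a readme.txt note pointing to a Tor site. The following triage script, added here as an illustration and not taken from Arctic Wolf or BleepingComputer, walks a directory tree and reports both. The '.onion' content check used to distinguish a ransom note from an ordinary readme file is an assumption of this example, and the sample tree it scans is constructed data.

```python
"""Triage scan for Fog ransomware artifacts named in the report above."""
import os
import tempfile
from collections import Counter

FOG_EXTENSIONS = {".fog", ".flocked"}   # extensions from the report, matched case-insensitively
NOTE_NAME = "readme.txt"                # ransom note file name from the report


def is_ransom_note(path):
    """True if the file is named readme.txt and mentions a Tor (.onion) address.
    The .onion check is this example's own heuristic (assumption) so that a
    project's ordinary README.txt is not reported as a ransom note."""
    if os.path.basename(path).lower() != NOTE_NAME:
        return False
    try:
        with open(path, "r", errors="ignore") as fh:
            return ".onion" in fh.read(4096).lower()
    except OSError:
        return False


def scan_tree(root):
    """Count encrypted files per extension and per directory; collect ransom notes."""
    encrypted = Counter()   # extension -> number of files
    hit_dirs = Counter()    # directory -> number of encrypted files in it
    notes = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in FOG_EXTENSIONS:
                encrypted[ext] += 1
                hit_dirs[dirpath] += 1
            elif is_ransom_note(full):
                notes.append(full)
    return {"encrypted": dict(encrypted), "directories": dict(hit_dirs), "notes": notes}


def build_sample_tree():
    """Create a constructed sample tree (not real evidence) and return its root."""
    root = tempfile.mkdtemp(prefix="fog_demo_")
    vm = os.path.join(root, "VMs")
    os.makedirs(vm)
    for name in ("server01.vhdx.FOG", "server02.vhdx.flocked", "backup.vhdx"):
        open(os.path.join(vm, name), "w").close()
    with open(os.path.join(vm, "readme.txt"), "w") as fh:
        fh.write("Your files are encrypted. Contact us at http://example.onion\n")
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("Build instructions for the project\n")   # benign readme, must not be flagged
    return root
```

Running scan_tree(build_sample_tree()) reports one '.fog' and one '.flocked' file under the VMs directory and a single ransom note, while the untouched backup.vhdx and the benign README.txt are ignored.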
DDoS Attacks Target EU Political Parties as Elections Begin
Hacktivists are launching DDoS attacks on European political parties opposing their interests, reports Cloudflare. The attacks coincide with European Parliament elections, already underway in the Netherlands and soon to begin in 26 other EU countries. Cloudflare has mitigated three DDoS attack waves on election-related sites in the Netherlands, including political parties. On June 5 and 6, two attacks were recorded: the first peaked at 115 million requests per hour, and the second at 44 million requests per hour. The hacktivist group ‘HackNeT’ claimed responsibility for these attacks on Telegram, targeting the PVV (Party for Freedom) and FvD (Forum for Democracy). Both parties, right-wing nationalists, have expressed skepticism about the EU and NATO, showing sympathy toward Russia. Additionally, Germany’s Federal Ministry of the Interior reported a “serious cyberattack” on the CDU’s network on June 1, 2024. The CDU has been vocal against Russia’s actions in Ukraine and supports ongoing sanctions. German authorities are working to protect all Bundestag parties from similar threats.
Conclusion
In conclusion, the cyber landscape is fraught with various threats, from zero-day vulnerabilities to ransomware attacks and phishing campaigns. Staying vigilant and implementing robust security measures is essential to safeguard sensitive data.
As experts in ransomware recovery and cybersecurity, we offer specialized services such as Ransomware Recovery Services, Ransomware Negotiation Services, and Ransomware Settlement Services. If your organization requires assistance in recovering from a ransomware attack or bolstering its cybersecurity defenses, contact us today.