Breach Roundup: SEC Fines 11 Orgs for Record-Keeping FailureAlso, North Korean Hackers Breached Russian Missile Maker
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, Wall Street fined firms for using WhatsApp, North Korean hackers breached a Russian missile maker, Ivanti backtracked, ransomware attacks cost manufacturers $46B, a cyberattack shut down Gemini North Observatory, ad fraud targeted Android users and healthcare workers' personal information was breached.
11 Wall Street Firms Fined for Using WhatsApp
U.S. federal regulators on Tuesday fined 11 brokerage firms and investment advisers a total of $549 million for using smartphone texting apps such as WhatsApp and Signal to conduct company business. Wells Fargo, BNP Paribas, Societe Generale and Bank of Montreal received the highest penalties from the Securities and Exchange Commission and the Commodity Futures Trading Commission.
Regulatory norms mandate financial institutions to keep records and ensure that employees don't conduct company affairs through unauthorized communication channels. The SEC charged these firms for their inability to properly maintain and preserve official communications made by their employees.
This is the second time in less than a year that the SEC has fined Wall Street firms for record-keeping failure.
The SEC says all the fined firms acknowledged their violations of record-keeping provisions of securities laws and have begun implementing compliance strategies to monitor off-channel communications by their employees.
North Korean Hackers Breached Russian Missile Maker
North Korean hacklers orchestrated a cyberespionage operation lasting at least five months that targeted a significant Russian missile developer. Researchers from SentinelLabs observed North Korean hackers they track as ScarCruft implanting digital backdoors into the systems of Moscow-based rocket design firm NPO Mashinostroyeniya.
The intrusion began around late 2021 and persisted until May 2022 when the company's internal communications reportedly detected the hacker activity. The infiltrators exploited the IT environment, enabling them to navigate email traffic, traverse networks, and extract data. While it remains uncertain whether data was exfiltrated or what information was accessed, the incident illustrates North Korea's willingness to target friendly countries.
The hack was discovered inadvertently when an IT staff member mistakenly leaked internal communications during an attempt to investigate the North Korean attack. This lapse provided insights into the company's operations, which hold significant importance to Russia and were previously sanctioned following Russia's 2014 illegal annexation of the Crimean Peninsula.
NPO Mashinostroyeniya, a prominent entity in hypersonic missiles, satellite technologies and advanced ballistic armaments, plays a pivotal role in areas of keen interest to North Korea, aligning with its mission to develop critical technological advancements.
Ivanti Backtracked, Said Latest Bug Affects All Versions
IT solutions provider Ivanti backtracked on its initial assessment that a security vulnerability in its Endpoint Manager Mobile tool only affected a few versions of the platform and revealed that the flaw affects all versions.
On Aug. 2, Ivanti disclosed details of CVE-2023-35082, a critically rated flaw that affected a tool called MobileIron Core, up to version 11.2. The flaw allows unauthorized actors to potentially access user information and make changes to the server. The company patched the flaw in MobileIron Core's 11.3 upgrade.
On Monday, Ivanti said CVE-2023-35082 affects all versions, depending on personalized configurations.
Rapid7 researcher Stephen Fewer, credited with finding the original vulnerability, said the CVE-2023-35082 flaw shares its origin with another vulnerability - CVE-2023-35078, suggesting that the vulnerabilities stem from the same underlying issue.
CVE-2023-35078 is a remote unauthenticated API access flaw assigned a 10 on the CVSS scale. Hackers chained the earlier flaw with CVE-2023-35081 to target the Norwegian government beginning in April or possibly earlier, according to the U.S. and Norway cybersecurity agencies (see: Ivanti Norway Hacks Began in April, Says US CISA).
Ransomware Attacks Cost Manufacturers $46B
The manufacturing sector suffered a financial loss of $46.2 billion inflicted by ransomware attacks between 2018 and July 2023, said British company Comparitech.
Comparitech's analysis focused the ramifications of downtime caused by ransomware incidents. The more than $40 billon cost incurred excludes the ransoms paid on the 478 attacks since 2018. Comparitech analysts observed only four recorded instances of a ransom being paid by a manufacturer in the past five years. Still, "many companies will withhold this information in fear it makes them more vulnerable to these attacks,” the company said. The low rate of successful extortion has not stopped gangs from attacking manufacturers, with an average of $11.2 million demanded per incident.
The biggest cost stems from downtime. Comparitech observed an average downtime cost of $8,662 per minute.
Cyberattack Shuts Down Gemini North Observatory
The U.S. National Optical-Infrared Astronomy Research Laboratory identified a cyberattack attempt on its systems, which led to the suspension of observations at the Gemini North telescope in Hawaii. NOIRLab said damage was averted but investigations are ongoing. Lab staff identified the attack on Aug. 1 and in a Wednesday update said remote observations at two telescope are still unavailable.
Ad Fraud Targets Android Users
Cybersecurity experts at McAfee's Mobile Research Team exposed an adware campaign targeting Korean Android users involving apps from Google Play secretly displaying ads while the device's screen is off, violating Google Play policies and defrauding advertisers. The campaign employed 43 rogue apps and accumulated 2.5 million downloads, affecting categories such as TV/DMB players, music downloaders, news and calendar apps. The adware's advanced tactics evaded detection, granting remote modification capabilities via Firebase Storage or Messaging. McAfee identified adware permissions that enable background activities, leading to potential phishing and unseen ads. The team reported the apps to Google, which removed them or updated them to comply with Google policy.
British Columbia Healthcare Workers' Personal Info Breached
A significant data breach affected thousands of healthcare workers in British Columbia. The hackers targeted three websites hosted on servers at the Health Employers Association of BC. The breach occurred between May 9 and June 10 and was detected on July 13. The breach may have compromised personal data such as passport information, driver's licenses, birthdates and social insurance numbers linked to 240,000 email addresses. Although no ransom was demanded, the exact vulnerability remains undisclosed due to an ongoing police investigation.