Brain Cipher Ransomware, Infostealer Tracks Users, TeamViewer Russian Hackers – Cybersecurity News [July 01, 2024]

Welcome back to our weekly bulletin, where we bring you the latest cybersecurity information so you can stay safe against the latest attacks and malicious campaigns. We’ll share details about the new Brain Cipher ransomware, how info stealers could track users linked to child abuse sites, the corporate attack on Team Viewer, the story of a scorned employee stealing patient healthcare data, and the latest crypto drainer phishing attack on Ethereum. Stay tuned!

Everything About Brain Cipher: The Ransomware Behind Indonesia’s Data Center Attack

A new ransomware operation called Brain Cipher is making headlines worldwide after the recent attack on Indonesia’s National Data Center. 

Indonesia has been building temporary National Data Centers to securely store the servers used by the government’s online services. One of these was attacked this week, and the threat actors encrypted all data and disrupted many services like immigration, event permits, and passport control. The government shared the news of the attack, highlighting how the threat actors had disrupted over 200 government agencies.

Brain Cipher was launched earlier this month and has been targeting organizations worldwide. They’ve quickly set up a data leak site and spread their operations. Each victim system has a unique ID of encryption that can be entered into a Tor negotiation site to start communication with the gang. The threat actors breach corporate networks and gain Windows domain admin credentials to deploy ransomware on the entire network.

The ransomware gang has based its encryptor on the leaked LockBit 3.0 and has been demanding ransoms between $20,000 and $8 million.

Infostealer Malware Tracks Users Linked to Child Abuse Websites

Information-stealing malware logs have helped identify thousands of pedophiles after law enforcement investigations have started using stolen credentials. 

Image sourced from medium.com

This new use was actually done by Recorded Future’s Insikt Group, who also shared a detailed report where they explained how they were able to identify 3,324 unique accounts that were used to access illegal portals that distributed CSAM (Child Sexual Abuse Material).

Information-stealing malware like Redline and Vidar often have stealer logs that maintain a collection of the stolen data. These malware also collect credentials and browser information, which is transmitted back to the threat actors. The same data also exposes all credentials, email, and other accounts used by CSAM users.

Analysts at Insikt used such logs captured between 2021 and 2024, which helped them identify accounts that consumed or distributed CSAM content, and they were able to find out the real-world identities of the account holders via other web accounts, browsing history, and crypto wallet addresses and transactions. 

The researchers released the report to show how infostealer data could aid law enforcement in tracking down pedophiles and prosecuting them. 

TeamViewer Attributes Corporate Cyberattack to Russian State Hackers

TeamViewer has shared that Midnight Blizzard, a Russian state-sponsored hacking group, has breached its corporate network. 

The product is widely used by enterprises and consumers for RMM. The internal corporate network was breached on 26 June when the threat actors used an employee’s credentials to access the network. They did outline that an investigation is ongoing and it has not revealed any indication that the threat actors had access to the production environment or the information of the customers.

The organization stressed that they keep the production and corporate networks separate and recommended all users enable MFA (Mutli-Factor Authentication) and set up allowlists only to allow authorized individuals to make and monitor network connects for all-around safety and protection. 

Midnight Blizzard is a major threat actor group that also breached Microsoft’s systems back in March 2024. 

Ex-IT Employee Accessed Data of Over 1 Million US Patients

Pennsylvanian healthcare system giant Geisinger announced a data breach that was conducted by a former employee. 

The employee worked for Nuance, an IT service provider that was contracted by the healthcare organization. Geisinger detected unauthorized access to the patient database by this employee and reported the incident to Nuance, who promptly took action and blocked the access. This happened in November 2023, and Nuance also informed law enforcement authorities about the incident, which led to charges against the employee, who was later arrested.

As per the investigation, the employee could access full names, contact numbers, residential addresses, birth dates, transfer codes, and medical record numbers of the patients. The incident did not put the financial information or the SSNs (Social Security Numbers) of the patients at risk, but it is still unclear how the former employee exploited said data. Geisinger has notified all the employees who were impacted by the breach.

If you received this notification, it’s best to review your statements and notify health insurance immediately if you come across an unexpected entry. On the other hand, Lynch Carpenter announced that they’ll conduct an investigation on the incident scope and explore the potential class action lawsuit against the healthcare giant. 

Ethereum Mailing List Breach Puts 35,000 at Risk of Crypto-Draining Attack

This week, a threat actor was able to get into Ethereum’s mailing list provider and got access to 35,000 email addresses that they leveraged for a phishing attack.

The phishing attack campaign started on 23 June, and the threat actor sent emails to 35,794 stolen addresses with embedded links that led them to a malicious site with a crypto drainer. Ethereum disclosed the incident in a blog post that the threat actor lured recipients with an announcement of a possible Lido DAO collaboration where they could get a 6.8% APY on staked ETH.

When the victims clicked on the “Begin Staking” button, they were redirected to a malicious website designed to promote the same scheme and asked the users to connect their wallets. Once they did, the crypto drainer would empty their wallets. Ethereum has launched an internal investigation to identify the threat actor behind the attack and has already blocked them from sending more such emails. 

Ethereum shared that it has also taken additional measures and will migrate some of its email services to other providers to prevent similar attacks in the future.

This incident underscores the importance of implementing strong phishing protection solutions to prevent phishing attacks and protect valuable data. It serves as a reminder for individuals to stay alert and confirm the legitimacy of emails, particularly those involving financial activities.