Cyber News Rundown: Cl0p ransomware group leaks Harvard University data

  • October 17, 2025

Earlier this week, threat actors behind the Cl0p ransomware group added Harvard University to their leak site alongside 1.3TB of data. It is believed that Cl0p exploited Oracle’s E-Business Suite vulnerability to gain access to internal systems via compromised email credentials. This vulnerability was patched in July, though it is likely that many organizations were not quick to apply the patch, and the flaw may have been combined with another zero-day vulnerability that had not yet received a software patch.

Banking trojan leverages GitHub for persistence

Researchers have been tracking a new campaign for the Astaroth banking trojan that has created multiple GitHub repositories to store malware configurations in case any of their command-and-control (C2) servers are taken down by law enforcement. Astaroth predominantly targets victims in South American countries, but has also been seen attacking organizations in Europe, stealing credentials and exfiltrating them to the attacker’s systems using Ngrok, a reverse proxy.

1.2 million individuals compromised in SimonMed breach

Officials for the medical imaging provider, SimonMed Imaging, have recently begun contacting nearly 1.2 million patients who may have been affected by a data breach that occurred at the end of January. The investigation into this incident also revealed that hackers had access to SimonMed’s network for nearly a week before the company was informed of the breach by one of their vendors. Threat actors from the Medusa ransomware group claimed responsibility for this attack and published 212GB of stolen data to their leak site, though SimonMed is no longer listed on the site, which could indicate that a ransom was paid to delete or not sell the data.

Group behind Salesforce hacks leaks millions of records

In the weeks following the significant hacking campaign that exploited Salesforce instances across multiple organizations, threat actors behind the recently formed Scattered LAPSUS$ Hunters extortion group have added 39 victim organizations to their leak site and included a ransom demand to Salesforce to stop the data from being made fully available. Officials for Salesforce have refused to pay the ransom and claim that there is no substantiated evidence that any cyberattacks have occurred and that the posted data must be from old breaches, despite announcements from many of the victim organizations confirming otherwise.

Spanish clothing retailer suffers data breach

Over the weekend, staff for MANGO, a major clothing retailer based in Spain, identified a breach at one of their marketing vendors that had compromised customer data used in marketing campaigns. While personal contact information was exposed, MANGO officials have confirmed that no financial or banking details were accessed, though it is still possible that the leaked data could lead to additional phishing schemes. The threat group behind this attack is still unknown, as no group has yet added MANGO to a data leak site.

5 replies

Jasper_The_Rasper
Moderator

Thank you @ConnorM and I hope you have a great weekend.


TripleHelix
Moderator
  • October 17, 2025

Thanks @ConnorM 😎


ProTruckDriver
Moderator

Thanks @ConnorM, enjoy the weekend.


Ssherjj
Moderator
  • October 17, 2025

Thank you @ConnorM 😊


russell.harris
Popular Voice

Thanks again @ConnorM