Breach Roundup: Mexico in Hacker Spotlight – Source: www.databreachtoday.com

Cybercrime
,
Fraud Management & Cybercrime
,
Incident & Breach Response

Also: Critical WHOIS Vulnerability Exposes Internet Security Flaw in .mobi Domains

Anviksha More (AnvikshaMore) •
September 12, 2024    

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, cyberthreats are rising in Mexico; the FBI warned of BEC scams; U.K. police arrested a hacking suspect; Avis, Slim CD, Medicare and Fortinet disclosed breaches; Highline public schools reopened after a cyberattack; a critical flaw was found in WHOIS; and Konni upped its attacks on Russia, South Korea.

See Also: Cloud NGFW : Best-in-class security and unparalleled simplicity on AWS

Google on Wednesday reported a surge in cyberespionage, ransomware and financial fraud in Mexico, the world’s 12th largest economy.

A shifting global economy and U.S. geopolitical tensions with China have make Mexico the top U.S. trading partner and also a target of Beijing influence-building operations. Annual trading volume between the United States and Mexico amounts to nearly $1.6 trillion.

A Google Threat Analysis Group and Mandiant analysis found Mexico is attracting cyberespionage hackers from across the globe, but primarily from China, Russia and North Korea. Chinese espionage groups have been particularly active, targeting Mexican government agencies, universities and news organizations. North Korean actors focus on cryptocurrency firms, while Russian activity has decreased over the past couple of years as Moscow focuses on Ukraine and NATO countries.

Commercial spyware is a perennial threat in Mexico, where journalists, activists and politicians have been targets of smartphone hacking campaigns. Cybercrime is a significant concern as well, and ransomware and extortion affect Mexico across multiple industries. TAG observed attacks on banking credentials, cryptomining and the sale of compromised access, and three of the most frequently observed cybercrime groups in Mexico serve as initial access brokers for extortion groups. These groups use phishing, malvertising and infected USB drives to launch their attacks. Mexican businesses most often appear in the ransomware leak sites of the LockBit, BlackCat/Alphv and 8Base.

Malware distribution campaigns frequently use tax- and finance-themed lures to convince recipients to open malicious links or files. Mandiant has observed a financially motivated threat actor it tracks as UNC4948 distributing SimpleLoader malware and malicious browser extensions using emails that appear to originate from the Mexican Tax Administration Service.

Another financially motivated hacking group tracked as UNC5176 spoofed Mexico’s state-owned electric utility, the Comisión Federal de Electricidad.

The FBI advised corporations to be vigilant against business email compromise scams, which generated nearly $55.5 billion in losses globally over the past decade. According to the FBI’s Internet Crime Complaint Center, more than 305,000 BEC incidents occurred between October 2013 and December 2023, with 158,436 victims in the United States and 6,545 internationally. The scams often involve hacked email accounts, which allow threat actors to craft convincing requests for money transfers.

The FBI said it observed a 9% increase in global losses between December 2022 and December 2023. The growing use of custodial accounts, third-party payment processors and cryptocurrency exchanges contributed to the rising losses.

The U.K. National Crime Agency arrested a teenager for alleged hacking Transport of London earlier this month.

The British law enforcement agency said it detained a 17-year-old, unnamed suspect on Sept. 5 for violation of the Computer Misuse Act in relation to the hack of the transit authority.

The attack, which took place on Sept. 2, led to tube riders experiencing problems with contactless payments and deteriorated the authority’s ability to offer Dial-a-Ride, a public transport service for wheelchair users and others with disabilities (see: Breach Roundup: Transport for London Still Feels Cyberattack).

An estimated 4 million journeys are made per day using the London Underground subway system, which is wholly owned by Transport for London.

The teenager posted bail after being questioned by British law enforcement agencies.

Although TfL initially stated the attack did not result in any data breach, in a Thursday update, the agency said the attacker accessed travel card data of 5,000 commuters, including their bank account numbers and sort codes.

Live subway arrival information and travel card services continue to be affected, the update says.

Car rental giant Avis notified nearly 300,000 customers of a data breach caused by unauthorized access to one of its business applications. The company discovered the breach, which affected 299,006 individuals, on Aug. 5. The company described the breach as “insider wrongdoing,” but the notice doesn’t specify if an employee was responsible.

Stolen data includes customer names and unspecified personal details. The Parsippany, New Jersey-based firm, part of Avis Budget Group, is reviewing its security systems to prevent future breaches.

Payment software provider Slim CD reported a data breach that affected 1.7 million individuals and exposed sensitive credit card information including names, addresses, card numbers and expiration dates. The breach occurred in mid-June, and the company said there is no evidence of identity theft or fraud related to the incident.

The Florida-based company said Friday that the unauthorized access to its systems began in August 2023, but the actual breach occurred mid-June this year and lasted about a day. The company did not provide details about the attackers or the nature of the breach.

Highline Public Schools in Washington state reopened on Thursday after a cyberattack forced the district to close its K-12 schools for three days. The district announced that while it has restored parts of its digital network securely, internet access will not be available.

The cyberattack, disclosed on Sunday, left Highline unable to manage key operations such as school bus routes, attendance tracking and emergency communications. All 34 schools in its district of 17,500 students were affected.

A cybersecurity experiment revealed a critical vulnerability in the outdated WHOIS system, specifically affecting the .mobi top-level domain. Researchers discovered that by purchasing the expired domain dotmobiregistry.net, previously used as the WHOIS server for .mobi, they could manipulate queries from government entities, cybersecurity tools and certificate authorities. This flaw could allow attackers to issue fraudulent TLS/SSL certificates for major domains such as google.mobi and microsoft.mobi.

After acquiring the unrenewed domain in December 2023, the researchers set up a rogue WHOIS server and received over 135,000 unique queries in a few days. Systems belonging to military and government entities continued referencing the expired server.

The most alarming finding was the vulnerability of CAs, such as GlobalSign, which accepted manipulated WHOIS data to verify domain ownership. The researchers demonstrated this by tricking the CA into issuing a certificate for micrsoft.mobi to a fraudulent email.

The U.S. Centers for Medicare and Medicaid Services and the Wisconsin Physicians Service Insurance Corp. notified nearly 947,000 individuals that their protected health information was breached involving the 2023 MOVEit attack (see: Known MOVEit Attack Victim Count Reaches 2,618 Organizations).

The organizations said Friday that WPS notified CMS on July 8 and that the affected data includes personal health information such as Medicare claims data. WPS is a CMS contractor that handles Medicare claims and related services.

WPS conducted a review of its MOVEit file transfer system in May with help from a third-party cybersecurity firm. On July 8, WPS determined that some of the affected files contained individuals’ personal information, including identifying information such as Social Security numbers and birthdates, as well as Medicare beneficiary identifiers.

CMS and WPS said they are unaware of any reports of identity fraud or improper use of the breached information.

Cybersecurity company Fortinet said Thursday that it suffered unauthorized access to a third-party, cloud-based, shared file drive that compromised “limited data related to a small number of Fortinet customers.”

The company, currently valued at about $50 billion, told Australian business publication Capital Brief that the security incident did not affect its operations, products or services.

“We have communicated directly with customers as appropriate,” a company spokesperson said. “To date, there is no indication that this incident has resulted in malicious activity affecting any customers.” Capital Brief reported that the security breach affected the data of Fortinet’s Asia-Pacific arm.

North Korean-linked hacking group Konni, associated with the state-sponsored Kimsuky group, ramped up cyberespionage efforts targeting Russia and South Korea, according to a report from South Korean cybersecurity firm Genians.

Konni since 2021 has focused on high-profile targets, including the Russian Ministry of Foreign Affairs, the Russian Embassy in Indonesia and various South Korean enterprises. The group typically uses phishing emails related to taxes, scholarships and finance to infect systems with malware.

Other Coverage From Last Week

• Election Experts Still Demanding More Federal Cyber Support
• French Cyber Agency Warns of APT28 Hacks Against Think Tanks
• NoName Apparently Allies With RansomHub Operation
• Bashing Windows Bugs, Take 2: Microsoft Restores Nixed Fixes
• US Prepares to Gather AI Foundational Model Developer Info

With reporting from Information Security Media Group’s Prajeet Nair in Bengaluru, India; Jayant Chakravarti in Pune, India; Akshaya Asokan in Southern England; and Marianne Kolbasuk McGee in the Boston exurbs.