[Security Weekly] Medibank Refuses Ransom Demand, Customer Data Leaked Online
November 2022, Issue II
1. Medibank refuses ransom demand, customer data leaked online
After a ransomware attack hit Australia’s largest private health insurer, over 9.7 million customer records are now at risk of exposure. On November 7, Medibank announced that it would not be paying a ransom to the hackers. The decision is backed by the Australian government, as it now considers passing a law to ban ransom payments to cybercriminals.
However, the Russia-based ransomware operator has since been publishing the compromised personal data on the dark web day after day, deliberately selecting highly sensitive records belonging to socially vulnerable groups. On November 10, the attackers leaked abortion-related insurance claim records. On November 13, another file containing mental health treatment records was leaked.
It appears that the attackers are leaking this data in small portions in the hope that public pressure will push Medibank and the government back to the ransom negotiation table. Because this is one of the worst data breaches in Australia’s history, the government has asked the public not to search for the data online, as doing so could discourage vulnerable groups from seeking medical care.
2. GitHub launches new feature to enable private vulnerability reporting
GitHub, the world’s largest open-source software development platform and repository, launched a new feature on November 9 that enables security researchers to report vulnerabilities newly discovered in open-source projects to their respective project maintainers through a direct and private channel.
Prior to this new feature, there had been no official channel to report vulnerabilities, leading to many of them being reported publicly or through unsafe channels, making it common for a vulnerability to be exposed prior to a fix becoming available.
With this new feature, every time a researcher reports a bug or vulnerability, the project maintainer receives a notification via the platform and can choose to accept, reject, or ask further questions about the reported issue. This streamlines the vulnerability reporting process and minimizes the chance of unwanted vulnerability exposure.
Open-source project maintainers can activate this feature for their projects for free. A beta version has been made available. GitHub plans to make its official launch in early 2023.
3. Billbug hacker group actively targets government agencies in Asian countries
The Billbug hacker group, also known as Lotus Blossom or Thrip, is actively running a campaign targeting government agencies, defence organizations, and certificate authorities in multiple Asian countries.
The group’s recent activities were discovered by Symantec, which has been tracking the group since 2019, when it was found to use the Hannotog and Sagerunex backdoors. Both backdoors were observed again in the latest attacks. Billbug is also known to evade detection by blending custom malware with existing tools and utilities already present on the targeted system.
One of the victims in the latest campaign is a certificate authority. This raises concern as the attacker could potentially utilize compromised digital certificates to sign their malware as a trusted identity.
Billbug appears to gain initial entry into the compromised networks by exploiting vulnerabilities in public-facing web applications. To effectively prevent such attacks, an advanced web application firewall (WAF) like WAPPLES is necessary.
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: iSIGN+
Car, Energy, Factory, City Solutions: Penta IoT Security