[Security Weekly] Microsoft’s Customer Support Tools Compromised by Nobelium
1st Week of July 2021
1. Microsoft’s customer support tools compromised by Nobelium for targeted attacks
Microsoft officially announced that the Russian state-sponsored hacking group Nobelium, also known as APT29, had gained access to a customer support agent’s computer, leading to follow-on attacks against Microsoft customers. A highly sophisticated group, Nobelium is infamous for being behind the SolarWinds supply chain attack.
Microsoft stated that the attackers planted information-stealing malware on the support agent’s machine, which gave them access to Microsoft’s customer support tools and, through those tools, to customers’ basic account information, including subscription, contact, and billing details. That information was then used to launch targeted brute force and phishing campaigns against specific customers, of which 57% were IT companies and 20% were governmental institutions.
Moreover, 45% of the targeted customers were located in the US, followed by 10% in the UK, with significant numbers in Canada and Germany; 36 countries were targeted in total. Microsoft said most of the attempts failed, but three entities were known to have been compromised at the time of the announcement.
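The follow-on activity described above was credential guessing against known accounts, which shows up in authentication logs as clusters of failed logins. The script below is an added example written for this page, not code from Microsoft or from the incident; it runs over a constructed set of log lines and separates two patterns: password spraying (one source failing against many distinct accounts, often only once per account) and classic brute force (one source hammering a single account). It also records when a spraying source later logs in successfully, which is the signal that a compromise, rather than just an attempt, has occurred. The log format, field names, and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines for demonstration only (not from any real incident).
# Format assumed: "<timestamp> auth <SUCCESS|FAILURE> user=<name> src=<ip>"
SAMPLE_LOG = """\
2021-06-25T10:00:01Z auth FAILURE user=alice src=203.0.113.10
2021-06-25T10:00:02Z auth FAILURE user=bob src=203.0.113.10
2021-06-25T10:00:03Z auth FAILURE user=carol src=203.0.113.10
2021-06-25T10:00:04Z auth FAILURE user=dave src=203.0.113.10
2021-06-25T10:00:05Z auth FAILURE user=erin src=203.0.113.10
2021-06-25T10:00:06Z auth FAILURE user=frank src=203.0.113.10
2021-06-25T10:00:07Z auth SUCCESS user=frank src=203.0.113.10
2021-06-25T10:01:00Z auth FAILURE user=admin src=198.51.100.7
2021-06-25T10:01:01Z auth FAILURE user=admin src=198.51.100.7
2021-06-25T10:01:02Z auth FAILURE user=admin src=198.51.100.7
2021-06-25T10:01:03Z auth FAILURE user=admin src=198.51.100.7
2021-06-25T10:01:04Z auth FAILURE user=admin src=198.51.100.7
2021-06-25T10:01:05Z auth FAILURE user=admin src=198.51.100.7
this line is malformed and should be skipped
2021-06-25T10:02:00Z auth FAILURE user=alice src=192.0.2.5
2021-06-25T10:02:09Z auth SUCCESS user=alice src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log text into event dicts, skipping lines that do not match the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_auth_abuse(events, spray_min_users=5, brute_min_failures=5):
    """Classify each source IP's failed logins as a password spray or a brute force.

    spray_min_users:    distinct accounts a source must fail against to count as spraying
    brute_min_failures: failures against one account from one source to count as brute force
    Both thresholds are assumed values; tune them (and add a time window) for real logs.
    """
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    successes = defaultdict(set)                       # src -> users that succeeded after failing

    for e in events:  # process in log order so "success after failure" is meaningful
        src, user = e["src"], e["user"]
        if e["result"] == "FAILURE":
            failures[src][user] += 1
        elif failures[src][user] > 0:
            successes[src].add(user)

    alerts = []
    for src, per_user in failures.items():
        total = sum(per_user.values())
        if len(per_user) >= spray_min_users:
            alerts.append({
                "type": "password_spray",
                "src": src,
                "distinct_users": len(per_user),
                "failures": total,
                # Accounts that later logged in from the spraying source: likely compromised.
                "successes": sorted(successes[src]),
            })
        else:
            for user, n in per_user.items():
                if n >= brute_min_failures:
                    alerts.append({
                        "type": "brute_force",
                        "src": src,
                        "user": user,
                        "failures": n,
                        "successes": sorted(successes[src] & {user}),
                    })
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_abuse(parse_log(SAMPLE_LOG)):
        print(alert)
```

The single failed login followed by a success from 192.0.2.5 stays below both thresholds and is treated as an ordinary typo, while the spraying source is flagged together with the one account it eventually got into. In production the same logic should be bounded by a time window and keyed on the account as well as the source, since spraying campaigns rotate source addresses.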
2. Mercedes-Benz USA discloses customer data exposure by third-party vendor
Mercedes-Benz USA revealed on June 24 that one of its vendors had exposed sensitive customer data from a cloud storage system. The unnamed vendor was responsible for collecting and managing data entered by customers and prospective buyers and using it for digital marketing and sales.
The exposed database contained data entered between January 1, 2014 and June 19, 2017. It remained unclear how the exposure happened and for how long the database was left accessible. Mercedes-Benz stated that its own IT systems were not compromised and that there was no evidence of misuse of the exposed data.
What is worrying is that for nearly 1,000 customers, the exposed data included sensitive personal information such as dates of birth, social security numbers (SSN), driver’s license numbers, credit card information, and self-reported credit scores. Mercedes-Benz has begun contacting these customers.
Data breaches due to third-party vendor mistakes have become increasingly common. Volkswagen and Audi suffered a similar incident less than a month ago, where over 3.3 million personal records were leaked due to a vendor’s cloud misconfiguration.
3. Brazilian medical diagnosis giant Grupo Fleury hit by REvil ransomware
Fleury S.A. (Grupo Fleury), the largest medical diagnosis provider in Brazil, was forced to shut down its IT systems and business operations after being hit by the REvil ransomware. Conducting over 75 million medical exams per year at over 200 testing centers across the country, the company is crucial to Brazil’s healthcare system.
Fleury shut down major parts of its systems on June 22 to prevent the ransomware from spreading, and informed the public about delays in its services. Its website remained unavailable, meaning that patients and physicians were unable to book exams online. On June 24 it announced that it had begun to restore operations at major hospitals.
According to sources cited by Bleeping Computer, the REvil ransomware gang demanded $5 million in exchange for the decryption key and the destruction of all stolen data. Given the nature of the company’s business, any data the attackers stole could include highly sensitive personal and medical information. It was unclear whether Fleury had paid the ransom; as of now, the attackers have neither released the data nor put it up for sale.
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: ISign+
Car, Energy, Factory, City Solutions: Penta IoT Security