WordPress’s Elementor is vulnerable (again), the U.S. Department of Transportation is breached, 5.8 million medical records are posted online after PharMerica incident. Here are the latest threats and advisories for the week of May 19, 2023.
By John Weiler
Threat Advisories and Alerts
Australian and U.S. Governments Release Advisory on BianLian Ransomware Group
The Australian Cyber Security Centre (ACSC) has released a joint cybersecurity advisory with the U.S. outlining the typical attack vectors and signs of ongoing attacks by the BianLian ransomware group. It is a relatively new group that uses valid Remote Desktop Protocol (RDP) credentials to gain network access before employing novel techniques to create off-site copies of sensitive data and hold it for ransom. The advisory contains technical details and recommendations for network administrators.
Password Reset Vulnerability Found in Essential Addons for Elementor Plugin
The Cyber Security Agency of Singapore (CSA) is urging anyone who uses the Essential Addons for Elementor plugin to update to the latest version. Similar to an Elementor vulnerability that appeared last month, this security flaw makes it possible for threat actors to reset the password of any user, including a website administrator. Any site running versions 5.4.0 through 5.7.1 should update to the latest version of the plugin to avoid a breach.
Emerging Threats and Research
Security Incident at the DoT Involves Data on More Than 230,000 Employees
TRANServe, a U.S. Department of Transportation (DoT) transit benefit program used by federal employees, was infiltrated by unauthorized users. The program’s databases stored personal information on 114,000 current federal employees and 123,000 former federal employees, including their names, addresses, phone numbers and public transportation payment methods. The TRANServe website has been taken down until the investigation is resolved.
Capita Data Breach Update: Customers Told to Assume Personal Data Stolen
As is to be expected with any corporate data breach, Capita has more bad news regarding its minor ‘IT issue’ on March 31. At the time, the company claimed no evidence of access to personally identifiable information. But in an abrupt change of tone, customers are now receiving notices telling them to assume their data was breached. It’s possible that the update was motivated by reports of stolen Capita records appearing on the Black Basta ransomware website.
Mustang Panda Group Exploits Router Firmware to Create Untraceable Mesh Network
Researchers have tied a Chinese state-sponsored group to a new and advanced type of malware targeting network routers. The group, known as Mustang Panda, is using a firmware backdoor to infect devices, monitor traffic and spread itself deeper into compromised networks. It’s unclear how the malware is delivered, but researchers have confirmed that it could be used to create a mesh network that makes it incredibly hard to pinpoint the origin or destination of malicious communications.
PharMerica Is Money Message’s Latest Victim, 5.8 Million Americans Affected
The Money Message ransomware group is claiming responsibility for a data breach involving the medical records of nearly six million Americans hosted by PharMerica. The pharmacy services provider said that the stolen data includes names, addresses, dates of birth, Social Security numbers (SSNs), medications and health insurance information. The Money Message group (the same one that breached MSI earlier this month) eventually posted all 4.7 terabytes of data online.
Election-Timed Cyberattack Temporarily Shuts Down the Philadelphia Inquirer
Last weekend, The Philadelphia Inquirer was the victim of a cyberattack that temporarily halted the newspaper's operations, including its print and online publications. The incident seemed timed to coincide with the city’s mayoral election, which was held two days after the breach was first detected. The Inquirer hasn’t released any information about whether anyone’s personal information was exfiltrated or who was responsible for the attack. The publication is working with a cybersecurity firm to investigate the attack and restore its systems.
To stay updated on the latest cybersecurity threats and advisories, look for weekly updates on the (ISC)² blog. Please share other alerts and threat discoveries you’ve encountered and join the conversation on the (ISC)² Community Industry News board.