Major Cyber Attacks in Review: November 2023
In November 2023, the digital landscape witnessed a series of major cyber attacks, creating ripples across industries. From disruptive ransomware attacks to the infiltration of renowned healthcare organizations such as Henry Schein and McLaren, each incident underscored the pressing need for fortifying our digital defenses.
Throughout this blog post, we will outline the significant cyberattacks of November 2023, reflecting on their impact and emphasizing the crucial lessons for safeguarding our business.
Ransomware Disrupted 70+ German Municipalities
A ransomware attack has disrupted local government services in over 70 municipalities in western Germany. The attack targeted the local municipal service provider Südwestfalen IT and encrypted its servers. Municipal finance, resident services, cemeteries, and registry offices were affected, while internal and external communications, including email and phone services, were mostly non-functional.
To prevent the ransomware infection from spreading, access to the infrastructure was restricted, severely limiting local government services. Town halls in the affected region, primarily in North Rhine-Westphalia, experienced disruptions, with many online systems down.
The incident has prompted German police and cybersecurity agencies to launch an investigation, while affected city administrations worked to restore services and provide in-person assistance.
Henry Schein Healthcare Fell Victim to BlackCat Ransomware, Again
American healthcare company Henry Schein has suffered another cyberattack by the BlackCat/ALPHV ransomware gang, following a previous attack in October. The company first disclosed on October 15 that it had taken some systems offline to contain a cyberattack that had impacted its business the day before. On November 22, Henry Schein revealed that certain applications and its e-commerce platform had been taken down again in another attack claimed by the BlackCat ransomware gang.
The company has restored its U.S. e-commerce platform and recovered its platforms in Canada and Europe shortly after. Despite the disruptions, Henry Schein was reportedly still receiving orders through alternative channels and continuing to ship to customers. The ransomware gang added Henry Schein to its dark web leak site, claiming responsibility for breaching the company’s network and allegedly stealing 35 terabytes of sensitive data. This marked the third time since October 15 that BlackCat has encrypted Henry Schein’s systems after gaining unauthorized access.
Socks5Systemz Botnet: A Rising Threat
A newly discovered proxy botnet named Socks5Systemz has been infecting approximately 10,000 systems worldwide since October. Despite being in existence since 2016, the botnet remained undetected until recently. The malware is distributed through PrivateLoader and Amadey malware loaders, leveraging various attack vectors such as phishing, exploit kits, malvertising, and trojanized executables.
During the latest infection, the attackers used backconnect servers communicating over port 1074/TCP. Once installed, the malware loaders execute a file named previewer.exe, which activates the bot. The bot itself, a 300 KB 32-bit DLL, uses a Domain Generation Algorithm (DGA) to locate its Command and Control server and receive commands.
Infected devices are utilized as proxy servers, which are then sold to other threat actors. A user named ‘boost’ was identified selling access to compromised accounts and proxies through two subscription tiers on a Telegram channel. BitSight identified at least 53 servers associated with Socks5Systemz, located in Europe, serving various purposes such as a proxy bot, backconnect, custom DNS, and proxy check online.
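As an added illustration (not from the original report or from BitSight), the following rule scans constructed Sysmon-style network-connection events for the two observable details the write-up gives: an outbound TCP connection on port 1074 and a process image named previewer.exe. The port alone is a weak signal, so the rule rates it medium and only raises a high-severity alert when both details coincide.

```python
import ntpath

SUSPECT_IMAGE = "previewer.exe"   # dropped file named in the report
SUSPECT_PORT = 1074               # backconnect port reported for the botnet

# Constructed events (not real telemetry), shaped loosely like Sysmon Event ID 3.
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Users\u\AppData\Local\Temp\previewer.exe",
     "initiated": True, "dst_ip": "203.0.113.7", "dst_port": 1074, "proto": "tcp"},
    {"host": "ws-02", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "initiated": True, "dst_ip": "198.51.100.9", "dst_port": 443, "proto": "tcp"},
    {"host": "ws-03", "image": r"C:\Tools\previewer.exe",
     "initiated": True, "dst_ip": "10.0.0.5", "dst_port": 445, "proto": "tcp"},
    {"host": "ws-04", "image": r"C:\Windows\System32\svchost.exe",
     "initiated": False, "dst_ip": "192.0.2.4", "dst_port": 1074, "proto": "tcp"},
    {"host": "ws-05", "image": r"C:\Windows\Temp\updater.exe",
     "initiated": True, "dst_ip": "192.0.2.44", "dst_port": 1074, "proto": "tcp"},
]


def detect_socks5systemz(events):
    """Return one alert dict per suspicious outbound TCP connection.

    Inbound connections (initiated == False) are skipped: the reported behaviour is
    the bot reaching out to a backconnect server, not listening for connections.
    """
    alerts = []
    for ev in events:
        if ev.get("proto") != "tcp" or not ev.get("initiated"):
            continue
        reasons = []
        # ntpath handles Windows-style paths regardless of the analysis host OS.
        if ntpath.basename(ev["image"]).lower() == SUSPECT_IMAGE:
            reasons.append(f"process image is {SUSPECT_IMAGE}")
        if ev["dst_port"] == SUSPECT_PORT:
            reasons.append(f"outbound connection to {SUSPECT_PORT}/tcp")
        if not reasons:
            continue
        alerts.append({
            "host": ev["host"],
            "dst": f'{ev["dst_ip"]}:{ev["dst_port"]}',
            "severity": "high" if len(reasons) == 2 else "medium",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_socks5systemz(SAMPLE_EVENTS):
        print(alert)
```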
LinkedIn Data Leak: USDoD Hacker Exposed Personal Details of 35M Users
A hacker, known by the alias USDoD, leaked a LinkedIn database containing the personal information of over 35 million users on the hacker forum named BreachForums.
The hacker confirmed obtaining the LinkedIn database through web scraping. The allegedly leaked database primarily includes publicly available information from LinkedIn profiles, such as full names and bios. While it contains millions of email addresses, the “leaked” data does not include any passwords.
Troy Hunt of HaveIBeenPwned analyzed over 5 million accounts from the database, determining that it is a mixture of information from various sources, including public LinkedIn profiles, fabricated email addresses, and other sources. Although some data may be fabricated, the individuals, companies, domains, and many of the email addresses are legitimate. The incident raises concerns about the potential impact, especially for high-ranking US government officials and institutions.
You can read more about the incident and the USDoD hacker on our blog post: Unmasking USDoD, The Enigma of the Cyber Realm
Perry Johnson & Associates (PJ&A) Medical Transcription Service Faced Major Data Breach
A significant data breach occurred at PJ&A, a medical transcription service based in the U.S. The breach impacted close to 9 million patients.
The cyberattack, which began as early as March 2023, was disclosed in a filing with the U.S. Department of Health and Human Services. PJ&A revealed that the stolen data included patient names, dates of birth, addresses, medical record and hospital account numbers, admission diagnoses, dates and times of service, and some Social Security numbers (SSNs). Additionally, insurance and clinical information from medical transcription files, such as laboratory and diagnostic testing results, medications, treatment facilities, and healthcare providers’ names, was compromised.
Northwell Health and Cook County Health, customers of PJ&A, have confirmed the impact on their patients, with 3.89 million and 1.2 million affected, respectively.
OpenAI Targeted in DDoS Attacks by Anonymous Sudan
The DDoS attack on OpenAI was one of the major incidents that garnered great attention during November 2023.
OpenAI faced a DDoS attack, with evidence of the incident surfacing on SkyNet’s Telegram channel, a known DDoS provider. The attack was initiated by Anonymous Sudan, specifically targeting the OpenAI login portal.
It is important to note that Anonymous Sudan threat actors had conducted a “test attack” on OpenAI, in June. Furthermore, these attacks came shortly after OpenAI DevDay, held in San Francisco on November 6, 2023. Anonymous Sudan persisted with attacks in the following days, demanding acknowledgment of their involvement. Although OpenAI acknowledged the cyberattacks, they did not officially attribute them to Anonymous Sudan.
Later on, the threat actor claimed to possess an exploit that is capable of bypassing Cloudflare protection, enabling attackers to easily bring down any Cloudflare-protected website with as little as 10K requests per second. This exploit, or vulnerability, was available for purchase at $5,000. The actor also started to openly endorse the DDoS provider (which they used in OpenAI attacks) on the official Anonymous Sudan Telegram channel.
In other news, OpenAI CEO Sam Altman, recognized for leading the development of technologies like ChatGPT and DALL-E, was dismissed. The company’s CTO served as interim CEO in Altman’s absence, while Anonymous Sudan boldly asserted its influence, claiming that Sam Altman’s firing from OpenAI was a result of his inability to protect ChatGPT from their DDoS attacks.
Nevertheless, Altman has returned to OpenAI, and the threat actors’ claims proved false.
According to the latest news, the threat group known as “Termux Israel” has commented on these recent attacks, stating that Anonymous Sudan targeted OpenAI because of the company’s collaboration with Israel, causing “minor disruptions.” Following that, Termux Israel threatened to shut down Anonymous Sudan’s Telegram channel.
McLaren Health Care Data Breach Exposed 2.2M Individuals
McLaren Health Care has confirmed that the sensitive personal information of approximately 2.2 million individuals has been affected in a data breach. The breach occurred between late July and August, with suspicious activity detected on August 22, 2023.
Potentially impacted files were reviewed, confirming the inclusion of certain individuals’ data, leading to the disclosure of the breach to the Maine Attorney General.
Exposed information varies by individual and may include some combination of names, Social Security numbers, health insurance information, dates of birth, and medical information, including billing information, diagnosis, physician information, medical record number, Medicare/Medicaid information, prescription/medication information, and diagnostic and treatment information.
The company notified U.S. authorities and affected individuals, and secured its network. McLaren recommends that impacted individuals remain vigilant and monitor their financial statements, and provides identity theft protection services.
In early October 2023, the ALPHV/BlackCat ransomware group claimed responsibility for the breach, accusing McLaren of attempting to cover it up. The group added McLaren to its list of victims and asserted ongoing access to the organization’s network.
Poloniex Cryptocurrency Platform Lost Over $100M to Hackers
Hackers stole over $100 million from the cryptocurrency trading platform Poloniex, taking Bitcoin and Ethereum. Poloniex confirmed the theft and pledged to fully reimburse affected users. In an unusual move, the platform offered a 5% bounty to the hacker in exchange for returning the funds, urging a response within 7 days before involving law enforcement.
The company faced criticism for its lax customer controls and trading of dubious coins. The crypto entrepreneur behind Poloniex, Justin Sun, assured users that Poloniex maintains a healthy financial position, successfully identifying and freezing a portion of the hacker’s assets. Estimates of the stolen amount varied, with different security firms putting the losses between $114 million and $130 million, including Ethereum, TRX, and Bitcoin.
Crypto security experts noted that this incident follows a trend of headline-grabbing attacks, such as those on Exactly Protocol and Harbor Protocol in August, in which millions of dollars’ worth of coins were stolen.
Ethereum ‘Create2’ Function Abused: $60M Stolen from 99,000 Victims
Malicious actors exploited Ethereum’s ‘Create2’ function, circumventing wallet security alerts and pilfering $60 million in cryptocurrency from 99,000 victims over six months, as reported by Web3 anti-scam experts at ‘Scam Sniffer.’ Create2, an opcode introduced in Ethereum’s ‘Constantinople’ upgrade, facilitates the creation of smart contracts, offering flexibility but also introducing security implications.
Create2 abuse involves generating contract addresses without a history of malicious transactions, bypassing security alerts. Victims, tricked into signing a malicious transaction, have assets transferred to a pre-calculated address, irreversibly losing their funds. Address poisoning, another form of abuse, creates addresses similar to legitimate ones, deceiving users into sending assets to threat actors.
Since August 2023, Scam Sniffer recorded 11 victims losing nearly $3 million, with one victim transferring $1.6 million to a deceptive address. In early August 2023, a Binance operator mistakenly sent $20 million to scammers who employed the ‘address poisoning’ trick but noticed the error quickly and froze the recipient’s address.
Scammers use lookalike addresses, akin to clipboard-hijacking malware tactics, increasing the chances of successful deception. Earlier in 2023, MetaMask issued a warning about scammers using freshly generated addresses that match the victim’s recent transactions. When performing cryptocurrency transactions, it is always recommended to verify the recipient’s address thoroughly before approving it.
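The recommendation above, turned into a concrete check, as an added example that is not part of the original post or of any wallet software: a recipient address is compared in full against a trusted address book, and any entry that matches only the leading and trailing hex digits (the part most wallet UIs display) is flagged as possible address poisoning. A freshly CREATE2-derived address has no on-chain history, so "have we seen this address before" heuristics cannot help; only a full-string comparison can. The address book below is constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed address book for this example (not real wallets): label -> address
ADDRESS_BOOK: Dict[str, str] = {
    "exchange-deposit": "0x1234abcd000000000000000000000000dead5678",
    "cold-wallet": "0x9f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6",
}


@dataclass
class Verdict:
    status: str            # "trusted", "lookalike" or "unknown"
    label: Optional[str]   # matching address-book entry, if any
    reason: str


def normalize(addr: str) -> str:
    """Lower-case hex without the 0x prefix; rejects anything that is not 20 bytes."""
    a = addr.lower()
    a = a[2:] if a.startswith("0x") else a
    if len(a) != 40 or any(c not in "0123456789abcdef" for c in a):
        raise ValueError(f"not an Ethereum address: {addr!r}")
    return a


def check_recipient(candidate: str, book: Dict[str, str] = ADDRESS_BOOK,
                    head: int = 4, tail: int = 4) -> Verdict:
    """Classify a recipient by comparing the whole address, not just its ends.

    A poisoned address is crafted so that its first `head` and last `tail` hex
    digits match a legitimate one; the characters in between are what differ.
    """
    c = normalize(candidate)
    for label, trusted in book.items():
        t = normalize(trusted)
        if c == t:
            return Verdict("trusted", label, "exact match with address book entry")
        if c[:head] == t[:head] and c[-tail:] == t[-tail:]:
            diff = sum(1 for x, y in zip(c, t) if x != y)
            return Verdict("lookalike", label,
                           f"matches first {head}/last {tail} hex digits of '{label}' "
                           f"but differs in {diff} positions: possible address poisoning")
    return Verdict("unknown", None, "not in address book; verify out of band")


if __name__ == "__main__":
    # Constructed poisoned address: same ends as 'exchange-deposit', different middle.
    print(check_recipient("0x1234abcd111111111111111111111111dead5678"))
```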
Truepill Data Breach Impacted 2.36M Patients
Truepill, a virtual pharmacy and mail-order prescription drug firm based in the U.S., reported a data breach affecting approximately 2.36 million patients. The breach, discovered on August 30, involved threat actors gaining access to a subset of files used for pharmacy management and fulfillment services.
At least six proposed federal class action lawsuits have been filed against Truepill, alleging negligence and failure to comply with federal regulations, including HIPAA and the Federal Trade Commission Act, along with California state privacy laws.
The compromised files included patient names, medication types, demographic information, and/or prescribing physician names. Fortunately, Social Security numbers were not affected, as the company does not handle this information.
Truepill promptly collaborated with cybersecurity experts to secure its IT environment, but investigations revealed that attackers had accessed the files between August 30 and September 1. In response, the company is bolstering its security protocols, enhancing technical safeguards, and providing additional cybersecurity awareness training to employees.
Welltok Data Breach Affected 8.5M Patients
Welltok, a healthcare SaaS provider, disclosed a data breach affecting nearly 8.5 million U.S. patients. The breach occurred on July 26, 2023, when the MOVEit Transfer server was compromised despite prompt application of security updates.
Patient data, including full names, email addresses, physical addresses, and telephone numbers, was exposed. Some individuals also had sensitive information like Social Security Numbers, Medicare/Medicaid ID numbers, and certain Health Insurance details compromised. The breach impacted institutions across multiple states, including Minnesota, Alabama, Kansas, North Carolina, Michigan, Nebraska, Illinois, and Massachusetts.
The breach’s confirmed impact is reported to be 8,493,379 people, making it the second-largest MOVEit data breach after Maximus, which affected 11 million individuals.
KyberSwap Cyberattack Resulted in $54.7M Cryptocurrency Theft
KyberSwap revealed a cyberattack resulting in the theft of approximately $54.7 million worth of cryptocurrency.
The attackers employed a ‘complex sequence of actions’ to facilitate exploitative swaps, enabling the withdrawal of users’ funds into their wallets. The company, claiming to be facing one of the most sophisticated incidents in DeFi history, paused deposits, initiated an investigation, and engaged in negotiations with the attackers to recover funds. As part of the effort, a 10% bounty was offered as an incentive for the safe return of exploited funds.
Okta Security Breach Impacted All Users of Customer Support System
Okta’s recent security breach in October impacted all users of the Customer Support System, including some Okta employees, contrary to the company’s initial assessment.
Threat actors accessed a customer report containing the user names, company names, and mobile phone numbers of all users of the Okta Customer Support System, although most fields were blank. For over 99% of the listed customers, the compromised information was limited to full names and email addresses.
While the company initially reported a 1% impact, the actual extent was revealed to be significantly larger. The breach affects all Okta Workforce Identity Cloud and Customer Identity Solution customers, except those in the FedRAMP High and DoD IL4 environments.
Though there is no evidence of active exploitation, Okta warned of heightened phishing and social engineering risks, urging customers to implement robust Multi-Factor Authentication (MFA). The focus is particularly on Okta administrators, emphasizing the critical need for MFA to safeguard both the support system and Okta admin consoles.
Learn more about the Okta Support System breach in our blog post: Security Breach in Okta Support System Continues Sparking Concerns
Dollar Tree Was Breached: Nearly 2M Individuals Affected
Dollar Tree faced a third-party data breach affecting nearly 2 million individuals due to a hack at service provider Zeroed-In Technologies. The incident occurred between August 7 and 8, 2023, with personal information of Dollar Tree and Family Dollar employees being compromised, including names, dates of birth, and Social Security numbers (SSNs).
While the extent of the accessed files could not be fully confirmed, Zeroed-In is offering affected individuals a twelve-month identity protection and credit monitoring service. The breach also potentially impacted other Zeroed-In customers, though confirmation is pending. A Family Dollar spokesperson stated that Zeroed-In informed them of the security incident, which affects both current and former employees.
Enhancing Cybersecurity Defenses with SOCRadar XTI
Leverage SOCRadar Extended Threat Intelligence, equipped with advanced monitoring algorithms. It actively tracks threat actors, malware, vulnerabilities, and associated trends, delivering timely insights on emerging issues. The platform seamlessly integrates asset monitoring and real-time alerts, providing actionable intelligence. This empowers organizations to proactively secure themselves against potential threats, elevating their overall cybersecurity defenses.
Sign up for SOCRadar Freemium to stay vigilant against the evolving cyber threats and enhance your overall security posture.