.png)
Global pharmaceutical solutions provider, Cencora, announced a significant cybersecurity breach on February 21, as disclosed in a filing with the Securities and Exchange Commission (SEC). The breach resulted in unauthorised access and exfiltration of personal information from the company's systems. The precise nature of the stolen data, including whether it pertains to employees or customers, remains unspecified. In response, Cencora has initiated containment measures and launched a comprehensive investigation, engaging law enforcement and external cybersecurity specialists. Despite the breach, the company reports no material impact on its operational capabilities or information systems. The incident's potential effect on Cencora's financial status or operational outcomes is still under evaluation.
Risk:
The breach poses significant risks, particularly regarding the potential exposure of sensitive personal information. This incident highlights the broader threat landscape facing the healthcare sector, which is increasingly targeted by cybercriminals, including ransomware attacks. Although no ransomware group has claimed responsibility, the breach's nature underscores the persistent vulnerability of healthcare entities, especially those not directly involved in providing medical services. The high-profile status of Cencora, with its extensive employee base and substantial annual revenue, further amplifies these risks, making it an attractive target for financially motivated attackers.
Recommendations:
Vigilance Against Phishing: Individuals associated with Cencora should be on high alert for phishing attempts. Cybercriminals often use stolen personal information to craft convincing phishing emails.
Monitor Financial and Credit Reports: Potential exposure of personal data warrants close monitoring of financial accounts and credit reports for unusual activities or unauthorised transactions.
Use of Strong, Unique Passwords: It is advisable to change passwords for accounts associated with Cencora and ensure each account has a strong, unique password.
Enable Multi-Factor Authentication (MFA): Where available, activating MFA provides an additional security layer, making unauthorised access more challenging.
Stay Informed on the Breach: Follow updates from Cencora regarding the breach. The company may offer services such as credit monitoring or identity theft protection to affected individuals.
Educate on Cybersecurity Best Practices: Awareness and education on cybersecurity hygiene can mitigate the risk of falling victim to secondary attacks leveraging stolen data.
A newly discovered phishing kit, dubbed CryptoChameleon, has been specifically designed to target users of well-known cryptocurrency services, executing attacks primarily on mobile devices. This kit enables attackers to replicate single sign-on pages of major cryptocurrency platforms like Binance, Coinbase, Gemini, Kraken, and others, employing a mix of email, SMS, and voice phishing techniques. The goal is to deceive users into revealing sensitive information, such as usernames, passwords, password reset URLs, and even photo IDs, affecting hundreds of victims, predominantly in the United States.
CryptoChameleon's strategy includes crafting phishing pages that mimic legitimate login screens, complete with CAPTCHA tests to evade automated detection tools. The phishing attempts have been notably successful against employees of the Federal Communications Commission (FCC) and users of various cryptocurrency platforms. Attackers distribute these phishing pages through unsolicited communications, posing as customer support to address a purported account hack, further asking victims for two-factor authentication codes or to "wait" while verifying information.
This attack kit also allows for customisation, including tailoring phishing pages with victims' phone number details and choosing between a six or seven-digit token request, enhancing the illusion of legitimacy. The one-time passwords provided by victims are then used by attackers to gain unauthorised access to accounts. Lookout's report highlights that CryptoChameleon employs tactics similar to those of known threat actor groups, indicating a trend of successful phishing strategies being adopted and adapted among cybercriminals.
The rise of CryptoChameleon coincides with the increasing popularity of phishing-as-a-service (PhaaS) platforms, such as LabHost, which target financial institutions with sophisticated tools for capturing credentials and two-factor authentication codes. This evolution in phishing techniques underscores the critical need for vigilance and advanced security measures among cryptocurrency users and financial institutions alike.
Risk:
The CryptoChameleon phishing kit represents a significant threat to individual and organisational cybersecurity, especially within the cryptocurrency sector. By leveraging a combination of communication channels and creating highly convincing phishing sites, attackers can bypass traditional security measures like CAPTCHA and two-factor authentication (2FA), leading to unauthorised access to personal and financial accounts. The ability to customise phishing pages with personal details such as phone numbers increases the success rate of these attacks, posing a considerable risk of financial loss and identity theft.
Recommendations:
Exercise Caution with Unsolicited Communications: Be sceptical of unexpected emails, SMS, or voice calls, especially those requesting personal information or action related to account security.
Verify Contact Authenticity: Directly contact the company through official channels if you receive a suspicious communication purportedly from a service provider.
Use Advanced Authentication Methods: Where possible, utilise advanced 2FA methods, such as biometric verification or physical security keys, which are less susceptible to phishing attacks.
Educate on Phishing Tactics: Familiarise yourself with the latest phishing techniques, including those used in the CryptoChameleon campaign, to better recognize and avoid fraudulent attempts.
Monitor Account Activity: Regularly check your accounts for unauthorised access or transactions, especially if you suspect you've interacted with a phishing attempt.
Implement Security Software: Use reputable cybersecurity software that offers real-time protection against phishing and other cyber threats.
Report Phishing Attempts: Notify the affected service provider and relevant authorities about any phishing attempts to help prevent further attacks.
The emergence of the CryptoChameleon phishing kit underscores the evolving sophistication of cyber threats, especially in the cryptocurrency domain. Individuals and organisations should adopt a proactive and informed approach to cybersecurity, incorporating both technical safeguards and heightened awareness of phishing tactics, to mitigate the risks posed by such advanced attacks.
The Five Eyes intelligence alliance has released a cybersecurity warning regarding the exploitation of vulnerabilities within Ivanti Connect Secure and Ivanti Policy Secure gateways. The warning specifically points out that the Integrity Checker Tool (ICT) deployed by Ivanti may fail to accurately detect compromises, enabling attackers to maintain root-level access even after device resets.
As of January 10, 2024, Ivanti has acknowledged five security flaws in its products, with four being actively exploited by threat actors to introduce malware:
CVE-2023-46805: An authentication bypass issue in a web component.
CVE-2024-21887: A command injection flaw in a web component.
CVE-2024-21888: A privilege escalation issue in a web component.
CVE-2024-21893: An SSRF vulnerability in the SAML component.
CVE-2024-22024: An XXE vulnerability in the SAML component.
Mandiant's recent report unveils the placement of a malware variant named BUSHWALK in directories ICT does not scan, circumventing detection measures. Furthermore, Eclypsium's findings indicate that ICT overlooks scanning certain directories, potentially allowing backdoors to remain undetected.
Risk:
The active exploitation of these vulnerabilities poses a substantial risk, as attackers can gain persistent, unauthorised access to affected systems. This threat is exacerbated by the ICT's inability to fully detect such compromises, challenging the security posture of organisations utilising Ivanti gateways.
Recommendations:
Comprehensive Security Review: Organisations should conduct a thorough security assessment of Ivanti gateways to identify potential compromises.
Update and Patch Management: Ensure all Ivanti products are updated promptly to mitigate known vulnerabilities. Prioritise the application of patches for the vulnerabilities listed above.
Enhanced Monitoring and Detection: Implement advanced monitoring and detection strategies to identify suspicious activities indicative of a compromise.
Reconsider Use of Affected Devices: Assess the risks associated with continuing the operation of Ivanti Connect Secure and Ivanti Policy Secure gateways within your network. Consider alternatives if the risk is deemed too high.
Educate Staff: Raise awareness among IT staff and users about these vulnerabilities and the importance of vigilance in detecting phishing attempts or unusual system behaviour.
Follow Ivanti Updates: Stay informed about Ivanti's security updates and the forthcoming ICT version, which promises improved visibility and detection capabilities.
*Subscribe to our newsletter
.svg)
.png)
.png)