European Investment Bank Suffers Cyberattack

Every week, Information Security Media Group rounds up cybersecurity incidents around the world. This week, attackers hit European Investment Bank; a California pensioners’ fund suffered a cyberattack related to MOVEit; UPS Canada disclosed a data breach; and a new Android malware campaign spread GravityRAT spyware.

See Also: OnDemand Webinar | Learn Why CISOs Are Embracing These Top ASM Use Cases Now

EIB Confirms Outage Caused by Cyberattack

The European Investment Bank fell victim to a cyberattack this week as hackers successfully infiltrated the company’s systems. This incident coincided with threats from Russian hackers indicating their intentions to destabilize Western financial markets.

On Monday, the EIB took to Twitter to confirm the ongoing cyberattack, revealing that the firm’s websites, eib.org and eif.org, had been experiencing severe availability issues. The attack rendered the bank’s website completely inaccessible, while the European Investment Fund’s website, which is responsible for aiding small and medium-sized businesses with financial accessibility, remained functional but displayed noticeable alterations.

The EIB, headquartered in Luxembourg City, serves as the development bank for the European Union. With a workforce exceeding 3,000 employees and a balance sheet surpassing 500 billion euros, the institution plays a pivotal role in supporting economic growth within the region.

This cyberattack occurred shortly after Russian-speaking hackers had issued warnings, expressing their intent to target Western financial institutions due to their perceived support for Ukraine.

The California Public Employees’ Retirement System become the latest state government agency to suffer from the fallout of a cyberattack triggered by the compromise of MOVEit, a widely used file transfer software product, by the Clop ransomware group, which exploited a zero-day vulnerability in MOVEit.

CalPERS’ third-party vendor, PBI Research Services, notified the largest public employee pension fund in the United States on June 6 about the breach. Unauthorized access allowed an individual to download sensitive data from the pension fund, including personal information such as names, birthdates and Social Security numbers. PBI Research assists CalPERS in managing enrollees’ information to ensure accurate payments and prevent overpayments. The attack did not affect CalPERS’ internal IT systems, and regular payments remained functional.

CalPERS serves over 2 million active members, comprising current and retired state workers and teachers and has assets totaling approximately $440 billion as of June 2022. The breach primarily affected retired members and their spouses, and CalPERS is in the process of informing them about the incident.

Progress Software’s MOVEit software has been widely adopted by public and private organizations globally. Progress Software subsequently revealed two additional vulnerabilities and issued several patches to address the security flaws.

Clop has been publicizing data stolen from some private sector victims on its extortion site, but it said it refraining from publishing data obtained from government agencies.

UPS Canada Discloses Data Breach

Multinational shipping company UPS Canada mailed a data breach notification to its Canadian customers.

Between February 2022 and April 2023, UPS networks were infiltrated by unauthorized access, giving the hacker access to delivery information and potentially customers’ phone numbers. This breach enabled malicious actors to engage in activities such as smishing by using the obtained phone numbers.

Android GravityRAT

Eset researchers found that a new Android malware campaign is spreading the latest version of GravityRAT by masquerading as chat apps. The malware, active since August 2022, uses a Trojanized chat app called BingeChat to infiltrate mobile devices and target WhatsApp backup files. These backups, intended to facilitate data transfer between devices, can contain unencrypted sensitive information, including text and media files.

GravityRAT, which is operated by the SpaceCobra group, emerged in 2015 but began focusing on Android in 2020. In the latest campaign, the malicious app is distributed through bingechat.net and relies on invitation-based registration, making it challenging for analysis. BingeChat requests various permissions upon installation, posing as a standard instant messaging app. Before registration, it sends call logs, contacts, messages, device location and basic information to the threat actor’s command-and-control server. It also steals media and document files, including WhatsApp backups with file extensions such as crypt14 and crypt32.

Asus Issues Patch for Highly Critical Wi-Fi Router Flaws

Taiwanese computer hardware manufacturer Asus on Monday issued urgent firmware updates for vulnerabilities found in its Wi-Fi router products and warned users of remote code execution attacks.

The firmware update includes fixes for nine security flaws, some of which are classified as having “high” or “critical” severity. Among the critical vulnerabilities are CVE-2022-26376, a critical memory corruption weakness in the Asuswrt firmware that could lead to denial-of-service attacks or code execution, and CVE-2018-1160, an out-of-bounds write Netatalk vulnerability that can enable arbitrary code execution on unpatched devices.

The affected router models encompass a range of devices including GT6, GT-AXE16000, GT-AX11000 PRO, GT-AX6000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000 and TUF-AX5400. Users are advised to promptly update their routers to mitigate the security risks associated with these vulnerabilities.

Iowa School District Confirms Ransomware Attack

Iowa’s largest school district, Des Moines Public Schools, on Monday confirmed a ransomware attack that triggered a shutdown of network systems on Jan. 9, 2023. The school received a ransom demand but has not paid the hackers.

The school district will be contact closing to 6,700 individuals whose data was affected by the breach.

The attack resulted in the cancellation of all classes for several days starting Jan. 10, after internet and network services were taken offline during the investigation.

“The cyberattack against DMPS included a ransom demand. No ransom has been or will be paid in response to this attack based on the advice of our cybersecurity experts and what is in the best interest of the school district and community,” Des Moines Public Schools said.

Other Coverage From Last Week