New Malware Leaves Victims Anywhere but on Cloud9. Unhappy Campers. Medibank Hackers Publish Highly Sensitive Patient Data.

Posted on November 11th, 2022.

At a glance.

• New malware leaves victims anywhere but on Cloud9.
• Unhappy campers.
• Medibank hackers publish highly sensitive patient data.

New malware leaves victims anywhere but on Cloud9.

Researchers at security firm Zimperium have discovered a previously undocumented malware strain that masquerades as an extension for Chromium-based web browsers. Dubbed Cloud9, the malicious extension not only steals the user’s data by harvesting cookies, clipboard data, and keystrokes, but it can also assume complete control over a compromised machine, enlisting it into a botnet to mine crypto and even carry out DDoS attacks. The malware is not available on any official browser extension store, but is instead distributed through threat actor communities. Cybercriminals then deliver Cloud9 to victims through various methods, the most popular of which is side-loading the extension through fake executables and malicious websites disguised as Adobe Flash Player updates. As the Hacker News explains, The malware has been linked to the Keksec malware group (aka Kek Security, Necro, and FreakOut), which is infamous for its DDoS and mining-based malware and botnets. Because it’s JavaScript-based and is either offered for free or sold for a small fee, Cloud9 is easily available to novice cybercriminals looking for a cheap attack method. In his report, Zimperium researcher Nipun Gupta warned, "Users should be trained on the risks associated with browser extensions outside of official repositories, and enterprises should consider what security controls they have in place for such risks.”

Unhappy campers.

CWGS Group, owner of recreational vehicle retail stores Camping World and Good Sam, has disclosed a data breach in which an unauthorized party gained access to sensitive customer data, JDSupra reports. According to the company’s filing with the Massachusetts Attorney General, CWGS first detected suspicious activity within its computer system on February 9, 2022. After securing its systems, the company launched an investigation that revealed an intruder had accessed CWGS’s systems between January 14 and February 13. The compromised data include names, dates of birth, Social Security numbers, driver’s license and government ID numbers, tax ID numbers, payment card and financial account numbers, digital and electronic signatures, and login credentials. Though CWGS completed its review of the impacted data in July, it waited until November 7 to notify the victims, stating that public disclosure of the breach was delayed under advisement from law enforcement. 

Medibank hackers publish highly sensitive patient data.

Another day, another development in the breach of Medibank, Australia’s leading insurance provider. Following the advice of cyber experts, Medibank refused the attackers’ ransom demand of $10 million, and TechCrunch reports that threat actors connected to the Russian-speaking REvil ransomware gang yesterday began publishing records stolen in the breach, including customers’ names, birth dates, passport numbers, and information on medical claims. The thieves separated the data sample into “good” and “naughty” lists, with the latter including diagnosis codes linking victims to drug addiction, alcohol abuse, and HIV. 

Then this morning, BBC News reports the thieves released a separate file exposing data on customers’ pregnancy terminations. Medibank CEO David Koczkar has urged the public not to seek out the files, stating, "These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care." It’s rumored the leaked data include info on high-profile Australians (Prime Minister Anthony Albanese has stated he is a Medibank customer), and screenshots show negotiation correspondence between the ransomware group and Koczkar. Although Medibank spokesperson Liz Green stated, “Based on our investigation to date into this cybercrime we currently believe the criminal did not access credit card and banking details,” the negotiation dialogue suggests the threat actors plan to leak “keys for decrypting credit cards.”

Sam Curry, Chief Security Officer at Cybereason, wrote with contempt of the extortionists' release of medical data:

"The latest news about data leaks involving Medibank’s customers dealing with serious addictions is a gutless and spineless move by this band of hackers. It’s interesting to learn that Medibank didn’t have cyber insurance, but overall, no insurance can put the data back and erase the leakage or undo the harm caused by arrogant, judgmental hackers who have decided to dox patients in pain, seeking help and trying to fix their lives. There's nothing remotely cute with what the hackers are doing as the greedy cowards hide behind the inherent anonymity of the internet.

"There will undoubtedly be lessons to learn from what Medibank and their patients are going through, but only time will tell what these are. The hackers here are proving themselves to be vile and greedy, hiding behind anonymity. Medibank is in the hot seat and has the hardest of decisions to make. We will be able to tell after if they made the right decisions, but let's not play Monday morning quarterback. Some mistakes are forgive-able in the heat of the moment, and should be distinguished from errors in character or motivation. So far, Medibank looks to be trying to do the right things and deserves the benefit of the doubt and the public should seek to avoid bayonetting the wounded until the dust settles.

"While it now looks like the hackers breached Medibank many weeks ago, there isn't a big screen that's green and suddenly turns red when a compromise happens. Dwell time is not an indication of incompetence, and no one should read anything into a longer dwell time alone. Instead, it is very much an indication of how low, slow and hard to detect the attackers can be. It is their goal to spread incredibly stealthily and to time their attack on their timetable, not the defenders."

Text and image source: The Cyber Wire.