Community Health Center (CHC), a leading Connecticut healthcare provider, is notifying over 1 million patients of a data breach that impacted their personal and health data.

The non-profit organization provides primary medical, dental, and mental health services to more than 145,000 active patients.

CHC said in a Thursday filing with Maine’s attorney general that unknown attackers gained access to its network in mid-October 2024, a breach discovered more than two months later, on January 2, 2025.

While the threat actors stole files containing patients’ personal and health information belonging to 1,060,936 individuals, the healthcare organization says they didn’t encrypt any compromised systems and that the security breach didn’t impact its operations.

[…]

Depending on the affected patient, the attackers stole a combination of:

• personal (names, dates of birth, addresses, phone numbers, emails, Social Security numbers) or
• health information (medical diagnoses, treatment details, test results, and health insurance.

A CHC spokesperson was not immediately available when BleepingComputer reached out for more details on the incident.

While CHC said the hackers didn’t encrypt any of its systems, more ransomware operations have switched tactics to become data theft extortion groups in recent years.

[…]

In response to this surge of massive healthcare security breaches, the U.S. Department of Health and Human Services (HHS) proposed updates to HIPAA (short for Health Insurance Portability and Accountability Act of 1996) in late December to secure patients’ health data.

Source: US healthcare provider data breach impacts 1 million patients

Someone has been quietly backdooring selected Juniper routers around the world in key sectors including semiconductor, energy, and manufacturing, since at least mid-2023.

The devices were infected with what appears to be a variant of cd00r, a publicly available “invisible backdoor” designed to operate stealthily on a victim’s machine by monitoring network traffic for specific conditions before activating.

It’s not yet publicly known how the snoops gained sufficient access to certain organizations’ Junos OS equipment to plant the backdoor, which gives them remote control over the networking gear. What we do know is that about half of the devices have been configured as VPN gateways.

Once injected, the backdoor, dubbed J-magic by Black Lotus Labs this week, resides in memory only and passively waits for one of five possible network packets to arrive. When one of those magic packet sequences is received by the machine, a connection is established with the sender, and a followup challenge is initiated by the backdoor. If the sender passes the test, they get command-line access to the box to commandeer it.

As Black Lotus Labs explained in this research note on Thursday: “Once that challenge is complete, J-Magic establishes a reverse shell on the local file system, allowing the operators to control the device, steal data, or deploy malicious software.”

While it’s not the first-ever discovered magic packet [PDF] malware, the team wrote, “the combination of targeting Junos OS routers that serve as a VPN gateway and deploying a passive listening in-memory-only agent, makes this an interesting confluence of tradecraft worthy of further observation.”

[…]

The malware creates an eBPF filter to monitor traffic to a specified network interface and port, and waits until it receives any of five specifically crafted packets from the outside world. If one of these magic packets – described in the lab’s report – shows up, the backdoor connects to whoever sent the magic packet using SSL; sends a random, five-character-long alphanumeric string encrypted using a hardcoded public RSA key to the sender; and if the sender can decrypt the string using the private half of the key pair and send it back to the backdoor to verify, the malware will start accepting commands via the connection to run on the box.

[…]

These victims span the globe, with the researchers documenting companies in the US, UK, Norway, the Netherlands, Russia, Armenia, Brazil, and Colombia. They included a fiber optics firm, a solar panel maker, manufacturing companies including two that build or lease heavy machinery, and one that makes boats and ferries, plus energy, technology, and semiconductor firms.

While most of the targeted devices were Juniper routers acting as VPN gateways, a more limited set of targeted IP addresses had an exposed NETCONF port, which is commonly used to help automate router configuration information and management.

This suggests the routers are part of a larger, managed fleet such as those in a network service provider, the researchers note.

[…]

Source: Mysterious backdoor found on select Juniper routers • The Register

A Volkswagen software subsidiary called Cariad experienced a massive data leak that left 800,000 EV owners exposed, according to reporting by the German publication Spiegel Netzwelt. The leak allowed personal information to be left online for months, including movement data and contact information.

This included precise location data for 460,000 vehicles made by VW, Seat and Audi. According to reports, the information was accessible via the Amazon cloud storage platform.

[…]

VW said in a statement reviewed by the German press agency DPA that the error has since been rectified, so that the information is no longer accessible. Additionally, the company noted that the leak only pertained to location and contact info, as passwords and payment data weren’t impacted. It added that only select vehicles registered for online services were initially at risk

[…]

Source: Huge Volkswagen data leak exposed the locations of 460,000 EV drivers

This article then states that because it required technical expertise to access the locations, you shouldn’t be worried, which is quite frankly a retarded position to take: it is exactly those people with technical expertise that are the ones looking for these vulnerabilities and interested in exploiting them. Location data is extremely sensitive.

Hackers aligned with the Chinese government have infiltrated U.S. telecommunications infrastructure so deeply that it allowed the interception of unencrypted communications on a number of people, according to reports that first emerged in October. The operation, dubbed Salt Typhoon, apparently allowed hackers to listen to phone calls and nab text messages, and the penetration has been so extensive they haven’t even been booted from the telecom networks yet. The Cybersecurity and Infrastructure Security Agency (CISA) issued guidance this week on best practices for protecting “highly targeted individuals,” which includes a new warning (PDF) about text messages.

“Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them. SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals,” the guidance, which has been posted online, reads. Not every service even allows for multi-factor authentication and sometimes text messages are the only option. But when you have a choice, it’s better to use phishing-resistant methods like passkeys or authenticator apps. CISA prefaces its guidance by insisting it’s only really speaking about high-value targets. The telecommunications hack mentioned above has been called the “worst hack in our nation’s history,” according to Sen. Mark Warner (D-VA).

source: Feds Warn SMS Authentication Is Unsafe

The tool, named “EagleMsgSpy,” was discovered by researchers at U.S. cybersecurity firm Lookout. The company said at the Black Hat Europe conference on Wednesday that it had acquired several variants of the spyware, which it says has been operational since “at least 2017.”

Kristina Balaam, a senior intelligence researcher at Lookout, told TechCrunch the spyware has been used by “many” public security bureaus in mainland China to collect “extensive” information from mobile devices. This includes call logs, contacts, GPS coordinates, bookmarks, and messages from third-party apps including Telegram and WhatsApp. EagleMsgSpy is also capable of initiating screen recordings on smartphones, and can capture audio recordings of the device while in use, according to research Lookout shared with TechCrunch.

A manual obtained by Lookout describes the app as a “comprehensive mobile phone judicial monitoring product” that can obtain “real-time mobile phone information of suspects through network control without the suspect’s knowledge, monitor all mobile phone activities of criminals and summarize them.”

[…]

Lookout notes that EagleMsgSpy currently requires physical access to a target device. However, Balaam told TechCrunch that the tool is still being developed as recently as late 2024, and said “it’s entirely possible” that EagleMsgSpy could be modified to not require physical access.

Lookout noted that internal documents it obtained allude to the existence of an as-yet-undiscovered iOS version of the spyware.

Source: Researchers uncover Chinese spyware used to target Android devices | TechCrunch

The Biden administration on Friday hosted telco execs to chat about China’s recent attacks on the sector, amid revelations that US networks may need mass rebuilds to recover.

Details of the extent of China’s attacks came from senator Mark R Warner, who on Thursday gave both The Washington Post and The New York Times insights into info he’s learned in his role as chair of the Senate Intelligence Committee.

Warner told the Post, “my hair is on fire,” given the severity of China’s attacks on US telcos. The attacks, which started well before the US election, have seen Middle Kingdom operatives establish a persistent presence – and may require the replacement of “literally thousands and thousands and thousands” of switches and routers.

The senator added that China’s activities make Russia-linked incidents like the SolarWinds supply chain incident and the ransomware attack on Colonial Pipeline look like “child’s play.”

Warner told The Times the extent of China’s activity remains unknown, and that “The barn door is still wide open, or mostly open.”

The senator, a Democrat who represents Virginia, also confirmed previously known details, claming it was likely Chinese state employees could listen to phone calls – including some involving president-elect Donald Trump – perhaps by using carriers’ wiretapping capabilities. He also said attackers were able to steal substantial quantities of data about calls made on networks.

[…]

Source: China’s telco attacks mean ‘thousands’ of boxes compromised • The Register

A critical zero-day vulnerability in Palo Alto Networks’ firewall management interface that can allow an unauthenticated attacker to remotely execute code is now officially under active exploitation.

According to the equipment maker, the vulnerability requires no user interaction or privileges to exploit, and its attack complexity is deemed “low.” There’s no CVE number assigned to the flaw, which received a 9.3 out of 10 CVSSv4.0 rating, and currently has no patch.

Exploitation potentially allows a miscreant to take control of a compromised firewall, providing further access into a network. That said, the intruder must be able to reach the firewall’s management interface, either internally or across the internet.

Palo Alto Networks earlier urged network hardening of its products – recommending locking off access to the interface, basically – after learning of an unverified, mystery remote code execution (RCE) flaw in its devices’ PAN-OS some days ago. But in a late Thursday update, it confirmed it “has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the internet.”

Because of this, customers must “immediately” make sure that only trusted, internal IPs can access the management interface on their Palo Alto firewall systems — and cut off all access to the interface from the open internet.

[…]

Source: Mystery Palo Alto Networks 0-day RCE now actively exploited • The Register

What’s claimed to be more than 183 million records of people’s contact details and employment info has been stolen or otherwise obtained from a data broker and put up for sale by a miscreant.

The underworld merchant, using the handle KryptonZambie, has put a $6,000 price tag on the information in a cybercrime forum posting. They are offering 100,000 records as a sample for interested buyers, and claim the data as a whole includes people’s corporate email addresses, physical addresses, phone numbers, names of employers, job titles, and links to LinkedIn and other social media profiles.

We believe this information is already publicly available, and was gathered up by a data-broker called Pure Incubation, now called DemandScience. That biz told us it was aware of its data being put up for sale, and sought to clarify what had been obtained – business-related contact details that are already out there.

“It is also important to note that we process publicly available business contact information, and do not collect, store, or process consumer data or any type of credential information or sensitive personal information including accounts, passwords, home addresses or other personal, non-business information,” a DemandScience spokesperson said in an email to The Register.

Seems to us this is the circle of data brokerage life. One org scrapes a load of info from the internet to profit from, someone else comes along and gets that info one way or another to profit from, sells it to others to profit from…

[…]

In a subsequent report by HIBP founder and Microsoft regional director Troy Hunt, which includes a screenshot of an email from DemandScience – sent to someone whose info was in the data peddled by KryptonZambie – that blamed the leak on a “system that has been decommissioned for approximately two years.”

[…]

After coming across the pile of data for sale, and hearing from someone whose personal information was swept up in the affair, Hunt said he decided to check whether his own info was included. He did find a decade-old email address and an incorrect job title.

“I’ll be entirely transparent and honest here – my exact words after finding this were ‘motherfucker!’ True story, told uncensored here because I want to impress on the audience how I feel when my data turns up somewhere publicly,” Hunt wrote.

We couldn’t have said it any better ourselves. ®

Source: Business records on 100M+ people swiped, put up for sale • The Register

In October, video game giant Activision said it had fixed a bug in its anti-cheat system that affected “a small number of legitimate player accounts,” who were getting banned because of the bug.

In reality, according to the hacker who found the bug and was exploiting it, they were able to ban “thousands upon thousands” of Call of Duty players, who they essentially framed as cheaters. The hacker, who goes by Vizor, spoke to TechCrunch about the exploit, and told their side of the story.

“I could have done this for years and as long as I target random players and no one famous it would have gone without notice,” said Vizor, who added that it was “funny to abuse the exploit.”

[…]

In 2021, Activision released its Ricochet anti-cheat system, which runs at the kernel level in an attempt to make it even harder for cheat developers to get around it.

Vizor said they were able to find a unique way to exploit Ricochet, and use it against the players it was supposed to protect. The hacker realized Ricochet was using a list of specific hardcoded strings of text as “signatures” to detect hackers. For example, Vizor said, one of the strings was the words “Trigger Bot,” which refers to a type of cheat that automatically triggers a cheater’s weapon when their crosshair is over a target.

Vizor said they could simply send a private message — known as a “whisper” in the game — that included one of these hardcoded strings, such as “Trigger Bot,” and get the player they were messaging banned from the game.

“I realized that Ricochet anti-cheat was likely scanning players’ devices for strings to determine who was a cheater or not. This is fairly normal to do but scanning this much memory space with just an ASCII string and banning off of that is extremely prone to false positives,” said Vizor, referring to how the game was effectively scanning for banned keywords, regardless of context.

[…]

“If you know what signature the anti-cheat is looking for, I find a mechanism to get those bytes in your game process and you get banned,” said the person, who asked to remain anonymous. “I can’t believe [Activision] are banning people on a memory scan of ‘trigger bot.’ That is so incredibly stupid. And they should have been protecting the signatures. That’s amateur hour.”

Apart from random players, Vizor said they targeted some well-known players, too. In the period of time Vizor was using the exploit, some video game streamers posted on X that they had been banned, and then unbanned, once Activision fixed the bug.

The company was alerted of the existence of the bug when Zebleer published details of the exploit on X.

“It was nice to see it get fixed and see unbans,” said Vizor. “I had my fun.”

Source: Hacker says they banned ‘thousands’ of Call of Duty gamers by abusing anti-cheat flaw | TechCrunch

What this article misses is that anti-cheat programs have kernel level access to your system. This means that they are able to not only read anything anywhere on your system, but they are also able to alter whatever they like on your system. It’s not just spyware, but a potential virus or ransomware application just waiting to be hijacked. The ease with which this was exploited shows how dangerous these programs are. Expect more exploits through this route, as they are coded extremely poorly, apparently.

U.S. money transfer giant MoneyGram has confirmed that hackers stole its customers’ personal information and transaction data during a cyberattack last month.

The company said in a statement Monday that an unauthorized third party “accessed and acquired” customer data during the cyberattack on September 20. The cyberattack — the nature of which remains unknown — sparked a week-long outage that resulted in the company’s website and app falling offline.

MoneyGram says it serves over 50 million people in more than 200 countries and territories each year.

In its statement Monday, MoneyGram said its investigation is in its “early stages” and is working to determine which consumers were affected by this issue. The company did not say how many customers might be affected. When reached, MoneyGram spokesperson Sydney Schoolfield did not comment beyond the company’s statement.

The stolen customer data includes names, phone numbers, postal and email addresses, dates of birth, and national identification numbers. The data also includes a “limited number” of Social Security numbers and government identification documents, such as driver’s licenses and other documents that contain personal information, like utility bills and bank account numbers. MoneyGram said the types of stolen data will vary by individual.

MoneyGram said that the stolen data also included transaction information, such as dates and amounts of transactions, and, “for a limited number of consumers, criminal investigation information (such as fraud).”

TechCrunch previously reported that MoneyGram had subsequently notified U.K. data protection regulators of a data breach as required under U.K. law.

Source: MoneyGram says hackers stole customers’ personal information and transaction data | TechCrunch

And… why was this data not encrypted?

[…] A pro-Palestenian hacktivist group called SN_BLACKMETA has taken responsibility for the hack on X and Telegram. “They are under attack because the archive belongs to the USA, and as we all know, this horrendous and hypocritical government supports the genocide that is being carried out by the terrorist state of ‘Israel,’” the group said on X when someone asked them why they’d gone after the Archive.

The group elaborated on its reasoning in a now-deleted post on X. Jason Scott, an archivist at the Archive, screenshotted it and shared it. “Everyone calls this organization ‘non-profit’, but if its roots are truly in the United States, as we believe, then every ‘free’ service they offer bleeds millions of lives. Foreign nations are not carrying their values beyond their borders. Many petty children are crying in the comments and most of those comments are from a group of Zionist bots and fake accounts,” the post said.

SN_BLACKMETA also claimed responsibility for a six-day DDoS attack on the Archive back in May. “Since the attacks began on Sunday, the DDoS intrusion has been launching tens of thousands of fake information requests per second. The source of the attack is unknown,” Chris Freeland, Director of Library Services at the Archive said in a post about the attacks back in May.

SN_BLACKMETA launched its Telegram channel on November 23 and has claimed responsibility for a number of other attacks including a six-day DDoS run at Arab financial institutions and various attacks on Israeli tech companies in the spring.

It’s been a hard year for the Internet Archive. In July, the site went down due to “environmental factors” during a major heat wave in the U.S. Last month it lost an appeal in the lawsuit Hachette and other major publishers launched against it.

“If our patrons around the globe think this latest situation is upsetting, then they should be very worried about what the publishing and recording industries have in mind,” Kahle said in a post about the DDoS attack in May. “I think they are trying to destroy this library entirely and hobble all libraries everywhere. But just as we’re resisting the DDoS attack, we appreciate all the support in pushing back on this unjust litigation against our library and others.”

[…]

Source: Hacktivists Claim Responsibility for Taking Down the Internet Archive

Well done SN_BLACKMETA – you have just played into Israels hands. People who were on the fence about Palestine in the West well definitely now lean towards Israel and away from Palestine 🙁

[…] Today, a group of independent security researchers revealed that they’d found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the Internet-connected features of most modern Kia vehicles—dozens of models representing millions of cars on the road—from the smartphone of a car’s owner to the hackers’ own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any Internet-connected Kia vehicle’s license plate and within seconds gain the ability to track that car’s location, unlock the car, honk its horn, or start its ignition at will.

[…]

The web bug they used to hack Kias is, in fact, the second of its kind that they’ve reported to the Hyundai-owned company; they found a similar technique for hijacking Kias’ digital systems last year. And those bugs are just two among a slew of similar web-based vulnerabilities they’ve discovered within the last two years that have affected cars sold by Acura, Genesis, Honda, Hyundai, Infiniti, Toyota, and more.

“The more we’ve looked into this, the more it became very obvious that web security for vehicles is very poor,”

[…]

The Kia hacking technique the group found works by exploiting a relatively simple flaw in the backend of Kia’s web portal for customers and dealers, which is used to set up and manage access to its connected car features. When the researchers sent commands directly to the API of that website—the interface that allows users to interact with its underlying data—they say they found that there was nothing preventing them from accessing the privileges of a Kia dealer, such as assigning or reassigning control of the vehicles’ features to any customer account they created. “It’s really simple. They weren’t checking if a user is a dealer,” says Rivera. “And that’s kind of a big issue.”

Kia’s web portal allowed lookups of cars based on their vehicle identification number (VIN). But the hackers found they could quickly find a car’s VIN after obtaining its license plate number using the website PlateToVin.com.

More broadly, Rivera adds, any dealer using the system seemed to have been trusted with a shocking amount of control over which vehicles’ features were linked with any particular account. “Dealers have way too much power, even over vehicles that don’t touch their lot,” Rivera says.

Source: Flaw in Kia’s web portal let researchers track, hack cars | Ars Technica

Cybersecurity giant Fortinet has confirmed it suffered a data breach after a threat actor claimed to steal 440GB of files from the company’s Microsoft Sharepoint server.

Fortinet is one of the largest cybersecurity companies in the world, selling secure networking products like firewalls, routers, and VPN devices. The company also offers SIEM, network management, and EDR/XDR solutions, as well as consulting services.

Early this morning, a threat actor posted to a hacking forum that they had stolen 440GB of data from Fortinet’s Azure Sharepoint instance. The threat actor then shared credentials to an alleged S3 bucket where the stolen data is stored for other threat actors to download.

[…]

The threat actor, known as “Fortibitch,” claims to have tried to extort Fortinet into paying a ransom, likely to prevent the publishing of data, but the company refused to pay.

In response to our questions about incident, Fortinet confirmed that customer data was stolen from a “third-party cloud-based shared file drive.”

[…]

Earlier today, Fortinet did not disclose how many customers are impacted or what kind of data has been compromised but said that it “communicated directly with customers as appropriate.”

A later update shared on Fortinet’s website says that the incident affected less than 0.3% of its customer base and that it has not resulted in any malicious activity targeting customers.

[…]

In May 2023, a threat actor claimed to have breached the GitHub repositories for the company Panopta, who was acquired by Fortinet in 2020, and leaked stolen data on a Russian-speaking hacking forum.

Source: Fortinet confirms data breach after hacker claims to steal 440GB of files

Ouch. A 440GB leak is huge.

[…]

Today, a group of six computer scientists are revealing a new attack against Apple’s Vision Pro mixed reality headset where exposed eye-tracking data allowed them to decipher what people entered on the device’s virtual keyboard. The attack, dubbed GAZEploit and shared exclusively with WIRED, allowed the researchers to successfully reconstruct passwords, PINs, and messages people typed with their eyes.

“Based on the direction of the eye movement, the hacker can determine which key the victim is now typing,” says Hanqiu Wang, one of the leading researchers involved in the work. They identified the correct letters people typed in passwords 77 percent of the time within five guesses and 92 percent of the time in messages.

To be clear, the researchers did not gain access to Apple’s headset to see what they were viewing. Instead, they worked out what people were typing by remotely analyzing the eye movements of a virtual avatar created by the Vision Pro. This avatar can be used in Zoom calls, Teams, Slack, Reddit, Tinder, Twitter, Skype, and FaceTime.

[…]

 

Source: Apple Vision Pro’s Eye Tracking Exposed What People Type | WIRED

Around 1.7 million people will receive a letter from Florida-based Slim CD, if they haven’t already, after the company detected an intrusion dating back nearly a year.

Slim CD provides payment processing solutions, thus credit card numbers along with their expiry dates are among the data types potentially compromised in the incident.

The cardholder’s name and address may also be affected, meaning potential for financial fraud should that data be sold, although Slim CD says it hasn’t detected any misuse of the data.

[…]

Among the questions we put to the company was why it took so long for the break-in to be detected, and whether it believed there were any failures in its ability to detect such incidents.

A postmortem carried out by the company and third-party experts revealed that the intrusion began on August 17, 2023, but was only discovered “on or about” June 15 this year.

[…]

There was no apology in the letter [PDF] sent to the 1.693 million potentially affected customers, who were instead encouraged to order a free credit report and remain vigilant against any malicious account activity.

Source: 1.7M potentially pwned by payment services provider breach • The Register