
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Monday, December 2, 2024. I'm Steve Prentice.
Ransomware Affiliate Mikhail Matveev Arrested. Russian police have announced the arrest of Matveev, known by a few aliases, including Wazawaka, and who was also allegedly linked to LockBit, Conti and Babuk operations. He was apprehended in Kaliningrad, a Russian province sandwiched between Poland and Lithuania. In addition to being pursued by Russian authorities, the FBI also had a $10 million bounty on his head. Matveev faces charges under Russian law for creating programs to destroy, block, modify or copy data or bypass computer security measures, and he also faces charges levied by the U.S. Justice Department for his alleged role in multiple ransomware attacks.
Another UK hospital system attacked. Liverpool's Alder Hey Children's Hospital and Liverpool Heart and Chest Hospital NHS Foundation Trust have been attacked by the Inc Ransomware gang. This gang has already published a sample of the allegedly stolen data, which, quote, includes the full names and addresses of supposed patients and donors, the amount of money said donors have given to the hospital, patients' medical reports including unique hospital numbers and dates of birth, and financial documents. The gang claims this data goes back to 2018 and runs right up to 2024. This attack is unrelated to the one on Wirral University Teaching Hospital that we reported on on Friday's newscast, even though the two hospital systems are physically located close to each other across the River Mersey. The Wirral attack, by the way, has been attributed to the RansomHub operation.
Cloudflare says it lost 55% of logs pushed to customers for 3.5 hours. This story pertains to a bug that appeared on November 14 in the Internet security company's log collection service, one that allows its customers to monitor the traffic on their websites and filter it based on certain criteria.
This data is also used to investigate security incidents, DDoS attacks, traffic patterns and to perform site optimizations. This is a big service, amounting to over 50 trillion customer event logs every day, of which around 4.5 trillion are sent to customers. The incident was caused by a misconfiguration in a log forwarder component in Cloudflare's pipeline. The pause then created a massive spike once the system tried to resolve itself. Cloudflare has now implemented several measures to prevent future occurrences.
Huge thanks to our sponsor Vanta. As third-party breaches continue to rise, companies are increasingly vigilant, which means more time spent on manual security reviews. With Vanta Questionnaire Automation, security and compliance teams can complete security reviews up to five times faster, giving you time back to focus on running your security and compliance programs. Over 8,000 global companies like ZoomInfo, SmartRecruiters and Noibu use Vanta to save time on security reviews. Visit vanta.com to learn more about questionnaire automation, i.e. V-A-N-T-A.com.
Italian soccer team Bologna FC suffers a cyberattack. This attack included the theft of data, which the club says will likely be released soon. In the same statement, the club said that the attack targeted its internal systems and warned that anyone who gains possession of or distributes the material would be committing a criminal offense. Separately, the RansomHub ransomware gang claimed responsibility for the attack, stating it was in possession of 200 gigabytes of data, including financial documents, medical records of players, confidential data on customers and employees, as well as business plans. They also stated that the stolen information will show the club is violating European data protection laws as well as other regulations from football bodies like FIFA and UEFA.
South Dakota Politicians Pegged to Have Bigger Roles on Cybersecurity. The incoming presidential administration will see three prominent Republicans from South Dakota take on roles in the nation's cybersecurity portfolio. Governor Kristi Noem is slated to lead the Homeland Security Department, Senator Mike Rounds will be in charge of a key cybersecurity subcommittee, and John Thune will become Senate Majority Leader. Rounds was the first senator to serve on the Senate Armed Services Subcommittee on Cybersecurity. Thune's past tenure as chairman of the Senate Commerce Committee gave him jurisdiction over and oversight of privacy and tech bills, making it a legislative focus for him. He was also part of the long-stalled push to pass a data privacy measure and sponsored a bill on artificial intelligence standards. According to CyberScoop, Kristi Noem stood alone in rejecting department cyber grants to state and local governments, but has signed cyber legislation into law and has promoted cybersecurity as her state's next big industry.
Uganda's Central Bank Loses Millions in Cyberattack. This attack is being attributed to a threat actor group called Waste, who apparently made off with the equivalent of $16.8 million. The group, which appears to be based in Southeast Asia, transferred part of the stolen funds to Japan. However, Uganda's central bank, with help from UK authorities, was able to freeze and recover some of the money.
Phishing tool Rockstar2FA targets Microsoft 365 creds. Researchers at Trustwave are warning of a phishing-as-a-service toolkit named Rockstar 2FA, which apparently targets Microsoft 365 accounts and bypasses multi-factor authentication via adversary-in-the-middle attacks. This tool is an updated version of the DadSec phishing kit. The attacks involved theft of a victim's password and session cookie through the creation of a proxy server between a target user and the website the user wishes to visit, which itself is a phishing site.
Trustwave points out a unique feature of this current campaign being websites whose common theme is cars.
Remember to mark your calendar for Super Cyber Friday this week. We are tackling an emerging topic this week, spending an hour talking about hacking the AI supply chain. Often when we talk about securing AI, we're looking at how to control data going into them. But as these become increasingly integrated across SaaS platforms, we need to understand the broader supply chain to manage the risk. It all starts at 1pm Eastern, 10am Pacific. Head on over to our events page at cisoseries.com to register. I'm Steve Prentice reporting for the CISO Series.
A
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines – Episode Summary
Podcast Details
Timestamp: [00:07]
In a significant development in the fight against cybercrime, Russian police announced the arrest of Mikhail Matveev, a notorious ransomware affiliate known by aliases such as Wazawaka. Matveev has been allegedly linked to major ransomware operations, including LockBit, Conti, and Babuk.
Key Points:
Notable Quote: Steve Prentice remarked, “Mikhail Matveev’s apprehension marks a pivotal moment in international efforts to dismantle ransomware networks” [00:07].
Timestamp: [00:07]
Liverpool’s Alder Hey Children’s Hospital and Liverpool Heart and Chest Hospital NHS Foundation Trust have fallen victim to an attack by the Inc Ransomware gang. This breach has exposed sensitive patient and donor information, including personal details and financial documents spanning from 2018 to 2024.
Key Points:
Notable Quote: Steve Prentice highlighted, “The extent of the data compromise underscores the relentless targeting of healthcare institutions by ransomware groups” [00:07].
Timestamp: [00:07]
Cloudflare reported a major incident where 55% of logs were lost over a span of 3.5 hours due to a misconfiguration in their log forwarder component. This disruption impacted Cloudflare’s log collection service, which is critical for traffic monitoring, security incident investigations, and site optimizations.
Key Points:
Notable Quote: Steve Prentice noted, “The Cloudflare log loss incident highlights the delicate balance between system configuration and operational resilience” [00:07].
Timestamp: [00:07]
Bologna FC, a prominent Italian soccer team, suffered a cyberattack resulting in the theft of approximately 200 gigabytes of data. The RansomHub ransomware gang has claimed responsibility, threatening to release the compromised information unless their demands are met.
Key Points:
Notable Quote: Steve Prentice commented, “The attack on Bologna FC not only threatens the club’s data integrity but also its compliance with stringent European regulations” [00:07].
Timestamp: [00:07]
As the incoming presidential administration takes shape, three prominent Republicans from South Dakota are set to assume significant roles within the nation’s cybersecurity framework.
Key Appointments:
Notable Quote: Steve Prentice observed, “The appointment of South Dakota’s leaders to pivotal cybersecurity positions signifies a strategic investment in the nation’s cyber defense capabilities” [00:07].
Timestamp: [00:07]
Uganda's Central Bank suffered a significant cyberattack attributed to the threat actor group Waste. The attackers successfully siphoned off approximately $16.8 million, a portion of which was transferred to Japan. Assistance from UK authorities enabled the freezing and partial recovery of the stolen funds.
Key Points:
Notable Quote: Steve Prentice highlighted, “The sophisticated nature of the Uganda Central Bank attack underscores the evolving tactics of international cybercriminal groups” [00:07].
Timestamp: [00:07]
Researchers at Trustwave have identified a new phishing toolkit named Rockstar2FA, which specifically targets Microsoft 365 accounts. This toolkit is capable of bypassing multi-factor authentication (MFA) through adversary-in-the-middle (AitM) attacks.
Key Features:
Notable Quote: Steve Prentice stated, “The advancement of phishing tools like Rockstar2FA represents a growing threat to secure authentication systems, necessitating enhanced defensive measures” [00:07].
Timestamp: [00:07]
Listeners are encouraged to participate in the upcoming Super Cyber Friday event, which will feature an in-depth discussion on hacking the AI supply chain. The session aims to explore the broader risks associated with integrating AI across SaaS platforms beyond just data control.
Event Details:
Notable Quote: Steve Prentice invited listeners, “Join us as we delve into securing the AI supply chain, an increasingly critical aspect of modern cybersecurity” [00:07].
In this episode of Cyber Security Headlines, host Steve Prentice provided a comprehensive overview of major cybersecurity incidents and developments, ranging from high-profile arrests and ransomware attacks to significant breaches in healthcare and financial institutions. The discussion underscored the persistent and evolving nature of cyber threats, the importance of robust security measures, and the strategic appointments aimed at bolstering national cybersecurity. Listeners were also informed about emerging threats like the Rockstar2FA phishing toolkit and invited to engage in upcoming educational events addressing critical topics in the cybersecurity landscape.
For more detailed stories behind these headlines, visit CISOseries.com.