Editor's Note: Welcome to this issue of Forcepoint Security News. It's curated news meant to provide a quick look at what's happening around the cybersecurity industry.
Forcepoint Security News
Here are the top security stories from recent weeks:
- GoDaddy Breach Widens, Includes Reseller Subsidiaries
- Panasonic Confirms Cyberattack and Data Breach
- California Pizza Kitchen Serves Up Employee SSNs in Data Breach
- WIRTE Hackers Target Governments in the Middle East
- APT37 Targets Journalists With Chinotto Multi-Platform Malware
The GoDaddy breach affecting 1.2 million customers has widened to include subsidiaries that resell GoDaddy Managed WordPress. The additional affected companies are 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple, and tsoHost. GoDaddy confirmed to researchers at Wordfence that several of these brands’ customers were affected by the security incident (and Wordfence provided breach-notification notices from two of them in a Tuesday posting). The stolen data included emails and customer numbers for 1.2 million active and inactive Managed WordPress customers, sFTP and database usernames and passwords for active customers (passwords are now reset), and SSL private keys “for a subset of active customers.” GoDaddy is in the process of issuing and installing new certificates for affected customers.
Tech manufacturing giant Panasonic has confirmed that on November 11 it discovered its network had been accessed illegally during a cyberattack. Japanese outlets Mainichi and NHK said the breach actually started on June 22 and ended on November 3, which Panasonic later confirmed. NHK reported that the attacked servers stored information about Panasonic business partners and the company's technology, noting a ransomware incident last November involving a subsidiary of the company that also leaked business information.
California Pizza Kitchen (CPK) reported that a data breach exposed the names and Social Security numbers (SSNs) of more than 100,000 current and former employees. According to a Data Breach Notification posted on the website of the Maine Attorney General, the “external system breach” occurred on Sept. 15 and affected 103,767 people. By October 4, investigators had confirmed that certain files on CPK’s systems “could have been accessed without authorization,” according to the notice. By the end of the initial review on Oct. 13, it was clear that the breach had exposed to attackers the names of former and current employees in combination with their SSNs. At this time there is no indication that the accessed information has been abused by cybercriminals.
A hacking group named WIRTE has been linked to a government-targeting campaign that has been conducting attacks since at least 2019 using malicious Excel 4.0 macros. The primary targeting scope includes high-profile public and private entities in the Middle East. Kaspersky analyzed the campaign, toolset, and methods, and concluded with low confidence that WIRTE has pro-Palestinian motives and is suspected to be part of the 'Gaza Cybergang'. WIRTE's phishing emails include Excel documents that execute malicious macros to download and install malware payloads on recipients' devices. The malware includes code that first performs three anti-sandbox checks before executing the main payload, which is a stager script that downloads payloads and receives commands from a command-and-control server.
North Korean state hacking group APT37 targets South Korean journalists, defectors, and human rights activists using watering hole attacks, spear-phishing emails, and smishing attacks that deliver malware dubbed Chinotto, which is capable of infecting both Windows and Android devices. APT37 has been active since at least 2012 and is an advanced persistent threat (APT) group linked to the North Korean government with high confidence by FireEye. Chinotto allows the hacking group to control compromised devices, spy on their users via screenshots, deploy additional payloads, harvest data of interest, and upload it to attacker-controlled servers. The Android variants request extended permissions on compromised devices and, once granted, can use them to collect large amounts of sensitive data, including the victims' contacts, text messages, call logs, device info, and even audio recordings.