
Threat Matrix: New threats, big targets, scary world

Breaches reported at U-Haul and the Department of Defense. Plus, researchers uncovered a massive, sophisticated phishing campaign that hijacked over 8k subdomains of trusted domains, including MSN, Marvel, and eBay.

Happy almost Spring. In the latest edition of Threat Matrix, we highlight emerging digital security threats from around the globe so you can keep your business safe.

No one was safe this month. We mean no one. Not eBay, not Cornell University, not The Guardian, not U-Haul, not even the Department of Defense. We’ll get into all the digital dirt.

Is your business cyber-ready? Are you sure? You can find out in just two minutes by taking our interactive Cybersecurity Checklist. Also, be sure to sign up for a free cyber security risk assessment, which taps Upfort’s state-of-the-art AI to surface the exploitable vulnerabilities in your digital network that cause the vast majority of breaches.

8k+ subdomains from trusted brands hijacked in massive phishing campaign

A sophisticated subdomain hijacking operation has compromised over 8,000 subdomains, including those of prominent brands like MSN, Marvel, and eBay.

The campaign exploits abandoned subdomains to circulate millions of spam and phishing emails daily, leveraging the credibility of trusted domains to bypass security measures.

[Image: An illustration of the hacking campaign, via Guardio's Medium blog]

Researchers identified a single threat actor, "ResurrecAds," behind the operation, which systematically scans the internet for vulnerable domains and orchestrates the distribution of malicious emails using a vast network of hijacked assets. In response, the researchers developed a SubdoMailing checker tool to help domain owners reclaim control over compromised assets and mitigate future exploits.

via Guardio Labs / Medium
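As an added defender-side example (not Guardio's SubdoMailing checker and not code from the original post), the script below audits a zone for the two preconditions an abandoned-subdomain campaign relies on: CNAME records whose target host no longer exists, and SPF include: entries that point at domains which no longer publish an SPF record. The domain names, zone data and the stand-in resolver are all constructed.

```python
"""Audit a DNS zone for dangling CNAMEs and dangling SPF include: entries.
Example code; zone data and resolver are constructed, not real lookups."""
from typing import Dict, List, Tuple

# Constructed stand-in for DNS: name -> {record type: values}. Any name absent
# from this table is treated as NXDOMAIN, i.e. abandoned or never registered.
DNS: Dict[str, Dict[str, List[str]]] = {
    "brand.example": {"A": ["192.0.2.10"],
                      "TXT": ["v=spf1 include:_spf.mailer.example include:promo.example -all"]},
    "_spf.mailer.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "www.brand.example": {"CNAME": ["brand.example"]},
    "promo.brand.example": {"CNAME": ["promo-2019.cdnhost.example"]},  # host decommissioned
}

def resolve(name: str, rtype: str) -> List[str]:
    return DNS.get(name.rstrip(".").lower(), {}).get(rtype, [])

def exists(name: str) -> bool:
    return name.rstrip(".").lower() in DNS

def dangling_cnames(zone: Dict[str, Dict[str, List[str]]]) -> List[Tuple[str, str]]:
    """Subdomains whose CNAME target has no records at all (takeover precondition)."""
    return [(name, t) for name, rr in zone.items()
            for t in rr.get("CNAME", []) if not exists(t)]

def spf_record(domain: str) -> str:
    return next((t for t in resolve(domain, "TXT") if t.startswith("v=spf1")), "")

def dangling_spf_includes(domain: str, seen=None, budget: int = 10) -> List[Tuple[str, str]]:
    """Walk include: chains and report includes with no SPF record behind them.
    Bounded by the RFC 7208 limit of 10 DNS-querying terms and guarded against loops."""
    seen = set() if seen is None else seen
    found: List[Tuple[str, str]] = []
    for term in spf_record(domain).split():
        if not term.startswith("include:") or budget <= 0:
            continue
        budget -= 1
        target = term.split(":", 1)[1]
        if target in seen:
            continue
        seen.add(target)
        if not spf_record(target):
            found.append((domain, target))  # abandoned include: still authorises whoever holds it
        else:
            found.extend(dangling_spf_includes(target, seen, budget))
    return found

if __name__ == "__main__":
    print("dangling CNAMEs:", dangling_cnames(DNS))
    print("dangling SPF includes:", dangling_spf_includes("brand.example"))
```

Pointing `resolve` and `exists` at a real resolver (for example dnspython) turns this into a periodic check that flags records to remove before they can be reused.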


“Five Eyes” agencies joint advisory re: Russian hacking group

The advisory warns about the recent tactics of the cyber espionage group APT29, also known as Midnight Blizzard, and its evolving techniques, including the targeting of cloud environments. The report details how APT29, likely part of Russia's SVR intelligence service, exploits weaknesses such as service and dormant accounts and cloud-based token authentication, and bypasses multi-factor authentication, to gain access.

via Bleeping Computer

FBI warns healthcare sector of “BlackCat” ransomware attacks

Recent warnings from the U.S. government highlight the resurgence of BlackCat ransomware attacks targeting the healthcare sector, with nearly 70 victims leaked since mid-December 2023. Despite a law enforcement operation late last year, BlackCat managed to regroup, switching to a new Tor data leak portal and expanding its targets to include critical infrastructure organizations.

via The Hacker News


Cencora Pharmaceuticals hit by cyberattack and data theft

Cencora, a leading pharmaceutical services provider, revealed a cyberattack resulting in data theft from its corporate IT systems. While containing the incident, the company initiated investigations with law enforcement and cybersecurity experts, aiming to ascertain the full extent of the breach's impact, which remains uncertain.

Despite earlier claims by the Lorenz ransomware group in 2023, Cencora asserts that the recent breach is unrelated to the ongoing Optum Change Healthcare ransomware attack, emphasizing ongoing efforts to manage the situation and ensure data security.

via Bleeping Computer


U-Haul alerts 67,000 customers of data breach impact

U-Haul has notified 67,000 customers of a data breach that occurred late last year, compromising personal information. Although credit card data remained secure, unauthorized access to a system used for reservations and customer records prompted U-Haul to launch an investigation alongside cybersecurity experts. 

via Dark Reading


Department of Defense employee information breached

The Department of Defense has alerted thousands of current and former employees regarding a data breach, initially detected in early 2023 but with notifications starting only recently. The breach involved emails containing personally identifiable information inadvertently exposed by a Defense Department service provider, originating from an unsecured cloud email server. While no evidence of misuse has been found, affected individuals are urged to sign up for identity theft protection as investigations and engagement with the service provider continue.

via DefenseScoop


Want to stay in the cyber know? Be sure to subscribe to our monthly Level Up Security newsletter to get all the latest cyber threats, security tips, information about next-gen tools, and more—delivered right to your inbox.
