Here are the top security stories from recent weeks:
- Kaseya Patches Zero-Day Vulnerabilities Used in Supply Chain Ransomware Attack
- Attackers Use Kaseya Ransomware Attack to Spread Cobalt Strike Backdoor in Fake Security Updates
- Morgan Stanley Reports Data Breach After Vendor Affected by Accellion Hack
- U.S. Insurance Company CNA Notifies Customers of Data Breach After Ransomware Attack
- U.S. Fashion Retailer Guess Notifies Customers of Data Breach After Ransomware Attack
On July 11, Kaseya, an IT solutions provider for MSPs and enterprises, patched the three zero-day vulnerabilities that had been used in the widespread supply chain ransomware attack of July 2. The attack exploited vulnerabilities in Kaseya’s Virtual System/Server Administrator (VSA) remote monitoring and management platform to spread REvil ransomware. The attack, which is being likened to the SolarWinds supply chain attack, affected 50 direct Kaseya customers and around 1,500 smaller downstream businesses.
Attackers are using the recent Kaseya VSA ransomware attack as a lure to launch a campaign spreading Cobalt Strike via fake Microsoft security update emails. Victims who fall for the fake update and install the malicious executable end up giving the threat actors persistent remote access. Cobalt Strike is a legitimate tool used by network penetration testers, but threat actors are using it to bypass security controls to deliver malware and exfiltrate data.
Investment banking firm Morgan Stanley has reported a data breach after being affected by the Accellion FTA server supply chain attack. Guidehouse, a third-party vendor providing account maintenance services, notified Morgan Stanley in May 2021 that attackers had hacked its Accellion FTA server and stolen stock plan documents. While the stolen files were encrypted, the attackers also stole the decryption key. The stolen files contain personal information such as stock plan participants’ names, addresses, dates of birth, social security numbers, and corporate company names.
CNA Financial Corporation, the seventh-largest commercial insurer in the U.S., is notifying customers of a data breach after it was hit by Phoenix CryptoLocker ransomware in March. The company said over 75,000 individuals were affected by the breach, including customers, contractors, and current and former employees. The files stolen in the breach contained personal information such as names and social security numbers. During the initial ransomware attack on March 21, over 15,000 CNA devices were encrypted.
Guess is notifying customers of a data breach after it fell victim to a ransomware attack in February. Customers’ personal information, including social security numbers, driver’s license numbers, passport numbers, financial account numbers, and credit/debit card numbers, was accessed. Over 1,300 individuals were affected, and the DarkSide ransomware group is purported to have been behind the initial ransomware attack on Guess.