Ankura CTIX FLASH Update - October 28, 2022

Ransomware/Malware Activity

Leading Australian Healthcare Company Discloses Data Breach Impacting 223,000 Individuals

On October 17, 2022, Australian Clinical Labs (ACL) disclosed a data breach that occurred in February 2022 impacting Medlab Pathology, a business that ACL acquired in December 2021. ACL is a leading Australian healthcare company that performs pathology services for approximately ninety (90) hospitals and conducts 6 million tests annually. In a cyber security incident and data breach notification for Medlab Pathology, ACL explained that Medlab became aware of unauthorized third-party access to its IT system in February 2022. Medlab was then contacted by the Australian Cyber Security Centre (ACSC) in March 2022 and told that the company had potentially suffered a ransomware attack. Medlab stated at the time that it did not believe any information had been compromised, but ACSC contacted the company again in June 2022 to report that information had been posted on the dark web. Through forensic investigations, ACL determined that 223,000 individuals have been affected by the data breach, the majority of them located in NSW and Queensland. The exposed records were also determined to include roughly 17,500 "individual medical and health records associated to a pathology test", approximately 28,200 "credit card numbers and individuals' names", and roughly 128,600 "Medicare numbers (not copies of cards) and an individual's name." ACL emphasized that there is currently no evidence of misuse of the exposed information, and that no demand has been made of Medlab or ACL by Quantum, the threat actor responsible. Quantum uploaded the 86 gigabytes (GB) of leaked data in June, which consisted of "patient and employee details, financial reports, invoices, contracts, forms, subpoenas, and other private documents." CTIX analysts will continue to monitor for data breaches across the globe involving sensitive information and report details as necessary.

Threat Actor Activity

APT41 Actors Believed to be Behind Influence Campaign Targeting American Voters

A new cyber influence campaign has emerged targeting voters in the United States, days before the midterm elections. The operation, dubbed DRAGONBRIDGE, is believed to be operated by Chinese APT41 threat actors with the end goal of disrupting United States elections to benefit the People's Republic of China. The threat actors belong to a well-known Chinese cyberespionage organization (APT41) that has targeted entities across the global healthcare, telecommunications, and video game industries since 2012. Since 2019, APT41 threat actors have launched several DRAGONBRIDGE campaigns, including social media propaganda, disinformation campaigns against mining corporations, and the more recent American election influence campaign. DRAGONBRIDGE has been active for several months; the most recent activity involves the distribution of a video on social media platforms discouraging American voters from voting in the upcoming midterms. The video goes on to criticize the legislative process as not beneficial to American citizens, claiming that American democracy is built on political infighting, partisanship, polarization, and division. CTIX will continue to monitor threat actor activity worldwide and provide additional updates accordingly.

Vulnerabilities

Google Quickly Patches 7th Chrome Zero-day Vulnerability in 2022

Google has released an urgent security update for the Chrome browser to patch a critical zero-day vulnerability that is being actively exploited in the wild. This flaw, tracked as CVE-2022-3723, is described as a type confusion vulnerability within the Chrome V8 JavaScript engine. MITRE explains that type confusion vulnerabilities occur when a program "allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type." Malicious threat actors could exploit this vulnerability to access memory locations that should not be reachable, allowing them to pilfer sensitive data, cause a system crash, or perform arbitrary code execution within the vulnerable application. This vulnerability was reported to Google by Avast researchers on October 25, 2022. Google is currently withholding the details of the exploit, as well as what kind of threat actors are exploiting it, to allow as much of the Chrome user base as possible to implement the latest patch. Google has stated that if the flaw exists in a third-party library that other projects depend on, it will continue to restrict the details until those libraries have mitigated the flaw. This is the seventh (7) zero-day vulnerability in 2022 for Google Chrome, and the third (3) type confusion vulnerability in the V8 JavaScript engine this year. CTIX analysts urge all users of Chrome and Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi, etc.) to ensure that they have implemented this latest patch and are running version 107.0.5304.87 for macOS/Linux and 107.0.5304.87/.88 for Windows.
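To make the MITRE definition concrete, the following is an added, constructed C example of the type confusion class in general (not V8 code, and unrelated to the specifics of CVE-2022-3723, which remain undisclosed): a tagged value is read through an accessor that trusts the caller's assumed type, beside a hardened accessor that checks the runtime tag before touching the payload. All type and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of CWE-843 (type confusion): a value created
 * under one type is later accessed under an incompatible one. */
typedef enum { T_INT, T_STR } tag_t;

typedef struct {
    tag_t tag;
    union {
        int64_t     n;   /* valid only when tag == T_INT */
        const char *s;   /* valid only when tag == T_STR */
    } u;
} value_t;

static value_t make_int(int64_t n) { value_t v = { T_INT, { .n = n } }; return v; }
static value_t make_str(const char *s) { value_t v = { T_STR, { .s = s } }; return v; }

/* Vulnerable pattern: the caller's belief about the type is trusted, so a
 * T_STR value is read as an integer (the pointer bits come back as a
 * number); with the roles reversed, an attacker-chosen integer would be
 * used as a pointer, i.e. a memory access that should not be reachable. */
static int64_t unsafe_as_int(const value_t *v) {
    return v->u.n;
}

/* Hardened pattern: the runtime tag is checked before the payload is used.
 * Returns 0 on success, -1 on a type mismatch. */
static int safe_as_int(const value_t *v, int64_t *out) {
    if (v->tag != T_INT) return -1;
    *out = v->u.n;
    return 0;
}

static int safe_as_str(const value_t *v, const char **out) {
    if (v->tag != T_STR) return -1;
    *out = v->u.s;
    return 0;
}

int main(void) {
    value_t s = make_str("constructed string payload");
    int64_t n = 0;
    printf("unchecked read of a string value as int: %lld\n", (long long)unsafe_as_int(&s));
    printf("checked read: %s\n", safe_as_int(&s, &n) == 0 ? "ok" : "rejected type mismatch");
    return 0;
}
```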


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
