Breach Roundup: Barracuda ESG Appliance Users Face HackingAlso: Franklin Templeton, Teen DraftKings Hacker, Black Basta Claims Rheinmetall
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. In the days between May 19 and May 25, the spotlight was on flaws in the firmware underlying Barracuda Networks Email Security Gateway appliances, another GoAnywhere data breach that affected Franklin Templeton Canada, an American teenager out on bail and facing federal charges for hacking a sports betting website, a ransomware gang making an apparently false claim about the Philadelphia Inquirer while another ransomware gang made a real claim about Germany's Rheinmetall. Also, a Massachusetts community college discloses a data breach, a Spanish teenage hacker is freed from prison and Dole puts a price tag on its ransomware attack.
Hack Alert: Barracuda ESG
Barracuda Networks said Friday it had identified a serious remote command injection vulnerability - designated CVE-2023-2868 - in its Email Security Gateway appliances. The vendor updated all affected devices Saturday with a patch.
Barracuda pushed a second patch Sunday as part of what it characterized as a containment strategy, after it discovered that multiple ESG devices had already been exploited by attackers prior to the first patch getting installed.
"Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take," Barracuda said in a Tuesday security alert, adding that it "also reached out to these specific customers." Affected customers need to review their IT environments for signs of attackers accessing or remaining in their network, it said. The vulnerability existed only in Barracuda appliances. "No other Barracuda products, including our SaaS email security services, were subject to this vulnerability," the company said.
Franklin Templeton Canada
The Canadian branch of multinational investment firm Franklin Templeton notified customers of a data breach resulting from a hacking incident at regulatory compliance service provider InvestorCOM. The breach compromised nearly 90,000 clients' personal information, including their payment card numbers and three-digit security codes.
The breach is yet another example of hackers exploiting the n-day flaw in GoAnywhere file transfer software tracked as CVE-2023-0669. Franklin Templeton Canada told victims in letters transmitted this week that InvestorCOM spotted on March 22 a compromise that occurred on Jan. 30. InvestorCOM notified Franklin Templeton Canada on April 4. The investment firm said hackers did not obtain customer Social Security numbers or birthdates and that investor holdings were not affected. InvestorCOM acknowledged the hacking incident in a May 1 statement.
Teen Charged for Hacking Sports Betting Accounts
The U.S. Department of Justice charged 18-year-old Joseph Garrison of Wisconsin for hacking approximately 60,000 accounts on DraftKings, a popular sports betting platform. The prosecutors' complaint alleges that Garrison performed credential stuffing attacks in a campaign that began in November 2022. The teenage hacker and accomplices allegedly broke into about 1,600 accounts with a monetary balance and stole about $600,000.
Law enforcement raided Garrison's residence in February and found on his computer OpenBullet and SilverBullet, programs used to execute credential stuffing attacks. Prosecutors say Garrison also previously ran a hacked account marketplace dubbed "GoatShop," earning $800,000.
A judge released Garrison on a $100,000 personal recognizance bond following a May 18 court appearance in the U.S. District Court for the Southern District of New York. Garrison faces charges that include unauthorized access to a protected computer, wire fraud and identity theft and a maximum combined sentence of up to 57 years, if found guilty.
Update on Philadelphia Inquirer
The Cuba ransomware gang on Tuesday asserted it had been behind The Philadelphia Inquirer hacking incident that interrupted publishing operations earlier this month. Cuba added the newspaper to its dark web leak site but removed it after The Inquirer reported that files putatively originating from the newspaper and posted online by Cuba did not appear to have come from within the company.
Black Basta Claims Rheinmetall Attack
The Black Basta ransomware-as-a-service group claimed responsibility for an April cyberattack at the German automotive and arms producer Rheinmetall. On Saturday, the group listed Rheinmetall on its extortion site along with samples of the data allegedly stolen from the German company.
The published data samples include nondisclosure agreements, technical documents, passport scans and purchase orders. A Rheinmetall spokesperson confirmed the attribution of the attack to Black Basta ransomware group. "Rheinmetall is continuing to work on resolving an IT attack by the ransomware group Black Basta. This was detected on 14 April 2023. It affects the Group's civilian business. Due to the strictly separated IT infrastructure within the Group, Rheinmetall's military business is not affected by the attack. The relevant authorities have been informed. Rheinmetall has filed a criminal complaint with the Cologne public prosecutor's office."
Bristol Community College in Massachusetts
A December 2022 cyberattack on Bristol Community College that affected internet connectivity across all four campuses of the Massachusetts educational institution also exposed sensitive data of 56,000 individuals, the college disclosed Tuesday in a data breach notice. Affected data includes birthdates; government identifiers, including Social Security and driver's license numbers; payment card data; and medical and health insurance policy information.
Spanish High Court Releases Teen Hacker
The Spanish National Court agreed to the release José Luis Huertas, the 19-year-old hacker known as Alcasec, who has been in prison since early April after being arrested for stealing and selling the taxpayer data of nearly 600,000 Spaniards.
Spanish media reported that the court decided to free Huertas after he assisted police with the investigation and returned the 13 bitcoins he had obtained by selling the illicit data. Huertas must report every 15 days to the court closest to his residence, cannot leave Spain and had his passport confiscated, sources told newspaper ABC.
Update on Dole's Ransomware Attack
A February ransomware attack cost fruit and vegetable processing giant Dole $10.5 million in direct costs, the company disclosed in a quarterly earnings report. About $4.8 million of those costs were related to continuing operations. Dole says the incident was particularly disruptive of its fresh vegetables and Chilean businesses.
Other Coverage From Last Week
- CommonSpirit Ups Cost Estimate on Its 2022 Ransomware Breach
- NY AG Fines Practice Management Firm $550K in 2020 Breach
- EU Committee Probes TikTok, UK's Updated GDPR
- Home Health Gear Firm Says Breach Affects Nearly 1.9 Million
- IT Worker Admits Piggybacking on Hacker's Extortion Attempt
- Facebook Ordered to Suspend Data Transfers to US From Europe
- Apple Fixes 3 Zero-Days Exploited in the Wild
With reporting from ISMG's Mathew J. Schwartz in the United Kingdom.