Personal Data of 2.5M Genworth Policyholders and 769K Retired California Employees and Beneficiaries Hacked
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
The MOVEit file transfer data breach has claimed more victims. The California Public Employees' Retirement System (CalPERS), the largest public pension fund in the US, announced that the MOVEit hack had exposed data of nearly 769,000 retired employees and beneficiaries.
The attack did not directly compromise CalPERS' internal network; rather, its outsourced vendor, PBI Research Services/Berwyn Group, was affected by the vulnerability in the file transfer application. Closely following the CalPERS announcement, US-based Genworth Financial revealed that the compromise of the same vendor had exposed the data of nearly 2.5 million policyholders.
On June 6, 2023, CalPERS was notified of the breach, including details of the personal information downloaded by the unauthorized threat actors. Information included first and last names, date of birth, and social security numbers. It might also include names of former or current employers, spouse or domestic partner, and child or children’s details, stated CalPERS’ notification.
Similarly, on June 16, 2023, PBI notified Genworth of the May 29-30, 2023 data breach. The downloaded files included personal details of policyholders and insurance agents, such as agent ID, social security number, name, date of birth, full address, and policy number. Genworth clarified that neither its internal network nor its business operations were affected.
Nevertheless, both CalPERS and Genworth have deployed safeguards to protect the affected individuals, including an offer of free credit monitoring and identity theft protection services. Both organizations announced that written letters with instructions for enrolling in these services would be sent out.
The Clop ransomware gang, associated with the threat actor tracked as TA505, has claimed responsibility for the MOVEit Transfer attack and threatened to publish the stolen data on its dark web leak site. The attack, which occurred last month, has already claimed several victims, including the BBC, Ireland's HSE, the Nova Scotia government, and the New York City Department of Education, among others.
China-Linked Threat Actors Utilize Infected USB Drives to Spread Malware
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
Check Point Research (CPR) recently discovered a new version of self-propagating malware that spreads through infected USB drives. The cybersecurity company identified this trojan in early 2023, while investigating a cyberattack incident at a European healthcare institution.
The malware has been attributed to the China-based espionage threat actor Camaro Dragon, whose tooling and tradecraft overlap considerably with those of Mustang Panda and LuminousMoth.
The group's primary targets have generally been Southeast Asian countries, but CPR found similar USB-related infections in Myanmar, South Korea, Great Britain, India, and Russia. Together with the current incident in Europe, this shows the global reach of the group.
During the investigation, it became clear that the European hospital was not the primary target. The malware had spread through an employee's compromised USB drive: the employee had attended a conference in Asia and used his USB drive to share his presentation on a colleague's machine, which infected the drive.
Upon his return to Europe, the employee plugged the USB drive into a hospital computer, which led to the malware spreading within the hospital's systems.
The investigation further revealed that the malware is part of a set of tools discussed by Avast in its 2022 report, which Avast dubbed SSE. The infection chain starts when the target connects the infected USB flash drive and runs the malicious Delphi launcher, known as HopperTick, from it. The main payload variant, WispRider, functions both as a backdoor and as a USB infector: it copies the malware onto any removable drive that is later connected to the compromised machine, so the infection propagates without any further operator involvement.
WispRider also includes features such as bypassing SmadAV, an Indonesian antivirus solution popular in Southeast Asia. To evade detection, it uses DLL side-loading, abusing legitimately signed components from two gaming companies and from the security vendor G-DATA, warned CPR.
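The two mechanisms described above, a launcher executable on the drive that a user runs and a signed legitimate binary loading a malicious DLL from the same directory, leave a layout on the USB stick that can be triaged without executing anything on it. The following PowerShell script is an added example for that triage; it is not CPR's code, not from the Camaro Dragon report, and uses no indicators from it. It assumes a Windows analysis host, PowerShell 5.1 or later, and that the suspect drive has been mounted with AutoPlay disabled; the heuristics (visible root executable beside hidden content, signed EXE co-located with an unsigned or differently signed DLL) are the author's generic checks for this class of USB worm, not a detection rule for WispRider specifically.

```powershell
# Added example (not CPR's or the campaign's code): offline triage of a suspect
# USB drive for the two layouts the article describes. Assumptions: Windows host,
# PowerShell 5.1+, the drive is mounted with AutoPlay off and nothing on it is run.
function Invoke-UsbTriage {
    param(
        [Parameter(Mandatory)][string]$Drive   # e.g. 'E:' or 'E:\'
    )

    $root  = [IO.Path]::GetPathRoot($Drive.TrimEnd('\') + '\')   # normalise to 'E:\'
    $files = Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue
    $findings = [System.Collections.Generic.List[object]]::new()

    # Signature lookups are slow; cache them per path.
    $sigCache = @{}
    function Get-CachedSignature([string]$Path) {
        if (-not $sigCache.ContainsKey($Path)) {
            $sigCache[$Path] = Get-AuthenticodeSignature -FilePath $Path
        }
        return $sigCache[$Path]
    }

    # Heuristic 1: lure layout. A visible executable at the drive root while the
    # drive also carries Hidden items (the user's real files or the payload tree).
    $hiddenCount = @($files | Where-Object {
        $_.Attributes -band [IO.FileAttributes]::Hidden }).Count
    $rootExes = $files | Where-Object {
        $_.DirectoryName -eq $root.TrimEnd('\') -and $_.Extension -eq '.exe' -and
        -not ($_.Attributes -band [IO.FileAttributes]::Hidden) }
    foreach ($exe in $rootExes) {
        $sig = Get-CachedSignature $exe.FullName
        $findings.Add([PSCustomObject]@{
            Finding     = 'RootLauncher'
            Path        = $exe.FullName
            Signature   = $sig.Status
            Signer      = $sig.SignerCertificate.Subject
            HiddenItems = $hiddenCount
        })
    }

    # Heuristic 2: DLL side-loading. A validly signed EXE whose directory also
    # contains a DLL that is unsigned, fails validation, or is signed by a
    # different subject than the EXE. Legitimate software can trip this too,
    # so it is a triage signal, not a verdict.
    $signedExes = $files | Where-Object { $_.Extension -eq '.exe' } |
        Where-Object { (Get-CachedSignature $_.FullName).Status -eq 'Valid' }
    foreach ($exe in $signedExes) {
        $exeSig = Get-CachedSignature $exe.FullName
        $dlls = Get-ChildItem -Path $exe.DirectoryName -Force -File -Filter '*.dll' `
                    -ErrorAction SilentlyContinue
        foreach ($dll in $dlls) {
            $dllSig = Get-CachedSignature $dll.FullName
            $sameSigner = ($dllSig.Status -eq 'Valid') -and
                          ($dllSig.SignerCertificate.Subject -eq $exeSig.SignerCertificate.Subject)
            if (-not $sameSigner) {
                $findings.Add([PSCustomObject]@{
                    Finding    = 'SideloadCandidate'
                    Path       = $exe.FullName
                    Signer     = $exeSig.SignerCertificate.Subject
                    Dll        = $dll.FullName
                    DllStatus  = $dllSig.Status
                    DllSigner  = $dllSig.SignerCertificate.Subject
                })
            }
        }
    }

    return $findings
}

# Usage: run from the analysis host, never by double-clicking anything on the drive.
# Invoke-UsbTriage -Drive 'E:' | Format-Table -AutoSize
```

A `SideloadCandidate` hit where the EXE is signed by a well-known vendor (a game client or a security product, as the article notes for this campaign) and the neighbouring DLL is unsigned is the pattern to escalate: hash both files, check the DLL's exports against what the EXE imports, and detonate the pair in a sandbox rather than on the workstation. Because the USB infector on an already compromised machine writes to any newly inserted drive, the triage host itself should be isolated and the drive write-protected if the hardware allows it.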
"The ability to propagate autonomously and uncontrollably across multiple devices enhances this threat's reach and potential impact. This approach not only enables the infiltration of potentially isolated systems but also grants and maintains access to a vast array of entities, even those that are not primarily targeted," said CPR.
The increasing use of USB drives by Chinese threat actors as a vector for spreading malware has been documented in several industry reports, including Mandiant's 2022 report on the China-nexus cyber espionage activity of UNC4191.