29 October 2021 | Asia Cyber Summary

In the spotlight this week:

  • Third-party data breach in Singapore hits healthcare provider

  • Large DDoS attack shuts down KT's nationwide network

  • Hackers exploited popular BillQuick billing software to deploy ransomware

  • Popular NPM library hijacked to install password-stealers

  • Over 10 million Android users targeted by premium SMS scam apps

Third-Party Data Breach in Singapore Hits Healthcare Provider

Another third-party security breach has been reported in Singapore, this time affecting patients of Fullerton Health and compromising personal data that, in a few cases, included bank account details. The healthcare services provider said none of its own IT systems, networks, or databases were affected by the breach. It filed reports with both the police and the Personal Data Protection Commission, which oversees Singapore's Personal Data Protection Act.

Fullerton Health said it is still working to ascertain the number and identity of individuals affected by the breach. Digital forensic and cybersecurity professionals have been roped in to help with its investigations, the healthcare provider said, adding that it is also trying to determine the root cause and full extent of the breach.

Large DDoS Attack Shuts Down KT's Nationwide Network

South Korean telco KT said that the temporary nationwide shutdown of its network was caused by a large-scale distributed denial-of-service (DDoS) attack. During the outage, users were unable to use credit cards, trade stocks, or access online apps, and some large commercial websites also went down. General internet access has since been restored for KT users in most areas of the country.

A KT spokesperson said that, during the outage, the company's crisis management team was working to restore the network to normal as quickly as possible. KT has yet to determine the extent of the damage or who was behind the DDoS attack. Federal police and the Ministry of Science and ICT said they were also looking into the matter in collaboration with KT.

Hackers Exploited Popular BillQuick Billing Software to Deploy Ransomware

Cybersecurity researchers disclosed a now-patched critical vulnerability in multiple versions of the time and billing system BillQuick that is being actively exploited by threat actors to deploy ransomware on vulnerable systems.

The flaw, tracked as CVE-2021-42258, lets attackers access customers' BillQuick data and run malicious commands on their on-premises Windows servers. This incident highlights a repeating pattern plaguing SMB software: well-established vendors do very little to proactively secure their applications, and so expose their unwitting customers to significant liability when sensitive data is inevitably leaked and/or ransomed.

Popular NPM Library Hijacked to Install Password-Stealers

Hackers hijacked the popular UA-Parser-JS NPM library, which sees millions of downloads a week, to infect Linux and Windows devices with cryptominers and password-stealing trojans in a supply-chain attack. The library is used in over a thousand other projects, including ones by Facebook, Microsoft, Amazon, Instagram, Google, Slack, Mozilla, Discord, Elastic, Intuit, Reddit, and many more well-known companies.

All infected Linux and Windows users should change their passwords, keys, and refresh tokens, as these were likely compromised and sent to the threat actor. While rotating every password and access token may sound like a huge undertaking, failing to do so leaves the threat actor able to compromise other accounts, creating the conditions for further supply-chain attacks.
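The first question a defender has to answer after a hijack like this one is whether the affected package is pinned anywhere in a project, including as a transitive dependency several levels deep. The following Python script is an added example, not part of the newsletter or of any vendor tooling: it walks a `package-lock.json` (both the nested lockfile v1 layout and the flat v2/v3 `packages` map), lists every copy of `ua-parser-js` with its resolved version, and flags any copy whose version is in a "known bad" set. The version strings in `KNOWN_BAD_VERSIONS` and the two lockfiles are constructed placeholders, not the real compromised releases; substitute the list from the vendor or registry advisory before use.

```python
import json
import sys
from typing import Dict, Iterator, List, Set, Tuple

# Package named in the report. The versions below are PLACEHOLDERS for the
# purposes of this example, not the actual hijacked releases.
TARGET_PACKAGE = "ua-parser-js"
KNOWN_BAD_VERSIONS: Set[str] = {"0.0.0-placeholder-bad"}


def iter_lock_entries(lock: dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (package name, install path, resolved version) for every pinned
    package in a package-lock.json, handling both lockfile layouts."""
    if "packages" in lock:
        # lockfileVersion 2/3: flat map keyed by install path, e.g.
        # "node_modules/foo/node_modules/ua-parser-js"; "" is the root project.
        for path, meta in lock["packages"].items():
            if path == "":
                continue
            name = path.split("node_modules/")[-1]  # keeps "@scope/pkg" intact
            yield name, path, meta.get("version", "")
        return

    # lockfileVersion 1: nested "dependencies" tree.
    def walk(deps: Dict[str, dict], prefix: str) -> Iterator[Tuple[str, str, str]]:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield name, path, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_package(lock: dict, name: str = TARGET_PACKAGE) -> List[Tuple[str, str]]:
    """Every install path of `name` in the lockfile with its exact version."""
    return [(path, ver) for n, path, ver in iter_lock_entries(lock) if n == name]


def flag_compromised(lock: dict,
                     bad_versions: Set[str] = KNOWN_BAD_VERSIONS,
                     name: str = TARGET_PACKAGE) -> List[str]:
    """Install paths whose pinned version is on the known-bad list.
    Lockfile versions are exact strings, so set membership is sufficient."""
    return [path for path, ver in find_package(lock, name) if ver in bad_versions]


# Constructed sample lockfiles (not from any real project).
SAMPLE_LOCK_V3 = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "dependencies": {"some-analytics": "1.0.0"}},
    "node_modules/some-analytics": {"version": "1.0.0",
                                    "dependencies": {"ua-parser-js": "*"}},
    "node_modules/some-analytics/node_modules/ua-parser-js":
        {"version": "0.0.0-placeholder-bad"},
    "node_modules/ua-parser-js": {"version": "0.7.0-placeholder-ok"}
  }
}
""")

SAMPLE_LOCK_V1 = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 1,
  "dependencies": {
    "some-analytics": {
      "version": "1.0.0",
      "dependencies": {"ua-parser-js": {"version": "0.0.0-placeholder-bad"}}
    }
  }
}
""")


def audit(lock: dict) -> List[str]:
    """Human-readable report lines for one lockfile."""
    lines = [f"{path}: {ver}" for path, ver in find_package(lock)]
    for path in flag_compromised(lock):
        lines.append(f"COMPROMISED VERSION PINNED: {path}")
    return lines


if __name__ == "__main__":
    # Usage: python audit_lock.py [path/to/package-lock.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print("\n".join(audit(json.load(fh))))
    else:
        for label, lock in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
            print(f"--- sample lockfile {label} ---")
            print("\n".join(audit(lock)))
```

A hit from `flag_compromised` means the build machines and developer workstations that installed from that lockfile should be treated as compromised, which is exactly the point at which the credential rotation described above becomes mandatory rather than precautionary.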

Over 10 Million Android Users Targeted by Premium SMS Scam Apps

A global fraud campaign has been found leveraging 151 malicious Android apps with 10.5 million downloads to rope users into premium subscription services without their knowledge or consent.

The premium SMS scam campaign, dubbed "UltimaSMS", spans a wide range of app categories, including keyboards, QR code scanners, video and photo editors, spam call blockers, camera filters, and games. The scam is distributed via advertising channels on popular social media sites such as Facebook, Instagram, and TikTok, luring unsuspecting users with what the researchers describe as "catchy video advertisements".

Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.