Daily News Update: Saturday, March 29, 2025 (Australia/Melbourne)

A breach at Oracle Health compromised patient data, with Oracle allegedly shifting responsibility to hospitals and avoiding documentation. A Walmart subsidiary is investigating claims of a Clop ransomware attack, potentially linked to the Cleo file transfer vulnerability.


Oracle Health Breach Compromises Patient Data

A breach at Oracle Health has impacted multiple US healthcare organisations and hospitals, with patient data stolen from legacy servers. Oracle Health became aware of the breach on February 20, 2025, involving unauthorised access to legacy Cerner data migration servers.

The threat actor used compromised customer credentials to breach the servers after January 22, 2025, and copied data to a remote server. The stolen data included patient information from electronic health records.

Oracle Health is telling hospitals that it will not notify affected patients directly, and that it is each hospital's responsibility to determine whether the stolen data constitutes a breach under HIPAA.

After being acquired by Oracle in 2022, the healthcare software-as-a-service (SaaS) company Cerner was merged into Oracle Health, with its systems migrated to Oracle Cloud.

💡
Oracle Health's handling of this is suspicious at best, and downright conniving at worst.

Not only are they putting the onus on their customers - hospitals - to determine if stolen data violates HIPAA laws, they've reportedly "directed customers to communicate only with its Chief Information Security Office (CISO) over the phone and not via email." It's not a stretch to interpret this as an attempt to avoid a paper trail that could be subpoenaed in the case of a lawsuit, which tells you all you need to know about their priorities as a business.

Readers will remember the other big story of the week being an alleged breach of Oracle Cloud, which Oracle has vehemently denied despite it being validated by numerous researchers and customers who have seen the stolen data.

If you're a customer or prospective customer of Oracle or Oracle Cloud, I'd encourage you to consider how their handling of these breaches reflects their security culture, and if you'd trust them to secure your data or applications.

Bleeping Computer | "Oracle Health breach compromises patient data at US hospitals"


Sam's Club Investigates Clop Ransomware Breach Claims

Sam's Club, owned by Walmart, is investigating claims of a Clop ransomware breach. The Clop ransomware gang added Sam's Club to its dark web leak site but has not yet provided proof of the breach. The gang claims Sam's Club "doesn't care about its customers, it ignored their security."

Clop has recently been extorting victims breached through a zero-day vulnerability (CVE-2024-50623) in Cleo secure file transfer software. Western Alliance Bank, a victim of the Cleo vulnerability, notified nearly 22,000 customers of a data breach.

Bleeping Computer | "Retail giant Sam’s Club investigates Clop ransomware breach claims"


Arkana Group Claims WideOpenWest (WOW!) Breach

The cybercrime group Arkana claimed to have stolen subscriber account data from WideOpenWest (WOW!), a US cable operator.

They released a music video in Russian, alleging the theft of data on 403,000 customers, including usernames, passwords, partial credit card details, and email addresses. Arkana is demanding a ransom payment, threatening to sell or leak the data if negotiations fail.

Hudson Rock's analysis suggests the breach occurred in September 2024 after a WOW! employee's computer was infected with info-stealer malware. Arkana allegedly gained control of WOW!'s backend systems, including Symphonica and Appian Cloud.

"Arkana has not only stolen sensitive data but is also attempting to blackmail WOW! with the threat of leaking or selling the information. They even claimed they have the ability to push malware to the company’s customers." -Hudson Rock

The Register | "Cyber-crew claims it cracked American cableco, releases terrible music video to prove it"

Cardiff City Council Confirms Data Breach

Cardiff City Council's director of children's services, Deborah Driffield, confirmed a data breach at the UK organisation. The details of the breach, including the type and amount of data compromised, remain unclear. The council is working with the Welsh government and Data Cymru to mitigate the risks.

Cybersecurity is one of the five "elevated" corporate risks the council faces, particularly when working with third parties. The council aims to improve its cybersecurity risk rating from the highest tier to upper-medium by the end of the year through improved security products, staff training, phishing exercises, and better security tools.

The Register | "Cardiff's children's chief confirms data leak 2 months after cyber risk was 'escalated'"


Hackers Target Taiwan with Malware via Fake Messaging Apps

Hackers have been targeting users in Taiwan with PJobRAT malware delivered through malicious instant messaging apps, SangaalLite and CChat. Sophos researchers reported that the apps mimicked legitimate platforms and were available for download on multiple WordPress sites.

The campaign, which ran for nearly two years, targeted specific individuals. The latest PJobRAT malware gives attackers greater control over infected devices, allowing them to steal data from various applications, infiltrate networks, and remove the malware remotely after completing their activity.

The Android RAT was first identified in 2019, and was linked to attacks on Indian military personnel via fake dating and messaging apps in 2021.

The Record | "Hackers target Taiwan with malware delivered via fake messaging apps"


Morphing Meerkat PhaaS Uses DNS-over-HTTPS for Evasion

A new phishing-as-a-service (PhaaS) operation, Morphing Meerkat, uses DNS over HTTPS (DoH) to evade detection. Reported by Infoblox, the platform also leverages DNS mail exchange (MX) records to identify each victim's email provider and dynamically serve a spoofed login page for that provider, covering more than 114 brands.

Active since at least 2020, Morphing Meerkat provides a complete toolkit for launching effective and evasive phishing attacks.

It features a centralized SMTP infrastructure, impersonates numerous email and service providers, and delivers messages in multiple languages. The phishing kit queries the victim’s email domain’s MX record using DoH via Google or Cloudflare to load a matching fake login page.

Credentials are exfiltrated via AJAX requests, and real-time forwarding through Telegram bot webhooks is supported. Infoblox recommends tightening DNS control so that clients cannot talk to DoH resolvers directly, and blocking access to adtech and file-sharing infrastructure that the business does not need.
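To make the fingerprinting step concrete, here is an added example (written for this summary, not code from Infoblox or from the kit itself) that reproduces what the kit does in the victim's browser: issue an MX query over DoH, take the preferred mail host, and pick a login template from it. The DoH JSON responses are constructed samples embedded inline so the code runs offline, the resolver URL follows Google's JSON API format (Cloudflare's JSON endpoint returns the same shape), and the suffix-to-brand table is an illustrative subset, not the kit's real 114-plus brand list.

```python
import json
from urllib.parse import urlencode

# Constructed samples of the JSON that https://dns.google/resolve returns for an
# MX query (Cloudflare's https://cloudflare-dns.com/dns-query with
# accept: application/dns-json has the same shape). Embedded so the example
# runs offline; these are not captured responses.
SAMPLE_DOH_RESPONSES = {
    "victim-corp.example": json.dumps({
        "Status": 0,
        "Answer": [
            {"name": "victim-corp.example.", "type": 15, "TTL": 300,
             "data": "10 victim-corp-example.mail.protection.outlook.com."},
        ],
    }),
    "smallshop.example": json.dumps({
        "Status": 0,
        "Answer": [
            {"name": "smallshop.example.", "type": 15, "TTL": 3600,
             "data": "5 alt1.aspmx.l.google.com."},
            {"name": "smallshop.example.", "type": 15, "TTL": 3600,
             "data": "1 aspmx.l.google.com."},
        ],
    }),
    "nomail.example": json.dumps({"Status": 3}),   # NXDOMAIN: no Answer section at all
}

# Assumed, illustrative mapping from MX host suffix to the brand template to serve.
PROVIDER_SUFFIXES = {
    ".mail.protection.outlook.com": "microsoft",
    ".google.com": "google",
    ".yahoodns.net": "yahoo",
    ".zoho.com": "zoho",
}


def doh_mx_url(domain, resolver="https://dns.google/resolve"):
    """The DoH JSON-API URL the kit would fetch for a victim's domain (Google format)."""
    return resolver + "?" + urlencode({"name": domain, "type": "MX"})


def mx_hosts_from_doh(doh_json):
    """Extract MX hostnames from a DoH JSON answer, lowest preference value first."""
    payload = json.loads(doh_json)
    records = []
    for rr in payload.get("Answer", []):
        if rr.get("type") != 15:            # 15 is the MX RR type number
            continue
        pref, host = rr["data"].split(None, 1)
        records.append((int(pref), host.rstrip(".").lower()))
    return [host for _, host in sorted(records)]


def classify_provider(mx_hosts):
    """Map the first matching MX host to a brand label; 'generic' if nothing matches."""
    for host in mx_hosts:
        for suffix, brand in PROVIDER_SUFFIXES.items():
            if host.endswith(suffix):
                return brand
    return "generic"


def phishing_page_for(domain, fetch=None):
    """End to end: domain -> DoH MX lookup -> provider -> template the kit would serve.

    `fetch` stands in for the browser's DoH request; by default it reads the
    constructed samples above, returning NXDOMAIN for anything unknown.
    """
    if fetch is None:
        fetch = lambda d: SAMPLE_DOH_RESPONSES.get(d, '{"Status": 3}')
    return classify_provider(mx_hosts_from_doh(fetch(domain)))


if __name__ == "__main__":
    for d in SAMPLE_DOH_RESPONSES:
        print(d, "->", doh_mx_url(d), "->", phishing_page_for(d))
```

The defensive takeaway is the request shape: a browser fetching https://dns.google/resolve?name=<your domain>&type=MX (or the Cloudflare equivalent) from a page that is not a DNS tool is a strong phishing signal, and blocking those resolver endpoints at the egress proxy denies the kit its provider lookup.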

Bleeping Computer | "Phishing-as-a-service operation uses DNS-over-HTTPS for evasion"

Microsoft Stream Classic Domain Hijacked for Spam

The legacy domain for Microsoft Stream classic, microsoftstream.com, was hijacked to display a fake Amazon site promoting a Thai online casino. This caused SharePoint sites with embedded videos from the old domain to display the spam page. Microsoft Stream classic was deprecated in September 2020, with users instructed to migrate to SharePoint by April 2024.

The domain hijack, which may have involved DNS modification, occurred on March 27, 2025. Microsoft has taken action to block access to the impacted domain but has not disclosed how the hijack occurred.

Fortunately, the attackers did not attempt to distribute malware.
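Finding the orphaned embeds is the practical follow-up for a SharePoint administrator. The following is an added example, not Microsoft's tooling or anything from the report: it scans exported page HTML for elements whose src, href, data or action attribute points at microsoftstream.com or any subdomain of it, including scheme-relative URLs. The page fragment is a constructed sample; how you export your site pages is left to you.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# The domain reported as hijacked; subdomains such as web.microsoftstream.com count too.
LEGACY_HOSTS = ("microsoftstream.com",)
# Attributes that can pull a remote resource or navigation target into a page.
URL_ATTRS = {"src", "href", "data", "action"}


def host_is_legacy(url):
    """True if url points at microsoftstream.com or a subdomain (handles '//host/path')."""
    if url.startswith("//"):
        url = "https:" + url
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in LEGACY_HOSTS)


class EmbedScanner(HTMLParser):
    """Collect (tag, attribute, url) for every element referencing the legacy domain."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:          # HTMLParser lowercases attribute names
            if name in URL_ATTRS and value and host_is_legacy(value):
                self.hits.append((tag, name, value))


def find_legacy_embeds(html):
    scanner = EmbedScanner()
    scanner.feed(html)
    return scanner.hits


# Constructed fragment standing in for an exported SharePoint page.
SAMPLE_PAGE = """
<div class="video">
  <iframe src="https://web.microsoftstream.com/embed/video/0000"></iframe>
  <a href="//microsoftstream.com/video/0000">watch</a>
  <iframe src="https://contoso.sharepoint.com/embed/new"></iframe>
  <a href="https://notmicrosoftstream.com/x">unrelated</a>
</div>
"""

if __name__ == "__main__":
    for tag, attr, url in find_legacy_embeds(SAMPLE_PAGE):
        print(f"<{tag} {attr}> still references the hijacked domain: {url}")
```

Note the last sample link: a naive substring match on "microsoftstream.com" would flag notmicrosoftstream.com, so the check compares the parsed hostname rather than searching the raw string.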

Bleeping Computer | "Hijacked Microsoft Stream classic domain spams SharePoint sites"


Ubuntu Linux Security Bypasses Require Manual Mitigations

Three bypasses of Ubuntu Linux's unprivileged user namespace restrictions have been disclosed. The restrictions exist to keep unprivileged local users away from kernel attack surface that is only reachable from inside a user namespace; bypassing them gives a local attacker that attack surface back, making kernel vulnerabilities exploitable that would otherwise be out of reach. The issues affect Ubuntu 23.10 and 24.04, where the restriction is enabled.

Qualys researchers found three routes around the restriction: via aa-exec, via busybox, and via LD_PRELOAD. Each rides on a binary or AppArmor profile that is already permitted to create user namespaces rather than on a kernel bug, which is why Canonical treats the findings as hardening gaps rather than vulnerabilities in themselves, while it works on improvements to its AppArmor protections.

Recommended hardening steps: set kernel.apparmor_restrict_unprivileged_unconfined=1, disable the broad AppArmor profiles shipped for busybox and Nautilus, and apply a stricter bwrap AppArmor profile to applications that rely on user namespaces.
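An added example (not from Qualys or Canonical) to audit the sysctl part of that advice on a host: it reads the knobs straight from /proc/sys/kernel and emits the sysctl commands for anything that is off. Assumptions not stated on the page: the restriction itself is exposed as kernel.apparmor_restrict_unprivileged_userns on Ubuntu 23.10 and 24.04, and both settings are expected to be 1. The AppArmor profile changes for busybox, Nautilus and bwrap are not automated here.

```python
import os
import tempfile

PROC_SYSCTL = "/proc/sys/kernel"

# Sysctl name -> expected value. apparmor_restrict_unprivileged_userns is the
# Ubuntu 23.10/24.04 restriction that was bypassed (assumed knob name);
# apparmor_restrict_unprivileged_unconfined is the setting the article says to enable.
CHECKS = {
    "apparmor_restrict_unprivileged_userns": "1",
    "apparmor_restrict_unprivileged_unconfined": "1",
}


def read_sysctl(name, root=PROC_SYSCTL):
    """Return the knob's value as a string, or None if the kernel does not expose it."""
    try:
        with open(os.path.join(root, name)) as f:
            return f.read().strip()
    except FileNotFoundError:
        return None     # older release or a non-Ubuntu kernel without the knob


def audit_userns_hardening(root=PROC_SYSCTL):
    """Return {sysctl: (current, expected, ok)}; ok is False when missing or wrong."""
    report = {}
    for name, expected in CHECKS.items():
        current = read_sysctl(name, root)
        report[name] = (current, expected, current == expected)
    return report


def remediation_commands(report):
    """sysctl -w commands for every check that exists but has the wrong value.

    Missing knobs get no command: sysctl -w on a nonexistent key just errors out.
    """
    return [
        f"sudo sysctl -w kernel.{name}={expected}"
        for name, (current, expected, ok) in report.items()
        if not ok and current is not None
    ]


def write_fake_proc(values):
    """Test helper: build a temp dir of sysctl-style files so the audit runs anywhere."""
    root = tempfile.mkdtemp()
    for name, value in values.items():
        with open(os.path.join(root, name), "w") as f:
            f.write(value + "\n")
    return root


if __name__ == "__main__":
    report = audit_userns_hardening()
    for name, (cur, exp, ok) in report.items():
        print(f"{'OK ' if ok else 'BAD'} kernel.{name} = {cur!r} (want {exp})")
    for cmd in remediation_commands(report):
        print(cmd)
```

Run it as any user; the files are world-readable. A value set with sysctl -w does not survive a reboot, so persist it with a drop-in under /etc/sysctl.d/ as well. The write_fake_proc helper exists so the checks can be exercised on a machine that is not running Ubuntu.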

Bleeping Computer | "New Ubuntu Linux security bypasses require manual mitigations"


OpenAI Increases Bug Bounty Rewards

OpenAI has increased its maximum bug bounty reward for critical security vulnerabilities from $20,000 to $100,000. The company's services are used by 400 million users weekly.

OpenAI will also offer bounty bonuses for qualifying reports within specific categories, such as doubling payouts for Insecure Direct Object Reference (IDOR) vulnerabilities until April 30, with a maximum reward of $13,000. Model safety issues, jailbreaks, and safety bypasses are out of scope.

Bleeping Computer | "OpenAI now pays researchers $100,000 for critical vulnerabilities"


Personal Info on Federal Judges Widely Accessible Online

A recent study found that more than half of U.S. appellate court judges have their personal data, including home addresses, phone numbers, names of relatives, and case rulings, listed on people search sites.

Incogni's research showed that about 50 out of 270 judges studied appear on five or more data broker sites. This highlights the risks judges face as they are increasingly targeted by doxxing, threats, and violent retaliation.

Legislation to fight the problem is gaining momentum, with states like New Jersey and Vermont passing laws to protect judges' personal data.

The Record | "Report: Personal info on federal judges is widely accessible online, leading to safety risks"

