TAFA Archives
April 2024
The digital age has revolutionised the way we shop, but it has also opened the door to new threats. In December 2023, Europol notified 443 online shops that they had been infected with credit card stealers. This highlights the pervasive nature of cybercrime and the need for heightened vigilance. Join us as we explore the implications of this warning, the tactics used by cybercriminals, and the steps businesses can take to protect themselves in an increasingly risky online shopping landscape.

On Credit Card Stealers

Threat actors have hacked online shops with malicious scripts that steal customers' debit and credit cards. Skimmers (small snippets of JavaScript code) are added to checkout pages or loaded from remote resources to evade detection. This is a major cybersecurity threat, as digital skimming steals credit card information or payment card data from online stores' customers. Because the transaction data is intercepted during the checkout process, customers tend not to notice anything unusual.

How Does Digital Skimming Work?

Generally, there are 3 stages in a digital skimming attack:

What do these codes do? They intercept and steal payment card numbers, expiration dates, verification numbers, names and shipping addresses. This personal information is then uploaded to the attackers' servers.

Consequences of Credit Card Stealers

The consequence of the stolen data is that threat actors can use it to perform unauthorised transactions (e.g. online purchases) or resell it to other cybercriminals on the dark web. Unfortunately, these attacks can go undetected for weeks or even several months. Furthermore, cybercriminals can collect large amounts of payment card details if the breached e-commerce platforms are highly popular.

Scale of the Operation

This 2-month international operation was coordinated by Europol and spearheaded by Greece, and involved law enforcement from 17 countries and private entities such as Group-IB and Sansec.

Tips for Business To Protect Themselves
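One protective measure that follows directly from the description above: because a skimmer is either an extra inline script on the checkout page or a script loaded from a remote host the shop never approved, the checkout page can be compared against a known-good baseline on every deployment or on a schedule. The Python below is an added example written for this post, not code from Europol, Sansec or Group-IB; the two HTML pages, the allowlisted host `js.payments.example` and the `.invalid` host are constructed sample data, and the baseline is simply the SHA-256 of each inline script body on a page the merchant has reviewed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and inline <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of every external script tag
        self.inline = []        # body text of every inline script tag
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def collect_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def inline_script_hashes(html):
    """SHA-256 of each inline script body; run once on a reviewed page to build the baseline."""
    _, inline = collect_scripts(html)
    return {hashlib.sha256(body.encode("utf-8")).hexdigest() for body in inline}


def audit_checkout_page(html, allowed_hosts, baseline_hashes):
    """Report external scripts from hosts outside the allowlist and inline scripts
    whose hash is not in the baseline. Relative src values (no host) are treated
    as first-party and are not reported."""
    external, inline = collect_scripts(html)
    findings = []
    for src in external:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(("unknown_external_script", src))
    for body in inline:
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        if digest not in baseline_hashes:
            findings.append(("unknown_inline_script", digest))
    return findings


# Constructed sample pages (not real merchant markup).
KNOWN_GOOD_PAGE = """
<html><body>
<form id="checkout"><input name="card"><button id="pay">Pay</button></form>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v1/sdk.js"></script>
<script>document.getElementById('pay').addEventListener('click', validateForm);</script>
</body></html>
"""

SUSPECT_PAGE = """
<html><body>
<form id="checkout"><input name="card"><button id="pay">Pay</button></form>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v1/sdk.js"></script>
<script src="https://cdn.stats-collector.invalid/t.js"></script>
<script>window.__cfg = {region: 'eu'};</script>
<script>document.getElementById('pay').addEventListener('click', validateForm);</script>
</body></html>
"""

ALLOWED_HOSTS = {"js.payments.example"}   # constructed allowlist of approved script hosts

if __name__ == "__main__":
    baseline = inline_script_hashes(KNOWN_GOOD_PAGE)
    for kind, detail in audit_checkout_page(SUSPECT_PAGE, ALLOWED_HOSTS, baseline):
        print(f"{kind}: {detail}")
```

The same allowlist and hashes can feed a Content Security Policy for the checkout page, so that a script outside the baseline is blocked by the browser rather than only reported afterwards. The check is only as good as the baseline: rebuild it whenever the checkout page legitimately changes, and treat any change that nobody deployed as an incident.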
What To Do If You Become A Victim?

Conclusion

Europol's warning serves as a stark reminder of the ever-present threat of cybercrime in the digital age. By staying informed, exercising caution, and following best practices for online security, consumers can protect themselves from falling victim to credit card stealers and other malicious threats. Together, let us work towards a safer online shopping experience for all.
The PuTTY project has released a security update to address a critical vulnerability (tracked as CVE-2024-31497) in PuTTY 0.68 through 0.80. An attacker who obtains 60 cryptographic signatures could use them to recover the private key that generated them. The consequence of this critical vulnerability is that it allows unauthorised access to SSH servers or the signing of commits as the developer, which can potentially lead to supply chain attacks on impacted software projects. The vulnerability is caused by how PuTTY generates the temporary, unique cryptographic numbers (nonces) used with the NIST P-521 curve for SSH authentication.

PuTTY is a popular open-source terminal emulator, serial console, and network file transfer application that supports SSH, Telnet, SCP, and SFTP. The developers have fixed the vulnerability in PuTTY version 0.81. However, any P521 private keys generated using a vulnerable version of the tool should be considered unsafe and be replaced with new, secure keys. Listed below is the software confirmed to use the vulnerable PuTTY:

It should be noted that more software tools are likely impacted by this vulnerability, depending on the PuTTY version incorporated. Users are highly advised to check their tools and take the preventive action needed.

More information is available here:
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html
https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-042
https://www.bleepingcomputer.com/news/security/putty-ssh-client-flaw-allows-recovery-of-cryptographic-private-keys/
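The advice above is to replace P521 keys that were used with a vulnerable PuTTY, and the first step of doing that on the server side is knowing which keys in authorized_keys are P-521 at all. The Python below is an added example, not code from the PuTTY project or from the advisories linked above. It decodes each OpenSSH public key line, reads the key type and (for ECDSA) the curve name from the wire-format blob, computes the standard SHA256 fingerprint, and lists the `ecdsa-sha2-nistp521` entries for review. The three sample lines are constructed with filler key material and are not real keys; the script cannot tell whether a given key was ever used from PuTTY, only that it is P-521 and therefore in scope for the rotation decision.

```python
import base64
import hashlib
import struct

VULNERABLE_KEY_TYPE = "ecdsa-sha2-nistp521"   # the P-521 key type affected by CVE-2024-31497


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob, offset):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_public_key_line(line):
    """Parse one authorized_keys or .pub line; None for blanks, comments or unparseable lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    # authorized_keys options (from=..., no-pty, ...) may precede the key type.
    # Assumption: quoted options containing spaces are not handled by this split.
    idx = next((i for i, t in enumerate(tokens)
                if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
    if idx is None or idx + 1 >= len(tokens):
        return None
    declared_type, b64 = tokens[idx], tokens[idx + 1]
    try:
        blob = base64.b64decode(b64, validate=True)
        wire_type, offset = _read_ssh_string(blob, 0)
        wire_type = wire_type.decode("ascii")
        curve = None
        if wire_type.startswith("ecdsa-sha2-"):
            curve_bytes, offset = _read_ssh_string(blob, offset)
            curve = curve_bytes.decode("ascii")
    except (ValueError, struct.error):   # bad base64, truncated blob, non-ASCII type
        return None
    digest = hashlib.sha256(blob).digest()
    return {
        "type": wire_type,
        "curve": curve,
        "fingerprint": "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("="),
        "comment": " ".join(tokens[idx + 2:]),
        # a declared type that differs from the blob's type is itself worth a look
        "type_mismatch": wire_type != declared_type,
    }


def keys_to_rotate(lines):
    """Entries whose wire type or ECDSA curve is P-521: candidates for replacement."""
    return [e for e in map(parse_public_key_line, lines)
            if e and (e["type"] == VULNERABLE_KEY_TYPE or e["curve"] == "nistp521")]


# Constructed sample authorized_keys; the key material is filler, not real public keys.
_P521_BLOB = (_ssh_string(b"ecdsa-sha2-nistp521") + _ssh_string(b"nistp521")
              + _ssh_string(b"\x04" + b"\x11" * 132))
_P256_BLOB = (_ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256")
              + _ssh_string(b"\x04" + b"\x22" * 64))
_ED25519_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x33" * 32)

SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample authorized_keys; key material below is filler",
    "ssh-ed25519 " + base64.b64encode(_ED25519_BLOB).decode() + " alice@laptop",
    'from="10.0.0.0/8",no-pty ecdsa-sha2-nistp521 '
    + base64.b64encode(_P521_BLOB).decode() + " bob@putty-host",
    "ecdsa-sha2-nistp256 " + base64.b64encode(_P256_BLOB).decode() + " carol@ci",
]

if __name__ == "__main__":
    for entry in keys_to_rotate(SAMPLE_AUTHORIZED_KEYS):
        print(f"P-521 key {entry['fingerprint']} ({entry['comment']}) should be reviewed for rotation")
```

Run it over every authorized_keys file and over the public keys registered with code forges, since the post notes commit signing is also in scope. A P-521 key that was only ever used from a client other than PuTTY is not affected, but the fingerprint list is what lets that decision be made key by key.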
Last week, breaches and cyberattacks occurred across several industries, from healthcare to the public sector. Devastating consequences have been uncovered from earlier data breaches and attacks, such as UnitedHealth confirming that it paid the ransom to stop its patients' data from being leaked. Furthermore, new vulnerabilities and patches for the WP Automatic WordPress plugin and Progress Flowmon have been found and released. It is highly recommended not only to be aware of them but also to apply the updates as soon as possible.

Read on for a quick summary of what happened this week in cybersecurity.

U.S. health conglomerate Kaiser notifies 13.4 million customers of data breach.

On Thursday, Kaiser posted a notice stating that it will be notifying millions of its members of a data breach that occurred earlier this month. The Kaiser Foundation Health Plan confirmed that 13.4 million current and former residents and patients had their information leaked to third-party trackers installed on its websites and mobile applications. These third-party vendors include Google, Microsoft Bing, and X (Twitter). The leaked data may include IP addresses, names, information that could indicate a member or patient had signed into a Kaiser Permanente account or service, details showing how a member or patient interacted with and navigated through the website and mobile app, and search terms used in the health encyclopaedia. Normally, this kind of information is shared with an extensive network of marketers, advertisers, and data brokers. The organisation stated that the trackers were discovered and removed following a voluntary internal investigation, and that additional security measures have been implemented to prevent the incident from recurring. As of now, Kaiser has found no evidence of any member's or patient's personal information being misused.

DPRK hacking groups breached South Korea's defence contractors to steal information.

On 23 April, the National Police Agency in South Korea issued an urgent warning that North Korean hacking groups have breached defence industry entities to steal technology information. The North Korean groups Lazarus, Andariel and Kimsuky were found to have breached South Korean defence companies by exploiting vulnerabilities in the targets' or their subcontractors' environments to plant malware and exfiltrate data. Multiple companies had been compromised since late 2022 but were unaware of the breach until the authorities informed them. The Korean police recommend that both defence companies and their subcontractors improve their network segmentation, reset their passwords periodically, set up 2FA on all critical accounts, and block foreign IP addresses.

LA County Health Services: Data breach has exposed thousands of patients' data.

LA County Health Services disclosed a data breach after approximately 6,085 patients' personal and health information was exposed following a recent phishing attack that impacted over two dozen employees. According to the data breach notification, 23 employees had their mailboxes compromised after their credentials were stolen in a February attack, giving the attackers access to patients' personal and health data stored in the employees' email inboxes. The compromised information includes patients' full names, birth dates, home addresses, phone numbers, email addresses, medical record numbers, client identification numbers, dates of service, medical information (e.g. diagnosis/condition, treatment, test results, medications), and/or health plan information; the data exposed differs from individual to individual. Upon discovering the breach, the organisation disabled the impacted email accounts and quarantined all suspicious incoming emails. No evidence has been found that the attackers accessed or misused the exposed personal and health information. However, LA County Health Services advises all affected patients to contact their healthcare providers to verify the content and accuracy of their medical records.

UnitedHealth confirmed it paid the ransom to stop data leak.

UnitedHealth Group confirmed on Monday that it paid the ransom to the ransomware gang to protect patient data from being leaked, following the February cyberattack on its subsidiary, Change Healthcare. The company also confirmed that files containing personal information were compromised in the breach. In a statement to CNBC, the company said that it is working with law enforcement and multiple cybersecurity firms. The company has launched a call centre that will offer free identity theft protection and credit monitoring for 2 years. However, the call centre will not be able to offer details about the impact on any individual's data because of the ongoing investigation and the complexity of the data review. Concerned patients can visit the company's dedicated website for access to resources.

Okta warns of a spike in proxy-driven credential stuffing attacks aimed at online services.

Okta has warned of a surge in the frequency and scale of credential stuffing attacks aimed at online services. In its alert, Okta said that these attacks were facilitated by the broad availability of residential proxy services, lists of previously stolen credentials, and scripting tools. Okta detected a surge in credential stuffing activity against user accounts from 19 April to 26 April 2024, from likely similar infrastructure. In some cases a user's device had been infected with malware and enrolled in a botnet, which allows threat actors to conceal their malicious traffic. From Okta's observations, most of the traffic in these credential stuffing attacks appears to originate from the mobile devices and browsers of everyday users. To mitigate the risk of account takeovers, Okta recommends that organisations require users to switch to strong passwords, enable 2FA, deny requests originating from locations where they do not operate and from IP addresses with poor reputation, and add support for passkeys.

Critical vulnerability in the WP Automatic WordPress plugin is being exploited: More than 5.5 million attacks detected.

Threat actors have started to exploit a critical-severity vulnerability (tracked as CVE-2024-27956) in the WP Automatic plugin for WordPress to create user accounts with administrative privileges and plant backdoors for long-term access. The plugin is currently installed on more than 30,000 websites. The vulnerability is an SQL injection issue and affects WP Automatic versions before 3.9.2.0. More than 5.5 million attacks attempting to leverage this vulnerability have been observed, most of them recorded on 31 March. Administrators are highly recommended to update the WP Automatic plugin to version 3.92.1 or later.

Maximum-severity vulnerability found in Progress Flowmon: Patch available now.

A top-severity vulnerability (tracked as CVE-2024-2389) has been found in Progress Flowmon, a network performance monitoring and visibility tool used by more than 1,500 companies globally. An attacker can exploit it to gain remote, unauthenticated access to the Flowmon web interface and execute arbitrary system commands. The vulnerability affects versions v12.x and v11.x of the product. System administrators are highly encouraged to upgrade to the latest releases, v12.3.4 and 11.1.14. The security update was released to all Flowmon customers, either via the automatic package download system or manually from the vendor's download centre. It is also highly recommended to upgrade all Flowmon modules afterwards.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
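The Okta item above describes two shapes of credential stuffing that a defender has to detect differently: the classic burst where one source tries many usernames, and the residential-proxy pattern where each IP looks like an ordinary user and only fails once. The Python below is an added example for this roundup, not Okta's detection logic or its System Log format; the log lines are constructed in a simplified "timestamp ip username result" form. It scores both signals over a sliding window and, for the single-source case, also lists successful logins from a source that was spraying, since those are the accounts most likely to have been taken over.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified "timestamp ip username result" format;
# this is not Okta's System Log schema. 203.0.113.0/24, 198.51.100.0/24 and
# 192.0.2.0/24 are documentation ranges.
SAMPLE_AUTH_LOG = """\
2024-04-19T10:00:01Z 203.0.113.5 alice FAILURE
2024-04-19T10:00:02Z 203.0.113.5 bob FAILURE
2024-04-19T10:00:03Z 203.0.113.5 carol FAILURE
2024-04-19T10:00:04Z 203.0.113.5 dave FAILURE
2024-04-19T10:00:05Z 203.0.113.5 erin FAILURE
2024-04-19T10:00:06Z 203.0.113.5 frank SUCCESS
2024-04-19T10:00:10Z 198.51.100.1 gina FAILURE
2024-04-19T10:00:11Z 198.51.100.2 hank FAILURE
2024-04-19T10:00:12Z 198.51.100.3 ivan FAILURE
2024-04-19T10:00:13Z 198.51.100.4 judy FAILURE
2024-04-19T10:00:14Z 198.51.100.5 kate FAILURE
2024-04-19T10:00:15Z 198.51.100.6 liam FAILURE
2024-04-19T10:00:16Z 198.51.100.7 mona FAILURE
2024-04-19T10:00:17Z 198.51.100.8 nick FAILURE
2024-04-19T10:05:00Z 192.0.2.9 alice FAILURE
2024-04-19T10:05:03Z 192.0.2.9 alice SUCCESS
"""

# A user mistyping a password once and then succeeding from the same address.
LEGITIMATE_RETRY_LOG = """\
2024-04-19T10:05:00Z 192.0.2.9 alice FAILURE
2024-04-19T10:05:03Z 192.0.2.9 alice SUCCESS
"""


def parse_auth_log(text):
    """Return (timestamp, ip, username, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               per_ip_user_threshold=5, distributed_ip_threshold=8):
    """Signal 1: one IP failing against >= per_ip_user_threshold distinct usernames
    inside the window. Signal 2: >= distributed_ip_threshold distinct IPs that each
    fail against exactly one username inside the window (proxy-distributed pattern).
    Also reports successful logins from a Signal-1 source as takeover candidates."""
    flagged_ips = set()
    distributed_alert = False
    for start_ts, _, _, _ in events:            # slide the window from each event
        end_ts = start_ts + window
        failed_users_by_ip = defaultdict(set)
        for ts, ip, user, result in events:
            if start_ts <= ts < end_ts and result == "FAILURE":
                failed_users_by_ip[ip].add(user)
        for ip, users in failed_users_by_ip.items():
            if len(users) >= per_ip_user_threshold:
                flagged_ips.add(ip)
        single_user_ips = [ip for ip, users in failed_users_by_ip.items() if len(users) == 1]
        if len(single_user_ips) >= distributed_ip_threshold:
            distributed_alert = True
    takeover_candidates = [(user, ip) for _, ip, user, result in events
                           if result == "SUCCESS" and ip in flagged_ips]
    return {
        "flagged_ips": sorted(flagged_ips),
        "distributed_alert": distributed_alert,
        "takeover_candidates": takeover_candidates,
    }


if __name__ == "__main__":
    print(detect_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG)))
```

The thresholds are illustrative and belong in configuration; the distributed signal in particular needs a baseline of how many single-failure sources a service normally sees in five minutes, and the accounts listed under takeover_candidates are where the 2FA and password reset recommendations in the alert above should be applied first.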
In the digital age, the protection of sensitive information is paramount. However, GitGuardian found that in 2023, GitHub users accidentally exposed 12.8 million authentication and sensitive secrets in over 3 million public repositories, with the vast majority of these secrets still valid after 5 days. This serves as a stark reminder of the importance of robust cybersecurity measures and the need for increased vigilance. Join us as we delve into the details of this significant data breach, its implications for cybersecurity, and the steps individuals and organisations can take to protect themselves.

GitHub Leak: Unveiling the Scope

In 2023, 12.8 million authentication and sensitive secrets were leaked on GitHub, a 28% increase compared to the previous year (10 million in 2022). Unfortunately, this is not surprising, since hard-coded credentials have always been one of the primary causes of security incidents in the software world, and the problem is exacerbated by the increasing complexity of digital supply chains. For instance, the Sophos 2023 report found that compromised credentials were the top root cause of attacks in 2023 for the first time: in the first half of the year, compromised credentials accounted for 50% of root causes, followed by exploited vulnerabilities at 23%.

What Was Leaked

The exposed secrets include account passwords, API keys, TLS/SSL certificates, encryption keys, cloud service credentials, OAuth tokens, and other sensitive data that could give external actors unlimited access to a range of private resources and services, potentially leading to data breaches and financial damage. In 2023 alone, over 1 million valid occurrences of Google API secrets, 250,000 Google Cloud secrets, and 140,000 AWS secrets were detected. One reason for this is the growth in the number of code repositories on GitHub, with a 22% increase (50 million) in new repositories added in the past year, which raises the risk of accidental and deliberate exposure of sensitive information.

Countries with the Most Leaks

The top 10 countries with the most leaks are India, the United States, Brazil, China, France, Canada, Vietnam, Indonesia, South Korea and Germany.

Sectors with the Most Leaks

The most affected sector was IT (which also includes software vendors), accounting for 65.9% of all detected leaks. It is followed by Education (20.1%), Science & Tech (7%), Retail (1.5%), Manufacturing (1.2%), and Finance & Insurance (1%).

Generative AI Leaks Trend

The use of generative AI tools grew exponentially in 2023 as many businesses and employees adopted them, and this led to an equally steep growth in generative AI-related leaks on GitHub last year. GitGuardian observed a 1,212-fold increase in the number of OpenAI API keys leaked on GitHub in 2023 compared to 2022, averaging 46,441 API keys leaked per month, the fastest-growing data point in GitGuardian's report. Although OpenAI leads by far in the number of leaks detected on GitHub, the open-source AI model repository HuggingFace saw a steep month-on-month increase in leaked secrets, which could indicate growing interest among developers and researchers in this AI tool. Other AI tools found to have leaks, at a much lower level than OpenAI and HuggingFace, include Cohere, Claude, Clarifai, Google Bard, Pinecone, and Replicate.

Troubling Trend of Leaks

GitGuardian monitored how well authors remediated leaks by revoking the secret as soon as possible to reduce the impact of the incident. Unfortunately, more than 90% of the secrets remained valid 5 days after being leaked, and only 2.6% of the leaks were revoked within 1 hour of GitGuardian notifying the author by email. Not all types of leaked secrets were revoked at the same rate, however. Based on GitGuardian's analysis, leaked WeChat App keys (97.7% still valid after 5 days) and Algolia keys (95.5% still valid after 5 days) were the most likely to remain exposed for over 5 days, followed by Stripe keys (88.3%) and Cloudflare API keys (81%). Developers should be especially concerned about these keys, as they would be prime targets in credential harvesting campaigns.

GitHub Rectification

In February, GitHub enabled push protection by default for all public repositories to prevent accidental exposure of secrets when pushing new code.
Last week, breaches and cyberattacks occurred across several industries, from software, semiconductors, geospatial intelligence, consumer discretionary, gaming, telecom providers, smoke alarms and healthcare to the public sector. Devastating consequences have been uncovered from earlier data breaches and attacks, such as the Change Healthcare ransomware attack that cost UnitedHealth $872 million. Furthermore, new vulnerabilities and patches have been found and released. It is highly recommended not only to be aware of them but also to apply the updates as soon as possible.

Read on for a quick summary of what happened this week in cybersecurity.

Cisco's Duo Multi-Factor Authentication (MFA) service breached.

A third-party telephony service provider for Cisco's Duo MFA service has been compromised in a social engineering attack, and Cisco Duo customers have been sent a notice to be on alert for phishing attacks. In the notice, the company explained that the third-party provider that handled SMS and VoIP MFA messaging traffic for Duo was breached on 1 April 2024. The threat actors reportedly used compromised employee credentials for the attack and, once inside the service provider's systems, managed to download SMS logs for specific users within a certain time frame. According to Cisco's customer advisory, the attacker downloaded message logs for SMS messages sent to certain users under their Duo account between 1 March and 31 March 2024. The compromised information includes the customer's phone number, phone carrier, the country and state to which each message was sent, and other metadata such as the date, time and type of message. No message content was compromised. Cisco Duo did not identify the breached telephony provider in its advisory. Cisco advised impacted customers to notify anyone whose information was exposed and to remain vigilant against phishing attacks.

Nexperia, a Dutch chipmaker, confirmed a data breach after a ransomware gang leaked stolen data.

In a press statement on Friday, Nexperia disclosed that attackers breached some of its IT servers in March 2024, forcing it to shut down the affected IT systems to contain the incident and implement extensive mitigations. Nexperia confirmed the incident after the Dunghill ransomware group claimed to have stolen 1 TB of confidential data and leaked a sample of the allegedly stolen files on 10 April 2024. The threat actors published images of microscope scans of electronic components, employee passports, non-disclosure agreements, and various other samples; however, Nexperia has not confirmed the authenticity of the allegedly stolen data. Dunghill claims that it will leak 371GB of design and product data, 246GB of engineering data, 96GB of commercial and marketing data, 41.5GB of corporate data, 109GB of client and user data, and 121.1GB of various and miscellaneous files if the ransom demand is not paid. Nexperia has launched an investigation with the support of third-party experts to determine the nature and scope of the incident and to implement strong measures to prevent it from recurring, and has reported the incident to the relevant authorities.

UN investigating a ransomware attack that led to data theft.

In a statement published on Tuesday, the United Nations Development Programme (UNDP) disclosed that it had received a threat intelligence notification that a threat actor had hacked into its local IT infrastructure in UN City, Copenhagen, in late March. The stolen data included certain human resources and procurement information. The UN agency stated that actions were immediately taken to identify the source, contain the affected server, and determine the specifics of the exposed data and the individuals impacted by the attack. Although the agency did not name the threat group, the 8Base ransomware gang added a new UNDP entry to its data leak website on 27 March. The attackers claimed to have exfiltrated large amounts of sensitive information, including personal data, accounting data, certificates, employment contracts, confidentiality agreements, invoices, receipts and more.

Space-Eyes data breach exposed sensitive data from critical US government agencies.

IntelBroker, a threat actor, has claimed to have breached Space-Eyes, a geospatial intelligence firm that works exclusively with US government agencies, including the Department of Justice, the Department of Homeland Security, various branches of the US Armed Forces, and crucial intelligence bodies such as the National Geospatial-Intelligence Agency. The breach has allegedly compromised the firm's digital infrastructure, which could expose US national security data. IntelBroker claimed that it took only 10-15 minutes to access the sensitive data from Space-Eyes' systems.

Singapore's Ministry of Education (MOE): A third-party data breach has compromised the personal data of parents and staff at 127 schools.

A data breach at one of MOE's vendors has resulted in the names and email addresses of parents and staff from 5 primary schools and 122 secondary schools being compromised. MOE stated that it was notified by Mobile Guardian, a device management app installed on the personal learning devices used by students, that its user management portal was breached on Wednesday, with the incident occurring at the company's headquarters in Surrey, UK. As Mobile Guardian's management portal was used for administrative purposes, users' names, email addresses, time zones, school names and whether the user was a parent or school staff were accessed. MOE also stated that its own device management app was not affected by the breach, as it is separate from Mobile Guardian's user management portal. The Ministry has informed all affected parties of the breach and recommended that victims be vigilant against phishing emails. The Ministry has expressed its concerns to Mobile Guardian and lodged a police report. In response to the incident, Mobile Guardian has implemented further security measures, such as locking down all administrative accounts, and has apologised for the breach.

A hospital in France had to postpone procedures after a cyberattack.

The Hospital Simone Veil in Cannes (CHC-SV) announced on Tuesday that it had suffered a cyberattack that severely impacted its operations. CHC-SV is an important medical establishment in France, particularly in the Cannes region. The hospital was forced to take all of its computers offline earlier this week and had only its telephone systems available for communication. The hospital did not disclose many details but stated that it has not received any ransom demand; investigations are underway. Although all of its units are continuing to operate, all record keeping has reverted to pen and paper, and some patients had to be diverted to other nearby hospitals. Furthermore, roughly 30% of all non-urgent surgical procedures scheduled for this week were cancelled, and many non-urgent consultations were rescheduled. The hospital stated that its current priority is to restart the patient care systems that contain test results and patient records, but this depends on the progress of the technical investigations, which could take a long time.

Atlantic fisheries body confirms data theft after 8Base ransomware gang claims breach.

The Atlantic States Marine Fisheries Commission (ASMFC) disclosed that its email systems were down and that it had been forced to set up a temporary email address and phone number. Tina Berger, ASMFC's director of communications, stated that the commission is responding to a cyber incident affecting its systems, but did not confirm whether it was a ransomware attack. On Monday, the 8Base ransomware gang added ASMFC to its data leak site and gave officials 4 days to meet the ransom demand. The gang claimed to have stolen invoices, personal data, contracts and more.

Home Depot suffered a third-party breach: 10,000 employees' personal information leaked.

Home Depot has disclosed that a breach at one of its SaaS vendors resulted in a subset of employee data being leaked. The incident came to light when IntelBroker, a known threat actor, claimed to have stolen the personal information of 10,000 Home Depot employees. A Home Depot spokesperson confirmed that the Atlanta, Georgia-based company had suffered a data breach. The exposed information includes employees' names, work email addresses, and user IDs that were used during testing of its systems. Home Depot did not disclose the identity of the breached vendor, and it is unclear whether Home Depot or the vendor has notified the impacted individuals.

Frontier Communications, a telecom provider, suffers a cyberattack: Forced to shut down systems, causing operational disruption.

Frontier Communications, a leading American telecommunications provider, was forced to partially shut down some of its systems during a cyberattack to stop the threat actors from moving laterally through the network, which resulted in some operational disruption. Despite this response, Frontier has stated that the attackers were able to access some personally identifiable information. Frontier believes it has contained the breach, has since restored its affected core IT systems, and is working to restore normal business operations. Despite the company's assurances, many customers have reported that their Internet connection has been down and that the support phone numbers play pre-recorded messages instead of connecting to a human operator. In its SEC filing, Frontier stated that it is investigating the incident with cybersecurity experts and has notified the relevant authorities.

Void Interactive suffers a massive data breach: Over 4TB of data stolen, including full source code.

Void Interactive, the developer of Ready or Not, has suffered a massive data breach in which over 4TB of data, comprising over 2.1 million files, was stolen. The ransomware group announced in March that it had accessed Void Interactive's data; however, Void Interactive has not announced any breach or concern regarding Ready or Not. Insider Gaming was shown the contents of the stolen data, which includes all of the Ready or Not source code, code for what appear to be console builds of the game, and the results of various performance tests. Insider Gaming was also shown images of the game running on a PlayStation 4 test kit, and there was also build data for Xbox One, Xbox Series X|S, and PlayStation 5. Fortunately, the personal information of players and staff members does not appear to have been compromised, and the stolen data seems to be centred on the game itself.

Smoke Alarm Solutions, a smoke alarm company in Australia, suffers a data breach.

One of Australia's largest smoke alarm companies, Smoke Alarm Solutions, left 762,856 documents totalling 107GB of sensitive customer information exposed online in a database with no password protection for nearly 3 months. The files included more than 355,000 detailed invoice records from 2021-2024, records of inspections, estimates, compliance reports, electrical safety inspections, service quotes, and service reports. Furthermore, nearly 25,000 additional documents marked as "on-site quotes" contained the names and email addresses of the business, agent or individual obtaining the quote. Cybersecurity researchers have warned that this sensitive customer information was "very likely" accessed by malicious actors. Mr Fowler, in a report on the incident, described the exposure as "perfect timing" for criminals, as it came days after Australia's consumer watchdog warned of a surge in fake invoice scams that have cost Australians more than $16 million; it is likely that threat actors accessed this customer data to use in scams and phishing attempts.

UnitedHealth reports that the Change Healthcare ransomware attack cost $872 million.

UnitedHealth Group reported that the February ransomware attack cost it $872 million in its Q1 earnings. This total includes $593 million in direct cyberattack response costs and $279 million due to business disruption. The company is still working to mitigate the attack's impact on its consumers and care providers while expanding financial assistance to affected providers. The report came 1 day after the RansomHub extortion gang started leaking documents that allegedly contain patient and corporate data stolen from Change Healthcare's compromised systems. The threat actors also warned that the company has 5 days to pay the ransom to stop the data from being sold.

Forminator WordPress plugin vulnerability affects over 300,000 sites.

The Forminator WordPress plugin has a critical vulnerability (CVE-2024-29980) that allows malicious actors to perform unrestricted file uploads to the server. Site admins that use this plugin are highly advised to upgrade to the latest version, 1.29.3, which addresses this vulnerability, as soon as possible. Since the release of the security update on 8 April 2024, roughly 180,000 site admins have downloaded the plugin, which means that around 320,000 sites remain vulnerable to attacks.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
Palo Alto has warned on 13 April 2024 that hackers were actively exploiting an unauthenticated remote code execution vulnerability in their PAN-OS firewall software (tracked as CVE-2024-3400) since 26 March 2024. This critical vulnerability can allow hackers to use compromised devices to breach internal networks, steal data and credentials. Patches for this critical vulnerability have been available since 14 April 2024. It is strongly recommended for users and administrators of affected versions to immediately upgrade to the latest version.
This vulnerability affects the following products:
Palo Alto Networks disclosed the flaw and released mitigations earlier than planned because it was already being used in attacks, so that customers could protect their devices until patches were complete. Volexity has provided a method to detect whether a Palo Alto Networks firewall has been compromised:

More information is available here:
https://security.paloaltonetworks.com/CVE-2024-3400
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/device-telemetry/device-telemetry-configure/device-telemetry-disable
https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
Last week, breaches and cyberattacks hit several industries, from streaming, business intelligence, veterinary services and audio to healthcare. Devastating consequences have emerged from earlier breaches and attacks: Hoya received a $10 million ransomware demand for a file decryptor and to keep an alleged 1.7 million stolen files from being released, and a hacker who claimed responsibility for the Giant Tiger data breach has allegedly leaked 2.8 million customer records online. New vulnerabilities and patches have also been disclosed for Microsoft, WordPress, LG Smart TVs and the Telegram Windows app. It is highly recommended not only to be aware of them but also to update as soon as possible. Read on for a quick summary of what happened this week in cybersecurity.

Roku confirmed a second security incident: about 576,000 user accounts were hacked. Roku, a streaming giant, has confirmed a second security incident in which about 576,000 user accounts were accessed via credential stuffing, where attackers replay username and password pairs leaked from other breaches. In fewer than 400 of those accounts, the attackers went on to make fraudulent purchases of Roku hardware and streaming subscriptions using the payment methods stored in those accounts. The company has refunded the affected customers and emphasised that the attackers did not access sensitive user information or full credit card details. Following these incidents, Roku has enabled two-factor authentication on accounts, which adds another layer of security beyond the password.

Sisense, a company that sells big-data analytics tools, suffers a data breach: CISA issues an alert. CISA, the US government cybersecurity agency, issued an alert on Thursday warning of a compromise of Sisense customer data, and strongly recommended that Sisense customers immediately reset their credentials and secrets.
Although the exact nature of the breach is unclear, the alert suggests a significant supply chain incident that could have exposed data from thousands of companies globally. CISA stated that it is working with private industry partners to respond, and advised Sisense customers to reset their credentials and secrets, to investigate, and to report any suspicious activity to CISA. In practice, "secrets" means not only the Sisense login itself but any database, cloud or API credentials that were ever provided to the Sisense platform, since those are what an attacker with access to Sisense data could reuse. CISA is taking an active role because the breach directly affects critical infrastructure sector organisations. Sisense provides business intelligence and analytics tools that process massive volumes of data for organisations in the US healthcare, manufacturing, retail and technology sectors, so a supply chain breach of this kind can have severe consequences.

Non-profit healthcare service provider GHC-SCW disclosed that a ransomware gang stole 533,000 individuals' health data. Group Health Cooperative of South Central Wisconsin (GHC-SCW) disclosed that a ransomware gang breached its network on 25 January and stole the personal and medical information of 533,809 individuals. The stolen data includes names, dates of birth and/or death, addresses, telephone numbers, email addresses, Social Security numbers, member numbers, and Medicare and/or Medicaid numbers. The attackers were unable to encrypt the compromised devices, which allowed GHC-SCW to isolate the affected systems to contain the breach, secure them and bring them back online. GHC-SCW stated that it has added security measures to prevent a recurrence, such as strengthening existing controls, data backups and user training. Impacted individuals are advised to monitor all communications from healthcare providers, such as electronic messages and billing statements, and to report any suspicious activity to GHC-SCW immediately.

UK's CVS Group suffers a cyberattack: veterinary operations disrupted.
UK veterinary services provider CVS Group disclosed that it suffered a cyberattack that disrupted its IT services across the country. In an announcement published on the London Stock Exchange site, CVS Group stated that threat actors gained unauthorised access to some of its IT systems. In response, the company took its IT systems offline, which disrupted operations considerably over the past week. CVS has engaged third-party specialists to help investigate the attack and to restore IT services safely across its clinics. CVS also announced that the attack has accelerated its plan to migrate all IT infrastructure to the cloud, which is expected to extend the period of operational disruption by several weeks for UK-based practices.

boAt, an Indian audio giant, is investigating a possible data breach affecting 7.5 million customers. boAt, India's largest audio and wearables brand, is investigating a possible data breach that may have compromised more than 7.5 million customers after hackers uploaded a sample of the alleged customer data to a known cybercrime forum. The allegedly stolen data includes customers' full names, phone numbers, email addresses, mailing addresses and order numbers. TechCrunch reviewed a portion of the data and found that it appears genuine, based on checks against the exposed phone numbers. The hackers claim the breach occurred in March. In a statement, boAt said it has launched an investigation into the claims but did not disclose specifics. The leaked data also includes references to Shopify, and the Indian outlet Athenil reported that the alleged hackers claimed the data was obtained using credentials stolen from boAt's systems.

AT&T is now notifying about 51 million customers that the data breach affected them.
AT&T is notifying about 51 million current and former customers that their personal data was exposed in a breach and posted on a hacking forum. While the leak contained the personal information of more than 70 million people, AT&T now says the breach impacted a total of 51,226,382 customers; the difference is that some customers appeared multiple times in the dataset. According to the notification, the exposed information varies by individual and account and may include full name, email address, mailing address, phone number, Social Security number, date of birth, AT&T account number and passcode. AT&T stated that it will tell each impacted customer which types of personal information were stolen. However, the company has still not disclosed how the data was stolen, or why it took five years to confirm that the stolen data belonged to it and to alert the impacted customers.

Hoya, an optics giant, received a $10 million ransomware demand. Hoya Corporation was recently hit by a cyberattack conducted by the Hunters International ransomware operation. The group has demanded a $10 million ransom for a file decryptor and to refrain from releasing an alleged 1.7 million stolen files, amounting to 2 TB of data. No files have yet been published on the group's leak site, and the threat actors have not publicly claimed responsibility for the Hoya attack; LeMagIT has published screenshots from the operation's negotiation panel, which victims use to negotiate a payment, as evidence. The group has applied a "No Negotiation/No Discount policy" to Hoya. The company has not provided any business update since 4 April 2024, so it is assumed that its production remains impacted and remediation efforts are still underway.

Giant Tiger data breach claimed by hacker who leaked 2.8 million records online.
A threat actor has publicly claimed responsibility for the March 2024 data breach at Canadian retail chain Giant Tiger and claims to have uploaded the "full" database of stolen customer records, 2.8 million in all, to a hacker forum. The records include over 2.8 million unique email addresses, names, phone numbers and physical addresses, as well as the "website activity" of Giant Tiger customers. As of 12 April, the leaked data set has been added to Have I Been Pwned (HIBP), a free online service that lets anyone check whether their data appears in known breaches; the number of records added to HIBP for this breach is 2,842,669.

Microsoft resolved a security lapse that exposed internal passwords. Security researchers from SOCRadar discovered an open, public storage server hosted on Microsoft's Azure cloud that stored internal information relating to Microsoft's Bing search engine. The exposed data included code, scripts and configuration files containing passwords, keys and credentials used by Microsoft employees to access other internal databases and systems. The storage server was not protected by a password and could be accessed by anyone on the internet. Such information could help malicious actors identify or access other places where Microsoft stores internal files, and so could lead to more significant data leaks and even service compromise. The researchers notified Microsoft of the lapse on 6 February, and Microsoft resolved it on 5 March.

Four vulnerabilities found that could expose over 90,000 LG Smart TVs to remote attacks.
Bitdefender security researchers have found four vulnerabilities (CVE-2023-6317, CVE-2023-6318, CVE-2023-6319 and CVE-2023-6320) affecting multiple versions of webOS, the operating system used in LG smart TVs. The flaws allow varying degrees of unauthorised access and control, including authorisation bypass, privilege escalation and command injection. Bitdefender explains that although the vulnerable webOS service is meant to be used only on the local area network (LAN), an internet scan found 91,000 exposed devices potentially vulnerable to the flaws. The vulnerabilities affect webOS 4.9.7 – 5.30.40 on LG43UM7000PLA, webOS 04.50.51 – 5.5.0 on OLED55CXPUA, webOS 0.36.50 – 6.3.3-442 on OLED48C1PUB, and webOS 03.33.85 – 7.3.1-43 on OLED55A23LA. Affected users should apply the security update by selecting "Check for Update" in the TV's settings, and should make sure the TV is not reachable from the internet.

Thousands of WordPress sites compromised to promote crypto drainers. Over 2,000 compromised WordPress websites have been found displaying fake NFT and discount pop-ups that trick visitors into connecting their wallets to crypto drainers, which then automatically steal their funds. According to MalwareHunterTeam, the threat actors have begun monetising the hacked sites by displaying pop-ups promoting fake NFT offers and crypto discounts, and a urlscan search showed that over 2,000 compromised websites had been loading the malicious scripts over the past week. To avoid falling victim to crypto drainers, only connect your wallet to trusted platforms, and be wary of unexpected pop-up windows, especially ones that do not match the website's primary subject or design.

Telegram released a security patch for a Windows app zero-day that could automatically launch Python scripts. Telegram has fixed a zero-day vulnerability in its Windows desktop app that could be used to bypass security warnings and automatically launch Python scripts.
In a statement to BleepingComputer, Telegram disputed reports of a zero-click vulnerability as inaccurate, but confirmed that it fixed the "issue" in the Windows app to stop Python scripts from launching automatically when clicked. It was a server-side fix: a clicked file of that type now causes Windows to ask which program should open it, rather than running it in Python automatically.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
Last week, breaches and cyberattacks occurred across several industries, from the public sector, tech, e-commerce, hotels and optical supplies to healthcare. Devastating consequences have emerged from earlier breaches and attacks: 4.4 million SurveyLama users' personal information has been exposed, and Leicester City Council's confidential documents have been leaked on the dark web after a ransomware attack. Additionally, the 2023 Hong Kong Cyberport data breach was found to have affected 13,632 staff and jobseekers. New vulnerabilities and patches have also been disclosed; it is highly recommended not only to be aware of them but also to update as soon as possible.
Read on for a quick summary of what happened this week in cybersecurity.

US cancer centre suffers a data breach: 827,000 patients' information exposed. Cancer treatment and research centre City of Hope is notifying 827,000 individuals that their personal and health information was compromised in a data breach. According to a breach letter filed with the Maine Attorney General's Office, the breach occurred between 19 September and 12 October 2023, when an unauthorised third party accessed a subset of City of Hope systems and copied files containing the affected individuals' information. The stolen data includes names, dates of birth, email addresses, phone numbers, driver's licence numbers, ID numbers, Social Security numbers, bank account numbers, credit card details, health insurance information and medical information. City of Hope clarified that not every data type listed was compromised for every patient; the exposed information varied per case. Upon detection, City of Hope stated that it took steps to contain the breach, notified the relevant authorities, and retained a cybersecurity firm to improve its systems' security. The centre has also stated that so far it has seen no identity theft or fraud arising from the stolen information. Affected individuals are offered complimentary identity monitoring for two years, and are advised to monitor their bank statements and to be vigilant against phishing, unsolicited communications and requests for additional information.

Jackson County in a state of emergency after a ransomware attack. Jackson County, Missouri, declared a state of emergency on 2 April 2024 after a ransomware attack took down some of its services on Tuesday.
The Assessment, Collection and Recorder of Deeds offices at all county locations were expected to remain closed until the end of the week while the IT department restored the tax payment, marriage licence and inmate search systems affected by the incident. Based on a statement published on Tuesday, the Kansas City Board of Elections and Jackson County Board of Elections were not affected by the outage. Officials have alerted the relevant authorities and are working with third-party IT security experts to investigate the attack. County Executive Frank White, Jr. declared the state of emergency to expedite IT orders, activate emergency workers and protect against the ransomware attack; according to White, all county staff are taking the necessary steps to protect resident data and county assets and to continue essential services. County officials confirmed that residents' financial information is not affected, as the compromised systems did not store it.

Acuity confirms hackers stole old, non-sensitive government data from its GitHub repositories. Acuity, a federal contractor that works with US government agencies, has confirmed that hackers breached its GitHub repositories and stole old, non-sensitive government documents. In an emailed statement, Acuity said it identified a cybersecurity incident involving GitHub repositories that contained old and non-sensitive information. Once it became aware of the zero-day vulnerability involved, Acuity applied the relevant security updates and took mitigating actions in line with the vendor's guidance. After an investigation, Acuity found no evidence of impact on any of its clients' sensitive data.
Although Acuity did not provide further details because of the ongoing investigation, IntelBroker (one of the threat actors behind the attack) has leaked thousands of records containing information belonging to Justice Department, State Department, DHS and FBI employees. IntelBroker also claimed to have stolen Five Eyes intelligence alliance documents, some of which allegedly contain classified information. Another threat actor, Sanggiero, told BleepingComputer that the breach occurred on 7 March 2024 and that they exploited a vulnerability in an Acuity Tekton CI/CD server to steal GitHub credentials and access its private repositories.

PandaBuy, a shopping platform, suffered a data leak affecting 1.3 million users. PandaBuy, which lets international users buy from Chinese e-commerce platforms such as Tmall, Taobao and JD.com, was allegedly breached by two threat actors who exploited multiple vulnerabilities. The two, Sanggiero and IntelBroker, claimed to have stolen data including, but not limited to, 3 million unique user IDs, first and last names, phone numbers, email addresses, login IPs, order data, order IDs, home addresses, postal codes and countries. According to Have I Been Pwned, 1,348,407 PandaBuy accounts were exposed in the breach. The threat actors also provided a small sample of email addresses, customer names, order numbers and details, shipping addresses, transaction dates and times, and payment IDs as evidence. Troy Hunt, creator of HIBP, tested password reset requests with the leaked addresses and confirmed that at least 1.3 million email addresses are valid PandaBuy accounts; the rest were made-up or duplicate addresses, so the 3 million figure was inflated by the threat actors. PandaBuy account holders are strongly advised to reset their passwords and to remain vigilant against phishing attacks and scams.
Chilean data centre and hosting provider IxMetro PowerHost suffered a cyberattack. IxMetro PowerHost, a data centre, hosting and interconnectivity company with locations in the US, South America and Europe, was attacked by a new ransomware gang called SEXi, which encrypted the company's VMware ESXi servers and its backups. On 1 April, PowerHost's Chilean division, IxMetro, warned customers that it had suffered a ransomware attack early on Saturday morning that encrypted some of the VMware ESXi servers used to host customers' virtual private servers. Customers whose websites or services were hosted on those servers are down while the company attempts to restore terabytes of data from backups; in one update, PowerHost warned that it might not be able to restore the servers at all because the backups were also encrypted. PowerHost CEO Ricardo Ruben said the company tried to negotiate for a decryption key, but the gang demanded 2 BTC per affected customer, which across all victims would come to roughly $140 million. For affected VPS customers who still have their own website content, the company is offering to set up a new VPS so that they can bring their sites back online.

SurveyLama suffers a data breach: 4.4 million users' personal information exposed. SurveyLama, an online platform that rewards registered users for completing surveys, suffered a data breach in February 2024 that exposed the sensitive data of 4,426,879 users. In early February, Have I Been Pwned (HIBP) creator Troy Hunt received information about a breach affecting the service. The exposed data includes full names, dates of birth, email addresses, IP addresses, passwords, phone numbers and physical addresses. SurveyLama has notified impacted users by email and confirmed the incident.
SurveyLama account holders are strongly advised to reset their passwords immediately, and on any other platform where they reused the same credentials. As of now there is no evidence of the compromised data being posted publicly, which keeps the exposure limited for the moment.

Hoya confirms a cyberattack has disrupted optics production and orders. Hoya Corporation, a global manufacturer of optical products, disclosed that the group's headquarters and several of its business divisions suffered an IT system incident that took servers at some production plants and business divisions offline on 30 March. In response, Hoya isolated the affected servers and informed the relevant authorities in the impacted countries. The company has also hired third-party forensic investigators to determine the cause of the incident and whether the attackers accessed or extracted any confidential or personal information stored on the compromised systems. As a direct result, some production plants and the ordering systems for certain products have been affected.

Omni Hotels confirms cyberattack behind ongoing nationwide IT outage. Omni Hotels & Resorts has confirmed that a cyberattack caused a nationwide IT outage in the US, with some locations still affected. The hotel chain stated that since 29 March it has been responding to a cyberattack on its systems. In response, Omni took the impacted systems down, and its IT teams are working to restore them and bring them back online. Omni has also launched an investigation with a third-party cyber security response team, which is ongoing. According to Omni employees, the IT teams are manually rebuilding the affected systems from scratch and have been told that the systems will be available again on 4 April 2024.
The outage has affected many of Omni's services, including reservations, hotel room door locks and point-of-sale systems. Front desk employees have reportedly had problems with credit card payments, new reservations and modifying existing reservations.

Leicester City Council confirms ransomware attack after confidential documents were leaked. Leicester City Council in England has confirmed that its March cyber incident was a ransomware attack, after the attackers uploaded stolen documents to their dark web extortion site. Leicester's strategic director, Richard Sword, confirmed on 3 April that "a small number of documents" from the council's servers had been published by a ransomware group, INC Ransom. According to Sword, INC Ransom published around 25 confidential documents, including rent statements, applications to purchase council housing, and identification documents such as passport information. Sword also said the council cannot be certain whether other documents were extracted from its systems, although it believes the threat actors did so. Most of the council's systems and phone lines are now operating normally again after everything was shut down on 7 March when the attack was detected. People in Leicester are advised to report anyone who claims to have their data to Leicestershire Police via the non-emergency number 101 or the online form.

Hong Kong privacy watchdog finds the 2023 Hong Kong Cyberport data breach affected 13,632 staff and jobseekers. Hong Kong's Office of the Privacy Commissioner for Personal Data found that the personal data of 13,632 staff and job seekers was stolen when hackers attacked Hong Kong's Cyberport last year.
The investigation found that of the 13,632 affected, about 8,000 had employment ties with the organisation, including 5,292 unsuccessful applicants and former employees; the others were managerial staff, interns and business partners. The stolen personal data includes names, ID cards, passport numbers, financial information such as bank account numbers, medical reports, photos, dates of birth, social media accounts and academic information, with the amount varying per individual. The investigation also found that 13 Windows systems and two virtual servers were compromised. The watchdog criticised the organisation's cybersecurity oversights: it had failed to implement sufficient and effective security measures, did not keep information secure, and retained information beyond the intended retention period. It has also served an enforcement notice on the government-funded technology hub, requiring it to carry out a list of improvements and submit a report within two months.

MarineMax, a yacht retailer, disclosed a data breach after a cyberattack. MarineMax, a boat and yacht retailer, said that employee and customer data was stolen after its systems were breached in a March cyberattack. In a new 8-K filing on 1 April 2024, the company revealed that the attackers gained access to and stole personally identifiable data belonging to an undisclosed number of individuals. Although the company did not attribute the attack to a specific group, the Rhysida ransomware gang has claimed it and is selling the allegedly stolen data for 15 BTC (just over $1,000,000). Rhysida has also leaked screenshots of what appear to be MarineMax financial documents and employee driver's licences and passports on its data leak site as evidence.

LayerSlider WordPress plugin critical flaw impacts 1 million sites.
The LayerSlider WordPress plugin, used on over 1 million sites, has a critical flaw (tracked as CVE-2024-2879) that allows unauthenticated SQL injection. The flaw affects plugin versions 7.9.11 through 7.10.0 and could let attackers extract sensitive data such as password hashes from the site's database, putting these sites at risk of complete takeover or data breaches. The developer released a security update on 27 March; all LayerSlider users are strongly advised to upgrade to version 7.10.1, which addresses the vulnerability.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
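To make the risk concrete, here is an added example (illustrative Python against an in-memory SQLite database; not the plugin's code, whose PHP queries are not reproduced here) of how an unauthenticated SQL injection in a slider lookup turns into password hash disclosure, and how parameter binding closes it. The table names, the hash values and the function names are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed schema: a plugin table and a WordPress-style users table
    holding phpass-format hashes (the values are fake)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_layerslider (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_layerslider VALUES (1, 'Homepage hero'), (2, 'Footer banner');
        INSERT INTO wp_users VALUES (1, 'admin',  '$P$BfakeHashForAdmin0000000001'),
                                    (2, 'editor', '$P$BfakeHashForEditor000000002');
    """)
    return con


def slider_lookup_vulnerable(con, slider_id):
    """The bug class: untrusted input is concatenated into the statement text,
    so the input can append its own SELECT against any table."""
    sql = f"SELECT id, name FROM wp_layerslider WHERE id = {slider_id}"
    return con.execute(sql).fetchall()


def slider_lookup_fixed(con, slider_id):
    """Bound parameter: the value travels separately from the statement and is
    only ever compared against id; it is never parsed as SQL."""
    return con.execute(
        "SELECT id, name FROM wp_layerslider WHERE id = ?", (slider_id,)
    ).fetchall()


# Constructed attacker input: a UNION that pulls login names and hashes
PAYLOAD = "1 UNION SELECT user_login, user_pass FROM wp_users"


def leaked_hashes(rows):
    """Rows whose second column is a phpass hash, i.e. data that should never
    have left wp_users through a slider endpoint."""
    return [(a, b) for a, b in rows if isinstance(b, str) and b.startswith("$P$")]


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", leaked_hashes(slider_lookup_vulnerable(con, PAYLOAD)))
    print("fixed:     ", slider_lookup_fixed(con, PAYLOAD))
```

Against the vulnerable function the payload returns the slider row plus every login and hash from `wp_users`; against the fixed one it returns nothing, because the whole string is compared to the integer `id` column and never interpreted as SQL. In a WordPress plugin the equivalent fix is to build the query with `$wpdb->prepare()` and placeholders rather than string concatenation.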
Red Hat has warned users that the latest versions of the "xz" tools and libraries shipped in Linux distributions contain malicious code that appears to allow unauthorised remote access to the entire system.

The issue is tracked as CVE-2024-3094 and has been scored 10 out of 10 on the Common Vulnerability Scoring System (CVSSv3). The malicious code is present in XZ versions 5.6.0 and 5.6.1. Users running these versions are strongly advised to downgrade immediately to an older version that does not contain the malicious code. Red Hat has told users to stop using any Fedora 41 or Fedora Rawhide instance for work or personal activity until they can downgrade their XZ version, and has reverted Fedora 40 beta to the 5.4.x versions of XZ. Linux administrators can verify which version of XZ is installed by querying their package manager. CISA and Singapore's CSA have published advisories telling developers and users to downgrade to an uncompromised XZ version (e.g. 5.4.6 Stable) and to watch for any malicious or suspicious activity on their systems.

For more information:
https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-033
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
https://www.bleepingcomputer.com/news/security/red-hat-warns-of-backdoor-in-xz-tools-used-by-most-linux-distros/
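As an added example (not from the Red Hat advisory or the original post), the script below implements the version check the post recommends. It parses the output of `xz --version`, which prints one line for the tool and one for liblzma, as well as the version recorded by the package manager, and flags 5.6.0 and 5.6.1. It assumes a Debian-style host (`dpkg-query`, package `liblzma5`) or an RPM-style host (`rpm`, package `xz-libs`); on other distributions only the binary check applies. The backdoor lives in liblzma, the shared library that other programs load, so the library line is the one that matters most.

```python
import re
import shutil
import subprocess

# Releases that carried the CVE-2024-3094 backdoor, per the advisories above.
BACKDOORED = {(5, 6, 0), (5, 6, 1)}

# `xz --version` prints e.g. "xz (XZ Utils) 5.4.6" then "liblzma 5.4.6".
VERSION_LINE_RE = re.compile(
    r"^(?P<component>xz \(XZ Utils\)|liblzma)\s+(?P<ver>\d+\.\d+\.\d+)", re.M
)


def parse_version_triple(text):
    """'5.6.1-1ubuntu0.1' or '5.6.1' -> (5, 6, 1); distro revision suffixes are
    ignored. Returns None for anything that is not a version (e.g. 'package
    xz-libs is not installed')."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def parse_xz_version_output(output):
    """Parse both lines of `xz --version` into {'xz': (...), 'liblzma': (...)}."""
    found = {}
    for m in VERSION_LINE_RE.finditer(output):
        key = "xz" if m.group("component").startswith("xz") else "liblzma"
        found[key] = parse_version_triple(m.group("ver"))
    return found


def is_backdoored_version(version):
    return version in BACKDOORED


def assess(versions):
    """Names of the components (sorted) whose version is a backdoored release."""
    return sorted(k for k, v in versions.items() if is_backdoored_version(v))


def check_local_host():
    """Query the xz binary and the package manager on this host. Assumes a
    Debian- or RPM-based system; returns {} where nothing is found."""
    results = {}
    if shutil.which("xz"):
        out = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
        results.update(parse_xz_version_output(out))
    if shutil.which("dpkg-query"):
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "liblzma5"],
                             capture_output=True, text=True).stdout
        results["dpkg:liblzma5"] = parse_version_triple(out)
    elif shutil.which("rpm"):
        out = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}", "xz-libs"],
                             capture_output=True, text=True).stdout
        results["rpm:xz-libs"] = parse_version_triple(out)
    return {k: v for k, v in results.items() if v}


# Constructed sample output, in the shape `xz --version` prints it
SAMPLE_OUTPUT = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"

if __name__ == "__main__":
    local = check_local_host()
    flagged = assess(local)
    print("installed:", local or "xz not found")
    print("backdoored components:", flagged or "none")
```

A match on 5.6.0 or 5.6.1 is a reason to downgrade and investigate, not proof the host was exploited: the malicious payload only engaged under specific build and runtime conditions, but the safe course is to treat any host that ran a listed version with a reachable sshd as suspect.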
Last week, breaches and cyberattacks occurred across several industries, from jewellery and discount retail to healthcare. Devastating consequences have emerged from earlier breaches and attacks: 73 million AT&T customers' data has been leaked on a hacker forum, and more than 2.8 million Point32Health customers' personal information was stolen in a breach. Additionally, 28 apps on Google Play (including 17 free VPN apps) were found to turn Android devices into proxies, and Google's new AI search results have been found to promote sites that push malware scams.
New vulnerabilities and patches have also been disclosed; it is highly recommended not only to be aware of them but also to update as soon as possible. Read on for a quick summary of what happened this week in cybersecurity.

New TheMoon malware variant infects 6,000 ASUS routers in 88 countries within 72 hours. Black Lotus Labs researchers have found a new variant of the "TheMoon" malware botnet that has been infecting thousands of outdated small office and home office (SOHO) routers and IoT devices in 88 countries. The researchers observed 6,000 ASUS routers targeted in under 72 hours during the latest TheMoon campaign, which started in early March 2024. Use strong admin passwords and upgrade your device's firmware to the latest version so that known vulnerabilities are addressed; common signs of malware infection on routers and IoT devices include connectivity problems, overheating and unexpected setting changes.

Massachusetts health insurer hit by data breach: more than 2.8 million individuals' personal information stolen. Point32Health, the second-largest health insurer in Massachusetts, has announced that the personal information of more than 2.8 million individuals was stolen during an April 2023 ransomware attack that affected systems associated with its Harvard Pilgrim Health Care brand. In a notification letter, the company reports that it identified signs that data was copied from Harvard Pilgrim systems between 28 March and 17 April 2023, and that the files may contain customers' personal information: names, addresses, dates of birth, phone numbers, Social Security numbers, health insurance account information, financial account information, medical history, diagnoses and treatment information.
This week the company filed an updated breach notice raising the number of affected individuals to more than 2.86 million, and it is providing them with complimentary credit monitoring and identity protection services.

Poh Heng Jewellery hit by data breach: customers' personal information could be compromised. Jewellery chain Poh Heng Jewellery notified its customers of a database breach that occurred on 25 March, stating that the unauthorised access may have compromised their personal information, which could include names, telephone numbers, email addresses, residential addresses, member IDs, dates of birth and country of residence. No passwords or payment information were compromised. The company's data protection officer, Ezekiel Chin, said that once the breach was discovered the company immediately took action to secure its systems and reported the incident to the relevant authorities. It has advised customers to be highly vigilant against phishing attempts, such as malicious links and websites asking for passwords or other personal information.

Discount retailer Giant Tiger says customer data was compromised in a third-party breach. Giant Tiger has announced that some of its customers' contact information was compromised in a breach at a third-party vendor that the retailer uses to manage customer communications and engagement. Company spokesperson Alison Scarlett said the vendor would not be named, and added that Giant Tiger is working to resolve the issue "as quickly and openly as possible". In an email to customers, the retailer said it discovered the breach on 4 March and concluded on 15 March that customer information had been compromised.
The compromised information varied between customers, and it included names and email addresses of those who subscribe to Giant Tiger emails. Furthermore, loyalty members and those who placed online orders for in-store pickups might have had their names, emails and phone numbers compromised. Some customers who placed online orders for home delivery may have had the same information and additionally their street addresses compromised. INC Ransom threatens to leak the stolen 3TB of NHS Scotland data. The INC Ransom extortion gang has threatened to publish 3 TB of data that is allegedly stolen after breaching the NHS of Scotland. In a post published on 27 March, the cybercriminals shared several sample documents with sensitive information about doctors and patients, including medical assessments, analysis results, and psychological reports. They stated that they would leak the data “soon” unless the NHS pays the ransom. A spokesperson for the Scottish Government has stated that the cyberattack only impacts NHS Dumfries and Galloway, which are one of the regional health boards that make up NHS Scotland. Furthermore, the government is working with multiple entities such as the health board, Police Scotland, National Crime Agency, and the National Cyber Centre, to determine the impact and plausible implications of the breach. NHS Dumfries and Gaolloway has confirmed that a ransomware group has leaked a small number of patients’ clinical data. All impacted patients will be informed by the NHS directly so that they can take appropriate measures to protect themselves. AT&T confirms 73 million customers’ data has been leaked on hacker forum. AT&T has now confirmed that 73 million current and former customers have been affected by a data breach after initially denying the leaked data originated from them. 
In a statement shared with BleepingComputer, AT&T stated that based on their preliminary analysis, the data set appears to be from 2019 or earlier, and has impacted approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders. Furthermore, security passcodes used to secure accounts were also leaked for 7.6 million customers. AT&T are reaching out to all 7.6 million impacted customers and have reset their passcodes. The company will notify all 73 million former and current customers about the breach and the following steps they should take. Free VPN apps on Google Play found to turn Android devices into proxies used for cybercrime and shopping bots. 17 VPN apps on Google Play have been found to use a malicious software development kit that turned Android devices into residential proxies that are likely used for cybercrime and shopping bots. Residential proxies are devices that route internet traffic through devices located in homes. This makes traffic appear legitimate and less likely to be blocked. Cybercriminals tend to use them to conceal malicious activities such as ad fraud, spam, phishing, credential stuffing and password spraying. A report published by HUMAN’s Satori threat intelligence team lists 28 apps on Google Play that secretly turned Android devices into proxy servers. Out of these, 17 apps were free VPN apps. The 28 apps are:
For safety precaution, it may be the safest to remove any of these apps that you used via uninstalling them. A Google spokesperson has confirmed that all 28 malicious apps have been removed from Google Play. Google’s new AI search results encourage sites that push malware scams. Google’s new AI-powered ‘Search Generative Experience’ algorithm has been found to recommend scam sites that redirect visitors to unwanted Chrome extensions, fake iPhone giveaways, browser spam subscriptions, and tech support scams. Lily Ray, a SEO consultant, found that Google’s SGE is recommending malicious websites within their conversational responses, making it easier for people to fall for scams. As since SGE links the websites within the answers, this can make malicious sites seem more trustworthy and believable. It was found that most redirects lead users to fake captchas or Youtube sites that attempt to trick the visitor into subscribing to browser notifications. Browser notifications are a common tactic scammers use to send visitors unwanted ads directly to the operating system desktop, even when you are not on the website. Google has reported that they continuously update their systems and ranking algorithms to protect against spam, and have taken actions to remove these spam out of Search. That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches! |