Author: TAFA Archives
April 2024
Massive data leak shows Chinese firm hacked foreign governments and activists.

I-Soon, a Chinese tech security company that competed for Chinese government contracts, was found to be able to breach foreign government systems, infiltrate social media accounts and hack into personal computers. This was revealed by experts who analysed a massive data leak. The leaked documents from I-Soon showed that the company had compromised more than a dozen governments, including government office networks in India, Thailand, Vietnam and South Korea. It also breached "democracy organisations" in Hong Kong, universities, and the NATO military alliance, as reported by SentinelLabs researchers. The leak contained hundreds of files, including chat logs, presentations, and lists of targets. Lists of Thai and British government departments and screenshots of attempts to log in to an individual's Facebook account were found. Furthermore, many of the files were versions of marketing materials, in which the company listed the targeting of counterterrorism centres (such as in Pakistan and Afghanistan) as evidence of its ability to perform these tasks. There were also screenshots of arguments between an employee and a supervisor over salaries, and a document describing software aimed at accessing a target's Outlook emails. The company was also found to offer potential clients the ability to break into individuals' accounts on X to monitor their activity, read their private messages and send posts. I-Soon also laid out how its hackers could access and take over a person's computer remotely, allowing them to execute commands and monitor what the user types. Other services included ways to breach iPhones and other smartphone operating systems, and custom hardware (e.g. a power bank).

Philippine education ministry hit by data leak: Over 210,000 school and tax records leaked.
Jeremiah Fowler, a cybersecurity researcher, found a vulnerability that gave nearly full access to an online platform used by senior school students applying for government vouchers to cover their tuition costs. It was a serious potential security lapse, as the records were stored without password protection and were therefore available to anyone with Internet access. This resulted in the exposure of over 210,000 records of the Philippine education ministry. The cloud-stored database included 154 GB worth of tax filings, consent forms, government certifications, and employment and death certificates. The online application forms in particular contained the applicants' full name, photos, birthdate, gender, address, contact information, parents' sources of income and properties owned. The Philippines' National Privacy Commission stated that Fowler informed it of the breach in January, and that the vulnerability has been patched.

Wyze security camera breach: 13,000 strangers able to look into others' homes.

After an outage on 16 February, as Wyze security cameras were brought back online, users started seeing images and videos in their Events tab that were not from their own cameras. The company explained that the system becoming overloaded caused device IDs to be mapped incorrectly, so that some accounts were connected to the wrong cameras. Wyze stated that the root cause was a third-party caching client library it had recently integrated into its system. It has been estimated that 13,000 people were able to peek into someone else's home; however, only 1,500 of them enlarged a thumbnail or viewed a video. The company stated that 99% of its users were not impacted at all, and that it had already contacted all affected users. Fortunately, the breach exposed only recorded events and not a live view, since Wyze disabled the Events tab as soon as it discovered the problem.
Wyze has stated that it has taken steps to ensure this incident does not reoccur.

Critical infrastructure software maker confirms ransomware attack.

PSI Software SE, a German software developer for complex production and logistics processes, confirmed that the cyber incident disclosed last week was a ransomware attack that impacted its internal infrastructure. The attack forced the company to disconnect from several IT systems, including email, as a measure to mitigate the risk of data loss. The attack is alarming because PSI serves critical infrastructure sectors: if the attackers accessed PSI's software code or data, they could pose risks to public services, energy and transport. PSI says the investigation so far has not revealed any evidence that the attacker pivoted to customer systems. The company has informed all relevant authorities, and experts from the Federal Office for Information Security have been assisting with incident response and remediation efforts.

U-Haul informs customers that hackers accessed customer records using stolen credentials.

U-Haul has started informing customers that a hacker used stolen account credentials to access an internal system used by dealers and team members to track customer reservations. The exposed personal information includes full names, birthdates and driver's licence numbers. Fortunately, the breached system is not part of U-Haul's payment system, so the hackers did not access payment card data. U-Haul stated that it had reset passwords for all affected accounts and implemented additional security safeguards and controls to prevent such incidents from happening again. Recipients of the data breach notification will receive a one-year identity theft protection service. As yet, U-Haul has not determined how many customers have been exposed by this incident.

Insomniac Games suffered a ransomware attack: Impacted employees being notified that their personal data has been leaked online.
Insomniac Games, a subsidiary of Sony, suffered a ransomware attack in November and is currently sending data breach notification letters to impacted employees whose personal data was stolen and leaked online. 1.67 TB of documents were leaked on a dark web leak site after the game studio refused to pay the $2 million ransom. The leaked files included the personal information of employees, former employees, and independent contractors, as well as many ID scans and internal documents, such as contract information, licensing agreements, and screenshots of the studio's upcoming Wolverine game. The company is extending the ID Watchdog services offered as part of its employee benefits package, with 2 additional years of complimentary credit monitoring and identity restoration beyond the current enrollment period. The company also has a dedicated call centre to answer questions from affected employees.

Carousell fined S$58,000 over data leaks that affected more than 2.6 million users.

Carousell, an e-commerce platform, has been fined S$58,000 over 2 data breaches. One resulted in at least 2.6 million customers' data being put up for sale, and the other resulted in 44,477 users' data in Singapore, Malaysia, Indonesia, Taiwan and the Philippines being exposed. PDPC determined the financial penalty by taking into account factors such as Carousell's cooperation with investigations, its "prompt and effective remediation actions" once the breaches were discovered, this being its first breach, and the second breach being "particularly sophisticated".

Over 28,500 Exchange servers are vulnerable to an actively exploited flaw.

Up to 97,000 Microsoft Exchange servers may be vulnerable to a critical severity privilege escalation flaw (tracked as CVE-2024-21410) that is being actively exploited. Microsoft addressed this flaw on 13 February; however, 28,500 servers have currently been identified as vulnerable.
Furthermore, the threat monitoring service Shadowserver identified approximately 97,000 potentially vulnerable servers. It is highly recommended to apply the Exchange Server 2019 Cumulative Update 14 (CU14) released in the February 2024 Patch Tuesday.

Hackers exploiting critical RCE flaw in WordPress Bricks Builder theme.

Hackers are actively exploiting a critical RCE vulnerability (tracked as CVE-2024-25600) that impacts the Bricks Builder theme for WordPress. The vulnerability can allow attackers to run malicious code on vulnerable sites. A fix became available on 13 February with the release of version 1.9.6.1. It was observed that in the post-exploitation phase, the attackers used specific malware to disable security plugins such as Wordfence and Sucuri. Wordfence also confirmed that it had seen 24 detections of this vulnerability being exploited in a single day, showing that the vulnerability is being actively exploited. It is highly recommended that Bricks users upgrade to version 1.9.6.1 immediately, either by navigating to "Appearance > Themes" in the WordPress dashboard and clicking update, or by updating manually.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
Last week, breaches and cyberattacks occurred across several industries, from the financial, healthcare, battery manufacturing and water utility sectors to the public sector. Devastating consequences have been uncovered from earlier data breaches and attacks, such as over 2.4 million Integris customers' personal information being compromised. Additionally, it was found that 200,000 Facebook Marketplace users' records were leaked on a hacker forum, and that a new Android and iOS malware tricks victims into scanning their face and ID documents. Furthermore, new vulnerabilities and patches have also been found and released. It is highly recommended not only to be aware of them but also to apply the patches as soon as possible. Read on for a quick summary of what happened this week in cybersecurity.

Bank of America warns customers of data breach that exposed their personal information after a vendor was hacked.

Bank of America is warning customers of a data breach that exposed their personally identifiable information (PII) after one of its service providers, Infosys McCamish Systems (IMS), was hacked. According to details shared with the Attorney General of Texas, the exposed PII includes customers' names, addresses, birthdates, social security numbers, and financial information such as credit card and account numbers. While Bank of America has yet to disclose how many customers were impacted by the data breach, an IMS breach notification letter filed with the Attorney General of Maine on behalf of Bank of America revealed that a total of 57,028 people were directly impacted. The letter details that the compromised Bank of America data came from deferred compensation plans.

US Department of Defense notifies 20,600 individuals of data breach after cloud email server was exposed.

The US Department of Defense is sending breach notification letters to over 20,600 individuals whose personal information was compromised in an email data spill last year.
According to the letter, the Defense Intelligence Agency stated that numerous email messages were exposed to the Internet by a service provider between 3 and 20 February 2023. The breach is related to an unsecured US government cloud email server, hosted on Microsoft's cloud, that was accessible from the internet without a password and spilled sensitive emails to the open internet. This means that anyone who knew the public IP address of the exposed cloud email server could access the sensitive but unclassified emails using only a web browser. A DOD spokesperson stated that the affected server was identified and removed from public access on 20 February 2023, and that the vendor has resolved the issues that resulted in the exposure. The letter also noted that the department has worked with Microsoft to understand how the breach occurred and to put in place precautionary measures to prevent it from happening again. DOD stated that the incident involved multiple department organisations, and that it has obtained an Identity Protection Services contract for the affected individuals.

Integris Health reports that the November data breach exposed almost 2.4 million people's personal information.

Integris Health has reported to US authorities that the November 2023 data breach exposed 2,385,646 people's personal information. According to a notification Integris published last week, the compromised patient data includes patients' full names, birthdates, contact information, demographic information and social security numbers. However, it was clarified that the stolen data did not include employment information, account credentials, financial information or driver's licences. The threat actor told BleepingComputer that they are selling the stolen data of 2.3 million Integris patients (based on the number of social security numbers) on a dark web marketplace.
Integris Health stated that all affected patients will receive individual notifications, and that recipients should remain vigilant and report any scams, theft or fraud attempts.

Southern Water announces a major data breach potentially impacting hundreds of thousands of its customers.

Southern Water, a water utility company in the South East of England, announced that it had suffered a major data breach that could impact between 235,000 and 470,000 of its customers. The breach occurred in January, and hackers accessed sensitive customer data during the attack. The company disclosed that 5-10% of its customer base might have had their personal data compromised. The stolen data includes customers' birth dates, national insurance numbers, bank account details, and reference numbers, as reported by BBC News. However, Southern Water has yet to confirm the specifics of the compromised data. The cyberattack has been claimed by the BlackBasta ransomware group, which listed Southern Water on its dark web leak site. The ransomware group has threatened to release 750GB of sensitive corporate and customer data unless a ransom is paid. Its post also included screenshots of stolen documents, such as employee passports and identity cards. Southern Water stated that it is collaborating with cybersecurity experts to monitor the dark web for any signs of the stolen data being published. The company has reported the incident to the UK's Information Commissioner's Office, is continuing to investigate the impact of the breach, and is working on measures to prevent such attacks from occurring again.

100 Romanian hospitals forced to go offline after a ransomware attack.

100 Romanian hospitals took their systems offline after a ransomware attack hit their healthcare management system, the Hipocrate Information System (HIS), and encrypted its database.
25 hospitals confirmed that their data was encrypted, and 75 other healthcare facilities using HIS took their systems offline as a precautionary measure. The attack affected a range of Romanian hospitals, including regional and cancer treatment centres. Most of the affected hospitals have relatively recent backups of their data (from 1 to 3 days before the attack), except for one whose data was last saved 12 days earlier. Since the systems were taken offline or shut down, doctors have had to return to writing prescriptions and keeping records on paper. The incident is currently under investigation, and possibilities for recovery are being assessed. As of now, it is not known whether patients' personal or medical data has been stolen.

200,000 Facebook Marketplace users' personal information leaked on a hacker forum.

A threat actor, IntelBroker, leaked 200,000 Facebook Marketplace users' records on a hacker forum. They claimed that the leaked database contained a wide variety of personally identifiable information, including names, phone numbers, email addresses, Facebook IDs, and Facebook profile information. BleepingComputer verified some of the leaked information by matching the email addresses and phone numbers on random records within the sample data shared by IntelBroker. This is particularly alarming, as such personal information can be used for phishing attacks and even SIM swap attacks.

Health NZ starts notifying around 12,000 individuals impacted by a data breach.

Health New Zealand is starting to notify around 12,000 individuals who were impacted by an alleged unauthorised data release by a former employee. Health NZ chief executive Margie Apa stated that the first group being contacted is a large number of COVID-19 vaccinators whose personal information was made available in a downloadable file on a blog. Upon discovery, Health NZ requested that the information be removed, and it was later taken down.
Apa stated that Health NZ is pursuing legal avenues to have the data removed in accordance with orders by the Employment Relations Authority. The organisation is continuing to work with the relevant authorities and has engaged local and international cybersecurity experts to assist and to monitor for signs of the data being disclosed online. Furthermore, Apa stated that Health NZ is strengthening its security measures and internal controls to prevent similar incidents from happening.

Prudential Financial discloses February cyberattack in SEC filing.

Prudential Financial reported in an SEC filing that an unspecified threat actor accessed company administrative and user data, as well as a small percentage of user accounts associated with employees and contractors. In the filing, the company reported that it detected the breach on 5 February, and that the hacker had gained access to its systems the day before. The company also reported that there is no evidence that the hacker took customer or client data. Prudential has reported the breach to all relevant authorities, and an investigation is ongoing to determine the full scope and impact of the breach.

Varta, a German battery maker, halts production after a cyberattack.

Varta announced on 13 February that it had suffered a cyberattack in which hackers targeted parts of its IT infrastructure, which caused the company to shut down its IT systems for security reasons. This caused severe disruption in 5 production units, and production had to stop at its plants. The scope and impact of the attack are currently under investigation and have yet to be determined. The company stated that it implemented the measures in its emergency plan and formed a task force consisting of cybersecurity experts and data forensics specialists, who will aid in system restoration.

New 'GoldPickaxe' Android and iOS malware tricks victims into scanning their face and ID documents.
Group-IB has found that a new iOS and Android malware, 'GoldPickaxe', employs a social engineering scheme to trick victims into scanning their faces and ID documents. It is believed that these are then used to generate deepfakes for unauthorised banking access. Group-IB analysts observed that the attacks primarily targeted the Asia-Pacific region, mainly Thailand and Vietnam. Victims are approached via phishing or smishing messages on the LINE app that are written in their local language, and these messages tend to impersonate government authorities or services. The messages trick victims into installing fraudulent apps, such as fake 'Digital Pension' apps hosted on websites that impersonate Google Play. For iOS users, the threat actors initially directed victims to a TestFlight URL to install the malicious app. However, when Apple removed the app, they switched to luring victims into installing a malicious Mobile Device Management (MDM) profile that allows the threat actors to take control of the device. Once installed, the malware manipulates functions in the background, captures the victim's face, intercepts incoming SMS, requests ID documents, and even proxies network traffic through the infected device.

CISA: Roundcube email server flaw is being actively exploited in cross-site scripting attacks.

CISA warns that a Roundcube email server vulnerability patched in September is now being actively exploited in cross-site scripting (XSS) attacks. The flaw (tracked as CVE-2023-43770) is a persistent XSS bug that allows attackers to access restricted information via maliciously crafted links in low-complexity attacks. The vulnerability impacts Roundcube email servers running versions newer than 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. It is highly recommended to update all production installations of Roundcube 1.6.x to the new version.
CISA has ordered US Federal Civilian Executive Branch (FCEB) agencies to secure Roundcube webmail servers against this flaw within 3 weeks (by 3 March).

Microsoft's Patch Tuesday for February 2024 fixes 2 zero-days and 73 flaws.

Microsoft's February 2024 Patch Tuesday includes security updates for 2 actively exploited zero-days (tracked as CVE-2024-21351 and CVE-2024-21412) and 73 flaws in total. The release fixes 5 critical vulnerabilities, covering denial of service, remote code execution, information disclosure and elevation of privilege. The total count of 73 flaws does not include 6 Microsoft Edge flaws fixed on 8 February and 1 Mariner flaw. The full report, with a description of each vulnerability, can be viewed here.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
Last week, breaches and cyberattacks occurred across several industries, from the public sector, IT, automotive, telecommunications and ride-sharing to the healthcare industry. Devastating consequences have been uncovered from earlier data breaches and attacks, such as over 2 million job seekers' personal information being stolen after 65 legitimate job listing and retail sites were compromised. In other news, Denmark has issued an injunction to stop schools from funnelling student data to Google, and a new password-stealing malware has been found spreading through fake advertisements on Facebook. Furthermore, new vulnerabilities and patches have also been found and released. It is highly recommended not only to be aware of them but also to apply the patches as soon as possible.
Read on for a quick summary of what happened this week in cybersecurity.

French healthcare services firm suffers a data breach: Data of policyholders and healthcare professionals in France exposed.

French healthcare services firm Viamedis announced on LinkedIn that it was hit by a cyberattack that exposed the data of policyholders and healthcare professionals in France. The exposed data includes beneficiaries' birth dates, social security numbers, marital status, name of health insurer and guarantees open to third-party payment. Viamedis clarified that the breached systems did not store people's banking information, postal details, telephone numbers or email addresses. The company stated that it will send healthcare professionals separate notifications about the type of data exposed. The company has informed impacted health organisations, filed a complaint with the public prosecutor, and notified the relevant authorities. Viamedis has also stated that an investigation is still underway to determine the impact and scope of the breach. Along with Viamedis, Almerys, another operator responsible for managing third-party payments for supplementary health insurance, also suffered a data breach. Between the two companies, the breaches affect approximately 33 million insured French citizens in total. Almerys stated that the hackers did not breach its central system, but did access a portal used by health professionals. The company has filed complaints with the public prosecutor and an investigation is underway. With 33 million citizens affected, this is one of the largest data breaches in France.

Major data breach in Thailand exposes nearly 20 million elderly Thai citizens' personal information.
The Department of Older Persons (DOP), which is under the Ministry of Social Development and Human Security in Thailand, has been breached, resulting in the personally identifiable information (PII) of 19,718,687 elderly Thai citizens being leaked. The exposed information includes names, ID card numbers, phone numbers, emails, salaries and personal photographs. The breach has resulted in at least 14 cases of cybercrime, with the origin of the breach still unidentified. After discovering the leak, the DOP immediately lodged a complaint with the Thai cyber police and the Committee for the Protection of Personal Information. The incident is currently under investigation to determine the origin of the leak, whether insider access or external hacking.

HPE investigates claims of a new data breach after data is offered for sale on a hacking forum.

Hewlett Packard Enterprise (HPE) is investigating a new data breach after it was discovered that a threat actor has put allegedly stolen data up for sale on a hacking forum. The threat actor claims it contains HPE credentials and other sensitive information. The company told BleepingComputer that it has found no evidence of a data breach or any impact on HPE products or services, and that no ransom was requested, but that it is investigating the threat actor's claims. The threat actor, IntelBroker, has shared screenshots of the claimed HPE credentials but has yet to disclose the source of the data or how it was obtained. The threat actor claims that the stolen data includes CI/CD access, system logs, config files, access tokens, HPE StoreOnce files (serial numbers, warranty, etc.), access passwords and email services.

Hyundai Motor Europe suffers a BlackBasta ransomware attack.

Hyundai Motor Europe was hit by a BlackBasta ransomware attack, with the threat actors claiming to have stolen 3TB of corporate data.
As told to BleepingComputer, Hyundai Motor Europe is investigating the attack, in which BlackBasta managed to access a "limited part of [their] network". Investigations are currently underway, and Hyundai Motor Europe is working with third-party cybersecurity and legal experts. The company also added that the relevant authorities have been notified. In an image seen by BleepingComputer, BlackBasta shared lists of folders allegedly stolen from numerous Windows domains, including those of KIA Europe. Although the exact type of data stolen is unclear, the folder names indicate that it relates to various departments at the company: legal, sales, human resources, accounting, IT and management.

Internal Verizon breach exposed more than 63,000 employees' personal data.

63,206 Verizon employees (about half of the company's workforce) have become victims of a data breach that resulted from a staff member gaining unauthorised access to a file containing personnel records. The majority of employees impacted are current Verizon employees, but a small number of former employees were also affected. In a letter sent to affected employees, Verizon stated that it discovered the breach on 12 December, and that around 21 September 2023 the staff member obtained the file "without authorisation and in violation of company policy". The compromised personal information includes employees' names, addresses, social security numbers or other national identifiers, gender, union affiliation, birth dates, and compensation information. In the letter, the company further states that it has no evidence that the compromised information has been misused or shared outside of Verizon, and that it is working to enhance its technical controls to prevent this type of situation from recurring. In its data breach notification filed with the Office of the Maine Attorney General, the breach was described as "inadvertent disclosure, insider wrongdoing".
Based on its internal review of the incident, Verizon concluded that the breach was not malicious in intent, and hence did not refer the incident to law enforcement. Verizon has also arranged to provide complimentary credit monitoring and identity protection services to those impacted for 24 months.

HopSkipDrive confirms data breach: More than 155,000 drivers' personal information compromised.

In a filing with Maine's attorney general last week, HopSkipDrive, a student rideshare startup, confirmed that it suffered a cybersecurity incident in June that resulted in a data breach affecting 155,394 drivers' personal information. The stolen data includes names, email addresses, postal addresses, driver's licence numbers, and other non-driver identification card numbers. HopSkipDrive spokesperson Campbell Millum said that those affected include people who drive on the platform or who applied to drive on it, and that no employee or customer data was accessed in the breach. In a letter sent to those affected, HopSkipDrive stated that it became aware of the breach after receiving an email from an unknown threat actor. It then launched an investigation with third-party experts, which determined that the incident occurred between 31 May and 10 June 2023. HopSkipDrive stated that it is committed to strengthening its systems to prevent such incidents from occurring again.

Threat group steals over 2 million job seekers' personal information in SQL injection and XSS attacks.

ResumeLooters, a threat group, has stolen 2,079,027 job seekers' personal records after compromising 65 legitimate job listing and retail sites. The attackers mainly focus on the APAC region, targeting sites in Taiwan, China, India, Thailand, Vietnam and Australia to steal job seekers' names, email addresses, phone numbers, education, employment history, and other relevant information.
According to Group-IB, which has followed the threat group since its beginning, ResumeLooters attempted to sell the stolen data through Telegram channels. ResumeLooters primarily uses SQL injection and cross-site scripting (XSS) to breach targeted sites. After identifying and exploiting security weaknesses on target sites, ResumeLooters injects malicious scripts into a website's HTML, which display phishing forms to steal visitors' information.

Denmark issues an injunction to stop schools from funnelling student data to Google.

The Danish data protection authority (Datatilsynet) has issued an injunction to stop schools from funnelling student data to Google through the use of Chromebooks and Google Workspace services. The issue was brought to the agency's attention around 4 years ago by a concerned parent. The agency has now decided that the method of transferring students' personal data to Google does not have a legal basis for all of the disclosed purposes. Therefore, 53 municipalities in Denmark must adjust their data processing practices. The municipalities are ordered to: (1) cease the transfer of personal data to Google or obtain a clear legal basis for such transfers, (2) analyse and document how personal data is processed before using tools like Google Workspace, and (3) ensure that Google refrains from processing any data it receives for non-complementary purposes. Non-permissible purposes are those related to maintaining and improving Google Workspace for Education, ChromeOS, and the Chrome browser, including measuring performance or developing new features and services for these platforms. The agency's decision does not directly translate to a ban on Chromebooks (which are widely used in Danish schools), but it does impose significant restrictions on how personal data can be shared with Google.

New password-stealing malware spreading via Facebook ads.
A new password-stealing malware called Ov3r_Stealer is being spread through fake job advertisements on Facebook. The malware aims to steal account credentials and cryptocurrency. The fake job ads are for management positions and invite users to apply for an Account Manager position in digital advertising, but they lead users to a Discord URL where a PowerShell script downloads the malware payload from a GitHub repository. The Trustwave analysts who discovered the malware state that the campaign is a severe threat to many potential victims because of how extensively Facebook is used as a social media platform. Ov3r_Stealer attempts to steal data from a broad range of apps, such as cryptocurrency wallet apps, web browsers, browser extensions (e.g. Google Authenticator, FreeOTP), Discord, FileZilla and many others. The malware collects whatever information it can find on the infected computer every 90 minutes and sends it to a Telegram bot, along with the victim's geolocation information and a summary of the stolen data.

Ivanti warns of new authentication bypass vulnerability: Urges admins to patch Connect Secure immediately.

On 8 February, Ivanti warned of a new authentication bypass vulnerability (tracked as CVE-2024-22024) that impacts Connect Secure, Policy Secure and ZTA gateways, and urged admins to secure their appliances immediately. The flaw lets remote attackers gain access to restricted resources on unpatched appliances in low-complexity attacks that require no user interaction or authentication. Ivanti stated that it has so far found no evidence of customers being exploited via this vulnerability, but that it is critical for customers to take action immediately to ensure they are fully protected.

CISA: New Fortinet RCE bug is being actively exploited.
CISA confirmed on 11 February that attackers are actively exploiting a critical remote code execution (RCE) bug (tracked as CVE-2024-21762) that Fortinet patched last Thursday. The bug lets unauthenticated attackers remotely execute arbitrary code using malicious HTTP requests. Admins are strongly advised to update to the latest version immediately. If security updates cannot be deployed right away, the attack vector can be removed by disabling SSL VPN on the device. CISA has ordered US federal agencies to secure FortiOS and FortiProxy devices against this vulnerability within 7 days (by 16 February).

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
In a digital era where information is currency, a newly released Apple-commissioned report sends shockwaves through the cybersecurity landscape. According to the study, a staggering 2.6 billion personal records have been compromised in data breaches over the past two years, and many indicators show that data breaches have gotten worse in 2023. This isn't just a statistic; it's a stark reminder of the relentless onslaught our digital identities face. The report presents compelling evidence that data breaches "have become an epidemic" that endangers sensitive and personal information globally.

The Magnitude of the Breach
The study, titled 'The Continued Threat to Personal Data: Key Factors Behind the 2023 Increase', was conducted by MIT professor Dr Stuart Madnick. It summarises the major data breaches and highlights some trends. The report shows that data breaches more than tripled between 2013 and 2022, exposing 2.6 billion personal records in the past 2 years alone (1.1 billion in 2021 and 1.5 billion in 2022), and have continued to get worse in 2023. In the first 9 months of 2023, the number of data breaches in the U.S. had already increased by nearly 20% compared to all of 2022, an all-time high for US organisations. The same sharp increase in data breaches can be seen globally. The report also shows that attacks targeting cloud infrastructure nearly doubled from 2021 to 2022, and according to a 2023 report, over 80% of data breaches involved data stored in the cloud. Two factors drive this: (1) a mass migration of data to the cloud because of the benefits it offers, and (2) cloud misconfigurations, errors that expose a cloud environment, which are common because cloud services are built on new technology. According to the NSA, "cloud misconfigurations are the most prevalent cloud vulnerability".
The report also compiles examples of major data breaches that occurred globally in 2023. In Asia Pacific, for instance, a cloud misconfiguration at Toyota exposed over 2.15 million customers' location data spanning 10 years, a corporate ransomware attack on PhilHealth in the Philippines compromised over 13 million customers' personal data, and vendor exploitation at Latitude Financial compromised over 14 million customers' personal data. To read the study in full, see: The Continued Threat to Personal Data: Key Factors Behind the 2023 Increase.

Key Factors That Contributed to the Increased Threat to Personal Data
1. Ransomware attacks have increased in quantity and are more dangerous than ever.
In 2023, ransomware attacks increased in number like never before and became more sophisticated and aggressive. This is reflected in the finding that more ransomware attacks were reported through September 2023 than in all of 2022; in the first 3 quarters of 2023 alone, the number of ransomware attacks increased by nearly 70% compared to the first 3 quarters of 2022. Hackers are also becoming more organised, often through ransomware gangs: they rely on more sophisticated tools, including generative AI, have larger budgets and use more efficient organisational structures. Ransomware gangs behave like companies, crafting a public web presence, providing customer service and renting out ransomware software to other threat actors. Cyberattacks have also become more threatening and more likely to target organisations holding sensitive data, such as healthcare facilities, educational institutions and governments. Hackers have shifted their strategies to cause the most harm possible and are now more likely to leak corporate and consumer personal data when a ransom is not paid.
This shift has made ransomware attacks more detrimental to consumers, whose data is exposed more often. Worse, in recent years hackers have become more likely to leak data even after receiving a ransom, so paying the ransom is often not enough to protect consumers.

2. Cyberattacks on vendors are increasing.
Attacks on vendors often lead to data breaches at the many other organisations that depend on them, as virtually every organisation globally relies on a wide range of vendors and software for daily operations. In many cases these vendors are small or medium-sized companies without sufficient resources to allocate to security. Vendor attacks can therefore affect virtually all organisations, even those with the strongest security measures: the report shows that 98% of organisations work with a vendor that experienced a data breach in the last 2 years. The wide-reaching impact of a vendor attack is illustrated by the MOVEit Transfer data breach, in which an unpatched vulnerability let hackers compromise organisations that used the service and steal sensitive data from their customers. The hackers infiltrated more than 2,300 organisations globally (including private companies such as Shell and IBM, government entities and contractors, and financial and public institutions), and more than 65 million individuals have been impacted so far.

A Call for Action: End-to-End Encryption
This report highlights the prevalence of data breaches and their detrimental consequences for individuals. Keeping personal data safe must therefore be at the forefront of organisations' priorities. The message is brought home by recent cyberattacks showing that organisations are only as secure as their "least secure link".
This is why, in the last year, technology platforms and other industry players have expanded their use of end-to-end encryption, a method that protects data by ensuring that only the sender and receiver can access and modify it. It thus protects sensitive information such as personal and financial data.

Navigating the Digital Storm
As individuals and businesses grapple with the repercussions of this data breach tsunami, the report serves as a guidepost. It not only elucidates the scale of the challenge but empowers readers with insights to fortify their defences. Cybersecurity is no longer a luxury; it's a necessity. Let us navigate the digital storm armed with knowledge, fortified by encryption, and united in our commitment to a more secure digital future.
Last week, breaches and cyberattacks occurred across several industries, from the public sector, football, IT services and software to healthcare. Devastating consequences have emerged from earlier breaches and attacks: Johnson Controls confirmed that a ransomware attack cost it $27 million and that corporate data was stolen, and Clorox confirmed that a ransomware attack has cost it $49 million. Malicious apps containing malware that can steal personal data such as contacts and messages, and even record phone calls, have been found on Google Play. New vulnerabilities and patches have also been disclosed and released; it is highly recommended not only to be aware of them but to apply the updates as soon as possible.
Read on for a quick summary of what happened this week in cybersecurity.

Football Australia investigating possible data breach: Ticket buyers' personal data and players' contracts and documents reportedly exposed.
Football Australia said it is investigating a possible data breach following a Cybernews report that the football governing body had potentially exposed ticket buyers' personal data and players' passports, contracts and other personal information, which may have been leaked online. Cybernews reported that Football Australia leaked secret keys that potentially open access to 127 buckets of data: plain-text Amazon Web Services (AWS) keys, including secret keys, were hardcoded into the HTML page of one of its subdomains. One publicly accessible bucket contained personal information, contracts and documents of football players. According to the researchers, the exposed data includes personally identifiable information of players, ticket purchase information, internal infrastructure details, and the source code and scripts of the digital infrastructure. The team believes the most likely cause of the leak is human error. Football Australia fixed the issue once informed and is investigating.

Canada's foreign affairs department hit by a data breach.
Global Affairs Canada (GAC), the foreign affairs department of the Canadian government, is investigating a data breach of its internal network. Early investigation indicated a breach and unauthorised access to the personal information of users, including employees. The breach affected remote access to GAC's network, and several employees were asked to stop working remotely. It affected 2 internal drives, as well as the emails, calendars and contacts of several staff members.
An email sent to staff stated that GAC's internal systems were vulnerable between 30 December 2023 and 24 January 2024, and that the information of anyone using a Secure Integrated Global Network (SIGNET) laptop may have been exposed. SIGNET is the secure network used by GAC. The breach occurred because the Virtual Private Network (VPN) managed by Shared Services Canada was compromised. GAC is contacting those affected with mitigation measures to ensure that sensitive and personal information is secured, has stated that it will continue to take "several steps" to protect employees' personal information and safeguard its corporate networks, and is working with IT partners to restore full connectivity as soon as possible.

Cloudflare breach: Hackers accessed source code and internal documents.
Cloudflare disclosed that its internal Atlassian server was breached in a suspected nation-state attack. The hackers used stolen credentials to gain unauthorised access to the Atlassian server and thereby reached some documentation and some source code. The breach occurred between 14 and 24 November 2023 and was detected on 23 November 2023. The company described the hackers as "sophisticated" and said they "operated in a thoughtful and methodical manner". As a precaution, the company rotated more than 5,000 production credentials, physically segmented test and staging systems, performed forensic triage on 4,893 systems, and reimaged and rebooted all systems on its global network, including all Atlassian servers and the machines accessed by the attackers. The attackers used 1 access token and 3 service account credentials stolen during a previous compromise linked to Okta's breach of October 2023, which Cloudflare had failed to rotate.
An estimated 76 source code repositories were exfiltrated, almost all related to how backups work, how the global network is configured and managed, how identity works at Cloudflare, remote access, and the company's use of Terraform and Kubernetes. The attackers also tried to break into Cloudflare's data centre in Sao Paulo but failed. Based on what was accessed, the company believes the attackers were seeking information about the architecture, security and management of its global network.

AnyDesk disclosed hackers breached their production servers.
AnyDesk, a remote access solution popular with enterprises, confirmed that it suffered a cyberattack in which hackers gained access to its production systems and stole source code and private code signing keys. In a statement shared with BleepingComputer, AnyDesk said it first learned of the attack after detecting indications of an incident on its production servers. A security audit found that the systems were compromised, and the company activated a response plan with CrowdStrike. In response, AnyDesk revoked security-related certificates and remediated or replaced systems as necessary. The company reassured customers that AnyDesk is safe to use and that there is no evidence of end-user devices being affected by the attack. Out of caution, AnyDesk is revoking all passwords to its web portal and suggests changing the same or similar passwords used on other sites. AnyDesk stated that my.anydesk II went under maintenance and that this maintenance is related to the cybersecurity incident. All users are strongly recommended to switch to the new version of the software, as the old code signing certificate will soon be revoked.
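The Football Australia leak above (plain-text AWS keys hardcoded into a page) and the Cloudflare and AnyDesk incidents (credentials and signing keys that outlived an earlier compromise) share a lesson: a secret in the wrong place, or kept too long, becomes the entry point. The Python below is an added example written for this post, not code from any of the organisations named. It performs two defensive checks on constructed inputs: it scans page source for tokens shaped like AWS access keys so they can be pulled and rotated before the page is ever served, and it lists which entries in a credential inventory still need rotating after an upstream compromise, given the date that compromise was contained. The page source, the inventory and the containment date are all constructed samples.

```python
"""Secrets-hygiene checks motivated by the incidents above.  Added example;
not code from Football Australia, Cloudflare or AnyDesk.  All inputs are
constructed samples."""
import re
from datetime import date

# AWS access key IDs have a fixed shape: a 4-letter prefix (AKIA for long-lived
# IAM user keys, ASIA for temporary STS keys) followed by 16 upper-case
# alphanumerics.  The lookarounds stop us matching inside a longer token.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A secret access key is 40 characters of base64-like text.  On its own that
# pattern is noisy (hashes, nonces), so only report one that follows a
# "secret" label on the same line.
SECRET_KEY_RE = re.compile(
    r"(?i)secret[^\n]{0,40}?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def find_hardcoded_aws_keys(page_source: str) -> list:
    """Return (kind, line_number, token) for every AWS-credential-shaped token
    in `page_source`.  Anything found must be removed *and* rotated: once the
    page has been served, the key has to be treated as public."""
    findings = []
    for lineno, line in enumerate(page_source.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(("access_key_id", lineno, m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(("secret_access_key", lineno, m.group(1)))
    return findings


def credentials_needing_rotation(inventory: list, contained_on: date) -> list:
    """Given an inventory of (name, last_rotated) pairs and the date an
    upstream compromise (identity provider, vendor) was contained, return the
    names whose current value already existed while the compromise was live,
    i.e. everything not rotated *after* containment.  This is the gap the
    Cloudflare write-up above describes: a handful of tokens left unrotated."""
    return [name for name, last_rotated in inventory if last_rotated <= contained_on]


# Constructed page source standing in for a subdomain's HTML.
CONSTRUCTED_PAGE_SOURCE = """<html><head><title>Ticketing</title></head>
<body><script>
  var awsConfig = {
    accessKeyId: "AKIAEXAMPLEKEY000001",
    secretAccessKey: "EXAMPLEvalueKEYxyz1234567890abcdefghijkl",
    region: "ap-southeast-2"
  };
</script></body></html>"""

# Constructed credential inventory and a constructed containment date.
CONSTRUCTED_INVENTORY = [
    ("atlassian-service-account", date(2023, 9, 1)),
    ("ci-deploy-token", date(2023, 10, 15)),
    ("backup-api-key", date(2023, 12, 5)),
]
CONSTRUCTED_CONTAINED_ON = date(2023, 10, 31)

if __name__ == "__main__":
    for kind, lineno, token in find_hardcoded_aws_keys(CONSTRUCTED_PAGE_SOURCE):
        print(f"line {lineno}: {kind} {token[:8]}... -> remove from page and rotate")
    for name in credentials_needing_rotation(CONSTRUCTED_INVENTORY, CONSTRUCTED_CONTAINED_ON):
        print(f"rotate: {name}")
```

Both checks are cheap enough to run in CI: the scanner over every build artefact that will be served to browsers, and the rotation audit against the secrets inventory whenever a provider the organisation depends on publishes an incident window.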
Lurie Children's Hospital suffered a cyberattack: Hospital forced to take its systems offline.
Lurie Children's Hospital in Chicago was forced to take its IT systems offline after a cyberattack, disrupting normal operations and in some cases delaying medical care. On 1 February 2024 the hospital announced that it was actively responding to a cyberattack and had taken its network systems offline to prevent the attack from spreading further. It is investigating with the support of experts and working with law enforcement agencies. The hospital stated that the attack impacted its internet, email and phone services and its ability to access the MyChat platform. Anyone with an emergency is urged to dial 911 or visit their nearest emergency department. Local media reported that scheduled procedures have been delayed, ultrasound and CT scan results are unavailable, and prescriptions are being issued on paper. The hospital has also reverted to a first-come, first-served basis, prioritising emergencies.

Johnson Controls confirmed September 2023 ransomware attack cost $27 million and corporate data was stolen.
Johnson Controls International confirmed that a September 2023 ransomware attack cost it $27 million in expenses and that corporate data was stolen. The attack forced the company to shut down large portions of its IT infrastructure, affecting customer-facing systems. The Dark Angels ransomware gang was behind the attack; it claimed to have stolen over 27 TB of data and demanded $51 million to delete the stolen data and provide a file decryptor.
In a quarterly report filed with the US SEC, the company confirmed that the ransomware attack resulted in data being exfiltrated and that the expenses of responding to and remediating the attack totalled $27 million. Johnson Controls expects this cost to rise, as it is still investigating what data was stolen and is still working with external cybersecurity forensics and remediation experts.

Clorox confirmed that the August 2023 cyberattack cost $49 million.
Clorox disclosed in a report filed with the SEC that the August 2023 cyberattack, which significantly disrupted its operations and ultimately affected its consumer products, had cost $49 million by the end of 2023. According to its 2024 Q2 quarterly report, the costs related to third-party consulting services, including IT recovery and forensic experts and other professional services engaged to investigate and remediate the attack, as well as incremental operating costs incurred from the resulting disruption to business operations. Clorox acknowledged that it is still recovering from the attack and expects to incur further costs related to it in the future.

More malicious Android apps with malware found on Google Play.
An Android remote access trojan (RAT) known as VajraSpy was found in 12 malicious apps, 6 of which were available on Google Play from 1 April 2021 to 10 September 2023; they have since been removed. The malicious apps were disguised as messaging or news apps. Once installed, they steal personal data such as contacts and messages and, depending on the permissions granted, can even record phone calls. ESET researchers found the 12 Android apps; the 6 uploaded to Google Play were downloaded roughly 1,400 times. The apps that were available on Google Play are: Rafaqat, Privee Talk, MeetMe, Let's Chat, Quick Chat and Chit Chat.
VajraSpy apps distributed outside Google Play are also malicious: Hello Chat, Yahoo Talk, TikTalk, Nidus, GlowChat and Wave Chat.

CISA orders federal agencies to disconnect from Ivanti VPN appliances by Saturday due to multiple vulnerabilities being exploited.
CISA has ordered U.S. federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances vulnerable to multiple actively exploited bugs before Saturday. This required action is part of the first emergency directive of 2024, issued last week, which mandates that Federal Civilian Executive Branch agencies urgently secure all ICS and IPS devices on their networks against 2 zero-day flaws, in response to extensive active exploitation in the wild by multiple threat actors. Ivanti appliances are currently being targeted via 2 vulnerabilities (CVE-2023-46805 and CVE-2024-21887), and the company has also warned of a 3rd actively exploited zero-day (CVE-2024-21893). On Wednesday, Ivanti released security patches for some software versions affected by the 3 flaws and provided mitigation instructions for devices without a patch. On 31 January, Ivanti strongly recommended that customers factory reset vulnerable appliances before patching, to prevent attackers from persisting on the network between software upgrades.

Mastodon's critical vulnerability allows attackers to impersonate and take over accounts.
Mastodon, a free and decentralised social networking platform, has fixed a critical vulnerability (tracked as CVE-2024-23932) that allows attackers to impersonate and take over accounts. The flaw stems from insufficient origin validation in Mastodon. It was rated 9.4 and impacts all Mastodon versions before 3.5.17, 4.0.13, 4.1.13 and 4.2.5.
The patch was released on 2 February 2024, and all Mastodon server administrators are strongly recommended to upgrade as soon as possible to protect their users. Updating is important because the flaw can be leveraged to completely compromise Mastodon servers, giving attackers access to sensitive user information and communications and allowing them to plant backdoors.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
Security researchers revealed that a massive database containing no less than 26 billion leaked records was found on an unsecured page. Dubbed the "Mother of all Breaches" (MOAB), it runs to 12 terabytes in size and holds 26 billion records in over 3,800 folders, each folder corresponding to a separate data breach.
According to the research team, although the leaked data consists mostly of information from past data breaches, it also holds new data that had not been published before.

Who is affected by this data leak?
Many companies and organisations have been impacted by this breach.
The leak also includes records of various government organisations in the U.S., Germany, Brazil, the Philippines, Turkey and more.

Why Is This Important?
A data leak of this scale has never occurred before, and its consequences will be detrimental. Because many people reuse their usernames and passwords, malicious threat actors can embark on credential-stuffing attacks, in which hackers take leaked passwords and email addresses, try those combinations across the web and see which accounts they can get into. For instance, if a user has the same password for their Twitter account and their Gmail account, attackers can use the leaked credentials to attack the more vital or sensitive account. This massive data leak can also make users whose data has been leaked the targets of spear-phishing attacks or high-level spam emails.

How Do I Protect Myself Now?
1. Change passwords on all impacted sites.
Immediately change the passwords for the affected accounts to prevent further unauthorised access. As a rule of thumb, you should change the passwords for all your accounts frequently, and they should be strong: at least 16 characters in length, with a mix of numbers, lower- and uppercase letters, and special characters. Read more: Password Security Tips: How To Fortify Your Password Security
2. Turn on MFA (Multi-Factor Authentication) or 2FA (Two-Factor Authentication).
MFA isn't just an option; it's a necessity. Using another form of ID, such as a security token, biometrics, an SMS authorisation code or an authenticator app, adds an extra layer of security and makes it harder for hackers to gain unauthorised access to your online accounts even if they steal your password. Turn on MFA wherever possible, starting with your most important accounts such as email, social media and financial services.
3. Check if your data has been leaked.
Check whether you have been a victim of this breach through services like Have I Been Pwned. These services can tell you whether your details have already been made public or are at risk of being used maliciously.
4. Stay alert and regularly monitor your accounts.
Keep a close eye on your bank statements, credit reports and other sensitive accounts for any unauthorised activity. If you notice anything unusual, report it immediately to the respective institution and take the necessary action. Be vigilant against phishing and spear-phishing attempts, and always be suspicious of calls or emails from unknown sources.
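To make steps 1 and 3 concrete, here is an added Python example (not from the original post) that checks a password against the 16-character, four-character-class rule above and then does a k-anonymity breach lookup in the style of Have I Been Pwned's Pwned Passwords range API: only the first five hex characters of the password's SHA-1 hash are sent to the service, which answers with every matching suffix and its count, and the final comparison happens on the client, so the full password hash never leaves your machine. The breached-password corpus and the range responses here are constructed stand-ins so the block runs offline; a real client would fetch the lines for the prefix from https://api.pwnedpasswords.com/range/<prefix> over HTTPS instead.

```python
"""Password-strength check plus a k-anonymity breach lookup in the style of
Have I Been Pwned's Pwned Passwords API.  Added example; the corpus and the
range responses below are constructed, not the real service's data."""
import hashlib
import string

MIN_LENGTH = 16  # the post's rule of thumb


def password_meets_policy(password: str) -> bool:
    """At least 16 characters with lower, upper, digit and special characters."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= MIN_LENGTH and all(classes)


def sha1_prefix_suffix(password: str):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_constructed_range_index(breached: dict) -> dict:
    """Constructed stand-in for the /range/{prefix} endpoint: maps a 5-char
    prefix to the 'SUFFIX:COUNT' lines the real API would return.  `breached`
    maps a sample leaked password to the number of times it was seen."""
    index = {}
    for pw, count in breached.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    # Pad each bucket with filler suffixes so that a response with a single
    # line does not by itself reveal which password was asked about.
    for prefix, lines in index.items():
        for i in range(3):
            filler = hashlib.sha1(f"filler-{prefix}-{i}".encode()).hexdigest().upper()[5:]
            lines.append(f"{filler}:{i + 1}")
    return index


def pwned_count(password: str, range_lookup) -> int:
    """Return how many times `password` appears in the corpus behind
    `range_lookup`.  Only the hash prefix is handed to `range_lookup`; the
    suffix comparison is done locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def assess_password(password: str, range_lookup) -> dict:
    """Both checks together: a password is acceptable only if it meets the
    policy AND has a pwned count of zero."""
    return {
        "meets_policy": password_meets_policy(password),
        "pwned_count": pwned_count(password, range_lookup),
    }


# Constructed sample corpus standing in for the real breached-password set.
CONSTRUCTED_BREACHED = {"password123": 100, "Summer2023!": 7}
_INDEX = build_constructed_range_index(CONSTRUCTED_BREACHED)


def constructed_range_lookup(prefix: str) -> list:
    """Offline replacement for the HTTPS call to the range endpoint."""
    return _INDEX.get(prefix, [])


if __name__ == "__main__":
    for pw in ("password123", "Correct-Horse-Battery-Staple-2024!"):
        print(pw, assess_password(pw, constructed_range_lookup))
```

The same prefix/suffix split is what lets a service answer "has this password been seen in a breach?" without ever learning the password: every response covers a whole bucket of hashes, and the client discards everything except the one line that matches.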