Author: TAFA
April 2024
In the digital age, information is power, and the practice of data scraping has emerged as a potent means of acquiring vast amounts of data quickly. However, this seemingly innocent technique holds significant dangers for both organizations and individuals.
In this article, we delve into the world of data scraping, exploring its mechanics, a real-life case study, its potential harms, and strategies to safeguard against its insidious effects.

What Is Data Scraping?
Data scraping, also known as web scraping, is the automated extraction of data from websites and other online sources. Specialized software or scripts navigate websites and harvest data from systems owned by third parties, then collate the extracted data and store it either in a database or in a portable format such as CSV. Initially intended for legitimate purposes such as data analysis and market research, data scraping has been exploited for various malicious ends. In particular, cybercriminals use scraped data to make their phishing attacks more effective: through scraping, they learn not only which employees are most vulnerable to attack but also which positions they can exploit to deceive recipients into handing over sensitive data.

Real-Life Case Study
One very recent example is the scraping of Duolingo users’ public profile information, which led to the data of 2.6 million users being leaked on a hacking forum. The compromised data included real names, login names, email addresses and internal service-related details. Cybercriminals were able to scrape this information because of an exposed application programming interface (API) that allowed the retrieval of user profile information; the exposed API also allowed unauthorized access to the email addresses associated with Duolingo accounts. Although Duolingo confirmed that the data was sourced from publicly available profiles, the fact that email addresses were also leaked is alarming: users’ email addresses are not public information, and they can facilitate targeted phishing attacks. This recent example of data scraping shows the importance of proactive security measures.

As scammers now have Duolingo users’ email addresses and real names, they can craft more realistic phishing attempts, which means that more people could fall for these scams.

Regulators Urge The Tackling Of Data-Scraping Privacy Risks
The very real impact of data scraping on privacy is especially evident in the joint statement signed by a dozen international privacy watchdogs, such as Hong Kong’s OPCPD, Australia’s OAIC and the UK’s ICO. The statement urged mainstream social media platforms and operators of other publicly accessible websites to protect users’ personal information from third-party data scraping. It also warned these platforms and operators that they have a legal responsibility to protect users’ personal data in most markets, as personal information is subject to data protection and privacy laws. As the statement puts it, “mass data scraping of personal information can constitute a reportable data breach in many jurisdictions.” The joint statement had a clear message: mainstream social media sites need to be proactive about protecting their users’ personal information from scraping. The letter also contained recommended measures to reduce the risk of users’ personal data being scraped, as well as advice for individuals on how to protect themselves from the risks of scraping.

Dangers of Data Scraping To Organizations
Dangers of Data Scraping To Individuals
Safeguarding Against Data Scraping Risks
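The detection logic below is an added example for this section; it is not code from the original article or from Duolingo. It assumes a constructed access-log format in which each line records a client IP, a Unix timestamp, the profile endpoint requested and the HTTP status; the path /api/users/<id>/profile, the IP addresses and the thresholds are invented for illustration. The idea is the one the case study above points at: a scraper walking an exposed profile API stands out because one client requests a large number of distinct profile IDs in a short window, which ordinary users do not do.

```python
"""Detect enumeration-style scraping of a profile API in web access logs.

Added example: not code from the original article or from any vendor.
Assumed (constructed) log format, one request per line:
    <client_ip> <unix_ts> GET /api/users/<id>/profile <http_status>
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\S+) (\d+) GET /api/users/(\d+)/profile (\d{3})$")


def _build_sample_log():
    """Constructed sample traffic (not real data): one scraper walking
    60 consecutive profile IDs, one ordinary user viewing a few profiles,
    and one client probing an ID that does not exist."""
    lines = [f"203.0.113.7 {1700000000 + i} GET /api/users/{1000 + i}/profile 200"
             for i in range(60)]
    lines += ["198.51.100.4 1700000030 GET /api/users/1001/profile 200",
              "198.51.100.4 1700000300 GET /api/users/1042/profile 200",
              "198.51.100.4 1700000900 GET /api/users/1001/profile 200",
              "192.0.2.88 1700000010 GET /api/users/9999/profile 404"]
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Return (ip, timestamp, user_id, status) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, ts, uid, status = m.groups()
    return ip, int(ts), int(uid), int(status)


def distinct_ids_in_window(events, window_s):
    """Largest number of distinct profile IDs one client requested within any
    window_s-second span. events is a list of (timestamp, user_id)."""
    events = sorted(events)
    counts = defaultdict(int)
    left = 0
    best = 0
    for ts, uid in events:
        counts[uid] += 1
        # Drop events that fell out of the window ending at ts.
        while events[left][0] < ts - window_s:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def find_scrapers(log_text, window_s=60, threshold=25):
    """Map client IP -> peak distinct-ID count for clients over the threshold.
    Only successful (200) responses count: those are the records actually
    harvested. window_s and threshold are illustrative and must be tuned."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, uid, status = parsed
        if status == 200:
            per_client[ip].append((ts, uid))
    flagged = {}
    for ip, events in per_client.items():
        peak = distinct_ids_in_window(events, window_s)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in find_scrapers(SAMPLE_LOG).items():
        print(f"possible scraper {ip}: {peak} distinct profiles in 60 s")
```

Counting distinct IDs rather than raw request volume is what separates enumeration from a busy but legitimate client; the window and threshold are assumptions to be tuned against real traffic, and this kind of detection complements, rather than replaces, authenticating the API and rate-limiting it.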
Takeaway
Data scraping, initially hailed as a tool for streamlining data extraction, has transformed into a double-edged sword capable of undermining privacy and intellectual property rights, posing risks for organizations and individuals alike. As technology advances, so too must our understanding of the potential dangers of data scraping. By implementing robust security measures, adhering to legal regulations, and adopting cautious online practices, we can collectively protect ourselves and our digital world from the perils of data scraping. In this interconnected age, vigilance is key to safeguarding the integrity of information and the sanctity of our digital experiences.
Last week, more cyberattacks and data breaches occurred across several industries, with some having even more devastating consequences.
Read on to receive a quick summary of what happened this week in the space of cybersecurity.

Cybercriminals completely wiped out all CloudNordic servers and customer data.
CloudNordic has told customers that a ransomware group has shut down all of CloudNordic’s systems and wiped out the company’s and customers’ websites and email systems. Furthermore, it seems that the backups and production data have also been wiped. With the ransomware having encrypted the Danish cloud provider’s servers, customers have been told to consider all of their data lost. CloudNordic also stated that it will not pay the ransom to restore the information and systems. Although data and systems have been lost, CloudNordic also stated that it found no evidence of a data breach in which information was exfiltrated. As of 23 August, CloudNordic has stated that it is bringing customers’ web and email servers back online, although without data. To restore services, CloudNordic has uploaded detailed instructions for 2 options.

A French government agency suffers a data breach that exposed 10 million people’s data.
Pole emploi, France’s government unemployment registration and financial aid agency, has announced a data breach that exposed the data of 10 million individuals. The press release stated that it was due to a compromise of one of its providers’ information systems. Furthermore, it stated that job seekers registered in February 2022, and former users of the job center, are potentially affected by this data breach. Although the agency did not state how many were impacted, Le Parisien reports an estimated 10 million people were affected, based on the number of registered individuals in February 2022 plus those who had registered earlier but whose data had not yet been deleted from the agency’s systems. The compromised data includes full names and social security numbers.
Pole emploi strongly recommends that registered job seekers be cautious with incoming communications, and a dedicated phone support line has been set up to address any questions or concerns affected individuals may have about the breach.

Christie’s data breach exposed GPS coordinates of collectors’ artworks.
Hundreds of Christie’s auction house clients who had uploaded photographs of their paintings and sculptures for the auction house’s review were impacted by a data breach that exposed the exact location of the art they own. The incident was discovered by researchers Martin Tschirsich and André Zilch when a friend asked them to check how secure the auction house’s data was. They estimated that around 10% of the uploaded images contained exact GPS coordinates: these images reveal not just the street address where they were taken but the artworks’ exact location. The researchers alerted Christie’s to the issue in July, but the vulnerability was only fixed this week.

Rhysida ransomware group sells Prospect Medical Holdings data.
The Rhysida ransomware group has claimed to have exfiltrated a 1.3-terabyte SQL database and 1 terabyte of “unique files” from Prospect Medical Holdings, and is selling the data for 50 bitcoin on its data leak site. The data Rhysida claims to have includes 500,000 social security numbers, patient files, passports, driver’s licenses, and legal and financial documents. As of Thursday, Prospect Medical Holdings has stated on its website that the chain is experiencing a systemwide outage and is working to resolve the issue. The U.S. Department of Health and Human Services has issued an alert warning that Rhysida is focusing its attacks on healthcare and public health sector organizations.

Data of donors to Australian charities such as Cancer Council and Canteen has been leaked onto the dark web.
Thousands of donors to more than 70 Australian charities had their personal information leaked onto the dark web after Pareto Phone, a Brisbane-based telemarketer, was hacked by cybercriminals. It has been reported that this data breach could affect more than 50,000 Australians and that, for some of the charities, credit card data was also stolen. It was further reported that some of the stolen data was up to 15 years old. The Cancer Council, Canteen and the Fred Hollows Foundation have confirmed that donor information has been published on the dark web. The Fred Hollows Foundation stated that 1,700 of its donors were affected, and claimed that donors’ data had been retained without the charity’s knowledge, as it had worked with Pareto Phone only during 2013-2014. Médecins Sans Frontières (MSF) also accused Pareto Phone of retaining its donors’ data without its knowledge. Canteen stated that all 2,600 affected donors have been contacted, and that the leaked information included names, dates of birth, addresses, email addresses and phone numbers. The Cancer Council stated that it is waiting for Pareto Phone to confirm the number of its donors affected, and has severed ties with the company. Pareto Phone’s CEO Chris Smedley apologized for the distress the breach caused, and stated that the company is working with forensic specialists to analyze the affected files.

Metropolitan Police investigating a suspected data breach.
The Metropolitan Police is currently investigating a possible data breach after “unauthorized access” was detected to the systems of one of its suppliers. The supplier held officers’ and staff’s names, ranks, photos, vetting levels and pay numbers. The possible data breach has been reported to the National Crime Agency (NCA) and the Information Commissioner.
The Met’s spokesperson was unable to say when the breach occurred or how many personnel have been affected, but did state that the breached supplier did not hold personal information such as phone numbers, addresses and financial details.

Kroll suffers a data breach after an employee fell victim to a SIM swapping attack.
Kroll, a risk and financial advisory solutions provider, disclosed on Friday that one of its employees fell victim to a SIM swapping attack. Kroll stated that the cybercriminal targeted the employee’s T-Mobile account on 19 August and, without any authority from or contact with Kroll or the employee, had the employee’s phone number transferred to the cybercriminal’s phone at their request. This allowed the cybercriminal to gain access to files containing personal information of bankruptcy claimants in BlockFi, FTX and Genesis. Kroll also stated that it had immediately secured the 3 affected accounts and had notified impacted individuals via email. FTX and BlockFi clarified that user passwords and client funds were not impacted, and that their own systems were not breached either.

American Express confirms APAC employees’ details were leaked.
American Express has confirmed that a former employee gained access to Asia Pacific employee data (covering both former and current employees) after accidentally being given access to a third-party payroll company. This was shared anonymously on The Aussie Corporate account, where the anonymous poster also stated that the data accessed included bank account details, names, addresses, payment histories and tax file numbers. The poster also stated that all APAC employees were affected, and that 2 years of identity theft protection service has been offered to former and current employees impacted by this breach. When CyberSecurity Connect reached out to Amex, the company confirmed that no payment data or bank details were accessed by the former employee, and that only “certain” employees were affected.
They also stated that no American Express Card member data was impacted.

2.6 million Duolingo users’ data has been leaked on a hacking forum.
Data from 2.6 million users of Duolingo, a language learning platform, has been leaked on a hacking forum. The leaked data includes names, login names, email addresses and internal service-related details. This data was offered for sale on the now-defunct Breached hacking forum in January 2023 for $1,500. A Duolingo spokesperson stated that the data was obtained by scraping public profile information, and that the company had no indication that its systems were compromised. However, with users’ email addresses and names exposed, more realistic phishing attacks become possible, which can lead to more people falling for these scams.

Tesla says May data breach was caused by 2 ex-employees.
Tesla has stated that the data breach that affected more than 75,000 former and current company employees was caused by 2 former employees. The 2 former employees leaked 75,735 individuals’ personal information to a foreign media outlet, Handelsblatt. The leaked information includes names, addresses, phone numbers, employment-related records and social security numbers. The German media outlet has assured Tesla that it will not publish the information and that it is “legally prohibited from using it inappropriately”. The outlet obtained more than 23,000 internal documents containing 100GB of confidential data, including employees’ personal information, customer bank details, production secrets, and customer complaints about Tesla’s Full Self-Driving (FSD) features. Tesla has filed lawsuits against the 2 ex-employees allegedly responsible for the breach.

Mounting evidence that Akira ransomware targets Cisco VPN products to breach organizations.
There is mounting evidence that the Akira ransomware group targets Cisco VPN products as an attack vector to breach organizations’ networks and steal and encrypt their data.
Sophos first observed Akira’s abuse of VPN accounts in May, when researchers found that Akira breached a network using “VPN access using Single Factor authentication”. Another incident responder, Aura, also stated on Twitter that Akira was using Cisco VPN accounts that were not protected by MFA. Other researchers have reported the same findings. This is troubling, as Cisco VPN solutions are widely used across many industries. A Cisco spokesperson confirmed to BleepingComputer that its VPN products support MFA. Customers can configure logging on Cisco ASAs, and Cisco recommends sending logging data to a remote syslog server, which improves correlation and auditing of network and security incidents across devices.

TP-Link smart bulbs and Tapo app could allow attackers to steal victims’ WiFi passwords.
Researchers from Italy and the UK discovered 4 vulnerabilities in the TP-Link Tapo L530E smart bulb and the Tapo app that could allow hackers to steal their victim’s WiFi password. The vulnerabilities: (1) allow hackers to impersonate the device during the session key exchange step, (2) allow hackers to retrieve Tapo user passwords and manipulate Tapo devices, (3) make the cryptographic scheme predictable because of a lack of randomness during symmetric encryption, and (4) allow hackers to replay messages during the 24-hour period for which session keys remain valid. The most worrying attack scenarios are bulb impersonation and retrieval of the Tapo user account. The researchers disclosed their findings to TP-Link; the vendor acknowledged them and said it would implement patches to fix these vulnerabilities. So far, TP-Link has only released 2 fixes for 2 products, Tapo L350(TW) V1 and Tapo L350(EU/US) V2; patches for other products are currently being released. It is highly recommended to keep these devices isolated from critical networks, update to the latest patches, and protect your accounts with MFA and strong, unique passwords.
New HiatusRAT malware campaign targeted the U.S. Department of Defense.
A new HiatusRAT malware campaign has targeted a server belonging to the U.S. Department of Defense. This is a significant shift, as the attacks were previously focused on organizations in Latin America and Europe. Researchers observed that a U.S. military procurement system and Taiwan-based organizations were targeted. Researchers recommend that defense contractors exercise caution and monitor their networking devices for the presence of HiatusRAT.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
In the age of digital connectivity, passwords are one of the weakest links in the defense against cyber threats. Cybercriminals constantly attack passwords because they are one of the easiest and most effective ways to breach your environment. Furthermore, passwords are often the only defense against unauthorized access to your sensitive information or accounts. Hence, this situation gives cybercriminals a significant advantage.
From brute force attacks to credential stuffing, understanding these password attack strategies is crucial for fortifying your online security. This is essential because, based on Verizon’s data breach report, more than 80% of web application breaches resulted from password-related issues. In this article, we unravel the top 8 password attacks and arm you with effective strategies to fend off these cyber threats and protect your digital world.

Top 8 Types Of Password Attacks

1. Brute Force Attacks
Brute force attacks involve relentlessly guessing passwords until the correct combination is found. Cybercriminals tend to utilize a large list of common or compromised passwords. This attack can be laborious and resource-intensive, as it involves going through all possible character permutations until the password is correctly identified. However, cybercriminals can also use a computer that can “guess” billions of passwords each second using the power of today’s high-performance CPUs. In effect, this guesses legitimate users’ passwords “by force”, and it is a highly effective method for cybercriminals to gain access to victims’ accounts. A recent example of a brute force attack is the recent LinkedIn mass account hijacking campaign, in which, for some of the attacks, the cybercriminals appear to have used brute force to take control of a large number of LinkedIn accounts.

What You Can Do
To deter brute force attacks, it is highly recommended to:
2. Dictionary Attacks
Attackers use large databases of common words and phrases, similar to a dictionary, to guess passwords. This is a brute-force hacking method: cybercriminals enter every word in a dictionary, derivatives of those words, and previously leaked passwords or key phrases to break into password-protected assets. For example, a cybercriminal would use a program to try common words and phrases such as “password” and “123456” until the correct password is found. If a user’s account password is easily guessable, such as “password123”, the account can easily be broken into using a dictionary attack.

What You Can Do
To deter dictionary attacks, it is highly recommended to:
3. Credential Stuffing
Cybercriminals exploit credentials reused from previous breaches to gain unauthorized access. In short, it is a type of attack in which stolen username and password pairs are used to gain unauthorized access to victims’ accounts on a range of online services and websites (e.g. online banking, social media, e-commerce platforms). Credential stuffing tends to be automated, with large numbers of stolen username and password combinations attempted in order to break in. Credential stuffers account for more than 90% of all login traffic on many of the largest websites and are a cause of second-hand data breaches.

What You Can Do
To deter credential stuffing, it is highly recommended to:
4. Keylogger Attacks
This is a type of password attack in which cybercriminals use malware to record the keystrokes on a victim’s computer. Keyloggers can be hardware or software. They allow cybercriminals to steal a range of sensitive data, from the victim’s passwords to credit card numbers. Keyloggers can be installed on the victim’s computer in a myriad of ways: a phishing email, malicious software that the victim downloads, or a malicious website.

What You Can Do
To deter keylogger attacks, it is highly recommended to:
5. Phishing
Phishing is a type of attack that aims to manipulate users into providing sensitive information or performing actions by having the cybercriminal pose as a trustworthy party. This is commonly attempted through legitimate-looking emails and/or spoofed websites. Cybercriminals tend to use personalized messages that exploit internal information to appear authentic and convincing. These messages usually convey a sense of urgency, to make the victim transfer funds quickly. One example was when cybercriminals impersonated the office manager of a small safety management business and emailed the facilities manager of a food distribution company to notify them of outstanding invoices and that payment details had changed. To make the email look legitimate:
The targeted victim was tricked and replied to the email with the requested information. The cybercriminal followed up with the “new” bank information and asked that payments be made to this account. When the victim did not respond, the scammer sent a succession of emails pressuring them that a reply was of utmost urgency (a common technique used in phishing). Luckily, cybersecurity analysts managed to step in just in time to ensure that no payments were transferred.

What You Can Do
To deter phishing attacks, it is highly recommended to:
6. Rainbow Table Attacks
In this type of attack, cybercriminals gain access to a database and use precomputed hash values to crack passwords. This is a more sophisticated form of the dictionary attack, and it is often used to crack complex or long passwords.

What You Can Do
To deter rainbow table attacks, it is highly recommended to:
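As an added example (not code from the original article), the script below shows why salting and key stretching defeat precomputed tables: a small dictionary of unsalted SHA-256 digests stands in for a rainbow table, and the same password stored with a random per-user salt and PBKDF2 cannot be found in it. The candidate password list and the 600,000-iteration work factor are assumptions chosen for illustration.

```python
"""Why salted, stretched password hashes are not in a precomputed table.

Added example, not code from the original article. The "table" here is a
stand-in for a rainbow table: a dictionary from unsalted SHA-256 digest to
plaintext for a short, constructed list of common passwords.
"""
import hashlib
import hmac
import os

# Constructed candidate list; a real precomputed table covers vastly more.
COMMON_PASSWORDS = ["password", "123456", "password123", "qwerty", "letmein"]

# Assumed work factor for illustration; choose per current guidance and hardware.
PBKDF2_ITERATIONS = 600_000


def unsalted_digest(password):
    """Plain SHA-256 of the password: exactly what a precomputed table reverses."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_precomputed_table(passwords):
    """digest -> plaintext, built once and reused against any unsalted hash."""
    return {unsalted_digest(p): p for p in passwords}


def lookup(table, digest):
    """Instant 'crack' if the digest was precomputed, else None."""
    return table.get(digest)


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Store salt, iteration count and PBKDF2-HMAC-SHA256 output together.
    A fresh random salt per user means identical passwords get different
    records, so no table built in advance can match them."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo(password="password123"):
    """Contrast an unsalted digest with two salted records of the same password."""
    table = build_precomputed_table(COMMON_PASSWORDS)
    record_a = hash_password(password)
    record_b = hash_password(password)
    return {
        "unsalted_cracked": lookup(table, unsalted_digest(password)),
        "salted_records_differ": record_a != record_b,
        "salted_in_table": lookup(table, record_a.split("$")[2]),
        "verifies": verify_password(password, record_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsalted digest of “password123” is found immediately, while the two salted records for the same password differ from each other and from anything in the table; the iteration count additionally makes each guess against a stolen record cost real compute time.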
7. Password Spraying
Password spraying involves attempting one or two common passwords across many different accounts. Cybercriminals use this method to avoid detection or account lockout, as the account lockout threshold is commonly set to 5 incorrect attempts in many organizations. This method is often successful because people tend to either reuse the same password across multiple accounts or use commonly chosen passwords. Furthermore, by staying under the account lockout threshold, cybercriminals can attempt a myriad of passwords across the organization without triggering its default protective mechanisms.

What You Can Do
To deter password spraying, it is highly recommended to:
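The script below is an added example, not from the original article; it shows how password spraying and brute force look different in authentication logs when failures are grouped by source rather than by account, which is why per-account lockout alone misses spraying. It assumes a constructed log format of <timestamp> <username> <source_ip> <SUCCESS|FAILURE>; the IP addresses and usernames are invented, and the 5-attempt lockout threshold is taken from the text above.

```python
"""Spot password-spraying and brute-force patterns in authentication logs.

Added example, not from the original article. Assumed (constructed) log
format, one event per line:
    <unix_ts> <username> <source_ip> <SUCCESS|FAILURE>
A sprayer keeps every account under the lockout threshold, so per-account
counters never fire; grouping failures by source makes the pattern visible.
"""
from collections import defaultdict

LOCKOUT_THRESHOLD = 5   # typical per-account lockout setting cited in the article


def _build_sample_log():
    """Constructed sample events (not real log data)."""
    base = 1700000000
    lines = []
    # Sprayer: 12 accounts, 2 attempts each, always below the lockout threshold.
    users = [f"user{i:02d}" for i in range(12)]
    t = base
    for _attempt in range(2):
        for u in users:
            lines.append(f"{t} {u} 203.0.113.9 FAILURE")
            t += 30
    # Brute force: one account hammered with 8 failures from one source.
    for i in range(8):
        lines.append(f"{base + i * 5} admin 198.51.100.23 FAILURE")
    # Ordinary user: two typos, then a successful login.
    lines.append(f"{base + 100} alice 192.0.2.5 FAILURE")
    lines.append(f"{base + 130} alice 192.0.2.5 FAILURE")
    lines.append(f"{base + 160} alice 192.0.2.5 SUCCESS")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_events(log_text):
    """Return a list of (timestamp, username, source_ip, succeeded)."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, ip, result = parts
        events.append((int(ts), user, ip, result == "SUCCESS"))
    return events


def summarize_by_source(events, window_s=3600):
    """Failures per source IP in a fixed window starting at the earliest event.
    Returns ip -> (total_failures, distinct_accounts, max_failures_per_account)."""
    if not events:
        return {}
    start = min(e[0] for e in events)
    per_ip = defaultdict(lambda: defaultdict(int))
    for ts, user, ip, ok in events:
        if ok or ts - start > window_s:
            continue
        per_ip[ip][user] += 1
    return {ip: (sum(c.values()), len(c), max(c.values()))
            for ip, c in per_ip.items()}


def classify_sources(log_text, lockout_threshold=LOCKOUT_THRESHOLD,
                     min_accounts=10, window_s=3600):
    """Label sources: many failures on one account reaches the lockout
    threshold (brute force); many accounts each kept under it (spraying).
    min_accounts is an illustrative tuning knob."""
    findings = {}
    summary = summarize_by_source(parse_events(log_text), window_s)
    for ip, (failures, accounts, per_account) in summary.items():
        if per_account >= lockout_threshold:
            findings[ip] = "brute_force"
        elif accounts >= min_accounts:
            findings[ip] = "password_spraying"
    return findings


if __name__ == "__main__":
    for ip, label in classify_sources(SAMPLE_LOG).items():
        print(f"{ip}: {label}")
```

The sprayer never exceeds 2 failures on any single account, so an account-centric rule sees nothing unusual; the source-centric summary shows 24 failures spread over 12 accounts, which is the signature to alert on.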
8. Social Engineering Attacks
Social engineering attacks involve manipulating victims into performing actions or revealing sensitive information such as their passwords. This includes phishing, baiting and tailgating, and can be carried out through emails, phone calls or even in-person interactions. It is often successful because cybercriminals impersonate someone the victim is likely to trust or believe to be a legitimate authority figure. As shown in the example under ‘Phishing’, cybercriminals were able to impersonate the office manager and trick the victim by making the email look legitimate, using the manager’s real signature with the company’s contact information and logo, and a sender address that looked almost identical to that of the real company. Another example was when cybercriminals incorporated a CAPTCHA, an extra verification step, to reassure users that they were safe. Truist, a financial corporation, was targeted by threat actors using this method. Victims were sent an email containing a hyperlink called “Finish To-Do List”. When they clicked on the link, victims were redirected to a page with a Truist-branded CAPTCHA, where they also had to input their phone number. After inputting this information, victims were taken to a Truist-branded credential-harvesting page where the threat actors stole their information.

What You Can Do
To deter social engineering attacks, it is highly recommended to:
Takeaway
The battle to safeguard your digital fortress against password attacks is ongoing. Understanding the strategies that cybercriminals employ empowers you to take proactive steps to defend against them. By adopting strategies such as, but not limited to, strong, unique passwords, embracing multi-factor authentication, and staying educated about evolving cyber threats, you can ensure that your online world remains secure. Remember, your digital presence is only as strong as its weakest password, so fortify it with knowledge and vigilance to ensure a safer and more secure digital future.
Last week, more data breaches occurred across several industries such as the public, healthcare, and telecommunications sectors. New phishing campaigns, class-action lawsuits, new vulnerabilities and patches have also been found.
Read on to receive a quick summary of what happened this week in the space of cybersecurity.

ShopBack fined S$74,000 over the leak of more than 1.4 million customers’ personal data.
ShopBack, a Singapore online cashback portal, has been fined S$74,400 (US$54,600) by Singapore’s cybersecurity agency, the Personal Data Protection Commission (PDPC), over a data leak that affected more than 1.4 million of its customers. The personal data compromised included names, email addresses, mobile numbers, bank account numbers and partial credit card information. Cybercriminals managed to enter ShopBack’s servers and extract the data using an access key with full administrative privileges, which had remained in a private repository on the GitHub platform for 15 months.

Discord.io exposed more than 760,000 users’ personal data.
Discord.io, a custom invite service for Discord, has suffered a data breach that exposed more than 760,000 users’ personal data. The breach was discovered on 14 August, after a database containing Discord.io users’ personal information was put up for sale on the dark web. Discord.io confirmed the legitimacy of the database, has shut down all operations and services, and has launched an investigation into the breach. According to the latest update, the investigation revealed that the hacker gained access to the database via a vulnerability in the website’s code. The site stated that, to ensure this incident does not occur again, it will completely rewrite the website’s code and overhaul its security practices. The data leaked is extensive, and includes both sensitive and non-sensitive information. Potentially sensitive information leaked includes usernames, Discord IDs, email addresses, billing addresses (from before the site started using the secure payment service Stripe), and salted and hashed passwords.
The non-sensitive information leaked includes internal user IDs, user avatar information, user status, user coin balance, user API keys, user registration data, last payment date and expiration date of premium memberships. Although Discord is not affiliated with Discord.io, it has revoked the OAuth tokens of any Discord user who has used Discord.io, recommended that users enable 2-factor authentication to protect their accounts, and suggested setting up SMS authentication.

UK police data breach exposed victims’ information.
The UK’s Norfolk and Suffolk police constabularies have disclosed the exposure of 1,230 individuals’ personal information, including victims of crime, witnesses and suspects. The data also included descriptions of offences such as domestic incidents, sexual offences, assaults, thefts and hate crimes. According to the official statement, a technical issue resulted in some raw data belonging to the constabularies being included within the files produced in response to the Freedom of Information (FOI) requests in question. The statement continues that, although the data was hidden from those who opened the file, it should not have been included in the first place. The statement also says that the constabularies have started the process of contacting the individuals impacted, which will be done by letter, phone and/or face-to-face, depending on the type of information impacted and the support required.

Large QR code phishing campaign targeted a major energy organization.
Cofense has observed a large phishing campaign that uses QR codes to target the Microsoft credentials of users from a wide array of industries, such as manufacturing, insurance, technology and financial services. The most notable target was a “major Energy company based in the US”, which received about 29% of the over 1,000 emails containing the malicious QR codes.
Most of the emails’ QR codes deliver phishing links or redirects, the majority of them Bing redirect URLs. The FBI warned last year that cybercriminals are using QR code scans to direct victims to malicious sites to steal their data, to embed malware that gives access to their device, and to redirect payments for the cybercriminals’ use.

CISA warns of the exploitation of a new file transfer bug in Citrix ShareFile.
CISA, the U.S. government’s cybersecurity agency, warned that cybercriminals are exploiting a newly discovered vulnerability (CVE-2023-24489) in Citrix ShareFile, an enterprise file transfer product. The flaw was given a severity rating of 9.8 out of 10; it is a bug that could allow an unauthenticated attacker to remotely compromise customer-managed Citrix ShareFile storage zones controllers, with no passwords needed. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warned that it poses a “significant risk to the federal enterprise”, and required federal civilian executive branch agencies to apply the vendor patches by 6 September. GreyNoise has observed a “significant spike” in attacker activity since CISA’s publication of the flaw. It is highly recommended to apply the vendor patch as soon as possible.

Colorado: more than 4 million people’s personal information impacted by the IBM MOVEit breach.
The Colorado Department of Health Care Policy & Financing (HCPF) states that 4,091,794 individuals’ personal and health information was impacted by the IBM MOVEit breach. HCPF clarified that its systems were not directly compromised, and that the data exposure occurred via its contractor, IBM, which used the MOVEit software. The investigation revealed that the cybercriminals managed to access, and likely stole, files containing certain Health First Colorado and CHP+ members’ information.
This includes full names, social security numbers, Medicaid ID numbers, Medicare ID numbers, dates of birth, home addresses, contact information, income information, demographic data, clinical data (e.g. diagnoses, lab results, treatments, medications) and health insurance information. This is dangerous because the information can be used to launch effective phishing or social engineering attacks, which can help cybercriminals with identity or bank fraud. For those impacted, HCPF will provide 2 years of credit monitoring services to help counter any fraud attempts.

Multiple class-action lawsuits filed after the MOVEit data breach.
Attorneys at the leading consumer-rights law firm Hagens Berman have filed 5 nationwide class-action lawsuits against Progress Software and other organizations for compromising the personal information of an estimated 40 million people. The compromised personal information included contact information, dates of birth, social security numbers, pension information, billing data, banking information and medical records. The firm intends to file additional complaints against other co-defendants involved in the data breach. According to the firm, the full scope of involved parties is still being revealed, and those affected will be made aware through mailed letters detailing the MOVEit data breach.

Advocate Aurora Health to pay US$12.25 million to settle web tracker claims.
According to a preliminary settlement plan in Wisconsin federal court, Advocate Aurora Health has agreed to pay US$12.25 million to settle consolidated class action claims that the Illinois-based hospital chain invaded patient privacy by using tracking codes on its websites and patient portal. The consolidated class action was filed after the disclosure of a web-tracker-related HIPAA breach that affected 3 million individuals.
At the time of its breach report, the organization stated that it had embedded tracking technologies, including Meta Pixel, Google Analytics and other third-party tools, into its website, patient portal and some scheduling apps to “better understand patient needs and preferences”. However, patients’ personal or health information was disclosed to those third parties without their consent or knowledge. The entity has since disabled the tracking tools or removed them from its websites, app and patient portal. The settlement is subject to the court’s final approval, for which a hearing date has not yet been set.

LinkedIn accounts targeted in a widespread hijacking campaign.
Many LinkedIn accounts are being targeted by a widespread account hijacking campaign, which has resulted in numerous accounts being locked for security reasons or outright hijacked by the attackers. Cyberint reported that many LinkedIn users have been complaining about account takeovers or lockouts and about the inability of LinkedIn support to resolve the problems. Users have been frustrated by the lack of response and by LinkedIn Support being unhelpful in recovering breached accounts. Some users have even been pressured to pay a ransom to get their account back or have it deleted. Signs of an outbreak are evident in Google Trends, where searches for LinkedIn account hacks or recovery rose by over 5,000% in the past few months. The attacker appears to use leaked credentials or brute force to take control of a large number of LinkedIn accounts. For accounts protected by strong passwords and/or 2-factor authentication, the repeated takeover attempts triggered a temporary account lock imposed by the platform as a protective measure. Those users then have to verify ownership by providing additional information and update their passwords before being allowed to sign back in.
When the attackers successfully take over a LinkedIn account, they replace the account email address with one from the “rambler.ru” service, then change the password, locking the original owner out. In some cases they demand a small ransom; in others the account is deleted without any demand.

U.S. real estate property listings disrupted by ransomware attack.
Multiple listing services hosted by Rapattoni have been disrupted by an apparent ransomware attack. Property listings have been disrupted nationwide, leaving real estate agents unable to list or update property information. Because the attack stopped multiple regional MLS providers from carrying out many processes automatically, many have fallen back to manual processes. Cincy MLS, which supports 7,500 real estate agents in Cincinnati, has created a Facebook page for agents to share listing information manually. House listing apps such as Zillow have also been affected and are forced to input data manually. The attack occurred on 8 August, and as of last Tuesday afternoon Rapattoni’s production system remained offline. The company has not yet stated whether it was hit by ransomware.

Cybercriminals use a VPN provider’s certificate to sign malware.
SentinelLabs discovered Bronze Starlight, a China-aligned advanced persistent threat (APT) group, targeting the Southeast Asian gambling industry with malware signed using a valid certificate belonging to the Ivacy VPN provider. A valid certificate lets the malware bypass security controls, avoid raising system alerts, and blend in with legitimate software and traffic. The certificate belongs to PMG PTE LTD, a Singaporean vendor of the VPN product ‘Ivacy VPN’. SentinelLabs stated that VPN providers are critical targets because they “enable threat actors to potentially gain access to sensitive user data and communications”.
DigiCert revoked and invalidated the certificate in early June 2023 because it breached the “Baseline Requirements” guidelines.

Play ransomware group targeting Managed Service Providers.
The Adlumin Threat Research team discovered a concerning global campaign that uses Play ransomware. The Play ransomware group is targeting managed security service providers (MSPs) to gain initial access, and through them midsize financial, software, legal and logistics firms in the U.S., Australia, the United Kingdom and Italy. The director of Adlumin stated that the attack is hard for defenders to detect because it initially appears to be legitimate administrative access, which often gives the attackers free rein over the target’s network and IT assets. Furthermore, the group uses intermittent encryption (encrypting only parts of each file) to avoid triggering defenses that look for whole-file modifications.
In the vast expanse of the digital world, cybercriminals have perfected the art of deception to exploit human vulnerabilities. Email remains threat actors’ preferred method of attack. Among their most cunning tactics is phishing – a technique that uses fraudulent emails to lure individuals into divulging sensitive information. A report by OpenText Cybersecurity examined more than 13 billion emails sent in 2022 and found that email threats are on the rise. Approximately 56% of emails were spam, phishing, or carried attached malware, a 12.5% increase compared to the previous year. Of the 7.3 billion emails carrying these threats, over 1 billion were phishing emails. Furthermore, the report found that phishing spikes at various times of the year; the holiday and tax seasons remain the most active times for URL phishing and fraud.

The Anatomy of Phishing Attacks
Phishing attacks are like modern-day Trojan horses, using emails that appear genuine to entice recipients into actions that compromise their security. Cybercriminals invest time in crafting deceptive emails with the following elements:
Most Popular Phishing Tactics
According to the report, these are the most popular phishing tactics used by threat actors to scam businesses.

Spear-Phishing & Business Email Compromise (BEC) Attacks
As noted above, cybercriminals tend to make emails more personalized and elaborate to deceive recipients. This is known as spear-phishing. In BEC attacks, cybercriminals use spear-phishing tactics to convince recipients they are involved in a real business transaction, with the goal of obtaining the recipients’ financial account information. They do so by conducting extensive reconnaissance on their targets, drawing on company websites, LinkedIn, publicly disclosed financial information and similar sources to craft spear-phishing messages. One popular BEC technique is registering a domain whose name is very similar to that of a real, well-known company, or creating one or more email addresses that look similar to those of real employees. The email itself may also look legitimate, with text, style and logo matching the organization’s standard email template.

‘Live Off The Land’ Attacks
An increasing number of phishing attacks leverage legitimate services, such as Google and Amazon Web Services, to fool users. Threat actors use known and trusted URLs that redirect users to malicious sites or host the phishing payload itself.

Leverage Current Events
Threat actors use current events to pressure recipients into complying with their demands. For instance, a malicious email may pretend to originate from the U.S. Internal Revenue Service (IRS) and carry a malicious file that delivers malware. These messages usually convey a sense of urgency, pushing recipients into rushed decisions out of panic, confusion or worry.
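The lookalike-domain and lookalike-address tricks described under BEC above can be checked mechanically on inbound mail. The following is an added example (not code from the original post or from TAFA) that flags sender addresses resembling a constructed allow-list of trusted domains; the trusted domains, employee names and homoglyph table are all assumptions, and the registrable-domain logic ignores multi-label public suffixes such as co.uk.

```python
"""Lookalike sender check for BEC defence.

Added example, not from the original post.  Given a From: address it
reports whether the sender is a trusted domain, a lookalike of one
(homoglyphs, dropped hyphens, TLD swaps, trusted name embedded in or
used as a subdomain of another domain), a known employee name on an
outside domain, or unrelated.  Every domain and name below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed allow-list of the organisation's own domains.
TRUSTED_DOMAINS = ("example-corp.com", "example-bank.com")
# Constructed set of local parts used by real employees.
KNOWN_EMPLOYEES = {"jane.doe", "john.smith"}

# Single characters that read as letters in many fonts (non-exhaustive).
_CHAR_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "9": "g"})
# Character pairs that render like one letter.
_PAIR_MAP = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize_domain(domain: str) -> str:
    """Collapse cosmetic differences so that only real edits remain."""
    labels = []
    for label in domain.lower().split("."):
        label = label.translate(_CHAR_MAP).replace("-", "")
        for pair, repl in _PAIR_MAP:
            label = label.replace(pair, repl)
        labels.append(label)
    return ".".join(labels)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def registrable_domain(domain: str) -> str:
    """Last two labels.  Assumption: multi-label public suffixes (co.uk)
    are not handled; a production check should use the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


@dataclass(frozen=True)
class Verdict:
    label: str            # "trusted", "lookalike", "unrelated" or "invalid"
    domain: str
    closest: str | None   # trusted domain the sender most resembles
    distance: int | None  # normalised edit distance to that domain
    reason: str


def classify_sender(address: str, trusted=TRUSTED_DOMAINS,
                    employees=KNOWN_EMPLOYEES, max_distance: int = 2) -> Verdict:
    local, _, domain = address.strip().lower().rpartition("@")
    domain = domain.rstrip(".")
    if not local or "." not in domain:
        return Verdict("invalid", domain, None, None, "malformed address")
    # 1. Exact match or a genuine subdomain (mail.example-corp.com).
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return Verdict("trusted", domain, t, 0, "exact match or genuine subdomain")
    # 2. Trusted domain used as a leading label of an attacker-controlled domain.
    for t in trusted:
        if domain.startswith(t + "."):
            return Verdict("lookalike", domain, t, 0, "trusted domain used as subdomain of another domain")
    # 3. Small edit distance after homoglyph normalisation (examp1e-corp.com, example-corp.co).
    reg_norm = normalize_domain(registrable_domain(domain))
    dist, closest = min((edit_distance(reg_norm, normalize_domain(t)), t) for t in trusted)
    # Shorter trusted names get a tighter budget to limit false positives.
    allowed = min(max_distance, max(1, len(normalize_domain(closest)) // 6))
    if dist <= allowed:
        why = "homoglyph or punctuation variant" if dist == 0 else f"within {dist} edit(s) of trusted domain"
        return Verdict("lookalike", domain, closest, dist, why)
    # 4. Trusted name embedded in a longer registrable name (example-corp-secure.com).
    sender_sld = reg_norm.split(".")[0]
    for t in trusted:
        t_sld = normalize_domain(t).split(".")[0]
        if len(t_sld) >= 5 and t_sld in sender_sld:
            return Verdict("lookalike", domain, t, edit_distance(reg_norm, normalize_domain(t)),
                           "trusted name embedded in another domain")
    # 5. A real employee's address pattern on a domain the organisation does not own.
    if local in employees:
        return Verdict("lookalike", domain, None, None, "known employee name on an outside domain")
    return Verdict("unrelated", domain, closest, dist, "no resemblance to trusted domains")


if __name__ == "__main__":
    for addr in ("jane.doe@example-corp.com", "cfo@examp1e-corp.com",
                 "x@example-corp.com.evil.net", "jane.doe@gmail.com"):
        print(addr, "->", classify_sender(addr).label)
```

A verdict of "lookalike" is a signal for quarantine or a warning banner, not proof of fraud; pair it with SPF/DKIM/DMARC results and display-name checks before acting.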
Incorporate Technology That Recipients Find Reassuring
Internet users are familiar with CAPTCHA challenges as a security product or an extra verification step, such as picking the squares that contain cars, traffic lights or bicycles. Threat actors now regularly integrate CAPTCHAs into phishing attacks so that users believe they are safe and the page is legitimate, when the page actually hosts the threat. One example involves Truist, a financial corporation whose customers were targeted using this method. Victims received an email with a hyperlink labelled “Finish To-Do List”. Clicking the link redirected them to a page with a Truist-branded CAPTCHA that also asked for their phone number. This added credibility to the link, but it also handed the victims’ phone numbers to the attackers for future mobile attacks. After entering this information, victims were taken to a Truist-branded credential-harvesting page where the threat actors stole their credentials.

Why Phishing Emails Get the Most Bites
Based on the above, we further explain why phishing emails are gaining in popularity and why so many people still fall for them.
Staying Ahead: Strategies to Defend Against Phishing
These are some best practices you can adopt to defend yourself and your organization against phishing attacks and stay safe online.
Takeaway
Phishing emails represent a strategic manipulation of human psychology in the digital realm. Their effectiveness lies in exploiting trust, urgency, and cognitive overload. However, knowledge is power, and by understanding the tactics used by cybercriminals, individuals and organizations can arm themselves against these deceitful attempts. Through education, awareness, and adopting cybersecurity best practices, we can take a proactive stance in thwarting phishing attacks and fortifying our digital landscapes. Remember, the next email might not be what it seems; always stay vigilant and question before you click.

Cyber Security For Organizations with TAFA
In the current cyber environment, organizations face increasingly sophisticated cyber threats. To protect against them, it is necessary to use cybersecurity solutions that can prevent zero-day and advanced threats and also help ensure regulatory compliance. With our prevention-first and zero-trust approach to security using machine learning (ML) and artificial intelligence (AI), TAFA Shield will strengthen your company's ability to prevent and block cyber attacks. To learn more about TAFA Shield and how we can help your company, do not hesitate to contact us.
In the ever-evolving landscape of cybersecurity, traditional antivirus software is no longer sufficient to combat sophisticated and rapidly evolving threats. As cybercriminals become more adept at evading detection, the integration of machine learning (ML) and artificial intelligence (AI) has emerged as a game-changing approach to enhancing the effectiveness of cybersecurity defenses. This matters because cyber attacks are rapidly increasing and evolving: it has been estimated that 560,000 new pieces of malware are detected every day, and more than 1 billion malware programs are now circulating. This is especially true at the organizational level. Depending on the size of the organization, there could be up to several hundred billion time-varying signals that need to be analyzed to calculate risk accurately. Analyzing and improving cybersecurity defense is therefore no longer a human-scale problem, as a team of human experts cannot possibly address all of them. To make matters worse, cybercriminals are increasingly using AI to craft very convincing malicious content and execute sophisticated attacks. For instance, WormGPT, a black-hat tool recently launched by cybercriminals, has the potential to conduct various social engineering attacks and Business Email Compromise (BEC) attacks, also known as whaling. Cybercriminals have long been using ChatGPT and other AI-based tools to generate legitimate-looking malicious emails that trick employees into giving up sensitive information. Hence, the use of AI in cybersecurity is essential to keep pace with these malicious tactics. In this article, we explore the role of machine learning and AI in cybersecurity and discuss why traditional antivirus solutions are becoming obsolete.
The Power of Machine Learning and AI in Cybersecurity
“Time is the new currency in cybersecurity both for the defenders and the attackers” – Chris McCurdy, General Manager, IBM

AI and machine learning have become critical technologies in information security because they are effective tools for combating cyberattacks. It has been reported that 61% of organizations say they will not be able to identify critical threats without AI, while 69% believe AI is necessary to respond to cyberattacks. As we explore the power of machine learning and AI in cybersecurity, we also frame the current pain points in cybersecurity, which can be addressed under the umbrella of machine learning and AI technologies.
Benefits of Machine Learning and AI

Increase Speed Of Detection And Response
Machine learning and AI can analyze large amounts of data in seconds, which makes them much faster and less time-consuming than manual threat detection. They can also mitigate risk in near real time, greatly improving response times. This is especially important given the emergence of increasingly sophisticated and ever-evolving cyber threats. IBM’s report found that security AI and automation had the biggest impact on the speed of breach identification and containment for the surveyed companies: organizations that made extensive use of both AI and automation experienced a data breach lifecycle that was 108 days shorter than organizations that did not deploy these technologies (214 days versus 322 days).

Improve Accuracy And Efficiency
Machine learning and AI security systems provide improved accuracy and efficiency compared to traditional security solutions, as they can scan a myriad of devices and systems for potential vulnerabilities far faster than human operators could. They can also recognize patterns that are difficult for the human eye to detect, leading to more accurate detection of potential cyber threats and malicious activity.

Cost Savings
Machine learning and AI are cost-effective because they reduce the effort and time required to detect and respond to threats, which lowers the cost of defending against cyber threats. According to the Ponemon Institute, machine learning and AI can potentially save an average of more than $2.5 million in operating costs. They can also automate tedious security tasks, freeing valuable resources to focus on other business areas. IBM’s report identified AI and automation as the biggest cost saver, with organizations using them saving an average of US$1.76 million compared to those with limited or no use.
Improve Your Organization’s Security Posture
Machine learning and AI help strengthen cybersecurity over time: as more data is analyzed, they become more proficient at identifying suspicious activity. They can also overcome one of the persistent security challenges, human error and negligence.

Why Antivirus Solutions Are Becoming Obsolete:
Takeaway
As cyber threats become increasingly sophisticated and dynamic, the integration of machine learning and AI in cybersecurity is revolutionizing the defense against these malicious activities. The power of these technologies lies in their ability to analyze vast amounts of data, detect anomalies, and respond in real time. With their adaptive nature and predictive capabilities, machine learning and AI are reshaping the cybersecurity landscape, rendering traditional antivirus solutions obsolete. As organizations strive to protect their digital assets, embracing these advanced technologies becomes crucial for staying ahead of evolving cyber threats and ensuring robust security in the digital age.

Cyber Security For Organizations with TAFA
In the current cyber environment, organizations face increasingly sophisticated cyber threats. To protect against them, it is necessary to use cybersecurity solutions that can prevent zero-day and advanced threats and help ensure regulatory compliance. With our prevention-first and zero-trust approach to security using machine learning (ML) and artificial intelligence (AI), TAFA Shield will strengthen your company's ability to prevent and block cyber attacks. To learn more about TAFA Shield and how we can help your company, do not hesitate to contact us.
Last week, more cyberattacks and data breaches occurred across several industries; the government, public and healthcare sectors were particularly affected. New ransomware strains, adware, phishing campaigns and patches were also reported. Read on for a quick summary of what happened this week in cybersecurity.

The Police Service of Northern Ireland suffered ‘critical’ data breaches.
The Police Service of Northern Ireland (PSNI) suffered a “monumental” data breach on 8 August, after its employees’ personal identifying information was published online. The published data included the surname, initials, rank/grade, role and location of more than 100,000 serving officers and staff of the PSNI. The breach occurred when data was accidentally posted online in response to a Freedom of Information (FoI) request. The data was accessible for 3 hours before it was taken down. In a statement, Assistant Chief Constable Chris Todd said the incident was “unacceptable” and due to “human error”. The Information Commissioner’s Office (ICO) was alerted and an investigation has been launched. On 9 August, it was revealed that PSNI is also investigating a secondary data breach following the theft, from a private vehicle on 6 July, of a spreadsheet containing the names of more than 200 serving officers and staff, together with a police-issue radio and laptop.

EY breach exposed over 30,000 Bank of America customers.
EY has stated that 30,210 Bank of America customers were exposed in the MOVEit Transfer attacks. EY’s US branch has started contacting the individuals impacted by the breach. According to the letter EY sent to impacted individuals on 9 August, the firm learned of the incident on 31 May and launched an investigation to determine the scope of the issue.
The investigation found that neither EY’s nor Bank of America’s internal systems were affected, but a large amount of sensitive data was exposed, including full names, addresses, financial account information, debit or credit card numbers, Social Security numbers and government-issued ID numbers. EY stated that Bank of America will provide exposed clients with a “complimentary 2-year membership in an identity theft protection service.”

Cyberattack caused the suspension of the Gemini North Observatory.
The U.S. National Optical-Infrared Astronomy Research Laboratory (NOIRLab) detected a cyber incident on its computer systems on 1 August 2023. As a precaution, the Gemini Observatory computer systems were shut down, and the Gemini website and proposal tools are also currently offline. Both telescopes will remain closed while the NOIRLab IT team investigates and develops a recovery plan with NSF’s cyber specialists. On 9 August 2023, NOIRLab added that, as a further precaution, it has disconnected the Mid-Scale Observatories (MSO) network on Cerro Tololo and at SOAR, so the Víctor M. Blanco 4-meter Telescope and the SOAR Telescope are unavailable.

Missouri’s Department of Social Services disclosed that healthcare information was exposed in a data breach.
Missouri’s Department of Social Services (DSS) disclosed that protected Medicaid healthcare information was exposed after IBM was hit by the MOVEit Transfer data theft attack. The exposed information may include impacted people’s names, department client numbers, dates of birth, benefit eligibility status or coverage, and medical claims information. DSS stated that it is still reviewing the files involved and that it will take some time to analyze the data and fully determine the scope of the breach. DSS also said that the investigation so far has shown that only 2 Social Security numbers were exposed, and no banking information has been identified.
DSS is sending notifications to all Missouri Medicaid participants who were enrolled in May 2023 as a precaution, and suggests that individuals freeze their credit to prevent cybercriminals from opening new accounts or borrowing money in their name. DSS also strongly recommends monitoring credit reports for unusual activity.

The UK Electoral Commission disclosed a data breach that exposed 8 years of voter data.
The UK Electoral Commission disclosed a massive data breach that exposed the personal information of voters registered in the United Kingdom between 2014 and 2022, as well as the names of those registered as overseas voters. Threat actors accessed the agency’s servers, which held its email, control systems and copies of the electoral registers. Those who registered anonymously were not included in the exposed registers. The exposed voter information includes (1) personal data held in the Commission’s email system: full name, email address, home address (if included in a webform or email), personal and/or business contact number, the content of webforms and emails that may contain personal data, and any personal images sent to the Commission; and (2) personal data held in Electoral Register entries: full name, home address in register entries, and the date on which a person reaches voting age that year. The threat actors also had access to the Commission’s email server, exposing its internal and external communications. All UK voters are strongly advised to watch for targeted phishing emails that attempt to gather further sensitive information such as passwords, financial information or account numbers. If you receive a suspicious email, do NOT click on any links.

Knight ransomware distributed via fake TripAdvisor complaints.
The Knight ransomware, a recent rebrand of the Cyclops Ransomware-as-a-Service, is being distributed in an ongoing spam campaign that poses as TripAdvisor complaints. Felix, the Sophos researcher who discovered the campaign, said that the emails carried ZIP attachments named “TripAdvisorComplaint.zip”. A newer version of the campaign uses an HTML attachment instead. When the HTML file is opened, it displays what appears to be a browser window showing TripAdvisor, with a fake complaint submitted against a restaurant that the user is asked to review. Clicking the ‘Read Complaint’ button ultimately launches the malware. The ransomware then drops a ransom note demanding $5,000.

Industrial PLCs globally impacted by CODESYS V3 RCE flaws.
Millions of PLCs (programmable logic controllers) used in industrial environments worldwide are exposed to 15 vulnerabilities in the CODESYS V3 software development kit that allow remote code execution (RCE) and denial of service (DoS). These could let threat actors shut down power plants or steal information from critical infrastructure environments. According to the IEC 61131-13 standard, over 500 device manufacturers use the CODESYS V3 SDK to program more than 1,000 PLC models. The vendor released security updates addressing the vulnerabilities in April 2023; however, by their nature these devices are not updated frequently. Administrators are strongly advised to upgrade to CODESYS V3 V3.5.19.0 as soon as possible. Microsoft also recommends disconnecting PLCs and other critical industrial devices from the internet.

Google Play apps with 2.5 million installs secretly load advertisements when the phone's screen is off.
The Google Play store was infiltrated by 43 Android applications with 2.5 million installs that secretly displayed advertisements while the phone’s screen was off. McAfee’s Mobile Research Team discovered the malicious apps and reported them to Google, which subsequently removed them from Google Play. The apps were mainly media streaming apps and news aggregators, and their audience was predominantly Korean. Although classified as adware, they still pose user profiling risks, drain battery life, consume significant mobile data, and perpetrate fraud against advertisers.

Rhysida ransomware operation behind recent attacks on healthcare.
The Rhysida ransomware operation is gaining notoriety after recent attacks on healthcare and public health sector organizations. Rhysida is a relatively new Ransomware-as-a-Service group that previously focused mainly on entities in other industries. A bulletin published last week by the U.S. Department of Health and Human Services (HHS) warned that Rhysida’s scale of activity has grown to dangerous proportions and has recently shown a focus on the healthcare and public sector. Rhysida’s victims are distributed globally, across Western Europe, Australia, and North and South America.

Code leaks are resulting in an increase in new ransomware actors.
When ransomware source code or builders are leaked, it becomes easier for aspiring cybercriminals who lack the expertise to develop their own ransomware variants. This has drawn more actors into the space and increased the number of ransomware variants, leading to more frequent attacks and new challenges for cybersecurity professionals. Talos has consistently observed malicious campaigns since the start of 2023 in which cybercriminals used new ransomware variants based on leaked source code or builders.

Google to combat threat actors with weekly security updates.
Google has changed Google Chrome’s security update schedule from bi-weekly to weekly. This addresses the growing patch gap problem, which gives cybercriminals extra time to exploit published zero-day and n-day flaws (an n-day being the exploitation of a known and already patched security issue). The gap arises because Chromium is an open-source project whose source code and developer fixes anyone can inspect, which lets cybercriminals identify flaws and exploit them before the fixes reach the massive user base of stable Chrome releases. With weekly updates, Google further narrows the patch gap and reduces the window of n-day exploitation to a single week. While not a complete fix, this will certainly improve Chrome security.

EvilProxy phishing campaign: 120,000 phishing emails sent to over a hundred organizations’ Microsoft 365 accounts.
Researchers from Proofpoint found that 120,000 phishing emails were sent to over a hundred organizations in an attempt to steal Microsoft 365 accounts. EvilProxy has become one of the more popular phishing platforms for targeting MFA-protected accounts. The researchers warned of a surge in successful cloud account takeover incidents over the past 5 months, primarily affecting high-ranking executives. They found that attackers prioritize “VIP” targets and ignore those lower in the hierarchy: of the accounts breached, 39% belonged to C-level executives, 9% to CEOs and vice-presidents, 16% to chief financial officers, and the rest to employees with access to sensitive information or financial assets. Proofpoint observed a very large-scale campaign supported by EvilProxy that combines brand impersonation, bot detection evasion and open redirects. The EvilProxy service has been seen sending emails impersonating popular brands such as Adobe, DocuSign and Concur.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
In an era where the digital landscape is integral to our lives, the security of sensitive information has taken center stage. This is where Information Security Management (ISM) comes into play. ISM is not just a technological measure; it is a strategic approach that ensures the confidentiality, integrity, and availability of data. ISM may be driven both by corporate security policies (internally) and by regulations (externally) such as the Personal Data Protection Act [PDPA], the Payment Card Industry Data Security Standard [PCI-DSS], and the Health Insurance Portability and Accountability Act [HIPAA]. In this article, we explore the essence of ISM, its importance, and the many benefits it offers to organizations and individuals alike.

A Summary
What is Information Security Management?
Information Security Management is a comprehensive strategy that encompasses the processes, policies, practices, and technologies designed to protect the confidentiality, integrity and availability of an organization's information assets against threats and vulnerabilities. These assets include digital data, intellectual property, customer information, and more. ISM aims to mitigate risk and prevent unauthorized access to, alteration of, or destruction of sensitive information.

Objectives of Information Security Management
Information security at the organizational level is focused on protecting data:
The Importance of Information Security Management
Benefits of Information Security Management
Takeaway
Information Security Management is not just a technological measure; it is a strategic imperative. By prioritizing the confidentiality, integrity, and availability of data, organizations can navigate the complex digital landscape with confidence. From risk mitigation and cost savings to reputation enhancement, the benefits of ISM are far-reaching. In a world where data is both a prized asset and a potential liability, embracing ISM is the key to securing the digital frontier and fostering a safer, more resilient digital future.
Ransomware has emerged as a digital epidemic, disrupting businesses, organizations, and individuals on an unprecedented scale. The year 2023 has witnessed an alarming trend: ransomware payments are soaring to new heights. According to Chainalysis, ransomware is the only cryptocurrency crime category that has seen a rise in revenue, with all the others (hacks, malware, scams, abuse material sales, darknet markets and fraud shops) recording a decline.
The trajectory of these payments is a cause for concern, shedding light on the evolving tactics of cybercriminals and the challenges faced by victims. In this blog post, we delve into the details of this disconcerting trend, explore the factors contributing to the surge, and discuss strategies to mitigate the impact of ransomware attacks.

The Ransomware Payments Surge: A Disturbing Reality
The Chainalysis report revealed a startling reality: ransomware payments are reaching record-breaking levels in 2023. Chainalysis states that ransomware attackers are on their way to their second-biggest year ever, having extorted at least $449.1 million through June. The cumulative ransomware revenue for 2023 reached 90% of the 2022 total in the first half of the year alone.

Understanding the Ransomware Ecosystem
Why was there such a huge surge in ransomware payments? Analysts believe the driving force behind this steep increase in revenue is that cybercriminals have returned to targeting large organizations that can be extorted for large sums of money. Infamous ransomware groups such as Clop, LockBit, BlackBasta and ALPHV/Blackcat are leading this trend of high-value payments. For instance, Clop has an average payment size of $1.7 million and a median payment of $1.9 million. The Clop ransomware gang is responsible for the MOVEit Transfer data theft attack, which had impacted over 601 organizations as of 8 August 2023, and the number of impacted organizations is still increasing. This is not to say that small ransomware payments are declining; they too have been observed to grow. The ransomware-as-a-service (RaaS) operations in this tier include Dharma, Phobos and STOP/DJVU, whose average 2023 payment sizes are $265, $1,719 and $619 respectively. It is important to note that ransom amounts vary with the size of the targeted organization.
The Tug of War: To Pay or Not to Pay

Victims of ransomware attacks often find themselves caught in a moral and financial dilemma. Paying the ransom can facilitate data recovery, but it also fuels the cybercriminal economy and emboldens attackers. Government agencies such as CISA, NCSC, FBI, ANSSI and CSA warn against paying the ransom: payment does not guarantee that the cybercriminals will provide decryption or that all files will be recovered. Furthermore, paying emboldens cybercriminals to target more organizations and encourages other threat actors to engage in the distribution of ransomware. Experts in the field also hypothesize that as the share of organizations willing to pay the ransom decreases year over year, cybercriminals may further increase their ransom demands, aiming to compensate for these losses through huge payments from those that do give in.

The Importance of Robust Cybersecurity Measures

Prevention is the first line of defense against ransomware attacks. Organizations need to implement robust cybersecurity measures: regularly updating their software, maintaining secure and up-to-date data backups, carrying out employee training, utilizing advanced threat detection tools, and deploying endpoint security solutions such as an Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR). These measures fortify an organization's defenses by helping to detect and neutralize ransomware before it propagates within the network.
Takeaway

The surging trajectory of ransomware payments in 2023 underscores the urgent need for robust cybersecurity measures and proactive defense strategies. By understanding the ransomware ecosystem, making informed decisions about payment, and investing in preventive measures, organizations and individuals can stand strong against the onslaught of cyber threats. Let us unite in our commitment to cybersecurity excellence, fortifying our digital landscapes and working together to create a safer and more resilient online world.

Securing Your Organization With TAFA

In the current cyber environment, organizations face increasingly sophisticated cyber threats. To protect against these threats, it is necessary to utilize cybersecurity solutions that can prevent zero-day and advanced cyber threats and help ensure regulatory compliance. With our prevention-first and zero-trust approach to security using Machine Learning (ML) and Artificial Intelligence (AI), TAFA Shield will strengthen your company's ability to prevent and block cyber attacks and threats. Not only do we protect your endpoints, but we also proactively detect and respond to cyber threats, provide managed SOC services to further improve your security posture, and provide professional cybersecurity services that deliver guidance, support and expertise in designing, implementing and managing cybersecurity solutions tailored to your specific needs. Furthermore, with our comprehensive customized vulnerability assessment and penetration testing (VAPT) service, we not only help ensure the safety and security of your organization's operations and data, but also help you meet the required industry and regulatory compliance requirements. To learn more about TAFA Shield, our MSSP service, and our VAPT service, and how we can help your company, do not hesitate to contact us.
Last week was overrun by data breaches across a range of sectors; government agencies in particular have been hit hard. New vulnerabilities have also been disclosed and patches released, and it is highly recommended to apply them.
Read on for a quick summary of what happened this week in cybersecurity.

U.S. government contractor Serco Inc. discloses data breach from MOVEit theft attack: personal information of over 10,000 people stolen

Serco Inc., the Americas division of the multinational outsourcing company Serco Group, disclosed a data breach after attackers stole the personal information of over 10,000 individuals. The breach occurred through a third-party vendor, CBIZ, one of the many victims of the MOVEit attack. Compromised personal information included any combination of: name, social security number, birth date, mailing address, Serco and/or personal email address, and selected health benefits for the year. Serco is collaborating with CBIZ to investigate the breach and the extent of its impact, and is focusing on implementing security measures to prevent such incidents from happening again.

Rilide malicious Chrome extension: new campaign targets crypto users and enterprise employees

The Rilide Stealer Chrome browser extension has returned with new campaigns that target crypto users and enterprise employees to steal their credentials and crypto wallets. The first discovered version of the Rilide extension impersonated legitimate Google Drive extensions to hijack the browser, monitor all user activity and steal information such as email account credentials or cryptocurrency assets. Trustwave SpiderLabs has now discovered a new version of Rilide that overcomes the restrictions of Google's new extension specifications and contains additional code to evade detection. This version also targets banking accounts. Trustwave researchers found that Rilide is gaining popularity among hackers, noting the use of multiple droppers for Rilide and several potentially authentic leaks of its source code, which exposed the code to many hackers.
With this malicious Chrome extension being continuously improved by threat actors, Rilide's activity in the wild is unlikely to decrease.

Hackers posed as technical support staff on Microsoft Teams to breach government agencies

Microsoft security researchers stated last Wednesday that the Russian state-sponsored hacking group APT29 posed as technical support staff on Microsoft Teams to compromise dozens of global organizations, including government agencies. The social engineering campaign used previously compromised Microsoft 365 accounts to create new technical-support-themed domains. From these domains, the hackers sent Microsoft Teams messages that manipulated users into granting approval for multi-factor authentication prompts, allowing them to gain access to the victims' user accounts and exfiltrate sensitive information. The campaign has targeted or breached fewer than 40 unique global organizations, including government agencies, non-governmental organizations, IT services, technology, discrete manufacturing and media sectors.

Mondee security lapse exposed database with sensitive customer information

Anurag Sen, a good-faith security researcher, found an exposed Mondee database containing 1.7 terabytes of sensitive customer information, including names, gender, birth dates, home addresses, passport numbers, detailed flight and hotel itineraries, ticket and booking details, and unencrypted credit card numbers and expiry dates. The database also contained non-customer testing data generated by Mondee developers. TechCrunch, alerted by Sen, found that the database was also accessible from an easily guessable domain of a Mondee subsidiary's website. Much of the data appears to relate to the Mondee subsidiary TripPro, a travel agent platform. When reached by email, a Mondee spokesperson did not acknowledge the incident or provide comment.
The database became inaccessible a short time after TechCrunch contacted Mondee, meaning that the exposed database was secured.

1.7 million Oregon residents' health data accessed by MOVEit hackers

The hackers behind the MOVEit attack have accessed the health data of 1.7 million Oregon residents via Performance Health Technology (PH Tech). PH Tech has confirmed the attack and stated that the compromised information includes patients' names, birth dates, Social Security numbers, email addresses, postal addresses, member and plan ID numbers, insurance authorizations, diagnosis and procedure codes, and claims information.

Salesforce zero-day exploited by hackers in Facebook phishing attack

Hackers exploited a zero-day vulnerability in Salesforce's email services and SMTP servers to launch a phishing campaign targeting Facebook accounts. By bypassing Salesforce's sender verification safeguards and abusing quirks in Facebook's web games platform, they were able to mass-send the malicious emails. Because the mail is sent through Salesforce, a reputable email gateway, it evades the recipients' email gateways and filtering rules, ensuring that the malicious emails reach the target's inbox. Guardio Labs analysts discovered the campaign and helped Salesforce with remediation; the vulnerability was fixed a month later, on 28 July. Meta has removed the violating pages, but Meta engineers are still trying to figure out why the existing protections failed to stop these attacks. It is highly recommended not to depend entirely on email protection solutions, but to double-check every email you receive to avoid falling for such phishing attacks.

U.S. and Norwegian cybersecurity agencies: hackers have exploited Ivanti zero-day flaw since April

The U.S. and Norwegian cybersecurity agencies, CISA and NCSC-NO respectively, have warned that hackers exploited a zero-day flaw in Ivanti's mobile endpoint management software undetected for at least three months (since April).
It was confirmed last week that 12 Norwegian ministries were compromised via this zero-day flaw. Both agencies have also urged agencies to search their systems for potential compromise, using the Known Exploited Vulnerabilities catalog, and to immediately report any issues. Ivanti released a patch for the first vulnerability (CVE-2023-35078) on 23 July and another for the second vulnerability (CVE-2023-35081) on 28 July. According to Shodan, more than 2,200 MobileIron user portals are currently exposed online, including over a dozen connected to U.S. government agencies.

At least 640 Citrix servers breached and backdoored with web shells in ongoing attacks

Shadowserver Foundation security researchers have disclosed that attackers deployed web shells on at least 640 Citrix NetScaler ADC and Gateway servers in a series of attacks targeting a critical RCE vulnerability (CVE-2023-3519). This vulnerability was previously exploited to breach the network of a U.S. critical infrastructure organization. Citrix released security updates on 18 July to address the RCE vulnerability, has acknowledged that vulnerable appliances have been exploited, and urges customers to install the patches immediately. The vulnerability mainly impacts unpatched NetScaler appliances configured as gateways (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as authentication virtual servers (AAA server).

Hot Topic notifies customers of data breach that compromised sensitive information

Hot Topic, an American apparel retailer, has notified customers about multiple cyberattacks between 7 February and 21 June that exposed their sensitive information to hackers. The company stated that hackers used stolen account credentials to access the Rewards platform multiple times, potentially stealing customer data as well.
The information that may have been exposed includes customers' full names, email addresses, order history, phone numbers, birth dates, shipping addresses, and the last four digits of saved payment cards. Hot Topic strongly recommends that customers reset their account passwords and use a strong, unique password. It is also highly recommended to reset your credentials on any other platform where you used the same credentials.

Canon warns of Wi-Fi security risk with inkjet printers if memory is not wiped before disposal

Canon is warning users of its inkjet printers that others can gain access to the Wi-Fi connection settings stored in the devices' memory if those settings are not wiped during initialization. This flaw could help a malicious third party gain unauthorized access to the network the printer was connected to, allowing them to access shared resources, steal data or launch other privacy-invading attacks by exploiting other vulnerabilities. The vendor has published a document to help users check whether their printer model is affected. Canon strongly recommends that owners of impacted printers wipe their Wi-Fi settings before a third party gains access to the printer.

The Colorado Department of Higher Education discloses a massive data breach

The Colorado Department of Higher Education (CDHE) stated that it suffered a ransomware attack on 19 June 2023, and the resulting data breach impacts current students, past students and teachers. The data stolen from CDHE's systems spanned 13 years, between 2004 and 2020, and includes full names, social security numbers, birth dates, addresses, proof of address (statements/bills), photocopies of government IDs and, for some, police reports or complaints regarding identity theft. The CDHE is therefore providing free identity theft monitoring for 24 months to those impacted.
Impacted students and teachers may include those who attended a public institution of higher education in Colorado between 2007 and 2020, attended a Colorado public high school between 2004 and 2020, held a Colorado K-12 public school educator license between 2010 and 2014, participated in the Dependent Tuition Assistance Program from 2009 to 2013, participated in the Colorado Department of Education's Adult Education Initiatives programs between 2013 and 2017, or obtained a GED between 2007 and 2011. Those impacted should be wary of phishing emails that attempt to obtain further information such as financial details, account numbers or passwords.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!