TAFA Archives
April 2024
Last week, breaches and cyberattacks hit several industries, from information services, legal and research to the tech industry, with devastating consequences such as major outages and data leaks. New vulnerabilities have also been found and patches released. It is highly recommended not only to be aware of them but also to apply the patches where possible.

Read on for a quick summary of what happened this week in the space of cybersecurity.

Idaho National Laboratory, one of the biggest U.S. nuclear research labs, breached: personal data of thousands of employees leaked

SiegedSec, a hacking group, breached a human resources application belonging to Idaho National Laboratory (INL), a nuclear research lab, and claimed to have accessed "hundreds of thousands of user, employee and citizen data". SiegedSec posted a sample of the leaked data. The stolen and leaked personal data includes, but is not limited to, full names, social security numbers, addresses, health care information, bank account and routing numbers, account types, and marital status. One file contained a detailed list of recent terminations with a brief reason for each termination. Another file shows more than 6,000 lines of active employees' social security numbers, and a further leaked file contains over 58,000 lines of detailed data on current, retired and former employees. Lori McNamara, an INL spokesperson, confirmed the breach, which affected the servers supporting its Oracle HCM system, which in turn supports its human resources applications, but stated that the lab is still investigating the extent of the impact alongside the FBI and CISA. McNamara also stated that INL has taken immediate action to protect its employees' data. This is worrying, as INL scientists work on some of the most sensitive U.S. national security programs, including the protection of U.S. critical infrastructure (e.g. the power grid). The leaked employee data could be used by foreign intelligence agencies to penetrate the lab.

The Canadian government discloses a data breach after 2 of its contractors were hacked

The Canadian government has disclosed that the sensitive information of an undisclosed number of government employees was exposed after 2 of its contractors were hacked last month. The contractors impacted are Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services; both provide relocation services to Canadian government employees. Government-related information stored on the compromised BGRS and SIRVA Canada systems dates back to 1999 and belongs to a broad spectrum of Canadian government employees, including the Royal Canadian Mounted Police (RCMP), the Canadian Armed Forces, and Government of Canada employees. Once notified of the breach, the Canadian government reported it to the relevant authorities. Although investigations are still underway, preliminary analysis suggests that those affected may have had their personal and financial information exposed. The government will provide credit monitoring and re-issue valid passports to current and former members of the public service, the RCMP, and the Canadian Armed Forces who relocated with BGRS or SIRVA during the last 24 years. Those who may be affected are highly recommended to update their login credentials, enable multi-factor authentication, and monitor their financial and personal accounts for suspicious and unusual activity.

TmaxSoft, an enterprise software provider, leaked over 50 million sensitive records

TmaxSoft, a Korean IT company that develops and sells enterprise software, had a 2TB Kibana dashboard exposed for over 2 years. Cybernews researchers discovered this in January 2023, noting that the dataset was first spotted in June 2021; the company has not responded to their emails. Over 56 million records were found to have been leaked, although some entries are duplicates. The leaked data includes employees' names, emails, phone numbers and contract numbers, the content of sent attachments (documents and PDFs), metadata of sent binaries (e.g. executable names, the file paths where they are stored, version names), employees' IPs, user agents and URLs of accessed internal tools, as well as internal issue-tracking messages. Most of the leaked data is company information and company emails. Furthermore, as TmaxSoft specialises in middleware solutions, the leaked data could be exploited in a supply chain attack affecting its clients and providers. The researchers also state that competitors could exploit the leaked information about TmaxSoft's projects.

Welltok data breach exposes nearly 8.5 million patients' personal data

Welltok, a healthcare SaaS provider, has stated that as a result of the MOVEit data breach, the personal data of 8,493,379 patients in the U.S. has been exposed, making the Welltok breach the 2nd largest MOVEit data breach. The exposed patient data includes full names, email addresses, physical addresses and telephone numbers; for some patients it also includes social security numbers, Medicare/Medicaid ID numbers and health insurance information. Impacted institutions are located in various states, including Minnesota, Alabama, Kansas, North Carolina, Michigan, Nebraska, Illinois and Massachusetts.

Taj Hotels investigates claims of a data breach exposing the personal information of 1.5 million customers

The Tata-owned Taj Hotels group has suffered a data breach that exposed the personal information of over 1.5 million of its customers. According to the report, a threat actor called "Dnacookies" demanded $5,000 as ransom for the full dataset, which apparently includes customers' addresses, membership IDs, mobile numbers and other personally identifiable information. The company has said that it is currently investigating the claims and has notified the relevant authorities. A spokesperson also stated that so far they have found no indication of any current or ongoing security issue or impact on business operations.

Cyberattack on IT provider CTS causes major outage impacting many UK law firms

A cyberattack on CTS, a managed service provider (MSP) for the UK legal sector, has caused a major outage that has impacted numerous law firms and home buyers in the UK since Wednesday. In its published statement, CTS said the outage affected some of the services it delivers to its clients. CTS is working with a third-party cyber forensics firm to investigate the incident and to restore the online services impacted by the cyberattack, but is unable to provide a timeline for when the affected systems will be fully restored. Local media report that between 80 and 200 law firms could be affected, based on estimates shared by CTS clients. Throughout the week, people have reportedly been unable to buy or sell properties because of the outage, with no clear information on when the issue will be resolved.

The Kansas Judicial Branch confirms data theft occurred during last month's cyberattack

The Kansas Judicial Branch published an update confirming that the hackers stole sensitive files containing confidential information from its systems during last month's cyberattack, and that the hackers are threatening to post the stolen data on a dark web site if their demands are not met. The stolen information includes Office of Judicial Administration files, district court case records on appeal, and other data, "some of which may be confidential under law". Multiple systems impacted by last month's cyberattack remain offline, including Kansas Courts eFiling, the Kansas Protection Order Portal, Kansas District Court Public Access, the Appellate Case Inquiry System, Kansas eCourt Case Management, Kansas Attorney Registration, the Kansas online marriage licence application, and the Central Payment Center. The Kansas authority estimates that it will need several weeks until all systems return to normal, and has promised to notify impacted individuals once the review of the stolen data is completed.

AutoZone warns thousands of customers of MOVEit data breach

AutoZone, an auto parts giant, is warning tens of thousands of its customers that they have suffered a data breach as a result of the MOVEit data theft attack. AutoZone informed the U.S. authorities on 21 November that it had suffered a data breach that compromised the data of 184,995 customers. After determining on 15 August that it had been impacted by the MOVEit data breach, it took AutoZone 3 more months to determine which types of data the threat actors had stolen from its systems and who had been impacted. Although the details of what type of data was compromised were redacted, the listing mentions "full names" and "social security numbers". In the letter to impacted individuals, the firm states that it will cover the cost of an identity theft protection service, and advises them to remain vigilant for the next 2 years and to report any suspicious activity to the relevant authorities.

British Library HR documents leaked, and the Rhysida ransomware gang claims responsibility for the attack

The British Library's press office confirmed on 20 November that internal HR documents stolen from the British Library had been leaked online. As a precautionary measure, it warned users to reset their passwords and to change similar passwords used for other accounts. However, the library has yet to find evidence that the attackers gained access to other information during the cyberattack. The Rhysida ransomware gang has claimed responsibility for the attack, which caused a major ongoing IT outage at the British Library, with its online systems, services and certain onsite facilities still being impacted. The library estimates that many of its services will be restored within the next few weeks, but some disruptions might persist for a longer period. Rhysida is auctioning off the stolen data and accepting bids from interested parties. The group leaked a low-resolution screenshot of what looks like an ID scan from the library's compromised systems.

Critical-severity security vulnerability in the ownCloud sharing app exposes administrator passwords and mail server credentials

ownCloud, an open source file sharing software, is warning of 3 critical-severity security vulnerabilities that could severely impact the integrity of ownCloud installations, including one that can expose administrator passwords and mail server credentials. The first flaw (CVE-2023-49103) can be used to steal credentials and configuration information; it exposes all environment variables of the web server. The recommended fix is to delete the 'owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php' file, disable the 'phpinfo' function in Docker containers, and change potentially exposed sensitive information such as the admin password, mail server and database credentials, and Object-Store/S3 access keys. The second vulnerability is an authentication bypass through which unauthenticated attackers are able to access, modify or delete any file; ownCloud recommends denying the use of pre-signed URLs if no signing key is configured for the owner of the files. The last flaw is a subdomain validation bypass, which allows an attacker to supply a crafted redirect URL that bypasses the validation code and so redirects callbacks to a domain controlled by the attacker. ownCloud recommends hardening the validation code in the OAuth2 app; as a temporary workaround, administrators can disable the "allow subdomains" option.
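An added audit helper (not ownCloud's or the advisory's own tooling) that checks the first two remediation steps for CVE-2023-49103 on a host: that the GetPhpInfo.php test file is gone and that phpinfo is listed in PHP's disable_functions. The install root and php.ini path are passed as arguments and are assumed, not taken from the advisory.

```shell
#!/bin/sh
# Added audit helper for the ownCloud graphapi remediation; not ownCloud's own code.
# Assumptions: the install root contains the apps/graphapi/... tree named in the
# advisory, and the php.ini given is the one the (Docker) PHP runtime actually loads.

# Relative path of the test file that leaks phpinfo() output (from the advisory).
GRAPHAPI_TEST_FILE="apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

# Returns 0 when GetPhpInfo.php has been removed from the install rooted at $1.
graphapi_test_file_removed() {
    [ ! -e "$1/$GRAPHAPI_TEST_FILE" ]
}

# Returns 0 when phpinfo appears in the effective disable_functions directive of $1.
# Only the last uncommented disable_functions line counts (PHP honours the last one);
# entries are comma separated and may carry blanks or quotes, which are stripped.
phpinfo_disabled() {
    line=$(grep -E '^[[:blank:]]*disable_functions[[:blank:]]*=' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | cut -d= -f2- | tr ',' '\n' \
        | sed 's/[[:blank:]"]//g' | grep -qx phpinfo
}

# Runs both checks, prints one finding per check, returns the number of failures.
audit_owncloud() {
    root="$1"; ini="$2"; failures=0
    if graphapi_test_file_removed "$root"; then
        echo "OK   $GRAPHAPI_TEST_FILE is absent"
    else
        echo "FAIL $root/$GRAPHAPI_TEST_FILE still present: delete it (CVE-2023-49103 fix)"
        failures=$((failures + 1))
    fi
    if phpinfo_disabled "$ini"; then
        echo "OK   phpinfo is listed in disable_functions in $ini"
    else
        echo "FAIL phpinfo is not disabled in $ini: add it to disable_functions"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Stand-alone usage: sh audit.sh /path/to/owncloud /path/to/php.ini
# Exit status is the number of failed checks, so it can gate a deployment step.
if [ "$#" -eq 2 ]; then
    audit_owncloud "$1" "$2"
fi
```

The third step from the advisory, rotating the admin password, mail and database credentials and S3 keys, cannot be verified from the filesystem and still has to be done by hand.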
These vulnerabilities can potentially lead to the exposure of sensitive information, stealthy data theft, phishing attacks and more. ownCloud administrators are therefore highly recommended to apply the recommended fixes as soon as possible and to perform library updates to mitigate the risks.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
Last week, breaches and cyberattacks hit several industries, from information services, electronics, media and government to the healthcare industry. In a new turn of events, a ransomware gang has filed an SEC complaint against one of its alleged victims over an undisclosed breach. New vulnerabilities have also been found and patches released. It is highly recommended not only to be aware of them but also to apply the patches where possible.

Read on for a quick summary of what happened this week in the space of cybersecurity.

New turn of events: ransomware gang files SEC complaint against one of its alleged victims over an undisclosed breach

The ALPHV/BlackCat ransomware gang has filed a U.S. Securities and Exchange Commission (SEC) complaint against one of its alleged victims for not complying with the 4-day rule for disclosing a cyberattack. The threat actor listed the software company MeridianLink on its data leak website with a threat to leak the allegedly stolen data unless a ransom is paid. The alleged lack of response from MeridianLink likely prompted the ransomware gang to exert more pressure by filing an SEC complaint accusing MeridianLink of not disclosing a cybersecurity incident that impacted "customer data and operational information". The gang published on its site screenshots of the form it filled in, and of the reply it received from the SEC, to show that the submission was received. Although many ransomware and extortion gangs have threatened to report breaches and data theft to the SEC, this is the first public confirmation that one has done so.

LockBit ransomware exploits Citrix Bleed vulnerability, more than 10,000 servers exposed

LockBit ransomware attacks are exploiting the Citrix Bleed vulnerability (CVE-2023-4966) to breach the systems of large organisations, steal data and encrypt files. Although Citrix released a patch for the vulnerability more than a month ago, thousands of internet-exposed endpoints are still running vulnerable appliances, many of them in the U.S. Kevin Beaumont, a threat researcher, has been tracking the attacks against various companies, including the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing; all of them had exposed Citrix servers that were vulnerable to Citrix Bleed. This was further confirmed by the Wall Street Journal, which obtained an email from the U.S. Treasury stating that LockBit was responsible for the ICBC cyberattack, which was achieved by exploiting the Citrix Bleed flaw. As of 14 November, Yutaka Sejiyama, a threat researcher, found that more than 10,400 Citrix servers are vulnerable to CVE-2023-4966, including servers in large and critical organisations, all of which remained unpatched over a full month after the disclosure of the critical flaw.

Truepill, a pharmacy provider, data breach impacts 2.3 million customers

Postmeds, which does business as Truepill, a B2B-focused pharmacy platform, is sending notifications to the people affected by a data breach that allowed threat actors to access their sensitive personal information. According to the U.S. Department of Health and Human Services Office for Civil Rights breach portal, the incident impacted 2,364,359 people. The data types that might have been accessed by the hackers include full name, medication type, demographic information and the name of the prescribing physician; the notice clarified that social security numbers were not exposed. Postmeds is under legal fire as multiple class action lawsuits are being prepared across the country, arguing that the breach would have been prevented if Postmeds had security that complies with industry guidelines, specifically by encrypting the sensitive healthcare information stored on its servers.

Samsung Electronics data breach affects UK store customers

Samsung Electronics is notifying customers of a data breach that exposed their personal information; the breach only impacted customers who made purchases from the Samsung UK online store between 1 July 2019 and 30 June 2020. Samsung discovered the breach on 13 November and determined that it occurred through the exploitation of a vulnerability in a third-party application the company used. The notification to impacted customers details that the exposed data may include names, phone numbers, postal addresses and email addresses. Samsung emphasised that no credentials or financial information (such as credit card details or customer passwords) were affected by the breach. Representatives told BleepingComputer that all necessary steps had been taken to address the security issue, and that the incident has been reported to the UK's Information Commissioner's Office.

Nearly 9 million health records compromised in a cyberattack against a medical transcription service provider

A cyberattack against Perry Johnson & Associates (PJ&A) has led to the personal and health information of 8,952,212 Americans being compromised, the 2nd largest breach of U.S. health-related data this year. PJ&A began writing to affected individuals on 31 October, advising them that its systems were breached between 27 March and 2 May, with the hackers gaining access to personal health information between 7 April and 19 April. However, the scale of the attack was only revealed when PJ&A notified the Department of Health and Human Services this week. The compromised information includes patients' names, birth dates, addresses, medical record numbers, hospital account numbers, their diagnosis when admitted for care, and the dates and times they received treatment. Other data that may have been exposed includes social security numbers, insurance details, and clinical information from medical transcription files (e.g. test results, medications, and the names of treatment facilities and healthcare providers). The company emphasised that no credit card or bank account information, usernames or passwords were compromised.

Philippine Center for Investigative Journalism (PCIJ) website goes offline after cyberattack

An active hacking attack on PCIJ's website forced the organisation to temporarily take the website down in order to assess and prevent further damage, stated its Executive Director Carmela Fonbuena. The National Union of Journalists of the Philippines (NUJP) called it the "most serious" attack against the PCIJ in recent years, adding that the hackers' intention is to make the website, which specialises in investigative reporting, inaccessible. Fonbuena added that PCIJ is taking steps to protect its infrastructure and archives.

Long Beach, California shuts down portions of its IT network after a cyberattack

The Californian city of Long Beach has shut down portions of its IT network after a cyberattack, to prevent the attack from spreading to other devices. The City stated that the systems are expected to be offline for upwards of several days, and that it has engaged a cybersecurity firm to investigate the incident and notified the FBI. While some of the City's online services remained unavailable through the weekend, emergency services were unaffected. As of now, it is unclear what type of cyberattack occurred and whether data was stolen.

Toyota confirms breach after the Medusa ransomware gang claims the attack

Toyota Financial Services (TFS) confirmed that it detected unauthorised access to some of its systems in Europe and Africa after the Medusa ransomware gang listed TFS on its data leak site and demanded a ransom payment of $8 million to delete the allegedly stolen data. The gang has given Toyota 10 days to respond, with an option to extend the deadline for $10,000 per day. As evidence that data was exfiltrated, the hackers published sample data that includes financial documents, spreadsheets, purchase invoices, hashed account passwords, cleartext user IDs and passwords, agreements, passport scans, internal organisation charts, financial performance reports, staff email addresses and more. Most of the documents are in German, which indicates that the attackers accessed systems servicing Toyota's operations in Central Europe. TFS took several systems offline to investigate the breach and to reduce further risk. A TFS spokesperson also told BleepingComputer that the process of bringing systems back online is already underway in most countries.

Toronto Public Library confirms personal data stolen during a ransomware attack

The Toronto Public Library (TPL) confirmed that the personal information of employees, volunteers, donors and customers was stolen from a compromised file server during the October ransomware attack. The file server holds data on TPL and Toronto Public Library Foundation (TPLF) employees going back to 1998. The information possibly stolen includes names, social insurance numbers, birth dates, home addresses, and possibly copies of government-issued identification documents provided to TPL by staff. TPL has not disclosed the type of customer data stolen or how many people have been affected by the breach. TPL stated that it did not pay the ransom and has reported the breach to the relevant authorities. A photo of a ransom note shown on a TPL workstation revealed that the Black Basta ransomware gang was behind the attack, which had disrupted numerous services by the morning after it began. TPL's email services were minimally impacted and the library's phone systems were not affected. TPL's primary servers, which house sensitive data, were also not encrypted, which suggests that the ransomware gang did not have full access to TPL's networks and data. As a precautionary measure, however, TPL shut down all other internal systems after the attack was detected.

Ascentis, a loyalty marketing agency, fined S$10,000 over Starbucks Singapore data leak

Ascentis, the developer of an e-commerce platform owned by Starbucks Singapore, has been fined S$10,000 over a data breach in which the personal data of 332,774 Starbucks Singapore customers was put up for sale on a dark web forum. The leaked personal data included names, physical addresses, email addresses, telephone numbers, birth dates, membership details relating to the loyalty programme, and last login dates to the platform. The Personal Data Protection Commission (PDPC) said in its judgement that Ascentis failed to disable an ex-employee's admin account after he left, and that the account was not protected with a sufficiently complex password. Furthermore, the company did not restrict admin account rights to the employees who required them, and did not implement multi-factor authentication, 2 data protection practices that could have prevented the breach. In determining the financial penalty, the PDPC noted that Ascentis cooperated with investigations, took prompt remedial action, had not previously breached the Personal Data Protection Act, and voluntarily accepted responsibility for the incident.

Yamaha Motor Philippines ransomware attack: stolen employee personal information leaked

Yamaha Motor Philippines (YMPH) was hit by a ransomware attack that led to some of its employees' personal information being stolen and leaked. The company has been investigating the incident with external security experts, and is working on countermeasures and recovery measures to prevent further damage. Yamaha stated that the ransomware gang only breached a server at YMPH, and that the attack did not impact the headquarters or any other subsidiary within the Yamaha Motor group. The company has also reported the attack to the relevant authorities. The INC Ransom gang has claimed the attack and leaked what it claims is data stolen from YMPH's network: on its dark web leak site, it published multiple file archives with roughly 37GB of allegedly stolen data containing employee ID information, backup files, and corporate and sales information, among others.

British Library confirms a ransomware attack is behind the ongoing major outage

The British Library has confirmed that a ransomware attack is behind the ongoing major outage affecting services across several locations. The library stated that it has taken protective measures to ensure the integrity of its systems and is currently undertaking a forensic investigation into the attack. Although the attackers deployed ransomware payloads on its systems on 29 October, the IT outage continues to impact the website, online systems, services, and certain onsite facilities, including the Reading Rooms. The library expects that many of its services will be restored within the forthcoming weeks, but some disruptions might persist for an extended period. Reader Registration is available onsite, but the library can only issue temporary passes with limited access to facilities and collection items, depending on whether you are a lapsed or new Reader. The Business and IP Centre (BIPC) in St Pancras also operates under regular hours to provide business support, but onsite digital services are currently unavailable.

Bloomberg Crypto account used in phishing attack: Discord credentials stolen

The official Twitter account of Bloomberg Crypto was used on 17 November to redirect users to a deceptive website that stole their Discord credentials. The profile contained a link to a Telegram channel that pushes visitors to join a fake Bloomberg Discord server with 33,968 members. According to ZachXBT, a scammer seized the old Telegram username (@BloombergNewsCryto) during the transition and used it as part of a phishing attack. On entering the Discord server, a bot prompts visitors to use AltDentifier, a Discord verification bot. However, the link leads to a deceptive page on an altered domain name (altdentifers) with an extra 's' at the end of the original domain name (altdentifer.com); this phishing website is used to steal visitors' Discord login credentials. The malicious link was removed from the Bloomberg Crypto Twitter account 30 minutes after ZachXBT's initial tweet.

WP Fastest Cache plugin vulnerability exposes 600,000 WordPress sites to attacks

The WordPress plugin WP Fastest Cache is vulnerable to an SQL injection vulnerability (tracked as CVE-2023-6063) that allows unauthenticated attackers to retrieve private information or achieve command execution. More than 600,000 websites still run the vulnerable version of the plugin and are exposed to potential attacks. The WP Fastest Cache developer has made a fix available in version 1.2.2, and all users of the plugin are highly recommended to upgrade to the latest version as soon as possible.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
Last week, breaches and cyberattacks occurred across several industries from the shipping industry, banking, government to the healthcare industry. Furthermore, new vulnerabilities and patches have also been found and released. It is highly recommended to not only be aware of them but to also update them when possible.
Read on to receive a quick summary of what happened this week in the space of cybersecurity. Ports in Australia remain closed as Federal Police investigate a cybersecurity breach. DP World, which manages container terminals in Sydney, Melbourne, Brisbane and Fremantle, said they detected a cybersecurity incident on Friday, with ports closing that same night. It is expected for ports in Australia to remain closed for several days as the Australian Federal Police investigate the cybersecurity incident. Home Affairs Minister, Clare O’Neil said that the government has invoked the national crisis management framework (the National Coordination Mechanism), is receiving regular briefings and is “working with DP Word Australia to understand the impact of this incident and enable engagement across government”. It was also added that the Australian Signals Directorate’s Australian Cyber Security Centre is engaged with DP World, and is providing technical advice and assistance. Industrial and Commercial Bank Of China confirms ransomware attack. The Industrial and Commercial Bank of China (ICBC) confirmed their services were disrupted by a ransomware attack that impacted their systems on 8 November. This prevented the US Treasury from settling trades on behalf of other market players. ICBC stated that ICBC Financial Services disconnected and isolated impacted systems to contain the incident immediately after discovering the incident. It was also added that ICBC FS is conducting an investigation, and reported this incident to law enforcement. ICBC also highlighted that the incident did not impact the systems of the ICBC New York Branch, the ICBC Head Office, and other affiliated institutions domestically and abroad. McLaren Health Care: Data breach impacted 2.2 million people. McLaren Health Care is notifying 2.2 million people that a data breach occurred between late July and August this year and that their sensitive personal information has been exposed. 
McLaren published a statement on their website, alerted the U.S. authorities and impacted individuals. McLaren identified a security breach on 22 August, and investigations revealed that the breach had compromised their systems since 28 July. The exposed data includes full name, social security number, health insurance information, birth date, billing or claims information, diagnosis, physician information, medical record number, medicare/medicaid information, prescription/medication information, diagnostic results and treatment information. For each impacted individual, the specific types of exposed data differ. This depends on the type of information each shared with the organisation, and the services they received. All impacted individuals will receive an email on instructions to enrol to identity protection services for 12 months. McLaren also highly advised individuals to remain vigilant, monitor and review all financial and account statements, and to report any suspicious activity. Data breach at Singapore’s Marina Bay Sands affected the data of 650,000 lifestyle rewards members. Investigations found that an unknown third party had accessed customer data of about 665,000 non-casino reward programme members (Sands LifeStyle rewards programme members) on the 19 and 20 of October. The affected exposed data includes names, email addresses, phone numbers, country of residence, membership number and tier. In an email sent to MBS customers, chief operating officer Paul Town said that MBS “immediately took action” to resolve the issue. MBS also reported the incident to the relevant authorities in Singapore, and other countries where applicable. The resort also stated that there is no evidence so far that the unauthorised third party has “misused the data to cause harm to customers”. The State of Maine announced that the MOVEit data breach affected 1.3 million people. 
The State of Maine announced that their systems were breached after threat actors exploited the MOVEit vulnerability, and accessed the information of 1.3 million people, which also includes minors (which is close to the state’s population). The press release states that the State of Maine was aware of the MOVEit vulnerability on 31 May 2023, and found that cybercriminals had accessed and downloaded files belonging to certain agencies in the State of Maine between 28-29 May 2023. The exposed information includes full name, social security number, birth date, driver’s licence, state identification number, taxpayer identification number, and health insurance information. The exact data exposed for each individual varies depending on their interaction with Maine’s state agencies. The most impacted agency was Maine’s Department of Health and Human Services, which is then followed by the Maine Department of Education. Other departments affected, though to a lesser extent, are the Administrative and Financial Services, Workers’ Compensation, Bureau of Motor Vehicles, Corrections, Economic and Community Development, Professional and Financial Regulation, and Labor. The state also clarified that they delayed in notifying the public as they were conducting a thorough investigation. All affected citizens whose social security numbers or tax information was exposed will receive a free-of-charge 2 year credit monitoring and identity theft protection services. Okta confirms October data breach: 134 customers affected. Okta has confirmed details of their October breach, and reported that the incident led to 134 customers’ files being compromised or “less than 1 percent of Okta customers.” However, with so many high profile companies among Okta’s user base, 1 percent is still a concern. 
Okta Security identified that an employee had signed in to their personal Google profile on the Chrome browser of their Okta-managed laptop, and this was the most likely avenue by which cybercriminals gained access to Okta’s systems: through the compromise of the employee’s personal Google account or personal device. Okta’s troubles continued this week, as they also admitted that a third-party breach exposed records belonging to nearly 5,000 current and former employees.

TransForm, a shared service provider, states that ransomware data breach affects 267,000 patients.

TransForm, a shared service provider, published an update and clarified that it was a ransomware attack that recently impacted operations in multiple hospitals in Ontario, Canada. TransForm confirms that the attackers managed to steal a database containing information on 6.5 million patient visits, which corresponds to approximately 267,000 unique individuals. The ransomware attack happened in late October and impacted 5 hospitals operating under the organisation’s umbrella. The incident caused operational disruptions, forcing healthcare providers to reschedule appointments and redirect non-emergency cases to other clinics in the area. TransForm also emphasised that they did not pay the ransom. The organisation explained that the attackers compromised an operations file server that hosted employee data, as well as the shared drive space used by the impacted hospitals. The impact of the shared drive varies from hospital to hospital, as each opted to store different types and amounts of data on it.

Mr Cooper, a home loan service provider, found customers’ data exposed in data breach.

Mr Cooper, the largest home loan servicer in the U.S., found evidence of customer data exposed during the 31 October cyberattack. Mr Cooper stated they are still investigating the nature of the compromised data, and will provide more information to the affected customers over the coming weeks.
However, they did emphasise that customers’ financial information was not accessed, as the impacted systems did not store such data. The company urged customers to monitor their credit reports and bank accounts, and to report any suspicious activity to their bank. The 31 October cyberattack forced the company to shut down their IT systems, including access to phone lines, the support chatbot, and the online payment portal.

OpenAI confirms DDoS attacks behind ChatGPT’s ongoing periodic outages.

OpenAI has confirmed that distributed denial-of-service (DDoS) attacks were behind the “periodic outages” that affected their API and ChatGPT services within the previous 24 hours, as reported on 8 November. Those affected by these issues see “something seems to have gone wrong” errors, with ChatGPT adding that “There was an error generating a response” to their queries. OpenAI said in an update on 8 November that they are working to mitigate this. As of 9 November, the incident has been resolved and the status of their services has returned to normal.

Sumo Logic discloses security breach: recommends API key resets.

Sumo Logic, a security and data analytics company, disclosed a security breach after finding that their Amazon Web Services (AWS) account was compromised last week. The company detected evidence of the breach on 3 November, after discovering that an attacker had used stolen credentials to gain access to a Sumo Logic AWS account. The company stated that their systems and networks were not impacted, and that customer data remains encrypted. After detection, the company immediately locked down the exposed infrastructure and rotated every potentially exposed credential for their infrastructure. They also added extra security measures to further protect their systems. Sumo Logic strongly advised customers to rotate credentials used to access its services, as well as any credentials shared with Sumo Logic for accessing other systems.

Microsoft: SysAid zero-day flaw exploited in Clop ransomware attacks.
Threat actors are exploiting a zero-day vulnerability (identified as CVE-2023-47246) in SysAid, a service management software, to gain access to corporate servers for data theft and to deploy Clop ransomware. The vulnerability was discovered on 2 November after hackers exploited it to breach on-premise SysAid servers. The Microsoft Threat Intelligence team discovered the exploitation and notified SysAid about the issue. After learning of the vulnerability, SysAid developed a patch, which is available in a software update. All SysAid users are strongly advised to upgrade to version 23.3.36 or later. They also recommend conducting a thorough compromise assessment of their SysAid server, reviewing any credentials or other information that would have been available to someone with full access to the server, and checking any relevant activity logs for suspicious behaviour. A list of indicators of exploitation has also been published.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
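The SysAid item above gives one concrete action: confirm every server is on 23.3.36 or later. The following is an added example written for this digest, not SysAid's or Microsoft's tooling, showing how to run that check over an asset inventory without falling into the classic trap of comparing version strings as text. The inventory and hostnames are constructed placeholders.

```python
"""Flag SysAid servers running a build older than 23.3.36, the fixed release
named in the item above. Added example for this digest, not SysAid's or
Microsoft's tooling. The inventory below is constructed and the hostnames are
placeholders. Versions are compared component by component as integers,
because comparing them as strings gets the answer wrong ("23.3.4" sorts after
"23.3.36" as text but is the older build).
"""

FIXED_VERSION = "23.3.36"   # first patched release, as stated in the advisory

# Constructed inventory: hostname -> version string as exported from an asset
# system (all values are placeholders).
INVENTORY = {
    "sysaid-01.example.internal": "23.3.36",
    "sysaid-02.example.internal": "23.3.4",
    "sysaid-03.example.internal": "24.1.2",
    "sysaid-legacy.example.internal": "unknown",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '23.3.36' into (23, 3, 36); reject anything that is not dotted integers."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when version is the fixed release or newer (numeric, component-wise)."""
    return parse_version(version) >= parse_version(fixed)


def unpatched_hosts(inventory: dict[str, str], fixed: str = FIXED_VERSION) -> list[str]:
    """Hosts below the fixed version, plus hosts whose version string could not
    be parsed: those need a manual check rather than a silent pass."""
    needs_attention = []
    for host, version in inventory.items():
        try:
            if not is_patched(version, fixed):
                needs_attention.append(host)
        except ValueError:
            needs_attention.append(host)   # unknown version counts as unverified
    return sorted(needs_attention)


if __name__ == "__main__":
    for host in unpatched_hosts(INVENTORY):
        print(f"{host}: version {INVENTORY[host]!r} needs attention")
```

Hosts with an unparseable version are reported alongside the unpatched ones on purpose: an inventory entry of "unknown" is exactly the server that tends to be forgotten, and the compromise assessment the advisory recommends should start there.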
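Returning to the Okta item above, the weak point was a personal Google profile signed in to Chrome on a managed laptop, with browser data syncing to that account. The following is an added example for this digest, not Okta's code or guidance, showing how a defender can audit a Chrome managed-policy document for that condition. It assumes the JSON policy format Chrome reads on Linux from /etc/opt/chrome/policies/managed/; BrowserSignin, RestrictSigninToPattern and SyncDisabled are real Chrome enterprise policy names, while the sample policies, the example.com domain and the particular hardening choice are this example's own.

```python
"""Audit a Chrome managed-policy document for settings that let a personal
Google profile sign in and sync on a managed browser, the weak point named in
the Okta item above.

Added example for this digest; it is not Okta's code, guidance or policy.
Assumptions: the policy is the JSON document Chrome reads on Linux from
/etc/opt/chrome/policies/managed/; BrowserSignin, RestrictSigninToPattern and
SyncDisabled are real Chrome enterprise policy names; the sample policies and
the example.com domain below are constructed.
"""
import json
import re

# Constructed sample: any Google account may sign in, and browser data syncs to it.
WEAK_POLICY = {
    "BrowserSignin": 1,       # 1 = sign-in allowed; an unset policy behaves the same
    "SyncDisabled": False,    # passwords, sessions and bookmarks follow that account
}

# Constructed sample: sign-in only with an account in the managed domain, sync off.
HARDENED_POLICY = {
    "BrowserSignin": 1,
    "RestrictSigninToPattern": r".*@example\.com",   # placeholder managed domain
    "SyncDisabled": True,
}

# A representative personal address; an effective sign-in pattern must reject it.
PERSONAL_ACCOUNT = "someone@gmail.com"


def audit_chrome_signin_policy(policy: dict) -> list[str]:
    """Return findings for sign-in/sync settings; an empty list means none found."""
    findings = []
    # With BrowserSignin unset Chrome allows sign-in, so treat missing as 1.
    if policy.get("BrowserSignin", 1) == 0:
        return findings            # browser sign-in is off entirely, nothing can sync
    pattern = policy.get("RestrictSigninToPattern")
    if not pattern:
        findings.append("any Google account may sign in: RestrictSigninToPattern is not set")
    elif re.fullmatch(pattern, PERSONAL_ACCOUNT):
        findings.append("RestrictSigninToPattern still matches personal accounts")
    if not policy.get("SyncDisabled", False):
        findings.append("SyncDisabled is false: browser data syncs to whichever account signs in")
    return findings


def render_policy_file(policy: dict) -> str:
    """Serialise a policy dict in the JSON form a managed policy file uses."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_chrome_signin_policy(policy) or "no findings")
    print(render_policy_file(HARDENED_POLICY))
```

The pattern check matters as much as the presence check: a RestrictSigninToPattern of `.*` is set but restricts nothing, which is why the audit tests the pattern against a personal address rather than only looking for the key. On Windows the same three policies are delivered through the Chrome ADMX templates rather than a JSON file, but the values and the audit logic are unchanged.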