TAFA Archives
April 2024
Last week, breaches and cyberattacks occurred across several industries, from mortgage lending, e-commerce and telecommunications to healthcare. Devastating consequences have been uncovered from earlier data breaches and attacks: millions of individuals' personal data compromised, services still disrupted, and internal services leaked. Additionally, a new phishing campaign and malicious Chrome extensions have been found. Furthermore, new vulnerabilities have been found and patches released. It is highly recommended not only to be aware of them but also to apply the updates as soon as possible.

Read on to receive a quick summary of what happened this week in the space of cybersecurity.

Mr Cooper, a mortgage lending firm, data breach affects 14.7 million people.
Mr Cooper (previously Nationstar Mortgage LLC), one of the largest mortgage lending firms in the U.S., is sending data breach notifications warning that the October data breach exposed the data of close to 14.7 million customers who have, or previously had, mortgages with the company. The information exposed includes customers' full names, home addresses, phone numbers, social security numbers, birth dates, and bank account numbers. In the notice sent to impacted customers, the company stated that it immediately took steps to identify and remediate the breach, including locking down its systems, changing account passwords, and restoring its systems. The company also notes that it has been monitoring the dark web and so far has not seen any evidence that the exposed data has been further shared, published or misused. Furthermore, impacted customers are offered a 24-month identity protection service, which the company strongly encourages them to enrol in, and customers are urged to remain vigilant against unsolicited communications.

Hong Kong's privacy watchdog determined 320,000 Carousell users' data was leaked in a security breach.
The Office of the Privacy Commissioner for Personal Data's investigation revealed that the January 2022 security breach led to over 320,000 Hong Kong users' data being compromised. The Office found that the data of 2.6 million Carousell users globally had been leaked, including over 320,000 from Hong Kong. It also found that Carousell, prior to a system migration in January 2022, did not assess the impact on privacy, had incomplete code review procedures, and lacked effective measures to detect abnormal activities. Hence, the company failed to prevent or detect the theft of users' personal data, which violates Hong Kong's personal data protection regulations. The Office has since requested in writing that Carousell rectify the situation, and has also provided the investigation report to Singapore's privacy watchdog, where the company's headquarters are located.

Xfinity 3rd party data breach impacts 35.9 million customers.
In a data breach notification to customers published this week, Xfinity stated that during a routine cybersecurity exercise on 25 October it discovered that attackers had access to its systems from 16-19 October. The breach was carried out through the CitrixBleed vulnerability. Based on its filing with the Maine Attorney General's Office, 35,879,455 customers were impacted. The information exposed includes customers' names, contact information, birth dates, usernames, hashed passwords, the last 4 digits of their social security numbers, and/or secret questions and answers. However, the full scope of the breach is still under investigation. An Xfinity spokesperson stated that, as of now, the company is not aware of any customer data being leaked nor of any attacks on its customers. The company recommends that customers reset their passwords, and is also encouraging users to turn on two-factor authentication. It is also highly encouraged to change similar passwords used on other platforms to prevent credential stuffing attacks.

VF Corporation, owner of Vans and Supreme, confirms a cyberattack that encrypted systems and stole customers' personal data.
VF Corporation, owner of apparel brands such as Vans, Supreme and The North Face, has confirmed a cyberattack that the company first detected on 13 December. According to a filing with federal regulators, hackers disrupted the company's operations by encrypting some of its IT systems, and stole company data that includes personal data. The company continues to experience operational disruptions, including its "ability to fulfil orders". In its filing, the corporation stated that the retail stores it operates are still open globally, and that consumers can purchase available merchandise online. However, it is unclear when orders are expected to ship, and the company's spokesperson did not say when. As of now, the company has yet to say how it was compromised, or the scope of the impact of the cyberattack.

St Vincent's Health Australia data breach: Unknown amount of data has been stolen.
In a statement, St Vincent's Health Australia said that the attack was first detected on 19 December. Although the hacker did not perform any actions "since early morning..of 20 December", it was later determined that some data had been stolen. Currently, the hospital is investigating the breach and determining what data has been removed. For this investigation, and to assist in containing the attack, the organisation has sought help from the government, agencies and external security experts. These include the National Office of Cyber Security, Services Australia, the Department of Health and Aged Care, and relevant state and territory agencies. Additionally, it is also seeking to determine what data may have been accessed by the hackers but not stolen. The organisation added that it is still operating and delivering services.

ESO Solutions, a healthcare software provider, data breach affects 2.7 million patients.
ESO Solutions, a provider of software products for healthcare organisations and fire departments, disclosed that a ransomware attack compromised the personal data of 2.7 million patients. According to the notification, the attack occurred on 28 September, and data was exfiltrated before the hackers encrypted some of its systems. During its investigation, the company discovered that the attackers accessed a machine that contained sensitive personal data. Furthermore, it determined that the attack impacted patients associated with its customers, which include hospitals and clinics in the U.S. Personal data exposed includes patients' full names, birth dates, phone numbers, patient account/medical record numbers, injury type and date, diagnosis information, treatment type and date, procedure information, and social security numbers. The exact types of data exposed vary per individual, depending on the details the patients provided to the healthcare organisations using ESO's software and the care services they received. The company has informed the relevant authorities, and all impacted customers were notified on 12 December, with some of the affected hospitals sending breach notices to their patients in the days that followed. To mitigate the risk, ESO is offering 12 months of identity monitoring coverage to all notice recipients. As of now, the healthcare providers confirmed to be impacted are: Mississippi Baptist Medical Center, Community Health Systems Merit Health Biloxi, Merit Health River Oaks, ESO EMS Agency, Forrest Health Forrest General Hospital, HCA Healthcare Alaska Regional Hospital, Memorial Hospital at Gulfport Health System, Providence St Joseph Health (Providence Kodiak Island Medical Center), Providence Alaska Medical Center, Universal Health Services (UHS) Manatee Memorial Hospital, Desert View Hospital, and Ascension Providence Hospital in Waco.

London Public Library still battling 13 December cyberattack: Services still remain disrupted, and 3 branches closed.
The London Public Library is still working to restore its systems after the cyberattack of 13 December. The attack not only limited the services offered by the library, but also closed 3 of its 16 branches (Carpenter, Lambeth and Glanworth), which will remain closed until 2 January. The library stated that it immediately engaged third-party cybersecurity experts, who are continuing to work with it to repair the damage from the attack. The system outage took down the library's online catalogue, staff emails, phone lines, website, public Wi-Fi, printing, and access to public computers. Furthermore, the Libby app is not accessible to library patrons. As of now, the investigation has yet to determine whether personal information has been compromised.

Google & Twitter ads promoting crypto drainer that stole $59 million from 63k victims.
Blockchain threat analysts at ScamSniffer found that over 10,000 phishing websites contain a cryptocurrency drainer (called MS Drainer), which has already stolen $59 million from 63,210 victims over the past 9 months, from March 2023 to today. Google and Twitter ads were found to be promoting these sites. A drainer is able to drain funds from a user's cryptocurrency wallet without their consent. In Google Search, MS Drainer is promoted via malicious ads shown for keywords related to DeFi platforms (e.g. Zapper, Lido, Stargate, Orbiter Finance, Defillama, and Radiant). These ads exploit a loophole in Google Ads' tracking templates that makes the URL appear to belong to the imitated official domain; a redirection then takes victims to a phishing site. On Twitter (also known as X), ads for MS Drainer are so copious that they account for 6 of the 9 phishing ads on users' feeds. Notably, many of the scam ads on Twitter are posted from legitimate "verified" accounts (those with blue ticks). Cryptocurrency scams have always performed well on X, but with trustworthy hacked accounts now promoting ads with malicious sites, the success rates of these phishing attacks are expected to rise. Users are highly recommended to be vigilant around cryptocurrency-related ads, and to always beware when signing up to new platforms.
Mint Mobile latest data breach exposes customer data.
Mint Mobile, a mobile virtual network operator owned by T-Mobile, has disclosed that a data breach exposed its customers' personal information, data which can be used to perform SIM swap attacks. The company is notifying impacted customers via an email stating that it suffered a security incident in which the attacker managed to obtain customer information. The exposed data includes customers' names, telephone numbers, email addresses, SIM serial numbers and IMEI numbers (a device identifier similar to a serial number), and a brief description of the service plan purchased. Mint Mobile has stated that customers do not need to take any action, and can call customer support with any questions.

Ubisoft is investigating alleged data breach after images of the company's internal services leaked.
Ubisoft, a French video game publisher, is investigating an alleged data breach after images of the company's internal software and developer tools were leaked online. The leaked screenshots were shared by the research collective VX-Underground. In a tweet, VX-Underground stated that an unknown threat actor compromised Ubisoft on 20 December, and had access for roughly 48 hours until administrators revoked it once they realised something was off. The threat actor had planned to exfiltrate around 900GB of data before losing access. The threat actor also claimed to have gained access to Ubisoft's SharePoint server, Microsoft Teams, Confluence, and MongoDB Atlas panel, and even shared screenshots of their access to some of these services. The threat actor further stated that they attempted to steal Rainbow 6 Siege user data but lost access once they were detected.

3 malicious fake VPN Chrome extensions downloaded 1.5 million times.
3 malicious Chrome extensions posing as VPNs were downloaded 1.5 million times. According to ReasonLabs, the extensions were spread via an installer hidden in pirated copies of popular video games such as Grand Theft Auto, Assassin's Creed, and The Sims 4. They act as browser hijackers, cashback hack tools, and data stealers. It was reported that the malware targets over 100 cashback extensions, and the extensions help redirect profits to the attackers. Furthermore, the extensions also enable the exchange of instructions and commands, identifying the victim, exfiltrating sensitive data, and more. ReasonLabs notified Google of its findings, and Google has removed the malicious extensions from the Chrome Web Store, but only after they had been downloaded 1.5 million times. The installation of these extensions is automatic and forced, and does not involve or require any action from the user. It is highly recommended to routinely check the extensions installed in your browser, and to check for new reviews in the Chrome Web Store to see if others are reporting malicious behaviour.

New phishing campaign steals your Instagram backup codes to bypass 2FA.
A new phishing campaign imitates a 'copyright infringement' email in an attempt to steal your Instagram backup codes, which allow hackers to bypass two-factor authentication (2FA). The latest phishing emails impersonate Meta, warning Instagram users that they have received copyright infringement complaints. The email prompts the user to fill out an appeal form to resolve the issue. By clicking the button, the victim is taken to a phishing site that impersonates Meta's actual violations portal. When the victim clicks another button labelled 'Go to Confirmation Form', they are redirected to a further phishing page impersonating Meta's "Appeal Center" portal, where they are asked to enter their username and password. After that, the phishing site asks the victim whether their account has 2FA enabled and to enter one of their 8-digit backup codes. When configuring 2FA on Instagram, users are also given 8-digit backup codes that can be used to regain access if they are unable to verify their account using 2FA. It is highly recommended to remember that when you have access to your 2FA codes/keys, there is never a reason to enter your backup codes anywhere other than within the Instagram website or app.

Google releases the 8th emergency update to fix Chrome zero-day exploited in attacks.
Google has released its 8th emergency update to fix another Chrome zero-day vulnerability (tracked as CVE-2023-7024) exploited in the wild. This high-severity vulnerability is due to a heap buffer overflow weakness in the open-source WebRTC framework used by Google Chrome, which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. The bug was discovered and reported by Google's Threat Analysis Group. Individuals who prefer not to update manually can rely on their web browser to automatically check for new updates and install them on the next launch.

That is all! I hope you had a merry Christmas and a Happy New Year! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
Last week, breaches and cyberattacks occurred across several industries, from the public sector, IT, automotive and non-profits to healthcare. Devastating consequences have been uncovered from earlier data breaches and attacks, with millions of personal and financial records stolen and exposed. Furthermore, new vulnerabilities were found, and the last round of 2023 patches has been released for Apple, Microsoft, Adobe, Cisco, Android, WordPress and more. It is highly recommended to apply them as soon as possible.

Read on to receive a quick summary of what happened this week in the space of cybersecurity.

MongoDB suffers from a cyberattack: Customer data was exposed.
In an email sent to customers, MongoDB, a database management company, confirmed that it has fallen victim to a security incident which resulted in unauthorised access to certain corporate systems. While investigations are underway, it has confirmed that hackers accessed customer account metadata and contact information. Although the company activated its incident response process once the breach was detected on 13 December, it believes that the unauthorised access may have been ongoing for some time before being detected. In the email, the company urged customers to be cautious of potential social engineering and phishing attacks. MongoDB also assured customers that, as of now, there is no indication that data stored in MongoDB Atlas, its cloud-based database service, has been accessed. In an update on 16 December, MongoDB reported a spike in login attempts, which caused issues for customers attempting to access MongoDB Atlas and the Support Portal. However, the company clarified that this issue is not related to the security incident, and advised affected users to try again in a few minutes. The company highly recommends that customers remain vigilant and adopt practices such as MFA and regular password rotation.

UK defence ministry fined US$439,000 for Afghan data breach.
The UK's data protection regulator has fined the Ministry of Defence (MoD) US$439,000 for a series of email data breaches that revealed details of over 265 Afghans who were seeking relocation to Britain after the Taliban took control of Afghanistan. The Information Commissioner's Office (ICO) stated that the personal information of those affected was leaked because the department had not put in place operating procedures to ensure group emails were sent securely to the Afghan nationals who had worked for or with the British government. On 20 September 2021, the MoD sent an email to a distribution list of Afghan nationals eligible for evacuation with all applicants copied, causing the personal information of 245 people to be accidentally disclosed. The MoD's own investigation also found 2 similar breaches during the same month, compromising 265 email addresses in total. The ICO added that the disclosed data could have resulted in a threat to life had it fallen into the Taliban's hands. The MoD recognised the severity of the issue and repeated its apology, adding that it would set out further details of the measures it is implementing to address the ICO's concerns in due course.

U.S. nuclear research lab data breach impacts 45,000 people.
The Idaho National Laboratory (INL) confirmed that attackers stole the information of more than 45,000 individuals after breaching its cloud-based Oracle HCM HR management platform last month. According to the breach notification letters filed with the Maine Attorney General's Office this week, the attackers exfiltrated the data of 45,047 current and former employees (including postdocs, graduate fellows, and interns), as well as their dependents and spouses. The breach did not affect employees hired after 1 June 2023. Although the laboratory is still investigating the incident's full impact, it revealed that multiple forms of sensitive personally identifiable information (PII) were affected, including employees' names, social security numbers, salary information, and banking details. INL also clarified that the breach did not impact INL's own network, or other networks or databases used by employees, lab customers or other contractors.
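The MoD breach above came from a group mailing with every applicant visible in the recipient list. As an added example (not code from the MoD, the ICO or any vendor), the following pre-send check, written for a mail gateway or send hook, refuses a message when more than a permitted number of recipients outside a trusted domain are visible to each other in To/Cc, and shows how to rewrite the message so those recipients are moved to Bcc. The trusted domain, the threshold and the sample message are constructed assumptions.

```python
"""Pre-send guard for group mailings: external recipients must not be visible
to each other in To/Cc. Assumptions (constructed for this example): the
sender's own domain is 'example.gov.uk' and at most one external address may
appear in a visible header."""
from email import message_from_string
from email.utils import getaddresses

TRUSTED_DOMAINS = {"example.gov.uk"}   # assumed internal domain(s); exact match only
MAX_VISIBLE_EXTERNAL = 1               # assumed policy threshold


def visible_recipients(msg):
    """Return (address, domain) pairs for every address in To and Cc.
    Bcc is deliberately ignored: it is stripped before delivery and never
    visible to other recipients."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    out = []
    for _name, addr in pairs:
        addr = addr.strip().lower()
        if "@" in addr:
            out.append((addr, addr.rsplit("@", 1)[1]))
    return out


def check_group_email(raw, trusted=TRUSTED_DOMAINS, max_external=MAX_VISIBLE_EXTERNAL):
    """Return a verdict dict: allowed flag, the external addresses that would be
    exposed, and a human-readable reason for the block."""
    msg = message_from_string(raw)
    external = [a for a, d in visible_recipients(msg) if d not in trusted]
    if len(external) > max_external:
        return {
            "allowed": False,
            "external_visible": external,
            "reason": f"{len(external)} external recipients are visible to each "
                      f"other (limit {max_external}); move them to Bcc",
        }
    return {"allowed": True, "external_visible": external, "reason": "ok"}


def rewrite_to_bcc(raw, trusted=TRUSTED_DOMAINS):
    """Return a copy of the message with every external To/Cc address moved to
    Bcc. The visible To line keeps only internal addresses, or falls back to
    the sender so the header is not empty (an assumed convention)."""
    msg = message_from_string(raw)
    recips = visible_recipients(msg)
    internal = [a for a, d in recips if d in trusted]
    external = [a for a, d in recips if d not in trusted]
    existing_bcc = [a for _n, a in getaddresses(msg.get_all("Bcc", []))]
    del msg["To"]          # Message.__delitem__ removes all occurrences, no error if absent
    del msg["Cc"]
    del msg["Bcc"]
    msg["To"] = ", ".join(internal) if internal else msg.get("From", "")
    if existing_bcc or external:
        msg["Bcc"] = ", ".join(existing_bcc + external)
    return msg.as_string()


def bcc_recipients(raw):
    """Helper for inspection: the addresses currently in Bcc."""
    msg = message_from_string(raw)
    return [a.lower() for _n, a in getaddresses(msg.get_all("Bcc", []))]


# Constructed sample: three applicants from different external domains all
# copied on the same visible To line, the pattern behind the MoD disclosure.
SAMPLE_UNSAFE = """\
From: relocation-team@example.gov.uk
To: applicant1@example.com, applicant2@example.net, applicant3@example.org
Subject: Relocation scheme update
Content-Type: text/plain

Constructed sample body.
"""

if __name__ == "__main__":
    verdict = check_group_email(SAMPLE_UNSAFE)
    print(verdict["reason"])
    if not verdict["allowed"]:
        fixed = rewrite_to_bcc(SAMPLE_UNSAFE)
        print(check_group_email(fixed)["reason"], bcc_recipients(fixed))
```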
Delta Dental of California data breach exposes the information of 7 million patients.
Delta Dental of California and its affiliates warn that a data breach has so far impacted 6,928,932 customers' personal information due to the MOVEit Transfer software breach. According to Delta Dental of California's data breach notification, the company suffered unauthorised access by threat actors via the MOVEit file transfer application. The company learned of the compromise on 1 June 2023, and after an internal investigation confirmed that unauthorised actors had accessed and stolen data from its systems between 27-30 May 2023. A second, lengthier investigation found that close to 7 million customers were impacted, and the personal information exposed includes names, financial account numbers, credit/debit card numbers, and security codes. Delta Dental of California is providing 24 months of free credit monitoring and identity theft protection services to impacted patients. Customers of Delta Dental of California are highly recommended to be cautious with unsolicited communications to avoid falling for phishing attacks.

Norton Healthcare ransomware attack may have resulted in 2.5 million patients' data stolen.
Norton Healthcare, which runs 8 hospitals and more than 30 clinics in Kentucky and Indiana, has admitted that threat actors may have stolen 2.5 million patients' sensitive information during the May ransomware attack. According to the data breach disclosure filed with the Maine Attorney General's Office, the attackers accessed patients' names, contact information, social security numbers and birth dates, and plausibly also their driver's licence and government ID numbers, financial account information and digital signatures. In addition, the health information, insurance information and medical ID numbers belonging to former patients, employees, and employee dependents and beneficiaries are also at risk. In a statement on its website, Norton determined that the threat actors gained access to certain network storage devices between 7-9 May 2023, but did not access Norton Healthcare's medical record system or Norton MyChart. BlackCat ransomware affiliates claimed responsibility for the attack and listed the healthcare system on their leak site on 25 May. Norton Healthcare stated that measures are being taken to further enhance its network security safeguards.

Toyota warns customers of data breach that exposes their personal and financial information.
Toyota Financial Services (TFS) warns customers that their personal and financial information was exposed during a cyberattack detected last month in its Europe and Africa division. All of the data has been leaked on Medusa's extortion portal on the dark web, which may indicate that Toyota has not negotiated a ransom payment with the cybercriminals. Earlier this month, Toyota Kreditbank GmbH in Germany was identified as one of the impacted divisions. The compromised customer data includes full names, residential addresses, contract information, lease-purchase details, and International Bank Account Numbers (IBAN). However, internal investigations are still ongoing, and it is possible that attackers accessed additional information. Toyota has promised to promptly update affected customers should the investigation reveal further data exposure.

Close to 1 million non-profit donors' details were exposed in an unsecured online database of DonorView.
Infosec researcher Jeremiah Fowler found 948,029 records of personally identifiable information belonging to donors who sent money to nonprofits exposed in an online database. The database is owned and operated by DonorView, a provider of a cloud-based fundraising platform used by schools, charities, religious institutions, and groups that focus on charitable or philanthropic goals. The exposed data includes donor names, addresses, phone numbers, emails, payment methods and more. A document seen by Fowler revealed children's names, medical conditions, the names of their attending doctors, and information on whether the child's image could be used in marketing materials. In just a single document, more than 70,000 names and contact details were exposed, all believed to be donors to nonprofits. Fortunately, within days of Fowler filing a disclosure report, the database was secured. Although it is now secured, Fowler noted that it could not be determined how long the information had been exposed, nor whether the data had been accessed by unauthorised parties.

Americold, a cold storage giant, confirms over 129,000 employees' and their dependents' information has been stolen in an April malware attack.
In notification letters sent to impacted employees, Americold confirmed that 129,611 current and former employees, and their dependents, were affected by the April data breach. The company revealed that the attackers were able to steal some data from its network, including some personal information. The stolen personal information includes a combination of names, addresses, social security numbers, driver's licence/state ID numbers, passport numbers, financial account information (e.g. bank account and credit card numbers), and employment-related health insurance and medical information.

Ransomware group claims they have breached Kraft Heinz's systems.
Snatch, a ransomware group, has claimed on its website that it breached the systems of Kraft Heinz. The post, created on 16 August, indicates that the attack occurred months ago. In a statement, the food giant said it is investigating the claims of a cyberattack, and whether a cyberattack on a decommissioned marketing website is related to Snatch's claims. It stated that its internal systems are "operating normally" and that it is unable to verify the cybercriminals' allegations as it currently sees no evidence of the cyberattack. The ransomware group has not published any files as proof of its claims.

Review says Northern Ireland Police data breach was caused by widespread security flaws.
In August, the surnames and initials of 9,500 Police Service of Northern Ireland (PSNI) staff were released by mistake within an Excel spreadsheet following a Freedom of Information (FOI) request. The PSNI and the Policing Board commissioned an independent review of the incident, carried out by Pete O'Doherty, a temporary commissioner of the City of London Police. The report found that a tab containing the sensitive information about officers and staff had been hidden in the spreadsheet, and was not noticed by 6 staff members before it was released in the FOI response. According to the report, the breach "was a consequence of many factors, and fundamentally a result of PSNI not seizing opportunities to better and more proactively secure and protect its data, to identify and prevent risk earlier on, or to do so in an agile and modern way." The review noted that PSNI had adopted a "light touch approach" to data protection and security, having no strategy in that regard, and that its data protection officer (DPO) had no direct reporting line to the most senior level of the organisation, which is a legal requirement. Furthermore, it found that the 2018 Data Protection Act had not yet been fully embedded within the force. The review also added that, based on the information provided, the data breach was not the result of a credible threat being made against PSNI.

Last Patch of 2023: Microsoft, Adobe, Apple, Google, Cisco, WordPress, VMware and Atlassian release patches for flaws.
These are the latest patches these companies have released to address the numerous vulnerabilities they have detected.

Apple: Although Apple released the December patches last week, there are 2 concerning vulnerabilities (tracked as CVE-2023-42916 and CVE-2023-42917) in WebKit that affect Apple TVs and Watches, plus some older iPhones and iPads. These vulnerabilities can be exploited against versions of iOS before iOS 16.7.1. The released patches address the vulnerabilities in older iPhones and iPads, all models of Apple TV HD and Apple TV 4K, and Apple Watch Series 4 and later.

Microsoft: Patches for 34 flaws have been released, with just over 30 Windows patches, none of which had been listed as under attack or publicly known before today. Of these, 4 are rated critical (3 RCE and 1 spoofing bug) and 29 important.

Adobe: Adobe addressed 212 vulnerabilities in 9 patches for Prelude, Illustrator, InDesign, Dimension, Experience Manager, Substance3D Stager, Substance3D Sampler, After Effects, and Substance3D Designer. None of these are being exploited in the wild. The bulk of the bugs (185 CVEs) are in Experience Manager, and are all important- or moderate-rated cross-site scripting bugs.

Google: The December security updates for Android fix 85 vulnerabilities, including 3 that "may be under limited, targeted exploitation". All 3 affect Qualcomm components, and Qualcomm announced back in October that these 3 flaws were under targeted attack.

WordPress: A critical-severity vulnerability rated 9.8/10 (tracked as CVE-2023-6553) in the WordPress plugin Backup Migration can let attackers gain remote code execution and fully compromise vulnerable websites. A patch (Backup Migration plugin version 1.3.8) was released hours after Wordfence reported the flaw. Site owners are highly recommended to secure their websites against this CVE by updating to the latest version.

Atlassian: Has pushed updates to fix 5 high-severity vulnerabilities. All are denial-of-service flaws affecting Bamboo, Bitbucket, Jira and Confluence Data Center and Server.

Cisco: Published a security advisory about a vulnerability (tracked as CVE-2023-50164) in Apache Struts that may affect a long list of its products containing the software. Although the issue is still being investigated, Cisco highly recommends updating to Struts 2.5.33 or Struts 6.3.0.2 or greater.

VMware: Has released a patch that fixes a moderate-rated privilege escalation vulnerability (tracked as CVE-2023-34064) in the VMware Workspace ONE Launcher product.

FortiGuard: Has released a patch that fixes a double free vulnerability (tracked as CVE-2023-41678) in the FortiOS and FortiPAM HTTPSd daemon. This high-severity bug could allow authenticated attackers to achieve arbitrary code execution via specially crafted commands.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
Last week, breaches and cyberattacks occurred across several industries, from the public sector, automotive and shipbuilding to IT, with devastating consequences such as disrupted operations, data theft, and data leaks. Additionally, a sharp increase (nearly 30-fold!) has been seen in Adobe-themed phishing attacks targeting specific businesses, as well as mass credential campaigns by hackers exploiting Outlook and WinRAR vulnerabilities via phishing emails. Furthermore, new vulnerabilities have been found and patches released. It is highly recommended not only to be aware of them but also to apply the updates as soon as possible.

Read on to receive a quick summary of what happened this week in the space of cybersecurity.

Nissan Australia & New Zealand suffers a cyberattack, with a potential data breach.
Nissan is investigating a cyberattack that targeted its systems in Australia and New Zealand, which may have let hackers access customers' personal information. Nissan informed customers of its Nissan Oceania division of a potential data breach, warning them of a risk of scams in the coming days. A statement on its Australia and New Zealand websites says that the systems of the Australian and New Zealand Nissan Corporation and Financial Services "have been subject to a cyber incident". The company is currently determining the impact of the attack and working to restore affected systems. Nissan clarified that its dealer network has not been impacted, that all vehicle and service queries may still be submitted, and that there will be no delays in processing them.

HTC confirmed a cyberattack after BlackCat ransomware group leaked stolen data.
HTC Global Services, an IT services and business consulting company, has confirmed that it suffered a cyberattack after the BlackCat ransomware group leaked photos of what they claimed to be data stolen from the company. The stolen data includes passports, contact lists, email addresses, and confidential documents. In a statement, the firm confirmed the attack, stated it has enlisted cybersecurity experts, and said it is currently investigating and addressing the situation to ensure "the security and integrity of user data".

23andMe updates user agreements to prevent data breach lawsuits.
As 23andMe faces multiple lawsuits over the October credential stuffing attack that led to the theft of customers' data, the company modified its Terms of Use on 30 November to make it more difficult to take part in class-action lawsuits against the company. Provisions include increasing the initial dispute period from 30 to 60 days, and requiring customers to first have a telephone or videoconference with 23andMe to try to resolve the dispute. The new Terms also contain stronger language to prevent a party from bringing a class-action lawsuit against 23andMe, stating that customers can bring disputes only "in an individual capacity, and not as class-action or collective action or class arbitration". 23andMe claims that these changes were added to provide more details and clarity around the dispute process.

Navy contractor Austal USA confirms cyberattack after data leak.
Austal USA, a shipbuilding company and contractor for the U.S. Department of Defense (DoD) and Department of Homeland Security (DHS), confirmed that it suffered a cyberattack and is currently investigating the impact of the incident. On 6 December, the Hunters International ransomware and data extortion group claimed to have breached Austal USA and leaked some of the stolen data as evidence. After which, a spokesperson for the company confirmed the attack, adding that Austal USA was able to quickly mitigate the incident, resulting in no impact on operations. Relevant authorities have also been informed of the incident. Hunters International has threatened to publish more stolen data in the following days, including compliance documents, recruiting information, finance details, certifications and engineering data. Austal USA did not share whether the hackers were able to access engineering schematics or other proprietary US Navy technology.

Nearly 30-fold increase in Adobe-themed phishing targeting businesses.
Security researchers have warned of a sharp increase in phishing emails carrying Adobe InDesign links, with attackers targeting specific organisations and users. Since October, there has been a nearly 30-fold increase in malicious emails with Adobe InDesign links. Many of the phishing links seen by researchers use the ".ru" domain, and are hosted behind a content delivery network (CDN) that acts as a proxy for the source site. This hides the content source, and makes the attacks more difficult to detect and block. The phishing emails carry legitimate brand logos, likely copied from other content or scraped from websites by the attackers; the logos were probably chosen because they are known and trusted by the targets. Other tactics include using a publishing program to create highly convincing social engineering lures, and moving recipients to another web page once the link is clicked, so there is no known malicious URL in the main body of the message for security tools to detect and block.

Hackers breach US government agencies using Adobe ColdFusion exploit.
CISA (the U.S. Cybersecurity and Infrastructure Security Agency) is warning that hackers are actively exploiting a critical vulnerability (identified as CVE-2023-26360) in Adobe ColdFusion to gain initial access to government servers. The vulnerability allows arbitrary code execution on servers running Adobe ColdFusion 2018 Update 15 and older, and 2021 Update 5 and earlier. It is still being leveraged in attacks, and its exploitation impacted 2 federal agency systems in June. The agency notes that "both servers were running outdated versions of software which are vulnerable to various CVEs". Luckily, in both cases the attacks were detected and blocked before the hackers were able to exfiltrate data or move laterally, and the compromised assets were removed from crucial networks within 24 hours. Federal organisations and state services are highly recommended to upgrade ColdFusion to the latest available version, apply network segmentation, set up a firewall or WAF, and enforce software execution signing policies.
Fancy Bear group exploits vulnerabilities in Outlook and WinRAR in mass credential campaigns. Fancy Bear group has carried out several mass attack campaigns via exploiting known flaws in Outlook and WinRAR (identified as CVE-2023-23397 and CVE-2023-39931). Security researchers detected that since March 2023, Fancy Bear has been engaging in phishing activity in which they leveraged patched vulnerabilities to send high-volume campaigns to targets in Europe and North America. They use the vulnerabilities as initial access against government, aerospace, education, finance, manufacturing and technology sector targets to either disclose user credentials or initiate follow-on activity. It has been observed that over 10,000 repeated attempts to exploit the Microsoft Outlook vulnerability, targeting the same accounts daily during the late summer of 2023. In September, Fancy Bear sent malicious emails from different Portugal email addresses exploiting the WinRAR vulnerability. The email senders spoofed geopolitical entities, and used the BRICS Summit and a European Parliament meeting as subject to entice targets to open the emails. They use this vulnerability to initiate remote code execution with the purpose of extracting NTLM credentials and information about the victim systems. Amazon sues REKK fraud gang that stole millions of dollars worth of products. Amazon’s Customer Protection and Enforcement team has taken legal action against REKK, an underground store refund scheme, that resulted in millions of dollars worth of products stolen from Amazon’s online platforms. This lawsuit targets 20 members of REKK, as well as 7 former Amazon employees who acted as malicious insiders. REKK operates as an Organised Retail Crime (ORC) gang across online forums and social media, whereby they provide illicit refunds for individuals in exchange for a fee. 
Individuals seeking free items like iPads or Macbooks, purchase an item, and then pay REKK a fee, usually a percentage of the product cost, to secure a deceptive refund. The customers placed an order through Amazon’s online retail platform and then provided the order details to the fraudulent refund service. REKK then requests a refund, manipulates Amazon’s support representatives via social engineering tactics, unauthorised access to Amazon systems, and bribes insiders to secure a refund without returning the purchased products. In November 2019., REKK claimed on Nulled to have fraudulently refunded over 100,000 orders across various retailers (e.g. LuLuLemon, bol., Samsung, ASOS, Nike, and Home Depot) to more than 30,000 customers worldwide, not just limited to Amazon. Fake WordPress security advisory pushes a malicious plugin that infect sites. WordPress administrators are being emailed fake WordPress security advisories for a fake vulnerability (tracked as CVE-2023-45124) to infect sites with a malicious plugin. The emails that imitate WordPress warn that a new RCE flaw was detected on the admin’;s site, and urge them to download and install a plugin that allegedly addresses the security issue. Clicking on the email’s ‘Download Plugin’ button will take the victim to a fake landing page at ‘en-gb-wordpress[.]org’ that looks identical to the legitimate ‘wordpress.com’ site. The entry to the fake plugin shows a likely inflated download count of 500,000, along with multiple fake user reviews elaborating on how the patch restored their compromised site and helped them defend against hacker attacks. The malicious plugin hides itself from the list of installed plugins, so a manual search on the site’s root directory is required to remove it. 
Although it is not clear what the malicious plugin does, PatchStack speculates that it might be used for injecting ads on compromised sites, performing visitor redirection, stealing sensitive information, or even blackmailing owners by threatening to leak their website’s database contents. New 5Ghoul attack impacts 5G phones with Qualcomm and MediaTek chips. A new set of vulnerabilities, collectively called 5Ghoul, in 5G modems by Qualcomm and MediaTek. This impacts 710 5G smartphone models from Android and Apple, routers and USB modems. 5Ghoul consists of 14 vulnerabilities in mobile communication systems, 10 of which have been publicly disclosed and 4 withheld for security reasons. 5Ghoul attacks range from temporary service disruptions to network downgrades. Vulnerable smartphone brands include POCO< Black, Lenovo, AGM, Google, TCL, Redmi, HTC, Microsoft, and Gigaset. Both Qualcomm and MediaTek released security bulletins last Monday for the disclosed 5Ghoul vulnerabilities. Security updates have already been made available to device vendors 2 months ago. However, given the complexity of software supply, especially on Android, it will be a while before the fixes reach the end users via security updates. Signs of a 5Ghoul attack include loss of 5G connections, inability to reconnect until the device is rebooted, and consistent drop to 4G despite the availability of 5G network in the area. If you are worried about the 5Ghouls vulnerabilities, the only solution is to avoid using 5G entirely until fixes are available. WordPress addresses POP chain vulnerability that exposes websites to RCE attacks. WordPress has released version 6.4.2 that addresses a Property Oriented Programming (POP) chain vulnerability that allows attackers to run arbitrary PHP code on the target website. 
Although the RCE vulnerability is not directly exploitable in core, the WordPress security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installations. Due to the need for object injection on installed and active plugins or themes, the presence of an exploitable POP chain in WordPress core significantly increases the overall risk for WordPress sites. It is highly recommended for administrators to update to the latest WordPress version. Even if most updates install the new version automatically, it is highly advised to check manually if the update completed. Atlassian publishes critical RCE flaws across multiple products. Atlassian has published security advisories for 4 critical RCE vulnerabilities (identified as CVE-2023-22522, CVE-2023-22523, CVE-2023-22524, and CVE-2022-1471), that impacts Confluence, Jira, and BitBucket servers, along with a companion app for macOS. All RCE vulnerabilities received a critical-severity score of least 9.0 out of 10, based on Atlassian’s internal assessment. The company marked none of the security vulnerabilities as being exploited in the wild. However, due to the popularity of Atlassian products and their extension deployments in corporate environments, system administrators should prioritise applying the available updates. December 2023 Android security updates tackle 85 vulnerabilities, including critical zero-click RCE flaw. Google announced on 4 December that the December 2023 Android security updates tackle 85 vulnerabilities, including a critical severity zero-click RCE flaw (tracked as CVE-2023-40088) found in Android's System component and doesn’t require additional privileges to exploit. User interaction is not needed for exploitation. As usual, Google released 2 patch sets with the December security updates month, identified as the 2023-12-01 and 2023-12-05 security levels. 
The latter includes all the fixes from the first set and additional patches for the 3rd party closed-source and Kernel components. That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
Last week, breaches and cyberattacks occurred across several industries, from the public sector, communications, retail, electric power, gaming and automotive to the healthcare industry, with devastating consequences such as major outages and data leaks. Furthermore, new vulnerabilities and patches have also been found and released. It is highly recommended to not only be aware of them but to also apply them as soon as possible.

Read on to receive a quick summary of what happened this week in the space of cybersecurity.

Okta admits hackers stole all customer support users’ data during a recent breach. Okta, a U.S. access and identity management giant, admits that hackers stole information on all users of its customer support system in a network breach 2 months ago. The company notified customers that the hackers downloaded a report containing data on clients that use its customer support system. The compromised data includes the clients’ names and email addresses. In some cases, the hackers may also have accessed the clients’ phone numbers, usernames and details of some employee roles. Okta’s follow-up analysis also found that the hackers accessed “additional reports and support cases” containing the contact information of all Okta-certified users and some Okta Customer Identity Cloud customer contacts. Some Okta employee information was also included in these reports, but the company has not confirmed how many of its employees are affected. Okta said in a statement that there is currently no evidence that this information is being actively exploited, but it notified customers because the compromised file increases their risk of phishing and social engineering attacks. The company also emphasised that none of its government customers were affected by the breach and that its Auth0 support case management system was not impacted. Okta advises all customers to use multi-factor authentication and phishing-resistant authentication such as physical security keys.

The British Library has started contacting customers as the Rhysida ransomware group leaks most of the stolen data. The Rhysida ransomware group has published most of the data it claimed to have stolen from the British Library, a month after the attack was disclosed. From a cursory look at the leaked files, they appear to contain data related to various British Library departments, functions and stakeholders. Rhysida’s website indicates that 490,191 files are included in the leak, totalling 573 GB. The site appears to show that 90% of the data has been uploaded, alongside a small message suggesting that at least some of the data was sold. The British Library has posted an update on its website confirming Rhysida’s claims and advising customers to change similar passwords used on other websites. According to disclosure notices sent to customers, Rhysida accessed the library’s CRM databases, which “at a minimum” contain the names and email addresses of most of its customers. Customers’ postal addresses or telephone numbers may also be included if the customer used certain library services (which were not specified). The British Library has posted on its blog, which is separate from the downed website, the services that are and are not available; this list has largely remained unchanged since the previous status updates, other than the restoration of its Wi-Fi networks and card payment terminals.

Line operator reports massive data breach that compromised 440,000 personal records. LY Corp reported a massive data breach on Monday that resulted in 440,000 items of personal data being leaked, including more than 300,000 linked to Line messaging app users. This was the result of unauthorised access to an affiliate’s computer system in October. The leaked user data includes age group, gender and some service use histories. Information about the company's business partners and employees was also leaked, such as names, email addresses and affiliations. However, the company stated that financial information such as users’ bank accounts and credit cards was not leaked, nor were their chat messages. It has also found no reports of misuse so far. The company confirmed that the data leak occurred on 29 October but took a month to announce it, as it needed time to confirm the scale of the breach. LY Corp has also reported the case to the relevant authorities and is contacting users, business partners and impacted customers about the leak.

Certis Security Australia suffered an email breach, compromising personal information of employees and partners. Certis Security Australia, a physical security company, has suffered a breach of its email system. The company stated that no customer data was affected; however, the personal information of some employees and partners has been accessed. The information accessed includes names, birth dates, addresses, phone numbers and tax file numbers. The company “isolated and removed access” to its email systems by the unauthorised actors to reduce the likelihood of damage to its systems or data loss. It also engaged a third-party cybersecurity specialist to provide assistance.

Capital Health Hospitals suffers a cyberattack causing IT outages. Capital Health hospitals and physician offices in New Jersey are suffering IT outages after a cyberattack hit the non-profit organisation’s network earlier this week. The healthcare system manages 2 hospitals (Regional Medical Center and Capital Health Medical Center), an outpatient facility, and dozens of New Jersey primary and specialty care practices. Capital Health confirmed that both hospitals are currently accepting incoming patients under protocols established for system downtime. The non-profit stated that it is currently prioritising safe patient care while working to restore the network and address the impact of the cyberattack. Capital Health is working with third-party forensic and IT experts to restore the impacted services. It also notified the relevant authorities immediately after the cyberattack was detected. As of now, surgical schedules are minimally impacted, outpatient radiology is unavailable, and neurophysiology and non-invasive cardiology testing are being rescheduled. Capital Health expects that its systems will continue to be down for at least another week and could not provide a timeline for when the ongoing issues will be resolved.

Dollar Tree suffers third-party data breach: close to 2 million individuals’ personal information affected. Dollar Tree, a discount chain, was impacted by a third-party data breach that affected 1,977,486 people after ZeroedIn, a workforce analytics service provider, suffered a data breach. ZeroedIn detected that a threat actor had unauthorised access to certain systems between 7 and 8 August. After investigation, it determined that some of the files accessed or stolen by the attackers contained personal information. The accessed data pertained to certain customers, including Dollar Tree and Family Dollar. ZeroedIn notified Dollar Tree of the incident after determining that some of the compromised information pertained to “certain individuals associated with them”. The personal information stolen includes the names, birth dates and social security numbers of applicants and current and former employees of Dollar Tree. ZeroedIn may face a class-action lawsuit over this breach, as data breach lawyers at Console & Associates announced that they are investigating the matter on behalf of impacted individuals.

A ransomware attack on Ardent hospitals caused disruption in 6 states. Ardent Health Services, a healthcare provider that operates 30 hospitals across 6 U.S. states, disclosed that its systems were hit by a ransomware attack. The incident led the provider to take its entire network offline, suspending all user access to its information technology applications, including corporate servers, Epic software, internet and clinical programs. It has also reported the incident to the relevant authorities and hired external experts to investigate the extent and impact of the attack. Impacted hospitals are currently diverting all patients requiring emergency care to other hospitals in their area, but they can still provide medical screening and stabilising care to patients arriving at their emergency rooms. Patient care services are still active in Ardent’s clinics, although certain non-urgent elective surgeries have been temporarily halted while it works to restore encrypted systems. Ardent will directly contact individuals who need appointments or procedures rescheduled. Ardent could not provide a definitive timeline for the restoration process, and has yet to confirm whether any patient health or financial data was compromised during the attack, as investigations are still ongoing.

Slovenia’s largest power provider, HSE, suffered a ransomware attack. Slovenian power company Holding Slovenske Elektrarne (HSE) has suffered a ransomware attack that compromised its systems and encrypted files, although the company has said the attack did not disrupt electric power production. Local news reported that HSE suffered the ransomware attack on 22 November, with the company containing it on 24 November. The company has reported the incident to the relevant authorities and is engaged with external experts to mitigate the attack and prevent the malware from spreading to other systems across Slovenia. A statement has also been issued that no operational disruption or significant economic damage is expected. According to spokespersons, the impairment is limited to the websites of the Šoštanj Thermal Power Plant and the Velenje Coal Mine.

Ransomware attack on ‘Ethyrial: Echoes of Yore’ game wiped all players' accounts. A ransomware attack on the ‘Ethyrial: Echoes of Yore’ game destroyed 17,000 players’ accounts, deleting their in-game items and progress. As announced on the game’s official Discord server, ransomware actors attacked the main server and encrypted all data, including local backup drives, and demanded payment for the decryption key. The game developers did not trust that paying the ransom would guarantee the decryption key, so they decided to rebuild the server and create new account and character databases. The developers have also stated that they will manually restore everything (players’ items and progress) that was lost during the attack once the servers are back up. They also promised to increase the frequency of offline account database backups, implement a P2P VPN for remote connections to the development server, and whitelist the specific IPs allowed to access the development server.

DP World confirms data stolen in early November cyberattack. DP World, an international logistics giant, confirmed that data was stolen during the 10 November cyberattack. The company found that some of its files were accessed by the attackers and a “small amount” of data was exfiltrated from the DP World Australia network. Investigations showed that customer data was not affected; however, some of the impacted data did include the personal information of current and former employees of DP World Australia. The company stated that no ransomware payloads or encryption were used during the attack. DP World established that the cyberattack only affected its Australian business. All impacted individuals will be notified so they can take appropriate measures, and they will also receive support from a specialist team and service coverage to mitigate identity theft and fraud risks.

Yanfeng Automotive Interiors suffers a cyberattack: the Qilin ransomware group claims responsibility. Yanfeng, one of the world’s largest automotive parts suppliers, has suffered a cyberattack for which the Qilin ransomware group claims responsibility. Earlier this month, it was reported that Yanfeng was impacted by a cyberattack that directly affected Stellantis, forcing the car company to stop production at its North American plants. Although the Chinese company did not respond to inquiries, its main website was inaccessible until 28 November. The Qilin ransomware group claimed the attack on Yanfeng by adding the company to its data leak site, publishing multiple samples to prove its alleged access to Yanfeng systems and files. These include financial documents, non-disclosure agreements, quotation files, technical data sheets, and internal reports. The threat actors have threatened to release all the data in their possession, but no specific deadline was set.

A U.S. water facility was breached via exposed Unitronics PLCs. CISA (the Cybersecurity & Infrastructure Security Agency) warns that hackers breached a U.S. water facility by hacking into Unitronics programmable logic controllers (PLCs) exposed online. PLCs are essential control and management devices, and hackers compromising them could have severe consequences, such as contaminating the water supply by altering chemical dosing or even halting the water supply. Luckily, the attack did not compromise potable water safety for the served communities. CISA emphasised that the water facility was breached because hackers took advantage of poor security practices rather than exploiting a zero-day vulnerability in a product. CISA has recommended that system administrators:

The Japanese space agency, JAXA, hacked in a cyberattack over the summer. The Japan Aerospace Exploration Agency (JAXA) suffered a cyberattack over the summer that may have put sensitive space-related technology and data at risk. The breach was discovered this autumn when law enforcement authorities alerted JAXA that its systems were compromised. In a press conference, Japan's Chief Cabinet Secretary Hirokazu Matsuno revealed that the attackers gained access to the agency’s Active Directory (AD) server, a crucial component that oversees JAXA’s network operations. The server likely contains critical information such as employees’ credentials. JAXA is now working with government cybersecurity experts and law enforcement to determine the extent of the compromise.

Apple fixes 2 new iOS zero-day vulnerabilities in emergency updates. Apple has released emergency security updates to fix 2 zero-day vulnerabilities (CVE-2023-42916 and CVE-2023-42917) that are being exploited in attacks. These vulnerabilities impact iPhone, iPad and Mac devices. The 2 vulnerabilities were found in the WebKit browser engine and allow attackers to gain access to sensitive information via an out-of-bounds weakness, and to gain arbitrary code execution via a memory corruption bug on vulnerable devices. The fixes for these security flaws are shipped in iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2. It is highly recommended that all users of these devices update immediately.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!