Weekly Cyber News Update: 6 May - 12 May
13/5/2024

Last week, breaches and cyberattacks occurred across several industries, from the public, technology, watch and physical security sectors to healthcare. Devastating consequences have been uncovered from earlier data breaches and attacks: the University System of Georgia determined that the 2023 Clop MOVEit breach led to 800,000 individuals’ data being stolen, and the Ohio Lottery ransomware attack has led to over 500,000 individuals’ data being compromised. Additionally, a massive webshop fraud ring has stolen credit card information from over 850,000 people. Furthermore, new vulnerabilities and patches for Citrix have also been found and released. It is highly recommended not only to be aware of them but also to apply the updates as soon as possible. Read on to receive a quick summary of what happened this week in the space of cybersecurity.

Dell data breach: 49 million customers’ personal data exposed.
Dell disclosed via emails to its customers a data breach that potentially exposed the personal information of approximately 49 million customers. The emails came after a threat actor, Menelik, claimed the breach on BreachForums and offered to sell the stolen data of 49 million customers and other information on systems purchased from Dell between 2017 and 2024. In the email, Dell stated that an investigation is underway. The personal information stolen is believed to include customers’ names, physical addresses, and purchase order details. Menelik listed the stolen data as including customers’ full name, address, city, province, postal code, warranty plan, company name, Dell order number, Dell customer number, system shipped date, and the unique 7-digit service tag of the system. However, the stolen information did not include any highly sensitive information such as financial information, email addresses or telephone numbers. Furthermore, the threat actor disclosed that the stolen database also contains entries from enterprise clients, partners, educational institutions, and others. It was also said that the top 5 countries with systems in the leaked database are the US, China, India, Australia and Canada. An investigation is currently underway, and Dell has notified the relevant law enforcement.

City of Wichita suffers a ransomware attack and is forced to shut down its IT network.
The City of Wichita, Kansas, disclosed that it was forced to shut down parts of its network after suffering a weekend ransomware attack. The City confirmed that it suffered an attack on 5 May 2024, whereby its IT systems were encrypted with ransomware. At this time, it is unknown whether data has been stolen. As of now, Wichita continues to face disruption, with the latest status update listing the following services as unavailable: autopayments for water bills; public Wi-Fi at certain locations; the Library’s online catalog, databases and some digital services; email communications for Library staff; self-service print release stations and self-check stations at the Library; the automated materials handler at the Advanced Learning Library; most incoming phone call capability for the Library; and Wi-Fi and phone services at neighborhood resource centers. Public services including golf courses, parks, courts, and the water district require residents to pay in cash or by check while online payment platforms are shut down. In addition, some public safety services like the WFD and WPD have resorted to using “pen and paper” reports, and Wichita Transit buses and landfill services can only accept cash payments. The LockBit ransomware gang has claimed responsibility for the attack and has added Wichita to its extortion portal. It is threatening to publish all stolen files on the site by 15 May unless the City pays the ransom.

Ascension suffers a major cyberattack: some of its systems were taken offline.
Ascension, a U.S. healthcare provider, suffered a cyberattack that took down multiple essential systems, including electronic health records, the MyChart platform for patient communication, and certain medication and test-ordering systems. Ascension disclosed the attack on 8 May and stated that an investigation into the attack is underway. The provider has temporarily paused non-emergency medical procedures and appointments, and some hospitals are diverting emergency medical services. Patients were advised to bring relevant medical information to appointments due to system limitations. The company stated that the investigation is ongoing to determine if any sensitive information was affected, and that it will notify and support impacted individuals according to all regulatory and legal guidelines.

DocGo confirmed it suffered a cyberattack and patient health data was stolen.
DocGo, a mobile medical care firm, confirmed that it suffered a cyberattack after threat actors breached its systems and stole patient health data. In an 8-K filing with the SEC, DocGo stated that it recently suffered a cyberattack and is working with 3rd party cybersecurity experts to assist in the investigation. It has also notified the relevant authorities. As part of the investigation, it was determined that hackers stole protected health information from a “limited number of healthcare records”. The company stresses that no other business units have been affected, and that it has found no evidence of continued unauthorized access.

Singapore’s watchdog investigating Citizen Watches data breach: customers’ personal details stolen.
The Personal Data Protection Commission (PDPC) is investigating a data breach that resulted in the personal data of Citizen Watches customers being stolen. In an email sent to impacted customers on 30 April, the company notified them of the 24 April 2024 breach, which it discovered on 25 April. The company stated that the attacker had stolen personal data from its remote server. The personal information stolen included customers’ name, contact details, email address, password, birth date, country/region, occupation, and income range. Citizen Watches stated that it had taken steps to prevent “any potential harm” to its customers, and had identified the root cause of the breach.

MoD data breach: UK armed forces’ personal details compromised.
A payroll system used by the UK’s Ministry of Defence has suffered a data breach, which led to the personal information of an unknown number of current and past serving UK military personnel being compromised. The personal information compromised includes names and bank details. In a very small number of cases, the compromised data includes personal addresses. The data relates to current and former members of the Royal Navy, Army, and Royal Air Force over a period of several years. As the system was managed by an external contractor, no operational MoD data has been obtained. The MoD has taken immediate action, the system has been taken offline, and investigations are ongoing.

British Columbia investigating multiple cyberattacks on government networks.
The Government of British Columbia is investigating multiple cyberattacks that have impacted the Canadian province’s government networks. Premier David Eby stated that there is no evidence that the attackers accessed or stole sensitive information from the compromised networks. The government is working with the Canadian Centre for Cyber Security and other agencies to determine the extent of the incidents and to implement additional security measures. The government has yet to disclose the number of cyberattacks that impacted its networks and when they were detected.

Amberstone Security exposed nearly 1.3 million documents via an unprotected database.
Amberstone Security, a UK-based physical security business, exposed 1,274,086 documents due to an unprotected database, according to an infosec researcher. The researcher stated that they stumbled upon data belonging to the company, which included thousands of pictures of its guards and pictures of individuals suspected of offenses including shoplifting. Among the exposed data, which dates back to 2017, was a folder that contained 99,151 snapshots of guards checking in for their shifts, either by using a picture of themselves, their ID cards or both. The pictures taken of the ID cards displayed basic information such as the guard’s name, headshot, and the card’s expiry date; in some cases, the signature was shown too. In terms of suspected offenders, images were found of people seemingly caught in the act via CCTV or photographed by security personnel afterward. Many images clearly depicted the suspects and were captioned with information such as their names, birthdate, and the nature of their alleged offense. In some cases, detailed descriptions of how a suspect operates were found, as were spreadsheets with information about offenses, how they were committed, and whether violence was used. It is unclear whether the exposed data has been accessed by threat actors. A day after being alerted to the exposed database, the company revoked public access to it, and an investigation into the incident is underway.

Massive webshop fraud ring stole credit card information from over 850,000 people.
A massive network of 75,000 fake online shops called ‘BogusBazaar’ has tricked over 850,000 people in the US and Europe into making purchases, allowing criminals to steal their credit card information and attempt to process an estimated $50 million in fake orders. Furthermore, millions of stolen credit card details have been resold on dark web marketplaces, allowing other threat actors to purchase them and make unauthorised online purchases. According to SRLabs’ report, the BogusBazaar network has attempted to process an estimated $50 million in fake purchases since the operation launched 3 years ago. Most of the victims are concentrated in the US and Western Europe. It is highly recommended that consumers check the authenticity of an online shop by reading online reviews, checking for contact information, examining the return policy, checking for trust seals, browsing the website content in general, and checking its social media presence.

University System of Georgia: Clop MOVEit breach led to the exposure of 800,000 individuals’ data.
The University System of Georgia (USG) is sending data breach notifications to 800,000 affected individuals whose data was exposed in the 2023 Clop MOVEit attacks. USG determined that Clop had stolen sensitive files from its systems and began notifying impacted people. The notices were sent between 15 April and 17 April 2024 and informed affected individuals that the threat actors had accessed their full or partial (last 4 digits) social security number, birth date, bank account number(s), and federal income tax documents with Tax ID number. It is presumed that this breach affects current and prior students, academic staff, contractors and other personnel. The entry on the Office of the Maine Attorney General’s portal also lists driver’s license number or identification card number as exposed data types, although these were not mentioned in the notice. USG is offering impacted individuals 12 months of identity protection and fraud detection services, and recipients are given until 31 July 2024 to enroll.

Ohio Lottery ransomware attack: over 500,000 individuals’ data compromised.
The Ohio Lottery is sending data breach notification letters to 538,959 individuals who were affected by a cyberattack that hit its internal office network on Christmas Eve. The attackers managed to access affected people’s names, social security numbers, and other personal identifiers. The Ohio Lottery stated that no evidence was found that the stolen information had been used for fraud. However, it will provide free credit monitoring and identity theft protection services to all potentially affected individuals. The breach was claimed by the DragonForce ransomware gang, which stated that it encrypted devices and stole documents belonging to Ohio Lottery customers and employees.

Citrix warns admins to manually mitigate PuTTY SSH client vulnerability.
Citrix notified customers to manually mitigate a PuTTY SSH client vulnerability (tracked as CVE-2024-31497) that could allow attackers to steal a XenCenter admin’s private SSH key. This vulnerability impacts multiple versions of XenCenter for Citrix Hypervisor 8.2 CU1 LTSR, which bundle and use PuTTY to make SSH connections to guest VMs when clicking the “Open SSH Console” button. Citrix stated that the PuTTY components have been removed starting with XenCenter 8.2.6, and any versions after 8.2.7 will no longer include them. Those who want to mitigate the vulnerability can download the latest version of PuTTY and install it in place of the version bundled with older XenCenter releases. Those who do not wish to use the “Open SSH Console” functionality can remove the PuTTY component completely. Customers who wish to keep using PuTTY should replace the version installed on their XenCenter system with an updated version (version number of at least 0.81).

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
Last week, breaches and cyberattacks occurred across several industries, from hospitality, software, aviation and pharmaceuticals to the debt collection industry. Devastating consequences have been uncovered from earlier data breaches and attacks, such as UnitedHealthcare’s CEO stating that the recent data breach may affect a third of US citizens. Additionally, the Philadelphia Inquirer revealed that the May 2023 data breach led to 25,549 individuals’ personal and financial information being stolen. Furthermore, new vulnerabilities and patches for GitLab, and warnings about weak DMARC policies, have also been found and released. It is highly recommended not only to be aware of them but also to apply the updates as soon as possible. Read on to receive a quick summary of what happened this week in the space of cybersecurity.

Panda Restaurants discloses a March data breach: corporate systems compromised and associates’ personal information stolen.
Panda Restaurant Group, the parent company of Panda Express, Panda Inn and Hibachi-San, disclosed a data breach that occurred on 10 March 2024 and compromised some of its corporate systems. In-store systems, operations, and guest experience were unaffected. However, current and former associates’ data was stolen. The exposed information includes victims’ names or other personal identifiers, and their driver’s licence numbers or non-driver identification card numbers. The unauthorised hacker accessed the corporate systems between 7 March and 11 March 2024. As soon as it detected the incident, the company carried out remediation and recovery efforts, and started an investigation with 3rd party cybersecurity experts and law enforcement agencies to determine the nature and extent of the breach. Panda has yet to disclose the total number of individuals whose personal information was accessed or stolen in this breach.

Dropbox discloses data breach: customers of Sign, its eSignature service, impacted.
Dropbox disclosed on 2 May 2024 that a threat actor managed to gain access to the Sign production environment and accessed customer information. The compromised personal information includes customers’ email addresses, usernames, phone numbers, hashed passwords, data on general account settings, and authentication data such as API keys, OAuth tokens and multi-factor authentication. Even users who only received or signed a document through Sign without creating an account had their names and email addresses compromised. Fortunately, there is no indication that payment information or customers’ files (signed documents and agreements) were accessed. The investigation is ongoing, but so far there is no evidence that other Dropbox products were impacted. The company is notifying impacted customers, logging them out of the Sign service, and resetting their passwords. In addition, API keys and OAuth tokens are being rotated. Customers who use an authenticator app for MFA are strongly advised to reset it, and to change their passwords on any other online services that use the same password as Sign.

Qantas loyalty app data breach: customers able to access strangers’ travel information.
Australia’s Qantas Airways stated on 2 May 2024 that it is investigating issues that impacted its frequent flyer application after media reports suggested there was a data breach that allowed users to access other passengers’ travel information, including their names, upcoming flight plans, points balance and boarding pass. Some users could see others’ full travel information, and one was able to cancel someone else’s tickets. The airline apologised for the issue and stated that the technical disruption was not a cyber security incident; rather, it was caused by a technology issue that may be related to recent system changes.

London Drugs closed all stores following a ‘cybersecurity incident’.
Canadian pharmacy chain London Drugs closed all of its stores, over 80 outlets, over the weekend until further notice following a “cybersecurity incident”. A London Drugs spokesperson stated that a “cybersecurity incident” was behind the store closures, and declined to answer specific questions about it. Furthermore, its phone lines were temporarily taken down, and people should go to its stores for urgent pharmacy needs. The company stated that it immediately took counter security measures and has started an investigation with 3rd party cybersecurity experts. As of then, it had found no evidence that customer or employee data had been compromised.

FBCS, a debt collection agency, warns 1.9 million individuals impacted by a data breach.
Financial Business and Consumer Solutions (FBCS), a U.S. licensed debt collection agency, is notifying 1,955,385 impacted individuals in the U.S. that the company suffered a data breach after it discovered that unauthorised actors had been inside its network since 14 February 2024. The threat actor was able to view or acquire certain information on the FBCS network during the period of access. The compromised data includes customers’ full name, social security number, birth date, account information, and driver’s licence number or ID card. It is highly recommended that impacted individuals stay vigilant against unsolicited communications and monitor their account statements and credit reports for any suspicious activity.

Philadelphia Inquirer reveals that the May 2023 data breach led to 25,549 individuals’ personal and financial information being stolen.
The Philadelphia Inquirer revealed that the attackers behind the May 2023 data breach stole 25,549 individuals’ personal and financial information. The information exposed during the breach includes individuals’ names and other personal identifiers in combination with financial account numbers or credit/debit card numbers (together with the security code, access code, password or PIN for the accounts). It is highly recommended that impacted individuals monitor their accounts for identity theft and fraud attempts. All impacted individuals are offered 24 months of free Experian credit monitoring and identity restoration services.

UnitedHealthcare’s CEO: recent data breach may affect a third of US citizens.
Change Healthcare’s parent company UnitedHealth Group’s CEO, Andrew Witty, stated during a House hearing that “maybe a third” of US citizens may be affected by the recent data breach, which led to personal information being stolen. Witty stated that he was reluctant to give a more precise answer as investigations are still ongoing, and the company is trying to figure out exactly how many people were affected. During the hearing, Witty stated it will probably take “several months” before the company can notify victims of the data breach. So far, the company has found no evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data. It was found that hackers used compromised credentials to access a Change Healthcare Citrix portal that was not protected by MFA. Witty confirmed to senators that UnitedHealth did pay $22 million to the ransomware group.

CISA: actively exploited maximum severity GitLab vulnerability allows attackers to take over accounts.
CISA warned on 1 May 2024 that attackers are actively exploiting a maximum-severity vulnerability (tracked as CVE-2023-7028) in GitLab that allows them to take over accounts via password resets. The flaw allows remote unauthenticated threat actors to have password reset emails sent to email accounts under their control, change the password, and hijack targeted accounts without user interaction. However, attackers are unable to exploit this vulnerability against accounts that have 2FA enabled. It is critical to patch systems where accounts are not protected with 2FA. The vulnerability impacts GitLab Community and Enterprise editions; GitLab fixed it in 17.7.2, 16.5.6, and 16.6.4 and backported patches to versions 16.1.6, 16.2.9, and 16.3.7.

Finland: ongoing Android malware attacks attempting to breach online bank accounts.
Finland’s Transport and Communications Agency (Traficom) warns of an ongoing malware attack that is attempting to breach online bank accounts. Multiple cases of attacks involve SMS messages instructing users to call a number. The scammer then instructs victims to install a McAfee app for protection, which is in fact malware that allows attackers to breach the victim’s bank accounts. These messages are supposedly sent from banks or payment service providers like MobilePay. In one case, a victim lost 95,000 euros after the scammers managed to log into the victim’s banking account and transfer money. Traficom states that the campaign targets only Android devices. If you have installed the malware, immediately contact your bank for protection measures and restore “factory settings” on the infected device to erase all data and apps.

NSA & FBI: North Korean hackers are exploiting weak email DMARC policies to mask attacks.
The NSA and FBI jointly caution that APT43, a North Korea-linked hacking group, is exploiting weak email Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to mask spear phishing attacks. The attackers utilise this weakness to send spoofed emails which seem to come from credible sources such as journalists, academics, and other experts in East Asian affairs. The NSA stated that these campaigns are used to collect intelligence on geopolitical events, adversary foreign policy strategies, and any information that affects DPRK interests, by gaining illicit access to targets’ private documents, research and communications. To mitigate the threat, defenders are advised to update their organisation’s DMARC security policy to use “v=DMARC1; p=quarantine;” or “v=DMARC1; p=reject;” configurations. It is also recommended that organisations set other DMARC policy fields, such as ‘rua’, to receive aggregate reports about the DMARC results for email messages from the organisation’s domain.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
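To check a domain's DMARC record against the NSA/FBI advice in the item above (p=none or no record lets spoofed mail through; p=quarantine or p=reject does not; rua should be set for aggregate reports), here is a small policy checker. It is an added example, not code from the original post or the advisory; the sample records and the rua mailbox are constructed placeholders.

```python
"""DMARC policy checker (added example). Classifies a DMARC TXT record as weak or
enforcing and rewrites weak records to the advised configuration.
The sample records and the rua mailbox below are constructed placeholders."""

from typing import Dict, List, Optional

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Parse 'tag=value; tag=value' into a dict. Returns None if the text is not a
    DMARC record (RFC 7489 requires the first tag to be v=DMARC1)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if not tags or list(tags)[0] != "v" or tags["v"].upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record: Optional[str]) -> List[str]:
    """Return the weaknesses found; an empty list means the record matches the
    recommended configuration (enforcing policy, full coverage, reporting on)."""
    if record is None:
        return ["no DMARC record: spoofed mail from this domain is not rejected"]
    tags = parse_dmarc(record)
    if tags is None:
        return ["malformed record: receivers ignore it, same effect as no record"]
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("missing or invalid p= tag: record is not enforceable")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    # sp= governs subdomains; when absent they inherit p=, so flag only an explicit weakening
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none: subdomains can still be spoofed")
    # pct= below 100 applies the policy to only a fraction of failing messages
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy != "none":
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= tag: domain owner receives no aggregate reports")
    return findings


def harden_dmarc(record: Optional[str], policy: str = "reject",
                 rua: str = "mailto:dmarc-reports@example.com") -> str:
    """Rewrite the record to the advised configuration. The default rua address is
    a placeholder the domain owner must replace with a mailbox they control."""
    tags = parse_dmarc(record) if record else None
    if tags is None:
        tags = {"v": "DMARC1"}
    tags["p"] = policy
    tags.pop("sp", None)   # let subdomains inherit the enforcing policy
    tags.pop("pct", None)  # apply the policy to 100% of failing mail
    tags.setdefault("rua", rua)
    # v= must come first; keep the remaining tags in a stable order
    ordered = ["v", "p"] + [k for k in tags if k not in ("v", "p")]
    return "; ".join(f"{k}={tags[k]}" for k in ordered)


# Constructed sample records covering the situations the advisory describes.
SAMPLE_RECORDS = {
    "no-record.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=20; sp=none",
    "enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example",
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        problems = assess_dmarc(record)
        print(domain, "->", problems or ["ok"])
        if problems:
            print("   suggested:", harden_dmarc(record))
```

In practice the record text comes from the `_dmarc.<domain>` TXT lookup; feed that string to `assess_dmarc` and compare the suggestion from `harden_dmarc` with what is published.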
Last week, breaches and cyberattacks occurred across several industries from healthcare to the public sector. Devastating consequences have been uncovered from earlier data breaches and attacks, such as UnitedHealth confirming that they paid the ransom to stop their patients’ data from being leaked. Furthermore, new vulnerabilities and patches for WP Automatic WordPress and Progress Flowmon have also been found and released. It is highly recommended to not only be aware of them but to also update them as soon as possible.
Read on to receive a quick summary of what happened this week in the space of cybersecurity.

U.S. health conglomerate Kaiser notifies 13.4 million customers of data breach.
On Thursday, Kaiser posted a notice stating that it will be notifying millions of its members of a data breach that occurred earlier this month. The Kaiser Foundation Health Plan confirmed that 13.4 million current and former residents and patients had their information leaked to 3rd party trackers that were installed on its websites and mobile applications. These 3rd party vendors include Google, Microsoft Bing, and X (Twitter). The leaked data may include IP addresses, names, information that could indicate a member or patient has signed into a Kaiser Permanente account or service, details showing how a member or patient interacted with and navigated through the website and mobile app, and search terms used in the health encyclopaedia. Typically, such information is shared with an extensive network of marketers, advertisers, and data brokers. The organisation stated that the trackers were discovered and removed following a voluntary internal investigation, and that additional security measures have been implemented to prevent the incident from reoccurring. As of now, Kaiser has found no evidence of any member’s or patient’s personal information being misused.

DPRK hacking groups breached South Korea’s defence contractors to steal information.
The National Police Agency in South Korea issued an urgent warning on 23 April that North Korean hacking groups have breached defence industry entities to steal technology information. The North Korean hacking groups Lazarus, Andariel and Kimsuky were found to have breached South Korean defence companies by leveraging vulnerabilities in the targets’ or their subcontractors’ environments to plant malware and exfiltrate data. Multiple companies had been compromised since late 2022 but were unaware of the breach until authorities informed them. The Korean police recommend that both defence companies and their subcontractors improve their network segmentation, reset their passwords periodically, set up 2FA on all critical accounts, and block foreign IP addresses.

LA County Health Services: data breach has exposed thousands of patients’ data.
LA County Health Services disclosed a data breach after approximately 6,085 patients’ personal and health information was exposed due to a recent phishing attack that impacted over two dozen employees. According to the data breach notification, 23 employees had their mailboxes compromised after their credentials were stolen in a February attack, giving the attackers access to patients’ personal and health data stored in the employees’ email inboxes. The compromised information includes patients’ full name, birth date, home address, phone number, email address, medical record number, client identification number, dates of service, medical information (e.g. diagnosis/condition, treatment, test results, medications), and/or health plan information; the exact data exposed differs from one affected individual to another. Upon discovering the breach, the organisation disabled the impacted email accounts and quarantined all suspicious incoming emails. No evidence has been found that the attackers accessed or misused the exposed personal and health information. However, LA County Health Services advises all affected patients to contact their healthcare providers to verify the content and accuracy of their medical records.

UnitedHealth confirmed it paid the ransom to stop data leak.
UnitedHealth Group confirmed on Monday that it paid the ransom to the ransomware gang to protect patient data from being leaked. This followed the February cyberattack on its subsidiary, Change Healthcare. The company also confirmed that files containing personal information were compromised in the breach. In a statement to CNBC, the company said that it is currently working with law enforcement and multiple cybersecurity firms. The company has launched a call centre that will offer free identity theft protection and credit monitoring for 2 years. However, the call centre will not be able to offer any details about individual data impact due to the ongoing investigation and the complexity of the data review. Concerned patients can visit the company’s dedicated website for access to resources.

Okta warns of a spike in proxy-driven credential stuffing attacks aimed at online services.
Okta has warned of a surge in the frequency and scale of credential stuffing attacks aimed at online services. In a published alert, Okta warned that these attacks were facilitated by the broad availability of residential proxy services, lists of previously stolen credentials and scripting tools. Okta stated that it detected a surge in credential stuffing activity against user accounts from 19 April to 26 April 2024, likely from similar infrastructure. In some cases a user’s device had been infected with malware and enrolled in a botnet, which allows threat actors to conceal their malicious traffic. From Okta’s observation, most of the traffic in these credential stuffing attacks appears to originate from the mobile devices and browsers of everyday users. To mitigate the risk of account takeovers, Okta recommends that organisations require users to switch to strong passwords, enable 2FA, deny requests originating from locations where they do not operate and from IP addresses with poor reputation, and add support for passkeys.

Critical vulnerability in the WP Automatic WordPress plugin is being exploited: more than 5.5 million attacks detected.
Threat actors have started to exploit a critical severity vulnerability (tracked as CVE-2024-27956) in the WP Automatic plugin for WordPress to create user accounts with administrative privileges and to plant backdoors for long-term access. The plugin is currently installed on more than 30,000 websites. The vulnerability is an SQL injection issue and impacts WP Automatic versions before 3.9.2.0. More than 5.5 million attacks attempting to leverage this vulnerability have been observed, most of them recorded on 31 March. It is highly recommended that administrators update the WP Automatic plugin to version 3.92.1 or later.

Maximum severity vulnerability found in Progress Flowmon: patch available now.
A top severity security vulnerability (tracked as CVE-2024-2389) has been found in Progress Flowmon, a tool for network performance monitoring and visibility used by more than 1,500 companies globally. An attacker can exploit the vulnerability to gain remote unauthenticated access to the Flowmon web interface and execute arbitrary system commands. The vulnerability impacts versions v12.x and v11.x of the product. System administrators are strongly encouraged to upgrade to the latest releases, v12.3.4 and 11.1.14. The security update was released to all Flowmon customers either via the automatic package download system or manually from the vendor’s download centre. It is also highly recommended to upgrade all Flowmon modules afterwards.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
Last week, breaches and cyberattacks occurred across several industries from software, semiconductor, geospatial intelligence, consumer discretionary, gaming, telecom providers, smoke alarm, healthcare to the public sector. Devastating consequences have been uncovered from earlier data breaches and attacks, such as the Change Healthcare ransomware attack that cost UnitedHealth $872 million. Furthermore, new vulnerabilities and patches have also been found and releasedIt is highly recommended to not only be aware of them but to also update them as soon as possible.
Read on to receive a quick summary of what happened this week in the space of cybersecurity. Cisco’s Duo Multi-Factor Authentication (MFA) service breached. A 3rd party telephony service provider for Cisco’s Duo MFA service has been compromised by a social engineering cyber attack. Cisco Duo customers have been sent a notice to be on alert for any phishing attacks. In the notice sent to customers, the company explained that the 3rd party provider that handled SMS and VOIP MFA messaging traffic for them was breached on 1 April 2024. Reportedly, the threat actors utilised compromised employee credentials for the attack, and had managed to download SMS logs for specific users within a certain time frame once they were inside the service provider’s systems. In Cisco’s customer advisory, the attacker downloaded message logs for SMS messages that were sent to certain users under their Duo account between 1 March - 31 March 2024. The compromised information includes customers’ phone number, phone carrier, country and state to which each message was sent, as well as other metadata such as date and time of the message, type of message. However, no message content was compromised. In their advisory, Cisco Duo did not identify the breached telephony provider. Cisco advised impacted customers to notify anyone whose information was exposed, and to remain vigilant against any phishing attacks. Nexperia, a Dutch chipmaker, confirmed a data breach after a ransomware gang leaked stolen data. In a press statement on Friday, Nexperia disclosed that attackers managed to breach some of their IT servers in March 2024, which forced them to shut down the affected IT systems to contain the incident and implement extensive mitigation. Nexperia confirmed the incident after a ransomware group, Dunghill, claimed to have stolen 1 TB of confidential data and leaked a sample of the allegedly stolen files on 10 April 2024. 
The threat actors published images of microscope scans of electronic components, employee passports, non-disclosure agreements, and various other samples. However, the authenticity of the allegedly stolen data has not been confirmed by Nexperia. Dunghill claims that they plan to leak 371 GB of design and product data, 246 GB of engineering data, 96 GB of commercial and marketing data, 41.5 GB of corporate data, 109 GB of client and user data, and 121.1 GB of various files and miscellaneous data if the ransom demand is not paid. Nexperia has launched an investigation with the support of 3rd party experts to determine the nature and scope of the incident and to implement strong measures to prevent this incident from reoccurring. Nexperia has also reported the incident to the relevant authorities.

UN investigating a ransomware attack that led to data theft.

In a statement published on Tuesday, the United Nations Development Programme (UNDP) disclosed that they received a threat intelligence notification that a threat actor had hacked into their local IT infrastructure in UN City, Copenhagen, in late March. The stolen data included certain human resources and procurement information. The UN agency stated that actions were immediately taken to identify the source, contain the affected server, and determine the specifics of the exposed data and the individuals impacted by this attack. Although the UN agency did not disclose the specific threat group, the 8Base ransomware gang added a new UNDP entry to their data leak website on 27 March. The attackers stated that they managed to exfiltrate large amounts of sensitive information, which includes personal data, accounting data, certificates, employment contracts, confidentiality agreements, invoices, receipts and more.

Space-Eyes data breach exposed sensitive data from critical US government agencies.
IntelBroker, a threat actor, has claimed to have breached Space-Eyes, a geospatial intelligence firm that works exclusively with US government agencies. These include the Department of Justice, the Department of Homeland Security, various branches of the US Armed Forces, and crucial intelligence bodies such as the National Geospatial-Intelligence Agency. The breach has allegedly compromised the digital infrastructure of the firm, which could expose US national security data. IntelBroker claimed that it took them only 10-15 minutes to access the sensitive data on Space-Eyes’ systems.

Singapore’s Ministry of Education (MOE): A 3rd party data breach has compromised the personal data of parents and staff at 127 schools.

A data breach at one of MOE’s vendors has resulted in the names and email addresses of parents and staff from 5 primary schools and 122 secondary schools being compromised. MOE stated that they were notified by Mobile Guardian, a device management app installed on the personal learning devices used by students, that its user management portal was breached on Wednesday, with the incident occurring at the company’s headquarters in Surrey, UK. As Mobile Guardian’s management portal was used for administrative purposes, users’ names, email addresses, time zones, school names and whether the user was a parent or school staff have been accessed. MOE also stated that their own device management app was not affected by the data breach as it is separate from Mobile Guardian’s user management portal. The Ministry has stated that all affected parties have been informed of the breach, and recommended that victims be vigilant against any phishing emails. The Ministry stated that they have expressed their concerns to Mobile Guardian and have lodged a police report. Mobile Guardian has implemented further security measures in response to the incident, such as locking down all administrative accounts, and has also apologised for the breach.
A hospital in France had to postpone procedures after a cyberattack.

The Hospital Simone Veil in Cannes (CHC-SV) announced on Tuesday that they had been cyberattacked, which severely impacted their operations. CHC-SV is an important medical establishment in France, particularly in the region of Cannes. The hospital was forced to take all their computers offline earlier this week due to the cyberattack, and had only their telephone systems available for communication. The hospital did not disclose many details but stated that they have not received any ransom demand. Investigations are currently underway. Although all their units are continuing operations, all record-keeping has reverted to pen and paper, and some patients had to be diverted to other hospitals nearby. Furthermore, roughly 30% of all non-urgent surgical procedures scheduled this week were cancelled, and many non-urgent consultations were rescheduled for later. The hospital stated that as of now their priority is to restart the patient care systems that contain test results and patient records. However, this is dependent on the progress of the technical investigations, which could take a long time.

Atlantic fisheries body confirms data theft after 8Base ransomware gang claims breach.

The Atlantic States Marine Fisheries Commission (ASMFC) disclosed that their email systems were down, and were forced to create a temporary email address and phone number. Tina Berger, director of communications for ASMFC, stated that they are responding to a cyber incident that is affecting their systems, but did not confirm if it was a ransomware attack. On Monday, the 8Base ransomware gang added ASMFC to their data leak site, and gave officials 4 days to meet their ransom demand. The gang claimed to have stolen invoices, personal data, contracts and more.

Home Depot suffered a 3rd party breach: 10,000 employees’ personal information leaked.
Home Depot has disclosed that a 3rd party breach at their SaaS vendor has resulted in a subset of employee data being leaked. The incident came to light when IntelBroker, a known threat actor, claimed that they stole 10,000 Home Depot employees’ personal information. A Home Depot spokesperson has confirmed that the Atlanta, Georgia-based company has suffered a data breach. The personal information exposed includes employees’ names, work email addresses, and user IDs that were used during testing of their systems. Home Depot did not disclose the identity of the breached vendor, and it is unclear if Home Depot or the external vendor has notified the impacted individuals about the breach.

Frontier Communications, a telecom provider, suffers a cyberattack: Forced to shut down their systems, causing operational disruption.

Frontier Communications, a leading American telecommunications provider, was forced to partially shut down some of their systems during a cyberattack to prevent threat actors from moving laterally through the network. This has resulted in some operational disruption. Despite their response, Frontier has stated that the attackers could access some personally identifiable information. Frontier believes that they have contained the breach, has since restored their affected core IT systems, and is working on restoring normal business operations. Despite the company’s assurances, many customers have reported that their Internet connection has been down and that the support phone numbers are playing pre-recorded messages instead of redirecting to a human operator. In their SEC filing, Frontier stated that they are currently investigating the incident with cybersecurity experts, and have also notified the relevant authorities.

Void Interactive suffers a massive data breach: Over 4 TB of data stolen, including full source code.
Void Interactive, the developer of Ready or Not, suffered a massive data breach in which over 4 TB of data was stolen, including over 2.1 million files. The ransomware group announced in March that they had accessed Void Interactive’s data. However, Void Interactive has not announced any breach or concern regarding Ready or Not. Insider Gaming has been shown the contents of the stolen data, and it includes all of the Ready or Not source code, code for what appears to be console builds of the game, and the results of various performance tests. Insider Gaming was also shown images of the game running on a PlayStation 4 test kit. There was also build data for Xbox One, Xbox Series X|S, and PlayStation 5. Fortunately, it seems that the personal information of players and staff members has not been compromised, and the stolen data seems to be centred around the game itself.

Smoke Alarm Solutions, a smoke alarm company in Australia, suffers a data breach.

One of Australia’s largest smoke alarm companies, Smoke Alarm Solutions, left 762,856 documents, totalling 107 GB of sensitive customer information, exposed online in a database without password protection for nearly 3 months. The files included more than 355,000 detailed invoices from 2021-2024, records of inspections, estimates, compliance reports, electrical safety inspections, service quotes, and service reports. Furthermore, nearly 25,000 additional documents marked as “on-site quotes” contained the names and email addresses of the business, agent or individual obtaining the quote. Cybersecurity researchers have warned that this sensitive customer information was “very likely” accessed by malicious actors. Mr Fowler, in a report on this incident, stated that this exposure came at a “perfect timing” for criminals, as it came days after Australia’s consumer watchdog warned of a surge in fake invoice scams which have cost Australians more than $16 million, and the threat actors likely accessed this sensitive customer data to use in scams and phishing attempts.

UnitedHealth reported that the Change Healthcare ransomware attack cost $872 million.

UnitedHealth Group reported that the February ransomware attack cost $872 million in their Q1 earnings. This total cost includes $593 million in direct cyberattack response costs and $279 million due to business disruptions. Currently, the company is still working to mitigate the cyberattack’s impact on their consumers and care providers, while expanding financial assistance to affected providers. This report comes 1 day after the RansomHub extortion gang started leaking documents that allegedly contain patient and corporate data stolen from Change Healthcare’s compromised systems. The threat actors also warned that the company has 5 days to pay the ransom to stop the data from being sold.

Forminator WordPress plugin vulnerability affects over 300,000 sites.

The Forminator WordPress plugin has a critical vulnerability (CVE-2024-29980) that allows malicious actors to perform unrestricted file uploads to the server. Site admins that use this plugin are highly advised to upgrade as soon as possible to the latest version, 1.29.3, which addresses this vulnerability. Since the release of the security update on 8 April 2024, roughly 180,000 site admins have downloaded the plugin. This means that there are still 320,000 sites that remain vulnerable to attacks.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
Last week, breaches and cyberattacks occurred across several industries, from streaming, business intelligence, veterinary and audio to the healthcare industry. Devastating consequences have been uncovered from earlier data breaches and attacks, such as Hoya receiving a $10 million ransomware demand for a file decryptor and for the allegedly 1.7 million stolen files not to be released. Additionally, it was found that a hacker who claimed responsibility for the Giant Tiger data breach has allegedly leaked 2.8 million customers’ records online. Furthermore, new vulnerabilities and patches have also been found and released for Microsoft, WordPress, LG Smart TVs and the Telegram Windows app. It is highly recommended to not only be aware of them but to also update them as soon as possible.

Read on to receive a quick summary of what happened this week in the space of cybersecurity.

Roku confirmed a second security incident: About 576,000 user accounts were hacked.

Roku, a streaming giant, has confirmed a second security incident, in which about 576,000 user accounts were accessed via credential stuffing. However, Roku stated that fewer than 400 user accounts were actually breached, with the malicious hackers making fraudulent purchases of Roku hardware and streaming subscriptions using the payment data stored in those users’ accounts. The company stated that they have refunded the affected customers. Furthermore, they emphasised that the malicious hackers did not access sensitive user information or full credit card details. Following these incidents, Roku has implemented 2-factor authentication, which adds another layer of security to their users’ accounts.

Sisense, a company that sells big-data analytics tools, suffers a data breach: CISA issues a red alert.

CISA, the US government cybersecurity agency, issued a red alert on Thursday warning of a compromise of Sisense customer data, and highly recommended that Sisense customers immediately reset their credentials and secrets.
Although the exact nature of the breach is unclear, the alert could suggest a massive supply chain security incident that exposed data from thousands of companies globally. CISA stated that they are partnering with private industry partners to respond to the incident, and advised Sisense’s customers to reset their credentials and secrets, and to investigate and report to CISA if any suspicious activity has been detected. CISA is taking an active role as this data breach directly impacts critical infrastructure sector organizations. Sisense, which provides business intelligence and analytics tools that help process massive volumes of data, serves organizations in the U.S. healthcare, manufacturing, retail and technology sectors, hence a supply chain breach can have severe consequences.

Non-profit healthcare service provider GHC-SCW disclosed that a ransomware gang has stolen 533,000 individuals’ health data.

Group Health Cooperative of South Central Wisconsin (GHC-SCW) disclosed that a ransomware gang breached their networks on 25 January and stole 533,809 individuals’ personal and medical information. The health data stolen includes individuals’ names, birth and/or death dates, addresses, telephone numbers, email addresses, social security numbers, member numbers, and Medicare and/or Medicaid numbers. The attackers could not encrypt the compromised devices, which allowed GHC-SCW to secure their systems and bring them back online after they were isolated to contain the breach. GHC-SCW stated that they have added security measures to prevent such breaches from reoccurring, such as strengthening existing controls, data backup and user training. Impacted individuals are recommended to monitor all communications from healthcare providers, such as electronic messages, billing statements and other communications, and to report any suspicious activity to GHC-SCW immediately.

UK’s CVS Group suffers a cyberattack: Veterinary operations disrupted.
UK veterinary services provider CVS Group disclosed that they had suffered a cyberattack which resulted in their IT services being disrupted across the country. In an announcement published on the London Stock Exchange site, CVS Group stated that threat actors gained unauthorized access to some of their IT systems. In response, the company took their IT systems offline, which disrupted their operations considerably over the past week. CVS stated that they have engaged 3rd party specialists to help investigate the attack and to restore IT services safely across its clinics. CVS also announced that this cyberattack has sped up their plan to migrate all IT infrastructure to the cloud, which is expected to extend the period of operational disruption by several weeks for UK-based practices.

boAt, an Indian audio giant, is investigating a possible data breach of 7.5 million customers.

boAt, India’s largest audio and wearables brand, is investigating a possible data breach that may have compromised more than 7.5 million customers after hackers uploaded a sample of the alleged customer data on a known cybercrime forum. The allegedly stolen data includes customers’ full names, phone numbers, email addresses, mailing addresses, and order numbers. TechCrunch reviewed a portion of the data, and found that the data reviewed seems genuine based on checks against the exposed phone numbers. The hackers claim that the breach occurred in March. In a statement, boAt stated they have launched an investigation into recent claims of a potential customer data leak but did not disclose specifics. It was found that the leaked data also includes references to Shopify. Indian outlet Athenil reported that the alleged hackers claimed the data was obtained using credentials stolen from boAt’s systems.

AT&T is now notifying that the data breach has actually impacted 52 million customers.
AT&T is notifying 52 million former and current customers that a data breach has exposed their personal data on a hacking forum. While the leak contained the personal information of more than 70 million people, AT&T is now saying that the data breach impacted a total of 51,226,382 customers. The reason for the large difference is that some customers had multiple accounts in the dataset. According to their notification, the exposed information varied between individuals and accounts, and may include customers’ full name, email address, mailing address, phone number, social security number, birthdate, AT&T account number and passcode. AT&T stated that they will inform each impacted customer of the type of personal information that has been stolen. However, the company has still not disclosed how the data was stolen, or why it took them 5 years to confirm that the stolen data belonged to them and alert the impacted customers.

Hoya, an optics giant, received a $10 million ransomware demand.

Hoya Corporation was recently hit by a cyberattack conducted by the ‘Hunters International’ ransomware operation. The ransomware group has demanded a $10 million ransom for a file decryptor and for the alleged 1.7 million stolen files, which amounted to 2 TB of data, not to be released. Currently, no files have been released on the ransomware group’s site, and the threat actors have not publicly claimed responsibility for the Hoya attack. LeMagIT has posted evidence via screenshots from the ransomware operation’s negotiation panel that victims use to negotiate a ransom payment. The ransomware group has applied a “No Negotiation/No Discount policy” to Hoya. The company has not provided any update on its business status since 4 April 2024, hence it is assumed that their production remains impacted and remediation efforts are still underway.

Giant Tiger data breach claimed by hacker who leaked 2.8 million records online.
A threat actor has publicly claimed responsibility for the data breach at the Canadian retail chain Giant Tiger that occurred in March 2024, and has claimed to have uploaded the “full” database of the stolen Giant Tiger customer records, which amounts to 2.8 million records, on a hacker forum. The stolen customer records include over 2.8 million unique email addresses, names, phone numbers and physical addresses, as well as the “website activity” of Giant Tiger customers. As of 12 April, the leaked data set has been added to the “Have I Been Pwned?” database, a free online service that allows one to check if their data has been compromised in known data breaches. The number of breached records associated with this data breach that has been added to HIBP is 2,842,669.

Microsoft resolved a security lapse that exposed internal passwords.

Security researchers from SOCRadar discovered an open and public storage server, hosted on Microsoft’s Azure cloud service, that stored internal information relating to Microsoft’s Bing search engine. The internal information stored included code, scripts and configuration files that contain passwords, keys and credentials used by Microsoft employees to access other internal databases and systems. The storage server itself was not protected with a password, and could be accessed by anyone on the internet. The exposed internal information could potentially assist malicious actors in identifying or accessing other places where Microsoft stores its internal files, and hence could result in more significant data leaks and even services being compromised. The researchers notified Microsoft of the security lapse on 6 February, and Microsoft resolved it on 5 March.

4 vulnerabilities found which could lead to over 90,000 LG Smart TVs being exposed to remote attacks.
Bitdefender security researchers have found 4 vulnerabilities (CVE-2023-6317, CVE-2023-6318, CVE-2023-6319, CVE-2023-632) that impact multiple versions of webOS, the operating system used in LG smart TVs. The vulnerabilities allow different degrees of unauthorized access and control, including authorization bypass, privilege escalation, and command injection. Bitdefender explains that although the vulnerable LG webOS service is supposed to be used only in local area network (LAN) settings, an internet scan shows that 91,000 exposed devices are potentially vulnerable to the flaws. The vulnerabilities impact webOS 4.9.7 – 5.30.40 on LG43UM7000PLA, webOS 04.50.51 – 5.5.0 on OLED55CXPUA, webOS 0.36.50 – 6.3.3-442 on OLED48C1PUB, and webOS 03.33.85 – 7.3.1-43 on OLED55A23LA. Impacted users should apply the security update by selecting “Check for Update”.

Thousands of WordPress sites compromised to promote crypto drainers.

It has been discovered that over 2,000 compromised WordPress websites now display fake NFT and discount pop-ups to trick visitors into connecting their wallets to crypto drainers that automatically steal their funds. According to MalwareHunterTeam, the threat actors have begun to monetize the hacked sites by displaying pop-ups promoting fake NFT offers and crypto discounts, and an urlscan search showed that over 2,000 compromised websites have been loading the malicious scripts for the past week. To avoid falling victim to crypto drainers, only connect your wallet to trusted platforms. Furthermore, it is recommended to be vigilant against any unexpected pop-up windows, especially pop-ups that do not align with the website’s primary subject or design.

Telegram released a security patch to fix a Windows app zero-day vulnerability that could automatically launch Python scripts.

Telegram has fixed a zero-day vulnerability in their Windows desktop app that could be used to bypass security warnings and automatically launch Python scripts.
In a statement to BleepingComputer, Telegram disputed the existence of a zero-click vulnerability, calling such reports inaccurate. However, they confirmed that they fixed the “issue” in the Windows app to prevent Python scripts from automatically launching when clicked. Telegram stated that this was a server-side fix which ensures the issue no longer occurs: when such a file is clicked, Windows now asks which program you wish to open it with rather than automatically launching it in Python.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
Last week, breaches and cyberattacks occurred across several industries, from public, tech, e-commerce, hotel and optical supplies to the healthcare sector. Devastating consequences have been uncovered from earlier data breaches and attacks, such as 4.4 million SurveyLama users’ personal information being exposed and Leicester City Council’s confidential documents being leaked on the dark web after a ransomware attack. Additionally, it was found that the 2023 Hong Kong Cyberport data breach affected 13,362 staff and jobseekers. Furthermore, new vulnerabilities and patches have also been found and released. It is highly recommended to not only be aware of them but to also update them as soon as possible.
Read on to receive a quick summary of what happened this week in the space of cybersecurity.

US cancer centre suffers a data breach: 827,000 patients’ information exposed.

Cancer treatment and research centre City of Hope is starting to notify 827,000 individuals that their personal and health information has been compromised in a data breach. According to a data breach letter filed with the Maine Attorney General's Office, the data breach occurred between 19 September and 12 October 2023, in which an unauthorised 3rd party managed to access a subset of City of Hope systems and copied some files that contained the affected individuals’ information. The stolen data includes affected individuals’ names, birth dates, email addresses, phone numbers, driver’s licence numbers, ID numbers, social security numbers, bank account numbers, credit card details, health insurance information and medical information. City of Hope also clarified that not every data type listed was compromised for every patient; the level of exposed information varied per case. Upon detection, City of Hope stated that they took steps to contain the breach, notified the relevant authorities, and retained a cybersecurity firm to put in place security measures to improve their systems’ security. The cancer centre has also stated that so far there has been no identification of any identity theft or fraud pertaining to the stolen information. Affected individuals are offered complimentary identity monitoring services for 2 years. It is highly recommended for impacted individuals to monitor their banking statements, and be vigilant against phishing attacks, unsolicited communications or requests for additional information.

Jackson County in a state of emergency after a ransomware attack.

Jackson County, Missouri, declared a state of emergency on 2 April 2024 after a ransomware attack took down some of their services on Tuesday.
The Assessment, Collection and Recorder of Deeds offices at all County locations will likely be closed until the end of the week as the IT department works on restoring the tax payment, marriage licence, and inmate search systems impacted in the incident. Fortunately, based on a statement published on Tuesday, the Kansas City Board of Elections and Jackson County Board of Elections are not affected by this system outage. Officials have alerted the relevant authorities of this incident, and are currently working with 3rd party IT security experts to investigate the attack. Jackson County Executive Frank White, Jr. declared a state of emergency to expedite IT orders, activate emergency workers, and protect against the ransomware attack. As White stated, all county staff are taking the necessary steps to protect resident data and county assets and to continue essential services to mitigate the impact of the ransomware attack. County officials have confirmed that residents’ financial information is not affected, as the compromised systems did not store residents’ financial data.

Acuity confirms hackers have stolen old non-sensitive government data from its GitHub repositories.

Acuity, a federal contractor that works with U.S. government agencies, has confirmed that hackers breached its GitHub repositories and stole old non-sensitive government documents. In an emailed statement, Acuity stated that they identified a cybersecurity incident related to GitHub repositories that contained old and non-sensitive information. Once they were aware of the zero-day vulnerability, Acuity applied the relevant security updates and performed mitigating actions according to the vendor’s guidance. After an investigation, Acuity saw no evidence of impact on any of their clients’ sensitive data.
Although Acuity did not provide additional information due to the ongoing investigation, IntelBroker (1 of the threat actors behind the attack) has leaked thousands of records that contain information belonging to Justice Department, State Department, DHS and FBI employees. IntelBroker also claimed that they stole Five Eyes intelligence alliance documents, some of which allegedly contain classified information. Another threat actor, Sanggiero, told BleepingComputer that the breach occurred on 7 March 2024, and that they allegedly exploited a vulnerability in an Acuity Tekton CI/CD server to steal GitHub credentials and access their private repositories.

PandaBuy, a shopping platform, suffered a data leak that impacted 1.3 million users.

PandaBuy, a shopping platform that allows international users to purchase from various e-commerce platforms in China such as Tmall, Taobao and JD.com, was allegedly breached by 2 threat actors who exploited multiple vulnerabilities. The 2 threat actors, Sanggiero and IntelBroker, claimed that they managed to steal data that contained, but was not limited to, 3 million unique user IDs, first names, last names, phone numbers, email addresses, login IPs, order data, order IDs, home addresses, zip codes and countries. According to Have I Been Pwned, 1,348,407 PandaBuy accounts have been exposed in the breach. The threat actors have also provided a small sample of email addresses, customer names, order numbers and details, shipping addresses, transaction dates and times, and payment IDs as evidence. Troy Hunt, creator of HIBP, tested password reset requests using the leaked addresses and confirmed that at least 1.3 million email addresses are valid and come from PandaBuy. However, the rest were made-up and duplicate addresses, so the 3 million figure was inflated by the threat actors. It is highly recommended for those who have PandaBuy accounts to reset their passwords, and remain vigilant against any phishing attacks and scams.
Chilean data centre and hosting provider IxMetro PowerHost suffered a cyberattack.

IxMetro PowerHost, a data centre, hosting and interconnectivity company with locations in the U.S., South America and Europe, suffered a cyberattack by a new ransomware gang called SEXi, which encrypted the company’s VMware ESXi servers and backups. On 1 April, PowerHost’s Chile division, IxMetro, warned customers that they had suffered a ransomware attack early Saturday morning which encrypted some of the company’s VMware ESXi servers that are used to host virtual private servers for customers. Customers that hosted their websites or services on these servers are down as the company attempts to restore terabytes of data from backups. In one update, PowerHost warned their customers that they might not be able to restore the servers, as the backups have also been encrypted. PowerHost CEO Ricardo Ruben stated that they had attempted to negotiate with the threat actors to receive a decryption key; however, the ransomware gang has demanded 2 BTC per victim, which would be equal to $140 million. For impacted VPS customers who still have their website content, the company is offering to set up a new VPS so that customers can bring their sites back online.

SurveyLama suffers a data breach: 4.4 million users’ personal information exposed.

SurveyLama, an online platform that rewards registered users for completing surveys, suffered a data breach in February 2024 which resulted in the exposure of 4,426,879 users’ sensitive data. In early February, Have I Been Pwned (HIBP) creator Troy Hunt received information about a data breach that impacted the service. The exposed data types include full names, birth dates, email addresses, IP addresses, passwords, phone numbers, and physical addresses. SurveyLama has notified impacted users via email, and confirmed the security incident.
It is highly recommended for SurveyLama account holders to reset their passwords immediately, both on SurveyLama and on any other platforms that use the same credentials. As of now, there is no evidence of the compromised data being posted publicly online, which keeps the exposure limited for the time being.

Hoya confirms a cyberattack has disrupted optics production and orders.

Hoya Corporation, a global manufacturer of optical products, disclosed that the Group’s headquarters and several of their business divisions have suffered an IT system incident, which caused servers at some of their production plants and business divisions to go offline on 30 March. In response to the incident, Hoya isolated the affected servers and informed the relevant authorities in the impacted countries. The optics company has also hired 3rd party forensic investigators to determine the cause of the incident, and whether the hackers accessed or extracted any confidential or personal information stored on the compromised systems. As a direct result of this incident, some production plants and ordering systems for certain products have been impacted.

Omni Hotels confirms cyberattack behind ongoing nationwide IT outage.

Omni Hotels & Resorts has confirmed a cyberattack that caused a nationwide IT outage in the U.S., with some locations still affected. The hotel chain has stated that since 29 March, Omni Hotels & Resorts has been responding to a cyberattack on their systems. In response to the attack, Omni took down the impacted systems, and their IT teams are working to restore them and bring them back online. Furthermore, they have launched an investigation with a 3rd party cybersecurity response team, which is still ongoing. According to Omni employees, the IT teams are manually restoring the affected systems from scratch, and staff have been informed that the systems will be available again on 4 April 2024.
The outage triggered by the cyberattack has affected many of Omni’s services, including its reservation, hotel room door lock, and point-of-sale systems. It has been reported that front desk employees have been experiencing issues with credit card payments, new reservations, and modifying existing reservations.

Leicester City Council confirms ransomware attack after confidential documents were leaked. Leicester City Council in England confirmed that the March cyber incident was a ransomware attack after it was discovered that the malicious actors had uploaded stolen documents to their dark web extortion site. Leicester’s strategic director, Richard Sword, confirmed on 3 April that “a small number of documents” from the council’s servers had been published by a ransomware group, INC Ransom. According to Sword, INC Ransom published around 25 confidential documents. These include rent statements, applications to purchase council housing and identification documents such as passport information. Sword also stated that the council cannot be certain whether other documents have been extracted from its systems, although it believes the threat actors have done so. The council also stated that most of its systems and phone lines are now operating as normal after the decision to shut everything down on 7 March when the attack was detected. People in Leicester are strongly advised to report anyone claiming to have their data to Leicestershire Police using the non-emergency call service 101 or an online form.

Hong Kong privacy watchdog found that the 2023 Hong Kong Cyberport data breach affected 13,632 staff and jobseekers. Hong Kong’s Office of the Privacy Commissioner for Personal Data found that 13,632 staff and job seekers’ personal data had been stolen when hackers attacked Hong Kong’s Cyberport last year.
The investigation found that out of the 13,682 affected, 8,000 had employment ties with the company, including 5,292 unsuccessful applicants and former employees. Others were managerial staff, interns and business partners. The personal data stolen includes names, ID cards, passport numbers, financial information such as bank account numbers, medical reports, photos, birthdates, social media accounts and academic information. The amount of stolen information varies for each affected individual. Furthermore, it was found that 13 Windows systems and 2 virtual servers were compromised. The watchdog slammed the organisation’s cybersecurity oversights, as it had failed to implement sufficient and effective security measures to ensure the security of its systems. It was found that Cyberport did not keep information secure and kept information beyond the intended retention period. The watchdog has also sent an enforcement notice to the government-funded technology hub last week requiring it to carry out a list of improvements and submit a report within 2 months.

MarineMax, a yacht retailer, disclosed a data breach after a cyberattack. MarineMax, a boat and yacht retailer, stated that employee and customer data were stolen after its systems were breached in a March cyberattack. On 1 April 2024, in a new 8-K filing, it was revealed that the hackers gained access to and stole personally identifiable data belonging to an undisclosed number of individuals. Although the company did not attribute the attack to a specific threat group, the Rhysida ransomware gang has claimed the attack and is selling the allegedly stolen data for 15 BTC (just over $1,000,000). Rhysida has also leaked screenshots of what appear to be MarineMax’s financial documents, employee driver’s licences and passports on its data leak site as evidence.

LayerSlider WordPress plugin critical flaw impacts 1 million sites.
The LayerSlider WordPress plugin, which is used on over 1 million sites, has a critical flaw (tracked as CVE-2024-2879) that allows unauthenticated SQL injection. The flaw impacts versions 7.9.11 through 7.10.0 of the plugin and could allow attackers to extract sensitive data such as password hashes from the site’s database. This puts these sites at risk of complete takeover or data breaches. The developer released a security update on 27 March. All users of LayerSlider are strongly recommended to upgrade to version 7.10.1, which addresses this critical vulnerability.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
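As an added illustration of the LayerSlider item above (this is constructed example code, not the plugin’s code and not the actual CVE-2024-2879 flaw), the following Python snippet shows the general shape of an SQL injection bug beside its fix: a query built by string concatenation lets a crafted slug reach other tables, such as the one holding password hashes, while the parameterized version binds the input as a plain value. The table names, rows and hash strings are made up for the example.

```python
"""Vulnerable vs. parameterized lookup (constructed example; not LayerSlider's code)."""
import sqlite3


def build_db():
    """Create an in-memory database with constructed sample rows.

    The 'users' table stands in for the site's password-hash store that an
    injection in an unrelated query could reach.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sliders (id INTEGER PRIMARY KEY, slug TEXT, title TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT)")
    conn.executemany(
        "INSERT INTO sliders (slug, title) VALUES (?, ?)",
        [("home", "Home slider"), ("promo", "Promo slider")],
    )
    conn.executemany(
        "INSERT INTO users (login, pass_hash) VALUES (?, ?)",
        [("admin", "constructed-hash-1"), ("editor", "constructed-hash-2")],
    )
    conn.commit()
    return conn


def find_slider_vulnerable(conn, slug):
    """The anti-pattern: untrusted input is pasted into the SQL text.

    Anything the caller puts in `slug` is parsed as SQL, so a value containing
    quotes and a UNION can pull rows from any other table.
    """
    sql = f"SELECT id, slug, title FROM sliders WHERE slug = '{slug}'"
    return conn.execute(sql).fetchall()


def find_slider_safe(conn, slug):
    """The fix: a parameterized query.

    The driver sends the SQL and the value separately; the value is never
    parsed as SQL, so injection characters are just characters.
    """
    return conn.execute(
        "SELECT id, slug, title FROM sliders WHERE slug = ?", (slug,)
    ).fetchall()
```

In WordPress plugin code the equivalent of the safe form is building the query through `$wpdb->prepare()` with placeholders rather than concatenating request parameters into the SQL string.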
Last week, breaches and cyberattacks occurred across several industries, from jewellery and discount retail to the health sector. Devastating consequences have been uncovered from earlier data breaches and attacks, such as 73 million AT&T customers’ data being leaked on a hacker forum and more than 2.8 million Point32Health customers’ personal information being stolen in a breach. Additionally, 28 apps (including 17 free VPN apps) on Google Play have been found to turn Android devices into proxies, and Google’s new AI search results have been found to recommend sites that push malware scams.
Furthermore, new vulnerabilities and patches have also been found and released. It is highly recommended to not only be aware of them but to also apply them as soon as possible. Read on to receive a quick summary of what happened this week in the space of cybersecurity.

New variant of TheMoon malware infects 6,000 ASUS routers in 88 countries within 72 hours. Black Lotus Labs researchers have found a new variant of the “TheMoon” malware botnet that has been infecting thousands of outdated small office and home office (SOHO) routers and IoT devices in 88 countries. The researchers observed that 6,000 ASUS routers were targeted in under 72 hours during the latest TheMoon campaign, which started in early March 2024. It is highly recommended to use strong admin passwords and upgrade your device’s firmware to the latest version to ensure that known vulnerabilities are addressed. Common signs of malware infection on routers and IoT devices include connectivity problems, overheating, and suspicious setting changes.

Massachusetts health insurer hit by a data breach: More than 2.8 million individuals’ personal information stolen. Point32Health, the 2nd largest health insurer in Massachusetts, has announced that more than 2.8 million individuals’ personal information was stolen during an April 2023 ransomware attack. The ransomware attack impacted systems associated with Point32Health’s Harvard Pilgrim Health Care brand. In a notification letter, the company reports that it has identified signs that data was copied and taken from Harvard Pilgrim systems between 28 March and 17 April 2023, and that these files may contain customers’ personal information. The stolen information includes names, addresses, birthdates, phone numbers, social security numbers, health insurance account information, financial account information, medical history, diagnoses, and treatment information.
This week, the company filed an updated data breach notice raising the number of affected individuals to more than 2.86 million. The company is providing affected individuals with complimentary credit monitoring and identity protection services.

Poh Heng Jewellery hit by data breach: Customers’ personal information could be compromised. Poh Heng Jewellery, a jewellery chain, notified its customers about a database breach that occurred on 25 March. The company stated that the unauthorised access may have compromised customers’ personal information. The compromised information could include customers’ names, telephone numbers, email addresses, residential addresses, member IDs, birth dates and country of residence. Fortunately, no passwords or payment information were compromised. The company’s data protection officer, Ezekiel Chin, stated that once the breach was discovered, the company immediately took action to secure its systems and reported the incident to the relevant authorities. The company has recommended that customers be highly vigilant against phishing attempts, such as malicious links and websites that request their passwords or other personal information.

Giant Tiger, a discount retailer, states customer data has been compromised in a 3rd party breach. Giant Tiger, a discount retailer, has announced that some of its customers’ contact information was compromised in a third-party breach. The company’s spokesperson, Alison Scarlett, stated that the vendor would not be named, but that Giant Tiger used it to manage customer communications and engagement. She added that Giant Tiger is working to resolve the issue “as quickly and openly as possible”. In an email to customers, the retailer stated that it discovered the security breach on 4 March and concluded on 15 March that customer information was compromised.
The compromised information varied between customers; it included the names and email addresses of those who subscribe to Giant Tiger emails. Loyalty members and those who placed online orders for in-store pickup might have had their names, emails and phone numbers compromised. Some customers who placed online orders for home delivery may have had the same information plus their street addresses compromised.

INC Ransom threatens to leak 3 TB of stolen NHS Scotland data. The INC Ransom extortion gang has threatened to publish 3 TB of data allegedly stolen after breaching NHS Scotland. In a post published on 27 March, the cybercriminals shared several sample documents with sensitive information about doctors and patients, including medical assessments, analysis results, and psychological reports. They stated that they would leak the data “soon” unless the NHS pays the ransom. A spokesperson for the Scottish Government stated that the cyberattack only impacts NHS Dumfries and Galloway, which is one of the regional health boards that make up NHS Scotland. Furthermore, the government is working with multiple entities, such as the health board, Police Scotland, the National Crime Agency, and the National Cyber Centre, to determine the impact and plausible implications of the breach. NHS Dumfries and Galloway has confirmed that a ransomware group has leaked a small number of patients’ clinical data. All impacted patients will be informed by the NHS directly so that they can take appropriate measures to protect themselves.

AT&T confirms 73 million customers’ data has been leaked on hacker forum. AT&T has now confirmed that 73 million current and former customers were affected by a data breach, after initially denying that the leaked data originated from the company.
In a statement shared with BleepingComputer, AT&T stated that based on its preliminary analysis, the data set appears to be from 2019 or earlier and impacts approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders. Furthermore, the security passcodes used to secure accounts were also leaked for 7.6 million customers. AT&T is reaching out to all 7.6 million impacted customers and has reset their passcodes. The company will notify all 73 million former and current customers about the breach and the steps they should take next.

Free VPN apps on Google Play found to turn Android devices into proxies used for cybercrime and shopping bots. 17 VPN apps on Google Play have been found to use a malicious software development kit that turned Android devices into residential proxies, likely used for cybercrime and shopping bots. Residential proxies route internet traffic through devices located in homes, which makes the traffic appear legitimate and less likely to be blocked. Cybercriminals tend to use them to conceal malicious activities such as ad fraud, spam, phishing, credential stuffing and password spraying. A report published by HUMAN’s Satori threat intelligence team lists 28 apps on Google Play that secretly turned Android devices into proxy servers. Of these, 17 were free VPN apps. The 28 apps are:
As a precaution, it is safest to uninstall any of these apps that you have used. A Google spokesperson has confirmed that all 28 malicious apps have been removed from Google Play.

Google’s new AI search results recommend sites that push malware scams. Google’s new AI-powered ‘Search Generative Experience’ (SGE) algorithm has been found to recommend scam sites that redirect visitors to unwanted Chrome extensions, fake iPhone giveaways, browser spam subscriptions, and tech support scams. Lily Ray, an SEO consultant, found that Google’s SGE is recommending malicious websites within its conversational responses, making it easier for people to fall for scams. Because SGE links to these websites within its answers, malicious sites can seem more trustworthy and believable. It was found that most redirects lead users to fake captchas or YouTube sites that attempt to trick the visitor into subscribing to browser notifications. Browser notifications are a common tactic scammers use to send unwanted ads directly to the operating system desktop, even when the visitor is no longer on the website. Google has reported that it continuously updates its systems and ranking algorithms to protect against spam, and has taken action to remove this spam from Search.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
Last week, breaches and cyberattacks occurred across several industries, from telecommunications, software and bakery chains to the IT sector. Devastating consequences have been uncovered from earlier data breaches and attacks, such as a malware campaign found to have infected over 39,000 WordPress websites in the past 6 months, and MarineMax’s allegedly stolen data being put up for sale for 15 bitcoin. In addition, misconfigured Firebase instances have been found to expose 19 million plaintext passwords and over 125 million sensitive user records. Furthermore, new vulnerabilities have been found and patches have been released. It is highly recommended to not only be aware of them but to also apply them as soon as possible.
Read on to receive a quick summary of what happened this week in the space of cybersecurity.

70 million AT&T accounts leaked online: AT&T claims leaked data did not originate from its systems. Data on as many as 70 million AT&T customers is on sale on a data theft forum for a starting price of $200,000 with bid increments of $30,000. The threat actor, ShinyHunters, has also offered a ‘buy it now’ option at a price of $1,000,000. Another threat actor, MajorNelson, has since offered the same data, although less than half of AT&T’s customer records, for free. The data is claimed to have been stolen in a breach sometime in 2021 or earlier. However, AT&T claimed it did not originate from the company and that its systems were not breached. AT&T also told BleepingComputer that it has seen no evidence of a breach in its systems. The stolen information includes customers’ names, addresses, phone numbers, birthdates, and social security numbers. AT&T customers (especially those who were customers in or before 2021) are strongly advised to be vigilant against phishing attacks, such as SMS and email phishing.

Mintlify data breach: Customers’ GitHub tokens exposed. Mintlify, a documentation startup, publicly disclosed that 91 of its customers had their GitHub tokens exposed in a 1 March data breach. In a blog post, Mintlify stated that the data breach occurred due to a vulnerability in its own systems, which leaked the company’s internal admin credentials to customers. These credentials could be used to access the company’s internal endpoints and, through them, other unspecified sensitive user information. Mintlify co-founder Han Wang stated that the company has notified the affected customers and is working with GitHub to identify whether the compromised tokens were used to access private repositories. If these tokens were stolen, a threat actor could obtain the same level of access to a person’s source code.
Fujitsu suffered a cyberattack, and attackers may have stolen customers’ information. Fujitsu, a Japanese technology giant, confirmed a cyberattack in a statement on Friday. The statement confirmed that it was a malware attack, with malware detected on multiple work computers. Upon further investigation, Fujitsu discovered that files containing personal information and customer information may have been stolen. Fujitsu stated that it had disconnected the affected systems from its network and is currently investigating how the malware compromised the network and whether there was a data breach. As of now, Fujitsu has not elaborated on the nature of the attack, nor on whose personal information, or what type, may have been stolen. Fujitsu has reported this incident to the relevant authorities in Japan “in anticipation” that personal information may have been stolen.

International Consolidated Airlines Group (IAG) warns Air Europa customers of a data breach that has led to their personal data being compromised. IAG, the parent company of British Airways and Iberia, has sent an email to Air Europa’s customers stating that, due to an October security incident, their personal data has been compromised. The exposed data includes customers’ names, birth dates, nationalities, ID card or passport information, and phone numbers. The company stated that it has no evidence of the leaked data being used inappropriately, and further stated that if “it were to happen, the resulting inconvenience would be limited in any case”. Update: IAG confirmed in a statement that it has not acquired Air Europa and would never email Air Europa’s customers directly. It further stated that this is a matter for Air Europa and not IAG.

Spa Grand Prix official email account hacked: Fans targeted with phishing for their bank information. Threat actors have hacked the official contact email account of Spa Grand Prix, the Belgian Grand Prix event.
The race organisers stated that the email account was hijacked on 17 March, and the threat actor sent fraudulent emails to an undisclosed number of fans offering recipients a €50 voucher if they clicked an embedded link. The link directs victims to a fake website resembling the official Spa Grand Prix portal, which asks for victims’ personal information, such as their banking details. Once the security issue was noticed, SPA GP sent alert emails to its customers stating that the previous message was a phishing scam and warning them not to click on any links. Additionally, the organisation has asked its IT security subcontractor to put additional security measures in place to prevent this incident from recurring. SPA GP has filed a complaint with the Belgian cyber police and will also file a civil claim with an examining magistrate. An investigation is currently underway to determine the cause and circumstances that led to this attack.

Greggs, a UK bakery chain, is the latest victim of POS system outages: Forced to close some stores. Greggs has fallen victim to point of sale (POS) system outages that led to some of its stores being forced to close. On the morning of 20 March, customers reported on social media that they were unable to pay with their cards or found their local Greggs branches closed. This indicates a technical issue with the POS system that processes purchases. A statement from Greggs said that some stores had not been able to take card and cash payments, that it had “resolved a technical issue” affecting tills in some of its shops, and apologised for the inconvenience. This incident follows recent card payment outages in the UK from Sainsbury’s and Tesco to McDonald’s.

Misconfiguration at Firebase exposed 19 million plaintext passwords.
Three cybersecurity researchers have found that misconfigured instances of Firebase, a Google platform that hosts databases, cloud computing and app development, exposed almost 19 million plaintext passwords on the public internet. The researchers scanned more than 5 million domains and found 916 websites from organisations that either had no security rules enabled or had set them up incorrectly. They were able to find more than 125 million sensitive user records, including emails, names, passwords, phone numbers, and billing information with banking details. The exposed passwords are especially concerning, as 98% of them (19,867,627) were stored in plaintext. After analysing the data, the researchers tried to warn all impacted companies about their improperly secured Firebase instances, sending 842 emails over 13 days. Although just 1% of the site owners replied, a quarter of the notified site administrators fixed the misconfiguration in their Firebase platform. However, some of the organisations contacted responded unprofessionally. For instance, an Indonesian gambling network that manages 9 websites mocked the researchers when they reported the problem and gave guidance on how to fix it. Unfortunately, this company accounted for the largest number of exposed bank account records (8 million) and plaintext passwords (10 million).

Sign1, a malware campaign, has infected over 39,000 WordPress websites. Sign1, a previously unknown malware campaign, has been found to have infected over 39,000 websites in the past 6 months. The campaign causes visitors to see unwanted redirects and pop-up ads. Sucuri, a website security firm, discovered the campaign after a client’s website randomly displayed popup ads to its visitors. The threat actors use WordPress custom HTML widgets or install the legitimate Simple Custom CSS and JS plugin to inject malicious JavaScript code.
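Returning to the Firebase item above: as an added example (my own, not the researchers’ tooling), the following Python shows what “no security rules” looks like in the Firebase Realtime Database JSON rules format beside a corrected per-user rule set, plus a small audit function that flags any `.read` or `.write` rule granting access with no `auth` condition. Both rule documents are constructed for the example; Cloud Firestore uses a different rules language, so this check applies to the Realtime Database format only.

```python
"""Audit Firebase Realtime Database security rules for public access.

Added example; the rule documents below are constructed, not taken from any
real project.
"""
import json

# Constructed: the wide-open rule set that leaves a database readable and
# writable by anyone who knows its URL (the "no security rules" case).
INSECURE_RULES = json.dumps({
    "rules": {
        ".read": True,
        ".write": True,
    }
})

# Constructed: a corrected rule set. Nothing is readable at the root, and each
# signed-in user may only read and write the subtree keyed by their own uid.
HARDENED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        }
    }
})


def classify_rule(expr):
    """Return a finding string for a .read/.write expression, or None if it looks safe.

    Heuristic: boolean true (or the string "true") grants access unconditionally,
    and any expression that never mentions `auth` can be satisfied by an
    unauthenticated client, so both are reported as public.
    """
    if expr is True or (isinstance(expr, str) and expr.strip().lower() == "true"):
        return "unconditional"
    if expr is False or (isinstance(expr, str) and expr.strip().lower() == "false"):
        return None
    if isinstance(expr, str) and "auth" not in expr:
        return "no auth check"
    return None


def audit_rules(rules_json):
    """Walk a Realtime Database rules document and list public .read/.write rules.

    Returns a list of "path: key reason" strings; an empty list means no finding.
    """
    doc = json.loads(rules_json)
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                reason = classify_rule(value)
                if reason is not None:
                    findings.append(f"{path or '/'}: {key} {reason}")
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return findings
```

The heuristic is deliberately conservative: a rule such as `data.exists()` is reported even though it is not literally `true`, because a client that has never signed in can still satisfy it. Rules are evaluated top-down, so a public grant at the root (the first document) overrides anything stricter written below it.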
Based on Sucuri’s analysis, the malware generates dynamic URLs that change every 10 minutes to evade blocks. Furthermore, the malicious code checks for specific referrers and cookies before executing; it tends to target visitors arriving from major sites like Google, Yahoo, Instagram and Facebook. The malware also creates a cookie in the visitor’s browser so that the popup is only displayed once per visitor, making it less likely that reports reach the compromised website’s owner. Sucuri warns that Sign1 has evolved over the past 6 months, with infections increasing exponentially when a new version of the malware was released. The latest attack wave, underway since January 2024, has claimed 2,500 sites. Site administrators are strongly recommended to use strong, long passwords and update their plugins to the latest version. It is also best to remove unnecessary add-ons to reduce the attack surface.

Rhysida ransomware group takes responsibility for the MarineMax cyberattack: Offers stolen data for 15 bitcoin. The Rhysida ransomware group has taken responsibility for the cyberattack on MarineMax, one of the largest retailers of recreational boats and yachts globally. MarineMax announced in an SEC filing earlier this month that it was targeted in an attack that led to some disruption. Now, the Rhysida ransomware group is auctioning the data allegedly stolen from MarineMax on its website, with a starting price of 15 bitcoin ($950,000). As proof, the group has published some screenshots showing financial documents and spreadsheets. Due to their low resolution, it is unclear how sensitive the data is. However, MarineMax stated in its filing that it did not store sensitive data in the compromised environment.

Saflok electronic locks security vulnerability can be exploited to open millions of doors.
Dormakaba’s Saflok electronic locks have a security vulnerability, named Unsaflok, that can be exploited to forge keycards and open doors. The vulnerability impacts more than 3 million locks commonly used in hotels and multi-family housing environments. In total, more than 13,000 locations across 131 countries are likely affected. The vulnerable lock models include the Saflok MT and the Quantum, RT, Sapphire and Confidant series devices, which are used in combination with the System 6000, Ambiance, and Community management software. According to the security researchers, an attacker can take a keycard from a property where the vulnerable locks are used, forge cards from it and unlock any door on that property. Any device that can write or emulate MIFARE Classic cards can be used in this attack. Dormakaba has worked on patches for this vulnerability and started rolling them out in November 2023. However, the process is slow, and only 36% of affected locks have received the fix, because upgrading each hotel is an intensive process. The company has reported that so far it is unaware of any instances in which this vulnerability has been exploited, and has strongly recommended that its customers upgrade as soon as possible.

Microsoft released a patch for an Xbox vulnerability. Microsoft has released a patch for an Xbox vulnerability (tracked as CVE-2024-2891) that impacts Xbox Gaming Services. According to Microsoft, it has ‘important’ severity and can be easily exploited by a local attacker with low privileges to escalate permissions to SYSTEM. Microsoft has informed customers that app package versions 19.87.13001.0 and later contain the fix. For users who have automatic updates enabled, the fix should be delivered automatically.
Microsoft stated that although there is currently no evidence of malicious exploitation, the flaw has been assigned an ‘exploitation more likely’ rating.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
Last week, breaches and cyberattacks occurred across several industries, from streaming, fast food, ICT and finance to the public sector. Devastating consequences have been uncovered from earlier data breaches and attacks, such as Nissan confirming that 100,000 people’s data has been breached and Stanford University confirming that 27,000 individuals’ personal information was compromised during a breach. Furthermore, new vulnerabilities have been found and patches have been released. It is highly recommended to not only be aware of them but to also apply them as soon as possible.
Read on to receive a quick summary of what happened this week in the space of cybersecurity.

French employment agency data breach exposes up to 43 million people’s data. France’s employment agency suffered a data breach that could potentially expose up to 43 million users’ data, affecting users who registered over the past 20 years. France Travail, the French national employment agency, announced on 13 March 2024 that its IT systems and those of Cap Emploi, a government employment service, were breached. The exposed personal data includes names, birth dates, social security numbers, user IDs, email addresses, postal addresses, and phone numbers of France Travail and Cap Emploi users. In a statement, the agency confirmed that login credentials, passwords and bank details were not compromised. Although this breach does not affect allowance payments, and users can still connect to their accounts, they are strongly advised to be vigilant against phishing attacks, such as messages pretending to come from these services, and against identity theft. France Travail has notified the relevant authorities, and investigations have started to determine whether sufficient data security measures were in place in compliance with the EU’s GDPR. It was indicated that the malicious actor gained unauthorised access to Cap Emploi’s systems around 6 February, and France Travail said that the threat actor impersonated a Cap Emploi civil service officer to do so. The agency began to notice suspicious activity in its IT systems a few days later.

More than 15,000 Roku customer accounts were sold for as little as 50¢ each to make illegal purchases. Roku has disclosed a data breach in which 15,363 customer accounts were hacked in a credential stuffing attack. The hacked accounts were then sold for as little as 50¢, allowing the purchasers to make fraudulent purchases of hardware and streaming subscriptions.
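The Roku item above describes a credential stuffing attack, where leaked username/password pairs from other breaches are replayed against a service. As an added example (not Roku’s detection logic), the following Python detector scans constructed login-audit lines for the characteristic pattern: one source IP trying many different usernames within a short window. The log format, IP addresses and usernames are constructed for the example; the function returns the flagged IPs and the accounts that logged in successfully from them, which is the list a response team would force-reset.

```python
"""Credential-stuffing detector over constructed login-audit lines.

Added example; the log format and all addresses/usernames are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One line per login attempt, in a constructed format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.5 cycles through many accounts (stuffing pattern)
# and eventually hits a valid pair; 198.51.100.7 is one user mistyping a password once.
SAMPLE_LOG = """\
2024-03-08T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2024-03-08T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2024-03-08T10:00:03Z ip=203.0.113.5 user=carol@example.com result=FAIL
2024-03-08T10:00:04Z ip=203.0.113.5 user=dave@example.com result=FAIL
2024-03-08T10:00:05Z ip=203.0.113.5 user=erin@example.com result=OK
2024-03-08T10:00:09Z ip=198.51.100.7 user=frank@example.com result=FAIL
2024-03-08T10:00:15Z ip=198.51.100.7 user=frank@example.com result=OK
2024-03-08T10:30:00Z ip=203.0.113.5 user=gina@example.com result=FAIL
"""


def parse(log_text):
    """Parse log lines into (timestamp, ip, user, result) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_stuffing(log_text, window=timedelta(minutes=10), min_distinct_users=4):
    """Flag source IPs that attempt >= min_distinct_users distinct usernames within `window`.

    Returns {ip: {"distinct_users": peak count in any window,
                  "compromised": sorted users with a successful login from that ip}}.
    A brute-force against one account (many tries, one username) is not flagged here;
    stuffing is distinguished by breadth of usernames, not depth of attempts.
    """
    by_ip = defaultdict(list)
    for ev in sorted(parse(log_text)):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        peak = 0
        # Sliding window over this IP's events, which are already time-ordered.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {e[2] for e in evs[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak >= min_distinct_users:
            compromised = sorted({e[2] for e in evs if e[3] == "OK"})
            findings[ip] = {"distinct_users": peak, "compromised": compromised}
    return findings
```

Two design points: the threshold is on distinct usernames per source rather than on failures, because stuffing traffic often has a low failure rate per account and may be spread over residential proxies (as the Google Play item in an earlier update describes), so in production the per-IP key would usually be widened to an ASN or to a device fingerprint; and the successful logins from a flagged source are returned separately, since those are the accounts to reset and refund, not merely to rate-limit.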
Roku stated that once an account was breached, threat actors could change the account’s information, including its password, email address and shipping address. This allows threat actors to use stored credit card information without the account holder receiving order confirmation emails. Roku stated that it has secured the impacted accounts and forced a password reset upon detecting the incident. Furthermore, Roku’s security team said that any unauthorised purchases will be cancelled and refunded. Impacted legitimate account holders must visit “my.roku.com” and click on ‘Forgot password?’ to get a reset link.

The International Monetary Fund (IMF) suffers a cyberattack: Email accounts breached. The IMF has disclosed that it suffered a cyber incident, detected on 16 February 2024, in which 11 IMF email accounts were determined to have been compromised. The impacted email accounts have been re-secured, and so far no evidence has been found of attackers gaining access to other systems or resources outside of the breached email accounts. Investigations into this breach are still ongoing. For security reasons, the IMF disclosed no further details.

McDonald’s stated that the global outage was caused by a 3rd party service provider’s configuration change. McDonald’s blamed a 3rd party service provider’s configuration change for the global outage that forced many of its fast-food restaurants to close. According to a statement shared by the company’s Chief Information Officer, Brian Rice, the global technology system outage began around midnight CDT on Friday. Rice stated that many markets are back online and the rest are in the process of coming back online. Rice emphasised that the outage was not directly caused by a “cybersecurity event” but by a configuration change.
In a separate message sent to employees via the company’s OTP portal, McDonald’s stated that the issue is being resolved and that all impacted stores and systems are coming back online. The massive IT outage impacted restaurants worldwide, including in the US, the UK, Japan, Australia, Canada, the Netherlands, Italy, and New Zealand. Employees shared on social media that they could not take orders, open cash registers, or process payments because POS systems were down.

Acer confirms Philippines employees’ data has been leaked. Acer Philippines confirmed that employee data was stolen during a cyberattack on a 3rd party vendor after a threat actor leaked the data on a hacking forum. On 12 March, a threat actor known as ph1ns published a link on a hacking forum to download a stolen database containing Acer employee data. The attacker told BleepingComputer that no ransomware or encryption was involved and that it was a pure data theft attack. They further stated that they were not attempting to extort the company, but provided evidence that they wiped the data on the breached servers before losing access. Acer Philippines emphasised that no customer data was affected and that its own systems remained uncompromised. Acer has also notified the relevant authorities, and an investigation into the breach is underway.

Nissan confirms that 100,000 people's data has been exposed after a ransomware attack. Nissan Oceania is warning that a December 2023 ransomware attack has impacted 100,000 people through a data breach. Nissan has confirmed that the hackers stole data on some current and former employees, and on customers of Nissan, Mitsubishi, Renault, Skyline, Infiniti, LDV and RAM dealerships in the region. In an updated statement, Nissan said it will notify approximately 100,000 individuals of the data breach over the coming weeks, explaining what information of theirs was exposed, what they can do, and the forms of support available.
Based on Nissan's estimates, about 10% of the impacted individuals had some form of government identification compromised: approximately 4,000 Medicare cards, 7,500 driver's licences, 220 passports, and 1,300 tax file numbers. The remaining 90% had other personal information impacted, including loan-related documents, employment details and birth dates. Unfortunately, Akira (the ransomware group that attacked them) has already leaked the stolen data via its extortion page on the dark web. Nissan will be providing free access to IDCARE, free credit monitoring services through Equifax in Australia and Centrix in New Zealand, and reimbursement for the replacement of compromised government IDs. Impacted individuals are highly recommended to be vigilant against any suspicious activity on their accounts and to immediately report it to the authorities.

Equilend January 2024 ransomware attack has led to a breach of employees’ data.

Equilend, a fintech firm, is sending notification letters to its employees to inform them that their personal information was compromised in a January 2024 ransomware attack. The personal information impacted includes names, birthdates, social security numbers, and Equilend payroll information. In the notification letter, Equilend stated that it has found no evidence that any personal information has been used to commit identity theft or fraud. However, Equilend will be providing impacted individuals with complimentary identity theft protection services.

Stanford University data breach compromised 27,000 individuals’ personal information.

Stanford University is starting to send notification letters to 27,000 individuals whose personal information was stolen in a ransomware attack on Stanford’s Department of Public Safety (DPS). The Akira ransomware group claimed responsibility for the attack.
In the notification letter, it was stated that the stolen personal information includes individuals’ names, birthdates, social security numbers, passport numbers, driver’s licence numbers, government ID numbers and other information, although the type of personal information varies for each individual. For some individuals, other types of leaked information include biometric data, health/medical information, email address with password, username with password, security questions and answers, digital signature, and credit card information with security codes. The university also stated that it has found no evidence of the compromised information being misused. Impacted individuals are offered identity theft protection services, including credit monitoring, for free.

Fortinet released a patch for a critical RCE vulnerability in endpoint management software.

Fortinet has released a patch for a critical RCE vulnerability (tracked as CVE-2024-48788) in its FortiClient Enterprise Management Server (EMS) software. This vulnerability can allow attackers to gain remote code execution on vulnerable servers in low-complexity attacks that do not require user interaction. It impacts FortiClient EMS versions 7.0 (7.0 through 7.0.10) and 7.2 (7.2.0 through 7.2.2). Fortinet has not revealed whether there is any evidence of this vulnerability being exploited in attacks before patching. Fortinet has also fixed another critical out-of-bounds write weakness (CVE-2023-42789) in the FortiOS and FortiProxy captive portal that could let unauthorised users remotely execute unauthorised code or commands. Two other high-severity flaws (tracked as CVE-2023-36554 and CVE-2023-47534) were also patched this week; they allow attackers to execute arbitrary commands or code on vulnerable systems.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
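The FortiClient EMS item above gives two affected version ranges for CVE-2024-48788. When an estate has more than a handful of EMS servers, the practical step is to check an inventory against those ranges rather than eyeballing version strings. The script below is an added example for this roundup, not Fortinet code: it encodes the ranges exactly as quoted in the post (treating the bare "7.0" lower bound as 7.0.0, which is an assumption), parses version strings that may carry a build suffix, and sorts hosts into affected, not affected and unknown. The host names and inventory are constructed.

```python
"""Triage a FortiClient EMS inventory against the affected-version ranges
for CVE-2024-48788 as stated in this post.

Added example for this roundup; not Fortinet code. The host names, the
inventory and the treatment of "7.0" as 7.0.0 are assumptions.
"""
import re
from typing import Iterable

# Affected ranges quoted in the post: 7.0 through 7.0.10 and 7.2.0 through
# 7.2.2 (inclusive). "7.0" without a patch number is taken as 7.0.0 here
# (assumption); anything outside the ranges is simply "not in the list".
AFFECTED_RANGES = {
    "CVE-2024-48788": [("7.0.0", "7.0.10"), ("7.2.0", "7.2.2")],
}

_VERSION_RE = re.compile(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '7.2.2', 'v7.0' or '7.0.10 build 0123' into a comparable tuple.

    Missing minor/patch components default to 0. Raises ValueError on
    strings that do not start with a dotted number, so unknown versions
    are never silently treated as safe.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str, cve: str = "CVE-2024-48788") -> bool:
    """True when version falls inside any inclusive range listed for the CVE."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES[cve])


def triage(inventory: Iterable[tuple[str, str]]) -> dict[str, list[str]]:
    """Sort (host, version) pairs into affected / not_affected / unknown.

    'unknown' holds hosts whose version string could not be parsed; those
    need a manual check rather than being assumed patched.
    """
    result: dict[str, list[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "affected" if is_affected(version) else "not_affected"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hypothetical hosts, not from the post).
SAMPLE_INVENTORY = [
    ("ems-prod-01", "7.2.2"),              # last version inside the 7.2 range
    ("ems-prod-02", "7.2.3"),              # outside the quoted ranges
    ("ems-lab-01", "7.0.10 build 0123"),   # inside the 7.0 range, with a build suffix
    ("ems-lab-02", "7.0.11"),              # outside the quoted ranges
    ("ems-legacy", "v7.0"),                # treated as 7.0.0, inside the 7.0 range
    ("ems-mystery", "unknown"),            # cannot be parsed; manual check
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Unparseable versions are deliberately reported separately instead of being dropped: in a patch sweep, a host whose version cannot be read is a gap in coverage, not a patched host.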
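The Roku item earlier in this post describes the takeover pattern worth detecting: the attacker changes the password, email address or shipping address and then spends the stored card, so the real owner never receives the order confirmation. A simple, defensible signal is a purchase that closely follows a change to one of those fields on the same account. The script below is an added example for this roundup, not Roku code; the log format, field names, accounts and sample lines are constructed assumptions.

```python
"""Flag purchases that follow a fresh change of account contact details.

Added example for this roundup; not Roku code. It models the pattern the
post describes for the Roku account takeovers: a change to the password,
email or shipping address shortly before a purchase on the stored card.
The event format, field names and sample log lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Fields that, when changed shortly before a purchase, can suppress or
# divert the owner's notification or the goods themselves.
SENSITIVE_FIELDS = {"password", "email", "shipping_address"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str           # "change" or "purchase"
    field: str = ""     # for "change": which field was altered
    amount: float = 0.0 # for "purchase": order value


def parse_line(line: str) -> Event:
    """Parse one constructed log line of either form:
       <iso-timestamp> <account> change <field>
       <iso-timestamp> <account> purchase <amount>"""
    ts, account, kind, arg = line.split()
    if kind == "change":
        return Event(datetime.fromisoformat(ts), account, kind, field=arg)
    if kind == "purchase":
        return Event(datetime.fromisoformat(ts), account, kind, amount=float(arg))
    raise ValueError(f"unknown event kind in line: {line!r}")


def suspicious_purchases(lines, window=timedelta(hours=24)):
    """Return (account, purchase_ts, changed_fields) for every purchase made
    within `window` after a sensitive-field change on the same account.
    Events are processed in timestamp order per account, so only changes
    that precede the purchase count."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: (e.account, e.ts))
    recent: dict[str, list[Event]] = {}
    hits = []
    for e in events:
        changes = recent.setdefault(e.account, [])
        if e.kind == "change" and e.field in SENSITIVE_FIELDS:
            changes.append(e)
        elif e.kind == "purchase":
            fresh = sorted({c.field for c in changes if e.ts - c.ts <= window})
            if fresh:
                hits.append((e.account, e.ts, fresh))
    return hits


# Constructed sample log: bob matches the pattern, carol's password change is
# too old for the default window, dave's change is not to a sensitive field.
SAMPLE_LOG = """
2024-04-10T08:00:00 alice purchase 19.99
2024-04-10T09:12:00 bob change email
2024-04-10T09:13:30 bob change shipping_address
2024-04-10T09:20:00 bob purchase 349.00
2024-04-01T10:00:00 carol change password
2024-04-10T11:00:00 carol purchase 12.50
2024-04-10T12:00:00 dave change display_name
2024-04-10T12:05:00 dave purchase 59.00
""".strip().splitlines()

if __name__ == "__main__":
    for account, ts, fields in suspicious_purchases(SAMPLE_LOG):
        print(f"{account}: purchase at {ts.isoformat()} after change of {', '.join(fields)}")
```

Hits from this check are the input to the controls that actually stop the fraud: sending the change notice to the previous email address as well as the new one, and holding or step-up verifying purchases for a cooling-off period after contact details change.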
Last week, breaches and cyberattacks occurred across several industries, from life insurance, semiconductor and financial to the public sector. Devastating consequences have been uncovered from earlier data breaches and attacks, such as the Play ransomware attack that resulted in 65,000 Switzerland government documents being leaked, and UniCredit being fined $3.1 million by Italy's privacy watchdog for a data breach. Furthermore, new vulnerabilities have been found and patches have been released. It is highly recommended to not only be aware of them but to also apply them as soon as possible.
Read on to receive a quick summary of what happened this week in the space of cybersecurity.

American Express customer data exposed in third-party breach.

American Express is warning customers that their credit card details were exposed in a hack at a merchant processor through which American Express Card member data was processed. In a data breach notification filed with the state of Massachusetts, the company warned customers that their account information may have been compromised. The compromised data includes customers’ credit card account numbers, names and card expiration dates. However, it is not clear how many customers were impacted, which merchant processor was breached, or when the attack occurred. American Express stated that it has begun an investigation into the breach and has notified the relevant authorities. Furthermore, the company stated that if a cardmember’s credit card is used to make fraudulent purchases, the customer would not be responsible for the charges. Customers are highly advised to regularly review their bank statements for the next 12-24 months, and to report any suspicious behaviour. The company also suggests enabling instant notifications via the American Express mobile app to receive fraud and purchase alerts. Furthermore, customers whose card information was stolen are encouraged to request a new card number to prevent bad actors from using the card.

Canada’s anti-money laundering agency hit by a cyberattack: Forced to go offline.

The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) announced that it had to take its corporate systems offline as a precaution due to a “cyber incident”. FINTRAC is the Canadian government agency that operates as the country's financial intelligence unit. In a statement posted on its website, the agency stated that intelligence or classified systems were not accessed.
FINTRAC is collaborating with federal partners to restore its operations and enhance its defences to prevent similar incidents from reoccurring.

Fidelity Investments Life Insurance Company (FILI) informing roughly 28,000 individuals of data breach.

FILI is notifying 28,268 individuals that their personal information was compromised in a third-party breach at services provider Infosys McCamish System (IMS). In its notification letter, FILI noted that the threat actor had obtained information held by IMS about the individual and their policy. The compromised information includes customers' names, birthdates, state of residence, social security numbers, bank account and routing numbers, and credit card numbers. However, as the investigation is still ongoing, FILI is unable to determine with certainty exactly what personal information was accessed during the attack. The impacted individuals are offered 2 years of free credit monitoring.

Switzerland reports that the Play ransomware attack resulted in 65,000 government documents leaked.

The National Cyber Security Centre (NCSC) of Switzerland released a report on its investigation of a data breach following a ransomware attack by the Play ransomware gang on Xplain, a Swiss technology and software solutions provider for various Swiss government departments. It was disclosed that 65,000 sensitive Federal government files were leaked in the breach. Of the approximately 1.3 million files published by Play ransomware, about 5% (65,000 documents) are relevant to the Federal Administration. 95% of those files impact the administrative units of the Federal Department of Justice and Police: the Federal Office of Justice, the Federal Office of Police, the State Secretariat for Migration, and the internal IT service centre. 3% of the data were from the Federal Department of Defence, Civil Protection and Sport.
Around 5,000 documents contained sensitive information such as personal data (e.g. names, email addresses, telephone numbers, and addresses), technical details, classified information, and account passwords. A small set of a few hundred files contained IT system documentation, software or architectural data, and passwords.

Jersey finance regulator suffers a data breach: Allowing access to nonpublic names and addresses.

The Jersey Financial Services Commission (JFSC) has been hit by a data breach which allowed access to nonpublic names and addresses. In a statement, the watchdog said that it detected a vulnerability in its registry system on 23 January 2023 and took action to resolve the issue. With an independent cybersecurity partner, it conducted a forensic review and identified that the vulnerability was caused by a misconfiguration in its 3rd party supplied registry system. In an update on its website, the JFSC said that its corporate network was not compromised, and that the breach did not link any individuals to a specific registered entity or any role held. However, 66,806 individuals did have their names and addresses accessed where these were not already public on the register.

North Korea hacks 2 South Korean chip firms and steals engineering data.

South Korea’s National Intelligence Service (NIS) warns that North Korean hackers are targeting domestic semiconductor manufacturers. NIS stated that these attacks have increased from the latter half of 2023 until recently, and that the attackers target internet-exposed servers vulnerable to known flaws to gain access to corporate networks. NIS mentioned that in December 2023 and February 2024, at least 2 cyberattacks on separate entities occurred, in which the companies' configuration management and security policy servers were hacked. Reportedly, this resulted in sensitive data being compromised, such as product design drawings and facility site photos. The 2 victims were not named in the report.
However, NIS postulates that these cyberattacks are aimed at collecting valuable technical data which North Korea could use to develop its own chip-making programme, which in turn could help it develop weapons.

Italy privacy watchdog fines UniCredit $3.1 million for data breach.

Italy’s data protection authority has fined UniCredit, Italy’s second-largest bank, US$3.1 million for a 2018 data breach that affected approximately 788,000 customers and former customers. The bank responded that it will appeal the decision in court, as no bank data had been compromised and the incident had been immediately resolved. The 2018 data breach of its mobile banking platform exposed the data of approximately 788,000 customers and former customers, such as names, tax codes, and other identification codes. The authority stated that the sanction took into account the large number of people involved in the data breach and the seriousness of the breach, as well as the timely adoption of corrective measures.

Apple was fined $1.95 million by the European Commission for “abusive” App Store rules.

The European Commission has fined Apple US$1.95 million for allegedly abusing its market dominance in music streaming app distribution to prevent developers from promoting cheaper services outside the app. The Commission found that Apple applied restrictions on app developers which prevented them from informing iOS users about alternative and cheaper music subscription services available outside of the app, which is illegal under EU antitrust rules. The investigation began after Spotify and an e-book/audiobook distributor issued complaints about 2 Apple App Store policies: (1) charging a 30% commission fee on all subscription fees paid through Apple’s in-app purchase system, and (2) preventing developers from promoting cheaper membership options outside the app.
The European Commission stated that although market dominance is not illegal under EU antitrust rules, dominant companies do have a special responsibility to ensure that they do not abuse their position. However, Apple stated that it believes the European Commission has not found any evidence of consumer harm or proof of anti-competitive behaviour. Instead, Apple stated that Spotify is the primary beneficiary of this decision, and that Spotify chose not to promote in-app subscriptions even though it was involved in the initial complaints. Furthermore, Apple stated that Spotify has the largest music streaming app in the world and met with the European Commission more than 65 times during the investigation. Spotify has 56% of Europe’s music streaming market, and pays Apple for none of the services that have helped it become one of the most recognisable brands in the world. Apple also credited its App Store with Spotify’s popularity, noting that Spotify uses Apple’s tools and technology to build, update and share its app with Apple users around the world. Apple stated that it respects the Commission’s decision, but will be appealing the fine.

Apple released emergency security updates to fix 2 zero-day vulnerabilities.

Apple released emergency security updates to fix 2 iOS zero-day vulnerabilities (tracked as CVE-2024-23225 and CVE-2024-23296) which are being exploited in attacks on iPhones. Both vulnerabilities allow bad actors to bypass kernel memory protections. Apple stated that it addressed the flaws for devices running iOS 17.4, iPadOS 17.4, iOS 16.7.6 and iPadOS 16.7.6. The list of impacted devices includes:
That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!