Author: TAFA
April 2024
Last week, breaches and cyberattacks occurred across several industries, from the public sector, tech, e-commerce, hotels and optical supplies to healthcare. Devastating consequences have been uncovered from earlier data breaches and attacks, such as the exposure of 4.4 million SurveyLama users’ personal information and the leak of Leicester City Council’s confidential documents on the dark web after a ransomware attack. Additionally, it was found that the 2023 Hong Kong Cyberport data breach affected 13,362 staff and jobseekers. Furthermore, new vulnerabilities and patches have also been found and released. It is highly recommended not only to be aware of them but also to apply them as soon as possible.

Read on to receive a quick summary of what happened this week in the space of cybersecurity.

US cancer centre suffers a data breach: 827,000 patients’ information exposed.

Cancer treatment and research centre City of Hope is starting to notify 827,000 individuals that their personal and health information has been compromised in a data breach. According to a data breach letter filed with the Maine Attorney General's Office, the breach occurred between 19 September and 12 October 2023, when an unauthorised third party managed to access a subset of City of Hope systems and copied some files that contained the affected individuals’ information. The stolen data includes affected individuals’ names, birth dates, email addresses, phone numbers, driver’s licence numbers, ID numbers, social security numbers, bank account numbers, credit card details, health insurance information and medical information. City of Hope also clarified that not every data type listed was compromised for every patient: the level of exposed information varied per case. Upon detection, City of Hope stated that they took steps to contain the breach, notified the relevant authorities, and retained a cybersecurity firm to implement security measures to improve their systems’ security. The cancer centre has also stated that so far there has been no identification of any identity theft or fraud pertaining to the stolen information. Affected individuals are offered complimentary identity monitoring services for 2 years. It is highly recommended for impacted individuals to monitor their banking statements and to be vigilant against phishing attacks, unsolicited communications or requests for additional information.

Jackson County in state of emergency after a ransomware attack.

Jackson County, Missouri, declared a state of emergency on 2 April 2024 after a ransomware attack took down some of its services on Tuesday. The Assessment, Collection and Recorder of Deeds offices at all County locations will likely be closed until the end of the week as the IT department works on restoring the tax payment, marriage licence and inmate search systems impacted in the incident. Fortunately, based on a statement published on Tuesday, the Kansas City Board of Elections and Jackson County Board of Elections are not affected by this system outage. Officials have alerted the relevant authorities of this incident and are currently working with third-party IT security experts to investigate the attack. Jackson County Executive Frank White, Jr. declared a state of emergency to expedite IT orders, activate emergency workers, and protect against a ransomware attack. As White stated, all county staff are taking the necessary steps to protect resident data and county assets and to continue essential services to mitigate the impact of the ransomware attack. County officials have confirmed that residents’ financial information is not affected, as the compromised systems did not store residents’ financial data.

Acuity confirms hackers have stolen old non-sensitive government data from its GitHub repositories.

Acuity, a federal contractor that works with U.S. government agencies, has confirmed that hackers breached its GitHub repositories and stole old, non-sensitive government documents. In an emailed statement, Acuity stated that they identified a cybersecurity incident related to GitHub repositories that contained old and non-sensitive information. Once they were aware of the zero-day vulnerability, Acuity applied the relevant security updates and performed mitigating actions according to the vendor’s guidance. After an investigation, Acuity saw no evidence of impact on any of their clients’ sensitive data. Although Acuity did not provide additional information due to the ongoing investigation, IntelBroker (one of the threat actors behind the attack) has leaked thousands of records that contain information belonging to Justice Department, State Department, DHS and FBI employees. IntelBroker also claimed that they stole Five Eyes intelligence alliance documents, some of which allegedly contain classified information. Another threat actor, Sanggiero, told BleepingComputer that the breach occurred on 7 March 2024, and that they allegedly exploited a vulnerability in an Acuity Tekton CI/CD server to steal GitHub credentials and access the private repositories.

PandaBuy, a shopping platform, suffered a data leak that impacted 1.3 million users.

PandaBuy, a shopping platform that allows international users to purchase from various e-commerce platforms in China such as Tmall, Taobao and JD.com, was allegedly breached by 2 threat actors that exploited multiple vulnerabilities. The 2 threat actors, Sanggiero and IntelBroker, claimed that they managed to steal data including, but not limited to, 3 million unique user IDs, first names, last names, phone numbers, email addresses, login IPs, order data, order IDs, home addresses, zip codes and countries. According to Have I Been Pwned, 1,348,407 PandaBuy accounts have been exposed in the breach. The threat actor has also provided a small sample of email addresses, customer names, order numbers and details, shipping addresses, transaction dates and times, and payment IDs as evidence. Troy Hunt, creator of HIBP, tested password reset requests using the leaked addresses and confirmed that at least 1.3 million email addresses are valid and come from PandaBuy. The rest were made-up and duplicate addresses, so the 3 million figure was inflated by the threat actors. It is highly recommended for those who have PandaBuy accounts to reset their password and remain vigilant against any phishing attacks and scams.

Chilean data centre and hosting provider IxMetro Powerhost suffered a cyberattack.

IxMetro Powerhost, a data centre, hosting and interconnectivity company with locations in the U.S., South America and Europe, suffered a cyberattack by a new ransomware gang called SEXi, which encrypted the company’s VMware ESXi servers and backups. On 1 April, PowerHost’s Chile division, IxMetro, warned customers that they had suffered a ransomware attack early Saturday morning which encrypted some of the company’s VMware ESXi servers that are used to host virtual private servers for customers. Customers that hosted their websites or services on these servers are down as the company attempts to restore terabytes of data from backups. In one update, PowerHost warned their customers that they might not be able to restore the servers, as the backups have also been encrypted. PowerHost CEO Ricardo Ruben stated that they had attempted to negotiate with the threat actors to receive a decryption key; however, the ransomware gang has demanded 2 BTC per victim, which would be equal to $140 million. For impacted VPS customers who still have their website content, the company is offering to set up a new VPS so that customers can bring their sites back online.

SurveyLama suffers a data breach: 4.4 million users’ personal information exposed.

SurveyLama, an online platform that rewards registered users for completing surveys, suffered a data breach in February 2024 which resulted in the exposure of 4,426,879 users’ sensitive data. In early February, Have I Been Pwned (HIBP) creator Troy Hunt received information about a data breach impacting the service. The exposed data types include full names, birth dates, email addresses, IP addresses, passwords, phone numbers, and physical addresses. SurveyLama has notified impacted users via email and confirmed the security incident. It is highly recommended for SurveyLama account holders to reset their passwords immediately, as well as on any other platforms where the same credentials are used. As of now, there is no evidence of the compromised data being posted publicly online, which currently limits the exposure.

Hoya confirms a cyberattack has disrupted optics production and orders.

Hoya Corporation, a global manufacturer of optical products, confirmed that the Group’s headquarters and several of its business divisions suffered an IT system incident, which caused servers at some of its production plants and business divisions to go offline on 30 March. In response to the incident, Hoya isolated the affected servers and informed the relevant authorities in the impacted countries. The optics company has also hired third-party forensic investigators to determine the cause of the incident, and whether the hackers accessed or extracted any confidential or personal information stored on the compromised systems. As a direct result of this incident, some production plants and ordering systems for certain products have been impacted.

Omni Hotels confirms cyberattack behind ongoing nationwide IT outage.

Omni Hotels & Resorts has confirmed a cyberattack that caused a nationwide IT outage in the U.S., with some locations still affected. The hotel chain has stated that since 29 March, Omni Hotels & Resorts has been responding to a cyberattack on its systems. In response to the attack, Omni took down the impacted systems, and its IT teams are working to restore them and bring them back online. Furthermore, they have launched an investigation with a third-party cyber security response team, which is still ongoing. According to Omni employees, the IT teams are manually restoring the affected systems from scratch and have been informed that the systems will be available again on 4 April 2024. The outage triggered by the cyberattack has affected many of Omni’s services, including its reservations, hotel room door lock, and point-of-sale systems. It has been reported that front desk employees have been experiencing issues with credit card payments, new reservations, and modifying already-made reservations.

Leicester City Council confirms ransomware attack after confidential documents were leaked.

Leicester City Council in England confirmed that the March cyber incident was a ransomware attack after it was discovered that the malicious actors had uploaded the stolen documents to their dark web extortion site. Leicester’s strategic director, Richard Sword, confirmed on 3 April that “a small number of documents” from their servers have been published by a ransomware group (INC Ransom). According to Sword, INC Ransom published around 25 or so confidential documents. These confidential documents include rent statements, applications to purchase council housing and identification documents such as passport information. Sword also stated they are unable to be certain whether other documents have been extracted from their systems, although they do believe that the threat actors have done so. The council also stated that most of its systems and phone lines are now operating as normal after it was decided to shut everything down on 7 March when the attack was detected. People in Leicester are highly advised to report to Leicestershire Police, using the non-emergency call service 101 or an online form, if anyone claims to have their data.

Hong Kong privacy watchdog found that the 2023 Hong Kong Cyberport data breach affected 13,632 staff and jobseekers.

Hong Kong’s Office of the Privacy Commissioner for Personal Data found that 13,632 staff and job seekers' personal data had been stolen when hackers attacked Hong Kong’s Cyberport last year. The investigation found that out of the 13,682 affected, 8,000 had employment ties with the company, which includes 5,292 unsuccessful applicants and former employees. Others were managerial staff, interns and business partners. The personal data stolen includes names, ID cards, passport numbers, financial information such as bank account numbers, medical reports, photos, birthdates, social media accounts and academic information. For each affected individual, the amount of stolen information varies. Furthermore, it was found that 13 Windows systems and 2 virtual servers were compromised. The watchdog has slammed the organisation’s cybersecurity oversights, as it had failed to implement sufficient and effective security measures to ensure its systems’ security. It was found that the organisation did not keep information secure and kept information beyond the intended retention period. The watchdog also sent an enforcement notice to the government-funded technology hub last week, requiring it to carry out a list of improvements and submit a report within 2 months.

MarineMax, a yacht retailer, disclosed a data breach after a cyberattack.

MarineMax, a boat and yacht retailer, stated that employee and customer data were stolen after its systems were breached in a March cyberattack. On 1 April 2024, in a new 8-K filing, it was revealed that the hackers gained access to and stole personally identifiable data belonging to an undisclosed number of individuals. Although the company did not attribute the attack to a specific threat group, the Rhysida ransomware gang has claimed the attack and is selling the allegedly stolen data for 15 BTC (just over $1,000,000). Rhysida has also leaked screenshots of what appear to be MarineMax’s financial documents, employee driver’s licences and passports on its data leak site as evidence.

LayerSlider WordPress plugin critical flaw impacts 1 million sites.

The LayerSlider WordPress plugin, which is used on over 1 million sites, has a critical flaw (tracked as CVE-2024-2879) which allows unauthenticated SQL injection. The flaw impacts versions 7.9.11 through 7.10.0 of the plugin and could allow attackers to extract sensitive data such as password hashes from the site’s database. This puts these sites at risk of complete takeover or data breaches. The developer released a security update on 27 March. All users of LayerSlider are highly recommended to upgrade to version 7.10.1, which addresses this critical vulnerability.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
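Added after the roundup, as an example that is not part of the original post or of the LayerSlider project: a small Python check that turns the LayerSlider advisory above (affected versions 7.9.11 through 7.10.0, fixed in 7.10.1) into an inventory test a site administrator can run. It reads the standard `Version:` field from a WordPress plugin's main PHP file header and reports whether the installed build falls inside the affected range. The sample headers are constructed for the demonstration; the `scan_headers` input mapping (file path to header text) is an assumed shape that a caller would fill by reading each plugin's main file from `wp-content/plugins/`.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range and fixed release, as given in the advisory summary above
# (CVE-2024-2879, LayerSlider 7.9.11 through 7.10.0, fixed in 7.10.1).
AFFECTED_MIN = "7.9.11"
AFFECTED_MAX = "7.10.0"
FIXED = "7.10.1"

# Matches the "Version:" line of a WordPress plugin header comment, with or
# without a leading " * " from the comment block.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$", re.MULTILINE)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.10.0' (or '7.10', or '7.10.0-beta1') into a 3-tuple of ints.

    Only the numeric dotted core before any '-' suffix is used, and missing
    components are padded with 0 so that '7.10' compares equal to '7.10.0'.
    """
    core = text.split("-", 1)[0]
    parts = [int(p) for p in re.findall(r"\d+", core)][:3]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def plugin_version(header: str) -> Optional[str]:
    """Extract the Version: field from a WordPress plugin header, or None."""
    match = _VERSION_RE.search(header)
    return match.group(1) if match else None


def is_affected(version: str) -> bool:
    """True if the version lies inside the advisory's affected range (inclusive)."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


def assess(header: str) -> str:
    """Classify one plugin header as 'affected', 'not-affected' or 'unknown'.

    'unknown' (no parseable version) is reported rather than silently treated
    as safe, so a missing header does not hide a vulnerable install.
    """
    version = plugin_version(header)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not-affected"


def scan_headers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, status) for every header that is not clearly patched.

    `headers` maps a plugin file path to the text of that file's header block;
    assumed input shape for this example, filled by the caller from disk.
    """
    return [(path, status) for path, text in headers.items()
            if (status := assess(text)) != "not-affected"]


# Constructed sample headers (not real plugin files) for the demonstration.
SAMPLE_VULNERABLE = """<?php
/*
 * Plugin Name: LayerSlider
 * Version: 7.10.0
 */
"""

SAMPLE_PATCHED = """<?php
/*
 * Plugin Name: LayerSlider
 * Version: 7.10.1
 */
"""

SAMPLE_NO_VERSION = """<?php
/*
 * Plugin Name: LayerSlider
 */
"""

if __name__ == "__main__":
    inventory = {
        "wp-content/plugins/site-a/layerslider.php": SAMPLE_VULNERABLE,
        "wp-content/plugins/site-b/layerslider.php": SAMPLE_PATCHED,
        "wp-content/plugins/site-c/layerslider.php": SAMPLE_NO_VERSION,
    }
    for path, status in scan_headers(inventory):
        print(f"{status:12s} {path}  (fix: upgrade to {FIXED})")
```

The comparison is done on integer tuples rather than on strings so that 7.9.11 sorts below 7.10.0 (a plain string compare would get that wrong). A header with no parseable version is surfaced as `unknown` instead of being dropped, which is the conservative choice for a patch-status report.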