Last week saw data breaches and ransomware attacks across a range of industries and countries, with more organizations, including banks, hotels and universities, among the latest MOVEit mass-hack victims. New vulnerabilities were also disclosed, along with important patches to apply. Read on for a quick summary of what happened this week in cybersecurity.

Deutsche Bank AG confirms service provider breach exposed customer data

Deutsche Bank AG has confirmed that a data breach at one of its service providers exposed customer data in a likely MOVEit Transfer data-theft attack. The German bank stated that the incident affected customers in Germany who used its account switching service in 2016, 2017, 2018 and 2020. Although the number of affected customers has not been determined, the bank said that only a limited amount of personal data was exposed. Deutsche Bank has informed affected clients about the breach, its direct impact, and the precautionary measures they should take. The bank also stated that cybercriminals cannot gain access to accounts using the exposed data, but they might try to initiate unauthorized direct debits. In response, the bank has extended the period in which unauthorized direct debits can be returned to 13 months.

HCA Healthcare data breach: 11 million patients affected

American healthcare operator HCA Healthcare, the largest for-profit health system in America, has confirmed that it was targeted by hackers in a cyberattack. The breach resulted in the personal data of at least 11 million patients being leaked online on hacker forums. The breach occurred on 5 July, and the majority of the 11 million patients are from 20 states including California, Florida, Georgia and Texas. The compromised data includes names, home addresses, phone numbers, dates of birth, email addresses, gender, and appointment dates and locations. The cybercriminals initially attempted to hold the data for ransom, but when HCA did not meet their demands, they put the data up for sale on hacker forums.

Telekom Malaysia confirms data breach

Telekom Malaysia (TM) has confirmed a recent data breach involving Unifi customers’ personal information, including names, national identification and passport numbers, and contact details. The company stated that no financial information was affected, that the breach has been contained, and that proactive steps have been taken to protect data across its platforms. TM has notified customers of the breach and warned them about phishing tactics such as online scams, suspicious links and unsolicited phone calls. The company has also reported the breach to the relevant authorities.

12,000 SBI employees’ data leaked on Telegram channels

In a massive data breach, the data of more than 12,000 State Bank of India (SBI) employees was leaked on Telegram channels. The leaked data includes employees’ names, addresses, contact numbers, SBI passbooks, PAN numbers, account numbers, photo IDs, Aadhaar cards and voter cards. The threat actor claimed to have exploited an unprotected database that potentially gave unrestricted access to the financial details of millions of consumers, such as bank balances and recent transactions. The same threat actor has also allegedly dumped the data on publicly accessible online forums, where the data of 4,000 more employees was leaked. Some threat actors have also put the leaked data up for sale on dark web forums.

Razer investigates the Razer Gold data breach

Razer is investigating an alleged data breach related to Razer Gold, its virtual gaming credits platform. The firm stated on Monday that it was aware of the potential breach. This follows a post that surfaced on a hacker forum on Saturday, in which the poster claimed to have stolen data from Razer, including source code, encryption keys, backend access logins and databases for “Razer.com and its products”. The hackers included screenshots of the alleged breach as proof, listing folders that appear to contain API details, merchant vouchers and payment channels. The hackers have the entire data set for sale for US$100,000 in Monero cryptocurrency, although they are willing to negotiate. Razer has stated that once its investigation is concluded, it will report the matter to the relevant authorities.

1st Source data compromised by MOVEit data breach

Financing firm 1st Source Corp stated on Monday that a third party gained access to data of its commercial and individual clients as a result of the MOVEit data-theft attack. The company did not disclose the scale of the breach, but said it is in the process of identifying and notifying the affected clients.

Radisson Hotels Americas impacted by MOVEit data-theft attack

A spokesperson for Choice Hotels, which acquired Radisson Hotels Group in 2022, stated that a “limited number of guest records” were accessed by the hackers during the MOVEit data-theft attack, but did not say how many guests were affected. The company is still investigating the breach and will send data breach notification letters to affected guests once they are identified.

Honeywell devices’ security flaws could be exploited to disrupt critical industries

Researchers at Armis discovered 9 vulnerabilities in Honeywell devices used in critical industries. If exploited, they would allow hackers to cause physical disruption and potentially endanger human lives. The vulnerabilities were found in Honeywell’s Experion distributed control system (DCS) products, which are used to control large industrial processes across critical industries such as energy, oil, gas, mining and pharmaceuticals, where high availability and continuous operation are essential. 7 of the vulnerabilities have been given a critical-severity rating, meaning threat actors can remotely run unauthorized code on both Honeywell servers and controllers. The vulnerabilities can be exploited without authentication, so threat actors do not need to log in to the controller. Honeywell has made patches available and urges all affected organizations to apply them promptly.

Bangladesh government takes down citizens’ data exposed on a website

Bangladesh’s e-Government Computer Incident Response Team (CIRT) stated that it had taken down citizens’ sensitive data that had been left exposed on a government website. In a press release, CIRT said it had “promptly” addressed the data breach. The State Minister for Information and Communication Technology, Zunaid Ahmed Palak, stated that citizens’ information was exposed not because the government website was hacked but because of a vulnerability in the website. Bangladesh’s Home Minister, Asaduzzaman Khan Kamal, reportedly said that law enforcement agencies are investigating the incident.

Colorado State University (CSU): Data breach impacts both staff and students

CSU has confirmed that the personal information of current and former staff and students was stolen during the MOVEit Transfer data-theft attack. CSU informed its students and staff on 12 July 2023 that the attackers had gained access to their personal data. The stolen personal information includes full names, dates of birth, student or employee identification numbers, social security numbers, and demographic information (gender, ethnicity, level and area of education). The stolen data goes back as far as 2021. The breach resulted from a compromise of the university’s service vendors, all of which used the MOVEit Transfer platform. CSU is investigating the impact of the stolen data and will send individual notification letters to those affected.

Microsoft is still unsure how hackers stole the Azure AD signing key

Microsoft has stated that it is still unsure how Chinese hackers stole an inactive Microsoft account (MSA) consumer signing key that was used to breach the Exchange Online and Azure AD accounts of roughly 25 organizations, including government agencies, and that it is still investigating how the key was obtained. The incident was reported by US government officials after they discovered unauthorized access to several government agencies’ Exchange Online email services. Microsoft has revoked all valid MSA signing keys to block attempts to generate new access tokens and has moved the newly generated keys to the key store it uses for enterprise systems. While Microsoft no longer detects any key-related malicious activity, it has stated that the attackers have now switched to other techniques.

Microsoft: Unpatched Office zero-day exploited against NATO Summit attendees

On Tuesday, Microsoft disclosed that the Russian cybercrime group RomCom exploited an as-yet-unpatched Office zero-day in recent phishing attacks against NATO Summit attendees. The attackers used malicious documents impersonating the Ukrainian World Congress organization to install malware payloads including the MagicSpell loader and the RomCom backdoor. BlackBerry researchers stated that, if successfully exploited, the flaw allows attackers to “conduct a remote code execution (RCE)-based attack by crafting malicious .docx or .rtf documents designed to exploit the vulnerability”. Unauthenticated attackers can exploit the vulnerability (tracked as CVE-2023-36884) in high-complexity attacks that require user interaction. The vulnerability can allow attackers to access sensitive information, turn off system protection, and deny access to the compromised system.

New APT RCE exploit targeting critical industries

Rockwell Automation, in coordination with CISA, has analyzed a new remote code execution (RCE) exploit, linked to an unnamed Advanced Persistent Threat (APT) group, that could be used to target unpatched ControlLogix communication modules, which are commonly used in the manufacturing, electric, oil and gas, and liquefied natural gas industries. The targeted vulnerability (CVE-2023-3595) is caused by an out-of-bounds write weakness that allows attackers to gain remote code execution or trigger a denial of service through maliciously crafted CIP messages. If successful, attackers can manipulate the module’s firmware, wipe the module memory, alter data traffic and establish persistent control, which could potentially affect the industrial process the module supports. Rockwell strongly recommends that customers apply the security patches it has released for all affected products. CISA has warned Rockwell customers to patch the critical RCE vulnerability to foil potential attacks.

Google Play to enforce organization registration to curb malware submissions

Google Play will require all new developer accounts to register as an organization and provide a valid D-U-N-S (Data Universal Numbering System) number before submitting apps. This is part of an effort to curb the constant flow of malware onto Google Play and so enhance the platform’s security and trustworthiness. By requiring a D-U-N-S number from software developers, Google makes it harder for malicious app developers to re-register on the store, since they would have to create a new company to return to the platform. Additionally, the “Contact details” section is being renamed “App support” and will include more information about the developer: the company name, complete office address, website URL and phone number. This is in addition to the details currently shown, such as the developer’s name, email and location. Google will also regularly verify the information provided by app developers and will suspend an account’s ability to publish apps if any inconsistencies are found.

Zimbra urges admins to manually fix a zero-day vulnerability that can be exploited in attacks

Zimbra is urging admins to manually fix a zero-day vulnerability that can be actively exploited to compromise Zimbra Collaboration Suite (ZCS) email servers. The company warned of the vulnerability and stated that a patch is planned for the July patch release. Although no patch is available yet, Zimbra has provided a fix that admins can apply manually to remove the attack vector. The fix can be found here. Admins should prioritize this, as multiple Zimbra bugs have been exploited to breach hundreds of vulnerable email servers globally in recent years.

WordPress AIOS plugin, used by over a million sites, logged plaintext passwords

The All-In-One Security WordPress security plugin, which is used by over a million WordPress sites, has been found not only to record login attempts but also to log the plaintext passwords used in them to the site’s database. This is especially dangerous because malicious admins could use people’s login details to take over their accounts, and attackers who gain access to the site’s database can exfiltrate user passwords in plaintext. Updraft offered development builds of the upcoming patch release to concerned users two weeks ago; however, those who tried to install them reported website problems and that the password logs were not removed. On 11 July, the AIOS vendor released version 5.2.0, which prevents plaintext passwords from being recorded and clears out old entries. As of 14 July, only a quarter of AIOS users have applied the update, which means 750,000 sites remain vulnerable. Websites using AIOS must update to the latest version, and it is recommended to ask users to reset their passwords.

Cisco SD-WAN vManage impacted by critical-severity vulnerability that affects REST API

Cisco has published a security bulletin about a critical-severity vulnerability (tracked as CVE-2023-20214) in the request authentication validation for the REST API of Cisco SD-WAN vManage software. The flaw can be exploited by sending a specially crafted API request to an affected vManage instance, which could allow attackers to “retrieve information from and send information to the configuration of the affected Cisco vManage instance”. This can enable attackers to read sensitive information from the compromised system, modify certain configurations, disrupt network operations, and more. Cisco has released fixes for the affected vManage versions; see here for the versions that have fixes. However, there will be no fixes for versions 20.7 and 20.8 (which are also affected), so users of those versions are advised to migrate to a different release. Versions between 18.x and 20.xd are not affected by this vulnerability.
© 2021, TAFA HOLDINGS (S) PTE LTD. ALL RIGHTS RESERVED