Last week, more data breaches, cyberattacks and ransomware attacks occurred across several industries, some with devastating consequences. TikTok has been fined by the EU, and a new attack has been discovered that can steal numerical passwords over Wi-Fi. New vulnerabilities and patches have also been disclosed and released; it is highly recommended not only to be aware of them but also to apply the updates when possible.
Read on to receive a quick summary of what happened this week in the space of cybersecurity.

Facebook Messenger phishing campaign targets roughly 100,000 business accounts per week

Threat actors are using fake and compromised Facebook accounts to send out roughly 100,000 Messenger phishing messages per week, targeting Facebook business accounts with password-stealing malware. The threat actors trick the targets into downloading a RAR/ZIP archive containing a stealer that grabs cookies and passwords stored in the victim's browser. Guardio Labs researchers warn that roughly 1 out of 70 targets will ultimately be compromised. The researchers also found that these phishing messages are sent mainly to Facebook users in North America, Europe, Australia, Japan and Southeast Asia. Guardio Labs also reports that approximately 7% of all Facebook's business accounts have been targeted, with 0.4% having downloaded the malicious archive.

MGM Resorts cyberattacked and forced to shut down IT systems

MGM Resorts International disclosed on 11 September that they had identified a "cybersecurity issue" that affected some of their systems, including their main website, online reservations, and in-casino services such as ATMs, slot machines, and credit card machines. After detecting the issue, they shut down certain systems to protect their systems and data. It appears that the outage started on Sunday night, when computer systems in the resorts went down. All MGM websites that used the same domain name as the main one (mgmresorts.com) were offline for hours. The MGM Rewards app was also not working, displaying a persistent error message. Furthermore, it was reported that some guests' room keys were not working, and slot machines displayed a "temporarily unavailable" message. MGM has stated that they have begun an investigation and have notified relevant law enforcement.
These issues still persisted on Friday, with booking capabilities still unavailable, and MGM Resorts offering penalty-free room cancellations through 17 September.

Casino giant Caesars confirms data breach and ransom payment for stolen customer data

Caesars Entertainment, one of the largest U.S. casino chains, has stated that it paid a ransom to prevent customer data stolen in a data breach from being leaked online. A Wall Street Journal report says that Caesars paid roughly US$15 million, half of the attackers' initial demand of US$30 million. Caesars stated that the attackers stole its loyalty program database, which stored customers' driver license numbers and social security numbers, although it added that there is "no evidence that any member passwords/PINS, bank account information or payment card information (PCI) were acquired by unauthorized actors." The company also highlighted that customers not enrolled in Caesars' loyalty program were not impacted by the data breach, and that it will notify all affected customers over the coming weeks. The company also stated that it has notified relevant law enforcement and begun an investigation into the cyberattack. Although Caesars did not link the attack to a specific cybercrime gang or actor, a Bloomberg report claimed that the attack was conducted by Scattered Spider, a financially motivated threat group. It uses a combination of social engineering, multi-factor fatigue, and SMS credential phishing attacks to steal user credentials and breach targets' networks. This is the second casino chain impacted by a cyberattack recently, with MGM Resorts International being impacted earlier this week as seen above.

Airbus data breached, employees' information stolen

Airbus, the aerospace giant, has suffered a data breach via a third-party vendor.
Hudson Rock, a cybercrime intelligence company, published evidence that a cybercriminal using the handle "USDoD" posted the personal information of 3,200 Airbus vendors on a hacking forum. The leak appears to be a simple data dump. USDoD also explained that they had managed to access the information by exploiting a Turkish airline employee's access. From this, Hudson Rock's team traced the access to a Turkish computer infected with information-stealing malware in 2023. They also provided evidence that the infected computer belongs to "an employee of Turkish Airlines, and contains 3rd party login credentials details for Airbus." The computer became infected through an attempt to download an unauthorized copy of Microsoft software. Airbus told The Register that it had launched an investigation, stating that an account associated with an Airbus customer had been attacked, but did not confirm the identity of that customer. Furthermore, it has taken follow-up measures to prevent the compromise of its systems.

Dymocks confirms 1.2 million customers' information was shared on the dark web after last week's data breach

In an email sent to customers on Friday, Dymocks confirmed that 1.24 million customers' information was stolen and made available on the dark web, although it stated that investigations are still ongoing. Dymocks also confirmed that the stolen information includes customers' names, birthdates, email addresses, postal addresses, gender, and membership details for Booklovers (such as account status and card ranking). Mark Newman, Dymocks' CEO, also stated that no customer passwords, identification, or highly sensitive information such as payment information or credit card details were published on the dark web. The email also stated that the data breach appears to have occurred through the compromise of an external data partner's systems. Dymocks' customers are urged to remain vigilant against potential fraud and scams.
Cyberport data breached - staff and job applicants' data stolen and leaked

Cyberport, the Hong Kong tech hub, apologized on Thursday after a data breach led to sensitive staff information being offered for sale on the dark web. The files stolen during the mid-August cyberattack included personal data of staff, former employees and job applicants, as well as credit card records. The leaked personal information includes individuals' names, phone numbers or email addresses, identity card numbers, birth dates, social media accounts, academic and bank account details, and health information. Cyberport has begun an investigation into the extent of the data leak and has also pledged to invest the resources needed to strengthen network security. Cyberport CEO Peter Yan King said in a media briefing that the data breach was confined to "some information stored in some parts of some servers" and maintained that there are no system-wide security loopholes and no evidence of human error in the data breach. The cybercriminals reportedly demanded that Cyberport pay US$30,000 for the return of the data by Tuesday, or the data would be sold on the dark web.

Shell: Australian BG Group affected by MOVEit breach

Shell announced on Friday that it had identified a cybersecurity incident involving some employees at Australia's BG Group, the latest company to be affected by the MOVEit breach. Shell identified unauthorized access to some personal information of the affected individuals and has made attempts to notify them. Shell stated that although the compromised data was from 2013, and some of it may be out of date, there is still a risk of identity theft for the impacted individuals, who could also be targeted by phishing campaigns. A person with direct knowledge has said that Shell began informing affected employees in early July.

Rollbar discloses data breach - customer access tokens stolen
Rollbar, a software bug-tracking company, disclosed a data breach after unknown threat actors hacked into its systems in early August and gained access to customer access tokens. Rollbar discovered the breach on 6 September when, reviewing its warehouse logs, it found that a service account had been used to log into the cloud-based bug monitoring platform. Once inside Rollbar's systems, the threat actors searched the company's data for cloud credentials and coin wallets. Rollbar stated that once it became aware of this access, it disabled the service account and started an investigation. The investigation so far has found that the attackers accessed sensitive customer information, including usernames, email addresses, account names, and project information such as environment names and service link configuration. More importantly, customers' project access tokens were stolen. The company has stated that access tokens allowing access to Rollbar project data have expired, and those that allow sending data to an active project will expire in 30 days.

ORBCOMM ransomware attack causes service outage, disrupting trucking fleet management

ORBCOMM, a trucking and fleet management solutions provider, confirmed that a ransomware attack caused recent service outages that prevent trucking companies from managing their fleets. ORBCOMM customers have reported that since 6 September they have been unable to track their transported inventory or use Blue Tree Electronic Logging Devices (ELD), forcing truckers to switch to paper logs. After being contacted by BleepingComputer, ORBCOMM stated that it had experienced a ransomware attack which temporarily impacted its FleetManager platform and BT product line. It also said that all other systems and service offerings are completely operational. However, due to the ongoing investigation, no further information could be shared.
On 15 September, the US Federal Motor Carrier Safety Administration issued a waiver allowing truckers to continue using paper logs until the service is restored, and no later than 29 September.

Ransomware attack exposed Manchester Police officers' personal data

UK Greater Manchester Police (GMP) stated on 14 September that some of its employees' personal information was affected by a ransomware attack on a third-party supplier. The supplier serves GMP and other organizations across the UK. GMP does not believe that the compromised data includes financial information. However, GMP did not provide details on what types of information might have been compromised in this attack.

Data from Academy of Medicine, Singapore leaked on the dark web

The Academy of Medicine, Singapore (AMS) had its servers hit by a ransomware attack, which it discovered on 13 July. Last Sunday (11 September), the personal information of some 50 doctors, including senior figures in the medical fraternity, was put up on the dark web for free. The affected doctors include both locals and foreigners, ranging from the academy's directors to its teachers and students undergoing advanced specialist training in Singapore. The leaked 13.69GB database includes NRIC numbers, home addresses, log-in credentials for AMS' social media accounts, and a list of AMS' staff and their mobile phone numbers. The staff contact list was correct as of May, and there is an earlier version from 2019 in a folder labeled "To be deleted". The folder also contains a 2021 contract which lists the recipient's home address, and 5 letters dated 23 March 2022 showing the recipient's home address. Another folder contains letters from Brunei's Public Service Department outlining the allowances that 7 Bruneian doctors would receive as they undergo specialist training in Singapore.
AMS immediately took its servers offline once it discovered they were compromised. It also immediately started working with cybersecurity and legal experts to review and strengthen its cybersecurity infrastructure while investigations were ongoing. AMS has also alerted the relevant law authorities, and has informed its members and individuals who have had dealings with the academy about the data breach.

EU fines TikTok €345 million over child data breaches

Ireland's Data Protection Commission (DPC) has hit TikTok with a €345 million fine for child data breaches, and has given TikTok 3 months to bring its processing into compliance with the regulations. The DPC began examining TikTok's compliance with the GDPR in relation to platform settings and personal data processing for under-18 users. The DPC also looked at TikTok's age verification measures for people under 13, in which it found no infringement, although it did find that TikTok did not properly assess the risks to younger people registering on the platform. The DPC emphasized in its ruling that when children sign up on TikTok, their accounts are set to public by default, which allows anyone to view or comment on their content. The DPC also criticized TikTok's "family pairing" mode, in which the parent or guardian status was not verified by the platform. In response to the fine, TikTok "respectfully disagrees" with the verdict and is evaluating how to proceed. A TikTok spokesperson said that the DPC's criticisms were focused on settings and features as they were 3 years ago, and that TikTok had made changes long before the investigation began, such as setting all under-16 accounts to private by default. TikTok also insists that it closely monitors the age of its users and takes action when needed: the platform says it deleted almost 17 million accounts globally in the first 3 months of 2023 due to suspicions that they belonged to people under 13.
Associated Press warns that AP Stylebook breach led to phishing attack

The Associated Press warns that an old third-party AP Stylebook site (no longer in use) was breached, allowing 224 customers' data to be stolen and then used to conduct phishing attacks. The stolen data includes customers' names, email addresses, street addresses, city, state, zip code, phone number and user ID. For customers who entered tax-exempt IDs such as Social Security numbers or employer identification numbers, those were stolen as well. Once AP learnt of the phishing attack, it took the old site offline to prevent further attacks. At the end of July, the company started alerting AP Stylebook customers to the phishing attacks, warning about emails that came from '[email protected][.]id' with a subject similar to "Regarding AP Stylebook Order no. 07/20/2023 06:48:20 am". AP also requires all AP Stylebook customers to reset their passwords.

New WiKI-Eve attack steals numerical passwords over WiFi

WiKI-Eve, a new attack, can deduce individual numeric keystrokes with an accuracy rate of up to 90%, enabling attackers to steal numerical passwords by intercepting the cleartext transmissions of smartphones connected to modern WiFi routers. The attack exploits beamforming feedback information (BFI), which allows devices to send feedback about their position to routers so the routers can direct their signals more accurately. Because this data is transmitted in cleartext, it can be intercepted and readily used without needing to crack an encryption key or carry out hardware hacking. This security gap was discovered by a team of university researchers in China and Singapore. What they found:
CISA: Government agencies are to patch security vulnerabilities to secure iPhones against spyware attacks

The U.S. CISA has ordered federal government agencies to patch, by 2 October 2023, security vulnerabilities that are being exploited as part of a zero-click iMessage exploit chain that infects iPhones with NSO Group's Pegasus spyware. This warning comes after Citizen Lab disclosed that the 2 flaws (tracked as CVE-2023-41064 and CVE-2023-41061) were used to compromise fully patched iPhones belonging to a Washington DC-based civil society organization. Citizen Lab also warned Apple customers to apply the emergency updates issued on Thursday immediately, and urged individuals who are susceptible to targeted attacks to enable Lockdown Mode. The list of impacted devices is extensive because the flaws affect both older and newer devices:
Adobe warns of zero-day vulnerability in Acrobat and Reader exploited in attacks

Adobe has released security updates to patch a zero-day vulnerability (tracked as CVE-2023-26369) in Acrobat and Reader that is being exploited in cyberattacks. The vulnerability affects both Windows and macOS systems. Adobe has classified it with its maximum priority rating and strongly recommends that administrators install the update as soon as possible, ideally within a 72-hour window. The affected products and versions are:
Adobe has also addressed further security flaws in Adobe Connect (tracked as CVE-2023-29306 and CVE-2023-29306) and Adobe Experience Manager (tracked as CVE-2023-38214 and CVE-2023-38215). These flaws can be exploited to access cookies, session tokens or other sensitive information stored in victims' web browsers.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
© 2021, TAFA HOLDINGS (S) PTE LTD. ALL RIGHTS RESERVED