Last week, breaches and cyberattacks occurred across several industries, from information services, electronics, media and government to healthcare. In a new turn of events, a ransomware gang has filed an SEC complaint over one of its alleged victims' undisclosed breach. New vulnerabilities and patches have also been found and released; it is highly recommended not only to be aware of them but also to apply the updates when possible.
Read on to receive a quick summary of what happened this week in cybersecurity.

New turn of events: Ransomware gang files SEC complaint against one of its alleged victims over an undisclosed breach.
The ALPHV/BlackCat ransomware gang has filed a U.S. Securities and Exchange Commission (SEC) complaint against one of its alleged victims for not complying with the four-day rule for disclosing a cyberattack. The threat actor listed the software company MeridianLink on its data leak website, threatening to leak the allegedly stolen data unless a ransom was paid. The alleged lack of response from MeridianLink likely prompted the gang to exert more pressure by filing an SEC complaint accusing MeridianLink of not disclosing a cybersecurity incident that impacted "customer data and operational information". The gang published on its site screenshots of the form it filled in and the reply it received from the SEC confirming that the submission was received. Although many ransomware and extortion gangs have threatened to report breaches and data theft to the SEC, this is the first public confirmation that one has done so.

LockBit ransomware exploits Citrix Bleed vulnerability; more than 10,000 servers exposed.
LockBit ransomware attacks exploit the Citrix Bleed vulnerability (CVE-2023-4966) to breach the systems of large organisations, steal data and encrypt files. Although Citrix released a patch for the vulnerability more than a month ago, thousands of internet-exposed endpoints are still running vulnerable appliances, many of them in the U.S. Kevin Beaumont, a threat researcher, has been tracking the attacks against various companies, including the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing. All of them had exposed Citrix servers that were vulnerable to Citrix Bleed.
This was further confirmed by the Wall Street Journal, which obtained an email from the U.S. Treasury stating that LockBit was responsible for the ICBC cyberattack and that it was achieved by exploiting the Citrix Bleed flaw. As of 14 November, Yutaka Sejiyama, a threat researcher, found that more than 10,400 Citrix servers were still vulnerable to CVE-2023-4966, including servers in large and critical organisations, all of which remained unpatched over a full month after the disclosure of the critical flaw.

Truepill, a pharmacy provider, suffers data breach impacting 2.3 million customers.
Postmeds, which does business as Truepill, a B2B-focused pharmacy platform, is sending notifications to the people affected by a data breach that allowed threat actors to access their sensitive personal information. According to the US Department of Health and Human Services Office for Civil Rights breach portal, the incident impacted 2,364,359 people. The data types that may have been accessed include full name, medication type, demographic information and the name of the prescribing physician. The notice clarified that social security numbers were not exposed. Postmeds is under legal fire as multiple class action lawsuits are being prepared across the country, arguing that the breach would have been prevented if Postmeds had security that complied with industry guidelines, specifically by encrypting sensitive healthcare information stored on its servers.

Samsung Electronics data breach affects UK store customers.
The Samsung Electronics data breach only impacted customers who made purchases from the Samsung UK online store between 1 July 2019 and 30 June 2020. The company is notifying customers of the data breach that exposed their personal information. Samsung discovered the breach on 13 November and determined that it occurred through the exploitation of a vulnerability in a third-party application the company used.
The notification to impacted customers states that the exposed data may include names, phone numbers, postal addresses and email addresses. Samsung emphasised that no credentials or financial information (such as credit card details or customer passwords) were affected by the breach. Representatives told BleepingComputer that the company had taken all necessary steps to address the security issue and that the incident had been reported to the UK's Information Commissioner's Office.

Nearly 9 million health records compromised in a cyberattack against a medical transcription service provider.
A cyberattack against Perry Johnson & Associates (PJ&A) has compromised the personal and health information of 8,952,212 Americans, the second-largest breach of U.S. health-related data this year. PJ&A began writing to affected individuals on 31 October, advising them that its systems were breached between 27 March and 2 May, with the hackers gaining access to personal health information between 7 April and 19 April. However, the scale of the attack was only revealed when PJ&A notified the Department of Health and Human Services this week. The compromised information includes patients' names, birth dates, addresses, medical record numbers, hospital account numbers, their diagnosis when admitted for care, and the dates and times they received treatment. Other data that may have been exposed includes social security numbers, insurance details, and clinical information from medical transcription files (e.g. test results, medications, names of treatment facilities and healthcare providers). The company emphasised that no credit card or bank account information, usernames or passwords were compromised.

Philippine Center for Investigative Journalism (PCIJ) website goes offline after cyberattack.
An active hacking attack on PCIJ's website forced the organisation to take the site down temporarily so it could assess and prevent further damage, stated Executive Director Carmela Fonbuena. The National Union of Journalists of the Philippines (NUJP) called this the "most serious" attack against the PCIJ in recent years, adding that the hackers' intention was to make the website, which specialises in investigative reporting, inaccessible. Fonbuena added that they are taking steps to protect their infrastructure and archives.

Long Beach, California shuts down portions of its IT network after a cyberattack.
The Californian City of Long Beach has shut down portions of its IT network after a cyberattack to prevent the attack spreading to other devices. The City stated that the systems are anticipated to be offline for upwards of several days. It has engaged a cybersecurity firm to investigate the incident and notified the FBI. While some of the City's online services remained unavailable through the weekend, emergency services were unaffected. As of now, it is unclear what type of cyberattack occurred and whether data was stolen.

Toyota confirms breach after the Medusa ransomware gang claims the attack.
Toyota Financial Services (TFS) confirmed that it detected unauthorised access on some of its systems in Europe and Africa after the Medusa ransomware gang listed TFS on its data leak site and demanded a ransom payment of $8 million to delete the allegedly stolen data. The gang has given Toyota 10 days to respond, with an option to extend the deadline for $10,000 per day. As evidence that data was exfiltrated, the hackers published sample data that includes financial documents, spreadsheets, purchase invoices, hashed account passwords, cleartext user IDs and passwords, agreements, passport scans, internal organisation charts, financial performance reports, staff email addresses and more. Most of the documents are in German.
This indicates that the attackers managed to access systems serving Toyota's operations in Central Europe. TFS took several systems offline to investigate the breach and reduce further risk. A TFS spokesperson also told BleepingComputer that the process of bringing systems back online is already underway in most countries.

Toronto Public Library confirms personal data stolen during a ransomware attack.
The Toronto Public Library (TPL) confirmed that the personal information of employees, volunteers, donors and customers was stolen from a compromised file server during the October ransomware attack. The file server holds data on TPL and Toronto Public Library Foundation (TPLF) employees going back to 1998. Information possibly stolen includes names, social insurance numbers, birth dates, home addresses, and possibly copies of government-issued identification documents provided to TPL by staff. TPL has not disclosed the type of customer data stolen or how many people have been affected by the breach. TPL stated that it did not pay the ransom and has reported the breach to the relevant authorities. A photo of a ransom note displayed on a TPL workstation showed that the Black Basta ransomware gang was behind the attack, which had disrupted numerous services by the morning after it began. TPL's email services were minimally impacted and the library's phone systems were not affected. TPL's primary servers, which house sensitive data, were also not encrypted, which suggests that the ransomware gang did not have full access to TPL's networks and data. As a precautionary measure, however, TPL shut down all other internal systems after the attack was detected.

Ascentis, a loyalty marketing agency, fined S$10,000 over Starbucks Singapore data leak.
Ascentis, the developer of an e-commerce platform owned by Starbucks Singapore, has been fined S$10,000 over a data breach that resulted in the personal data of 332,774 Starbucks Singapore customers being put up for sale on a dark web forum. The leaked personal data included names, physical addresses, email addresses, telephone numbers, birth dates, membership details relating to the loyalty programme, and last login dates to the platform. The Personal Data Protection Commission (PDPC) said in its judgement that Ascentis failed to disable an ex-employee's admin account after he left, and that the account was not protected with a sufficiently complex password. Furthermore, the company did not assign admin account rights only to the employees who needed them, and did not implement multi-factor authentication, two data protection practices that could have prevented the breach. In determining the financial penalty, the PDPC noted that Ascentis cooperated with investigations, took prompt remedial action, had not breached the Personal Data Protection Act before, and voluntarily accepted responsibility for the incident.

Yamaha Motor Philippines ransomware attack: stolen employee personal information leaked.
Yamaha Motor Philippines (YMPH) was hit by a ransomware attack that led to some of its employees' personal information being stolen and leaked. The company has been investigating the incident with external security experts and is working on countermeasures and recovery measures to prevent further damage. Yamaha stated that the ransomware gang only breached a server at YMPH, and that the attack did not impact the headquarters or any other subsidiaries within the Yamaha Motor group. The company has also reported the attack to the relevant authorities. The INC Ransom gang has claimed the attack and leaked what it claims is data stolen from YMPH's network.
On its dark web leak site, the gang published multiple file archives totalling roughly 37GB of allegedly stolen data, containing employee ID information, backup files, and corporate and sales information, among others.

British Library confirms a ransomware attack behind ongoing major outage.
The British Library has confirmed that a ransomware attack is behind the ongoing major outage affecting services across several locations. The library stated that it has taken protective measures to ensure the integrity of its systems and is currently undertaking a forensic investigation into the attack. Although the attackers deployed ransomware payloads on its systems on 29 October, the IT outage continues to affect its website, online systems, services and certain onsite facilities, including the Reading Rooms. The library expects that many of its services will be restored within the coming weeks, but some disruptions might persist for an extended period. Reader Registration is available onsite, but the library can issue only temporary passes with limited access to facilities and collection items, depending on whether you are a lapsed or a new Reader. The Business and IP Centre (BIPC) in St Pancras also operates under regular hours to provide business support, but onsite digital services are currently unavailable.

Bloomberg Crypto used in phishing attack: Discord credentials stolen.
The official Twitter account for Bloomberg Crypto was used on 17 November to redirect users to a deceptive website that stole users' Discord credentials. The profile contained a link to a Telegram channel that pushes visitors to join a fake Bloomberg Discord server with 33,968 members. According to ZachXBT, a scammer seized the old Telegram username (@BloombergNewsCryto) during the transition and used it as part of a phishing attack. On entering the Discord server, a bot prompts visitors to use AltDentifier, a Discord verification bot.
However, the link points to a deceptive page using an altered domain name (altdentifers) with an extra 's' appended to the original domain name (altdentifer.com). This phishing website is used to steal visitors' Discord login credentials. The malicious link was removed from the Bloomberg Crypto Twitter account 30 minutes after ZachXBT's initial tweet.

WP Fastest Cache plugin vulnerability exposes 600,000 WordPress sites to attacks.
The WordPress plugin WP Fastest Cache is affected by an SQL injection vulnerability (tracked as CVE-2023-6063) that allows unauthenticated attackers to retrieve private information or achieve command execution. More than 600,000 websites still run the vulnerable version of the plugin and are exposed to potential attacks. A fix has been made available by the WP Fastest Cache developer in version 1.2.2. All users of the plugin are highly recommended to upgrade to the latest version as soon as possible.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
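The WP Fastest Cache item above reports an SQL injection bug without showing the mechanism behind that vulnerability class. The following is an added example, not the plugin's code and not part of the original post: it uses Python's sqlite3 module and a constructed two-row users table to show why splicing untrusted input into query text lets a crafted value change the query's meaning, and why passing the same value as a bound parameter does not. The table layout, the column names and the two lookup functions are assumptions made for illustration only.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a minimal table of the kind a plugin
    might consult when resolving a visitor to a stored record."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, "
        "email TEXT, user_pass TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (login, email, user_pass) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.invalid", "$P$constructed-hash-alice"),
            ("bob", "bob@example.invalid", "$P$constructed-hash-bob"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, login: str) -> list:
    """Injection-prone pattern: the untrusted value is pasted into the SQL
    text, so quotes inside it become part of the query's grammar."""
    sql = f"SELECT login, email FROM users WHERE login = '{login}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, login: str) -> list:
    """Fixed pattern: the value travels as a bound parameter. The query
    structure is fixed before the value is seen, so the same string is
    only ever compared as a literal login name."""
    sql = "SELECT login, email FROM users WHERE login = ?"
    return conn.execute(sql, (login,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal login and with a classic quote-
    breaking value, and return the rows each variant hands back."""
    conn = build_db()
    crafted = "x' OR '1'='1"  # constructed test input, not a real request
    return {
        "vuln_normal": lookup_vulnerable(conn, "alice"),
        "vuln_crafted": lookup_vulnerable(conn, crafted),  # leaks every row
        "safe_normal": lookup_hardened(conn, "alice"),
        "safe_crafted": lookup_hardened(conn, crafted),    # matches nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Parameter binding is the standard fix for this vulnerability class; the example shows the concrete difference it makes, since the hardened lookup returns no rows for the crafted string while the vulnerable one returns the whole table. The same discipline applies to WordPress code through `$wpdb->prepare()`, which is why patched plugin versions, rather than input filtering alone, are the reliable remedy.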
© 2021, TAFA HOLDINGS (S) PTE LTD. ALL RIGHTS RESERVED