Last week, more data breaches occurred across several industries, including the public, healthcare and telecommunications sectors. There were also new phishing campaigns, class-action lawsuits, and newly disclosed vulnerabilities and patches. Read on for a quick summary of what happened this week in cybersecurity.

ShopBack fined S$74,000 due to the leak of more than 1.4 million customers’ personal data

ShopBack, a Singapore online cashback portal, has been fined S$74,400 (US$54,600) by Singapore’s cybersecurity agency, the Personal Data Protection Commission (PDPC), over a data leak that affected more than 1.4 million of its customers. The compromised personal data included names, email addresses, mobile numbers, bank account numbers and partial credit card information. The attackers got into ShopBack’s servers and extracted the data using an access key with full administrative privileges, which had sat in a private repository on GitHub for 15 months.

Discord.io exposed more than 760,000 users’ personal data

Discord.io, a custom invite service for Discord, has suffered a data breach that exposed the personal data of more than 760,000 users. The breach was discovered on 14 August, after a database containing Discord.io users’ personal information was put up for sale on the dark web; Discord.io confirmed that the database was genuine. Discord.io has shut down all operations and services and has launched an investigation into the breach. According to the latest update, the investigation found that the attacker gained access to the database through a vulnerability in the website’s code. The site stated that, to ensure the incident cannot recur, it will completely rewrite the website’s code and overhaul its security practices. The leaked data is extensive and includes both sensitive and non-sensitive information. The potentially sensitive information includes usernames, Discord IDs, email addresses, billing addresses (from before the site started using the secure payment service Stripe), and salted and hashed passwords. The non-sensitive information includes internal user IDs, user avatar information, user status, user coin balance, user API keys, user registration data, last payment data and the expiration date of premium memberships. Discord is not affiliated with Discord.io, but it has revoked the OAuth tokens of every Discord user who used Discord.io, recommended that users enable two-factor authentication to protect their accounts, and suggested setting up SMS authentication.

UK police data breach exposed victims’ information

The UK’s Norfolk and Suffolk police constabularies have disclosed the exposure of 1,230 individuals’ personal information, including that of victims of crime, witnesses and suspects. The data also included descriptions of offences such as domestic incidents, sexual offences, assaults, thefts and hate crimes. According to the official statement, a technical issue caused some raw data belonging to the constabularies to be included in the files produced in response to the Freedom of Information (FOI) requests in question. The statement adds that although the data was hidden from those who opened the files, it should not have been included in the first place. The constabularies have started contacting the affected individuals, by letter, phone and/or face-to-face, depending on the type of information involved and the support required.

Large QR code phishing campaign targeted a major energy organization

Cofense has observed a large phishing campaign that uses QR codes to target the Microsoft credentials of users across a wide range of industries, including manufacturing, insurance, technology and financial services. The most notable target was a “major Energy company based in the US”, which received about 29% of the more than 1,000 emails carrying malicious QR codes. Most of the QR codes lead to phishing links or redirects, the majority of them Bing redirect URLs. The FBI warned last year that cybercriminals are using QR code scans to send victims to malicious sites that steal their data, to plant malware that gives access to their devices, and to redirect payments to the criminals.

CISA warns of the exploitation of a new file transfer bug in Citrix ShareFile

CISA, the U.S. government’s cybersecurity agency, warned that cybercriminals are exploiting a newly discovered vulnerability (CVE-2023-24489) in Citrix ShareFile, an enterprise file transfer product. The flaw carries a severity rating of 9.8 out of 10 and could allow an unauthenticated attacker to remotely compromise customer-managed Citrix ShareFile storage zones controllers, with no password needed. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warned that it poses a “significant risk to the federal enterprise”, and required federal civilian executive branch agencies to apply the vendor patches by 6 September. GreyNoise reported a “significant spike” in attacker activity since CISA’s publication of the flaw. Applying the vendor patch as soon as possible is strongly recommended.

Colorado: more than 4 million people’s personal information impacted by IBM MOVEit breach

The Colorado Department of Health Care Policy & Financing (HCPF) states that the personal and health information of 4,091,794 individuals was impacted by the IBM MOVEit breach. HCPF clarified that its own systems were not directly compromised; the data was exposed through its contractor, IBM, which used the MOVEit software. The investigation revealed that the attackers accessed, and likely stole, files containing certain Health First Colorado and CHP+ members’ information. This includes full names, Social Security numbers, Medicaid ID numbers, Medicare ID numbers, dates of birth, home addresses, contact information, income information, demographic data, clinical data (diagnoses, lab results, treatment, medication) and health insurance information. This is dangerous because such information can be used to mount convincing phishing or social engineering attacks, which in turn support identity or bank fraud. HCPF will provide those impacted with two years of credit monitoring services to help counter any fraud attempts.

Multiple class-action lawsuits filed after MOVEit data breach

Attorneys at the consumer-rights law firm Hagens Berman have filed five nationwide class-action lawsuits against Progress Software and other organizations for compromising the personal information of an estimated 40 million people. The compromised information included contact information, dates of birth, Social Security numbers, pension information, billing data, banking information and medical records. The firm intends to file additional complaints against other co-defendants involved in the breach. According to the firm, the full set of involved parties is still coming to light, and those affected will be notified by mailed letters detailing the MOVEit data breach.

Advocate Aurora Health to pay US$12.25 million to settle web tracker claims

According to a preliminary settlement plan filed in Wisconsin federal court, Advocate Aurora Health has agreed to pay US$12.25 million to settle consolidated class-action claims that the Illinois-based hospital chain invaded patient privacy by using tracking code on its websites and patient portal. The consolidated lawsuit was filed after the disclosure of a web-tracker-related HIPAA breach affecting 3 million individuals. In its breach report, the organization stated that it had embedded tracking technologies, including Meta Pixel, Google Analytics and other third-party tools, in its website, patient portal and some scheduling apps to “better understand patient needs and preferences”. Patients’ personal or health information was, however, disclosed to those tools without their consent or knowledge. Since then, the organization has disabled or removed the tracking tools from its websites, app and patient portal. The settlement is subject to the court’s final approval, for which no hearing date has yet been set.

LinkedIn accounts targeted in a widespread hijacking campaign

LinkedIn accounts are being targeted by a widespread account hijacking campaign that has left many accounts either locked out for security reasons or taken over by the attackers. Cyberint reported that many LinkedIn users have been complaining about takeovers or lockouts and about the inability of LinkedIn support to resolve them; users have been frustrated by the lack of response and by LinkedIn Support being unable to help recover breached accounts. Some users have even been pressured to pay a ransom to get their account back, under threat of having it deleted. The scale of the campaign is visible in Google Trends, where searches for LinkedIn account hacks or recovery have risen by over 5,000% in the past few months. The attacker appears to use leaked credentials or brute force to take control of a large number of accounts. For accounts protected by strong passwords and/or two-factor authentication, the repeated takeover attempts trigger a temporary lock imposed by the platform as a protective measure; those users then have to verify ownership by providing additional information and update their passwords before they are allowed to sign back in. When the attackers do succeed, they replace the account’s email address with one from the “rambler.ru” service and then change the password, locking the original owner out. In some cases they demand a small ransom; in others the account is simply deleted without any demand.

U.S. real estate property listings disrupted by ransomware attack

Multiple listing services hosted by Rapattoni have been disrupted by an apparent ransomware attack, which has interrupted property listings nationwide and left real estate agents unable to list or update property information. With multiple regional MLS providers no longer able to run many of their processes automatically, many have reverted to manual processes. Cincy MLS, which supports 7,500 real estate agents in Cincinnati, has created a Facebook page for agents to share listing information manually. House listing apps such as Zillow have also been affected and are forced to input data manually. The attack occurred on 8 Aug, and as of last Tuesday afternoon Rapattoni’s production system remained offline. The company has not yet stated whether it was hit by ransomware.

Cybercriminals use VPN provider’s certificate to sign malware

Bronze Starlight, a China-aligned advanced persistent threat (APT) group, was discovered by SentinelLabs targeting the Southeast Asian gambling industry with malware signed using a valid certificate from the Ivacy VPN provider. A valid certificate lets the malware bypass security measures, avoid raising system alerts, and blend in with legitimate software and traffic. The certificate belongs to PMG PTE LTD, a Singaporean vendor of the VPN product ‘Ivacy VPN’. SentinelLabs stated that VPN providers are critical targets as they “enable threat actors to potentially gain access to sensitive user data and communications”.
DigiCert revoked and invalidated the certificate in early June 2023, as it breached the “Baseline Requirements” guidelines.

Play ransomware group targeting Managed Service Providers

The Adlumin Threat Research team has discovered a concerning global campaign using Play ransomware. The Play ransomware group is targeting security managed service providers (MSPs) to gain initial access. Its targets are midsize financial, software, legal and logistics companies in the U.S., Australia, the United Kingdom and Italy. The director of Adlumin stated that the attack is hard for defenders to detect because it initially appears to be legitimate administrative access, which often gives the attackers free rein over the target’s network and IT assets. Furthermore, the group uses intermittent encryption to avoid setting off defenses that look for whole-file modifications.
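The intermittent-encryption evasion mentioned in the Play item is worth seeing concretely. The Python below is an added example written for this summary, not code from Adlumin or from the page: it builds constructed sample files (a plaintext report, the same file with every fourth 4 KiB chunk overwritten by seeded random bytes standing in for ciphertext, and a fully overwritten copy) and shows why a single whole-file entropy check misses the partially encrypted file while a per-chunk scan catches it. The 4 KiB chunk size, the 7.5 bits/byte threshold and the function names are assumptions, not values from the report.

```python
import math
import random
from collections import Counter

# Assumed tuning values (not from the page): scan in 4 KiB chunks and treat
# anything at or above 7.5 bits/byte as encrypted- or compressed-looking.
CHUNK_SIZE = 4096
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given data; uniform random bytes approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def whole_file_looks_encrypted(data: bytes, threshold: float = HIGH_ENTROPY) -> bool:
    """The check intermittent encryption is designed to slip past: a single
    entropy measurement over the entire file."""
    return shannon_entropy(data) >= threshold


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size slice of the file."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE,
             threshold: float = HIGH_ENTROPY) -> str:
    """Return 'plaintext', 'fully-encrypted' or 'partially-encrypted'.

    A mix of high- and low-entropy chunks is the signature of intermittent
    encryption: the whole-file average stays below the threshold while
    individual chunks are clearly ciphertext-like.
    """
    flags = [e >= threshold for e in chunk_entropies(data, chunk_size)]
    if not flags or not any(flags):
        return "plaintext"
    if all(flags):
        return "fully-encrypted"
    return "partially-encrypted"


def random_bytes(rng: random.Random, n: int) -> bytes:
    """Deterministic stand-in for ciphertext (seeded PRNG, constructed sample)."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_samples() -> dict:
    """Constructed sample files: a plaintext report, the same file with every
    fourth chunk overwritten (mimicking intermittent encryption), and a fully
    overwritten copy. None of this is real victim data."""
    rng = random.Random(1)
    plaintext = b"Quarterly invoice summary for client account 0042.\n" * 2000
    partial = bytearray(plaintext)
    for start in range(0, len(partial), 4 * CHUNK_SIZE):
        end = min(start + CHUNK_SIZE, len(partial))   # keep the length unchanged
        partial[start:end] = random_bytes(rng, end - start)
    full = random_bytes(rng, len(plaintext))
    return {"plaintext": plaintext, "partial": bytes(partial), "full": full}


if __name__ == "__main__":
    for name, data in build_samples().items():
        verdict = "encrypted" if whole_file_looks_encrypted(data) else "clean"
        print(f"{name:10s} whole-file={shannon_entropy(data):.2f} bits/byte "
              f"whole-file-check={verdict} chunk-scan={classify(data)}")
```

Run directly, it prints one line per sample; the partially encrypted file passes the whole-file check as "clean" but is flagged by the chunk scan. On a real endpoint the same per-chunk measurement would be applied to recently modified files, and the threshold needs tuning for compressed formats (archives, images, media), which legitimately sit near 8 bits/byte in every chunk and would otherwise read as "fully-encrypted".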
© 2021, TAFA HOLDINGS (S) PTE LTD. ALL RIGHTS RESERVED