Author: TAFA
April 2024
Last week, breaches and cyberattacks hit several industries: software, semiconductors, geospatial intelligence, consumer discretionary, gaming, telecom providers, smoke alarms, healthcare and the public sector. Devastating consequences have also come to light from earlier data breaches and attacks, such as the Change Healthcare ransomware attack that cost UnitedHealth $872 million. Furthermore, new vulnerabilities and patches have been found and released. It is highly recommended not only to be aware of them but also to apply the patches as soon as possible.
Read on for a quick summary of what happened this week in cybersecurity.

Cisco's Duo Multi-Factor Authentication (MFA) service breached

A third-party telephony service provider for Cisco's Duo MFA service has been compromised by a social engineering attack. Cisco Duo customers have been sent a notice to be on alert for phishing attacks. In the notice, the company explained that the third-party provider that handled SMS and VOIP MFA messaging traffic for Duo was breached on 1 April 2024. Reportedly, the threat actors used compromised employee credentials for the attack and, once inside the service provider's systems, downloaded SMS logs for specific users within a certain time frame. According to Cisco's customer advisory, the attacker downloaded message logs for SMS messages sent to certain users under their Duo account between 1 March and 31 March 2024. The compromised information includes customers' phone numbers, phone carrier, the country and state to which each message was sent, and other metadata such as the date, time and type of each message. However, no message content was compromised. Cisco Duo did not identify the breached telephony provider in its advisory. Cisco advised impacted customers to notify anyone whose information was exposed and to remain vigilant against phishing attacks.

Nexperia, a Dutch chipmaker, confirms a data breach after a ransomware gang leaks stolen data

In a press statement on Friday, Nexperia disclosed that attackers managed to breach some of its IT servers in March 2024, forcing it to shut down the affected IT systems to contain the incident and implement extensive mitigations. Nexperia confirmed the incident after the Dunghill ransomware group claimed to have stolen 1 TB of confidential data and leaked a sample of the allegedly stolen files on 10 April 2024.
The threat actors published images of microscope scans of electronic components, employee passports, non-disclosure agreements and various other samples. However, Nexperia has not confirmed the authenticity of the allegedly stolen data. Dunghill claims that it plans to leak 371GB of design and product data, 246GB of engineering data, 96GB of commercial and marketing data, 41.5GB of corporate data, 109GB of client and user data, and 121.1GB of various files and miscellaneous data if the ransom demand is not paid. Nexperia has launched an investigation with the support of third-party experts to determine the nature and scope of the incident and to implement strong measures to prevent it from recurring. Nexperia has also reported the incident to the relevant authorities.

UN investigating a ransomware attack that led to data theft

In a statement published on Tuesday, the United Nations Development Programme (UNDP) disclosed that it had received a threat intelligence notification that a threat actor had hacked into its local IT infrastructure in UN City, Copenhagen, in late March. The stolen data included certain human resources and procurement information. The UN agency stated that actions were immediately taken to identify the source, contain the affected server, and determine the specifics of the exposed data and the individuals impacted by the attack. Although the UN agency did not name the threat group, the 8Base ransomware gang added a new UNDP entry to its data leak website on 27 March. The attackers stated that they exfiltrated large amounts of sensitive information, including personal data, accounting data, certificates, employment contracts, confidentiality agreements, invoices, receipts and more.

Space-Eyes data breach exposes sensitive data from critical US government agencies
IntelBroker, a threat actor, has claimed to have breached Space-Eyes, a geospatial intelligence firm that works exclusively with US government agencies, including the Department of Justice, the Department of Homeland Security, various branches of the US Armed Forces, and intelligence bodies such as the National Geospatial-Intelligence Agency. The breach has allegedly compromised the firm's digital infrastructure, which could expose US national security data. IntelBroker claimed it took only 10-15 minutes to access the sensitive data on Space-Eyes' systems.

Singapore's Ministry of Education (MOE): a third-party data breach has compromised the personal data of parents and staff at 127 schools

A data breach at one of MOE's vendors has resulted in the names and email addresses of parents and staff from 5 primary schools and 122 secondary schools being compromised. MOE stated that it was notified by Mobile Guardian, a device management app installed on the personal learning devices used by students, that its user management portal was breached on Wednesday, with the incident occurring at the company's headquarters in Surrey, UK. As Mobile Guardian's management portal was used for administrative purposes, users' names, email addresses, time zones, school names and whether the user was a parent or school staff were accessed. MOE also stated that its own device management app was not affected by the breach, as it is separate from Mobile Guardian's user management portal. The Ministry has said that all affected parties have been informed of the breach and recommended that victims be vigilant against phishing emails. The Ministry has also expressed its concerns to Mobile Guardian and lodged a police report. Mobile Guardian has implemented further security measures in response to the incident, such as locking down all administrative accounts, and has apologised for the breach.
A hospital in France had to postpone procedures after a cyberattack

The Hospital Simone Veil in Cannes (CHC-SV) announced on Tuesday that it had been hit by a cyberattack, which severely impacted its operations. CHC-SV is an important medical establishment in France, particularly in the Cannes region. The hospital was forced to take all its computers offline earlier this week and had only its telephone systems available for communication. The hospital did not disclose many details but stated that it has not received any ransom demand. Investigations are under way. Although all its units continue to operate, all record keeping has reverted to pen and paper, and some patients had to be diverted to other nearby hospitals. Furthermore, roughly 30% of all non-urgent surgical procedures scheduled this week were cancelled, and many non-urgent consultations were rescheduled for later. The hospital stated that its priority now is to restart the patient care systems that hold test results and patient records; however, this depends on the progress of the technical investigations, which could take a long time.

Atlantic fisheries body confirms data theft after 8Base ransomware gang claims breach

The Atlantic States Marine Fisheries Commission (ASMFC) disclosed that its email systems were down and that it was forced to set up a temporary email address and phone number. Tina Berger, director of communications for ASMFC, stated that the commission is responding to a cyber incident affecting its systems, but did not confirm whether it was a ransomware attack. On Monday, the 8Base ransomware gang added ASMFC to its data leak site and gave officials 4 days to meet its ransom demand. The gang claimed to have stolen invoices, personal data, contracts and more.

Home Depot suffers a third-party breach: 10,000 employees' personal information leaked
Home Depot has disclosed that a breach at a third-party SaaS vendor resulted in a subset of employee data being leaked. The incident came to light when IntelBroker, a known threat actor, claimed to have stolen the personal information of 10,000 Home Depot employees. A Home Depot spokesperson confirmed that the Atlanta, Georgia-based company has suffered a data breach. The exposed personal information includes employees' names, work email addresses, and user IDs that were used during testing of their systems. Home Depot did not disclose the identity of the breached vendor, and it is unclear whether Home Depot or the external vendor has notified the impacted individuals about the breach.

Frontier Communications, a telecom provider, suffers a cyberattack: forced to shut down systems, causing operational disruption

Frontier Communications, a leading American telecommunications provider, was forced to partially shut down some of its systems during a cyberattack to prevent the threat actors from moving laterally through the network. This resulted in some operational disruption. Despite the response, Frontier has stated that the attackers were able to access some personally identifiable information. Frontier believes it has contained the breach, has since restored the affected core IT systems, and is working on restoring normal business operations. Despite the company's assurances, many customers have reported that their Internet connection has been down and that the support phone numbers play pre-recorded messages instead of connecting to a human operator. In its SEC filing, Frontier stated that it is investigating the incident with cybersecurity experts and has notified the relevant authorities.

Void Interactive suffers a massive data breach: over 4TB of data stolen, including full source code
Void Interactive, the developer of Ready or Not, has suffered a massive data breach in which over 4TB of data, comprising more than 2.1 million files, was stolen. The ransomware group announced in March that it had accessed Void Interactive's data. However, Void Interactive has not announced any breach or concern regarding Ready or Not. Insider Gaming has been shown the contents of the stolen data, which include all of the Ready or Not source code, code for what appear to be console builds of the game, and the results of various performance tests. Insider Gaming was also shown images of the game running on a PlayStation 4 test kit. There was also build data for Xbox One, Xbox Series X|S and PlayStation 5. Fortunately, it appears that the personal information of players and staff has not been compromised, and the stolen data seems to be centred on the game itself.

Smoke Alarm Solutions, an Australian smoke alarm company, suffers a data breach

One of Australia's largest smoke alarm companies, Smoke Alarm Solutions, left 762,856 documents, totalling 107GB of sensitive customer information, exposed online in a non-password-protected database for nearly 3 months. The files included more than 355,000 detailed invoice records from 2021-2024, records of inspections, estimates, compliance reports, electrical safety inspections, service quotes and service reports. Furthermore, nearly 25,000 additional documents marked as "on-site quotes" contained the names and email addresses of the business, agent or individual obtaining the quote. Cybersecurity researchers have warned that this sensitive customer information was "very likely" accessed by malicious actors. Mr Fowler, in a report on the incident, stated that the exposure was "perfect timing", as it came days after Australia's consumer watchdog warned of a surge in fake invoice scams that have cost Australians more than $16 million.
It is likely that the threat actors accessed this sensitive customer data for use in scams and phishing attempts.

UnitedHealth reports that the Change Healthcare ransomware attack cost $872 million

UnitedHealth Group reported that the February ransomware attack cost it $872 million in its Q1 earnings. This total includes $593 million in direct cyberattack response costs and $279 million due to business disruption. The company is still working to mitigate the attack's impact on its consumers and care providers, while expanding financial assistance to affected providers. This report comes 1 day after the RansomHub extortion gang started leaking documents that allegedly contain patient and corporate data stolen from Change Healthcare's compromised systems. The threat actors also warned that UnitedHealth has 5 days to pay the ransom to stop the data from being sold.

Forminator WordPress plugin vulnerability affects over 300,000 sites

The Forminator WordPress plugin has a critical vulnerability (CVE-2024-29980) that allows malicious actors to perform unrestricted file uploads to the server. Site admins who use this plugin are strongly advised to upgrade as soon as possible to the latest version, 1.29.3, which addresses this vulnerability. Since the release of the security update on 8 April 2024, roughly 180,000 site admins have downloaded the plugin. However, this means that around 320,000 sites remain vulnerable to attacks.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
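One practical follow-up to the Forminator advisory above: an added Python script (not from the original post) that reads the JSON emitted by WP-CLI's `wp plugin list --format=json` for a fleet of sites and flags every site still running Forminator below 1.29.3, the version the advisory names as the fix for CVE-2024-29980. The site inventories in the block are constructed samples, not real sites.

```python
"""Flag WordPress sites still running a Forminator build affected by
CVE-2024-29980 (fixed in 1.29.3) from `wp plugin list --format=json` output.
Added example, not part of the original post; inventories below are constructed."""
import json
from typing import Dict, List, Tuple

FIXED_FORMINATOR = "1.29.3"   # version named in the advisory as addressing the flaw


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.29.3' into (1, 29, 3); a non-numeric tail such as '3-beta' keeps its digits."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def needs_update(installed: str, fixed: str = FIXED_FORMINATOR) -> bool:
    """True when the installed version is older than the fixed version."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    # pad with zeros so that '1.29' compares as 1.29.0
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def vulnerable_sites(inventory: Dict[str, str]) -> List[str]:
    """inventory maps site name -> JSON text from `wp plugin list --format=json`.
    A site is flagged when Forminator is present below 1.29.3, active or not:
    an inactive plugin still leaves the old code on disk."""
    flagged = []
    for site, plugins_json in inventory.items():
        for plugin in json.loads(plugins_json):
            if plugin.get("name") == "forminator" and needs_update(plugin.get("version", "0")):
                flagged.append(site)
    return flagged


# Constructed sample inventories (hypothetical hosts, not real sites).
SAMPLE_INVENTORY = {
    "shop.example": '[{"name":"forminator","status":"active","version":"1.29.2"}]',
    "blog.example": '[{"name":"forminator","status":"inactive","version":"1.28.0"}]',
    "docs.example": '[{"name":"forminator","status":"active","version":"1.29.3"}]',
    "www.example":  '[{"name":"akismet","status":"active","version":"5.3.1"}]',
}

if __name__ == "__main__":
    for site in vulnerable_sites(SAMPLE_INVENTORY):
        print(f"{site}: Forminator below {FIXED_FORMINATOR}, update now")
```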