Last week saw data breaches and ransomware attacks across a range of industries and countries, resulting in data leaks from multiple organizations, with more victims of the MOVEit theft attack being added to the list. New ransomware operations and new vulnerabilities were found, and important patches were released. Governments in several countries have also been taking action to protect their citizens against cybersecurity risks.

Read on for a quick summary of what happened this week in cybersecurity.

VirusTotal data leak affects 5,600 customers

VirusTotal apologized on Friday for leaking the information of over 5,600 customers after an employee mistakenly uploaded a 313KB CSV file containing customer information to the platform last month. The leak only affected Premium account customers; the leaked file contained their names and corporate email addresses. Those impacted include, but are not limited to, official U.S. entities and government agencies in Germany, the Netherlands, Taiwan and the United Kingdom. The file contained information on employees of national authorities and large corporations such as Allianz, BMW, Deutsche Telekom and Bundesbank. VirusTotal stated that the leak was the result of human error and not of a cyberattack or a vulnerability in VirusTotal. The leaked file was only accessible to VirusTotal partners and cybersecurity analysts with a Premium account on the platform, so anonymous or free accounts could not access it.

Roblox data leak: 4,000 developer profiles and personal information made public

Roblox, the massive gaming platform, has suffered a major data breach that leaked the personal information of attendees of the Roblox Developer Conference between 2017 and 2020. The exposed data included the names, phone numbers, email addresses, birth dates and physical addresses of almost 4,000 developers. According to the website Have I Been Pwned, the original breach occurred on 18 December 2020 but only came to light on 18 July 2023, with a total of 3,943 accounts compromised. The site notes that the leaked data even included each individual's t-shirt size. Roblox has stated that it has begun an investigation and engaged independent experts to support it. It has also said it will be vigilant in monitoring and vetting the cybersecurity posture of Roblox and its third-party vendors.

Estee Lauder breached: 2 ransomware groups claim responsibility

Estee Lauder disclosed on 18 July that it had suffered a cybersecurity incident in which unauthorized groups gained access to some of its systems and obtained data. Estee Lauder has started an investigation with third-party cybersecurity experts and is still assessing the nature and scope of the data compromised. 2 ransomware groups have claimed responsibility for the attack. The first is the Clop ransomware group, which claims to have stolen 131GB of data and archives via the MOVEit theft attack, which has impacted more than 400 organizations worldwide. The second is the BlackCat/ALPHV ransomware gang, which on 18 July claimed that it still had access to the company's systems despite Microsoft and Mandiant being brought in for incident response. The gang has also threatened to reveal more about the stolen data unless the cosmetics giant responds.

Sophos impersonated by new SophosEncrypt ransomware

Sophos, a cybersecurity vendor, is being impersonated by SophosEncrypt, a new ransomware-as-a-service whose operators use the company's name for their operation. It was discovered by MalwareHunterTeam and was initially thought to be part of a red team exercise by Sophos; however, the Sophos X-Ops team tweeted that it did not create the encryptor. Sophos has released a report on the ransomware, noting that it appears capable of much more than encrypting files, which is unusual compared to most contemporary ransomware. The ransomware also emphasizes methods for the victim to communicate with the attacker that most ransomware groups no longer use. The IP address associated with the ransomware also appears to be linked to "Cobalt Strike command-and-control automated attacks that attempt to infect internet-facing computers with crypto mining software".

JumpCloud breach linked to North Korean state-backed hackers

According to multiple security researchers, US-based enterprise software company JumpCloud was breached by North Korean state-backed hackers who appear to be financially motivated, aiming to steal cryptocurrency. JumpCloud Chief Information Security Officer Bob Phan confirmed that "fewer than 5 JumpCloud customers... and fewer than 10 devices in total were impacted." While JumpCloud did not attribute the attack to a particular nation, researchers at CrowdStrike and SentinelOne have attributed the breach to the North Korea-backed Lazarus group. Mandiant has also attributed the hack to North Korea.

Over 15,000 Citrix servers likely vulnerable to CVE-2023-3519 attacks

Thousands of Citrix NetScaler ADC and Gateway servers exposed online are probably vulnerable to a critical remote code execution (RCE) bug that unauthenticated threat actors have been exploiting as a zero-day. Shadowserver Foundation security researchers identified at least 15,000 appliances exposed to attacks leveraging the flaw (CVE-2023-3519). On 18 July, Citrix released security updates to address the RCE vulnerability and urged customers to install the patches as soon as possible. CISA also ordered U.S. federal agencies last Wednesday to secure the Citrix appliances on their networks by 9 August, and warned that the bug had already been used to breach the systems of a U.S. critical infrastructure organization.

U.S. government launches Cyber Trust Mark IoT security labeling program

The U.S. government has launched an Internet of Things (IoT) cybersecurity labeling program called the U.S. Cyber Trust Mark, which aims to protect Americans against the security risks of internet-connected devices. The program is meant to help Americans make informed decisions and confirm that the internet-connected products they buy include strong cybersecurity protections against cyber threats and attacks. The U.S. Cyber Trust Mark will be a shield logo that appears on products that meet the established cybersecurity criteria. The criteria, established by the National Institute of Standards and Technology (NIST), will include requirements such as unique and strong passwords, protection of both stored and transmitted data, regular security updates and incident detection capabilities. The full list of standards has not yet been finalized and is due to be completed by the end of 2023. The U.S. Cyber Trust Mark will also include a QR code linking to a national registry of certified devices with up-to-date security information, as the program did not want a label that states a product "had been certified and then stayed secured forever".

GitHub warns developers that Lazarus hackers are targeting them to infect their devices

GitHub has warned of a social engineering campaign targeting the accounts of developers in the cybersecurity, cryptocurrency, blockchain and online gambling sectors in order to infect their devices with malware. The campaign is linked to the North Korean state-backed Lazarus hacking group. GitHub identified that the attackers target the personal accounts of employees of technology companies, using either compromised legitimate accounts or fake developer and recruiter personas to contact and start conversations with developers and employees in the sectors above. After establishing trust, the hackers invite them to collaborate on a project; these projects use malicious NPM dependencies that download further malware to the targets' devices.

Norwegian Data Protection Authority (DPA) bans Facebook and Instagram behavioral advertising

The DPA, Norway's data privacy watchdog, has temporarily banned behavioral advertising on Meta's Facebook and Instagram, as it considers Meta's practice illegal. The ban prohibits the practice unless Meta obtains explicit consent from Norwegian users to process their data. According to the DPA, Meta extensively monitors users' actions and tracks their activity across its platforms, using content preferences, location information and the content of users' posts on Facebook and Instagram to build personalized profiles that make targeted advertising much easier. The DPA stated that if Meta fails to comply with the decision, it will face a daily penalty of roughly $100,000. The ban is temporary, lasting 3 months from 4 August; however, the DPA is considering asking the European Data Protection Board to extend the decision beyond the 3-month ban.

U.S. government bans European spyware vendors Intellexa and Cytrox

The U.S. government has banned the European commercial spyware manufacturers Intellexa and Cytrox over risks to U.S. national security and foreign policy interests. The 4 commercial entities banned are Intellexa S.A. from Greece, Intellexa Limited from Ireland, Cytrox Holdings ZRT from Hungary and Cytrox AD from North Macedonia. The ban is due to the 4 companies' involvement in trafficking cyber exploits used to gain unauthorized access to the devices of high-risk individuals worldwide, such as politicians, executives, journalists and activists.

New NoEscape ransomware operation believed to be a rebrand of Avaddon

NoEscape launched in June this year, when it began targeting organizations in double-extortion attacks. The threat actors steal data and encrypt files on Windows, Linux and VMware ESXi servers, then threaten to publish the stolen data if a ransom is not paid. Ransom demands tend to range from hundreds of thousands of dollars to over $10 million. NoEscape is believed to be a rebrand of the Avaddon ransomware gang, which shut down in 2021 after the FBI and Australian law enforcement released Avaddon advisories; Avaddon also shared victims' decryption keys with BleepingComputer in an anonymous tip.
© 2021, TAFA HOLDINGS (S) PTE LTD. ALL RIGHTS RESERVED