Last week, breaches and cyberattacks occurred across several industries, ranging from telecommunications and software to bakery and IT. Devastating consequences have been uncovered from earlier data breaches and attacks, such as a malware campaign that has been found to have infected over 39,000 WordPress websites in the past 6 months, and MarineMax's alleged stolen data being put up for sale for 15 bitcoin. In addition, a misconfiguration at Firebase has been found to expose 19 million plaintext passwords and over 125 million sensitive user records. Furthermore, new vulnerabilities have been found and patches have been released. It is highly recommended not only to be aware of them but also to apply the updates as soon as possible. Read on for a quick summary of what happened this week in cybersecurity.

70 million AT&T accounts leaked online: AT&T claimed leaked data did not originate from their systems.

As many as 70 million AT&T customers' records are on sale on a data theft forum for a starting price of $200,000 with incremental offers of $30,000. The threat actor, ShinyHunters, has also offered a 'buy it now' option at a price of $1,000,000. Another threat actor, MajorNelson, has now offered the same data, although less than half of AT&T's customer records, for free. The data is claimed to have been stolen in a breach sometime in 2021 or earlier. However, AT&T claimed it did not originate from them and that their systems were not breached. AT&T has also told BleepingComputer that they have seen no evidence of a breach in their systems. The stolen information includes customers' names, addresses, phone numbers, birthdates, and social security numbers. It is highly recommended that AT&T customers (especially those who were customers before and through 2021) be vigilant against phishing attacks, such as SMS and email phishing.

Mintlify data breach: Customers' GitHub tokens exposed.
Mintlify, a documentation startup, publicly disclosed that 91 of their customers had their GitHub tokens exposed in a 1st March data breach. In a blog post, Mintlify stated that the data breach occurred due to a vulnerability in their own systems, which leaked the company's internal admin credentials to customers. These credentials could be used to reach the company's internal endpoints and access other unspecified sensitive user information. Mintlify co-founder Han Wang stated that they have notified the affected customers and are currently working with GitHub to identify whether the compromised tokens were used to access private repositories. If these tokens were stolen, a threat actor could obtain the same level of access to a person's source code as the token's owner.

Fujitsu suffered a cyberattack, and attackers may have stolen customers' information.

Fujitsu, a Japanese technology giant, confirmed a cyberattack in a statement on Friday. In the statement, it was confirmed that it was a malware attack, whereby they detected malware on multiple work computers. Upon further investigation, they discovered that files containing personal information and customer information may have been stolen. Fujitsu stated that they had disconnected the affected systems from their network, and are currently investigating how the malware compromised their network and whether there was a data breach. As of now, Fujitsu has not elaborated on the nature of the attack, nor on whose personal information, or what type, may have been stolen. Fujitsu has reported this incident to the relevant authorities in Japan "in anticipation" that personal information may have been stolen.

International Consolidated Airlines Group (IAG) warns Air Europa customers of a data breach that has led to their personal data being compromised.
IAG, the parent company of British Airways and Iberia, has sent an email to Air Europa's customers stating that, due to an October security incident, their personal data has been compromised. The exposed data includes customers' names, birthdays, nationalities, ID card or passport information, and phone numbers. The company stated that they have no evidence of the leaked data being inappropriately used, and further stated that if "it were to happen, the resulting inconvenience would be limited in any case". Update: IAG confirmed in a statement that they have not acquired Air Europa and would never email their customers directly. They further stated it is a matter for Air Europa and not IAG.

Spa Grand Prix official email account hacked: Targeted fans to phish for their bank information.

Threat actors have hacked into the official contact email of Spa Grand Prix, the Belgian Grand Prix event. The race organisers stated that the email account was hijacked on 17 March, and that the threat actor sent fraudulent emails to an undisclosed number of fans informing the recipients that they could claim a €50 voucher by clicking an embedded link. The link directs victims to a fake website resembling the official Spa Grand Prix portal, which asks for victims' personal information such as their banking details. Once this security issue was noticed, SPA GP sent alert emails to their customers stating that the previous message was a phishing scam and warning them not to click on any links. Additionally, the organisation has asked their IT security subcontractor to put additional security measures in place to prevent this incident from recurring. SPA GP has filed a complaint with the Belgian cyber police, and will also file a civil claim with an examining magistrate. An investigation is currently underway to determine the cause and circumstances that led to this attack.

Greggs, a UK bakery chain, is the latest victim of POS system outages: Forced to close some stores.
Greggs has fallen victim to point of sale (POS) system outages that have forced some of its stores to close. On the morning of 20 March, customers reported on social media that they had been unable to pay with their cards or had found their local Greggs branches closed. This indicates that there could be a technical issue with the POS system, which processes purchases. A statement from Greggs said that some stores had not been able to take card and cash payments, that they had "resolved a technical issue" affecting tills in some of its shops, and apologised for the inconvenience. This incident follows recent card payment outages in the UK at Sainsbury's, Tesco and McDonald's.

Misconfiguration at Firebase exposed 19 million plaintext passwords.

Three cybersecurity researchers have found that misconfigured instances of Firebase, a Google platform that provides database hosting, cloud computing and app development services, have exposed almost 19 million plaintext passwords on the public internet. The researchers scanned more than 5 million domains and found 916 websites from organisations that either had no security rules enabled or had set them up incorrectly. They were able to find more than 125 million sensitive user records, including emails, names, passwords, phone numbers, and billing information with banking details. The problem of the exposed passwords is made worse by the fact that 98% of them (19,867,627) are in plaintext. After analysing the data, the researchers tried to warn all impacted companies of their improperly secured Firebase instances, sending 842 emails over 13 days. Although just 1% of the site owners replied, a quarter of the notified site administrators have fixed the misconfiguration in their Firebase platform. However, some organisations that were contacted responded unprofessionally.
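The misconfiguration just described is, in concrete terms, a Firebase Security Rules file that lets any internet client read and write the whole database. The following is an added illustration, not code from the article or from the researchers' report: it shows the weak catch-all rule beside a hardened version for a Firestore database. The collection name `users` and the document layout are assumptions for illustration; anything not matched by an `allow` rule is denied by default.

```firestore
// Added example (not from the article or the researchers' report).
// Firestore Security Rules: the weak catch-all beside a hardened version.
// Collection name "users" and its field names are assumed for illustration.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (do not deploy): what "no security rules" or test-mode rules left in
    // production amount to. Any unauthenticated client on the internet can read
    // and write every document, which is how user records end up public.
    //
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // HARDENED: each signed-in user may only read and modify the profile
    // document whose ID equals their own Firebase Auth uid. No other path is
    // matched, so every other read or write is denied by default.
    match /users/{userId} {
      allow read, update, delete: if request.auth != null
                                  && request.auth.uid == userId;

      // On create, additionally refuse documents that carry a "password"
      // field: credentials belong in Firebase Auth (or a server-side hash),
      // never in a client-writable record.
      allow create: if request.auth != null
                    && request.auth.uid == userId
                    && !("password" in request.resource.data);
    }
  }
}
```

The rules are deployed with the Firebase CLI (`firebase deploy --only firestore:rules`) and can be exercised offline against the Firestore emulator before release. The Realtime Database uses a JSON rules document with the same idea, for example `".read": "auth != null && auth.uid == $uid"` under a `users/$uid` path instead of `".read": true`. Note that rules only control who can reach the data; they do not retroactively hash passwords that were already stored in plaintext, which the article reports for 98% of the exposed ones.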
For instance, an Indonesian gambling network that manages 9 websites mocked the researchers when they reported the problem and gave guidance on how to fix it. Unfortunately, this company accounted for the largest number of exposed bank account records (8 million) and plaintext passwords (10 million).

Sign1, a malware campaign, has infected over 39,000 WordPress websites.

Sign1, a previously unknown malware campaign, has been found to have infected over 39,000 websites in the past 6 months. This campaign causes visitors to see unwanted redirects and pop-up ads. Sucuri, a website security firm, discovered the campaign after a client's website randomly displayed popup ads to their visitors. The threat actors use WordPress custom HTML widgets or install the legitimate Simple Custom CSS and JS plugin to inject malicious JavaScript code. Based on Sucuri's analysis, the malware generates dynamic URLs that change every 10 minutes to evade blocklists. Furthermore, the malicious code checks for specific referrers and cookies before executing; it tends to target visitors arriving from major sites like Google, Yahoo, Instagram and Facebook. The malware also sets a cookie in the visitor's browser so that the popup is only displayed once per visitor, making it less likely that reports reach the compromised website's owner. Sucuri warns that Sign1 has evolved over the past 6 months, with infections increasing sharply each time a new version of the malware was released. The latest attack wave, which has been underway since January 2024, has claimed 2,500 sites. Site administrators are strongly advised to use strong, long passwords and to update their plugins to the latest version. It is also best to remove unnecessary add-ons to reduce the attack surface.

Rhysida ransomware group takes responsibility for the MarineMax cyberattack: Offers stolen data for 15 bitcoin.
The Rhysida ransomware group has taken responsibility for the cyberattack on MarineMax, one of the largest retailers of recreational boats and yachts globally. MarineMax announced in an SEC filing earlier this month that they were targeted in an attack that led to some disruption. Now, the Rhysida ransomware group is auctioning the data allegedly stolen from MarineMax on their website, with a starting price of 15 bitcoin ($950,000). As proof, they have published some screenshots showing financial documents and spreadsheets. Due to their low resolution, it is unclear how sensitive the data is. However, MarineMax stated in their filing that they did not store sensitive data in the compromised environment.

Saflok electronic lock security vulnerability can be exploited to open millions of doors.

Dormakaba's Saflok electronic locks have a security vulnerability, named Unsaflok, that can be exploited to forge keycards and open doors. This vulnerability impacts more than 3 million locks that are commonly used in hotels and multi-family housing environments. A total of more than 13,000 locations across 131 countries are likely affected. The vulnerable lock models include the Saflok MT and the Quantum, RT, Sapphire and Confidant series devices, which are used in combination with the System 6000, Ambiance, and Community management software. According to the security researchers, an attacker can take a keycard from a property where the vulnerable locks are used, forge it, and unlock any door on that property. Furthermore, any device that can write or emulate MIFARE Classic cards can be used in this attack. Dormakaba has worked on patches for this security vulnerability and started rolling them out in November 2023. However, the process is slow, and only 36% of affected locks have received the fix, because upgrading each hotel is an intensive process.
The company has reported that so far they are unaware of any reported instances in which this vulnerability has been exploited, and has strongly recommended that their customers upgrade as soon as possible to address it.

Microsoft released a patch for an Xbox vulnerability.

Microsoft has released a patch for an Xbox vulnerability (tracked as CVE-2024-2891) that impacts Xbox Gaming Services. According to Microsoft, it has 'important' severity and can be easily exploited by a local attacker with low privileges to escalate permissions to SYSTEM. Microsoft has informed customers that app package versions 19.87.13001.0 and later patch the vulnerability. For users who have automatic updates enabled, the fix should be delivered automatically. Microsoft stated that although there is currently no evidence of malicious exploitation, the flaw has been assigned an 'exploitation more likely' rating.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
© 2021, TAFA HOLDINGS (S) PTE LTD. ALL RIGHTS RESERVED