Last week, more data breaches, cyberattacks and ransomware attacks occurred across several industries, from hotels and casinos to the public sector, some with devastating consequences. New malware, vulnerabilities and patches were also found and released. It is highly recommended not only to be aware of them but also to apply the patches where possible.
Read on for a quick summary of what happened this week in cybersecurity.

Pizza Hut Australia data breach: 193,000 customers' personal information exposed

Pizza Hut Australia is sending data breach notifications to customers, warning that attackers gained unauthorised access to the Pizza Hut Australia systems that store the personal information of customers who placed online orders, including customer record details and online order transactions. The incident affected 193,000 customers. The exposed information includes customers' full names, delivery addresses, delivery instructions, email addresses, phone numbers, masked credit card data, and encrypted passwords for online accounts. In the notice, the company recommends that customers consider updating their password even though the passwords are "one-way encrypted" in the database. It also urged customers to watch for phishing attacks and suspicious links sent in unsolicited communications. Pizza Hut stated that the Office of the Australian Information Commissioner (OAIC) has been fully informed of the situation.

Hong Kong Consumer Council hit by ransomware: warns of suspected data breach

Hong Kong's consumer watchdog, the Consumer Council, said on Friday that its computer system had suffered a cyberattack, which was identified on Wednesday. The attack damaged about 80% of its systems and disrupted its hotline services and price comparison tools. A "data transfer volume of 65GB higher than usual was observed". The Consumer Council has not yet confirmed whether a data breach occurred, nor determined the scope of any data leak. Those potentially affected include current and former staff, job applicants, and subscribers to the monthly CHOICE magazine.
The data potentially at risk includes the HKID numbers of current and former staff and their family members, and the credit card information of around 8,000 subscribers to the council's monthly CHOICE magazine. A ransom note was also left, claiming that employee and client data had been obtained during the attack. The attackers demanded a ransom of US$500,000 to be paid by Saturday night, rising to US$700,000 if the deadline was not met. However, Chan, the Consumer Council chairperson, stated that the council will not pay the ransom and will support police investigations. The incident has also been reported to the Privacy Commissioner's Office.

Greater Manchester Police suffers third-party data breach exposing officers' and staff personal data

The UK's Greater Manchester Police (GMP) has been affected by a third-party breach at the supplier that produces GMP's staff ID cards. The breach exposed the personal data of GMP officers and staff. Financial details and home addresses were not exposed, but names, ranks and photographs from warrant badges were. GMP has not yet determined the number of impacted officers and staff or the full nature of the data, and has not named the third-party supplier. GMP's Assistant Chief Constable disclosed that the breach involved ransomware, but did not disclose the attacker's identity or whether any ransom demands were received. A national investigation into the breach, involving regulatory and law enforcement agencies, has begun. Because the breach may also affect undercover officers and agents working on special missions, the National Crime Agency (NCA) has stepped in to prevent that possibility.

Hotel hackers redirect customers to a fake Booking.com payment page to steal their cards
Security researchers discovered a multi-step campaign in which attackers breach the systems of hotels, booking sites and travel agencies, then use that access to steal customers' financial information. Through this approach and a fake Booking.com payment page, the attackers have a higher chance of successfully collecting credit card details. Researchers at Akamai found that the criminals first establish communication with a hotel and, under the pretext of a special request or medical condition, send documents via a URL. The URL leads to info-stealing malware that collects sensitive information such as credentials or financial data. Once the info-stealer is running on the initial target (the hotel), the attacker can access its messaging with legitimate customers. They can then send phishing messages that look like legitimate requests from the now-compromised hotel, booking service or travel agency. The message typically asks for additional credit card verification and is worded to look like a genuine interaction. What makes it more convincing is that these phishing messages are delivered through the booking platform itself. The victim receives a link for the supposed card verification, which opens a fake Booking.com payment page. Users are strongly advised not to click unsolicited links, even if they look legitimate: check URLs for signs of deception, and be suspicious of urgent or threatening messages that demand immediate action. It is also recommended to contact the company directly via its official email address or phone number to verify any such message.

MGM restores casino operations 10 days after ransomware attack

MGM Resorts' hotel and casino operations were restored 10 days after the devastating ransomware attack. Some sources say MGM has been losing more than US$8 million per day.
Although MGM's hotels and casinos are now operating normally, MGM is still working to restore online hotel booking and some MGM Rewards functionality. Some MGM workers, however, beg to differ. An alleged MGM employee wrote that employees are significantly affected, that their entire employment information has been hacked, and that they have had no answers from MGM. They added that they have "no schedule…no vacation (PTO) hours…All info pertaining to my 401…Time card and tokes made…Attendance points". MGM has not yet provided any information about what data was compromised in the attack or how much sensitive data may have been stolen.

PhilHealth temporarily shuts down systems to contain cyberattack

In a statement on Saturday, the Philippine Health Insurance Corporation (PhilHealth) informed the public that it had to temporarily shut down some of its systems to contain a cyberattack. It stated that it is investigating the incident and implementing containment measures. PhilHealth said it will issue an advisory once the affected systems are back online. As of 23 September, its website is inaccessible. The Department of Information and Communications Technology and other concerned agencies are involved in the investigation.

Clorox says cyberattack is still disrupting operations

The Clorox Company, manufacturer and marketer of bleach and other household cleaning products, has stated that it does not expect operations to return to normal until the end of the month due to the "widescale disruption to operations" caused by last month's cyberattack. In its latest update to the SEC, the company stated that it is operating at a "lower rate of order processing" and has only just "begun to experience an elevated level of consumer product availability issues." Clorox also stated that it believes the attackers' activity has been contained.
However, the attack damaged parts of its IT infrastructure, which Clorox is now repairing while re-integrating the systems that were taken offline. A return to normal automated order processing is scheduled for 25 September. Production has resumed at the vast majority of its manufacturing sites, with full production expected over time. Clorox is, however, unable to estimate how long it will take to resume fully normalised operations.

International Criminal Court hit by cyberattack, hackers accessed its systems

The International Criminal Court (ICC), the only permanent war crimes tribunal, said it experienced a cyberattack last week in which hackers accessed its internal systems. The ICC confirmed on Tuesday that it had detected "anomalous activity affecting its information systems" and immediately put security measures in place to respond to the incident and mitigate its impact. The Host Country (the Netherlands) authorities also provided assistance with additional response and security measures. The nature of the incident remains unclear, and it is not yet known whether any data in its systems was accessed or exfiltrated.

National Student Clearinghouse data breach affects 890 schools

National Student Clearinghouse, a US educational non-profit, has disclosed a data breach affecting 890 schools across the United States. In a breach notification letter, Clearinghouse stated that the attackers gained access to its MOVEit managed file transfer server and stole files containing personally identifiable information (PII). The stolen PII includes names, birth dates, contact information, social security numbers, student ID numbers, and school-related records such as enrollment records, degree records and course-level data. According to the notification letters, the exposed data varies for each impacted individual.
The list of educational organisations affected by this breach can be found here. Clearinghouse stated that on learning of the incident it immediately started an investigation with cybersecurity experts and coordinated with law enforcement.

City of Dallas says Royal ransomware attack compromised its network using a stolen account

The City of Dallas, Texas, said that the Royal ransomware gang gained access to the City's network using a stolen domain service account. The attack forced the City to shut down all IT systems in May. Royal had access to the compromised systems between 7 April and 4 May, during which it collected and exfiltrated 1.169TB of files. Royal then deployed its ransomware payloads on 3 May, using legitimate Microsoft administrative tools to encrypt servers. After the attack was detected, the City took high-priority servers offline to impede Royal's progress and began restoring all servers, a process that took just over 5 weeks. The City reported that the personal information of 26,212 Texas residents, and 30,253 individuals in total, was potentially exposed. The compromised information includes names, addresses, social security information, health information, health insurance information and other such data. The Dallas City Council has set a budget of US$8.5 million for the restoration effort, with the final costs to be shared later.

Air Canada discloses data breach: employee data and "certain records" stolen

Air Canada has disclosed a data breach this week in which hackers obtained limited access to its internal systems, resulting in the theft of some employee data and "certain records". Customer data was not accessed, and the airline's flight operation systems and customer-facing systems were not affected.
The airline has contacted the affected parties and relevant law enforcement.

Hackers infect Android devices with malware using fake YouTube clones

The APT36 hacking group has been observed using at least 3 Android apps that mimic YouTube to infect devices with CapraRAT, its signature remote access trojan (RAT). Once installed on the victim's device, the malware can harvest data, record audio and video, or access sensitive communications; it essentially operates as spyware. Because these malicious apps are distributed outside Google Play, Android users are strongly advised to only download apps from Google Play, Android's official app store. The interface of these malicious apps attempts to imitate Google's real YouTube app, but resembles a web browser more than the native app.

New sophisticated Deadglyph backdoor used against government agencies

A new and sophisticated backdoor, 'Deadglyph', was seen in an attack against a government agency in the Middle East. The malware is attributed to Stealth Falcon, a state-sponsored hacking group from the UAE that has targeted activists, journalists and dissidents for almost a decade. Deadglyph is modular: its operators can create new modules as needed to tailor attacks and push them to victims to perform additional malicious functionality. ESET believes there are 9 to 14 different modules but could obtain only 3: a process creator, an information collector, and a file reader. The information collector reports details such as the victim's operating system, network adapters, installed software, drives, services, drivers, processes, users, environment variables and security software. The process creator executes specified commands as a new process and returns the result to the Orchestrator.
The file reader module reads the contents of files and passes them to the Orchestrator, and also gives the operators the option to delete a file after reading it. Although ESET was only able to uncover some of the malware's capabilities, it is evident that Deadglyph is a serious threat.

New info-stealing malware 'LuaDream' used to target telcos

'Sandman', a previously unknown threat actor, is using the modular info-stealing malware 'LuaDream' to target telecommunication service providers in the Middle East, Western Europe and South Asia. Sandman's operational style is to keep a low profile to evade detection while performing lateral movement and maintaining long-term access to breached systems, maximising its cyber-espionage operations. SentinelLabs reports that the targeted workstations were assigned to managerial personnel, indicating an interest in privileged or confidential information. Sandman joins a growing list of advanced attackers targeting telecom companies for espionage, using unique stealthy backdoors that are challenging to detect and stop.

Update your Apple devices now: patches for zero-day flaws used to plant spyware

On Thursday, Apple released urgent security updates for all Apple devices (iPhones, iPads, Macs, Apple Watch and Safari) to patch 3 zero-day vulnerabilities (CVE-2023-41991, CVE-2023-41992 and CVE-2023-41993) that are being actively exploited. Between May and September 2023, attackers exploited these vulnerabilities in attacks using decoy SMS and WhatsApp messages to target former Egyptian MP Ahmed Eltantawy. The 3 vulnerabilities, discovered by Maddie Stone, form part of an exploit chain used together to gain access to a target's device. The latest update blocks an exploit used to plant the Predator spyware on the former Egyptian MP's phone.
Predator spyware can steal the contents of a person’s phone when planted, often via spoofed text messages that link to malicious websites. The list of affected devices includes a wide range of older and newer device models:
All Apple users are strongly advised to update their devices now.

GitLab urges users to install security updates to patch a critical pipeline flaw

GitLab has released security updates to address a critical-severity vulnerability (CVE-2023-5009) that allows attackers to run pipelines (a series of automated tasks) as other users via scheduled security scan policies. This could let attackers access sensitive information or abuse the impersonated user's permissions to run code, modify data, or trigger specific events within GitLab. Such a compromise could result in loss of intellectual property, damaging data leaks, supply chain attacks and other high-risk scenarios. The flaw affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 to 16.2.7, and versions 16.3 to 16.3.4.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
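A quick inventory check for the GitLab item above, added here as an example and not code from the original post or from GitLab: it parses GitLab version strings and flags instances whose version sits in the affected ranges the post lists. The hostnames and versions are a constructed sample; 16.2.7 and 16.3.4 are treated as the fixed releases (GitLab's advisory words the ranges as "before" those versions), so confirm the boundaries against the advisory before acting on the output.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Ranges for CVE-2023-5009 as the post lists them: "13.12 to 16.2.7" and
# "16.3 to 16.3.4". The upper bound of each range is the fixed release
# (assumption taken from GitLab's advisory wording), so it is exclusive.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((13, 12, 0), (16, 2, 7)),
    ((16, 3, 0), (16, 3, 4)),
]


def parse_version(text: str) -> Version:
    """Turn a GitLab version such as '16.2.6-ee' or '16.3' into a 3-tuple.

    An edition suffix ('-ee', '-ce') is ignored; anything that is not two or
    three numeric components is rejected rather than silently misclassified.
    """
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames (sorted) whose GitLab version is affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "gitlab-a.example.test": "16.2.6-ee",
    "gitlab-b.example.test": "16.3.5",
    "gitlab-c.example.test": "13.11.2",
    "gitlab-d.example.test": "16.3",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs the CVE-2023-5009 update")
```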
© 2021, TAFA HOLDINGS (S) PTE LTD. ALL RIGHTS RESERVED