Last week, more data breaches and cyberattacks occurred across several industries. Devastating impacts of cyberattacks have also been reported, from MGM Resorts reporting a loss of $100 million due to the September attack to PhilHealth being fully investigated by Philippine authorities, who are recommending legal prosecution to the fullest extent allowed by law. Furthermore, new malware-as-a-service offerings, phishing campaigns, vulnerabilities and patches have also been found and released. It is highly recommended not only to be aware of them but also to apply the updates when possible.
Read on to receive a quick summary of what happened this week in the space of cybersecurity.

Sony confirms data breach that affected 6,800 current and former employees

Sony is sending out notices to affected current and former Sony Interactive Entertainment (SIE) employees that their personal information was compromised in a system breach that occurred in May. The letters reportedly went out to about 6,800 affected employees. Sony disclosed in the letter that the breach was due to exploitation of the zero-day vulnerability in the MOVEit Transfer platform. Sony admitted that the data breach occurred on 28 May, 3 days before Sony was informed about the MOVEit vulnerability. A second breach was detected on 2 June, when unauthorised downloads were observed. In response, Sony immediately took the platform offline and remediated the vulnerability. Sony has also informed the affected employees that they will be given Equifax credit monitoring and identity restoration services. Late last month, following allegations on hacking forums that Sony had been breached again and that 3.14GB of data had been stolen, Sony responded that it was investigating these claims. Sony told BleepingComputer that it had “identified activity on a single server located in Japan used for internal testing for the Entertainment, Technology and Services (ET&S) business”. The server was taken offline while investigations are ongoing, and so far Sony has found no indication that customers’ or business partners’ data were affected by this breach.

NPC: More than 730GB of PhilHealth data leaked, including sensitive personal information
The National Privacy Commission (NPC) launched a further investigation into the ransomware attack and data breach at the state health insurer, the Philippine Health Insurance Corp (PhilHealth). In a statement, the NPC said it had completed its initial analysis of 650GB worth of compressed files originating from the data dump claimed by Medusa, a ransomware group that admitted hacking into PhilHealth computers and demanded a US$300,000 ransom for the stolen information. The data surfaced on the dark web after the government did not meet the ransom demand. Upon extraction, the files revealed 734GB worth of data, which includes sensitive personal information. Department of Information & Communications Technology undersecretary Jeffrey Dy observed copies of employees’ payroll and details such as regional offices, memos, directives, working files and hospital bills. In terms of personal information, IDs and pictures were found. A full inventory of the compromised personal information will, however, take some time due to the sheer volume. Based on these findings, the NPC “has launched a sua sponte investigation to determine the full scope of the breach, identify the responsible officials, and recommend legal prosecution to the fullest extent permissible by law”. The NPC also initiated an immediate proactive investigation into PhilHealth’s potential violations of the Data Privacy Act of 2012. The NPC noted that PhilHealth has “implicitly acknowledged a degree of negligence on their part”, as an official admitted that the antivirus software PhilHealth was using had expired. The NPC also issued a public warning that anyone who tries to access or download the leaked data will be held accountable and may face criminal charges.

23andMe, a genetics firm, suffered a credential stuffing attack: confirms user data was stolen
23andMe confirmed that it is aware of its users’ data circulating on hacker forums, and stated that the leak was due to a credential stuffing attack. A 23andMe spokesperson stated that the threat actors used credentials exposed in other breaches to access 23andMe accounts and steal the sensitive data. A threat actor has leaked samples of data allegedly stolen from 23andMe and offered to sell the data packs. The threat actor has offered data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased. The compromised information includes full names, usernames, profile photos, sex, birthdates, genetic ancestry results, and geographical location. It was found that the compromised accounts had opted in to the ‘DNA Relatives’ feature, which allows users to find genetic relatives and connect with them. Users of 23andMe are encouraged to enable two-factor authentication on the platform and to refrain from re-using passwords.

Motel One Group disclosed data breach: payment card details accessed

Motel One, a low-budget hotel chain, suffered a ransomware attack and a subsequent data breach. Exposed data includes customers’ address data and 150 credit card details. The hotel chain stated that it had notified all customers impacted by the data breach as well as the relevant authorities, and that it had started an investigation into the breach. ALPHV (also known as BlackCat), a ransomware gang, claimed responsibility for the attack and claimed to have stolen 5.5 terabytes of data, including nearly 24.5 million files. According to the gang, the stolen data includes “PDF and RTF booking confirmations for the past 3 years containing names, addresses, reservation dates, payment method and contact information”, as well as “customers’ credit card data and internal company documents.”

European Telecommunications Standards Institute disclosed data breach: database of its online users stolen
The European Telecommunications Standards Institute (ETSI), a not-for-profit organisation that supports the development and testing of technical standards in the information and communication fields, has disclosed a data breach following a cyberattack on its members’ portal. ETSI has over 900 member organisations from 65 countries. ETSI announced that the cybercriminals had breached the “IT system dedicated to its members’ work”, stealing the list of its online members. ETSI believes that the user database has been exfiltrated. ETSI has fixed the vulnerability and strengthened its IT security procedures. The organisation has also encouraged all online users to reset their passwords as a precautionary measure.

D.C. Board of Elections confirms data breach: voter information stolen

The District of Columbia Board of Elections (DCBOE) announced on Friday that hackers were able to access thousands of D.C. residents’ voter records in a data breach. In a release, DCBOE stated that it was aware that RansomVC, a hacking group, allegedly got access to 600,000 lines of U.S. voter data on Thursday. The threat actor claims that the stolen data includes, but is not limited to, names, registration ID, voter ID, partial social security number, driver’s licence number, birth date, phone number and email. The board said it discovered the breach through its website and its hosting provider DataNet, and has since taken down its website as a precautionary measure. Notably, the breach did not involve a direct compromise of DCBOE’s servers and internal systems.
MGM Resorts reveals last month’s ransomware attack led to $100 million loss

MGM Resorts revealed that September’s ransomware attack cost it approximately $100 million. In addition to losing $100 million in earnings, MGM also incurred slightly less than $10 million in expenses for risk remediation, legal fees, third-party advisory, and incident response measures. However, MGM Resorts said it expects the latter costs to be covered by its cybersecurity insurance. MGM emphasised that the financial impact will be predominantly confined to Q3 2023, and does not expect a negative impact on its annual financial performance.

Lyca Mobile investigates possible data breach after cyberattack causes network disruption

Lyca Mobile disclosed that a cyberattack caused an unexpected disruption on its network, and that the cybercriminals may also have compromised customer data. The attack caused service interruptions in all but 4 countries. Customers and retailers reported that they were unable to access the company’s top-up portal. According to the press release, national and international calling services have also been affected. Lyca Mobile has launched an investigation to determine the impact of the cyberattack. The company also emphasised that all of its records are fully encrypted, which indicates that the firm suspects or has verified unauthorised access to its databases.
Lyca Mobile says restoration efforts are underway; however, certain operational services remained unavailable in some impacted markets.

Hundreds of malicious info-stealing Python packages found stealing sensitive data

Researchers observed a malicious campaign that has been planting hundreds of info-stealing packages on open-source platforms, which have accumulated about 75,000 downloads. Researchers discovered 272 packages with code for stealing sensitive data from targeted systems. The package authors have been adding more sophisticated layers and detection-evasion techniques, so the attack has evolved significantly since it was first discovered. Once launched, the packages target information such as:
(1) running antivirus tools;
(2) task lists, Wi-Fi passwords and system information;
(3) credentials, browsing history, cookies and payment information stored in web browsers;
(4) cryptocurrency wallet app data;
(5) Discord badges, phone numbers, email addresses, and Nitro status;
(6) Minecraft and Roblox user data.
The malware can also take screenshots and steal individual files from directories such as Desktop, Pictures, Documents, Music, Videos and Downloads on the compromised system. It has also been reported that the malware engages in app data manipulation. A list of the malicious packages can be found here.

Researchers warn that about 100,000 industrial control systems are exposed online

About 100,000 industrial control systems (ICS), including power grids, traffic light systems, security and water systems, were found exposed on the public web. This leaves them open to attackers looking for vulnerabilities and puts them at risk of unauthorised access. The exposed ICS also include units for critical infrastructure systems (such as sensors, actuators, switches, building management systems, and automatic tank gauges).
BitSight, a cybersecurity company, raised the alarm after identifying this issue in multiple sectors, impacting many Fortune 1000 companies in 96 countries.

Phishing campaign targets Microsoft 365 accounts by abusing open redirects from indeed.com

A phishing campaign has been found targeting the Microsoft 365 accounts of key executives in U.S.-based organisations by abusing open redirects from Indeed.com, a job listing website. The threat actor uses EvilProxy, a phishing service that can bypass multi-factor authentication (MFA) mechanisms. The targets of this phishing campaign are executives and high-ranking employees from various industries: electronic manufacturing, banking and finance, real estate, insurance and property management. Open redirects allow redirection to arbitrary locations, which threat actors use to send victims to a phishing page. Because the link comes from a trustworthy party, it can bypass email security measures or be promoted on search engines without raising suspicion. The targets receive emails with an indeed.com link that looks legitimate. However, when clicked, the URL takes the target to a phishing site that looks like the authentic Microsoft login page. When the user accesses their account via this server, the threat actor can capture the authentication cookies, which then give them full access to the victim’s account.

New feature-rich malware-as-a-service, named BunnyLoader, emerges

Researchers found a new malware-as-a-service (MaaS) called BunnyLoader, which has been advertised on various hacker forums as a fileless loader that can steal and replace system clipboard contents. The malware has been developing rapidly, with updates adding new features and bug fixes. Its developers have been adding new functions such as multiple anti-detection mechanisms and more info-stealing capabilities. Currently it can download and execute payloads, log keystrokes, steal sensitive data and cryptocurrency, and execute remote commands.
Zscaler researchers note that BunnyLoader has been gaining popularity among cybercriminals as a low-priced, feature-rich malware.

Atlassian released emergency security updates to patch critical zero-day vulnerability exploited in attacks

Atlassian, an Australian software company, released emergency security updates to fix a maximum-severity zero-day vulnerability (tracked as CVE-2023-22515) in its Confluence Data Center and Server software. This vulnerability has been exploited in attacks. Atlassian Cloud sites are not affected by this vulnerability. Customers using the vulnerable versions are strongly encouraged to update immediately to one of the fixed versions (i.e. 8.3.3 or later, 8.4.3 or later, 8.5.2 or later). Atlassian also urges customers that are unable to update immediately to shut down impacted instances or isolate them from Internet access. The company also recommends that admins check all Confluence instances for indicators of compromise. Indicators of compromise can be found here.

Android October security updates address zero-day flaws exploited in attacks

Google has released the October security updates for Android, which address 54 unique vulnerabilities, including 2 that are known to be actively exploited (tracked as CVE-2023-4863 and CVE-2023-4211). Of the 54 fixes concerning Android 11-13, 5 are rated critical, and 2 concern remote code execution problems. Users of older Android systems are recommended either to upgrade to a newer model (as versions 10 or older are no longer supported) or to use a third-party Android distribution that offers security updates for their models.

Apple released new emergency security updates to patch new zero-days used to hack iPhones

Apple released new emergency security updates on Wednesday to patch 2 new zero-day vulnerabilities that are being actively exploited against versions of iOS before iOS 16.6. CVE-2023-42824 enables attackers to escalate privileges on unpatched iPhones and iPads.
The list of impacted devices is quite extensive, and it includes iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later. Apple also addressed CVE-2023-5217, which could allow arbitrary code execution (meaning attackers can run any commands or code) after successful exploitation.

Microsoft released emergency security updates for Edge, Teams and Skype to patch zero-days in open-source libraries

Microsoft released emergency security updates for Edge, Teams and Skype to patch 2 zero-day vulnerabilities in open-source libraries used in these 3 products. Both flaws (CVE-2023-4863 and CVE-2023-5217) lead to crashes or allow arbitrary code execution after successful exploitation. The two security flaws only affect a limited number of Microsoft products, with the company patching Microsoft Edge, Microsoft Teams for Desktop, Skype for Desktop, and Webp Image Extensions against CVE-2023-4863 and Microsoft Edge against CVE-2023-5217. The Microsoft Store will automatically update all affected Webp Image Extensions users. However, the security update will not be installed if Microsoft Store automatic updates are disabled.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
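As an added illustration of the open-redirect lure described in the phishing item above (example code written for this summary, not from the original post or from Indeed, Microsoft or any vendor mentioned), the Python function below flags links whose redirect-style query parameter points to a host other than the link's own. The sample URLs, the redirect path and the parameter names checked are constructed assumptions; the post does not give the real lure format.

```python
"""Flag links whose query string carries a redirect target on another host.

Added example, not from the original post. The parameter names below and
the sample links are assumptions; real redirect endpoints use their own.
"""
from typing import Optional
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameter names often used by redirect endpoints (assumption, not exhaustive).
REDIRECT_PARAMS = {"url", "redirect", "redirect_url", "next", "return", "dest", "target", "u"}


def external_redirect_target(link: str) -> Optional[str]:
    """Return the off-site host a link would redirect to, or None.

    A link is flagged when any redirect-style parameter holds an absolute
    (possibly URL-encoded) or scheme-relative URL whose host differs from the
    host of the link itself: a trusted domain in the visible URL, a different
    host in the redirect parameter. Same-site subdomains are also flagged and
    would need an allow-list in a real mail filter.
    """
    parts = urlsplit(link)
    link_host = (parts.hostname or "").lower()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() not in REDIRECT_PARAMS:
            continue
        candidate = unquote(value)  # decode once more in case of double-encoding
        if candidate.startswith("//"):  # "//host/path" also leaves the site
            candidate = "https:" + candidate
        target = urlsplit(candidate)
        target_host = (target.hostname or "").lower()
        if target.scheme in ("http", "https") and target_host and target_host != link_host:
            return target_host
    return None


# Constructed sample links modelled on the lure described in the post.
SAMPLE_LINKS = [
    "https://www.indeed.com/promo/redirect?url=https%3A%2F%2Flogin.example-phish.test%2Fo365",
    "https://www.indeed.com/jobs?q=security+engineer&l=Austin",
    "https://www.indeed.com/promo/redirect?url=https%3A%2F%2Fwww.indeed.com%2Fjobs",
]


def triage(links):
    """Map each link to the external host it redirects to, or None if it stays on-site."""
    return {link: external_redirect_target(link) for link in links}


if __name__ == "__main__":
    for link, host in triage(SAMPLE_LINKS).items():
        print(("FLAG " if host else "ok   ") + link + (f"  -> {host}" if host else ""))
```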
© 2021, TAFA HOLDINGS (S) PTE LTD. ALL RIGHTS RESERVED