Last week, more cyberattacks and data breaches occurred across several industries, some with devastating consequences. Read on for a quick summary of what happened this week in cybersecurity.

Cybercriminals completely wiped out all CloudNordic servers and customer data.

CloudNordic has told customers that a ransomware group has shut down all of CloudNordic's systems and wiped out the company's and customers' websites and email systems. The backups and production data also appear to have been wiped. With the ransomware having encrypted the Danish cloud provider's servers, customers have been told to consider all of their data lost. CloudNordic has also stated that it will not pay the ransom to restore the information and systems. Although data and systems have been lost, CloudNordic said it found no evidence of a data breach in which information was exfiltrated. As of 23 August, CloudNordic has stated it is bringing customers' web and email servers back online, though without data. To restore services, CloudNordic has published detailed instructions for 2 options.

A French government agency suffers a data breach which exposed 10 million people's data.

Pôle emploi, France's government unemployment registration and financial aid agency, has announced a data breach that exposed the data of 10 million individuals. Its press release stated that the breach was due to a compromise of one of its providers' information systems, and that job seekers registered in February 2022, as well as former users of the job center, are potentially affected. Although the agency did not state how many people were impacted, Le Parisien reports an estimated 10 million, based on the number of individuals registered in February 2022 plus those who had registered earlier but whose data had not yet been deleted from the agency's systems. The compromised data includes full names and social security numbers.
Pôle emploi strongly recommends that registered job seekers be cautious with incoming communications, and a dedicated phone support line has been set up to address any questions or concerns affected individuals may have about the breach.

Christie's data breach exposed GPS coordinates of collectors' artworks.

Hundreds of Christie's auction house clients who had uploaded photographs of their paintings and sculptures for the auction house's review were impacted by a data breach that exposed the exact location of the art they own. The incident was discovered by researchers Martin Tschirsich and André Zilch when a friend asked them to check how secure the auction house's data was. They estimated that around 10% of the uploaded images contained exact GPS coordinates, revealing not just the street address where the photo was taken but the artwork's exact location. The researchers alerted Christie's in July, but the vulnerability was only fixed this week.

Rhysida ransomware group sells Prospect Medical Holdings data.

The Rhysida ransomware group claims to have exfiltrated a 1.3-terabyte SQL database and 1 terabyte of "unique files" from Prospect Medical Holdings, and is selling the data for 50 bitcoin on its data leak site. The data Rhysida claims to hold includes 500,000 social security numbers, patient files, passports, driver's licenses, and legal and financial documents. As of Thursday, Prospect Medical Holdings stated on its website that its chain is experiencing a systemwide outage and that it is working to resolve the issue. The U.S. Department of Health and Human Services has issued an alert warning that Rhysida is focusing its attacks on healthcare and public health sector organizations.

Data of donors to Australian charities such as Cancer Council and Canteen have been leaked onto the dark web.
Thousands of donors to more than 70 Australian charities had their personal information leaked onto the dark web after Pareto Phone, a Brisbane-based telemarketer, was hacked by cybercriminals. It has been reported that the breach could affect more than 50,000 Australians, that credit card data was also stolen for some of the charities, and that some of the stolen data was up to 15 years old. The Cancer Council, Canteen and the Fred Hollows Foundation have confirmed that donor information has been published on the dark web. The Fred Hollows Foundation stated that 1,700 of its donors were affected and that their data had been retained without the charity's knowledge, since it had worked with Pareto Phone only during 2013-2014. Médecins Sans Frontières (MSF) also accused Pareto Phone of retaining its donors' data without its knowledge. Canteen stated that all 2,600 affected donors have been contacted, and that the leaked information included names, dates of birth, addresses, email addresses and phone numbers. The Cancer Council is waiting for Pareto Phone to confirm how many of its donors are affected and has severed ties with the company. Pareto Phone's CEO Chris Smedley apologized for the distress the breach caused and stated that the company is working with forensic specialists to analyze the affected files.

Metropolitan Police investigating a suspected data breach.

The Metropolitan Police is investigating a possible data breach after "unauthorized access" was detected to the systems of one of its suppliers. The supplier held officers' and staff's names, ranks, photos, vetting levels and pay numbers. The possible breach has been reported to the National Crime Agency (NCA) and the Information Commissioner.
The Met's spokesperson was unable to say when the breach occurred or how many personnel were affected, but did state that the supplier did not hold personal information such as phone numbers, addresses or financial details.

Kroll suffers data breach after employee fell victim to SIM swapping attack.

Kroll, a risk and financial advisory solutions provider, disclosed on Friday that one of its employees fell victim to a SIM swapping attack. Kroll stated that the cybercriminal targeted the employee's T-Mobile account on 19 August, and that the employee's phone number was transferred to the cybercriminal's phone at the cybercriminal's request, without any authority from or contact with Kroll or the employee. This allowed the cybercriminal to access files containing personal information of bankruptcy claimants in BlockFi, FTX and Genesis. Kroll stated it immediately secured the 3 affected accounts and notified impacted individuals by email. FTX and BlockFi clarified that user passwords and client funds were not impacted and that their own systems were not breached.

American Express confirms APAC employees' details were leaked.

American Express has confirmed that a former employee gained access to Asia Pacific employee data (covering both former and current employees) after accidentally being given access to a third-party payroll company. This was shared anonymously on The Aussie Corporate account, where the poster also stated that the data accessed included bank account details, names, addresses, payment histories and tax file numbers, that all APAC employees were affected, and that 2 years of identity theft protection service have been offered to ex- and current employees impacted by the breach. When CyberSecurity Connect reached out to Amex, the company confirmed that no payment data or bank details were accessed by the former employee and that only "certain" employees were affected.
It also stated that no American Express Card member data was impacted.

2.6 million Duolingo users' data have been leaked on a hacking forum.

Data from 2.6 million users of Duolingo, a language learning platform, has been leaked on a hacking forum. The leaked data includes names, login names, email addresses and internal service-related details. The data was first offered for sale on the now-defunct Breached hacking forum in January 2023 for $1,500. A Duolingo spokesperson stated that the data was obtained by scraping public profile information and that there was no indication its systems were compromised. However, with users' email addresses and names exposed, attackers can craft more convincing phishing emails, which may lead more people to fall for these scams.

Tesla says May data breach caused by 2 ex-employees.

Tesla has stated that the data breach affecting more than 75,000 former and current employees was caused by 2 former employees, who leaked 75,735 individuals' personal information to a foreign media outlet, Handelsblatt. The leaked information includes names, addresses, phone numbers, employment-related records and social security numbers. The German outlet has assured Tesla that it will not publish the information and that it is "legally prohibited from using it inappropriately". The outlet obtained more than 23,000 internal documents containing 100GB of confidential data, including employees' personal information, customer bank details, production secrets, and customer complaints about Tesla's Full Self-Driving (FSD) features. Tesla has filed lawsuits against the 2 ex-employees allegedly responsible for the breach.

Mounting evidence that Akira ransomware targets Cisco VPN products to breach organizations.

There is mounting evidence that Akira ransomware uses Cisco VPN products as an attack vector to breach organization networks and steal and encrypt their data.
Sophos first observed Akira's abuse of VPN accounts in May, when its researchers found that Akira breached a network using "VPN access using Single Factor authentication". Another incident responder, Aura, also stated on Twitter that Akira was using Cisco VPN accounts that were not protected by MFA, and other researchers have reported the same. This is troubling because Cisco VPN solutions are widely used across many industries. A Cisco spokesperson confirmed to BleepingComputer that its VPN products support MFA. Customers can configure logging on Cisco ASAs, and Cisco recommends sending logging data to a remote syslog server, which improves correlation and auditing of network and security incidents across devices.

TP-Link smart bulbs and Tapo app could allow attackers to steal victims' WiFi passwords.

Researchers from Italy and the UK discovered 4 vulnerabilities in the TP-Link Tapo L530E smart bulb and the Tapo app that could allow attackers to steal a victim's WiFi password. The vulnerabilities: (1) allow an attacker to impersonate the device during the session key exchange step, (2) allow an attacker to retrieve Tapo user passwords and manipulate Tapo devices, (3) make the cryptographic scheme predictable due to a lack of randomness in the symmetric encryption, and (4) allow an attacker to replay messages during the 24-hour period for which session keys remain valid. The most worrying attack scenario is bulb impersonation combined with retrieval of the Tapo user account. The researchers disclosed their findings to TP-Link, which acknowledged them and said it would implement patches. So far, TP-Link has released fixes for 2 products, Tapo L350(TW) V1 and Tapo L350(EU/US) V2; patches for other products are currently being released. It is highly recommended to keep these devices isolated from critical networks, update to the latest patches, and protect your accounts with MFA and strong, unique passwords.
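The third and fourth Tapo weaknesses above (no randomness in the symmetric encryption, and replay of messages while a session key stays valid) are generic protocol failures, so here is an added, self-contained Python illustration of both, written for this summary and not taken from the researchers or from TP-Link. It uses a toy HMAC-SHA256 keystream cipher in place of the bulb's real scheme (an assumption for the demo, not Tapo's protocol), shows why a fixed IV makes repeated commands recognisable and leaks the XOR of two plaintexts, and then shows a receiver that authenticates each message and rejects replays by tracking per-message nonces and a sequence counter. All message contents are constructed sample values.

```python
"""Added illustration (not TP-Link's or the researchers' code).
Toy cipher: counter-mode keystream built from HMAC-SHA256 -- an assumption
for the demo, chosen so the example runs on the standard library alone."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

IV_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Keystream block i = HMAC(key, iv || i); same key+iv => same keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """Return iv || ciphertext. iv=None draws a fresh random IV; passing a fixed
    IV reproduces the 'no randomness' weakness on purpose."""
    if iv is None:
        iv = secrets.token_bytes(IV_LEN)
    return iv + xor(plaintext, keystream(key, iv, len(plaintext)))


def decrypt(key: bytes, blob: bytes) -> bytes:
    iv, ct = blob[:IV_LEN], blob[IV_LEN:]
    return xor(ct, keystream(key, iv, len(ct)))


def fixed_iv_ciphertexts_collide(key: bytes, command: bytes) -> bool:
    """With a fixed IV, the same command always encrypts to the same bytes, so an
    observer can recognise repeated commands without knowing the key."""
    fixed_iv = b"\x00" * IV_LEN
    return encrypt(key, command, fixed_iv) == encrypt(key, command, fixed_iv)


def fresh_iv_ciphertexts_differ(key: bytes, command: bytes) -> bool:
    """With a random IV per message the two ciphertexts differ."""
    return encrypt(key, command) != encrypt(key, command)


def keystream_reuse_leaks_xor(key: bytes, m1: bytes, m2: bytes) -> bool:
    """Reusing key+IV means c1 XOR c2 == m1 XOR m2: the keystream cancels out."""
    fixed_iv = b"\x00" * IV_LEN
    c1 = encrypt(key, m1, fixed_iv)[IV_LEN:]
    c2 = encrypt(key, m2, fixed_iv)[IV_LEN:]
    return xor(c1, c2) == xor(m1, m2)


def build_message(mac_key: bytes, enc_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Wire format (constructed for this demo):
    nonce(16) || seq(4, big-endian) || iv || ciphertext || tag(32),
    where tag = HMAC-SHA256(mac_key, everything before the tag)."""
    body = secrets.token_bytes(16) + struct.pack(">I", seq) + encrypt(enc_key, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


class Receiver:
    """Accepts each authenticated message at most once for the life of the session
    key: the nonce set catches exact replays, the monotonic sequence counter catches
    old messages resent out of order."""

    def __init__(self, mac_key: bytes, enc_key: bytes) -> None:
        self.mac_key = mac_key
        self.enc_key = enc_key
        self.seen_nonces: set = set()
        self.last_seq = -1

    def accept(self, msg: bytes) -> Optional[bytes]:
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or corrupted: reject before touching state
        nonce = body[:16]
        seq = struct.unpack(">I", body[16:20])[0]
        if nonce in self.seen_nonces or seq <= self.last_seq:
            return None  # replay within the session-key lifetime
        self.seen_nonces.add(nonce)
        self.last_seq = seq
        return decrypt(self.enc_key, body[20:])


def replay_demo():
    """Send one constructed command, then resend the identical bytes."""
    mac_key, enc_key = secrets.token_bytes(32), secrets.token_bytes(32)
    rx = Receiver(mac_key, enc_key)
    msg = build_message(mac_key, enc_key, 1, b"set_brightness:100")
    return rx.accept(msg), rx.accept(msg)  # (b"set_brightness:100", None)


if __name__ == "__main__":
    k = secrets.token_bytes(32)
    print("fixed IV collides:", fixed_iv_ciphertexts_collide(k, b"turn_on"))
    print("XOR leak:", keystream_reuse_leaks_xor(k, b"turn_on ", b"turn_off"))
    print("replay demo:", replay_demo())
```

The receiver checks the tag before it records the nonce, so a corrupted or forged copy cannot burn a legitimate message's nonce; and because session keys in the Tapo case stay valid for 24 hours, the nonce set would have to be kept for that whole window, which is why the sequence counter is the cheaper primary defence in practice.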
New HiatusRAT malware campaign targeted the U.S. Department of Defense.

A new HiatusRAT malware campaign has targeted a server belonging to the U.S. Department of Defense. This is a significant shift, as the attacks were previously focused on organizations in Latin America and Europe. Researchers observed that a U.S. military procurement system and Taiwan-based organizations were targeted, and recommend that defense contractors exercise caution and monitor their networking devices for the presence of HiatusRAT.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
© 2021, TAFA HOLDINGS (S) PTE LTD. ALL RIGHTS RESERVED