Last week, breaches and cyberattacks occurred across several industries, from the public sector, football, IT services and software to healthcare. The devastating consequences of earlier data breaches and attacks have also been uncovered: Johnson Controls confirmed that a ransomware attack cost them $27 million and that corporate data was stolen, and Clorox confirmed that a ransomware attack has cost them $49 million. Malicious apps have been found on Google Play that contain malware that can steal your personal data, such as contacts and messages, and even record your phone calls. Furthermore, new vulnerabilities and patches have also been found and released. It is highly recommended not only to be aware of them but also to apply the updates as soon as possible. Read on for a quick summary of what happened this week in cybersecurity.

Football Australia investigating possible data breach: ticket buyers' personal data and players' contracts and documents reportedly exposed
Football Australia said it is investigating a possible data breach following the publication of a Cybernews report that the football governing body had potentially exposed ticket buyers' personal data and players' passports, contracts and other personal information, which may have been leaked online. Cybernews reported that Football Australia leaked secret keys that potentially open access to 127 buckets of data, as it left plain-text Amazon Web Services (AWS) keys (including secret keys) hardcoded into the HTML page of one of its subdomains. One publicly accessible bucket contained personal information, contracts and documents of football players. According to the researchers, the exposed data includes personally identifiable information of players, ticket purchase information, internal infrastructure details, and the source code and scripts of the digital infrastructure. The team believes that the most likely reason behind the leak is human error. Football Australia fixed the issue once informed of it, and is investigating.

Canada's foreign affairs department hit by a data breach

Global Affairs Canada (GAC), the foreign affairs department of the Canadian government, is investigating a data breach in its internal network. Early investigation indicated a data breach and unauthorised access to the personal information of users, including employees. The breach affected remote access to GAC's network, and several employees were asked to stop working remotely. It affected two internal drives, as well as the emails, calendars and contacts of several staff members. An email sent to staff members stated that GAC's internal systems were vulnerable between 30 December 2023 and 24 January 2024, and that the information of anyone using a Secure Integrated Global Network (SIGNET) laptop is possibly exposed. SIGNET is the secure network used by GAC.
It was found that the breach occurred because the Virtual Private Network (VPN) managed by Shared Services Canada was compromised. GAC is currently contacting those affected with mitigation measures to ensure that sensitive and personal information is secured. GAC has also stated that it will continue to take "several steps" to protect employees' personal information and safeguard its corporate networks, and is working with IT partners to restore full connectivity as soon as possible.

Cloudflare breach: hackers accessed source code and internal documents

Cloudflare disclosed that its internal Atlassian server was breached in a suspected nation-state attack. The hackers used stolen credentials to gain unauthorised access to the Atlassian server, and through it accessed some documentation and some of Cloudflare's source code. The breach occurred between 14 and 24 November 2023, and was detected on 23 November 2023. The company stated that the hackers were "sophisticated" and "operated in a thoughtful and methodical manner". As a precautionary measure, the company rotated more than 5,000 production credentials, physically segmented test and staging systems, performed forensic triage on 4,893 systems, and reimaged and rebooted all systems on its global network, including all Atlassian servers and machines accessed by the attackers. It was found that the attackers used one access token and three service account credentials that had been stolen during a previous compromise linked to Okta's October 2023 breach and that Cloudflare had failed to rotate. An estimated 76 source code repositories were exfiltrated; almost all related to how backups work, how the global network is configured and managed, how identity works at Cloudflare, remote access, and Cloudflare's use of Terraform and Kubernetes. The attackers also tried to break into Cloudflare's data centre in São Paulo but failed.
The company stated that, based on what the attackers accessed, it appears that they were seeking information about the architecture, security and management of its global network.

AnyDesk disclosed that hackers breached its production servers

AnyDesk, a remote access solution popular with enterprises, confirmed that it was the target of a cyberattack in which hackers gained access to its production systems; source code and private code signing keys were stolen during the attack. In a statement shared with BleepingComputer, AnyDesk said it first learned of the attack after detecting indications of an incident on its production servers. After conducting a security audit, it found that its systems were compromised and activated a response plan with CrowdStrike. It was found that the attackers stole source code and code signing certificates. In response, AnyDesk revoked security-related certificates and remediated or replaced systems as necessary. The company also reassured customers that AnyDesk is safe to use and that there is no evidence of end-user devices being affected by the attack. Out of caution, AnyDesk is revoking all passwords to its web portal and suggests changing similar or identical passwords used on other sites. AnyDesk stated that my.anydesk II went under maintenance, and that this maintenance is related to the cybersecurity incident. It is strongly recommended that all users switch to the new version of the software, as the old code signing certificate will soon be revoked.

Lurie Children's Hospital suffered a cyberattack: hospital forced to take its systems offline

Lurie Children's Hospital in Chicago was forced to take its IT systems offline after a cyberattack. This disrupted normal operations and, in some cases, delayed medical care.
On 1 February 2024, the hospital announced that it was actively responding to a cyberattack that forced it to take its network systems offline to prevent further spread. It is currently investigating the attack with the support of experts, and is working with law enforcement agencies. The hospital stated that the attack affected its internet, email and phone services, and its ability to access the MyChat platform. The hospital highly recommends that anyone with an emergency dial 911 or visit their nearest emergency department. Local media reported that, due to the attack, scheduled procedures have been delayed, ultrasound and CT scan results are unavailable, and prescriptions are being given in paper form. Furthermore, the hospital has reverted to a first-come, first-served basis, prioritising emergency situations.

Johnson Controls confirmed that the September 2023 ransomware attack cost $27 million and that corporate data was stolen

Johnson Controls International confirmed that a September 2023 ransomware attack cost the company $27 million in expenses, and that its corporate data was stolen. The attack forced the company to shut down large portions of its IT infrastructure, which affected customer-facing systems. The Dark Angels ransomware gang was behind the attack, claimed to have stolen over 27 TB of data, and demanded $51 million to delete the stolen data and provide a file decryptor. In a quarterly report filed with the US SEC, the company confirmed that it suffered a ransomware attack that resulted in data being exfiltrated, and that the expenses associated with responding to and remediating the cyberattack totalled $27 million. Johnson Controls expects this cost to rise, as it is still investigating what type of data was stolen and is still working with external cybersecurity forensics and remediation experts.

Clorox confirmed that the August 2023 cyberattack cost $49 million
Clorox disclosed in a report filed with the SEC that the August 2023 cyberattack, which caused significant disruption to its operations and ultimately affected its consumer products, had cost it $49 million by the end of 2023. According to its 2024 Q2 quarterly report, the costs incurred related to third-party consulting services, including IT recovery and forensic experts and other professional services to investigate and remediate the attack, as well as incremental operating costs incurred from the resulting disruption to its business operations. Clorox acknowledged that it is still working to recover from the attack and expects to incur further attack-related costs in the future.

More malicious Android apps with malware found on Google Play

An Android remote access trojan (RAT) known as VajraSpy was found in 12 malicious apps, 6 of which were available on Google Play from 1 April 2021 to 10 September 2023. They have since been removed from Google Play. These malicious apps were disguised as messaging or news apps. Once installed, they steal personal data such as contacts and messages and, depending on the permissions granted, can even record phone calls. ESET researchers found the 12 Android apps; the 6 uploaded to Google Play were downloaded roughly 1,400 times. The apps that were available on Google Play are: Rafaqat, Privee Talk, MeetMe, Let's Chat, Quick Chat and Chit Chat. The VajraSpy apps available outside Google Play are also malicious: Hello Chat, Yahoo Talk, TikTalk, Nidus, GlowChat and Wave Chat.

CISA orders federal agencies to disconnect Ivanti VPN appliances by Saturday due to multiple exploited vulnerabilities

CISA has ordered U.S. federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances vulnerable to multiple actively exploited bugs before Saturday.
This required action is part of the first emergency directive of 2024, issued last week, which mandates Federal Civilian Executive Branch agencies to urgently secure all Ivanti Connect Secure (ICS) and Policy Secure (IPS) devices on their networks against 2 zero-day flaws, in response to extensive active exploitation in the wild by multiple threat actors. Ivanti appliances are currently being targeted via two vulnerabilities (CVE-2023-46805 and CVE-2024-21887). The company has also warned of a third actively exploited zero-day (CVE-2024-21893). On Wednesday, Ivanti released security patches for some software versions affected by the three flaws, and also provided mitigation instructions for devices that do not yet have a patch. On 31 January, Ivanti strongly recommended that customers factory reset vulnerable appliances before patching, to prevent attackers from persisting on the network across software upgrades.

Mastodon critical vulnerability allows attackers to impersonate and take over accounts

Mastodon, a free and decentralised social networking platform, has fixed a critical vulnerability (tracked as CVE-2024-23932) that allows attackers to impersonate and take over accounts. The flaw stems from insufficient origin validation in Mastodon, which allows attackers to impersonate users and take over their accounts. The flaw was rated 9.4, and affects all Mastodon versions before 3.5.17, 4.0.13, 4.1.13 and 4.2.5. The patch was released on 2 February 2024, and all Mastodon server administrators are strongly advised to upgrade as soon as possible to protect their users. Updating to the latest version is important because this flaw can be leveraged to completely compromise Mastodon servers, giving attackers access to sensitive user information and communications and the ability to plant backdoors.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
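As an added example tied to the Football Australia item above (not code from the original roundup, from Cybernews or from Football Australia): a small scanner that flags AWS access key IDs and labelled secret access keys embedded in a published HTML page, the failure mode behind that leak. It runs over a constructed sample page whose key values are the placeholder credentials from the AWS documentation, not live keys.

```python
import re

# AWS access key IDs are 20 characters: a four-letter prefix (AKIA for long-lived
# IAM user keys, ASIA for temporary STS keys) followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 base64-like characters. Alone that is too generic to
# flag, so require a nearby "secret ... key" label (secretAccessKey, aws_secret_key, ...).
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws[_-]?)?secret[_-]?(?:access[_-]?)?key[\"']?\s*[:=]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample page (not Football Australia's real page). The key values are
# the well-known placeholder credentials from the AWS documentation.
SAMPLE_HTML = """<html><head><script>
var config = {
  region: "ap-southeast-2",
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
};
</script></head><body><p>Buy tickets</p></body></html>"""

CLEAN_HTML = "<html><body><p>No credentials here</p></body></html>"


def redact(value: str) -> str:
    """Keep only the ends of a secret so a finding can be reported without re-leaking it."""
    return value[:4] + "..." + value[-4:]


def find_aws_credentials(page: str) -> list[tuple[int, str, str]]:
    """Scan page text line by line; return (line_no, kind, redacted_value) for each hit."""
    findings = []
    for line_no, line in enumerate(page.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((line_no, "access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((line_no, "secret_access_key", redact(m.group(1))))
    return findings


if __name__ == "__main__":
    # Run over the constructed sample; in practice feed it the HTML and JS you publish.
    for line_no, kind, value in find_aws_credentials(SAMPLE_HTML):
        print(f"line {line_no}: {kind} {value}")
```

A hit on a public page should be treated as a live leak: rotate the key in IAM first, then remove it from the page, since anyone who fetched the HTML already has it.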
© 2021, TAFA HOLDINGS (S) PTE LTD. ALL RIGHTS RESERVED