Last week, breaches and cyberattacks hit organisations across several industries, from mining, media and entertainment, telecommunications and automotive retail to the healthcare sector. In addition, 361 million stolen email addresses that were leaked on Telegram have been added to Have I Been Pwned, and LastPass suffered an almost 12-hour outage caused by a bad update to its Google Chrome extension. Zyxel has also released emergency patches for critical vulnerabilities in end-of-life NAS devices; owners should not only be aware of them but apply the updates as soon as possible. Read on for a quick summary of what happened this week in cybersecurity.

361 million stolen email addresses leaked on Telegram added to HIBP
361 million email addresses, many accompanied by passwords, were harvested through password-stealing malware and credential stuffing attacks and then leaked in numerous Telegram cybercrime channels. They have now been added to the Have I Been Pwned (HIBP) data breach notification service, which lets anyone check whether their email address appears in the leaked data. The researchers who shared 122 GB of credentials with Troy Hunt, the owner of HIBP, said they collected them from many Telegram channels. According to Hunt, the data set is massive: 151 million of the email addresses had not previously been seen by HIBP. Alongside the addresses were passwords and, in many cases, the website the credentials belonged to. Because a credential captured by info-stealer malware was a working password at the time it was taken, anyone listed should reset that password everywhere it was reused, not only on the named site.

Major London hospitals impacted by ransomware attack

Major hospitals in London have declared a critical incident after a cyberattack led to operations being cancelled and emergency patients being diverted elsewhere. On Monday, Synnovis, a provider of pathology and diagnostic services, fell victim to the attack. Because Synnovis supplies these services to King’s College Hospital and Guy’s and St Thomas’ (including the Royal Brompton and the Evelina London Children’s Hospital), all of them were affected. Professor Ian Abbs, CEO of Guy’s and St Thomas’ NHS Foundation Trust, said the Synnovis ransomware attack had a major impact on service delivery, with blood transfusions particularly affected, and that some activity had to be cancelled or redirected to other providers. The impacted hospitals have also cancelled some procedures, including surgeries, or redirected them to other providers because they could not be performed “safely”. The NHS said emergency care remains available; however, urgent and emergency care at the affected hospitals will likely be disrupted as quick-turnaround blood test results are no longer available. GP services across the Bexley, Greenwich, Lewisham, Bromley, Southwark and Lambeth boroughs have also been affected.
An alert on Synnovis’ customer service portal warns that all of its systems are currently inaccessible due to issues at its data centre. The NHS apologised for the inconvenience and said it is working with the National Cyber Security Centre to understand the impact of the attack.

Multiple high-profile TikTok accounts hijacked via zero-day vulnerability

Over the past week, attackers have hijacked the high-profile TikTok accounts of several companies and celebrities by exploiting a zero-day vulnerability in TikTok’s direct messages feature. Accounts belonging to Sony, CNN and others had to be taken down after being compromised, to prevent further abuse. As Forbes reported, the attack is delivered through DMs: targets only needed to open the malicious message to be compromised, without downloading a payload or clicking an embedded link. TikTok spokesperson Jason Grosse said the company has taken measures to stop this attack from recurring and is working directly with affected account owners to restore access. According to TikTok’s initial analysis, only a “small number” of accounts were compromised, although the company has not disclosed the exact number of affected users and will not share details of the exploited vulnerability until the underlying flaw is fixed. Because the compromise requires no action beyond opening the message, there is little users can do beyond treating unsolicited DMs with caution until TikTok ships the fix.

Australian mining company Northern Minerals discloses a data breach: some of its stolen data published on the dark web

Northern Minerals issued a statement on 4 June warning of a data breach in which some of its stolen data was published on the dark web. The stolen data included corporate, operational and financial information, some details of current and former personnel, and some shareholder information. The company said it has informed the relevant authorities and that impacted individuals will be notified via personalised notices.
On 3 June, the BianLian ransomware group claimed responsibility for the attack by adding Northern Minerals to its extortion site. The data published there includes operational details, documents on Australian and foreign projects, research and development data, financial information, employees’ personal data, data on shareholders and potential investors, and the email archives of Northern Minerals’ chairman, executive director and CFO.

Frontier Communications warns 750,000 customers of a data breach

Frontier Communications is warning 750,000 customers that their information was exposed in a data breach, following an April cyberattack that the RansomHub ransomware operation has since claimed. The attack allowed the hackers to access customers’ personal information stored on Frontier’s systems. The sample notice submitted to the Office of the Maine Attorney General redacts the types of data exposed, but the filing confirms that the full names and social security numbers of 751,895 customers were compromised. The telco said no financial information was exposed and that the relevant authorities have been informed. An investigation into the impact of the breach is under way, and additional measures have been implemented to strengthen network security. Furthermore, the company is offering affected customers one year of credit monitoring and identity theft protection services. Frontier has not shared many details about the incident, but at the time it had to shut down some of its systems to contain the attack. The notifications come after RansomHub claimed responsibility on 4 June and threatened to leak 5 GB of data allegedly stolen during the attack, which it says contains the information of 2 million customers. The group posted a screenshot showing customer records with full name, date of birth, physical address, social security number, email address, subscription status and service notes.
Frontier customers should be vigilant against unsolicited communications, reset their account passwords and monitor their bank statements. Since a leaked social security number cannot be rotated, a credit freeze or fraud alert is the control that actually limits the damage here.

Club Penguin fans breached Disney’s Confluence server and stole 2.5 GB of data

Club Penguin fans hacked Disney’s Confluence server, which stores documentation for various business, software and IT projects used internally at Disney, and stole 2.5 GB of internal corporate data. This week, an anonymous user posted a link to “Internal Club Penguin PDFs” on the 4chan message board; the link leads to a 415 MB archive containing 137 PDFs of old internal Club Penguin material, including emails, design schematics, documentation and character sheets. According to an anonymous source, Disney’s Confluence servers were breached using previously exposed credentials. The source said the threat actors were initially looking for Club Penguin data, but ended up downloading 2.5 GB of data about Disney’s corporate strategies, advertising plans, Disney+, internal developer tools, business projects and internal infrastructure. The data, seen by BleepingComputer, included documentation on a wide range of initiatives and projects, as well as information on internal developer tools named Helios and Communicore that had not previously been disclosed publicly. Although the Club Penguin data is fairly old, the rest of the data circulating on Discord is far newer, with information from 2024. Disney has yet to respond to questions about the breach.

Advance Auto Parts data for sale after Snowflake attack

A threat actor is selling 3 TB of data allegedly stolen from Advance Auto Parts, a leading automotive aftermarket parts provider, after breaching the company’s Snowflake account.
According to the threat actor, the massive archive taken from Advance’s Snowflake cloud environment includes 380 million customer profiles (name, email, mobile and phone number, address and more), 140 million customer orders, 44 million loyalty/gas card numbers with customer details, auto parts and part numbers, sales history, job applicant information including SSNs, driver’s licence numbers and demographic information, and transaction tender details. BleepingComputer was able to confirm that a large number of the customer records are legitimate. The threat actor is asking $1.5 million for the data and says it was stolen in the recent campaign targeting customers of the cloud data platform Snowflake, adding that Advance is not the only Snowflake customer whose data was exfiltrated.

New York Times source code stolen from its GitHub repositories and leaked online

The New York Times has confirmed that internal source code and data were stolen from its GitHub repositories in January 2024 and leaked on the 4chan message board. As first spotted by VX-Underground, the data was leaked on Thursday by an anonymous user who posted a torrent for a 273 GB archive of the stolen material, all of it source code belonging to the Times. The threat actor claims the archive holds around 5,000 repositories (fewer than 30 of which are believed to be additionally encrypted) and 3.6 million files in total. The threat actor shared a text file with BleepingComputer containing a complete list of 6,223 folders taken from the NYT’s GitHub account. The folder names indicate that a wide variety of material was stolen, including IT documentation, infrastructure tools and source code, allegedly including that of the viral Wordle game.
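Two of this week’s stories come back to leaked credentials rather than software exploits: Disney’s Confluence server was opened with previously exposed credentials, and the Times lost the contents of its GitHub account. As an added illustration (not code from the article, nor from Disney, the Times or GitHub), the Python below scans text for strings shaped like GitHub tokens and discards obvious placeholders by entropy, which is the kind of check a pre-commit hook or CI step would run before a file lands in a shared repository. The token prefixes and lengths follow GitHub’s published token formats; the entropy threshold and the sample config are assumptions, and the tokens in the sample were made up for this example and were never valid.

```python
import math
import re
from collections import Counter

# GitHub token shapes, per GitHub's published token formats (assumed here, not stated in
# the article): ghp_ (classic PAT), gho_ (OAuth), ghu_ / ghs_ (GitHub App user/server),
# ghr_ (refresh) are followed by 36 base62 characters; fine-grained PATs begin with
# github_pat_ and are 93 characters in total. Each entry: (regex, length of the prefix).
TOKEN_PATTERNS = {
    "github_classic": (re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b"), 4),
    "github_fine_grained": (re.compile(r"\b(github_pat_[A-Za-z0-9_]{82})\b"), 11),
}

# Assumed cut-off in bits per character. A real token drawn from a 62-symbol alphabet
# lands near 5 bits/char; documentation placeholders such as ghp_xxxx... or digit runs
# land well below 3.5.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    n = len(s)
    return sum(-(c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(token: str) -> str:
    """Keep the prefix and a 4-character tail so a finding can be reported without re-leaking it."""
    return f"{token[:7]}...{token[-4:]}"


def find_github_tokens(text: str, min_entropy: float = ENTROPY_THRESHOLD) -> list[dict]:
    """Scan text line by line for GitHub-shaped tokens whose random part has enough entropy.

    Returns one dict per finding: line number, token kind, redacted token and entropy.
    Low-entropy matches (placeholders) are dropped rather than reported.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, (pattern, prefix_len) in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(1)
                entropy = shannon_entropy(token[prefix_len:])
                if entropy < min_entropy:
                    continue  # looks like a placeholder, not a secret
                findings.append(
                    {"line": lineno, "kind": kind, "redacted": redact(token), "entropy": round(entropy, 2)}
                )
    return findings


# Constructed sample: a pretend deployment config with one realistic-looking token and two
# placeholders. Every value here was made up for this example and was never a valid token.
SAMPLE = """\
# deploy.yml (constructed example)
env:
  GH_TOKEN: ghp_k7Qp2ZxR9vLm4TbW8nYc3HsD6fJg1AeUo5Ki
  EXAMPLE_TOKEN: ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  PLACEHOLDER: ghp_123456789012345678901234567890123456
# notes: rotate ghs_ tokens quarterly
"""

if __name__ == "__main__":
    for f in find_github_tokens(SAMPLE):
        print(f"line {f['line']}: {f['kind']} {f['redacted']} (entropy {f['entropy']} bits/char)")
```

Run it directly to list the findings for the embedded sample; in a hook you would feed it the staged diff instead and fail the commit when the list is non-empty. Redacting findings matters: a scanner that echoes the full token into CI logs recreates the exposure it was meant to catch.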
A ‘readme’ file in the archive states that the threat actor used an exposed GitHub token to access the company’s repositories and steal the data. The NYT said the breach occurred in January 2024 after credentials for a cloud-based third-party code platform were exposed, and confirmed that the platform was GitHub. The company said the breach did not affect its internal corporate systems or its operations. A personal access token that ends up in a repository, a CI log or a config file grants whoever finds it the same access as its owner, with no password or MFA prompt; scanning commits for token patterns before they land, and rotating any token that surfaces, is the standard counter-measure.

LastPass says almost 12-hour outage was caused by a bad update to its Google Chrome extension

On 6 June, LastPass users were unable to access their password vaults or log into their accounts and were seeing “404 Not Found” errors. Later that day, LastPass said on its status page that the issue was resolved and that the almost 12-hour outage was caused by a bad update to the Chrome extension, which led to load issues on its backend infrastructure. Throughout Friday, LastPass reported that performance was stable and operational; however, users continued to complain that since installing the 6 June update they have been unable to log into LastPass, or that certain features did not work. It is unclear what changes to the Chrome extension caused this effect, but it is likely that the extension was issuing far too many requests, effectively DDoSing the platform from its own user base.

Zyxel releases emergency security update for 3 critical vulnerabilities in end-of-life NAS devices

Zyxel Networks has released an emergency security update to address three critical vulnerabilities in older NAS devices that have reached end-of-life. The flaws affect NAS326 running firmware versions 5.21(AAZF.16) and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and earlier. The three patched vulnerabilities allow attackers to perform command injection and remote code execution; two further vulnerabilities, allowing privilege escalation and information disclosure, were not fixed in the end-of-life products.
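Zyxel’s affected-version list above is the kind of thing that has to be turned into a fleet check, and its version strings (for example V5.21(AAZF.16)C0) do not sort as plain dotted numbers. The Python below is an added example, not Zyxel’s code or tooling: it parses that format and flags inventory entries at or below the last affected build named in the roundup for each model code. The grammar (optional leading V, major.minor, model code and build in parentheses, optional trailing tag that is ignored for ordering) and the sample inventory are assumptions; the newer firmware string in the sample exists only to exercise the comparison and is not a statement of which build Zyxel shipped as the fix.

```python
import re
from typing import NamedTuple, Optional


class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    model_code: str  # firmware family code, e.g. AAZF (NAS326) or ABAG (NAS542)
    build: int
    tag: str  # trailing tag such as C0; assumed not to affect ordering


# Assumed grammar for strings such as "V5.21(AAZF.16)C0" or "5.21(ABAG.13)".
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)(\w*)$")


def parse_version(s: str) -> ZyxelVersion:
    """Parse a Zyxel NAS firmware version string; raise ValueError on anything else."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {s!r}")
    major, minor, code, build, tag = m.groups()
    return ZyxelVersion(int(major), int(minor), code, int(build), tag)


# Last affected builds as stated in the roundup: NAS326 up to 5.21(AAZF.16),
# NAS542 up to 5.21(ABAG.13). Anything at or below these is vulnerable.
LAST_AFFECTED = {
    "AAZF": parse_version("5.21(AAZF.16)"),
    "ABAG": parse_version("5.21(ABAG.13)"),
}


def is_affected(version_string: str) -> Optional[bool]:
    """True if at or below the last affected build for the model code, False if newer,
    None if the model code is not one of the two NAS families in scope."""
    v = parse_version(version_string)
    ceiling = LAST_AFFECTED.get(v.model_code)
    if ceiling is None:
        return None
    return (v.major, v.minor, v.build) <= (ceiling.major, ceiling.minor, ceiling.build)


# Constructed sample inventory: (hostname, model, firmware as reported by the device).
INVENTORY = [
    ("nas-finance", "NAS326", "V5.21(AAZF.16)C0"),
    ("nas-backup", "NAS326", "V5.21(AAZF.17)C0"),  # newer build, only to exercise the comparison
    ("nas-media", "NAS542", "V5.21(ABAG.13)C0"),
    ("nas-lab", "NAS542", "V5.20(ABAG.9)C0"),
    ("nas-other", "other", "V5.21(ZZZZ.11)C0"),  # made-up model code outside this advisory
]


def triage(inventory) -> list[tuple[str, str, str]]:
    """Return (hostname, firmware, verdict) per device; verdicts are 'patch now',
    'not affected' or 'out of scope' (unparseable strings become 'unknown')."""
    rows = []
    for host, _model, fw in inventory:
        try:
            affected = is_affected(fw)
        except ValueError:
            verdict = "unknown"
        else:
            verdict = {True: "patch now", False: "not affected", None: "out of scope"}[affected]
        rows.append((host, fw, verdict))
    return rows


if __name__ == "__main__":
    for host, fw, verdict in triage(INVENTORY):
        print(f"{host:12} {fw:20} {verdict}")
```

The comparison is done on (major, minor, build) after matching the model code, so a 5.20 build is correctly treated as older than 5.21(AAZF.16) even though its build number may be higher; anything the parser does not recognise is surfaced as unknown rather than silently marked safe.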
The three vulnerabilities fixed by Zyxel are CVE-2024-29972, CVE-2024-29973 and CVE-2024-29974. Although both NAS models reached the end of their support period on 31 December 2023, Zyxel released fixes for the three critical vulnerabilities because of their severity. Zyxel has not observed the vulnerabilities being exploited in the wild, but public proof-of-concept exploits now exist, so owners should apply the security updates as soon as possible. Given that two flaws remain unpatched on these end-of-life models, owners should also avoid exposing the devices directly to the internet and plan their replacement.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
© 2021, TAFA HOLDINGS (S) PTE LTD. ALL RIGHTS RESERVED