Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Breach. Show all posts
Webshell
Authentication Breach CVE202531324 Cybersecurity malware NetWeaver Patch SAP servers VisualComposer Vulnerability Webshell

Over 1,200 SAP Instances Exposed to Critical Vulnerability Exploited in the Wild

 

Security researchers have issued a warning about a severe vulnerability affecting SAP systems, with over 1,200 instances potentially exposed to remote exploitation. This comes after SAP disclosed a critical flaw in the NetWeaver Visual Composer’s Metadata Uploader earlier this week.

The NetWeaver Visual Composer is a development environment designed for building web-based business applications without coding. It is widely used to develop dashboards, forms, and interactive reports. The Metadata Uploader enables developers to import external metadata into the platform, establishing connections with remote data sources such as databases, web services, and other SAP systems.

SAP has identified the vulnerability as CVE-2025-31324, assigning it the highest severity rating of 10 out of 10. The flaw arises due to a lack of authentication in the Metadata Uploader, allowing attackers to upload malicious files without needing authorization.

Cybersecurity company Keeper, known for its password management and digital vault solutions, highlights the growing need for secure authentication frameworks. The platform utilizes zero-knowledge encryption and provides tools such as two-factor authentication, secure storage, dark web monitoring, and breach alerts.

Upon discovering the issue, SAP first released a workaround, followed by a comprehensive patch in late April. The company is now urging all users to implement the fix immediately. Multiple cybersecurity firms — including ReliaQuest, watchTowr, and Onapsis — have observed real-world exploitation of the flaw. According to reports, attackers have been using it to deploy web shells on compromised servers.

SAP, however, stated to BleepingComputer:

"It is not aware of any attacks that impacted customer data or systems."

There is some discrepancy in the actual number of affected systems. While the Shadowserver Foundation identified 427 exposed servers, Onyphe reports as many as 1,284 vulnerable SAP instances, with 474 already compromised.
Read more »
Ransomware
Akira Attack Breach Cloud Cybersecurity Data Encryption Extortion FBI Hitachi malware Ransomware

Hitachi Vantara Takes Servers Offline Following Akira Ransomware Attack

 

Hitachi Vantara, a subsidiary of Japan's Hitachi conglomerate, temporarily shut down several servers over the weekend after falling victim to a ransomware incident attributed to the Akira group.

The company, known for offering data infrastructure, cloud operations, and cyber resilience solutions, serves government agencies and major global enterprises like BMW, Telefónica, T-Mobile, and China Telecom.

In a statement to BleepingComputer, Hitachi Vantara confirmed the cyberattack and revealed it had brought in external cybersecurity specialists to assess the situation. The company is now working to restore all affected systems.

“On April 26, 2025, Hitachi Vantara experienced a ransomware incident that has resulted in a disruption to some of our systems," Hitachi Vantara told BleepingComputer.

"Upon detecting suspicious activity, we immediately launched our incident response protocols and engaged third-party subject matter experts to support our investigation and remediation process. Additionally, we proactively took our servers offline in order to contain the incident.

We are working as quickly as possible with our third-party subject matter experts to remediate this incident, continue to support our customers, and bring our systems back online in a secure manner. We thank our customers and partners for their patience and flexibility during this time."

Although the company has not officially attributed the breach to any specific threat actor, BleepingComputer reports that sources have linked the attack to the Akira ransomware operation. Insiders allege that the attackers exfiltrated sensitive data and left ransom notes on infiltrated systems.

While cloud services remained unaffected, sources noted that internal platforms at Hitachi Vantara and its manufacturing arm experienced disruption. Despite these outages, clients operating self-hosted systems are still able to access their data.

A separate source confirmed that several government-led initiatives have also been impacted by the cyberattack.

Akira ransomware first appeared in March 2023 and swiftly became notorious for targeting a wide range of sectors worldwide. Since its emergence, the group has reportedly compromised more than 300 organizations, including high-profile names like Stanford University and Nissan (in Oceania and Australia).

The FBI estimates that Akira collected over $42 million in ransom payments by April 2024 after infiltrating over 250 organizations. According to chat logs reviewed by BleepingComputer, the gang typically demands between $200,000 and several million dollars, depending on the scale and sensitivity of the targeted entity.

Keywords: ransomware, cybersecurity, Hitachi, Akira, cloud, breach, data, FBI, malware, attack, encryption, extortion, hacking, disruption, recovery, infrastructure, digital, protection
Read more »
Ransomware
Breach Compliance Cybersecurity Data Breach DaVita dialysis Healthcare Hospital incident ITsecurity patientcare Ransomware

DaVita Faces Ransomware Attack, Disrupting Some Operations but Patient Care Continues

 

Denver-headquartered DaVita Inc., a leading provider of kidney care and dialysis services with more than 3,100 facilities across the U.S. and 13 countries, has reported a ransomware attack that is currently affecting parts of its network. The incident, disclosed to the U.S. Securities and Exchange Commission (SEC), occurred over the weekend and encrypted select portions of its systems.

"Upon discovery, we activated our response protocols and implemented containment measures, including proactively isolating impacted systems," DaVita stated in its SEC filing.

The company is working with third-party cybersecurity specialists to assess and resolve the situation, and has also involved law enforcement authorities. Despite the breach, DaVita emphasized that patient care remains ongoing.

"We have implemented our contingency plans, and we continue to provide patient care," the company noted. "However, the incident is impacting some of our operations, and while we have implemented interim measures to allow for the restoration of certain functions, we cannot estimate the duration or extent of the disruption at this time," the company said.

With the investigation still underway, DaVita acknowledged that "the full scope, nature and potential ultimate impact on the company are not yet known."

Founded 25 years ago, DaVita reported $12.82 billion in revenue in 2024. The healthcare giant served over 281,000 patients last year across 3,166 outpatient centers, including 750+ hospital partnerships. Of these, 2,657 centers are in the U.S., with the remaining 509 located in countries such as Brazil, Germany, Saudi Arabia, Singapore, and the United Kingdom, among others. DaVita also offers home dialysis services.

Security experts warn that the scale of the incident could have serious implications.

"There is potential for a very large impact, given DaVita’s scale of operations," said Scott Weinberg, CEO of cybersecurity firm Neovera. "If patient records were encrypted, sensitive data like medical histories and personal identifiers might be at risk. DaVita has not reported data exfiltration, so it’s not clear if data was stolen or not."

Weinberg added, "For dialysis patients needing regular treatments to survive, this attack is extremely serious. Because of disrupted scheduling or inaccessible records, this could lead to health complications. Ransomware disruptions in healthcare may lead to an increase in mortality rates, especially for time-sensitive treatments such as dialysis."

The breach may also bring regulatory challenges due to DaVita’s international footprint.

"Regulations can differ with respect to penalties and reporting requirements after a breach based on the country and even the state in which the patients live or were treated," said Erich Kron, security awareness advocate at KnowBe4.

"A serious cybersecurity incident that affects individuals in multiple countries can be a legal nightmare for some organizations," Kron said. "However, this is something that organizations should plan for and be prepared for prior to an event ever happening. They should already know what will be required to meet regulatory standards for the regions in which they operate."

In a separate statement to Information Security Media Group, DaVita added, "We have activated backup systems and manual processes to ensure there's no disruption to patient care. Our teams, along with external cybersecurity experts, are actively investigating this matter and working to restore systems as quickly as possible."

This cyberattack mirrors similar recent disruptions within the healthcare industry, which continues to be a frequent target.

"The healthcare sector is always considered a lucrative target because of the serious sense of urgency whenever IT operations are disrupted, not to mention potentially disabled," said Jeff Wichman, director of incident response at Semperis. "In case of ransomware attacks, this serves as another means to pressure the victim into paying a ransom."

He added, "At this time, if any systems administering dialysis have been disrupted, the clinics and hospitals within DaVita’s network are most certainly operating machines manually as a last resort and staff are working extremely hard to ensure patient care doesn’t suffer. If any electronic machines in their network are down, the diligence of staff will fill the gaps until electronic equipment is restored."

DaVita joins a growing list of specialized healthcare providers facing cybersecurity breaches in 2025. Notably, Community Care Alliance in Rhode Island recently reported a hack that impacted 115,000 individuals.

In addition, DaVita has previously disclosed multiple health data breaches. The largest, in July 2024, affected over 67,000 individuals due to unauthorized server access linked to the use of tracking pixels in its patient-facing platforms.
Read more »
VPN
Breach Cyber Security DomainControllers Hackers Ransomware Reconnaissance VPN

Majority of Human-Operated Cyberattacks Target Domain Controllers, Warns Microsoft

 

Microsoft has revealed that nearly 80% of human-operated cyberattacks involve compromised domain controllers, according to a recent blog post published on Wednesday. Alarmingly, in over 30% of these incidents, attackers use the domain controller—a central system in corporate IT networks—to spread ransomware across the organization.

A breached domain controller can give hackers access to password hashes for every user in the system. With these credentials, cybercriminals can identify and exploit privileged accounts, including those held by IT administrators. Gaining control of these accounts allows attackers to escalate their access levels.

"This level of access enables them to deploy ransomware on a scale, maximizing the impact of their attack," Microsoft stated.

One such attack, observed by the tech giant, involved a group known as Storm-0300. The hackers infiltrated a company’s systems by exploiting its virtual private network (VPN). After acquiring administrator credentials, they tried to access the domain controller through the remote desktop protocol (RDP). Once inside, they carried out a series of actions including reconnaissance, bypassing security measures, and escalating their privileges.

Despite the growing frequency of attacks, Microsoft emphasized the difficulty in protecting domain controllers due to their critical role in network management and authentication.

Defenders often face the challenge of “striking the right balance between security and operational functionality,” the blog noted.

To improve protection, Microsoft suggested enhancing domain controllers’ ability to differentiate between legitimate and malicious activity—an essential step toward minimizing server compromises.

Jason Soroko, senior fellow at cybersecurity firm Sectigo, stressed the importance of proactive security measures.

"Ultimately, even the most advanced defense mechanisms may falter if misconfigured or if legacy systems create vulnerabilities. Hence, vigilant customer-side security practices are critical to fortifying these systems against modern cyberthreats," Sectigo said.

While Microsoft offers strong protective tools, their success hinges on users maintaining up-to-date systems and activating features like multifactor authentication.


Read more »
SparkCat
Android app removal Apple Breach Cyber Security Cybersecurity Data Google iOS malware SparkCat

Apple and Google Remove 20 Apps Infected with Data-Stealing Malware


Apple and Google have removed 20 apps from their respective app stores after cybersecurity researchers discovered that they had been infected with data-stealing malware for nearly a year.

According to Kaspersky, the malware, named SparkCat, has been active since March 2024. Researchers first detected it in a food delivery app used in the United Arab Emirates and Indonesia before uncovering its presence in 19 additional apps. Collectively, these infected apps had been downloaded over 242,000 times from Google Play Store.

The malware uses optical character recognition (OCR) technology to scan text displayed on a device’s screen. Researchers found that it targeted image galleries to identify keywords associated with cryptocurrency wallet recovery phrases in multiple languages, including English, Chinese, Japanese, and Korean. 

By capturing these recovery phrases, attackers could gain complete control over victims' wallets and steal their funds. Additionally, the malware could extract sensitive data from screenshots, such as messages and passwords.

Following Kaspersky’s report, Apple removed the infected apps from the App Store last week, and Google followed soon after.

Google spokesperson Ed Fernandez confirmed to TechCrunch: "All of the identified apps have been removed from Google Play, and the developers have been banned."

Google also assured that Android users were protected from known versions of this malware through its built-in Google Play Protect security system. Apple has not responded to requests for comment.

Despite the apps being taken down from official stores, Kaspersky spokesperson Rosemarie Gonzales revealed that the malware is still accessible through third-party websites and unauthorized app stores, posing a continued threat to users.
Read more »
Ransomware
Breach Cyber Attacks CyberCrime Cybersecurity Data Hacking Insider Threat Ransom note Ransomware

Cybercriminals Entice Insiders with Ransomware Recruitment Ads

 

Cybercriminals are adopting a new strategy in their ransomware demands—embedding advertisements to recruit insiders willing to leak company data.

Threat intelligence researchers at GroupSense recently shared their findings with Dark Reading, highlighting this emerging tactic. According to their analysis, ransomware groups such as Sarcoma and DoNex—believed to be impersonating LockBit—have started incorporating these recruitment messages into their ransom notes.

A typical ransom note includes standard details about the company’s compromised state, data breaches, and backup destruction. However, deeper into the message, these groups introduce an unusual proposition:

"If you help us find this company's dirty laundry you will be rewarded. You can tell your friends about us. If you or your friend hates his boss, write to us and we will make him cry and the real hero will get a reward from us."

In another instance, the ransom note offers financial incentives:

"Would you like to earn millions of dollars $$$? Our company acquires access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VP, corporate email, etc."

The note then instructs interested individuals on how to install malicious software on their workplace systems, with communication facilitated via Tox messenger to maintain anonymity.

Kurtis Minder, CEO and founder of GroupSense, stated that while his team regularly examines ransom notes during incident response, the inclusion of these “pseudo advertisements” is a recent development.

"I've been asking my team and kind of speculating as to why this would be a good place to put an advertisement," said Minder. "I don't know the right answer, but obviously these notes do get passed around." He further noted that cybercriminals often experiment with new tactics, and once one group adopts an approach, others tend to follow suit.

For anyone tempted to respond to these offers, Minder warns of the significant risks involved: "These folks have no accountability, so there's no guarantee you would get paid anything. You trying to capitalize on this is pretty risky from an outcome perspective."

GroupSense continues to analyze past ransomware communications for any early signs of this trend. Minder anticipates discovering more instances of these ads in upcoming investigations.
Read more »
UnitedHealth cyberattack
Breach Change Healthcare data Data Breach Healthcare cybersecurity Medical Data breach Ransomware attack UnitedHealth cyberattack

UnitedHealth Confirms Change Healthcare Cyberattack Impacted 190 Million People

 

UnitedHealth Group has officially disclosed that the February ransomware attack on its subsidiary, Change Healthcare, affected approximately 190 million individuals in the U.S.—nearly twice the previously estimated figure.

The healthcare giant confirmed the revised number in a statement to TechCrunch on Friday, after market hours.

“Change Healthcare has determined the estimated total number of individuals impacted by the Change Healthcare cyberattack is approximately 190 million,” said Tyler Mason, a UnitedHealth spokesperson, in an email to TechCrunch. “The vast majority of those people have already been provided individual or substitute notice. The final number will be confirmed and filed with the Office for Civil Rights at a later date.”

UnitedHealth also stated that there is no evidence suggesting the stolen data has been misused. “The company is not aware of any misuse of individuals’ information as a result of this incident and has not seen electronic medical record databases appear in the data during the analysis,” the spokesperson added.

The cyberattack, which occurred in February 2024, stands as the most significant medical data breach in U.S. history. It led to prolonged disruptions across the healthcare sector. Change Healthcare, a leading health tech provider and claims processor, handles vast amounts of patient data, medical records, and insurance information.

Hackers behind the attack stole an extensive volume of sensitive health and insurance data, some of which was leaked online. Reports indicate that Change Healthcare paid at least two ransom payments to prevent further exposure of the compromised files.

Initially, UnitedHealth estimated the number of impacted individuals to be around 100 million when it filed a preliminary report with the Office for Civil Rights, a division of the U.S. Department of Health and Human Services that oversees data breaches.

According to Change Healthcare’s breach notification, the cybercriminals accessed and stole:

  • Names, addresses, phone numbers, and email addresses
  • Dates of birth and government-issued ID numbers (Social Security, driver’s license, passport)
  • Medical diagnoses, prescriptions, lab results, imaging, and treatment plans
  • Health insurance details
  • Financial and banking data related to patient claims
The breach has been attributed to the ALPHV ransomware group, a Russian-language cybercrime network. During congressional testimony, UnitedHealth CEO Andrew Witty revealed that attackers gained access through a stolen credential that lacked multi-factor authentication, highlighting a critical security lapse.

As the healthcare industry grapples with the aftermath, this breach underscores the urgent need for enhanced cybersecurity measures to safeguard sensitive medical data.


Read more »
Unauthorized
Breach Casio Cyber Attacks Cyberattack Cybersecurity Data Disruption losses restructuring services Unauthorized

Casio Hit by Cyberattack Causing Service Disruption Amid Financial Challenges

 

Japanese tech giant Casio recently experienced a cyberattack on October 5, when an unauthorized individual accessed its internal networks, leading to disruptions in some of its services.

The breach was confirmed by Casio Computer, the parent company behind the iconic Casio brand, recognized for its watches, calculators, musical instruments, cameras, and other electronic products.

"Casio Computer Co., Ltd. has confirmed that on October 5, its network was accessed by an unauthorized third party," the company revealed in a statement today. Following an internal review, the company discovered the unauthorized access led to system disruptions, which have caused some services to be temporarily unavailable. Casio mentioned it cannot provide further details at this stage, as investigations are still ongoing. The company is working closely with external specialists to assess whether personal data or confidential information was compromised during the attack.

Although the breach has disrupted services, Casio has yet to specify which services have been impacted.

The company reported the cyber incident to the relevant data protection authorities and quickly implemented measures to prevent further unauthorized access. BleepingComputer reached out to Casio for more information, but a response has not yet been provided.

So far, no ransomware group has claimed responsibility for the attack on Casio.

This attack comes nearly a year after a previous data breach involving Casio's ClassPad education platform, which exposed customer data from 149 countries, including names, email addresses, and other personal information.

The recent cyberattack adds to the company's challenges, as Casio recently informed shareholders of an expected $50 million financial loss due to significant personnel restructuring.
Read more »
US semiconductor manufacturer
Breach Data Microchip Technology attack Play ransomware ransomware cyberattack US semiconductor manufacturer

Play Ransomware Claims Attack on US Semiconductor Manufacturer Microchip Technology

 

The Play ransomware group has claimed responsibility for last week's cyberattack on the American semiconductor company Microchip Technology. On Tuesday, the group added Microchip Technology to its data leak site, as noted by multiple cybersecurity researchers. Play is notorious for its use of custom tools and double-extortion tactics, which involve both encrypting victims' files and threatening to release stolen data.

Microchip Technology reported last week that intruders had disrupted "certain servers and some business operations." Upon discovering the breach, the company took immediate steps to isolate the affected systems, shut down some services, and initiate an investigation.

Microchip Technology has not commented on the Play gang's involvement in the attack. The company produces products such as microcontrollers, embedded security devices, and radio frequency devices, which it supplies to sectors including automotive, industrial, aerospace, and defense. In 2024, its sales reached $7.6 billion.

The Play group typically gives its victims 72 hours to pay a ransom before making stolen data public. However, Kevin O’Connor, a researcher at U.S.-based cybersecurity firm Adlumin, noted that in this case, the timeline was extended, with Play claiming responsibility a week after Microchip Technology reported the incident to the SEC (Securities and Exchange Commission). O'Connor added that while it's not uncommon for ransomware groups to delay data release, it often indicates ongoing negotiations.

Adlumin's research suggests that the Play ransomware operation has significantly expanded over the past year, likely due to its shift to an affiliate model, complicating the attribution of attacks. O'Connor also mentioned that it's still unclear whether the core group or its affiliates were behind the attack on Microchip Technology.

Play ransomware was first identified in June 2022. The Cybersecurity and Infrastructure Security Agency (CISA) has reported that the group typically encrypts systems after data exfiltration, impacting various businesses and critical infrastructure organizations across North America, South America, Europe, and Australia. According to Trend Micro's research published in July, the majority of Play's attacks this year have been concentrated in the United States.
Read more »
US Cybersecurity
Breach CISA critical infrastructure risk Cyber Security Data Analytics Information Security supply chain attacks US Cybersecurity

CISA Investigates Sisense Breach: Critical Infrastructure at Risk

 

In the fast-paced landscape of cybersecurity, recent events have once again brought to light the vulnerabilities that critical infrastructure organizations face. The breach of data analytics company Sisense, under investigation by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), serves as a stark reminder of the importance of robust security measures in protecting sensitive data and systems. 

Sisense, a prominent American business intelligence software company, found itself at the center of a security incident impacting not only its own operations but also critical infrastructure sector organizations across the United States. 

With offices in New York City, London, and Tel Aviv, and a clientele including major players like Nasdaq, ZoomInfo, Verizon, and Air Canada, the breach sent shockwaves through the cybersecurity community. CISA's involvement underscores the severity of the situation, with the agency actively collaborating with private industry partners to assess the extent of the breach and its implications for critical infrastructure. 

As investigations unfold, the focus is on understanding the nature of the compromise and mitigating potential risks to affected organizations. In response to the breach, CISA has issued recommendations for all Sisense customers to reset any credentials and secrets that may have been exposed or used to access the company's platform and services.

This proactive measure aims to prevent further unauthorized access and protect sensitive information from exploitation. Sisense's Chief Information Security Officer, Sangram Dash, echoed CISA's advice in a message to customers, emphasizing the importance of promptly rotating credentials used within the Sisense application. This precautionary step aligns with best practices in cybersecurity, where rapid response and mitigation are essential to minimizing the impact of security incidents. 

Additionally, customers are urged to report any suspicious activity related to potentially exposed credentials or unauthorized access to Sisense services to CISA. This collaborative approach between organizations and government agencies is crucial in addressing cybersecurity threats effectively and safeguarding critical infrastructure from harm. The incident involving Sisense is not an isolated event. 

Similar supply chain attacks have targeted critical infrastructure organizations in the past, highlighting the need for heightened vigilance and resilience in the face of evolving cyber threats. One such attack, involving the 3CX breach a year ago, had far-reaching consequences, impacting power suppliers responsible for generating and distributing energy across the grid in the United States and Europe. 

As organizations grapple with the aftermath of the Sisense breach, lessons learned from this incident can inform future cybersecurity strategies. Proactive measures such as continuous monitoring, regular security assessments, and robust incident response plans are essential for mitigating risks and protecting critical infrastructure assets. 

The Sisense breach serves as a wake-up call for the cybersecurity community, emphasizing the interconnected nature of cyber threats and the imperative of collaboration in defending against them. By working together and adopting a proactive stance, organizations can bolster their defenses and safeguard critical infrastructure from cyber adversaries.
Read more »
online transactions
Adobe Breach Cyber Security E Commerce Magento online transactions

E-commerce Breach: Hackers Target Magento, Steal Payment Data

 




In a concerning development for e-commerce security, hackers have been discovered exploiting a critical flaw in the popular Magento platform, leaving numerous online stores vulnerable to data breaches. The vulnerability, identified as CVE-2024-20720 with a severity score of 9.1, was acknowledged and addressed by Adobe in security updates released on February 13, 2024.

The exploit involves injecting a persistent backdoor into e-commerce websites, allowing threat actors to execute arbitrary commands and potentially steal sensitive payment data. Security experts from Sansec revealed that attackers are utilising a cleverly crafted layout template stored in the database to automatically insert malicious code into the system.

By combining the Magento layout parser with the beberlei/assert package, hackers can execute system commands, particularly targeting the checkout cart section of affected websites. This malicious code, facilitated by the 'sed' command, enables the installation of a payment skimmer, designed to capture and transmit financial information to compromised Magento stores under the attackers' control.

This incident underlines the urgency for e-commerce businesses to promptly apply security patches provided by Magento to mitigate the risk of exploitation. Failure to do so could leave them susceptible to financial losses and reputational damage.

The exploitation of vulnerabilities within the Magento platform has become an ongoing concern within the realm of e-commerce security. Since its acquisition by Adobe in 2018 for a significant $1.68 billion, Magento has grown to power more than 150,000 online stores worldwide. However, this widespread adoption has inadvertently made it an enticing target for cybercriminals seeking to exploit weaknesses in its infrastructure. One notable example of such exploitation is the MageCart attacks, which have highlighted the persistent threat posed by outdated and unsupported versions of Magento.

Given the prevalence of these vulnerabilities, it is pivotal for online merchants to prioritise cybersecurity measures to safeguard their customers' sensitive data and uphold trust within the e-commerce ecosystem. This necessitates a proactive approach that includes regular software updates, the implementation of robust security protocols, and continuous monitoring for any suspicious activities.

Industry stakeholders are urged to collaborate closely to enhance cybersecurity resilience and protect the integrity of online transactions. By staying informed and proactive, businesses can effectively combat cyber threats and uphold the security of their e-commerce operations.



Read more »
Ransomware
Birmingham Breach Computer Hacking cyber attack Cyber Attacks Ransomware

Birmingham City Computers Breached by Hackers, Mayor Confirms

 



Birmingham Mayor Randall Woodfin’s office has officially acknowledged that the city’s computer systems fell victim to a cyberattack almost a month ago. The incident came to light in a memo sent to city employees, obtained by AL.com, confirming that hackers gained unauthorised access to the city’s networks.

Timeline of Events

The disruption was first noticed on March 6, prompting an immediate investigation into the unexpected activity that disrupted various computer systems. City officials are actively working to restore full functionality to the affected systems, although the investigation into the breach is ongoing. Rick Journey, the mayor’s communications director, emphasised the city’s commitment to ensuring the security of its network.

Impact on Operations

The cyberattack has caused significant disruptions, with employees resorting to pen and paper for tasks like timekeeping due to the network outage. Despite these challenges, critical public safety and public works services have remained unaffected. However, law enforcement agencies have faced limitations, including difficulties in accessing databases to check vehicle theft reports and outstanding warrants.

What Does It Mean for Employees?

Addressing concerns about payroll and employee compensation, city officials reassured employees that payroll processing will continue as scheduled. Payroll coordinators are available to address any individual questions or concerns regarding payment accuracy. Despite the disruption, city authorities are committed to ensuring that employees receive their salaries on time.

Response and Investigation

Following the breach, the city has enlisted the support of third-party specialists to investigate the extent of the disruption and its impact on operations. While specific details about the cyberattack remain limited due to the ongoing investigation, officials have stressed that the 911 emergency system remains fully functional.

A Potential Ransomware Attack 

Multiple government sources have indicated that the cyberattack is likely a ransomware attack, wherein hackers demand payment in exchange for restoring access to the city’s data. Despite the severity of the incident, city officials have reiterated that emergency services have not been compromised.

This incident dials on the mounting challenges municipalities face in safeguarding against cybersecurity breaches. As authorities delve deeper into the matter, concerted efforts are underway to bolster cybersecurity measures, emphasising the critical need to strengthen defences against potential future threats. 


Read more »
XZ Utils Library
Breach CISA advisory Data Breach LZMA Malicious actor Microsoft XZ Utils Library

Critical Security Alert Released After Malicious Code Found in XZ Utils

 

On Friday, Red Hat issued a high-priority security alert regarding a discovery related to two versions of a widely-used data compression library called XZ Utils (formerly known as LZMA Utils). It was found that these specific versions of the library contained malicious code intentionally inserted by unauthorized parties. 

This code was designed with the malicious intent of allowing remote access to systems without authorization. This unauthorized access can lead to serious security threats to individuals and organizations utilizing these compromised versions of the library, potentially leading to data breaches or other malicious activities. 

The discovery and reporting of the issue have been attributed to Microsoft security researcher Andres Freund. It was revealed that the malicious code, which was heavily obfuscated, was introduced through a sequence of four commits made to the Tukaani Project on GitHub. These commits were attributed to a user named Jia Tan (JiaT75). 

What XZ Utils Used For? 

XZ is a compression tool and library widely utilized on Unix-like systems such as Linux. It is renowned for its ability to significantly reduce file sizes while maintaining fast decompression speeds. This compression is achieved through the implementation of the LZMA (Lempel-Ziv-Markov chain algorithm) compression algorithm, which is well-regarded for its efficient compression ratios. 

Let’s Understand the Severity of the Attack 

The breach has garnered a critical CVSS score of 10.0, indicating the most severe level of threat. This vulnerability has been found to impact XZ Utils versions 5.6.0 and 5.6.1, which were released on February 24 and March 9, respectively. 

The Common Vulnerability Scoring System (CVSS) is a widely used tool in the cybersecurity sector, offering a standardized approach to evaluate the gravity of security vulnerabilities found in computer systems. Its main objective is to aid cybersecurity experts in prioritizing the resolution of these vulnerabilities based on their urgency. 

"Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code," an IBM subsidiary reported. 

Additionally, Red Hat clarified that while no versions of Red Hat Enterprise Linux (RHEL) are affected by this security flaw, evidence indicates successful injections within xz 5.6.x versions designed for Debian unstable (Sid). It is also noted that other Linux distributions may potentially be impacted by this vulnerability. 

In response to the security breach, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has taken action by issuing its own alert.  "CISA and the open source community are responding to reports of malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1. This activity was assigned CVE-2024-3094. XZ Utils is data compression software and may be present in Linux distributions. The malicious code may allow unauthorized access to affected systems".  

CISA is advising users to downgrade their XZ Utils installations to a version unaffected by the compromise. Specifically, they recommend reverting to an uncompromised version such as XZ Utils 5.4.6 Stable.
Read more »
Vulnerabilities and Exploits
Breach data security IT Companies Threat Detection Vulnerabilities and Exploits

End-User Risks: Enterprises on Edge Amid Growing Concerns of the Next Major Breach

 

The shift to remote work has been transformative for enterprises, bringing newfound flexibility but also a myriad of security challenges. Among the rising concerns, a prominent fear looms large - the potential for end-users to inadvertently become the cause of the next major breach. 

As organizations grapple with this unsettling prospect, the need for a robust security strategy that addresses both technological and human factors becomes increasingly imperative. Enterprises have long recognized that human error can be a significant factor in cybersecurity incidents. However, the remote work surge has amplified these concerns, with many organizations now expressing heightened apprehension about the potential for end-users to inadvertently compromise security. 

A recent report highlights that this fear is not unfounded, as enterprises increasingly worry that employees may become the weak link in their cybersecurity defenses. The complexity of the remote work landscape adds a layer of difficulty to security efforts. Employees accessing sensitive company data from various locations and devices create a broader attack surface, making it challenging for IT teams to maintain the same level of control and visibility they had within the confines of the corporate network. 

This expanded attack surface has become a breeding ground for cyber threats, and organizations are acutely aware that a single unintentional action by an end-user could lead to a major breach. Phishing attacks, in particular, have become a prevalent concern. Cybercriminals have adeptly adapted their tactics to exploit the uncertainties surrounding the pandemic, capitalizing on the increased reliance on digital communication channels. End-users, potentially fatigued by the constant influx of emails and messages, may unwittingly click on malicious links or download infected attachments, providing adversaries with a foothold into the organization's systems. 

While end-users can be the first line of defense, their actions, if not adequately guided and secured, can also pose a significant risk. Enterprises are grappling with the need to strike a delicate balance between enabling a seamless remote work experience and implementing stringent security measures that mitigate potential threats arising from end-user behavior. Education and awareness emerge as critical components of the solution. Organizations must invest in comprehensive training programs that equip employees with the knowledge and skills to identify and thwart potential security threats. 

Regularly updated security awareness training can empower end-users to recognize phishing attempts, practice secure online behavior, and promptly report any suspicious activity. Moreover, enterprises need to implement advanced cybersecurity technologies that provide an additional layer of protection. AI-driven threat detection, endpoint protection, and multi-factor authentication are crucial elements of a modern cybersecurity strategy. These technologies not only bolster the organization's defenses but also alleviate some of the burdens placed on end-users to be the sole gatekeepers of security. 

Collaboration between IT teams and end-users is paramount. Establishing open communication channels encourages employees to report security incidents promptly, enabling swift response and mitigation. Additionally, organizations should foster a culture of cybersecurity responsibility, emphasizing that every employee plays a crucial role in maintaining a secure digital environment. As the remote work landscape continues to evolve, enterprises must adapt their cybersecurity strategies to address the shifting threat landscape. 

The concerns about end-users being the potential cause of the next major breach underscore the need for a holistic approach that combines technological advancements with ongoing education and collaboration. By fortifying the human element of cybersecurity, organizations can navigate the complexities of remote work with confidence, knowing that their employees are not unwittingly paving the way for the next significant security incident.
Read more »
Hackers
Breach Crypto cryptocurrency Cyber Attacks Data Breach Hackers

Another Crypto Exchange Hacked, Following CoinEx Hack by Three Days

 

In the midst of a challenging year for crypto exchanges, Remitano, a centralized exchange, fell prey to a hack on September 14, 2023, losing nearly $2.7 million in digital currencies.

The breach unfolded at around 12:45 PM on Thursday when an unidentified address with no transaction history began receiving funds from one of the exchange's hot wallets. Cyvers, a blockchain analytics firm, swiftly identified these suspicious transactions and promptly alerted the crypto community.

The attacker managed to siphon off a total of $2.7 million in digital assets, comprising $1.4 million in Tether USDT, $208,000 in USD Coin (USDC), and $2,000 in Ankr tokens. Notably, Tether promptly intervened by freezing the alleged hacker's address, safeguarding approximately $1.4 million worth of USDT before any further transactions or conversion of the stolen funds could occur.

U.S. authorities are attributing this incident to the Lazarus Group, a cybercrime organization based in Korea believed to be operating in tandem with the North Korean government. This group has been linked to several hacks in 2023.

Remitano, a peer-to-peer centralized crypto exchange and payment processor, specializes in serving emerging markets, including Pakistan, Ghana, Venezuela, Vietnam, South Africa, and Nigeria. As of now, the exchange has not issued any official statement regarding the alleged hack.

The Lazarus Group has been responsible for some of the most significant hacks in 2023, amassing nearly $200 million in ill-gotten gains, constituting around 20% of all crypto hacks this year.

On September 4, 2023, the group targeted the prominent crypto casino, Stake, making off with over $41 million in digital assets. Despite the breach, Stake resumed operations shortly thereafter, assuring users that their funds were secure.

Then, on September 12, 2023, CoinEx fell victim to a massive hack believed to be orchestrated by the Lazarus Group. Cyvers warned the crypto firm to halt all withdrawals and deposits upon detecting multiple suspicious transactions, but the response came too late. The group absconded with over $27 million in crypto assets, with subsequent reports indicating the actual amount exceeded $55 million.

Following the Stake incident, the Federal Bureau of Investigation (FBI) disclosed several addresses associated with the group and advised crypto exchanges to refrain from transactions involving these addresses.

Since its inception in 2009, the Lazarus Group is said to have stolen over $2.3 billion in crypto assets. The group gained notoriety for its 2014 hack of Sony Pictures Entertainment, which resulted in over $35 million in IT repair costs.
Read more »
Vulnerability
Australia Breach Customer Cyber Attacks Data Energy Experts Investigation Ransomware Report Security Software threat UK Vulnerability

Cyberattack Strikes Australian Energy Software Company Energy One

 

Energy One, an Australian company specializing in software solutions and services for the energy industry, has fallen victim to a cyber assault.

In an announcement made on Monday, the company revealed that the breach was identified on August 18 and had repercussions for certain internal systems both in Australia and the United Kingdom.

“As part of its work to ensure customer security, Energy One has disabled some links between its corporate and customer-facing systems,” Energy One said.

Energy One is actively engaged in an inquiry to ascertain the extent of the impact on customer-related systems and personal data. The organization is also committed to tracing the initial point of intrusion employed by the attacker.

Though detailed specifics about the attack are presently undisclosed, the company's official statement strongly suggests the possibility of a deliberate ransomware attack.

To facilitate the investigation, cybersecurity specialists have been enlisted, and competent authorities in both Australia and the UK have been informed about the incident.

According to a recent report by Searchlight Cyber, a British threat intelligence firm, malevolent actors have been peddling opportunities for initial access into energy sector enterprises globally, with prices ranging from $20 to $2,500.

Perpetrators of cybercrime can exploit various avenues, including Remote Desktop Protocol (RDP) access, compromised login credentials, and vulnerabilities in devices like Fortinet products.
Read more »
Password
AI Breach Cyber Security Data Data Safety data security Password

AI can Crack Your Password in Seconds, Here’s how to Protect Yourself

 

Along with the benefits of emerging generative AI services come new hazards. PassGAN, a sophisticated solution to password cracking, has just emerged. Using the most recent AI, it was able to hack 51% of passwords in under a minute and crack 71% of passwords in less than a day. 

Microsoft raised attention to the security problems that would accompany the rapid growth of AI last month when it announced its new Security Copilot suite, which will assist security researchers in protecting against malicious use of current technologies.

Home Security Heroes recently released a study demonstrating how frighteningly powerful the latest generative AI is at cracking passwords. The company ran a list of over 15,000,000 credentials from the Rockyou dataset through the new password cracker PassGAN (password generative adversarial network), and the results were shocking.

51% of all popular passwords were broken in under a minute, 65% in under an hour, 71% in under a day, and 81% in under a month. PassGAN is able to "autonomously learn the distribution of real passwords from actual password leaks," which is why AI is making such a difference in password cracking. Rather than having to do manual password analysis on leaked password databases, PassGAN is able to "autonomously learn the distribution of real passwords from actual password leaks."

How to Prevent AI Password Cracking

Sticking to at least 12 characters or more of capital and lowercase letters plus numbers (or symbols) distinguishes between easily or rapidly cracked passwords and difficult-to-crack passwords. For the time being, all passwords with 18 characters that include both letters and numbers are protected against AI cracking.

Seeing how powerful AI can be for password cracking is a good reminder to not only use strong passwords but also to check:
  • Utilising 2FA/MFA. (non-SMS-based whenever possible)
  • Avoid reusing passwords across accounts.
  • When feasible, use password generators.
  • Passwords should be changed on a frequent basis, especially for important accounts.
  • Avoid using public WiFi, especially for banking and other similar accounts.
On the Home Security Heroes website, there is a program that allows you to test your own passwords against AI. However, it's best not to enter any of your genuine passwords if you want to check out the AI password analyser - instead, enter a random one.
Read more »
User Safety
Breach Data Breach Data Safety data security Twitter User Data User Privacy User Safety

Twitter Data Breach: Hacker Posted List of Hacked Data of 400M Users

 

One of the biggest Twitter data breaches has resulted in the selling of 400 million Twitter users' personal information on the dark web. The news was released just one day after the Irish Data Protection Commission (DPC) said that it was looking into a prior Twitter data leak that affected more than 5.4 million users, according to CyberExpress. 

In late November, the previous breach was discovered. The hacker released a sample of the data on one of the hacker sites as evidence that the data is real. Email, username, follower count, creation date, and, in some situations, the users' phone numbers are all included in the sample data.

What's shocking is that the hacker's sample data includes information from some pretty well-known user accounts. The user data in the sample data includes the following:

  • Alexandria Ocasio-Cortez
  • SpaceX
  • CBS Media
  • Donald Trump Jr.
  • Doja Cat
  • Charlie Puth
  • Sundar Pichai
  • Salman Khan
  • NASA's JWST account
  • NBA
  • Ministry of Information and Broadcasting, India
  • Shawn Mendes
  • Social Media of WHO

The sample data includes the data of many more well-known users. The majority of them will point to the social media staff, but if the data leak is real, it will be disastrous. While other threat actors have not verified the data yet, Alon Gal in his LinkedIn post states that "The data is increasingly more likely to be valid and was probably obtained from an API vulnerability enabling the threat actor to query any email / phone and retrieve a Twitter profile, this is extremely similar to the Facebook 533m database that I originally reported about in 2021 and resulted in a $275,000,000 fine to Meta."

Meanwhile, In his post, the hacker writes, "Twitter or Elon Musk if you are reading this you are already risking a GDPR fine over 5.4m breach imagine the fine of 400m users breach source. Your best option to avoid paying $276 million USD in GDPR breach fines like Facebook did (due to 533m users being scraped) is to buy this data exclusively."

The hacker states he is open to the 'Deal' going through a middle man and further stated, "After that I will delete this thread and will not sell this data again. And data will not be sold to anyone else which will prevent a lot of celebrities and politicians from Phishing, Crypto scams, Sim swapping, Doxxing and other things that will make your users Lose trust in you as a company and thus stunt the current growth and hype that you are having also just imagine famous content creators and influencers getting hacked on twitter that will for sure Make them ghost the platform and ruin your dream of twitter video sharing platform for content creators, also since you Made the mistake of changing twitter policy that got an immense backlash."
Read more »
Threat Groups
Breach Cyber Attacks Deep Instinct MuddyWater Syncro Threat Groups

MuddyWater: Iran-Backed Threat Group’s Latest Campaign Abuses Syncro Admin Tool


Iran-sponsored cyber threat group, MuddyWater has now altered its tactics, it is now utilizing a remote administration tool, Syncro, that is being used in order to gain control of the target devices. 

What is Syncro? 

Syncro is a highly integrated and easy-to-use remote access platform that allows Remote monitoring and management (RMM) and automation of tasks, streamlining users’ operations to get established, run, and grow their managed service provider (MSP) operations.  

Syncro’s unified and customizable solutions allow users to conduct business operations, that could be streamlined with its integrated invoicing, billing, contract management, automated remediation, and much more so that one can focus on generating revenue. Additionally, their tool offers users a 21-day trial.  

Prior to its most recent campaign, which researchers from Deep Instinct estimate started sometime in September, MuddyWater had employed a separate legitimate remote administration tool, named RemoteUtilities.  

According to the latest report by Deep Instinct, which mentions details of the MuddyWater attacks that recently took place on an Egyptian data hosting company, as well as the Israeli insurance and hospitality industries.  

"MuddyWater is not the only actor abusing Syncro […] It has also been observed recently in BatLoader and Luna Moth campaigns," the Deep Instinct team stated in the report. 

Moreover, MuddyWater has now joined BatLoader and Luna Moth threat groups, which have also been using Syncro in order to take control of devices. 

Security teams are cautioned by Deep Instinct which provided MuddyWater's indicators of compromise, to keep an eye out for unusual remote desktop apps inside their organisations. 

Read more »
User Security
Breach Data Data Breach Information User Data User Privacy User Security

LastPass Experiences its Second Major Data Breach in 4 Months

 

LastPass's data breach in August permitted a hacker to infiltrate the company again and steal customer data. LastPass announced on Wednesday that it was investigating the breach, which involved a third-party cloud storage service linked to company systems. 
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” the company wrote in a blog post(Opens in a new window). 

It is unknown what data was stolen. LastPass, on the other hand, has stated that customers' passwords should be safe because the company does not store(Opens in a new window) information on the "Master Password" that customers use to access the encrypted password vaults on the platform.

“We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional,” the company said.  

Nonetheless, the incident demonstrates that the August breach at LastPass was more serious than previously thought. At the time, the company confirmed that the August breach only affected internal software development systems and did not include any customer password information. Despite this, the hacker was able to steal portions of the company's source code as well as some proprietary LastPass technical information, which likely paved the way for the subsequent intrusion.

LastPass also announced in September that it had completed its investigation into the breach with the assistance of cybersecurity firm Mandiant. According to the findings, the hacker only had access to the internal systems for four days. 

There was also no evidence of tampering. However, it appears that LastPass did not uncover all of the possible ways the hacker could use the access to breach the company again. LastPass did not identify the third-party cloud storage service used by the hacker to breach the company a second time. LastPass, on the other hand, has been sharing the cloud storage service with its affiliate GoTo. Private equity firms currently own both companies.

In response to the new breach, LastPass has implemented additional security measures and increased monitoring of its IT infrastructure. It has also contacted Mandiant and law enforcement to inquire about the hack.
Read more »
Subscribe to: Posts (Atom)