
Hacker Claims Responsibility for University of Pennsylvania Breach Exposing 1.2 Million Donor Records


A hacker has taken responsibility for the University of Pennsylvania’s recent “We got hacked” email incident, claiming the breach was far more extensive than initially reported. The attacker alleges that data on approximately 1.2 million donors, students, and alumni was exposed, along with internal documents from multiple university systems. The cyberattack surfaced last Friday when Penn alumni and students received inflammatory emails from legitimate Penn.edu addresses, which the university initially dismissed as “fraudulent and obviously fake.”  

According to the hacker, their group gained full access to a Penn employee’s PennKey single sign-on (SSO) credentials, allowing them to infiltrate critical systems such as the university’s VPN, Salesforce Marketing Cloud, SAP business intelligence platform, SharePoint, and Qlik analytics. The attackers claim to have exfiltrated sensitive personal data, including names, contact information, birth dates, estimated net worth, donation records, and demographic details such as religion, race, and sexual orientation. Screenshots and data samples shared with cybersecurity publication BleepingComputer appeared to confirm the hackers’ access to these systems.  

The hacker stated that the breach began on October 30th and that data extraction was completed by October 31st, after which the compromised credentials were revoked. In retaliation, the group allegedly used remaining access to the Salesforce Marketing Cloud to send the offensive emails to roughly 700,000 recipients. When asked about the method used to obtain the credentials, the hacker declined to specify but attributed the breach to weak security practices at the university. Following the intrusion, the hacker reportedly published a 1.7 GB archive containing spreadsheets, donor-related materials, and files allegedly sourced from Penn’s SharePoint and Box systems. 

The attacker told BleepingComputer that their motive was not political but financial, driven primarily by access to the university’s donor database. “We’re not politically motivated,” the hacker said. “The main goal was their vast, wonderfully wealthy donor database.” They added that they were not seeking ransom, claiming, “We don’t think they’d pay, and we can extract plenty of value out of the data ourselves.” Although the full donor database has not yet been released, the hacker warned it could be leaked in the coming months. 

In response, the University of Pennsylvania stated that it is investigating the incident and has referred the matter to the FBI. “We understand and share our community’s concerns and have reported this to the FBI,” a Penn spokesperson confirmed. “We are working with law enforcement as well as third-party technical experts to address this as rapidly as possible.” Experts warn that donors and affiliates affected by the breach should remain alert to potential phishing attempts and impersonation scams. 

With detailed personal and financial data now at risk, attackers could exploit the information to send fraudulent donation requests or gain access to victims’ online accounts. Recipients of any suspicious communications related to donations or university correspondence are advised to verify messages directly with Penn before responding. 

 The University of Pennsylvania breach highlights the growing risks faced by educational institutions holding vast amounts of personal and donor data, emphasizing the urgent need for robust access controls and system monitoring to prevent future compromises.

Ransomware Clop and LockBit Attacked PaperCut Servers

Microsoft said in a statement that the recent attacks exploiting two vulnerabilities in the PaperCut print management software are likely the work of an affiliate of the Clop ransomware operation.

PaperCut released updates for its application server last month to fix two vulnerabilities that could allow remote, unauthenticated attackers to execute code and access information.

CVE-2023-27350 / ZDI-CAN-18987 / PO-1216: This vulnerability affects PaperCut MF and NG versions 8.0 or later on all OS platforms, and impacts both the application server and the site server.

CVE-2023-27351 / ZDI-CAN-19226 / PO-1219: This vulnerability affects PaperCut MF and NG versions 15.0 or later on all application server platforms, and allows unauthenticated information disclosure.

Trend Micro notified PaperCut last week that one of the vulnerabilities had been exploited in the wild, and PaperCut sent an alert to its users. Customer servers must be updated as soon as possible to stay secure.

“Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest (overlaps with FIN11 and TA505),” a tweet by Microsoft Threat Intelligence reads.  

Last week, Microsoft Threat Intelligence identified "Lace Tempest" as one of the threat actors exploiting these bugs, noting that the group overlaps with FIN11 and TA505.

FIN11, which was involved in the Accellion FTA extortion campaign, is linked to the infamous Clop ransomware gang, while TA505 is reportedly linked to the Dridex malware and the Locky ransomware.

The same Clop affiliate has previously exploited Fortra's GoAnywhere file-sharing software in ransomware campaigns, and has used the widely distributed Raspberry Robin worm to carry out post-compromise activity.

Both flaws affect PaperCut NG and PaperCut MF. CVE-2023-27350 lets an unauthenticated attacker execute code remotely on a PaperCut Application Server, while the information disclosure flaw lets an unauthenticated attacker read information about users stored in PaperCut MF or NG, such as their usernames, full names, e-mail addresses, department information, and credit card numbers.

Attackers exploiting this vulnerability can also retrieve the hashed passwords of internal PaperCut user accounts, but not the password hashes of users synced from external directory sources such as Microsoft 365 and Google Workspace.

Lace Tempest, previously tracked as DEV-0950, has been reported before as a Clop affiliate and has been observed using GoAnywhere exploits and the Raspberry Robin malware in ransomware campaigns. Exploitation of the PaperCut vulnerabilities has been observed since April 13.

A Familiar Pattern for Clop

The exploitation of PaperCut servers fits the pattern the Clop ransomware gang has followed over the last three years.

Although the Clop operation still encrypts files in some attacks, BleepingComputer has reported that it prefers to steal victims' data and use it to extort a ransom.

In 2020, Clop, a Chinese threat actor, exploited a zero-day vulnerability in the Accellion FTA and stole data from approximately 100 companies, marking this shift in tactics.

More recently, the Clop gang exploited a zero-day vulnerability in the GoAnywhere MFT secure file-sharing platform to steal data from 130 companies.