
Kimsuky's Attacks Alerted German and South Korean Agencies

 


In a joint warning, the German and South Korean intelligence agencies noted that the North Korean hacker group Kimsuky has stepped up its cyber-attacks against South Korean networks, relying on sophisticated phishing campaigns and malware. The North Korean government is believed to be behind the group. Cyberattacks continue to pose a major threat to businesses and governments throughout the world.

Kimsuky (aka Thallium and SmokeScreen) is a North Korean threat group with a reputation for using cutting-edge tools and tactics in its operations. The group has developed two new attack tactics that enhance its espionage capabilities while raising no red flags on security radars: malicious Android apps, and abused YouTube and Google Chrome extensions.

According to the German Office for Information Security (BSI) and South Korea's National Intelligence Service (NIS), Kimsuky is believed to have expanded its tactics to attack a wide range of organizations in both countries. Having initially targeted U.S. government agencies, research institutions, and think tanks, the group has now spread to businesses in the technology and defense sectors as well.

According to the statement, Kimsuky appears to be using a new malware called "BookCove" to steal sensitive information from its targets. A spear-phishing email is crafted to look as if it came from a reputable source, but the message carries malware. When the user clicks the link or opens the attachment, the computer is infected, giving the attacker access to the victim's data and the ability to monitor the victim's activities.

The South Korean and German agencies advise organizations to implement the necessary precautions against these threats: security measures such as multi-factor authentication and regular updates, and employee education on the risks associated with phishing.

The North Korean hacking group Kimsuky has been operating since 2013, distributing malware for PCs. Several sources link the group to the Reconnaissance General Bureau, the North Korean government body that gathers intelligence and conducts covert operations on the government's behalf.

According to research, the apps, which embed FastFire and FastViewer, are distributed through Google Play's "internal testing" feature, which lets third-party developers send apps to a "small set of trusted testers."

It bears mentioning, however, that internal testing tracks are capped at 100 testers per app, regardless of when the app is released to production. That cap alone shows how narrowly targeted this campaign is.

Two malware-laced apps use Android's accessibility services to steal sensitive information ranging from financial to personal data. The APK package names of the two apps are listed below:

  • com.viewer.fastsecure (FastFire)
  • com.tf.thinkdroid.secviewer (FastViewer)
Organizations can take the following measures to protect themselves against Kimsuky's attacks:

A multi-factor authentication system protects networks and systems from unauthorized access because it requires an attacker to possess at least two factors, such as a password and a physical device like a mobile phone.

Even if cyber criminals get past some existing security measures, this makes it far harder for them to reach private data. In addition to the measures above, organizations may also wish to consider the following:
  • Maintain a regular software update schedule.
  • Train employees in best practices for protecting the company's information.
  • Use tools and techniques to detect and respond to advanced threats.
A robust incident response plan is a crucial tool for being prepared in case of an incident: if a cyberattack occurs, the organization should be able to respond rapidly and effectively to mitigate its impact.

A growing number of companies are being attacked by state-sponsored groups like Kimsuky. To reduce their risk of falling victim to these sophisticated cyber-espionage tactics, businesses and governments in Germany need to take proactive steps to protect themselves, including improving their security systems.

Operating silently, Kimsuky has continuously evolved its TTPs to keep up with changing threats and to develop more efficient tactics. The majority of its attacks are conducted through phishing or spear-phishing, so the top priority against this threat is protecting the accounts of individuals and organizations along with other critical assets. Organizations and individuals are advised to keep abreast of the latest tactics and to follow the relevant agencies' recommendations.

Cybersecurity Experts are Scarce for Companies and SMBs

 


In 2023, more than half of small and midsized businesses (SMBs) intend to increase their cybersecurity spending. This is a positive development, since six out of ten firms (61%) have no cybersecurity staff, about half (47%) have no incident response plan, and 40% conduct no formal cybersecurity awareness training.

A Huntress study of IT professionals at small and medium-sized businesses with 250 to 2,000 employees, published on March 15, indicates that although many respondent organizations have deployed a range of cybersecurity products (email security (86%), endpoint protection (79%), and network protection (73%)), they tend to neglect basic defensive measures. The US Cybersecurity and Infrastructure Security Agency (CISA) recently recommended that workers supplement their passwords with two-factor or multi-factor authentication to strengthen password security.

As a result of lack of preparation, understaffing, and/or under-resourcing, a majority of these companies feel unprepared to respond to evolving threats. Many also have difficulty obtaining cybersecurity insurance coverage and ensuring their employees are properly trained on security issues. According to Huntress' report, many midsize companies know that multiple cybersecurity layers are necessary, yet there are significant gaps in the tools and planning processes they use.

Additionally, a full third of the respondents (34%) said they are unaware of advanced threats and do not believe they could detect them. 

According to Roger Koehler, CISO at Huntress, a substantial percentage of individuals are unaware that their identities have been targeted. Visibility is of the utmost importance for these organizations to remain protected, because malicious actors can spend weeks or even months inside their networks, gaining footholds and gathering information before carrying out their attacks.

According to the Huntress study, 14% of respondents in this segment confirmed having experienced an attack within the last year, and a further 10% of IT professionals were unsure whether a cyberattack had occurred during the survey period. In the United States there are about 6 million companies that employ 250 to 2,000 people, so those numbers add up quickly.

Cyber Spending is Expected to Increase 

Huntress also found that 49% of organizations plan to spend more on cybersecurity in the coming year to meet the pressing need for greater knowledge and preparedness. Koehler says it is encouraging that so many small and medium-sized businesses are taking a proactive approach to cybersecurity rather than simply reacting to attacks as they occur. The biggest challenge in spending that budget, however, will be finding the right employees for the organization.

"It seems that middle-sized businesses are not just waiting for an attack to occur and subsequently reacting to them, but are investing in preventative measures so that these attacks can be prevented before they ever take place," Koehler says. Midsize businesses also need the right people on their teams to deal with attacks. An estimated 700,000 cybersecurity jobs were open as of the end of last fall, an increase of 43% from the end of 2021. Finding in-demand cybersecurity professionals is becoming increasingly difficult as burnout and dissatisfaction among cyber professionals rise.

Managed cybersecurity services will see significant growth in the coming years thanks to the combination of stronger budgets and a stronger market for talented cybersecurity professionals, according to a McKinsey analysis published in October. The firm's consultants believe managed security service providers will capture the majority of that market share, along with security-and-operations management projects.

McKinsey's analysis forecasts that over the next two years the shift of security spending from internal to third-party services will increase across all segments of the market. As long as talent remains a challenge, companies will need to turn to outsourced services to achieve strong security results.

Cloud Data Theft is Booming According to CrowdStrike

 

CrowdStrike, an industry-leading cybersecurity company, reported that it had seen the largest one-year increase in adversaries it has ever observed. According to the study, cloud attacks rose by 95%; it identified 33 new threat actors, and cases involving cloud-conscious actors in 2022 were approximately three times as numerous as in 2021.

Given these trends, CrowdStrike expects it to become more common for eCrime and nation-state actors to apply their tradecraft and knowledge to exploiting cloud environments, it stated in its 2023 global threat report.

Bad actors have shifted away from deactivating antivirus and firewall technologies and from tampering with logs, and have turned instead toward modifying authentication processes and attacking identities, according to the report.

Identity theft has risen dramatically as a result of a wide range of threats, and identity and privileged-access credentials are among the most common targets for hackers. Why? Attackers want to sell compromised credentials to third parties on the dark web for high prices, becoming access brokers who make money off the stolen information.

CrowdStrike's report provides a sobering look at the emergence of attackers reinventing themselves as access brokers. It records a 20% increase in adversaries engaging in extortion campaigns and theft of cloud-related data.

A broader analysis revealed 33 new adversaries in just one year, the biggest increase in the number of adversaries ever recorded. Telecommunications, BPO, and tech companies have recently been the victims of sophisticated attacks carried out by Scattered Spider and Slippery Spider.

Cloud Security is Hampered by Overcast Skies

In addition to the multitude of new and unknown threat actors it uncovered, CrowdStrike's report also noted a surge in identity-based threats, cloud exploits, activity by national intelligence services, and attacks that re-weaponized previously patched vulnerabilities.

According to the report, CrowdStrike Falcon OverWatch measures adversaries' breakout time: how long it takes an adversary to move laterally from the initially compromised host to a second host within the victim environment. This report from the National Institute on Crime and Law Enforcement suggests that for interactive eCrime intrusions, the average breakout time decreased from 98 minutes in 2021 to 84 minutes in 2022.

As the breach window shrinks, CISOs and their teams must respond more quickly to minimize the costs and collateral damage caused by attackers. CrowdStrike recommends that security teams follow the 1-10-60 rule: detect threats within the first minute, understand them within the first 10 minutes, and respond within the first 60 minutes.

It is well known that hackers, nation-states, and cybercriminals are growing at an exponential rate around the world. 

Meyers announced that CrowdStrike has added Syria, Turkey, and Colombia to its list of identified malicious host countries. Meyers also reported a 50% increase in interactive intrusions compared to last year, as human adversaries attempt to bypass computer and antivirus defenses, contributing to the rise in human-driven intrusions.

Microsoft published 28 zero-days and 1,200 patches; however, only two of those 28 zero-days were exploited by nation-nexus and cybercriminal adversaries, who instead circumvented patches and bypassed mitigations, exploiting legacy vulnerabilities such as Log4Shell and keeping up with the ProxyNotShell and Follina vulnerabilities.

Engineers and Cloud Defenders Must be Versatile 

Attackers use a variety of techniques to get into cloud environments and move laterally once inside. CrowdStrike's data shows an increase both in the use of valid cloud accounts for initial cloud access and in the number of public-facing applications being deployed. The company also reports more actors attempting to discover cloud accounts rather than cloud infrastructure, and using legitimate higher-privileged accounts to do so.

To be successful in cloud computing, engineers need to be more versatile than ever before. For a business or enterprise to succeed, its engineers need to manage, plan, architect, monitor, and anticipate cloud security issues as part of a continuous process.

GOBruteforcer: an Active Web Server Harvester

 


The Go programming language, also known as Golang, is relatively new, and it has become one of the most popular languages among malware authors. Capable of producing all kinds of malware, such as ransomware, stealers, and remote access Trojans (RATs), it has proven to be a versatile platform. Golang-based botnets appear particularly attractive to attackers seeking access to victims' networks.

The GoBruteforcer botnet is the latest example of Golang-based malware targeting web servers, specifically those running phpMyAdmin, MySQL, FTP, and Postgres.

How GoBruteforcer Works

According to Palo Alto Networks' analysis, GoBruteforcer is compatible with more than one processor architecture, including x86, x64, and ARM.

Certain conditions must be met for the malicious code to run: specific arguments must be supplied at execution time, and the targeted services must already be installed on the system with weak passwords. The malware proceeds only when all of these requirements are satisfied.

  • Using weak passwords, the malware aims to gain access to vulnerable Unix-like platforms.
  • To begin the attack, it scans for potential targets running MySQL, Postgres, FTP, or phpMyAdmin.
Expansion of Networks 

The malware's source code has been updated with a multi-scan module that can find a much larger set of potential targets than before.
  • GoBruteforcer uses a Classless Inter-Domain Routing (CIDR) block to scan the network for vulnerable hosts. A CIDR block denotes a range of IP addresses within a single network; a range offers far more targets for infiltration than a single IP address does.
  • It scans the hosts in that range for open ports belonging to the aforementioned services; when it finds one, it attempts a brute-force attack to gain access to that machine.
Aspects of the Postinfection Period

  • When GoBruteforcer succeeds in breaking in, it deploys an IRC bot that retrieves the attacker's URL for further use.
  • The bot then communicates with the C2 server and waits for the attacker to send further directives.
  • A cron job stores the IRC bot's registration information, serving as a means of persistence.
GoBruteforcer's multi-scan feature lets operators scan a wide range of devices across different networks all at once.
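The scanning-then-brute-forcing behaviour described above leaves a recognisable trace on the victim side: a single source address producing bursts of failed logins across several services. The following added example (not Palo Alto Networks' analysis code and not GoBruteforcer itself) correlates failed-login lines from MySQL, Postgres and FTP logs by source IP and flags sources that exceed a threshold inside a sliding window or that probe more than one service. The log formats, thresholds and sample lines are constructed assumptions; adapt the regexes and timestamp formats to your own logging configuration.

```python
"""Correlate failed logins across services to spot multi-service brute forcing.

Added example, not code from Palo Alto Networks or from GoBruteforcer.
Log line formats below are constructed approximations (assumption: real
deployments differ, e.g. Postgres needs a log_line_prefix that includes %h).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed patterns: each yields a timestamp, the username tried and the
# client IP for one failed authentication attempt.
LOG_FORMATS = {
    "mysql": (
        re.compile(r"^(?P<ts>\S+) \d+ \[Note\] Access denied for user "
                   r"'(?P<user>[^']*)'@'(?P<ip>[\d.]+)'"),
        "%Y-%m-%dT%H:%M:%S.%fZ",
    ),
    "postgres": (
        re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC \[\d+\] "
                   r"(?P<ip>[\d.]+) FATAL:\s+password authentication failed "
                   r"for user \"(?P<user>[^\"]*)\""),
        "%Y-%m-%d %H:%M:%S",
    ),
    "ftp": (
        re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] "
                   r"\[(?P<user>[^\]]*)\] FAIL LOGIN: Client \"(?P<ip>[\d.]+)\""),
        "%a %b %d %H:%M:%S %Y",
    ),
}

# Constructed sample log lines: 203.0.113.7 hammers three services within a
# few seconds; 198.51.100.2 is a single mistyped password followed by a
# non-authentication line that must be ignored.
SAMPLE_LOGS = [
    "2023-03-14T10:02:13.000000Z 12 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)",
    "2023-03-14T10:02:14.000000Z 13 [Note] Access denied for user 'admin'@'203.0.113.7' (using password: YES)",
    "2023-03-14 10:02:15 UTC [5678] 203.0.113.7 FATAL:  password authentication failed for user \"postgres\"",
    "2023-03-14 10:02:16 UTC [5679] 203.0.113.7 FATAL:  password authentication failed for user \"admin\"",
    "Tue Mar 14 10:02:17 2023 [pid 1234] [ftp] FAIL LOGIN: Client \"203.0.113.7\"",
    "Tue Mar 14 10:02:18 2023 [pid 1235] [admin] FAIL LOGIN: Client \"203.0.113.7\"",
    "2023-03-14T10:40:00.000000Z 40 [Note] Access denied for user 'alice'@'198.51.100.2' (using password: YES)",
    "2023-03-14T10:41:02.000000Z 41 [Note] Aborted connection 41 to db: 'shop' user: 'alice' host: '198.51.100.2'",
]


def parse_line(line):
    """Return (timestamp, service, user, ip) for a failed login line, else None."""
    for service, (pattern, ts_format) in LOG_FORMATS.items():
        match = pattern.match(line)
        if match:
            ts = datetime.strptime(match.group("ts"), ts_format)
            return ts, service, match.group("user"), match.group("ip")
    return None


def detect_bruteforce(lines, window=timedelta(seconds=60), threshold=5):
    """Group failures by source IP; flag bursts and multi-service probing.

    Returns {ip: {"attempts", "services", "peak_in_window", "reasons"}} for
    every source that either produced >= threshold failures inside any
    `window`-long span or touched more than one service.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, service, user, ip = parsed
            events[ip].append((ts, service, user))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        # Sliding window over the sorted timestamps: largest burst seen.
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        services = sorted({svc for _, svc, _ in evs})
        reasons = []
        if peak >= threshold:
            reasons.append(f"{peak} failures within {int(window.total_seconds())}s")
        if len(services) > 1:
            reasons.append("probed multiple services: " + ", ".join(services))
        if reasons:
            findings[ip] = {"attempts": len(evs), "services": services,
                            "peak_in_window": peak, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOGS).items():
        print(ip, info)
```

Feeding real logs means concatenating the relevant files (or a syslog export) and tuning `threshold` and `window` to your baseline; the multi-service reason is the more specific signal, since an ordinary user who mistypes a password rarely does so against MySQL, Postgres and FTP within the same minute.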

Changing default passwords and implementing a strong password policy, including two-factor authentication, significantly reduces the risk of brute-force attacks.

Web servers have always attracted threat actors because they are lucrative targets. An organization's web servers are integral to its operations, so allowing weak passwords on them invites serious security threats: weak (or default) passwords are exactly what malware such as GoBruteforcer exploits.

GoBruteforcer's ability to scan multiple targets at once lets it reach a wide range of networks, which is what makes it effective. Furthermore, GoBruteforcer appears to be under active development, so attackers are likely to change their strategies soon as they continue to target web servers with this tool.

ChatGPT Scams Up Since Darktrace Released It

 


Darktrace, a British cybersecurity firm, has warned that since the release of ChatGPT, criminals have increasingly used artificial intelligence to create sophisticated scams that con employees and compromise business systems all over the world.

The Cambridge-based firm reported that operating profits had dropped 92% in the half-year to December. It also said that artificial intelligence had made it easier for "hacktivists" to target businesses with ransomware attacks.

Since ChatGPT launched last November, the company has seen an increase in the number of convincing and complex scams by hackers, and it said it was experiencing a greater number of attacks.

While Darktrace has observed a steady increase in email-based attacks in the months since ChatGPT's release, attacks that rely on false links to trick victims into clicking have declined. At the same time, the linguistic complexity of the emails has increased, along with text volume, punctuation, and sentence length.

These results indicate that cybercriminals may not only redirect their focus to creating more sophisticated social engineering scams, but are also likely to exploit victims' trust.

Darktrace, however, said the phenomenon had not yet been accompanied by a new wave of cybercriminals; instead, it has merely been an adjustment in tactics.

Although ChatGPT has not significantly lowered entry barriers for threat actors, Darktrace believes it has helped adversaries develop more targeted, personalized, and ultimately successful attacks by enabling them to craft more sophisticated phishing emails.

Alongside its quarterly results, Darktrace also noted a "noticeable" decline in the number of companies signing up for its security products in the last three months of last year.

In addition, Poppy Gustafsson and Cathy Graham, the company's chief financial officers, have received share awards under the vesting terms of those awards, and the resulting tax bill has forced the company to reduce its free cash flow forecasts for this year.

The company, whose market capitalisation of £1.9 billion is far below the heady height of almost £7 billion it reached after flotation, announced that its customer base rose by a quarter in the six months to the end of December, from 6,573 to 8,178.

Darktrace, whose stock has come under sustained attack from short-sellers doubting that the company can deliver what it promises in a cybersecurity market dominated by the US, told The Wall Street Journal that it is not concerned by the recent slump in new orders.

Qakbot Distributes Malware Through OneNote

 


A new wave of Qakbot campaigns has been reported that uses a novel method of delivering malware. Qakbot is a sophisticated malware family that also goes by several other names, such as Pinkslipbot and QuakBot.

Qakbot campaigns have been operating since 2007, and the latest ones use OneNote documents to reach their victims. Infected systems end up running malicious software that targets sensitive data such as login credentials, financial data, and personal information.

In recent years Qakbot has also been observed distributing ransomware, working alongside other botnets such as Emotet, which drop it as a secondary payload.

In-Depth Discussion of the Subject

  • These campaigns deliver malware through two attack vectors: in one, the attacker embeds in the email a URL that downloads the malicious file; in the other, the malicious file is attached directly to the email.
  • The OneNote documents feature a call-to-action button that runs the embedded payload when clicked.
  • Qakbot uses various evasion methods, such as anti-debugging, anti-dynamic-analysis, and anti-AV techniques, as well as encrypted communication between clients and servers.
Who Are the Main Targets?

  • Banks, financial institutions, wealth management companies, and public sector organizations are the most impacted, followed by organizations in the government and outsourcing sectors.
  • Organizations in the United States, Thailand, India, and Turkey were targeted by the campaigns.
A OneNote-Qakbot Campaign is Not New

According to researchers at Sophos, two parallel spam campaigns, nicknamed Qaknote, disseminated malicious OneNote attachments with a malicious HTML application embedded inside.

  • The first campaign distributed impersonal malspam containing a link to the malicious OneNote document.
  • In the second, a malicious OneNote notebook was sent as a reply-to-all message into existing email threads, which had been hijacked through thread injection.
  • Once downloaded and installed through these attachments, Qbot is ready to use.
Here are the Main Points

Recent Qakbot campaigns have been focused on specifically targeted sectors, in contrast to earlier campaigns that appeared indiscriminate, and researchers predict that this targeted approach will likely persist in future campaigns as well. 

Researchers have shared TTPs to help detect and mitigate this threat: block emails whose attachments carry unusual extensions, avoid malicious websites, and block rarely used top-level domains.
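The two mitigations above that a mail gateway can apply mechanically, blocking unusual attachment extensions and links to rarely used top-level domains, can be expressed as a small triage function. The following added example is not Sophos' or any vendor's code; the blocked-extension list, the rare-TLD list and the sample messages are constructed assumptions that a defender would replace with their own policy. It covers both delivery vectors described above: a OneNote file attached directly, and a URL embedded in the body.

```python
"""Mail triage for the Qakbot/OneNote delivery vectors: blocked extensions
and rarely used TLDs. Added example, not vendor code; policy lists below are
assumptions to be tuned per environment."""
import re
from urllib.parse import urlparse

# Assumed policy lists (constructed): extensions the campaigns above abuse
# (.one notebooks, .hta HTML applications) plus other script/container types.
BLOCKED_EXTENSIONS = {".one", ".hta", ".js", ".vbs", ".wsf", ".iso", ".img", ".lnk"}
RARELY_USED_TLDS = {"xyz", "top", "buzz", "cam", "rest", "icu"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages: one matching both vectors, one benign.
SAMPLE_MESSAGES = [
    {"subject": "RE: invoice", "attachments": ["Invoice_0312.one"],
     "body": "Please review the attached notebook. Copy also at http://doc-share-cdn.xyz/open"},
    {"subject": "Weekly report", "attachments": ["report.pdf"],
     "body": "Report attached; dashboard at https://intranet.example.com/dash"},
]


def attachment_extension(filename):
    """Final extension of an attachment name, lower-cased ('' if none)."""
    name = filename.strip().lower()
    return name[name.rfind("."):] if "." in name else ""


def rare_tld(url):
    """Return the TLD of the URL's host if it is on the rarely-used list, else None."""
    host = urlparse(url).hostname or ""
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    return tld if tld in RARELY_USED_TLDS else None


def triage_message(message):
    """Return the list of policy hits for a message dict with 'attachments' and 'body'.

    An empty list means neither vector fired; a non-empty list is the reason
    the gateway should quarantine the message for review.
    """
    reasons = []
    for name in message.get("attachments", []):
        ext = attachment_extension(name)
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"attachment '{name}' has blocked extension {ext}")
    for url in URL_RE.findall(message.get("body", "")):
        tld = rare_tld(url)
        if tld:
            reasons.append(f"link to rarely used TLD .{tld}: {url}")
    return reasons


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", triage_message(msg) or "clean")
```

Two practical caveats for a real deployment: archives (.zip, .iso) must be unpacked so that a .one or .hta inside them is seen by the extension check, and the TLD check should sit behind an allow-list of business partners so that a legitimate correspondent on an unusual domain is not silently dropped.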

Customers' Accounts Were Exposed in the Verizon breach

 


There has been a lot of talk lately about telecom companies and consumer data breaches. In the past few years you are more likely to have seen T-Mobile in the headlines: the self-titled Un-carrier has suffered numerous attacks, with disastrous results each time.

However, it is not the only carrier suffering this year: updated information has revealed that millions of Verizon subscribers have been subjected to a data breach, with their personal information made publicly available.

A Verizon contractor has apologized after failing to secure a large batch of customer information previously collected by the telecom company. The exposure affected over 6 million customer accounts. It is unclear whether Verizon, the country's largest wireless carrier, will notify affected users, though many believe it will.

In some cases, customers' PIN codes were exposed along with their names, addresses, phone numbers, and account information, as well as basic details about how they contacted customer service by phone. Some of the exposed data consisted of logs of customer service calls stored in the cloud.

As part of its commitment to security and privacy, Verizon is committed to protecting the personal information of its customers. 

Chris Vickery, a researcher with the cyber risk team at security vendor UpGuard, discovered the exposed data.

In a blog post, Dan O'Sullivan, a cyber resilience analyst at UpGuard, wrote that the data was contained in an unsecured Amazon Simple Storage Service (S3) bucket controlled by NICE Systems, an Israeli company that is part of Verizon's partner network.

Verizon has said in a press statement that the vendor supports a wireline self-service call center portal for small businesses and homes, and that certain data is required for the project.

UpGuard discovered the data exposure on June 13 and notified Verizon, which had the bucket locked down by June 22. UpGuard characterized the exposure as "troubling"; NICE officials were unavailable for comment.

UpGuard says 14 million customer records may have been exposed due to the breach. 

Verizon disputed the figure, saying Wednesday that 6 million accounts had been exposed.

Verizon spokesman Samberg did not answer a question about how Verizon arrived at that figure, although an analysis of access logs could have contributed, and he declined to comment on notification.

Configuration Error Redux

Vickery has made several data exposure discoveries this year, including Verizon's. The search engine Shodan is an excellent tool for cataloguing such exposures: it indexes internet-connected devices, and by plugging specific search terms into it, researchers can find unsecured internet-connected systems and cloud instances.

As in previous episodes of unintentionally exposed data detected by Vickery, the configuration error appears to have been made by NICE and was caused by an incorrectly set rule on the S3 bucket.

That left the data accessible to everyone on the internet. Anyone with the S3 URL could access the database, browse its many terabytes of contents, and download the files, UpGuard's O'Sullivan writes.

Amazon S3 storage buckets do not have public access enabled by default. Amazon's identity and access management controls let the owner decide who may access a bucket and who has permission to alter or delete data, and bucket access can also be restricted by HTTP referrer and IP address.
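The "incorrectly set rule" described above is, in practice, a bucket policy or ACL that grants access to an anonymous principal. The following added example (not UpGuard's, NICE's or AWS's code) evaluates the three places such a rule can live, a bucket policy document, an ACL grant list, and the account's Block Public Access settings, and reports whether each public grant is actually reachable. The policy and ACL documents are constructed samples in the shape the AWS API returns; the bucket name and account ID are placeholders.

```python
"""Evaluate an S3 bucket's policy, ACL and Block Public Access settings for
anonymous exposure. Added example, not vendor code; sample documents are
constructed in the shape returned by the S3 API (assumption)."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample policy: one unconditional public read, one wildcard
# principal narrowed by a source-IP condition, one scoped to an IAM role.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-call-logs/*"},
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-call-logs",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Sid": "Deploy", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-call-logs/*"}
  ]}""")

# Constructed sample ACL: owner plus a READ grant to the AllUsers group.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}

NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
FULL_BLOCK = {key: True for key in NO_BLOCK}


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy):
    """Split Allow statements with a wildcard principal into (unconditional, conditional) Sids.

    A Condition block can narrow a wildcard (e.g. aws:SourceIp), so those
    statements are reported for manual review rather than called public.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    unconditional, conditional = [], []
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal")):
            (conditional if stmt.get("Condition") else unconditional).append(stmt.get("Sid", "<no Sid>"))
    return unconditional, conditional


def public_acl_grants(acl):
    """Return (group, permission) for grants to the AllUsers/AuthenticatedUsers groups."""
    hits = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            hits.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def assess_bucket(policy, acl, public_access_block):
    """Combine the three sources into findings of (source, detail, verdict)."""
    findings = []
    open_sids, cond_sids = public_policy_statements(policy)
    if open_sids:
        blocked = public_access_block.get("RestrictPublicBuckets", False)
        findings.append(("policy", open_sids, "blocked by RestrictPublicBuckets" if blocked else "EXPOSED"))
    if cond_sids:
        findings.append(("policy", cond_sids, "wildcard principal with Condition: review manually"))
    grants = public_acl_grants(acl)
    if grants:
        blocked = public_access_block.get("IgnorePublicAcls", False)
        findings.append(("acl", grants, "blocked by IgnorePublicAcls" if blocked else "EXPOSED"))
    return findings


if __name__ == "__main__":
    for finding in assess_bucket(SAMPLE_POLICY, SAMPLE_ACL, NO_BLOCK):
        print(finding)
```

In a live audit the three inputs come from the S3 API calls for the bucket policy, the bucket ACL and the public access block configuration; the value of checking all three together is that a bucket whose policy looks harmless can still be world-readable through an ACL grant, and conversely a public grant is harmless once account-level Block Public Access is on, which is the setting that would have prevented the exposure described here.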

It seems unlikely that anyone at NICE would have disabled those security defaults, but it's possible. 

Exposure of Orange Data is Suspected

Aside from the Verizon information in the S3 bucket, O'Sullivan says the bucket also appears to have exposed information from at least one other organization, Orange, which is also a NICE partner.

That data, he writes, appears less sensitive. Still, it is noteworthy to find this type of information in a Verizon repository when it is internal to Orange: on the European market, Verizon's enterprise division competes directly with Orange's.

Data Security is at Risk

Verizon, by contrast, has downplayed the exposure. Although some personal information was included in the data set, the company says the overwhelming majority of the information had no outside value, and it confirmed in a statement that the cloud storage area contained no Social Security numbers or Verizon voice recordings.

Yet some security experts are not convinced the leak is harmless. The PIN was masked in some customer records, but only for a subset of accounts.

UpGuard believes that unmasked PINs could be used to gain access to Verizon account information. The PINs are fundamental to verifying callers as legitimate Verizon customers, which is what prevents impersonators from accessing and changing account settings, writes O'Sullivan.

Verizon says PINs cannot be used to access online accounts. Samberg, Verizon's Chief Creative Officer, did not follow up on a question from the media about whether a PIN alone might be enough to obtain an additional SIM card, but he suggested that a PIN alone might not be sufficient.

The fear is that scammers could impersonate customers and obtain SIM cards in their names.

With control of the victim's phone number, fraudsters would then receive the victim's messages, including two-factor authentication codes. Many online services, from banks to cloud storage providers, now require a one-time passcode to block unauthorized access.

The U.S. National Institute of Standards and Technology recommends avoiding out-of-band authentication that relies on voice calls and SMS messages.

Smartphone apps that generate a one-time code are becoming increasingly popular among businesses, even wireless carriers. Security experts generally consider app-generated one-time codes a safer approach than codes sent via voice or SMS.

Attack on Oakland City attributed to Play Ransomware

Oakland was recently hit by a ransomware attack that disrupted city services and led the city to declare a state of emergency. The attack is a reminder that cyberattacks are a real-world problem with real-world consequences.

As cybersecurity researcher Dominic Alvieri shared on Twitter, the attack appears to be the work of the Play ransomware gang.

The Play ransomware operation, also known as PlayCrypt, launched in June 2022. The malware appends the .play extension to encrypted files and drops a ransom note telling victims how to contact the operators by email.

Oakland, with a population of over 440,000, is one of the most populous cities in the San Francisco Bay Area. It lies on the east side of the bay and is a regional commercial center with a great deal of economic and trade activity.

City authorities informed the public on February 10, 2023 that they had been targeted by a ransomware attack. It affected all network systems except 911 dispatch, fire and emergency services, and the city's financial systems.

On February 14, 2023, the City of Oakland declared a local state of emergency to expedite restoration of the affected systems and bring services back online as quickly as possible. Business tax obligations were given a 45-day extension because the city could not accept online payments, and parking citation services were also affected, since calls and payments could not be processed.

By February 20, 2023, IT staff had restored public computers, scanning, printing, library services and wireless internet at the city's facilities. The non-emergency phone service (OAK311) and business tax licenses remained unavailable, while the online permit center had returned to partial service.

The latest update on the City of Oakland website came on February 28, 2023, more than two weeks after the attack, and the service status was mostly unchanged.

Play Claims Responsibility for the Attack

The Play ransomware gang has now claimed responsibility, listing the city on its extortion site on March 1, 2023, as first spotted by Alvieri.

The threat actors claim to have stolen documents containing private and confidential data: financial and government papers, identity documents, passports, personal employee data, and even information allegedly proving human rights violations.

The documents were allegedly taken during the intrusion into the city's network and are now being used as leverage to pressure the administration into meeting the gang's demands and paying the ransom.

Play targets organizations across many sectors and regions, including finance, manufacturing, technology, real estate, transportation, education, healthcare and government.

Ransom demands vary with the size and importance of the victim organization; some victims have paid thousands or even millions of dollars to recover their data.

Oakland was given roughly 72 hours to respond, after which the gang threatened to publish the documents. The city's status portal makes no mention of data exfiltration, so the authorities have not confirmed that any data was stolen.

Previous victims of the operation include the Belgian city of Antwerp, H-Hotels, Rackspace, Arnold Clark and A10 Networks.


GoAnywhere MFT Hack Exposes Hatch Bank Customer Data

Hatch Bank, a digital-first bank that provides infrastructure for fintech companies offering branded credit cards, says hackers exploited a zero-day vulnerability in the file transfer software it uses internally and gained access to thousands of customers' Social Security numbers.

According to Hatch Bank, almost 140,000 customers were affected after attackers accessed sensitive customer data held on its Fortra GoAnywhere MFT installation, a managed file transfer platform used to exchange files securely with partners.

Hatch Bank is also a financial technology company that gives small businesses access to a range of banking services.

TechCrunch reported that the breach notification filed with the Attorney General's office states that data belonging to 139,493 customers was stolen by hackers exploiting a vulnerability in the GoAnywhere MFT software.

According to Hatch Bank's notification, Fortra discovered on January 29, 2023 that a vulnerability in its software was being exploited and that it had suffered a cyber incident.

Fortra notified Hatch Bank on February 3, 2023 that files on its GoAnywhere site had been compromised. Hatch says it obtained a copy of the stolen data, reviewed it, and found that the attackers had taken customer names and Social Security numbers.

Affected customers are being offered twelve months of free credit monitoring.

Earlier this month, Community Health Systems (CHS) disclosed a data breach caused by the GoAnywhere MFT attacks, making Hatch Bank the second confirmed victim in the past month.

GoAnywhere Breaches Linked to Clop Ransomware

Hatch Bank did not say which threat actor was responsible, but BleepingComputer was told that the Clop ransomware gang carried out the attacks.

Clop claims to have exploited the zero-day in Fortra's GoAnywhere MFT platform for over ten days, breaching approximately 130 organizations and stealing their data.

The vulnerability, now tracked as CVE-2023-0669, is a pre-authentication remote code execution flaw in the product's administrative console, so any console reachable from the internet was exposed; Fortra's guidance was that the console should not be internet-accessible at all. Fortra disclosed the flaw to customers in early February after learning it was being actively exploited.

A proof-of-concept exploit was published the day before Fortra released a patch.

Fortra did not respond to emails requesting more information about the attacks, and BleepingComputer could not independently confirm Clop's claim.

Huntress Threat Intelligence Manager Joe Slowik has also linked the GoAnywhere MFT attacks to TA505, the hacking group best known for deploying Clop ransomware.

Clop used a similar tactic in December 2020, exploiting a zero-day in Accellion's File Transfer Appliance (FTA) to steal data from companies worldwide.

Like GoAnywhere MFT, Accellion FTA gives organizations a secure way to share files with their clients.

In those attacks, Clop demanded ransoms of around $10 million in exchange for not publishing the stolen data.

Numerous organizations disclosed related breaches, among them Morgan Stanley, Qualys, Shell and Kroger, as well as universities including Stanford Medicine, the University of Colorado and UCLA.

Clop may well demand similar ransoms from the GoAnywhere MFT victims, and if it follows its usual playbook, the stolen data of those who refuse will soon appear on the gang's data leak site.

Tech Issues Persist at Minneapolis Public Schools

Students and staff at Minneapolis Public Schools returned to their buildings this week, but the fallout from a cyberattack on the district continued to cause disruption.

The district's attendance and grading system was back online on Tuesday and working without a hitch, although some teachers still had difficulty logging in to programs, said Greta Callahan, teacher chapter president of the Minneapolis Federation of Teachers. Monday's after-school activities were cancelled because of the problems.

District officials have sent parents a few email updates about the "technical difficulties" caused by an "encryption event", but have not explained what caused them. Some of the district's information systems have now been unavailable for a week.

"Encryption event" is vague, but it most likely describes a ransomware attack, according to Matthew Wolfe, vice president of cybersecurity operations at Impero Software, which makes education software among other products.

School districts have increasingly been targeted in recent years. Wolfe believes the rapid shift to distance learning at the start of the pandemic made districts easier targets.

"With the increase in the number of devices, more areas are likely to be affected," Wolfe explained, adding that in the push to make e-learning available to every student at home, protection was often pushed to the back burner.

Recent cyberattacks on schools have repeatedly made headlines: in January an attack forced schools in the Des Moines area to cancel classes, and Los Angeles Unified, the country's second-largest district, was hit by ransomware reportedly deployed by Vice Society. After that incident, psychological evaluations of roughly 2,000 students were posted on the dark web.

By the end of the school day on Tuesday the district had not said what caused the incident. A presentation on IT security issues was to be made to school board members at a closed meeting on Tuesday night.

The district says its investigation into whether personal information was compromised has so far found no evidence that it was.

Staff were nevertheless tasked with resetting passwords and guiding students through the process.

On Monday, Callahan reported teacher frustration: resetting student passwords was difficult, and with printers also down, teachers had to improvise a wide variety of workshops and activities for students.

Callahan says the district's administration needs to be more transparent; as it stands, the plan seems to be little more than hoping everything works by Monday.

Parents have repeatedly been told that district officials are working with external IT specialists and school IT staff "around the clock" to investigate the root cause of the attack and understand what is happening on the computer systems.

School IT teams are inevitably overwhelmed when a cyberattack hits, Wolfe said, since an attack can come at any hour and they have to defend their schools continuously. "They're going through a really tough time right now for a district and it's going to be a long process," he said.

Wolfe believes the schools may have been targeted partly because of a 2020 incident in which the district nearly lost $50,000 to payment fraud, where a payment intended for a legitimate contractor is diverted to a fraudulent account.

Minneapolis Public Schools said in a statement that the money was safely returned to the district and that additional protocols were put in place as a result.

That incident was covered in a Fox 9 report published in February. Wolfe said a hacker mounting a targeted attack looks for weaknesses in a potential target.

News stories about staffing shortages in Minneapolis, the district's financial outlook and the absence of a permanent superintendent all add up, Wolfe said; even the fact that the district is preparing to launch a new public website may attract attackers' interest.

"There is no doubt that this is an easy target to steal from because of all those digital footprints," Wolfe said.

Info-Stealers and Ransomware Hit Government Organisations via PureCrypter

Threat actors have targeted government entities with the PureCrypter malware downloader, which is used to deliver several information stealers and ransomware variants.

According to researchers at Menlo Security, the initial payload was hosted on Discord, and a compromised non-profit organization's server was used to host later-stage payloads for the campaign.

The campaign delivered several malware families, including RedLine Stealer, Agent Tesla, Eternity, Black Moon and Philadelphia ransomware, the researchers said.

The PureCrypter campaign has targeted several government organizations in the Asia-Pacific (APAC) and North American regions, according to the researchers.

Steps Involved in an Attack

First, the attacker sends an email containing a Discord link that points to a password-protected ZIP archive holding a PureCrypter sample; the password keeps mail gateways from inspecting the contents.

PureCrypter, a .NET malware downloader, has been seen in the wild since March 2021. Its operator distributes various types of malware on behalf of other cybercriminals.

When executed, the PureCrypter sample fetches the next-stage payload from the compromised server of the non-profit organization, which acts as the command and control server for this stage.

The Menlo Security researchers analyzed an Agent Tesla sample delivered this way. As soon as it runs, the trojan connects to an FTP server based in Pakistan and sends all the stolen information to it.

The researchers found that the threat actor did not set up that FTP server themselves but took it over using credentials leaked in a data breach, which reduces the risk of identification and makes the operation harder to trace.
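The chain above (a Discord-hosted archive, a loader fetching a second stage, then FTP exfiltration) is the kind of sequence a detection rule can correlate from ordinary proxy logs. The Python below is an added example, not Menlo Security's code: the log lines are constructed, and the host names, field layout, the assumption that the Discord link points at Discord's CDN, and the ten-minute correlation window are all assumptions.

```python
"""Added example: correlate a Discord-hosted archive download with a later
outbound FTP connection from the same workstation. Logs are constructed."""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log: timestamp, client host, method, target, status.
PROXY_LOG = """\
2023-02-20T09:01:12Z ws-047 GET https://cdn.discordapp.com/attachments/10001/20002/Invoice_Feb.zip 200
2023-02-20T09:01:40Z ws-047 GET https://update.example-nonprofit.org/assets/stage2.bin 200
2023-02-20T09:02:05Z ws-012 GET https://www.example.com/index.html 200
2023-02-20T09:03:10Z ws-047 CONNECT 203.0.113.45:21 -
2023-02-20T11:30:00Z ws-012 CONNECT 198.51.100.7:21 -
"""

# Archive types commonly used to wrap a loader (assumed list).
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso")


def parse(line: str) -> dict:
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, host, method, target, _status = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "method": method, "target": target}


def is_discord_archive(ev: dict) -> bool:
    """Stage 1 indicator: an archive fetched from Discord's attachment CDN."""
    if ev["method"] != "GET":
        return False
    u = urlparse(ev["target"])
    return (u.hostname == "cdn.discordapp.com"
            and "/attachments/" in u.path
            and u.path.lower().endswith(ARCHIVE_EXT))


def is_outbound_ftp(ev: dict) -> bool:
    """Stage 3 indicator: a tunnelled connection to TCP/21 (FTP control)."""
    return ev["method"] == "CONNECT" and ev["target"].endswith(":21")


def correlate(log_text: str, window: timedelta = timedelta(minutes=10)) -> list:
    """Alert when the same host downloads a Discord archive and then opens
    an outbound FTP connection within `window`. Returns (host, url, ftp)."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for dl in filter(is_discord_archive, events):
        for ftp in filter(is_outbound_ftp, events):
            if (ftp["host"] == dl["host"]
                    and timedelta(0) <= ftp["ts"] - dl["ts"] <= window):
                alerts.append((dl["host"], dl["target"], ftp["target"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(PROXY_LOG):
        print("ALERT: possible loader + FTP exfil:", alert)
```

Note that ws-012 also opens an FTP connection but never fetched an archive from Discord, so it produces no alert; requiring both stages keeps the rule from paging on every legitimate FTP session.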

The Use of Agent Tesla Continues 

Agent Tesla is a malware family used by cybercriminals to compromise Windows systems. Its use peaked in October 2020 and January 2021.

A recent Cofense report notes that Agent Tesla remains one of the most cost-effective and capable backdoors on the market, and that it has been continuously improved and developed over its lifetime.

Agent Tesla accounted for roughly one-third of all keylogger reports recorded by Cofense Intelligence in 2022.

The malware has the following capabilities:

  • Record every keystroke the victim makes, in order to capture passwords and other sensitive information.
  • Steal saved passwords from web browsers, email clients and file transfer applications.
  • Capture screenshots of the victim's desktop.
  • Read the clipboard to harvest user names, passwords and credit card numbers.
  • Send the stolen data to the C2 over FTP, SMTP or other channels.
A notable feature of the attacks examined by Menlo Labs was that the threat actors evaded antivirus tools by injecting the Agent Tesla payload into a legitimate process (cvtres.exe) using process hollowing.

Agent Tesla's communications with the C2 server, and its configuration files, are also XOR-encrypted to hide them from network traffic monitoring tools. XOR with a short key is obfuscation rather than real encryption, though: it defeats simple string matching on the wire, but an analyst holding a sample can usually recover the key.
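To show how little a short XOR key protects, here is an added Python example, not code from the report or from the malware: it brute-forces a single-byte XOR key over a constructed configuration blob, using the expected protocol prefix as a crib, and pulls the exfiltration host out of the result. The configuration layout, key and addresses are constructed for illustration; Agent Tesla's real configuration format is not shown here.

```python
"""Added example: recover a single-byte XOR key from a constructed
malware-style config blob and extract the C2/exfil host from it."""
import re
import string

PRINTABLE = set(string.printable.encode("ascii"))

# Cribs: substrings a stealer config is expected to contain (assumed list).
CRIBS = (b"ftp://", b"smtp://", b"http://", b"https://")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same single-byte key (symmetric)."""
    return bytes(b ^ key for b in data)


def recover_single_byte_xor(blob: bytes, cribs=CRIBS) -> list:
    """Try all 256 keys; keep those whose output is entirely printable
    and contains at least one crib. Returns [(key, plaintext), ...]."""
    candidates = []
    for key in range(256):
        plain = xor_bytes(blob, key)
        if all(b in PRINTABLE for b in plain) and any(c in plain for c in cribs):
            candidates.append((key, plain))
    return candidates


def extract_c2(plain: bytes) -> str:
    """Pull the host out of the first ftp:// or http(s):// URL in the config."""
    m = re.search(rb"(?:ftp|https?)://([^/|\s]+)", plain)
    return m.group(1).decode("ascii") if m else ""


# Constructed sample: a mock exfil config XOR'd with key 0x5A.
SAMPLE_CONFIG = b"ftp://203.0.113.45/|user=exfil|pass=Winter2023!|mode=ftp"
SAMPLE_BLOB = xor_bytes(SAMPLE_CONFIG, 0x5A)


if __name__ == "__main__":
    for key, plain in recover_single_byte_xor(SAMPLE_BLOB):
        print(f"key=0x{key:02x} config={plain!r} c2={extract_c2(plain)}")
```

The crib matters: several keys produce fully printable output for short ASCII inputs, so a printability score alone can pick the wrong key, while the crib test pins it down. The recovered host is the indicator to block and to search for across the fleet.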

Menlo Security says the threat actor behind PureCrypter is not one of the big players in the threat landscape, but its activity is worth tracking given that it is targeting government agencies.

The attacker can be expected to keep using the compromised infrastructure for as long as possible before seeking out new hosts.

How Does Modern Software Work?

It is encouraging to see a thriving community in the cybersecurity industry eager to share experiences as conference season approaches. The call-for-speakers process gives attendees a fairly clear picture of what is on the minds of cybersecurity professionals across the globe.

This year's "RSAC 2023 Call for Submissions Trends Report" identified several noteworthy trends around open source, one of which is its ubiquity and its shrinking resemblance to a silo. The changes in how modern software is built bring both benefits and risks.

Software Writing: Is It Still a Thing?

Cybersecurity professionals spend much of their time discussing software and how it is assembled, tested, deployed and patched to withstand attack.

Software profoundly affects a company's success, whatever its size or sector, and as scale and complexity have grown, teams and practices have evolved to keep up. Jennifer Czaplewski, senior director at Target, where she leads DevSecOps and endpoint security, and a member of the RSA Conference program committee, puts it plainly: modern software is assembled more than it is written. That is a fact rather than an opinion. Industry estimates put the share of software containing open-source components at anywhere from 70% to nearly 100%, and that code is attacked directly in incidents large and small. It is a huge, shifting attack surface that everyone should be watching and working on.

Assembling code inevitably creates dependencies, both direct and transitive, and they reach well beyond the code itself: the team integrating a component also needs to understand how it is run, tested and maintained in order to manage those dependencies effectively.


There is no escaping today's reality: almost every organization relies on open-source software to run its operations. That has driven demand for better ways to assess risk, catalog usage, track impact, and make informed decisions about open-source components before, during and after they are integrated into a software stack.

Components of Success and Building Trust

Open source is not only a technology issue; it is also a process issue and a people issue. It touches everyone from top-level executives and CISOs to policymakers and developers, and building trust across these groups through transparency, collaboration and communication is vital. The software bill of materials (SBOM) has become one of the primary tools for building that trust, and it gained prominence after President Biden's May 2021 executive order on cybersecurity.

Organizations that have adopted SBOMs report tangible, measurable results in asset management, in how quickly vulnerabilities are addressed, and in software life-cycle management. The SBOM has since spawned further bills of materials: DBOM (data) and HBOM (hardware), which seem to be gaining traction, as well as PBOM (pipeline) and CBOM (cybersecurity). Many hope the BOM movement will lead to a uniform, systematic way of thinking about and approaching the problem, but only time will tell whether the benefits outweigh the heavy burden it places on developers.
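To show concretely what an SBOM that includes transitive dependencies buys a defender, here is an added Python example (not the article's code and not any SBOM tool's): it resolves a constructed dependency graph, emits a minimal CycloneDX-style component list, and matches it against a constructed advisory list, reporting the path by which each vulnerable package was pulled in. Package names, versions, advisory identifiers and the "example:path" property are assumptions made for illustration.

```python
"""Added example: build a minimal CycloneDX-style SBOM from a dependency
graph (transitive deps included) and match it against advisories.
All packages, versions and advisories are constructed."""
from collections import deque

# Constructed package registry: name -> {version: [dependency names]}
REGISTRY = {
    "webapp-shop":  {"1.0.0": ["http-kit", "yaml-load"]},
    "http-kit":     {"3.2.1": ["url-norm", "tls-shim"]},
    "yaml-load":    {"5.3.0": []},
    "url-norm":     {"1.8.2": ["idna-compat"]},
    "tls-shim":     {"0.9.0": []},
    "idna-compat":  {"2.0.0": []},
}

# Constructed advisories: versions below `fixed_in` are affected.
ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "package": "idna-compat", "fixed_in": "2.1.0"},
    {"id": "EXAMPLE-2023-0002", "package": "yaml-load", "fixed_in": "5.3.0"},
]


def parse_version(v: str) -> tuple:
    """Dotted numeric version to a comparable tuple (assumes x.y.z form)."""
    return tuple(int(x) for x in v.split("."))


def resolve(root: str, registry: dict) -> dict:
    """Breadth-first walk of the dependency graph. Returns
    {name: (version, path_from_root)} including transitive packages."""
    root_version = next(iter(registry[root]))
    seen = {root: (root_version, [root])}
    queue = deque([root])
    while queue:
        name = queue.popleft()
        version, path = seen[name]
        for dep in registry[name][version]:
            if dep not in seen:
                dep_version = next(iter(registry[dep]))
                seen[dep] = (dep_version, path + [dep])
                queue.append(dep)
    return seen


def build_sbom(root: str, registry: dict, ecosystem: str = "generic") -> dict:
    """Minimal CycloneDX-style document; the 'example:path' property is an
    assumed custom property recording how the component was pulled in."""
    resolved = resolve(root, registry)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"type": "library", "name": name, "version": version,
             "purl": f"pkg:{ecosystem}/{name}@{version}",
             "properties": [{"name": "example:path", "value": " > ".join(path)}]}
            for name, (version, path) in resolved.items() if name != root
        ],
    }


def find_vulnerable(sbom: dict, advisories: list) -> list:
    """Match SBOM components against advisories. Returns (id, purl, path)."""
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            if (comp["name"] == adv["package"]
                    and parse_version(comp["version"]) < parse_version(adv["fixed_in"])):
                hits.append((adv["id"], comp["purl"], comp["properties"][0]["value"]))
    return hits


if __name__ == "__main__":
    sbom = build_sbom("webapp-shop", REGISTRY)
    for hit in find_vulnerable(sbom, ADVISORIES):
        print("VULNERABLE:", hit)
```

The hit names idna-compat, a package the application never imports directly; the recorded path shows it arrived via http-kit and url-norm, which is the information a team needs to decide whether to upgrade, pin or replace a direct dependency. yaml-load sits exactly at its fixed version and is correctly not flagged.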

Several policies and collaborations aim to strengthen the security of open-source software, including the Securing Open Source Software Act, the Supply-chain Levels for Software Artifacts (SLSA) framework and the NIST Secure Software Development Framework (SSDF). A common goal, making software supply chains secure by default, has brought the whole community together.

There is an overt focus on the downside of open-source code: its potential for manipulation, attack and exploitation. That is driving efforts to mitigate the associated risks through development process, analysis and tooling, with a great deal of effort going into keeping malicious components out of the build in the first place.

This introspection around software development, the software development life cycle (SDLC) and the supply chain in general has already benefited the community, and open source itself is a big part of the answer to securing open source. The continuous integration/continuous delivery (CI/CD) pipelines developers rely on lean heavily on open-source tools to integrate critical security controls during development. OpenSSF Scorecard, which scores projects automatically, and the OpenSSF Secure Supply Chain Consumption Framework (S2C2F), a consumption-focused framework for protecting developers against real-world OSS supply-chain threats, are just two promising initiatives that will help teams assembling software.

Bringing our Strengths Together Makes us Stronger

Open-source software has already changed the game, and it continues to do so. It has changed the way software is developed all over the world, shortened product development time, reduced development costs and stimulated innovation.

While it can be argued that this has improved security in the long run, work remains to be done. Making the world safer takes a village: we must share ideas and best practices across our communities to build a more secure world.

After a Cybersecurity Incident, the Indigo Website is Still Offline

Indigo's website is still down almost a week after what appears to be a cyberattack. This left the retailer with more questions than answers, leaving customers wondering what could have happened. 

It appears that the bookseller's website, which was listed on the TSX, turned dark on Wednesday, February 8. If you were trying to make a return or purchase an item using a debit, credit, or gift card and needed to do so, Indigo's brick-and-mortar stores were unable to process your transaction, which left you with no choice but to return or purchase an item using cash. 

It was reported to the company within a few hours that it had encountered a cyber security issue. The company communicated with its customers via its social media channels in the aftermath. 

During the weekend, the company had been making progress in restoring most physical store functionality, except for the ability to process returns as part of its response to the incident, which included changing the in-store payment technology.  

Although the website has been down for almost a week, the site remains down as of Tuesday afternoon. 

This is bad news for the business since it means that any online sales in the future will not be able to be processed. There are also problems for customers, like Gabriel Lee, who ordered a gift for his girlfriend online last week and was supposed to have it delivered by last Friday. However, on Valentine's Day, he is still waiting to hear when it will be delivered, and there is no indication as to when that might happen.   

He told CBC News in an interview that he does not believe there's any way to tell if the release will be this week or next week.  

On Tuesday, it was announced on social media that Indigo had not compromised the financial information of its customers, including their credit and debit cards. 

As CBC News reports in a report released on Thursday, several cybersecurity companies interviewed by CBC News claim that the incident looks like what is known as a ransomware attack from what the company has said about what has happened. When hackers attack a company's internal systems and disable them, they then demand a ransom to undo the damage that has been done to the company's internal systems. 

This issue is getting worse all the time. In 2021, when up-to-date data is available for the most recent year for which data is currently available, according to Statistics Canada, ransomware attacks accounted for 11 percent of all cyber security incidents. 

It is Becoming Increasingly Problematic 

A recent high-profile victim of ransomware was the grocery chain Sobeys. In November, the chain was hacked into and its pharmacies were inaccessible for four days as a result of the ransomware attack. Other in-store functions, like self-checkout machines, gift card redemption, and loyalty point redemption, were not functioning for about a week due to the outage of these functions. 

This incident cost the company about $25 million according to the company's most recent quarterly earnings report. 

As a cybersecurity expert, Cat Coode believes that Indigo is probably a victim of something similar that has created a potentially harmful situation. There is a substantial amount of evidence that indicates the outage was caused by something external, according to her. A major reason for this is the sheer number of systems that have to be integrated, both in-store and online. This might include inventory management and payment systems. 

The analysis of the two separate and distinct systems that were taken down indicates that this was a malicious attack and not an accident that occurred inside the organization. The fact that Cat Coode and her team saw two different systems down is a very strong indication. 

Whatever the cause, the length of the outage depends on it, and the longer the outage, the more extensive the damage will be, said Daniel Tsai, a lecturer in the Department of Law and Business Technology at Toronto Metropolitan University and the University of Toronto, who has analyzed the issue in depth. 

He said in an interview that an outage of this kind would have a significant impact on Indigo's sales and reputation, because consumers care about the reliability of a website and will not return if they cannot use it. The longer the situation continues, the stiffer the penalty. 

Even though Coode believes the retailer is likely the victim of a ransomware attack, that does not necessarily mean sensitive consumer information, such as credit card details, was stolen. 

Since there has been no announcement of a data breach, it appears that no one has taken information out of the company, she said. 

"There has been no breach, but the minute the word 'breach' is mentioned, you set off the alarm: you have to notify the privacy commissioner immediately." 

According to a fact sheet from the Office of the Privacy Commissioner of Canada (OPC), Canadian companies that suffer a cybersecurity breach involving the theft of customer data must notify the OPC "as soon as reasonably feasible." 

A spokesperson for the organization said on Friday that he could not provide further information at this time. 

Indigo spokesperson Melissa Perri said in a statement on Tuesday that the company is working with third-party experts to investigate the incident and determine whether any customer data has been exposed.

Consenting to Cookies is Not Sufficient

While most companies spend a great deal of time implementing cookie consent notices, privacy-related lawsuits and regulatory developments keep growing in number and size. Unsurprisingly, these notices rarely protect either companies or their customers.  

Transparency is undeniably worthwhile. But companies remain exposed to threats that are often beyond their direct control.   

The recent lawsuits over the Meta Pixel, which have affected many U.S. healthcare companies and physicians, are a prime example.    

The root of the problem is how websites are designed and built. Apart from a few of the largest tech companies, nearly every website is assembled from third-party cloud services: CRM, analytics, form builders, and advertising trackers that piggyback on those functions. These third parties have a great deal of autonomy over what they collect and where it goes, and they are not properly regulated. 

Many kinds of tracking pixels exist, and most serve a purpose: marketers use the data to target advertisements at potential customers and to measure how effectively those ads reach them. But the same trackers also collect highly specific personal data, which is then folded into existing data profiles. 
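The practical first step is to find out which third-party origins a page actually contacts, because every one of them receives at least the page URL, and on a healthcare site that URL often names the condition being researched. The script below is an added example, not code from the original post: it scans a constructed sample page for script, image, iframe and link resources and sorts them into first-party, third-party and known tracker hosts. The clinic page and the example-* hosts are invented for the demo; connect.facebook.net is the real host of the Meta Pixel loader, and www.facebook.com/tr is the pixel's image fallback.

```javascript
// Added example: audit which third-party origins a page will contact, given its
// HTML. A regex scan is used instead of a DOM parser so it runs under plain Node.js.

// Constructed sample page for a fictional clinic. All URLs are assumptions for
// the demo except the two Facebook hosts, which the Meta Pixel really uses.
const SAMPLE_HTML = `
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://connect.facebook.net/en_US/fbevents.js"></script>
  <script src="https://cdn.example-analytics.com/tag.js"></script>
  <link rel="stylesheet" href="https://fonts.example-cdn.net/main.css">
</head><body>
  <img src="https://www.facebook.com/tr?id=123&ev=PageView&noscript=1" width="1" height="1">
  <img src="/images/logo.png">
  <iframe src="https://forms.example-forms.io/embed/contact"></iframe>
</body></html>`;

// Hosts whose presence means the page URL goes to an ad platform.
// This deny list is an assumption for the demo; extend it with your own.
const KNOWN_TRACKERS = new Set(['connect.facebook.net', 'www.facebook.com']);

// Pull every src/href value out of script, img, iframe and link tags.
function extractResourceUrls(html) {
  const re = /<(script|img|iframe|link)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const urls = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    urls.push({ tag: m[1].toLowerCase(), url: m[2] });
  }
  return urls;
}

// Resolve each URL against the page URL and classify it by host.
function auditThirdParties(html, pageUrl) {
  const page = new URL(pageUrl);
  const report = { firstParty: [], thirdParty: [], trackers: [] };
  for (const { tag, url } of extractResourceUrls(html)) {
    const abs = new URL(url, pageUrl);
    if (abs.host === page.host) {
      report.firstParty.push(abs.href);
      continue;
    }
    // Every host listed here receives the referring page URL at minimum.
    report.thirdParty.push({ tag, host: abs.host });
    if (KNOWN_TRACKERS.has(abs.host)) report.trackers.push(abs.host);
  }
  return report;
}

// The page path itself names a medical condition, which is exactly what leaks.
function demo() {
  return auditThirdParties(SAMPLE_HTML, 'https://clinic.example.org/conditions/diabetes');
}

console.log(JSON.stringify(demo(), null, 2));
```

On the sample page the report lists five third-party hosts, two of which are Meta Pixel endpoints; run the same scan against a real page's saved HTML to see what a cookie banner never tells you. It only catches static markup, so scripts that inject further tags at runtime still need a network-level check such as the browser's developer tools or a content security policy report.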

Financial and Healthcare Data are Being Misused 

The risks of visiting a healthcare website are far higher than for most other websites. You would not want Facebook to learn which medical conditions you are researching, nor have that information added to your social graph. The crux of these lawsuits is that Protected Health Information (PHI) is protected by HIPAA (the Health Insurance Portability and Accountability Act), and the tracking described above violates it. Looking at digital advertising through the lens of healthcare shows just how troubling this kind of tracking can be.   

The same applies to financial services. If an unauthorized party gains access to personally identifiable information (PII) or financial data such as Social Security numbers or credit card numbers, and that data is mishandled, the consequences can be dire. Privacy is a matter of safety: details of your private life should stay private for good reasons, and modern advertising practices do not mesh well with that.   

Beyond the Meta Pixel case, two other recent lawsuits show how complex and broad the problem is, and how far it extends.  

Analyzing Sensitive Data From a Different Perspective 

In a recent lawsuit, Oracle was accused of using the 4.5 billion records it holds as a proxy for tracking sensitive consumer data that people had deliberately chosen not to share with any third party. For comparison, the global population is about 8 billion. Re-identification of de-identified data is nothing new, but this case illustrates why gathering all these data points matters, however random they may seem: with enough of them, whoever holds the data, Oracle or anyone who obtains it, can infer most of the details of a person's life with astonishing accuracy. And the data will end up being used that way. 

In another recent case, web testing tools were used to record users' sessions on a website so that the operator could see how well users navigated the site as they worked through its steps. Web developers and marketers very commonly use such tools to make their user interfaces more usable. 

In short, some companies are being accused of wiretapping because they use these tools, which can transmit a considerable amount of information without the user's knowledge and, often, without the website owner's knowledge either. That may seem inconceivable, and like a minor issue, but the problem becomes clear once you look at it through the lens of sensitive data.
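To make the wiretapping concern concrete, the block below is an added example, not code from the original post or from any particular replay product. It shows a constructed event stream of the kind a session-recording script queues for upload, then a redaction pass a site owner can run before anything leaves the browser: sensitive form values are masked, and query strings and fragments are stripped from recorded URLs. The event shape, field names and deny list are assumptions; most replay libraries expose comparable masking options, and the point is to verify they are actually on.

```javascript
// Added example: what a session-recording script captures, and a redaction pass
// to apply before the events are transmitted. Event shape is an assumption.

// Constructed sample of what a replay tool might queue for upload.
const RECORDED_EVENTS = [
  { type: 'navigate', url: 'https://clinic.example.org/intake?condition=hiv&ref=ad' },
  { type: 'input', field: { name: 'full_name', type: 'text' }, value: 'Jane Doe' },
  { type: 'input', field: { name: 'ssn', type: 'text' }, value: '123-45-6789' },
  { type: 'input', field: { name: 'card_number', type: 'text' }, value: '4111111111111111' },
  { type: 'input', field: { name: 'password', type: 'password' }, value: 'hunter2' },
  { type: 'click', selector: 'button#submit' },
];

// Field names that must never be transmitted in clear, matched as substrings,
// case-insensitively, so "billing_card_number" is caught too. Demo deny list.
const SENSITIVE_NAME_PARTS = ['ssn', 'social', 'card', 'cvv', 'password', 'dob', 'diagnosis'];
const SENSITIVE_TYPES = new Set(['password', 'tel', 'email']);

function isSensitiveField(field) {
  const name = (field.name || '').toLowerCase();
  return SENSITIVE_TYPES.has(field.type) ||
    SENSITIVE_NAME_PARTS.some(part => name.includes(part));
}

// Keep the length (useful for replaying layout) but not the content.
function maskValue(value) {
  return '*'.repeat(value.length);
}

// Drop the query string and fragment: that is where condition names and
// campaign parameters usually ride along with the URL.
function stripUrl(url) {
  const u = new URL(url);
  u.search = '';
  u.hash = '';
  return u.href;
}

// Return a new event list; the original is left untouched for comparison.
function redactEvents(events) {
  return events.map(ev => {
    if (ev.type === 'navigate') return { ...ev, url: stripUrl(ev.url) };
    if (ev.type === 'input' && isSensitiveField(ev.field)) {
      return { ...ev, value: maskValue(ev.value) };
    }
    return ev;
  });
}

// How many events the pass changed: a cheap audit metric for a unit test.
function countRedactions(before, after) {
  return before.filter((ev, i) => JSON.stringify(ev) !== JSON.stringify(after[i])).length;
}

const REDACTED = redactEvents(RECORDED_EVENTS);
console.log(JSON.stringify(REDACTED, null, 2));
```

On the sample stream four of the six events are altered: the intake URL loses its condition parameter, and the SSN, card number and password are masked, while the name and the click pass through unchanged. Whether a name should also be masked is a policy decision for the site; the mechanism is the same.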