Search This Blog

Showing posts with label Data. Show all posts

Bitter APT and Transparent Tribe Campaigns on Social Media

 

Facebook's parent company, Meta, has recently shut down two cyberespionage efforts on its social networking networks. Bitter APT and Transparent Tribe threat groups were behind these campaigns. Both groups have been based in South Asia.

About Bitter APT:

The first group discovered was Bitter APT or T-APT-17, which targeted firms in the government, engineering, and energy industries. The group used social engineering against targets in India, the United Kingdom, New Zealand, and Pakistan.

To install malware on target devices, it exploited a combination of hijacked websites, URL shortening services, and third-party file hosting companies. To interact with and fool their victims, the hackers impersonated activists, journalists, and young women. Bitter also utilised Dracarys, a new Android malware that exploits accessibility services.

Transparent Tribe

Transparent Tribe, also known as APT36, is less complex than Bitter APT. It employs social engineering techniques as well as widely available malware. Its most recent campaign targeted citizens in India, Pakistan, Afghanistan, Saudi Arabia, and the United Arab Emirates. 

Human rights advocates and military officials were the primary targets of the campaign. The hackers pretended to be recruiters for bogus and real firms, as well as young ladies and military personnel.

In conclusion

Social media has become a playground for cybercriminals of all sorts. Cyberspies utilise these platforms to gather intelligence and lure victims to external sites where malware may be downloaded. As a result, users are advised to exercise caution while befriending strangers online.

Google Fined $60M+ for Misleading Australians About Collecting Location Data

 

Google was fined $60 million by the Australian Competition and Consumer Commission (ACCC) for deceiving Australian Android users about the collection and utilization of their location data for over two years, between January 2017 and December 2018. 

According to the Australian Competition watchdog, the tech giant continued to follow some of its customers' Android phones even after they deleted "Location History" in the device's settings. While consumers were misled to believe that option would deactivate location tracking, another account setting, "Web & App Activity," which was enabled by default, allowed the firm to "collect, retain, and use personally identifiable location data." 

According to the ACCC, based on available data, more than 1.3 million Australian Google accounts have been impacted. 

"Google, one of the world's largest companies, was able to keep the location data collected through the 'Web & App Activity' setting and that retained data could be used by Google to target ads to some consumers, even if those consumers had the "Location History" setting turned off," stated ACCC Chair Gina Cass-Gottlieb. 

"Personal location data is sensitive and important to some consumers, and some of the users who saw the representations may have made different choices about the collection, storage and use of their location data if the misleading representations had not been made by Google." 

In October 2019, Australia's competition watchdog initiated proceedings against Google. The Australian Federal Court ruled in April 2021 that Google had violated the Australian Consumer Law by deceiving customers regarding the gathering and use of their location data. 

By 20 December 2018, Google has taken corrective action and resolved all faults that had led to this fine, with users no longer being shown deceptive information implying that halting location history will stop collecting information about the areas they go with their devices. 

"Companies need to be transparent about the types of data that they are collecting and how the data is collected and may be used so that consumers can make informed decisions about who they share that data with," Cass-Gottlieb added.

Reddit Enabled Attackers to Perform Mod Actions due to IDOR Flaw

 

Due to a vulnerability in Reddit, attackers were able to execute moderator activities or elevate normal users to mod status without the necessary authorization.  Since Reddit admins have the ability to pin or remove content, block other users, and modify subreddit metadata, the weakness may have allowed for all sorts of mischief. 

According to a recent HackerOne report, a bug researcher with the handle 'high ping ninja' discovered that while attempting to access the mod logs using GraphQL, Reddit failed to validate if the user was a moderator of a certain subreddit. 

“You can change the parameter subredditName to any target subreddit name which is public or restricted and get access to mod logs of that subreddit,” they explained. 

On August 3, an insecure direct object reference (IDOR) flaw was reported and patched on the same day. Insecure direct object references (IDOR) are a form of access control vulnerability that occurs when an application directly accesses objects using user-supplied data. 

The word IDOR gained popularity after appearing in the OWASP Top Ten in 2007. It is, however, simply one of several access control implementation errors that can lead to access restrictions being evaded. IDOR vulnerabilities are most often connected with horizontal privilege escalation, although they can also occur with vertical privilege escalation. 

“I increased severity to high based on our program policy,” a member of the Reddit triage team said in the disclosure notes. The researcher received a $5,000 bug reward for his discovery.

Hacker Uses New RAT Malware in Cuba Ransomware Attacks

 

A member of the Cuba ransomware operation is using previously unknown tactics, methods, and procedures (TTPs), such as a novel RAT (remote access trojan) and a novel local privilege escalation tool. 

Researchers at Palo Alto Networks Unit 42 dubbed the threat actor 'Tropical Scorpius,' and he is most certainly an associate of the Cuba ransomware operation. In Q1 2022, Cuba ransomware received a slight version, including a modified encryptor with more nuanced choices and the addition of quTox for live victim help. 

Tropical Scorpius, on the other hand, represents a change in tactics, perhaps making the Cuba operation more risky and obtrusive. Tropical Scorpius employs the standard Cuba ransomware payload, which has remained essentially unchanged from the operation's inception in 2019. 

Since June 2022, one of the new ways has been leveraging a legal but invalidated NVIDIA certificate stolen and released by LAPSUS to certify a kernel driver dropped during the early stages of an infection. The driver's job is to find and stop processes associated with security products in order to assist threat actors in evading discovery in the compromised environment. 

Tropical Scorpius then downloads a local privilege escalation tool that includes an attack for CVE-2022-24521, a flaw in the Windows Common Log File System Driver that was resolved as a zero-day in April 2022.

According to Unit 42, the hackers used an exploitation approach that appears to have been inspired by security researcher Sergey Kornienko's extensive write-up. Tropical Scorpius then downloads ADFind and Net Scan to accomplish lateral movement. This is also the time when the threat actor introduces a new tool capable of retrieving cached Kerberos credentials.

Another innovative approach discovered by Unit 42 researchers is the use of a ZeroLogon hack tool to get DA (domain administrator) credentials by exploiting CVE-2020-1472. Finally, Tropical Scorpius deploys "ROMCOM RAT," previously unknown malware that handles C2 connections through ICMP queries sent via Windows API calls.

ROMCOM RAT supports the following 10 commands:
  • Return connected drive information
  • Return file listings for a specified directory
  • Start up a reverse shell under the name svchelper.exe within the %ProgramData% folder
  • Upload data to C2 as ZIP file, using IShellDispatch to copy files
  • Download data and write to worker.txt in the %ProgramData% folder
  • Delete a specified file
  • Delete a specified directory
  • Spawn a process with PID Spoofing
  • Only handled by ServiceMain, received from C2 server and instructs the process to sleep for 120,000 ms
  • Iterate through running processes and gather process IDs
On June 20, 2022, Tropical Scorpius created a fresh version of ROMCOM and uploaded it for testing on VirusTotal, which referred to the same C2 address (hardcoded). The second version introduced ten new commands to the current ten, providing more complex execution, file upload, and process termination options for remote activities. Furthermore, the updated version allows you to get other payloads from the C2, such as a desktop snapper named "Screenshooter."

The introduction of Tropical Scorpius and its new TTPs implies that Cuba ransomware is becoming a more serious threat, even if the specific RaaS isn't the most prevalent in terms of victim count. Cuba, on the other hand, has chosen to keep a low profile and employ a gentler double-extortion strategy, thus the real number of victims is unclear.

Since June 2022, the group has published the stolen data of four victims on the Onion site's "free" area, although their "paid" offers haven't been updated in a long time. Given the time necessary for negotiation and extortion, the outcomes of the 'Tropical Scorpius' update may be seen in the second half of the year.


Sneak Peek: Hive’s RaaS Techniques

 

With the average ransomware pay-out expected to reach $541,010 in 2021 and some affiliates earning up to 80% of each ransom payment, it's no wonder that RaaS setups are claimed to assist nearly two-thirds of ransomware operations. 

Indeed, service providers, such as Hive, are giving threat actors a head start in their criminal careers. Hive is a new RaaS group that was discovered in June 2021. However, its aggressive tactics and frequent variation improvements have turned it into a powerful opponent in the space. While other ransomware operators, like as REvil, dominated news in its first year, 

Hive gained prominence in November 2021 by hitting Media Markt, Europe's largest consumer electronics shop.The attack piqued the interest of the RaaS industry, causing the platform's victim count to soon rise into the hundreds, with the bulk of these victims being IT and real estate enterprises in the United States. 

How Hive Set Up a "Sales Department" 

The Menlo Labs research team examined interactions between the Hive ransomware gang and some of its victims in order to better comprehend this new and formidable RaaS group. Hive ransomware exploits a variety of attack vectors, including hijacked VPN credentials, weak RDP servers, and phishing emails with a Cobalt Strike payload. The examined programme was highly active, with attackers using the Hive platform putting considerable pressure on their targets. 

The Labs team discovered that Hive provides compromised victims a unique identification before encrypting their data, generally during unsociable hours, after reviewing some of the network traffic. Once this is accomplished, information about the victim is released on Hive's dark web data leak sites (DLS). The victim is then emailed an automatically created ransom letter with a link to the website, login credentials, and a call to action to contact Hive's "sales department." 

When the victim logs in, a live chat between the victim and a Hive admin is opened, during which the ransom is sought - generally in the form of Bitcoin - in return for a decryptor, a security report, and a file tree highlighting exactly what was stolen.

Hive was utilising malware written in Golang by its developers at the time the communications were reviewed by the Menlo Labs team, with the samples acquired being obfuscated to prevent detection and analysis.

However, Microsoft has now announced that Hive has produced a new variation that uses a different programming language, switching from Golang to Rust. The migration is expected to give Hive with various benefits that Rust has over other programming languages, including the use of string encryption as a strategy to make it more elusive.

Surprisingly, the new variant will also employ a different cryptographic technique.While the Golang variation embeds one encrypted key in each file it encrypts, the Rust variant has been proven to construct two sets of keys in memory, use them to encrypt the files, and then save the sets to the root of the disc it encrypts, both with the.key extension. While the new variant's key set creation differs from the previous set examined by the Menlo Labs team, its file encryption is remarkably comparable.

With these changes, the Hive danger is projected to grow much more. As a result, enterprises must prepare to battle RaaS and ransomware more extensively in the future.

Massive China-Linked Disinformation Campaign Taps PR Firm for Help

 

Security experts have discovered another Chinese information operation that is attempting to improve the country's image overseas by utilising a large number of fake news sites and social media assets. 

The content, which is available in 11 languages, tries to win hearts and minds over to Beijing's way of thinking by undermining criticism of the Xinjiang genocide and the deterioration of democracy in Hong Kong. 

According to Mandiant, among the Communist Party opponents targeted in the campaign are Chinese billionaire Guo Wengui and German anthropologist Adrian Zenz, who is known for his study on Uyghur oppression. The campaign's most striking feature is that it appears to leverage infrastructure owned by local public relations business Shanghai Haixun Technology, a company that promotes "positive thinking." 

According to Mandiant in a blog post, the word "positive energy" is particularly loaded in China since it is frequently used by the Xi Jinping government to refer to communications that reflect Beijing positively. As a result, Mandiant dubbed the information operations effort "HaiEnergy." 

“While we do not currently have sufficient evidence to determine the extent to which Haixun is involved in, or even aware of HaiEnergy, our analysis indicates that the campaign has at least leveraged services and infrastructure belonging to Haixun to host and distribute content,” the firm explained. 

“In total, we identified 72 websites (59 domains and 14 subdomains) hosted by Haixun, which were used to target audiences in North America, Europe, the Middle East and Asia.” 

The campaign has solely relied on Haixun's internet infrastructure to post information and host websites. In reality, those sites share significant commonalities, indicating a coordinated strategy, including: 
  • Nearly all the English language sites are built with a Chinese-language HTML template
  • Several of the sites that include a domain and subdomain are disguised to appear as different, independent sites
  • Many of the sites link directly to other sites in the network
  • The same articles are often published across multiple sites
If Haixun is actively involved in this effort, it would be a continuation of a pattern in which threat actors utilise "info ops for hire" organisations to perform their dirty work, according to Mandiant. The one advantage is that it does not appear to have paid off on this occasion.

“We note that despite the capabilities and global reach advertised by Haixun, there is at least some evidence to suggest HaiEnergy failed to generate substantial engagement,” the report concluded.

“Most notably, despite a significantly large number of followers, the political posts promoted by inauthentic accounts we attribute to this campaign failed to gain much traction outside of the campaign itself.”

Hacker Offers 5.4 million Twitter Account Details for $30,000

 

A threat actor acquired data from 5.4 million Twitter accounts by exploiting a now-patched vulnerability in the popular social networking site. Hacker is currently selling the stolen information on the prominent hacker site Breached Forums. 

In January, a Hacker report claimed the discovery of a vulnerability that may be used by an attacker to identify a Twitter account using the linked phone number/email, even if the user has elected to avoid this in the privacy settings. 

“The vulnerability allows any party without any authentication to obtain a Twitter ID(which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account,” reads the description in the report submitted by Zhirinovskiy via bug bounty platform HackerOne. 

“This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number but an attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities” Twitter acknowledged the vulnerability and rewarded Zhirinovskiy with a $5,040 prize. 

The website Restore Privacy uncovered the advertising for the massive data trove on Breached Forums. A hacker has published a database of 5.4 million Twitter users. 

Database of 5.4 million Twitter users

According to the seller, the database comprises data (email addresses and phone numbers) from people ranging from celebrities to businesses. The vendor additionally included a data sample in the form of a csv file. 

“A few hours after the post was made, the owner of Breach Forums verified the authenticity of the leak and also pointed out that it was extracted via the vulnerability from the HackerOne report above.” reads the post published by RestorePrivacy. 

“We downloaded the sample database for verification and analysis. It includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account.” 

The seller told RestorePrivacy that he is asking for at least $30,000 for the entire database.

Neopets Hacked, 69 Million Accounts Potentially Breached

 

The virtual pet website Neopets has announced that it has been hacked. JumpStart Games, as announced yesterday on Twitter and the official forums, is requesting that all 69 million accounts reset their passwords. 

"Neopets recently became aware that customer data may have been stolen," reads the official Twitter announcement. "We immediately launched an investigation assisted by a leading forensics firm. We are also engaging law enforcement and enhancing the protections for our systems and our user data." 

The hacker responsible, as first reported by Neopets community site JellyNeo (via Polygon), has been found offering the whole Neopets database and source code for 4 Bitcoins (approximately $100,000). For an extra cost, the hacker would provide live access to the database. It's unclear whether this hack involves credit card information. Neopets charges a fee to eliminate adverts from the site and gain access to the forums and other premium services. In-game cash called NeoCash is also utilised for numerous microtransactions. 

Neopets, which debuted in 1999, were a brief phenomenon. Neopets, a website where players take care of a virtual pet, soon grew to millions of users, with original developer Adam Powell selling the service to Viacom for $160 million in 2005. Viacom eventually sold the site to JumpStart Games, which still owns it. The Neopets themselves require frequent food and care, yet even if neglected, they will not perish. 

One may also take them on a tour to Neopia (the Neopets world), where they and their Neopet can participate in a variety of minigames and enjoy the site's comprehensive social features. Although it is no longer at its peak, Neopets still has a committed user base. This isn't the first time that Neopets has been compromised. In 2016, a similar data breach compelled all Neopets users to change their passwords. 

This current attack is also unlikely to help the site's tattered reputation, especially in light of the recent announcement of the Neopets Metaverse Collection, a new NFT initiative that fans have slammed as a brazen cash grab.

Predatory Sparrow's Assault on Iran's Steel Industry

 

Predatory Sparrow, also known as Gonjeshke Darande, has accepted full responsibility for last month's cyberattacks on various Iranian steel factories and has now posted the first batch of top-secret papers on its Twitter account. 

The group distributed a cache of around 20 terabytes of data. It includes company paperwork revealing the steel plants' links to Iran's strong Islamic Revolutionary Guard Corps. The group stated in a series of tweets in both English and Persian that the cache was only the beginning of what will be disclosed. 

While claiming responsibility for the June 27 attack, the group also posted a photo and video purportedly showing damage to equipment at the state-owned Khouzestan Steel Company, one of Iran's biggest steel manufacturing factories. Although both the steel firm and the Iranian government denied any serious impact, sources suggest that the attack hampered industrial operations. 

The Predatory Sparrow group explained that the attacks were carried out with caution in order to safeguard innocent people. The group also stated that the hacks were in reaction to the Islamic Republic's actions. The group goes on to say that the enterprises were targeted by international sanctions and that they will continue to operate despite the limitations. 

Regardless of Predatory Sparrow's insistence that the attacks are autonomous, it is suspected that the Israeli government is supporting the hacktivist group, given the sophistication of the operation, the nature of the attacks, and the message preceding, during, and after what looks to be an attack. Aside from the steel facilities attack, the Predatory Sparrow group has claimed responsibility for other digital attacks on key Iranian targets, including the one that crippled Iran's state-controlled gasoline distribution in October 2021 and the one that hit the Iranian railway system in August 2021. While the Iranian government continues to deny the group's accusations, each cyber strike raises new concerns.

ATC Healthcare, Community of Hope & The People Concern Disclose Data Breaches

 

ATC Healthcare in New York made a news statement disclosing a breach in December 2021. Their press statement is not as clear or extensive as an updated notice on their website, thus this description is based on the website notice: 

ATC noticed strange behaviour with various staff email accounts on December 22, 2021. The email accounts were accessed without authorisation at various occasions between February 9, 2021, and December 22, 2021, according to the investigation. 

At the time of the incident, the compromised email accounts contained the following data: names, Social Security numbers, driver's licence numbers, financial account information, usernames and passwords, passport numbers, biometric data, medical information, health insurance information, electronic/digital signatures, and employer-assigned identification numbers. 

As is typically the case, investigators were unsure exactly what data had been accessed, thus notifications were made to all individuals who may have been affected. They do not appear to be providing any free services and highlight that there is no conclusive proof that any data was read, copied, or exfiltrated. 

Community of Hope D.C. (COHDC) 

COHDC learnt of a data security problem involving unauthorised access to one of its employees' email accounts on February 7, 2022. According to reports, the issue was uncovered after the account's authorised user saw spam messages being sent from the account. 

An investigation indicated that between January 27 and February 7, 2022, an unauthorised actor may have accessed specific files and data housed within a single Outlook 365 email account. Individuals' Social Security numbers, driver's licence numbers, financial information, health insurance information, and health diagnostic information may have been obtained. COHDC appears to have made arrangements with IDX to assist and serve the individuals affected. The complete notification is available on the COHDC website.   

The People Concern 

The People Concern (TPC) in California discovered that an unauthorised user accessed workers' email accounts on various days between April 6, 2021, and December 9, 2021, however, they do not identify when they initially detected an issue. 

As in previous incidents, investigators were unable to identify whether emails or data in the email accounts were accessed. TPC gathers information on community members and staff such as their name, date of birth, Social Security number, health insurance information, and medical information about the care they may have gotten in one of their programmes. TPC is giving IDX services to people whose SSN or driver's licence information may have been compromised. 

Advocates, Inc. 

Advocates, Inc. in Massachusetts published a news release on June 28. 

"According to the release, on October 1, 2021, Advocates was informed that Advocates' data had been copied from its digital environment by an unauthorized actor. Investigation revealed that an unknown actor gained access to and obtained data from the Advocates network between September 14, 2021, and September 18, 2021. The unauthorized individual was able to acquire personal and protected health information including name, address, Social Security number, date of birth, client identification number, health insurance information, and medical diagnosis or treatment information."

A further look at their website notice suggests that the identification of additional impacted persons was ongoing until June. As they put it:

"Advocates is not aware of any evidence of the misuse of any information potentially involved in this incident. However, beginning on January 3, 2022, Advocates mailed notice of this incident to potentially impacted individuals for which Advocates had identifiable address information. Advocates then worked diligently with experts to review the impacted data set and identify any additional potentially impacted individuals with address information. That process was completed on June 9, 2022, and on June 28, 2022, Advocates provided notice of this incident to those individuals."

Latest Phishing Campaign Deploys Malware and Steals Critical Information

A phishing campaign on a massive scale is targeting Windows PC and wants to deploy malware that can hack usernames, passwords, contents of the crypto wallets, and credit card credentials. Malware named RedLine Stealer is provided as a malware-as-a-service scheme, giving amateur level cybercriminals the option to steal various kinds of critical personal information, for amounts as much as $150. The malware first surfaced in 2020, but RedLine recently added a few additional features and is widely spread in large-scale spam campaigns in April. 

The phishing email campaign includes a malicious attachment which, if active, starts the process of deploying malware. Hackers target users (mostly) from Europe and North America. The malware uses CVE-2021-26411 exploits discovered in Internet Explorer to send the payload. The vulnerability was revealed last year and patched, to limit the malware's impact on users who are yet to install the security updates. Once executed, RedLine Stealer does starting recon against the target system, looking for information that includes usernames, the type of browser that the user has, and if an antivirus is running in the system. 

After that, it finds information to steal and then extracts passwords, credit card data, and cookies stored in browsers, crypto wallets, VPN login credentials, chat logs, and information from files. Redline can be bought from the dark web, hackers are offered services on different hierarchical levels, this shows how easy it has become to buy malware. Even noob hackers can rent the software for $100 or get a lifetime subscription for $800. 

The malware is very simple, but very effective, as it can steal vast amounts of data, and inexperienced hackers can take advantage of this. ZDNet reports "it's possible to protect against Redline by applying security patches, particularly for Internet Explorer, as that will prevent the exploit kit from taking advantage of the CVE-2021-26411 vulnerability." The users should keep their operating systems updated, anti-virus and apps updated, to prevent known vulnerabilities from getting exploited for distributing malware.

Medical Device Cybersecurity: What Next in 2022?

 

A survey report on medical device cybersecurity was published by Cybellum, along with trends and predictions for 2022. It's worth noting that medical device cybersecurity has become a very challenging task. 

With medical devices increasingly becoming software-driven machines and the rapid pace at which cybersecurity risk emerges as a result of new vulnerabilities, complex supply chains, new suppliers, and new product lines, keeping the entire product portfolio secure and compliant at all times appears to be impossible. Learning from peers and attempting to identify the best path forward is now more crucial than ever. 

Security experts from hundreds of medical device manufacturers were asked what their biggest challenges are and how they plan to tackle them in 2022 and beyond in this poll. The following are some of the intriguing findings from the survey about medical device manufacturers' security readiness: 
  • The top security difficulty for respondents is managing an expanding number of tools and technologies, which is partially explained by a lack of high-level ownership. 
  • Seventy-five percent of respondents said they don't have a dedicated senior manager in charge of device security. 
  • Almost 90% of respondents acknowledged that companies need to improve in critical areas including SBOM analysis and compliance readiness. 
  • In 2022, nearly half of companies increased their cybersecurity spending by more than 25%. 
  • A dedicated response team (PSIRT) is not in existence at more than 55% of medical device makers. 
David Leichner, CMO at Cybellum said, “We embarked on this survey to gain a more comprehensive understanding of the main challenges facing product security teams at medical device manufacturers, as part of our effort to help to better secure the devices. Some of our findings were quite surprising and highlight serious gaps that exist both in processes for securing medical devices and in regulation compliance.”

Dark Data: A Crucial Concern for Security Experts

 

BigID recently released a research paper that examines the current problems that businesses face in safeguarding their most critical information. A number of important findings emerged from the research:
  • Dark data is extremely concerning to 84 per cent of businesses. This is data that businesses aren't aware of, but which accounts for more than half of all data in existence and can be extremely sensitive or vital. 
  • Unstructured data is the most difficult to manage and safeguard for eight out of ten businesses. Unstructured data generally comprises a variety of sensitive information and is challenging to scan and identify due to its inherent complexity. 
  • More than 90% of businesses have trouble implementing security standards involving sensitive or important data. Data policy reach and enforcement are crucial for proper data asset management, remediation, and security. 
Data is an organization's most valuable asset, relying on it every day to make critical strategic and operational choices. Unfortunately, most of this data is highly sensitive or critical, and it can be exposed accidentally or maliciously in some instances. 

Dimitri Sirota, CEO of BigID stated, “Data is the fuel that drives a company forward. However, a lot of this data is personal and as it accumulates, so does cyber risk. You owe it to your customers, partners, and employees to keep this data safe, let alone to keep your business running. This report reinforces the fact that most continue to struggle to confidently protect their most valuable data.” 

Sensitive or essential data is being spread throughout the environment at unprecedented rates, thanks to the rapid rise of public, private, hybrid, and multi-cloud models. As the scope of this type of data grows, so does the risk to the organisation. 

The research looks into the most significant security issues, the core causes of these problems, and practical ways to improve data security so that teams can protect their most valuable data assets.

CitySprint Confirms Security Breach, Personal Data of Drivers May be Compromised

 

CitySprint, a same-day delivery company, has issued a warning to couriers after discovering a data breach that may have given hackers access to sensitive personal information. A security issue was confirmed in an email sent to hundreds of drivers on April 7th. 

Self-employed drivers transport items across the UK for CitySprint, which was recently acquired by package delivery behemoth DPD Group. These drivers provide personal information to CitySprint using the company's iFleet interface, which includes photos of their driver's licence, car shots, and weekly earnings data. The delivery company claims that it shut down the iFleet system and restricted access to it as soon as it became aware of "the incident." 

CitySprint currently claims that it has no confirmation that personal data has been accessed, but it does not rule out the possibility. For the time being, the business's investigations are ongoing, and it has deployed forensic cybersecurity professionals to completely and comprehensively examine the event and analyse what data, if any, has been exposed. 

It states, “Our security checks, which are not quite complete yet have shown that so far, no personal data was compromised. The remaining checks will confirm if any of your data may have been affected. Therefore, as a precautionary measure, we have informed the Information Commissioner’s Office of the incident.” 

CitySprint claims it takes personal data protection "very seriously" and is investigating IT working processes across the company. Some drivers are clearly dissatisfied with the way the company handles their personal information. 

CitySprint includes several pieces of advice in its email for drivers on what to do if their personal information is compromised online. Change their passwords to something strong and unique, enable two-factor authentication on accounts that provide it, and consider signing up for an identity theft protection service. 

On 13th April, CitySprint offered the following statement, “We recently detected an apparent malicious attempt by a third party to access confidential data from our courier management platform. As soon as this issue was discovered, we took immediate steps to close off external access to this and launched a full and thorough investigation, led by independent cybersecurity experts. 

Now that this investigation has concluded, we are pleased to confirm that we believe that no personal data has been compromised. This incident has been reported to the proper authorities and we are in contact with couriers who contract with us about this as a matter of precaution.”

Caketap: A New Unix Rootkit Used to Steal ATM Banking Data

 

Following the activities of LightBasin, a financially motivated group of hackers, threat analysts have discovered a previously undisclosed Unix rootkit that is utilized to capture ATM banking data and execute fraudulent transactions. 

The specific group of adversaries has lately been seen targeting telecom businesses with tailored implants, as well as hacking managed service providers and victimising their clients back in 2020. Researchers present more proof of LightBasin activities in a new paper from Mandiant, focused on bank card fraud and the compromise of critical infrastructure. The new rootkit from LightBasin is a Unix kernel module called "Caketap" that is installed on servers running Oracle Solaris systems. 

Caketap hides network connections, processes, and files when it is loaded; it installs various hooks into system services so that remote commands and configurations can be received. The various commands observed by the analysts are as follows: 

• Add the CAKETAP module back to the loaded modules list 
• Change the signal string for the getdents64 hook 
• Add a network filter (format p) 
• Remove a network filter 
• Set the current thread TTY to not to be filtered by the getdents64 hook 
• Set all TTYs to be filtered by the getdents64 hook \
• Displays the current configuration Caketap's ultimate purpose is to steal financial card and PIN verification data from compromised ATM switch servers and utilise it to enable fraudulent transactions. 

Caketap intercepts data on their way to the Payment Hardware Security Module (HSM), a tamper-resistant hardware device used in the banking industry to generate, manage and validate cryptographic keys for PINs, magnetic stripes, and EMV chips. 

Caketap tampers with card verification messages, blocking those that match fraudulent bank cards instead of generating a genuine response. In a second phase, it saves valid messages that match non-fraudulent PANs (Primary Account Numbers) internally and delivers them to the HSM, ensuring that normal customer transactions are not disrupted and implant operations remain undetected. 

“We believe that CAKETAP was leveraged by UNC2891 (LightBasin) as part of a larger operation to successfully use fraudulent bank cards to perform unauthorized cash withdrawals from ATM terminals at several banks,” explains Mandiant’s report. 

Slapstick, Tinyshell, Steelhound, Steelcorgi, Wingjook, Wingcrack, Binbash, Wiperight, and the Mignogcleaner are further tools related to the actor in prior assaults, all of which Mandiant confirmed are still used in LightBasin attacks. 

LightBasin is a highly skilled threat actor that exploits weak security in mission-critical Unix and Linux systems, which are frequently viewed as intrinsically secure or are mostly ignored due to their obscurity. 

LightBasin and other attackers thrive in this environment, and Mandiant expects them to continue to use the same operating model. In terms of attribution, the analysts noticed some overlaps with the UNC1945 threat cluster, but they don't have enough clear evidence to draw any judgments.

Over 40 Billion Records Exposed in 2021

 

According to Tenable's analysis of 1,825, breach data incidents publicized between November 2020 and October 2021, at least 40,417,167,937 records were exposed globally in 2021. This is risen from 730 publicly announced incidents with just over 22 billion data exposed over the same period in 2020. 

Organizations can efficiently prioritize security operations to stop attack paths and protect key systems and assets by studying threat actor behavior. Many of the events investigated for this research can be easily mitigated by fixing legacy flaws and fixing misconfigurations, which can help limit attack routes. 

In 2021, ransomware had a huge impact on businesses, accounting for about a 38% of all data breaches.  and unsecured cloud databases were responsible for 6% of all breaches. SSL VPNs that haven't been patched remain an ideal entry point for cyberespionage, exfiltrating sensitive and proprietary data, and encrypting networks. 

Threat groups, particularly ransomware, have been progressively exploiting Active Directory flaws and misconfigurations. When security controls and code audits are not in place, software libraries and network stacks that are frequently utilized among OT devices might create additional threats. 

Cyberespionage operations used the software supply chain to acquire sensitive data, whereas ransomware groups preferred physical supply chain disruption as a technique to extract payment. Data breaches wreaked havoc on the healthcare and education sectors the most. 

Claire Tills, Senior Research Engineer, Tenable stated, “Migration to cloud platforms, reliance on managed service providers, software and infrastructure as a service have all changed how organizations must think about and secure the perimeter.”  

“Modern security leaders and practitioners must think more holistically about the attack paths that exist within their networks and how they can efficiently disrupt them. By examining threat actor behaviour we can understand which attack paths are the most fruitful and leverage these insights to define an effective security strategy. ” 

Fixing assets is difficult enough given the sheer frequency of vulnerabilities revealed, but in 2021 it became much harder due to partial patches, vendor miscommunications, and patch bypasses. 

There were 21,957 common vulnerabilities and exposures (CVEs) reported in 2021, up 19.6% from 18,358 in 2020 and 241% more than the 6,447 declared in 2016. The number of CVEs increased at an average yearly percentage growth rate of 28.3 percent from 2016 to 2021.

City of Grass Valley, California, Suffers Data Breach

 

After discovering about the breach, Grass Valley stated that they took quick steps to safeguard their networks, alerted law enforcement, and launched an investigation with the help of a cybersecurity firm.

The information of employees, citizens, and others was duplicated and transmitted to another network, according to more details about a significant data breach at the City of Grass Valley, California. The city council previously admitted that "unauthorised access" to its networks occurred between April 13 and July 1, 2021, according to a statement. 

The scope of the attack has now been determined, with the malicious actor transferring files outside of the city's network, including the financial and personal information of "individuals associated with Grass Valley," according to the investigation. The following information was accessed: 
  • Grass Valley employees, former employees, spouses, dependents, and individual vendors, name and one or more of the following: Social Security number, driver’s license number, and limited medical or health insurance information. 
  • Individual vendors that were employed by the city, name, and Social Security number. 
  • Individuals whose information may have been provided to the Grass Valley Police Department, name and one or more of the following: Social Security number, driver’s license number, financial account information, payment card information, limited medical or health insurance information, passport number, and username and password credentials to an online account.
  • Individuals whose data was provided to the Grass Valley Community Development Department in loan application documents, name and one or more of the following: Social Security number, driver’s license number, financial account numbers, and payment card numbers. 
Grass Valley stated it started contacting those affected on January 7 and has notified the appropriate authorities, including law enforcement. For everyone affected by the hack, the city is also providing free credit monitoring services. 

It noted, “Grass Valley sincerely regrets that this incident occurred and apologizes for any inconvenience or concern. To help prevent something like this from happening again, Grass Valley continues to review its systems and is taking steps to enhance existing security protocols.”

Morgan Stanley to Pay $60M to Resolve Data Security Lawsuit

 

Morgan Stanley agreed to pay $60 million in a preliminary settlement of a class-action lawsuit filed against the company on Friday, according to Reuters, for allegedly neglecting to secure customers' personal data before retiring outdated information technology. 

The settlement offer awaits the approval of New York District Judge Analisa Torres. The lawsuit was filed on behalf of around 15 million Morgan Stanley clients in response to two separate occurrences that occurred in 2016 and 2019. 

Morgan Stanley decommissioned two wealth management data centres in the first incident. Before removing the unencrypted computer equipment from the centres, the bank's vendor, Triple Crown, was tasked with deleting or destroying it. Even after it had left the vendor's control, this device was later discovered to contain data. According to Morgan Stanley, the vendor removed the devices and resold them to a third party without permission. 

As part of a hardware refresh programme, the second incident entailed the replacement and removal of branch office equipment. The bank was unable to discover some of these devices, which could have retained previously deleted information on discs in an unencrypted version due to a software error. 

Customers will receive a minimum of two years of fraud insurance coverage as part of the proposed settlement, as well as compensation for up to $10,000 in related out-of-pocket losses. The bank also stated that it would improve its data security procedures. 

Morgan Stanley maintains that there was no wrongdoing on its part, even though it is seeking a settlement. In a move to dismiss the complaint filed in August 2021, the bank said that despite extensive investigations and ongoing surveillance over the years, it has not discovered a single instance of data misuse generated from any of its own sources. Morgan Stanley was fined $60 million in civil penalties in October 2020 for failing to adequately supervise the decommissioning of its data centres in 2016. 

The Office of the Comptroller of the Currency imposed the penalty after discovering that the bank: failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices.

Report: PYSA Emerges as Top Ransomware Actor in November

 

As per NCC Group, a UK-based risk mitigation organisation, PYSA and Lockbit were the most significant ransomware attacks in November 2021.

Lockbit has been a leading ransomware threat since August of this year, with Conti dominating the landscape as well. Conti's popularity began to fade in November, and PYSA took its place. The total number of organisations infected with PYSA climbed by 50% last month. 

The number of hacked governmental institutions has also increased by 400 per cent, according to the NCC Group. PYSA is for 'Protect Your System Amigo,' and it has been active since late 2019, mostly targeting the education, healthcare, and government sectors.

In March 2021, the FBI issued a warning about PYSA. PYSA was thought to only target Windows systems until September 2021, but the evidence was discovered that the ransomware was getting prepared to target Linux PCs as well. 

NCC Group noted, “PYSA is a malware capable of exfiltrating data and encrypting users’ critical files and data, which typically targets large or high-value finance, government and healthcare organizations.” 

In November, the total number of ransomware assaults was 1.9 per cent higher than in October, with firms in North America and Europe being hit the hardest. According to the NCC Group, ransomware affected 154 companies in North America last month (140 in the United States and 14 in Canada). A total of 96 European victims have been identified, the majority of whom are from the United Kingdom (32), France (14), Italy, and Germany (11 each). 

“The industrial sector continued to be the most targeted sector in November. Meanwhile, automotive, housing, entertainment, and retail businesses overtook technology this month, with attacks targeting the sector decreasing by 38.1%,” NCC Group stated. 

The cybersecurity firm also saw the Everest ransomware group providing paid access to their victims' infrastructure in November. Other groups are also anticipated to forego a ransom demand in the future and instead grant access to the compromised infrastructure.

MediaMarkt Struck by Hive Ransomware, Initial $240 Million Ransom Demand

 

A Hive ransomware operation hit MediaMarkt, a German multinational chain of consumer electronics stores, with the threat actors initially demanding a ransom of $240 million. IT systems in the Netherlands and Germany were closed down as a result of the incident and store operations were hampered. 

With over 1,000 stores in 13 countries, MediaMarkt is Europe's largest consumer electronics retailer. It employs around 53,000 people and has total sales of €20.8 billion. At the start of this week, a ransomware attack targeted MediaMarkt, encrypting servers, workstations and creating an outage of IT services to stop the attack from propagating. 

The ransomware attack, according to BleepingComputer, affected several retail stores across Europe, particularly in the Netherlands. While online sales are unaffected, affected stores' cash registers are unable to accept credit cards or generate receipts. The system shutdown is also restricting returns due to the inability to search for previous purchases. Employees are instructed to avoid encrypted systems and to turn off networked cash registers on the network. 

As per screenshots of alleged internal communications posted on Twitter, the hack compromised 3,100 servers. However, at this moment, BleepingComputer has been unable to verify those claims. The Hive Ransomware organization is behind the attack, according to BleepingComputer, and requested a huge, but unrealistic, $240 million ransom to acquire a decryptor for encrypted files. 

Ransomware groups frequently demand high ransoms at first to allow for negotiation, and they generally only get a portion of what they demand. However, BleepingComputer has been told that during the attack on MediaMarkt, it was almost automatically dropped to a significantly smaller amount. 

While it is unclear whether unencrypted data was captured in the attack, Hive ransomware is known to steal files and post them on its 'HiveLeaks' data breach site if a ransom is not paid. When BleepingComputer contacted MediaMarkt about the hack, they received the following response: 

“The MediaMarktSaturn Retail Group and its national organizations became the target of a cyberattack. The company immediately informed the relevant authorities and is working at full speed to identify the affected systems and repair any damage caused as quickly as possible. In the stationary stores, there may currently be limited access to some services. MediaMarktSaturn continues to be available to its customers via all sales channels and is working intensively to ensure that all services will be available again without restriction as soon as possible. The company will provide information on further developments on the topic. - MediaMarkt.”

About the Hive ransomware 
Hive ransomware was first discovered in June 2021 and has already hit over 30 companies, counting just those who did not pay the demanded ransom. The Hive group, according to the FBI, uses a range of tactics, methods, and processes to breach targeted networks. 

Hive ransomware was first discovered in June 2021 and has already hit over 30 companies, counting just those who did not pay the demanded ransom. The Hive group, according to the FBI, uses a range of tactics, methods, and processes to breach targeted networks. 

Hive ransomware is a data encryption malware that has gained notoriety as a result of strikes against the Memorial Health System, where employees were made to work with paper charts as their computers were encrypted. Altus Group was another victim, with hackers stealing corporate information and data from the software supplier, which were then made public on HiveLeaks. 

Hive has also created variants to encrypt Linux and FreeBSD servers, which are often used to host virtual machines.