Search This Blog

Showing posts with label Data Breach. Show all posts

30 Million Data Theft Hacktivists Detained in Ukraine

The Security Service of Ukraine's (SSU) cyber division has eliminated a group of hackers responsible for the data theft or roughly 30 million people. 

According to SSU, its cyber branch has dismantled a group of hacktivists who stole 30 million accounts and sold the data on the dark web. According to the department, the hacker organization sold these accounts for about UAH 14 million ($375,000). 

As stated by the SSU, the hackers sold data packs that pro-Kremlin propagandists bought in bulk and then utilized the accounts to distribute false information on social media, generate panic, and destabilize Ukraine and other nations. 

YuMoney, Qiwi, and WebMoney, which are not permitted in Ukraine, were used by the group to receive funds.The police discovered and seized many hard drives containing stolen personal data, alongside desktops, SIM cards, mobile phones, and flash drives, during the raids on the attackers' homes in Lviv, Ukraine. 

By infecting systems with malware, fraudsters were able to gather sensitive data and login passwords. They targeted systems in the European Union and Ukraine. According to Part 1 of Article 361-2 of the Ukrainian Criminal Code, unauthorized selling of material with restricted access, the group's organizer has been put under investigation.

The number of people detained is still unknown, but they are all charged criminally with selling or disseminating restricted-access material stored in computers and networks without authorization. There are lengthy prison terms associated with these offenses.

The gang's primary clients were pro-Kremlin propagandists who utilized the stolen accounts in their destabilizing misinformation efforts in Ukraine and other nations.

The SSU took down five bot farms that spread misinformation around the nation in March and employed 100,000 fictitious social media profiles. A huge bot farm with one million bots was found and destroyed by Ukrainian authorities in August.

The SSU discovered two further botnets in September that were using 7,000 accounts to propagate false information on social media.

Malware producers are frequently easier to recognize, but by using accounts belonging to real people, the likelihood that the operation would be discovered is greatly reduced due to the history of the posts and the natural activity.






Optus Data Breach: Australia’s Telco Giant Confirms Data of Millions of Users Compromised

 

Australia’s second largest Telecom Company, Optus has recently become a victim of a cyberattack that attack apparently led to the exposure of personal data of its current as well as former customers. According to Trevor Long, a Sydney-based tech analyst, the attack is the biggest breach of personal data from any Australian firm. 

The firm states that as soon as the attack was detected, it worked towards containing the attack, subsequently shutting it down before customers could suffer any harm. The company believes that one of the networks was still exposed to the test network with internet access. 

The data breach notification read, “Following a cyberattack, Optus is investigating the possible unauthorized access of current and former customer [..] Upon discovering this, Optus immediately shut down the attack.” 

In the wake of the attack, the firm confirmed that its customers' private data could be compromised since the attackers had an access to the customer identity database and opened it to other systems via Application Programming Interface (API). The firm further told that its network was accessed from an external source.  

The exposed data, as per the firm’s statement in a press release included customers’ names, dates of birth, contact numbers, email addresses, residential addresses, and identity documents numbers such as passport and driving licenses. The company’s services on the other hand, including mobile and home internet, have not been compromised and the attackers were void of access to messages and phone calls. 

Is Human Error Responsible For The Breach? 

At a media briefing, when asked about the possibility of a human error being responsible for the breach, Optus CEO Kelly Bayers Rosemarin stated that “I know people are hungry for details about the exact specificity of how this attack could occur, but it is the subject of criminal proceedings and so will not be divulging details about that.” 

The company has denied any claims of a human error that could execute this data breach. The CEO also apologized to the firm’s customers, stating it was challenging to offer immediate advice unless the case investigation was complete. 

The CEO also mentioned the strong cyber defense softwares invested in Telco pertaining to the attacks. She further said that this attack should be a wake-up call for all organizations in order to avoid becoming a victim of a data breach. 

Email Phishing Attack Revealed by American Airlines

Several passengers of American Airlines are being warned that their personal information might have been compromised as a result of threat actors getting access to employee email accounts. 

The airline said that a phishing attempt led to hackers gaining access to the mailboxes of a limited number of employees. The stolen email accounts held some consumers' personal data. The airline noted in notice letters distributed on Friday, September 16th, that there is no proof that the disclosed data was misused.

The hack was detected on July 5th by American Airlines, which then swiftly protected the affected email accounts and recruited a cybersecurity forensics company to look into the security incident.

American Airlines had hired a cybersecurity forensics company to look into the incident. The inquiry revealed that unauthorized actors had obtained the personal information of both customers and workers. Although they did not say how many consumers were impacted, they did say that names, dates of birth, addresses, emails, phone numbers, passport numbers, and even certain medical information could have been exposed.

American Airlines issued the following statement to BleepingComputer by the Manager for Corporate Communications. "American Airlines is aware of a phishing campaign that resulted in a small number of team members' mailboxes being improperly accessed."

A very small amount of customers' and workers' personal information was found in those email accounts, according to American Airlines, which also provided a two-year membership to Experian's IdentityWorks.

With regard to the incident, the company stated "data security is of the utmost importance and we provided customers and team members with precautionary support. We also are actively developing additional technical safeguards to avoid a similar incident from happening in the future, even though we have no proof that any personal information has been misused."

In March 2021, the Passenger Service System (PSS), which is used by many airlines worldwide, including American Airlines, was infiltrated. SITA, a leading provider of air information technology, revealed that hackers broke into its systems.

To help employees recognize targeted phishing attacks, firms must ensure that staff receives adequate security training. Organizations' IT and security departments should explain to staff how communications will be handled. It is crucial to always inform people about how to recognize phishing emails. 












Uber Blames Extortion, Hacking Group Lapsus$ For Recent Data Breach

 

Uber revealed more details about the security incident that occurred last week on Monday, pinning the attack on a threat actor it believes is affiliated with the notorious LAPSUS$ hacking group. 

The financially motivated extortionist group was dealt a massive blow in March 2022 when the City of London Police arrested seven suspected LAPSUS$ gang members aged 16 to 21. Two of them were charged for their actions weeks later. The hacker responsible for the Uber breach, an 18-year-old teenager known as Tea Pot, has also claimed responsibility for breaking into video game publisher Rockstar Games over the weekend.

"This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, NVIDIA, and Okta, among others," the San Francisco-based company said in an update.

As the company's investigation into the incident continues, Uber stated that it is functioning with "several leading digital forensics firms," in addition to cooperating with the US Federal Bureau of Investigation (FBI) and the Justice Department.

In terms of how the attack occurred, the ridesharing company stated that an "EXT contractor" had their personal device compromised with malware and their corporate account credentials stolen and sold on the dark web, correlating with an earlier Group-IB report. The previous week, the Singapore-based company reported that at least two of Uber's employees in Brazil and Indonesia had been infected with Raccoon and Vidar information robbers.

"The attacker then repeatedly tried to log in to the contractor's Uber account," the company said. "Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in."

After gaining access, the miscreant appears to have accessed other employee accounts, giving the malicious party access to "several internal systems" such as Google Workspace and Slack. The company also stated that as part of its incident response measures, it disabled impacted tools, rotated keys to the services, locked down the codebase, and blocked compromised employee accounts from accessing Uber systems or issued password resets for those accounts.

Uber did not say how many employee accounts were potentially compromised, but it emphasised that no unauthorised code changes were made and that there was no evidence the hacker had access to production systems that support its customer-facing apps. The firm also revealed that the attacker gained access to HackerOne bug reports, but added that "any bug reports the attacker was able to access have been remediated."

"There is only one solution to making push-based [multi-factor authentication] more resilient and that is to train your employees, who use push-based MFA, about the common types of attacks against it, how to detect those attacks, and how to mitigate and report them if they occur," Roger Grimes, data-driven defence evangelist at KnowBe4, said in a statement.

According to Chris Clements, vice president of solutions architecture at Cerberus Sentinel, organisations must recognise that MFA is not a "silver bullet" and that not all factors are created equal.
While there has been a transition from SMS-based authentication to an app-based approach to reduce the dangers associated with SIM swapping attacks, the attack against Uber and Cisco shows that security controls that were once thought to be infallible are being circumvented by other means.

The fact that threat actors are relying on attack paths such as adversary-in-the-middle (AiTM) proxy toolkits and MFA fatigue (aka prompt bombing) to trick an unsuspecting employee into inadvertently handing over MFA codes or authorising an access request underscores the importance of employing phishing-resistant methods.

"To prevent similar attacks, organizations should move to more secure versions of MFA approval such as number matching that minimize the risk of a user blindly approving an authentication verification prompt," Clements said.

"The reality is that if an attacker only needs to compromise a single user to cause significant damage, sooner or later you are going to have significant damage," Clements added, underscoring strong authentication mechanisms "should be one of many in-depth defensive controls to prevent compromise."

Hacker Leaks Confidential Data of Rockstar Games Including GTA 6 Footage

 

Rockstar Games, an American Video game publisher revealed a network breach on Monday that resulted in videos from the next highly-anticipated series of its Grand Theft Auto (GTA) 6 getting leaked. 

“We recently suffered a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from our systems, including early development footage for the next Grand Theft Auto. At this time, we do not anticipate any disruption to our live game services nor any long-term effect on the development of our ongoing projects,” the company stated. 

At the time of writing, a hacker has published nearly 90 videos of clips depicting GTA 6 gameplay apparently recorded during the initial phases of game development. The threat actor also claimed to have stolen GTA 5 and GTA 6 source code and other information and offered to sell some of it. He also requested Rockstar Games to make him an offer to prevent the whole information from publishing online. 

Meanwhile, the targeted firm is working with security experts and law enforcement agencies to remove the leaked videos posted on multiple websites. 

“We are extremely disappointed to have any details of our next game shared with you all in this way. Our work on the next Grand Theft Auto game will continue as planned and we remain as committed as ever to delivering an experience to you, our players, that truly exceeds your expectations. We will update everyone again soon and, of course, will properly introduce you to this next game when it is ready,” Rockstar added. 

The alleged hacker behind the data leak claimed to be the same person who launched a sophisticated attack on Uber last week. The malicious actor attached images, videos, and source code as proof and linked to the New York Times coverage of the Uber data breach while describing it as his “previous work.”

In the case of Uber, the hacker published screenshots apparently showing that he gained access to cloud services, financial tools, cybersecurity products, and a HackerOne account. He also claimed said he is 18 years old and employed social engineering to intrude Uber systems. 

However, the ridesharing firm claimed on Friday that it had found no evidence of sensitive user data getting leaked, and said all its services, including Uber, Eats, Freight, and the Uber Driver app were operational.

Uber Claims No Private Details Accessed in Latest Network Breach

 

The hacker who claims to have hacked Uber might not have landed a stinging punch. The ridesharing firm has provided an update regarding the security breach by confirming there's "no evidence" to suggest that intruders accessed sensitive user data, such as trip histories. 

All services provided by the company, including Uber, Eats, Freight, and the Uber Driver app are functioning correctly and have also restored the use of internal software it took down upon unearthing the network breach. 

“We have no evidence that the incident involved access to sensitive user data (like trip history),” the company stated. “Internal software tools that we took down as a precaution yesterday are coming back online this morning.” 

Uber contacted law enforcement and started an internal investigation into the incident, a company spokesman confirmed. However, the company didn't say more about the reported perpetrator or the nature of the incident, several security experts believe that it is downplaying the incident and has no clear idea regarding the depth of the breach. 

Intrusion details 

The breach allegedly involved a lone hacker, who claimed to be an 18-years-old male, who employed a social engineering-based hacking technique to trick an Uber employee into revealing login credentials by posing as a coworker. 

Upon securing an initial foothold, the hacker discovered an internal network share containing PowerShell scripts with privileged admin credentials, allowing carte blanche access to other critical systems, including AWS, Google Cloud Platform, OneLogin, SentinelOne incident response portal, and Slack. 

Singapore-based Group-IB's follow-up investigation of downloaded artifacts as captured by the hacker reveals complete access to Uber's cloud-based infrastructure to hold private consumer and financial data. The hacker blamed Uber’s feeble security system for successfully exploiting its databases. He also contacted the New York Times claiming that he hacked Uber for fun and has its source code in his possession, which he might post online. 

Firm’s history of downplaying the data breach 

Network breach has been an issue for Uber in the past. In 2018, it agreed to a $148 million settlement over a 2016 data breach the company failed to reveal. Hackers were able to siphon data on 57 million drivers and riders, including private details such as names, email addresses, and driver's license numbers.

The data breach incident remained buried for more than a year. However, in November 2017 multiple reports surfaced that Uber suffered a massive security breach, and paid the hackers $100,000 to delete the information and had them sign a nondisclosure agreement.

North Korean Hackers Exploit Systems via Deploying PuTTY SSH Tool

An attack using a new spear phishing tactic that makes use of trojanized variants of the PuTTY SSH and Telnet client has been discovered with a North Korea link.

The malicious actors identified by Mandiant as the source of such effort is 'UNC4034', also referred to as Temp.Hermit or Labyrinth Chollima. Mandiant asserted that the UNC4034 technique was currently changing.

UNC4034 made contact with the victim via WhatsApp and tricked them into downloading a malicious ISO package in the form of a bogus job offer. This caused the AIRDRY.V2 backdoor to be installed via a trojanized PuTTY instance. 

As part of a long-running operation called Operation Dream Job, North Korean state-sponsored hackers frequently use fake job lures as a means of spreading malware. One such group is the Lazarus Group. 

The ios file had a bogus amazon job offer which was the entry point for hackers to breach data. After making initial contact via email, the file was exchanged over WhatsApp. 

The archive itself contains a text file with an IP address and login information, as well as a modified version of PuTTY that loads a dropper named DAVESHELL that installs a newer version of a backdoor known as AIRDRY. 

The threat actor probably persuaded the victim to open a PuTTY session and connect to the remote host using the credentials listed in the TXT file, therefore initiating the infection. Once the program has been launched, it makes an effort to persist by adding a new, scheduled task every day at 10:30 a.m. local time.

After a target responds to a fake job lure, the criminals may use a variety of malware delivery methods, according to Mandiant. 

The most recent version of the virus has been found to forego the command-based method in favor of plugins which are downloaded and processed in memory, in contrast to prior versions of the malware that included roughly 30 commands for transferring files, file systems, and command execution.

Several technical indicators are also included in the Mandiant alert to aid businesses in identifying UNC4034-related activities. Days before its publication, US authorities confiscated $30 million in North Korean cryptocurrency that had been stolen.

Bell Canada Hit by Hive ransomware

Bell Canada, a telecommunications firm, alerted consumers of a cybersecurity incident in which hackers gained access to business data. With more than 4,500 people, BTS is an autonomous subsidiary that specializes in installing Bell services for household and small-business customers in the provinces of Ontario and Québec.

Bell Technical Solutions, an independent subsidiary that specializes in the setup of Bell services for housing and small business customers in Ontario and Québec, had been the target of the recent cybersecurity incident, the company identified, according to a notice published on bell.ca. that "Some operational company and employee information was accessed in the recent cybersecurity incident,"

Although the Canadian telecoms operator declined to say when its network was compromised or the attack transpired, Hive claims in a fresh post to its data leak blog that BTS' systems were encrypted on August 20, 2022, almost exactly one month earlier.

To assist in the recovery process, outside cybersecurity professionals were hired. The Royal Canadian Mounted Police's cybercrime unit has been contacted about the attack, and the corporation has informed Canada's Office of the Privacy Commissioner of the occurrence.

In the wake of the occurrence, the Bell subsidiary cautioned customers that they might become the victim of phishing attacks and took immediate action to secure the compromised systems and to reassure users that no customer data, including credit and debit card numbers, banking information, or other financial data, was accessed as a result of the incident.

"Any persons whose private data could have been accessed will be promptly informed by us. Other Bell clients or other Bell businesses were not impacted; Bell Technical Solutions runs independently from Bell on a different IT system" the company stated.

Hive is an affiliate-based ransomware version that was first noticed in June 2021 and is used by hackers to launch ransomware attacks targeting healthcare facilities, charities, retailers, energy suppliers, and other industries globally.

Recently cyberattack by the Hive ransomware gang has led to an extortion attempt worth $2 million against Damart, the French clothing firm with over 130 locations throughout the world. According to data from Recorded Future, Hive is still one of the most active ransomware gangs, responsible for more than 150 attacks last month.









Uber Investigates Potential Breach Of its Computer System

 

Uber announced on Thursday that it is responding to a cybersecurity incident involving a network breach and that it is in contact with law enforcement authorities. The incident was first reported by the New York Times. When reached for comment, the company referred to its tweeted statement.  

As per two employees who were not authorised to speak publicly, Uber employees were instructed not to use the company's internal messaging service, Slack, and discovered that other internal systems were inaccessible.

Uber employees received a message that read, "I announce I am a hacker and Uber has suffered a data breach" shortly before the Slack system was taken offline on Thursday afternoon. The message went on to list a number of internal databases that the hacker claimed were compromised.

"It appeared that the hacker was later able to gain access to other internal systems, posting an explicit photo on an internal information page for employees," the New York Times stated. 

Uber has not released any additional information about the incident, but it appears that the hacker, believed to be an 18-year-old teenager, social-engineered the employee to obtain their password by impersonating a corporate IT employee and then used it to gain access to the internal network. 

The attacker was able to circumvent the account's two-factor authentication (2FA) protections by bombarding the employee with push notifications and contacting the individual on WhatsApp to abide by the authorization by claiming to be from Uber's IT department. The technique is similar to the recently disclosed Cisco hack, in which cybercriminal actors used prompt bombing to gain 2FA push acceptance. 

"Once on the internal network, the attackers found high privileged credentials laying on a network file share and used them to access everything, including production systems, corp EDR console, [and] Uber slack management interface," Kevin Reed, a chief information security officer at Acronis, told The Hacker News.

It's not the first time

This is not Uber's first security breach. It came under fire for failing to adequately reveal a 2016 data breach that affected 57 million riders and drivers and then paying hackers $100,000 to obfuscate the breach. It was only in late 2017 that the public became aware of it.

Uber's top security executive at the time, Joe Sullivan, was fired for his role in the company's response to the hack. Mr. Sullivan was charged with obstructing justice for failing to notify regulators of the breach, and he is currently on trial. Mr. Sullivan's lawyers have argued that other employees were responsible for regulatory disclosures and that the company had made Mr. Sullivan a scapegoat. 

In December 2021, Sullivan was sentenced to three additional counts of wire fraud in addition to the previously filed felony obstruction and misprision charges.

"Sullivan allegedly orchestrated the disbursement of a six-figure payment to two hackers in exchange for their silence about the hack," the superseding indictment said. It further said he "took deliberate steps to prevent persons whose PII was stolen from discovering that the hack had occurred and took steps to conceal, deflect, and mislead the U.S. Federal Trade Commission (FTC) about the data breach."

The latest breach comes as Sullivan's criminal case goes to trial in the United States District Court in San Francisco.

Reed concluded, "The compromise is certainly bigger compared to the breach in 2016. Whatever data Uber keeps, the hackers most probably already have access."

Lorenz Ransomware: Network Breach via VoIP

A ransomware group has been spotted adopting a unique initial-access technique to infiltrate commercial phone systems using voice-over-IP (VoIP) devices before switching to corporate networks to carry out double-extortion operations.

The anonymous organization was affected by the Lorenz ransomware strain, according to a team at Arctic Wolf. 

Lorenz Ransomware 

The Lorenz encryptor is similar to the ones employed by a prior ransomware operation known as ThunderCrypt, according to Michael Gillespie of ID Ransomware.

This gang is also known for providing access to its targets' private systems to other hackers along with the material that has been stolen prior to encryption in order to lure its victims into paying a ransom.

After leaking the stolen material as password-protected RAR archives if ransoms are not paid, Lorenz also divulges the password to open the leaked archives, giving the general public access to the files.

VoIP Threats

According to Arctic Wolf researchers, Lorenz used the bug to gain a reverse shell, and the group then used Chisel, a Golang-based rapid TCP/UDP tunnel that is transmitted through HTTP, as a tunneling tool to infiltrate the corporate environment. According to the GitHub page, "the tool is mostly useful for going through firewalls."

The attacks demonstrate a shift by threat actors toward using 'lesser recognized or monitored assets' to gain access to networks and engage in additional criminal behavior, the researchers further told. 

CrowdStrike published a blog post about the Mitel vulnerability and a possible ransomware attack attempt using the same CVE back in June. Since then, Mitel has patched this crucial zero-day flaw and recommended all users do the same. After providing a remediation script for vulnerable MiVoice Connect versions in April, Mitel resolved the problem by delivering security updates in the first half of June 2022.

The hackers then shifted into the network using the free source TCP tunneling application Chisel. Following initial access, the group waited for over a month before moving laterally, using FileZilla to exfiltrate data, and encrypting ESXi systems with BitLocker and Lorenz ransomware.

Considering that Mitel Voice-over-IP (VoIP) brands are used by businesses in crucial industries around the world including government agencies and that over 19,000 devices are currently vulnerable to attacks over the Internet, according to security expert Kevin Beaumont, this is a significant addition to the gang's toolkit.

Threat actors have used record-breaking DDoS amplification assaults to exploit further security holes affecting Mitel devices. Since at least December 2020, the Lorenz ransomware group has been focusing on enterprises all across the world, extorting hundreds of thousands of dollars from each victim.








Ransomware Exposed Stolen Data From Cisco on Dark Web

Yanluowang ransomware Gang has published Cisco Systems' stolen data on the dark web and following the data leak, Cisco confirmed that the data was stolen from its network during an intrusion that took place in May. 

Cisco Security Incident Response (CSIRT) conducted an investigation wherein it was found that the attackers acquired control of a personal Google account that had the credentials saved in the browser. The threat actors compromised these credentials to launch voice phishing attacks. The idea behind the attacks was to lure the targeted employee into accepting the MFA notification. 

Cisco revealed in a report published in August that the firm's networks had been infiltrated by the Yanluowang ransomware after hackers gained access to an employee's VPN account. The company further asserted that the only information taken was employee login information from Active Directory and non-sensitive files saved in a Box account.

Once the threat actors obtained the employee's Cisco credentials, the hackers employed social engineering and other techniques to get beyond multi-factor authentication (MFA) and gather more data.

After gaining initial access, the hackers registered a list of new devices for MFA, authenticated effectively to the Cisco VPN, and dropped multiple tools in the victim network including RATs such as LogMeIn, TeamViewer, Cobalt Strike, PowerSploit, Mimikatz, and Impacket, as per Security Affairs. 

Over the weekend, Cisco said in an update that "the content of these files matched what we have detected and released.  We continue to see no effect on the business, including Cisco goods or services, confidential customer data or sensitive employee data, copyrights, or supply chain activities, which is consistent with our previous examination of this incident."

The researchers at the cybersecurity firm eSentire linked Yanluowang with "Evil Corp" (UNC2165), the Lapsus$ gang, and FiveHands malware (UNC2447).

The hacked Google account of an employee that had enabled password synchronization through Google Chrome and saved their Cisco details in the browser allowed the thieves to initially access the Cisco VPN.

The leader of Yanluowang ransomware told BleepingComputer that they had stolen thousands of files totaling 55GB from a cache that contained sensitive information including technical schematics and source code. The hacker did not offer any evidence. The only thing they provided was a screenshot showing access to what seemed like a development system. 

Erich Kron, security awareness advocate at security awareness training company KnowBe4 implies that it goes unsaid that Cisco decided against paying the ransom demanded by the ransomware group, which resulted in the stolen data being posted. 


Attackers Compromise Employee Data at PVC-Maker Eurocell

According to a law firm, a leading British PVC manufacturer has been contacting current and former employees to notify them of a "substantial" data breach. 

A data protection law specialist, Derbyshire-based Eurocell, which also operates as a distributor of UPVC windows, doors, and roofing products, disclosed the news in a letter to those affected. The firm apparently explained in it that an unauthorised third party gained access to its systems, as per Hayes Connor.

The compromised data included employment terms and conditions, dates of birth, next of kin, bank account, NI and tax reference numbers, right-to-work documents, health and wellbeing documents, learning and development records, and disciplinary and grievance docs. That's a lot of information for potential fraudsters to use in subsequent phishing or even extortion.

Eurocell has reportedly stated that there is no proof of data misuse, but this will provide little comfort to those affected. It is also unknown how many employees would be affected.

“The company has over 2,000 current employees, but it is possible that many more former employees could also be at risk given the type of information that has been exposed,” warned Hayes Connor legal representative, Christine Sabino.

“Every employer has various obligations when it comes to data security, which means they have a duty to keep sensitive information secure. This type of incident warrants a significant investigation. Our team has started to make our own enquiries into the case and are determined to ensure our clients get the justice they deserve.”

Hayes Connor made headlines earlier this year when it announced that over 100 current and former employees of a leading luxury car dealership would sue the firm following a data breach. On that occasion, they were dissatisfied with LSH Auto's lack of transparency regarding the incident.

Classified NATO Documents Stolen from Portugal, Now Sold on Darkweb

 

The Portuguese Armed Forces General Staff Agency (EMGFA) was reportedly the victim of a cyberattack that resulted in the theft of classified NATO documents, which are now being sold on the dark web. 

EMGFA is the government agency in charge of controlling, planning, and operating Portugal's armed forces. The agency only discovered it had been hacked after hackers posted samples of the stolen material on the dark web, offering to sell the files to interested parties. 

American cyber-intelligence agents discovered the sale of stolen documents and notified the US embassy in Lisbon, which alerted the Portuguese government of the data breach. A team of experts from the National Security Office (GNS) and Portugal's national cybersecurity centre was immediately dispatched to EMGFA to carry out the a complete screening of the body’s entire network.

The story was first reported by the local news outlet Diario de Noticias, which claims to have confirmed the accuracy of the information through anonymous sources close to the ongoing investigations. According to these sources, the leaked documents are of "extreme gravity," and their dissemination could jeopardise the country's credibility in the military alliance.

“It was a cyberattack prolonged in time and undetectable, through bots programmed to detect this type of documents, which were later removed in several stages,” stated one of DN’s sources.

EMGFA's computers are air-gapped, but the exfiltration used standard non-secure lines. As a result, the investigation's first conclusion is that the top military body violated its operational security rules at some point. As of today, no official statement has been issued by the Portuguese government on the subject, but the political opposition is increasing pressure for a briefing in response to DN's report.

Many members of parliament expressed surprise after learning that classified military documents were being sold on the internet and that the country's intelligence services had failed to detect such a critical breach. As a result, they asked the chairman of the parliamentary defence committee, Marcos Perestrello, to intervene and schedule hearings on the incident as soon as possible.

Microsoft Teams: Bugs Use GIFs to Construct Reverse Shells

Malicious hackers can utilize Microsoft Teams to launch innovative phishing attacks and discreetly carry out commands to steal data via GIFs using a new attack method known as "GIFShell."

The new attack pattern demonstrates how hackers can merge various Microsoft Teams flaws and security holes to reap the benefits of reliable Microsoft infrastructure and distribute malicious files, and orders, and perform data exfiltration via GIFs.

This attack chain can be highly destructive, especially in network security environments where Microsoft Teams may be one of a limited set of authorized, trusted hosts and apps, as per Raunch. The GIFShell stager can be persuasively dropped and implemented on the victim's computer by exploiting two additional vulnerabilities found in Microsoft Teams, including a lack of permission enforcement and attachment spoofing.

Bobby Rauch, a cybersecurity expert, and pentester revealed multiple holes in Microsoft Teams that may be chained together for code execution, data theft, cybersecurity bypasses, and phishing attacks. This led Rauch to the discovery of the new attack chain.

This attack's primary tool is referred to as "GIFShell," and it enables an attacker to build a reverse shell that sends malicious commands via base64-encoded GIFs in Teams and exfiltrates the output using GIFs recovered by Microsoft's own servers.

GIFShell Attack

Since the data exfiltration takes place through Microsoft's own systems, security software that interprets the traffic as normal Microsoft Team activity will have a hard time identifying it.

The attacker must first persuade a user to install a malicious stager that runs commands and uploads command outputs via a GIF URL to a Microsoft Teams web hook to construct this reverse shell.

Rauch created a new phishing attack on Microsoft Teams to help with this. As we know, phishing assaults are effective at infecting devices.

The 'stager,' a malicious program that GIFShell uses to mislead users into launching on their devices, continuously scans the Microsoft Teams logs.

Any malware on the system can access these logs because they contain all received messages and are viewable by all Windows user groups.

Hackers would build their own Microsoft Teams tenant after installing the stager and get in touch with other Microsoft Teams users from outside their organization. Attackers can easily accomplish this since Microsoft Teams by default permits external communication.

Rauch's GIFShell Python script enables the hackers to transmit a message to a Microsoft Teams user that comprises a specially created GIF to start the attack. This GIF file was altered to add instructions to run on the target's computer.

The email and the GIF will be saved in Microsoft Team's logs when the victim receives them, which the malware stager watches.

The base64-encoded commands will be extracted by the stager and run on the device when it recognizes a message that contains a GIF. The output of the command will subsequently be converted to base64 text by the GIFShell PoC.

The hacker's open Microsoft Teams webhook is accessed by the stager using this base64 text as the filename for a remote GIF placed in a Microsoft Teams poll card.

To get the GIF, which would be named using the base64-encoded result of the executed command, Microsoft's servers will link back to the hacker's server URL when Microsoft Teams creates flashcards for the user.

This request will be received by the GIFShell server, which is installed on the hacker's server, and will instantly decode the filename so that the hackers can view the results of the command issued to the targeted device.

The Microsoft Teams files folder has also been discovered to be accessed by other software, including malware and commercial monitoring tools like Veriato.

In a report to BleepingComputer, Microsoft purely reaffirmed its claim to Rauch stating, "We evaluated the methods mentioned by this researcher and found that the two stated do not satisfy the requirements for an immediate security fix. To help maintain customer security, we're always exploring for new ways to better combat phishing, and we might do something in a future release to assist prevent this tactic."

Users should ensure ethical computing habits online, including vigilance when clicking on links to websites, opening unexpected files, or allowing file transfers. Users shall remain aware of this type of phishing.

Analysis of Cyberthreats Linked to Gaming Industry in 2022

 

In 2022, the global gaming industry will surpass $200 billion, with 3 billion players worldwide, predicts the analytical firm Newzoo. Such committed, solvent and eager-to-win viewers have become a bit of trivia for botnets, that always look for ways to deceive their victims. 

According to data gathered by Kaspersky between July 2021 and July 2022, dangerous files that propagated through the misuse of gaming brands were mostly related to Minecraft (25%), FIFA (11%), Roblox (9.5%), Far Cry (9.4%), and Call of Duty (9%).

In specific, the report reviewed the most widespread PC game–related threats and statics on miner breaches, attacks disguised as game frauds, and thefts. Also, it examined several most energetic malware groups, offering them detailed, in-depth features.

In aspects of annual dynamics, Kaspersky reveals seeing a decline in both the quantities of distribution (-30%) and the number of users (-36%) compared to 2020.

Further, in the first half of 2022, Kaspersky said those who witnessed a notable increase in the number of consumers threatened by schemes that can deceive secret info, with a 13% increase over the first half of 2021.

In the same period, hackers also amplified their attempts to expand Trojan–PSW: 77% of secret-stealing spyware infection cases have been linked to Trojan–PSW.

A few recent cases of concealing malware in software encouraged as game frauds, installers, keygens, and the games themself are the following:
  • Minecraft alt lists on videogames forums dropping Chaos ransomware
  • NPM packages masquerading as Roblox libraries conveying malware and password stealers
  • Microsoft Store copies of games with malware loaders
  • Valorant cheats elevated via YouTube falling info-stealing malware
The cause why hackers exploit game titles to entice people is mainly the massive targeted pool, as the exploited game titles capture the interest of tens of millions of players.

A few instances of fake in-game item stores that copied the originals are highlighted by Kaspersky. These stores conned gamers into paying for stuff they would never receive while also phishing their login information.

Some users find the cost of games itself to be prohibitive and turn to pirated versions instead. Other games are being developed in closed beta, which excludes many potential players and forces users to look for alternate access points. Hackers take advantage of these circumstances by selling fraudulent, pirated beta testing launchers.

In terms of threat variants, Kaspersky reported that little had changed since last year in the environment that impacts gamers, with downloaders (88.56%) topping the list of harmful and unwanted software that is disseminated using the names of well-known games. Trojans (2.9%), DangerousObject (0.86%), and Adware (4.19%) are the next three most prevalent threats.

Finally, many developers advise users to disable antivirus software before installing game-related mods, cheats, and tools because many of them are created by unofficial one-person projects and may trigger false positive security detections.

As a result, players may disregard AV alerts and run malicious programs that have been found on their systems. Downloaders dominate because they can pass internet security checks without incident while still retrieving riskier payloads later on when the user runs the program.

Kaspersky claims that information thieves, cryptocurrency miners, or both are frequently dumped onto the victim's PC. As always, only download free software from reputable websites and exercise caution when doing so.

Savannah College of Art & Design Data Breach

 

The Savannah College of Art and Design (SCAD), a private entity in Georgia that accepts students from various states and has a presence in France, may be dealing with a patchwork of state data breach reporting regulations.

Avos Locker states the SCAD was attacked about two weeks ago and a significant amount of data was stolen. The college's network was not encrypted, in contrast to some ransomware attacks; only data was exfiltrated.

The information was found to be a part of a data security incident on August 30. On August 22, experts discovered unauthorized access affecting users' systems. Experts acted quickly to control the situation, and with the aid of a cybersecurity company, they started an inquiry.

Researchers also informed law enforcement about the occurrence. According to the inquiry, on August 22, an unauthorized user obtained access to the network and copied a few files from company systems.

A review of more than 69,000 files and a sample of the exfiltrated data were provided by Avos. The filenames' descriptions, which included names of persons and hints about the files' contents, appear to be what the files are made of. One of the samples student files contained a spreadsheet with more than 60,000 records for both past and present pupils.

More than 15,000 records dating back to 2005 were present in one of the files. Many of the records were for relatively minor offenses that are typical of college students.

Despite being a private institution, SCAD's website states that FERPA rights apply to its students. Schools are not required under FERPA to send out individual notification letters or breach alerts.

Aside from personal data about students, there may also be a problem with student financial aid. The federal Gramm Leach Bliley Act, which enforces security and breach notification requirements, may be implicated if such records were accessed. DataBreaches were unable to identify from the file list in this case whether that law would be applicable.

Avos withheld the amount of the ransom it demanded to erase the stolen data. SCAD did engage in some negotiation, but their goal seemed to be more to purchase time, according to a response it sent to data breaches.SCAD did not answer a question regarding how they handled the situation.




KeyBank Suffers Data Breach, Third Party Steals Personal Information


KeyBank hit by data breach 

Hackers stole personal data: addresses and account numbers of home mortgage holders at KeyBank, social security numbers, the bank reports, in the compromise of the third party vendor that serves multiple corporate clients. 

The hackers stole the information on July 5 after hacking into computers at the insurance service provider Overby Seawell Company. 

KeyBank has its operations across 15 states, and has around $200 Billion in assets, the bank hasn't disclosed how many customers were affected or to respond to any other queries related to the breach. 

KeyBank's stand

In statement, KeyBank told that it came to know about the data theft on 4th August, and KeyBank systems and operations weren't compromised. Overby Seawell Company hasn't replied to any phone messages and emails that were sent to executives for comment. 

It sent a statement to the Associated Press, KeyBank mentions Kennesaw, Georgia based Overby Seawell was hit by a cybersecurity incident that breached data of its corporate clients. It refused to comment further. 

Further information 

As per the website, Overby Seawell's customers are banks, credit unions, finance companies and property investors, and mortgage servicers. The products consist a tracking system for real-time insurance monitoring that can be combined with other financial industry software forums. 

In an August 26 letter sent to Associated Press by an impacted mortgage holder, KeyBank said the information included in the Overby-Seawell breach linked to their mortgage consists their name, mortgage account number, address, and the first eight digits of their nine digits social security number. 

That is enough information for identity theft which the hackers can use while carrying out a serious fraud. 

Phishing Scam Targeting American Express Customers

Armorblox security researchers discovered a brand new phishing campaign targeting American Express customers. Threat actors sent emails to lure American Express cardholders into opening an attachment and trying to get access to their confidential data and their accounts. Also, the hackers created a fake setup process for an “American Express Personal Safe Key” attack. 

The emails sent by hackers to customers urged them to create this account to protect their system from phishing attacks. Once you click the given link, it takes you to a fake page that asks for private data such as social security number, mother's maiden name, date of birth, email, and all American Express card details, including codes and expiration date. 

Additionally, the group of threat actors crafted the counterfeit webpage smartly to resemble the original American Express login page, including a logo, a link to download the American Express app, and navigational links. 

“The victims of this targeted email attack were prompted to open the attachment in order to view the secure message. Upon opening the attachment, victims were greeted with a message announcing additional verification requirements for the associated account. The urgency was instilled within the victims through the inclusion of the language, “This is your last chance to confirm it before we suspend it”, and a prompt for victims to complete a one-time verification process that was needed as part of a global update from the American Express team,” Armorblox security blog reads. 

Armorblox security researchers further added in their blog that, the hackers try to create a sense of urgency within the victim's mind that the sent email is essential and should be opened at once. Once the customer opens the link, the email appears as a legitimate email communication from American Express. 

“The language used within this attachment evoked a sense of trust in the victim, with the inclusion of the American Express logo in the top left and a signature that made the message seem to have come from the American Express Customer Service Team,” Armorblox security blog reads. 

Armorblox co-founder and CEO DJ Sampath said that financial institutions are often targeted with credential phishing scams. The main targets of this phishing scam are American Express charge card holders.

FBI: Hackers use DeFi Bugs to Steal Cryptocurrency

 


Investors are being warned by the FBI that hackers are increasingly using Decentralized Finance (DeFi) platform security flaws to steal cryptocurrency.

According to the PSA, which was posted on the FBI's Internet Crime Complaint Center (IC3) today, nearly 97% of the $1.3 billion in bitcoin that was stolen between January and March 2022 came via DeFi sites. This represents a big increase from 72% in 2021 and roughly 30% in 2020, according to projections by the FBI.

The FBI urges people to be aware of the hazards, seek professional assistance if they are unsure, and research the security and general business practices of DeFi providers. Additionally, we all refer to DeFi providers as exchanges, markets, and other websites where you may buy, sell, trade, and borrow bitcoins and other digital assets.

The FBI's warning is due to a Chainalysis analysis from April that revealed how, per Q1 2022 statistics, DeFi cryptocurrency platforms are currently more targeted than ever.

In the majority of occurrences, the hackers rely on using security flaws in their platform's code or unauthorized access to drain cryptocurrency to addresses under their command.

According to Chainalysis, the threat actors responsible for these attacks used dangerous laundering services, like unlawful exchanges and coin tumblers on the dark web, to re-launder the majority of the stolen funds in 2022.

The FBI's alert provides investors with guidance that begins with basic cautions about performing due diligence before investing and then suggests the following:

Before investing, research DeFi platforms, protocols, and smart contracts and be aware of the dangers associated with DeFi investments.

Verify whether the DeFi investment platform has undergone one or more code audits done by impartial auditors. A code audit normally entails carefully examining and studying the platform's underlying code to find any flaws or vulnerabilities that might impair the platform's functionality.

Be wary of DeFi investment pools with short join windows and quick smart contract rollouts, especially if they don't perform the advised code audit.

Be mindful of the potential risks crowdsourced solutions pose for finding and patching vulnerabilities. Open source code repositories give anyone, even those with malicious intent, unauthorized access.

This year, no DeFi-taken monies have been reimbursed, indicating that attackers are less interested in protecting their stolen assets than they were in 2021 when almost 25% of all cryptocurrency stolen via DeFi platforms was eventually recovered and given to the victims.

The FBI established a link between the Lazarus and BlueNorOff (also known as APT38) North Korean threat organizations and the April attack of Axie Infinity's Ronin network bridge, now the largest crypto hack ever.

The $611 million breach of the decentralized merge protocols and network Poly System in August 2021 was the most significant cryptocurrency theft to date.




IRS Accidentally Published Private Data of Nearly 120,000 Taxpayers

 

The Internal Revenue Service confirmed last week that it had accidentally exposed data for taxpayers’ IRAs to some non-profits and other tax-exempt entities, following a Wall Street Journal report that stated approximately 120,000 taxpayers who filed a form 990-T may have been impacted by the error.

Form 990-T is used for reporting 'unrelated business income' paid to a tax-exempt organization, such as nonprofits (charities) or IRA and SEP retirement accounts. The income is commonly generated from sales unrelated to a nonprofit's primary motive or real estate investments that pay income into an individual retirement account. 

According to the Treasury Department, only 501(c)(3) organizations are bound to make their Form 990-T available for public inspection. But in this case, a human coding error resulted in data from some non-501(c)(3)s also being made available for bulk download through the IRS' search portal for tax-exempt organizations. 

The Washington-based department stated the data leak was unearthed on August 26 but didn’t disclose how long the confidential information had been publicly available. Exposed data included names, contact details, and reported income for those IRAs. However, social security numbers, individual tax returns, and other sensitive data were not leaked. 

“The IRS recently discovered that some machine-readable (XML) Form 990-T data made available for the bulk download section on the Tax Exempt Organization Search (TEOS) should not have been made public. This section is primarily used by those with the ability to use machine-readable data; other more widely used sections of TEOS are unaffected.” Anna Canfield Roth, the Treasury’s acting assistant secretary for management, said in the letter. 

The Treasury announced that the data has been removed from the website, and the agency will replace them with the correct documents in the coming weeks. The IRS also plans to contact all the impacted taxpayers. Additionally, the IRS will notify Congress as it is bound to inform of any security incident involving more than 100,000 individuals under the Federal Information Security Modernization Act. 

“The IRS took immediate steps to address this issue. The files have been removed from IRS.gov and will be replaced with updated files in the near future. The IRS is continuing to review this situation. The Treasury Department has instructed the IRS to conduct a prompt review of its practices to ensure necessary protections are in place to prevent unauthorized data disclosures,” Roth further stated.