Search This Blog

Showing posts with label Data Leak. Show all posts

UK Mental Health Charities Imparted Facebook Private Data for Targeted Ads


Some of the largest mental health support organisations in Britain gave Facebook information about private web browsing for its targeted advertising system. 

The data was delivered via a monitoring mechanism installed in the charities’ websites and includes details of URLs a user visited and buttons they clicked across content linked to depression, self-harm and eating disorders. 

Additionally, it included information about the times visitors saw pages to access online chat tools and when they clicked links that said "I need help" in order to request assistance. Some of the pages that caused data sharing with Facebook were particularly targeted towards youngsters, such as a page for 11 to 18-year-olds that provided guidance on how to deal with suicidal thoughts. 

Details of conversations between charities and users or messages sent via chat tools were not included in the data sent to Facebook during the Observer's analysis. All of the charities emphasised that they took service user privacy very seriously and that such messages were confidential.

However, it frequently involved browsing that most users would consider private, such as information about button clicks and page views on websites for the eating disorder charity Beat as well as the mental health charities Mind, Shout, and Rethink Mental Illness. 

The data was matched to IP addresses, which are typically used to identify a specific person or home, and, in many cases, specifics of their Facebook account ID. The tracking tool, known as Meta Pixel, has now been taken down from the majority of charity' websites. 

The information was discovered following an Observer investigation last week that exposed 20 NHS England trusts sharing data with Facebook for targeted advertising. This data included browsing activity across hundreds of websites related to particular medical conditions, appointments, medications, and referral requests.

Facebook says it makes explicit that businesses should not use Meta Pixel to gather or distribute sensitive data, such as information that could expose details about a person’s health or data belonging to children. It also says it has filters to weed out sensitive data it receives by mistake. However, prior research has indicated that they don't always work, and Facebook itself acknowledges that the system "doesn't catch everything".

The social media giant has been accused of doing too little to oversee what information it is being supplied, and faced questions over why it would allow some entities – such as hospitals or mental health organisations – to send it data in the first place.

Threat Actors Launch a New Wave of Mass-Hacks Against Business File Transfer Tool


Security experts are raising the alarm after hackers were detected using a recently identified vulnerability in a well-known file transfer tool that is used by thousands of organisations to start a new wave of massive data exfiltration assaults. 

The flaw affects Progress Software's MOVEit Transfer managed file transfer (MFT) software, which enables businesses to transmit huge files and datasets over the internet. Ipswitch is a subsidiary of Progress Software.

Last week on Wednesday, Progress acknowledged that it had found a vulnerability in MOVEit Transfer that "could lead to escalated privileges and potential unauthorised access to the environment," and it advised customers to turn off internet traffic to their MOVEit Transfer environments. 

All consumers are being urged to promptly apply patches that are now accessible by Progress. 

The U.S. cybersecurity agency CISA is also advising U.S. organisations to implement the required patches, follow Progress' mitigating recommendations, and look for any malicious behaviour. 

The popularity of popular enterprise systems has made corporate file-transfer technologies an increasingly appealing target for hackers who want to steal data from numerous victims. 

The impacted file transfer service is used by "thousands of organisations around the world," according to the company's website, but Jocelyn VerVelde, a representative for Progress through an outside public relations firm, declined to specify how many organisations use it. More than 2,500 MOVEit Transfer servers are visible on the internet, according to Shodan, a search engine for publicly exposed devices and databases. Most of these servers are based in the United States, but there are also many more in the United Kingdom, Germany, the Netherlands, and Canada. 

Security researcher Kevin Beaumont claims that the vulnerability also affects users of the MOVEit Transfer cloud platform. According to Beaumont, some "big banks" are also thought to be MOVEIt customers and at least one disclosed instance is linked to the U.S. Department of Homeland Security. Several security firms claim to have already seen indications of exploitation.

According to Mandiant, "several intrusions" involving the exploitation of the MOVEit vulnerability are under investigation. Charles Carmakal, the chief technical officer of Mandiant, acknowledged that Mandiant had "seen evidence of data exfiltration at multiple victims." 

According to a blog post by cybersecurity firm Huntress, one of its clients has observed "a full attack chain and all the matching indicators of compromise." 

Meanwhile, the security research company Rapid7 said that it has seen indications of data theft and misuse from "at least four separate incidents." According to Rapid7's senior manager of security research, Caitlin Condon, there is evidence that suggests attackers may have started automated exploitation. 

While the exact start date of exploitation is unknown, threat intelligence firm GreyNoise claims to have seen scanning activity as early as March 3. The company advises customers to check their systems for any signs of possible unauthorised access that may have happened during the last 90 days. 

The perpetrator of the widespread MOVEit server exploitation is still unknown. 

The attacker's actions were "opportunistic rather than targeted," according to Rapid7's Condon, who also speculated that this "could be the work of a single threat actor throwing one exploit indiscriminately at exposed targets."

'Hot Pixel' Attack Exploits Novel GPUs and SoCs to Siphon Browsing History


An innovative cyberattack technique known as "Hot Pixel," which targets the complex interactions between graphic processing units (GPUs), contemporary system-on-a-chip (SoC), and browser data, has been discovered through a historic partnership between the University of Michigan, Ruhr University Bochum, and Georgia Tech. 

The "Hot Pixel" attack varies from conventional security flaws, as it bypasses modern side-channel defences by taking advantage of data-dependent computation cycles in GPUs and SoCs to steal information from Chrome and Safari browsers. 

The inherent difficulties that contemporary processors have in managing power consumption and heat dissipation, especially at high execution rates, served as the foundation for the researchers' finding. This disproportion generates a distinct digital fingerprint that can be recognised and examined. 

By removing pixels from the content being displayed in the target's browser, the "Hot Pixel" attack takes advantage of these peculiarities to deduce a device's navigation history. The attackers were able to quickly determine the data being processed by observing how the processor behaved differently under various browsing circumstances.

“The rendered image of a webpage may contain private information that should be isolated from scripts running on the page,” the research paper reads. “Examples include embeddings of cross-domain content through the use of iframe elements, and the rendering of hyperlinks, which indicates whether they have been visited.”

In the Chrome and Safari web browsers, researchers ran several CPU and GPU tests. They were able to steal data based on pixels from Chrome with an accuracy range of 60% to 94%, and it took them between 8.1 and 22.4 seconds to decode each pixel. 

Sending cookies to iframe elements is prohibited by Safari's anti-pixel-stealing policy if their origin is different from the parent page of the attacker. However, the researchers found that by burying URLs to sensitive sites on their site, attackers can still exfiltrate the victim's browsing history. 

Attackers might simply ascertain whether their victim had previously visited a particular address because links are presented differently if they have been previously viewed.

The researchers suggest the following measures to stop attacks similar to Hot Pixel: 

  • Minimise devices that are thermally restricted 
  • Enforce hardware constraints by keeping systems' temperatures within acceptable ranges 
  • Remove secrets from iframes' visible content by separating cookies from cross-origin iframes
  • Get rid of unauthorised access to sensor readings (OS-level mitigation)

Confidential Report Highlights Bitfinex Security Breach in Massive 2016 Hack


In 2016, a hacker or hackers gained access to the Bitfinex cryptocurrency exchange and took 119,754 bitcoins worth a total of $72 million. The stolen coins' worth had risen to almost $4 billion by the time US police detained rapper Heather Morgan and her husband, startup founder Ilya Lichtenstein, last year on suspicion of laundering them. The US Department of Justice's single greatest recovery in its history. However, the hack's culprit is still at large.

Ledger Labs, a Canadian cryptocurrency consulting and development company, was hired by one of Bitfinex's owners, iFinex, to conduct an investigation. The secret report from that inquiry was never made public. However, a copy of the study with specific conclusions has been obtained by the Organised Crime and Corruption Reporting Project. 

According to the document's in-depth findings, conclusions, and suggestions, Bitfinex failed to put the operational, financial, and technological controls recommended by its partner in cyber security, Bitgo, into place.

Although Bitfinex did not question the legitimacy of the report in contacts with journalists, OCCRP was unable to independently confirm the facts. Bitgo opted out of commenting but did not expressly deny the report's existence or its conclusions. Requests for response from Ledger Labs went unanswered, and the study's author, Michael Perklin, stated that he was unable to do so because his work on the iFinex report was subject to a non-disclosure agreement.

OCCRP was unable to independently verify the results, however in interactions with journalists, Bitfinex did not contest the validity of the study. Bitgo declined to comment, but did not expressly contest the report's validity or conclusions. An inquiry for response was not answered by Ledger Labs, and the study's author, Michael Perklin, declined to speak because his work on the iFinex research was subject to a non-disclosure agreement. 

For cryptocurrency sites, strict digital security is essential since mistakes cost users real money.

“When you’re dealing with the internet of money, the stakes are that much higher,” stated Hugh Brooks, director of security operations at blockchain security firm CertiK. “If you get breached or make a mistake, it’s not just some usernames and passwords, it’s someone’s life savings or potentially a massive amount of funds.”

According to the Ledger Labs report that OCCRP was able to receive, Bitfinex used a security mechanism that required an administrator to possess two out of the three security keys in order to do any substantial exchange activities, including moving bitcoin. 

However, it discovered that Bitfinex made a crucial mistake by putting two of these three keys on the same piece of hardware. An attacker who managed to hack that one device would have complete access to Bitfinex's internal systems and to "security tokens" that gave them control over the operating system. According to the paper, "the hacker was able to take tokens," and in less than a minute, he was able to increase the daily cap on the number of transactions that were allowed in order to fast drain as much bitcoin as possible. 

According to the Ledger Labs report, the hacker obtained tokens associated with a generic "admin" email account and another tied to "giancarlo," which belonged to Bitfinex CFO and shareholder Giancarlo Devasini, a former Italian plastic surgeon with a shady business past. The document did not assign blame for the hack to Devasini.

The paper stated that holding numerous keys and tokens on a single device constituted "a violation of the CryptoCurrency Security Standard," alluding to an industry-led best-practice initiative, however it is unclear whether this particular device was compromised in the hack. It also claimed that other fundamental security precautions, such as monitoring server activities outside of the server, and a "withdrawal whitelist" - a security feature that only allows cryptocurrency transfers to confirmed or approved addresses — were missing.

Based on a rigorous study of source IP addresses, the Ledger Labs document found that the attack most likely started in Poland. 

Although the hacker is still at large, US authorities detained dual Russian-American citizen Ilya Lichtenstein and his wife, Heather Morgan, last year for allegedly laundering stolen bitcoins. Both have pled not guilty and await trial. 

Lichtenstein is a self-described digital entrepreneur and investor who has created a few tiny apps, while Morgan, a trained economist and contributor, has taken over as CEO of some of Lichtenstein's software initiatives. Morgan has an interesting backstory that includes a rapping alter ego known as "Razzlekhan." Nonetheless, US authorities highlighted in an official Department of Justice document that Morgan used her own name to cash out some of the stolen cryptocurrency's online purchases.

Hackers Leak Photos to Mock Western Digital's Cyberattack Response


The ALPHV ransomware operation, also known as BlackCat, has shared screenshots of internal emails and video conferences seized from Western Digital, revealing that they likely continued to have access to the firm's systems even while the company responded to the incident. 

The release comes after the threat actor informed Western Digital on April 17th that if a ransom was not paid, they would harm them until they "could not stand anymore." Western Digital was the victim of a cyberattack on March 26th, in which threat actors infiltrated its internal network and stole company data. However, no ransomware was installed, and no files were encrypted.

In response, the company suspended its cloud services, including My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS 5, SanDisk ibi, and SanDisk Ixpand Wireless Charger, as well as related mobile, desktop, and online apps, for two weeks.

According to TechCrunch, an "unnamed" hacking group accessed Western Digital and claimed to have stolen ten terabytes of data. The threat actor allegedly shared examples of the stolen data with TechCrunch, including files signed with stolen Western Digital code-signing keys, unlisted corporate phone numbers, and images of other internal data.

In addition, the hackers claimed to have stolen data from the company's SAP Backoffice implementation. While the hacker claimed to be unrelated to the ALPHV ransomware operation, a message soon surfaced on the gang's data leak site, alerting that Western Digital's data would be spilled if a ransom was not paid.

Western Digital is mocked by ALPHV. Security researcher Dominic Alvieri informed BleepingComputer that the hackers revealed twenty-nine screenshots of emails, documents, and video conferences connected to Western Digital's response to the attack in an additional attempt to humiliate and disgrace the corporation.

When an organization is compromised, one of the first measures is to figure out how the threat actor obtained access to the network and block the path. However, there can be a delay between identification and response, enabling the adversary's access to continue even after an attack is detected. This access permits them to watch the company's response and steal additional data.

The threat actors appear to have sustained access to parts of Western Digital's systems in the screenshots supplied by ALPHV since they show video conferences and emails concerning the attack. The "media holding statement" is depicted in one image, and an email regarding staff leaking information about the attack to the press is depicted in another.

Another message from the threat actors is included with the exposed material, claiming to have customers' personal information as well as a comprehensive backup of WD's SAP Backoffice implementation.

While the data appears to be Western Digital's, BleepingComputer was unable to independently confirm its source or whether it was stolen during the attack. Western Digital is not currently negotiating a ransom to halt the publication of stolen data, which has prompted fresh threats from hackers.

"We know you have the link to our onion site. Approach with payment prepared, or [redacted] off. Brace yourselves for the gradual fallout," reads ALPHV's new warning to Western Digital.

Western Digital declined to comment on the stolen screenshots and threat actors' assertions.

Data Leak: Critical Data Being Exposed From Salesforce Servers

According to a post by KrebsOnSecurity published on Friday, servers running Salesforce software are leaking private data controlled by governmental bodies, financial institutions, and other businesses.

According to Brian Krebs, Vermont had at least five websites that gave anyone access to critical information. One of the programs impacted was the state's Pandemic Unemployment Assistance program. It revealed the applicants' full names, Social Security numbers, residences, contact information (phone, email, and address), and bank account details. Vermont adopted Salesforce Community, a cloud-based software solution created to make it simple for businesses to quickly construct websites, just like the other organizations giving the general public access to sensitive data.

Among the other victims was Columbus, an Ohio-based Huntington Bank. It recently bought TCF Bank, which processed commercial loans using Salesforce Community. Names, residences, Social Security numbers, titles, federal IDs, IP addresses, average monthly payrolls, and loan amounts were among the data components that were revealed.

Apparently, both Vermont and Huntington discovered the data leak after Krebs reached them for a comment on the matter. Following this, both the customers withdrew public access to the critical data.. Salesforce Community websites can be set up to require authentication, limiting access to internal resources and sensitive information to a select group of authorized users. The websites can also be configured to let anyone read public information without requiring authentication. In certain instances, administrators unintentionally permit unauthorized users to view website sections that are meant to be accessible only to authorized personnel.

Salesforce tells Krebs that it provides users with clear guidance on how to set up Salesforce Community so that only certain data is accessible to unauthorized guests, according to Krebs.

Doug Merret, who raised awareness in regards to the issue eight months ago, further elaborated his concerns on the ease of misconfiguring Salesforce in a post headlined ‘The Salesforce Communities Security Issue.’

“The issue was that you are able to ‘hack’ the URL to see standard Salesforce pages - Account, Contact, User, etc.[…]This would not really be an issue, except that the admin has not expected you to see the standard pages as they had not added the objects associated to the Aura community navigation and therefore had not created appropriate page layouts to hide fields that they did not want the user to see,” he wrote.

Krebs noted that it came to know about the leaks from security researcher Charan Akiri, who apparently identified hundreds of organizations with misconfigured Salesforce sites. He claimed only five of the many companies and governmental agencies that Akiri informed had the issues resolved, among which none were in the government sector.

Amnesty International Takes a While to Disclose the Data Breach From December


Amnesty International Australia notified supporters via email last Friday that their data might be at risk owing to "anomalous activity" discovered in its IT infrastructure. 

The email was sent extremely late in the day or week, but it was also sent very far after the behaviour was discovered. The email, which Gizmodo Australia saw, claims that the activity was discovered towards the end of last year. 

“As soon as we became aware of this activity on 3 December 2022, we engaged leading external cyber security and forensic IT advisors to determine if any unauthorised access to our IT environment had occurred,” Amnesty International Australia stated.

“We acted quickly to ensure the AIA IT environment was secure and contained, put additional security measures in place and commenced an extensive investigation.” 

Amnesty International said that while it took the organisation some time to notify its supporters of a security breach, the investigation is now complete and has revealed that an unauthorised third party temporarily got access to its IT system. 

“In the course of this investigation, we identified that some low-risk information relating to individuals who made donations in 2019 was accessed, but of low risk of misuse,” the organisation added. 

Although "low risk" information was not defined, it is clear from the security advice that it offered that the data is most likely name, email address, and phone number. Despite being satisfied that the information obtained through the breach won't be used inappropriately, Amnesty International Australia advised its supporters to "carefully scrutinise all emails," "don't answer calls from unknown or private numbers," and "never click on links in SMS messages or social media messages you are not expecting to receive." 

The breach only affected the local arm of the charity, according to Amnesty International Australia, and did not affect any other branches. The statement further stated that although the scope of the "information accessed in the cyber event" did not match the requirements or level for notification under the Notifiable Data Breaches Scheme, Amnesty International Australia had decided to notify its supporters" in the interest of transparency".

Canada Attempts to Control Big Tech as Data Gets More Potent


Whether you're booking a flight, opening a new bank account, or buying groceries, a select few well-known brands control the majority of the market. What this means for the nation's goods—and prices—is examined in the Canadian Press series Competition Ltd. 

Marc Poirier co-founded the search management platform Acquisio 20 years ago, but he will never forget how Google sparked the company's decline. 

It was 2015. The tech behemoth had recently reorganised its companies under the Alphabet brand and was assessing whether recent pushes into riskier projects like self-driving vehicles, internet-beaming balloons, and smart city infrastructure could match the success of its search engine business. The Brossard, Quebec-based business of Marc Poirier was in a lose-lose situation as advertising income and growth stagnated and the company felt pressure to increase earnings.

“I experienced first-hand Google going from partner to fierce competitor,” Poirier stated. “They started selling the same stuff that we built.” 

Sales growth at Acquisio, which sold software to assist advertisers manage bids and budgets for Google, Yahoo, and Microsoft search campaigns, abruptly came to a halt before starting to decline. Poirier began to consider selling, and in 2017 he finally did so through a contract with 

Regulators all across the world have made controlling Big Tech a primary priority because of incidents like Poirier's and growing worries about the sheer scale and influence that tech companies have over users, their privacy, communications, and data. 

Google declined to comment on Poirier's particular situation, but spokesman Shay Purdy pointed out that Alphabet underwent significant changes between 2015 and 2017, including its complex restructuring, and claimed that external factors at the time included an economic downturn following a spike in oil prices. 

Many people are expecting that an ongoing review of the country's Competition Act would level the playing field for digital businesses, even as Canada moves closer to new legislation that will shift some revenue from social media giants to news publishers and better safeguard consumer privacy. 

It's not simple, though, to look into and dismantle monopolies in a sector that is constantly changing and formerly functioned under the motto "move fast and break things" popular in Silicon Valley. Tech companies, aware that regulators are following on their heels, are making the work even more difficult. 

The Competition Bureau, Canada's monopoly watchdog, has been given a lot of the job. It has looked into issues including Ticketmaster's deceptive price advertising, Thoma Bravo's acquisition of the oil and gas software business Aucerna, Amazon's market dominance, and other issues. But if real reform is to take place, according to the bureau and tech observers, the federal government must give the regulator additional authority. 

Collecting evidence of anti competitive behaviour is frequently the bureau's first obstacle. Technology companies are known for keeping their operations under wraps, depending on strong non-disclosure agreements and limiting personnel access to prevent product leaks before buzzy releases or competitors gaining an advantage over them. 

In order to make it more difficult to trace a paper trail, Krista McWhinnie notices companies becoming progressively more deliberate about how they record their decision-making or take any action that even seems to hint at anticompetitive purpose. 

“That alone can stop us from being able to remedy conduct that is having potentially quite a big impact in the market,” stated the deputy commissioner of the bureau’s Monopolistic Practices Directorate. 

It is insufficient to justify action under Canadian competition laws, even if the bureau has evidence that a company's practices are seriously hurting competition. Additionally, the bureau must show that a corporation planned to engage in anticompetitive action as well, which is "a very high bar" and "relatively unusual" in other nations. 

According to McWhinnie, "that's frequently a really difficult task that requires a lot of resources." It takes a lot of time, which is one of the factors contributing to the difficulty in bringing these cases quickly. The bureau has come under fire in recent months for moving too slowly on an examination of Google's possible involvement in anti-competitive practices in the online display advertising market, which is set to begin in October 2021. 

The investigation is predicated on the hypothesis that Google's hegemony in online advertising may be limiting the development of rivals, leading to higher costs, less variety, and less innovation, as well as harming advertisers, news publishers, and consumers. 

“Every day that Google is allowed to monopolise ad revenue, more harm is inflicted on the Canadian news industry, which has a negative impact on democracy as a whole,” stated Lana Payne, Unifor’s national president, in a press release. 

Google pointed The Canadian Press to a research on the economic impact of its services, which showed that the use of its search, cloud, advertising, and YouTube products generated $37 billion in revenue for Canadian companies, non-profits, publishers, creators, and developers. More than the total economic impact of the forestry and aviation industries, this is equal to 1.5% of Canada's gross domestic product, according to the statement.

Jim Balsillie, a former BlackBerry CEO and current head of the Council of Canadian Innovators, feels that Canada's problems with competition are caused by a lack of tools and a subpar approach to defending consumer rights in the digital age. The sheer quantity and specificity of consumer data that many large internet companies collect, together with their ability to use AI to mix it with that data to glean personal insights and sway public opinion, is what gives them their power and control.

Data gathering isn't only a Big Tech strategy. Balsillie cites pharmacies as having reams of health information on customers, cellular providers as knowing your whereabouts to within 10 metres, and banks as knowing what you're buying. 

According to Jennifer Quaid, estimating the potential worth of all that data—a crucial component of figuring out whether businesses are engaging in anticompetitive behavior—is not an easy task.

It's challenging to quantify the effects of mergers or tech company policies on innovation, creativity, and consumer behaviour, especially when the company deals in data "that isn't necessarily valuable at the time but ends up becoming valuable when it's aggregated with other information," said the competition law professor at the University of Ottawa's Civil Law Section.

Quaid and Balsillie concur that the problem would be made simpler if the Competition Bureau had a wider array of tools at its disposal, enabling it to impose more significant fines and overhauling some of the regulatory regimes that have allowed some monopolies to flourish unchecked.

Data on Resold Corporate Routers can be Used by Hackers to Access Networks


Enterprise-level network equipment available on the black market conceals important information that hackers could use to infiltrate company networks or steal consumer data. 

Researchers examined a number of used corporate-grade routers and discovered that the majority of them had been incorrectly decommissioned and then sold online. 

Selling core routers 

Eighteen secondhand core routers were purchased by researchers at cybersecurity company ESET, who discovered that on more than half of those that operated as intended, it was still possible to obtain the full configuration data. 

All other network devices are connected via core routers, which act as the foundation of a big network. They are built to forward IP packets at the greatest rates and handle a variety of data transmission interfaces. 

When the ESET research team initially purchased a few secondhand routers to create a test environment, they discovered that they had not been completely wiped and still included network configuration data as well as information that might be used to identify the former owners.

Four Cisco (ASA 5500) devices, three Fortinet (Fortigate series) devices, and eleven Juniper Networks (SRX Series Services Gateway) devices were among the hardware items purchased. 

Cameron Camp and Tony Anscombe claim in a report from earlier this week that two devices were mirror images of one other and were treated as one in the evaluation results while one device was dead on arrival and excluded from the tests. 

Only two of the 16 remaining devices had been toughened, making some of the data more difficult to access. Only five of the remaining 16 devices had been properly deleted. 

The majority of them, however, allowed access to the whole configuration data, which contains a wealth of information about the owner, how they configured the network, and the relationships between various systems. 

The administrator of corporate network devices must issue a few commands to safely wipe the settings and reset the device. In the absence of this, routers can be started in recovery mode, which enables configuration verification. 

Network loopholes 

The researchers claim that a few of the routers stored user data, information allowing other parties to connect to the network, and even "credentials for connecting to other networks as a trusted party." 

Additionally, the router-to-router authentication keys and hashes were present on eight out of the nine routers that provided the whole configuration data. Complete maps of private applications stored locally or online were included in the list of business secrets. Examples include SQL, Spiceworks, Salesforce, SharePoint, VMware Horizon, and Microsoft Exchange. 

“With this level of detail, impersonating network or internal hosts would be far simpler for an attacker, especially since the devices often contain VPN credentials or other easily cracked authentication tokens” - ESET researchers explained. 

According to the study, such in-depth insider knowledge is normally only available to "highly credentialed personnel" like network administrators and their managers. With this kind of knowledge at hand, an attacker might simply create an undetectable assault vector that would take them far inside the network. 

"With this level of detail, impersonating network or internal hosts would be far easier for an attacker, especially given that the devices frequently contain VPN credentials or other easily cracked authentication tokens," the researchers added. 

Numerous of them had been in managed IT provider environments, which run the networks of big businesses, according to information found in the routers. 

One device even belonged to a managed security services provider (MSSP) that managed networks for hundreds of clients across a variety of industries (such as manufacturing, banking, healthcare, and education). 

The researchers then discuss the significance of thoroughly cleaning network devices before getting rid of them in light of their findings. Companies should have policies in place for the secure disposal of their digital equipment. 

The researchers also caution against always employing a third-party service for this task. They learned that the business had utilised such a service after informing the owner of a router of their discoveries. 

The advice is to wipe the device free of any potentially sensitive data and reset it to factory default settings in accordance with the manufacturer's instructions.

Data of 2.5 Lakh Customers Sent to Personal Account by CFPB Employee


The Wall Street Journal reported that a consumer financial protection bureau (CFPB) employee sent records containing private information to a personal email address that included confidential supervisory information from 45 other financial institutions as well as personal information on roughly 256,000 customers at one financial institution.

The agency, which was already under siege from Republican lawmakers, presented the breach to Congress as a catastrophic incident. 

The emails contained customer information from seven businesses, although the majority of the personal data was linked to customers at one unnamed institution, a CFPB spokeswoman told the Journal. 

The incident was discovered by the agency for the first time in February, and it was revealed to lawmakers on March 21, according to the Journal. The reason the employee, who was later fired, forwarded the emails to a personal account was not disclosed by the CFPB. 

According to the CFPB, the personal information includes two spreadsheets with names and transaction-specific account numbers that were used internally by the financial institution, which downplays the severity of the data theft.

According to the representative, the spreadsheets do not contain the customers' bank account details and cannot be utilised to access a customer's account. As of Wednesday, the former CFPB employee had not complied with a request to erase the emails. Republican lawmakers seized on the data leak and demanded additional information from Director Rohit Chopra in statements they released. 

The CFPB has expanded enforcement efforts against the mortgage industry under Chopra, which has increased compliance expenses.

In October, Mortgage Bankers Association President and CEO Bob Broeksmit described the agency as a "judge, jury, and executioner all rolled into one." 

He urged the government to "establish clear and consistent standards, providing notice and comment when enacting rules." Unfortunately, the Bureau does not often follow this reasonable procedure, announcing new legal responsibilities without formal process or deliberation, enforcing novel and untested legal theories, and making it extremely difficult for businesses to grasp their legal obligations." 

Additionally, the agency is battling constitutional issues on various fronts. The agency's funding structure—by which it is funded by the Fed as opposed to appropriations legislation enacted through Congress—will be decided by the Supreme Court in a case that will be heard there. The agency's financing source was ruled to be illegal in 2022 by a panel of Trump appointees on the Fifth Circuit U.S. Court of Appeals. 

The funding provisions for the CFPB were found to be constitutional in March by the Second Circuit U.S. Court of Appeals, which includes the districts of Connecticut, New York, and Vermont.

MSI Acknowledges Security Breach Following Ransomware Attack Allegations


MSI (short for Micro-Star International), a Taiwanese PC vendor, revealed today that its network had been compromised in a cyberattack in response to claims of a ransomware attack. 

The Money Message ransomware group earlier this week claimed to have infiltrated part of MSI's systems and taken files that will be released online the following week if the business declines to pay a $4 million ransom. 

MSI disclosed that particular sections of its information service systems had been impacted by a cyberattack that had been notified to the appropriate authorities in a Friday filing with Taiwan's Stock Exchange (TWSE), which was first noticed by PCMag. 

"After detecting some information systems being attacked by hackers, MSI's IT department has initiated information security defense mechanisms and recovery procedures. The Company also has reported [sic] the anomaly to the relevant government authorities," MSI stated.

No information was provided by the company regarding the attack's time frame, if any of the compromised systems were encrypted, or whether the attackers stole any client or corporate data as a result of the event. 

Nevertheless, MSI did claim that the cyberattack had no "significant" operational or monetary effects and that security upgrades had been put in place to guarantee the protection of data held on the compromised systems.

"No significant impact on our business in terms of financial and operational currently. The Company is also enhancing the information security control measures of its network and infrastructure to ensure data security," the company added. 

On Friday, MSI also released a statement cautioning users to make sure they only download BIOS and firmware upgrades from legitimate websites. 

"MSI urges users to obtain firmware/BIOS updates only from its official website, and not to use files from sources other than the official website," the company concluded. 

After learning that the organisation may have been involved in the hack of a well-known computer hardware provider, BleepingComputer published the first report on the Money Message ransomware operation's activities last weekend.

In conversations between the ransomware gang and an MSI representative that BleepingComputer was able to observe, the threat actors wanted a $4,000,000 ransom in exchange for access to what they claimed to have stolen from MSI's network, amounting to about 1.5 TB of data.

If MSI doesn't pay the demanded ransom, Money Message now threatens to release the purportedly stolen files sometime next week. The threat actors have added MSI to their list of companies whose data they are leaking, although they have only so far shared screenshots of what they claim are the PC manufacturer's Enterprise Resource Planning (ERP) databases and files with software source code, secret keys, and BIOS firmware.

US Healthcare Startup Brightline Impacted by Fortra GoAnywhere Assaults


A firm providing virtual mental health services for children is the latest victim of Fortra's widespread ransomware onslaught, which has spread its effects even further. 

The American healthcare behemoth Blue Shield of California confirmed that data from one of its providers, Brightline, that was housed in its GoAnywhere file transfer platform had been taken in a data breach notice filed with the Maine attorney general's office. Threat analysts identified Brightline as a potential victim of the mass breach last week. It offers online coaching and therapy for kids. 

The breach notification verified that hackers—perhaps members of the Russia-linked Clop ransomware gang who claimed to have infiltrated over a hundred businesses via an unreported security flaw—accessed and possibly exfiltrated the personal information of over 63,000 patients. 

The group has announced that they will release the data taken from Brightline "soon" on Clop's dark web leak site, which they use to expose the stolen material absent payment of a ransom.

On its website or on social media, Brightline has not yet made the breach publicly acknowledged. John O'Connor, a representative for Brightline, declined to comment on TechCrunch's inquiries, although he did not deny that the hack has a 63,000 person impact. The number of young Brightline customers who are impacted is unknown. 

According to Blue Shield's breach report, the patient names, addresses, dates of birth, gender, Blue Shield subscriber ID numbers, phone numbers, e-mail addresses, plan names, and plan group numbers were all compromised. 

Nevertheless, Brightline is not the only healthcare provider among the 130 firms being affected by the Clop group. US Wellness, a provider of corporate health and wellness initiatives, also acknowledged that hackers had gained access to user personal information including names, addresses, dates of birth, and member ID numbers. 

Because of the severity of the Fortra vulnerability's effects on healthcare institutions, the U.S. government's health sector cybersecurity coordination centre, or HC3, issued a warning in February to help companies prepare for Clop's attacks. 

The City of Toronto, Investissement Québec, and Virgin Red are among the ever-expanding list of victims the group is known to have targeted outside of healthcare institutions. 

Virgin Red was contacted by Clop and, according to Jodie Burton, learnt that hackers had "illegally gotten some Virgin Red files via a cyber-attack on our provider, GoAnywhere." Although Fortra had promised them that their data was secure, TechCrunch has heard from other victims who, like them, only discovered that data had been taken after receiving a ransom demand.

Watch Out for These Common Signs to Identify an Email Phishing Scam


Cybercriminals most frequently use phishing as a method of attack. This communication is a hoax designed to trick the recipient into disclosing private information, sending money, or clicking on a dangerous link. Usually, it is transmitted by email, social media direct messages, or some other text-based method. 

There are many different kinds of phishing, but for big firms, whaling or imitation phishing is the most dangerous. In this kind of attack, the cybercriminal poses as a senior executive to target the employees of the target company. In order to mislead the recipient, deceptively similar email addresses, display names, and messages are used. Since an email from top management or a professional acquaintance is typically taken to be authentic and doesn't arouse suspicion, it is a particularly effective strategy.

To mitigate risks, watch out for these tell-tale signs to identify a phishing email.

Unexpected or unsolicited correspondence 

When an email arrives unexpectedly, that's your first clue that it might be a fraud. Do you recall any offline or in-person discussions about the aforementioned subject? A warning sign that an email may be a phoney message is when you unexpectedly receive one from a top leader, client, or vendor without any prior context.

Scan the display name and email address 

Always check the display name and email address of the sender. On closer inspection, you might discover that a "O" has been changed to a "0" or a I has been changed to a "!". It might initially appear to be genuine. Also, you need to regularly check the domains of the emails you get. 

Internal communications will almost never come through a free email provider and will almost always come from the company's official domain. The same is true of external communication from other enterprises and companies. When you hover over a domain, the fraudulent one will often appear to be real or similar to the company's email address. 

Prompting urgency 

In most cases, phishing emails sound urgent. They want the victim to act without considering or confirming the legitimacy of the email's sender or contents. So, you should be wary of senior executives who unexpectedly request money transfers or information disclosures over email. Always confirm such requests using alternative methods. Call the sender directly, for instance, to confirm the communication. 

Unusual query

Take into account the requests made in the email. There are some common calls to action in phishing emails. They request that you send them private or delicate business information that shouldn't ideally be communicated through email in an unforeseen or initial discussion. It can also request that you click a link to submit this data. You can be led to assume that a senior executive has sent you a paper pertinent to your job by including it in an email. It might even request that you transfer money, either your own or, if you have the power, the company's. 

Prevention tips 

The first thing to do if you think you've received a phishing email is to say nothing. That is, never reply to emails, click on any links, or download any attachments. Next, if you have any doubts about the communication's legitimacy, you should always get in touch with the sender directly through a different method, such as by phone, text, or in person.

Additionally, keep an eye on the emails that arrive in your mailbox. Even if they are from within the company, use extra caution when dealing with emails or senders you weren't anticipating.

Users' Private Info Accidentally Made Public by ChatGPT Bug


After taking ChatGPT offline on Monday, OpenAI has revealed additional information, including the possibility that some users' financial information may have been compromised. 

A redis-py bug, which led to a caching problem, caused certain active users to potentially see the last four numbers and expiration date of another user's credit card, along with their first and last name, email address, and payment address, the business claims in a post. Users might have also viewed tidbits of other people's communication histories. 

It's not the first time that cache problems have allowed users to view each other's data; in a famous instance, on Christmas Day in 2015, Steam users were sent pages containing data from other users' accounts. It is quite ironic that OpenAI devotes a lot of attention and research to determining the potential security and safety repercussions of its AI, yet it was taken by surprise by a fairly well-known security flaw. 

The firm claimed that 1.2 percent of ChatGPT Plus subscribers who used the service on March 20 between 4AM and 1PM ET may have been impacted by the payment information leak. 

According to OpenAI, there are two situations in which payment information might have been exposed to an unauthorised user. During that time, if a user visited the My account > Manage subscription page, they might have seen information about another ChatGPT Plus customer who was actively utilising the service. Additionally, the business claims that certain membership confirmation emails sent during the event were sent to the incorrect recipient and contained the final four digits of a user's credit card information. 

The corporation claims it has no proof that either of these events actually occurred before January 20th, though it is plausible that both of them did. Users who may have had their payment information compromised have been contacted by OpenAI. 

It appears that caching had a role in how this whole thing came about. The short version is that the company uses a programme called Redis to cache user information. In some cases, a Redis request cancellation would result in damaged data being delivered for a subsequent request, which wasn't supposed to happen. The programme would typically get the data, declare that it was not what it had requested, and then raise an error.

Yet, the software determined everything was good and presented it to them if the other user was requesting for the same type of data — for example, if they were trying to view their account page and the data was someone else's account information. 

Users were being fed cache material that was originally intended to go to someone else but didn't because of a cancelled request, which is why they could see other users' payment information and conversation history. It also only affected individuals who were actively using the system for that reason. The software wouldn't cache any data for users who weren't actively using it. 

What made matters worse was that, on the morning of March 20, OpenAI made a change to their server that unintentionally increased the amount of Redis queries that were aborted, increasing the likelihood that the issue would return an irrelevant cache to someone.

As per OpenAI, the fault that only affected a very specific version of Redis has been addressed, and the team members have been "great collaborators." It also claims that it is changing its own software and procedures to ensure that something similar doesn't occur again. Changes include adding "redundant checks" to ensure that the data being served actually belongs to the user making the request and decreasing the likelihood that its Redis cluster will experience errors when under heavy load.

Cerebral Admits to Revealing Patient Information to Meta, TikTok, and Google


As per TechCrunch, Cerebral, a telehealth startup specialising in mental health, inadvertently shared sensitive information of over 3.1 million patients with Google, Meta, TikTok, and other third-party advertisers. Cerebral admits to exposing a slew of patient data with the tracking tools it's been using since October 2019 in a notice posted on the company's website. 

Patient names, phone numbers, email addresses, birth dates, IP addresses, insurance information, appointment dates, treatment, and other information are all impacted by the oversight. It is possible that the answers clients provided as part of the mental health self-assessment were exposed on the company's website and app, which patients can use to schedule therapy appointments and receive prescription medication.

Cerebral claims that this data was gathered through the use of tracking pixels, which are pieces of code that Meta, TikTok, and Google allow developers to embed in their apps and websites. For example, the Meta Pixel can gather information about a user's activity on a website or app after clicking an ad on the platform, and it can even keep track of the information a user fills out on an online form. While this allows companies like Cerebral to track how users interact with their ads on various platforms and the actions they take as a result, it also gives Meta, TikTok, and Google access to this data, which they can then use to gain insight into their own users.

Cerebral notes that the exposed information may "vary" from patient to patient depending on a variety of factors such as "what actions individuals took on Cerebral's Platforms, the nature of the services provided by the Subcontractors, the configuration of Tracking Technologies," and more. The company says it will notify affected users and that "regardless of how an individual interacted with Cerebral's platform," no social security numbers, credit card numbers, or bank account information were exposed.
Cerebral says it has "disabled, reconfigured, and/or removed" any tracking pixels on the platform to prevent future exposures and has "enhanced" its "information security policies and technology vetting processes" since discovering the security hole in January.

Cerebral is required by law to report potential HIPAA violations. HIPAA stands for Health Insurance Portability and Accountability Act. This prohibits healthcare providers from disclosing patient information to anyone other than the patient or anyone the patient has given permission to receive health information. The US Office for Civil Rights is currently investigating the breach, which follows similar incidents involving pixel-tracking tools.

An investigation by The Markup last year discovered that some of the nation's top hospitals were sending sensitive patient information to Meta via the company's pixel. Two class-action lawsuits were filed, accusing that Meta and the hospitals in question violated medical privacy laws.

The Markup discovered months later that Meta was able to obtain financial information about users via tracking tools embedded in popular tax services such as H&R Block, TaxAct, and TaxSlayer. Meanwhile, other online medical companies, such as BetterHelp and GoodRx, were fined by the FTC earlier this year for sharing sensitive patient data with third parties.

Cerebral is being investigated by the Department of Justice and the Drug Enforcement Administration for prescribing controlled substances such as Adderall and Xanax, in addition to whether or not it violated HIPAA regulations. It has since stopped prescribing these medications.

Consumers of Chick-fil-A had Grievances Following Account Takeovers


An automated credential stuffing attack that affected more than 71,000 customers of Chick-fil-A, an American food chain,for months has been made known to its clients. 

Attacks that use automation—often through bots—to test a large number of username-password combinations against targeted online accounts are known as credential stuffing. The practise of users using the same password for numerous online services has made this kind of attack vector possible; as a result, the login information used in credential stuffing attacks is frequently obtained from other data breaches and is made available for purchase from a variety of Dark Web sources.

"Following a careful investigation, we determined that unauthorised parties launched an automated attack against our website and mobile application between December 18, 2022 and February 12, 2023 using account credentials (e.g., email addresses and passwords) obtained from a third-party source," the company said in a letter to those impacted. 

Customers' names, email addresses, membership numbers, mobile pay numbers, and masked credit or debit card numbers (meaning that unauthorised parties could only see the last four digits of the payment card number) were among the personal information that was compromised. Some clients' phone numbers, residences, birthdays, and months of birth were also made public.

In response to the attacks, Chick-fil-A said it has deleted stored credit and debit card payment methods, temporarily blocked cash that had been put onto customers' Chick-fil-A One accounts, and restored any balances that had been adversely affected. 

Also, the restaurant chain advised customers to change their passwords and use a secure password that is exclusive to the website. Some people pointed out that even while password reuse or the use of obvious and weak passwords is the users' fault, Chick-fil-A is still somewhat to blame. 

"This is the new frontier of information security: Attackers have gained access to these users' accounts not through any failure on the part of the website owner, but rather due to the natural human tendency to reuse username/passwords across multiple sites," says Uriel Maimon, vice president of emerging products at PerimeterX. "Nonetheless, organisations are required by law and morality to protect the private and financial information of their users." 

"This underscores the change in paradigm wherein website owners need to not just protect their sites from standard cyberattacks but also safeguard the information they hold on behalf of users. They can achieve this by tracking behavioristic and forensics signals of users logging in in order to differentiate between real users and attackers,”Maimon added. 

Rise in credential stuffing attacks

Credential stuffing has increased recently as a result of the massive supply of credentials available for purchase on the Dark Web. According to an analysis this week, the selling of stolen credentials rules underground markets, with more than 775 million credentials available right now. 

A credential-stuffing assault that disclosed personal information in January that was targeting roughly 35,000 PayPal user accounts exposed nearly 35,000 PayPal user accounts. In the same month, Norton LifeLock warned users about the dangers of being exposed to its own credential-stuffing assault. 

Also, a larger discussion has been sparked by the situation. Some security experts have suggested methods to completely do away with passwords, such as replacing them with security keys, biometrics, and FIDO (Fast Identity Online) technology. This is because nearly two-thirds of people reuse passwords to access various websites.