Financial Institutions are More Vulnerable to Unintentional Data Leakage

Netwrix has released additional findings from its global 2022 Cloud Security Report for the financial and banking sectors. Financial institutions are much more concerned about users who have legitimate access to their cloud infrastructure than other industries surveyed.

Indeed, 44 percent of respondents in this sector believe their own IT staff is the greatest threat to cloud data security, while 47 percent are concerned about contractors and partners, compared to 30 percent and 36 percent, respectively, in other verticals surveyed. 
“Financial organizations experience accidental data leakage more often than companies in other verticals: 32 percent of them reported this type of security incident within the last 12 months, compared to the average of 25 percent. This is a good reason for them to be concerned about users who might unintentionally expose sensitive information. To address this threat, organizations need to implement a zero-standing privilege approach in which elevated access rights are granted only when they are needed and only for as long as needed,” comments Dirk Schrader, VP of security research at Netwrix.

“Cloud misconfigurations are another common reason for accidental data leakage. Therefore, security teams must continually monitor the integrity of their cloud configurations, ideally with a dedicated solution that automates the process.”

Phishing is the most common type of attack reported across all sectors, but 91 percent of financial institutions say they can detect phishing within minutes or hours, compared to 82 percent of respondents in other verticals.

“Even though financial organizations detect phishing quickly, it is still crucial for them to keep educating their personnel on this threat because attacks are becoming more sophisticated,” adds Schrader.

“To increase the likelihood of a user clicking a malicious link, attackers are crafting custom spear phishing messages that are directed at the person responsible for a certain task in the organization and that appear to come from an authority figure. Regular staff training, along with continuous activity monitoring, will help reduce the risk of infiltration.”

Private Data Leaked in Ransomware Attack on Virginia Mason Franciscan Health

The parent firm of Virginia Mason Franciscan Health was recently the target of a ransomware assault, the healthcare system disclosed earlier this week. 

CommonSpirit Health, the organization behind 10 VMFH hospitals across the Puget Sound region, stated that some patients' names, addresses, phone numbers, and dates of birth were included in leaked files; the cyberattack is still being investigated. The files also included internal identifiers used by the hospital (not insurance IDs or medical record numbers).

According to Chad Burns, a spokesperson for CommonSpirit, it is unclear how many patients were impacted. The firm acknowledged that there is currently no proof that any private information has been "misused."

“We apologize for any concern this may cause. CommonSpirit Health and its affiliated entities … take the protection and proper use of personal information very seriously,” CommonSpirit said in a statement.

Midway through October, the Chicago-based healthcare organization revealed it had become the victim of ransomware, a type of malicious software. Patients and professionals in the Puget Sound region had started to notice system disruptions at VMFH institutions. MyChart, a patient interface used to maintain electronic health data, medicines, and test results, was unavailable for roughly two weeks as the business took some systems offline and started looking into the issue. Appointments were canceled or rescheduled. 

Earlier this week, CommonSpirit acknowledged that between September 16 and October 3, an "unauthorized third party" had acquired access to some areas of its network. According to the statement, the third party might have had access to patients' private information over those two weeks. 

Since then, the statement stated, electronic systems have been brought back online with more security and monitoring measures. 

CommonSpirit, which operates 140 hospitals throughout 21 states, alerted the authorities and is still assisting with the investigation. The business claimed that it took action to safeguard its technological equipment, control the situation, and preserve the continuity of care. 

St. Michael Medical Center in Silverdale, St. Anne in Burien, St. Anthony in Gig Harbor, St. Clare in Lakewood, St. Elizabeth in Enumclaw, St. Francis in Federal Way, and St. Joseph in Tacoma are among the VMFH facilities in Washington. 

No other information was revealed on whether the cyberattack also impacted patient data from CommonSpirit's other facilities across the nation because the investigation is still underway, according to Burns. 

Beginning on Thursday, CommonSpirit intends to mail letters to all impacted patients. Additionally, it urged patients of VMFH institutions to check their healthcare accounts for accuracy and notify their physician or insurer of any odd services or expenditures.

A Ransomware Attack Hit Two Michigan Schools

In response to a ransomware attack, two Michigan school districts have shuttered. Kevin Oxley, the superintendent of the Jackson County Intermediate School District, announced that until Wednesday school would remain closed.

In order to look into the incident and get support in re-establishing their systems in a secure manner, the schools alerted law enforcement and hired external cybersecurity advisors.

According to Det. Lt. Mike Teachout of the Michigan Cyber Command Center, the district contacted the center, which coordinates the joint emergency response to cyber incidents in Michigan.

The schools encouraged everyone to abstain from using any school-issued gadgets as a precaution.

According to Kevin Oxley, "This intrusion occurred because we were victims of a ransomware attack that was spotted over the weekend. Credits to overnight work by our tech staff and cybersecurity professionals. We actively shut down networks as soon as we noticed suspicious behavior in order to contain the situation."

While restoration efforts are ongoing, Oxley stated that getting students back in class on Thursday was the first priority. "We prioritized bringing vital systems back up to allow us to safely restart operations and reopen school buildings across Jackson and Hillsdale counties," Oxley said.

Over 24,000 pupils are enrolled in the district. According to officials, Hillsdale Community District Schools, whose technology services are provided by a county consortium, were also impacted by the incident.

A wide range of facility operations, including but not limited to heating, telephones, and classroom equipment, were affected by the cyberattack that transpired over the weekend of November 12–13, forcing schools in Jackson and Hillsdale counties to cancel classes for the whole week. As of yet, no cybercrime organization has been held responsible for the attack.

The Los Angeles Unified School District, one of the largest school systems in the US, was the victim of a ransomware attack in September. School districts, now a prime target for ransomware gangs, must exercise caution.

Abortion Data of Medibank Patients Leaked on the Dark Web

Threat actors who siphoned customer data from Australia's largest health insurer Medibank last month have released sensitive details of patients' medical diagnoses and procedures, including abortions, onto the dark web. 

The ransomware group also disclosed that it had demanded a ransom of US$1 (A$1.60) per customer from the health insurer, but Medibank refused to pay a ransom for the data, a decision supported by the Australian government.

"Added one more file abortions.csv ...," read a post on the blog. "Society asks us about ransom, it's a 10 million USD (A$15.5 million). We can make a discount 9.7m (A$15 million) 1$ (A$1.60) =1 customer." 

The file reportedly contained a spreadsheet with 303 customers' details alongside billing codes related to pregnancy terminations, including non-viable pregnancy, miscarriage, and ectopic pregnancy. 

The day after the data leak, Minister for Cyber Security Clare O'Neil described the release of the patients’ data as "morally reprehensible".

"I want to say, particularly to the women whose private health information has been compromised overnight, as the minister for cybersecurity but more importantly, as a woman, this should not have happened, and I know this is a really difficult time," she said. "I want you to know that as a parliament and as a government, we stand with you. You are entitled to keep your health information private and what has occurred here is morally reprehensible and it is criminal."

Meanwhile, Medibank CEO David Koczkar urged the public not to seek out the files, which contain the names of policyholders rather than patients.

"These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care," he said. Koczkar also apologized for what he called the "malicious weaponization" of personal data.

Additionally, the Australian government has defended the insurer's decision to not pay the ransom. Both have warned that more releases of customer information are expected. Prime Minister Anthony Albanese has said that he is also a Medibank customer. 

The Medibank hack follows a string of unrelated cyberattacks against Australian organizations in recent weeks and months, as customer data has come under siege from hackers.

Earlier this year, in September, Australia's second-largest telecommunications firm Optus was also targeted for extortion after the private information of nearly 10 million customers was siphoned in what the firm called a cyberattack. Attackers also targeted supermarket chain Woolworths and classified Australian Federal Police documents, which exposed agents working to stop international drug cartels.

The Urlscan.io API Unintentionally Exposes Sensitive URLs and Data

Researchers have issued a warning about enterprise software misconfigurations that result in the leak of sensitive records on urlscan.io. 
Urlscan.io is a website scanning and analysis platform. The system accepts URLs and generates a wealth of data, including domains, IP addresses, DOM information, and cookies, as well as screenshots. According to the developers, the engine's goal is to enable "anyone to easily and confidently analyze unknown and potentially malicious websites."

Many enterprise customers and open-source projects use urlscan.io, and an API is provided to integrate its checks into third-party products. Positive Security stated in a blog post published on November 2 that the urlscan API came to its attention as a result of an email GitHub sent to customers in February, warning that GitHub Pages URLs had been accidentally leaked via a third party during metadata analysis.

“With the type of integration of this API (for example via a security tool that scans every incoming email and performs a urlscan on all links), and the amount of data in the database, there is a wide variety of sensitive data that can be searched for and retrieved by an anonymous user,” the researchers say.

On further investigation, Positive Security found, using urlscan.io search queries ("dorks"), that the retrievable data could include password reset links, setup pages, Telegram bots, DocuSign signing requests, meeting invitations, package tracking links, and PayPal invoices.

Pingbacks to leaked email addresses appeared to indicate that the culprits were misconfigured security tools that submitted links received via email as public scans to urlscan.io. Many API integrations, for example, used generic python-requests/2.X.Y user agents that ignored account visibility settings, allowing scans to be incorrectly submitted as public.

Misconfiguration of SOAR

Positive Security contacted a number of leaked email addresses and received only one response: from a company that had sent an employee a DocuSign link to their work contract and then launched an investigation. The employer discovered that the problem was caused by a misconfiguration of its Security Orchestration, Automation, and Response (SOAR) playbook, which was integrated with urlscan.io.

Positive Security investigated historical urlscan.io data and discovered misconfigured clients that could be abused by scraping the system for email addresses and sending them unique links to see if they appeared on urlscan. Password resets for many web services can be triggered for users of such misconfigured clients, and the leaked link can be used to set a new password and take over the accounts.

Speaking to The Daily Swig, Fabian Bräunlein, co-founder of Positive Security said that this attack vector could be triggered “for personal services like banking or social media or company services such as for popular SaaS or custom applications.

“For many SaaS providers, access to an email address with a certain domain is already sufficient to gain access to internal company data (e.g. chats or code repositories),” Bräunlein added. “In such a case, an attacker does not even need to take over existing accounts but can just create new accounts at interesting services.”

Urlscan Overhaul

Positive Security reported its findings to urlscan.io once its impact assessment was completed in July. The two companies then collaborated to resolve the issues discovered, resulting in the release of a new engine version later this month.

The updated software features an improved scan visibility interface as well as team-wide visibility settings. Urlscan.io later published Scan Visibility Best Practices, which explain the security benefits and risks posed by the three visibility settings users select when submitting a URL: 'Public,' 'Unlisted,' and 'Private.'

Urlscan.io has also contacted customers who have submitted a large number of public scans and has started reviewing third-party SOAR tool integrations. Finally, the developers added deletion rules, highlighted visibility settings in the user interface, and included a report button to disable problematic search results.

“Security teams that run a SOAR platform must make sure that no sensitive data is leaked to the public via integrations of third-party services,” Bräunlein commented.

Urlscan GmbH CEO Johannes Gilger told The Daily Swig: “We welcome the research performed by Positive Security and appreciate their professional conduct while working with us to identify the scope and source of these inadvertent information leaks.

“We have improved the visibility of the relevant settings on our platform, we have educated our users about the issue through a dedicated blog post and we continue to work with third-party automation providers to ensure adherence to safe default behaviors. A platform like urlscan will always carry the risk of unintended information disclosure due to the nature of its operation, so we take every available measure to minimize the likelihood of these things happening.”
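One way a SOAR integration can avoid the misconfiguration described above (scans of inbound links submitted as public by a generic client), written as an added example that is not urlscan.io's or Positive Security's code: it sends an explicit non-public visibility with every request, refuses to submit sensitive-looking links as anything but private, and audits past submissions for public scans of such links. The sensitivity heuristics, the integration's User-Agent name and the sample history are assumptions constructed here; the endpoint and the url/visibility fields and API-Key header are urlscan.io's documented scan API.

```python
"""Guarded urlscan.io submission helper for a SOAR playbook.

Added example; not urlscan.io's, Positive Security's or any vendor's code.
Assumptions (not from the article): the playbook calls submit_scan() for every
link extracted from inbound mail and supplies its own API key; the heuristics,
the integration name and the sample records are constructed here. The endpoint,
the 'url'/'visibility' JSON fields and the 'API-Key' header are urlscan.io's
documented scan API.
"""
import re
from urllib.parse import parse_qs, urlparse

URLSCAN_SUBMIT = "https://urlscan.io/api/v1/scan/"
# Never rely on the account default: an explicit, non-public visibility is
# sent with every request.
ALLOWED_VISIBILITY = ("private", "unlisted")
# A descriptive User-Agent so urlscan.io (and your own logs) can tell this
# integration apart from a generic python-requests client. Hypothetical name.
USER_AGENT = "example-soar-urlscan-integration/1.0"

# Heuristics for links that usually carry a one-time secret or grant access.
SENSITIVE_PATH_WORDS = ("reset", "verify", "invite", "activate", "signing", "docusign")
SENSITIVE_QUERY_KEYS = {"token", "code", "key", "sig", "signature", "auth", "otp"}
OPAQUE_TOKEN = re.compile(r"/[A-Za-z0-9_-]{32,}(?:/|$)")


def classify_url(url):
    """Return 'sensitive' for links that look single-use or credentialed, else 'ordinary'."""
    parts = urlparse(url)
    path = parts.path.lower()
    if any(word in path for word in SENSITIVE_PATH_WORDS):
        return "sensitive"
    if SENSITIVE_QUERY_KEYS & {k.lower() for k in parse_qs(parts.query)}:
        return "sensitive"
    if OPAQUE_TOKEN.search(parts.path):
        return "sensitive"
    return "ordinary"


def build_submission(url, visibility="private"):
    """Build the JSON body for a scan; refuse public scans and non-private sensitive links."""
    if visibility not in ALLOWED_VISIBILITY:
        raise ValueError(f"refusing visibility={visibility!r}; use private or unlisted")
    if visibility != "private" and classify_url(url) == "sensitive":
        raise ValueError("sensitive-looking link must be scanned as private")
    return {"url": url, "visibility": visibility}


def submit_scan(url, api_key, visibility="private", session=None):
    """POST the scan to urlscan.io with explicit visibility and a descriptive User-Agent."""
    import requests  # only needed for the live call; the checks above run offline
    body = build_submission(url, visibility)
    headers = {"API-Key": api_key, "Content-Type": "application/json",
               "User-Agent": USER_AGENT}
    sess = session or requests.Session()
    resp = sess.post(URLSCAN_SUBMIT, json=body, headers=headers, timeout=30)
    resp.raise_for_status()
    return resp.json()


def audit_submissions(records):
    """Review past submissions (e.g. your own scan history) and flag every
    'public' scan of a sensitive-looking link."""
    return [r for r in records
            if r.get("visibility") == "public" and classify_url(r["url"]) == "sensitive"]


# Constructed sample history, not real urlscan.io data.
SAMPLE_HISTORY = [
    {"url": "https://example.com/account/reset?token=9f1c", "visibility": "public"},
    {"url": "https://example.com/blog/welcome", "visibility": "public"},
    {"url": "https://docs.example.org/signing/abc", "visibility": "private"},
]

if __name__ == "__main__":
    for rec in audit_submissions(SAMPLE_HISTORY):
        print("LEAKED AS PUBLIC:", rec["url"])
```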

FCC Commissioner Brendan Carr Calls for TikTok Ban in US

The US government should take action to ban TikTok rather than negotiate with the social media app, Brendan Carr, one of five commissioners at the Federal Communications Commission, told a local media outlet in an interview. 

With more than 200 million downloads in the U.S. alone, the app’s immense popularity is concerning because ByteDance, a Chinese company, owns it, which means data on US residents could flow back to China. The FCC has no power to ban TikTok directly, but Congress previously acted after Carr raised concerns regarding Chinese telecom firms, including Huawei.

TikTok is currently in negotiations with the Committee on Foreign Investment in the United States (CFIUS), a multi-agency government body charged with reviewing business deals involving foreign ownership, to determine whether ByteDance can divest it to an American firm so that it remains operational in the United States.

Earlier this year, in September, the New York Times reported that a deal was taking shape but not yet in its final form, and that Department of Justice official Lisa Monaco was concerned the deal did not provide enough insulation from China.

"I don’t believe there is a path forward for anything other than a ban," Carr said, citing recent incidents regarding how TikTok and ByteDance managed American consumers' data. “Perhaps the deal CFIUS ends up cutting is an amazing, airtight deal, but at this point, I have a very, very difficult time looking at TikTok’s conduct thinking we’re going to cut a technical construct that they’re not going to find a way around.”

A few months ago, Carr sent letters to Apple and Google asking the tech giants to remove TikTok from their respective app stores. The commissioner is now calling for a nationwide ban despite the efforts made by both parties – the US government and TikTok – to come to an agreement. 

“Commissioner Carr has no role in or direct knowledge of the confidential discussions with the US government related to TikTok and is not in a position to discuss what those negotiations entail,” a TikTok spokesperson responded. “We are confident that we are on a path to reaching an agreement with the US government that will satisfy all reasonable national security concerns.”

For now, it’s still business as usual for a Chinese app in the US, though it may be a good idea for creators to have a backup plan in case of a ban. YouTube Shorts is a good option, and it pays better too.

Leaked Amazon Prime Video Server Exposed Users' Viewing Habits

A database containing Amazon Prime Video users' viewing habits, which was stored on an internal Amazon server, was accidentally exposed online and could be accessed by anyone with a web browser. 
Anurag Sen, a cyber-security researcher, discovered the database containing Amazon Prime viewing habits on an internal Amazon server that was accessible online. According to TechCrunch, the database was first detected as being exposed to the internet on September 30 by the search engine Shodan.

"But because the database was not protected with a password, the data within could be accessed by anyone with a web browser just by knowing its IP address," the report noted.

The database contained nearly 215 million viewing data entries, such as the name of the show or movie being streamed, the device on which it was streamed, and other internal data. The Amazon Prime Video database was eventually taken down from the Internet. According to an Amazon spokesperson, there was a "deployment error with a Prime Video analytics server."

"This problem has been resolved and no account information (including login or payment details) was exposed. This was not an AWS issue; AWS is secure by default and performed as designed," the spokesperson added.

'The Lord of the Rings: The Rings of Power' attracted more than 25 million global viewers on its first day, the largest debut in Prime Video history, and is closing in on 100 million viewers to date, according to the company's latest Q3 earnings call. It also kicked off Prime Video's inaugural season as the exclusive home of NFL Thursday Night Football with over 15 million viewers for its first game.

Countering Financial Data Leak in the Era of Digital Payments

Over the past five years, there has been a huge surge in the usage of financial services technologies and with that, the risk of a financial data breach has also increased. Multiple financial services technologies use screen scraping to access the private banking data of consumers.

Screen scraping is a technique by which a customer provides their banking app login credentials to a third-party provider (TPP). The TPP then uses a software robot to log in to the bank’s app or website on behalf of the user and access their data.

“The way consumers traditionally connect to their bank accounts is facilitated through screen scraping, where providers require internet banking login information,” explained Joe Pettersson, Chief Technology Officer at Banked. 

One safer alternative to screen scraping is APIs, which let two systems work together without sharing the user's credentials. Here are three benefits of using APIs:

Easier for developers 

APIs come with documentation, which gives developers a common language for connecting two systems. They do not have to learn the internals of a full fraud prevention engine; they only need to consult the documentation to understand how to access the functions they need. This saves time and effort for the whole IT team and makes the fraud system more cost-effective.

Good for Scaling

Regardless of how efficient a person is, there is no way to review all user data manually. This is where APIs play an important role, offering fast queries and responses for hundreds of thousands of user logins, transactions, or signups.

Automates everything 

Because APIs are served by the provider's web application, there is no need to regularly tweak them or wait for IT updates. All fixes and improvements are made on the server side, so organisations can focus on their business instead. It is not only cheaper in terms of IT resources, but also much more efficient and faster.

Conclusion 

To mitigate fraud risk, propagating knowledge and awareness of new payment technologies, channels, and products, and the risks involved — to both customers and employees — is a crucial part of a fraud prevention strategy. Embedding the fraud management process into overall customer engagement and experience should be the first step forward.

Initial Access Brokers Are Playing a Major Role in Data Breaches

As the cybercrime ecosystem continues to expand in Australia, the job of security professionals has also come under scrutiny. In the past month alone, seven major Australian enterprises including Optus, Medibank, and Woolworths have suffered data breaches.

According to the latest Recorded Future intelligence report, the rise of initial access brokers (IABs) has led to an increase in data breaches. IABs employ multiple tactics, techniques, and procedures (TTPs) to gain initial access to a targeted network.

IABs' modus operandi

IABs often launch the first stage of a ransomware attack and then sell this access to other hackers who deploy the ransomware to paralyze the victim’s computer system. 

IABs are primarily active on top-tier Russian-language platforms like Exploit, XSS, and RAMP, and typically operate using multiple languages and online pseudonyms to bypass detection. The advertising on underground forums includes a series of important details that hackers will need to select their next victim. These include victim country, annual revenue, industry, type of access, rights, data to be exfiltrated, devices on the local network, and pricing. 

While many ransomware affiliates are happy to negotiate publicly with IABs advertising on these forums, others are thought to work directly and secretly with a pre-selected group of access brokers. Either way, the advantage of working alongside IABs is clearly to accelerate their campaigns.

According to the latest research conducted by KELA, IABs sell initial access for $4,600, and sales take between one and three days to finalize. Once access has been purchased, it takes up to a month for a ransomware attack to take place, and potentially for the victim to be subsequently named on a leak site. The average price for access was around USD 2,800 and the median price USD 1,350.

How to counter the threat 

Fortunately, there are multiple things businesses can do to mitigate the threat, not only of the initial info-stealing attacks but also of the ransomware that follows.

Organizations should train employees to recognize and neutralize social engineering attacks. When it comes to ransomware, maintain offline backups of sensitive data, segment networks to contain an attack’s blast radius, and apply two-factor authentication everywhere. Continuous monitoring and robust threat intelligence will also provide a useful early warning system. 

Most importantly, the right defensive posture can help organizations to regain the initiative and put enough roadblocks in the way that their adversaries give up and move on to the next target.

Lockbit 3.0 Ransomware Targets UK-Based Kingfisher Insurance


Earlier this week, UK insurer Kingfisher Insurance's name appeared on the LockBit ransomware gang’s leak site alongside claims that 1.4TB of the firm's data had been siphoned, including private data of staff and customers.

The gang set a deadline of 28 November for its demands to be met, threatening to release the siphoned data to the public if the firm fails to comply. Kingfisher appears alongside six other firms the gang claims to have hacked this month.

The company has acknowledged the attack on its IT systems but disputes the claimed size of the data breach.

According to LockBit, the siphoned data includes private data of staff and customers as well as contacts and corporate mail archives belonging to Kingfisher. On its site, the gang published multiple email addresses linked to Kingfisher Insurance staff, as well as passwords to several management system accounts, such as Workday and Access.

According to a Kingfisher representative, the company blocked all external access and took the exploited servers offline as soon as the cyberattack became known. Kingfisher owns multiple high-profile UK insurance brands, such as Classic Insurance Services, ClubCare Insurance, Cork Bays & Fisher, and First Insurance.

LockBit 3.0 flexing its muscles 

According to research from security vendor CyberInternational, LockBit was the most active ransomware gang in the third quarter of 2022, launching 37% of ransomware attacks, a rise of 5% on the previous quarter. Since its emergence in 2019, LockBit has operated as ransomware-as-a-service (RaaS), recruiting affiliates to infiltrate networks and encrypt devices.

Earlier this year, the gang targeted global private and public sector organizations including the Italian tax offices, the cybersecurity firm Mandiant, and NHS supplier Advanced. The latter attack led to disruptions to the NHS’s 111 service.

In the same month, LockBit received a taste of its own medicine when anonymous hackers launched a DDoS attack on its dark web server containing leaks from companies the gang has ransomed. At the time of the attack, LockBit was receiving “400 requests a second from over 1,000 servers”.

Private Data of Nearly 296,000 Users Compromised in Toyota Data Breach

Toyota Motor, the world's largest car manufacturer, said on Friday it had identified that about 296,000 pieces of customer information and assigned customer numbers were “mistakenly” leaked from its T-Connect service.

The Japanese automaker published a statement warning its customers that they may be at risk of receiving spam, phishing scams, or malicious texts at their email addresses. Those impacted by the data leak are users who signed up for the service with their email addresses from July 2017 onwards.

According to the firm, a total of 296,019 email addresses and customer numbers were possibly leaked, but private data such as customer names, phone numbers, or credit card information was not affected. Toyota also has not reported any cases where the leaked customer information has been misused.

“The email addresses and customer management numbers of some customers who subscribe to 'T-Connect' were found to have been leaked,” Toyota stated. “We sincerely apologize for causing great inconvenience and concern to our customers.” 

The incident occurred after an unnamed subcontractor, a designer for the T-Connect website, accidentally uploaded part of the source code to a repository set to public, where it remained from December 2017 until September 15 of this year. However, based on security experts' investigation, the car manufacturer has not identified any third-party access to the data server where the information was stored.

“From December 2017 to September 15, 2022, a third party was able to access part of the source code on GitHub,” the automaker added. “It was discovered that the published source code contained an access key to the data server and by using it, it was possible to access the email address and customer management numbers stored in the data server.”

According to threat analysts, car apps put customers’ private details at risk. Earlier this year, in May, security researchers at the cybersecurity firm Kaspersky published a report finding that more than half of these apps use customers’ personal data without first asking for consent and that the apps tend to be susceptible to data leaks.

The average cost of a data breach hit a record high of $4.35 million in 2022, 2.6 percent higher than last year and 13 percent higher than in 2020, US technology firm IBM said in an August report.

This is not the first time Toyota has made headlines for the wrong reasons. Earlier, in February, the company suspended Japanese factory operations after a supplier of electronic components was hit by a suspected ransomware attack. Toyota joins a series of well-known firms that have had their data and user information leaked, including Samsung Electronics, LinkedIn, Cisco, Twitter, and Facebook.

Australian Security Firm G4S Hacked, Staff on Alert

Ransomware Attack, G4S Breached

Current and former employees of security firm G4S have been warned to be cautious after a ransomware attack in which personal information was stolen and posted online. The leaked information includes tax file numbers, medical checks, and bank account details.

The attack follows the massive Optus data leak in Australia and two further data breaches, and comes amid government plans to reform cybersecurity rules and impose higher penalties under the Privacy Act.

G4S offers services to Australian prisons

G4S provides services to prisons throughout Australia and previously ran the federal government's offshore detention centre on Manus Island.

Earlier this week it informed its former and current customers that it had suffered a cyber incident in which an unauthorized third party gained access to G4S systems and deployed malware.

Guardian Australia believes the incident to be the ransomware attack targeting Port Phillip prison that it reported in early July.

"Guardian Australia was also alerted on Tuesday to another Optus-style data breach involving an employment agency. The breach was the result of a similar open application programming interface (API) to that believed to have been breached in the Optus attack. Personal documents such as photos of passport pages and Covid-19 vaccination certificates were accessible via the vulnerability."

What can the victims do?

During mid-September, G4S came to know that some data was leaked online. However, it only informed the affected customers about the degree of the attack and the compromised documents in an e-mail earlier this week. 

The stolen data includes employee names, dates of birth, addresses, medical and police records, contact details, bank account details, tax file numbers, licence details, and Medicare numbers.

In some cases, health information provided to the company, payslips, WorkCover claims information, and incident reports were also leaked.

Though the incident originated at Port Phillip prison, the attacker gained access to the company's entire network throughout Australia.

Number of victims not confirmed

The number of staff affected by the breach is not yet known. G4S did not answer questions about the victims, saying instead that the company is working with affected individuals to provide them with full assistance.

G4S advised the victims to replace their identity documents but did not offer compensation for the replacements or credit monitoring.

The Guardian reports:

"Separately, photos of identity documents – including driver licenses – of hundreds of thousands of the company’s clients were publicly available via Google image search results because users had uploaded their licences as their profile photo. The company has since acted to prevent users from uploading sensitive documents to profiles."

Telstra Struck by Data Breach Exposing 30,000 Employees' Data

 

Telstra, Australia's largest telecommunications company, revealed a data breach via a third-party supplier. The company stated that its systems were not compromised; rather, the security breach affected a third-party supplier who previously provided a now-defunct Telstra employee rewards programme. 

The data breach affected a third-party platform called Work Life NAB, which is no longer available. It was run by Pegasus Group Australia, a subsidiary of MyRewards International Ltd, and was also provided to several other organisations.

According to Narelle Devine, the company's chief information security officer for the Asia Pacific region, the third-party platform did not store any customer account information. Other companies appear to have been affected by the breach as well. Data from 2017 was leaked online; it included first and last names and the email addresses used to sign up for the employee rewards programme.

“Information obtained as a result of a data breach at a third-party supplier was posted on the internet. The supplier previously provided a now-obsolete Telstra employee rewards program.” reads the statement published by the company. “Critically, there was no breach of any Telstra systems, and no customer account information was stored on the third-party platform.”

According to Reuters, citing an internal Telstra staff email, 30,000 current and former employees have been affected. The company is still investigating the incident and assisting the third party in determining how, and to what extent, the security breach occurred.

Optus, Australia's second-largest telecommunications company, recently confirmed that a security breach affected nearly 2.1 million of its current and former customers.

Ferrari Refutes Ransomware Attack Following RansomEXX’s Online Claims

 

Italian carmaker Ferrari S.p.A. may have become the latest victim of a ransomware attack. According to a Reuters report, internal documents belonging to the brand were published on a dark web leak site run by the ransomware group RansomEXX.

However, the car manufacturer rejected such claims, stating that there was no evidence of a ransomware attack or of a breach of the company's systems. The company said that it is investigating the leak of the internal documents and that appropriate action would be taken as needed, adding that there has been no disruption to its business and operations.

On Monday, the newspaper Corriere Della Sera, citing the Italian website Red Hot Cyber, reported that the luxury car maker had been the victim of a ransomware attack.

According to Red Hot Cyber, the notorious hacking group RansomEXX claimed on its Tor leak site that it had breached Ferrari and stolen 6.99 GB of data, including not only internal documents but also datasheets and repair manuals. The source of the documents remains unclear.

In December 2021, the ransomware gang Everest indirectly targeted Ferrari when it hit the Italian manufacturing firm Speroni. At that time, the hackers siphoned 900 GB of data containing sensitive details about the firm's partners, including Ferrari, Lamborghini, Fiat Group, and other Italian car manufacturers.

According to Cybernews, hackers also interfered with Ferrari's entry into the NFT market earlier this year, taking control of a company subdomain and using it to host an NFT scam almost immediately after Ferrari announced it would mint tokens based on its cars.

RansomEXX has been operating since 2018 and adopted its current name in June 2020. The gang's operations have grown more capable, and it targets high-profile firms.

High-profile organizations targeted by the RansomExx group in the past include the Texas Department of Transportation (TxDOT), Konica Minolta, Brazilian government networks, IPG Photonics, and Tyler Technologies. RansomExx has also developed a Linux version of its ransomware to ensure it can reach all critical servers and data in a firm.

Elbit Confirms Data Breach After Ransomware Gang Claims Hack

 

Elbit Systems of America, a subsidiary of Israel's Elbit Systems, has confirmed a data breach, just months after a ransomware group claimed to have compromised the company's systems. 

The Fort Worth, Texas-based company stated in a notification to the Maine Attorney General's office that the breach occurred on June 8 and was discovered the same day. According to the report, only 369 individuals are impacted. Elbit discovered the breach after observing unusual activity on its network, according to a notification sent to impacted customers by a law firm on its behalf. The network was immediately shut down, and security measures were implemented.

According to an investigation aided by a cybersecurity firm, the attacker may have obtained information belonging to specific employees, such as name, address, social security number, date of birth, direct deposit information, and ethnicity. Individuals affected were notified in July and offered a year of free identity protection and credit monitoring services, according to the company.

Elbit Systems of America provides solutions in the areas of defence, commercial aviation, homeland security, medical instrumentation, law enforcement, and sustainment and support.

In late June, the Black Basta ransomware group announced that it had hacked Elbit Systems of America. According to the group's Tor-based leak website, all of the files stolen from Elbit have been made public, indicating that the defence company has declined to pay the hackers' ransom.

At the time of writing, the Black Basta website was extremely slow and displayed only a few documents reportedly stolen from the defence contractor, including a payroll report, an audit report, a confidentiality agreement, and a non-disclosure agreement. SecurityWeek has contacted Elbit for more information about the incident.

The Black Basta ransomware operation first surfaced in April, and cybersecurity experts have discovered links to the notorious Conti group. In order to increase its chances of getting paid, the operation employs a double extortion strategy that involves encrypting files and stealing valuable data from compromised systems. The group has grown into a major threat, with approximately 100 victims listed on the Black Basta leak website.

Elbit Systems of America has previously been targeted by hackers. In 2018, the company admitted to being targeted after a hacker allegedly stole account information from its systems. However, it did not confirm an actual breach or data theft at the time.

Thousands of Users Impacted in Revolut Data Breach

 

Financial technology firm Revolut has suffered a massive data breach that may have allowed hackers to access the private details of over 50,000 users. 

The fintech giant, which has a banking license in Lithuania, described the assault as “highly targeted” and stated the hacker only had access to 0.16% of customers’ data for a “short period” of time. 

“We immediately identified and isolated the attack to effectively limit its impact and have contacted those customers affected. Customers who have not received an email have not been impacted,” Revolut spokesperson Michael Bodansky explained. “To be clear, no funds have been accessed or stolen. Our customers’ money is safe – as it has always been. All customers can continue to use their cards and accounts as normal.”

However, according to Revolut’s breach disclosure to the authorities in Lithuania, nearly 50,150 customers worldwide, including 20,687 in the European Economic Area (EEA) and 379 Lithuanian citizens, may have been affected by the data breach. The leaked data includes names, postal and email addresses, telephone numbers, partial card details, and bank account information.

Soon after the attack, multiple Revolut users complained regarding obscene texts received via the application’s chat feature. Some customers also reported getting text messages directed to a Revolut phishing website. It’s unclear if these events are related to the breach. 

In its data breach notification to affected users, Revolut warned impacted users to be on high alert for follow-on phishing and fraud scams using leaked details. 

“Cyber-criminals are constantly looking for ways to make money at your expense and try to exploit human emotions in order to extract the information they need directly from you using social engineering techniques. Scammers usually follow the same principle – they try to force you to take actions without thinking about them after starting an emotional conversation,” the company warned users. 

“Malicious persons and fraudsters may try, using the publicized information about this breach of personal data security, to trick you with various login or other important personal data, offer some fictitious services and ask you to pay for them.” 

According to Forbes, London-based Revolut is the UK’s most valuable fintech startup, currently valued at $33 billion. It has over 20 million customers in 200 nations but is most popular in Europe and the UK. The app-based bank was established in 2015 by Russia-born Nikolay Storonsky and Ukraine-born Vlad Yatsenko.

Uber Blames Extortion, Hacking Group Lapsus$ For Recent Data Breach

 

On Monday, Uber revealed more details about the security incident that occurred last week, pinning the attack on a threat actor it believes is affiliated with the notorious LAPSUS$ hacking group.

The financially motivated extortionist group was dealt a massive blow in March 2022 when the City of London Police arrested seven suspected LAPSUS$ gang members aged 16 to 21. Two of them were charged weeks later. The hacker responsible for the Uber breach, an 18-year-old known as Tea Pot, has also claimed responsibility for breaking into video game publisher Rockstar Games over the weekend.

"This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, NVIDIA, and Okta, among others," the San Francisco-based company said in an update.

As the company's investigation into the incident continues, Uber stated that it is functioning with "several leading digital forensics firms," in addition to cooperating with the US Federal Bureau of Investigation (FBI) and the Justice Department.

As for how the attack occurred, the ridesharing company stated that an "EXT contractor" had their personal device compromised with malware and their corporate account credentials stolen and sold on the dark web, which is consistent with an earlier Group-IB report. The previous week, the Singapore-based company reported that at least two Uber employees in Brazil and Indonesia had been infected with the Raccoon and Vidar information stealers.

"The attacker then repeatedly tried to log in to the contractor's Uber account," the company said. "Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in."

After gaining access, the miscreant appears to have accessed other employee accounts, giving the malicious party access to "several internal systems" such as Google Workspace and Slack. The company also stated that as part of its incident response measures, it disabled impacted tools, rotated keys to the services, locked down the codebase, and blocked compromised employee accounts from accessing Uber systems or issued password resets for those accounts.

Uber did not say how many employee accounts were potentially compromised, but it emphasised that no unauthorised code changes were made and that there was no evidence the hacker had access to production systems that support its customer-facing apps. The firm also revealed that the attacker gained access to HackerOne bug reports, but added that "any bug reports the attacker was able to access have been remediated."

"There is only one solution to making push-based [multi-factor authentication] more resilient and that is to train your employees, who use push-based MFA, about the common types of attacks against it, how to detect those attacks, and how to mitigate and report them if they occur," Roger Grimes, data-driven defence evangelist at KnowBe4, said in a statement.

According to Chris Clements, vice president of solutions architecture at Cerberus Sentinel, organisations must recognise that MFA is not a "silver bullet" and that not all factors are created equal.

While there has been a transition from SMS-based authentication to an app-based approach to reduce the dangers associated with SIM swapping attacks, the attacks against Uber and Cisco show that security controls once thought to be infallible are being circumvented by other means.

The fact that threat actors are relying on attack paths such as adversary-in-the-middle (AiTM) proxy toolkits and MFA fatigue (aka prompt bombing) to trick an unsuspecting employee into inadvertently handing over MFA codes or authorising an access request underscores the importance of employing phishing-resistant methods.

"To prevent similar attacks, organizations should move to more secure versions of MFA approval such as number matching that minimize the risk of a user blindly approving an authentication verification prompt," Clements said.

"The reality is that if an attacker only needs to compromise a single user to cause significant damage, sooner or later you are going to have significant damage," Clements added, underscoring strong authentication mechanisms "should be one of many in-depth defensive controls to prevent compromise."
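As an added example (not Uber's, KnowBe4's or Cerberus Sentinel's code), the following Python sketches the detection side of the prompt-bombing pattern described above: it replays constructed authentication log lines in an assumed "timestamp user event src_ip" format and raises an alert when one account receives a burst of push prompts within a short window, escalating to critical when a prompt is finally approved during the burst. The log format, event names and thresholds are assumptions; number matching, as recommended above, would remove the blind-approval outcome this logic is looking for.

```python
"""Detect MFA push-fatigue (prompt bombing) bursts in authentication logs.

Constructed example; not code from Uber or any MFA vendor. The line format
"timestamp user event src_ip" and the event names are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one account receives repeated pushes, denies them,
# and finally approves one (the outcome described in the Uber incident).
SAMPLE_LOG = """\
2022-09-15T22:01:03Z contractor1 push_sent 203.0.113.7
2022-09-15T22:01:05Z contractor1 push_denied 203.0.113.7
2022-09-15T22:01:31Z contractor1 push_sent 203.0.113.7
2022-09-15T22:01:33Z contractor1 push_denied 203.0.113.7
2022-09-15T22:02:02Z contractor1 push_sent 203.0.113.7
2022-09-15T22:02:04Z contractor1 push_denied 203.0.113.7
2022-09-15T22:02:40Z contractor1 push_sent 203.0.113.7
2022-09-15T22:02:44Z contractor1 push_denied 203.0.113.7
2022-09-15T22:03:10Z contractor1 push_sent 203.0.113.7
2022-09-15T22:03:15Z contractor1 push_approved 203.0.113.7
2022-09-15T22:03:20Z alice push_sent 198.51.100.4
2022-09-15T22:03:25Z alice push_approved 198.51.100.4
"""

WINDOW = timedelta(minutes=10)  # look-back window per account (assumed)
PROMPT_THRESHOLD = 4            # pushes within WINDOW that count as a burst


def parse_line(line):
    """Split one log line into (timestamp, user, event, source IP)."""
    ts, user, event, src_ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, src_ip


def _trim(q, now, window):
    """Drop push timestamps that fell out of the look-back window."""
    while q and now - q[0] > window:
        q.popleft()


def detect_fatigue(log_text, window=WINDOW, threshold=PROMPT_THRESHOLD):
    """Return one alert dict per account whose push prompts reach `threshold`
    within `window`. Severity is "high" for the burst itself and "critical"
    if the user approved a prompt while the burst was still active."""
    recent = defaultdict(deque)   # user -> timestamps of push_sent in window
    denied = defaultdict(int)     # user -> denied prompts seen so far
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event, src_ip = parse_line(raw)
        q = recent[user]
        if event == "push_denied":
            denied[user] += 1
        elif event == "push_sent":
            q.append(ts)
            _trim(q, ts, window)
            if len(q) >= threshold:
                a = alerts.setdefault(user, {
                    "user": user, "prompts": 0, "denied": 0, "severity": "high",
                    "src_ips": set(), "first": q[0], "last": ts})
                a["prompts"] = max(a["prompts"], len(q))
                a["denied"] = denied[user]
                a["last"] = ts
                a["src_ips"].add(src_ip)
        elif event == "push_approved" and user in alerts:
            _trim(q, ts, window)
            if len(q) >= threshold:   # approval landed inside the burst
                alerts[user]["severity"] = "critical"
                alerts[user]["denied"] = denied[user]
                alerts[user]["approved_at"] = ts
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_fatigue(SAMPLE_LOG):
        print(alert)
```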

Hacker Leaks Confidential Data of Rockstar Games Including GTA 6 Footage

 

Rockstar Games, an American video game publisher, revealed on Monday a network breach that resulted in the leak of videos from its highly anticipated next title, Grand Theft Auto (GTA) 6.

“We recently suffered a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from our systems, including early development footage for the next Grand Theft Auto. At this time, we do not anticipate any disruption to our live game services nor any long-term effect on the development of our ongoing projects,” the company stated. 

At the time of writing, a hacker has published nearly 90 video clips depicting GTA 6 gameplay, apparently recorded during the early phases of development. The threat actor also claimed to have stolen GTA 5 and GTA 6 source code and other information and offered to sell some of it. He also asked Rockstar Games to make him an offer to prevent the rest of the information from being published online.

Meanwhile, the targeted firm is working with security experts and law enforcement agencies to remove the leaked videos posted on multiple websites. 

“We are extremely disappointed to have any details of our next game shared with you all in this way. Our work on the next Grand Theft Auto game will continue as planned and we remain as committed as ever to delivering an experience to you, our players, that truly exceeds your expectations. We will update everyone again soon and, of course, will properly introduce you to this next game when it is ready,” Rockstar added. 

The alleged hacker behind the data leak claimed to be the same person who launched a sophisticated attack on Uber last week. The malicious actor attached images, videos, and source code as proof and linked to the New York Times coverage of the Uber data breach while describing it as his “previous work.”

In the case of Uber, the hacker published screenshots apparently showing that he had gained access to cloud services, financial tools, cybersecurity products, and a HackerOne account. He also claimed to be 18 years old and to have used social engineering to break into Uber's systems.

However, the ridesharing firm claimed on Friday that it had found no evidence of sensitive user data getting leaked, and said all its services, including Uber, Eats, Freight, and the Uber Driver app were operational.

Bjorka Hunt: Indonesian Parliament Passes Personal Data Protection Bill


After a series of data leaks involving 1.3 billion registered phone numbers, 105 million voters, and confidential official records of the President's correspondence, Indonesia's newly established data protection task force is hunting a hacker dubbed 'Bjorka'.
 
Bjorka claims to be based in Warsaw, Poland, and has been stealing and selling data that includes information belonging to state-owned enterprises, mobile phone operators, and the general election commission. The stolen data has been offered for sale on BreachForums over the past few weeks. The hacker has also leaked confidential logs of incoming and outgoing documents between Indonesia's President Joko Widodo and the State Intelligence Agency.
 
The hacker has been tweeting about the leaks for the past few weeks, boldly making statements such as “stop being an idiot” directed at the government, the day after a senior informatics applications official appealed to Bjorka at a press conference on September 5th to stop leaking the country’s personal data. In another tweet, Bjorka remarked on how easy it is “to get into various data protection policy [...] primarily if it is managed by the government.”
 
In the wake of the incident, at least three of Bjorka’s Twitter accounts have been suspended by the government. 
 
The hunt for Bjorka initiated by the data protection task force has led to the arrest of a man in Madiun, East Java, who is believed to be Bjorka. The 21-year-old, known by the initials MAH, is being questioned by the task force, though he has not yet been formally charged with any criminal offence. The real identity of Bjorka remains unknown, as there is no credible information regarding his whereabouts.
 
Mr. Ruby, chief executive of Jakarta-based Digital Forensic Indonesia, stated that instead of focusing only on the latest data breach, the task force should also investigate similar leaks and related cases going back to 2019. This would allow lessons from past cases to help prevent similar incidents in the future.
 
“It’s better for the task force to improve data management. Relevant institutions just denied data leaks in the past few years and did not enhance their data protection and therefore, there have been recurring data leaks,” states Mr. Alfons Tanujaya, IT security specialist at Vaksincom. 

In response to the recent surge in data breaches, and this case in particular, the Indonesian Parliament passed the Personal Data Protection Bill on Tuesday. Communications minister Johnny G Plate stated that the bill “marks a new era in the management of personal data in Indonesia, especially on the digital front.” The bill provides for corporate fines and up to six years' imprisonment for those found to have mishandled data by breaching the rules on collecting or distributing personal data.

Uber Claims No Private Details Accessed in Latest Network Breach

 

The hacker who claims to have hacked Uber might not have landed a stinging punch. The ridesharing firm has provided an update regarding the security breach by confirming there's "no evidence" to suggest that intruders accessed sensitive user data, such as trip histories. 

All of the company's services, including Uber, Eats, Freight, and the Uber Driver app, are functioning correctly, and Uber has also restored the internal software it took down after discovering the network breach.

“We have no evidence that the incident involved access to sensitive user data (like trip history),” the company stated. “Internal software tools that we took down as a precaution yesterday are coming back online this morning.” 

Uber contacted law enforcement and started an internal investigation into the incident, a company spokesman confirmed. However, the company did not say more about the reported perpetrator or the nature of the incident; several security experts believe it is downplaying the incident and has no clear idea of the depth of the breach.

Intrusion details 

The breach allegedly involved a lone hacker, who claimed to be an 18-year-old male and who used social engineering to trick an Uber employee into revealing login credentials by posing as a coworker.

Upon securing an initial foothold, the hacker discovered an internal network share containing PowerShell scripts with privileged admin credentials, allowing carte blanche access to other critical systems, including AWS, Google Cloud Platform, OneLogin, SentinelOne incident response portal, and Slack. 

Singapore-based Group-IB's follow-up analysis of the artifacts captured by the hacker indicates complete access to Uber's cloud-based infrastructure, which holds private consumer and financial data. The hacker blamed Uber’s weak security for his success in reaching its databases. He also contacted the New York Times, claiming that he hacked Uber for fun and that he has its source code in his possession, which he might post online.

Firm’s history of downplaying the data breach 

Network breaches have been an issue for Uber in the past. In 2018, it agreed to a $148 million settlement over a 2016 data breach that the company had failed to disclose. Hackers were able to siphon data on 57 million drivers and riders, including private details such as names, email addresses, and driver's license numbers.

The breach remained hidden for more than a year until, in November 2017, multiple reports surfaced that Uber had suffered a massive security breach and had paid the hackers $100,000 to delete the information and sign a nondisclosure agreement.