Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Theft. Show all posts
malware
Credential Darknet Data Theft Kaspersky malware

Rise In Cybercrime: Dark Web Fueling Credential Attacks

 


In an unsettling situation, cybercriminals are increasingly turning to credential theft as a lucrative business, aided by the rise of infostealer malware attacks. Over the past three years, these threat actors have capitalised on the opportunity, compromising millions of personal and corporate devices globally.

The Rise of Infostealer Malware

According to cybersecurity experts at Kaspersky, infostealer malware attacks have surged sevenfold in recent years, with over 10 million devices compromised in 2022 alone. These sophisticated attacks enable hackers to silently collect login credentials and sensitive data from devices, posing a significant cybersecurity threat.

The Lucrative Market for Stolen Credentials

The value of corporate credentials in the cybercrime market has soared, leading to a 643% increase in data theft attacks. Cybercriminals act as initial access brokers, stealing corporate credentials and selling them on dark web forums for substantial profits. Kaspersky researchers highlight various sales models, with prices starting at $10 per log file.

Emerging Dark Web Hubs

Darknet markets have become key enablers of cybercrime, facilitating the sale of stolen credentials and victim profiles to cybercriminal groups. Following the takedown of Genesis Market, new hubs like Kraken Market and DNM Aggregator have emerged, offering seamless payment options via crypto processors.

Regional Impact

Regions like the Asia-Pacific and Latin America have been particularly affected by credential stealing attacks, with millions of credentials stolen from countries like Brazil, India, Colombia, and Vietnam. In Australia, compromised credentials accounted for the majority of cybersecurity incidents, with compromised or stolen credentials implicated in 56% of all incidents.

The Role of Initial Access Brokers

The number of initial access brokers (IABs) operating worldwide has risen significantly, with the APAC region experiencing a particularly sharp increase. These brokers play a critical role in fueling cybercrime operations, selling access to corporate networks and facilitating activities like ransomware attacks.

Despite the perception of cyberattacks as complex operations, the reality is that many exploit the simplicity of credential vulnerabilities. According to the Cybersecurity and Infrastructure Security Agency (CISA), over half of government and critical infrastructure attacks leverage valid credentials, with stolen credentials implicated in 86% of breaches involving web-based platforms. Credential stuffing, a technique where attackers use stolen usernames and passwords on various websites, has become increasingly popular due to individuals' tendency to reuse login information for convenience. 

With cybercriminals exploiting vulnerabilities in corporate and personal networks, organisations and individuals must remain a step ahead to protect against this pervasive threat.




Read more »
Singapore
Cyber Crime Cyber Safety CyberCriminal data security Data Stolen Data Theft Database Breach Hacker attack KYC Singapore

Cybercriminals Threaten Release of Stolen World-Check Database, Exposing Millions to Financial Risk

 

A financially motivated criminal hacking group, self-identified as GhostR, has claimed responsibility for the theft of a confidential database containing millions of records from the renowned World-Check screening database. The stolen data, totaling 5.3 million records, includes sensitive information used by companies for screening potential customers and assessing their links to sanctions and financial crime.
 
World-Check, a vital tool for conducting "know your customer" (KYC) checks, enables companies to identify high-risk individuals with potential ties to money laundering, government sanctions, or other illicit activities. The hackers disclosed that they obtained the data from a Singapore-based firm with access to the World-Check database, though the specific company remains unnamed. 

A portion of the stolen data encompasses individuals sanctioned as recently as this year. The compromised records include details of current and former government officials, diplomats, politically exposed persons (PEPs), individuals associated with organized crime, suspected terrorists, intelligence operatives, and even a European spyware vendor. These individuals are deemed high-risk for involvement in corruption, bribery, or other illicit activities. 

The stolen data comprises a wealth of sensitive information, including names, passport numbers, Social Security numbers, online cryptocurrency account identifiers, bank account numbers, and more. Such a breach poses significant risks, as it could potentially expose innocent individuals to unwarranted scrutiny and financial harm. 

Simon Henrick, a spokesperson for the London Stock Exchange Group (LSEG), which oversees World-Check, clarified that the breach did not originate from LSEG's systems but involved a third party's data set. While LSEG did not disclose the identity of the third-party company, they emphasized their commitment to collaborating with the affected party to safeguard data integrity and notify relevant authorities. 

Privately operated databases like World-Check are not immune to errors, raising concerns about the accuracy and fairness of their content. Past incidents, such as the 2016 leak of an older World-Check database, underscore the potential repercussions of erroneous data, including wrongful accusations and financial repercussions for innocent individuals. 

The breach highlights the critical need for enhanced cybersecurity measures and regulatory oversight to protect sensitive personal information and mitigate the risks associated with data breaches. As investigations into the incident continue, stakeholders must prioritize transparency, accountability, and proactive measures to prevent future breaches and safeguard consumer data privacy.
Read more »
Privnote
Cryptocurrency Breach Data Breach Data Theft malicious phishing Privnote

Privnote Secure Messaging App Is Under Phishing Threat

 

Privnote.com, launched in 2008, revolutionized secure messaging with its encryption technology. It allows users to send messages with a unique link, ensuring privacy as the content self-destructs after reading. However, its popularity among cryptocurrency enthusiasts also drew the attention of malicious actors who engaged in phishing activities. 

Phishers exploit Privnote's model by creating clones, such as privnote[.]co, that mimic its functionality. These clones surreptitiously replace cryptocurrency addresses when users create notes containing crypto wallets. Thus, unsuspecting users fall victim to sending funds to the phisher's address instead of the intended recipient. 

GitHub user, fory66399, lodged a complaint last month against MetaMask, a cryptocurrency wallet, alleging wrongful flagging of privnote[.]co as malicious. Threatening legal action, fory66399 demanded evidence and compensation. However, MetaMask's lead product manager, Taylor Monahan, swiftly debunked these claims by providing screenshots showing the fraudulent activities of privnote[.]co. 

According to DomainTools.com, the domain privatenote[.]io has changed hands between two individuals: Andrey Sokol from Moscow and Alexandr Ermakov from Kiev, over two years. While these names may not be the real identities of the scammers, they provide clues to other sites targeting Privnote since 2020. 

Furthermore, Alexandr Ermakov is linked to several other domains, including pirvnota[.]com, privatemessage[.]net, privatenote[.]io, and tornote[.]io, as per DomainTools. This suggests a potential network of fraudulent activities associated with Privnote, emphasizing the need for caution in identifying phishing attempts. 

Let’s Understand Suspicious Activities on Privnote: 

Domain Registrations: The domain pirvnota[.]com saw a change in registration details from Andrey Sokol to "BPW" and "Tambov district" as the registrant's state/province. This led to the discovery of pirwnote[.]com, along with other suspicious domains like privnode[.]com, privnate[.]com, and prevnóte[.]com, all linking to the same internet address. Interestingly, pirwnote[.]com is now selling security cameras from a Hong Kong-based internet address. 

Deceptive Legitimacy: Tornote[.]io appears to have undergone efforts to establish credibility. A Medium account has published numerous blog posts endorsing Tornote as a secure messaging service. However, testing reveals its malicious intent, as it also alters cryptocurrency addresses in messages. 

Search Engine Manipulation: Phishing sites manipulate search engine results to appear prominently for terms like "privnote." Currently, a Google search for "privnote" lists tornote[.]io as the fifth result. These sites rotate cryptocurrency addresses every five days to evade detection. 

According to the Privnote website, it is a web-based service focused on privacy, allowing users to create encrypted notes shared via unique one-time-use HTTPS links. Notes and their contents are processed securely in users' browsers, with no readable data stored on Privnote's servers. 

IP addresses are processed solely for communication and promptly deleted thereafter. Personal data within notes remains encrypted and inaccessible to Privnote. The service uses cookies for functional and non-functional purposes, respecting user privacy preferences. Privnote does not target children under 16 and commits to regularly updating its Privacy Policy.
Read more »
Waterfall Security
Data Breach Data Theft IoT IT OT Ransomware Waterfall Security

Rise of Hacktivist Groups Targeting OT Systems

Recent research from Waterfall Security Solutions has revealed important insights into the changing nature of cyberattacks on Operational Technology (OT) organizations. One key finding is the rise of hacktivist groups as major players in targeting OT systems. 

Additionally, the study emphasizes that most disruptions in OT environments do not occur directly through manipulation of OT systems but rather as a result of IT-based attacks, particularly ransomware incidents. In simpler terms, hackers are increasingly using ransomware to disrupt OT operations, and these disruptions are causing significant problems for OT organizations. 

Let’s Understand Operational Technology 

Operational Technology (OT) involves using both hardware and software to control industrial equipment, focusing on how it interacts with the physical world. This includes systems like programmable logic controllers (PLCs), distributed control systems (DCSs), and supervisory control and data acquisition (SCADA) systems. 

OT environments are responsible for overseeing and managing real-world processes in industries like manufacturing, energy, healthcare, building management, and environmental systems. 

Differences Between OT, IT, and IOT 

The blending of Operational Technology (OT) and Information Technology (IT) is changing industries in the era of the Internet of Things (IoT). OT deals with managing physical equipment, while IT deals with data systems. IoT connects ordinary objects to the internet, allowing smooth communication and automation. This merging presents fresh chances for making processes more efficient and fostering innovation in various fields. 

Following the report, it highlights a worrying trend a nearly 20% rise in cyberattacks causing physical consequences. 

As per report, last year, cyber incidents inflicted hefty financial blows on companies like Johnson Controls and Clorox, racking up costs of approximately $27 million and $49 million, respectively. In Massachusetts, MKS Instruments faced a staggering $200 million loss due to a cyberattack that halted its operations temporarily. Moreover, its supplier, Applied Materials Inc. based in California, reported an additional loss of $250 million stemming from the same incident. 

Further it reveals that only about 25% of cyberattacks cause problems for operational technology (OT) but instead compromise other parts of the network infrastructure directly. Various attacks happen by compromising machines in the IT network. 

Andrew Ginter, from Waterfall, explains that companies often shut down their OT systems as a precaution when there is a risk of nearby compromised processes. For example, Hahn Group GmbH turned off its systems after an attack last March, leading to weeks of recovery work. Similarly, UK Royal Mail had printers hijacked to print ransom notes, resulting in nationwide mail export suspensions and £42 million in losses. 

Furthermore, Ginter points out if there is a problem with the IT network, it can affect the OT network and vice versa, potentially leading to disruptions in physical operations that rely on these networks.
Read more »
secure public Wi-Fi
Cyber Crime Data Theft Financial crime Online Scam secure public Wi-Fi

Public WiFi Convenience Leads to Cyber Threats, Read to Know Everything

 

Cybersecurity experts are issuing a stern warning to Scots regarding the potential dangers lurking within public WiFi networks. While the convenience of accessing the internet on the go, such as during train commutes, may seem appealing, experts emphasize the significant cybersecurity risks that accompany such practices. 

One of the primary concerns raised by cybersecurity professionals is the phenomenon known as "session hijacking." In this scenario, cybercriminals exploit vulnerabilities present in public WiFi networks to gain unauthorized access to users' devices while they are browsing online. 

Let’s Understand ‘Session Hijacking’ in Simple Words 

Session hijacking, a prevalent cybersecurity attack, occurs when an attacker gains control of an individual's internet session while they are engaged in activities such as checking their credit card balance, paying bills, or shopping online. 

Typically, session hijackers target browser or web application sessions to perpetrate their attacks. Once a session hijacking attack is successful, the attacker gains the ability to perform any action that the victim could undertake on the targeted website. Essentially, the hijacker deceives the website into believing that they are legitimate users, thereby granting them unauthorized access and control over the victim's session.  And it can lead to various cyber-crimes and financial scams. 

Do You Know What Risks Lurking in Public WiFi Networks? 

Vincent van Dijk MSc a cybersecurity expert, warns individuals about the lurking dangers within public WiFi networks, highlighting three prevalent cyber threats: 

1. Man-in-the-Middle attacks 
2.  Evil Twin attacks 
3. Malware Present in Networks 

In a Man-in-the-Middle attack, hackers infiltrate the public network, intercepting data as it travels from a connected device to the WiFi router. Vincent explains the severity of this threat, stating, "If you are engaged in online banking during such an attack, hackers can easily access your passwords and account information. Your credit card numbers, email addresses, and other personal details become vulnerable to theft." 

Evil Twin attacks present another insidious threat. When users search for a public WiFi hotspot, they may encounter a fraudulent network pretending as a legitimate one. These malicious networks often bear names strikingly similar to authentic ones, such as 'Free University Wi-Fi2' or 'Station Wi-Fi04.' Therefore, connecting to these clones exposes users to scammers, compromising their private data and leaving them susceptible to exploitation. 

Further, Vincent explains that when hackers successfully infect a network with malware, they gain the ability to distribute harmful software bugs to any device connected to it. As a cautionary measure, he advises users to exercise caution if they encounter unexpected pop-up notifications while connected to such networks. Clicking on these pop-ups could inadvertently lead to exposure to infected links, putting users' devices and sensitive information at risk. 

Following the concerns related to public WiFi, experts suggested public to use Virtual Private Networks (VPNs) and verify network authenticity while using Public Wifi. By doing so users can mitigate the risks associated with public WiFi usage, safeguarding their sensitive information from cybercriminals.
Read more »
Data Theft
APT Cyberattacks CyberCrime Cybersecurity Data Breach Data Heist Data Theft

The Great Data Heist: China's Alleged Theft of Voter Data and Its Potential Impact

 


Chinese-backed hackers allegedly targeted U.S. officials, journalists, corporations, pro-democracy activists and the United Kingdom's electoral watchdog in a comprehensive, state-backed attack on March 25, authorities announced in an announcement on March 25. The attack was aimed at targeting officials, journalists, corporations, pro-democracy activists, and the British election watchdog. 

In 2010, China launched Operation Troll to harass critics of the government, steal trade secrets from American corporations, as well as spy on and trace high-level political figures, an operation that began in 2010. Officials say the campaign began in 2010. During the last election, Western officials sounded a fresh alarm about a country long regarded as having advanced espionage capabilities when they revealed the operation, which was carried out by a hacking group called APT31. 

According to the U.S. Justice Department, seven hackers are being charged with crimes in China, and they are believed to be living there. An official announcement by the British government concerning the breach that may have provided China with access to information on tens of millions of U.K. voters held by the Electoral Commission was that a front company and two defendants had been imposed sanctions by the British government. 

U.K. Deputy Prime Minister Oliver Dowden said that hackers working for the Chinese government were responsible for the 2021 data breach at the Electoral Commission in his speech to lawmakers in Parliament on Monday. It was the first time since the cyberattack was reported in 2023 that the United Kingdom has attributed it to the Chinese government and has said it is not going to hesitate to take swift and robust actions whenever the Chinese government threatens its interest.

In his speech, Dowden said the U.K. government would not hesitate to take quick and robust action whenever the Chinese government threatened its interests. In the United Kingdom, the Electoral Commission, which keeps copies of the register of citizens eligible for voting, reported in July that hackers had taken an estimated 40 million U.K. citizens' names and addresses. There are approximately 5 million registered voters across the U.S. including all people who voted in the last 4 years.

Between 2014 and 2022, over 30 million people were affected by the data breach, but they weren't recognized until after a year had passed. As the deputy prime minister of the United Kingdom mentioned in Parliament in Downden's speech, the attack likely occurred as part of a wider threat perpetrated by government-backed groups. 

The government of New Zealand, as well as the governments of other Western countries, have also voiced their concerns. Several high-profile phishing attacks targeting German politicians that were linked to Russian-backed groups have recently been reported in the media. APT31, a Chinese-based cyberattack group, has been sanctioned in the UK as part of the government's response to the attack by responding to the involvement of two individuals, Zhao Guangzong and Ni Gaobin, and one company, Wuhan Xiaoruizhi Science and Technology Company Ltd. 

Those companies are no longer authorised to handle these funds or assets, and the individuals are not allowed to enter the country. " There is no doubt that APT31 has an impeccable track record of targeting politicians both in the US and Europe. They have targeted various political campaigns, parliamentarians, and other targets to gain insight into the landscape," said John Hultquist, Chief Analyst of Mandiant Intelligence - Google Cloud. APT31 has been identified as a threat targeting British lawmakers during a separate campaign in 2021, the National Cyber Security Centre said, even though no parliamentary accounts were compromised, a reconnaissance activity was conducted against the lawmakers during that campaign. 

The British Foreign Secretary, David Cameron, made a formal request for the Chinese ambassador to be summoned, and he said in a separate statement that he raised the matter directly with the Chinese Foreign Minister, Wang Yi. It is clear from the episode that for the UK, this represents an increasing level of tension that has been growing since Hong Kong passed security legislation that the UK says undermines freedom in Hong Kong. Moreover, this violated the handover agreement signed by the two countries when Beijing took over the governance of the territory in 1997.z
Read more »
User Safety
Data Breach Data Theft Footwear Firm User Privacy User Safety

Vans Warns Consumers of Fraudsters Following ALPHV Data Breach

 

Vans customers have been alerted to the possibility of fraud or identity theft as a result of an ALPHV data breach at the parent firm. 

Vans claims that in December 2023, VF Group discovered "unauthorised activities" on a section of its IT systems. It also claimed that no passwords or detailed financial data were stolen.

However, it also stated that "it cannot be excluded" and that attackers may try to make use of the customer data they had taken hold of. The North Face, Dickies, Timberland, and other brands are owned by VF Group.

In an email to its customers, Vans stated that the data breach was discovered by VF Group on December 13 and was "apparently carried out by external threat actors."

The firm says it "immediately took steps" to address the threat, which included shutting down affected IT systems and hiring cybersecurity experts. By 15 December, it says, the hackers were ejected. 

"Our investigation revealed that the incident has affected some personal information of our customers that we normally store and process in order to manage online purchases, such as email address, full name, phone number, billing address, and shipping address," the email reads. 

However, it stated that the company did not "collect or retain" payment or financial data, such as bank account or credit card information, therefore there was "no chance that any detailed financial information was exposed to the threat actors." 

It said that no customers had been affected as of yet, but warned that the issue "may result in attempts at identity theft, phishing, and possibly fraud in general." 

It has warned users to be wary of unfamiliar emails, texts, and phone calls seeking personal information. Vans says it has informed the relevant law enforcement agencies and will evaluate its cybersecurity protocols.
Read more »
Proofprint
Black Basta Ransomware Cyber Attacks CyberCrime Data Theft Email Phishing Email scam email security Hacekrs NTLM Proofprint

New Email Scam Targets NTLM Hashes in Covert Data Theft Operation

 


TA577 has been identified as a notorious threat actor who orchestrated a sophisticated phishing campaign, according to researchers at security firm Proofpoint. Currently, the group is utilizing a new method of phishing involving ZIP archive attachments. This tactic is geared towards pilfering the hash data of NT LAN Manager (NTLM) users.

According to our investigation, this group is utilizing a chain of attacks aimed at stealing authentication information from the NT LAN Manager (NTLM) system. It would be possible to exploit this method for obtaining sensitive data and facilitating further malicious activity if this method were to be exploited. 

By using booby-trapped email attachments containing booby-trapped NTLM hashes to steal employees' NTLM hashes, a threat actor that is known for establishing initial access to organizations' computer systems and networks is using these attachments to steal employees’ hashes. Earlier this week, enterprise security firm Proofpoint published a report that suggested that the new attack chain "is capable of gathering sensitive information and facilitating follow-on activities." 

As reported by the company, at least two phishing campaigns have utilized this approach since February 26, 2024, when thousands of messages were distributed worldwide and hundreds of organizations were targeted. As an initial access broker (IAB), TA577 has previously been associated with Qbot and has been linked to Black Basta ransomware infections. 

The phishing waves spread thousands of messages around the world and targeted hundreds of organizations. The email security company Proofpoint reported today that although it has seen TA577 favouring Pikabot deployment in recent months, two recent attacks indicate that TA577 has taken a different approach to the attack. 

A group called TA578, which has been linked with the Qbot malware campaign and the Black Basta ransomware campaign, is one of the first access brokers. Recently, it has demonstrated an increasing interest in exploiting authentication protocols despite its previous inclination toward deploying Pikabot malware. 

NTLM hashes are a cornerstone of the security of Windows systems for authentication and session management. Attackers are extremely interested in these hashes as they are potentially useful in offline password cracking and in pass-the-hash attacks, which do not require actual passwords to gain access to services but instead use hashes as shortcuts. 

A technique known as thread hijacking, by which the attackers craft phishing emails that seem like legitimate follow-up emails to ongoing conversations, is used by the attackers. There is a malicious external server that is used to capture NTLM hashes, as these emails contain personalized ZIP files with HTML documents. When opened, these malicious servers start connecting to a malicious external server that has been set up specifically to capture these hashes. 

TA577 likely has the resources, time, and experience to iterate and test new delivery methods at the rate at which it adopts and distributes new tactics, techniques, and procedures (TTPs). TA577, along with other IABs, seems to be on top of the threat landscape and understands when and why certain attack chains cease to be effective. 

To increase the effectiveness and likelihood of victim engagement with their payload delivery and bypass detections, they will be able to create new methods to bypass detections and make use of them as quickly as possible. Researchers at Proofpoint have also noticed an increase in the use of file scheme URIs to direct recipients to external file shares such as SMB and WebDAV for the delivery of malware. To prevent exploits identified in this campaign, organizations should block outbound SMBs to prevent these sophisticated attacks. 

While restricting guest access to SMB servers is a simple security measure, it falls short of preventing these sophisticated attacks. The company advises that strict email filtering be implemented, outbound SMB connections should not be allowed, and Windows group policies should be activated to minimize the risk. 

To combat these types of NTLM-based threats effectively, Microsoft has introduced advanced security features into Windows 11 to help users. It is important to maintain constant vigilance and take strong security measures to prevent phishing attacks targeting the NTLM authentication protocol. For organizations to remain safe from sophisticated cybercriminal endeavours, they must stay abreast of emerging threats and adjust their defences to keep up with the rapidly evolving threats.
Read more »
system spread
AI Worms Cyber Security Data Safety Data Theft Private Data Researchers Security system spread

Researchers Develop AI "Worms" Capable of Inter-System Spread, Enabling Data Theft Along the Way

 

A team of researchers has developed a self-replicating computer worm designed to target AI-powered applications like Gemini Pro, ChatGPT 4.0, and LLaVA. The aim of this project was to showcase the vulnerabilities in AI-enabled systems, particularly how interconnections between generative-AI platforms can facilitate the spread of malware.

The researchers, consisting of Stav Cohen from the Israel Institute of Technology, Ben Nassi from Cornell Tech, and Ron Bitton from Intuit, dubbed their creation 'Morris II', drawing inspiration from the infamous 1988 internet worm.

Their worm was designed with three main objectives. Firstly, it was engineered to replicate itself using adversarial self-replicating prompts, which exploit the AI applications' tendency to output the original prompt, thereby perpetuating the worm. 

Secondly, it aimed to carry out various malicious activities, ranging from data theft to the creation of inflammatory emails for propagandistic purposes. Lastly, it needed the capability to traverse hosts and AI applications to proliferate within the AI ecosystem.

The worm utilizes two primary methods for propagation. The first method targets AI-assisted email applications employing retrieval-augmented generation (RAG), where a poisoned email triggers the generation of a reply containing the worm, subsequently spreading it to other hosts. The second method involves inputs to generative-AI models, prompting them to create outputs that further disseminate the worm to new hosts.

During testing, the worm successfully pilfered sensitive information such as social security numbers and credit card details.

To raise awareness about the potential risks posed by such worms, the researchers shared their findings with Google and OpenAI. While Google declined to comment, an OpenAI spokesperson acknowledged the potential exploitability of prompt-injection vulnerabilities resulting from unchecked or unfiltered user inputs.

Instances like these underscore the imperative for increased research, testing, and regulation in the deployment of generative-AI applications.
Read more »
Software Protection
API API Integration Secure cyber attack Data Theft Hackers Software Protection

5 Simple Steps to Bulletproof Your API Integrations and Keep Hackers at Bay


In today's tech-driven world, APIs (Application Programming Interfaces) are like the connective tissue that allows different software to talk to each other, making our digital experiences seamless. But because they are so crucial, they are also prime targets for hackers. 

They could break in to steal our sensitive data, mess with our systems, or even shut down services. That is why it is super important for companies to beef up their API security, protecting our info and keeping everything running smoothly and this is where API Integration Secure name comes up. 

Let’s Understand What is API Integration Secure and Why Is It Important 

API integrations are made secure through a combination of measures designed to protect the data and systems involved. This includes using encryption to safeguard information as it travels between systems, implementing authentication and authorization protocols to ensure that only authorized users and applications can access the API, and regularly monitoring for any suspicious activity or attempted breaches. 

Additionally, following best practices in API design and development, such as limiting the data exposed through the API and regularly updating and patching any security vulnerabilities, helps to further enhance security. Overall, a multi-layered approach that addresses both technical and procedural aspects is key to ensuring the security of API integrations. 

Here Are Five Ways to Keep API Integrations Secure: 


Use an API Gateway: Think of it as the guardian of your APIs. It keeps an eye on who is trying to access your data and blocks anyone suspicious. Plus, it logs all the requests, so you can check who has been knocking on your digital door. 

Set Scopes for Access: Just because someone was allowed in does not mean they can see everything. Scopes make sure they only get access to the stuff they really need, like a limited view of a database. It is like giving someone a key to one room instead of the whole house. 

Keep Software Updated: You know those annoying software updates that pop up? They are actually super important for security. They fix any holes that hackers might try to sneak through. So, always hit that update button. 

Enforce Rate Limits: Imagine a crowded street during rush hour. Rate limits make sure not too many cars (or requests) clog up the road at once. It helps prevent crashes and slowdowns, making sure everyone can get where they need to go smoothly. 

Monitor Logs with SIEM: It is like having a security guard watching CCTV cameras for any suspicious activity. SIEM collects all the logs from API calls and flags anything fishy. So, if someone is trying to break in, you will know right away and stop them in their tracks.
Read more »
Data Theft
Africa under cyber threats AI threats cyber attack Cyber Threats in Africa Data Theft

Africa's Cyber Threats Rise With AI Development

 

In 2023, a majority of African economies witnessed a decline in overall cyber threats, signaling a positive trend. However, notable exceptions were observed, with Kenya experiencing a substantial 68% increase in ransomware attacks, while South Africa encountered a notable 29% surge in phishing incidents targeting sensitive data. 

This evolving landscape underscores a significant paradigm shift. Cyber adversaries are increasingly setting their sights on critical infrastructure across Africa, accompanied by a discernible inclination towards integrating artificial intelligence (AI) into their modus operandi. Insights derived from Kaspersky's telemetry data reveal a growing reliance on AI, particularly large language models (LLMs), to orchestrate more sophisticated social engineering tactics. 

Following Are the Reasons Behind the Cyber-Threats

AI's Growing Influence: 

Kaspersky's Yamout highlights the surge in attacks in Africa, fueled by AI technologies like LLMs, making cybercrime more accessible. These advancements have led to the creation of convincing phishing emails, synthetic identities, and deepfakes, exacerbating existing AI inequalities. 

Hacking Critical Infrastructure: 

Kaspersky notes a significant attack on operational technology, with 38% of OT computers facing threats in 2023. Cybercriminals and nation-state groups, alongside rising tensions, contribute to this threat landscape, including the emergence of hacktivism driven by socio-cultural and economic motives. 

Mobile Internet, Mobile Threats: With mobile devices being the primary means of internet access in Africa, Dark Reading observes a 10% rise in mobile threats in 2023, including ransomware and SMS phishing attacks. The shift to remote work globally further amplifies mobile threats, presenting challenges in safeguarding personal and corporate data. 

Furthermore, according to Interpol's African Cyberthreat Assessment 2023 report, Africa has historically been a hotspot for social engineering threats, particularly noting the prevalence of BEC (business email compromise) actors like the SilverTerrier group. This underscores the persistent challenges posed by cybercriminals operating within the region. 

Kaspersky's report echoes these concerns, noting a growing trend of citizens in Africa and the META region being targeted by cybercriminals. This alarming development emphasizes the urgent need for enhanced cybersecurity measures to safeguard individuals and businesses against evolving threats. 

Further, analysis from a 2023 Positive Technologies report reveals that BEC attacks remain the primary cyber threat to organizations and individuals in the region. The financial, telecom, government, and retail sectors are particularly vulnerable, collectively accounting for over half of all reported attacks. 

The Positive Technologies report also highlights key findings regarding the nature of cyber attacks in Africa. Notably, 80% of attacks on African organizations involve malware, indicating the widespread use of malicious software to compromise systems and networks. 

Additionally, a staggering 91% of attacks targeting African citizens incorporate a social engineering component, illustrating the effectiveness of deceptive tactics in exploiting unsuspecting individuals. 

What can be done to measure the surge of cyber-attacks? 

Various studies advocate for patching software, managing credentials, and securing endpoints to combat ransomware groups exploiting vulnerabilities. Unpatched software, vulnerable web services, and weak remote access services are cited as common entry points for attackers in Africa.
Read more »
Threats from Technology
cyber attack Cyber Attacks Data Theft IOT Threats Optum Ransomware Threats from Technology

BlackCat Ransomware Hit Healthcare Giant Optum, Stolen 6TB Sensitive Data

 
In a shocking development, the notorious BlackCat/ALPHV ransomware gang has stepped forward to claim responsibility for a devastating cyberattack on Optum, a subsidiary of the healthcare giant UnitedHealth Group (UHG). This malicious breach has triggered an ongoing outage that is currently wreaking havoc on the Change Healthcare platform. 

BlackChat posted on their dark website that the group successfully exfiltrated a staggering 6 terabytes of data from Change Healthcare's network. This data includes information from lots of healthcare providers, insurance companies, and pharmacies. 

The stolen data has details about people's medical records, insurance, dental records, payments, and claims. It also has personal info like phone numbers, addresses, social security numbers, and email addresses for millions of people. The data even includes information about active U.S. military and navy personnel, making the situation even more serious. 

Change Healthcare serves as the primary payment exchange platform for a staggering network of over 70,000 pharmacies spread across the United States. The platform's critical role in facilitating transactions within the healthcare industry has been severely disrupted by the attack. 

UHG, the parent company of Optum, holds the distinction of being the largest healthcare conglomerate globally in terms of revenue. With a sprawling workforce of 440,000 employees worldwide, UHG collaborates with over 1.6 million physicians and healthcare professionals across a vast network of 8,000 hospitals and care facilities. 

Why BlackCat Ransomware Group Get So Much Attention From CY-Researchers? 

BlackCat ransomware, also known as ALPHV, has emerged as a notable threat in the realm of ransomware. What distinguishes BlackCat is its use of the Rust programming language, known for its emphasis on safety and performance. By leveraging Rust, BlackCat can evade detection by conventional security measures, presenting a formidable challenge for cybersecurity experts. 

Additionally, BlackCat showcases a high degree of sophistication by targeting a diverse array of devices and entry points. Its capability to compromise systems operating on Windows, Linux, and VMWare platforms highlights its adaptability and flexibility in executing attacks. Of particular concern is BlackCat's adoption of double extortion tactics. In addition to encrypting data, it exfiltrates sensitive information to exert pressure in ransom negotiations. 

Since its discovery in November 2021, BlackCat has remained a significant cybersecurity threat. Its ability to breach various systems serves as a stark reminder of the ever-evolving landscape of cyber threats, underscoring the importance of proactive defense strategies. 

Following the attack, Optum alerted users via a dedicated status page that the efforts were ongoing to restore affected systems to full functionality. They also emphasized that while their operations are being restored, systems belonging to Optum, UnitedHealthcare, and UnitedHealth Group remain unaffected by the cyberattack.
Read more »
Hacking
CMS editor Cyber Security Threats Data Theft FCKeditor Hacking

Old Website Tool Exploited by Hackers, Puts Education and Government Sites at Risk

Hackers are taking advantage of an old CMS editing tool for websites that have not been updated in a long time. They are using it to break into educational and government websites all over the world. Their goal is to mess with search results by sending people to dangerous websites or scams. Open redirect is like leaving the front door of your website wide open for hackers. 

They can sneak in, pretend to be you, and lead unsuspecting visitors straight into their trap. Imagine someone sending a fake email pretending to be from your company. The email has a link that looks legit because it has your domain name. But when people click on it, instead of going to your website, they end up on the hacker's site. 

This sneaky trick works because the website changes the link without you realizing it. Sometimes, it is done by the website itself using fancy code. Other times, it is as simple as sending a secret message to the visitor's browser. Either way, it is bad news for your online reputation. 

Imagine a scenario where there's a link on a website like this: "https://www.example.com/?redirect=". This link is supposed to take visitors to a specific webpage. But here is the catch: anyone can change that link to lead to whatever website they want. It is like having a signpost that can be tampered with to send people wherever someone pleases. That is what we call an open redirect. 

Attackers exploit open redirects to perpetrate phishing schemes, distribute malware, or perpetrate scams under the guise of legitimate domains. Because these URLs originate from reputable sources, they often evade security measures implemented by various products. When search engines index these redirects, they unintentionally make harmful links appear higher in search results.  

This means that open redirects can be used to manipulate search engine rankings by using trusted websites to promote shady content for specific searches. Attackers exploit open redirects on trusted domains to conduct phishing, distribute malware, or scam users. These redirects bypass security filters and can rank malicious content higher in search results. Despite their risks, major companies may not prioritize fixing them unless they lead to more severe vulnerabilities. 

@g0njxa, a cybersecurity researcher, uncovered a troubling malicious redirect campaign targeting university websites. This campaign exploits open redirect flaws associated with FCKeditor, a now outdated web text editor. Despite FCKeditor being replaced by the more modern CKEditor in 2009, many institutions still use the vulnerable version. 

@g0njxa identified several prominent institutions impacted by the malicious redirect campaign, including MIT, Columbia University, and government websites in Virginia and Spain. Despite these warnings, the software developer's response underscores the urgency of transitioning away from FCKeditor, which has been obsolete since 2010. This highlights the critical need for adopting more secure alternatives.
Read more »
Digital healthcare system
Consumer Data Cyber Attacks Cyber Hacking Data Theft Digital healthcare system

Nation-State Cyber Attacks Cause Pharmacy Delays: A Critical Healthcare Concern

 

In recent weeks, pharmacies across the United States have experienced significant delays, leaving patients waiting for essential medications. The cause of these delays is now being attributed to a wave of cyber attacks orchestrated by nation-state hackers, raising serious concerns about the intersection of healthcare and cybersecurity. 

Reports suggest that multiple pharmacy chains have fallen victim to sophisticated cyber campaigns, disrupting their operations and causing delays in prescription fulfillment. The attacks have targeted not only large pharmacy conglomerates but also smaller, independent pharmacies, highlighting the broad scope and indiscriminate nature of these cyber threats. 

The nation-state hackers responsible for the attacks are believed to be employing advanced tactics to compromise pharmacy systems, gaining unauthorized access to sensitive patient data and disrupting the pharmaceutical supply chain. The motives behind these attacks remain unclear, but the potential impacts on patient health and the healthcare system at large are alarming. 

The attacks on pharmacies come at a time when the healthcare sector is already grappling with various cybersecurity challenges. The COVID-19 pandemic has accelerated the adoption of digital health technologies, making the industry more susceptible to cyber threats. Pharmacies, in particular, have become attractive targets due to the wealth of sensitive information they handle, including patient prescriptions, personal details, and healthcare records. 

One of the primary concerns arising from these cyber attacks is the potential compromise of patient privacy. Nation-state hackers with access to pharmacy systems could harvest valuable personal information, creating opportunities for identity theft, financial fraud, or even targeted phishing attacks. The compromised data could also be used for more extensive espionage or to gain insights into the health conditions of specific individuals. 

Beyond privacy concerns, the disruptions caused by these cyber attacks pose a direct threat to public health. Patients relying on timely medication refills may face life-threatening consequences if supply chains are disrupted for an extended period. The interconnected nature of the healthcare ecosystem means that disruptions at pharmacies can have cascading effects on hospitals, clinics, and other healthcare providers. The evolving tactics of nation-state hackers in targeting critical infrastructure and essential services underscore the need for heightened cybersecurity measures across the healthcare sector. 

Pharmacies, in particular, must prioritize robust cybersecurity protocols to safeguard patient information and ensure the continuity of healthcare services. Healthcare organizations should invest in advanced threat detection systems, employee training on cybersecurity best practices, and regular security audits to identify and mitigate vulnerabilities. Collaborative efforts between the public and private sectors are essential to share threat intelligence, enhance cybersecurity awareness, and develop proactive strategies to counter the evolving tactics of nation-state hackers. 

In response to the recent wave of attacks, federal agencies and cybersecurity experts are urging pharmacies to enhance their cybersecurity posture. The Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued guidelines to help healthcare organizations strengthen their defenses against cyber threats. 

The pharmacy delays across the United States attributed to nation-state hackers serve as a stark reminder of the vulnerabilities inherent in the healthcare sector's increasing reliance on digital technologies. As the industry continues to evolve, addressing these cybersecurity challenges becomes imperative to safeguard patient well-being, protect sensitive medical data, and ensure the resilience of essential healthcare services in the face of evolving cyber threats.
Read more »
RMM Software
ConnectWise Data Breach Data Theft Ransomeware RMM Software

ConnectWise ScreenConnect Vulnerability: Navigating the Breach Risk

 

ConnectWise ScreenConnect, a widely-used remote access software, is facing a critical vulnerability that could expose sensitive data and allow the deployment of malicious code. Described as an authentication bypass flaw, the severity-rated vulnerability poses a significant risk to more than a million small to medium-sized businesses that rely on ConnectWise's remote access technology. 

The flaw was initially reported to ConnectWise on February 13, with the company publicly disclosing details on February 19. The vulnerability enables attackers to bypass authentication, potentially leading to the remote theft of confidential data or the injection of malware into vulnerable servers. While ConnectWise initially stated there was no indication of public exploitation, recent updates confirm compromised accounts and active exploitation. 

ConnectWise has not disclosed the exact number of affected customers, but it has seen "limited reports" of suspected intrusions. Approximately 80% of customer environments are cloud-based and were automatically patched within 48 hours. However, concerns persist, with cybersecurity firm Huntress reporting active exploitation and signs of threat actors moving towards more targeted post-exploitation and persistence mechanisms. 

ConnectWise spokesperson Amanda Lee declined to comment on the number of affected customers but emphasized that there has been no reported data exfiltration. However, the situation is serious, with cybersecurity experts warning of potential widespread ransomware attacks given the extensive reach of ConnectWise's software. Florida-based ConnectWise provides remote access technology to more than a million small to medium-sized businesses. 

The vulnerability, actively exploited by threat actors, poses a significant risk to the security of these businesses. Cybersecurity company Huntress reported early signs of threat actors deploying Cobalt Strike beacons and installing a ScreenConnect client onto affected servers. ConnectWise has released patches for the actively exploited vulnerability and is urging on-premise ScreenConnect users to apply the fix immediately. 

Additionally, the company has addressed another vulnerability affecting its remote desktop software, for which there is no evidence of exploitation. The incident comes in the wake of warnings from U.S. government agencies. These agencies observed a "widespread cyber campaign" involving the malicious use of legitimate remote monitoring and management (RMM) software, including ConnectWise SecureConnect. 

The current vulnerability adds to concerns about the security of remote access solutions, following recent incidents involving AnyDesk, which had to reset passwords and revoke certificates due to evidence of compromised production systems. ConnectWise is actively working to address the vulnerability, but the situation remains critical. 

The potential for a large-scale ransomware free-for-all underscores the importance of swift action and heightened cybersecurity measures to protect businesses from the evolving threat landscape. Businesses relying on remote access solutions must prioritize security to mitigate the risks associated with vulnerabilities in widely-used software platforms.
Read more »
Yahoo
Android Apple CIA Cyberattacks CyberCrime Cybersecurity Data Theft Yahoo

Ex-CIA Developer Faces 40-Year Sentence for Leaking Classified Data to WikiLeaks

 


In a multi-charged case that involved the disclosure of classified documents to WikiLeaks, Joshua A Schulte, a former CIA software engineer, was sentenced to 40 years for multiple counts of espionage and computer hacking, as well as one count of lying to FBI agents after handing over classified materials to WikiLeaks in 2022, he was found guilty of four counts of espionage and computer hacking in 2022. 

According to US authorities, Schulte was the cause of the largest breach in CIA history, because his alleged contributions to WikiLeaks have been regarded as one of the largest unauthorized disclosures of classified information ever made by the United States. 

Approximately eight thousand classified documents detailing CIA hacking tools were released on WikiLeaks in 2017 as part of an incident dubbed Vault 7, in which 8761 classified documents were made available. 

The trial on March 9, 2020, July 13, 2022, and September 13, 2023, led Schulte to become the prime suspect and face multiple convictions at trials that concluded on that date. US spies used the leak, which the CIA dubbed a “digital Pearl Harbor,” to hack Apple and Android smartphones, as well as to hack internet-connected television sets and turn them into listening devices, the CIA dubbed a “digital Pearl Harbor.” 

There has been a discussion about whether the Wikileaks founder Julian Assange should be kidnapped or assassinated after the security breach, Yahoo News reported, citing anonymous officials. As a result of the security breach, US officials have been planning to wage an "all-out war" against Wikileaks, including a potential kidnapping or assassination of its founder. 

Despite being indicted in 2019 on charges of espionage and criticized by press freedom organizations, Assange is currently fighting extradition to the US government in Britain. Additionally, the US authorities claim that Schulte's personal computer also contained tens of thousands of videos and images of child sexual abuse material. 

The Independent reports that Schulte denied the allegations and claimed that the CIA and FBI had used him as a scapegoat for the leak of CIA documents. Several brazen, heinous crimes of espionage committed by Joshua Schulte, one of the most brazen, and horrendous of all times, were committed by Schulte, the lawyer for the US. 

In his quest for revenge against the CIA, Schulte caused untold damage to the national security of our country based on how the CIA responded to Schulte's security breaches while employed by the agency. Schulte intended to cause even more harm to this nation after he was caught by the FBI, as he launched what he called an “information war,” releasing top secret information from behind bars to cause more harm to the nation.” 

Schulte received his sentence based on convictions for espionage, computer hacking, contempt of court, lying to the FBI, and having CSAM, among other charges. Additionally, he received a life sentence of supervised release alongside his prison sentence as well as his prison sentence. The CIA spying tools leak that was published last week included some shocking claims, including that hackers could gain access to Apple iPhones, 

Android devices made by Google and Samsung, and Samsung TVs made by Samsung to spy on their users. As presented in court documents, Schulte's theft "immediately and profoundly" affected the CIA's ability to gather foreign intelligence against U.S. adversaries; placed CIA personnel, programs, and assets directly at risk; and resulted in hundreds of millions of dollars of losses to the Agency.

Schulte repeatedly denied responsibility for the leak of the WikiLeaks documents during interrogations conducted by the FBI following the WikiLeaks disclosures. Schulte wrote in his journal in his detention pending trial that he intended to "break diplomatic relations, close embassies, and end US occupation across the globe." 

In the course of searching his apartment in New York, the FBI found that Schulte had hidden thousands of videos and images of horrific and disturbing child sexual abuse under layers of encryption. The FBI uncovered the servers and computers where Schulte had hidden the videos. Following his move to New York, according to the investigation, he continued to store child pornography from Russian websites and the dark web that he collected during his employment with the CIA and began to store it after moving to the city. It was from March 2020 until September 2023 that Schulte faced three separate trials in which he was tried for different crimes.
Read more »
Purple Fox
Cyber Attacks data security Data Theft Malware attacks Purple Fox

Ukraine Faces PurpleFox Malware Crisis: Unraveling the Ongoing Battle and Countermeasures

 

In a disturbing turn of events, the insidious PurpleFox malware has recently unleashed a wave of cyber havoc in Ukraine, infiltrating and compromising thousands of computers. This highly adaptable and elusive malware variant has sent shockwaves through the cybersecurity community, posing a significant challenge to both individuals and organizations alike. 

PurpleFox, renowned for its sophisticated tactics, primarily targets Windows-based systems by exploiting vulnerabilities, granting unauthorized access, and establishing a persistent presence within the infected devices. Armed with multifaceted capabilities such as data theft, remote command execution, and the ability to download and deploy additional malicious payloads, PurpleFox has proven a formidable adversary. 

Reports of compromised systems experiencing data breaches and operational disruptions are emerging, highlighting the malware's destructive potential. Its ability to remain dormant within systems makes detection an arduous task, further complicating the efforts of cybersecurity professionals to neutralize its impact. 

Security researchers point to various infection vectors, including malicious websites, infected email attachments, and stealthy drive-by downloads, as the primary means by which PurpleFox spreads. Its polymorphic nature, constantly mutating its code, renders traditional signature-based detection methods less effective, underscoring the need for advanced, adaptive cybersecurity measures. 

Prompted by the severity of the situation, Ukrainian authorities, alongside cybersecurity agencies, have initiated a concerted effort to contain and eliminate PurpleFox. Emergency response teams have been dispatched to affected regions to assess the extent of the damage and devise strategies for neutralizing the malware's threat. 

The motives behind the PurpleFox campaign in Ukraine remain mysterious, as the malware is a versatile tool often utilized for various cybercriminal activities, including espionage, data theft, and ransomware attacks. Investigations are underway to identify the perpetrators and their overarching objectives. 

To fortify defences against PurpleFox and similar threats, cybersecurity experts stress the importance of timely software updates, robust antivirus solutions, and comprehensive user education. Additionally, organizations are urged to implement network segmentation and closely monitor network traffic for anomalies that could signify a malware infection. 

This incident serves as a poignant reminder of the ever-evolving landscape of cyber threats. As cyber adversaries continually refine their tactics, a proactive and collaborative approach is indispensable to fortify digital defences and ensure the resilience of critical infrastructure. 

In conclusion, the PurpleFox malware outbreak in Ukraine underscores the critical importance of cybersecurity vigilance in our interconnected world. As the investigation unfolds, individuals and organizations must remain vigilant, adopting proactive measures to bolster their cybersecurity defences against the relentless evolution of cyber threats.
Read more »
Threats of Technology
Data Breach Data Theft India Information Security Threats of Technology

Unprecedented Data Breach Exposes Personal Information of Millions in India

Described as the biggest data breach ever, a big security mistake has apparently leaked the personal info of millions of people around the world. CloudSEK, an Indian cybersecurity company, brought attention to the breach, exposing extensive sensitive data, including names, mobile numbers, addresses, and unique 12-digit Aadhaar card numbers. Surprisingly, two groups involved in cybercrime, including CYBO CREW-affiliated CyboDevil and UNIT8200, are selling the data for $3,000. 

CYBOCREW is a relatively new threat group that was initially identified in July 2023. This group has been focusing on organizations in various sectors like automobile, jewellery, insurance, and apparel, carrying out significant breaches. Among its most active affiliates are CyboDevil and UNIT8200. 

Reportedly in the recent attack 750 million Indians have been hit, constituting around 85% of the country's 1.4 billion population, this disclosure raises serious concerns regarding the security and privacy of personal information, marking a critical incident in the cybersecurity domain. 

The breach's severity is magnified by the revelation of Aadhaar card numbers, a crucial identification document in India. The leaked data encompasses details frequently used for identity verification and authentication, leaving affected individuals susceptible to various forms of exploitation, including identity theft and fraud. 

The repercussions of this breach extend to mobile network subscribers in multiple countries, amplifying concerns about privacy and data security. According to CloudSEK researchers, the compromised database contains sensitive security information and has been compressed from 1.8TB to 600GB. 
In their analysis of the extensive personally identifiable information (PII) within the database, CloudSEK identified the global impact on major telecom providers. 

Despite the widespread implications, users in India face heightened risks due to the exposure of their unique Aadhaar identification numbers. This increased vulnerability raises concerns about potential identity theft, financial fraud, and a greater susceptibility to cybercrime for those affected. 

The situation emphasizes the urgent need to address and mitigate risks associated with such breaches to protect personal information and thwart malicious activities. The database is up for sale on Telegram and Breach Forums, which are well-known places for hackers and cybercrime activities. 

Interestingly, this forum recently had another person threatening to release a database from Hathway, which had information from 4 million users. According to CloudSEK, the person selling the data denies being part of the data breach and says they got it through law enforcement channels and undisclosed asset work. However, the source of the data still needs to be clarified.
Read more »
ransom refusal
Cybersecurity Data Breach Data Theft Estes Express Lines FBI Investigation Freight shipping identity monitoring IT Security Personal Data Breach ransom refusal

Estes Declines Ransom Demand Amidst Personal Data Breach and Theft

 

Estes Express Lines, a major private freight shipping company in the United States, has notified over 20,000 customers about a security breach where their personal information was stolen by unknown hackers.

The company revealed that on October 1, 2023, unauthorized individuals gained access to a part of their IT network and deployed ransomware. Despite the standard advice from the FBI and financial regulators, Estes chose not to pay the ransom demanded by the attackers. 

Initially disclosed in early October as a "cyberattack" affecting their IT infrastructure, Estes later announced the full restoration of their system capabilities by October 24 through a video posted by their chief operating officer, Webb Estes.

A group known as Lockbit claimed responsibility for the breach a month later and disclosed that they leaked data taken from the company on November 13. On New Year's Eve, Estes filed a data breach notice with the Maine Attorney General, providing further insights into the digital intrusion, now confirmed to be a ransomware attack.

According to Estes, they are collaborating with the FBI in the investigation. While the forensic analysis confirmed that personal information was stolen, the specifics of the accessed data were not explicitly mentioned in the sample notification letter. 

However, the Maine filing indicated that it involved names or other personal identifiers combined with Social Security numbers, suggesting a broader scope of compromised information.

Estes has not provided immediate responses to inquiries regarding details about the breach, such as the stolen data specifics, the initial network access point for the hackers, the ransom amount demanded, and the rationale behind the decision to refrain from paying the ransom. 

This decision has sparked a contentious debate encompassing practical considerations like effective backups and financial implications, along with broader ethical concerns such as potential support for criminal activities like human trafficking, terrorism, or future cybercrimes through ransom payments.

Both paying and not paying ransoms have proven to be financially burdensome for affected entities. Caesars Entertainment allegedly paid $15 million to a ransomware group to decrypt their data and prevent customer information leakage after a September breach, while MGM Resorts, despite not paying the ransom in a similar attack, suffered losses surpassing $100 million.

While the US government advises against ransom payments, some voices advocate for a complete ban on such extortion payments. Despite the breach, Estes has stated that they are not currently aware of any instances of identity theft, fraud, or financial losses stemming from the incident. Additionally, they plan to offer affected individuals 12 months of free identity monitoring services through Kroll.
Read more »
Threat Landscape
Cyber Crime Data Theft Game Studio Security Breach Threat Landscape

Game Studio Ubisoft Investigates Claims of Data Security Incident

 

Video gaming company Ubisoft revealed that it is looking into reports that hackers attempted to steal data this week by breaching into its networks. 

Ubisoft officials were "aware of an alleged data security incident and are currently investigating. At this point, we don't have anything further to share," a spokesperson for the French firm stated.

The claims were made in a series of social media posts by vx-underground, which hosts the internet's largest collection of malware source code, samples, and publications. The account has become well-known for its interactions with hackers and ransomware gangs, and it frequently shares threat actors' information. 

Earlier this week on Thursday night, hackers told vx-underground that they had "roughly 48 hours" access to Ubisoft servers and accounts before the firm realised something was amiss and cancelled their access. 

“They aimed to exfiltrate roughly 900gb of data but lost access,” the vx-underground account explained. “The Threat Actor would not share how they got initial access. Upon entry they audited the users' access rights and spent time thoroughly reviewing Microsoft Teams, Confluence, and SharePoint.” 

Alleged screenshots of Microsoft Teams accounts and other points of access were published by the hackers via the vx-underground account. 

The Egregor ransomware group first attacked the video game publisher in 2020. The publisher is primarily renowned for titles including Assassin's Creed, Far Cry, and Prince of Persia. The organisation disclosed a well-known game's source code. 

Additionally, in 2021, the company acknowledged that player data from its Just Dance video game franchise was compromised due to a vulnerability in its IT structure. If confirmed, the incident would be the latest in a string of high-profile hacks on one of the biggest game studios.

Arion Kurtaj was sentenced to an indefinite hospital order by a UK court on Thursday for his role in many attacks on large businesses, the most notorious of which involved Rockstar Games, the developer of Grand Theft Auto. 

Kurtaj will be held in a secure hospital for the rest of his life or until doctors believe he is no longer a threat to society, according to Judge Patricia Lees of Southwark Crown Court, who stated that he was "determined to commit further serious offences if the opportunity arose.”
Read more »
Subscribe to: Posts (Atom)