Search This Blog

Showing posts with label Privacy. Show all posts

Bjorka Hunt: Indonesian Parliament Passes Personal Data Protection Bill


After a series of data leaks pertaining to 1.3 billion registered phone numbers and 105 million voters and confidential official records of the President’s correspondence, Indonesia's newly established data protection task force is chasing down a hacker dubbed 'Bjorka'.  
 
Bjorka claims to be based in Warsaw, Poland and has been stealing and selling data that included information pertaining to state-owned enterprises, mobile phone operators, and the general election commission. The stolen data was found to be sold on a BreachForums for the past few weeks. The hacker has also leaked confidential logs of incoming and outgoing documents between Indonesia's President Joko Widodo and the State Intelligence Agency.  
 
The hacker has been tweeting for the past weeks with regards to the leaks, he boldly made statements like “stop being an idiot” directed towards the government. The day after a senior informatics applications official appealed to Bjorka to stop leaking the country’s personal data, at a press conference on September 5th. Bjorka also mentioned in another tweet about how easy it is “to get into various data protection policy [...] primarily if it is managed by the government.” 
 
In the wake of the incident, at least three of Bjorka’s Twitter accounts have been suspended by the government. 
 
Bjorka’s Hunt initiated by the data protection task force has led to the arrest of a man in Madiun, East Java who is believed to be Bjorka. The 21-year-old man, going by the initials MAH, is being interrogated by the force, though he has not been formally charged with any criminal offense as of yet. Currently, the real identity of Bjorka remains unknown as there is no credible information regarding his whereabouts.
 
Chief executive of Jakarta-based Digital Forensic Indonesia, Mr. Ruby stated that instead of focusing only on the latest data breach, the task force should also investigate similar leaks and related cases since 2019.  It will allow the lessons from past cases to prevent any such incidents that may happen in the future. 
 
“It’s better for the task force to improve data management. Relevant institutions just denied data leaks in the past few years and did not enhance their data protection and therefore, there have been recurring data leaks,” states Mr. Alfons Tanujaya, IT security specialist at Vaksincom. 

With regard to the recent surge in data breaches and particularly the aforementioned case, the Indonesian Parliament passed the Personal Data Protection Bill on Tuesday. The Communications minister Johnny G Plate stated that the bill “marks a new era in the management of personal data in Indonesia, especially on the digital front.” The bill includes corporate fines and up to six-year imprisonment for those who are found to have mishandled data for breaching rules on distributing or gathering personal data.

LastPass Hacked, Customer Data and Vaults Secure

The password manager, LastPass recently unveiled that the attackers who breached its security in August 2020 also had access to its network for four days. 
 
As per the latest statements by LastPass, the company suffered from the interference of cyber attackers for four days in august 2022. Luckily, the company was able to detect and remove malicious actors during this period. 

With regards to the investigation updates concerning the security breach, the CEO of LastPass, Karim Toubba published a notice, stating, “We have completed the investigation and forensics process in partnership with Mandiant.” 
 
Furtermore, the company also stated, “There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.” 
 
During the investigation, the company found that the malicious actors got access to the development environment by compromising a developer’s endpoint. After the developer completed its multi-factor authentication, the cyber attackers used their persistent access in imitating the developer and entered the development environment. 
 
However, the company commented that the system design and controls of the developer environment prevented threat actors from meddling with customer data or coded password vaults. 
 
The security measures of LastPass include a master password, which is required to access the vaults and decrypt the data. However, LastPass does not store that master password, which invalidates any other attempt of accessing other than by the user himself. In essence, LastPass does not have access to its users' master passwords. 

In an analysis of source code and production, it was found that as LastPass does not allow any developer from the development environment to push source code into a production environment without a fixed process, the threat actors were also unable to inject any code-poisoning or malicious code. 
 
In order to extend support to LastPass’s customers, Toubab further assured in the notice that they "have deployed enhanced security controls including additional endpoint security controls and monitoring.” The company has worked jointly with Mandiant, an American cybersecurity firm and a subsidiary of Google – to conclude that no sensitive data has been compromised. 

In 2015, the company witnessed a security incident that impacted email addresses, authentication hashes, and password reminders along with other data. Today, LastPass has approximately 33 million customers, thus a similar security breach would have a more jarring impact and hence is a matter of utmost concern. LastPass persuaded customers that their private data and passwords are safe with them as there was no evidence suggesting that any customer data was compromised. 


TikTok Android Vulnerability Identified by Microsoft 

 

In the TikTok Android app, Microsoft has described a high-severity weakness that might have enabled a hacker to take over an account by luring users into clicking on a link.

The bug's current identification is CVE-2022-28799. According to Microsoft, the flaw has not yet been exploited by the public, despite the app having an estimated 1.5 billion downloads on the Play Store. Microsoft advises all TikTok users on Android to upgrade the app to the most recent version while it is being patched.

In fact, Microsoft detected over 70 vulnerable JavaScript methods that, when combined with a bug to take control of WebView, might be exploited to provide the attacker's capability.

Threat actors could execute authenticated HTTP queries or access or modify the private information of TikTok users using the ways that were publicly disclosed.

In essence, attackers who would have been successful in exploiting this vulnerability might have easily:
  • Retrieved the users' authentication tokens by triggering a request to a server under their control and logging the cookie and the request headers.
  • Retrieved or modified the users' TikTok account data, including private videos and profile settings by triggering a request to a TikTok endpoint and retrieving the reply via the JavaScript callback.
"The TikTok Android app was revealed to have a WebView Hijacking vulnerability due to an unvalidated deep link on an invalid argument. Through a JavaScript interface, this may have led to account hijacking, " The HackerOne  explained in an article.

Only about a month after Microsoft first revealed the security flaw, TikTok version 23.7.3 was launched with a patch to address the CVE-2022-28799 tracking number.

Microsoft further said that "Once the targeted TikTok user clicks the hacker's specially constructed malicious link, the attacker's server is granted total access to the JavaScript bridge and can activate any accessible functionality."

The server of the attacker sends back an HTML page with JavaScript code that modifies the user's profile biography and sends video upload tokens back to the attacker.

Attackers with complete access to users' accounts could modify their profile information, send messages, upload movies, and even post private videos.

Tiktok has also fixed further security vulnerabilities that might have let hackers steal customers' personal details or take over their accounts to tamper with footage.

Austria: Google Breached a EU Court Order

The Austrian advocacy group noyb.eu complained to France's data protection authorities on Wednesday that Google had violated a European Union court judgment by sending unsolicited advertising emails directly to the inbox of Gmail users. 

One of Europe's busiest data regulators, the French CNIL, has imposed some of the largest fines on companies like Google and Facebook. The activist organization gave CNIL screenshots of a user's inbox that displayed advertising messages at the top.

The French word 'annonce,' or 'ad,' and a green box were used to identify the messages. According to the group, that type of marketing was only permitted under EU rules with the users' consent.

When referring to Gmail's anti-spam filters, which place the majority of unsolicited emails in a separate folder, Romain Robert, program director at noyb.eu, said, "It's as if the mailman was paid to eliminate the ads from your inbox and put his own instead."

Requests for comment from Google did not immediately receive a response. A CNIL spokeswoman acknowledged that the organization had received the complaint and was in the process of registering it.

The CNIL was chosen by Vienna-based noyb.eu (None Of Your Business) over other national data privacy watchdogs because it has a reputation for being one of the EU's most outspoken regulators, according to Robert.

Even while any CNIL ruling would only be enforceable in France, it might force Google to examine its methods there. 

Max Schrems, an Austrian lawyer and privacy activist who won a prominent privacy case before Europe's top court in 2020, formed the advocacy group Noyb.eu.

This year, the CNIL fined Google a record-breaking 150 million euros ($149 million) for making it challenging for people to reject web trackers. Facebook (FB.O), owned by Meta Platforms, was also penalized 60 million euros for the same offense.

The firms are constantly under investigation for their practice of transmitting the private details of EU citizens to databases in the US. Numerous complaints have been made by NOYB to authorities throughout the bloc, claiming that the practice is forbidden.

A crucial tenet of the European Union's data privacy policy and a primary goal for the CNIL is the prior agreement of Internet users for the use of cookies, which are small bits of data that aid in the creation of targeted digital advertising campaigns. 

Upcoming Crimeware is Driven by Cobalt Strike

Threat actors are transitioning away from the Cobalt Strike suite of penetration testing tools in favor of less well-known frameworks that are similar.

Sliver, an open-source, cross-platform kit, is emerging as a viable replacement for Brute Ratel. Utilizing research queries derived by examining the toolkit, how sliver functions, its components, and malicious activity using it can be found.

Cobalt Strike, a toolkit enabling attackers to deploy "beacons" on compromised machines to conduct remote network surveillance or issue instructions, has long been one of the most well-liked tools in red team engagements.

Hackers are attempting various methods that can avoid Endpoint Detection and Response (EDR) and antivirus solutions because defenders have learned to detect and block assaults depending on this toolkit.

Hackers have developed alternatives as Cobalt Strike's defenses have gotten stronger. They switched to Brute Ratel, an adversarial attack simulation program meant to avoid security products, as seen by Palo Alto Networks.

According to a Microsoft analysis, hackers of all stripes—from state-sponsored organizations to cybercrime gangs—are increasingly employing the Go-based Sliver security testing tool created by experts at BishopFox cybersecurity firm in their attacks.

Microsoft tracks one group that adopted Sliver as DEV-0237. The gang, also known as FIN12, has been connected to several ransomware developers. The gang in the past, has used malware, such as TrickBot, to spread ransomware payloads from other ransomware operators.

State-sponsored actors in Russia, especially APT29 also known as Cozy Bear, The Dukes, and Grizzly Steppe, have reportedly also used Sliver to keep access to compromised environments, according to a report from the UK's Government Communications Headquarters (GCHQ).

Microsoft says that Sliver has been used in more recent attacks in place of BazarLoader using the Bumblebee (Coldtrain) malware loader, which is connected to the Conti syndicate.

Defenders can utilize Microsoft's set of tactics, techniques, and procedures (TTPs) to recognize Sliver and other new C2 frameworks. Hackers can set up listeners to detect anomalies on the network for Sliver infrastructure because the Sliver C2 network supports several protocols DNS, HTTP/TLS, MTLS, and TCP, accepts implants/operator connections, and can host files to imitate legitimate web servers.

Microsoft also provided details on how to recognize Sliver payloads produced from the C2 framework's official, unmodified source.

Microsoft advises removing configurations when they are put into memory for Sliver malware payloads that don't have a lot of contexts because the framework needs to de-obfuscate and decrypt them in order to use them.


PayPal Invoices Used for Data Theft

The past few months have seen an increase in the usage of convincing phishing emails made using an attack on PayPal's invoice system. Scammers are constantly seeking new ways to steal your personal information or money. 

Hackers send bogus invoices from PayPal's website using a free PayPal account they have registered. The emails' bodies contained spoof logos of companies like Norton to make their recipients believe they were authentic.

Emails from PayPal will likely be delivered to your inbox rather than your spam bin because they are not regarded as spam. Because it came from a real Paypal account, the email will appear to be trustworthy so users are advised to stay cautious and not fall for it. You won't receive a worthwhile service if you pay this charge, cybercriminals will receive your money and use it for their own gain. 

The PayPal invoices feature statements like "thank you for purchasing Norton Security Premium package, if you have not authorized this transaction, please call us with your credit card details." They resemble a related fraud that employed phony Quickbooks invoices and was disclosed earlier this month.

The scam, often known as a "double spear" assault, prompts users to call the number, at which point hackers attempt to get them to pay the invoice and steal their credit card information.

Phishing efforts are frequent and come in a variety of shapes, according to a written statement from PayPal.

PayPal stated that it has a zero-tolerance policy for attempted fraud on the platform and that its team is working relentlessly to protect its consumers.

"We are aware of this well-known phishing scheme and have added more measures to help mitigate this particular incidence," the company said. "Nevertheless, we advise clients to exercise constant vigilance online and to get in touch with Customer Service immediately if they believe they are a victim of a scam."

It's astonishing how well-adapted modern fraudsters are at using the very same technologies that financial institutions have long utilized to provide their consumers a sense of security while dealing online. 

Today's scamsters seem to be more interested in hacking your entire computer and online life with remote administration software than they are in stealing your PayPal password, which seems to be at the center of the majority of frauds these days.

Users are advised to follow the guidelines given below in order to safeguard themselves against the aforementioned scam. 
  • To prevent phishing emails from being sent to you, don't rely on email spam filters. Examine emails for warning signs, such as impending deadlines and scare tactics, to spot potential phishing frauds.
  • Use a recognized phone number or email address to get in touch with the service provider directly to confirm the validity of an invoice. To get in touch with the service provider, do not utilize the phone number or link provided in the invoice.
  • The simple notion that an email was delivered via a reputable website should not be used as proof of its validity. To make their schemes seem more credible, cybercriminals can exploit reliable websites.

Over 1,900 Signal User Data Exposed

 

The attacker involved in the latest Twilio data leak may have obtained phone numbers and SMS registration codes for 1,900 Signal users.

“Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered,” the Signal team shared on Monday.

Twilio offers phone number verification services (through SMS) to Signal. Earlier this month, several Twilio employees were duped into receiving SMS messages that seemed to be from the company's IT department. The attacker gained access to information pertaining to 125 Twilio client accounts, including Signal's.

“During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code,” the Signal team explained.

As previously stated, the attacker was able to re-register at least one of the three numbers they specifically sought for.

“All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected,” the team noted. That’s because that data is stored on the users’ device and Signal has no access to or copy of it. “And this information certainly is not available to Twilio, or via the access temporarily gained by Twilio’s attackers,” the team added.

Unfortunately, if the attacker was successful in re-registering an account, they might impersonate the user by sending and receiving Signal communications from that phone number.

Signal is immediately contacting potentially affected users of this vulnerability through SMS. The business has unregistered Signal on all devices that these 1,900 users are now using (or that an attacker has registered for them) and is requesting that they re-register Signal with their phone number on their preferred device.

Furthermore, they are advising them to enable registration lock (Signal Settings (profile) > Account > Registration Lock) for their account, which is a function that aids in the prevention of this sort of fraud.

The attacker was able to obtain either the phone numbers of 1,900 registered Signal users or the SMS verification code they used to register with Signal as a result of this.

“The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against. We strongly encourage users to enable the registration lock. While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users,” the team concluded.

Flaws in Policybazaar Insurance Firm

A small cybersecurity company informed Policybazaar last month that it had found severe security flaws in the organization's internet-facing network that could expose the private financial and personal information of at least 11 million customers to malicious hackers.

The unnamed firm used the typical ethical hacker strategy, which gave Policybazaar, the insurance aggregator, time to fix the bugs and notify the authorities. It said that it felt legal, in part because it had workers who were clients, but it did not get permission in advance to test Policybazaar's technology.

On July 24, a publicly held entity Policybazaar — which counts Tencent among its investors — notified India's stock markets that it had suffered an unauthorized breach, but "no substantial customer data was compromised."

Flaw analysis

CyberX9's director Himanshu Pathak said that anyone with decent computer/IT expertise could have easily found, used, and leaked all of this material.

CyberX9, a startup, is not passive. The company's managing director wants Indians to be aware that since many extremely significant flaws were so simple to find, it appeared as though Policybazaar had purposefully left itself vulnerable to hacking by criminals.

The data also contains copies of the identification, health, and financial documents that people must present in order to obtain insurance, such as tax returns, pay stubs, bank statements, driver's licenses, and birth certificates.  90% of India's internet insurance aggregator market is claimed by Policybazaar, a broker for various carriers and types of policies that collects data through user uploads and self-generated records.

The Associated Press contacted three of the people listed in the sample material, which included copies of private data from CyberX9, one of whom was a soldier stationed in Ladakh, a region that is disputed by Pakistan and China. All three of them acknowledged that they were Policybazaar users. All of them claimed they were unaware of any security incident.

56 million users were enrolled on Policybazaar at the end of December, with 11 million of them as 'transacting clients' who bought 25 million insurance policies, according to documentation on the website of Policybazaar's parent firm, PB Fintech Ltd.

Other than to declare that it had corrected the discovered vulnerabilities and had forwarded the incident to outside consultants for a forensic audit, Policybazaar refused to answer the queries from the AP.

After learning about the volume of private and sensitive data that Policybazaar was in charge of maintaining during its November IPO, CyberX9 claimed it made the decision to check Policybazaar's network for vulnerabilities.

There were no limitations on the number of times an unauthorized user could perform such a retrieval, per the report, which detected five vulnerabilities and was able to collect user data without requesting permission.

Data privacy in India

The founder of SecureLayer7, Sandeep Kamble, said that the handling of these cases by the legal system is immature since most judges lack the necessary technological knowledge. 

Despite the nation's top court deemed privacy to be a fundamental right in 2017 and ordered the government to draft legislation, India, which has 800 million internet users, also lacks a data protection law. Criticism of some of the bill's provisions, such as one that allowed the government access to personal data in the interest of 'sovereignty,' caused a delay in its consideration in Parliament.

A data protection law is deemed required in India, where financial fraud and data leaks are common, as per digital experts. Due to previous events in which both private companies and the government leaked people's data, its absence has raised privacy issues in the nation.









Hackers Use Malware To Spy on Emails


Gmail users should keep a watch out for the recently found email spying software called SHARPEXT. The malware was found by Volexity, a cybersecurity firm. The spying malware targets AOL and Google account holders and can read/download their personal e-mails and attachments.

A hacking group that is believed to work from North Korea is loading harmful browser extensions for Edge and Chrome. It tries to steal email info from open AOL and Gmail sessions and interchange browser preference files. 

About SHARPEXT

Volexity experts found the malicious extension, known as SHARPEXT, it is active for almost a year by Kimsuky (aka SharpTongue). It uses the extension after the attack has been launched, for keeping its presence. 

"SharpTongue's toolset is well documented in public sources; the most recent English-language post covering this toolset was published by Huntress in 2021. The list of tools and techniques described in that post is consistent with what Volexity has commonly seen for years. However, in September 2021, Volexity began observing an interesting, undocumented malware family used by SharpTongue," reports Volexity.

Kimsuky's Attack

Unlike other harmful browser extensions, SHARPEXT isn't made for stealing user credentials. On the contrary, the extension steals information from the e-mail inboxes of the victims.

The hackers deploy the extension manually via a VBS script once the initial breach of the victim system has been done. 

How SHARPEXT is installed

To install SHARPEXT, the hackers replace the Preferences and Secure Preferences files, for the aimed Chromium-based browser, which is generally said to be a difficult task to execute. 

• To interchange the Secure Preferences file, the hackers obtain some details from the browser and make a new file running on browser start-up.

• After that, the attackers use a secondary script to conceal some of the extension's features and any other windows that can surface and alarm the users about suspicious activities. 

• Lastly, the extension uses a pair of listeners for a particular type of activity in the browser tabs. Installation is then modified for different respective targets. 

Volexity says "the purpose of the tabs listeners is to change the window title of the active tab in order to add the keyword used by dev.ps1, the PowerShell script described previously. The code appends the keyword to the existing title (“05101190” or “Tab+”, depending on the version). The keyword is removed when DevTools is enabled on the tab." 

Greek Intelligence Service Accepts Keeping Surveillance on Journalist


The head of Greek intelligence informed a parliamentary committee that his agency had spied on a journalist, two sources on the scene said, in a revelation that coincides with pressuring the government to give information about the use of surveillance malware. 

The committee's hearing recently was called when the leader of the socialist opposition PASOK party filed a complaint to the prosecutor when his phone was bugged with spyware software. 

Reuter reports "Predator spyware can extract passwords, files, photos, and contacts and activate a phone's camera and microphone, enabling surveillance of conversations nearby. Last year when the allegation was reported by Greek media, left-wing SYRIZA, Greece's largest opposition party, asked for the parliamentary committee to convene to look into the matter."

On the 29th July hearing, the chief of the EYP intelligence service told the parliamentary and transparency committee that his service had kept tabs on Thanasis Koukakis, a financial journalist working for CNN Greece. Lawmakers say that he admits to the surveillance. 

Giannis Oikonomou denies authorities using spyware that was deployed in the hacking of Koukakis and denied doing any business with companies selling it. The government has nothing to hide and has requested the justice system to enquire about the cases properly. 

He says without crossing to the extreme of technophobia, such malware does pose a threat and must be tackled efficiently.

Spy services in democratic countries always face pressure for being transparent, this includes lawmakers trying to prevent exploitation and better performance, public concern regarding spyware by authorities, and in a few countries, agencies are needed to make the work public to increase the chances of recruitment. 

Reuters says that agencies say they much balance those demands with the need for secrecy, arguing that much of their work to keep their countries safe should remain classified to protect sources. 

In April, a Greek prosecutor began an investigation into an allegation by Koukakis that his smartphone had been infected by surveillance software. 

The European Union regards using spyware against journalists as unacceptable. 


Slack Fixed Security Flaw for Passwords

When establishing or revoking shared invitation links for workplaces, a bug revealed salted password hashes, therefore Slack claimed it reset passwords for around 0.5 percent of its users.

A cryptographic method known as hashing converts any type of data into a fixed-size output. Salting is intended to strengthen the hashing operation's security and make it more resilient to brute-force attacks.

The flaw was found and patched in Slack's Shared Invite Link functionality, which allows Slack workspace owners to generate a link that will allow anybody to join, according to official Slack documentation. The function is provided as an alternative to sending out individual email invitations to join the workplace.

All users who created or canceled shared invitation links between 17 April 2017 and 17 July 2022 are said to have been affected by the problem, which was discovered by an anonymous independent security researcher.

Bret Taylor, co-CEO of Salesforce, stated on the business's most recent earnings call in May for the period ending April 30 that the number of customers investing more than $100,000 on Slack annually had increased by more than 40% on an annualized basis for four straight quarters. In July 2021, Salesforce completed the $27.7 billion acquisition of Slack.

The business claimed that no Slack client kept or displayed the hashed password and that active encrypted network traffic monitoring was necessary for its discovery. The business is also using the event to encourage people to enable two-factor authentication as a defense against account takeover attempts and develop original passwords for online services.

Massive China-Linked Disinformation Campaign Taps PR Firm for Help

 

Security experts have discovered another Chinese information operation that is attempting to improve the country's image overseas by utilising a large number of fake news sites and social media assets. 

The content, which is available in 11 languages, tries to win hearts and minds over to Beijing's way of thinking by undermining criticism of the Xinjiang genocide and the deterioration of democracy in Hong Kong. 

According to Mandiant, among the Communist Party opponents targeted in the campaign are Chinese billionaire Guo Wengui and German anthropologist Adrian Zenz, who is known for his study on Uyghur oppression. The campaign's most striking feature is that it appears to leverage infrastructure owned by local public relations business Shanghai Haixun Technology, a company that promotes "positive thinking." 

According to Mandiant in a blog post, the word "positive energy" is particularly loaded in China since it is frequently used by the Xi Jinping government to refer to communications that reflect Beijing positively. As a result, Mandiant dubbed the information operations effort "HaiEnergy." 

“While we do not currently have sufficient evidence to determine the extent to which Haixun is involved in, or even aware of HaiEnergy, our analysis indicates that the campaign has at least leveraged services and infrastructure belonging to Haixun to host and distribute content,” the firm explained. 

“In total, we identified 72 websites (59 domains and 14 subdomains) hosted by Haixun, which were used to target audiences in North America, Europe, the Middle East and Asia.” 

The campaign has solely relied on Haixun's internet infrastructure to post information and host websites. In reality, those sites share significant commonalities, indicating a coordinated strategy, including: 
  • Nearly all the English language sites are built with a Chinese-language HTML template
  • Several of the sites that include a domain and subdomain are disguised to appear as different, independent sites
  • Many of the sites link directly to other sites in the network
  • The same articles are often published across multiple sites
If Haixun is actively involved in this effort, it would be a continuation of a pattern in which threat actors utilise "info ops for hire" organisations to perform their dirty work, according to Mandiant. The one advantage is that it does not appear to have paid off on this occasion.

“We note that despite the capabilities and global reach advertised by Haixun, there is at least some evidence to suggest HaiEnergy failed to generate substantial engagement,” the report concluded.

“Most notably, despite a significantly large number of followers, the political posts promoted by inauthentic accounts we attribute to this campaign failed to gain much traction outside of the campaign itself.”

Aetna Reports Mailing Vendor Hack Affected 326,000

 

Aetna ACE revealed to federal regulators a health data breach impacting about 326,000 people that was caused by a ransomware event involving OneTouchPoint, a subcontractor that offers printing and mailing services to one of the insurer's contractors. 

OneTouchPoint, located in Wisconsin, revealed to Maine's attorney general last week that a hacking issue uncovered in April affected roughly 1.1 million people. In a statement posted on its website, OneTouchPoint also identifies more than 30 health plan clients who were affected by the event. That list does not include Aetna ACE. 

Despite this, Aetna ACE reported the OneTouchPoint issue to the Department of Health and Human Services on July 27 as a HIPAA breach impacting almost 326,300 people. Aetna states the exposed information may have included names, residences, dates of birth, and limited medical information, according to a statement given to Information Security Media Group on Tuesday. 

According to Aetna, the incident did not include any of Aetna's or parent company CVS Health's systems. Some experts believe that breaches involving health insurers pose significant privacy and security risks to their members' protected health information. 

"Insurance companies typically hold large volumes of individually identifiable data that are valuable to hackers," says Kate Borten, president of privacy and security consulting firm The Marblehead Group. 

The OneTouchPoint incident is not Aetna's first known health data leak involving a vendor that offers printing and mailing services. Aetna paid millions of dollars in regulatory fines and civil settlements as a result of a botched mailing breach in 2017. 

This privacy violation happened during a vendor's sending of letters to around 12,000 Aetna plan participants in different states informing them of new alternatives for filling their HIV medicines. The members' HIV medicine information was possibly apparent via the clear windows of the shipping envelopes. Aetna paid more than $20 million in court settlements relating to regulatory fines imposed by a few state attorneys general and the resolution of class action lawsuits as a result of the privacy issue.

Google Delays Phasing Out Ad Cookies on Chrome Until 2024

 

Google announced on Wednesday that it is postponing its plans to disable third-party cookies in the Chrome web browser from late 2023 to the second half of 2024. 

"The most consistent feedback we've received is the need for more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome," Anthony Chavez, vice president of Privacy Sandbox, stated. 

Keeping this in mind, the internet and ad tech behemoth announced a "deliberate approach" to extending the testing window for its continuing Privacy Sandbox activities before phasing out third-party cookies. Cookies are packets of data that a web browser places on a user's computer or another device when they visit a website, with third-party cookies powering much of the digital advertising ecosystem and its capacity to follow users across other sites to serve tailored adverts. 

Google's Privacy Sandbox is an umbrella phrase for a collection of technologies aimed at improving consumers' privacy across the web and Android by limiting cross-site and cross-app tracking and offering improved, safer alternatives to serve interest-based ads. While Google had intended to launch the functionality in early 2022, it altered the timeframe in June 2021, proposing to phase away third-party cookies over a three-month period beginning in mid-2023 and concluding in late 2023. 

"It's become clear that more time is needed across the ecosystem to get this right," the company noted at the time. 

The second extension comes after Google introduced Topics API in January 2022 as a successor for FLoC (short for Federated Learning of Cohorts), followed by a developer preview of Privacy Sandbox for Android in May. 

In February 2022, the UK Competition and Markets Authority (CMA) formally accepted Google's commitments on how it develops the technology, emphasising the need to flesh out Privacy Sandbox so that it promotes competition and helps publishers increase ad revenue while also protecting consumer privacy. According to the revised plan, Privacy Sandbox trials will be opened to users worldwide next month, with the number of people participating in the testing increasing during the remainder of the year and into 2023. 

Google also stated that users will be prompted to control their participation and that the APIs will be broadly accessible by Q3 2023, with third-party cookie support expected to be phased off in H2 2024. For its part, the CMA confirmed that it is aware of "alternative approaches being created by third parties" and that it is "working with the [Information Commissioner's Office] to better assess their feasibility and possible implications.

Data of 4,000 Patients at VCU Health Exposed

 

A recent incident compromising the privacy of user-protected health information has been reported by Virginia Commonwealth University Health System. 

The institution revealed the confidential health information of almost 4,000 individuals for 16 years. According to VCU Health's research, the information was available to donors, and recipients as early as January 4, 2006.

There is no proof, according to VCU Health, that any information has been exploited. There were 4,441 donors and beneficiaries in total for this incidence.

On February 7, 2022, a data leak was discovered. On March 29 and May 27, 2022, additional details about the categories of data involved, were disclosed. The information which could be seen in the medical records of other transplant patients or donors included names, Social Security numbers, lab results, medical record numbers, and dates of service.

Customers who are notified have been reminded to keep an eye out for any fraudulent behavior by regularly monitoring their financial account statements. Individuals who may have had their Social Security data exposed have been provided free credit monitoring. 

''Many health care systems are built in a way that sensitive data, such as SSNs, DOBs, or other PII/PHI, is either not shared at all, is at least hidden on the screen by default, and reading them requires additional step-up verification.'' The Synopsys Software Integrity Group's Ashutosh Rana, a senior security consultant, stated. 


Hacker Alert! British Army's YouTube and Twitter Accounts Hijacked

 


About the Crypto Scam

Threat actors hacked the Twitter and YouTube accounts of the British army. A malicious third party compromised the accounts last Sunday, when the users opened the British army accounts, they were redirected to cryptocurrency scams. 

The Minister of Defence (MoD) press office reported the incident around 7 PM on Twitter. The tweet said that the office is aware of the breach of the army's YouTube and Twitter accounts and an inquiry has been set up to look into the issue. 

It is a matter of utmost importance for the army when it comes to information security, says the MoD office, the army is currently trying to resolve the problem. It said to offer no further comments until the investigation is completed and the issue has been solved. 

However, after four hours, an update said that problem had been fixed, here is the official tweet.

What are the reports saying?

Although only YouTube and Twitter were written in the posts, other reports suggest that the Facebook account was also hijacked. The reports disclosed that the threat actors posted various promotional links to various crypto and NFT scams, these include phishing links to a fraud mint of The Possessed NFT collection. 

On YouTube, the threat actors modified the entire account to make it look like investment agency Ark Invest, they posted live stream videos that featured celebrities like Elon Musk and Jack Dorsey. 

What makes this attack unique?

This is a very classic crypto scam, the hackers used videos to promote QR codes for viewers to send their crypto money to, and the viewers were told that they'll get double the investment if they do so. The MoD has now taken down all the content that was rebranded by the hackers. 

"Just last week, high street bank Santander warned of a predicted 87% year-on-year increase in celebrity-endorsed cryptocurrency scams in the UK in 2022. It reported a 61% increase in the cases it dealt with between Q4 2021 and Q1 2022, with the average cost of these scams increasing 65% year-on-year in the first quarter to reach £11,872" says InfoSecurity.

Microsoft Launches New Privacy Features for Windows 11

 

Microsoft is developing a new privacy dashboard to patch its vulnerabilities for Windows 11 that will allow users to view which apps and tools have access to sensitive hardware components such as the camera, microphone, location, phone calls, messages, and screenshots. It's included in one of June Windows 11 Preview Builds and now is ready for testing in the Dev Channel for Windows Insiders.

Users will be able to view the newly implemented tool in the Privacy & Security > App Permissions section, where a "Recent activity" option will be available, as per Microsoft. Users will be able to locate the monitored category of information in this section. "Once clicked, it will show every instance of one of the programs installed on a user's machine that has recently accessed sensitive devices and information," says the next step. Even though the list contains information about the most recent time the program accessed the service, clicking on any of the entries yields no additional information.

Several users would be able to proactively protect themselves from ransomware and phishing attacks that are unwittingly deployed by malicious actors due to this additional layer of privacy. Malware or malicious software may obtain access to a user's privacy in some cases via spying on its camera or microphone, or by reading file paths, process IDs, or process names.

If Windows Hello is turned off, your PC will be unable to access your camera. Some apps use the Camera app to capture pictures, by the Camera app's camera access setting. No images will be taken and sent to the app that accessed them unless you manually select the capture button in the Camera app.

Desktop apps can be downloaded from the internet, stored on a USB drive, or installed by your IT administrator. Microsoft has not yet officially launched this new privacy option, according to its Windows Insider Blog. This information comes from Microsoft's Vice President of Enterprise and OS Security, David Weston, in a tweet on Thursday. 

Windows has never had a privacy feature as useful as this, but it appears that Microsoft is working to strengthen the operating system's privacy controls. With Android version 12, Google provided a similar capability, although its execution is far from satisfactory.

ACY Accidentally Exposes User Data On Web

Anurag Sen, a famous cybersecurity expert said that ACY Securities, an Australia-based trading company accidentally posted huge amounts of personal and financial data of unsuspected users and businesses on the web for public access. The incident happened because of misconfigured database that ACY Securities owns. Sadly, the data leak had over 60GB worth of data that was left in the open without any protection. 

It means that anyone with basic knowledge about obtaining unsafe databases from platforms like Shodan can gain full access to ACY's data. The data had logs from February 2020 to this date, getting updated regularly. The exposed data includes- full name, postal code, address, date of birth, email address, gender details, contact number, password, and banking, and financial information. The attack hit businesses in various countries including China, India, Spain, Russia, Brazil, Australia, Romania, Malaysia, the United States, the United Kingdom, Indonesia, and United Arab Emirates. 

The expose is very severe because, at the beginning of this year, Anonymous and affiliated hacker groups totaled 90% (estimated) of Russian cloud databases, leaked to the public. The exposed data in these leaks was without a password or authentication. 

In the ACY Securities incident, if we consider the extent and nature of leaked data, the case could've turned out to have the worst implication. For instance, threat actors could have downloaded tha data and performed phishing scams, identity thefts, marketing campaign scams, and microloans identity scams.

"misconfigured or unsecured databases, as we know it, have become a major privacy threat to companies and unsuspected users. In 2020, researchers identified over 10,000 unsecured databases that exposed more than ten billion (10,463,315,645) records to public access without any security authentication. In 2021, the number increased to 399,200 exposed databases," read a post on HackRead.

Hacker Steals Database of Verizon Employees

 

A hacker stole a database including hundreds of Verizon workers' complete names, email addresses, corporate ID numbers, and phone numbers. By calling phone numbers in the database, Motherboard was able to confirm that at least part of the data is genuine. Four persons confirmed their complete identities and email addresses, as well as their employment at Verizon. It's uncertain whether all of the info is correct or up to date.

Another person validated the information and stated that she used to work for the company. A dozen more numbers received voicemails that included the names in the database, implying that they are also correct. Last week, the hacker contacted Motherboard to provide the information. 

The data was obtained, according to the unidentified hacker, by convincing a Verizon employee to grant them remote access to their company computer. At that time, the hacker claimed to have gotten access to a Verizon internal tool that displays employee data and to have developed a script to query and scrape the database. 

“These employees are idiots and will allow you to connect to their PC under the guise that you are from internal support,” they told Motherboard in an online chat. The hacker stated they reached out to Verizon and shared the email that he sent to the company. 

“Please feel free to respond with an offer not to leak you’re [sic] entire employee database,” the hacker wrote in the email, according to a screenshot of it. The hacker stated they would like Verizon to pay them $250,000 as a reward. A Verizon spokesperson confirmed the hacker has been in contact with the company. 

“A fraudster recently contacted us threatening to release readily available employee directory information in exchange for payment from Verizon. We do not believe the fraudster has any sensitive information and we do not plan to engage with the individual further,” the spokesperson told Motherboard in an email. 

“As always, we take the security of Verizon data very seriously and we have strong measures in place to protect our people and systems.” 

While the stolen information does not include Social Security numbers, passwords, or credit card details, it is nonetheless potentially harmful. It might be beneficial for hackers who wish to target corporate employees—or mimic one while speaking with another—in order to get access to internal tools. An attack of this type would offer hackers the opportunity to impersonate Verizon personnel and, if successful, complete access to networks that would allow them to look up individuals' information and transfer their phone numbers, a practice known as SIM swapping. 

For years, hackers have gained access to victims' phone numbers, allowing them to change the target's email password, for example. As a result, the hackers get access to the victim's bank or cryptocurrency account. Hundreds, if not thousands, of people have been victimised by this type of breach in recent years. Several persons have been arrested and indicted in the United States for allegedly participating in these types of cyberattacks.

Cyber Agencies: Beware of State Actors Levelling up Attacks on Managed Service Providers

 

The United States, the United Kingdom, Australia, and Canada's cybersecurity agencies issued a second advisory this week, stating that cyberattacks against managed service providers (MSPs) are expected to escalate. 

According to the advice, if an attacker is able to access a service provider's infrastructure, ransomware or espionage activity could be carried out against the provider's customers. 

The nations advised, "Whether the customer's network environment is on-premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects." 

"NCSC-UK, ACSC, CCCS, CISA, NSA, and FBI expect malicious cyber actors -- including state-sponsored advanced persistent threat groups -- to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships." 

The MSP definition covers IaaS, PaaS, SaaS, process and support services, as well as cybersecurity services, for the purposes of this advice. The first piece of obvious advice is to avoid getting compromised in the first place. Beyond that, users should follow standard suggestions such as improving monitoring and logging, updating software, having backups, employing multi-factor authentication, segregating internal networks, using the least privilege approach, and removing old user accounts. Users should verify contracts for clauses that ensure MSPs have adequate security safeguards in place.

Further, the advisory stated, "Customers should ensure that they have a thorough understanding of the security services their MSP is providing via the contractual arrangement and address any security requirements that fall outside the scope of the contract. Note: contracts should detail how and when MSPs notify the customer of an incident affecting the customer's environment."
 
"MSPs, when negotiating the terms of a contract with their customer, should provide clear explanations of the services the customer is purchasing, services the customer is not purchasing, and all contingencies for incident response and recovery."