
Dropbox Security Breach: Unauthorized Access to 130 Source Code Repositories


File hosting service Dropbox revealed on Tuesday that it was the victim of a phishing campaign. The breach allowed an unidentified threat actor to gain unauthorized access to one of its GitHub accounts, compromising 130 of its source code repositories.
"These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team," Dropbox said in an advisory.
Dropbox discovered the breach on October 14, after GitHub notified the company of suspicious activity that had begun a day before the alert was sent.
Further investigation disclosed that the source code accessed by the threat actor contained the development team's credentials, primarily API keys used by the team.
"The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors (for context, Dropbox has more than 700 million registered users)," the company added in the advisory.
The attack came more than a month after both GitHub and CircleCI reported phishing attacks. That phishing campaign was designed to harvest GitHub credentials via fraudulent notifications purporting to come from the CI/CD platform.
The fraudulent emails told users that their CircleCI session had expired, luring victims into logging in with their GitHub credentials.
"These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site," explains Dropbox.
GitHub, in its own advisory, stated, "While GitHub itself was not affected, the campaign has impacted many victim organizations." Regarding the phishing attack, Dropbox confirmed that the attackers did not gain access to customers' accounts, passwords, or payment information, and that its core apps and infrastructure were not affected by the breach. "Importantly, they did not include code for our core apps or infrastructure. Access to those repositories is even more limited and strictly controlled," the company noted.
Furthermore, Dropbox said it has been hardening its environment following the breach by moving to WebAuthn with hardware tokens or biometric factors.
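Why the OTP relay in the phishing flow above succeeds while a WebAuthn login would not, as an added example that is not Dropbox's code: a stdlib-only model of the two login flows. The OTP side is a real RFC 6238 TOTP standing in for the hardware key's one-time code; the WebAuthn side keeps the real clientDataJSON, origin and challenge structure but, to avoid dependencies, the authenticator "signs" with HMAC-SHA256 under a per-credential secret rather than an ECDSA key pair, and the origins and RP ID are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct
import time

LEGIT_ORIGIN = "https://circleci.example"        # constructed, stands in for the real site
PHISH_ORIGIN = "https://circleci-login.example"  # constructed, stands in for the fake page
RP_ID = "circleci.example"


# --- One-time password (RFC 6238 TOTP): what the fake page relayed to the real site ---
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def rp_verify_totp(secret: bytes, code: str, t: int) -> bool:
    # The relying party has no way to tell where the user typed the code:
    # a code relayed by a phishing page is indistinguishable from a genuine one.
    return hmac.compare_digest(totp(secret, t), code)


# --- WebAuthn assertion: the origin travels inside the signed client data ---
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authenticator_get_assertion(cred_secret: bytes, challenge: bytes, origin: str) -> dict:
    """The browser fills in the origin it is actually on; neither the user nor the
    page can change it. (A real browser would also refuse this request outright when
    the RP ID does not match the origin; the model lets it through so the server-side
    check is visible.) HMAC replaces the authenticator's ECDSA signature here."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # authenticatorData = rpIdHash (32) || flags (UP=0x01) || signCount (4)
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_secret, to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": signature}


def rp_verify_assertion(cred_secret: bytes, expected_challenge: bytes, assertion: dict):
    """Relying-party checks in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") != LEGIT_ORIGIN:
        return False, f"origin {cd.get('origin')} is not {LEGIT_ORIGIN}"
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return False, "user-presence flag not set"
    to_sign = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_secret, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def phishing_outcomes(now: int = None) -> dict:
    """Run both flows through a phishing page and report what the real site accepts."""
    now = int(time.time()) if now is None else now
    totp_secret = secrets.token_bytes(20)
    cred_secret = secrets.token_bytes(32)
    # 1. OTP flow: the victim types the code into the fake page, which relays it.
    relayed_code = totp(totp_secret, now)
    otp_ok = rp_verify_totp(totp_secret, relayed_code, now)
    # 2. WebAuthn flow: the fake page relays the real site's challenge, but the
    #    browser stamps the phishing origin into clientDataJSON before signing.
    challenge = secrets.token_bytes(32)
    relayed = authenticator_get_assertion(cred_secret, challenge, PHISH_ORIGIN)
    webauthn_ok, reason = rp_verify_assertion(cred_secret, challenge, relayed)
    # Control: the same credential used on the genuine origin verifies.
    genuine = authenticator_get_assertion(cred_secret, challenge, LEGIT_ORIGIN)
    genuine_ok, _ = rp_verify_assertion(cred_secret, challenge, genuine)
    return {"otp_relay_accepted": otp_ok,
            "webauthn_relay_accepted": webauthn_ok,
            "webauthn_reject_reason": reason,
            "webauthn_genuine_accepted": genuine_ok}


if __name__ == "__main__":
    for key, value in phishing_outcomes().items():
        print(f"{key}: {value}")
```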

A Security Breach in the Shas Database Could Expose Millions of Records

According to top cybersecurity experts, there has been a major security breach in the Shas Party's computerized election management system, which left it open to easy exploitation even by those with only a basic understanding of cybersecurity.

Following an anonymous leak received by the Cyber podcast hosted by Ido Kinan and Noam Rotem, it was revealed that the system had been breached, compromising not only the data of Shas activists and supporters but also the information of all Israeli citizens who are eligible to vote. Ran Bar-Zik, a software architect at the company, subsequently verified the findings.

According to a report by Calcalist, the anonymous leaker discovered the vulnerability with an automated scanning tool that detects such weaknesses.

The information held in the system is as disturbing as the breach itself: detailed personal data of millions of Israeli citizens, such as family ties, phone numbers, and bank account numbers, that is not included in the voter register.

The entry point was a PHP-powered online debugging tool that had been exposed for nearly four years and was breached through a known vulnerability; a common browser is all that is needed to exploit it, so no sophisticated tools are required.

The debugger should be disabled as soon as a system goes into widespread use and enabled only during the testing phase. When it is left active after the system is put into operation, adding a few characters to the website address to reach the debugger, plus a few other simple actions requiring little computer knowledge, is all it takes to get in.

Even though the breach in question has been blocked, it is impossible to determine whether the information in the system was compromised before it was patched. Because the flaw was easy to exploit and was found without much effort, there is concern about who might already hold the personal information stored in the system.

Shas responds to the data leak

Every election cycle, the Shas party, like every other party in the country, receives a copy of the voter register from the Ministry of Interior. After each election, the transmitted information, together with all details added to it, must be destroyed. Nevertheless, it appears that Shas retained the personal data of voters from the previous year's elections.

Professional and reliable electoral software operated by the Shas party for many years maintains a legally registered database, as do all of Israel's other parties. All of the information the Shas party holds has been legally collected, maintained, and handled in compliance with the law, and is backed by the most knowledgeable cybersecurity experts in the field, the party spokesperson said in response to an inquiry by Haaretz.

The party said its attention had been drawn to concerns that the database had been illegally accessed, and that on receiving this information it acted immediately, implementing several changes to secure the entire database as quickly as possible. Shas has conducted a thorough examination of its database systems to ensure that all information remains secure. As part of its ongoing inspection, the party stated that "If any party is found to have violated the law, Shas will take appropriate action."

Elector, a platform used by Likud, leaks the personal information of its users 

A similar incident occurred last year when a list of the names and phone numbers of 5,000 Likud activists, taken from the "Elector" platform, was posted online on the Ghost in leak website, according to the Israeli news outlet Ynet.

The list was uploaded by an anonymous source who identified himself as "an activist," along with an email that circulated in many groups and stated: "The Likud's and Right's electoral system has been compromised. The data will slowly leak out as the system is taken offline until the hackers are removed. Here are the first clusters of activists."

In a ruling issued by the Authority for the Protection of Privacy of the Ministry of Justice, it was determined that the Elector company, along with the Likud and Jewish Home parties that received technological services from it, had violated the Privacy Protection Law and the regulations governing its operation.

The Authority's enforcement procedure found that the holder of the database had violated the law in several respects, including the security of its information systems and its conduct as a holder of sensitive personal information.

Another Singtel Subsidiary Faces Cyber Attack, Weeks after Optus Data Breach


Weeks after the data breach at the Australian telecom giant Optus, Singapore Telecommunications Ltd (Singtel) confirmed that its unit Dialog has suffered a cyber-attack. The attack has reportedly affected 1,000 of the company's current and former employees and about 20 clients.
The breach at Optus, Singtel's Australian subsidiary, took place in late September and reportedly compromised the personal data of up to 10 million customers, including present and former employees.
Days after that breach, the threat actors withdrew a ransom demand of $1 million from the telecom company, saying there were "too many eyes" on the hacked data. The hackers nonetheless leaked the records of more than 10,000 customers to prove that they actually had access to the data.
“On Saturday 10 September 2022, we detected unauthorized access on our servers, which were then shut down as a preventive measure. Within two business days, our servers were restored and fully operational. We contracted a leading cyber security specialist to work within our IT Team to undertake a deep forensic investigation and continuous monitoring of the Dark Web. Our ongoing investigation showed no evidence of unauthorized downloading of the data[…]On Friday 7 October 2022 we became aware that a very small sample of Dialog’s data, including some employees’ personal information, was published on the Dark Web.” states Dialog regarding the data breach. 
Dialog said its systems are completely independent of those of Optus and IT unit NCS, and that there is no evidence of any link between the data breaches at Dialog and Optus.
"With this being the third large breach impacting the company in the last few years, it sounds like it is time to review the company's cybersecurity program because something is clearly not working," states O'Toole. 
"Everyone knows employees are the number one target for criminals looking to steal and compromise an organization's data, so addressing this risk must be the priority," she added. 
According to the CEO, one prominent way to tackle the risk is to deploy encrypted network access and segmentation tools, which encrypt employee credentials and other information so they cannot be hacked or stolen. "This closes doors on attackers, and it will significantly improve Singtel's security defenses against data breaches in the future," she added.

Leaked Brute Ratel C4 Post-Exploitation Toolkit might have Catastrophic Consequences


Malicious hackers have cracked the Brute Ratel C4 (BRC4) post-exploitation toolkit and published it for free across Russian-speaking and English-speaking hacking forums. 

For those unfamiliar with BRC4, it is a post-exploitation toolkit originally designed by Chetan Nayak as a red-team alternative to Cobalt Strike for penetration testing. The toolkit was specifically created to bypass detection by security solutions such as endpoint detection and response (EDR) and antivirus (AV) products.

According to Will Thomas, the cybersecurity researcher who first identified the leak, the toolkit's potential to be reposted on other websites and to reach many more hackers could have catastrophic results.

How hackers cracked BRC4

At first, threat actors created bogus firms to get around the license requirements for using the toolkit, because its developer, Chetan Nayak, has the authority to revoke the license of any customer using Brute Ratel for nefarious activities.

Nayak claims that an uncracked version was uploaded to VirusTotal in mid-September and was then cracked by the "Russian group Molecules" to remove the license check. He also accused MDSec of having done the upload, but it remains unclear who uploaded the files.

The hackers have now published the cracked version of the tool on multiple English and Russian-speaking communities, including CryptBB, RAMP, BreachForums, and Exploit[.]in, Xss[.]is, and Telegram and Discord groups. 

“There are now multiple posts on multiple of the most populated cybercrime forums where data brokers, malware developers, initial access brokers, and ransomware affiliates all hang out,” said Thomas in the report. 

Future remains uncertain 

Thomas explained the potential dangers of the leaked toolkit, saying it can generate shellcode that is not easily detected by security software at present.

“One of the most concerning aspects of the BRC4 tool for many security experts is its ability to generate shellcode that is undetected by many EDR and AV products. This extended window of detection evasion can give threat actors enough time to establish initial access, begin a lateral movement, and achieve persistence elsewhere,” the researcher added. 

That this post-exploitation toolkit is now in the hands of hackers who should never have had access to it is alarming. Antivirus and EDR vendors will need to improve their detection of Brute Ratel soon.

In the meantime, the researcher has advised security, Windows, and network administrators to review MDSec's blog post on Brute Ratel C4 to learn more about spotting the software on their networks.

84% of US Businesses Experienced Identity-Related Breaches


According to new research from the non-profit Identity Defined Security Alliance (IDSA), the number of security breaches resulting from phishing or exploited identities has reached epidemic proportions. For its 2022 Trends in Securing Digital Identities report, the IDSA surveyed 500 US identity and security experts.

In the past year, 84% of respondents reported having suffered an identity-related breach, with the clear majority (78%) stating that it had a direct impact on the business. Growing identity fraud in the corporate sector adds to the problem daily.

When leaders prioritize identity security, risky behavior is reduced: 71% of companies have executives who publicly address staff about password security. Even so, 60% of IT/security stakeholders acknowledged risky security behaviors.

Respondents are focusing on the fundamentals and on investing in security outcomes: 97% will invest in identity-focused security outcomes. MFA is a major area of interest, especially for employees and privileged users.

The report suggests a few basic steps businesses can take to improve security outcomes against unauthorized access. When executives discuss corporate credentials, for instance, the survey found that 72% of respondents are more careful with their work passwords than with their personal passwords.

Businesses do seem to be responding. Almost all respondents (97%) stated they intend to invest in "identity-focused security outcomes," and 94% reported that identity investments are part of strategic initiatives such as cloud adoption (62%), the deployment of Zero Trust (51%), and digital transformation activities (42%).

According to the Anti-Phishing Working Group (APWG), phishing reached an all-time high in the first quarter of 2022.

Kaiser Permanente Reveals Data Leak of Nearly 70,000 Medical Records


Kaiser Permanente, California's biggest hospital system, has disclosed a data breach at one of its subsidiaries that put the sensitive medical data of almost 70,000 patients at risk.

In a letter sent to patients on June 3, the healthcare provider termed the breach as a “security incident” that occurred on April 5 and involved unauthorized access to an employee’s emails. 

The leaked data included patients' first and last names, medical record numbers, dates of service, and laboratory test result information, the disclosure letter states. Sensitive data such as Social Security numbers and credit card numbers were not exposed in the breach.

After discovering that a hacker had gained access to the employee's email account, Kaiser Permanente terminated the access within hours and launched an internal investigation to identify the scope of the breach. Although there was no sign that the unauthorized party had accessed the protected health information (PHI) contained in the emails, the healthcare firm could not rule out the possibility.

Furthermore, the healthcare provider has taken multiple steps to boost security, including resetting the password for the employee email account where the unauthorized activity was detected and providing additional training on safe email practices.

“The breach occurred almost three months ago, yet Kaiser Permanente has only recently notified potentially impacted people that their data may have been compromised. During this time, the affected individuals could have been targeted by attackers using any specific information stolen in convincing social engineering campaigns. It’s critical that as a part of their larger cybersecurity culture, organizations include assessing their ability to quickly understand the scope of a potential breach in risk analysis or tabletop exercises,” stated Chris Clements, Vice President of Solutions Architecture at cybersecurity firm Cerberus Sentinel. 

Security tips to counter data breaches

The breach took place nearly three months ago, but the healthcare firm only recently alerted potentially affected individuals that their private data may have been exposed. During that three-month period, the hackers may have used the data to gain access to other restricted systems or to financial data such as credit card information, software code, or online banking passwords.

As data breach attacks are becoming more common, it is critical to understand how to mitigate the risks. Here are some easy tips to shield your data from the threat of a security breach. 

• Change and Secure Your Passwords 
• Update data security features 
• Use Access Controls 
• Safeguard physical data 
• Encrypt data 
• Protect portable devices

Attackers Use Stolen OAuth Access Tokens to Breach Dozens of GitHub Repos


GitHub has shared a timeline of last month's security breach that saw an attacker using stolen OAuth app tokens to steal private repositories from dozens of organizations. 

The OAuth tokens had been issued to two third-party integrators, Heroku and Travis CI, but were stolen by an unknown attacker. According to GitHub's Chief Security Officer Mike Hanley, the company has found no evidence that its own systems were breached since the incident was first identified on April 12, 2022.

OAuth tokens are one of the go-to elements that IT vendors use to automate cloud services like code repositories and DevOps pipelines. While these tokens are useful for enabling key IT services, they are also susceptible to theft. 

"If a token is compromised, in this case, a GitHub token, a malicious actor can steal corporate IP or modify the source to initiate a supply chain attack that could spread malware or steal PII from unsuspecting customers," Ray Kelly, a researcher at NTT Application Security, explained.

GitHub said it is in the process of sending the final notifications to its customers. According to the firm's analysis of the attacker's methodology, the attacker authenticated to the GitHub API using the stolen OAuth tokens issued to Heroku and Travis CI. Most of those affected had authorized the Heroku or Travis CI OAuth apps in their GitHub accounts. The attacks were selective: the attacker listed the private repositories of interest and then cloned them.

“This pattern of behavior suggests the attacker was only listing organizations to identify accounts to selectively target for listing and downloading private repositories. GitHub believes these attacks were highly targeted based on the available information and our analysis of the attacker behavior using the compromised OAuth tokens issued to Travis CI and Heroku,” GitHub stated. 

GitHub also issued recommendations to help users investigate their logs for data exfiltration or malicious activity: scanning all private repositories for secrets and credentials stored in them, reviewing the OAuth applications authorized for a personal account, and following GitHub's guidance to harden their GitHub organizations. Users should also check their account activity, personal access tokens, OAuth apps, and SSH keys for activity or changes that may have come from the malicious actor.
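The first of GitHub's recommendations above, and the API keys found in Dropbox's cloned repositories earlier on this page, both come down to finding credentials that were committed to source. As an added example that is not GitHub's or Dropbox's tooling, this scanner matches well-known token formats by regex and flags long high-entropy literals assigned to secret-looking names while skipping obvious placeholders; the sample files are constructed, and the AWS key in them is the one used in AWS's own public documentation.

```python
import math
import os
import re
from collections import Counter

# Public token formats (the prefixes are documented by their vendors).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# `name = "literal"` or `name: 'literal'` where the name sounds like a secret and
# the literal is long enough to be a credential rather than an ordinary word.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[A-Z0-9_.]*(?:secret|token|passw(?:or)?d|api[_-]?key|auth)"
    r"[A-Z0-9_.]*)\s*[:=]\s*[\"'](?P<value>[^\"'\s]{16,})[\"']"
)

PLACEHOLDER_HINTS = ("${", "<", "example", "changeme", "xxxx", "your", "dummy")


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex is about 4.0, English words 2.5 to 3.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_placeholder(value: str) -> bool:
    lowered = value.lower()
    return any(hint in lowered for hint in PLACEHOLDER_HINTS)


def redact(value: str) -> str:
    """Never copy the full secret into a report that will itself be shared."""
    return value[:4] + "..." + value[-2:]


def scan_text(path: str, text: str, entropy_threshold: float = 3.5) -> list:
    """Return one finding dict per suspected credential in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in KNOWN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({"path": path, "line": lineno, "kind": kind,
                                 "match": redact(match.group(0))})
        for match in ASSIGNMENT.finditer(line):
            value = match.group("value")
            if any(p.search(value) for p in KNOWN_PATTERNS.values()):
                continue  # already reported by the format-specific rule above
            if looks_like_placeholder(value):
                continue  # templated or documentation value, not a live secret
            if shannon_entropy(value) >= entropy_threshold:
                findings.append({"path": path, "line": lineno,
                                 "kind": "high_entropy_assignment",
                                 "name": match.group("name"),
                                 "match": redact(value)})
    return findings


def scan_files(files: dict) -> list:
    """Scan an in-memory {path: contents} mapping (used by the sample below)."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


def scan_tree(root: str, skip_dirs=(".git", "node_modules", "venv")) -> list:
    """Walk a checked-out repository on disk; binary files are skipped."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8") as fh:
                    results.extend(scan_text(full, fh.read()))
            except (UnicodeDecodeError, OSError):
                continue
    return results


# Constructed sample repository contents.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DB_PASSWORD = "${DB_PASSWORD_FROM_VAULT}"\n'
        'API_KEY = "f3a9c1e7b2d845f0a6c3e9d1b7a2f4c8"\n'
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        'export SLACK_TOKEN="xoxb-000000000000-000000000000-ABCDEFGHIJKLMNOPQRSTUVWX"\n'
        'ADMIN_PASSWORD="changeme"\n'
    ),
    "README.md": 'Set API_KEY="<your-api-key-here>" before running the tests.\n',
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

On the sample, the AWS key and the Slack token are caught by format, the 32-hex `API_KEY` by entropy, and the vault reference, `changeme` and README placeholder are correctly ignored; `scan_tree(".")` runs the same rules over a real checkout.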

Conti Ransomware Targets Taiwanese Apple and Tesla Supplier Delta Electronics


Taiwanese electronics manufacturing firm Delta Electronics was targeted by the Conti ransomware this week. The company operates as a supplier for major tech giants such as Apple, Tesla, HP, and Dell. 

According to a statement circulated on January 22, 2022, the incident only affected non-critical systems and had no significant impact on the company's operations. Delta is now restoring the systems taken down during the attack and says it has hired third-party security experts to help with the investigation and recovery.

The company added that it had notified law enforcement agencies and hired information systems advisers to investigate the attack and to improve network security. While Delta's statement did not disclose who was behind the attack, an undisclosed information security company discovered a Conti ransomware sample deployed on the company's network. 

The Conti operators claim to have encrypted 1,500 servers and 12,000 computers out of about 65,000 devices on the company’s network. The Conti ransomware gang is said to have demanded a $15 million ransom payment from Delta and stopped leaking files stolen from its network. 

While Delta is still reportedly working with Trend and Microsoft's security teams to investigate the incident and claims that its production has not been affected, its website is still down one week after the attack. 

"The Conti ransomware group revealed a specific pattern part of the Delta attack leveraging Cobalt Strike with Atera for persistence as revealed by our platform adversarial visibility. Certainly, this attack is reminiscent of the REvil Quanta one affecting one of the Apple suppliers," Vitali Kremez, CEO of AdvIntel, stated. 

The Conti ransomware gang first emerged in 2020 and has been linked to the Russian-speaking Wizard Spider cybercrime group. The gang has targeted multiple high-profile organizations, including Ireland's Department of Health (DoH) and Health Service Executive (HSE), and the RR Donnelley (RRD) marketing giant.

Conti has also been the subject of two government warnings. The first was by the U.S. Federal Bureau of Investigation in May, followed by a warning from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency in September. 

“Cybercriminals continue to target organizations that provide a service or product to larger organizations with the expectation that they cannot suffer downtime due to a ransomware attack and will be inclined to pay up faster,” James McQuiggan, a security expert at security awareness training company KnowBe4 Inc., said. “While the attack was substantial, it appears the organization took the necessary actions to protect the critical equipment and systems within their organizations, as it seems that the cybercriminal group targeted corporate systems like their webpage.”

Howard University Cancels Online and Hybrid Classes After Ransomware Attack


Washington, D.C.'s Howard University, one of the largest Black schools in the United States, has canceled online and hybrid classes as it continues to investigate a ransomware attack on its computer network.

The security breach was identified on September 3, just weeks after students returned to campus when the University’s Enterprise Technology Services (ETS) noticed “unusual activity” on the University’s network and intentionally shut it down in order to mitigate the risk and to investigate the incident. 

There has been no evidence to suggest that private details of its 9,500 undergraduate and graduate students were retrieved or stolen, but the investigation is still active, the university wrote in a statement.

“Based on the investigation and the information we have to date; we know the University has experienced a ransomware cyberattack. However, our investigation remains ongoing, and we continue to work toward clarifying the facts surrounding what happened and what information has been accessed,” the statement said. 

Howard University canceled classes to determine the impact of the ransomware attack; only essential employees were allowed to continue their work. Campus Wi-Fi will also be down while the investigation is underway, though cloud-based software will remain accessible to students and teachers.

“This is a highly dynamic situation, and it is our priority to protect all sensitive personal, research, and clinical data. We are in contact with the FBI and the D.C. city government, and we are installing additional safety measures to further protect the University’s and your personal data from any criminal ciphering,” the university said.

But the university warned that that remediation will be “a long haul — not an overnight solution.”

Howard University is the latest educational institution to be hit by a ransomware attack since the start of the pandemic, with the FBI’s Cyber Division warning that attackers have changed their strategies and are currently focusing heavily on schools and universities due to the widespread shift to remote learning.

Last year, the University of California paid $1.14 million to NetWalker attackers after they encrypted data within its School of Medicine’s servers, and the University of Utah paid hackers $457,000 to prevent them from releasing data stolen during an attack on its network. 

In 2021 alone, ransomware attackers have targeted 58 U.S. education organizations and school districts, including 830 individual schools, according to a report published by Emsisoft threat analyst Brett Callow last month. Emsisoft estimates that in 2020, 84 incidents disrupted learning at 1,681 individual schools, colleges, and universities.

"The attack on Howard University is yet another sign that cyberattacks are global, interconnected, and evolving. Hackers, drawn by the lucrative potential of holding business-critical data hostage, are launching more sophisticated attacks every day,” Stephen Manley, the chief technology officer at Druva, a data protection software company, said in a statement.

Romanian Real Estate Website Suffers Major Security Breach


The website, Romania's biggest advertising platform for real estate ads, suffered a security breach last December that allowed unauthenticated access to more than 201,087 files in the company's data archive (including copies of identity cards), as reported by IT security researchers at Website Planet, according to a specialized site. The operator said last month that it had remediated the flaw but did not report it to the Data Protection Authority.

Although it remains unclear whether customer data has fallen into the wrong hands, there was no password protection or authentication on the company's storage bucket. The leaked data was stored in 35,738 PDF and 165,316 JPG files containing full names, telephone numbers, home addresses, emails, CNP (social security) numbers, and personal signatures, that is, personally identifiable information (PII). Notably, anyone who entered the correct URL could reach the bucket.

The breach exposed over 200,000 documents, but the exact number of people affected remains unclear. Other compromised customer information includes real estate contracts between customers and the company, property records including architectural plans, detailed descriptions and locations, land registry extracts and ANCPI documents, user profile photos, scanned copies of national identity cards containing identification codes, and asking prices and detailed descriptions of properties, including real estate agreements. Company officials stated, "In January 2021, we detected a potential vulnerability in our internal data storage systems. Our company promptly launched an investigation. The vulnerability was quickly remedied. Internal investigations on the causes and potential consequences continue. We assure in this way that data security is a priority and we work continuously to protect the confidentiality and integrity of our platforms, meeting all current standards and in cooperation with."

Given the nature of the leaked information, the possible effects on consumers may be serious. Malicious actors could use the information to learn a person's home address, the estimated sale value of their property, and their financial status. No explicit financial data was leaked, but property values can serve as a proxy indicator of net worth. Identity theft is the primary concern, but other crimes such as robbery also become more likely as a result of the leak. Users could have done little to prevent the exposure; responsibility for the leaking server lies with the organization. Users can nevertheless reduce the risk posed by weak cybersecurity at third-party firms, for example through credit monitoring and identity recovery services, since leaked personal data can be used to damage their credit records or to commit other crimes under an assumed name.

US Cybersecurity Company FireEye Hacked by 'Nation-Backed' Threat Actors

On Tuesday, FireEye, one of the leading cybersecurity firms, said that it had been attacked by "highly sophisticated" state-sponsored hackers who stole the company's hacking tools used for testing customers' security and networks. The attack was heavily customized to breach FireEye's systems.
The breach underscores the harsh reality that even the most advanced security vendors, whose business is protecting others from intrusions, can be targeted and hacked. Notably, the attacker mainly sought data relating to some of the firm's government customers, using an unprecedented combination of tactics, according to FireEye. CEO Kevin Mandia, in his blog post, characterized the incident as a "highly targeted cyberattack" of a kind never witnessed before. So far, no customer data appears to have been accessed by the attackers.
There is much speculation about who carried out the attack, but the firm has given no indication of the attackers' origin and is investigating the matter together with the FBI. Mandia did indicate in his blog post that the nation responsible has world-class offensive capabilities, as the novelty of the attack speaks volumes about the top-notch capabilities tailor-made to hit FireEye.
Drawing on his 25 years of experience in cybersecurity, Mandia further said in Saturday's blog post that this attack was "different from the tens of thousands of incidents we have responded to throughout the years," and "used a novel combination of techniques not witnessed by us or our partners in the past."
"These tools mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers," the company said in the filing. "Consistent with our goal to protect the community, we are proactively releasing methods and means to detect the use of our stolen Red Team tools."
A CISA spokesperson said, "As details are made available we are working to share and implement countermeasures across the federal networks and with our private sector partners."
Meanwhile, Mike Chapple, a former NSA official who is now a cybersecurity expert at the University of Notre Dame, said FireEye has had a "ringside seat" for some of the most advanced intrusions carried out globally.

Largest ISP in Austria Hit by a Security Breach

The largest internet service provider in Austria was hit by a security breach, revealed this week following an informant's report, after suffering a malware infection in November 2019.

A1 Telekom said that its security team identified the malware a month later, but that removing the infection proved trickier than initially envisioned.

From December 2019 to May 2020, its security team fought the malware's operators in an effort to remove all of their hidden backdoor components and kick out the intruders.

The Austrian ISP told a local blogger that the malware infected only computers on its office network, not its whole IT infrastructure, which comprises more than 15,000 workstations, 12,000 servers, and a large number of applications.

In interviews with the Austrian press [1, 2, 3], A1 said that the complexity of its internal network kept the attacker from moving on to other systems "because the thousands of databases and their relationships are by no means easy to understand for outsiders."

The attackers evidently took manual control of the malware and attempted to extend their initial foothold on a couple of systems to the company's whole network.

A1 said the attacker managed to compromise a few databases and even ran database queries in order to learn more about the company's internal network.

A1, which did not disclose the nature of the malware, did not say whether the intruders were a financially motivated cybercrime gang or a nation-state hacking group.

While A1 declined to comment on the informant's attribution, Christian Haschek, the Austrian blogger and security researcher who originally broke the story, said the informant asserted the hack was carried out by Gallium, a codename used by Microsoft for a Chinese nation-state hacking group specializing in hacking telecom providers across the world.

Data of 9 million customers of the Russian courier service CDEK leaked

Data belonging to nine million customers of the CDEK Express delivery service was put up for sale on the Web for 70 thousand rubles ($950). This is the largest leak of personal data in Russian delivery services.

The Telegram channel In4security noted that the database contains information about the delivery and location of goods as well as information about buyers, including Tax Identification Numbers. The seller of the database sent the channel's author screenshots dated May 8, 2020, which indicates that the database is fresh.

CDEK claims that there was no data leak from the company. As a representative of the service stressed, personal data is collected by many companies, including state aggregators, and the leak could have occurred at any of these.

Andrey Arsentiev, Head of Analytics and Special Projects at InfoWatch Group, said that this is the largest leak of personal data from Russian delivery services. He noted that this is not the first time CDEK user information has leaked: previously, customers of the delivery service complained that other people's personal data was visible on the company's website because of vulnerabilities.

Alex Drozd, Head of the Security Department at SearchInform, warned that leaks are always followed by calls from scammers, who phone the victim, introduce themselves as company employees, and try to extract billing information.

The interest of fraudsters in courier-service data may be linked to the increased demand for such services during the coronavirus pandemic and self-isolation.
The company also recalled that cases of fraudulent sites acting on behalf of CDEK have recently become more frequent.

It should be noted that in recent weeks there has been an increase in phishing sites: online cinemas, online stores, training courses, legal advice, government portals. Earlier, E Hacking News reported that Russia has overtaken the USA in hosting phishing resources.

One of Today's Most Popular E-Commerce Platforms Hit By A Major Security Breach

Recently Magento Marketplace, a portal for purchasing, selling, and downloading plug-ins and themes for Magento-based online stores, was hit by a major security breach, as revealed by Adobe, which acquired Magento for $1.68 billion in May 2018.

The impacted users include both regular users who purchased themes and plugins and the theme developers who used the portal to sell their code and make money.

In an email sent to users, the company said a vulnerability in the Magento Marketplace website permitted "an unauthorized third-party" to access the account data of registered users. The vulnerability exposed user information such as name, email, store username (MageID), billing and shipping addresses, phone number, and limited commercial information such as the percentages for payments Adobe made to theme/plugin developers.

Fortunately, however, no account passwords or financial information were exposed, according to Adobe.

Jason Woosley, Vice President of Commerce Product and Platform, Experience Business, at Adobe, says “We have notified impacted Magento Marketplace account holders directly and already took down the Magento as soon as we learned of the hack in order to address the vulnerability.”

The store is currently back online.

The Adobe VP did not, however, share the exact number of affected accounts. A Magento representative, when approached, did not comment beyond the company's official blog post.

Nonetheless, the Adobe executive said the hack did not cause any outages or disruption to the company's core Magento products and services, and, at the time of writing, there is no reason to believe that the hacker compromised Magento's core backend or the plugins and themes hosted on the marketplace.

Justdial Hit By a Second Security Breach in Two Weeks; Poor OpSec To Blame!

Justdial is a well-known Indian hyper-local search engine which recently suffered two security breaches in the span of two weeks.

Only a few weeks ago, the database of all Justdial customers was laid bare on the dark web, and now the reviewers’ data is on the line.

The company, which has over 134 million QUA, can’t afford to make such reckless mistakes.

On April 18th, the private data of over 100 million users, including names, addresses and email IDs, stored in the search engine’s database, was laid out in the open.

The organization attributed the breach to an expired API which allowed anyone to access user data. A major share of those affected were users of the hotline number.

Security researchers were the first to discover the breaches that so battered Justdial. They also said that no specific action was taken in response.

Justdial denied these claims, stating that the data was stored in a double-encrypted format.

The same group of researchers found another gap in Justdial's API on April 29th.

This time it was the people who post reviews who were harmed, as their data was exposed.

Reportedly, the API connected to Justdial’s reviewers’ database had been unprotected since the company’s foundation.

Hence the reviewers’ names, mobile numbers, locations and more became easily accessible thanks to the loophole.

But this issue was immediately fixed, according to the reporters.

Whatever happened, the unprotected database and the loophole contributed largely to the data breaches.

Justdial operates a huge database and hence has a large amount of data stored within it.

A weak API and poor operational security are largely to blame for the breaches Justdial saw in these couple of weeks.

According to security researchers, API handlers and managers should be employed. An easily implemented software switch could also help protect the access points.

The first breach should also have been taken seriously and used as a lesson to help secure the system against future attacks.

It is evident that the company needs to strengthen its operational security and up its game in closing the present loopholes and possible weaknesses.
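The access-point controls the researchers call for above (an API that checks who is calling, keys that actually expire, and a software switch that can shut an endpoint off) can be shown in a small gateway-style authorizer. The following Python is an added example written for this post, not code from Justdial or from the researchers; every key id, secret, path and scope name in it is constructed for the demonstration.

```python
import hashlib
import hmac
import time


def _digest(secret):
    """Store and compare secrets only as SHA-256 digests, never in the clear."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed key registry standing in for an API gateway's key store.
# Key ids, secrets, scopes and expiry times are made up for this example.
API_KEYS = {
    "reviews-web": {
        "secret_digest": _digest("constructed-secret-1"),
        "scopes": {"reviews:read"},
        "expires": 1_700_000_000,  # unix time after which the key is refused
    },
    "legacy-batch": {
        "secret_digest": _digest("constructed-secret-2"),
        "scopes": {"reviews:read", "customers:read", "stats:read"},
        "expires": 1_500_000_000,  # already expired: must be refused
    },
}

# Per-endpoint kill switch: an operator flips an endpoint off during an
# incident without a redeploy. This is the "software switch" the text means.
ENDPOINT_ENABLED = {"/reviews": True, "/customers": False, "/stats": True}
REQUIRED_SCOPE = {"/reviews": "reviews:read", "/customers": "customers:read", "/stats": "stats:read"}

# Compared against when the key id is unknown, so unknown and known ids are
# rejected in the same amount of time and the registry cannot be enumerated.
_DUMMY_DIGEST = _digest("constructed-dummy")


def authorize(path, key_id, presented_secret, now=None):
    """Deny-by-default check for one request. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    if not ENDPOINT_ENABLED.get(path, False):
        return False, "endpoint disabled"
    entry = API_KEYS.get(key_id)
    expected = entry["secret_digest"] if entry else _DUMMY_DIGEST
    # Constant-time comparison so response timing does not leak the secret.
    secret_ok = hmac.compare_digest(expected, _digest(presented_secret))
    if entry is None:
        return False, "unknown key"
    if not secret_ok:
        return False, "bad secret"
    if now >= entry["expires"]:
        return False, "key expired"
    if REQUIRED_SCOPE.get(path) not in entry["scopes"]:
        return False, "missing scope"
    return True, "ok"


def demo(now=1_600_000_000):
    """Run constructed requests through the authorizer; returns the reasons."""
    requests = [
        ("/reviews", "reviews-web", "constructed-secret-1"),    # valid
        ("/reviews", "reviews-web", "wrong-secret"),            # bad secret
        ("/reviews", "legacy-batch", "constructed-secret-2"),   # expired key
        ("/customers", "reviews-web", "constructed-secret-1"),  # switched off
        ("/reviews", "nobody", "anything"),                     # unknown key
        ("/stats", "reviews-web", "constructed-secret-1"),      # lacks scope
    ]
    return [authorize(path, key, secret, now=now)[1] for path, key, secret in requests]


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The order of the checks matters: the endpoint switch is evaluated first so a disabled route refuses everyone, including holders of valid keys, and the secret comparison runs even for unknown key ids so that an attacker cannot tell a wrong id from a wrong secret by timing.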

Phishing Scam Disguised As Some of Victims' Most-Trusted Websites Hits Google Chrome's Mobile Browser

A shockingly simple but convincing phishing scam has struck Google Chrome's mobile browser, camouflaged as some of the victims' most trusted sites.

Referred to as the 'Inception Bar', it has targeted Android users of Chrome by using a fake address bar that shows not only the name of a real site but also an SSL badge, used to confirm a site's authenticity, indicating that the page is secure.

This 'Inception Bar' is basically a webpage inside a webpage: even if a user tries to scroll back to the top of the page to reach the real address bar, they are held down, trapped in the fake page.

According to developer Jim Fisher, who posted about the technique on his own blog, hackers can use a combination of code and screenshots to trick victims into giving up their private information.

Fisher even demonstrated that he was able to change the displayed URL of his own site to that of HSBC Bank.

This trick is especially valuable for scammers who try to disguise a malicious web page as a genuine one and steal sensitive data from users such as passwords and credit card information.

With some additional coding, Fisher says, the trick could be made more advanced simply by making the fake bar interactive.

While his demo was done on Google Chrome, the trick could potentially affect other browsers with similar features.

In any case, Google has gone on to introduce a rather large set of new security features that explicitly target phishing, including forbidding embedded browsers and other features that notify users when they're browsing a 'potentially harmful' website.

Hackers release around 845GB of username and password dumps from old breaches

According to Kaspersky Lab, the database of billions of user passwords published at the end of January was collected from well-known old leaks.

On January 31, Wired reported that hackers released a giant database that contains 2.2 billion unique usernames and passwords. In total, the entire archive of stolen data was the size of 845 gigabytes.

Kaspersky Lab studied this database and concluded that it does not contain any new information.

"This is a database of already known old leaks," said a representative of Kaspersky Lab.

It’s interesting to note that among the stolen data were accounts for popular services such as Yahoo, LinkedIn and Dropbox. All three of these companies previously reported major leaks of their databases. Russian hackers were suspected of involvement in the thefts.

However, Kaspersky Lab experts advised checking whether one's email appears in the database through the website, and changing the passwords for one's most important accounts.

Russian Hacking Group Targets The German Government’s Internal Communications Network

An infamous Russian hacking group known as Fancy Bear, or APT28, is widely considered responsible for a security breach of the private networks of Germany's defence and interior ministries, as confirmed by a government spokesman.

It is said to be behind the breaches during the 2016 US election as well as various cyber-attacks on the West. The group is reported to have targeted the government's internal communications network with malware.

According to reports by the DPA news agency, the hack was first recognized in December and may have been going on for up to a year.

"We can confirm that the Federal Office for Information Security (BSI) and intelligence services are investigating a cyber-security incident concerning the federal government's information technology and networks," a German interior ministry spokesman said on Wednesday.

The group apparently hacked into a government computer system specifically designed to operate separately from public networks for additional security, known as the "Informationsverbund Berlin-Bonn" (IVBB) network. The system is used by the German Chancellery, parliament, federal ministries and several security institutions.

Fancy Bear, also called Pawn Storm, is believed to run a global hacking campaign that is "as far-reaching as it is ambitious", according to a report by computer security firm Trend Micro.

Palo Alto Systems, a cyber-security firm, on Wednesday released a report saying that Fancy Bear now appears to be using malicious emails to target North American and European foreign affairs officials, including a European embassy in Moscow.

"Pawn Storm” was also blamed for a similar attack on the lower house of the German parliament in 2015 and is likewise thought to have targeted the Christian Democratic Union party of Chancellor Angela Merkel.

Authorities in the country issued repeated warnings about the potential for "outside manipulation" in last year's German election.

The hacking group has been linked to the Russian state by various security experts investigating its international hacks and is also known by several other names, including CozyDuke, Sofacy, Sednit and Tsar Group.

Hacker breaks into Telangana’s TSPost website, exposes flaw

Indian government sites are often criticized for their lack of cyber security and for the safety of people’s information. Pointing out a flaw in the Telangana government’s NREGA portal, French hacker and independent security researcher Robert Baptiste hacked into the state government’s website.

He reportedly contacted the site owners regarding the issue and after receiving no response for some time, published his results on social media.

The website ( was vulnerable to one of the most basic web hacking techniques, an SQL injection. It has now gone offline in the wake of this news.

“A basic SQL injection allows an attacker to access the database of the website,” Robert said. “To be clear, all the data on this website can be a dump. Telangana government officials say they are working to fix it. For this website, they have to hire decent web developers to protect it from attacks.”

TSPost, Telangana’s government benefit disbursement portal, contained the account details and Aadhaar numbers of over 56 lakh NREGA beneficiaries and 40 lakh beneficiaries of social security pensions.

Using the SQL injection, Robert was able to access not just the Aadhaar and account details from the website but also the API keys for UIDAI’s Aadhaar database, access to which could enable anyone capable enough to build a fake Aadhaar app and upload it to the Google Play Store for malicious use.

This is one of the many cases pointing out how vulnerable the Aadhaar system is to hacking and security breaches.
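To make the class of defect Robert describes concrete, here is an added Python example; it is not code from the TSPost site or from the researcher. It puts a lookup that splices the caller's input into the SQL text next to the parameterised version that removes the problem. The table, its rows and every identifier in it are constructed for the demonstration and stand in for no real beneficiary data.

```python
import sqlite3

# Constructed sample rows standing in for a benefit-disbursement table.
# The ids, masked numbers and account labels are made up for this example.
SAMPLE_ROWS = [
    ("BEN-001", "XXXX-XXXX-1111", "account-a"),
    ("BEN-002", "XXXX-XXXX-2222", "account-b"),
    ("BEN-003", "XXXX-XXXX-3333", "account-c"),
]


def build_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE beneficiaries (beneficiary_id TEXT, id_number TEXT, account TEXT)"
    )
    conn.executemany("INSERT INTO beneficiaries VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, beneficiary_id):
    """The defect: caller input is pasted into the SQL text, so a quote in the
    input ends the string literal and the rest is executed as SQL."""
    query = f"SELECT * FROM beneficiaries WHERE beneficiary_id = '{beneficiary_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, beneficiary_id):
    """The fix: a bound parameter is handed to the database as a value, so it
    can never alter the structure of the statement."""
    return conn.execute(
        "SELECT * FROM beneficiaries WHERE beneficiary_id = ?", (beneficiary_id,)
    ).fetchall()


def demo():
    """Run the same benign and tampered input through both lookups and report
    how many rows each returns."""
    conn = build_db()
    benign = "BEN-002"
    # Constructed input: the leading quote closes the literal and the rest
    # appends an always-true condition to the WHERE clause.
    tampered = "' OR '1'='1"
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_tampered": len(lookup_vulnerable(conn, tampered)),
        "safe_benign": len(lookup_safe(conn, benign)),
        "safe_tampered": len(lookup_safe(conn, tampered)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

With the benign id both functions return the one matching row. With the tampered input the string-built query turns into `... WHERE beneficiary_id = '' OR '1'='1'` and returns every row in the table, which is exactly the whole-database dump the researcher warns about, while the parameterised query looks for a beneficiary literally named `' OR '1'='1` and returns nothing.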

Unknown Hackers demand Ransom in Bitcoin

Recently, news emerged of a ransomware attack in Old Delhi after three of the victims came forward to reveal more about the attack. The victims, all traders, were asked for a ransom in Bitcoin by the unknown hackers.

Although the hackers are believed to be from either Nigeria or Pakistan, they were responsible for encrypting files on the businessmen's computers, which included key records. According to the police, the hackers then coerced the victims and gave them links to purchase bitcoins, with which they had to pay for the release of critical documents.

“Some traders paid in Bitcoins and got their data back. Some deposited the money from abroad. When my data was hacked, I spoke to fellow traders and learnt that there were other such cases. I wrote to the hackers and they agreed to decrypt the files for $1,750 (around Rs 1.11 lakh),” Mohan Goyal, one of the victims, was quoted as saying in the report.

According to reports, the hacked traders found a message displayed on their computers saying there was a 'security issue' in the system. The traders were then given case numbers and email addresses for correspondence. They were at first offered free decryption of five of their documents and files by the hackers, who then demanded a ransom payment for the rest of the records.

While one of the IP addresses used by the hackers was purportedly traced back to a system in Germany, the fingers remain pointed at hackers from Nigeria and Pakistan.

Experts say that taking the money in bitcoin works for the hackers because it makes the money difficult to trace. The Delhi crime branch, which registered the FIR, has already sent the complainants' hard disks for further forensic tests. So far, three complaints have been registered with the police, and it is believed that the number of victims could be much higher.