Cyberattack on Logan Health and Server Intrusion

Logan Health Medical Center has notified 213,543 patients, employees, and business associates that an intrusion into its IT systems compromised a file server containing protected health information, warning that their personal and health data may have been accessed by criminals.

Logan Health Medical Center, according to a letter, first observed evidence of unauthorized activity on one of its servers on November 22, 2021. As a result, the hospital engaged outside forensic experts to investigate the scope of the incident and whether any sensitive personal information had been exposed.

Logan Health CEO Craig Lambrecht reminded staff of their "vital responsibility in protecting patients' sensitive health information" in an email to employees, along with a series of reminders on password security and on responding to emails from unknown senders.

Logan Health Medical Center confirmed on January 5, 2022, that an unauthorized party had gained access to files containing protected health information about specific staff and patients. On February 22, 2022, Logan Health began sending data breach notification letters to everyone whose information was contained in the affected files.

An intruder who gains access to a server can read, copy, or delete any data stored on it. While most organizations can determine which files were exposed in a breach, they often cannot determine which files the intruder actually opened or whether any data was exfiltrated.

The investigation into the Logan Health Medical Center data breach is still in its early stages. There is currently no proof of Logan Health being legally liable for the data breach. However, as more information about the breach surfaces, this could change. 

You can defend yourself from data theft or other forms of fraud by doing the following:

  • Determine what information has been tampered with.
  • Limit who has access to your accounts in the future.
  • Take steps to safeguard your credit and financial accounts.
  • Monitor your credit report and financial accounts regularly.

State Bar of California's Confidential Details Leaked by a Website

The State Bar of California is investigating a data breach after learning that a website was publishing confidential information on about 260,000 attorney discipline cases from California and other jurisdictions. State Bar officials learned of the posted records on Saturday night, Feb 24; the confidential details posted on judyrecords.com, including case numbers, case information and statuses, respondents, filing dates, and witness names, have since been removed.

State Bar executive Leah Wilson in a statement said that the bar apologizes for the site's unauthorized display of personal data. The bar takes full responsibility for protecting confidential data with sincerity, and it is currently doing everything it can to resolve the issue quickly and protect respondents from further attacks. 

According to officials, full case records were not leaked, and it is not yet known whether the published information resulted from a hacking attack. Judyrecords.com is a site that covers court case records nationwide.

The State Bar website lets the public search for case details, but the attorney discipline case details published by judyrecords.com are not meant for public access. The information was stored in the State Bar's Odyssey case management system, which is provided by the vendor Tyler Technologies.

Under the California Business and Professions Code, disciplinary investigations are confidential until formal charges are filed. Following discovery of the breach, the State Bar notified law enforcement and engaged forensic experts to investigate the issue. Tyler Technologies is assisting in the inquiry.

Besides this, the state bar also asked the hosting provider of the website to take down the published information. Judyrecords website says, "Judyrecords is a 100% free nationwide search engine that lets you instantly search hundreds of millions of United States court cases and lawsuits. Judy records have over 100x more cases than Google Scholar and 10x more cases than PACER, the official case management system of the United States federal judiciary. As of Dec 2021, Judy records now features the free full-text search of all United States patents from 1/1/1976 to 11/10/2021 — over 7.9 million patents in total."

A U.S. Group Hacked Top Research Institutes in India, Russia and China

According to a new report from a Beijing-based cybersecurity firm, hackers associated with the United States National Security Agency (NSA) were found to have planted "covert backdoors" that could have given them access to sensitive information in dozens of countries, including India, Russia, China, and Japan. The report is gaining traction in China's media after the country was accused of cyber hacking by the US.

China's cyberattacks targeting sensitive data held by US institutions have become a thorn in the side of bilateral relations between the US and China. Indian organisations, in turn, believe that China hacks into sensitive data held by government agencies and institutions.

The National Security Agency (NSA) is a United States Department of Defense national-level intelligence agency that reports to the Director of National Intelligence (DNI). The NSA is in charge of worldwide information and data monitoring, gathering, and processing for foreign and domestic intelligence and counterintelligence purposes, specialised in a field known as signals intelligence (SIGINT). The NSA is also in charge of protecting the United States' communication networks and information systems. 

Among the allegedly hijacked websites named in the report were those associated with one of India's leading microbial research labs, the Institute of Microbial Technology (IMTech) under the Council of Scientific and Industrial Research, as well as the Indian Academy of Sciences in Bengaluru. Websites associated with the Banaras Hindu University were also reported to have been hacked.

Pangu Lab, a Beijing-based cybersecurity firm, published a technical study outlining how it discovered the backdoors and linked them to "unique IDs in the operating manuals of the NSA" discovered in the 2013 leak of NSA documents by insiders. 

According to the Chinese firm, the NSA files leaked by CIA analyst Edward Snowden in 2013 were highly relevant because they reveal the NSA's unique IDs. The company discovered a key that unlocks a backdoor called Bvp47, a hacking tool created by The Equation Group in partnership with the National Security Agency. This also led to the detection of a number of similar cyberattacks that used the same unique IDs as the NSA platform.

According to the report, which outlined how the backdoor operated, this was a backdoor communication technology that has never been seen before, indicating an organisation with considerable technological capabilities behind it. “As an advanced attack tool, Bvp47 has allowed the world to see its complexity,” it said. “What is shocking is that after analysis, it has been realised that it may have existed for more than 10 years.”

Washington State Database Breach May Expose Personal Data

The Washington State Department of Licensing stated that the personal information of possibly millions of licensed professionals may have been compromised, after it discovered unusual activity on its online licensing system.

According to agency spokesperson Christine Anthony, the agency licenses around 40 types of businesses and professionals, ranging from auctioneers to real estate agents, and it temporarily shut down its web platform after discovering the activity in January.

Social Security numbers, birth dates, and driver's licences could be among the information held in the POLARIS system. According to Anthony, the agency does not yet know whether such data was accessed or how many people may have been affected.

As per The Seattle Times, Anthony stated the agency has been working with the state Office of Cybersecurity, the state Attorney General's Office, and a third-party cybersecurity firm to determine the magnitude of the issue. 

Meanwhile, the POLARIS shutdown is creating problems for professionals and businesses who need to apply for, renew, or update their licences. The outage comes at a busy period for real estate brokers, appraisers, and home inspectors as the state's real estate market begins to recover from its seasonal slowdown.

The extent of the breach is undetermined. According to Anthony, POLARIS processes data for 23 state-licensed professions and business types, and the agency has roughly 257,000 active licences in its system, covering bail bonds brokers, funeral directors, home inspectors, and notaries. Anthony added that more records will likely be uncovered during the investigation.

The State Auditor's Office has set up a website with more details on the security breach, as well as links to additional guidance and resources for protecting identity and credit. The website will be updated regularly with the most recent information. Anyone with questions can contact the Auditor's Office dedicated call centre at 1-855-789-0673, Monday to Friday, 8 a.m. to 5 p.m. Pacific Time.

Exposed Corporate Credentials Endanger the Pharmaceutical Industry

Constella Intelligence has published a report with fresh and additional information on pharma-sector exposures, breaches, and leaks, focusing on employees and executives of the top twenty pharma firms on the Fortune Global 500 list.

The report examined eighteen prominent pharmaceutical corporations and their more than nine hundred subsidiaries around the world to assess exposed services, sensitive platforms, unpatched CVEs, and other security vulnerabilities. Among the major insights were some alarming numbers: 92% of pharmaceutical organisations had at least one exposed database with possible data leakage, and 46% had an exposed SMB service. SMB flaws have already been exploited in prominent attacks such as the WannaCry, NotPetya, Nachi, and Blaster worms.

In 70% of the pharmaceutical M&A deals examined in 2020, the newly acquired subsidiary had a detrimental impact on the parent company's security posture, introducing tens, if not hundreds, of sensitive unprotected and unpatched services. 

The threat intelligence team identified 9,030 breaches/leakages and 4,549,871 exposed records—including attributes such as email addresses, passwords, phone numbers, addresses, and even credit card and banking information—related to employee corporate credentials from the companies examined by analysing identity records from data breaches and leakages discovered in open sources and on the surface, deep, and dark web. 

The proliferation and distribution of this sensitive employee data provides threat actors with the resources they need to carry out a wide range of cyberattacks, including impersonation, phishing, account takeover, and a variety of others that can lead to more sophisticated attacks like ransomware or coordinated disinformation campaigns. 

“The pharma sector’s role within the healthcare ecosystem, especially with today’s public health needs, only emphasizes how critically important it is that these companies protect themselves from cyber threat actors,” said Constella Intelligence CEO, Kailash Ambwani. “As we have seen before, only one exposed employee credential can lead to a company having their systems or supply chain shut down by a data breach leading to a ransomware attack, resulting in a shortage of life-saving supplies.”

Because of their intellectual property and confidential information, as well as their critical role in creating life-saving treatments, pharmaceutical firms are high-value targets for threat actors. The pandemic-driven shift toward remote workforces, combined with accelerating operational digitization, has increased the overall digital footprint of enterprises in this industry, resulting in more digital vulnerabilities and risk.

Forged Kubernetes Apps Used to Extract Sensitive Data from Argo CD Setups

Argo CD is among the most popular Kubernetes continuous deployment tools. Besides being easy to operate, it is also powerful, and it is the first tool that comes to mind for Kubernetes GitOps. For cluster bootstrapping, Argo CD uses the App of Apps pattern.

Instead of creating each Argo CD application by hand, applications can be created programmatically and automatically. The idea is simple: create a single Argo CD application that watches a directory in a git repository, and place all of the Argo CD application definition files there. Whenever a new application definition file is committed to that location, the corresponding Argo CD application is created immediately. In the same way, any Kubernetes object, including Argo CD itself, can be generated or managed.

Apiiro's Security Research team discovered a supply-chain 0-day vulnerability (CVE-2022-24348) in Argo CD, a popular open source continuous delivery platform, which allows attackers to access sensitive data such as secrets, passwords, and API keys.

Argo CD orchestrates and monitors post-integration application deployment. A user can create a new deployment pipeline by specifying an archive or a Kubernetes Helm Chart file which contains:
  • The metadata and data required to deploy the correct Kubernetes setup.
  • The ability to update the cloud setup dynamically as the manifest is changed.

A Helm Chart is a YAML document with multiple fields that together declare the assets and configuration required to deploy an application. File names and relative paths to self-contained sections in other files are one type of value that can appear in such a chart.

In fact, Argo CD contributors anticipated this type of exploitation back in 2019 and designed a dedicated mechanism to guard against it. The vulnerability has two consequences:

First, the direct consequence of reading the contents of other files in the repository, which may contain sensitive data. This alone can have a significant impact on a company.

Second, because application files typically contain a variety of transitive values such as secrets, tokens, and environment-sensitive settings, an attacker can use this to expand the campaign, moving laterally through different services and escalating privileges to gain more ground on the system and the target organization's resources.

Argo CD's repo-server is the central server (pod) where repositories are stored; apart from the file hierarchy there is no robust segmentation, so the anti-path-traversal mechanism is a crucial component of file security. Its inner workings are mostly contained in a single source file, util/security/path_traversal.go, which performs the systematic sanitization of the source path input.
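As an added illustration (example code written for this page, not Argo CD's own implementation), the Go program below contrasts the unsafe pattern, where the repository root is joined with a path taken from a manifest and used as-is, with a containment check that rejects any path resolving outside the root. The root `/repo/app` and the sample relative paths are constructed for the example; no files are actually read.

```go
package main

// Added example (not Argo CD's own code): a repository-root containment check of
// the kind a repo server needs before it follows a file path taken from a manifest
// or Helm values file. NaiveJoin shows the unsafe pattern; SafeJoin the guarded one.

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathEscapesRoot is returned when a requested path would resolve outside the repository root.
var ErrPathEscapesRoot = errors.New("path escapes repository root")

// NaiveJoin is the vulnerable pattern: filepath.Join cleans the path but happily
// follows ".." segments out of the root, so "../../etc/passwd" leaves the repository.
func NaiveJoin(root, rel string) string {
	return filepath.Join(root, rel)
}

// SafeJoin resolves rel against root and rejects absolute paths and any result
// that does not stay strictly below the cleaned, absolute root.
func SafeJoin(root, rel string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	absRoot = filepath.Clean(absRoot)

	if filepath.IsAbs(rel) {
		return "", fmt.Errorf("%w: absolute path %q not allowed", ErrPathEscapesRoot, rel)
	}

	joined := filepath.Clean(filepath.Join(absRoot, rel))

	// Compare against root plus a separator so that a sibling directory such as
	// "/repo/app2" is not mistaken for a child of "/repo/app".
	if !strings.HasPrefix(joined, absRoot+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves to %q", ErrPathEscapesRoot, rel, joined)
	}
	return joined, nil
}

func main() {
	root := "/repo/app" // constructed sample root; nothing is read from disk
	samples := []string{"values.yaml", "charts/../values.yaml", "../../etc/passwd", "/etc/passwd", "../app2/values.yaml"}
	for _, rel := range samples {
		p, err := SafeJoin(root, rel)
		if err != nil {
			fmt.Printf("%-22s -> rejected: %v (naive join would give %s)\n", rel, err, NaiveJoin(root, rel))
			continue
		}
		fmt.Printf("%-22s -> %s\n", rel, p)
	}
}
```

The prefix check is only half of the job on a real checkout: a symlink committed inside the repository can still point outside it, so a production check should also pass the joined path through `filepath.EvalSymlinks` and re-run the same containment test on the result.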

Telco Penalized €9 Million for Obscuring Cyberattack Impact from Customers

The Greek data protection authority fined COSMOTE 5,850,000 EUR ($6.55 million) and OTE 3,250,000 EUR ($3.65 million) for exposing sensitive customer data in a cyberattack.

COSMOTE violated at least eight articles of the GDPR, according to the agency, including its responsibility to inform impacted customers of the full consequences of the incident. 

COSMOTE and OTE (Hellenic Telecommunications Organization) are both part of the OTE Group, Greece's largest technology company, which provides fixed and mobile telephony, broadband, and network communication services.

COSMOTE launched an internal investigation in 2020 and discovered that a hacker had used LinkedIn to social-engineer one of its employees and then used brute-forcing techniques to obtain the target's account credentials. According to the investigation's findings, the attacker repeatedly used a Lithuanian IP address to access one of OTE's servers. On five separate occasions, the threat actor used the account credentials to extract database files; the stolen data was 48GB in size.

COSMOTE keeps call details on its servers for 90 days for service quality assurance and for a further 12 months for statistical analysis that supports targeted service enhancement. The data protection authority's investigation found that the anonymization process was not done effectively and that the data retention periods were not fully adhered to.

The compromised server included sensitive subscriber information and call data for the dates September 1, 2020, to September 5, 2020. 

The following are some of the details that were exposed:
  • Rough positional data of 4,792,869 unique COSMOTE subscribers.
  • Age, gender, plan, and ARPU of 4,239,213 unique COSMOTE subscribers.
  • MSISDN/CLI of 6,939,656 users of other telecommunication providers who communicated with customers of COSMOTE.
  • MSISDN, IMEI, IMSI, and connected tower position for 281,403 roaming subscribers of COSMOTE.

In some circumstances, the above data could be used for highly targeted social engineering, phishing, and even extortion. For targeted subscribers who may be high-interest individuals, the consequences of the attack could be substantial.

Servers for Dark Souls 3 Have Been Shut Down Due to a Critical RCE Bug

Bandai Namco has taken the Dark Souls role-playing game's online PvP feature offline, shutting down its servers to investigate reports of a major security issue that may endanger players. According to Reddit user reports, the vulnerability is a remote code execution (RCE) flaw that could allow attackers to take control of a player's system, giving them access to sensitive information, the ability to plant malware, or use of the machine's resources for cryptocurrency mining.

According to the reports, the exploit is currently being disseminated, and it may also work against Elden Ring, an upcoming Bandai Namco title. On Saturday, a Discord post clarified that the game developer had received details about the RCE vulnerability via a responsible disclosure report directly from the individual who identified it. Bandai Namco is said to have ignored the report, and considering the gravity of the flaw, the reporter chose to demonstrate it on popular streamers to raise awareness and illustrate how critical it is.

The exploit was demonstrated on the Twitch stream of a player named The Grim Sleeper. An unknown entity launched a PowerShell script on the streamer's PC, which used the Windows Narrator engine to read out crucial notes about the gameplay. 

"For example, the creator of the exploit has already shared information about the vulnerability with the developers of the Blue Sentinel plugin, a mod for Dark Souls designed to counteract cheats. And one can only guess who else could get this information," researchers wrote. "Also, once demonstrated, other hackers may try to replicate the exploit and use it to cause real harm to players," researchers continued. "There are various possible scenarios here: attackers can use it to steal passwords from game accounts or crypto-wallets, install good old ransomware, hidden miners and much more." 

According to Saryu Nayyar, CEO and Founder of Gurucul, this attack highlights the vulnerability of remote workers accessing corporate resources via home networks and personal devices. Because we connect our gaming systems to the same network as resources connected to the corporate network, the virus can simply migrate from home to a much larger operation, she explained. 

That is why, she adds, it is vital for security teams to understand how users use network resources and to incorporate that knowledge into an evaluation of the risks and severity associated with attack campaigns. RCE vulnerabilities are not new, but they are hazardous when no one is aware of them, according to Jorge Orchilles, CTO of SCYTHE.

Russian Hackers Employ Malicious Traffic Direction Systems to Spread Malware



Researchers have discovered possible links between a subscription-based crimeware-as-a-service (CaaS) solution and a cracked copy of Cobalt Strike, which they presume is being offered as a tool for customers to stage post-exploitation operations.

Prometheus is a metrics-based open-source monitoring and alerting system for cloud applications. Nearly 800 cloud-native companies, including Uber, Slack, and Robinhood, use it.

Prometheus offers convenient observation of a system's state along with hardware and software metrics like memory use, network utilization, and software-specific defined metrics by scraping real-time information from numerous endpoints (ex. number of failed login attempts to a web application).

Prometheus has a stated policy of omitting built-in support for security features such as authentication and encryption, because the numeric metrics it collects are not deemed sensitive data; this lets the project focus on monitoring-related features. Separately, Prometheus is being advertised on Russian underground forums as a traffic direction system (TDS) that allows bulk phishing redirection to rogue landing pages designed to deliver malware payloads to targeted computers, for $250 per month.

"A system of a malicious technology, malicious email circulation, illicit folders across authorized platforms, traffic diversion, and the capacity to deliver infected files are the significant elements of Prometheus," the BlackBerry Research and Intelligence Team stated in a report. 

The redirection originates from one of two places: malicious advertisements on legitimate websites, or websites that have been tampered with to host harmful code. The attack chain begins with a spam email containing an HTML file or a Google Docs page; when opened, it redirects the victim to a compromised website hosting a PHP backdoor, which fingerprints the machine to decide whether to serve the victim malware or redirect the user to another page that may contain a phishing scam.

While TDS's aren't a novel concept, the level of sophistication, support, and cheap financial cost lend validity to the hypothesis that this is a trend that will likely emerge in the threat environment in the near future, the researchers wrote.

Anyone running a Prometheus deployment is strongly advised to query its HTTP endpoints to check whether sensitive data was exposed before Prometheus's authentication and TLS features were enabled.
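The following Go program is an added example (not part of the original post or of the Prometheus project) of the kind of check meant here: it sends a credential-less GET to a few Prometheus HTTP endpoints and reports which ones answer 200. The endpoint list is this example's assumption; of the three, `/api/v1/status/config` is the one to worry about, because it returns the server's running configuration.

```go
package main

// Added example, not Prometheus's own code: an inventory check that reports which
// of a Prometheus server's HTTP endpoints answer a GET without any credentials.
// The endpoint list below is this example's assumption.

import (
	"fmt"
	"net/http"
	"os"
	"time"
)

// SensitivePaths are endpoints worth checking on a Prometheus server.
var SensitivePaths = []string{
	"/metrics",
	"/api/v1/targets",
	"/api/v1/status/config",
}

// UnauthenticatedPaths sends a credential-less GET to each path under baseURL and
// returns the paths that answer 200, i.e. those readable without authentication.
// A transport error (server down, TLS failure) is returned rather than counted.
func UnauthenticatedPaths(client *http.Client, baseURL string, paths []string) ([]string, error) {
	var open []string
	for _, p := range paths {
		resp, err := client.Get(baseURL + p)
		if err != nil {
			return open, fmt.Errorf("GET %s%s: %w", baseURL, p, err)
		}
		resp.Body.Close()
		if resp.StatusCode == http.StatusOK {
			open = append(open, p)
		}
	}
	return open, nil
}

func main() {
	base := "http://localhost:9090" // Prometheus's default listen address; override with argv[1]
	if len(os.Args) > 1 {
		base = os.Args[1]
	}
	client := &http.Client{Timeout: 5 * time.Second}
	open, err := UnauthenticatedPaths(client, base, SensitivePaths)
	if err != nil {
		fmt.Fprintln(os.Stderr, "probe failed:", err)
		os.Exit(1)
	}
	if len(open) == 0 {
		fmt.Println("no listed endpoint is readable without credentials")
		return
	}
	for _, p := range open {
		fmt.Println("readable without credentials:", base+p)
	}
}
```

Run it against your own server (for example `go run . https://prometheus.internal:9090`) after enabling authentication; any path it still lists is reachable by anyone who can reach the port, and an unauthenticated `/api/v1/status/config` means the scrape configuration was readable for as long as the server ran without authentication.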

Data Breach at Ciox Health Exposed Information on Over 12,000 Patients

Thousands of people's protected health information (PHI) may have been compromised in a hacking attack on a Georgia-based healthcare information management organization. Clinical or treatment information, as well as Social Security numbers, were among the sensitive data compromised in Ciox Health's cyberattack last summer. Ciox Health is headquartered in Alpharetta, Georgia, and offers services in release of information (ROI), record retrieval, and health information management. Ciox serves three out of every five hospitals and over 16,000 physician practices.

According to a recent Ciox Health notification, an unauthorized person accessed a Ciox employee's email account between June 24 and July 2, 2021. The threat actor may have utilized that access to download emails and attachments related to the compromised account, according to the firm. 

“Ciox reviewed the account’s contents to determine whether sensitive information was contained in the account,” said the notice. “On September 24 2021, Ciox learned that some emails and attachments in the employee’s email account contained limited patient information related to Ciox billing inquiries and/or other customer service requests.” 

According to the company, no fraud or theft has been detected as a result of the incident. "We believe that the account access occurred for purposes of sending phishing emails to individuals unrelated to Ciox, not to access patient information," Ciox Health said in a statement. "Protecting the privacy and security of the information Ciox maintains is critically important to us, and we are continuing to take steps to further strengthen our email security." 

Ciox investigated the case in early November and began alerting patients later that month. The account information was related to billing inquiries and customer service requests, and it could have included patient names, provider names, dates of birth, dates of service, health insurance information, clinical information, or social security or driver's license numbers. 

On December 30, the data breach was reported to the US Department of Health and Human Services' Office for Civil Rights as a hacking/IT issue affecting 12,493 people. The security notice was issued on behalf of 32 different healthcare providers, including Children's Healthcare of Atlanta, Indiana University Health, Niagara Falls Memorial Medical Center Health System, and Sarasota County Public Hospital District d/b/a Sarasota Memorial Health Care System, and was published on Ciox Health's website.

Morgan Stanley to Pay $60M to Resolve Data Security Lawsuit

 

Morgan Stanley agreed to pay $60 million in a preliminary settlement of a class-action lawsuit filed against the company on Friday, according to Reuters, for allegedly neglecting to secure customers' personal data before retiring outdated information technology. 

The settlement offer awaits the approval of New York District Judge Analisa Torres. The lawsuit was filed on behalf of around 15 million Morgan Stanley clients in response to two separate occurrences that occurred in 2016 and 2019. 

In the first incident, Morgan Stanley decommissioned two wealth management data centres. The bank's vendor, Triple Crown, was tasked with deleting or destroying the unencrypted computer equipment before removing it from the centres. Some of this equipment was later found to still contain data after it had left the vendor's control. According to Morgan Stanley, the vendor removed the devices and resold them to a third party without permission.

The second incident, part of a hardware refresh programme, involved the replacement and removal of branch office equipment. The bank was unable to locate some of these devices, which, due to a software error, could have retained previously deleted information on their discs in unencrypted form.

Customers will receive a minimum of two years of fraud insurance coverage as part of the proposed settlement, as well as compensation for up to $10,000 in related out-of-pocket losses. The bank also stated that it would improve its data security procedures. 

Morgan Stanley maintains that there was no wrongdoing on its part, even though it is seeking a settlement. In a move to dismiss the complaint filed in August 2021, the bank said that despite extensive investigations and ongoing surveillance over the years, it has not discovered a single instance of data misuse generated from any of its own sources. Morgan Stanley was fined $60 million in civil penalties in October 2020 for failing to adequately supervise the decommissioning of its data centres in 2016. 

The Office of the Comptroller of the Currency imposed the penalty after discovering that the bank: failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices.

PulseTV Discloses Potential Breach Affecting 200,000 People

PulseTV, a popular online store in the United States, has revealed a credit card data breach affecting over 200,000 customers.

According to the notice letter filed with the Office of the Maine Attorney General, VISA notified the company on March 8, 2021, that its website (www.pulsetv.com) was a common point of purchase for some fraudulent credit card transactions, owing to a probable compromise. The company conducted security tests on its website but found no evidence of a breach.

VISA alerted the company again in July, but law enforcement only contacted it a few months later about further payment card fraud that appeared to have originated from its website. The company engaged legal counsel, who hired cybersecurity experts to assist. The investigators learned on November 18, 2021, that the website had been identified as a common point of purchase for several fraudulent MasterCard credit card transactions.

The data breach notification letter stated, “On November 18, 2021, our investigator learned that the website had been identified as a common point of purchase for a number of unauthorized credit card transactions for MasterCard. Based upon communications with the card brands, it is believed that only customers who purchased products on the website with a credit card between November 1, 2019, and August 31, 2021, may have been affected. The investigation was unable to verify that the website was the cause of the unauthorized transactions.” 

“However, in an abundance of caution, PulseTV is notifying customers, including you, who purchased products on our website during that time period so that they can take steps to protect and secure their credit card information.” 

According to PulseTV, only customers who purchased products on the website using a credit card between November 1, 2019, and August 31, 2021, were affected. The information that may have been compromised includes:
  • Full name
  • Shipping address
  • Email address
  • Payment card number
  • Payment card expiration date
  • Payment card security code (CVV)

Customers may be vulnerable to a variety of scams, including fraudulent card-not-present transactions. To avoid similar incidents in the future, the company will take the following steps: adding two-factor authentication to all internal devices, implementing endpoint detection and response technologies to improve network visibility and threat prevention, and switching to a new payment system.

The company is still working with payment card networks and law enforcement to investigate the security compromise, and it has notified state regulators and affected customers. 

The letter concluded, “We recommend that you remain vigilant for incidents of fraud and identity theft by regularly reviewing your account statements and monitoring free credit reports for any unauthorized activity. Information on additional ways to protect your information, including how to obtain a free credit report and a free security freeze, can be found at the end of this letter.”
  
“You should report any incidents of suspected identity theft to your local law enforcement and state Attorney General. If you believe your payment card information may have been compromised, we strongly encourage you to contact your payment card company and/or financial institution and request that the card be cancelled.”

RIPTA Hit By Data Breach, Sensitive Information At Risk

Rhode Island Attorney General Peter Neronha said earlier this week that he is opening an investigation into a data breach involving the Rhode Island Public Transit Authority (RIPTA). The news follows this week's outrage over the organization's handling of the breach.

RIPTA's office says it is currently receiving many calls about the incident from people asking it to look into what took place. RIPTA sent out a notification on December 21 saying that it had suffered a security breach in August; it later confirmed that data was exfiltrated from its systems on August 3 and August 5. 

The affected files held details about RIPTA health plans, including addresses, Social Security numbers, Medicare identification numbers, dates of birth, qualification information, claims information, and health plan member identification numbers. The US Department of Health and Human Services breach portal reports that 5,015 people were affected. Recently, the ACLU of Rhode Island asked RIPTA to explain why sensitive information of people with no links to the organization was involved in the breach. 

"Local ACLU chapter executive director Steven Brown says his chapter has received complaints from people who got letters from RIPTA notifying them that their personal data, including personal health care information, was accessed in a security breach of RIPTA's computer systems," ZdNet reports. 

The letters revealed a discrepancy between the figures: the HHS breach portal lists 5,015 affected people, while the notification sent to victims cites 17,378. 

"Worst -- and most inexplicable -- of all, the people who have contacted us are even more deeply distressed by the fact that RIPTA somehow had any of their personal information -- much less their personal health care information -- in the first place, as they have no connection at all with your agency," Brown says. The process was time-consuming, but RIPTA wanted to be sure what data was compromised in the breach and to whom it belonged to.

FinTech Company Struck by Log4j Says "No" to Paying the Ransom

 

ONUS, one of the largest Vietnamese crypto trading platforms, was recently hit by a cyberattack. Hackers aimed for the company's payment system, which was running a vulnerable version of Log4j. 

Following the intrusion, extortion began: the hackers reportedly demanded a $5 million ransom, threatening to publish user data otherwise. According to BleepingComputer, the company refused to pay, and as a result the data of nearly 2 million ONUS users was put up for sale on forums. 

Around December 9, a proof-of-concept (PoC) exploit for the widely publicised Log4j vulnerability, CVE-2021-44228, appeared on GitHub, and threat actors have been exploiting it at scale ever since. ONUS's Cyclos server, which ran a version of Log4j vulnerable to Log4Shell, was one of their targets. 

Between December 11 and December 13, the hackers successfully exploited it and installed backdoors to entrench their access. On December 13, a Cyclos alert reportedly told ONUS that its systems needed patching; although the Cyclos instance was then patched, the response came too late, and the threat actors had had ample time to steal important data. According to BleepingComputer, the databases held nearly 2 million customer records, including E-KYC (Know Your Customer) information, hashed passwords, and personal information. Notably, the Log4Shell flaw was discovered on a sandbox server used "for programming purposes only." 

However, hackers were able to get access to other storage sites, such as Amazon S3 buckets, where production data was stored, due to a system misconfiguration. The threat actors reportedly demanded a $5 million ransom from ONUS, which the business refused and instead decided to inform customers about the cyberattack through a closed Facebook group. 

Chien Tran, ONUS's CEO, declared: “As a company that puts safety first, we are committed to providing our customers with transparency and integrity in business operations. (…) That is why, after careful consideration, the right thing we need to do now is to inform the entire ONUS community about this incident.” 

According to an ONUS announcement on the subject, hackers were able to obtain the following consumer data from the fintech firm: 
• Name, phone number, and email address; 
• Address; 
• KYC data (procedures used by Fintech enterprises to get identification documents and customers’ proofs along with “video selfie” for an automated check); 
• Encrypted history; 
• Transaction history; 
• Other encrypted data. 

The Misconfiguration in the Amazon S3 Buckets 

Besides Log4j, which gave the threat actors their entry point, there was also a problem with ONUS’ Amazon S3 buckets: improper access control. CyStack investigated the incident and published a report detailing the attack and the backdoor the hackers planted on the compromised system.

“During monitoring, CyStack – ONUS’s security partner, detected and reported a cyberattack on ONUS system to us. The hacker took advantage of a vulnerability in a set of libraries on the ONUS system to get into the sandbox server (for programming purposes only). However, due to a configuration problem, this server contains information that gave bad guys access to our data storage system (Amazon S3) and stole some essential data.” 

“Also on these servers, ONUS had a script to periodically back up the database to S3 which contained the database hostname and username/password as well as backup SQL files. As a consequence, the attackers could access the ONUS database to get user information. (…) To facilitate access, the attackers downloaded and ran a backdoor on the server. This backdoor was named kworker for the purpose of disguising as the Linux operating system’s kworker service. (…) The kworker backdoor obtained was written in Golang 1.17.2 and built for Linux x64. It was used as a tunnel connecting the C&C server and the compromised server via SSH protocol (a wise way to avoid detection!).” 
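The backdoor described in CyStack's quote hid by taking the name of a kernel worker thread. Genuine Linux kworker threads are kernel threads: they have an empty command line, no executable on disk, and kthreadd (PID 2) as their parent, so a renamed user-space binary fails at least one of those checks. The script below is an added example written for this post, not CyStack's or ONUS's code; the sample process table it scans is constructed.

```python
"""Spot user-space processes masquerading as kernel worker threads.

Added example, not code from CyStack's report or ONUS. On Linux a genuine
kworker is a kernel thread: it has an empty /proc/<pid>/cmdline, no
/proc/<pid>/exe link, and its parent is kthreadd (PID 2). A renamed binary
fails at least one of those checks, whatever its comm field says.
"""
import os
from dataclasses import dataclass
from typing import Iterable, List, Optional

KTHREADD_PID = 2


@dataclass
class ProcInfo:
    pid: int
    comm: str            # /proc/<pid>/comm, e.g. "kworker/u8:1"
    ppid: int            # parent PID from /proc/<pid>/stat
    cmdline: bytes       # /proc/<pid>/cmdline; empty for kernel threads
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None for kernel threads


def is_masquerading_kworker(p: ProcInfo) -> bool:
    """True if a process calls itself kworker but looks like a user-space binary."""
    if not p.comm.startswith("kworker"):
        return False
    return bool(p.cmdline) or p.exe is not None or p.ppid != KTHREADD_PID


def find_masquerading(procs: Iterable[ProcInfo]) -> List[int]:
    """PIDs of every process in the table that fails the kernel-thread checks."""
    return [p.pid for p in procs if is_masquerading_kworker(p)]


def read_proc(pid: int) -> Optional[ProcInfo]:
    """Collect the fields above from /proc; None if the process vanished."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        with open(f"{base}/stat") as f:
            stat = f.read()
        # comm may contain spaces, so parse the fields after the last ')'
        ppid = int(stat[stat.rindex(")") + 1:].split()[1])
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read()
    except OSError:
        return None
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        # Kernel threads have no exe link. Without root, readlink on another
        # user's process also fails, so run the live scan as root.
        exe = None
    return ProcInfo(pid, comm, ppid, cmdline, exe)


def scan_live() -> List[int]:
    """Scan the running system (Linux only)."""
    procs = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            info = read_proc(int(name))
            if info is not None:
                procs.append(info)
    return find_masquerading(procs)


# Constructed sample: one real kernel thread, one renamed binary, one daemon.
SAMPLE = [
    ProcInfo(123, "kworker/u8:1", 2, b"", None),
    ProcInfo(4242, "kworker", 1, b"./kworker\x00", "/tmp/kworker"),
    ProcInfo(77, "sshd", 1, b"/usr/sbin/sshd\x00-D\x00", "/usr/sbin/sshd"),
]

if __name__ == "__main__":
    print("suspicious PIDs in sample:", find_masquerading(SAMPLE))
```

The check deliberately ignores the process name alone and only trusts properties a user-space program cannot fake: it cannot clear its exe link, and it cannot re-parent itself under kthreadd. An outbound SSH session from such a process, as in the tunnel CyStack describes, is the corroborating signal to look for in network telemetry.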

According to BleepingComputer, because the organisation declined to pay the ransom, customer data was on sale on a data breach marketplace by December 25. The hackers claim to hold 395 copies of ONUS database tables containing personal information and hashed passwords. 

CyStack advised ONUS to fix Log4j, deactivate any exposed AWS credentials, and properly configure AWS access rights, as well as the recommendation that public access to crucial S3 buckets be blocked. Users should upgrade to the current Log4j version 2.17.1 as soon as possible. ONUS also stated that none of its assets was harmed and that the company's team has been working with security specialists to identify and address flaws. 
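CyStack's recommendations come down to two configuration checks on the storage side: no bucket policy should grant access to everyone, and the account-level Block Public Access settings should all be on, so that a leaked backup script or credential on a compromised host does not turn into a public data store. The audit below is an added example written for this post, not CyStack's or ONUS's tooling. The two bucket policies, the bucket name and the account id in them are constructed; the four Block Public Access setting names are AWS's real ones.

```python
"""Audit an S3 bucket policy and Block Public Access settings for public grants.

Added example, not code from CyStack or ONUS. The policy documents, bucket
name and account id are constructed; the four Block Public Access setting
names are the real AWS ones.
"""
import json
from typing import Any, Dict, List

BLOCK_PUBLIC_ACCESS_SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} means every AWS user and anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_grants(policy_json: str) -> List[str]:
    """Return one finding per Allow statement whose principal is everyone."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny aimed at "*" is a hardening, not a leak
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        note = " (has Condition; check it really restricts access)" if stmt.get("Condition") else ""
        findings.append(f"{sid}: allows {actions} to everyone{note}")
    return findings


def missing_block_settings(cfg: Dict[str, bool]) -> List[str]:
    """Names of Block Public Access settings that are absent or False."""
    return [k for k in BLOCK_PUBLIC_ACCESS_SETTINGS if not cfg.get(k, False)]


# Constructed weak policy: the backup bucket is readable by anyone.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-db-backups/*",
    }],
})

# Constructed hardened policy: one role may write, and plaintext transport is
# denied for everyone (a Deny, so it is not reported as a public grant).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BackupWriterOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
            "Action": ["s3:PutObject"],
            "Resource": "arn:aws:s3:::example-db-backups/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-db-backups",
                         "arn:aws:s3:::example-db-backups/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

WEAK_BLOCK_CFG = {"BlockPublicAcls": True, "IgnorePublicAcls": False}
HARDENED_BLOCK_CFG = {k: True for k in BLOCK_PUBLIC_ACCESS_SETTINGS}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, public_grants(pol) or "no public grants")
    print("missing block settings:", missing_block_settings(WEAK_BLOCK_CFG))
```

For a real bucket, the policy string comes from `aws s3api get-bucket-policy --bucket <name>` (the `Policy` field) and the settings dictionary from `aws s3api get-public-access-block --bucket <name>` (the `PublicAccessBlockConfiguration` field). Credentials embedded in a backup script, as in the ONUS case, are a separate finding: a bucket that is correctly locked down is still reachable by whoever holds that key, which is why CyStack's advice to deactivate the exposed credentials comes first.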

The company's asset management and storage system, ONUS Custody, was also improved. In the event of an asset loss, the firm states that the ONUS Protection Fund would cover the loss.

Hackers Leaked Vestas' Data After Ransomware Attack

 

Personal information stolen from Vestas (VWS.CO) by hackers in a ransomware attack last month has been made public, the company announced late Wednesday. 

Vestas had to shut down IT systems across multiple business units and locations on Nov. 19 because of a cyber security incident. Vestas is a prominent wind turbine producer, installer, and service provider in North America, with 40,000 MW installed and over 36,000 MW in operation in the United States and Canada.

The Danish firm stated that it was able to continue operations despite the fact that information had been compromised. 

Vestas said in a statement, "The hackers managed to retrieve data from the compromised internal file share systems and have made some of the compromised data public." 

Most of the leaked data is personal information such as names, contact details, and CVs, but it also includes more sensitive data such as social security numbers and bank account information, the company added. 

"Due to the potential risk caused by the leak of personal data, Vestas encourages all employees and business partners to continue to stay vigilant of any indications of misuse of their personal data." 

Ransomware, which has dominated cybersecurity threats this year, encrypts victims' data and can shut down an organization's network or be used to steal data. In most cases, the attackers offer the victim a decryption key in exchange for cryptocurrency payments of hundreds of thousands or even millions of dollars. 

Critical Infrastructure 

Vestas employs 25,000 people and has production sites in 16 countries, with a revenue of over a billion USD per year. Vestas plays a critical role in delivering such services as governments accelerate the adoption of pollution-reduction regulations and roll out renewable energy investment initiatives. 

Vestas was already dealing with supply chain challenges and rising material prices, so this cyberattack struck at an especially inconvenient moment. As ransomware gangs ramp up their attacks in search of higher payments, critical infrastructure has become increasingly vulnerable to cyberattacks. 

Ireland's Health Service Executive, meat producer JBS, and US gasoline pipeline Colonial Pipeline have all been targets of previous attacks on critical infrastructure.

This Decade-old Malware has Picked Some Nasty New Tactics

 

Qakbot, a popular trojan for stealing bank credentials, has recently started delivering ransomware, making it more difficult for network defenders to identify what is and isn't a Qakbot attack. 

Qakbot is a particularly versatile piece of malware that has been active for over a decade and has survived despite Microsoft and other security firms' multi-year attempts to eliminate it. In 2017, Qakbot adopted WannaCry's lateral movement techniques, such as infecting all network shares and drives, brute-forcing Active Directory accounts, and creating copies of itself using the SMB file-sharing protocol. 

According to Kaspersky's new investigation of Qakbot, it is unlikely to go away very soon. As per its detection statistics for Qakbot, it infected 65 per cent more PCs between January and July 2021 than it did the previous year. As a result, it is becoming increasingly dangerous. 

Qakbot is modular, as per Microsoft, allowing it to masquerade as unique attacks on each device on a network, making it tough to identify, prevent, and remove by defenders and security tools. 

The Microsoft 365 Defender Threat Intelligence Team stated in its report, "Due to Qakbot's high likelihood of transitioning to human-operated attack behaviours including data exfiltration, lateral movement, and ransomware by multiple actors, the detections seen after infection can vary widely." 

Given the difficulty in identifying a common Qakbot campaign, the Microsoft team has profiled the malware's approaches and behaviours to aid security analysts in detecting it. Emailed attachments, links, or embedded images are the most common distribution methods. It is also known to attack machines using Visual Basic for Applications (VBA) macros and legacy Excel 4.0 macros. In July, TrendMicro examined a significant Qakbot campaign that employed this tactic. 

Qakbot hides harmful processes using process injection, creates scheduled activities that stay on the machine, and manipulates the Windows registry. Once installed on an infected system, it uses a variety of lateral movement techniques, as well as the Cobalt Strike penetration-testing framework and ransomware. 

Last year, the FBI warned that the Qakbot trojan was distributing ProLock, a type of "human-operated ransomware." This was a concerning finding, because Qakbot-infected machines on a network must be isolated: they serve as the bridgehead for a ransomware attack. Microsoft noted that Qakbot has injected into MSRA.exe and Mobsync.exe to run various network 'discovery' commands and to steal Windows credentials and browser data. 
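The injection hosts Microsoft names give defenders a simple parent/child rule: MSRA.exe (Windows Remote Assistance) and Mobsync.exe (Sync Center) have no business spawning host- or network-discovery utilities. The detector below is an added example written for this post, not Microsoft's own detection logic. It runs over constructed process-creation records in a made-up pipe-delimited format; the host names and the list of discovery utilities are assumptions for the example, while the two injection hosts come from the text above.

```python
"""Flag discovery commands spawned from processes Qakbot is known to inject into.

Added example, not Microsoft's detection logic. The text above names
MSRA.exe and Mobsync.exe as Qakbot injection hosts; neither has a
legitimate reason to launch discovery tools. The record format, host
names and the DISCOVERY_TOOLS set are constructed/assumed for the example.
"""
from typing import Dict, Iterable, List

# Injection hosts named in the text (lower-cased basenames).
INJECTION_HOSTS = {"msra.exe", "mobsync.exe"}

# Assumed set of common host/network discovery utilities.
DISCOVERY_TOOLS = {"net.exe", "net1.exe", "nltest.exe", "whoami.exe",
                   "arp.exe", "ipconfig.exe", "nslookup.exe", "route.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed process-creation record:
    timestamp|host|parent_image|image|command_line
    """
    ts, host, parent, image, cmdline = line.rstrip("\n").split("|", 4)
    return {"ts": ts, "host": host, "parent": parent,
            "image": image, "cmdline": cmdline}


def is_suspicious(ev: Dict[str, str]) -> bool:
    """Parent is an injection host and the child is a discovery tool."""
    return (_basename(ev["parent"]) in INJECTION_HOSTS
            and _basename(ev["image"]) in DISCOVERY_TOOLS)


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the events that match the parent/child rule."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample log: discovery from injected hosts plus benign noise.
SAMPLE_LOG = [
    "2021-10-05T09:12:01Z|WS-0142|C:\\Windows\\System32\\msra.exe|C:\\Windows\\System32\\net.exe|net view /all",
    "2021-10-05T09:12:03Z|WS-0142|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\net.exe|net use Z: \\\\fs01\\share",
    "2021-10-05T09:12:07Z|WS-0142|C:\\Windows\\System32\\mobsync.exe|C:\\Windows\\System32\\nltest.exe|nltest /dclist:corp",
    "2021-10-05T09:12:09Z|WS-0142|C:\\Windows\\System32\\msra.exe|C:\\Windows\\System32\\whoami.exe|whoami /all",
    "2021-10-05T09:13:00Z|WS-0143|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\mobsync.exe|mobsync.exe -Embedding",
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_LOG):
        print(f"{ev['ts']} {ev['host']}: {_basename(ev['parent'])} -> {ev['cmdline']}")
```

The rule keys on the parent rather than the command line because the discovery commands themselves (`net view`, `whoami`) are common in legitimate administration; it is the unexpected parent that makes them worth an alert. The same two-field rule translates directly to a SIEM query over real process-creation telemetry such as Sysmon Event ID 1 or Windows Security event 4688.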

Other criminal groups can use Qakbot's Cobalt Strike module to deploy their own payloads, such as ransomware. As per Trend Micro, Qakbot has delivered MegaCortex and PwndLocker (2019), Egregor, and ProLock (2020), and Sodinokibi/REvil (2021).

"Qakbot has a Cobalt Strike module, and actors who purchase access to machines with prior Qakbot infections may also drop their own Cobalt Strike beacons and additional payloads," Microsoft noted. 

"Using Cobalt Strike lets attackers have full hands-on-keyboard access to the affected devices, enabling them to perform additional discovery, find high-value targets on the network, move laterally, and drop additional payloads, especially human-operated ransomware variants such as Conti and Egregor." 

Microsoft's recommended mitigations to reduce Qakbot's impact include turning on Office 365 phishing protection, enabling SmartScreen and network protection in the Edge browser, and ensuring runtime macro scanning by turning on the Windows Antimalware Scan Interface (AMSI). Microsoft Defender Antivirus and several third-party antivirus products support AMSI. AMSI support for Excel 4.0 macros was only added in March, so it is still a relatively new feature.

Nobelium Hacking Group Targets French Organisations

 

According to the French national cyber-security agency ANSSI, the Russian-backed Nobelium hacker group responsible for last year's SolarWinds hack has now been targeting French firms since February 2021. 

While ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information) has not identified how Nobelium gained access to the email accounts of French organizations, it has stated that the hackers used those accounts to send malicious emails to foreign entities.

In turn, French government organizations were targeted by fraudulent emails sent from servers belonging to foreign firms, which were thought to be infiltrated by the very same threat actor. Nobelium's infrastructure for cyberattacks on French entities was primarily built utilizing virtual private servers (VPS) from several hosting companies (favoring servers from OVH and located close to the targeted countries). 

"Overlaps have been identified in the tactics, techniques, and procedures (TTP) between the phishing campaigns monitored by ANSSI and the SOLARWINDS supply chain attack in 2020," ANSSI explained in a report. 

ANSSI advises limiting the processing of email attachments to prohibit harmful files provided in phishing efforts to fight against this hacker group's attacks. 

The French cyber-security agency additionally urges at-risk enterprises to use its Active Directory security hardening guidance to improve Active Directory security (and AD servers in particular). 

Nobelium, the hacker squad responsible for last year's SolarWinds supply-chain attack, which resulted in the compromise of various US federal agencies, is the cyber department of the Russian Foreign Intelligence Service (SVR), also known as APT29, The Dukes, or Cozy Bear. 

In April, the US government accused the SVR of orchestrating the "broad-scope cyber-espionage campaign" that targeted SolarWinds. 

Based on strategies identified in events beginning in 2018, cybersecurity firm Volexity also attributed the assaults to the same threat actor. 

The Microsoft Threat Intelligence Center (MSTIC) revealed information in May on a Nobelium phishing effort that targeted government agencies from 24 countries. 

Nobelium is still targeting the worldwide IT supply chain, according to Microsoft, having hit 140 managed service providers (MSPs) and cloud service providers and compromised at least 14 since May 2021. 

Nobelium also attacked Active Directory Federation Services (AD FS) servers, seeking to infiltrate governments, think tanks, and private companies in the United States and Europe with FoggyWeb, a new passive and highly targeted backdoor. 

In October, Microsoft disclosed that Nobelium was perhaps the most prominent Russian hacking organization throughout July 2020 and June 2021, orchestrating the attacks that were behind 92 % of the notifications Microsoft sent to customers about Russia-based threat activity. 

Mandiant too linked the hacking organization to attempts to compromise government and enterprise networks throughout the world by targeting their MSPs with a new backdoor codenamed Ceeloader, which is designed to deliver more malware and capture sensitive information of political importance to Russia.

Sky: Major Security Flaw on 6M Routers Left Customers Vulnerable to Hackers

 

A "serious" security vulnerability impacting over six million Sky routers exposed customers to hackers for more than 17 months, as per the analysts. 

According to security firm Pen Test Partners, Sky router users were vulnerable to attack for well over a year as a result of the flaw. If customers had not changed the router's default admin password, an attacker could have obtained their passwords and personal information. The following Sky devices were affected: 
  • Sky Hub 3 (ER110) 
  • Sky Hub 3.5 (ER115) 
  • Booster 3 (EE120) 
  • Sky Hub (SR101) 
  • Sky Hub 4 (SR203) 
  • Booster 4 (SE210) 
However, the last two devices shipped with a randomly generated admin password, which makes such an attack considerably harder. Around 1% of Sky's routers are not manufactured by the firm; customers who have one of these can request a free replacement. 

Pen Test Partners researcher Raf Fini, who discovered the flaw, said it would have let an attacker modify a home router merely by luring the user to a malicious website through a phishing email. 

Pen Test Partners' Ken Munro told BBC News that an attacker could then "take over someone's online life," obtaining passwords for banking and other services. Although there was no evidence that the vulnerability had been exploited, he added that the time taken to patch it was perplexing. 

"While the coronavirus pandemic put many internet service providers under pressure, as people moved to working from home, taking well over a year to fix an easily exploited security flaw simply isn't acceptable," he said. 

Sky was warned about the problem in May 2020, according to Pen Test Partners. Sky acknowledged the issue, but it was not until October 2021 that Sky announced that 99 percent of affected routers had been updated. Responding to the findings, Sky told ITV News that it began working on a fix as soon as it was notified. 

A Sky spokesperson stated, "We can confirm that a fix has been delivered to all Sky-manufactured products.”

CDSL Suffered a Data Breach, Exposing the Details of 43.9 Million Investors

 

According to cyber security consultancy company CyberX9, a vulnerability at a CDSL subsidiary, CDSL Ventures Limited (CVL), exposed personal and financial data of over 4 crore Indian investors twice in ten days. CDSL Ventures Ltd is a KYC registering agency independently registered with the Securities and Exchange Board of India (SEBI), and Central Depository Services (India) Limited (CDSL) is a SEBI registered depository. 

CVL has taken swift action, according to CDSL, and the vulnerability has now been mitigated. According to CyberX9, the vulnerability was disclosed to CDSL on October 19, and the securities depository took roughly 7 days to address it, despite the fact that it could have been fixed instantly.

The vulnerability, according to CyberX9, a Chandigarh-based consultancy, was not technically sophisticated, and the firm detected it a second time after the initial fix. “CDSL was exposing extremely sensitive personal and financial data of about 43.9 million (about 4.39 crore) investors in India. The data being exposed belonged to those who did their market securities KYC. In India, you have to go through a KYC process for investing in securities like stocks, mutual funds, bonds,” it said.

According to the Chandigarh-based cyber security start-up, the information exposed by CDSL could be a virtual gold mine for phishers and scammers engaged in so-called business e-mail compromise, who frequently impersonate brokers, banks, and businesses to dupe individuals and companies into transferring funds to fraudsters. 

“We verified the fix before publication and it was no longer exploitable. Later, on October 29th, our research team got to work again and within a couple of minutes they found an easy and complete bypass for the fix that CDSL implemented to patch the earlier reported vulnerability. CERT-In and NCIIPC also accepted our vulnerability report,” CyberX9 said on its blog. According to CyberX9, the exposed data includes the investor's name, phone number, email address, PAN, salary range, father's name, and date of birth.

With access to CDSL KYC data, phishers and scammers would have an unending supply of convincing templates for scam calls and emails. According to CyberX9, such a database would give fraudsters a constant stream of new investors undergoing KYC to target. Exposing sensitive personal and financial data to large groups of people can lead to financial fraud, identity theft, extortion, and targeted attacks on individuals.

In the Future, Quantum Computing will Increase Cybersecurity Risks

 

While dealing with the immediate threat posed by hackers, US government officials are also planning for a longer-term threat: attackers who are collecting sensitive, encrypted material now in the hopes of being able to decrypt it later. Quantum computers, which work in a totally different way than the conventional computers we use, pose a threat. They use quantum bits instead of regular bits made up of 1s and 0s, which can represent multiple values at the same time.

Quantum computers' complexity could make them significantly faster at specific tasks, allowing them to solve issues that are currently hard for modern machines to handle, such as cracking many of the encryption schemes used to safeguard sensitive data including personal, trade, and state secrets. 

“For all the dramatic advances offered by quantum computing, it could create a huge threat to the security of our data,” said Terry Halvorsen, IBM’s general manager for client and solutions development in the Federal and Public market. “It offers the powerful potential to break certain types of cryptography that safeguards many critical communications." 

Despite the fact that quantum computers are still in their infancy, are extremely expensive, and are riddled with issues, officials say attempts to protect the country from this long-term threat must begin immediately. 

“The threat of a nation-state adversary getting a large quantum computer and being able to access your information is real,” says Dustin Moody, a mathematician at the National Institute of Standards and Technology (NIST). “The threat is that they copy down your encrypted data and hold on to it until they have a quantum computer.” Faced with this "harvest now, decipher later" policy, officials are working to create and implement new encryption algorithms to protect secrets from a new breed of supercomputers. The Department of Homeland Security, for example, claims to be leading a long and challenging transition to post-quantum cryptography.

Quantum computers may be able to defeat asymmetric encryption systems based on integer factorization or discrete logarithms in a matter of seconds. Everyone, from financial services corporations to government organizations, is concerned about this. To protect electronic mortgage data, digital signatures may need to be secure for up to 30 years. 
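The reason integer factorisation is the weak point is that RSA reduces to one problem, finding the multiplicative order of a number modulo n, which is exponential on classical hardware but polynomial for Shor's algorithm on a large enough quantum computer. The script below is an added example for this post, not code from the article or NIST: it performs the classical part of Shor's reduction, with the order-finding step done by brute force on toy numbers, and then shows how a factored modulus yields the private key that protects every ciphertext harvested under it. The RSA parameters (n = 3233, e = 17) are constructed for illustration.

```python
"""The classical half of Shor's algorithm: order finding gives factors, factors give keys.

Added example, not from the article or NIST. Everything except
multiplicative_order() is ordinary classical arithmetic. That one step is
exponential on a classical machine (brute force here) and is exactly what a
large quantum computer could do in polynomial time. The toy RSA parameters
(n = 3233, e = 17) are constructed for illustration.
"""
from math import gcd
from typing import Optional, Tuple


def multiplicative_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r == 1 (mod n); brute force, requires gcd(a, n) == 1."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_order(n: int, a: int) -> Optional[Tuple[int, int]]:
    """Turn the order of a mod n into a non-trivial factor of n, if this a works."""
    g = gcd(a, n)
    if g != 1:
        return (g, n // g)        # a already shares a factor with n
    r = multiplicative_order(a, n)
    if r % 2 == 1:
        return None               # need an even order
    y = pow(a, r // 2, n)         # y*y == 1 (mod n)
    if y == n - 1:
        return None               # trivial square root of 1; try another a
    p = gcd(y - 1, n)
    if p in (1, n):
        return None
    return (p, n // p)


def factor_via_order_finding(n: int) -> Tuple[int, int]:
    """Walk bases a = 2, 3, ... until one yields a factorisation of n."""
    for a in range(2, n):
        result = factor_from_order(n, a)
        if result is not None:
            p, q = sorted(result)
            return (p, q)
    raise ValueError("no factor found; n is prime or a prime power")


def recover_private_exponent(n: int, e: int) -> int:
    """Given only the public key (n, e), recover d once n is factored."""
    p, q = factor_via_order_finding(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)        # modular inverse (Python 3.8+)


if __name__ == "__main__":
    n, e = 3233, 17               # constructed toy modulus: 53 * 61
    d = recover_private_exponent(n, e)
    print("factors:", factor_via_order_finding(n), "private exponent:", d)
```

With the toy key, a ciphertext 2790 captured today decrypts as `pow(2790, d, 3233)` once d is known, which is the "harvest now, decrypt later" risk in miniature: the attacker needs no access to the sender or recipient, only the public modulus and a future order-finding oracle. The same reduction applies to Diffie-Hellman and elliptic-curve schemes via the discrete logarithm; symmetric ciphers and hashes are only weakened, not broken, which is why the migration effort concentrates on the asymmetric algorithms.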

Experts estimate that quantum computers will take a decade or more to achieve anything significant, but with money flowing into the field in both China and the United States, the race is on to make it happen—and to create better defenses against quantum attacks. According to Moody, who oversees NIST's research on post-quantum cryptography, the US has been sponsoring a contest through NIST since 2016 with the goal of producing the first quantum-computer-proof algorithms by 2024.