
21M Users' Personal Data Exposed on Telegram

 

A database containing the personal information and login credentials of 21 million individuals was posted to a Telegram channel on May 7th, 2022, according to Hackread.com. The records belong to customers of VPN services, including the prominent SuperVPN, GeckoVPN and ChatVPN.

The database had been offered for sale on the dark web last year, but it is now circulating for free on Telegram. According to vpnMentor analysts, the leaked archive contains 10GB of data and 21 million unique records, including:
  • Full names
  • Usernames
  • Country names
  • Billing details
  • Email addresses
  • Randomly generated password strings
  • Premium status and validity period
Further investigation found that the leaked password strings were random, hashed or salted, with no collisions between records, which makes them impractical to crack. Gmail accounts made up the majority of the email addresses (99.5 percent).
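As an added illustration (not from the Hackread or vpnMentor reports), the following Python triage script shows how an analyst checks a dump of this shape: it classifies each password field by apparent format, counts identical credential strings across records (duplicates would point to unsalted hashes of common passwords rather than the per-record salting described above), and computes the email-domain distribution. The CSV rows are constructed for the example and are not real leaked records.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the shape the report describes; these are not real records.
SAMPLE_DUMP = """email,username,country,password,premium_until
alice@gmail.com,alice01,US,$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW,2023-01-31
bob@gmail.com,bob_k,DE,5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8,
carol@outlook.com,carol,FR,hunter2,2022-12-01
dave@gmail.com,dave99,IN,a9f3c2b1d4e5f60718293a4b5c6d7e8f,2022-09-15
"""

BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Digest lengths (in hex characters) that commonly appear in unsalted credential dumps.
HEX_DIGEST_LABELS = {32: "md5-like (32 hex)", 40: "sha1-like (40 hex)",
                     64: "sha256-like (64 hex)", 128: "sha512-like (128 hex)"}


def classify_password_field(value: str) -> str:
    """Label the credential field by its apparent format."""
    if BCRYPT_RE.match(value):
        return "bcrypt hash"
    if value.startswith("$"):
        # Other modular-crypt-format hashes, e.g. $argon2id$..., $6$... (sha512crypt)
        return "modular-crypt hash"
    if HEX_RE.match(value) and len(value) in HEX_DIGEST_LABELS:
        return HEX_DIGEST_LABELS[len(value)]
    return "plaintext or unknown"


def triage(dump_text: str) -> dict:
    """Summarise a CSV dump: password formats, duplicate credential strings, email domains."""
    rows = list(csv.DictReader(io.StringIO(dump_text)))
    total = len(rows)
    passwords = [r["password"] for r in rows]
    labels = {r["username"]: classify_password_field(r["password"]) for r in rows}
    domains = Counter(r["email"].rsplit("@", 1)[-1].lower() for r in rows)
    return {
        "records": total,
        "password_formats": dict(Counter(labels.values())),
        # Identical strings across accounts would mean unsalted hashing (or plaintext reuse).
        "duplicate_password_values": total - len(set(passwords)),
        "plaintext_accounts": [u for u, label in labels.items() if label == "plaintext or unknown"],
        "domain_share": {d: round(n / total, 4) for d, n in domains.items()},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

The format check is a heuristic on string shape only; a 64-hex string might equally be a salted digest with the salt stored elsewhere, so treat the labels as a starting point for the analyst, not a verdict.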

However, vpnMentor researchers believe the released data is only part of the full dump. It is still unknown whether the information came from a breach or from a misconfigured server. In either case the harm is done: affected users are now exposed to scams and surveillance. People use VPNs mainly to preserve anonymity and privacy, so VPN customers' data is regarded as more valuable than most, and its exposure has far-reaching effects.

People whose information was exposed in this incident may be subjected to blackmail, phishing or identity theft. Because personally identifiable information such as country, billing details and usernames was exposed, attackers can craft targeted frauds. Although the passwords in the dump are hashed, any account whose hash is eventually cracked, or whose password was reused on another service, can be hijacked along with its premium status.

If the data falls into the hands of a repressive government that prohibits VPN use, VPN users may be arrested and detained. Affected users should change their VPN account password to a long, unique one that mixes upper and lower case letters, numbers and symbols, and replace it on any other service where the same password was reused.

Anonymous Hacks Russian Energy Companies, Leaking 1Million+ Emails

 

Anonymous claims to have hacked Russian energy businesses and exposed their emails as part of its continuing cyberwar against Russia over the invasion of Ukraine. On Twitter, the hacker collective claimed to have leaked over 1 million emails from ALET, a Russian customs broker for fuel and energy firms.

The tweet stated, "NEW: #Anonymous hacked nearly 1.1 million emails (1.1 TB of data) from ALET, a Russian customs broker for companies in the fuel and energy industries, handling exports and customs declarations for coal, crude oil, liquefied gases and petroleum products."

The breach was published by DDoSecrets, an organisation co-founded by Emma Best and dedicated to publishing leaked data in the public interest.

What is ALET? 

ALET is a customs broker based in Russia. It handles exports and customs declarations for petroleum products, coal, liquefied gases and crude oil on behalf of fuel and energy companies. Since 2011 it has worked with 400 businesses and filed 119,000 customs declarations, with oil products accounting for most of its revenue. Gazprom, Gazprom Neft and Bashneft have all recommended it.

Anonymous has been waging a cyberwar against Putin's government since the start of the Russia-Ukraine conflict, and so far it has lived up to that threat. The collective has not only leaked Russian data but has also broken into Russian organisations in order to inform citizens about what is happening outside the country.

Anonymous is best known for hijacking Russian streaming sites and TV networks to show Russian residents what was happening in Ukraine. Last week, the group hacked Enerpred, Russia's largest hydraulic equipment manufacturer, which serves the energy, coal, gas, oil and construction industries, and stole 645,000 emails (up to 432GB of data).

Enerpred is headquartered in Irkutsk, the capital of Eastern Siberia, with offices in major Russian cities including Moscow and St. Petersburg. The leaked data is hosted on the DDoSecrets (Distributed Denial of Secrets) website.

Google's Safety Section Will Show What Android Apps Do With the User Data

Earlier this week, Google began rolling out a new Data safety section for Android apps on the Play Store, which states what types of data each app collects and shares with third parties. Users have a right to know why their data is collected and whether the developer shares it with a third party.

Users should also know how developers protect their data once an app is installed. The transparency measure, modelled on Apple's Privacy Nutrition Labels, was first announced by Google in May 2021.

The Data safety section appears on every app listing on the store, presenting a unified view of what data is collected, why it is collected and how it will be used, as well as what data is shared with third parties. The labels can also describe an app's security practices, such as whether data is encrypted in transit and whether users can request that their data be deleted.

Developers can additionally declare that the app has been independently reviewed against a security standard such as the OWASP Mobile Application Security Verification Standard (MASVS). The section is rolling out to all users, and developers have until 20 July 2022 to complete their declarations; after that they must update the section whenever the app's functionality or data handling practices change.

Data safety may face the same criticism Apple did: the system is entirely an honour system, relying on developers to be honest and precise about what they do with the data rather than listing inaccurate labels.

Apple has since said it audits labels for accuracy, to make sure they are dependable and do not give users false assurances about security.

"Google, last year, had said that it intends to institute a mechanism in place that requires developers to furnish accurate information and that it will mandate them to fix misrepresentations should it identify instances of policy violations," reports The Hacker News.

42M+ People's Financial Data Compromised in UK

 

According to a press release from the international law firm RPC, a growing number of ransomware attacks has resulted in the disclosure of financial data belonging to about 42.2 million people in the United Kingdom.

“The surprisingly high number of people whose financial data was impacted in the last year shows how cyber-attacks have become endemic,” said RPC partner Richard Breavington. “Hackers are continually refining their methods, employing ever more complex techniques to extort money in whatever way they can. Some businesses, fearing the potential reputational costs, not to mention other consequences, decide that they will take the last-ditch approach of paying the ransom demands. As a result, these attacks have become very lucrative for cybercriminals.” 

Cyberattacks are spreading at an alarming rate, notably in the United Kingdom. In 2019-20, 2.2 million people's financial data was compromised, compared with 42.2 million in 2021-22, an increase of over 1,700% in two years. One explanation offered for the growth is simply that organisations now hold far more data than before. Criminal groups sell the stolen records on underground marketplaces and may also hold the affected organisations to ransom once the data has been encrypted or exfiltrated.

Breavington explains in the release that “criminal gangs are doing this because their blackmail threats over encryption alone are becoming less effective as businesses get better at backing up their systems. But hackers have honed their tactics and added this additional form of blackmail.” 

Because many firms find it easier to simply pay, several groups have increased the number of attacks they carry out in a short period. As seen in other incidents reported this month, ransomware groups often gain access to a company's systems and study its inner workings for some time before launching the attack.

“Before carrying out an attack, hackers are increasingly carrying out reconnaissance to scope out protections that are in place, as well as data held by the company,” Breavington said. “Businesses should not be making their jobs easier by signposting this information.” 

Many people are losing faith in firms' ability to keep their financial information secure as the number of attacks rises. Firms must recognise that it is their job to strengthen their security controls, maintain round-the-clock monitoring for online threats, and regularly audit their own processes to make sure they are doing everything necessary to win back that confidence.

Dark Data: A Crucial Concern for Security Experts

 

BigID recently released a research report examining the problems businesses face in safeguarding their most critical information. Its key findings:
  • Dark data is a serious concern for 84 per cent of businesses. This is data a business is not aware it holds; it makes up more than half of all stored data and can be highly sensitive or vital.
  • Unstructured data is the hardest to manage and safeguard for eight out of ten businesses. It usually contains a variety of sensitive information and is difficult to scan and classify because of its inherent complexity.
  • More than 90% of businesses have trouble enforcing security policies for sensitive or important data. The reach and enforcement of data policies are crucial for proper data asset management, remediation and security.
Data is an organisation's most valuable asset, relied on every day for critical strategic and operational decisions. Much of it is highly sensitive or critical, and it can be exposed accidentally or maliciously.

Dimitri Sirota, CEO of BigID stated, “Data is the fuel that drives a company forward. However, a lot of this data is personal and as it accumulates, so does cyber risk. You owe it to your customers, partners, and employees to keep this data safe, let alone to keep your business running. This report reinforces the fact that most continue to struggle to confidently protect their most valuable data.” 

Sensitive and essential data is spreading across environments at unprecedented rates, driven by the rapid rise of public, private, hybrid and multi-cloud models. As the footprint of this data grows, so does the risk to the organisation.

The report examines the most significant security issues, their root causes, and practical ways to improve data security so that teams can protect their most valuable data assets.

CitySprint Confirms Security Breach, Personal Data of Drivers May be Compromised

 

CitySprint, a same-day delivery company, has warned its couriers after discovering a data breach that may have given attackers access to sensitive personal information. The security incident was confirmed in an email sent to hundreds of drivers on April 7th.

Self-employed drivers transport items across the UK for CitySprint, which was recently acquired by the parcel delivery giant DPD Group. The drivers submit personal information to CitySprint through the company's iFleet platform, including photos of their driving licence, photos of their vehicle and weekly earnings data. The company says it shut down the iFleet system and restricted access to it as soon as it became aware of "the incident".

CitySprint currently says it has no confirmation that personal data was accessed, but it does not rule out the possibility. Its investigation is ongoing, and it has engaged forensic cybersecurity specialists to examine the event fully and determine what data, if any, was exposed.

It states, “Our security checks, which are not quite complete yet have shown that so far, no personal data was compromised. The remaining checks will confirm if any of your data may have been affected. Therefore, as a precautionary measure, we have informed the Information Commissioner’s Office of the incident.” 

CitySprint says it takes personal data protection "very seriously" and is reviewing IT working practices across the company. Some drivers are clearly dissatisfied with the way the company handles their personal information.

CitySprint's email includes several pieces of advice for drivers in case their personal information is exposed online: change passwords to strong, unique ones, enable two-factor authentication on accounts that offer it, and consider signing up for an identity theft protection service.

On 13th April, CitySprint offered the following statement, “We recently detected an apparent malicious attempt by a third party to access confidential data from our courier management platform. As soon as this issue was discovered, we took immediate steps to close off external access to this and launched a full and thorough investigation, led by independent cybersecurity experts. 

Now that this investigation has concluded, we are pleased to confirm that we believe that no personal data has been compromised. This incident has been reported to the proper authorities and we are in contact with couriers who contract with us about this as a matter of precaution.”

Hotel WiFi Across MENA Compromised, Private Information Leaked

 

Etizaz Mohsin, a Pakistani cybersecurity researcher, was in a hotel room in Qatar when he stumbled on a vulnerability in the hotel's internet gateway that exposed the network configuration of hundreds of hotels and the personal information of millions of guests worldwide.

Mohsin explained, “I discovered that there is an rsync [file synchronisation tool] service running on the device that allows me to dump the device’s files to my own computer. I was able to gain access to all other hotels’ sensitive information that was being stored on the FTP [file transfer protocol] server for backup purposes.” 

He was able to obtain network configurations for 629 major hotels in 40 countries, as well as millions of guests' personal information, such as room numbers, email addresses, and check-in and check-out dates. The affected properties included major hotel chains in Qatar, Turkey, the United Arab Emirates (UAE), Saudi Arabia, Lebanon, Egypt, Bahrain, Oman, Jordan and Kuwait, among them Kempinski, Millennium, Sheraton and St Regis properties.

The hotels all use the HSMX Gateway, an internet access product from the British company AirAngel, whose clients include some of the world's best-known hotel chains. Most hotels, stores, restaurants and cafés require guests to create an account and enter personal information before they can use the internet, and that arrangement carries its own risks.
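The exposure Mohsin describes is an rsync daemon reachable over the network with no access control, which lets anyone list its modules and pull their contents. The following Python example is added here for illustration and is not code from the researcher or from AirAngel; it implements the client side of the rsync daemon's plaintext handshake (TCP port 873, protocol version 31) to enumerate the modules a daemon advertises, and parses the daemon's reply. The transcript in SAMPLE_LISTING is constructed, and the hostname in the usage line is a placeholder.

```python
import socket

RSYNC_PORT = 873
PROTOCOL_VERSION = 31  # spoken by rsync 3.1+; older daemons negotiate downwards


def build_list_request(version: int = PROTOCOL_VERSION) -> bytes:
    """Client side of the daemon handshake: announce our protocol version,
    then name the pseudo-module '#list' to ask for the module listing."""
    return f"@RSYNCD: {version}.0\n#list\n".encode()


def parse_list_response(raw: bytes) -> dict:
    """Parse the daemon's reply to '#list'.

    The daemon greets with '@RSYNCD: <ver> ...', then prints one
    '<name>\t<comment>' line per listable module, then '@RSYNCD: EXIT'.
    A module that requires credentials answers '@RSYNCD: AUTHREQD <challenge>'
    instead; '@ERROR: ...' lines carry daemon-side refusals."""
    result = {"server_version": None, "modules": [], "auth_required": False, "errors": []}
    for line in raw.decode("utf-8", errors="replace").splitlines():
        if line.startswith("@RSYNCD:"):
            parts = line.split()
            tag = parts[1] if len(parts) > 1 else ""
            if tag == "EXIT":
                break
            if tag == "AUTHREQD":
                result["auth_required"] = True
            elif result["server_version"] is None and tag[:1].isdigit():
                result["server_version"] = tag
        elif line.startswith("@ERROR:"):
            result["errors"].append(line[len("@ERROR:"):].strip())
        elif line.strip():
            name, _, comment = line.partition("\t")
            result["modules"].append((name.strip(), comment.strip()))
    return result


def probe_rsync_daemon(host: str, port: int = RSYNC_PORT, timeout: float = 5.0) -> dict:
    """Connect to a daemon and return its advertised modules (network call; not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_list_request())
        buf = b""
        while b"@RSYNCD: EXIT" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_list_response(buf)


# Constructed transcript of an open daemon, shaped like a real one: two listable modules.
SAMPLE_LISTING = (
    b"@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4\n"
    b"backup         \tgateway configuration backup\n"
    b"logs           \tguest session logs\n"
    b"@RSYNCD: EXIT\n"
)

if __name__ == "__main__":
    print(parse_list_response(SAMPLE_LISTING))
    # print(probe_rsync_daemon("gateway.example"))  # placeholder host; needs network access
```

A daemon that answers this unauthenticated request with a module list is exactly the condition described above. On the server side the fix lives in rsyncd.conf: restrict `hosts allow` to the management hosts, require `auth users` backed by a `secrets file` on every module, set `list = no` so modules are not advertised, and do not expose port 873 beyond localhost or a management VPN at all.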

Mohsin added, “A public WiFi network is inherently less secure than the one you use at home. It gives hackers access to critical information like banking credentials and account passwords by allowing them to monitor and intercept data transferred across the network.”

Seven years ago, researchers discovered a flaw in hotel routers that affected 277 devices in hotels and convention centres in the US, Singapore, the United Kingdom, the United Arab Emirates, and 25 other countries.

Social Engineering Attacks Resulted in Compromise of Morgan Stanley Client Accounts

 

Morgan Stanley's wealth and asset management division, Morgan Stanley Wealth Management, says that social engineering attacks have compromised some of its customers' accounts. 

Vishing (voice phishing) is a social engineering attack in which scammers impersonate a reputable business (in this case Morgan Stanley) over the phone to persuade their targets to reveal or hand over sensitive information such as banking or login credentials.

According to a notice sent to affected clients, a threat actor posing as Morgan Stanley gained access to their accounts "on or around February 11, 2022" after tricking them into handing over their Morgan Stanley Online account information. Once in, the attacker initiated electronic transfers out of the compromised accounts.

The alert reads, "As you are aware, on or around February 11, 2022, you were contacted by a bad actor claiming to be with Morgan Stanley. The bad actor was able to obtain information relating to your Morgan Stanley Online account, subsequently accessing this account and initiating unauthorized Zelle payments." 

A Morgan Stanley spokesperson told BleepingComputer that "there was no data breach or information leak from Morgan Stanley." The division also said that all affected customers' accounts had been disabled, and that its systems "remain secure."

The company explained, "This compromise was not a result of any action of Morgan Stanley Wealth Management and our systems remain secure. Your Morgan Stanley Wealth Management account has been flagged to our Customer Call Center so that any callers into the Call Center will be prompted with additional verification. Your previous Morgan Stanley Online account was also disabled." 

To protect against vishing and other kinds of social engineering fraud, Morgan Stanley advises customers not to answer calls from numbers they do not recognise.

"Also, be guarded when providing your personal data by phone. Make sure the person asking for the information is from a legitimate organization and is who they claim to be. You can always hang up and call the organization back using a phone number found through a trusted source – such as the company’s official website or perhaps a financial statement," the company further recommended. 

Morgan Stanley disclosed a data breach in July 2021 after the Clop ransomware group broke into the Accellion FTA server of Guidehouse, one of Morgan Stanley's third-party providers, and stole personal information belonging to its clients.

Morgan Stanley is a significant investment banking and global financial services corporation based in the United States that offers investment banking, securities, wealth management, and investment management services around the world.  

Wightlink Customers' Details Compromised in Cyber Attack

 

Wightlink, a UK ferry company, has been hit by what it describes as a highly sophisticated cyber-attack that may have exposed the personal information of "a small number of customers and staff." Wightlink said the incident, which occurred in February, affected some back-office IT systems but not its ferry services, booking system or website.

The company said it has notified law enforcement and the UK's Information Commissioner's Office (ICO) because individuals may have been affected. Wightlink operates three routes between Hampshire in southern England and the Isle of Wight, an island off the south coast, and says it carries 4.6 million passengers a year on over 100 daily sailings.

Wightlink claimed in a statement received by The Daily Swig: “Unfortunately, despite Wightlink taking appropriate security measures, some of its back-office IT systems were affected by a cyber-attack last month. However, this criminal action has not affected Wightlink’s ferries and FastCats, which have continued to operate normally during and following the attack, nor were its booking system and website affected.” 

Wightlink said it engaged third-party cybersecurity experts to investigate as soon as the attack was detected. The operator is working with the South East Regional Organised Crime Unit in addition to reporting the incident to the ICO.

The company stated, “Wightlink does not process or store payment card details for bookings. However, the investigation has identified a small number of customers and staff for whom other items of personal information may have been compromised during the incident.”

Wightlink chief executive Keith Greenfield stated, “I would like to thank all my colleagues at Wightlink who responded quickly ensuring that the impact to customers was minimised and that cross-Solent travel and bookings were unaffected.”

Hackers Expose 190GB of Alleged Samsung Data

 

The hackers who leaked confidential information from Nvidia have now turned their attention to Samsung. The group, known as Lapsus$, is believed to have taken 190GB of data from Samsung, including source code for security-critical components of many of the company's devices.

On Saturday, the group announced the Samsung leak to its followers and made the material available as a torrent. As seen by BleepingComputer, the data was split into three parts and accompanied by a text file describing the contents of the download.

According to that description, the material includes "source code from every Trusted Applet" installed on Samsung smartphones, "confidential Qualcomm source code", algorithms for "all biometric unlock operations", bootloader source code for the devices, and source code for Samsung's activation servers and Samsung account authentication, including APIs and services.

In short, the Lapsus$ leak is said to cover Samsung GitHub repositories for mobile defence engineering, the Samsung account backend, the Samsung Pass backend and frontend, and SES, which includes Bixby, SmartThings and the store.

The attack on Samsung follows the group's attempt to extort Nvidia, and that demand was not a straightforward request for money: the hackers asked Nvidia to remove the cryptocurrency mining limiter on its 30-series GPUs and to open-source its GPU drivers permanently.

The group's updates show it is also plainly after money. One message offered to sell a bypass for the Nvidia mining limiter for $1 million, and another, reported by The Verge, said the group was trying to sell the data directly to a buyer rather than release it publicly.

Nvidia confirmed the breach last Monday, acknowledging a leak of "employee credentials" and "proprietary information". It denied that the attack was linked to the Russia-Ukraine crisis and said the incident would have no impact on its operations.

As of now, there are no reports of Lapsus$ making a similar demand of Samsung. If it does, Samsung is likely to face a significant setback, given the type of data the group claims to hold.

Zenly Addressed the Risks of User Data Exposure and Account Takeover

 

Zenly, a social app from Snap that lets users follow the positions of friends and family on a live map, had two flaws that could endanger the people being tracked: a user-data disclosure vulnerability and an account-takeover vulnerability, according to the Checkmarx Security Research Team.

Zenly is a real-time location sharing app created in 2015 by Alexis Bonillo and Antoine Martin in Paris, France. Its primary purpose is to share and follow locations with friends; the app reports not only a user's current position but also their direction and speed of travel, using precise positioning to pinpoint where friends or family members are.

According to Checkmarx, the first issue is reached through the "Add by Username" flow, which starts with a search for a known username. An intercepting proxy, "an environment that permits intercepting and decoding network requests to get visibility into network activities", can then be used to inspect the requests made during the username search.

“By observing the response of the request that was executed on the /UserPublicFriends endpoint, a list of friends can be seen, although it is not displayed on the user interface of the application,” according to the analysis. “This list contains every friend of the user, one of them is Bogus_CEO (bogus CEO of Zenly, for demonstration purposes). Note that the response also contains their username, which could in turn be used to repeat this process and obtain their friends list instead.” 

Once the target's username is known, the same interceptor can be used to retrieve the associated phone number: the attacker opens the "Add by Username" view for that user and taps "Add as Friend", and the phone number is returned in the response to the friend request.

Mitigation has two parts. The most serious consequence is access to a user's Personally Identifiable Information (PII) without their consent, which can be prevented by removing the target's phone number from the response sent when a friend request is created. The second is to limit or shape the data returned by the /UserPublicFriends endpoint during a username search, rather than returning the entire list of the user's friends and their usernames.
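To make the two mitigation steps concrete, the following Python example, added here and not Zenly's or Checkmarx's code, models the username-search and friend-request responses as pure functions over a constructed in-memory directory. The vulnerable versions return the whole friend list and the target's phone number, so a crawl starting from one username walks the entire social graph; the hardened versions return only what the UI renders. The directory contents, the function names and every field other than the /UserPublicFriends endpoint are assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    username: str
    phone: str
    friends: list = field(default_factory=list)  # friend user_ids


# Constructed directory for the example; not real Zenly data.
DIRECTORY = {
    "u1": User("u1", "alice", "+33600000001", ["u2", "u3"]),
    "u2": User("u2", "bob", "+33600000002", ["u1", "u4"]),
    "u3": User("u3", "bogus_ceo", "+33600000003", ["u1"]),
    "u4": User("u4", "dana", "+33600000004", ["u2"]),
}
BY_USERNAME = {u.username: u for u in DIRECTORY.values()}


def user_public_friends_vulnerable(username: str) -> dict:
    """/UserPublicFriends as described: leaks the full friend list with usernames,
    even though the app's UI never displays it."""
    target = BY_USERNAME[username]
    return {"username": target.username,
            "friends": [{"user_id": f, "username": DIRECTORY[f].username} for f in target.friends]}


def user_public_friends_hardened(username: str, requester_id: str) -> dict:
    """Return only what the 'Add by Username' screen renders: the target and
    how many friends the requester shares with them, with no identities."""
    target = BY_USERNAME[username]
    requester = DIRECTORY[requester_id]
    mutual = len(set(target.friends) & set(requester.friends))
    return {"username": target.username, "mutual_friends": mutual}


def add_friend_vulnerable(requester_id: str, username: str) -> dict:
    """Friend-request response that echoes the target's phone number (the PII leak)."""
    target = BY_USERNAME[username]
    return {"status": "pending", "target": {"user_id": target.user_id, "phone": target.phone}}


def add_friend_hardened(requester_id: str, username: str) -> dict:
    """Same operation with the phone field removed from the response."""
    target = BY_USERNAME[username]
    return {"status": "pending", "target": {"user_id": target.user_id}}


def crawl_graph(start_username: str, lookup) -> set:
    """Breadth-first enumeration of everyone reachable through a friends-list response.
    With the hardened endpoint the response carries no 'friends' key, so the crawl
    never gets past the starting user."""
    seen, queue = {start_username}, deque([start_username])
    while queue:
        resp = lookup(queue.popleft())
        for friend in resp.get("friends", []):
            if friend["username"] not in seen:
                seen.add(friend["username"])
                queue.append(friend["username"])
    return seen


if __name__ == "__main__":
    print(sorted(crawl_graph("bogus_ceo", user_public_friends_vulnerable)))
    print(sorted(crawl_graph("bogus_ceo", lambda u: user_public_friends_hardened(u, "u3"))))
```

The point of the crawl function is that a single over-broad response is enough to enumerate every account transitively; shaping the response to the UI's needs, rather than rate limiting alone, is what closes that off.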

According to Checkmarx, the second bug is in the user-authentication flow, which uses SMS messages carrying verification codes to validate sessions. After the SMS is sent, the app submits the session token and the SMS verification code to the /SessionVerify endpoint.

Both vulnerabilities have been fixed, and users should update their apps to the most recent version to avoid compromise, according to the company.

PseudoManuscrypt Malware Proliferating Similarly as CryptBot Targets Koreans

 

Since at least May 2021, a botnet known as PseudoManuscrypt has been targeting Windows workstations in South Korea using the same delivery methods as the CryptBot information stealer.

South Korean cybersecurity company AhnLab Security Emergency Response Center (ASEC) said in a report: "PseudoManuscrypt is disguised as an installer that is similar to a form of CryptBot and is being distributed. Not only is its file form similar to CryptBot but it is also distributed via malicious sites exposed on the top search page when users search commercial software-related illegal programs such as Crack and Keygen."
  
According to ASEC, approximately 30 computers in the country are compromised per day on average. PseudoManuscrypt was first publicly documented in December 2021, when the Russian cybersecurity firm Kaspersky disclosed a "mass-scale spyware attack campaign" that had infected over 35,000 PCs in 195 countries.

The attacks, first observed in June 2021, hit a large number of industrial and government organisations, including military-industrial firms and research institutes in Russia, India and Brazil, among others. The main payload module has a wide range of spying capabilities that give the attackers virtually complete control over the compromised device, including stealing VPN connection data, recording audio from the microphone, and capturing clipboard contents and operating system event log data.

PseudoManuscrypt also connects to an attacker-controlled command-and-control server to carry out tasks such as downloading files, executing arbitrary commands, logging keystrokes, and capturing screenshots and video of the screen.

The researchers added, "As this malware is disguised as an illegal software installer and is distributed to random individuals via malicious sites, users must be careful not to download relevant programs. As malicious files can also be registered to service and perform continuous malicious behaviours without the user knowing, periodic PC maintenance is necessary."
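ASEC's note that the malware registers itself as a service is a usable detection hook: on Windows, every new service produces System log event 7045 ("A service was installed in the system"). The following Python example, added here and not from ASEC or Kaspersky, applies simple triage rules to a few constructed 7045 records: a service binary outside the Windows and Program Files directories, a binary under a user-writable path, or a binary whose name matches the crack/keygen lure is flagged for review, and the finding is escalated when the service auto-starts as LocalSystem. The records are constructed; the field names follow the event's "Service Name" / "Service File Name" / "Service Start Type" / "Service Account" layout.

```python
import re

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|downloads|programdata|public)\\", re.I)
LURE_WORDS = re.compile(r"(crack|keygen|patch|activat|setup[_-]?)", re.I)


def image_executable(service_file_name: str) -> str:
    """Extract the executable path from a service's ImagePath / 'Service File Name'.

    Quoted paths end at the closing quote; unquoted paths are taken up to the first
    space (an unquoted path that itself contains spaces is a separate, classic finding)."""
    s = service_file_name.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def triage_service_install(event: dict) -> dict:
    """Return the reasons (possibly none) a 7045 record deserves analyst attention."""
    reasons = []
    exe = image_executable(event["Service File Name"]).lower()
    if not exe.startswith(TRUSTED_ROOTS):
        reasons.append("binary outside Windows/Program Files")
    if USER_WRITABLE.search(exe):
        reasons.append("binary in user-writable location")
    if LURE_WORDS.search(exe.rsplit("\\", 1)[-1]):
        reasons.append("binary name matches crack/keygen lure")
    auto_system = ("auto" in event.get("Service Start Type", "").lower()
                   and "localsystem" in event.get("Service Account", "").lower())
    severity = "none" if not reasons else ("high" if auto_system else "medium")
    return {"service": event["Service Name"], "image": exe, "reasons": reasons, "severity": severity}


def scan(events: list) -> list:
    """Run triage over a batch of System log records and keep only the hits."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        f = triage_service_install(ev)
        if f["reasons"]:
            findings.append(f)
    return findings


# Constructed 7045 records (not real telemetry): one benign Windows service, one
# crack-themed installer registering itself from %TEMP%, Sysmon, and a ProgramData dropper.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Service Name": "WinHttpAutoProxySvc",
     "Service File Name": r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted",
     "Service Start Type": "demand start", "Service Account": "NT AUTHORITY\\LocalService"},
    {"EventID": 7045, "Service Name": "UpdateSvc",
     "Service File Name": r'"C:\Users\kim\AppData\Local\Temp\Office_KeyGen_setup.exe" -svc',
     "Service Start Type": "auto start", "Service Account": "LocalSystem"},
    {"EventID": 7045, "Service Name": "Sysmon64",
     "Service File Name": r"C:\Windows\Sysmon64.exe",
     "Service Start Type": "auto start", "Service Account": "LocalSystem"},
    {"EventID": 7045, "Service Name": "wlansvcx",
     "Service File Name": r"C:\ProgramData\wlan\wlansvcx.exe",
     "Service Start Type": "auto start", "Service Account": "LocalSystem"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Path-based rules like these are a first filter, not a verdict: legitimate installers sometimes run services from ProgramData, so the output is meant to feed an analyst queue (or a signature check on the binary), and the Security log's 4697 event can be used the same way where it is enabled.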

Google Announces Privacy Sandbox on Android to Restrict Sharing of User Data

 

Google announced on Wednesday that it will extend its Privacy Sandbox initiative to Android, bringing its privacy-focused but less disruptive advertising technologies beyond the desktop web. To that end, Google said it will work on solutions that prevent cross-app tracking, similar to Apple's App Tracking Transparency (ATT) framework, essentially restricting the sharing of user data with third parties and doing away with cross-app identifiers such as the advertising ID.

Anthony Chavez, vice president of product management for Android security and privacy, stated, "The Privacy Sandbox on Android builds on our existing efforts on the web, providing a clear path forward to improve user privacy without putting access to free content and services at risk." 

Google's Privacy Sandbox, announced in 2019, is a collection of technologies intended to phase out third-party cookies and limit covert tracking such as fingerprinting by reducing the amount of information sites can access to track users' online behaviour.

Alphabet Inc.'s Google, which earns most of its revenue from advertising, says it can safeguard phone users' data while still giving marketers and app developers new technology to deliver targeted promotions and measure results. According to Chavez, the proposed tools for Android would limit app makers' ability to share a person's information with third parties and prevent tracking across apps. Google said the tools would be available in beta by the end of 2022, followed by "scaled testing" in 2023. Chavez said in an interview that the best path forward is an approach "that improves user privacy and a healthy mobile app ecosystem. We need to build new technologies that provide user privacy by default while supporting these key advertising capabilities."

Google is trying to balance the financial needs of developers and marketers against the growing demands of privacy-conscious consumers and regulators. It is gathering feedback on the proposal, as it has done while its web Privacy Sandbox gradually builds a new privacy standard for browsing. Google's initial web proposal drew criticism from UK regulators and lawmakers, and the company has since proposed serving ads based on topics a user is interested in, which are discarded and replaced every three weeks.

Meta Platforms Inc., Facebook's parent company, has been at odds with Apple over App Tracking Transparency, which lets iPhone users turn off tracking across all of their apps. Google executives have said YouTube has taken a minor financial hit from the feature, because it makes it harder for marketers to verify whether their iPhone advertising was effective.

According to Chavez, the Android Privacy Sandbox would enable tailored advertising based on recent "topics" of interest, and enable attribution reporting, which will tell marketers if their ad was effective.

NSW Government Database Compromises 500,000+ Addresses

 

The government of New South Wales (NSW) has admitted to a data breach that exposed more than 500,000 addresses via a government website. 

According to 9News, the NSW Customer Services Department acquired hundreds of thousands of locations through its QR code registration system before making them public on a government website. The locations belonged to firms that were registered as COVID-safe businesses, which was an option offered to all NSW businesses as well as those from other jurisdictions with interests in NSW. 

Skeeve Stevens, a technology specialist in the security and intelligence space, spotted the dataset in September and stated that he notified cyber security professionals, who then informed the government. Defence sites, missile maintenance facilities, domestic violence shelters, essential infrastructure networks, and correctional facilities were among the locations listed. Locations in Western Australia, Victoria, Queensland, South Australia, and the Australian Capital Territory were also included in the database. 

Last October, the government forwarded the matter to the privacy commissioner, who determined that the incident did not constitute a privacy breach. The issue was brought to the attention of NSW Premier Dominic Perrottet this week, and he admitted that the material had been posted incorrectly. 

Perrottet stated, "That was worked through [the] privacy commissioner. My understanding is they were satisfied that the matter was resolved and that information was taken down. It shouldn't have happened."

According to 9News, the NSW Department of Customer Services classified fewer than 1% of the 566,318 locations as sensitive. 

A department spokesperson stated, "These businesses were all contacted by telephone and letter. No issues of concern were raised by any recipients." 

The COVID-Safe Businesses and Organization dataset has been withdrawn, according to a notice on the NSW data website dated 12 October 2021. “We have identified issues with the integrity of the data with the recent increase in volume of registrations. We apologise for any inconvenience,” stated the notice, without revealing what the issue was. 

Last weekend, a marketing stunt by Coinbase used QR codes to bring potential consumers to its site, prompting experts to debate whether they pose a true cyber security danger. Some experts believe they shouldn't be trusted because of the risk of being hijacked by cyber thieves, while others believe the fear around the technology is exaggerated and the real-world threat is minimal.

A Data Breach at a Croatian Phone Company Affects 200,000 Customers

 

Croatian phone company 'A1 Hrvatska' has announced a data breach that exposed the personal information of 10% of its users, or approximately 200,000 persons. A1 Hrvatska is a Croatian mobile network operator and a strategic partner of Vodafone. It is part of the Telekom Austria Group. A1 is the first and only operator in Croatia to offer the complete 5-play service, which comprises A1 TV, mobile and fixed telephony, and mobile and fixed Internet. 

The notification doesn't go into much depth, other than to say that the company had a cybersecurity incident involving unauthorized access to one of its user databases, which contained sensitive personal information. Full names, personal identity numbers, physical addresses, and phone numbers were all accessed. 

"Unfortunately, despite advanced protection measures and the constant raising of the level of security, a security incident occurred related to one of the user databases, which compromised part of the personal data of part of A1's users. We emphasize that information on bank cards and accounts is not compromised because it is not available in the specified database. We will directly inform all users whose personal data is potentially compromised," said the company. 

A criminal complaint was also filed with the Zagreb Police Administration right away, and information experts assisted in identifying the culprits of the crime. In addition, the competent institutions HAKOM and AZOP, with which the company works closely, were notified. 

A1 Hrvatska is a strategic partner of Vodafone, whose Portugal region was subjected to a very disruptive cyberattack that resulted in the suspension of 4G and 5G data services. Strategic partners occasionally share online infrastructure, but in this case a link appears implausible, though it cannot be fully ruled out. Because the event does not appear to have impacted A1 Hrvatska's services or operations, it appears to be an instance of unauthorised database access, either through a misconfiguration or stolen credentials. 

"A1 Croatia adheres to the highest security standards and data protection, and we will continue to make additional investments in improving the security environment. A recurrence of this security incident is not possible, and it has not affected and will not affect the provision of services to customers," the company said.

Attackers Revive 20-Year-Old Tactic in Microsoft 365 Phishing Attacks

 

A classic phishing tactic using mislabeled files is being used to deceive Microsoft 365 users into revealing their credentials. Malicious actors are dusting off Right-to-Left Override (RLO) attacks to fool victims into running files with altered extensions, as per cybersecurity researchers at Vade. Victims are requested to enter their Microsoft 365 login details when they open the files. 

In the previous two weeks, Vade's threat analysis team discovered more than 200 RLO attacks targeting Microsoft 365 users. The attack technique works as follows: 

Within the Unicode encoding system, the RLO character [U+202e] is a special non-printing character. The symbol was created to support languages like Arabic and Hebrew, which are written and read from right to left. 

The special character, which can be found in the Windows and Linux character maps, can be used to mask the file type. The executable file abc[U+202e]txt.exe, for example, will display in Windows as abcexe.txt, misleading people into believing it is a .txt file. 

The threat has been present for more than a decade, and CVE-2009-3376 was first identified in 2008 in Mozilla Foundation and Unicode technical reports. 

"While Right-to-Left Override (RLO) attack is an old technique to trick users into executing a file with a disguised extension, this spoofing method is back with new purposes," noted researchers. 

RLO spoofing was previously a common technique for hiding malware in attachments. According to Vade researchers, the approach is currently being used to phish Microsoft 365 business users in order to gain access to a company's data. The team encountered one RLO attack in which an email was delivered with what seemed to be a voicemail.mp3 attachment. 

Researchers stated, "This kind of scam preys on the curiosity of the recipient, who is not expecting a voicemail, and who may be intrigued enough to click the phishing link in the body of the email or the attachment, which is often an html file."
  
"Most likely attackers are taking advantage of the COVID-19 pandemic, with the expansion of remote working," hypothesized the analysts, who also noted that "RLO spoofing attachments is more convincing with the lack of interpersonal communication due to teleworking."
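As an added defender-side example (not code from Vade or from the original post), the Python below shows how a mail gateway or endpoint check can flag attachment names that contain Unicode bidi control characters and compare the extension the user sees with the one the operating system will actually execute. The rendering is a deliberately simplified model of how a GUI displays an RLO-wrapped name; the control-character set and the function names are this example's own.

```python
# Unicode bidirectional control characters that can reorder displayed text.
# U+202E (RLO), the one abused in the attacks above, reverses everything after it.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                 # LRM, RLM
}

def rendered_name(name: str) -> str:
    """Simplified model of how a GUI shows the name: text after an RLO (U+202E)
    is reversed until a PDF (U+202C) or the end of the string; other controls
    are invisible and dropped."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1          # invisible control, not displayed
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def extension(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def analyze_attachment(name: str) -> dict:
    """Compare what the user sees with what the OS will actually execute."""
    controls = sorted({f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS})
    real_name = "".join(c for c in name if c not in BIDI_CONTROLS)  # controls stripped; real extension
    shown = rendered_name(name)                                     # name the user reads
    real_ext, shown_ext = extension(real_name), extension(shown)
    return {
        "bidi_controls": controls,
        "real_name": real_name,
        "displayed_name": shown,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        # flag when a control character makes the visible extension lie
        "spoofed": bool(controls) and real_ext != shown_ext,
    }

if __name__ == "__main__":
    # The page's own example plus a benign name, for comparison.
    for sample in ("abc\u202etxt.exe", "report.pdf"):
        print(analyze_attachment(sample))
```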

Qbot Malware: Steals Your Data In 30 Minutes

 

The large-scale spread of the Qbot malware (aka QuakBot or Qakbot) has picked up speed recently; according to experts, it takes only around 30 minutes to steal sensitive data after the initial infiltration. The DFIR report suggests that Qbot was executing these fast data-stealing attacks in October 2021, and now it suggests that the hackers have resurfaced with similar strategies. In particular, researchers believe that it takes the threat actors around 30 minutes to steal browser information and emails from Outlook, and around 50 minutes to move to another workstation. 

The timeline suggests that Qbot moves fast to perform privilege escalation the moment an infection takes place, and a full-fledged reconnaissance scan can take up to ten minutes. Initial access in Qbot infections is generally obtained via phishing emails carrying malicious attachments, such as Excel (XLS) documents whose macro plants a DLL loader on the victim machine. Looking back, we have noticed that Qbot phishing campaigns use different infection file templates. Once launched, the Qbot DLL payload is injected into legitimate Windows processes, such as Mobsync.exe or MSRA.exe, to avoid detection. 

For instance, the DFIR report reveals that Qbot was injected into MSRA.exe and then created a scheduled task for privilege escalation. The malware also adds the Qbot DLL to Microsoft Defender's exclusion list so that it is not detected once injected into MSRA.exe. Qbot can steal emails within 30 minutes of the initial deployment, and these emails are later used for phishing attacks. Experts observed that Qbot is also capable of stealing Windows credentials by dumping Local Security Authority Server Service (LSASS) process memory, as well as credentials stored in various browsers. 

The stolen credentials are later used to spread the malware laterally to other devices on the network; dumping credentials took the malware only 50 minutes after execution. Bleeping Computer reports: "A Microsoft report from December 2021 captured the versatility of Qbot attacks, making it harder to evaluate the scope of its infections accurately. However, no matter how a Qbot infection unfolds precisely, it is essential to keep in mind that almost all begin with an email."

Washington State Database Breach May Expose Personal Data

 

The Washington State Department of Licensing stated that the personal information of possibly millions of licenced professionals may have been compromised, after discovering unusual activity on the online licencing system.

According to agency spokesperson Christine Anthony, the agency licences around 40 types of enterprises and professionals, ranging from auctioneers to real estate agents, and it temporarily shut down its web platform after discovering the activities in January. 

Social Security numbers, birth dates, and driver's licences could be among the information held on the POLARIS system. According to Anthony, the agency does not yet know whether such data was accessed or how many people may have been compromised. 

As per The Seattle Times, Anthony stated the agency has been working with the state Office of Cybersecurity, the state Attorney General's Office, and a third-party cybersecurity firm to determine the magnitude of the issue. 

Meanwhile, the POLARIS system's shutdown is creating problems for some professionals and businesses who need to apply for, renew, or update their licences. The outage occurs at a busy period for real estate brokers, appraisers, and home inspectors as the state's real estate market begins to recover from its seasonal slowdown. 

The extent of the breach is undetermined. According to Anthony, POLARIS processes data from 23 state-licensed professions and business types, and the agency has roughly 257,000 active licences in its system, including bail bonds brokers, funeral directors, home inspectors, and notaries. Anthony added that more records are likely to be uncovered as the investigation continues. 

The State Auditor's Office has set up a website with more details on the security breach as well as links to additional guidance and resources for protecting one's identity and credit. That website will be updated with the most recent information on a regular basis. Anyone with queries can contact the Auditor's Office dedicated call centre at 1-855-789-0673 from Monday to Friday, 8 a.m. to 5 p.m. Pacific Time.

The Cat and Mouse Chase of Account Takeovers

Cequence Security's Threat Research Team analyzed more than 21 billion application transactions between June and December 2021; API-based account registration and login transactions rose by 92 percent, reaching around 850 million. This highlights the fact that hackers cherish APIs as much as developers do. The same dataset shows that account takeover (ATO) attacks on login APIs grew by 62 percent. An ATO causes end users to panic when they get messages like "you have received a password reset notification from your favorite retailer/social media/financial institution because your account has been compromised." 

If you are ever hit by an ATO, you will probably not want to conduct business with the organization associated with the account. This hurts businesses by costing them valuable customers and also hits the bottom line through lost sales, brand damage, and infrastructure cost overruns. ATO techniques have evolved beyond credential stuffing, the high-volume technique most commonly used. ATO now includes low-and-slow attacks using specific usernames and passwords, which follow a pattern; for instance, attacks on organizations and employees with some social presence (recommendations, reviews, etc.). 

For these people, ATOs have become a constant problem. The goal here is not to steal sensitive information but to use the hijacked accounts to amplify negative or positive information. The patterns observed in these attacks have been seen earlier, in varying forms, in different customer environments. Bots go silent for a while but return to cause more damage. These bot behaviors suggest that botters work together, sharing ideas and studying weak vectors (such as deprecated APIs) to prepare for the next attack. 

A robust defense will require continuous monitoring, review of all endpoints (mobile and web API), and cooperation between security teams and their peers. "ATO is a problem that more and more organizations are facing as threat actors want to steal gift cards, access one-click purchasing, and dominate hype-sales to buy and resell the inventory. As we have seen through this analysis, the pace and vigor are on the rise. All organizations that have an authenticated application should consider monitoring for ATO, and build mitigations to ensure their customer satisfaction remains high," writes Jason Kent for Threat Post.

Telco Penalized €9 Million for Obscuring Cyberattack Impact from Customers

 

The Greek data protection authority fined COSMOTE 5,850,000 EUR ($6.55 million) and OTE 3,250,000 EUR ($3.65 million) for exposing sensitive customer data in a cyberattack. 

COSMOTE violated at least eight articles of the GDPR, according to the agency, including its responsibility to inform impacted customers of the full consequences of the incident. 

COSMOTE and OTE (Hellenic Telecommunications Organization) are both part of the OTE Group, Greece's largest technology company, which provides fixed and mobile telephony, broadband, and network communication services. 

COSMOTE launched an internal investigation in 2020 and discovered that a hacker had used LinkedIn to social engineer one of its employees and then used brute-forcing techniques to obtain the target's account credentials. According to the investigation's results, the attacker repeatedly used a Lithuanian IP address to access one of OTE's servers. On five consecutive occasions, the threat actor used the account credentials to extract database files; the stolen data amounted to 48GB. 

COSMOTE keeps call details on its servers for 90 days for service quality assurance and a further 12 months for statistical analysis that aids targeted service enhancement. The data protection authority's investigation found that the anonymization process wasn't done effectively and that the data retention periods weren't fully adhered to. 

The compromised server included sensitive subscriber information and call data for the dates September 1, 2020, to September 5, 2020. 

The following are some of the details that have been revealed: 
• Rough positional data of 4,792,869 unique COSMOTE subscribers. 
• Age, gender, plan, and ARPU of 4,239,213 unique COSMOTE subscribers. 
• MSISDN/CLI of 6,939,656 users of other telecommunication providers who communicated with customers of COSMOTE. 
• MSISDN, IMEI, IMSI, and connected tower position for 281,403 roaming subscribers of COSMOTE. 

In some circumstances, the above data could be utilised for highly targeted social engineering, phishing, and even extortion. For targeted subscribers who may be high-interest personalities, the consequences of the hacking attack could be substantial.