Search This Blog

Showing posts with label User Data Leak. Show all posts

Cyberattack Targets US Hospital in Texas

Just several weeks following one of the largest healthcare cyberattacks in the US, another hospital system was taken down by a ransomware attack. 

According to a report, OakBend discovered that cybercriminals had accessed its network and encrypted parts of its system on September 1, 2022. In reaction, OakBend started working on network restoration before getting in touch with a third-party data security organization to help with the business's investigation into the event.

The investigation revealed that OakBend Medical Center's computer system had been accessed without authorization and that the hackers had been able to delete some of the material that was accessible.

OakBend Medical Center started looking through the affected files after learning that private customer information had been made available to an unauthorized entity, in order to ascertain what information had been hacked and whose customers were impacted.

On October 28, the medical system notified the Department of Health and Human Services (HHS) of a data breach affecting approximately 500,000 people. The attack has been linked to the ransomware and data extortion gang Daixin Team.

The group, which was formed in June of this year, has financial motivations. Fitzgibbon Hospital in Missouri was its prior victim, and the gang claims to have stolen 40GB of confidential data, including personnel and patient records.

Additionally, CommonSpirit, which manages over 140 hospitals in the US, decided not to reveal the precise number of its locations that were experiencing delays. However, a number of hospitals have reported being impacted, including CHI Memorial Hospital in Tennessee, some St. Luke's hospitals in Texas, and Virginia Mason Franciscan Health in Seattle.

According to Brett Callow, a cybersecurity specialist at Emsisoft, ransomware has been used to breach 19 significant hospital chains in the United States this year.

OakBend stated: "Our analysis shows that only a small quantity of data was really transported outside of the OakBend computing environment, even though we are aware that the hackers had access to OakBend's servers to encrypt our data. However, it does seem that the cybercriminals were able to access or remove several employee data sets and some reports that contained the private and medical information pertaining to our present and past patients, employees, and connected individuals."

To all those whose information was affected as a result of the current data breach, OakBend Medical Center handed out data breach notifications on October 31, 2022.

Optus Data Breach: Australia’s Telco Giant Confirms Data of Millions of Users Compromised

 

Australia’s second largest Telecom Company, Optus has recently become a victim of a cyberattack that attack apparently led to the exposure of personal data of its current as well as former customers. According to Trevor Long, a Sydney-based tech analyst, the attack is the biggest breach of personal data from any Australian firm. 

The firm states that as soon as the attack was detected, it worked towards containing the attack, subsequently shutting it down before customers could suffer any harm. The company believes that one of the networks was still exposed to the test network with internet access. 

The data breach notification read, “Following a cyberattack, Optus is investigating the possible unauthorized access of current and former customer [..] Upon discovering this, Optus immediately shut down the attack.” 

In the wake of the attack, the firm confirmed that its customers' private data could be compromised since the attackers had an access to the customer identity database and opened it to other systems via Application Programming Interface (API). The firm further told that its network was accessed from an external source.  

The exposed data, as per the firm’s statement in a press release included customers’ names, dates of birth, contact numbers, email addresses, residential addresses, and identity documents numbers such as passport and driving licenses. The company’s services on the other hand, including mobile and home internet, have not been compromised and the attackers were void of access to messages and phone calls. 

Is Human Error Responsible For The Breach? 

At a media briefing, when asked about the possibility of a human error being responsible for the breach, Optus CEO Kelly Bayers Rosemarin stated that “I know people are hungry for details about the exact specificity of how this attack could occur, but it is the subject of criminal proceedings and so will not be divulging details about that.” 

The company has denied any claims of a human error that could execute this data breach. The CEO also apologized to the firm’s customers, stating it was challenging to offer immediate advice unless the case investigation was complete. 

The CEO also mentioned the strong cyber defense softwares invested in Telco pertaining to the attacks. She further said that this attack should be a wake-up call for all organizations in order to avoid becoming a victim of a data breach. 

California Gun Permit Website Exposes User Data

 

About the Data Leak

A state website in California disclosed private information of any user who registered for CCP (concealed Carry Weapons) permits during 2011-2021. The California Department of Justice says the incident happened last week, in the blunder, the US state's firearms dashboard portal was overwhelmed. 

Besides the portal breach, the data was also leaked on various other online dashboards like- Assault Weapon Registery, Dealer Record of Sale, Firearm Safety Certificate, Certified for Sale, Dealer Record of Sale, Gun Violence Restraining Order, and Firearm Safety Certificate dashboards. 

What are the experts saying?

"The California cyber-gaffe comes at a time when data privacy is at the forefront of the national debate, in large part because of the US Supreme Court's recent decision to overturn Roe vs. Wade, which has called into question what personal data is collected, retained — and potentially sold or shared," reports the Register. 

California Department of Justice says that data and dashboards were accessible to the public for 24 hours. The data leaked include Gender, Race, Date of Birth, driver's license info, criminal histories, and addresses. However, it didn't expose financial information and social security numbers. 

Info exposed in the Data Leak 

But still, some personal information may have been leaked on social media websites, says Fresno County Sheriff's Office, which found the data leak. The state DOJ will inform California users whose data was leaked and will give additional info and details about soon. It also includes credit monitoring services for impacted users. 

"I immediately launched an investigation into how this occurred at the California Department of Justice and will take strong corrective measures where necessary," said Rob Bonta, California Attorney General, in a statement. He also said that he was deeply sorry and unsettled by the incident. 

The office didn't address the issue immediately, denying to provide info about the number of users affected and a number of California residents that apply for concealed weapons permit every year but are denied. 

Tim Marley, VP for audit, risk, and compliance at Cerberus Sentinel said that "the failure to keep stakeholders' sensitive data confidential is coming with greater consequences for organizations in the United States."

NRA Reacts to Allegations of a Ransomware Campaign

 

Last year, the National Rifle Association — champion of gun-toting maniacs worldwide, admitted it was hacked by cybercriminals. The organization's political action committee (PAC) confirmed the attack in a filing to the Federal Election Commission on Friday. 

Last October, a ransomware group known as "Grief" boasted to the digital underworld about hacking into the gun lobby's networks and stealing critical internal papers. It released screenshots of documents it claimed to be stolen during the event. The NRA did not confirm or deny it had been hacked at the time. 

"The National Rifle Association does not talk about its physical or electronic security. The NRA, on the other hand, takes exceptional precautions to safeguard information about its members, funders, and operations, and is extremely cautious in doing so." Andrew Arulanandam, managing director of NRA Public Affairs. 

The NRA was added as a new victim on the ransomware gang's data site today, along with pictures of Excel spreadsheets revealing US tax information and transaction amounts. The threat actors also published a 2.7 MB archive called 'National Grants.zip,' which comprises bogus NRA grant applications. After Grief claimed it obtained 13 files supposedly from the NRA's databases, security researchers began posting about the breach on Wednesday. According to an analysis of the documents supplied, it included records from a recent NRA board meeting as well as grant documents. If the NRA did not pay an undisclosed ransom, it threatened to release more files. 

The Grief ransomware group is believed to be linked to Evil Corp, a Russian hacking group. Evil Corp has been active since 2009 and has been involved in a variety of destructive cyber activities, including the spread of the Dridex trojan, which was used to steal online banking credentials and money. 

In 2017, the hacking gang published BitPaymer, ransomware which was later renamed DoppelPaymer in 2019. The US Department of Justice charged members of the Evil Corp with stealing more than $100 million and adding the cyber group to the Office of Foreign Assets Control (OFAC) sanction list after years of attacking US interests. 

Soon after, the US Treasury cautioned ransomware negotiators may face civil penalties if anyone helped gangs on the blacklisted list get ransom payments. To avoid US sanctions, Evil Corp has been spreading new ransomware strains under different identities on a regular basis since then.WastedLocker, Hades, Phoenix CryptoLocker, PayLoadBin, and, quite recently, the Macaw Locker are among the ransomware families.

NRA members should take precautions to protect themselves from any penalties which may occur as a result of this breach, according to Paul Bischoff, a privacy advocate at Comparitech. With the Grief ransomware group emerging, security researchers believe it is another version of DoppelPaymer due to the code similarities. Because Grief is related to Evil Corp, ransomware negotiators are unlikely to allow ransom payments unless the victim first obtains OFAC certification.

Doxy.me is Resolving a Data Leak that Exposed Patient Information to Facebook and Google

 

Doxy.me, a telehealth platform, is correcting an issue that allowed three third-party firms to obtain the names of some patients' providers. After examining the platform, privacy researcher Zach Edwards discovered that the company, which self-reports as having 30% of the growing US telemedicine market and is currently used by over 1 million providers worldwide, appeared to be sharing IP addresses and unique device identification numbers with Google, Facebook, and the marketing software company HubSpot. 

When patients clicked on a link to the platform's "virtual waiting room" service, which connects patients with medical professionals, the sensitive user data became available. According to Edwards, Doxy.me appears to have attempted to remove the doctor name from URLs given to third parties, but the three companies used particular technical loopholes to obtain the complete URL, which included the doctor names. There was no breach of patient health information.

Working with third parties like Google and Facebook to maximize data analytics and marketing poses dangers that are distinct from encrypting patient sessions or requiring strong passwords for Doxy.me. Regulators and lawmakers have shown a desire to address the privacy concerns raised by telehealth apps. In September, the Federal Trade Commission issued guidelines that would punish health applications for failing to tell consumers about the sharing of personal information without their permission. 

“As soon as you start sharing data, networks, there are some things that are out of your control and much of the responsibility here is on the ad networks themselves,” said Rykov, of the Mozilla Foundation. “They operate like a black box, we don’t really know what their algorithm is doing and what they’re capable of.” 

The problem raises broader concerns about data security in the telehealth industry. Google and Facebook use metadata gathered from throughout the web to categorize people into "audiences." Companies employ metadata collected across websites to construct audience groups, sometimes known as "lookalike" or "similar" audiences, to assist advertising customers target audiences they are attempting to reach. A marketing customer can then utilize this technique to increase the size of its own audience list. 

Such data sharing puts users in danger of being inadvertently grouped with other patients by Google and Facebook's advertising platforms, potentially providing sensitive information about a patient's condition to the companies' algorithms. Advertisers could therefore target individuals with adverts that were personalised to their specific medical issues.

California Pizza Kitchen Spilled 100K+ Employee SSNs in Data Breach

 

California Pizza Kitchen (CPK) data breach exposed the names and Social Security numbers (SSNs) of over 100,000 current and past workers.

According to a Data Breach Notification released on the Maine Attorney General's website, the "external system breach" happened on Sept. 15 at the popular U.S. pizza chain, impacting 103,767 people. CPK was formed in 1985 in Beverly Hills, California, and now has over 250 locations across 32 states. As per the statement, CPK identified suspicious behaviour in its computing environment on or about Sept. 15 and responded swiftly to mitigate and investigate the incident with third-party IT professionals. 

The company stated in the notice CPK sent to affected residents of Maine, “CPK immediately secured the environment and … launched an investigation to determine the nature and scope of the incident.” 

Following the notice, by Oct. 4, investigators had determined that some files on CPK's computers "could have been accessed without authorization." According to the company, by the end of the initial investigation on Oct. 13, it was evident that the breach had provided attackers with the names of previous and present employees, as well as their Social Security numbers. 

On Monday, Nov. 15, CPK notified all persons affected by the incident. According to the firm, there is no evidence that the information acquired has been misused by cybercriminals at this time. There have been no details released concerning the sort of breach that happened or how the attackers gained access to the system. CPK did not respond to Threatpost's request for comment on the incident right away.  

The firm is presently assessing existing security standards and has adopted additional measures – such as safeguards and employee training – to assist avoid future instances. 
 
Employee training, as per one security expert, is a critical component of preventing breaches like these, which are all too often at firms that have sensitive information on their networks but generally employ personnel who have no specialized expertise in how security breaches occur. 

Al-Khalidi, co-founder and co-CEO of security firm Axiad, stated in an email to Threatpost, “Every business like California Pizza Kitchen possesses valuable PII data which makes them a prime target for attackers. To help protect against attacks, enterprises need to ensure their employees practice good cybersecurity hygiene.” 

He believes that ongoing training may help reinforce a company's overall security defense by preventing employees from falling prey to phishing or other socially engineered assaults that can bring a whole IT system down.

Over 2.6 Million Data of Instagram and TikTok Users Exposed by Data Scrapers

 

Security researchers detected over two million social network user accounts scraped from the internet after they were unintentionally posted online by an analytics firm. 

Anurag Sen's team at reviews site SafetyDetectives discovered the data on a misconfigured Elasticsearch server that had been left accessible with no password security or encryption in place. It instantly traced the 3.6GB trove of over 2.6 million TikTok and Instagram accounts to IGBlade, a company that delivers marketing information on social media users to its clients. 

The researchers wrote, “The scraped data of users on the server is the same data that features each user’s corresponding IGBlade.com page, and the database often provides links back to IGBlade,” this is how we know the database belongs to IGBlade.com.” 

Although data scraping is not unlawful, and all of the user information in the leaked database was publicly available, it violates TikTok and Instagram's terms of service. The breach might also benefit cyber criminals, who can use the enormous amount of user information collected in one place to facilitate mass social engineering and fraud schemes. 

As per the report, the compromised data was publicly available online for more than a month before the research team discovered it and contacted IGBlade. The Romanian company obtained it on the same day, July 5. 

The database contained complete names and usernames, profile images, "about" information, email addresses, phone numbers, and geographical data. Celebrities such as Alicia Keys, Ariana Grande, Kim Kardashian, Kylie Jenner, and Loren Gray have all been caught up in the privacy issue. 

According to SafetyDetectives, the disclosure might find IGBlade in hot water with the two social media behemoths. Furthermore, if thieves had access to the trove, they might utilise it in subsequent phishing attempts and bulk robocalling frauds.  They might even utilise the collected profile pictures to build new bogus profiles for disinformation and fraud operations. 

SafetyDetectives stated, “Data scraping can make information for thousands or millions of users instantly accessible, as it’s all stored in the same place. For example, navigating logs in a database is a far quicker solution than navigating between each user on a social media site.” 

“In this case, cyber-criminals can use data scraping as a cybercrime accelerant rather than an enabler. It can accelerate the speed and scope of hackers’ criminal activities.”

Thingiverse, 3D Printing Site Suffered Data Breach

 

The Thingiverse website has suffered a data breach which resulted in the email addresses of nearly 228,000 users surfacing on black-hat crime websites. 

Have I Been Pwned (HIBP), whose administrator Troy Hunt was informed off to the breach's dissemination on the forums, published the 228,000 hacked email addresses to the site, which led to the news coming to notice. 

The 36 GB data cache, which was first disclosed in October 2020, is reported to contain unique email addresses as well as other information that might be used to identify people. Whereas these details have been floating around the internet for over a year, data breach notification service provider 'Have I Been Pwned' has now discovered proof that they are "extensively circulating within the hacking community." 

On Twitter, Hunt said that the leak had exposed more than two million email addresses. He clarified that the bulk of the email addresses were webdev+$username@makerbot[.]com, which looked to be generated by Thingiverse itself based on their structure. 

Thingiverse that hosts free-to-use 3D printer designs is managed by Makerbot, a 3D printing company that was previously featured on these web pages in 2015 when it announced layoffs despite failing to fulfill "ambitious goals" 

Hunt stated on Twitter that Makerbot was unresponsive to his private overtures, prompting him to go public in the hopes of persuading someone that the source of the hack should be closed down. 

"We became aware of and have addressed an internal human error that led to the exposure of some non-sensitive user data for a handful of Thingiverse users. We have not identified any suspicious attempts to access Thingiverse accounts, and we encouraged the relevant Thingiverse members to update their passwords as a precautionary measure. We apologize for this incident and regret any inconvenience it has caused users. We are committed to protecting our valued stakeholders and assets, through transparency and rigorous security management," Thingiverse told The Register. 

Amazon's Twitch Blames Server Error for Massive Data Leak

 

Twitch disclosed a massive data breach on Wednesday, attributing it to an "error in a Twitch server configuration change" that exposed certain data to the internet. 

The purportedly stolen material includes the source code for Amazon's streaming platform, reports on creator payments, and information regarding an unannounced Steam competitor from Amazon Game Studios. Twitch acknowledged the incident in a tweet on Wednesday. The firm will provide further information in a blog post later, stating that it is still trying to determine the entire scope of the event. 

The company wrote, "We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party." 

"Our teams are working with urgency to investigate the incident." 

Twitch said there's no indication that login credentials were exposed. The streaming platform also said, "full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed." 

Twitch's brief statement demonstrates that the company is in full crisis mode. IT professionals and security specialists are still attempting to determine the severity of the data breach. The attack was caused by a "server configuration" issue, according to the explanation. In other words, someone misconfigured the computers that contain Twitch's sensitive data, allowing hackers to discover and download it. 

The organization has not yet stated when this error occurred. Some of the stolen data dates back three years, so the computers might have been a victim for a while - or the error could have just left the door open for a few days or weeks. Attackers are always searching and analyzing the internet for open databases, and someone may likely have informed hackers about the internal IT mistake. 

Making these types of blunders, however, is costly, especially when the target is as large as Twitch. Numerous streamers informed BBC News that the payment data was correct for their own earnings and this poses issues for the firm. Candid Wuest from cyber-security company Acronis stated, "A lot more damage is now in store for Twitch. The breach is already harming Twitch on all the fronts that count." 

The leaked data "could contain nearly the full digital footprint of Twitch, making it one of the most severe data breaches of late." "Releasing payout reports for streaming clients will not make the influencers happy either," Mr. Wuest added. 

The download released online is also labeled "part one," implying that there may be more data to be published on the internet.

Private Details of 63,126 Health Employees Compromised in Navistar Data Breach

 

After four months of detailed analysis, US truck manufacturer Navistar has confirmed a data breach on its systems that exposed the details of 63,126 healthcare employees. 

Navistar straight away implemented its cybersecurity response program after learning of a data breach on May 20. The manufacturer also collaborated with third-party cybersecurity specialists to discover the nature and extent of the security breach. 

Ten days later, the American manufacturer received information regarding the exfiltration of data from its systems. In the first week of June, the healthcare provider filed 8-K papers with the US Security and Exchange Commission, alerting investors regarding the data breach. The notification generated press coverage about the incident from Reuters and other media outlets, as investigators continued to examine the impact of the incident.

The investigation into the data theft confirmed on August 20, 2021, that the stolen files contained the protected health information of present and former members of Navistar Health Plan and the Navistar Retiree Health Benefit and Life Insurance Plan. 

According to a statement by Navistar, the exfiltrated data possibly contained names, addresses, birth dates, and data linked with participation on the medical and insurance policies, which might have contained certain health-related data like the names of healthcare providers and prescription medications. 

The stolen private details are commonly used and traded by attackers because it offers a means to run more convincing phishing scams and to apply for fraudulent lines of credit under false names, researchers explained.

Navistar claimed it has strengthened the security after the data breach, which includes using the latest technologies and performing additional training for the employees. Security controls will still be assessed and kept up to date as necessary to avoid further disruptions. 

Earlier in July, Navistar sent notification letters to the victims to advise them regarding the data breach. The company is also providing a 2-year free membership to credit monitoring and identity theft protection services to persons whose Social Security number was affected in the attack.

Additionally, the healthcare provider sent the breach report to the Maine Attorney General suggesting that 63,126 persons were affected. The breach report was also submitted to the Department of Health and Human Services’ Office for Civil Rights stating that 49,000 plan members’ PHI was exposed.

Payment API Flaws Exposed Millions of Users’ Data

 

Researchers discovered API security flaws impacting several apps, potentially exposing the personal and financial information of millions of consumers. 

According to CloudSEK, around 250 of the 13,000 apps published to its BeVigil "security search engine" for mobile applications utilize the Razorpay API to conduct financial transactions. 

Unfortunately, it was discovered that about 5% of these had disclosed their payment integration key ID and key secret. This is not an issue in Razorpay, which caters over eight million businesses, but rather with how app developers are misusing their APIs.

Many of the applications exposing API keys have over a million downloads, including those in health and fitness, eCommerce, travel and hospitality, healthcare, and pharma. The applications are based in India, where CloudSEK is also situated. Here is a list of the applications that are affected:
  • One of India’s leading steel trading companies
  • Online grocery app 
  • Nepalekart (Instant Recharge to Nepal): Now remediated 
  • Top education app in south India 
  • Gold merchant 
  • Health app 
The company explained, “When it comes to payment gateways, an API key is a combination of a key_id and a key_secret that are required to make any API request to the payment service provider. And as part of the integration process, developers accidentally embed the API key in their source code. While developers might be aware of exposing API keys in their mobile apps, they might not be aware of the true impact this has on their entire business ecosystem.” 

“CloudSEK has observed that a wide range of companies — both large and small — that cater to millions of users have mobile apps with API keys that are hardcoded in the app packages. These keys could be easily discovered by malicious hackers or competitors who could use them to compromise user data and networks.” 

The compromised data might include user information such as phone numbers and email addresses, transaction IDs and amounts, and order and refund details. 

Furthermore, since similar apps are typically linked with other programmes and wallets, CloudSEK cautioned that much more could be at risk. 

According to the organization, malicious actors may utilise the leaked API information to execute mass purchases and subsequently start refunds, sell stolen information on the dark web, and/or conduct social engineering operations such as follow-up phishing campaigns. 

All ten of the compromised APIs have now been disabled. Nonetheless, CloudSEK encouraged developers to consider the possible effect of such vulnerabilities early in the development process.  

This is due to the fact that invalidating a payment integration key would prevent an app from functioning, resulting in substantial user friction and financial loss. 

CloudSEK concluded, “Given the complexities of regenerating API keys, payment providers should design APIs such that, even if the key has not been invalidated, there are options to minimize the permissions and access controls of a given key.” 

“App developers should be given a mechanism to limit what can be done using a key at a granular level, like AWS does. AWS has put in place identity and access management (IAM) policies that can be used to configure the permissions of every operation on an S3 bucket. This practice should be more widely adopted to minimize what threat actors can do with exposed API keys.”

UN Computer Networks Breached by Hackers Earlier This Year

 

Hackers breached the United Nations' computer network and stole data, according to researchers at cybersecurity firm Resecurity, 

According to Bloomberg, the theft's unknown perpetrators appear to have acquired access by simply stealing login credentials from a UN employee. 

Logging into the employee's Umoja account provided access. The enterprise resource planning system Umoja, which means "unity" in Kiswahili, was deployed by the United Nations in 2015. The login and password used in the cyber-attack are believed to have been obtained from the dark web. 

Gene Yoo, chief executive officer at Resecurity, stated, “Organizations like the UN are a high-value target for cyber-espionage activity. The actor conducted the intrusion with the goal of compromising large numbers of users within the UN network for further long-term intelligence gathering.” 

Researchers discovered that hackers initially gained access to the UN's networks on April 5, 2021, and that network breaches lasted until August 7. Based on the findings, the attackers did not seem to have harmed or disrupted the UN's computer network. Instead, the hackers seem to have been motivated by a desire to gather information. 

After reporting the security issue to the UN, Resecurity stated it worked with the UN's security team to evaluate the extent of the intrusion. While the UN claims that the assault was a reconnaissance operation by hackers who just captured screenshots of the organization's vulnerable network. The breach resulted in the theft of data, as per the Resecurity experts. 

The UN discontinued interacting with Resecurity, according to Yoo, when proof of data theft was provided to the organization. 

Hackers have previously attacked the United Nations and its agencies. In 2018, Dutch and British law enforcement prevented a Russian cyberattack on the Organisation for the Prohibition of Chemical Weapons (OPCW), which was investigating the deployment of a lethal nerve agent on British territory. 

According to a Forbes article, the UN's "core infrastructure" was hacked in a cyberattack in August 2019 that targeted a known flaw in Microsoft's SharePoint platform. The breach was not made public until the New Humanitarian newsgroup published the news. 

In the context of the latest breach, UN spokesman Farhan Haq told DailyMail.com, “This attack had been detected before we were notified by the company cited in the Bloomberg article, and corrective actions to mitigate the impact of the breach had already been planned and were being implemented.” 

“At that time, we thanked the company for sharing information related to the incident and confirmed the breach to them.” 

Haq added that the United Nations is often targeted by cyber-attacks, including sustained campaigns.

Autodesk Disclosed it was Targeted in SolarWinds Hack

 

Autodesk has disclosed that it was also targeted by the Russian state hackers behind the large-scale SolarWinds Orion supply-chain assault, nearly nine months after finding that one of its servers had been compromised with Sunburst malware. 

It is an American multinational software corporation that makes software products and services for the architecture, engineering, construction, manufacturing, media, education, and entertainment industries. 

In a recent 10-Q SEC filing, Autodesk stated, "We identified a compromised SolarWinds server and promptly took steps to contain and remediate the incidents." 

"While we believe that no customer operations or Autodesk products were disrupted as a result of this attack, other, similar attacks could have a significant negative impact on our systems and operations." 

While the company went on to state that there was no additional damage to its systems, the company's announcement of the breach in its most recent quarterly results serves as a reminder to the world of how widespread the SolarWinds supply chain breach was. 

An Autodesk spokesperson told BleepingComputer that the attackers did not deploy any other malware besides the Sunburst backdoor, likely because it was not selected for second stage exploitation or the threat actors didn't act quickly enough before they were detected. 

The spokesperson stated, "Autodesk identified a compromised SolarWinds server on December 13. Soon after, the server was isolated, logs were collected for forensic analysis, and the software patch was applied. Autodesk’s Security team has concluded their investigation and observed no malicious activity beyond the initial software installation." 

One of 18000 tech firms targeted in a large-scale cyber attack

SolarWinds' infrastructure was hacked as a result of a supply-chain assault conducted by the Russian Foreign Intelligence Service's hacking division (aka APT29, The Dukes, or Cozy Bear). 

The attackers trojanized the Orion Software Platform source code and build issued between March 2020 and June 2020 after obtaining access to the company's internal systems. These malicious builds were then used to deploy the Sunburst backdoor to around 18,000 clients, but fortunately, the threat actors only chose a small number of people for second-stage exploitation. 

Before the assault was revealed, SolarWinds stated to have 300,000 clients globally, including over 425 US Fortune 500 firms and all top 10 US telecom corporations. 

A long list of government agencies was also among the company's clients (the US Military, the US Pentagon, the State Department, NASA, NSA, Postal Service, NOAA, the US Department of Justice, and the Office of the President of the United States). 

The US Department of Justice was the latest US official agency to reveal that during last year's SolarWinds global hacking spree, 27 US Attorneys' offices were compromised. 

Although Autodesk was not the only big corporation attacked in the SolarWinds breach, other companies such as Cisco, VMware, Intel, and Nvidia revealed similar issues in December.  

Chinese Android Game Developer Exposes Data of Over 1 Million Gamers

 

The Chinese developers of famous Android gaming applications exposed user information via an unprotected server. As per the report shared by vpnMentor's cybersecurity team, headed by Noam Rotem and Ran Locar, identified EskyFun as the owner of a 134GB server exposed and made public online.

Rainbow Story: Fantasy MMORPG, Adventure Story, The Legend of the Three Kingdoms, and Metamorph M are among the Android games developed by EskyFun. 

According to the team on Thursday, the users of the following games were included in the data leak and altogether they have over 1.6 million downloads combined: 
-Rainbow Story: Fantasy MMORPG
-Metamorph M
-Dynasty Heroes: Legends of Samkok u 

According to the researchers, the supposed 365,630,387 records included data from June 2021 onwards, exposing user data gathered on a seven-day rolling basis. 

As per the team, when their software is downloaded and installed, the developers impose aggressive and highly troubling monitoring, analytics, and permissions settings, and as a consequence, the variety of data gathered was considerably more than one would imagine mobile games to need. 

The records constituted IP and IMEI data, device information, phone numbers, the operating system in use, mobile device event logs, whether or not a smartphone was rooted; game purchase and transaction reports, email addresses, EskyFun account passwords, and support requests. 

vpnMentor estimates that up to or more than, one million users' information may have been compromised. 

On July 5, the unprotected server was detected, and EskyFun was approached two days later. However, after receiving no answer, vpnMentor tried again on July 27. 

Due to the continued inaction, the team was forced to contact Hong Kong CERT, and the server was safeguarded on July 28. 

The researchers commented, "Much of this data was incredibly sensitive, and there was no need for a video game company to be keeping such detailed files on its users. Furthermore, by not securing the data, EskyFun potentially exposed over one million people to fraud, hacking, and much worse."

Reindeer Leak Personal Data of 3,00,000 Users In A Breach

 

WizCase's cybersecurity group discovered a prominent breach impacting Reindeer, an American marketing company that previously worked with Tiffany & Co., Patròn Tequila, and other companies. Led by Ata Hakçil, the group revealed that the breach leaked customer names, DOB, email ids, phone numbers, address, etc. The cybersecurity experts found a misconfigured Amazing S3 bucket that belonged to Reindeer.

It contained around 50,000 files and a total of 32 GB of data. Reindeer is currently a defunct American advertising company. Being a defunct company, it owns the bucket, so researchers had to contact Amazon for information about the breach as it is the only source that could provide details about the attack. The team also informed US-Cert, in hopes that it would contact the previous company owner. The misconfigured S3 bucket contained data of around 3,00,000 customers of Reindeer clients. Patròn was the top client with the highest number of customer PII (Personal Identifiable Information) leaked, however, other Reindeer clients were also affected, such as Jack Wills, a UK clothing brand. It seems that it has become an easy task to misconfigure permission/access errors in cloud-based deployments. 

The companies that are set to work on cloud-based platforms should have a robust cybersecurity system that keeps an eye on such breaches and informs about any potential error in the cloud infrastructure. The leaked information contains details of around 3,60,009 customers and profit photos of 1400 users. PPI include customer names, address, DOB, e-mail ids, Facebook Ids, and hashed passwords. As per the experts, 35 countries' users were included in the breach, the top three being Canada, the US, and Britain, having around 2,80,000 affected users. 

"The leaked data dates from May 2007-February 2012. The public cloud brings a whole host of new issues to which organizations are still adapting. The case of the Reindeer breach raises serious questions about the shared responsibility model and certainly highlights the need for a layered defense. When it comes to PaaS services, like S3, organizations must implement network-based access controls and apply security policies to protect against sensitive data exfiltration,” said Valtix CEO Douglas Murray.

Personal Information of 2,000 FOID Cardholders Compromised in ISP Website Breach

 

The Illinois State Police are notifying Firearm Owners Identification cardholders regarding a possible data breach after attackers attempted to breach the agency's Police FOID card portal.

According to ISP officials, the personal information of about 2,000 FOID cardholders, or about .0008% of the total number of FOID cardholders in the state, may have been compromised in the attempted hack. Those people will be contacted, the agency said in a news release.

“The software vendor determined that using previously stolen personal data to access existing accounts, unauthorized users may or may not have accessed additional “auto-populated” personal identifiers unique to that account and card such as the last four of a social security number. 2,067 FOID card holders, less than .0008 % of total cardholders, were possibly impacted by these attempts. In accordance with state law and out of an abundance of caution, all affected persons were sent a notice and issued a new card at no cost, according to the news release.

The ISP has strengthened its online security requirements and is limiting the use and access of personal information that FOID card applicants submit in their online FOID account that could match Illinois resident personal identification information unlawfully obtained from any number of previous cyber breaches. The personal information did not come from their systems and servers, ISP officials said after an investigation. 

The FOID website software vendor, working with ISP, recently determined unauthorized persons were attempting to use this type of previously unlawfully obtained personal information to match with and access existing FOID online account information to add further detail to their existing stolen data, the release read. 

The site is back online and is accepting applications. The residents who want to buy and own firearms and ammunition possess a Firearm Owners Identification card issued by Illinois State Police. For more than 18 months, the state has been delayed in processing applications for the required ID, with many waiting months, the agency said. 

“I’d rather there not be a database somewhere of gun owners and their addresses. It doesn’t take that much imagination to figure out how that information can be used in ways that increase the risk to those persons,” Cybersecurity consultant John Bambenek said while raising questions regarding cybersecurity.

WhatsApp CEO: US Allies' National Security Officials Targeted with NSO Malware

 

According to WhatsApp CEO Will Cathcart, governments used NSO group malware to target high-ranking government officials all around the world. 

Cathcart addressed the spyware assaults discovered by the Project Pegasus inquiry with The Guardian, noting they are similar to a 2019 attack against 1,400 WhatsApp users. 

Cathcart added, “The reporting matches what we saw in the attack we defeated two years ago, it is very consistent with what we were loud about then. This should be a wake-up call for security on the internet … mobile phones are either safe for everyone or they are not safe for everyone.” 

NSO Group's military-grade spyware is suspected of being utilized against heads of state, cabinet members, activists, and journalists. Over 50,000 phone numbers have been leaked from the Pegasus project's central breach. The inclusion of a person's phone number on the list, however, does not always indicate that they were efficiently targeted, according to The Guardian. 

The leak is said to have included French President Emmanuel Macron, although NSO denies that none of its clients targeted Macron. The IT company also stated that the reported 50,000 figure was overstated. 

Cathcart, on the other hand, tried to refute this portrayal, stating that his firm had documented a two-week-long attack in 2019 that affected 1,400 customers. He added, “That tells us that over a longer period of time, over a multi-year period of time, the numbers of people being attacked are very high. That’s why we felt it was so important to raise the concern around this.” 

According to The Guardian, WhatsApp lodged a lawsuit against NSO in 2019, saying that the corporation had transmitted malware to its customers' phones. NSO, an Israeli firm, argued that the responsibility should be put on its customers who are the foreign government. 

“NSO Group claims that a large number of governments are buying their software, that means those governments, even if their use of it is more controlled, those governments are funding this," Cathcart stated. "Should they stop? Should there be a discussion about which governments were paying for this software?” 

The NSO spokesperson told The Guardian, "We are doing our best to help to create a safer world. Does Mr. Cathcart have other alternatives that enable law enforcement and intelligence agencies to legally detect and prevent malicious acts of pedophiles, terrorists, and criminals using end-to-end encryption platforms? If so, we would be happy to hear."

Olympic Ticket Data Leaked, Says Japanese Government

 

Following a breach, user IDs and passwords for the Tokyo Olympic ticket gateway were released on a leak website, a government official told Kyodo News on Wednesday. The leak was "not huge," according to the source, but the IDs and passwords might provide someone access to a person's name, address, bank account information, and other personal information. 

The government source, who spoke on the condition of anonymity, said the organizing body for the Games has initiated an investigation. The hack reportedly includes the names, addresses, and bank account information of individuals who purchased Paralympic tickets, as well as a volunteer portal. They did not specify how many accounts were compromised. The leak was revealed as Japanese musician Keigo Oyamada resigned this week from the team producing Friday's Olympic opening ceremony after admitting to previously bullying and abusing children with disabilities, and as organizers struggle to turn public opinion in their favor in the wake of the coronavirus pandemic. 

Some people on the internet denied the accusations of a breach. "There are no postings on any of the forums demonstrating direct information leaks," Twitter user pancak3 said after finding accounts for those registration sites on Dark Web markets. He went on to say that the data was not stolen as a consequence of a breach, but rather as a result of attacks using the RedLine virus and other data thieves. 

The announcement came just one day after the FBI issued a private industry alert warning organizations working with the Tokyo 2020 Summer Olympics to prepare for a wave of "DDoS attacks, ransomware, social engineering, phishing campaigns, or insider threats to block or disrupt live broadcasts of the event, steal and possibly hack and leak or hold hostage sensitive data, or impact public or private digital infrastructure supporting the Olympics."

"Malicious activity could disrupt multiple functions, including media broadcasting environments, hospitality, transit, ticketing, or security," the FBI notice said on Tuesday. "The FBI to date is not aware of any specific cyber threat against these Olympics, but encourages partners to remain vigilant and maintain best practices in their network and digital environments." 

The notice goes on to mention the Pyeongchang cyberattack, which occurred during the 2018 Winter Olympics in Pyeongchang, South Korea, during which Russian hackers used the OlympicDestroyer malware to disrupt web servers during the opening ceremony. According to the notice, the hackers "obfuscated the true source of the malware by emulating code used by a North Korean group, creating the potential for misattribution." Six Russian intelligence operatives were indicted by the Justice Department in October for the attack on the Pyeongchang Winter Olympics.

Fraudsters are Mailing Modified Ledger Devices to Steal Cryptocurrency

 

Scammers are mailing fraudulent replacement devices to Ledger customers who were recently exposed in a data breach, which are being used to steal cryptocurrency wallets. 

With increased cryptocurrency values and the use of hardware wallets to secure crypto funds, Ledger has become a frequent target for scammers. After receiving what appears to be a Ledger Nano X device in the mail, a Ledger user published a devious fraud on Reddit. The gadget arrived in authentic-looking packaging with a sloppy letter claiming that it was sent to replace their existing device as their customer information had been leaked online on the RaidForum hacker community. 

"For this reason for security purposes, we have sent you a new device you must switch to a new device to stay safe. There is a manual inside your new box you can read that to learn how to set up your new device," state the fake letter from Ledger. 

"For this reason, we have changed our device structure. We now guarantee that this kinda breach will never happen again." 

Despite the fact that the letter contained numerous grammatical and spelling issues, the information for 272,853 persons who purchased a Ledger device was published on the RaidForums hacking site in December 2020. This provided a slightly convincing reason for the new device's arrival. 

A shrinkwrapped Ledger Nano X box was also included in the package, containing what appeared to be a genuine device. After becoming skeptical of the device, they opened it and posted photos of the printed circuit board on Reddit, which clearly indicated the modification of devices. 

Mike Grover, a security researcher, and offensive USB cable/implant expert informed BleepingComputer that the threat actors added a flash drive and hooked it to the USB port based on the photos. 

Grover told BleepingComputer in a conversation about the photographs, "This appears to be a simple flash drive slapped on to the Ledger with the purpose of being for some form of malware delivery." 

"All of the components are on the other side, so I can't confirm if it is JUST a storage device, but.... judging by the very novice soldering work, it's probably just an off-the-shelf mini flash drive removed from its casing." 

As per the image examining, Grover highlighted the flash drive implant connected to the wires while stating, "Those 4 wires piggyback the same connections for the USB port of the Ledger." 

According to the enclosed instructions, it instructs people to connect the Ledger to their computer, open the drive that appears, and execute the accompanying application. The person then enters their Ledger recovery phrase to import their wallet to the new device, according to the guidelines. 

A recovery phrase is a human-readable seed that is used to produce a wallet's private key. Anyone with this recovery phrase can import a wallet and gain access to the cryptocurrency contained within it. After entering the recovery phrase, it is sent to the attackers, who use it to import the victim's wallet on their own devices to steal the contained cryptocurrency funds. 

This fraud is acknowledged by Ledger and they issued warnings about it in May on their dedicated phishing website. 

Recovery phrases for Ledger devices should never be shared with anybody and should only be input directly on the Ledger device the user is trying to recover. The user should only use the Ledger Live application downloaded straight from Ledger.com if the device does not allow to enter the phrase directly. 

Ledger customers flooded with scams: 

In June 2020, an unauthorized person gained access to Ledger's e-commerce and marketing databases, resulting in a data breach. 

This information was "used to send order confirmations and promotional mailings — largely email addresses, but with a subset that also included contact and order details including first and last name, postal address, email address, and phone number." 

Ledger owners began getting several of the phishing emails directing them to fraudulent Ledger apps that would fool them into inputting their wallet's recovery codes. After the contact information for 270K Ledger owners was disclosed on the RaidForums hacker community in December, these scams became more common. 

The leak resulted in phishing operations posing as new Ledger data breach notifications, SMS phishing texts, and software upgrades on sites imitating Ledger.com.

Data of 6 Million Battle for the Galaxy Players Leaked

 

WizCase security experts recently uncovered an unsecured ElasticSearch server owned by AMT Games, a Chinese mobile and browser game company, that exposed 5.9 million Battle for the Galaxy users' accounts, as well as 2 million transactions and 587,000 feedback messages. 

Despite the fact that AMT Games used the server to store profile information, payment history, and feedback messages for millions of Battle for the Galaxy players, the researchers discovered that data stored in the ElasticSearch server was not encrypted and the server was not secured with a password. 

AMT Games, which has a slew of mobile and social games with tens of millions of downloads, exposed 1.5TB of data through an Elasticsearch server. AMT Games Ltd. is a renowned mobile and browser-based online game company based in China. It creates games for Android, iPhone, Steam, and web browsers. Battle for the Galaxy, Heroes of War: WW2 Idle RPG, Epic War TD2, and Trench Assault are among of the company's most popular games. 

Player IDs, usernames, country, total money spent on the game, and data from Facebook, Apple, or Google accounts if the user linked them to their gaming account are often included in profiles. Account IDs, feedback ratings, and users' email addresses are all included in feedback messages. 

According to WizCase, transaction data includes price, item purchased, time of purchase, payment provider, and occasionally buyer IP addresses. Users who had their data exposed were advised that it could have been snatched up by opportunistic cyber-criminals looking for misconfigured databases. It went on to say that information on how much money people have spent on the site might help fraudsters target the biggest spenders. 

WizCase warned that "it is common for unethical hackers and criminals on the internet to use personal data to create trustworthy phishing emails. The more information they possess, the more believable these emails look." Bad actors could utilize personal information like email addresses and user difficulties with the service to "pose as game support and send users to fraudulent websites where their credit card credentials can be stolen," according to the report. 

The company advised players to enter as little personal information as possible when purchasing or setting up an account, and parents not to lend their credit cards to their children. WizCase stated that it notified AMT Games of the data breach but received no response. Access to the database was later disabled by the company.