
A Security Breach in the Shas Database Could Expose Millions of Records


According to top experts in the cybersecurity field, there has been a major security breach in the Shas Party's computerized election management system. This leaves it vulnerable to easy exploitation even for those with only a basic understanding of cybersecurity. 

Following an anonymous leak received on the Cyber podcast hosted by Ido Kinan and Noam Rotem, it has been revealed that the system has been breached. This has not only compromised the data of Shas activists and supporters but has also compromised the information of all Israeli citizens who are eligible to vote. Following that, Ran Bar-Zik, a software architect at the company, verified the findings.

According to a report by Calcalist, the anonymous leaker found the vulnerability with an automated scanning tool of the kind that detects such weaknesses. 

The information held in the system is just as disturbing as the breach itself: detailed personal details, such as family ties, phone numbers, and bank account numbers, not included in the voter register, of millions of Israeli citizens. 

The entry point was a PHP debugging tool that had been left reachable online for nearly four years. It has a known vulnerability, and an ordinary web browser is all that is needed to exploit it, so no sophisticated tools are required. 

A debugger should only be enabled during the testing phase and must be disabled before the system goes into production. When it is left active on a live system, all it takes to get in is adding a few characters to the website address to reach the debugger's location and performing a few other simple actions that require little computer knowledge. 

Even though the hole has since been closed, it is impossible to determine whether the information in the system had already been compromised before it was patched. Because the weakness was easy to exploit and was found without much effort, there is real concern about who else may now hold the personal information stored in the system. 

In response to the leak of data, Shas responds 

Before each round of elections, the Shas party, like every other party in the country, receives a copy of the voter register from the Ministry of Interior. After the election the party is required to destroy the transmitted register, together with any details it has added to it. Despite this requirement, it appears that Shas retained voters' personal data from the previous year's elections. 

A professional and reliable electoral software operated by the Shas party for many years maintains a legally registered database as do all of Israel’s other parties. All of the information the Shas party holds has been legally collected, maintained, and complied with according to the law, backed up by cybersecurity experts that are the most knowledgeable in the field, the party spokesperson said in response to an inquiry by Haaretz. 

The party explained that their attention was drawn to concerns that the database had been illegally accessed. Following the receipt of this information, they acted immediately by implementing several immediate changes to ensure the security of the entire database as soon as possible. Shas has conducted a thorough examination of the database systems to ensure that all information remains secure. As part of its ongoing inspection of the database systems, the party stated that "If any party is found to have violated the law, Shas will take appropriate action." 

Elector, a platform used by Likud, leaks the personal information of its users 

A similar incident occurred last year when a list of the names and phone numbers of 5,000 Likud activists was released online from the "Elector" platform, where they could be found on the Ghost in leak website, according to Israeli news agency Ynet. 

There was a list uploaded by an anonymous source along with an email that circulated throughout many groups that stated that "The Likud's and Right's electoral system has been compromised." The list was sent by a source who identified himself as "an activist." The data will slowly leak out as the system is taken offline until the hackers are removed. Here are the first clusters of activists.

In a ruling issued by the Authority for the Protection of Privacy of the Ministry of Justice, it was determined that the Elector company, along with the Likud and Jewish Home parties which received technological services from the Elector company, had violated the Privacy Protection Law and the regulations governing its operation. 

As a result of an enforcement procedure conducted by the Authority, it was found that the database holder had violated the law in many ways, including in the security of its information systems and in how it conducted itself as a holder of sensitive personal information.

BlackCat Ransomware’s Data Exfiltration Tool Gets an Upgrade

 

A new version of the BlackCat ransomware's data exfiltration tool for double-extortion attacks has been released. Exmatter, the stealer tool, has been in use since BlackCat's initial release in November 2021.

Exmatter Evolution

Symantec researchers (who track the group as Noberus) claim in a report that the ransomware group's focus appears to be on data exfiltration capabilities, which are a critical component of double-extortion attacks. 

The exfiltration tool was substantially updated in August. The changes include adjustments to the file types it exfiltrates and to the transports it uses (FTP, WebDAV and SFTP), and the option to create a report listing all processed files. It has also gained an 'Eraser' feature to corrupt processed files, as well as a 'Self-destruct' configuration option that deletes the tool and quits if it finds itself running in a non-valid environment.

New information stealer

The deployment of new malware known as Eamfo, which is specifically designed to target credentials saved in Veeam backups, has increased BlackCat's ability to steal information even further.

Eamfo connects to the Veeam SQL database and uses a SQL query to steal backup credentials. It decrypts and displays credentials to an attacker once they have been extracted.

Along with expanding Exmatter's capabilities, the latest version includes extensive code refactoring to make existing features stealthier and more resistant to detection. Additionally, the BlackCat operation terminates antivirus processes with an older anti-rootkit utility.

BlackCat isn't slowing down and appears to be focused on constantly evolving itself with new tools, improvements, and extortion strategies. As a result, organisations are advised to secure access points and train their employees on cybercriminal penetration techniques. Businesses should also invest more in cross-layer detection and response solutions.

Personal Data of 30,000+ Students Disclosed in Unsecured Database

 

The security experts at SafetyDetectives reported that the private details of over 30,000 students were discovered on an inadequately secured Elasticsearch server. 

According to the researchers, the server was left connected to the Internet and did not require a password to retrieve the data it contained. It exposed more than one million records, including personally identifiable information (PII) of 30,000 to 40,000 students. 

As per the report, the exposed data included complete names, email addresses, and phone numbers, as well as credit card information, transaction and purchased meal specifics, and login information saved in plain text. According to SafetyDetectives, the badly protected server was being upgraded at the time it was discovered, and server logs revealing student data were also discovered. 

The 5GB database appeared to contain information about students who hold Transact Campus accounts, according to the researchers. Because Transact Campus partners with higher education institutions in the United States, most of the affected students are US citizens. 

Transact Campus offers an application that students may use to make payments and purchases using a unique personal account (called Campus ID), as well as for activities such as event access, class attendance tracking, and more. The researchers were unable to identify whether malicious actors had access to the unsecured database before it was protected. They do, however, warn that if criminal actors did get the data, the afflicted students may be subjected to a variety of assaults, including phishing, spam marketing, and malware. 

SafetyDetectives said it alerted Transact Campus about the unsecured server in December 2021 but did not receive a response until January 2022, despite also contacting US-CERT. Although the server had been secured by then, Transact Campus denied responsibility for the exposure.

“Apparently, this was set up by a third party for a demo and was never taken down. We did confirm that the dataset was filled with a fake data set and not using any production data,” Transact Campus told SafetyDetectives. 

The researchers, on the other hand, informed SecurityWeek that they examined a sample of the data discovered on the site and believe it belongs to real individuals. 

“We use publicly available tools to perform random searches for the people exposed and see if they actually exist. We, of course, performed this process when we discovered this server and found out that the data seemed to belong to real people,” SafetyDetectives stated. 

When contacted by SecurityWeek, Transact Campus stated that they promptly initiated an investigation into the breach after learning of the exposure. The exposed information was discovered to belong to a third party, according to Chief Information Security Officer Brian Blakley, and none of Transact's systems was accessed without authorization. 

When asked if the possibly impacted students had been notified in any manner about the data breach, Blakley advised SecurityWeek to contact Sodexo, which appears to be accountable for the hack. 

“Sodexo in conjunction with its payment provider for dining services, Foundry, provided a Notice of Data Breach to impacted clients and users explaining the incident,” he said. 

Sodexo is a global provider of food, facilities management, and home and personal services. SecurityWeek reached out to the organisation for further information on the incident but has yet to get a reply.

McMenamins Struck by Ransomware Attack, Employee Data at Risk

 

McMenamins, a Portland hotel and brewpub chain, was struck by a ransomware attack on Wednesday that may have stolen employees' personal information, but no customer payment information seems to have been compromised. 

The ransomware attack was discovered and stopped on December 12, according to McMenamins. The company stated it alerted the FBI and contacted a cybersecurity firm to figure out where the attack came from and how extensive it was. 

Employee data such as names, residences, dates of birth, Social Security numbers, direct deposit bank account information, and benefits records may have been acquired, according to the firm in a news release, but "it is not currently known whether that is the case." 

"To provide employees with peace of mind, McMenamins will be offering employees identity and credit protection services, as well as a dedicated helpline through Experian," the company stated. "A payment processing service manages the collection of such information. Further, this information is not stored on company computer systems impacted by the attack."  

Many operational systems have been taken offline, including credit card scanners, necessitating temporary alterations in payment procedures at some McMenamins sites. There is "no indication" that consumer payment data has been hacked, according to the firm. 

The co-owner, Brian McMenamin stated, “What makes this breach especially disheartening is that it further adds to the strain and hardship our employees have been through in the past two years.” 

“We ask that our customers give our employees extra grace as we make temporary adjustments in the way we process transactions and reservations, given the impacts to our systems by this breach.” 

The company stated that it is unclear when the problem will be rectified and systems restored. There are a few things firms can do to help mitigate such attacks, according to Kerry Tomlinson, a cyber news reporter with Ampere News. 

"As a business, you need to have backups," Tomlinson said. "If ransomware hits and they're demanding ransom for you to get your files back, you can say thanks a lot but I already have backups." 

"It will happen more and more and it's only going to get bigger. If you're not paying attention now, you need to pay attention." 

Employees should be especially cautious to help prevent cyber assaults, according to Tomlinson, by avoiding questionable emails, setting unique passwords for each website visited, and adding a multi-factor authentication process to offer an extra layer of security. It is worth noting that despite the breach, all McMenamins locations are open.

3.8 Billion Clubhouse and Facebook User Records are Being Sold Online

 

According to CyberNews, a database holding the records of about 3.8 billion Clubhouse and Facebook users is being auctioned at a major hacker forum. The person selling them is reportedly asking for $100,000 for the complete database but is ready to split it up into smaller caches for lower costs. 

These records contain sensitive information such as phone numbers, addresses, and names, among other things. All of this information appears to have been obtained through a breach of Clubhouse's systems on July 24th, during which numerous members' phone numbers were exposed online. However, the damage isn't limited to Clubhouse's users. 

According to the September 4 post, the database also contains profiles of users who do not have Clubhouse accounts, whose phone numbers may have been obtained by threat actors as a result of Clubhouse's previous requirement that users share their entire contact lists with the social media platform in order to use it. 

Because the platform required users to sync their contacts with the app, contact numbers from a user's phone can also be revealed if the company's servers are breached, and that appears to be exactly what occurred. As a result, people who never had a Clubhouse account have had their data exposed on the hacker forum and may be at risk. While it is still unclear how Facebook user IDs ended up in the mix, it is plausible that the cybercriminal cross-referenced the revealed numbers against data from prior Facebook breaches, of which there have been many.

Prior to this compilation, threat actors had little use for the purportedly scraped Clubhouse phone numbers, which were posted without any additional information about the participants. As a result, the prior Clubhouse scrape was labeled a "bad sample" on the forum and failed to pique scammers' interest. 

However, according to CyberNews senior information security expert Mantas Sasnauskas, the expanded compilation “could serve as a goldmine for scammers.” They would obtain access to a lot more contextual information about the owners of the hacked phone numbers, according to Sasnauskas, such as usernames, locations based on phone number suffixes, Clubhouse network sizes, and Facebook profiles. 

This means that scammers would be able to launch localized mass campaigns and create customized scams based on information acquired from potential victims' Facebook accounts much more easily. “People tend to overshare information on social media. This could give insights for scammers on what vector to employ to run their scams successfully by, for example, calling people with the information they learned from their Facebook account,” says Sasnauskas.

Research Shows 19 Petabytes of Data Exposed Across 29,000+ Unprotected Databases

 

Researchers from CyberNews discovered that over 29,000 databases across the world are completely unprotected and publicly accessible, exposing over 19,000 terabytes of data to anyone, including threat actors. 

The majority of businesses keep confidential data in databases. Passwords, usernames, document scans, health records, bank account and credit card information, and other vital data are stored in one place where they are easily searchable. 

To steal all that valuable data, attackers don't always need to hack them: one of the most common causes of a breach is databases that have been left unsecured, allowing anyone to access the data without a username or password. Hundreds of millions of people's personal information can (and often does) become exposed on the internet as a result of database security flaws, allowing threat actors to exploit that data for a variety of malicious purposes, including phishing and other forms of social engineering attacks, as well as identity theft. 

According to CyberNews, hundreds of thousands of database servers are still open to everyone, with more than 29,000 insecure databases exposing nearly 19 petabytes of data to hacking, tampering, deletion, and other threats. The fact that tens of thousands of open databases have data exposed is nothing new. Indeed, cybercriminals are so aware of this that a vulnerable database can be identified and targeted by threat actors in only a few hours. 

After years of huge data breaches, ransom requests, and even crippling data wipeouts by feline hackers (meow), one would think database owners would be aware of the issue and, at the very least, ask for a username and password before letting someone in. 

To conduct the investigation, CyberNews used a specialized search engine to look for open databases of three of the most common types: Hadoop, MongoDB, and Elasticsearch. Because only these three types were covered, the true number of unprotected databases and the volume of data exposed is undoubtedly much higher than what they found. 

According to the results, at least 29,219 vulnerable Elasticsearch, Hadoop, and MongoDB databases are sitting out in the open. Hadoop clusters lead in terms of exposed data, with nearly 19 petabytes available to threat actors who could put millions, if not billions, of users at risk with a single click. 

Elasticsearch leads the pack in terms of exposed databases, with 19,814 instances without any kind of authentication, placing more than 14 terabytes of data at risk of being hacked or held hostage by ransomware gangs. MongoDB appears to do much better than others in terms of terabytes, but the 8,946 unprotected instances demonstrate that thousands of organizations and individuals who use MongoDB to store and handle their data still have a long way to go in terms of basic database security. 

Unknown cyber criminals conducted a series of so-called "Meow" attacks in 2020, wiping all data from thousands of unsecured databases without explanation or even a ransom demand, leaving shocked owners with nothing but an empty folder and files labeled "meow" as the attacker's signature. It was found that 59 databases hit by the ‘Meow’ attacks a year ago are still unprotected and collectively leaving 12.5GB of data exposed. 

According to CyberNews security researcher Mantas Sasnauskas, this only goes to show that raising awareness about exposed and publicly accessible databases is as important as ever. “Anyone can look for these unprotected clusters by using IoT search engines to effortlessly identify those that don’t have authentication enabled and exploit them by stealing the data, holding them ransom, or, as was the case with the ‘Meow’ attack, simply destroy valuable information for fun, wiping billions of records and crippling both business and personal projects in the process.”

Databases are used by businesses of all sizes to store customer and employee records, financial details, and other confidential information. Databases are often operated by administrators who lack security training, making them an easy target for malicious actors. 

The owner of a database can take certain steps to protect the database from unwanted visitors, such as:
1. Activate authentication so that no one can access your database without the correct credentials or SSH key. 
2. Do not use the default password – threat actors scour the internet for publicly available databases with default passwords still enabled and target them on the spot.
3. Keep your database software at the latest version.
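The three steps above are generic, so here is an added example (not from the original article) of what they look like on one concrete database engine, MySQL 8. It audits the server for accounts that can log in without a password, for anonymous accounts and for accounts reachable from any host, fixes what it finds, enforces a password policy and checks the running version. The account name 'app'@'localhost', the database name and the placeholder password are assumptions; the queries are run by an administrative user on the server itself.

```sql
-- Added example, not the original article's content. Assumes MySQL 8 and an
-- application account 'app'@'localhost' (both assumptions).

-- Step 1 and 2: accounts with an empty password and anonymous (empty-username)
-- accounts. A correctly configured server returns no rows here.
SELECT user, host, plugin
FROM mysql.user
WHERE authentication_string = '' OR user = '';

-- Accounts allowed to connect from any host. With the port exposed to the
-- internet, these are the accounts an attacker would try first.
SELECT user, host
FROM mysql.user
WHERE host = '%';

-- Remove anonymous accounts and replace a default or reused password with a
-- fresh secret (placeholder value; generate a long random one).
DROP USER IF EXISTS ''@'localhost', ''@'%';
ALTER USER 'app'@'localhost' IDENTIFIED BY 'REPLACE-WITH-LONG-RANDOM-SECRET';

-- Enforce password strength for future changes (run INSTALL COMPONENT once;
-- it errors if the component is already installed).
INSTALL COMPONENT 'file://component_validate_password';
SET PERSIST validate_password.policy = 'STRONG';

-- Step 3: confirm the running version and compare it with the current release.
SELECT VERSION();

-- Finally, keep the listener off the public network entirely. This is a my.cnf
-- setting rather than SQL, shown here as a comment:
--   [mysqld]
--   bind-address = 127.0.0.1
```

The first two queries are the ones worth scheduling: an account with an empty authentication_string or an anonymous account is exactly what turns an exposed port into a breach, and they tend to reappear after restores from old backups.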

Cloud Misconfiguration is Still the Leading Source of Cloud Data Violations

 

Almost everybody is now working from home, and 84 percent are worried that new security vulnerabilities have been created by the rapid move to 100 percent remote working. 

There is a long-standing complaint that cloud service providers built their administration panels' user interfaces to mislead customers and charge for more services than originally intended. 

Although this has never been demonstrated to be a systematic business strategy, reports and alerts of data breaches have flooded the internet in recent years whenever a cloud-hosted database was misconfigured and confidential information ultimately leaked. 

Over the past month, Censys, a security company that specializes in census-like scans of the internet, looked closely at cloud-hosted services, hoping to uncover the most likely sources of misconfiguration for cloud-based businesses. According to the study, Censys found over 1.93 million cloud-hosted databases exposed to the public without any firewall or other authentication measures. The security company argues that threat actors will discover and target these databases using older vulnerability exploits. In addition, a database that was exposed unintentionally is likely to have a weak password or none at all, leaving it open to anyone who finds its IP address. 

Censys reported scanning for MySQL, Postgres, Redis, MSSQL, MongoDB, Elasticsearch, Memcached, and Oracle, and found that nearly 60 percent of all exposed servers were MySQL databases, representing 1.15 million of the 1.93 million exposed databases overall. 

The security company also searched for ports exposed by cloud services that are normally used for remote management applications such as SSH, RDP, VNC, SMB, Telnet, TeamViewer, and PC Anywhere. Censys maintained that these remote-management ports should not be directly discoverable but should sit behind access control lists, VPN tunnels, or other traffic-filtering solutions, since by their very nature these services allow systems to be logged into remotely. 

Another very significant finding was that more than 1.93 million servers exposed their RDP login screens. 

Microsoft and several others have also indicated that many security breaches have been caused by attackers gaining access to an enterprise through compromised RDP credentials. These include attacks by a broad range of actors, including DDoS botnets, crypto-mining operations, ransomware gangs, and state-funded actors. 

Most organizations do not rely on a single cloud service provider but use several, and these often differ in their access controls and default settings, so systems can end up accessible even when IT personnel never intended them to be. While some cloud providers have taken measures to improve their dashboards and clarify how those controls operate, the terminology still differs substantially from one provider to another, and system administrators are still often confused. 

Censys said, “it expects the issue of misconfigured services to remain a big problem for companies going forward.”

SQL Triggers Used by Hackers to Compromise User Database

 

Over the past year, a broader pattern of WordPress malware has emerged that uses SQL triggers inside infected databases to hide malicious SQL queries. Whenever the trigger condition is met, these queries insert an admin-level user into the compromised database. Websites that run a common CMS such as WordPress use a MySQL database to store essential data, including CMS settings and content. Anything that can modify that database, whether by injecting malicious code or deleting content, can do severe harm to the website. 

One protective measure is that the MySQL database has its own username and password, which deters anyone without those credentials from reading it directly. Unfortunately, an attacker who already has unauthorized access to the web server can read the wp-config.php file to learn the database credentials — which can then be used to connect to the database with the attacker's own code and make malicious changes. 

A real-life example is an intruder who has unauthorized access to a website and wants a backdoor that survives even if the website's files are cleaned.

One approach is to add an admin user to the CMS database of the website. Such accounts can usually be found (and removed) through the administrative dashboard or an SQL client. The unauthorized admin account is a backdoor that lives outside the website's files in the web server directory, which matters because owners of a compromised website often forget to check the database. However, removing suspicious users from the website's database does not by itself remove every potential backdoor. 

A SQL trigger is a stored procedure that runs automatically when certain database modifications occur. While triggers have many legitimate uses, bad actors use them to retain access after a compromise: they place a trigger in the compromised website's database so that a malicious action, such as re-creating the admin user, is performed whenever a specific condition is met or an event occurs.

If attackers breach a site, they will harvest any database passwords stored in wp-config.php or other CMS configuration files — and once they have obtained them, at any point after the infection, it can be extremely hard to tell what else was taken. Users must change all passwords, including the database password, after a breach. Failure to carry out this post-hack step will allow an attacker to get in and change the website even after the owner assumes the infection has been removed.
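The persistence technique described in the last three paragraphs leaves two artefacts in the database: a trigger and the account it re-creates. Below is an added example (not from the original article) of how a site owner would audit a WordPress MySQL database for both, remove them in the right order, and rotate the database credential afterwards. It assumes the default WordPress table prefix wp_, a database named wordpress and an application account 'wpuser'@'localhost'; the trigger name in the DROP statement is a placeholder to be replaced with whatever the audit query returns.

```sql
-- Added example, not the original article's code. Assumes database "wordpress",
-- table prefix "wp_" and account 'wpuser'@'localhost' (all assumptions).

-- 1. List every trigger in the schema. A clean WordPress install defines none,
--    so any row returned here needs to be explained.
SELECT TRIGGER_NAME, EVENT_MANIPULATION, EVENT_OBJECT_TABLE,
       ACTION_TIMING, DEFINER, CREATED
FROM information_schema.TRIGGERS
WHERE TRIGGER_SCHEMA = 'wordpress';

-- 2. Narrow to triggers whose body writes to the user tables, which is where an
--    injected administrator would land.
SELECT TRIGGER_NAME, EVENT_OBJECT_TABLE, ACTION_STATEMENT
FROM information_schema.TRIGGERS
WHERE TRIGGER_SCHEMA = 'wordpress'
  AND (ACTION_STATEMENT LIKE '%wp_users%'
       OR ACTION_STATEMENT LIKE '%wp_usermeta%');

-- 3. Cross-check the administrator list from the capabilities metadata, so an
--    account that never appears in the dashboard's user list still shows up.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%';

-- 4. Clean-up order matters: drop the trigger first, otherwise deleting the
--    user can itself be the event that re-creates it.
DROP TRIGGER IF EXISTS wordpress.SUSPICIOUS_TRIGGER_NAME;   -- placeholder name
DELETE FROM wp_usermeta WHERE user_id = 9999;               -- placeholder ID from step 3
DELETE FROM wp_users    WHERE ID = 9999;

-- 5. Rotate the credential that wp-config.php exposed, then update wp-config.php
--    to match (placeholder secret; generate a long random value).
ALTER USER 'wpuser'@'localhost' IDENTIFIED BY 'REPLACE-WITH-NEW-RANDOM-SECRET';
FLUSH PRIVILEGES;
```

Step 1 is cheap enough to run on a schedule and alert on any non-empty result; step 4's ordering is the practical point of the section, since the trigger and the account only look like two separate problems.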

Comcast Data Breach Compromised with 1.5 Billion Data Records

 

American cable and Internet giant Comcast was hit by a data exposure a few days ago. An unprotected developer database holding 1.5 billion records and other internal information was reachable over the Internet by third parties. 

Comcast Corporation is the largest cable network operator in the US, the second-largest internet service provider after AT&T, and the third-largest telephone company after AT&T and Verizon Communications. 

Recently the research team at WebsitePlanet, together with security researcher Jeremiah Fowler, identified a database with no password protection, 478 GB in size and holding 1.5 billion records. The Comcast database exposed dashboard permissions, logging, client IPs, @comcast e-mail addresses and hashed passwords to the public. Taken together with the IP addresses it contained, the database gave a description of internal functionality, logging and general network structure. The server also revealed the Comcast development team's email addresses and hashed passwords. It further exposed error reports, warnings, task and job scheduling information, cluster names, device names, and internal rules marked with the tag "Privileged=True." Middleware was also identified in the error logs; details like these can serve as a secondary route for ransomware or other attacks. 

Access to the data was restricted within about an hour; until then, malicious actors could easily have accessed and retrieved the confidential information. The researchers immediately submitted a disclosure notice and confirmed their findings with Comcast's Security Defect Reporting team. 

Fowler also said that this was among the fastest response times he had ever seen, and that Comcast acted quickly and professionally to restrict a data set that had been accessible to anyone with an internet connection. 

A representative for Comcast stated that, “The database in question contained only simulated data, with no real employee, customer or company data, outside of four publicly available Comcast email addresses. The database was used for software development purposes and was inadvertently exposed to the Internet. It was quickly closed when the researcher alerted us of the issue. We value the work of independent security researchers in helping us to make our products and services safer and thank the researcher for his responsible disclosure in this matter.” 

As long as humans are involved in configuration, errors that expose data are unavoidable. However, Comcast's size makes such mistakes very disruptive, potentially affecting many subscribers and business customers. That is why firms of this size should follow security checklists, double-check other teams' work, and do whatever they can to reduce the chance of exposure. In this incident, action was taken in time.

Bitcoin surges past $11,000

Bitcoin soared 9% on Monday, performing like a safe haven asset as it edged past $11,000 for the first time since around mid-July.

The price of the world’s largest cryptocurrency climbed as high as $11,860, according to CoinDesk data, hitting a more than 3-week high. Bitcoin’s value now accounts for nearly 70% of the global crypto market, according to CoinMarketCap.

Global stock markets on the other hand have been sliding lower on the back of renewed trade uncertainty, after President Donald Trump said last week that Washington would impose 10% tariffs on another $300 billion worth of Chinese goods.

The pan-European Stoxx 600 index slipped 1.6% on Monday while the MSCI’s broadest index of Asia-Pacific shares outside Japan plummeted 2.5%. Dow futures meanwhile were off by about 100 points.

Analysts have previously argued the case that bitcoin could be a safe haven asset, with investors having flocked to the digital asset in the past on the back of an escalation in U.S.-Sino tensions.

“Bitcoin has many use cases and one of the most important is as a form of digital gold,” Charles Hayter, CEO of digital currency comparison platform CryptoCompare, told CNBC by email on Monday. “We have seen bitcoin jump before on macro uncertainty as it becomes a conduit and flight-to-safety asset.”

Yuan depreciation

Bitcoin’s jump in value also comes as China allowed the yuan to break the seven-per-dollar level for the first time in 11 years, triggering fears of a potential currency war.

The yuan fell after China’s central bank, the People’s Bank of China, set the currency’s daily midpoint at 6.9225 per dollar, its weakest level since December last year.

Simon Peters, an analyst at trading platform eToro, said Chinese investors could be seeking to diversify as the yuan depreciates.

“Given that Chinese investors make up a large proportion of crypto investors, there’s a strong possibility some are backing bitcoin’s chances against the yuan,” Peters said in a note on Monday.

US Navy to create database of 350 billion social media posts

The United States Navy is planning to create a repository of more than 350 billion social media posts from around the world, to research how people behave online. 

The project team has not specified which social media platforms they intend to collect the data from. 

However, they will only collect public posts from between 2014 and 2016, from more than 100 countries and in at least 60 different languages. 

The details of the project were revealed in a tender document from the Naval Postgraduate School seeking a firm to provide the data.

The application deadline has now closed.

Additional requirements included:
  • the posts must come from at least 200 million unique users
  • no more than 30% can come from a particular country
  • at least 50% must be in a language other than English
  • location information must be included in at least 20% of the records

The collected database must not include private messages or users' personal information. 


"Social media data allows us for the first time, to measure how colloquial expressions and slang evolve over time, across a diverse array of human societies, so that we can begin to understand how and why communities come to be formed around certain forms of discourse rather than others," T Camber Warren, the project's lead researcher, told Bloomberg.