Private Details of 63,126 Health Employees Compromised in Navistar Data Breach


After four months of detailed analysis, US truck manufacturer Navistar has confirmed a data breach on its systems that exposed the details of 63,126 healthcare employees. 

Navistar activated its cybersecurity response program immediately after learning of the breach on May 20. The manufacturer also engaged third-party cybersecurity specialists to determine the nature and extent of the intrusion.

Ten days later, the company received information indicating that data had been exfiltrated from its systems. In the first week of June, Navistar filed an 8-K with the US Securities and Exchange Commission, alerting investors to the breach. The filing generated press coverage of the incident from Reuters and other outlets while investigators continued to assess its impact.

The investigation into the data theft confirmed on August 20, 2021, that the stolen files contained the protected health information of present and former members of Navistar Health Plan and the Navistar Retiree Health Benefit and Life Insurance Plan. 

According to a statement by Navistar, the exfiltrated data may have included names, addresses, dates of birth, and information tied to participation in the medical and insurance plans, which in turn may have included health-related data such as the names of healthcare providers and prescription medications.

Stolen personal details of this kind are routinely used and traded by attackers because they make phishing lures more convincing and enable fraudulent applications for credit under false identities, researchers explained.

Navistar said it has strengthened its security since the breach, including deploying newer technologies and providing additional employee training. Security controls will continue to be assessed and updated as needed to prevent further disruption.

In July, Navistar sent notification letters informing affected individuals of the breach. The company is also offering two years of free credit monitoring and identity theft protection to anyone whose Social Security number was exposed in the attack.

Navistar also filed a breach report with the Maine Attorney General stating that 63,126 individuals were affected, and a separate report with the Department of Health and Human Services' Office for Civil Rights stating that the PHI of 49,000 plan members was exposed.

Facebook, WhatsApp, Instagram Faces Massive Global Outage: What was the Reason?


An hours-long global outage took down three of the largest social media platforms: Facebook, Instagram, and WhatsApp. Organizations and individuals around the world who rely heavily on these services, including Facebook's own workforce, were affected. According to the data, Zuckerberg suffered a 7 billion loss.

Late on Monday, Facebook said it was working hard to restore access to its services and was "happy to report they are coming back online now." The company also apologized and thanked its users for their patience. Restoring service was not straightforward, however.

According to user reports, for some people WhatsApp worked for a while and then stopped; for others, Instagram was reachable but Facebook was not, and so on.

Following the global outage, Facebook Chief Technology Officer Mike Schroepfer tweeted, "To every small and large business, family, and the individual who depends on us, I'm sorry, may take some time to get to 100%." 

According to security experts, the disruption was most likely the result of an internal mistake, though sabotage by an insider was theoretically possible. Facebook itself attributed Monday's hours-long global outage to "a faulty configuration change."

Soon after the outage began, Facebook acknowledged that users were unable to reach its apps and said it was investigating the problem.

Facebook, the world's second-largest digital advertising platform, lost around $545,000 in U.S. ad revenue per hour during the outage, according to ad measurement firm Standard Media Index.

Shipping Giant Forward Air Reports Ransomware Data Breach


Forward Air, a shipping company, has revealed a data breach as a result of a ransomware attack that enabled threat actors to acquire employees' personal information.

Forward Air was hit by a ransomware attack in December 2020 by what was then believed to be a new cybercrime group known as Hades. The company shut down its network in response, causing business disruption and leaving it unable to release freight for transport.

In an SEC filing, Forward Air stated that it lost $7.5 million in less-than-truckload (LTL) freight revenue, mainly because it had to temporarily halt its electronic data interfaces with its customers.

Researchers later determined that the attack was most likely carried out by members of the Evil Corp cybercrime group, which frequently operates under different ransomware identities, such as Hades, to evade US sanctions.

At the time, several Forward Air employees contacted BleepingComputer, concerned that the attack had exposed their personal information. As part of the attack, the threat actors set up a Twitter account that they said would be used to leak Forward Air data. However, no data was ever observed being released.

Almost a year later, Forward Air has disclosed that the ransomware attack exposed the data of current and former employees.

A data breach notification sent to Forward Air employees stated, "On December 15, 2020, Forward Air learned of suspicious activity occurring within certain company computer systems. Forward Air immediately launched an investigation to determine the nature and scope of the incident." 

"The investigation determined that certain Forward Air systems were accessible in November and early December 2020 and that certain data, which may have included your personal information, was potentially viewed or taken by an unknown actor." 

The data the Evil Corp threat actors may have obtained includes employee names, addresses, dates of birth, Social Security numbers, driver's licence numbers, passport numbers, and bank account numbers.

While Forward Air says there is no evidence that the data has been misused, it is providing affected individuals with a complimentary one-year membership to the myTrueIdentity credit monitoring service.

Since there is no way to verify whether a threat actor has used stolen data, even when they promise not to after receiving a ransom payment, all affected employees should assume their data has been compromised. In practice, that means monitoring credit reports, bank statements, and other financial records for signs of misuse.

RDP Attacks On A Massive Increase, Warns ESET Threat Report


Cybersecurity firm ESET has released a threat report warning of a sharp rise in attacks against RDP (Remote Desktop Protocol) endpoints; the report also notes that the Nobelium gang has been active against European government organisations. ESET's data shows that attacks on RDP servers rose by 103.9% in its T1 report published in June (ESET publishes these reports three times a year). The report puts the total number of detected brute-force attacks at 55 billion, driven largely by a campaign targeting Spanish victims. Based on the T1 2021 report, one might have expected RDP attacks to decline.

Instead, RDP-related attacks rose again. The pattern points to a further increase in attack attempts, with T3 expected to be the busiest period of 2021. RDP attacks grew only slightly in some regions, but there was a huge uptick against Spanish targets: ESET's data indicates that attacks against Spanish targets in August accounted for one third of the global total. Alongside Spain, the US, Germany and Italy also appeared on the list. A similar pattern was seen in SQL password-guessing incidents. While RDP-related attacks rose by 200%, cryptocurrency-related attacks saw a slight decline.

ESET's experts believe there may be a link between cryptocurrency-related attacks and cryptocurrency prices, particularly for cryptomining. ESET says: "our report even mentions PayPal's and Twitter's announcements which sent the prices of major cryptocurrencies up following this increase (visible in the trend toward the end of T2). If there are more high-profile adoptions/announcements supporting cryptocurrencies in the coming months, we expect their prices to grow and cryptomining to follow."

Although ransomware attacks saw a single-digit decline (which ESET also linked to the fall in cryptocurrency prices), the company is certain the problem persists. T2 was too busy to give a full account of ransomware attacks, but some incidents could not be ignored. "The attack shutting down the operations of Colonial Pipeline – the largest pipeline company in the US – and the supply-chain attack leveraging a vulnerability in the Kaseya IT management software, sent shockwaves that were felt not only in the cybersecurity industry," says ESET.
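As an added illustration that is not part of the ESET report or this post, the following Python snippet shows the kind of detection a defender would run over Windows failed-logon events to surface the RDP password-guessing pattern ESET describes: many failed interactive RDP logons (Event ID 4625, logon type 10) from one source inside a short window, often cycling through usernames. The log lines are constructed samples and their field layout is an assumed simplified export, not a real Windows log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the ESET report): a simplified
# export of Windows Security Event ID 4625 (failed logon) and 4624 (success).
# LogonType=10 marks an interactive RDP logon. Source 203.0.113.10 hammers the
# host with different usernames; 198.51.100.7 is a user mistyping a password
# twice and then logging in; 192.0.2.50 is a network logon and is ignored.
SAMPLE_LOG = """\
2021-08-14T02:10:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.10
2021-08-14T02:10:02Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.10
2021-08-14T02:10:03Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.10
2021-08-14T02:10:04Z EventID=4625 LogonType=10 TargetUser=test SourceIP=203.0.113.10
2021-08-14T02:10:05Z EventID=4625 LogonType=10 TargetUser=user1 SourceIP=203.0.113.10
2021-08-14T02:10:06Z EventID=4625 LogonType=10 TargetUser=sqlsvc SourceIP=203.0.113.10
2021-08-14T02:11:30Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
2021-08-14T02:11:45Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
2021-08-14T02:12:00Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
2021-08-14T02:30:00Z EventID=4625 LogonType=3 TargetUser=svc_web SourceIP=192.0.2.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event": int(d["event"]),
        "logon_type": int(d["ltype"]),
        "user": d["user"],
        "ip": d["ip"],
    }


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with at least `threshold` failed RDP logons inside a sliding window.

    Returns {ip: {"failures": total failed RDP logons, "users": sorted distinct
    usernames tried}} for every source that crossed the threshold at least once.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)
    total = defaultdict(int)
    flagged = {}
    for e in events:
        if e["event"] != 4625 or e["logon_type"] != 10:
            continue   # only failed interactive (RDP) logons count
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()   # drop failures that have aged out of the window
        users[e["ip"]].add(e["user"])
        total[e["ip"]] += 1
        if len(q) >= threshold:
            flagged[e["ip"]] = {"failures": total[e["ip"]], "users": sorted(users[e["ip"]])}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed RDP logons, usernames tried: {info['users']}")
```

The default threshold of five failures in five minutes flags only the scanning source; the legitimate user who mistyped twice stays below it, which is the trade-off a real alert rule has to tune.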

New Trojan Attack Campaign Prompted by Pegasus Spyware


A little-studied Sarwent Trojan is being distributed by a threat group through a fake Amnesty International website that claims to protect users from the Pegasus smartphone spyware.

The operation targets people who believe they have been attacked by NSO Group's Pegasus spyware, and is therefore tied to nation-state activity, according to Cisco Talos security analysts; Talos has yet to identify the exact threat actor.

Pegasus is a piece of spyware created by the Israeli cyber arms firm NSO Group which can be loaded secretly on smartphones (and other devices) running most versions of iOS and Android. According to the disclosures from Project Pegasus 2021, the existing Pegasus program can attack all recent iOS versions up to iOS 14.6. Pegasus could intercept text messages, track calls, gather passwords, monitor position, access the target device's camera and microphone, and collect data from apps as of 2016. 

Despite claims that it is used only for authorized purposes, Pegasus, a controversial surveillance technology, has allegedly been used by repressive governments in operations targeting journalists, human rights activists, and other opponents of the state.

Soon after the release of a comprehensive Amnesty International report on Pegasus in July of this year, as well as Apple's dissemination of updates for the ForcedEntry zero-day exploit, several users started exploring ways of protecting themselves from the spyware that was exploited by adversaries. 

On a bogus website that mimics Amnesty International's, the malicious actors claim to offer "Amnesty Anti Pegasus," an antivirus tool that supposedly guards against NSO Group's malware.

Instead, visitors receive the Sarwent remote access tool (RAT), which lets the attackers upload and run payloads on compromised PCs and extract sensitive data.

Despite its low intensity, the attack has struck individuals in the United States, the United Kingdom, Colombia, the Czech Republic, India, Romania, Russia, and Ukraine, as per Cisco Talos. 

“Given the current information, we are unsure of the actor’s objectives. The use of Amnesty International’s name, a group whose work frequently puts it at odds with governments around the world, as well as the Pegasus brand, malware that has been used to target dissidents and journalists on behalf of governments, raises questions about who is being targeted and why,” according to Cisco Talos.

The adversary behind the campaign appears to be a Russian speaker who has been using Sarwent against victims from many walks of life around the world since at least January 2021. According to security experts, the actor has been using this Trojan and one with a comparable backdoor since 2014.

Security Issues in Visa and Apple Payment Could Result in Fraudulent Contactless Payments


Researchers warn that an attacker who steals a locked iPhone can use a saved Visa card to conduct contactless payments worth thousands of dollars without having to unlock the phone. According to an academic team from the Universities of Birmingham and Surrey, backed by the UK's National Cyber Security Centre (NCSC), the problem is caused by unpatched vulnerabilities in both the Apple Pay and Visa systems. Visa, on the other hand, claims that Apple Pay transactions are safe and that any real-world assaults would be impossible to execute. 

Any iPhone with a Visa card set up in "Express Transit" mode can make fraudulent tap-and-go payments at card readers, according to the team. Commuters all around the world, including those on the New York City subway, the Chicago El, and the London Underground, may tap their phones on a reader to pay their fares without having to unlock their devices. 

The problem, which exclusively affects Apple Pay and Visa, is created, according to the researchers, by the usage of a unique code, dubbed "magic bytes," that is broadcast by transit gates and turnstiles to open Apple Pay. They were able to undertake a relay attack using ordinary radio equipment, deceiving an iPhone into thinking it was talking to a transit gate, according to the team. 

 “An attacker only needs a stolen, powered-on iPhone,” according to a writeup published this week. “The transactions could also be relayed from an iPhone inside someone’s bag, without their knowledge. The attacker needs no assistance from the merchant.” 

In a proof-of-concept video, the researchers demonstrated a £1,000 payment made from a locked iPhone to an ordinary, non-transit Europay, Mastercard, and Visa (EMV) credit-card reader. Visa said in a statement that Visa cards linked to Apple Pay Express Transit are safe to use and that cardholders should continue to use them, adding that contactless fraud methods have been studied in the lab for over a decade and have proven impractical to carry out at scale in the real world. Visa also said it takes all security concerns seriously and is continually working to improve payment security across the ecosystem.

“Logically, it’s an interesting advancement of tapping a contactless card machine against someone’s wallet/purse in their back pocket on the subway/metro,” Ken Munro, a researcher with Pen Test Partners, said. “However, I’m more concerned about the threat of fraud with a stolen phone. In the past, the PIN would have prevented fraud from a stolen phone. Now, there’s a valid attack method that makes theft of a phone with Express Transit enabled really quite valuable.”

Russia plans to launch a platform for white hat hackers

Igor Lyapunov, Rostelecom's vice-president for information security, said that the platform will work much like HackerOne, one of the first companies to engage hackers in this way; Twitter, Slack, Adobe, Yahoo! and other major services work with it, and HackerOne pays researchers for the bugs they find. The project will be built on the National Cyber Polygon created by Rostelecom.

“Participation in vulnerability search programs is a really correct and useful practice, which allows detecting weaknesses in protection in time,” Lyapunov stressed, adding that banks have to use HackerOne for the same purposes one way or another.

Experts believe that a Russian analog of the platform will improve the security of the Russian banking infrastructure. It will give companies that face legal difficulties using a foreign platform access to the expertise of white hat hackers.

Tinkoff Bank already uses such a platform, and several more Russian banks plan to use such services in the future.

Nevertheless, experts pointed to weak control over the methods and tools used. In their view, the reward is only ever a formal reason for participating in the research, since the real value of the vulnerabilities found can be significantly higher on the black market, so hackers may later resell tools for breaking into the infrastructure.

An expert from Jet Infosystems sees no risk in Russian banks using foreign platforms, because each platform has rules and the companies set restrictions for researchers. In his view, if the white hat platform is launched on the basis of the Russian National Cyber Polygon, Russian banks will trust it more.


Flubot Malware Employs Fake Security Updates to Trick Android Users


The threat actors behind the Flubot Android malware are using a new technique to trick Android users into installing the malicious code: fake SMS messages warning of a security threat and urging the recipient to install a security update.

Once installed, Flubot steals passwords, bank details and other private information from the compromised device. The malware also abuses permissions on the phone to spread itself to further victims, keeping the infection chain going.

“Your device is infected with the FluBot malware. Android has detected that your device has been infected. FluBot is an Android spyware that aims to steal financial login and password data from your device. You must install an Android security update to remove FluBot,” states the fake security warning discovered by CERT NZ researchers. 

Last month, security firm Trend Micro described how Flubot tricked users into installing fake voicemail apps after directing them to a website designed to look like a mobile operator's. Now the Computer Emergency Response Team of New Zealand (CERT NZ) is warning that the fake security alert is bait designed to create a sense of urgency and push potential victims into installing the malicious app.

In previous campaigns, the malware spread by sending spam text messages from compromised phones to their contacts, instructing them to install apps from servers controlled by the threat actors.

The malware has been active since late 2020 and has targeted several European countries. Researchers advise Android users not to click the malicious link; anyone who has already clicked it should not enter any passwords or log in to any service on the device, and should immediately factory reset the phone, backing up only the data that is essential.

Keeping up with mobile alerts can be an uphill task, but it is worth remembering that companies are unlikely to ask you to download an application from a direct link: installing official apps from official app stores is the safest way to stay protected. Anyone affected should also change all online account passwords, especially those tied to online banking, and contact their bank immediately.

Two-Thirds of Organizations are Targets of at Least One Ransomware Attack

Many studies on cybersecurity issues are published every year, and the latest is the 2021 Global State of Ransomware Report from cybersecurity company Fortinet. Its key finding is that more than two-thirds of organizations have been the target of at least one ransomware attack in recent years, which is why organizations are far more concerned about ransomware than about other forms of cybercrime.

An earlier study showed that the number of ransomware victims grew by almost 100%, while 60% of attacks were carried out by just three ransomware groups: Conti, Avaddon, and REvil. The Fortinet research also found that most organizations have prepared for ransomware attacks with measures including risk assessment plans, employee cyber training, and cybersecurity insurance.

The research also shows that companies were most focused on remote workers and devices, and that their top priority in a ransomware attack was protecting data. In addition, 84% of organizations reported having an incident response plan, and cybersecurity insurance was part of 57% of those plans.

Asked whether they would pay the ransom if attacked, 49% said their policy was to pay outright, and for another 25% it would depend on how expensive the ransom was. Of the organizations that paid, one-third got their data back.

John Maddison, EVP of products and CMO at Fortinet, said: “According to a recent FortiGuard Labs Global Threat Landscape report, ransomware grew 1070% year-over-year. Unsurprisingly, organizations cited the evolving threat landscape as one of the top challenges in preventing ransomware attacks…”

“…As evidenced by our ransomware survey, there is a huge opportunity for the adoption of technology solutions like segmentation, SD-WAN, ZTNA, as well as EDR, to help protect against the methods of access most commonly reported by respondents…” 

"…The high amount of attacks demonstrates the urgency for organizations to ensure their security addresses the latest ransomware attack techniques across networks, endpoints, and clouds. The good news is that organizations are recognizing the value of a platform approach to ransomware defense”, he added.

Chinese Threat Actors Spy On Windows 10 Users, Reports Kaspersky


An unidentified Chinese-speaking threat actor has been linked to a long-running, evasive campaign against South East Asian targets that dates back to July 2020 and deploys a kernel-mode rootkit on compromised Windows machines. Kaspersky has named the group GhostEmperor and says it uses a "sophisticated multi-stage malware framework" that provides persistence and remote control over the victim host.

Kaspersky calls the rootkit Demodex. Its findings indicate that infections have spread across various high-profile organizations in Malaysia, Vietnam, Indonesia, and Thailand, with outliers in Egypt, Afghanistan and Ethiopia. The threat actors use the Demodex toolkit to hide user-mode malware artefacts from analysts and security agencies, and rely on an undocumented loading scheme that uses a kernel-mode component of the open-source Cheat Engine project to bypass the Windows Driver Signature Enforcement feature.

Experts observed that GhostEmperor infections use multiple access paths that end in in-memory deployment of malware, exploiting known vulnerabilities in server software such as Apache, Oracle, Microsoft Exchange and Windows IIS, including the ProxyLogon exploits that surfaced in March 2021. The aim was to gain a foothold and then move laterally to other parts of the target's network, including machines running earlier versions of Windows 10.

After a successful breach, the infection chains that deployed the toolkit were run remotely from another system on the same network using legitimate software such as PsExec or WMI, resulting in an in-memory implant able to install additional payloads at run time. The Hacker News reports that the "disclosure comes as a China-linked threat actor codenamed TAG-28 has been discovered as being behind intrusions against Indian media and government agencies such as The Times Group, the Unique Identification Authority of India (UIDAI), and the police department of the state of Madhya Pradesh."

Coinbase: Hackers Stole Cryptocurrency From Around 6,000 Customers


Crypto Exchange Coinbase has revealed that hackers successfully stole money from at least 6,000 Coinbase users this spring, partly by exploiting a vulnerability in the cryptocurrency exchange's two-factor authentication mechanism. 

Coinbase is the world's second-largest bitcoin exchange, with over 68 million users in more than 100 countries. It disclosed the hacking activity in a data breach notice sent to affected customers this week. The notice states: “At least 6,000 Coinbase customers had funds removed from their accounts, including you.”

The account compromises took place between March 2021 and May 20, 2021. Coinbase believes the attackers ran a large-scale email phishing campaign that tricked a significant number of customers into handing over their email addresses, passwords, and phone numbers.

The attackers also gained access to victims' email inboxes by using malicious software capable of reading and writing to the inbox once the user granted it permission. However, a password alone is not enough to get into a Coinbase account.

Coinbase protects accounts with two-factor authentication by default, meaning users must enter both a password and a one-time passcode delivered to their phone to log in.

In some cases, however, the attackers were able to obtain the one-time passcode. This affected users whose two-factor authentication relied on SMS text messages to deliver the code.

A spokesperson for the cryptocurrency exchange told PCMag in a statement, “Once the attackers had compromised the user’s email inbox and their Coinbase credentials, in a small number of cases they were able to use that information to impersonate the user, receive an SMS two-factor authentication code, and gain access to the Coinbase customer account.” 

Coinbase did not explain how the impersonation worked. The statement suggests, however, that the attackers used a SIM-swapping attack to trick the mobile carrier into transferring the victim's phone number.

In response, Coinbase says it’s been compensating victims for the stolen cryptocurrency, following reports the company did little to help consumers hit in the hack. 

A company spokesperson added, “We immediately fixed the flaw and have worked with these customers to regain control of their accounts and reimburse them for the funds they lost.” 

It is also unclear how the issue was resolved. Coinbase is, however, urging customers to move away from SMS-based two-factor verification to more secure alternatives: a smartphone app that generates the one-time passcode, or a hardware security key.