Entercom Radio Giant Says Data Breach Exposed User Credentials
14.3.2020 Bleepingcomputer Incident
US radio giant Entercom reported a data breach that took place in August 2019 after an unauthorized party was able to access database backup files stored on third-party cloud hosting services and containing Radio.com user credentials.
Entercom's national network comprises more than 235 radio stations broadcasting news, sports, and music across the country, plus the Radio.com online live streaming service, which reaches over 170 million people each month.
"As one of the country’s two largest radio broadcasters, Entercom offers integrated marketing solutions and delivers the power of local connection on a national scale with coverage of close to 90% of persons 12+ in the top 50 markets," the company says.
Data breach exposes Radio.com users' credentials
Entercom says in a notice of data breach sent to affected customers and filed with California's Office of the Attorney General that the data breach was detected while investigating a cyberattack that took place in September 2019.
"As part of our investigation into that attack, we became aware of unauthorized activity relating to third-party cloud hosting services, which we use to store information relating to Radio.com users," Entercom explains.
"Specifically, our investigation determined that for approximately three (3) hours on August 4, 2019, an unauthorized actor accessed information relating to Radio.com users contained in database backup files."
The company discovered that an unauthorized actor was able to access the protected personal information of an undisclosed number of Radio.com users.
During the investigation conducted with the help of third-party data privacy and computer forensics specialists, Entercom discovered that the attacker was able to gain access to the names, usernames, and passwords of the impacted Radio.com users.
We sincerely regret any inconvenience this incident may cause you. We remain committed to safeguarding the information in our care and will continue to take steps to ensure the security of our systems. - Radio.com Customer Support Team
Following the data breach, the radio giant implemented several measures designed to prevent similar incidents in the future, including but not limited to password rotations, multifactor authentication for cloud services, stronger password policies, and staff data security training.
Entercom also urges users who received the data breach notification letters to change their passwords for Radio.com accounts and for any other accounts where the same password was used.
This suggests that the credentials accessed during the data breach were stored in plain text, something BleepingComputer tried to confirm by reaching out to an Entercom spokesperson but did not hear back at the time of publication.
Previous attacks targeting Entercom
This is the third time in the last year that Entercom was targeted in a security incident. Last September, a cyberattack that had all the signs of a ransomware attack affected all Entercom offices across the country.
At the time, online reports said that the attackers asked for a $500,000 ransom and the attack led to the disruption of telephone and email communication, music scheduling, production, billing, and various other internal digital systems.
In response to a media inquiry, Entercom said that they are "experiencing a disruption of some IT systems, including email." However, an internal memo explaining what was happening to employees also prohibited them from sharing any of the information outside the company.
Just before Christmas Eve, in December 2019, Entercom suffered a second cyberattack that led to Internet connectivity problems, disabling email communication, access to files, and content delivery to the radio network's digital platforms.
Telus-Owned Koodo Mobile Announces Data Breach, Stolen Info for Sale
7.3.2020 Bleepingcomputer Incident
Telus-owned Koodo Mobile has suffered a data breach after their systems were hacked and customer data from August and September 2017 was stolen by the attackers.
According to a data breach notification email from Koodo Mobile that was seen by BleepingComputer, their systems were hacked on February 13th, 2020, and an unauthorized person stole customer data from August and September 2017 that contains mobile account numbers and telephone numbers.
"What happened: On February 13, 2020, an unauthorized third party using compromised credentials accessed our systems and copied August/September 2017 data that included your mobility account number and telephone number. It is possible that the information exposed has changed since 2017, in which case your current information is not compromised," the email stated.
This information can be used by scammers to port Koodo Mobile numbers to attackers' devices to receive 2-factor authentication codes, which could allow attackers to gain access to email and bank accounts.
To prevent this, Koodo has enabled the 'Port Protection' feature on the affected accounts, which prevents attackers from porting a Koodo Mobile number to another carrier unless the account holder first calls and requests it to be done.
Koodo customer data being sold online
The email goes on to say that Koodo Mobile has found evidence that the stolen customer information is being sold online, but the company believes its Port Protection feature will prevent customers' mobile numbers from being used for fraudulent purposes.
"We have found evidence that the unauthorized third party is offering the information for sale on the dark web. With port protection in place, we do not believe that your information could be used for any fraudulent purposes. Nevertheless, we have reported this incident to Law Enforcement and the Office of the Privacy Commissioner of Canada and we are working closely with them on this matter," the Koodo notification warned.
They then contradict themselves later in the notification by saying that affected users should not use their mobile number for two-factor authentication due to this data breach.
"We also recommend that you not register your mobile telephone number on online accounts. If you have done so, you may want to remove it and use an alternative method to receive One Time Passcodes or 2 Factor Authentication codes," the email continues.
Raveed Laeb of cybersecurity intelligence firm KELA told BleepingComputer that Koodo accounts are being sold on various dark web sites.
"A different market - one that specializes in automated selling of access to compromised accounts - currently offers over 21,000 Koodo accounts," Laeb told BleepingComputer.
[Image: Koodo accounts for sale. Source: KELA]
"As can be seen in the image in the third from the right column, this market also indicates the date in which the account was uploaded. Breaking down accounts scraped from the market by date, we can see an uptick in February," Laeb explained.
[Image: Monthly amounts of Koodo accounts sold online. Source: KELA]
Unfortunately, with the amount of information leaked by data breaches, it may be too easy for an attacker to find enough information online about a particular customer so that they can bypass the Port Protection feature.
Due to this, it is strongly advised that you use another 2FA method for securing online accounts.
Otherwise, you may run into a similar problem as the one reported by this Koodo customer in the past.
Affected users should also be on the lookout for mobile SMS phishing (smishing) scams that pretend to be Koodo and utilize information obtained from this breach.
Update 3/7/20: Added information about Koodo accounts being sold online.
Virgin Media Data Breach Exposes Info of 900,000 Customers
7.3.2020 Bleepingcomputer Incident
Virgin Media announced today that the personal information of roughly 900,000 of its customers was accessed without permission on at least one occasion because of a misconfigured and unsecured marketing database.
Virgin Media is a leading cable operator in the U.K. and Ireland. As of December 31, 2019, it delivered 14.6 million broadband, video, and fixed-line telephony services to approximately 6.0 million cable customers, as well as mobile services to 3.3 million subscribers, according to the company's preliminary Q4 2019 results.
Database exposed for almost a year
According to an ongoing investigation, Virgin Media discovered on February 28, 2020, that the exposed database was accessible from at least April 19, 2019, and it was recently accessed by an unauthorized party at least once although the company doesn't know "the extent of the access or if any information was actually used."
Lutz Schüler, CEO of Virgin Media, said in a press release that the company "immediately solved the issue by shutting down access to this database, which contained some contact details of approximately 900,000 people, including fixed-line customers representing approximately 15% of that customer base."
"The database did not include any passwords or financial details, such as credit card information or bank account numbers, but did contain limited contact information such as names, home, and email addresses and phone numbers," he added.
We are now contacting those affected to inform them of what happened. We urge people to remain cautious before clicking on an unknown link or giving any details to an unverified or unknown party. - Lutz Schüler, CEO of Virgin Media
Exposed customer information
The database was used to store and manage information on existing and potential Virgin Media customers and it included:
• contact details (such as name, home and email addresses, and phone numbers)
• technical and product information
• customers' dates of birth (in a very small number of cases)
"Please note that this is all of the types of information in the database, but not all of this information may have related to every customer," Virgin Media says.
The company also says that the unsecured database was not used to store customer passwords or financial details, like bank account numbers or credit card information.
Virgin Media advises customers who think that they might have been victims of identity theft to reach out to their bank or credit card company to report any out-of-the-ordinary transactions or applications made in their name without their knowledge.
Customers were also warned over e-mail that they might be targeted by phishing attacks, fraud, or nuisance marketing communications.
Earlier today, T-Mobile also announced a data breach caused by an email vendor that got hacked and exposed the personal and financial info of some of its customers.
T-Mobile Data Breach Exposes Customer's Personal, Financial Info
7.3.2020 Bleepingcomputer Incident
T-Mobile has announced a data breach, caused by an email vendor being hacked, that exposed the personal and financial information of some of its customers.
In 'Notices of Data Breach' posted to its web site, T-Mobile states that its email vendor was hacked and an unauthorized person was able to gain access to T-Mobile employees' email accounts.
Some of the email accounts that were hacked contained T-Mobile customer information such as social security numbers, financial information, government ID numbers, billing information, and rate plans.
To alert customers of the data breach, yesterday T-Mobile began texting customers affected by the data breach. These texts state that T-Mobile "recently identified and shut down a security event involving some of your account information" and contain a link to a page containing more information.
[Image: T-Mobile data breach notification text. Source: Reddit]
These text messages contain a link to one of the two "Notice of Data Breach" pages on T-Mobile's site depending on what data was exposed.
For users who had their financial information exposed, they will be directed to https://www.t-mobile.com/responsibility/consumer-info/pii-notice.
"The personal information accessed could include names and addresses, Social Security numbers, financial account information, and government identification numbers, as well as phone numbers, billing and account information, and rate plans and features."
For those who did not have their financial information impacted, they will be directed to https://www.t-mobile.com/responsibility/consumer-info/cpni-notice.
"The information accessed may have included customer names and addresses, phone numbers, account numbers, rate plans and features, and billing information. Your financial information (including credit card information) and Social Security number were not impacted."
Please note that the bolded text above was added by BleepingComputer to illustrate the difference between the two notices.
For customers whose financial information was exposed, T-Mobile is offering a free two-year subscription to the myTrueIdentity online credit monitoring service.
For customers who did not have financial information exposed, T-Mobile is not offering anything.
While the data breach notifications do not indicate that passwords were accessed, I strongly suggest you change your password at t-mobile.com. If your original password is also used at other sites, you should change them there as well to a unique password.
All customers impacted by this data breach should be on the lookout for targeted phishing scams. These phishing scams could pretend to be from T-Mobile or use the accessed information to gain your information at other companies.
It is not known how many T-Mobile customers were affected or when the breach occurred.
BleepingComputer has contacted T-Mobile for more information but has not heard back as of yet.
Prior T-Mobile data breaches
In 2018, T-Mobile customers were affected by a data breach after an unauthorized user hacked into the T-Mobile systems.
During this attack, the attacker was able to gain access to customer names, billing ZIP codes, phone numbers, email addresses, account numbers, and account types (prepaid or postpaid).
T-Mobile suffered another data breach last year that affected its pre-paid customers.
As part of that breach, an attacker gained access to the name and billing address (if provided when establishing an account), phone number, account number, and rate plan and features of pre-paid customers.
Carnival Cruise Line Operator Discloses Potential Data Breach
7.3.2020 Bleepingcomputer Incident
The world's largest cruise ship operator Carnival Corporation & plc announced a potential data breach affecting some of its customers after hackers accessed employee email accounts.
Carnival Corporation is included in both the S&P 500 and the FTSE 100 indices, and it owns nine cruise line brands and a travel tour company.
According to the company's corporate website, "Carnival Corporation employs over 120,000 people worldwide and its 10 cruise line brands attract nearly 11.5 million guests annually, which is about 50 percent of the global cruise market."
"Combining more than 225,000 daily cruise guests and 100,000 shipboard employees, more than 325,000 people are sailing aboard the Carnival Corporation fleet every single day, totaling about 85 million passenger cruise days a year."
Network intrusion leading to email compromise
"In late May 2019, we identified suspicious activity on our network," a notification letter sent to Carnival Corporation customers and filed with the Office of the California Attorney General says.
"Upon identifying this potential security issue, we engaged cybersecurity forensic experts and initiated an investigation to determine what happened, what data was affected, and who was impacted.
"It now appears that between April 11 and July 23, 2019, an unsanctioned third party gained unauthorized access to some employee email accounts that contained personal information regarding our guests."
We take privacy and security of personal information very seriously, and we are offering affected individuals free credit monitoring and identity theft detection services through ID Experts to provide you with MyIDCare. - Carnival Corporation
Carnival Corporation adds that, depending on the guest, the hackers might have accessed "customers' names, addresses, Social Security numbers, government identification numbers, such as passport number or driver’s license number, credit card and financial account information, and health-related information."
The letter also says that there currently is no evidence that the impacted customers' personal info was misused after the security incident.
Besides the ongoing investigation regarding this security breach, Carnival Corporation says that it also reported the incident to the relevant law enforcement agencies.
Carnival Corporation's Data Protection Officer Jennifer Garone added that customers who have further questions about the incident can reach out to the company at +1 (833) 719-0091 (U.S. toll-free).
US Drugstore Giant Walgreens Leaked Users' Sensitive Info
7.3.2020 Bleepingcomputer Incident
US drugstore chain giant Walgreens disclosed over the weekend that some of its mobile apps' users have been able to inadvertently access other users' sensitive information because of a bug.
Walgreens is the second-largest pharmacy chain in the US right behind CVS Health, operating 9,277 drugstores and employing 230,000 people within all 50 states.
PII and PHI accidentally leaked
The data leak incident was caused by the unauthorized disclosure of secure messages within the Walgreens mobile app according to a data breach notification email sent by the company to affected customers.
The bug allowed "a small percentage of impacted customers" to view one or more personal messages containing limited health-related info of other app users "between January 9, 2020 and January 15, 2020."
Walgreens said that affected customers might have accidentally gained access and viewed sensitive information of others, including first and last name, prescription numbers and drug names, store numbers, and shipping address where applicable.
The company also said that "no financial information such as Social Security number or bank account information was involved in this incident."
The mobile app bug is now fixed
"On January 15, 2020, Walgreens discovered an error within the Walgreens mobile app personal secure messaging feature," the notification says.
"Our investigation determined that an internal application error allowed certain personal messages from Walgreens that are stored in a database to be viewable by other customers using the Walgreens mobile app.
"Once we learned of the incident, Walgreens promptly took steps to temporarily disable message viewing to prevent further disclosure and then implemented a technical correction that resolved the issue.
"Walgreens will conduct additional testing as appropriate for future changes to verify the change will not impact the privacy of customer data."
While Walgreens didn't mention what mobile app was affected by the bug, at the moment the Walgreens iOS app has been rated by users more than 2,500,000 times in the Apple Store while the Android Walgreens app has over 10,000,000 installations.
Walgreens recommends that customers monitor their prescription and medical records, and it shared the steps for protecting one's information at the end of the data breach notice.
49 Million Unique Emails Exposed Due to Mishandled Credentials
24.2.2020 Bleepingcomputer Incident
An Israeli marketing firm exposed 49 million unique email addresses after mishandling the authentication credentials for an Elasticsearch database, which were sitting in plain text on an unprotected web server.
In a vaguely-worded notification this week, Straffic, a privately-held digital marketing company, said that the incident was the result of a "security vulnerability" affecting one of its servers.
This is not the entire story, though, and this incident shows that huge databases are still at risk even when accessing them requires authentication.
Unexpected vulnerability
Straffic is described as "a private network for connecting elite affiliates with CPA [cost per action] & CPL [cost per lead] offers from trusted advertisers."
In a short message on Wednesday, the company announced that "a security vulnerability has been found on one of the servers we use to provide our services."
The asset was an Elasticsearch database with 140GB of contact details consisting of names, phone numbers, and postal addresses. While it was password protected, it appears that the credentials were not properly stored.
A security researcher using the Twitter handle 0m3n found them in plain text on the webserver. A DevOps engineer with a focus on security, 0m3n decided to check the webserver after receiving a link in a spam message.
0m3n told Jeremy Kirk that they discovered a configuration text file (.ENV) that pointed to an AWS Elasticsearch instance. The domain is no longer loading.
An .ENV file is typically used when testing an application in the Laravel PHP web framework. It should not make it into the git repo during the synchronization process, and for this reason it is added to the ignore list (.gitignore).
Speaking to BleepingComputer, 0m3n said that the developers may have forgotten to add the .gitignore file and the configuration was synched to the web server.
This would clearly make it a case of "misconfigured webserver" rather than "security vulnerability." 0m3n said that there are multiple free automated checks that could be built into the automated deployment of webservers and would eliminate such a risk.
In a span of about six months, 0m3n received between 30 and 50 spam texts similar to the one above and checked most of them. However, an .ENV configuration file was not present on any other. This could support the theory that the file was synched by accident.
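The kind of automated pre-deploy check 0m3n describes, as an added example in Python (not code from Straffic, 0m3n or BleepingComputer): it verifies that `.gitignore` excludes `.env` and that no live `.env` file sits under the tree that becomes the web root, assuming the Laravel layout; the directory tree and key values it runs on are constructed for the demo.

```python
"""Pre-deploy check for a leaked Laravel-style .env file (added example).

Assumes the Laravel convention that secrets live in `.env` at the project root
and that the deploy tree is synced from a git checkout. Before syncing:
  1. `.gitignore` must exist and carry a pattern that excludes `.env`;
  2. no `.env` file (other than the placeholder `.env.example`) may sit under
     the future web root; any that does is reported with its credential keys.
The directory layout and key values below are constructed for the demo.
"""
import fnmatch
import re
import tempfile
from pathlib import Path

# Laravel-style keys whose presence in a deployed .env means live credentials
# (DB_PASSWORD, APP_KEY, AWS_SECRET_ACCESS_KEY, ELASTICSEARCH_PASSWORD, ...).
SENSITIVE_SUFFIXES = ("_PASSWORD", "_SECRET", "_KEY", "_TOKEN")
KEY_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*=", re.MULTILINE)


def gitignore_covers_env(gitignore_text: str) -> bool:
    """True if some non-negated .gitignore pattern matches a file named '.env'."""
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        # A leading '/' only anchors the pattern to the repo root; drop it for matching.
        if fnmatch.fnmatch(".env", line.lstrip("/")):
            return True
    return False


def sensitive_keys(env_text: str) -> list:
    """Names of keys in a .env body that look like credentials."""
    return [k for k in KEY_RE.findall(env_text) if k.endswith(SENSITIVE_SUFFIXES)]


def find_env_files(web_root: Path) -> list:
    """All .env-style files under web_root except the harmless .env.example."""
    return sorted(p for p in web_root.rglob(".env*")
                  if p.is_file() and p.name != ".env.example")


def check_deploy(project_root: Path, web_root: Path) -> list:
    """Return a list of findings; an empty list means the deploy may proceed."""
    findings = []
    gitignore = project_root / ".gitignore"
    if not gitignore.is_file():
        findings.append("no .gitignore in project root; .env would be synced")
    elif not gitignore_covers_env(gitignore.read_text()):
        findings.append(".gitignore does not exclude .env")
    for env_file in find_env_files(web_root):
        keys = sensitive_keys(env_file.read_text())
        rel = env_file.relative_to(web_root)
        findings.append(f"{rel} present under web root; credential keys: {keys}")
    return findings


def build_demo(ok: bool) -> list:
    """Construct a throwaway Laravel-like tree and run the check on it.

    ok=False reproduces the failure mode from the article: no .gitignore entry
    and a live .env synced into the public web root. ok=True is a clean deploy.
    """
    root = Path(tempfile.mkdtemp(prefix="envcheck_"))
    public = root / "public"
    public.mkdir()
    (root / ".gitignore").write_text("/vendor\n" + ("/.env\n" if ok else ""))
    # Constructed placeholder values; nothing here is a real credential.
    (public / ".env.example").write_text("DB_PASSWORD=\nELASTICSEARCH_HOST=\n")
    if not ok:
        (public / ".env").write_text(
            "APP_KEY=base64:PLACEHOLDER\nDB_PASSWORD=PLACEHOLDER\n"
            "ELASTICSEARCH_HOST=search.example\nELASTICSEARCH_PASSWORD=PLACEHOLDER\n")
    return check_deploy(root, public)


if __name__ == "__main__":
    for finding in build_demo(ok=False):
        print("FAIL:", finding)
    print("clean deploy findings:", build_demo(ok=True))
```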
Troy Hunt said that 70% of the emails in Straffic's database were already present on Have I Been Pwned, the data breach notification site he created. This means that many of them "didn't come from previous breaches," he says in a reply to Under the Breach on Twitter.
The ratio is pretty normal but yeah, plenty of them didn’t come from previous breaches if that’s what you mean
— Troy Hunt (@troyhunt) February 27, 2020
Straffic says that all their systems are secure at the moment and that they did not find evidence of the data being copied or misused.
"Although we do our very best to protect the security of our service and deeply regret such a vulnerability has been found on our service, it is impossible to create a totally immune system, and these things can occur" - Straffic
Indeed, security incidents can occur even when the best precautions are in effect and are more likely to happen when database credentials float on the internet, especially when they are in plain text.
Hunt, who is very familiar with disclosure notices, points out that Straffic's announcement lacks the basic information that should be available in such a communication. Details about the date of the incident (or at least an estimate), what caused it, how it was addressed, and how impacted parties are being informed are missing.
[Update 02/28/2020]: Article updated with comments and image from 0m3n.
18 Sniffers Steal Payment Card Data from Print Store Customers
24.2.2020 Bleepingcomputer Incident
For the past 30 months, an online printing platform with a cover store for well-known magazines has been constantly infected with malicious scripts that steal customer payment card data.
At least 18 skimmers or sniffers (scripts that copy credit card info at checkout) have been identified since August 2017 on the Reprint Mint photo store, which prints covers of ESPN sports magazine and of the American military publication Stars and Stripes.
MageCart sniffer overload
On some occasions, more than one skimmer was active at the same time, indicating that multiple attackers had compromised the site and were receiving the pilfered card info.
Sanguine Security, a company specialized in online store fraud protection, says that the first skimmer they noticed on Reprint Mint ran for a year and a half without drawing attention.
Things changed on February 1, 2019, when it was replaced by a different script, which sent the data to a file associated with the Inter sniffing kit, available on underground markets for $950.
The collecting file was moved to various domains, most likely compromised for this purpose.
On August 1, 2019, a third skimmer with different code and a different exfiltration domain stepped in and replaced the competition.
By December, Sanguine researchers had seen six different scripts specifically designed to intercept payment card data. Most of the time, only one of them was active, except for the last two, which seemed to coexist.
New sniffers were planted starting January 23, 2020, with number five being a constant, regardless of the rivals swooping in. Sanguine Security informs that it was still present on Wednesday, despite multiple attempts to reach out to the printing platform. BleepingComputer could confirm that the two scripts are active at the moment of writing.
Few crooks were caught
While Reprint Mint is a small shop, it shows that any eCommerce site can be a battlefield for MageCart operators. Card-stealing malware will make its way onto any site with security gaps that can be exploited, no matter the amount of card data that can be exfiltrated. The information is then sold on underground forums.
Skimmer operators are extremely active, compromising hundreds of thousands of websites. One such threat actor alone managed to infect more than 40 web stores since October 2019. Over a dozen groups play this game.
Until now, authorities have caught only three MageCart hackers, part of a larger group that infected at least 571 stores since 2017. They collected about 1,000 cards and user account logins every week and either sold them on underground forums or used them to buy goods.
Slickwraps Data Breach Exposes Financial and Customer Info
24.2.2020 Bleepingcomputer Incident
Slickwraps has suffered a data breach after a security researcher was able to access their systems and, after receiving no response to emails, publicly disclosed how they gained access to the site and what data was exposed.
Slickwraps is a mobile device case retailer who sells a large assortment of premade cases and custom cases from images uploaded by customers.
In a post to Medium, a security researcher named Lynx states that in January 2020 they were able to gain full access to the Slickwraps web site using a path traversal vulnerability in an upload script used for case customizations.
Using this access, Lynx stated that they were allegedly able to gain access to the resumes of employees, 9GB of personal customer photos, the ZenDesk ticketing system, API credentials, and personal customer information such as hashed passwords, addresses, email addresses, phone numbers, and transactions.
[Image: Screenshot of Slickwraps payment gateway]
After trying to report these breaches to Slickwraps, Lynx stated they were blocked multiple times even when stating they did not want a bounty, but rather for Slickwraps to disclose the data breach.
"They had no interest in accepting security advice from me. They simply blocked and ignored me," Lynx stated in the Medium post. This post has since been taken down by Medium, but is still available via archive.org.
Since publishing the Medium post, Lynx told BleepingComputer that another unauthorized user sent an email to 377,428 customers using Slickwraps' ZenDesk help desk system.
These emails begin with "If you're reading this it's too late, we have your data" and then link to Lynx's Medium post.
Some of these customers have posted images of the email to Twitter, as seen below.
[Image: Email to Slickwraps customers]
When BleepingComputer asked Lynx if they knew who was sending out the emails, they told us that it was not them, but that they had seen traces of other unauthorized users in Slickwraps' web site as well.
"I saw some activity during my research, maybe they're the same people who sent out the emails? No clue to be honest," Lynx told BleepingComputer.
When we asked why they continued to look for more vulnerabilities instead of simply contacting Slickwraps when they first gained access we were told:
"As a white hat, we want to see how far we can go so we can generate a full report. No point in doing research and reporting the first vulnerability when there's still 10 others."
While Lynx told BleepingComputer that they were always concerned about legal repercussions after performing penetration testing, they felt that due to the severity of the data breach, it needed to be publicly disclosed.
"Companies know that I never intend to harm them and sometimes even offer bounties. This one was different in that sense that they blocked me and did not care about their customers at all. Since this is a major breach, and I exhausted all my other options to contact them, I felt the need to disclose this publicly, in hopes that they fix this asap."
Even with the breach disclosed in the Medium post and technical details having been posted, Lynx told us that the vulnerabilities still exist in the web site and that they still have access.
For those who have used Slickwraps in the past, Lynx has passed along the customer info to Troy Hunt of the Have I Been Pwned data breach notification service.
It is not known if Hunt will add this database to his system, but if he does, customers will be able to check if their email addresses are included in the database provided by Lynx.
For now, it is strongly suggested that all users change their password at Slickwraps and to use a unique password at all web sites that they visit.
Slickwraps releases statement
In a statement posted to their Twitter account, Slickwraps CEO Jonathan Endicott has apologized for the data breach and promises to do better in the future.
Slickwraps Users,
There is nothing we value higher than trust from our users. In fact, our entire business model is dependent on building long-term trust with customers that keep coming back.
We are reaching out to you because we've made a mistake in violation of that trust. On February 21st, we discovered information in some of our production databases was mistakenly made public via an exploit. During this time, the databases were accessed by an unauthorized party.
The information did not contain passwords or personal financial data.
The information did contain names, user emails, addresses. If you ever checked out as "GUEST" none of your information was compromised.
If you were a user with us before we secured this information on February 21st, we regretfully write this email as a notification that some of your information was included in these databases.
Upon finding out about the public user data, we took immediate action to secure it by closing any database in question.
As an additional security measure, we recommend that you reset your Slickwraps account password. Again, no passwords were compromised, but we recommend this as a standard safety measure. Finally, please be watchful for any phishing attempts.
We are deeply sorry for this oversight. We promise to learn from this mistake and will make improvements going forward. This will include enhancing our security processes, improving communication of security guidelines to all Slickwraps employees, and making more of our user-requested security features our top priority in the coming months. We are also partnering with a third-party cyber security firm to audit and improve our security protocols.
More details will follow and we appreciate your patience during this process.
Sincerely,
Jonathan Endicott
CEO @ Slickwraps
In the statement, though, Endicott says they first learned about this today, February 21st, while Lynx stated and showed screenshots of attempts to contact both Endicott via email and Slickwraps on Twitter prior to today.
[Image: Email to Endicott disclosing the breach]
BleepingComputer has once again reached out to Slickwraps for further information.
Update 2/21/20 2:56PM EST: Added statement from Slickwraps
Hackers Share Stolen MGM Resorts Guest Database with 10M+ Records
23.2.2020 Bleepingcomputer Incindent
An archive with over 10 million records of guests at the MGM Resorts hotels is currently distributed for free on a hacking forum.
The data comes from a security breach in July 2019 of one of MGM's cloud services. In total, there are 10,683,189 records, including about 3.1 million unique email addresses, with entries dating as far back as 2017.
Some data still valid
Among the details compromised are guests' names, dates of birth, email addresses, phone numbers, and physical addresses complete with postal codes.
The post sharing the information was spotted by a researcher at Under the Breach, a company that monitors the cybercrime space and is currently working on releasing a new service that aims to provide companies with intelligence about potential breaches.
Not all the information in the files is still valid. ZDNet was able to confirm that in some cases the phone numbers were disconnected; other times, the publication received confirmation from the person answering the phone that the details were real.
MGM acknowledged that the data dump resulted from a security incident in 2019. Although we could not find a notification to affected individuals, some members of the Vegas Message Board forum that stayed at MGM Resorts were alerted last summer that their personal data had emerged on the dark web.
"I was at an MGM property in July. My credit card company and an independent credit monitoring service both notified me 19 August that my email was on the dark web and passwords for two sites were compromised" - Vegas Message Board forum member
Risk of fraud
According to Under the Breach, as ZDNet reports, the database contains details of high-profile guests, such as Twitter CEO Jack Dorsey, pop star Justin Bieber, and officials from the U.S. Department of Homeland Security and the Transportation Security Administration.
The immediate risk of having personal details publicly exposed is receiving targeted phishing messages that could help cybercriminals in their fraudulent activities.
The details can also be used to create new accounts in the name of the victim or for synthetic identity fraud, where the cybercriminal needs only some of the information to be valid in order to apply for some service.
Plastic Surgery Patient Photos, Info Exposed by Leaky Database
16.2.2020 Bleepingcomputer Incindent
Hundreds of thousands of documents with plastic surgery patients' personal information and highly sensitive photos were exposed online by an improperly secured Amazon Web Services (AWS) S3 bucket.
NextMotion is a French plastic surgery tech firm that provides imaging and patient management services that help 170 plastic surgery clinics from 35 countries document, digitize and market their practices.
The company promises clients that it will solve their "before & after imaging issues, reassure your patients, simplify your data management and improve your e-reputation."
"Nextmotion is an ecosystem based on a medical cloud which allows you to sort, store and access your data wherever you are," the company's site says.
"In that sense, all your data is covered with the highest requested security level as it is hosted in France on servers authorized by the Haute Autorité de Santé (French Health Authority) - in our case, AWS who is certified."
Graphic photos of patients exposed
The bucket was used by NextMotion to store roughly 900,000 files with highly sensitive patient images and videos, as well as plastic surgery, dermatological treatments, and consultation documents.
After analyzing the open S3 bucket discovered on January 24 in collaboration with vpnMentor more closely, security researchers Noam Rotem and Ran Locar found outlines and invoices for cosmetic treatments, videos of 360-degree body and face scans, as well as patient photos that, in some cases, were graphic snapshots of genitals, breasts, and more.
All these files were uploaded by NextMotion clients using the company's medical imaging solution to the unsecured database.
While there is no way to know the exact number of patients that had their information exposed, the hundreds of thousands of files found in the S3 bucket hint at thousands of patients having their sensitive data exposed.
Plastic surgery patient photos (Noam Rotem and Ran Locar)
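The root cause here is a bucket readable by anyone, which is an inspectable configuration rather than a subtle bug. The following is an added example for this article, not NextMotion's or vpnMentor's code: it evaluates the three JSON structures boto3 returns for a bucket (get_bucket_acl, get_bucket_policy, get_public_access_block) and reports every grant, policy statement or missing Public Access Block setting that makes the bucket publicly reachable. The bucket name `patient-media-example` and both sample configurations are constructed for illustration, and a policy statement with a `Condition` is skipped as a simplification.

```python
"""Offline checks for the S3 misconfiguration class behind this leak: a bucket that
grants read access to everyone.

Added example for this article; it is not NextMotion's or vpnMentor's code. It evaluates
the JSON structures returned by boto3's get_bucket_acl, get_bucket_policy and
get_public_access_block, so it can be run over saved inventory without AWS credentials.
The sample buckets at the bottom are constructed for illustration.
"""
from typing import Any, Dict, List

# Amazon-wide grantee groups; a grant to either makes objects reachable by anyone
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# The four Public Access Block settings that should all be true
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_grants(acl: Dict[str, Any]) -> List[str]:
    """Return 'Group:Permission' for each ACL grant to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            findings.append(f"{PUBLIC_GROUPS[uri]}:{grant.get('Permission')}")
    return findings


def _principal_is_anonymous(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy: Dict[str, Any]) -> List[str]:
    """Return the Sid (or index) of each unconditioned Allow statement for an anonymous principal.

    Statements with a Condition are skipped as a simplification; conditions such as
    aws:Referer are weak and still deserve manual review.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if (st.get("Effect") == "Allow"
                and _principal_is_anonymous(st.get("Principal"))
                and not st.get("Condition")):
            findings.append(st.get("Sid") or f"statement[{i}]")
    return findings


def missing_public_access_blocks(pab: Dict[str, Any]) -> List[str]:
    """Return the Public Access Block flags that are absent or false."""
    return [flag for flag in PAB_FLAGS if not pab.get(flag, False)]


def assess_bucket(name: str, acl: Dict[str, Any], policy: Dict[str, Any],
                  pab: Dict[str, Any]) -> List[str]:
    """Combine the three checks into human-readable findings for one bucket."""
    findings = [f"ACL grants {g} to the public" for g in acl_public_grants(acl)]
    findings += [f"policy {s} allows anonymous access" for s in policy_public_statements(policy)]
    findings += [f"{f} is not enabled" for f in missing_public_access_blocks(pab)]
    return [f"{name}: {f}" for f in findings]


# Constructed sample: an exposed bucket (hypothetical name, not the bucket from the article)
LEAKY_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::patient-media-example/*"}]}
LEAKY_PAB = {flag: False for flag in PAB_FLAGS}

# Constructed sample: the same bucket after hardening (owner-only ACL, deny-only policy)
SAFE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                        "Permission": "FULL_CONTROL"}]}
SAFE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::patient-media-example/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
SAFE_PAB = {flag: True for flag in PAB_FLAGS}

if __name__ == "__main__":
    for line in assess_bucket("patient-media-example", LEAKY_ACL, LEAKY_POLICY, LEAKY_PAB):
        print(line)
    print("hardened findings:",
          assess_bucket("patient-media-example", SAFE_ACL, SAFE_POLICY, SAFE_PAB))
```

Run against saved boto3 output for each bucket in an account, the leaky sample yields six findings (one ACL grant, one policy statement, four disabled block settings) and the hardened sample none; the four Public Access Block flags alone would have prevented both the ACL grant and the public policy from taking effect.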
PII data also exposed
NextMotion's CEO said in a press release that the patient data stored in the leaky database "had been de-identified - identifiers, birth dates, notes, etc. - and thus was not exposed."
However, "the exposed paperwork and invoices also contained Personally Identifiable Information (PII) data of patients," as the two researchers explained.
"This type of data can be used to target people in a wide range of scams, fraud, and online attacks," their report also added.
"We immediately took corrective steps and this same company formally guaranteed that the security flaw had completely disappeared," NextMotion says.
"This incident only reinforced our ongoing concern to protect your data and your patients’ data when you use the Nextmotion application."
As a reminder, all your data is stored in France, in a secure HDS (personal data hosting) compliant medical cloud. Our application and our data management practice were audited in 2018 by a GDPR (General Data Protection Regulation) specialized law firm, in order to ensure our compliance with the data regulation which came into effect in 2019. - CEO of NextMotion
Previous incidents impacting plastic surgery patients
This is not the first time the sensitive personal information of plastic surgery patients might have landed in the wrong hands following a security incident.
In 2017, the London Bridge Plastic Surgery clinic issued a data breach statement saying that The Dark Overlord (TDO) hacking group was able to steal patient information and highly sensitive photos.
The AZ Plastic Surgery Center notified 5,524 patients in February 2019 that some of their protected health information (PHI) may have been accessed by TDO.
Later last year, in early November 2019, The Center for Facial Restoration reported to the U.S. Department of Health and Human Services that the PII of up to 3,600 patients may have been stolen in a hacking incident.
Microsoft’s Surface Duo Spotted in the Wild, Video Leaked
9.2.2020 Bleepingcomputer Incindent
Microsoft said its dual-screen Android phone 'Surface Duo' won't be coming until Holiday 2020, but it looks like the phone could launch sooner than expected as Microsoft is now seeding the prototypes to more employees in the US and Canada.
Twitter user Israel Rodriguez recently posted a video of a Microsoft employee using the Surface Duo in Vancouver’s public transit system. In the video, the Surface Duo can be seen running a customized version of Android with Microsoft Launcher.
The leak also suggests that the device might come with a front-facing flash, which confirms the rumors that Microsoft won't put a dedicated camera on the back of the device.
In the video, the Surface Duo's software still appears to be buggy: the employee had to click and swipe multiple times to open apps and settings and to switch between windows. Aside from these details on the camera and software, the other features of the Surface Duo are still not known.
In an interview, Microsoft Surface chief Panos Panay confirmed that both the Surface Duo and the Surface Neo would feature "a good camera", but these devices may not support 5G at launch.
Misconfigured Docker Registries Expose Orgs to Critical Risks
9.2.2020 Bleepingcomputer Incindent
Some organizations have improperly configured Docker registries exposed to the public web, leaving a door open for attackers to infiltrate and compromise operations.
Entities running this risk include research institutes, retailers, news media organizations, and technology companies, security researchers found after checking Docker servers on the internet.
Open access to images
In a Docker environment, applications are packaged into images that include all the code and dependencies the programs need to run, independently of the underlying operating system.
Users fetch these images from repositories hosted on a Docker server called a registry and can create multiple versions of them, differentiated by tags. The main operations a Docker registry supports are push (upload a custom version), pull (download an image to run locally), and delete.
Searching for Docker registries accessible over the public web, security researchers at Palo Alto Networks found that 117 lacked authentication controls that would prevent unauthorized access.
"Although setting up a Docker registry server is straightforward, securing the communication and enforcing the access control requires extra configurations. System administrators may unintentionally expose a registry service to the internet without enforcing proper access control" - Palo Alto Networks
The researchers used Shodan and Censys search engines to find registries that did not require authentication and accepted the three primary operations mentioned above.
Test routine
To make sure that the test routine did not make any change on the remote server, they used non-existent image names and interpreted the response.
Of the 117 unprotected servers, 80 allowed downloading an image, 92 permitted unauthorized upload, and seven allowed anyone to delete images. In total, these unsecured Docker registries hosted 2,956 repositories and 15,887 tags.
Sample of repositories and tags on exposed Docker registry
Based on reverse DNS lookups and the Common Name (CN) field in the TLS certificates, the researchers were able to determine the owner of the vulnerable servers in 25% of the cases.
They belonged to entities in a variety of domains, from research and retail to news and media organizations and businesses in the technology sector.
Attackers can profit from the misconfiguration and use the three permitted operations to replace original images with backdoored versions, host malware, or interrupt business operations by making images inaccessible (for example through encryption) and demanding a ransom. Any client running a tampered image could immediately get infected this way.
Palo Alto Networks recommends adding a firewall rule to prevent the registry from being accessible from the public internet and enforcing authentication, via the Authenticate header, on all API requests as forms of access control.
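The researchers' test routine and the recommended fix both reduce to one observable: how the registry answers an anonymous request to its v2 API. The following is an added example for this article, not Palo Alto Networks' tooling, for checking a registry you operate. It assumes the standard Docker Registry HTTP API v2 behaviour (a protected registry returns 401 with a WWW-Authenticate challenge for GET /v2/, an open one returns 200 and serves /v2/_catalog); the `registry-audit/1.0` user agent and the `localhost:5000` default are assumptions of this example.

```python
"""Audit whether a Docker registry you operate rejects anonymous v2 API requests.

Added example for this article; it is not Palo Alto Networks' tooling. It assumes the
standard Docker Registry HTTP API v2: a registry that enforces access control answers an
anonymous GET /v2/ with 401 and a WWW-Authenticate challenge, while an open registry
answers 200 and will serve its repository list at /v2/_catalog.
"""
import json
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RegistryResponse:
    status: int
    www_authenticate: Optional[str]
    body: bytes


def classify_registry(resp: RegistryResponse) -> str:
    """Map the response to an anonymous GET /v2/ onto an access-control verdict."""
    if resp.status == 401 and resp.www_authenticate:
        return "auth-enforced"          # challenge present: clients must authenticate
    if resp.status == 200:
        return "open"                   # anonymous callers reach the API
    if resp.status in (401, 403):
        return "denied-no-challenge"    # blocked, but not by registry basic/token auth
    return "unexpected"


def exposed_repositories(catalog_body: bytes) -> List[str]:
    """Parse the /v2/_catalog payload ({"repositories": [...]}) into repository names."""
    try:
        data = json.loads(catalog_body)
    except ValueError:
        return []
    repos = data.get("repositories", []) if isinstance(data, dict) else []
    return [r for r in repos if isinstance(r, str)]


def fetch(url: str, timeout: float = 5.0) -> RegistryResponse:
    """Anonymous GET; urllib raises HTTPError on 4xx/5xx, so both paths build a response."""
    req = urllib.request.Request(url, headers={"User-Agent": "registry-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return RegistryResponse(r.status, r.headers.get("WWW-Authenticate"), r.read())
    except urllib.error.HTTPError as e:
        return RegistryResponse(e.code, e.headers.get("WWW-Authenticate"), e.read())


def audit_registry(base_url: str) -> Dict[str, object]:
    """Check /v2/ and, only if it is open, count the repositories an anonymous client sees."""
    base = base_url.rstrip("/")
    verdict = classify_registry(fetch(base + "/v2/"))
    repos: List[str] = []
    if verdict == "open":
        repos = exposed_repositories(fetch(base + "/v2/_catalog").body)
    return {"registry": base, "verdict": verdict, "repository_count": len(repos)}


if __name__ == "__main__":
    # Default target is a local registry; point it at the registry you operate.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:5000"
    print(json.dumps(audit_registry(target), indent=2))
```

A verdict of "open" on a registry reachable from the internet is the condition the article describes; the fix on the registry side is the distribution's own configuration (an `auth` section using htpasswd or a token service, and TLS under `http.tls`) combined with the firewall rule above, after which the same script should report "auth-enforced".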
Japanese Defense Contractors Kobe Steel, Pasco Disclose Breaches
9.2.2020 Bleepingcomputer BigBrothers Incindent
Japanese defense contractors Pasco Corporation (Pasco) and Kobe Steel (Kobelco) today disclosed security breaches that happened in May 2018 and in June 2015/August 2016, respectively.
The geospatial provider and the major steel manufacturer also confirmed unauthorized access to their internal network during the two incidents, as well as malware infections affecting their computing systems following the attacks.
According to the official statement Pasco issued today, no damage such as information leakage has been discovered so far in the ensuing investigations.
However, while Kobelco's official statement doesn't mention it, Nikkei reports that 250 files with data related to the Ministry of Defense and personal info were compromised after the company's servers were hacked.
It is also possible that the threat actors behind the attacks might have targeted the companies' defense information, but the data that might have been leaked did not include defense secrets.
Kobe Steel is a known supplier of submarine parts for the Japan Self-Defense Forces (SDF), while Pasco is a provider of satellite data.
Two of four hacked Japanese defense contractors
The two companies are the last of the four defense-related firms that were hacked between 2016 and 2019, as Japanese Defense Minister Taro Kono said during a press conference on January 31.
Kono also stated that no hints are pointing at the attacks being related to each other and that the Japanese Ministry of Defense coordinated the disclosures because "it should be publicly disclosed. It is necessary to get the world to know and think about defenses."
The other two defense contractors that were infiltrated by attackers are Mitsubishi Electric and NEC. Both of them confirmed that their systems were breached in statements published on January 20 and January 30, respectively.
Mitsubishi Electric disclosed that the security breach might have caused the leak of personal and confidential corporate info, with about 200 MB worth of documents being exposed during the attack that took place on June 28, 2019.
Mitsubishi Electric attributed the eight-month delay in disclosing the incident to the complexity of the investigation, which was compounded by the activity logs having been deleted after the attack.
NEC said that servers belonging to its defense business unit were accessed without authorization in December 2016 by third parties, but "no damage such as information leakage has been confirmed so far." 27,445 files were accessed illegally during the incident according to an NEC statement to BleepingComputer.
Chinese hackers suspected in at least two of the attacks
"According to people involved, Chinese hackers Tick may have been involved," Nikkei reported after Mitsubishi Electric disclosed the breach.
"According to the company, at least tens of PCs and servers in Japan and overseas have been found to have been compromised."
"The hijacked account was used to gain infiltration into the company's internal network, and continued to gain unauthorized access to middle-managed PCs who had extensive access to sensitive information," an Asahi Shimbun report added.
A Pasco official was also quoted as saying that the attackers behind the May 2018 security breach might be linked to China per a Kyodo News report from today.
Tick (also tracked as Bronze Butler and RedBaldKnight) is a state-backed hacking group with Chinese ties that focuses on cyberespionage and information theft.
The group is known for primarily targeting Japanese organizations from several sectors including but not limited to manufacturing, critical infrastructure, international relations, and heavy industry.
Their end goal is to steal confidential intellectual property and corporate info after breaching enterprise servers via spearphishing attacks and exploiting various zero-day vulnerabilities — including one affecting Trend Micro's OfficeScan in the case of Mitsubishi Electric as reported by ZDNet.
According to research, Tick also usually wipes all evidence from hacked servers as part of an effort to delay investigations after their operations are eventually discovered.
Medicaid CCO Vendor Breach Exposes Health, Personal Info of 654K
9.2.2020 Bleepingcomputer Incindent
Medicaid coordinated care organization (CCO) Health Share of Oregon today disclosed a data breach exposing the health and personal info of 654,362 individuals following the theft of a laptop owned by its transportation vendor GridWorks IC.
The non-profit organization is Oregon's largest Medicaid CCO and it serves the Oregon Health Plan (Medicaid) members in Clackamas, Multnomah, and Washington counties.
"On January 2, 2020, Health Share of Oregon learned that the personal information of its members was located on a laptop stolen from GridWorks IC, Health Share's contracted non-emergent medical transportation (Ride to Care) vendor," says the CCO in a statement issued today.
"The break-in and theft occurred at GridWorks' office on November 18, 2019."
Data breach exposes personal and health information
The stolen laptop includes several types of member information including members' names, addresses, phone numbers, dates of birth, Social Security numbers, and Medicaid ID numbers.
According to Health Share's statement, the personal health histories of its members were not exposed as part of this incident.
Health Share is sending letters to all the members whose information was stored on the stolen device; the letter will include an offer of one year of free identity monitoring services, including credit monitoring, fraud consultation, and identity theft restoration.
Though the theft took place at an external vendor, we take our members’ privacy and security very seriously. Therefore, we are ensuring that members, partners, regulators, and the community are made fully aware of this issue. — Health Share of Oregon
In direct response to this vendor data breach, Health Share will expand contractor annual audits, as well as enhance training policies and make sure that patient information transmitted to partners and members is kept to the bare minimum required.
"We are committed to providing the highest quality service to our members, which includes protecting their personal information," interim CEO and Chief Medical Officer Maggie Bennington-Davis said.
Financial statements and credit reports monitoring advised
While Health Share doesn't know if the thief found its members’ information on the stolen laptop, it urges all affected members that will receive a breach notification letter to take advantage of the free one year of identity monitoring services.
Health Share also set up a dedicated, toll-free call center at 1-800-491-3163, available between Monday and Friday, 8:00 am to 5:30 pm for questions and concerns.
The CCO also reminds potentially impacted members that they can put a 'security freeze' on their credit file for free to "stop any credit, loans, or other services from being approved in your name without your approval."
In case their info has been misused, Health Share members are also advised to file a complaint with the Federal Trade Commission, as well as a police report in case of identity theft or fraud.
NEC Defense Contracts Info Potentially Compromised in Breach
2.2.2020 Bleepingcomputer Incindent
Update: NEC confirmed the security breach of its defense business division in an official statement; details are in the update at the end of this article.
Japanese electronics giant NEC was the target of a cyberattack that resulted in unauthorized access to its internal network on Thursday, according to information leaked to Japanese newspapers by sources close to the matter.
The electronics and information technology giant is a major contractor for Japan's defense industry, engaged in various defense equipment projects with the Japan Self-Defense Forces (JGSDF or Jieitai), including 3D radar and broadband multipurpose radio systems, and information related to these projects may have leaked.
While NEC hasn't yet released any official statements regarding this incident, roughly 28,000 files were found by the company on one of the compromised servers according to reports, some of them containing defense equipment info such as submarine sensors.
NEC said that it has routinely discovered attempts to gain unauthorized access to its internal network, but also explained that there is no evidence that info has been leaked or has been damaged so far.
NEC's Public Relations Office also told the NHK, the Asahi Shimbun, and Kyodo News that, in the absence of evidence either way, an information leak cannot be ruled out.
"We have not confirmed any damage such as information leaks so far. However, it cannot be said that it has not leaked," NEC said.
However, according to Nikkei, the Japanese Ministry of Defense said that the exposed files contained "information on contracts with NEC, not defense secrets, and there is no impact on Japan's defense system."
BleepingComputer has reached out to NEC for more details regarding the incident but had not heard back at the time of this publication.
Mitsubishi Electric also breached
The reports come 10 days after the security breach disclosed by Mitsubishi Electric on January 20 that might have also led to a personal and confidential corporate information leak.
"On June 28, last year, a suspicious behavior was detected and investigated on a terminal in our company, and as a result of unauthorized access by a third party, data was transmitted to the outside," Mitsubishi Electric said.
The breach started after Chinese affiliates were compromised and it then spread to the company's internal network per an Asahi Shimbun report that prompted Mitsubishi Electric's disclosure.
"The hijacked account was used to gain infiltration into the company's internal network, and continued to gain unauthorized access to middle-managed PCs who had extensive access to sensitive information," the report says.
Chinese hackers suspected as Mitsubishi attack operators
"According to people involved, Chinese hackers Tick may have been involved," Nikkei said at the time. "According to the company, at least tens of PCs and servers in Japan and overseas have been found to have been compromised."
Tick (also known as Bronze Butler and REDBALDKNIGHT) is a cyber-espionage group known for primarily targeting Japanese entities from various sectors ranging from international relations and manufacturing to critical infrastructure and heavy industry organizations.
The group's main goal is to siphon confidential corporate info and intellectual property after compromising enterprise servers by exploiting various zero-day vulnerabilities and launching spearphishing attacks.
Tick also commonly wipes all evidence from compromised computers to hinder investigations after their operations are discovered.
Update January 30, 19:20 EST: NEC confirmed the security breach of its defense business division in a press release issued today, "27,445 files were found to have been accessed illegally" in July 2018 (h/t piyokango):
NEC has confirmed that some of the internal servers used by the Company's defense business unit have been subject to unauthorized access by third parties. As a result of investigations conducted by the Company and external specialized organizations, no damage such as information leakage has been confirmed so far.
The NEC Group has implemented measures such as the introduction of an unknown malware detection system, but was unable to detect the initial penetration of attacks launched after December 2016 and the early spread of internal infections.
In June 2017, while checking for the communication patterns described in a security company's threat report, it was confirmed that unauthorized communication was being performed from internal PCs; the infected PCs were isolated and investigated, and the unauthorized communication destinations were detected and blocked. In July 2018, we succeeded in decrypting the encrypted communication between an infected server and an external server that was performing unauthorized communication, and found that 27,445 files stored on an internal server that our defense business division uses for information sharing with other departments had been accessed illegally.
As a result of investigation by the Company and external specialized organizations, no damage such as information leakage has been confirmed so far. These files do not contain confidential information or personal information. In addition, since July 2018, the situation has been individually explained to customers related to files that have been accessed illegally.
Marriott Reports Data Breach Affecting Up to 5.2 Million Guests
4.4.2020 Bleepingcomputer Incindent
Marriott International today revealed that the personal information of roughly 5.2 million hotel guests was impacted in a data breach incident detected at the end of February 2020.
"At the end of February 2020, we noticed that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property," the company said in a statement.
"We believe this activity started in mid-January 2020. Upon discovery, we immediately ensured the login credentials were disabled, began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests."
Breach notification letter (Mauro Servienti)
Although an investigation of this incident is ongoing, Marriott says that currently there is no "reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers."
Marriott has set up a self-service online portal for guests who want to determine whether their info was involved in this data breach and, if so, what categories of personal data were involved.
In addition, Marriott Bonvoy members who had their information potentially exposed in the incident had their passwords disabled and will be requested to change their password on the next login, as well as prompted to enable multi-factor authentication.
According to Marriott, the following guest information might have been involved in the breach, in various combinations for each of the affected customers:
• Contact details (e.g., name, mailing address, email address, and phone number)
• Loyalty Account Information (e.g., account number and points balance, but not passwords)
• Additional Personal Details (e.g., company, gender, and birthday day and month)
• Partnerships and Affiliations (e.g., linked airline loyalty programs and numbers)
• Preferences (e.g., stay/room preferences and language preference)
Marriott is also offering affected guests the option to enroll in the IdentityWorks personal information monitoring service, free of charge for 1 year.
The company also alerted relevant authorities about the incident and is supporting ongoing investigations.
This is the second data breach Marriott has reported in the last two years as the company also announced in November 2018 that its Starwood Hotels guest reservation database was breached.
As Marriott said at the time, signs of unauthorized access were detected dating as far back as 2014, compromising the personal information of approximately 339 million guest records globally.
Tech Giant GE Discloses Data Breach After Service Provider Hack
28.3.2020 Bleepingcomputer Incindent
Fortune 500 technology giant General Electric (GE) disclosed that personally identifiable information of current and former employees, as well as beneficiaries, was exposed in a security incident experienced by one of GE's service providers.
GE is a multinational operating in a wide range of tech segments including aviation, power, healthcare, and renewable energy, and it is currently ranked by Fortune 500 as the 21st-largest company in the U.S. by revenue.
GE currently has customers in more than 180 countries and in excess of 280,000 employees according to the company's 2018 annual report.
Employees and beneficiaries' PII exposed
GE says in a notice of data breach filed with the Office of the California Attorney General that Canon Business Process Services (Canon), a GE service provider, had one of their employees' email accounts breached by an unauthorized party in February.
"We were notified on February 28, 2020 that Canon had determined that, between approximately February 3 - 14, 2020, an unauthorized party gained access to an email account that contained documents of certain GE employees, former employees and beneficiaries entitled to benefits that were maintained on Canon’s systems," the notification says.
GE also states that the sensitive personal information exposed during the incident was uploaded by or for current and former GE employees, as well as "beneficiaries entitled to benefits in connection with Canon’s workflow routing service."
Among the information the attacker gained access to during the breach, GE mentions:
[..] direct deposit forms, driver’s licenses, passports, birth certificates, marriage certificates, death certificates, medical child support orders, tax withholding forms, beneficiary designation forms and applications for benefits such as retirement, severance and death benefits with related forms and documents, may have included names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, dates of birth, and other information contained in the relevant forms.
GE systems not breached
According to the notice of data breach, GE's systems were not affected by the Canon security breach, and it is taking measures to prevent a similar incident from happening in the future.
"Canon is offering identity protection and credit monitoring services to affected individuals for two years at no cost to you through a company called Experian," the notice also says.
Affected individuals who receive the breach notification letters from GE have until June 30, 2020, to take advantage of these services.
GE has also set up a support hotline at 1-800-432-3450 that affected individuals can call between 9 AM and 5 PM Eastern time, Monday through Friday.
BleepingComputer has reached out to GE for more details but had not heard back at the time of this publication.
Update March 23, 18:33 EDT: When asked about the estimated number of current and former GE employees affected by the breach, a GE spokesperson sent the following statement:
We are aware of a data security incident experienced by one of GE’s suppliers, Canon Business Process Services, Inc. We understand certain personal information on Canon’s systems may have been accessed by an unauthorized individual. Protection of personal information is a top priority for GE, and we are taking steps to notify the affected employees and former employees.
Rogers Data Breach Exposed Customer Info in Unsecured Database
22.3.2020 Bleepingcomputer Incindent
Canadian ISP Rogers Communications has begun to notify customers of a data breach that exposed their personal information due to an unsecured database.
In a data breach notification posted to their site, Rogers states that they learned on February 26th, 2020 that a vendor database containing customer information was unsecured and publicly exposed to the Internet.
"On February 26, 2020, Rogers became aware that one of our external service providers had inadvertently made information available online that provided access to a database managed by that service provider. We immediately made sure the information was removed and began an investigation to see how many customers might have been impacted. No credit card, no banking, or no password information was exposed. We are directly contacting any customer whose information was in the database. We sincerely apologize for this incident and regret any inconvenience this may cause," Rogers explained.
The following customer information was exposed by this data breach:
address
account number
email address
telephone number
Rogers' support article states that no credit card, banking, or password information was exposed by the database.
For affected customers, Rogers is providing a complimentary Transunion credit monitoring subscription.
As some of the exposed information was mobile numbers, Rogers has also added port protection to the numbers to block them from being ported to another carrier without authorization.
"Some wireless account numbers were included in the vendor database. If a customer’s wireless account number was included, we added a block to their account (called port protection) to prevent their phone number from being transferred to another carrier without their authorization. Customers can call us if they wish to remove this block."
All customers impacted by this data breach should be on the lookout for targeted phishing scams. These phishing scams could pretend to be from Rogers or use the accessed information to gain your information at other companies.
Open Exchange Rates Data Breach Affects Users of Well-Known Orgs
15.3.2020 Bleepingcomputer Incindent
Open Exchange Rates has announced a data breach that exposed the personal information and salted and hashed passwords for customers of its API service.
Open Exchange Rates provides an API that allows organizations to query real-time and historical exchange rates for over 200 world currencies. The service's web site states that their API is used by companies such as Etsy, Shopify, Coinbase, Kickstarter, and more.
In data breach notification emails sent today, Open Exchange Rates explains that while investigating a network misconfiguration that was causing delays in their service, they discovered that an unauthorized user had gained access to their network and a database that included user information.
Open Exchange Rates Data Breach Notification
Source: Twitter
After further investigations, it was discovered that the hacker had access to their system for almost a month between February 9th, 2020, and March 2nd, 2020 and that the data was most likely extracted from their systems.
"Upon further examination, we determined that the unauthorised user appeared to have initially gained access on 9 February 2020, and could have gained access to a database in which we store user data. Whilst our investigations are ongoing, we have also found evidence indicating that information contained in this database is likely to have been extracted from our network." the email stated.
The following user information was exposed by this data breach:
The name and email address you registered with;
An encrypted/hashed password used by you to access your account connected with the platform;
IP addresses from which you have registered and/or logged into your account with us;
App IDs (32-character strings used to make requests to our service) associated with your account;
Personal and/or business name and address (if you have provided these);
Country of residence (if provided);
Website address (if provided).
Due to this breach, Open Exchange Rates has disabled the password for all accounts created before March 2nd, 2020, and users should use the link provided in the notification to set a new password.
If the same password is used at other sites, BleepingComputer strongly recommends that the password be changed at those sites as well.
As the customer API keys for the service may have also been exposed, Open Exchange Rates is recommending that all users generate new API IDs to access the service.
"As the App IDs (API keys) connected to your account are also potentially affected, you may also wish to generate new ones to access the service via your account dashboard. We do not have any evidence of these being used to gain access to the API, however they could be used to query exchange rate information from our service using your account."
As this API is used by well-known organizations, Open Exchange Rates is warning that the stolen data could be used in targeted spear-phishing campaigns and users should be suspicious of any email, phone calls, or texts asking to confirm their account information.
It is also recommended that users enable two-factor authentication at all sites where they have an account.
Hackers Get $1.6 Million for Card Data from Breached Online Shops
15.3.2020 Bleepingcomputer Incident
Hackers have collected $1.6 million from selling more than 239,000 payment card records on the dark web. The batch was assembled from thousands of online shops that last year ran a tainted version of the Volusion e-commerce software.
The compromise was discovered in October 2019 by Check Point security researcher Marcel Afrahim and affected stores hosted on the Volusion cloud platform.
Wide-scope operation
This was a web-skimming incident, where attackers use malicious JavaScript that steals payment data when customers provide it at checkout.
In this case, the hackers modified a resource used on Volusion-based stores for navigating the UI menu. This resource loaded the skimmer from an external path.
Evidence found by Trend Micro indicates that the attack started on September 7 and is the work of FIN6.
RiskIQ refers to them as MageCart Group 6 and assesses that it goes only after high-profile targets that ensure a large volume of transactions.
Significant damage
A report from Gemini Advisory today reports that whoever compromised the Volusion infrastructure waited until November 2019 to start selling the data on the dark web.
So far, they have offered more than 239,000 payment card records on a single dark web marketplace and made $1.6 million. This data was from hundreds of different merchants.
Gemini determined that the number of compromised stores is as high as 6,589, which is in line with results from a search for sites with the modified Volusion JavaScript.
The researchers estimate that the attackers have up to 20 million records, though, which may trickle onto the dark web for a long time. If true, they could have a potential maximum value of more than $100 million, if prices don't fall.
“The average CNP [card-not-present] breach affecting small to mid-sized merchants compromises 3,000 records; scaling this figure to the 6,589 merchants using Volusion affected by this breach, the potential number of compromised records is up to nearly 20 million. Given this figure, the maximum profit potential would be as high as $133.89 million USD” - Gemini Advisory
This profit is just an estimate, though. However, even if the hackers make just a tenth of it, the figure is still impressive. Buyers also stand to make significant profits from using the stolen card data, Gemini told BleepingComputer.
As for the domains affected by the attack, almost 5,900 were registered in the U.S., with less than 200 registered in Canada.
Of the 239,000 records already sold on the dark web, 98.97% are for cards issued in the U.S., the researchers found. The next-largest issuer countries each accounted for just several hundred records.
Entercom Radio Giant Says Data Breach Exposed User Credentials
14.3.2020 Bleepingcomputer Incident
US radio giant Entercom reported a data breach that took place in August 2019 after an unauthorized party was able to access database backup files stored on third-party cloud hosting services and containing Radio.com user credentials.
Entercom's national network is comprised of more than 235 radio stations broadcasting news, sports, and music across the country, and it delivers the Radio.com online live streaming service to over 170 million people each month.
"As one of the country’s two largest radio broadcasters, Entercom offers integrated marketing solutions and delivers the power of local connection on a national scale with coverage of close to 90% of persons 12+ in the top 50 markets," the company says.
Data breach exposes Radio.com users' credentials
Entercom says in a notice of data breach sent to affected customers and filed with California's Office of the Attorney General that the data breach was detected while investigating a cyberattack that took place in September 2019.
"As part of our investigation into that attack, we became aware of unauthorized activity relating to third-party cloud hosting services, which we use to store information relating to Radio.com users," Entercom explains.
"Specifically, our investigation determined that for approximately three (3) hours on August 4, 2019, an unauthorized actor accessed information relating to Radio.com users contained in database backup files."
The company discovered that an unauthorized actor was able to access the protected personal information of an undisclosed number of Radio.com users.
During the investigation conducted with the help of third-party data privacy and computer forensics specialists, Entercom discovered that the attacker was able to gain access to the names, usernames, and passwords of the impacted Radio.com users.
We sincerely regret any inconvenience this incident may cause you. We remain committed to safeguarding the information in our care and will continue to take steps to ensure the security of our systems. - Radio.com Customer Support Team
Following the data breach, the radio giant implemented several measures designed to prevent similar incidents in the future, including but not limited to password rotation, multifactor authentication for cloud services, stronger password policies, and staff data security training.
Entercom also urges users who received the data breach notification letters to change their passwords for Radio.com accounts and for any other accounts where the same password was used.
This suggests that the credentials accessed during the data breach were stored in plain text, something BleepingComputer tried to confirm by reaching out to an Entercom spokesperson but did not hear back at the time of publication.
Previous attacks targeting Entercom
This is the third time in the last year that Entercom was targeted in a security incident. Last September, a cyberattack that had all the signs of a ransomware attack affected all Entercom offices across the country.
At the time, online reports said that the attackers asked for a $500,000 ransom and the attack led to the disruption of telephone and email communication, music scheduling, production, billing, and various other internal digital systems.
In response to a media inquiry, Entercom said that they are "experiencing a disruption of some IT systems, including email." However, an internal memo explaining what was happening to employees also prohibited them from sharing any of the information outside the company.
Just before Christmas Eve, in December 2019, Entercom suffered a second cyberattack that caused Internet connectivity problems, disabling email communication, access to files, and the delivery of content to the radio network's digital platforms.
Telus-Owned Koodo Mobile Announces Data Breach, Stolen Info for Sale
7.3.2020 Bleepingcomputer Incident
Telus-owned Koodo Mobile has suffered a data breach after their systems were hacked and customer data from August and September 2017 was stolen by the attackers.
According to a data breach notification email from Koodo Mobile that was seen by BleepingComputer, their systems were hacked on February 13th, 2020, and an unauthorized person stole customer data from August and September 2017 that contains mobile account numbers and telephone numbers.
"What happened: On February 13, 2020, an unauthorized third party using compromised credentials accessed our systems and copied August/September 2017 data that included your mobility account number and telephone number. It is possible that the information exposed has changed since 2017, in which case your current information is not compromised," the email stated.
This information can be used by scammers to port Koodo Mobile numbers to attackers' devices to receive two-factor authentication codes, which could allow attackers to gain access to email and bank accounts.
To prevent this, Koodo has enabled the 'Port Protection' feature on the affected accounts, which prevents attackers from porting a Koodo Mobile number to another carrier unless the account holder first calls and requests it to be done.
Koodo customer data being sold online
The email goes on to say that Koodo Mobile has found evidence that the stolen customer information is being sold online, but feels its Port Protection feature will protect customers' mobile numbers from being used for fraudulent purposes.
"We have found evidence that the unauthorized third party is offering the information for sale on the dark web. With port protection in place, we do not believe that your information could be used for any fraudulent purposes. Nevertheless, we have reported this incident to Law Enforcement and the Office of the Privacy Commissioner of Canada and we are working closely with them on this matter," the Koodo notification warned.
They then contradict themselves later in the notification by saying that affected users should not use their mobile number for two-factor authentication due to this data breach.
"We also recommend that you not register your mobile telephone number on online accounts. If you have done so, you may want to remove it and use an alternative method to receive One Time Passcodes or 2 Factor Authentication codes," the email continues.
Raveed Laeb of cybersecurity intelligence firm KELA has told BleepingComputer that Koodo accounts are being sold on various dark web sites.
"A different market - one that specializes in automated selling of access to compromised accounts - currently offers over 21,000 Koodo accounts," Laeb told BleepingComputer.
Koodo Accounts for sale
Source: KELA
"As can be seen in the image in the third from the right column, this market also indicates the date in which the account was uploaded. Breaking down accounts scraped from the market by date, we can see an uptick in February," Laeb explained.
Monthly amounts of Koodo accounts sold online
Source: KELA
Unfortunately, with the amount of information leaked by data breaches, it may be too easy for an attacker to find enough information online about a particular customer so that they can bypass the Port Protection feature.
Due to this, it is strongly advised that you use another 2FA method for securing online accounts.
Otherwise, you may run into a similar problem as the one reported by this Koodo customer in the past.
Affected users should also be on the lookout for mobile SMS phishing (smishing) scams that pretend to be Koodo and utilize information obtained from this breach.
Update 3/7/20: Added information about Koodo accounts being sold online.
Virgin Media Data Breach Exposes Info of 900,000 Customers
7.3.2020 Bleepingcomputer Incident
Virgin Media announced today that the personal information of roughly 900,000 of its customers was accessed without permission on at least one occasion because of a misconfigured and unsecured marketing database.
Virgin Media is a leading cable operator in the U.K. and Ireland, and it delivered 14.6 million broadband, video, and fixed-line telephony services to approximately 6.0 million cable customers, as well as mobile services to 3.3 million subscribers as of December 31, 2019, according to the company's preliminary Q4 2019 results.
Database exposed for almost a year
According to an ongoing investigation, Virgin Media discovered on February 28, 2020, that the exposed database was accessible from at least April 19, 2019, and it was recently accessed by an unauthorized party at least once although the company doesn't know "the extent of the access or if any information was actually used."
Lutz Schüler, CEO of Virgin Media, said in a press release that the company "immediately solved the issue by shutting down access to this database, which contained some contact details of approximately 900,000 people, including fixed-line customers representing approximately 15% of that customer base."
"The database did not include any passwords or financial details, such as credit card information or bank account numbers, but did contain limited contact information such as names, home, and email addresses and phone numbers," he added.
We are now contacting those affected to inform them of what happened. We urge people to remain cautious before clicking on an unknown link or giving any details to an unverified or unknown party. - Lutz Schüler, CEO of Virgin Media
Exposed customer information
The database was used to store and manage information on existing and potential Virgin Media customers and it included:
• contact details (such as name, home and email addresses, and phone numbers)
• technical and product information
• customers' dates of birth (in a very small number of cases)
"Please note that this is all of the types of information in the database, but not all of this information may have related to every customer," Virgin Media says.
The company also says that the unsecured database was not used to store customer passwords or financial details, like bank account numbers or credit card information.
Virgin Media advises customers who think that they might have been victims of identity theft to reach out to their bank or credit card company to inform them of any out-of-the-ordinary transactions or applications made in their name without their knowledge.
Customers were also warned over e-mail that they might be targeted by phishing attacks, fraud, or nuisance marketing communications.
Earlier today, T-Mobile also announced a data breach caused by an email vendor that got hacked and exposed the personal and financial info of some of its customers.
T-Mobile Data Breach Exposes Customers' Personal, Financial Info
7.3.2020 Bleepingcomputer Incident
T-Mobile has announced a data breach caused by an email vendor being hacked that exposed the personal and financial information for some of its customers.
In 'Notices of Data Breach' posted to its web site, T-Mobile states that its email vendor was hacked and an unauthorized person was able to gain access to T-Mobile employees' email accounts.
Some of the email accounts that were hacked contained T-Mobile customer information such as social security numbers, financial information, government ID numbers, billing information, and rate plans.
To alert customers of the data breach, yesterday T-Mobile began texting customers affected by the data breach. These texts state that T-Mobile "recently identified and shut down a security event involving some of your account information" and contain a link to a page containing more information.
T-Mobile Data Breach Notification Text
Source: Reddit
These text messages contain a link to one of the two "Notice of Data Breach" pages on T-Mobile's site depending on what data was exposed.
Users who had their financial information exposed are directed to https://www.t-mobile.com/responsibility/consumer-info/pii-notice.
"The personal information accessed could include names and addresses, Social Security numbers, financial account information, and government identification numbers, as well as phone numbers, billing and account information, and rate plans and features."
Those whose financial information was not impacted are directed to https://www.t-mobile.com/responsibility/consumer-info/cpni-notice.
"The information accessed may have included customer names and addresses, phone numbers, account numbers, rate plans and features, and billing information. Your financial information (including credit card information) and Social Security number were not impacted."
Note: in the original article, BleepingComputer bolded parts of the two notices quoted above to illustrate the difference between them.
For customers whose financial information was exposed, T-Mobile is offering a free two-year subscription to the myTrueIdentity online credit monitoring service.
For customers who did not have financial information exposed, T-Mobile is not offering anything.
While the data breach notifications do not indicate that passwords were accessed, I strongly suggest you change your password at t-mobile.com. If your original password is also used at other sites, you should change them there as well to a unique password.
All customers impacted by this data breach should be on the lookout for targeted phishing scams. These phishing scams could pretend to be from T-Mobile or use the accessed information to gain your information at other companies.
It is not known how many T-Mobile customers were affected or when the breach occurred.
BleepingComputer has contacted T-Mobile for more information but has not heard back as of yet.
Prior T-Mobile data breaches
In 2018, T-Mobile customers were affected by a data breach after an unauthorized user hacked into the T-Mobile systems.
During this attack, the attacker was able to gain access to customer names, billing ZIP codes, phone numbers, email addresses, account numbers, and account types (prepaid or postpaid).
T-Mobile suffered another data breach last year that affected its pre-paid customers.
As part of that breach, an attacker gained access to the name and billing address (if provided when establishing an account), phone number, account number, and rate plan and features of pre-paid customers.
Carnival Cruise Line Operator Discloses Potential Data Breach
7.3.2020 Bleepingcomputer Incident
The world's largest cruise ship operator Carnival Corporation & plc announced a potential data breach affecting some of its customers after hackers accessed employee email accounts.
Carnival Corporation is included in both the S&P 500 and the FTSE 100 indices, and it owns nine cruise line brands and a travel tour company.
According to the company's corporate website, "Carnival Corporation employs over 120,000 people worldwide and its 10 cruise line brands attract nearly 11.5 million guests annually, which is about 50 percent of the global cruise market."
"Combining more than 225,000 daily cruise guests and 100,000 shipboard employees, more than 325,000 people are sailing aboard the Carnival Corporation fleet every single day, totaling about 85 million passenger cruise days a year."
Network intrusion leading to email compromise
"In late May 2019, we identified suspicious activity on our network," a notification letter sent to Carnival Corporation customers and filed with the Office of the California Attorney General says.
"Upon identifying this potential security issue, we engaged cybersecurity forensic experts and initiated an investigation to determine what happened, what data was affected, and who was impacted.
"It now appears that between April 11 and July 23, 2019, an unsanctioned third party gained unauthorized access to some employee email accounts that contained personal information regarding our guests."
We take privacy and security of personal information very seriously, and we are offering affected individuals free credit monitoring and identity theft detection services through ID Experts to provide you with MyIDCare. - Carnival Corporation
Carnival Corporation adds that, depending on the guest, the hackers might have accessed "customers' names, addresses, Social Security numbers, government identification numbers, such as passport number or driver's license number, credit card and financial account information, and health-related information."
The letter also says that there currently is no evidence that the impacted customers' personal info was misused after the security incident.
Besides the ongoing investigation regarding this security breach, Carnival Corporation says that it also reported the incident to the relevant law enforcement agencies.
Carnival Corporation's Data Protection Officer Jennifer Garone added that customers who have further questions about the incident can reach out to the company at +1 (833) 719-0091 (U.S. toll-free).
US Drugstore Giant Walgreens Leaked Users' Sensitive Info
7.3.2020 Bleepingcomputer Incident
US drugstore chain giant Walgreens disclosed over the weekend that some of its mobile apps' users have been able to inadvertently access other users' sensitive information because of a bug.
Walgreens is the second-largest pharmacy chain in the US right behind CVS Health, operating 9,277 drugstores and employing 230,000 people within all 50 states.
PII and PHI accidentally leaked
The data leak incident was caused by the unauthorized disclosure of secure messages within the Walgreens mobile app according to a data breach notification email sent by the company to affected customers.
The bug allowed "a small percentage of impacted customers" to view one or more personal messages containing limited health-related info of other app users "between January 9, 2020 and January 15, 2020."
Walgreens said that affected customers might have accidentally gained access and viewed sensitive information of others, including first and last name, prescription numbers and drug names, store numbers, and shipping address where applicable.
The company also said that "no financial information such as Social Security number or bank account information was involved in this incident."
The mobile app bug is now fixed
"On January 15, 2020, Walgreens discovered an error within the Walgreens mobile app personal secure messaging feature," the notification says.
"Our investigation determined that an internal application error allowed certain personal messages from Walgreens that are stored in a database to be viewable by other customers using the Walgreens mobile app.
"Once we learned of the incident, Walgreens promptly took steps to temporarily disable message viewing to prevent further disclosure and then implemented a technical correction that resolved the issue.
"Walgreens will conduct additional testing as appropriate for future changes to verify the change will not impact the privacy of customer data."
While Walgreens didn't mention which mobile app was affected by the bug, at the moment the Walgreens iOS app has been rated by users more than 2,500,000 times in the Apple App Store, while the Android Walgreens app has over 10,000,000 installations.
Walgreens recommends customers monitor their prescription and medical records and shared the steps needed to be taken for protecting one's information at the end of the data breach notice.
49 Million Unique Emails Exposed Due to Mishandled Credentials
24.2.2020 Bleepingcomputer Incident
An Israeli marketing firm exposed 49 million unique email addresses after mishandling the authentication credentials for an Elasticsearch database, which were sitting in plain text on an unprotected web server.
In a vaguely worded notification this week, Straffic, a privately held digital marketing company, said that the incident was the result of a "security vulnerability" affecting one of its servers.
This is not the entire story, though, and this incident shows that huge databases are still at risk even when accessing them requires authentication.
Unexpected vulnerability
Straffic is described as "a private network for connecting elite affiliates with CPA [cost per action] & CPL [cost per lead] offers from trusted advertisers."
In a short message on Wednesday, the company announced that "a security vulnerability has been found on one of the servers we use to provide our services."
The asset was an Elasticsearch database with 140GB of contact details consisting of names, phone numbers, and postal addresses. While it was password protected, it appears that the credentials were not properly stored.
A security researcher using the Twitter handle 0m3n found them in plain text on the webserver. A DevOps engineer with a focus on security, 0m3n decided to check the webserver after receiving a link in a spam message.
0m3n told Jeremy Kirk that they discovered a configuration text file (.ENV) file that pointed to an AWS Elasticsearch instance. The domain is no longer loading.
A .ENV file is typically used to hold configuration when testing an application built on the Laravel PHP web framework. It should not make it into the git repo during synchronization, which is why it is normally added to the ignore list (.gitignore).
Speaking to BleepingComputer, 0m3n said that the developers may have forgotten to add the .gitignore file, so the configuration was synced to the web server.
This would clearly make it a case of "misconfigured webserver" rather than "security vulnerability." 0m3n said that there are multiple free automated checks that could be implemented for automated deployment of webservers that would eliminate such a risk.
In a span of about six months, 0m3n received between 30 and 50 spam texts similar to the one above and checked most of them. However, an .ENV configuration file was not present on any other. This could support the theory that the file was synced by accident.
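A pre-deploy check of the kind 0m3n describes, written here as an added example (not code from the article, Straffic or 0m3n): it verifies that `.env` is covered by `.gitignore` and that no dotenv file sits in the directory the web server will publish, reporting only the names of keys that look like credentials, never their values. The directory layout, file names and values built in `demo()` are constructed.

```python
"""Pre-deploy check for dotenv files leaking into a web root (added example)."""
import fnmatch
import re
import tempfile
from pathlib import Path

# Key names that usually carry credentials; only names are reported, never values.
SECRET_KEY_RE = re.compile(r"(PASS|PASSWORD|SECRET|TOKEN|KEY)$", re.IGNORECASE)
# A URL with userinfo (scheme://user:pw@host) is a credential whatever the key is called.
USERINFO_URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.IGNORECASE)


def gitignore_covers(gitignore_text: str, rel_path: str) -> bool:
    """Return True if rel_path (posix style, relative to the repo root) is ignored.

    Handles the .gitignore subset that matters here: comments, blank lines,
    negation (!pattern), anchored patterns (leading /) and basename patterns
    such as `.env` or `.env*`. As in git, the last matching rule wins.
    """
    ignored = False
    basename = rel_path.rsplit("/", 1)[-1]
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        pattern = line[1:] if negate else line
        if pattern.startswith("/"):
            hit = fnmatch.fnmatch(rel_path, pattern[1:])  # anchored to the repo root
        elif "/" in pattern:
            hit = fnmatch.fnmatch(rel_path, pattern)  # path pattern
        else:
            hit = fnmatch.fnmatch(basename, pattern)  # basename at any depth
        if hit:
            ignored = not negate
    return ignored


def parse_dotenv(text: str) -> dict:
    """Parse KEY=VALUE lines in dotenv style, skipping comments and blank lines."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"').strip("'")
    return values


def find_exposed_env_files(webroot: str) -> list:
    """Report dotenv files under the directory the web server publishes.

    Each finding is (relative path, sorted key names that look like secrets).
    """
    root = Path(webroot)
    findings = []
    for path in root.rglob("*"):
        name = path.name
        is_dotenv = name == ".env" or name.startswith(".env.") or name.endswith(".env")
        if not path.is_file() or not is_dotenv:
            continue
        values = parse_dotenv(path.read_text(errors="replace"))
        secrets = sorted(k for k, v in values.items()
                         if SECRET_KEY_RE.search(k) or USERINFO_URL_RE.match(v))
        findings.append((path.relative_to(root).as_posix(), secrets))
    return sorted(findings)


def audit(repo_root: str, webroot: str) -> dict:
    """Run both checks; a clean deployment has env_ignored=True and an empty exposed list."""
    gitignore = Path(repo_root, ".gitignore")
    text = gitignore.read_text() if gitignore.exists() else ""
    return {"env_ignored": gitignore_covers(text, ".env"),
            "exposed": find_exposed_env_files(webroot)}


def demo() -> dict:
    """Constructed project mirroring the incident: no .gitignore, .env synced into the web root."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp, "repo")
        public = repo / "public"  # the directory the web server would serve
        public.mkdir(parents=True)
        (public / ".env").write_text(  # constructed sample values, not real credentials
            "APP_ENV=production\n"
            "ES_HOST=https://svc:example-password@search.example.invalid\n"
            "ES_PASSWORD=example-password\n"
        )
        return audit(str(repo), str(public))


if __name__ == "__main__":
    print(demo())
```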
Troy Hunt said that 70% of the emails in Straffic's database were already present on Have I Been Pwned, the data breach notification site he created. This means that many of them "didn't come from previous breaches," he says in a reply to Under the Breach on Twitter.
The ratio is pretty normal but yeah, plenty of them didn’t come from previous breaches if that’s what you mean
— Troy Hunt (@troyhunt) February 27, 2020
Straffic says that all their systems are secure at the moment and that they did not find evidence of the data being copied or misused.
"Although we do our very best to protect the security of our service and deeply regret such a vulnerability has been found on our service, it is impossible to create a totally immune system, and these things can occur" - Straffic
Indeed, security incidents can occur even when the best precautions are in effect and are more likely to happen when database credentials float on the internet, especially when they are in plain text.
Hunt, who is very familiar with disclosure notices, points out that Straffic's announcement lacks the basic information that should be available in such a communication. Details about the date of the incident (or at least an estimate), what caused it, how it was addressed, and how impacted parties are being informed are missing.
[Update 02/28/2020]: Article updated with comments and image from 0m3n.
18 Sniffers Steal Payment Card Data from Print Store Customers
24.2.2020 Bleepingcomputer Incident
For the past 30 months, an online printing platform with a cover store for well-known magazines has been constantly infected with malicious scripts that steal customer payment card data.
At least 18 skimmers or sniffers (scripts that copy credit card info at checkout) were identified since August 2017 on the Reprint Mint photo store, which prints covers of ESPN sports magazine and of the American military publication Stars and Stripes.
MageCart sniffer overload
On some occasions, more than one skimmer was active at the same time, indicating that multiple attackers had compromised the site and were receiving the pilfered card info.
Sanguine Security, a company specializing in online store fraud protection, says that the first skimmer they noticed on Reprint Mint ran for a year and a half without drawing attention.
Things changed on February 1, 2019, when it was replaced by a different script, which sent the data to a file associated with the Inter sniffing kit, available on underground markets for $950.
The collecting file was moved to various domains, most likely compromised for this purpose.
On August 1, 2019, a third skimmer with different code and a different exfiltration domain stepped in and replaced the competition.
By December, Sanguine researchers had seen six different scripts specifically designed to intercept payment card data. Most of the time, only one of them was active, except for the last two, which seemed to coexist.
New sniffers were planted starting January 23, 2020, with number five being a constant, regardless of the rivals swooping in. Sanguine Security informs that it was still present on Wednesday, despite multiple attempts to reach out to the printing platform. BleepingComputer could confirm that the two scripts are active at the moment of writing.
Few crooks were caught
While Reprint Mint is a small shop, it shows that any eCommerce site can be a battlefield for MageCart operators. Card-stealing malware will make its way onto any site with security gaps that can be exploited, no matter the amount of card data that can be exfiltrated. The information is then sold on underground forums.
Skimmer operators are extremely active, compromising hundreds of thousands of websites. One such threat actor alone managed to infect more than 40 web stores since October 2019. Over a dozen groups play this game.
So far, authorities have caught only three MageCart hackers, part of a larger group that infected at least 571 stores since 2017. They collected about 1,000 cards and user account logins every week and either sold them on underground forums or used them to buy goods.
Slickwraps Data Breach Exposes Financial and Customer Info
24.2.2020 Bleepingcomputer Incident
Slickwraps has suffered a data breach after a security researcher was able to access their systems and, after receiving no response to emails, publicly disclosed how they gained access to the site and what data was exposed.
Slickwraps is a mobile device case retailer that sells a large assortment of premade cases and custom cases made from images uploaded by customers.
In a post to Medium, a security researcher named Lynx states that in January 2020 he was able to gain full access to the Slickwraps web site using a path traversal vulnerability in an upload script used for case customizations.
Using this access, Lynx stated that they were able to reach employee resumes, 9GB of personal customer photos, the ZenDesk ticketing system, API credentials, and personal customer information such as hashed passwords, addresses, email addresses, phone numbers, and transactions.
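As an added illustration, not code from Lynx's post or from Slickwraps (whose upload script is not public), the snippet below shows the bug class described above in a hypothetical customization-upload handler: a naive join of a client-supplied file name onto the upload directory, next to a version that rejects traversal and re-checks the resolved path. The upload root and the file names are assumptions chosen for the example.

```python
import os
import re

# Added example, not Slickwraps' code: the upload directory and the file names
# used below are assumptions chosen to show the bug class, not the site's layout.
UPLOAD_ROOT = "/var/www/uploads"

# Plain file names only: must start with an alphanumeric (so no ".htaccess" and
# no ".."), then up to 99 more characters from a small whitelist, no separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


def vulnerable_save_path(upload_root: str, user_filename: str) -> str:
    """The bug: the client-controlled name is joined onto the upload directory
    as-is, so "../../../etc/passwd" walks out of it. os.path.join neither
    normalises nor validates anything."""
    return os.path.join(upload_root, user_filename)


def is_safe_upload_name(user_filename: str) -> bool:
    """Whitelist check on the already URL-decoded name. Both slash styles and
    NUL are rejected outright rather than stripped, so "..\\..\\" style or
    mixed variants never reach the filesystem."""
    if "/" in user_filename or "\\" in user_filename or "\0" in user_filename:
        return False
    return SAFE_NAME.fullmatch(user_filename) is not None


def safe_save_path(upload_root: str, user_filename: str) -> str:
    """Hardened version: validate the name, then confirm the resolved path is
    still inside the upload root (defence in depth against a symlink inside
    the upload directory or a future bug in the filter)."""
    if not is_safe_upload_name(user_filename):
        raise ValueError("rejected file name: %r" % user_filename)
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, user_filename))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes upload root")
    return candidate


def escapes_root(upload_root: str, path: str) -> bool:
    """True if `path` resolves to a location outside `upload_root`."""
    root = os.path.realpath(upload_root)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


if __name__ == "__main__":
    payload = "../../../etc/passwd"
    vulnerable = vulnerable_save_path(UPLOAD_ROOT, payload)
    print("vulnerable join:", vulnerable, "escapes root:", escapes_root(UPLOAD_ROOT, vulnerable))
    for name in (payload, "..\\..\\web.config", ".htaccess", "case_front-v2.png"):
        try:
            print("accepted:", safe_save_path(UPLOAD_ROOT, name))
        except ValueError as exc:
            print("rejected:", exc)
```

The name check runs after the web framework has URL-decoded the parameter; rejecting rather than sanitising means an encoded `%2e%2e%2f` payload is refused just like the literal one, and the realpath comparison catches anything the filter might miss.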
Screenshot of Slickwraps payment gateway
After trying to report the issues to Slickwraps, Lynx stated they were blocked multiple times, even after saying that they did not want a bounty but rather for Slickwraps to disclose the data breach.
"They had no interest in accepting security advice from me. They simply blocked and ignored me," Lynx stated in the Medium post. This post has since been taken down by Medium, but is still available via archive.org.
Since posting his Medium post, Lynx told BleepingComputer that another unauthorized user sent an email to 377,428 customers using Slickwraps' ZenDesk help desk system.
These emails begin with "If you're reading this it's too late, we have your data" and then link to Lynx's Medium post.
Some of these customers have posted images of the email to Twitter, as seen below.
Email to SlickWrap customers
When BleepingComputer asked Lynx if he knew who was sending out the emails, he told us that it was not them, but they had seen traces of other unauthorized users in Slickwraps' web site as well.
"I saw some activity during my research, maybe they're the same people who sent out the emails? No clue to be honest," Lynx told BleepingComputer.
When we asked why they continued to look for more vulnerabilities instead of simply contacting Slickwraps when they first gained access we were told:
"As a white hat, we want to see how far we can go so we can generate a full report. No point in doing research and reporting the first vulnerability when there's still 10 others."
While Lynx told BleepingComputer that they were always concerned about legal repercussions after performing penetration testing, they felt that due to the severity of the data breach, it needed to be publicly disclosed.
"Companies know that I never intend to harm them and sometimes even offer bounties. This one was different in that sense that they blocked me and did not care about their customers at all. Since this is a major breach, and I exhausted all my other options to contact them, I felt the need to disclose this publicly, in hopes that they fix this asap."
Even with the breach disclosed in the Medium post and technical details having been posted, Lynx told us that the vulnerabilities still exist in the web site and that they still have access.
For those who have used Slickwraps in the past, Lynx has passed along the customer info to Troy Hunt of the Have I Been Pwned data breach notification service.
It is not known if Hunt will add this database to his system, but if he does, customers will be able to check if their email addresses are included in the database provided by Lynx.
For now, it is strongly suggested that all users change their password at Slickwraps and to use a unique password at all web sites that they visit.
Slickwraps releases statement
In a statement posted to their Twitter account, Slickwraps CEO Jonathan Endicott has apologized for the data breach and promises to do better in the future.
Slickwraps Users,
There is nothing we value higher than trust from our users. In fact, our entire business model is dependent on building long-term trust with customers that keep coming back.
We are reaching out to you because we've made a mistake in violation of that trust. On February 21st, we discovered information in some of our production databases was mistakenly made public via an exploit. During this time, the databases were accessed by an unauthorized party.
The information did not contain passwords or personal financial data.
The information did contain names, user emails, addresses. If you ever checked out as "GUEST" none of your information was compromised.
If you were a user with us before we secured this information on February 21st, we regretfully write this email as a notification that some of your information was included in these databases.
Upon finding out about the public user data, we took immediate action to secure it by closing any database in question.
As an additional security measure, we recommend that you reset your Slickwraps account password. Again, no passwords were compromised, but we recommend this as a standard safety measure. Finally, please be watchful for any phishing attempts.
We are deeply sorry for this oversight. We promise to learn from this mistake and will make improvements going forward. This will include enhancing our security processes, improving communication of security guidelines to all Slickwraps employees, and making more of our user-requested security features our top priority in the coming months. We are also partnering with a third-party cyber security firm to audit and improve our security protocols.
More details will follow and we appreciate your patience during this process.
Sincerely,
Jonathan Endicott
CEO @ Slickwraps
In the statement, though, Endicott says they first learned about this today, February 21st, while Lynx stated and showed screenshots of attempts to contact both Endicott via email and Slickwraps on Twitter prior to today.
Email to Endicott disclosing breach
BleepingComputer has once again reached out to Slickwraps for further information.
Update 2/21/20 2:56PM EST: Added statement from Slickwraps
Hackers Share Stolen MGM Resorts Guest Database with 10M+ Records
23.2.2020 Bleepingcomputer Incindent
An archive with over 10 million records of guests at the MGM Resorts hotels is currently distributed for free on a hacking forum.
The data comes from a security breach in July 2019 on one of MGM's cloud services. In total, there are 10,683,189 records with about 3.1 million unique email addresses, going back as far as 2017.
Some data still valid
Among the details compromised are guests' names, dates of birth, email addresses, phone numbers, and physical addresses complete with postal codes.
The post sharing the information was spotted by a researcher at Under the Breach, a company that monitors the cybercrime space and is currently working on releasing a new service to provide companies with intelligence about potential breaches.
Not all the information in the files is still valid. ZDNet was able to confirm that in some cases the phone numbers were disconnected; other times, the publication received confirmation from the person answering the phone that the details were real.
MGM acknowledged that the data dump resulted from a security incident in 2019. Although we could not find a notification to affected individuals, some members of the Vegas Message Board forum that stayed at MGM Resorts were alerted last summer that their personal data had emerged on the dark web.
"I was at an MGM property in July. My credit card company and an independent credit monitoring service both notified me 19 August that my email was on the dark web and passwords for two sites were compromised" - Vegas Message Board forum member
Risk of fraud
According to Under the Breach, ZDNet reports, the database contains details of high-profile guests, such as Twitter CEO Jack Dorsey, pop star Justin Bieber, and officials from the U.S. Department of Homeland Security and the Transportation Security Administration.
The immediate risk of having personal details publicly exposed is receiving targeted phishing messages that could help cybercriminals in their fraudulent activities.
The details can also be used to create new accounts in the name of the victim or for synthetic identity fraud, where the cybercriminal needs only some of the information to be valid in order to apply for some service.
Plastic Surgery Patient Photos, Info Exposed by Leaky Database
16.2.2020 Bleepingcomputer Incindent
Hundreds of thousands of documents with plastic surgery patients' personal information and highly sensitive photos were exposed online by an improperly secured Amazon Web Services (AWS) S3 bucket.
NextMotion is a French plastic surgery tech firm that provides imaging and patient management services that help 170 plastic surgery clinics from 35 countries document, digitize and market their practices.
The company promises to solve its clients' "before & after imaging issues, reassure your patients, simplify your data management and improve your e-reputation."
"Nextmotion is an ecosystem based on a medical cloud which allows you to sort, store and access your data wherever you are," the company's site says.
"In that sense, all your data is covered with the highest requested security level as it is hosted in France on servers authorized by the Haute Autorité de Santé (French Health Authority) - in our case, AWS who is certified."
Graphic photos of patients exposed
The bucket was used by NextMotion to store roughly 900,000 files with highly sensitive patient images and videos, as well as plastic surgery, dermatological treatment, and consultation documents.
After taking a closer look at the open S3 bucket, discovered on January 24 in collaboration with vpnMentor, security researchers Noam Rotem and Ran Locar found outlines and invoices for cosmetic treatments, videos of 360-degree body and face scans, and patient photos that, in some cases, were graphic snapshots of genitals, breasts, and more.
All these files were uploaded to the unsecured bucket by NextMotion clients using the company's medical imaging solution.
While there is no way to know the exact number of patients that had their information exposed, the hundreds of thousands of files found in the S3 bucket hint at thousands of patients having their sensitive data exposed.
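An added example, not NextMotion's or vpnMentor's code, of the check a practitioner would run on a bucket like the one described: it inspects a bucket policy and a bucket ACL in the shape returned by `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` for grants to everyone, lists which S3 Block Public Access settings are missing, and shows a corrected policy beside the weak one. The bucket name, account ID, role ARN and all policies and ACLs are constructed for the example.

```python
import json

# Added example, not NextMotion's configuration: the bucket name, account ID and
# role ARN below are constructed for illustration.

# Grantee groups that legacy S3 ACLs use for "everyone" and "any AWS account".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Weak setting: anyone on the internet may list the bucket and fetch any object.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicReadAndList",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-imaging-uploads",
                 "arn:aws:s3:::example-imaging-uploads/*"]
  }]
}""")

# Corrected setting: only the application's IAM role may read or write objects.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppRoleOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/imaging-app"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-imaging-uploads/*"
  }]
}""")

# Constructed ACLs in the shape of `aws s3api get-bucket-acl` output.
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
FIXED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten the Principal element: "*" or {"AWS": [...], "Service": [...]}."""
    if isinstance(principal, dict):
        out = []
        for value in principal.values():
            out.extend(_as_list(value))
        return out
    return _as_list(principal)


def public_policy_statements(policy: dict) -> list:
    """Return (Sid, actions, verdict) for every Allow statement whose principal is
    everyone. A statement carrying a Condition is reported as "conditional": it may
    be safely scoped (e.g. to a VPC endpoint), but a person has to confirm that."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        verdict = "conditional" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", ""), _as_list(stmt.get("Action", [])), verdict))
    return findings


def public_acl_grants(acl: dict) -> list:
    """Return (group URI, permission) for ACL grants to AllUsers or AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            hits.append((grantee["URI"], grant.get("Permission")))
    return hits


def public_access_block_gaps(config: dict) -> list:
    """Names of the four S3 Block Public Access settings that are not enabled
    (config in the shape of `aws s3api get-public-access-block` output)."""
    wanted = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return [key for key in wanted if not config.get(key, False)]


if __name__ == "__main__":
    for label, policy, acl in (("weak", WEAK_POLICY, WEAK_ACL), ("fixed", FIXED_POLICY, FIXED_ACL)):
        print(label, "policy findings:", public_policy_statements(policy))
        print(label, "acl findings:", public_acl_grants(acl))
    print("block-public-access gaps:", public_access_block_gaps({"BlockPublicAcls": True}))
```

Both checks matter: a bucket can be exposed by an ACL alone even when its policy looks fine, which is why enabling all four Block Public Access settings at the bucket (or account) level is the durable fix rather than editing individual grants.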
Plastic surgery patient photos (Noam Rotem and Ran Locar)
PII data also exposed
NextMotion's CEO said in a press release that the patient data stored in the leaky database "had been de-identified - identifiers, birth dates, notes, etc. - and thus was not exposed."
However, "the exposed paperwork and invoices also contained Personally Identifiable Information (PII) data of patients," as the two researchers explained.
"This type of data can be used to target people in a wide range of scams, fraud, and online attacks," their report also added.
"We immediately took corrective steps and this same company formally guaranteed that the security flaw had completely disappeared," NextMotion says.
"This incident only reinforced our ongoing concern to protect your data and your patients’ data when you use the Nextmotion application."
As a reminder, all your data is stored in France, in a secure HDS (personal data hosting) compliant medical cloud. Our application and our data management practice were audited in 2018 by a GDPR (General Data Protection Regulation) specialized law firm, in order to ensure our compliance with the data regulation which came into effect in 2019. - CEO of NextMotion
Previous incidents impacting plastic surgery patients
This is not the first time the sensitive personal information of plastic surgery patients might have landed in the wrong hands following a security incident.
In 2017, the London Bridge Plastic Surgery clinic issued a data breach statement saying that The Dark Overlord (TDO) hacking group was able to steal patient information and highly sensitive photos.
The AZ Plastic Surgery Center notified 5,524 patients in February 2019 that some of their protected health information (PHI) may have been accessed by TDO.
Later last year, in early November 2019, The Center for Facial Restoration reported to the U.S. Department of Health and Human Services that the PII of up to 3,600 patients may have been stolen in a hacking incident.
Microsoft’s Surface Duo Spotted in the Wild, Video Leaked
9.2.2020 Bleepingcomputer Incindent
Microsoft said its dual-screen Android phone, the Surface Duo, won't be coming until Holiday 2020, but it looks like the phone could launch sooner than expected, as Microsoft is now seeding prototypes to more employees in the US and Canada.
Twitter user Israel Rodriguez recently posted a video of a Microsoft employee using the Surface Duo in Vancouver’s public transit system. In the video, the Surface Duo can be seen running a customized version of Android with Microsoft Launcher.
The leak also suggests that the device might come with a front-facing flash, which confirms the rumors that Microsoft won't put a dedicated camera on the back of the device.
In the video, the Surface Duo's software still appears to be buggy, and the employee had to tap and swipe multiple times to open apps and settings and to switch between windows. Aside from the details on the camera and software, the other features of the Surface Duo are still not known.
In an interview, Microsoft Surface chief Panos Panay had confirmed that both the Surface Duo and Surface Neo would feature "a good camera", but the devices may not support 5G at launch.
Misconfigured Docker Registries Expose Orgs to Critical Risks
9.2.2020 Bleepingcomputer Incindent
Some organizations have improperly configured Docker registries exposed to the public web, leaving a door open for attackers to infiltrate and compromise operations.
Entities running this risk include research institutes, retailers, news media organizations, and technology companies, security researchers found after checking Docker servers on the internet.
Open access to images
In a Docker environment, applications are packaged as container images that bundle all the code and dependencies the programs need to run, independent of what is installed on the host.
Users pull these images from repositories hosted on a Docker server called a registry and can keep multiple versions of them, differentiated by tags. They can download and run images locally, upload custom versions, or delete them (pull, push, delete), these being the main operations supported by a Docker registry.
Searching for Docker registries accessible over the public web, security researchers at Palo Alto Networks found that 117 lacked authentication controls that would prevent unauthorized access.
"Although setting up a Docker registry server is straightforward, securing the communication and enforcing the access control requires extra configurations. System administrators may unintentionally expose a registry service to the internet without enforcing proper access control" - Palo Alto Networks
The researchers used Shodan and Censys search engines to find registries that did not require authentication and accepted the three primary operations mentioned above.
Test routine
To make sure that the test routine did not make any change on the remote server, they used non-existent image names and interpreted the response.
Of the 117 unprotected servers, 80 allowed downloading an image, 92 permitted unauthorized upload, and seven allowed anyone to delete images. In total, these unsecured Docker registries hosted 2,956 repositories and 15,887 tags.
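The probe below is an added example, not Palo Alto Networks' tooling. It reproduces the idea of their test routine: ask a Docker Registry v2 API about an image name that cannot exist, so the status code reveals what an anonymous client may do without changing anything on the server. The status-code meanings follow the public Docker Registry HTTP API V2 specification; the repository name, the digest and the sample responses are constructed for the example.

```python
import urllib.error
import urllib.request

# Added example, not Palo Alto Networks' code. The repository name and digest are
# hypothetical: they exist on no registry, so every probe is a no-op server-side.
PROBE_REPO = "probe-nonexistent/no-such-image"
FAKE_DIGEST = "sha256:" + "0" * 64


def classify_catalog(status: int) -> str:
    """GET /v2/_catalog: a 200 lists every repository name on the server."""
    return {200: "open", 401: "auth-required"}.get(status, "unknown(%d)" % status)


def classify_pull(status: int) -> str:
    """GET /v2/<name>/manifests/latest for a non-existent image: a 404 means the
    registry evaluated the request, i.e. anonymous pull is allowed; a 401 means it
    demanded credentials first (the response carries a WWW-Authenticate challenge)."""
    return {404: "open", 401: "auth-required"}.get(status, "unknown(%d)" % status)


def classify_push(status: int) -> str:
    """POST /v2/<name>/blobs/uploads/ opens an upload session: 202 Accepted means
    anonymous push is allowed (probe() cancels the empty session it opened)."""
    return {202: "open", 401: "auth-required"}.get(status, "unknown(%d)" % status)


def classify_delete(status: int) -> str:
    """DELETE /v2/<name>/manifests/<bogus digest>: 404 means deletion is enabled and
    the request was allowed; 405 means the registry has deletion disabled."""
    return {404: "open", 405: "disabled", 401: "auth-required"}.get(status, "unknown(%d)" % status)


def summarize(statuses: dict) -> dict:
    """Map {operation: HTTP status} to {operation: verdict}."""
    classifiers = {"catalog": classify_catalog, "pull": classify_pull,
                   "push": classify_push, "delete": classify_delete}
    return {op: classifiers[op](code) for op, code in statuses.items()}


def _request(method: str, url: str):
    """Return (status, headers) without raising on 4xx/5xx responses."""
    data = b"" if method == "POST" else None
    req = urllib.request.Request(url, data=data, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as err:
        return err.code, err.headers


def probe(base_url: str) -> dict:
    """Live probe of a registry you are authorised to test, e.g. http://registry.example:5000."""
    base = base_url.rstrip("/")
    statuses = {}
    statuses["catalog"] = _request("GET", f"{base}/v2/_catalog")[0]
    statuses["pull"] = _request("GET", f"{base}/v2/{PROBE_REPO}/manifests/latest")[0]
    status, headers = _request("POST", f"{base}/v2/{PROBE_REPO}/blobs/uploads/")
    statuses["push"] = status
    location = headers.get("Location") if status == 202 else None
    if location:
        # Cancel the upload session we just opened so the probe leaves nothing behind.
        _request("DELETE", location if location.startswith("http") else base + location)
    statuses["delete"] = _request("DELETE", f"{base}/v2/{PROBE_REPO}/manifests/{FAKE_DIGEST}")[0]
    return summarize(statuses)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        # Constructed responses standing in for an exposed registry and a locked-down one.
        print("exposed:", summarize({"catalog": 200, "pull": 404, "push": 202, "delete": 404}))
        print("secured:", summarize({"catalog": 401, "pull": 401, "push": 401, "delete": 401}))
```

Run it only against registries you own or are authorised to test. A registry that answers "auth-required" on all four operations is what the open-source registry produces once an `auth` section (for example `htpasswd`) is configured; "disabled" for delete corresponds to leaving `storage.delete.enabled` off, which is its default.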
Sample of repositories and tags on exposed Docker registry
Based on reverse DNS lookups and the Common Name (CN) field of the TLS certificates, the researchers were able to determine the owner of the vulnerable servers in 25% of the cases.
They belonged to entities in a variety of domains, from research and retail to news and media organizations and businesses in the technology sector.
Attackers can profit from the misconfiguration and use the three permitted operations to replace original images with backdoored versions, host malware, or disrupt business operations by deleting images or holding them for ransom. Any client pulling a tampered image could immediately get infected this way.
Palo Alto Networks recommends adding a firewall rule so the registry cannot be reached from the public internet and requiring authentication on every API request (an unauthenticated client should get a 401 response carrying a WWW-Authenticate challenge) as forms of access control.
Japanese Defense Contractors Kobe Steel, Pasco Disclose Breaches
9.2.2020 Bleepingcomputer BigBrothers Incindent
Japanese defense contractors Pasco Corporation (Pasco) and Kobe Steel (Kobelco) today disclosed security breaches that happened in May 2018 and in June 2015/August 2016, respectively.
The geospatial provider and the major steel manufacturer also confirmed unauthorized access to their internal network during the two incidents, as well as malware infections affecting their computing systems following the attacks.
No damage such as information leakage has been discovered so far in the subsequent investigations, per the official statement issued today by Pasco.
However, while Kobelco's official statement doesn't mention it, Nikkei reports that 250 files with data related to the Ministry of Defense and personal info were compromised after the company's servers were hacked.
It is also possible that the threat actors behind the attacks might have targeted the companies' defense information, but the data that might have been leaked did not include defense secrets.
Kobe Steel is a known supplier of submarine parts for the Japan Self-Defense Forces (SDF), while Pasco is a provider of satellite data.
Two of four hacked Japanese defense contractors
The two companies are the last of the four defense-related firms that were hacked between 2016 and 2019, as Japanese Defense Minister Taro Kono said during a press conference on January 31.
Kono also stated that no hints are pointing at the attacks being related to each other and that the Japanese Ministry of Defense coordinated the disclosures because "it should be publicly disclosed. It is necessary to get the world to know and think about defenses."
The other two defense contractors that were infiltrated by attackers are Mitsubishi Electric and NEC. Both of them confirmed that their systems were breached in statements published on January 20 and January 30, respectively.
Mitsubishi Electric disclosed that the security breach might have caused the leak of personal and confidential corporate info, with about 200 MB worth of documents being exposed during the attack that took place on June 28, 2019.
The eight-month delay in disclosing the incident was attributed by Mitsubishi Electric to the complexity of the investigation, caused by activity logs being deleted after the attack.
NEC said that servers belonging to its defense business unit were accessed without authorization in December 2016 by third parties, but "no damage such as information leakage has been confirmed so far." 27,445 files were accessed illegally during the incident according to an NEC statement to BleepingComputer.
Chinese hackers suspected in at least two of the attacks
"According to people involved, Chinese hackers Tick may have been involved," Nikkei reported after Mitsubishi Electric disclosed the breach.
"According to the company, at least tens of PCs and servers in Japan and overseas have been found to have been compromised."
"The hijacked account was used to gain infiltration into the company's internal network, and continued to gain unauthorized access to middle-managed PCs who had extensive access to sensitive information," an Asahi Shimbun report added.
A Pasco official was also quoted as saying that the attackers behind the May 2018 security breach might be linked to China per a Kyodo News report from today.
Tick (also tracked as Bronze Butler and REDBALDKNIGHT) is a state-backed hacking group with Chinese ties, focused on cyberespionage and information theft.
The group is known for primarily targeting Japanese organizations from several sectors including but not limited to manufacturing, critical infrastructure, international relations, and heavy industry.
Their end goal is to steal confidential intellectual property and corporate info after breaching enterprise servers via spearphishing attacks and exploiting various zero-day vulnerabilities — including one affecting Trend Micro's OfficeScan in the case of Mitsubishi Electric as reported by ZDNet.
According to research, Tick also usually wipes all evidence from hacked servers as part of an effort to delay investigations after their operations are eventually discovered.
Medicaid CCO Vendor Breach Exposes Health, Personal Info of 654K
9.2.2020 Bleepingcomputer Incindent
Medicaid coordinated care organization (CCO) Health Share of Oregon today disclosed a data breach exposing the health and personal info of 654,362 individuals following the theft of a laptop owned by its transportation vendor GridWorks IC.
The non-profit organization is Oregon's largest Medicaid CCO and it serves the Oregon Health Plan (Medicaid) members in Clackamas, Multnomah, and Washington counties.
"On January 2, 2020, Health Share of Oregon learned that the personal information of its members was located on a laptop stolen from GridWorks IC, Health Share's contracted non-emergent medical transportation (Ride to Care) vendor," says the CCO in a statement issued today.
"The break-in and theft occurred at GridWorks' office on November 18, 2019."
Data breach exposes personal and health information
The stolen laptop includes several types of member information including members' names, addresses, phone numbers, dates of birth, Social Security numbers, and Medicaid ID numbers.
According to Health Share's statement, the personal health histories of its members were not exposed as part of this incident.
Health Share is sending letters to all the members who had their information stored on the stolen device, with the letter to include an offer of 1 year of free identity monitoring services including credit monitoring, fraud consultation, and identity theft restoration.
Though the theft took place at an external vendor, we take our members’ privacy and security very seriously. Therefore, we are ensuring that members, partners, regulators, and the community are made fully aware of this issue. — Health Share of Oregon
In direct response to this vendor data breach, Health Share will expand contractor annual audits, as well as enhance training policies and make sure that patient information transmitted to partners and members is kept to the bare minimum required.
"We are committed to providing the highest quality service to our members, which includes protecting their personal information," interim CEO and Chief Medical Officer Maggie Bennington-Davis said.
Financial statements and credit reports monitoring advised
While Health Share doesn't know if the thief found its members’ information on the stolen laptop, it urges all affected members that will receive a breach notification letter to take advantage of the free one year of identity monitoring services.
Health Share also set up a dedicated, toll-free call center at 1-800-491-3163, available between Monday and Friday, 8:00 am to 5:30 pm for questions and concerns.
The CCO also reminds potentially impacted members that they can also put a 'security freeze' on their credit file for free to "stop any credit, loans, or other services from being approved in your name without your approval."
In case their info has been misused, Health Share members are also advised to file a complaint with the Federal Trade Commission, as well as a police report in case of identity theft or fraud.
NEC Defense Contracts Info Potentially Compromised in Breach
2.2.2020 Bleepingcomputer Incindent
Update: NEC confirmed the security breach of its defense business division in an official statement, click here for more details.
The Japanese NEC electronics giant was the target of a cyberattack that resulted in unauthorized access to its internal network on Thursday according to information leaked to Japanese newspapers by sources close to the matter.
The electronics and information technology giant is a major contractor for Japan's defense industry, engaged in various defense equipment projects with the Japan Self-Defense Forces (JSDF, or Jieitai), including but not limited to 3D radar and broadband multipurpose radio systems, and may have leaked information related to them.
While NEC has not yet released an official statement regarding this incident, roughly 28,000 files were reportedly found by the company on one of the compromised servers, some of them containing defense equipment info such as details of submarine sensors.
NEC said that it has routinely discovered attempts to gain unauthorized access to its internal network, but also explained that there is no evidence that info has been leaked or has been damaged so far.
NEC's Public Relations Office also told NHK, the Asahi Shimbun, and Kyodo News that an information leak cannot be ruled out, given that there is no evidence either way.
"We have not confirmed any damage such as information leaks so far. However, it cannot be said that it has not leaked," NEC said.
However, according to Nikkei, the Japanese Ministry of Defense said that the exposed files contained "information on contracts with NEC, not defense secrets, and there is no impact on Japan's defense system."
BleepingComputer has reached out to NEC for more details regarding the incident but had not heard back at the time of this publication.
Mitsubishi Electric also breached
The reports come 10 days after the security breach disclosed by Mitsubishi Electric on January 20, which might also have led to a leak of personal and confidential corporate information.
"On June 28, last year, a suspicious behavior was detected and investigated on a terminal in our company, and as a result of unauthorized access by a third party, data was transmitted to the outside," Mitsubishi Electric said.
The breach started after Chinese affiliates were compromised and it then spread to the company's internal network per an Asahi Shimbun report that prompted Mitsubishi Electric's disclosure.
"The hijacked account was used to gain infiltration into the company's internal network, and continued to gain unauthorized access to middle-managed PCs who had extensive access to sensitive information," the report says.
Chinese hackers suspected as Mitsubishi attack operators
"According to people involved, Chinese hackers Tick may have been involved," Nikkei said at the time. "According to the company, at least tens of PCs and servers in Japan and overseas have been found to have been compromised."
Tick (also known as Bronze Butler and REDBALDKNIGHT) is a cyber-espionage group known for primarily targeting Japanese entities from various sectors ranging from international relations and manufacturing to critical infrastructure and heavy industry organizations.
The group's main goal is to siphon confidential corporate info and intellectual property after compromising enterprise servers by exploiting various zero-day vulnerabilities and launching spearphishing attacks.
Tick also commonly wipes all evidence from compromised computers to hinder investigations after their operations are discovered.
Update January 30, 19:20 EST: NEC confirmed the security breach of its defense business division in a press release issued today, "27,445 files were found to have been accessed illegally" in July 2018 (h/t piyokango):
NEC has confirmed that some of the internal servers used by the Company's defense business unit have been subject to unauthorized access by third parties. As a result of investigations conducted by the Company and external specialized organizations, no damage such as information leakage has been confirmed so far.
The NEC Group has implemented measures such as the introduction of an unknown malware detection system, but was unable to detect the initial penetration of attacks launched after December 2016 and the early spread of internal infections.
In June 2017, after checking for the occurrence of the communication patterns described in a security company's threat report, it was confirmed that unauthorized communication was being performed from internal PCs; the infected PCs were isolated and investigated, and the unauthorized communication destinations were detected and blocked. In July 2018, we succeeded in decrypting the encrypted communication between an infected server and an external server that was performing unauthorized communication, and found that 27,445 files stored on an internal server used by our defense business division for information sharing with other departments had been accessed illegally.
As a result of investigation by the Company and external specialized organizations, no damage such as information leakage has been confirmed so far. These files do not contain confidential information or personal information. In addition, since July 2018, the situation has been individually explained to customers related to files that have been accessed illegally.