Incindent Articles - H 2020 1 2 3 4 5 6 7 8 9 10 Incindent List - H 2021 2020 2019 2018 1 Incident blog Incident blog
46M accounts were impacted in the data breach of children’s online playground Animal Jam
13.11.20 Incindent Securityaffairs
The popular children’s online playground Animal Jam has suffered a data breach that affected more than 46 million accounts.
Animal Jam is a safe, award-winning online playground for kids created by WildWorks.
Kids aging 7 through 11 can play games, personalize their favorite animal, learn fun facts, and so much more. Animal Jam currently has over 130 million registered players and 3.3 million monthly active users.
Animal Jam has suffered a data breach impacting 46 million accounts belonging to children and parents who signed up for the game.
This week a threat actor published two databases, titled ‘game_accounts’ and ‘users’, belonging to the popular gaming portal for free on a hacker forum. The huge trove of data was obtained by the black hat hacker ShinyHunters, which is known for several data leaks.
The threat actor did not share the complete databases, it only leaked a dump containing 7 million user records. The exposed data includes the email addresses of the parents managing the player accounts and other info.
According to Bleeping Computer, which analyzed the sample records, the database was stolen around October 12th, 2020 based on the timestamps in the dump.
WildWorks immediately launched an investigation into the security breach, company, it appears that threat actors compromised the server of a third-party vendor WildWorks uses for intra-company communication. The attackers obtained a key that enabled them to access this database.
“WildWorks has learned that a database containing some Animal Jam user data was stolen in connection with a recent attack on the server of a vendor WildWorks uses for intra-company communication. A subset of the stolen records include the email addresses of the parents managing the player accounts and other data that could be used to identify the parents of Animal Jam players.” reads the data breach notification published by the company.
The information exposed in the data breach includes:
Email addresses used to create approximately 7 million Animal Jam and Animal Jam Classic parent accounts
Approximately 32 million player usernames associated with these parent accounts
Passwords associated with those user accounts, but in encrypted form
14.8M records include the birth year the player entered at account creation
23.9M records include the gender the player entered at account creation
5.7M accounts include the full birthday the player entered at account registration
12,653 of the parent accounts include a parent’s full name and billing address (but no other billing info)
16,131 of the parent accounts include a parent’s first and last name, without a billing address
The company is going to notify impacted users, it pointed out that all user databases have now been secured against similar attacks.
WildWorks is recommending owners of Animal Jam accounts to immediately change their password.
“The passwords released in this breach were encrypted and unreadable by normal means. However, if your account was secured with a weak password to begin with (for example, a very short password, or one using dictionary words), it would be possible for knowledgable hackers to break the encryption and expose your password as plain text.” concludes the company. “As a precaution, we are forcing ALL players to change their passwords immediately to ensure the security of their accounts.”
Prestige reservation platform exposes millions of hotel guests
11.11.20 Incindent Securityaffairs
Millions of hotel guests worldwide were impacted by a data leak caused by a misconfigured S3 bucket used by Prestige Software’s Cloud Hospitality.
Researchers at Website Planet discovered a misconfigured S3 bucket used by the Prestige Software’s Cloud Hospitality that exposed millions of hotel guests worldwide.
The reservation system Prestige Software’s “Cloud Hospitality” allows operators at hotels to integrate their reservation systems with online booking websites like Booking.com.
The unsecured cloud repository used by the hotel reservation platform has exposed 10 million files (24.4 GB worth of data) related to guests at various hotels around the world.
Exposed data, some of which go back to 2013, include sensitive information and credit card details.
In some cases, each record contained data for multiple hotel guests that were part of a single reservation.
“Courtesy of our security team at Website Planet, we can reveal that a hotel reservation platform has been exposing highly sensitive data from millions of hotel guests worldwide, dating as far back as 2013 and including credit card details for 100,000s of people.” reads a post published by Website Planet. “The company was storing years of credit card data from hotel guests and travel agents without any protection in place, putting millions of people at risk of fraud and online attacks.”
The experts revealed that the unsecured S3 bucket contained over 180,000 records from August 2020 alone.
The exposed records include full names, email addresses, national ID numbers and phone numbers of hotel guests, card numbers, cardholder names, CVVs and expiration dates, the total cost of hotel reservations, reservation number, dates of a stay, special requests made by guests, number of people, guest names and more.
According to the experts. the data leak affects a large number of reservation platforms, including Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees, and Sabre.
The availability of such kind of data could expose hotel guests to a wide range of malicious activities, including identity theft, phishing attacks, scams, malware attacks, and reservation takeover.
The researchers pointed out that Prestige could face penalties in case authorities will determine violations of the General Data Protection Regulation and the Payment Card Industry Data Security Standard (PCI DSS).
At the time of publishing this post, it is not clear if someone has access to the S3 bucket.
“We can’t guarantee that somebody hasn’t already accessed the S3 bucket and stolen the data before we found it,” concludes the experts. “So far, there is no evidence of this happening. However, if it did, there would be enormous implications for the privacy, security and financial wellbeing of those exposed.”
Luxottica data breach exposes info of LensCrafters and EyeMed patients
9.11.20 Incindent Securityaffairs
A data breach suffered by Luxottica has exposed the personal and health information of patients of LensCrafters, Target Optical, and EyeMed.
Luxottica Group S.p.A. is an Italian eyewear conglomerate and the world’s largest company in the eyewear industry. As a vertically integrated company, Luxottica designs, manufactures, distributes and retails its eyewear brands, including LensCrafters, Sunglass Hut, Apex by Sunglass Hut, Pearle Vision, Target Optical, Eyemed vision care plan, and Glasses.com. Its best known brands are Ray-Ban, Persol, and Oakley. Luxottica also makes sunglasses and prescription frames for designer brands such as Chanel, Prada, Giorgio Armani, Burberry, Versace, Dolce and Gabbana, Miu Miu, and Tory Burch.
The Italian company employs over 80,000 people and generated 9.4 billion in revenue for 2019.
Luxottica was hit by a ransomware attack that took place on September 18.
In October, the Italian website “Difesa e Sicurezza” reported that that the Nefilim ransomware operators have posted a long list of files that appear to belong to Luxottica.
The huge trove of files appears to be related to the personnel office and finance departments.
The analysis of the leaked files revealed that they contain confidential information regarding the recruitment process, professional resumes, and info about the internal structures of the Group’s human resource department.
The exposed financial data includes budgets, marketing forecast analysis, and other sensitive data.
Now the news of another data breach made the headlines, a security breach has exposed the personal and protected health information for patients of LensCrafters, Target Optical, EyeMed, and other eye care practices.
The partners share a web-based appointment scheduling platform that is used by patients to schedule appointments online or over the phone.
Luxottica disclosed a security breach in the appointment scheduling application that took place on August 5, 2020.
According to a “Security Incident” notification issued this week by the company, it first became aware of the hack on August 9 and, after investigating the attack, determined on August 28 that the threat actors gained access to patients’ personal information.
“On August 9, 2020, Luxottica learned of the incident, contained it, and immediately began an investigation to determine the extent of the incident. On August 28, 2020, we preliminarily concluded that the attacker may have accessed and acquired patient information,” the Luxottica data breach notification states.
The notification confirms the exposure of information including personal data (PII) and protected health information (PHI), such as medical conditions and history. For some patients, exposed information included credit card numbers and social security numbers.
“The personal information involved in this incident may have included: full name, contact information, appointment date and time, health insurance policy number, and doctor or appointment notes that may indicate information related to eye care treatment, such as prescriptions, health conditions or procedures,” Luxottica warned.
Luxottica is offering a free two-year identity monitoring service through Kroll to those patients who had their payment information and SSNs exposed.
At the time the company is not aware of fraudulent activities abusing the exposed data, anyway, it is recommending its patients to remain vigilant for any suspicious activities and monitor their credit statements and history.
“We recommend that all potentially impacted individuals take steps to protect themselves, for example by closely monitoring notices from your health insurer and health care providers for unexpected activity.” states the company is a statement published on a website set up after the incident. “If your payment card information and/or Social Security number were involved in this incident, this is explicitly stated in your letter.”
On October 27th, the company began to notify affected users.
20 million Bigbasket user records available on the dark web
8.11.20 Incindent Securityaffairs
Bigbasket, a prominent online grocery store in India, allegedly suffered a data breach, details of over 20 million people available in the darkweb.
Grocery e-commerce website Bigbasket has allegedly suffered a data breach, according to cyber intelligence firm Cyble, the details of over 20 million people available in the darkweb.
BigBasket was founded by Alibaba Group, Mirae Asset-Naver Asia Growth Fund, and the CDC group, it has over 18,000 products from over 1000 brands in its listing.
“Recently, Big Basket, India’s leading online food and grocery store, became victim to a data breach.” reported Cyble.
While the COVID-19 pandemic continues to spread worldwide, online shopping is becoming very important for users, and such kind of incidents is exposing millions of users to the risk of hack.
Online stores manage both personal and financial details of their customers to allow them to easily purchase the products and receive them at their home.
In routine Dark web monitoring activity, the Cyber research team spotted a threat actor offering the database of BigBasket for sale in a cyber-crime market. The archive is 15 GB in size and contains 20 million user records, it is being sold for over $40,000.
The database includes names, email IDs, password hashes (potentially hashed OTPs), contact numbers (mobile + phone), addresses, date of birth, location, and IP addresses of login among many others.
Cyble notifies the company’s management team of the leak and they are currently working towards a disclosure process.
Below the timeline of the alleged data breach:
Oct 14, 2020 – The alleged breach occurred (screenshot below)
Oct 30, 2020 – Cyble detected the breach
Oct 31, 2020 – Cyble validated the breach through validation of the leaked data with BigBasket users/information
Nov 1, 2020 – Cyble disclosed the breach to BigBasket management
Nov 7, 2020 – Public disclosure.
The company has filed a police complaint in this regard with Cyber Crime Cell in Bengaluru and is investigating the alleged incident.
“Cyble is disclosing the alleged data leak in the interest of the population impacted.” concludes Cyble.
People who want to check if their information has been exposed in this data breach and other incidents can register on Cyble’s data breach monitoring and notification platform, AmiBreached.com.
Private Prison Operator GEO Group Discloses Data Breach
6.11.20 Incindent Securityweek
Florida-based private prison operator GEO Group this week revealed that it was recently targeted in a cyberattack that involved ransomware and which may have resulted in the theft of sensitive information.
The GEO Group operates over 120 jails, rehabilitation facilities, processing centers, and community reentry centers in North America, the UK, Australia and South Africa. In the United States, it also operates some of the controversial ICE detention centers.
The company revealed on November 3 that it discovered a data breach on August 19. Hackers gained access to GEO’s network and deployed a piece of ransomware.
Once the breach was detected, the company rushed to cut off all connections between the compromised corporate servers and facilities, data centers and the corporate office. However, an investigation revealed that the attackers may have accessed personal and protected health information.
The exposed information includes name, address, date of birth, social security number, driver’s license number, employee ID number, and medical treatment and other health-related information. GEO says it’s not aware of any cases of fraud or misuse of personal information resulting from this breach.
The company has started sending out notices to current and former employees and it has also informed the Securities and Exchange Commission (SEC) through an 8-K form.
GEO said in the SEC filing that the incident impacted a “portion” of its technology systems and a “limited amount of data that contained personally identifiable information and protected health information.”
“The Company recovered its critical operating data and the incident has not had a significant impact on the Company’s business operations or its ability to perform the services required under GEO’s contracts with its government customers to care for the individuals entrusted to GEO’s facilities and programs,” GEO said.
It added, “Based on its assessment and on the information currently known and obtained through the investigation of the incident, the Company does not believe the incident will have a material impact on its business, operations or financial results. The Company carries insurance, including cyber insurance, commensurate with its size and the nature of its operations.”
Swedish Insurer Folksam Exposes Data on 1 Million Customers
5.11.20 Incindent Securityweek
Swedish insurance company Folksam on Tuesday revealed that data on 1 million customers was inadvertently shared with third-parties.
Headquartered in Stockholm, the firm was established over a hundred years ago and is currently one of the largest insurers in Sweden. In 2001, the company sold the English subsidiary Folksam International.
The newly disclosed data security incident was identified during an internal audit. Immediately after discovering the issue, the company stopped the data sharing, contacted its partners to ask them to erase the data, and also informed authorities on the matter.
“We understand that this can cause concern among our customers and seriously point out what has happened. We immediately stopped sharing this personal information and requested to be deleted,” a Google Translate version of the company’s announcement reads.
The idea behind the data sharing, Jens Wikström, head of marketing and sales at Folksam, explains, was to provide customized offers to its users, but the operation was not performed correctly.
The company notes that the incident involves sensitive information that some of its customers might have shared, such as the type of insurance purchased and personal identity numbers (the equivalent of SSNs in Sweden). Folksam says it is not aware of the impacted data being improperly used by third parties.
The insurance company shared the sensitive information with Adobe, Facebook, Google, LinkedIn, and Microsoft. The purpose of the data was to analyze the information that users searched for on påfolksam.se, so as to provide them with customized offers.
Folksam also noted that this incident shouldn’t have happened and that it is working on ensuring that a similar data leak won’t happen again.
34M Records from 17 Companies Up for Sale in Cybercrime Forum
4.11.20 Incindent Threatpost
A diverse set of companies, including an adaptive-learning platform in Brazil, an online grocery service in Singapore and a cold-brew coffee-maker company, are caught up in the large data trove.
A whopping 34 million user records have materialized on an underground sales forum, which cybercriminals claim are gleaned from 17 different corporate data breaches.
According to reports, the data appeared late last week, and the theft appears to be the work of a single person or group.
The affected companies are a widely diverse set of targets, gleaned from around the world. According to Bleeping Computer, they include: Apps-builder.com; Athletico in Brazil; Indonesian financial firm Cermati; Clip (a card-reader company in Mexico); Coupontools.com; Eatigo; Everything5pounds.com; Fantasy Cruncher (a fantasy sports tool); Game24h in Vietnam; Geekie; online video-maker Invideo; lease-to-own furniture company Katapult; RedMart; Toddycafe (which offers cold-brew coffee gear); W3layouts (website templates); Indian wedding planning service Wedmegood; and Wongnai.
Two of the breaches were previously reported: RedMart and Eatigo.
RedMart (a division of Lazada, owned by Chinese giant Alibaba), offers online grocery shopping and delivery in Singapore. It’s perhaps the highest-profile company on the list – the company confirmed the incident in a notice to customers.
A full 1.1 million records were stolen from the company and put up for sale, containing emails, SHA1 hashed passwords, mailing and billing addresses, full names, phone numbers, partial credit-card numbers and expiry dates. The price tag for the cache is $1,500, according to the Straits Times, a Singapore-area paper of record.
“Our cybersecurity team discovered an individual claiming to be in possession of a RedMart customer database taken from a legacy RedMart system no longer in use by the company,” according to the company’s statement. “This RedMart-only information is more than 18 months out of date and not linked to any Lazada database…current customer data” is not affected.
Meanwhile Eatigo, which offers online restaurant reservations in Singapore and neighboring areas, said that data from 2.8 million accounts was stolen and offered for sale. In an email to affected customers, also reported by the Straits Times, the company said the data was more than 18 months old.
“We were made aware on Oct 30th that along with several other e-commerce platforms, we were the subject of a data security incident,” the company said. “Your existing Eatigo account password is protected by encryption and hence safe. We do not store credit-card information on our system.”
The affected data includes emails, passwords, names, phone numbers, gender, and Facebook IDs and tokens.
The other company to confirm a breach is Wongnai, Thailand’s equivalent to Yelp. That database included 4.3 million records, the attacker said, containing emails, passwords, Facebook and Twitter IDs, names, birthdates, phone numbers and postal codes. It confirmed the breach via email, according to Bleeping Computer.
“Thanks for your inquiry, we were aware of this incident last night (Bangkok time) and our tech team have been investigating this matter,” the company told the outlet.
Another breach of note in the trove is the compromise of Geekie, which is an adaptive-learning platform sanctioned by the Brazilian government and used by 5,000 different schools there. It reportedly had the most records put up for sale: A full 8.1 million of them are on offer, containing emails, bcrypt-sha256/sha512 hashed passwords, usernames, names, dates of birth, gender, mobile phone numbers and Brazilian CPF numbers (taxpayer IDs).
Meanwhile, the seller of the data on the underground forum told Bleeping Computer that he was merely a broker, acting on behalf of the actual attacker.
“When asked how the hacker gained access to the various sites, the seller stated, ‘Not sure if he want to disclose,'” according to the report.
Massive Credential Dumps
This latest incident continues the sporadic trend of massive data dumps showing up online (which generally lead to follow-on phishing and account take-over efforts).
In January, a huge cache totaling 87 GB of data was spotted on the MEGA cloud service. The data was organized into 12,000 separate files under a root folder called “Collection #1.” But as it turns out, Collection #1 was only a fraction of a larger amount of leaked credentials.
Soon after, researchers at the Hasso Plattner Institute in Potsdam, Germany discovered another new trove of stolen data equaling 845 GB and 25 billion records in all (611 million credentials after de-duping). The latest data dump, dubbed #Collection #2-5″ contained roughly three times as many unique records as Collection #1.
In all, the entire set of compromised credentials totaled 993.53 GB of data, including addresses, cell phone numbers and passwords.
Texas Gold-Dealer Mined for Payment Details in Months-Long Data Breach
3.11.20 Incindent Threatpost
JM Bullion fell victim to a payment-card skimmer, which was in place for five months.
A popular precious-metals dealer, JM Bullion, has been the victim of a payment-skimmer attack. The company’s response was less than solid gold — it took months to notify its users of the breach.
The Dallas-based company sells gold, platinum, silver, copper and palladium bullion, in the form of bars, coins and pure metal coins called rounds. As part of its business model JM Bullion explains it “enables investors to purchase bullion they physically hold, as opposed to merely owning on paper.”
In a notice sent to its online customers, the company said that it became aware of suspicious activity on its website on July 6. An investigation uncovered third-party, malicious code present on the site, which “had the ability to capture customer information entered into the website in limited scenarios while making a purchase,” according to an email, shared on Reddit on Sunday.
The company claims on its website that it uses 256-bit SSL encryption, certified by DigiCert/Norton. Additionally, “We never have access to your credit/debit card information, as it is processed securely by CyberSource, the parent company of Authorize.net, following the most stringent PCI-compliant standards.”
However, payment-card skimmers, which are code-injections into vulnerable website components, simply record whatever customers enter into the fields on checkout pages, making the encryption and other protections a moot point.
Thus, the cyberattackers were able to capture name, address and payment-card details, JM Bullion confirmed.
It also said that the skimmer was active for five months, from February 18 until its forensics team was able to remove it on July 17. The Reddit member said that the notice went out on Halloween, meaning that the company waited three and a half months to alert users of the issue. The dates also show that there were 11 days that the skimmer was active after the company became aware of suspicious activity on the website.
Customers took to Reddit to complain. Click to enlarge.
It’s unclear how many customers are affected. The company said that the skimmer was in action in a “small portion” of transactions. According to its website, it ships more than 30,000 orders per month.
When reached by phone, a customer service person told Threatpost that only those affected received the email notices.
JM Bullion didn’t immediately respond to a request for more details on the breach.
There’s no word on who could be behind the attack, but payment skimmers are at the heart of ongoing Magecart attacks. Magecart is an umbrella term encompassing several different threat groups who all use the same modus operandi: They compromise websites (mainly built on the Magento e-commerce platform) in order to inject card-skimming scripts on checkout pages, using exploits for unpatched vulnerabilities.
“Magecart attacks are notoriously difficult to detect because they target the client-side of websites,” Ameet Naik, security evangelist at PerimeterX, told Threatpost, noting that taking five months to notice the skimmer is not unusual. “Hackers inject malicious shadow code into the website scripts which runs on the users’ browsers. Traditional server-side monitoring and security solutions don’t have visibility into this client-side activity and are unable to stop such digital skimming attacks that lead to the theft of personal data from website users. This not only hurts the online business, but also exposes them to compliance penalties and liability.”
Taking advantage of unpatched and out-of-date websites, Magecart continues to be active. In October, a Magecart spinoff group called Fullz House compromised Boom! Mobile’s U.S. website and made off with a raft of personal identification.
Gold Dealer JM Bullion Discloses Months-Long Payment Card Breach
2.11.20 Incindent Securityweek
Texas-based precious metals dealer JM Bullion has informed some customers that their payment card information may have been stolen by cybercriminals, but the disclosure came months after the breach was discovered.
Founded in 2011, JM Bullion sells gold, silver, platinum and other precious metals, and it allows customers to pay with cryptocurrency. According to its website, the company reached 500,000 customers in March 2018 and it claims to ship over 30,000 orders per month.
The company claims on its website that customer information is kept secure through “256-bit SSL encryption” and that it does not have access to payment card information as it’s processed by a third party.
However, one JM Bullion customer revealed on Reddit over the weekend that they received a letter from the company informing them of a data security incident. The firm said it was alerted to suspicious activity on its website on July 6, when it launched an investigation with the help of third-party forensics experts.
The investigation found that someone hacked into JM Bullion’s website and planted malicious code that was present on the site between February 18 and July 17, 2020. The malicious code was apparently designed to harvest customer information entered on the website — this is known as a skimming or Magecart attack.
JM Bullion claims that the malicious code only captured information in “limited scenarios” when customers were making a purchase. The information stolen as part of this attack included names, addresses and payment card information, including card number, expiration date and security code.
“JM Bullion takes the security of personal information in its care very seriously. In response to this incident, JM Bullion notified law enforcement, our card processor, and the credit card brands, and continues to work with them as needed. We also reviewed our internal procedures and implemented additional safeguards on our website to protect customer information in our possession,” Michael Wittmeyer, CEO of JM Bullion, told customers.
Some customers who discussed the incident on Reddit seem disappointed that it took the company five months to discover the breach and another three months to alert impacted individuals. Others expressed concern that the exposure of physical addresses is serious as someone could use the information to target the homes of people who acquired precious metals.
SecurityWeek has reached out to JM Bullion for additional information and will update this article if the company responds.
UK ICO fines hotel chain giant Marriott over data breach
2.11.20 Incindent Securityaffairs
The UK Information Commissioner’s Office fined US hotels group Marriott over the 2018 data breach that affected millions of customers worldwide.
The UK Information Commissioner’s Office announced it has fined Marriott £18.4 million ($23.5 million) for multiple data breaches suffered by the company since 2018 that exposed the personal information of its customers.
“The ICO has fined Marriott International Inc £18.4million for failing to keep millions of customers’ personal data secure.” reads the press release published by the ICO. “The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR).”
In July 2019, the UK’s data privacy regulator announced that the giant hotel chain Marriott International faces a £99 million ($123 million) fines under GDPR over 2014 data breach.
According to the U.K.’s Information Commissioner’s Office, Marriott International was not compliant with the European Union’s data protection regulation GDPR.
The fine is less than initially planned because the watchdog had taken into account Marriott’s efforts “to mitigate the effects of the incident and the economic impact of Covid-19 on their business before setting a final penalty”.
In November 2018, the hotel chain announced that data from as many as 500 million guests at its Starwood hotels may have been compromised by a security breach occurred in 2014.
This is one of the largest data breaches in history, the biggest one for the hospitality industry.
Marriott International has bought Starwood Hotels and Resorts Worldwide in 2016 for $13 billion. The brand includes St. Regis, Sheraton Hotels & Resorts, W Hotels, Westin Hotels & Resorts, Aloft Hotels, Tribute Portfolio, Element Hotels, Le Méridien Hotels & Resorts, The Luxury Collection, Four Points by Sheraton and Design Hotels.
According to the company, hackers accessed to the Starwood’s guest reservation system since 2014 and copied and encrypted the information.
The intrusion was detected on September 8 when a monitoring system found evidence regarding an attempt to access the Starwood guest reservation database in the United States. Two months later, on November 19, an investigation confirmed the intrusion into the archive containing “guest information relating to reservations at Starwood properties on or before September 10, 2018.”
Unknown hackers accessed personal information of nearly 327 million guests, compromised records include names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, genders, arrival and departure information, reservation date.
The investigation in the Starwood Data Breach revealed that stolen data also includes financial data, payment card numbers and payment card expiration dates were exposed, even if in an encrypted format.
According to the Information Commissioner’s Office, the data breach affected 30 million European residents, including 7 million in the U.K.
According to the British watchdog, Marriott failed to perform sufficient due diligence when it bought Starwood in 2016 and did not implement necessary measures to secure its systems.
”Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.” Information Commissioner Elizabeth Denham said.
“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
Hackers stole credit card data from JM Bullion online bullion dealer
2.11.20 Incindent Securityaffairs
JM Bullion, the leading online bullion dealer in the United States, has disclosed a data breach, hackers stole customers’ credit card information.
JM Bullion, the online retailer of products made of precious metals (i.e. gold, silver, copper, platinum, and palladium) has disclosed a data breach.
JM Bullion has sent a ‘Notice of Data Security Incident‘ to its customers, the security breach took place on February 18, 2020, when its staff discovered a malicious script on its website.
“On July 6, 2020, JM Bullion was alerted to suspicious activity on its website. JM Bullion immediately began an investigation, with the assistance of a third-party forensic specialist, to assess the nature and scope of the incident. Through an investigation, it was determined that malicious code was present on the website from February 18, 2020 to July 17, 2020, which had the ability to capture customer information entered into the website in limited scenarios while making a purchase,” reads the JM Bullion’s notice.
It is a classic Magecart attack, threat actors planted a malicious script on the website which was used to steal information entered by users while making a purchase. The company was alerted of the compromise on July 6, 2020 and immediately launched an investigation with the help of a third-party forensic firm.
Published by Reddit user r/Silverbugs
The information stolen in this attack includes customers’ names, addresses, and payment card information, including the account number, expiration date, and security codes.
Customers who made purchases on JM Bullion’s site between February 18th, 2020, to July 17th, 2020, have been impacted and are recommended to remain vigilant on credit card statements for fraudulent activity.
A data breach broker is selling account databases of 17 companies
1.11.20 Incindent Securityaffairs
A threat actor is offering for sale account databases containing an aggregate total of 34 million user records stolen from 17 companies.
A data breach broker is selling account databases containing a total of 34 million user records stolen from 17 companies.
The threat actor is advertising the stolen data since October 28 on a hacker forum.
Source Bleeping Computer
The availability of the huge trove of account data was first reported by BleepingComputer, the threat actor told them that it is only acting as a broker and did not hack the seventeen companies.
At the time it is not clear how someone amassed the records from the allegedly hacked companies, it is likely that they were circulating in the hacking underground and were privately sold to various threat actors.
According to the seller, the account databases are the results of data breaches that took place in 2020, none of the companies have disclosed security breaches prior to this week.
Only RedMart, after being informed by Bleeping computer, disclosed a security breach.
The seventeen companies are 8.1 million (8.1 million), Clip.mx (4.7 million), Wongnai.com (4.3 million), Cermati.com (2.9 million), Everything5pounds.com (2.9 million), Eatigo.com (2.8 million), Katapult.com (2.2 million), Wedmegood.com (1.3 million), RedMart (1.1 million), Coupontools.com (1 million), W3layouts.com (789 thousand), Game24h.vn (779 thousand), Invideo.io (571 thousand), Apps-builder.com (386 thousand), Fantasycruncher.com (227 thousand), Athletico.com.br (162 thousand), Toddycafe.com (129 thousand).
Bleeping computer detailed for each company the information exposed in the data breach.
“From the samples of each database seen by BleepingComputer, we have confirmed that exposed email addresses correspond to accounts for thirteen of the allegedly seventeen breached services. We could not verify accounts for Clip.mx, Katapult, CouponTools, or Aps-builder.com.” states BleepingComputer.
Users of the above companies have to immediately change their passwords, and if they use the same passwords at other sites, they should also change the password at those sites.
Wisc. GOP’s $2.3M MAGA Hat Debacle Showcases Fraud Concerns
31.10.20 Incindent Threatpost
Scammers bilked Wisconsin Republicans out of $2.3 million in a basic BEC scam — and anyone working on the upcoming election needs to pay attention.
The Wisconsin Republican party’s war chest is lighter by $2.3 million after scammers posing as MAGA-hat vendors were able to spoof invoices in what appears to be a basic business email compromise (BEC) attack. It’s just the latest in a litany of attacks related to the upcoming election, and it showcases a big problem area when it comes to cybersecurity, researchers said.
In a BEC attack, a fraudster impersonates a trusted party to try and trick a business into making payments or wiring money. In a typical BEC attack, criminals will do their research to make their communications seem credible, according to Agari’s recent deep dive on the state of BEC attacks.
“Cybercriminals, using a sophisticated phishing attack, stole funds intended for the re-election of President Trump, altered invoices and committed wire fraud,” Wisconsin state party Chair Andrew Hitt said in a statement announcing the incident. “These criminals exhibited a level of familiarity with state party operations at the end of the campaign to commit this crime.”
Researchers disagreed with the “sophisticated” claim: “While this scam may look sophisticated, this is fairly simple and reflects the vulnerability of any organization that has not digitized their spend management processes,” Alex Saric, CMO of Ivalua said. “Invoicing is an area ripe for fraudsters and cybercriminals, who know employees may not always question their validity, particularly if they look convincing.”
That tracks with Hitt’s explanation about the scammers’ familiarity with party operations. These financially motivated criminals will often sit and monitor inboxes they’ve compromised for quite some time. In this instance they were able to get enough insight into the Wisconsin GOP’s day-to-day dealings that they could doctor MAGA-hat invoices, according to reports. They used the names of existing vendors to the party and made the invoices look close enough to the real thing to get them paid.
The Wisconsin GOP said that no proprietary information was compromised in the attack, and that the state party still has enough cash on hand to keep the operation going.
“While a large sum of money was stolen, our operation is running at full capacity with all the resources deployed to ensure President Donald J. Trump carries Wisconsin on November 3rd,” Hitt added.
Cybercrime Isn’t Partisan
The Wisconsin GOP isn’t alone. According to Agari’s most recent count, BEC attacks make up 40 percent of all cybercrime losses, impacting more than 177 countries across the world.
But as the election approaches and campaign activity amps up to its most furious pace in the final days before the election, political operations will be a particularly juicy target for cybercriminals, warned Ken Liao, vice president of cybersecurity strategy and Abnormal Security.
“Political candidates, their staffs and the organizations they work with will always be targets for malicious actors,” Liao said. “Email-based attacks — and more specifically attacks perpetrating invoice fraud — are one of the more common methods used by hackers to gain access to sensitive information. As we get closer to the election, attackers will count on the fact that staffers will be busier and stretched thin, making it easier to induce a security lapse.”
Which requires political staff and elections officials to be more diligent than normal (especially when things around them are anything but normal). It’s not a simple ask — which is precisely what malicious actors are banking on to help fuel their scams, Liao added.
“All it takes is one errant click from a single member of a campaign staff,” he said. “It’s particularly important for employees to be vigilant and ensure that anything they open or click on is from a trusted source. At the same time, employers need to have detection capabilities that can automatically identify signals coming from email traffic that poses a threat.”
Campaign operations have also largely gone mobile, adding another layer of exposure to attacks, according to Hack Schless, who works in security solutions at Lookout.
“Campaign workers communicate directly with reporters and coordinate with other staffers over messaging apps and SMS,” Schless said. “They also need to run their candidates’ social-media accounts. SMS, social media, and third-party messaging platforms are three of the most popular platforms threat actors use to socially-engineer targets into falling for phishing attempts. It’s gone so far as the DNC warning campaign workers against social engineering through dating apps in a statement issued earlier this year.”
The goal of these attempts is to trick staffers into giving up their credentials, Schless added.
“They want to gain access to the campaign’s infrastructure to steal data or resources normally accessed by that individual,” he said. “The attacker can carry out their campaign through SMS, email, iMessage, social media platforms, third-party messaging apps and more.”
Recent Election-Related Attacks
All of this is against the backdrop of no shortage of attacks on the election this year.
For instance, Iranian actors posing as the hate group “Proud Boys” launched email campaigns against registered Democrats with threatening messages to “vote for Trump or else,” using stolen voter-registration data.
Last week Georgia’s database of voter signatures was impacted by a ransomware attack on Hall County, Ga.
And just days ago the Trump Campaign website was defaced with a cryptocurrency scam, briefly displaying a message from scammers claiming to have “strictly classified information.”
The added fog of highly charged, partisan politics only serves to help criminals, Tom Pendergast, chief learning officer at MediaPro said.
“We must remember as this story unfolds that this is not a partisan issue,” he noted. “Now, it may be partisan in that the cybercriminals behind this attack may prefer one party over the other (though it’s not clear which party is advantaged here). And we can be sure it will get twisted to partisan ends.”
He adds any attacks on our elections need to be met with a unified American front.
“However, the way we respond to it should NOT be partisan,” Pendergast continued. “Making voting and email and digital transactions and the internet safe for everyone should be an issue we can all get behind. No one gains from cybercrime and no one gains from election fraud, if what we ultimately care about is a stable democracy.”
Wisconsin Republican Party Says Hackers Stole $2.3 Million
30.10.20 Incindent Securityweek
Hackers have stolen $2.3 million from the Wisconsin Republican Party’s account that was being used to help reelect President Donald Trump in the key battleground state, the party’s chairman told The Associated Press on Thursday.
The party noticed the suspicious activity on Oct. 22 and contacted the FBI on Friday, said Republican Party Chairman Andrew Hitt.
Hitt said the FBI is investigating. FBI spokesman Brett Banner said that, per policy, “the FBI is not permitted to confirm or deny an investigation.” The Wisconsin Department of Justice, which has a center focused on cyber crime able to assist if requested, has not been asked to investigate, said spokeswoman Rebecca Ballweg.
The alleged hack was discovered less than two weeks before Election Day, as Trump and Democratic rival Joe Biden made their final push to win Wisconsin and its 10 electoral votes. Trump won the state by fewer than 23,000 votes in 2016 and was planning his third visit in seven days on Friday. Biden also planned to campaign in Wisconsin on Friday. Polls have consistently shown a tight race in the state, usually with Biden ahead by single digits and within the margin of error.
Hitt said he was not aware of any other state GOP being targeted for a similar hack, but state parties were warned at the Republican National Convention this summer to be on the lookout for cyber attacks.
“We have been in contact with the state party and are assisting them through this process,” said Republican National Committee spokesman Michael Ahrens. “The RNC never left Wisconsin after 2016, and we are confident that our ground game and the millions we are spending on TV and digital will deliver us another win there in 2020.”
The reported hack exposed new tensions in the final days of the race between the Trump campaign and the state party, which overspent and failed to properly account for its expenditures in 2018, leading to a shakeup in top party leadership.
Campaign officials in Wisconsin learned about the alleged hack from media reports and were furious that state officials had not briefed them on how it might impact operations, according to a Trump campaign official who requested anonymity because the person was not authorized to discuss internal conversations.
But Trump’s director of battleground strategy, Nick Trainer, said the national campaign was notified immediately.
“I personally received a call notifying me as a senior official for the campaign,” he said. “We have complete trust in the Republican Party of Wisconsin and know they will deliver the state for the President in four days.”
There have been more than 800 attempted phishing attacks for financial gain targeting the Wisconsin Democratic Party this campaign cycle, but none has been successful, said party spokeswoman Courtney Beyer.
The alleged hack is “certainly embarrassing” for Republicans, said Matt Rothschild, leader of the Wisconsin Democracy Campaign, an independent group that tracks campaign donations and spending.
“It’s got to hurt them and their ability to function at this crucial moment,” he said. “I can’t see any upside for them in this matter.”
Hitt stressed that the money stolen was for services already rendered.
“While a large sum of money was stolen, our operation is running at full capacity,” he said.
Hitt said the hackers manipulated invoices from four vendors who were being paid for direct mail for Trump’s reelection efforts as well as for pro-Trump material such as hats to be handed out to supporters. Invoices and other documents were altered so when the party paid them, the money went to the hackers instead of the vendors, Hitt said.
It was discovered after someone noticed that an invoice was generated that should not have been, he said.
Hitt said it appears the attack began as a phishing attempt and no data appears to have been stolen, said party spokesman Alec Zimmerman.
The money was stolen from the state party’s federal account, which currently contains about $1.1 million, but that number fluctuates daily because of quick moving resources late in the campaign, Zimmerman said. Money in the federal account can only be spent on federal races and donations are capped at $10,000 per individual each calendar year.
Campaign finance reports filed this week in Wisconsin show Democrats have raised far more money than Republicans. The state Democratic Party raised nearly $59 million over the past two years compared with just $23.7 million for Republicans.
Early voting is in full swing in Wisconsin, with more than 1.6 million ballots returned as of Thursday morning. That is nearly 55% of the total vote cast in 2016.
Britain Fines US Hotel Chain Marriott Over Data Breach
30.10.20 Incindent Securityweek
Britain's data privacy watchdog on Friday said it has fined US hotels group Marriott over a data breach affecting millions of customers worldwide.
The UK Information Commissioner's Office said in a statement it fined Marriott £18.4 million ($23.5 million, 20.1 million euros) for breaches of data that included personal information such as passport numbers since March 2018.
That was when new European Union data protection rules, or GDPR, came into effect.
The final penalty is far less than a figure of around £100 million originally planned by the ICO.
The watchdog said it had taken into account "steps Marriott took to mitigate the effects of the incident and the economic impact of Covid-19 on their business before setting a final penalty".
Since the breach occurred before Britain left the European Union, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR.
The ICO said Marriott's breach in fact dated back to 2014, uncovering client data including passport numbers.
Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack six years ago on Starwood Hotels and Resorts Worldwide.
The ICO said the precise number of people affected remained unclear as there may have been multiple records for an individual guest.
It added that seven million guest records related to people in the UK.
"The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott," the watchdog said.
"The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests' VIP status and loyalty programme membership number," it said.
Information Commissioner Elizabeth Denham said businesses are required to look after "precious" personal data belonging to clients.
"Millions of people's data were affected by Marriott's failure... When a business fails to look after customers' data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect," she said.
Home Depot Confirms Data Breach in Order Confirmation SNAFU
30.10.20 Incindent Threatpost
Hundreds of emailed order confirmations for random strangers were sent to Canadian customers, each containing personal information.
Home Depot has exposed the private order confirmations of hundreds of Canadian consumers, containing names, physical addresses, email addresses, order details and partial credit-card information.
After customers began reporting that they had received hundreds of emails from the home-improvement giant, each containing an order confirmation for a stranger, the company confirmed the issue.
One affected customer posted a screenshot of his inbox on Twitter, filled with random people’s order confirmations, tweeting: “Hey um… I’m pretty sure I received a reminder email for literally every online order that is currently ready for pick up at literally every Home Depot store in Canada. There are 660+ emails. Something has gone wrong.”
He added, “you are almost certainly aware by now that you sent four-to-five-hundred emails to each of 527 people by mistake.”
The company was quick to respond, although it didn’t provide many details.
“Thank you for reaching out to us,” Home Depot Canada tweeted on Wednesday. “We are aware of what occurred this morning and can confirm that this issue has now been fixed. This issue impacted a very small number of our customers who had in-store pick-up orders. Please DM us with any additional questions.”
But the issue seems to have affected multiple hundreds of people, and not just in-store pickup orders:
Home Depot Canada confirmed the impact to online shoppers in a later tweet after being called out on the in-store only claim.
In response to an inquiry asking how the breach happened and asking for more concrete details on who was affected, the DIY specialist told Threatpost: “Tuesday evening, we discovered a systems error on select http://Homedepot.ca orders impacting a small number of our Canadian customers. Some customers may have received multiple emails for orders they did not place. This issue has been fixed. None of the emails contained passwords or un-hashed payment card information.”
It’s unclear exactly what details these particular order confirmations included; Home Depot order confirmations sent in the past to Threatpost staff include full names and addresses, details and cost of the items ordered, phone numbers if provided for delivery purposes, and links to “check order status.” Clicking that link takes customers to an online portal to sign in, which could conceivably lead to the exposure of more information if cyberattackers were able to brute-force the credentials.
If past data exposures are any indication, the information is enough to craft convincing phishing and fraud messages. Additionally, it could even allow someone to show up at a house under the guise of being a delivery person, or conceivably allow someone to pick up an in-store order that wasn’t theirs, if strict ID checking weren’t in place. Threatpost has asked researchers for their take on the seriousness of the issue and will update this post accordingly.
Home Depot was the subject of one of the most high-profile data breaches ever to come to light, with 50 million credit card numbers stolen and 53 million email addresses pilfered by unknown attackers in 2014. The place for “doers” agreed in 2018 to pay $19.5 million to compensate the victims of the incident, which stemmed from attackers using compromised vendor credentials to gain access to its network and then the company’s point-of-sale system.
EXCLUSIVE: Medical Records of 3.5 Million U.S. Patients Can be Accessed and Manipulated by Anyone
28.10.20 Incindent Securityweek
More Than 2 Petabytes of Unprotected Medical Data Found on Picture Archiving and Communication System (PACS) Servers
The results of 13 million medical examinations relating to around 3.5 million U.S. patients are unprotected and available to anyone on the internet, SecurityWeek has learned. This is despite the third week of this year's National Cybersecurity Awareness Month (week beginning 19 October 2020) majoring on 'Securing Internet-Connected Devices in Healthcare'.
The details were disclosed to SecurityWeek by Dirk Schrader, global vice president at New Net Technologies (NNT -- a security and compliance software firm headquartered in Naples, Florida). He demonstrated that the records can be accessed via an app that can be downloaded from the internet by anyone. The records found are in files that are still actively updated, and provide three separate threats: personal identity theft (including the more valuable medical identity theft), personal extortion, and healthcare company breaches.
Schrader examined a range of radiology systems that include an image archive system -- PACS, or picture archiving and communication system. These contain not only imagery but metadata about individual patients. The metadata includes the name, data of birth, date and reason for the medical examination, and more. Within a hospital, the imaging systems (X-rays, MRIs etc) are also stored in the PACS. The treating physician needs ready access to the images to confirm the current treatment. Schrader simply used Shodan to locate systems using the DICOM medical protocol. Individual unprotected PACS systems within the return of 3,000 servers were located manually. One, for example, contained the results of over 800,000 medical examinations, probably relating to about 250,000 different patients.
Although unprotected servers were found manually by Schrader, he chose this route to demonstrate that no hacking skills are required in this process. An attacker could have written a script to separate the protected from the unprotected servers in a fraction of the time. In total, he had access to more than 2 petabytes of medical data.
He found three ways to access the stored data. The first is what the physician would do, via a configurable freeware DICOM Viewer app downloaded from the internet and configured by the user. Viewers can be found simply by searching for 'DICOM viewer'. Schrader specifically used the Radiant DICOM Viewer. An even simpler method is directly via the web browser. The server is located via Shodan, and because it is unprotected, an attacker can often both download and upload to that server, and manipulate the content. "I can upload false data," Shrader told SecurityWeek, "without hacking." The third method is that some of the servers offer a full download of the entire dataset directly through the browser.
The level of detail on individuals includes names and sometimes social security numbers -- potentially allowing identity theft. The type and result of the medical examination is also included, allowing an attacker to collect details on patients who have proved COVID or HIV positive, or had a mastectomy procedure -- potentially allowing personal extortion. In some cases, active folders can be accessed -- and updated -- by an attacker simply through a browser. If these folders are updated with a weaponized PDF or JPG, then the attacker has a potential route to deliver malware and ultimately ransomware to the healthcare institution concerned. Where a physician is using the content of the PACS server to check on a patient's current treatment, and downloads a weaponized file, he or she could potential open route for malware to infect the institution, ultimately leading to a major ransomware attack.
Schrader has been investigating this issue for several years, looking at healthcare institutions around the world. In December 2019, he sent disclosure notices to the administrators of 120 unprotected systems in the U.S. Sixty-nine administrators completely ignored the warnings, including 19 children's hospitals. Elsewhere, responses have been better. In general, the response from Europe and the UK has been positive, and the data has been secured. The U.S., India and Brazil are the primary culprits today, but other unprotected PACS systems exist in Australia and Canada - and one in France. The figures he gave to SecurityWeek relate entirely to the U.S.; and rather than exposed systems being removed, new systems are still being added without adequate or any authentication requirements.
Having obtained the IP addresses from Shodan, Schrader went on to run vulnerability checks against the U.S. institutions, and found, he told SecurityWeek, "around 600 high severity vulnerabilities in around 170 U.S. systems connected to the internet;" suggesting that the systems are not just unprotected, but also unmanaged. "There are numerous end-of-life vulnerabilities, and several Microsoft vulnerabilities at the highest risk level. There is no reason for a picture archiving system to remain unpatched -- it's like these systems have been connected to the internet and just forgotten."
Schrader has found no hard evidence that PACS content has been abused by criminals, "But my suspicion," he told SecurityWeek, "is that criminals are already using this method because it is so easy." The solution to the problem is simple -- PACS servers should require adequate access authentication, or be removed from the internet. In the meantime, many millions of sensitive medical records can be accessed by anyone at any time.
Hacker was identified after the theft of $24 million from Harvest Finance
27.10.20 Incindent Securityaffairs
A threat actor has stolen roughly $24 million worth of cryptocurrency assets from decentralized finance service Harvest Finance.
A hacker has stolen approximately $24 million worth of cryptocurrency assets from decentralized finance service Harvest Finance, a web portal that lets users finding the farming opportunities that will maximize their yield(APY) returns.
The hack took place earlier today and was almost immediately confirmed by Harvest Finance administrators in messages posted on the company’s Twitter account and Discord channel.
“On October 26, 02:53:31 AM +UTC, an attacker executed a theft of funds from the USDC and USDT vaults of Harvest Finance.” reads the security breach notification published by the company. “The attacker exploited an arbitrage and impermanent loss that influences the value of individual assets inside the Y pool of Curve.fi, which is where the funds of Harvest’s vaults were invested.”
The attackers initially invested large quantities of cryptocurrency assets in the company service and then used a cryptographic exploit to stole the platform’s funds and transfer them to wallets under its control.
The attacker successfully transferred 13,000,000 USD Coin (USDC) and 11,000,000 Tether (USDT) from the attacking contract to the address “0x3811765a53c3188c24d412daec3f60faad5f119b.”
Experts noticed that shortly after the attack, the hacker returned roughly $2.5 million back to Harvest Finance, but they ignore the reason.
The company immediately launched an investigation into the cyber heist, it claims to have linked the fraudulent activities to an individual “well-known in the crypto community.”
The company claims to have collected “a significant amount of personally identifiable information on the attacker initially offered a $400,000 bounty to anyone who will allow recovering the stolen funds. The bounty will be lowered to $100,000 after 36 hours of the announcement.
The company hopes that the attacker will return the stolen funds:
Harvest Finance explained that the attack was the result of an error it has made, anyway if the attacker will return the stolen funds it will not take legal action against the hacker.
“We made an engineering mistake, we own up to it,” explained the company.
“You’ve proven your point. If you can return the funds to the users, it would be greatly appreciated by the community, and let’s move on.”
Fragomen law firm data breach exposed Google employee’s data
27.10.20 Incindent Securityaffairs
Immigration law firm Fragomen has disclosed a data breach that exposed current and former Google employees’ personal information.
Immigration law firm Fragomen, Del Rey, Bernsen & Loewy, LLP, one of the most prominent US law firms covering immigration law, disclosed a data breach.
The security breach exposed current and former Google employees’ personal information after an unauthorized third party gained access to a single file containing personal information relating to I-9 employment verification services.
The firm discovered the intrusion on September 24, 2020 and engaged a digital forensic investigation firm to assist with this investigation.
“We recently became aware of suspicious activity within our computer network. While our investigation is ongoing, we discovered that an unauthorized third party gained access to a single file containing personal information relating to I-9 employment verification services. This file contained personal information for a discrete number of Googlers (and former Googlers), including you,” reads the data breach notification sent to the impacted people.
A Form I-9 is filled out by all US employees to verify their identity and employment authorization for employment in the United States.
The form contains employee’s information, including full name, date of birth, phone number, social security number, passport numbers, mailing address, and email address,
Exposed data could be abused by crooks to carry out multiple malicious activities, including identity theft. Users should be vigilant and report to the authorities any suspicious activities.
Fragomen is offering one year of free credit monitoring to the affected Google’s employees.
“We are offering complimentary identity theft protection and credit monitoring services to all Googlers (and former Googlers) who may have been affected by this incident in countries where these services are available. These services are available through IDX, the data breach and recovery services expert.” continues the notification notice. “IDX identity protection services include: 12 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed ID theft recovery services. With this protection, IDX will help you resolve issues if your identity is compromised.”
Swedish Authorities, Banks Hit by Security Data Leak: Report
27.10.20 Incindent Securityweek
Details of bank vault floor plans, alarm systems and the security arrangements for Swedish authorities have been leaked online after a security company was hacked, local media reported Tuesday.
A total of 19 gigabytes of information and around 38,000 files were stolen from security group Gunnebo by one or more hackers in August, according to newspaper Dagens Nyheter.
"It's of course unfortunate that we've had a theft of data," Gunnebo CEO Stefan Syren was quoted as telling the paper.
"We are now reviewing the material and in the cases where there is sensitive information we are contacting the client," he said.
Among the leaked documents are details of the security arrangements for the Swedish parliament and confidential plans of the Swedish Tax Agency's new office on the outskirts of Stockholm, the paper said.
Plans for bank vaults in at least two German banks were leaked, while other documents show the alarm systems and surveillance cameras at a branch of the SEB bank in Sweden, it reported.
Headquartered in Sweden, Gunnebo is a multinational company with nuclear power plants, hospitals and airports among its international customers.
The hack was reported to the Swedish Security Service in August.
"We can only speculate on what the target of the attack was, but as we cannot rule out that it was an attempt at industrial espionage, it has been important to follow the regulations and we have therefore decided to inform Sapo," Syren said in a statement at the time.
The company also said it had concluded that the attack was "well organized," but no details of what data had been compromised was disclosed.
AFP has contacted Gunnebo for a comment.
Dagens Nyheter said hacking attacks based on extortion have hit many companies in recent times, in which criminals steal sensitive information and then demand a ransom not to leak the data online.
Neighboring Finland is currently dealing with an unprecedented hack after the private records of thousands of psychotherapy patients were stolen from the private healthcare company Vastaamo.
The records were first used to try to blackmail the company but then emails demanding ransoms were sent directly to patients at the weekend.
Nando’s Hackers Feast on Customer Accounts
27.10.20 Incindent Threatpost
Multiple chicken diners said their usernames and passwords were stolen and the accounts used to place high-volume orders.
Diners at a popular chicken-dinner chain have seen hundreds of dollars siphoned out of their bank accounts, after cybercriminals were able to access their restaurant ordering credentials. The issue though is that payment-card information is not stored within Nando’s accounts, leaving some questions as to how the hacks occurred.
The Nando’s chain of Peri-Peri chicken eateries is a fixture on most main drags in U.K. and European cities, with dozens of locations in the U.S. as well. It confirmed a credential-stuffing attack on Friday.
Credential-stuffing is accomplished by hackers who take advantage of users who often reuse the same passwords across multiple online accounts. The cyberattackers use stolen passwords and usernames from previous data breaches to brute-force accounts on a wide scale, and when a match is found, they can take over the victim’s account.
Multiple Nando’s customers said their usernames and passwords were stolen and the accounts used to place high-volume orders, according to reports. The mobile numbers were also changed on the impacted accounts.
“We can confirm that while our systems have not been hacked, unfortunately some individual Nando customer accounts have been accessed by a party or parties using a technique called credential-stuffing, whereby the customer’s email address and password have been stolen from somewhere else and, if they use the same details with us, used to access their Nando’s accounts,” Nando’s said in a press statement. “We take immediate action to refund anyone who has been impacted and secure those affected Nando’s accounts.”
It added, “We have made and are continuing to make investments to improve our detection and prevention of suspicious and malicious activity. We apologize to our customers who have been impacted by this.”
Because of COVID-19, Nando’s customers must place an order online or by using a QR code. They’re then prompted for their payment details, but customers said that those details aren’t stored in the account.
“We quite quickly received a refund after complaining on Twitter, however we’re yet to receive any explanation as to how the attack happened,” one U.K. victim told the Daily Mirror.
The sums were not insignificant – one woman received an email confirmation for two orders totaling around $150 (£114.50) that she had never placed. After checking her banking app and confirming that the money was taken out, she talked to the manager at the store, located in the Kensington neighborhood of greater London.
“We eventually found the telephone number for the Kensington High Street branch and after a while managed to talk to the manager who confirmed that there were a group of young people who’d placed the same orders in store,” she told the Mirror. “They said they’d had numerous attempts blocked while trying to purchase further orders. They’d just left the branch with all the food from the original two orders. He said he had CCTV and we had to contact head office to obtain a refund.”
Other victims told U.K. media outlets that they were robbed of even more – one man was robbed of about $870 (£670).
Threatpost has reached out to Nando’s for more information on how the fraudsters were able to access payment-card details.
Between July 2018 and June of this year, there were more than 100 billion credential-stuffing attacks in total, according to a recent Akamai report. In the commerce category specifically – comprising the retail, travel, and hospitality industries – there were 64 billion recorded. More than 90 percent of those attacks targeted the retail industry, which includes fast-food chains like Nando’s.
Nitro PDF data breach might impact major companies, including Microsoft, Google, and Apple
27.10.20 Incindent Securityaffairs
Nitro PDF suffered a massive data breach that impacts many major organizations, including Apple, Chase, Citibank, Google, and Microsoft.
A massive data breach suffered by the Nitro PDF might have a severe impact on well-known organizations, including Google, Apple, Microsoft, Chase, and Citibank.
Nitro Software, Inc. develops commercial software used to create, edit, sign, and secure Portable Document Format (PDF) files and digital documents. The company has over 650,000 business customers worldwide, and claims millions of users across the globe.
According to the following the security advisory issued by the software maker and unauthorized third party gained limited access to a company database.
"NITRO ADVISES OF LOW IMPACT SECURITY INCIDENT
* AN ISOLATED SECURITY INCIDENT INVOLVING LIMITED ACCESS TO NITRO DATABASE BY AN UNAUTHORISED THIRD PARTY
* DATABASE DOES NOT CONTAIN USER OR CUSTOMER DOCUMENTS.
* INCIDENT HAS HAD NO MATERIAL IMPACT ON NITRO'S ONGOING OPERATIONS.
* INVESTIGATION INTO INCIDENT REMAINS ONGOING
* NO EVIDENCE CURRENTLY THAT ANY SENSITIVE OR FINANCIAL DATA RELATING TO CUSTOMERS IMPACTED OR IF INFO MISUSED
* DOES NOT ANTICIPATE A MATERIAL FINANCIAL IMPACT TO ARISE FROM INCIDENT
* INCIDENT IS NOT EXPECTED TO IMPACT CO'S PROSPECTUS FORECAST FOR FY2020"
Cybersecurity intelligence firm Cyble came across a threat actor that was selling a database, allegedly stolen from Nitro Software’s cloud service, that includes users’ data and documents. The huge archive contains 1TB of documents, the threat actor is attempting to sell it in a private auction with the starting price of $80,000.
The database contains a table named ‘user_credential’ that contains 70 million user records, including email addresses, full names, bcrypt hashed passwords, titles, company names, IP addresses, and other system-related data.
Cyble shared the database with Bleeping Computer that was able to determine the authenticity of the database.
“From the samples of the database shared with BleepingComputer, the document titles alone disclose a great deal of information about financial reports, M&A activities, NDAs, or product releases.” states BleepingComputer.
The records in the document database contain a file’s title, whether it was created, signed, what account owns the document, and whether it’s public.
I have reached Cyber for a comment, below their statement:
“Considering the scale and extent of the breach, this is one of the worst breaches Cyble has seen in the last few years. The cybercriminals were not only able to access sensitive account details, but also the information related to shared documents as well. Majority of the Fortune 500 organizations are affected by this breach.”
The databases contain a large number of records belonging to well-known companies:
Company # of accounts # of documents
Amazon 5,442 17,137
Apple 584 6,405
Citi 653 137,285
Chase 85 177
Google 3,678 32,153
Microsoft 3,330 2,390
M&A documents
Cyble has added the data related to the NITRO PDF data breach to its AmIBreached.com data breach notification service.
MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability
21.10.20 Incindent Securityaffairs
Researchers discovered that MMO game Street Mobster is leaking data of 1.9 million users due to SQL Injection critical vulnerability.
Attackers could exploit the SQL Injection flaw to compromise the game’s database and steal user data.
Original Post: https://cybernews.com/street-mobster-game-leaking-data-of-2-million-players
The CyberNews.com Investigation team discovered a critical vulnerability in Street Mobster, a browser-based massively multiplayer online game created by Bulgarian development company BigMage Studios.
Street Mobster is a free to play, browser-based online game in the mafia empire genre where players manage a fictional criminal enterprise. The game boasts a 1.9+ million player base and stores a user record database that can be accessed by threat actors by committing an SQL Injection (SQLi) attack on the game’s website.
The records that can be compromised by exploiting the SQLi vulnerability in Street Mobster potentially include the players’ usernames, email addresses, and passwords, as well as other game-related data that is stored on the database.
Fortunately, after we reported the vulnerability to BigMage Studios, CERT Bulgaria, and the Bulgarian data protection authority, the issue has been fixed by the developers and the user database is no longer accessible to potential attackers.
What is SQL Injection?
First found back in 1998, SQLi is deemed by the Open Web Application Security Project (OWASP) as the number one web application security risk.
Even though this vulnerability is relatively easy to fix, researchers found that 8% of websites and web applications are still vulnerable to SQLi attacks in 2020. Which, from a security perspective, is inexcusable. So much so, in fact, that UK internet service provider TalkTalk was hit with a record £400,000 fine over succumbing to a cyberattack that involved SQLi.
The vulnerability works by injecting an unexpected payload (a piece of code) into the input box on the website or in its URL address. Instead of reading the text as part of the URL, the website’s server reads the attacker’s payload as code and then proceeds to execute the attacker’s command or output data that would otherwise be inaccessible to unauthorized parties. Attackers can exploit SQLi even further by uploading pieces of code or even malware to the vulnerable server.
The fact that Street Mobster is susceptible to SQLi attacks clearly shows the disappointing and dangerous neglect of basic security practices on the part of the developers at BigMage Studios.
How we found this vulnerability
Our security team identified an SQL Injection vulnerability on the Street Mobster website and were able to confirm the vulnerability by performing a simple command injection test on the website URL. The CyberNews team did not extract any data from the vulnerable Street Mobster database.
What’s the impact of the vulnerability?
The data in the vulnerable Street Mobster database can be used in a variety of ways against the players whose information was exposed:
By injecting malicious payloads on Street Mobster’s server, attackers can potentially gain access to said server, where they can install malware on the game’s website and cause harm to the visitors – from using the players’ devices to mine cryptocurrency to redirecting them to other malicious websites, installing malware, and more.
The 1.9 million user credentials stored on the database can net the attackers user email addresses and passwords, which they can potentially use for credential stuffing attacks to hack the players’ accounts on other gaming platforms like Steam or other online services.
Because Street Mobster is a free-to-play game that incorporates microtransactions, bad actors could also make a lot of money from selling hacked player accounts on gray market websites.
What to do if you’ve been affected?
If you have a Street Mobster account, make sure to change your password immediately and make it as complex as possible. If you’ve been using your Street Mobster password on any other websites or services, change that password as well. This will prevent potential attackers from accessing your accounts on these websites in case they try to reuse your password for credential stuffing attacks.
However, it’s ultimately up to BigMage Studios to completely secure your Street Mobster account against attacks like SQLi.
Disclosure and lack of communication from BigMage Studios
Following our vulnerability disclosure guidelines, we notified the BigMage Studios about the leak on August 31, 2020. However, we received no reply. Our follow-up emails were left unanswered as well.
We then reached out to CERT Bulgaria on September 11 in order to help secure the website. CERT contacted the BigMage Studios and informed the company about the misconfiguration.
Throughout the disclosure process, BigMage Studios stayed radio silent and refused to get in touch with CyberNews.com. Due to this reason, we also notified the Bulgarian data protection agency about the incident on October 9 in the hopes that the agency would be able to pressure the company into fixing the issue.
Eventually, however, BigMage Studios appear to have fixed the SLQi vulnerability on streetmobster.com, without informing either CyberNews.com or CERT Bulgaria about that fact.
Dickey’s BBQ Breach: Meaty 3M Payment Card Upload Drops on Joker’s Stash
17.10.20 Incindent Threatpost
After cybercriminals smoked out 3 million compromised payment cards on the Joker’s Stash marketplace, researchers linked the data to a breach at the popular barbecue franchise.
Popular U.S. smoked-meat franchise Dickey’s Barbecue Pit has been hit with a data breach, with cybercriminals posting the fat cap of the compromised data – 3 million payment cards – on the popular Joker’s Stash underground marketplace this week.
The Dallas-based franchise, which is a subsidiary of Dickey’s Capital Group, has 469 locations (411 of which are currently open during the pandemic) across 42 states. Researchers believe that the meat of the compromised data came from 156 of these locations across 30 states. They also believe the exposure window appears to be between July 2019 and August 2020.
In a statement sent to Threatpost, Dickey’s confirmed the breach and said it is currently focused on determining the locations affected and time frames involved.17.10.20
“We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway,” according to the statement. “We are utilizing the experience of third parties who have helped other restaurants address similar issues and also working with the FBI and payment card networks. We understand that payment card network rules generally provide that individuals who timely report unauthorized charges to the bank that issued their card are not responsible for those charges.”
The affected Dickey’s locations. Credit: Gemini Research
Researchers with Gemini Advisory shed light on the details of the breach when they discovered the upload on the Joker’s Stash, a popular underground destination that specializes in trading in payment-card data. This marketplace is known for advertising and uploading major breaches containing millions of compromised cards, including the Wawa breach – which dropped 30 million payment cards – from January.
Researchers said they observed the marketplace administrator setting the compromised data live on Oct. 12. The administrators claimed the breached data, which they called BLAZINGSUN, is comprised of 3 million compromised cards with a median price of $17 per card.
Gemini Advisory researchers claim that payment transactions of the franchise may have been processed on point-of-sale (PoS) systems via the outdated magnetic stripe card method – which they said is prone to malware attacks.
Security experts have advocated for retailers to switch over to chip-card readers, which contain an embedded microprocessor that encrypts the card data, implement the EMV standard (which stands for Europay, MasterCard and Visa, and is a global standard for chip cards’ compatibility with point-of-sale terminals), and are in theory a more secure alternative to magnetic stripe cards.
“It remains unclear if the affected restaurants were using outdated terminals or if the EMV terminals were misconfigured; either of these possibilities may hold serious liability for Dickey’s,” researchers said.
Another piece of the equation is that because Dickey’s operates on a franchise model, each location may have been able to dictate the type of POS device and processors that they utilize – so some locations may be affected by the breach, while others may not be, said researchers.
“However, given the widespread nature of the breach, the exposure may be linked to a breach of the single central processor, which was leveraged by over a quarter of all Dickey’s locations,” said researchers. “The current exposure by location does not exactly align with the restaurant’s distribution across states, although with the exception of Texas, which hosts 123 restaurant locations but only three compromised locations, the exposure is approximately reflective of the overall distribution.”
Dickey’s did not provide any further information on the cause of the breach when reached out to by Threatpost.
Warren Poschman, senior solutions architect with data-security specialist comforte AG, said that store merchants need to require the use of secure connections – from the PoS device to the backend – using point-to-point encryption and tokenization. Backend payment processors (and the merchants that outsource to them) must also tokenize all data to ensure that any breach will not result in exposure, he stressed.
“As the breach at Dickey’s BBQ reminds us, there is still plenty of meat left on the bone of credit card fraud despite the dramatic shift in coverage to privacy and identity theft,” he said. “With COVID-19 pushing businesses in the fast casual restaurant segment to the brink, attackers are taking advantage of lax security while many are in survival mode. Regardless of the ill timing, organizations need to ensure that every step in the payment cycle is secured from acquisition to settlement.”
It’s not the first security incident for Dickey’s, which experienced a ransomware attack in 2015 with a $6,000 extortion demand. Gemini Advisory researchers said, based on previous major breaches uploaded to Joker’s Stash, the records from Dickey’s Barbecue Pit will likely continue to be added to this marketplace over several months. Regardless, the incident shows that PoS security issues continue to pose a threat to merchants, they said.
“This represents a broader challenge for the industry, and Dickey’s may become the latest cautionary tale of facing lawsuits in addition to financial damage from cybersecurity attacks,” they said.
Dickey's Barbecue Pit Investigating Possible Breach Affecting 3M Payment Cards
17.10.20 Incindent Securityweek
A data set of millions of payment card records apparently stolen from US-based restaurant franchise Dickey’s Barbecue Pit has emerged on a Dark Web marketplace, Gemini Advisory reports.
The data, posted on the Joker’s Stash underground marketplace, appears to have been harvested from over a hundred compromised locations. The data seems to come from 35 US states and several countries in Europe and Asia.
The data set, which is titled BLAZINGSUN, supposedly contains 3 million payment records, with an average price of $17 per card.
There are 469 locations across 42 states that are operating under the Dickey’s Barbecue Pit franchise, each of them allowed to use the type of point-of-sale (POS) device they like, as well as their preferred processors.
According to Gemini Advisory, the data that emerged on Joker’s Stash suggests that 156 Dickey’s locations across 30 states may have been compromised. The data was supposedly harvested between July 2019 and August 2020.
“Dickey’s operates on a franchise model, which often allows each location to dictate the type of point-of-sale (POS) device and processors that they utilize. However, given the widespread nature of the breach, the exposure may be linked to a breach of the single central processor, which was leveraged by over a quarter of all Dickey’s locations,” Gemini Advisory says.
The security firm also notes that the exposure by location does not exactly align with the restaurant’s distribution across states, although with the exception of Texas, which hosts 123 restaurant locations but only three compromised locations, the exposure is approximately reflective of the overall distribution.
Gemini also says that the payment transactions in this breach were processed via the magstripe method, which is outdated and prone to attacks. However, it’s unclear whether the affected restaurants employed outdated or misconfigured terminals.
“Based on previous Joker’s Stash major breaches, the records from Dickey’s will likely continue to be added to this marketplace over several months,” the security firm notes.
The restaurant chain says it’s aware of a possible data breach and it has launched an investigation.
"We received a report indicating that a payment card security incident may have occurred. We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved. We are utilizing the experience of third parties who have helped other restaurants address similar issues and also working with the FBI and payment card networks. We understand that payment card network rules generally provide that individuals who timely report unauthorized charges to the bank that issued their card are not responsible for those charges," Dickey's said, responding to a SecurityWeek inquiry.
Breach at Dickey’s Barbecue Pit compromises 3 million Cards
16.10.20 Incindent Securityaffairs
Dickey’s Barbecue Pit, the largest barbecue restaurant chain in the US, suffered a POS breach, card details for 3 Million customers were posted online.
Dickey’s Barbecue Pit is a family-owned American barbecue restaurant chain, the company suffered a POS breach and card details of more than three million customers have been posted on the carding portal Joker’s Stash.
The huge trove of payment card data was spotted by researchers from the cyber-security firm Gemini Advisory.
The Joker’s Stash dark web marketplace is one of the most popular carding websites, it is known for advertising and card details from major breaches.
The card details of Dickey’s Barbecue Pit‘s customers were included in a dump titled “BLAZINGSUN.” JokerStash originally claimed that the breach would be available in August, then again in September, and finally it was posted online on October 12.
“Gemini Advisory determined that the compromised point of purchase (CPP) was Dickey’s Barbecue Pit, a US-based restaurant franchise.” reads the post published by Gemini Advisory.
“The advertisement claimed that BLAZINGSUN would contain 3 million compromised cards with both track 1 and track 2 data. They purportedly came from 35 US states and “some” countries across Europe and Asia.”
This BLAZINGSUN breach contains 3 million compromised payment records that are available for a median price of $17 per card.
The experts worked with several partner financial institutions who independently confirmed the authenticity of the stolen data.
According to Gemini, the hackers obtained the card details after compromised the in-store Point-of-Sale (POS) system used at Dickey’s Barbecue Pit restaurants.
Crooks compromised 156 of Dickey’s 469 locations across 30 states, most of them in California and Arizona.
Dickey’s locations are marked by the blue restaurant icon while the locations confirmed to be compromised are marked in red.
The compromise took place between July 2019 and August 2020. Gemini reported that the root cause of the security breach was the use of the outdated magstripe method for payment transactions, which exposed car holders to PoS malware attacks.
The company published an official statement that confirmed that it has immediately started the incident response procedure.
“We received a report indicating that a payment card security incident may have occurred. We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved.” reads the statement provided by the company. “We are utilizing the experience of third parties who have helped other restaurants address similar issues and also working with the FBI and payment card networks. We understand that payment card network rules generally provide that individuals who timely report unauthorized charges to the bank that issued their card are not responsible for those charges.”
The payment card records are mostly for cards using outdated magstripe technologies and are being sold for a median price of $17 per card.
“Based on previous Joker’s Stash major breaches, the records from Dickey’s will likely continue to be added to this marketplace over several months.”concludes the post.
Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts
16.10.20 Incindent Threatpost
Companies that use Broadvoice’s cloud-based VoIP platform may find their patients, customers, suppliers and partners to be impacted by a massive data exposure.
UPDATE
Broadvoice, a well-known VoIP provider that serves small- and medium-sized businesses, has leaked more than 350 million customer records related to the company’s “b-hive” cloud-based communications suite.
The data includes hundreds of thousands of voicemail transcripts, many involving sensitive information such as details about medical prescriptions and financial loans.
Broadvoice provides one of the more popular business platforms for communications, which includes voice, contact-center technology, remote-workforce help, Salesforce.com integration, unified communications, SIP trunking and more. Much of this is offered via b-hive, which it hosts on behalf of customers such as doctors’ offices, law firms, retail stores, community organizations and more.
Because its technology underpins these customers’ basic interactions with patients, clients, partners, suppliers and others, plenty of personal data flows through Broadvoice’s cloud-based systems. And that data is apparently retained by the company, so that its business clients can access it if needed, for analytics and call-center quality control, among other things.
Unfortunately, according to researchers at Comparitech, Broadvoice left an Elasticsearch database cluster containing such information open to the internet, accessible to anyone, with no authentication required. The cache of data included records with personal details of Broadvoice clients’ customers, they noted.
The misconfigured cluster included 10 separate collections of data, related to b-hive.
The largest collection (275 million records) included full caller name, caller ID, phone number, and city and state. Meanwhile, a collection entitled “people-production” contained account ID numbers for Broadvoice’s own customers, which allowed researchers to cross-reference entries with records in other collections.
But the most concerning one held 2 million voicemail records, with more than 200,000 transcripts.
“Many of the transcripts included select personal details such as full name, phone number and date of birth, as well as some sensitive information,” according to a Comparitech posting on Thursday. “For example, some transcripts of voicemails left at medical clinics included names of prescriptions or details about medical procedures. In one transcript, the caller identified themselves by their full name and discussed a positive COVID-19 diagnosis.”
Researchers added, “Other voicemails left for financial-service companies included details about mortgages and other loans, while there was at least one instance of an insurance-policy number being disclosed.”
Most of these records also contained a full name, business name or a generic name such as “wireless caller”; phone number; a name or identifier for the voice mailbox (such as “appointments”); and internal identifiers, according to Comparitech.
When reached for comment about Broadvoice’s data-retention policies, and whether its business customers will be issuing data-breach notifications to their own affected customers, Rebecca Rosen, vice president of marketing, told Threatpost that the number of impacted businesses is likely less than 10,000.
“To provide some perspective, we believe that the researcher accessed a sub-set of data that potentially impacted less than 10,000 customers,” she said. “Our investigation is otherwise ongoing, and we are not otherwise commenting or speculating other than what we have posted online.”
Aside from the privacy implications, the data paves the way for convincing fraud attempts, researchers noted.
“The leaked database represents a wealth of information that could help facilitate targeted phishing attacks,” according to Comparitech. “In the hands of fraudsters, it would offer a ripe opportunity to dupe Broadvoice clients and their customers out of additional information and possibly into handing over money. For example, criminals could pose as Broadvoice or one of its clients to convince customers to provide things like account login credentials or financial information.”
Meanwhile, “information about things like medical prescriptions and loan enquiries could be used to make messages extremely convincing and persuasive.”
The collections were discovered by researcher Bob Diachenko on Oct. 1, and were secured the same day, according to Broadvoice. The cluster had been uploaded on Sept. 28, meaning it was exposed for about four days.
“Broadvoice takes data privacy and security seriously,” Broadvoice CEO Jim Murphy said in a statement. He added, “At this point, we have no reason to believe that there has been any misuse of the data. We are currently engaging a third-party forensics firm to analyze this data and will provide more information and updates to our customers and partners. We cannot speculate further about this issue at this time.”
He also said that Broadvoice is working with Diachenko to ensure that the retained data is destroyed.
Cybercriminals Steal Nearly 1TB of Data from Miami-Based International Tech Firm
15.10.20 Incindent Threatpost
Databases of sensitive, financial and personally identifiable info and documents from Intcomex were leaked on Russian-language hacker forum after a ransomware attack.
Hackers have stolen nearly a terabyte of data from a Miami-based tech firm, leaking a number of the pilfered files (including full credit-card information, scans of sensitive documents such as passports, bank statements and financial documents, and even customer databases) on a Russian hacker forum.
An investigation uncovered leaked data belonging to Intcomex, a very large value-added reseller (VAR) which provides technology products and services targeting Latin America and the Caribbean. The leaks occurred on Sept. 14 and Sept. 20, when hackers dumped it in two parts on the forum.
“So far, the first release was a collection called ‘Internal Audit’ with a size of 16.6GB, while the second release is titled ‘Finance_ER,’ totaling 18GB,” according to a report on the CyberNews website. “Based on folder names, the most recent data comes from July 2020.”
The data appears to have been stolen as the result of a ransomware attack. Hackers promised to leak “the more interesting data”— which — at a later time, according to the report. A Russian-language note left along with the leaked data alludes to the hackers waiting to see if the company will pay up before releasing the rest of the data, which likely will be more full credit-card information, a treasure trove for hackers, according to the report.
CyberNews said it contacted Intcomex on Sept. 21 about the leak, which confirmed that the database researchers saw on the forum is indeed theirs.
Intcomex said it took “decisive steps to address the situation and protect our systems” upon learning about the leak and is working with third-party cybersecurity experts in the investigation of what happened, according to a media statement. The company also notified law enforcement and is in the process of letting “affected parties” know about the leak “as appropriate,” the company said.
The breach did not impact the services Intcomex provides to its partners, the company said. However, its sheer size, the sensitivity of the info, and the lack of breach detection by the company are extremely worrisome from a cybersecurity position, experts noted.
“Not only is this leak significant in the volume of data that was leaked, but also the sensitive contents of the data as well,” observed Erich Kron, security awareness advocate for security firm KnowBe4, in an email to Threatpost. “This is not a simple matter of an email address and a name; when sensitive information such as passport numbers and license scans along with payroll information are lost, these can cause significant damage to the users of the service, up to and including real identity theft.”
Threat actors also were able to steal the data and dump it online before the company even noticed, observed Chris Clements, vice president of solutions architecture for security firm Cerberus Sentinel.
“This highlights the ongoing shortcomings of businesses in detecting that a breach has occurred before the attacker has been able to do significant damage,” he said in an email to Threatpost. “In this case, attackers were apparently able to exfiltrate nearly a terabyte of sensitive information without detection.”
Indeed, the data leaked by the team is extensive and could be used by cybercriminals to launch further and comprehensive attacks on the company’s employees, customers or partners. Credit cards include the full number, expiration date, CVV2, and the holder’s full name, and document scans include full passport info for both U.S. and Latin American passport holders, as well as people’s Social Security numbers and full driver-license info.
The fact that the company operates across country borders also could mean a very messy and expensive clean-up operation on the backend of the leak, Kron noted.
“Between legal fees, fines and identity-theft protection services being provided to the victims, these types of attacks can be very costly for organizations,” he said. “In addition, with this organization serving 41 countries, they are going to have a mess of notification requirements and additional fines are likely from foreign entities.”
Hackers Publish Public School District's Stolen Data Online
12.10.20 Incindent Securityweek
Computer hackers who obtained information about a Virginia public school district’s students and employees have posted stolen data online, school officials said Friday in an email to parents and staff.
The Fairfax County Public Schools didn’t specify the nature or volume of the data that was stolen in the ransomware attack last month. Hackers use ransomware software to steal data and threaten to publish or block access to it unless a target pays a ransom.
The Washington Post reports that Schools Superintendent Scott Brabrand’s email on Friday said the criminal cyber organization known as the Maze group had claimed responsibility for the attack and posted stolen data on the dark web.
Braband said the district was cooperating with the Virginia State Police and the FBI.
“We are working around the clock to identify the information that was taken and will notify impacted individuals as appropriate,” he wrote.
School district spokeswoman Lucy Caldwell said officials believe “only a subset of individuals, including a limited number of students” were affected by the ransomware attack. Caldwell said the district will offer free credit-monitoring services to all district employees and their spouses and any others who were affected.
Developer successfully compiled leaked source code for MS Windows XP and Windows Server 2003 OSs
1.10.20 Incindent Securityaffairs
Last week, the source code for MS Windows XP and Windows Server 2003 OSs were leaked online, now a developer successfully compiled them.
Last week, the source code for Microsoft’s Windows XP and Windows Server 2003 operating systems was published as a torrent file on the bulletin board website 4chan. This is the first time that the source code of Microsoft’s 19-year-old operating system was leaked online.
The leaker goes online with the moniker billgates3 and claims to have collected the source code over the course of the last few months.
The leaker also added that the source code for multiple Microsoft operating systems is circulating in the hacking community for years.
The collection of torrent files leaked online is 43GB in size and include the source code for Windows Server 2003 and other older operating systems developed by Microsoft, including:
Windows 2000
Windows CE 3
Windows CE 4
Windows CE 5
Windows Embedded 7
Windows Embedded CE
Windows NT 3.5
Windows NT 4
MS-DOS 3.30
MS-DOS 6.0
Now a Windows developer that goes online with the moniker ‘NTDEV‘ announced to have successfully compiled both Windows XP and Windows Server 2003 using the leaked source code.
And the final proof…
I'm so excited! It's been such an amazing journey! pic.twitter.com/d0wLp1OdRQ
— NTDEV (@NTDEV_) September 29, 2020
I have compiled Server 2003 and, it seems like it's more complete than XP… Let's make it an ISO and see how far it goes…
(for comparison, the "CD" from the compiled XP took only 68MB) pic.twitter.com/ncCwTjCS1f
— NTDEV (@NTDEV_) September 28, 2020
‘NTDEV‘ also published a video to show how to compile both Windows operating systems. The expert has no problem while compiling the source code for Windows server 2003.
The developer explained that the source code for Windows XP doesn’t contain critical files, including the Winlogon.exe.
“So, upon further inspection, the XP source code might not be as complete as we previously thought, as it doesn’t compile a critical file, winlogon.exe However, there is also an Server 2003 sc in that leak, so let’s see how far that goes… Stay tuned!” added the developer.
So, upon further inspection, the XP source code might not be as complete as we previously thought, as it doesn't compile a critical file, winlogon.exe
However, there is also an Server 2003 sc in that leak, so let's see how far that goes… Stay tuned!
— NTDEV (@NTDEV_) September 28, 2020
The expert provided multiple updates on its attempts and successes through its Twitter account.
The availability of the source code of the Windows XP could allow threat actors to search for zero-day issues that could be exploited in attacks against the tens of millions of PCs are still based on the popular Microsoft OS.
French Shipping Giant CMA CGM Discloses Security Breach
29.9.20 Incindent Securityweek
French shipping giant CMA CGM on Monday revealed that it has been dealing with a cyberattack that forced it to shut down some systems.
The company said it disabled external access to its IT applications to prevent malware from spreading.
“Our teams are fully mobilized and access to our information systems is gradually resuming,” the company said. “The CMA CGM network remains available to the Group's customers for all booking and operation requests.”
While CMA CGM has not shared any additional information about the incident, Lloyd’s List reported that the incident involved a piece of file-encrypting ransomware named Ragnar Locker. Earlier this year, the same ransomware, which its creators continue to improve, reportedly hit renewable energy company EDP Renewables North America.
SecurityWeek has reached out to CMA CGM for more information and will update this article if the company responds.
CMA CGM says on its website that it has 755 offices, 750 warehouses and 110,000 employees across more than 160 countries. Its fleet of 489 vessels serves a majority of the commercial ports around the world.
CMA CGM is not the only shipping giant to fall victim to a cyberattack. The list also includes Maersk, which in 2017 was hit by the NotPetya attack, Mediterranean Shipping Company (MSC), which earlier this year suffered an outage due to a malware attack, and China’s COSCO, which experienced disruptions due to a piece of ransomware in 2018.
Tyler Technologies Says Customers Reported Suspicious Logins
28.9.20 Incindent Securityweek
Tyler Technologies, a major provider of software and services for state and local governments in the United States, has advised customers to reset remote network access passwords after a couple of customers reported suspicious logins.
Tyler recently launched an investigation after its internal corporate network was hit by ransomware. It’s currently unclear if the suspicious logins are related to the recent ransomware incident, but as a precaution the company has advised clients who haven’t already done so to reset the passwords that Tyler staff use to remotely access their network and applications.
“We recently learned that two clients have reported suspicious logins to their systems using Tyler credentials. Although we are not aware of any malicious activity on client systems and we have not been able to investigate or determine the details regarding these logins, we wanted to let you know immediately so that you can take action to protect your systems,” Matt Bieri, the CIO of Tyler Technologies, told customers.
“Although we do not have enough information to know whether this evening’s reports of suspicious activity are related to the ongoing investigation of unauthorized access to Tyler’s internal systems, we believe precautionary password resets should be implemented,” he added.
In updates posted on its website over the weekend, Tyler said it became aware of unauthorized access to some of its internal systems, including phone and IT systems, early in the morning of September 23. Some systems were shut down and an investigation was launched.
The company has confirmed being targeted with a piece of ransomware — it was the RansomExx ransomware according to some reports — but it’s not sharing additional technical information due to its ongoing investigation. An investigation is also being conducted by law enforcement.
The operators of the RansomExx ransomware are not known to steal data from targeted organizations, and Tyler says it has found no evidence that the environment hosting customer systems, which is separate from the corporate network, was also impacted.
Tyler has also responded to reports that some customers were unable to make court and utility payments due to the incident. The firm claims it has reviewed logs and it has found no evidence of disruption to payment services.
Some have also raised concerns related to the election-related services provided by the company to governments, and potential impact on elections resulting from this incident. However, Tyler pointed out that it does not make actual election software. Its Socrata open data platform can be used to post election results, promote campaign finance transparency, or post information on polling, but in reality very few use it for this purpose.
“Tyler's Socrata product is a SaaS data platform that is hosted offsite on AWS (Amazon Web Services), not on Tyler's internal network that was impacted. We have never had a report that a bad actor has used our Socrata platform to display incorrect or misleading election results, polling locations, campaign finance information, or other civic data,” Tyler said.
Source Code of Windows XP, Server 2003 leaked
26.9.20 Incindent Securityaffairs
The source code for Microsoft’s Windows XP and Windows Server 2003 operating systems was published as a torrent file on bulletin board website 4chan.
The source code for Microsoft’s Windows XP and Windows Server 2003 operating systems was published as a torrent file on the bulletin board website 4chan. This is the first time that the source code of Microsoft’s 19-year-old operating system was leaked online.
The leaker goes online with the moniker billgates3 and claims to have collected the source code over the course of the last few months.
The leaker also added that the source code for multiple Microsoft operating systems is circulating in the hacking community for years.
“I created this torrent for the community, as I believe information should be free and available to everyone, and hoarding information for oneself and keeping it secret is an evil act in my opinion,” the leaker said,” [Micorsoft] claims to love open source so then I guess they’ll love how open this source code is now that it’s passed around on BitTorrent.”
The collection of torrent files leaked online is 43GB in size and include the source code for Windows Server 2003 and other older operating systems developed by Microsoft, including:
Windows 2000
Windows CE 3
Windows CE 4
Windows CE 5
Windows Embedded 7
Windows Embedded CE
Windows NT 3.5
Windows NT 4
MS-DOS 3.30
MS-DOS 6.0
According to multiple media, the leaked Windows XP code is related to the SP1 version.
The collection of torrent also includes the source code some Windows 10 internal builds along with the source code for the first Xbox OS that was first leaked online in May.
Even if the Windows XP has reached the end of life, the popular OS is still running on roughly one percent of computers worldwide
The availability of the source code of the Windows XP could allow threat actors to search for zero-day issues that could be exploited in attacks against the tens of millions of PCs are still based on the popular Microsoft OS.
Source Code of Windows XP, Server 2003 Allegedly Leaked
26.9.20 Incindent Securityweek
Someone has leaked what appear to be source code files for the Windows XP and Windows Server 2003 operating systems
The files were leaked on the image-based bulletin board 4chan and they can be downloaded both from file hosting websites and via torrents. There are tens of gigabytes of files and they also seem to include source code for older Microsoft operating systems (MS-DOS, Windows NT, Windows CE, Windows 2000), previously leaked files related to Xbox, and Bill Gates conspiracy theories.
One individual claimed on 4chan that these files have been “going around privately for many years now.”
The source code files for Windows XP and Windows Server 2003 appear to have been made public for the first time. Several people say the code looks legitimate and one infosec enthusiast pointed out that the leaked Windows XP code seems to be for the SP1 version.
Both Windows XP and Windows Server 2003 reached end of life and end of support years ago. However, according to some recent data, Windows XP is still running on roughly one percent of computers worldwide, which translates to tens of millions of PCs.
From a security perspective, while the Windows XP source code could be useful for finding some new vulnerabilities in the operating system, threat actors have plenty of existing exploits to choose from if they want to target devices running Windows XP.
Some pointed out, however, that parts of the code in Windows XP likely also made it into Windows 10, which could have more serious implications.
On the other hand, the source code of Windows operating systems is not a closely guarded secret, as some pointed out. Microsoft has been giving access to Windows source code to plenty of entities, particularly for transparency purposes. It’s also worth noting that some Windows 10 source code was also leaked online a few years ago.
Nevertheless, some individuals already claim to have found “interesting stuff” in the leaked files.
SecurityWeek has reached out to Microsoft for comment and will update this article if the company responds.
Microsoft Windows XP Source Code Reportedly Leaked Online
26.9.20 Incindent Thehackernews
Microsoft's long-lived operating system Windows XP—that still powers over 1% of all laptops and desktop computers worldwide—has had its source code leaked online, allegedly, along with Windows Server 2003.
Yes, you heard that right.
The source code for Microsoft's 19-year-old operating system was published as a torrent file on notorious bulletin board website 4chan, and it's for the very first time when source code for Microsoft's operating system has been leaked to the public.
Several reports suggest that the collection of torrent files, which weigh 43GB in size, also said to include the source code for Windows Server 2003 and several Microsoft's older operating systems, including:
Windows 2000
Windows CE 3
Windows CE 4
Windows CE 5
Windows Embedded 7
Windows Embedded CE
Windows NT 3.5
Windows NT 4
MS-DOS 3.30
MS-DOS 6.0
The torrent download also includes the alleged source code for various Windows 10 components that appeared in 2017 and source code for the first operating system of the original Xbox that appeared online in May.
While Microsoft has not officially confirmed or denied the leak yet, several independent security researchers have since begun analyzing the source code and spoken of its legitimacy (1, 2).
Using the name billgates3, the leaker claims to have compiled the collection of leaked Microsoft source code over the course of the last few months.
The leaker also said that many Microsoft operating system source code files had been passed around privately between hackers for years.
So, the leaker decided to share the source code to the public, saying that "information should be free and available to everyone."
"I created this torrent for the community, as I believe information should be free and available to everyone, and hoarding information for oneself and keeping it secret is an evil act in my opinion," the leaker said, adding that the company "claims to love open source so then I guess they'll love how open this source code is now that it's passed around on BitTorrent."
Besides containing source code, the torrent also includes a media folder (files and videos) related to conspiracy theories about Bill Gates.
The leaked source code should not come as a surprise as Microsoft does have a history of providing its OS source code to governments worldwide via a special Government Security Program (GSP) the company runs that allows governments and organizations controlled access to the source code.
Needless to say, Microsoft ended its support for Windows XP back in 2014, so its source code leak doesn't make the systems running the outdated OS version more of a target, because there's probably a ton of other unpatched vulnerabilities already exist.
But since operating systems may share code, exploitable flaws found in the Windows XP source code still present in Windows 10 can allow hackers to target newer versions of Windows operating system altogether, which would be a real threat to billions of users.
Feds Hit with Successful Cyberattack, Data Stolen
25.9.20 Incindent Threatpost
The attack featured a unique, multistage malware and a likely PulseSecure VPN exploit.
A federal agency has suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Thursday, not naming the agency but providing technical details of the attack. Hackers, it said, gained initial access by using employees’ legitimate Microsoft Office 365 log-in credentials to sign onto an agency computer remotely.
“The cyber-threat actor had valid access credentials for multiple users’ Microsoft Office 365 (O365) accounts and domain administrator accounts,” according to CISA. “First, the threat actor logged into a user’s O365 account from Internet Protocol (IP) address 91.219.236[.]166 and then browsed pages on a SharePoint site and downloaded a file. The cyber-threat actor connected multiple times by Transmission Control Protocol (TCP) from IP address 185.86.151[.]223 to the victim organization’s virtual private network (VPN) server.”
As for how the attackers managed to get their hands on the credentials in the first place, CISA’s investigation turned up no definitive answer – however, it speculated that it could have been a result of a vulnerability exploit that it said has been rampant across government networks.
“It is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability—CVE-2019-11510—in Pulse Secure,” according to the alert. “CVE-2019-11510…allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government.”
The patch was issued in April of 2019, but the Department of Homeland Security (DHS) in April of this year noted that before the patches were deployed, bad actors were able to compromise Active Directory accounts via the flaw – so, even those who have patched for the bug could still be compromised and are vulnerable to attack.
After initial access, the group set about carrying out reconnaissance on the network. First they logged into an agency O365 email account to view and download help-desk email attachments with “Intranet access” and “VPN passwords” in the subject lines – and it uncovered Active Directory and Group Policy key, changing a registry key for the Group Policy.
“Immediately afterward, the threat actor used common Microsoft Windows command line processes—conhost, ipconfig, net, query, netstat, ping and whoami, plink.exe—to enumerate the compromised system and network,” according to CISA.
The next step was to connect to a virtual private server (VPS) through a Windows Server Message Block (SMB) client, using an alias secure identifier account that the group had previously created to log into it; then, they executed plink.exe, a remote administration utility.
After that, they connected to command-and-control (C2), and installed a custom malware with the file name “inetinfo.exe.” The attackers also set up a locally mounted remote share, which “allowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis,” CISA noted.
The cybercriminals, while logged in as an admin, created a scheduled task to run the malware, which turned out to be a dropper for additional payloads.
“inetinfo.exe is a unique, multi-stage malware used to drop files,” explained CISA. “It dropped system.dll and 363691858 files and a second instance of inetinfo.exe. The system.dll from the second instance of inetinfo.exe decrypted 363691858 as binary from the first instance of inetinfo.exe. The decrypted 363691858 binary was injected into the second instance of inetinfo.exe to create and connect to a locally named tunnel. The injected binary then executed shellcode in memory that connected to IP address 185.142.236[.]198, which resulted in download and execution of a payload.”
It added, “The cyber-threat actor was able to overcome the agency’s anti-malware protection, and inetinfo.exe escaped quarantine.”
CISA didn’t specify what the secondary payload was – Threatpost has reached out for additional information.
The threat group meanwhile also established a backdoor in the form of a persistent Secure Socket Shell (SSH) tunnel/reverse SOCKS proxy.
“The proxy allowed connections between an attacker-controlled remote server and one of the victim organization’s file servers,” according to CISA. “The reverse SOCKS proxy communicated through port 8100. This port is normally closed, but the attacker’s malware opened it.”
A local account was then created, which was used for data collection and exfiltration. From the account, the cybercriminals browsed directories on victim file servers; copied files from users’ home directories; connected an attacker-controlled VPS with the agency’s file server (via a reverse SMB SOCKS proxy); and exfiltrated all the data using the Microsoft Windows Terminal Services client.
The attack has been remediated – and it’s unclear when it took place. CISA said that it’s intrusion-detection system was thankfully able to eventually flag the activity, however.
“CISA became aware—via EINSTEIN, CISA’s intrusion-detection system that monitors federal civilian networks—of a potential compromise of a federal agency’s network,” according to the alert. “In coordination with the affected agency, CISA conducted an incident response engagement, confirming malicious activity.”
Data for 600K customers of U.S. fitness chains Town Sports leaked online
24.9.20 Incindent Securityweek
The database containing personal information of over 600,000 clients of the US fitness chain Town Sports was exposed on the Internet.
US fitness chain Town Sports has suffered a data breach, a database belonging to the company containing the personal information of over 600,000 people was exposed on the Internet.
Town Sports International Holdings is an operator of fitness centers in the Eastern United States, California and in Switzerland. Its brands include New York Sports Clubs, Boston Sports Clubs, Philadelphia Sports Clubs, Washington Sports Clubs, Lucille Roberts, TMPL Gym and Total Woman Gym and Spa.
Town Sports International lost the battle with the Coronavirus outbreak and filed for bankruptcy on September 14, 2020.
Data breach hunter Bob Diachenko discovered a database belonging to the company exposed online.
The archive contained records for almost 600,000 members or staff, exposed info includes names, addresses, phone numbers, email addresses, last four digits of credit cards, credit card expiration dates, and a member’s billing history.
“Fitness chain Town Sports International has exposed 600,000 records of members and employees on the web without a password or any other authentication required to access it, Comparitech researchers report.” reads the report published by Comparitech, “Comparitech security researcher Bob Diachenko received a tip from cybersecurity expert Sami Toivonen about the exposure on September 21, 2020.”
The expert confirmed that the database did not contain financial data or account passwords.
Diachenko notified Town Sports and shared his findings with the journalist Zack Whittaker from Techcrunch on September 21, 2020.
The good news is that the company secured the database the day after it was informed of the data leak.
At the time it not clear how long the database remained exposed online and if any unauthorized persons had accessed it in the past.
Town Sports should remain vigilant, threat actors could use the exposed data to carry out several malicious activities.
“In the wrong hands, cybercriminals could use the information stored in the database to scam and phish Town Sports customers and employees.” concludes Comparitech.
“Scammers can use the database’s personal information to make the message seem more convincing. Phishing messages usually contain links to phishing pages that look authentic and often identical to the official website, but in fact are copies designed to steal passwords or payment info.”
Shopify Discloses Insider Threat Incident
24.9.20 Incindent Securityweek
E-commerce platform provider Shopify on Tuesday said two members of its support staff were caught accessing customer information without authorization.
According to Shopify, the two employees used their permissions to access customer transactional records from some merchants. The company says less than 200 merchants are impacted by the incident and they have all been notified.
The exposed merchant customer data included name, email address, physical address, and order details (e.g. products and services purchased), but payment card or other financial information were not impacted.
The rogue employees have been terminated and law enforcement has launched an investigation.
“We are currently working with the FBI and other international agencies in their investigation of these criminal acts. While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant,” Shopify said.
The company pointed out that this insider threat incident did not involve exploitation of a vulnerability in its platform.
“Our teams have been in close communication with affected merchants to help them navigate this issue and address any of their concerns. We don’t take these events lightly at Shopify. We have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product,” the company said.
Incidents like this are not unheard of. Last year, Trend Micro said an employee sold the personal information of roughly 100,000 customers to tech support scammers.
Unsecured Microsoft Bing Server Exposed Users' Search Queries and Location
23.9.20 Incindent Thehackernews
A back-end server associated with Microsoft Bing exposed sensitive data of the search engine's mobile application users, including search queries, device details, and GPS coordinates, among others.
The logging database, however, doesn't include any personal details such as names or addresses.
The data leak, discovered by Ata Hakcil of WizCase on September 12, is a massive 6.5TB cache of log files that was left for anyone to access without any password, potentially allowing cybercriminals to leverage the information for carrying out extortion and phishing scams.
According to WizCase, the Elastic server is believed to have been password protected until September 10, after which the authentication seems to have been inadvertently removed.
After the findings were privately disclosed to Microsoft Security Response Center, the Windows maker addressed the misconfiguration on September 16.
Misconfigured servers have been a constant source of data leaks in recent years, resulting in exposure of email addresses, passwords, phone numbers, and private messages.
"Based on the sheer amount of data, it is safe to speculate that anyone who has made a Bing search with the mobile app while the server has been exposed is at risk," said WizCase's Chase Williams in a Monday post. "We saw records of people searching from more than 70 countries."
Some of the search terms comprised of predators looking for child porn and the websites they visited following the search as well as "queries related to guns and interest in shootings, with search histories that included shopping for guns, and search terms like 'kill commies.'"
Aside from device and location details, the data also consisted of the exact time the search was performed using the mobile app, a partial list of the URLs the users visited from the search results, and three unique identifiers, such as ADID (a numeric ID assigned by Microsoft Advertising to an ad), "deviceID", and "devicehash."
In addition, the server also came under what's called a "meow attack" at least twice, an automated cyberattack that has wiped data from over 14,000 unsecured database instances since July with no explanation.
Although the leaky server didn't reveal names and other personal information, WizCase cautioned that the data could be exploited for other nefarious purposes, in addition to exposing users to physical attacks by letting criminals triangulate their whereabouts.
"Whether it's searching for adult content, cheating on a significant other, extreme political views, or hundreds of embarrassing things people search for on Bing," the company said. "Once the hacker has the search query, it could be possible to find out the person's identity thanks to all the details available on the server, making them an easy blackmail target."
Health Care Patient, Donor Data May Have Been Breached
19.9.20 Incindent Securityweek
Patients and donors to at least four different health care providers in Minnesota are being notified that their personal information may have been compromised.
The potential data breach involves hundreds of thousands of patients and donors at Children’s Minnesota, Allina Health, Regions Hospital and Gillette Children’s Specialty Healthcare.
The hack is part of a ransomware attack on a cloud computing company called Blackbaud, which manages databases for a number of nonprofits.
“Since learning of this incident, we have been working with Blackbaud to understand the scope of the ransomware attack and the steps it is taking to prevent future data security incidents,” a statement from Allina Health said. “Our security experts have evaluated Blackbaud’s security protocols and feel confident it has taken the appropriate action to further protect the information entrusted to it.”
More than 200,000 patients and donors from Allina Health hospitals and clinics and more than 160,000 patients and donors at Children’s Minnesota have been notified of the possible data breach.
Children’s Minnesota has told those involved to check their medical bills for signs of fraud.
Allina’s breach notice says the information involved, including names, addresses and possibly medical information, does not put individuals at risk for identity or financial theft, the Star Tribune reported.
Staples discloses data breach exposing customer order data
15.9.20 Incindent Securityaffairs
Giant office retail company Staples disclosed a data breach, threat actors accessed some of its customers’ order data.
Staples, the office retail giant, disclosed a data breach, it notified its customers that their order data have been accessed by threat actors without authorization.
The office retail giant sent out a data breach notification letter to the impacted customers, the incident took place around September 2.
The popular security expert Troy Hunt, who runs the data breach notification service HaveIBeenPwned published on Twitter the incident notice sent out by the company to its customers.
According to the notification, no sensitive data was exposed and an unauthorized party only accessed a limited amount of order data for customers of Staples.com.
Staples revealed that exposed order data includes customers’ names, addresses, email addresses, phone numbers, last four credit card digits, cost of the products, delivery and product ordered.
The data accessed by the hackers did not include account credentials and full payment card data.
Exposed data could be abused by threat actors to carry out malicious activities, including identity theft and phone call scams.
Customers that received the data breach notification could contact the company by phone for any questions or concerns.
Popular Marketing Tool exposes data of users of dating sites
14.9.20 Incindent Securityaffairs
Personal details of hundreds of users of dating sites were exposed online earlier this month.
An Elasticsearch server containing personal details of hundreds of thousands of dating site users were exposed online without authentication.
The unsecured database was discovered by security researchers from vpnMentor at the end of August.
“vpnMentor’s research team recently received a report from an anonymous ethical hacker about a massive data leak exposing users of over 70 adult dating and e-commerce websites from around the world.” reads the post published by vpnMentor.
“The various websites were all using the same marketing software built by email marketing company Mailfire — who was responsible for the leak.”
The experts discovered that the database was containing copies of push notifications that tens of online sites were sending to their users via Mailfire’s push notification service.
The archive contains 882.1 GB of log files that were being updated in real-time while the notifications were sent out to the users of more than 70 dating sites. The database also contained data from some e-commerce websites, the leak affected individuals from over 100 countries.
At the beginning of the investigation, the server’s database was containing over 370 million records for 66 million individual notifications sent in just 96 hours.
Data exposed in the notifications includes:
Full names
Age and date of birth
Gender
Email addresses
Locations of senders
IP addresses
Profile pictures uploaded by users
Profile bio descriptions
The leak also exposed messages between users of the impacted dating sites that could include embarrassing relationships or sexual interests.
Some of the notifications included in the archive contained links to the user’s profile that also contained authentication keys. An attacker could use these URLs to access a user’s profile on the dating site without the knowledge of the password.
Leaked data could expose users to several malicious activities, including scams, identity theft, blackmail and extortion, and of course attack takeover.
Below the timeline of the discovery:
Data leak discovered: 31st August 2020
Vendors contacted: 3rd September 2020
Response received from Mailfire: 3rd September 2020
Server secured: 3rd September 2020
Client companies informed: 4th September 2020
