Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Breach. Show all posts
SparkCat
Android app removal Apple Breach Cyber Security Cybersecurity Data Google iOS malware SparkCat

Apple and Google Remove 20 Apps Infected with Data-Stealing Malware


Apple and Google have removed 20 apps from their respective app stores after cybersecurity researchers discovered that they had been infected with data-stealing malware for nearly a year.

According to Kaspersky, the malware, named SparkCat, has been active since March 2024. Researchers first detected it in a food delivery app used in the United Arab Emirates and Indonesia before uncovering its presence in 19 additional apps. Collectively, these infected apps had been downloaded over 242,000 times from Google Play Store.

The malware uses optical character recognition (OCR) technology to scan text displayed on a device’s screen. Researchers found that it targeted image galleries to identify keywords associated with cryptocurrency wallet recovery phrases in multiple languages, including English, Chinese, Japanese, and Korean. 

By capturing these recovery phrases, attackers could gain complete control over victims' wallets and steal their funds. Additionally, the malware could extract sensitive data from screenshots, such as messages and passwords.

Following Kaspersky’s report, Apple removed the infected apps from the App Store last week, and Google followed soon after.

Google spokesperson Ed Fernandez confirmed to TechCrunch: "All of the identified apps have been removed from Google Play, and the developers have been banned."

Google also assured that Android users were protected from known versions of this malware through its built-in Google Play Protect security system. Apple has not responded to requests for comment.

Despite the apps being taken down from official stores, Kaspersky spokesperson Rosemarie Gonzales revealed that the malware is still accessible through third-party websites and unauthorized app stores, posing a continued threat to users.
Read more »
Ransomware
Breach Cyber Attacks CyberCrime Cybersecurity Data Hacking Insider Threat Ransom note Ransomware

Cybercriminals Entice Insiders with Ransomware Recruitment Ads

 

Cybercriminals are adopting a new strategy in their ransomware demands—embedding advertisements to recruit insiders willing to leak company data.

Threat intelligence researchers at GroupSense recently shared their findings with Dark Reading, highlighting this emerging tactic. According to their analysis, ransomware groups such as Sarcoma and DoNex—believed to be impersonating LockBit—have started incorporating these recruitment messages into their ransom notes.

A typical ransom note includes standard details about the company’s compromised state, data breaches, and backup destruction. However, deeper into the message, these groups introduce an unusual proposition:

"If you help us find this company's dirty laundry you will be rewarded. You can tell your friends about us. If you or your friend hates his boss, write to us and we will make him cry and the real hero will get a reward from us."

In another instance, the ransom note offers financial incentives:

"Would you like to earn millions of dollars $$$? Our company acquires access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VP, corporate email, etc."

The note then instructs interested individuals on how to install malicious software on their workplace systems, with communication facilitated via Tox messenger to maintain anonymity.

Kurtis Minder, CEO and founder of GroupSense, stated that while his team regularly examines ransom notes during incident response, the inclusion of these “pseudo advertisements” is a recent development.

"I've been asking my team and kind of speculating as to why this would be a good place to put an advertisement," said Minder. "I don't know the right answer, but obviously these notes do get passed around." He further noted that cybercriminals often experiment with new tactics, and once one group adopts an approach, others tend to follow suit.

For anyone tempted to respond to these offers, Minder warns of the significant risks involved: "These folks have no accountability, so there's no guarantee you would get paid anything. You trying to capitalize on this is pretty risky from an outcome perspective."

GroupSense continues to analyze past ransomware communications for any early signs of this trend. Minder anticipates discovering more instances of these ads in upcoming investigations.
Read more »
UnitedHealth cyberattack
Breach Change Healthcare data Data Breach Healthcare cybersecurity Medical Data breach Ransomware attack UnitedHealth cyberattack

UnitedHealth Confirms Change Healthcare Cyberattack Impacted 190 Million People

 

UnitedHealth Group has officially disclosed that the February ransomware attack on its subsidiary, Change Healthcare, affected approximately 190 million individuals in the U.S.—nearly twice the previously estimated figure.

The healthcare giant confirmed the revised number in a statement to TechCrunch on Friday, after market hours.

“Change Healthcare has determined the estimated total number of individuals impacted by the Change Healthcare cyberattack is approximately 190 million,” said Tyler Mason, a UnitedHealth spokesperson, in an email to TechCrunch. “The vast majority of those people have already been provided individual or substitute notice. The final number will be confirmed and filed with the Office for Civil Rights at a later date.”

UnitedHealth also stated that there is no evidence suggesting the stolen data has been misused. “The company is not aware of any misuse of individuals’ information as a result of this incident and has not seen electronic medical record databases appear in the data during the analysis,” the spokesperson added.

The cyberattack, which occurred in February 2024, stands as the most significant medical data breach in U.S. history. It led to prolonged disruptions across the healthcare sector. Change Healthcare, a leading health tech provider and claims processor, handles vast amounts of patient data, medical records, and insurance information.

Hackers behind the attack stole an extensive volume of sensitive health and insurance data, some of which was leaked online. Reports indicate that Change Healthcare paid at least two ransom payments to prevent further exposure of the compromised files.

Initially, UnitedHealth estimated the number of impacted individuals to be around 100 million when it filed a preliminary report with the Office for Civil Rights, a division of the U.S. Department of Health and Human Services that oversees data breaches.

According to Change Healthcare’s breach notification, the cybercriminals accessed and stole:

  • Names, addresses, phone numbers, and email addresses
  • Dates of birth and government-issued ID numbers (Social Security, driver’s license, passport)
  • Medical diagnoses, prescriptions, lab results, imaging, and treatment plans
  • Health insurance details
  • Financial and banking data related to patient claims
The breach has been attributed to the ALPHV ransomware group, a Russian-language cybercrime network. During congressional testimony, UnitedHealth CEO Andrew Witty revealed that attackers gained access through a stolen credential that lacked multi-factor authentication, highlighting a critical security lapse.

As the healthcare industry grapples with the aftermath, this breach underscores the urgent need for enhanced cybersecurity measures to safeguard sensitive medical data.


Read more »
Unauthorized
Breach Casio Cyber Attacks Cyberattack Cybersecurity Data Disruption losses restructuring services Unauthorized

Casio Hit by Cyberattack Causing Service Disruption Amid Financial Challenges

 

Japanese tech giant Casio recently experienced a cyberattack on October 5, when an unauthorized individual accessed its internal networks, leading to disruptions in some of its services.

The breach was confirmed by Casio Computer, the parent company behind the iconic Casio brand, recognized for its watches, calculators, musical instruments, cameras, and other electronic products.

"Casio Computer Co., Ltd. has confirmed that on October 5, its network was accessed by an unauthorized third party," the company revealed in a statement today. Following an internal review, the company discovered the unauthorized access led to system disruptions, which have caused some services to be temporarily unavailable. Casio mentioned it cannot provide further details at this stage, as investigations are still ongoing. The company is working closely with external specialists to assess whether personal data or confidential information was compromised during the attack.

Although the breach has disrupted services, Casio has yet to specify which services have been impacted.

The company reported the cyber incident to the relevant data protection authorities and quickly implemented measures to prevent further unauthorized access. BleepingComputer reached out to Casio for more information, but a response has not yet been provided.

So far, no ransomware group has claimed responsibility for the attack on Casio.

This attack comes nearly a year after a previous data breach involving Casio's ClassPad education platform, which exposed customer data from 149 countries, including names, email addresses, and other personal information.

The recent cyberattack adds to the company's challenges, as Casio recently informed shareholders of an expected $50 million financial loss due to significant personnel restructuring.
Read more »
US semiconductor manufacturer
Breach Data Microchip Technology attack Play ransomware ransomware cyberattack US semiconductor manufacturer

Play Ransomware Claims Attack on US Semiconductor Manufacturer Microchip Technology

 

The Play ransomware group has claimed responsibility for last week's cyberattack on the American semiconductor company Microchip Technology. On Tuesday, the group added Microchip Technology to its data leak site, as noted by multiple cybersecurity researchers. Play is notorious for its use of custom tools and double-extortion tactics, which involve both encrypting victims' files and threatening to release stolen data.

Microchip Technology reported last week that intruders had disrupted "certain servers and some business operations." Upon discovering the breach, the company took immediate steps to isolate the affected systems, shut down some services, and initiate an investigation.

Microchip Technology has not commented on the Play gang's involvement in the attack. The company produces products such as microcontrollers, embedded security devices, and radio frequency devices, which it supplies to sectors including automotive, industrial, aerospace, and defense. In 2024, its sales reached $7.6 billion.

The Play group typically gives its victims 72 hours to pay a ransom before making stolen data public. However, Kevin O’Connor, a researcher at U.S.-based cybersecurity firm Adlumin, noted that in this case, the timeline was extended, with Play claiming responsibility a week after Microchip Technology reported the incident to the SEC (Securities and Exchange Commission). O'Connor added that while it's not uncommon for ransomware groups to delay data release, it often indicates ongoing negotiations.

Adlumin's research suggests that the Play ransomware operation has significantly expanded over the past year, likely due to its shift to an affiliate model, complicating the attribution of attacks. O'Connor also mentioned that it's still unclear whether the core group or its affiliates were behind the attack on Microchip Technology.

Play ransomware was first identified in June 2022. The Cybersecurity and Infrastructure Security Agency (CISA) has reported that the group typically encrypts systems after data exfiltration, impacting various businesses and critical infrastructure organizations across North America, South America, Europe, and Australia. According to Trend Micro's research published in July, the majority of Play's attacks this year have been concentrated in the United States.
Read more »
US Cybersecurity
Breach CISA critical infrastructure risk Cyber Security Data Analytics Information Security supply chain attacks US Cybersecurity

CISA Investigates Sisense Breach: Critical Infrastructure at Risk

 

In the fast-paced landscape of cybersecurity, recent events have once again brought to light the vulnerabilities that critical infrastructure organizations face. The breach of data analytics company Sisense, under investigation by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), serves as a stark reminder of the importance of robust security measures in protecting sensitive data and systems. 

Sisense, a prominent American business intelligence software company, found itself at the center of a security incident impacting not only its own operations but also critical infrastructure sector organizations across the United States. 

With offices in New York City, London, and Tel Aviv, and a clientele including major players like Nasdaq, ZoomInfo, Verizon, and Air Canada, the breach sent shockwaves through the cybersecurity community. CISA's involvement underscores the severity of the situation, with the agency actively collaborating with private industry partners to assess the extent of the breach and its implications for critical infrastructure. 

As investigations unfold, the focus is on understanding the nature of the compromise and mitigating potential risks to affected organizations. In response to the breach, CISA has issued recommendations for all Sisense customers to reset any credentials and secrets that may have been exposed or used to access the company's platform and services.

This proactive measure aims to prevent further unauthorized access and protect sensitive information from exploitation. Sisense's Chief Information Security Officer, Sangram Dash, echoed CISA's advice in a message to customers, emphasizing the importance of promptly rotating credentials used within the Sisense application. This precautionary step aligns with best practices in cybersecurity, where rapid response and mitigation are essential to minimizing the impact of security incidents. 

Additionally, customers are urged to report any suspicious activity related to potentially exposed credentials or unauthorized access to Sisense services to CISA. This collaborative approach between organizations and government agencies is crucial in addressing cybersecurity threats effectively and safeguarding critical infrastructure from harm. The incident involving Sisense is not an isolated event. 

Similar supply chain attacks have targeted critical infrastructure organizations in the past, highlighting the need for heightened vigilance and resilience in the face of evolving cyber threats. One such attack, involving the 3CX breach a year ago, had far-reaching consequences, impacting power suppliers responsible for generating and distributing energy across the grid in the United States and Europe. 

As organizations grapple with the aftermath of the Sisense breach, lessons learned from this incident can inform future cybersecurity strategies. Proactive measures such as continuous monitoring, regular security assessments, and robust incident response plans are essential for mitigating risks and protecting critical infrastructure assets. 

The Sisense breach serves as a wake-up call for the cybersecurity community, emphasizing the interconnected nature of cyber threats and the imperative of collaboration in defending against them. By working together and adopting a proactive stance, organizations can bolster their defenses and safeguard critical infrastructure from cyber adversaries.
Read more »
online transactions
Adobe Breach Cyber Security E Commerce Magento online transactions

E-commerce Breach: Hackers Target Magento, Steal Payment Data

 




In a concerning development for e-commerce security, hackers have been discovered exploiting a critical flaw in the popular Magento platform, leaving numerous online stores vulnerable to data breaches. The vulnerability, identified as CVE-2024-20720 with a severity score of 9.1, was acknowledged and addressed by Adobe in security updates released on February 13, 2024.

The exploit involves injecting a persistent backdoor into e-commerce websites, allowing threat actors to execute arbitrary commands and potentially steal sensitive payment data. Security experts from Sansec revealed that attackers are utilising a cleverly crafted layout template stored in the database to automatically insert malicious code into the system.

By combining the Magento layout parser with the beberlei/assert package, hackers can execute system commands, particularly targeting the checkout cart section of affected websites. This malicious code, facilitated by the 'sed' command, enables the installation of a payment skimmer, designed to capture and transmit financial information to compromised Magento stores under the attackers' control.

This incident underlines the urgency for e-commerce businesses to promptly apply security patches provided by Magento to mitigate the risk of exploitation. Failure to do so could leave them susceptible to financial losses and reputational damage.

The exploitation of vulnerabilities within the Magento platform has become an ongoing concern within the realm of e-commerce security. Since its acquisition by Adobe in 2018 for a significant $1.68 billion, Magento has grown to power more than 150,000 online stores worldwide. However, this widespread adoption has inadvertently made it an enticing target for cybercriminals seeking to exploit weaknesses in its infrastructure. One notable example of such exploitation is the MageCart attacks, which have highlighted the persistent threat posed by outdated and unsupported versions of Magento.

Given the prevalence of these vulnerabilities, it is pivotal for online merchants to prioritise cybersecurity measures to safeguard their customers' sensitive data and uphold trust within the e-commerce ecosystem. This necessitates a proactive approach that includes regular software updates, the implementation of robust security protocols, and continuous monitoring for any suspicious activities.

Industry stakeholders are urged to collaborate closely to enhance cybersecurity resilience and protect the integrity of online transactions. By staying informed and proactive, businesses can effectively combat cyber threats and uphold the security of their e-commerce operations.



Read more »
Ransomware
Birmingham Breach Computer Hacking cyber attack Cyber Attacks Ransomware

Birmingham City Computers Breached by Hackers, Mayor Confirms

 



Birmingham Mayor Randall Woodfin’s office has officially acknowledged that the city’s computer systems fell victim to a cyberattack almost a month ago. The incident came to light in a memo sent to city employees, obtained by AL.com, confirming that hackers gained unauthorised access to the city’s networks.

Timeline of Events

The disruption was first noticed on March 6, prompting an immediate investigation into the unexpected activity that disrupted various computer systems. City officials are actively working to restore full functionality to the affected systems, although the investigation into the breach is ongoing. Rick Journey, the mayor’s communications director, emphasised the city’s commitment to ensuring the security of its network.

Impact on Operations

The cyberattack has caused significant disruptions, with employees resorting to pen and paper for tasks like timekeeping due to the network outage. Despite these challenges, critical public safety and public works services have remained unaffected. However, law enforcement agencies have faced limitations, including difficulties in accessing databases to check vehicle theft reports and outstanding warrants.

What Does It Mean for Employees?

Addressing concerns about payroll and employee compensation, city officials reassured employees that payroll processing will continue as scheduled. Payroll coordinators are available to address any individual questions or concerns regarding payment accuracy. Despite the disruption, city authorities are committed to ensuring that employees receive their salaries on time.

Response and Investigation

Following the breach, the city has enlisted the support of third-party specialists to investigate the extent of the disruption and its impact on operations. While specific details about the cyberattack remain limited due to the ongoing investigation, officials have stressed that the 911 emergency system remains fully functional.

A Potential Ransomware Attack 

Multiple government sources have indicated that the cyberattack is likely a ransomware attack, wherein hackers demand payment in exchange for restoring access to the city’s data. Despite the severity of the incident, city officials have reiterated that emergency services have not been compromised.

This incident dials on the mounting challenges municipalities face in safeguarding against cybersecurity breaches. As authorities delve deeper into the matter, concerted efforts are underway to bolster cybersecurity measures, emphasising the critical need to strengthen defences against potential future threats. 


Read more »
Subscribe to: Posts (Atom)