Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Bypass of Sensitive data.. Show all posts

Cyberextortion Threat Evolves as Clop Ransomware Attacked 6 U.S Universities Data Security

 


Malicious actors are now using novel ways to extract universities' data, and are threatening to share stolen data on dark websites unless universities pay them a lot of money. 
The current update reads that the Clop ransomware group claimed to have access to six top universities of the United States including institutions’ financial documents information and passport data belonging to their staff and students. According to the report, a group of hackers has first posted the stolen data online on March 29. 

The universities' that have been attacked, include — The University of Miami, the Yeshiva University, the University of Maryland, the Stanford University, the University of Colorado Boulder, And the University of California, Merced. 

However, there is no official confirmation regarding this cyber-attack from any of the aforementioned universities, it's unsure whether or not the cyberinfrastructure of these universities has been attacked or the hacker group asked for money in exchange for data. 

Additionally, a few days back, Michigan State University also confirmed a cyber attack by a group that was threatening to share it on the dark websites unless a bounty is paid. 

The data stolen by the Clop ransomware group include federal tax documents, passports, requests for tuition remission paperwork, tax summary documents, and applications for the Board of Nursing. 

This data breach affected several individuals and staff of the universities as the shared information also exposed sensitive credentials, such as names of individuals, date of birth, photos, home addresses, immigration status, passport numbers, and social security numbers. 

Not only this, but some news websites also confirmed that the leaked data included several more screenshots including retirement documentation, and 2019/2020 benefit adjustment requests, late enrollment benefit application forms for employees, and the UCPath Blue Shield health savings plan enrollment requests, amid much more. 

It should be noted that such attacks are not unusual for the Clop ransomware group as the group is known for its assault against various organizations. Furthermore, Michigan State University’s officials stated in the regard that, “Payment to these criminals only allows these crimes to be perpetuated and further target other victims. The decision not to pay was in accordance with law enforcement guidance and reached with support from the university’s Board of Trustees and president”.

Russian Hacking Forum Maza Hijacked, Suffers Data Breach

Cybercriminal forum Maza was recently hit by a data breach that led to the leak of user information. Earlier this week, experts at Flashpoint found the breach suffered by Maza, (earlier called Mazafaka) that has been on the web since 2003. It is a reserved and strictly restricted platform for Russian hackers. The group is involved in carding, which involves the selling of stolen credit card/financial information on the web, besides this, the forum discusses spam, exploits, malware, phishing attacks, money laundering, and much more. The hackers posted a warning message "This forum has been hacked/Your data has been leaked," after the successful breach of the platform.  

The leaked information includes usernames, user IDs, email IDs, links to messenger app that include- MSN, messenger, and login credentials (obfuscated and hashed). ZDNet reports, "In January, Russian forum Verified was taken over without warning. The introduction of new domains, temporary open registration, and the silence of old moderators has raised suspicion among some users as to the intentions of the new owners." According to Flashpoint, around 2000 user accounts were breached. Users discussing the breach said that they'll now have to find another forum, whereas other users believe that the breach is partial or old. 

As of now, the experts are unaware of who hijacked the forum besides the fact that hackers might have used an online translator to post the warning. It implies that the hackers may not be Russian speaking unless they did it intentionally to misguide.  This is not the first time Maza was hacked, back in 2011 by a rival group named DirectConnection, around 2000 user accounts were leaked. Soon, DirectConnection was compromised as a retaliation.  

Aleksei Burkov, known as alias 'Kopa,' is said to be the admin for both the forums. He was sentenced to prison for 9 years by US authorities against the charge of running the Cardplanet carding forum. "Users may be justified in such concerns, especially considering law enforcement is now posting 'friendly' warnings on hacking forums to discourage illegal activities," says ZDNet.As of now, no latest developments have appeared. Stay updated to know more.

US Telemarketing Company Leaks Data of 114,000 Consumers In a Cloud Storage Error

In a recent cybersecurity incident, a US telemarketing firm leaked sensitive data of tens of thousands of customers after a misconfiguration of a cloud storage bucket happened. VpnMentor team's Noem Rotem identified the malicious AWS S3 bucket last year on 24 December. The finding was traced back to CallX, a Californian business, and its clients use the analytics service to strengthen their inbound marketing and media buying. As per the website, the company lends marketplace Lending tree, security provider Vivint and Liberty Mutual Insurance to its customers. 

Rotem discovered around 1,14,000 files that were dumped openly in the leaky bucket. Most of the files were the audio recordings of call logs between customers and CallX clients, these were traced through the company's software. Besides this, 2000 text transcripts of conversations were also accessible. The files' PII (Personally Identifiable information) include user names, contact no, residential address, and much more. 

"If cybercriminals needed additional information, they could hijack calls logged by CallX and do fake ‘follow up’ phone calls or emails posing as a representative of the relevant CallX client company. Using the transcripts, it would be easy to establish trust and legitimacy with targets in such schemes," reports VpnMentor. As the people exposed have no apparent relationship to one another, by the time the fraud was discovered, it may be too late, it says. VpnMentor alarmed that hackers could launch phishing attacks using the leaked data. CallX can also fall under regulatory scrutiny, being in the purview of the new CCPA (Californian privacy law). Sadly, the bucket is still open to date. 

VpnMentor in its research team reported (https://www.vpnmentor.com/blog/report-callx-breach/) "our team discovered CallX’s S3 bucket and was able to view it due to insufficient security. We found an image of the company’s logo amongst the files stored on the S3 bucket and, upon further investigation, confirmed the company as its owner. We immediately contacted CallX to notify it of the vulnerability and provide guidance on securing an S3 bucket. It’s unclear how many people were aware that somebody recorded their conversations. As a result, the people exposed in this data breach may never know their private data was exposed publicly."

Financial and Customer Info being Exposed in Slickwraps Data Breach


Slickwraps, a mobile device case retailer that specializes in designing and assembling the most precision-fitted phone cases in the world has suffered a major data breach that exposed the personal information of employees including their API credentials, resumes and much more.



In January 2020, a security researcher named Lynx attempted to gain access to Slickwraps's systems, he acquired full access to the company's website employing a path traversal vulnerability present in a script which is used by them for customizing cases.

After exploiting the vulnerability, Lynx sent emails stating the same to the company and upon receiving no response to those emails, he decided to make public disclosure of the vulnerability and how he exploited it to acquire access to the systems and the data that was compromised.

While giving insights of the incident, Lynx told that it allowed them to acquire access to 9GB of personal customer data that included employee resumes, customers' pictures, API credentials, ZenDesk ticketing system along with more sensitive data such as hashed passwords, transactions, and contact-related information.

As per the reports, multiple attempts made by Lynx to report the data breaches to Slickwraps were blocked by the company. Even though Lynx made it clear that they don't want any bounty and are just trying to get Slickwraps to publicly disclose the breach.

In a post made by Lynx on Medium, he stated, "They had no interest in accepting security advice from me. They simply blocked and ignored me."

While accepting the shortcomings of the company in terms of user security, Jonathan Endicott, Slickwraps CEO, apologized for the data breach and said, "There is nothing we value higher than trust from our users. In fact, our entire business model is dependent on building long-term trust with customers that keep coming back."

"We are reaching out to you because we've made a mistake in violation of that trust. On February 21st, we discovered information in some of our production databases was mistakenly made public via an exploit. During this time, the databases were accessed by an unauthorized party."

"Upon finding out about the public user data, we took immediate action to secure it by closing any database in question. As an additional security measure, we recommend that you reset your Slickwraps account password. Again, no passwords were compromised, but we recommend this as a standard safety measure. Finally, please be watchful for any phishing attempts."

"We are deeply sorry about this oversight. We promise to learn from this mistake and will make improvements going forward. This will include enhancing our security processes, improving the communication of security guidelines to all Slickwraps employees, and making more of our user-requested security features our top priority in the coming months. We are also partnering with a third-party cybersecurity firm to audit and improve our security protocols."

"More details will follow and we appreciate your patience during this process." the statement further read.

Hacker uses a nanocomputer to steal NASA data

It wasn’t a good day for NASA when an unidentified cyber-attacker was able to steal 500 MB of mission data, through a Raspberry Pi nanocomputer.

First introduced by the charity Raspberry Pi Foundation in 2012, the Raspberry Pi is a credit-card sized device intended for the general public, young and old, beginners and amateurs. It is sold for about $35 that plugs into home televisions and is used mainly to teach coding to children and promote computing in developing countries.

The Raspberry Pi organization has just announced the release of the fourth generation of its budget desktop PC, the completely re-engineered Raspberry Pi 4.

The April 2018 attack went undetected for nearly a year, according to an audit report issued on June 18, and an investigation is still underway to find the culprit.

The hacker infiltrated into NASA’s Jet Propulsion Laboratory network and stole sensitive data and forced the temporary disconnection of space-flight systems, the agency has revealed.

Prior to detection, the attacker was able to exfiltrate 23 files amounting to approximately 500 megabytes of data, the report from NASA’s Office of inspector General said.

These included two restricted files from the Mars Science Laboratory mission, which handles the Curiosity Rover, and information relating to the International Traffic in Arms Regulations which restrict the export of US defense and military technologies.

“More importantly, the attacker successfully accessed two of the three primary JPL networks,” the report said.

"Officials were concerned the cyberattackers could move laterally from the gateway into their mission systems, potentially gaining access and initiating malicious signals to human space flight missions that use those systems."

NASA came to question the integrity of its Deep Space Network data “and temporarily disconnected several space flight-related systems from the JPL network.”

Docker Hub hack exposes sensitive data of 190,000 users

                                                                   

An unauthorized person gained access to a Docker Hub database that exposed sensitive information for approximately 190,000 users. Docker says the hacker had access to this database only for a short moment and the data accessed is only five percent of Docker Hub's entire userbase.

This information included some usernames and hashed passwords, as well as tokens for GitHub and Bitbucket repositories used for Docker autobuilds.

GitHub and Bitbucket access tokens stored in Docker Hub allow developers to modify their project's code and have it automatically build, or autobuild, the image on Docker Hub. If a third-party gains access to these tokens, though, it would allow them to gain access to a private repositories code and possibly modify it depending on the permissions stored in the token.

Docker Hub lost keys and tokens which could have downstream effects if hackers used them to access source code at big companies.

Docker Hub is the official repository for Docker container images. It makes software tools for programmers and developers.

According to a security notice sent late Friday night, Docker became aware of unauthorized access to a Docker Hub database on April 25th, 2019.

Docker disclosed the breach in an email to customers and users of Docker Hub, its cloud-based service that’s used by several companies and thousands of developers all over the world. In the email, obtained by Motherboard, Docker said that the stolen data includes “usernames and hashed passwords for a small percentage of these users, as well as Github and Bitbucket tokens for Docker autobuilds.”

"On Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data," said Kent Lamb, Director of Docker Support.

Experts Motherboard spoke to said that, in a worst-case scenario, the hackers would have been able to access proprietary source code from some of those accounts. Specifically, Docker allows developers to run software packages known as “containers.” It is used by some of the largest tech companies in the world, though it is not yet publicly known what information was accessed and which companies’ accounts were affected.

Researchers discover Malware Samples Designed to Exploit CPU Vulnerabilities

As of late scientists have found more than 130 malware samples intended to misuse the recently disclosed Spectre and Meltdown CPU vulnerabilities that enable pernicious applications to sidestep memory isolation mechanisms in order to gain access to passwords, photographs, archives, mails, and other sensitive data.

Experts have cautioned that there could soon be remote attacks, not long after Spectre and Meltdown were unveiled on January 3, and to top that a JavaScript-based Proof of-Concept (PoC) misuse for Spectre had likewise been made accessible.

On Wednesday, January 17 an antivirus testing firm AV-TEST, announced that it has obtained 139 samples from different sources, including researchers, analysers and antivirus companies and had likewise observed 77 malware tests apparently identified with the CPU vulnerabilities making the number fairly rising to 119 by January 23. However, the experts do believe that the prevailing malware samples are still in the "research phase" and assailants are in all likelihood searching for approaches to extract more information from computers especially via the means of web browsers



“Most appear to be recompiled/extended versions of the PoCs - interestingly, for various platforms like Windows, Linux and MacOS,” says Andreas Marx, CEO of AV-TEST , further adds “We also found the first JavaScript PoC codes for web browsers like IE, Chrome or Firefox in our database now.”

Fortinet, which is likewise known for dissecting a significant number of the samples, affirmed that a larger part of them depended on accessible PoC code.

Processor and operating system vendors have been dealing with microcode and software alleviations for the Meltdown and Spectre attacks, yet the patches have regularly caused issues, prompting organizations ending refreshes and disabling alleviations until the point that such issues are settled.


Marx, in addition to the installing of the operating systems and BIOS updates, further proposed a couple of more suggestions that have a solid shot of reducing the attacks, two of them being: turning off the PC when it's not required for over an hour, and closing the web browsers amid work breaks. He is certain that by adjusting to these strategies the attack surface would diminish a considerable measure and furthermore save quite some energy.