
‘Mother of All Breaches’: 26 Billion Personal Records and Passwords Leaked


Even a user who is careful with online tools can have personal and professional information exposed in a data breach. Attackers also compile credentials and other data stolen in past breaches to make their next attacks easier.

In what has come to be called the 'mother of all breaches,' a 12 terabyte (TB) data set containing 26 billion records was found exposed. The records had been gathered from earlier breaches, leaks, and data offered for sale.

The discovery was made by Bob Diachenko, a cybersecurity researcher at SecurityDiscovery.com, together with the team at Cybernews.com.

Researchers currently believe the data set is a compilation of many earlier breaches and leaks rather than the result of a single new incident, and that some of the records are duplicates. They have not yet ruled out that it also contains previously unpublished data.

Given the discovery of the data set, credential-stuffing attacks are expected to follow shortly. For those unaware, credential stuffing is the practice of taking a user's login credentials from one website and trying them on others. These attacks typically succeed when a person reuses the same password across several sites.
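Because stuffing replays leaked username/password pairs, its signature in authentication logs is one source trying many different accounts, mostly failing, with the occasional success where a victim reused a password. The following Python script is an added example (not part of the original post) that runs that check over a few constructed log lines; the `ip=/user=/result=` log format is an assumption for the example, not any vendor's format.

```python
"""Flag credential-stuffing activity in authentication logs.

Credential stuffing replays username/password pairs harvested from other
breaches, so its signature is one source trying MANY DISTINCT accounts,
mostly failing, with the occasional success where a victim reused a password.
A brute-force attack looks different: one account, many attempts.
The log format (ts ip= user= result=) and the sample lines are constructed
for this example and do not correspond to any particular product.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    successes: set = field(default_factory=set)  # accounts that let the source in


def parse_line(line):
    """Return the event fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Roll events up per source IP. In production, bucket by time window too."""
    stats = defaultdict(SourceStats)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats[ev["ip"]]
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(ev["user"])
    return stats


def detect_stuffing(lines, min_users=5, min_fail_ratio=0.8):
    """Sources that touched >= min_users distinct accounts with a high failure
    rate. The 'compromised' list is what a responder acts on first: those
    accounts were reached with a reused password and need a reset."""
    findings = {}
    for ip, s in aggregate(lines).items():
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_users and fail_ratio >= min_fail_ratio:
            findings[ip] = {
                "distinct_users": len(s.users),
                "fail_ratio": round(fail_ratio, 2),
                "compromised": sorted(s.successes),
            }
    return findings


# Constructed sample: 203.0.113.5 walks a leaked list; 198.51.100.7 is a
# legitimate user mistyping a password; 192.0.2.9 is a normal login.
SAMPLE_LOG = [
    "2024-01-22T10:00:01Z ip=203.0.113.5 user=alice result=FAIL",
    "2024-01-22T10:00:02Z ip=203.0.113.5 user=bob result=FAIL",
    "2024-01-22T10:00:02Z ip=203.0.113.5 user=carol result=FAIL",
    "2024-01-22T10:00:03Z ip=203.0.113.5 user=dave result=FAIL",
    "2024-01-22T10:00:03Z ip=203.0.113.5 user=erin result=FAIL",
    "2024-01-22T10:00:04Z ip=203.0.113.5 user=frank result=FAIL",
    "2024-01-22T10:00:04Z ip=203.0.113.5 user=grace result=OK",
    "2024-01-22T10:01:10Z ip=198.51.100.7 user=alice result=FAIL",
    "2024-01-22T10:01:25Z ip=198.51.100.7 user=alice result=FAIL",
    "2024-01-22T10:01:40Z ip=198.51.100.7 user=alice result=OK",
    "2024-01-22T10:02:00Z ip=192.0.2.9 user=bob result=OK",
]

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The legitimate user who fails three times on one account is not flagged, while the source that cycled through seven accounts is, and the one account it got into is listed for a forced reset. Thresholds should be tuned to the site's traffic and evaluated per time window rather than over a whole log file.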

How to Protect Yourself

One thing a user can do is check whether they were part of any leak, not only this one, by looking up their email address on Have I Been Pwned or in Cybernews' lookup tool.
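Have I Been Pwned also lets you check whether a specific password has appeared in a breach without sending that password anywhere: the Pwned Passwords API uses k-anonymity, so the client hashes the password with SHA-1, sends only the first five hex characters of the digest, receives every hash suffix in that bucket, and compares locally. The Python below is an added example, not code from the post or from Have I Been Pwned; the `fake_fetch_range` bucket is constructed so the example runs offline, and `fetch_range_live` shows the real request shape but is not called.

```python
"""Check a password against a breach corpus without revealing the password.

Have I Been Pwned's Pwned Passwords API uses k-anonymity: the client hashes
the password with SHA-1, sends only the first five hex characters of the
digest, receives every suffix in that bucket with its breach count, and does
the final comparison locally, so neither the password nor its full hash
leaves the machine. `fake_fetch_range` below returns a constructed bucket
for prefix 5BAA6 so the example runs offline; `fetch_range_live` shows the
real request shape and is not called here.
"""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_digest(digest):
    """First 5 hex chars go over the wire; the other 35 stay local."""
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Response lines look like '<35-hex suffix>:<count>' (padding lines have count 0)."""
    bucket = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        bucket[suffix.upper()] = int(count)
    return bucket


def pwned_count(password, fetch_range):
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_digest(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix, timeout=10):
    """Real lookup. Add-Padding makes every bucket a similar size so a network
    observer cannot infer the prefix from the response length."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed bucket for prefix 5BAA6. The first suffix is the real tail of
# SHA-1("password"); the counts and the other two suffixes are made up.
FAKE_BUCKET_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:12
FFEEDDCCBBAA99887766554433221100FFE:3
"""


def fake_fetch_range(prefix):
    """Stand-in for fetch_range_live: only the 5BAA6 bucket is populated."""
    return FAKE_BUCKET_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "7kQ#pLz9!vR2mWx4"):
        print(pw, "->", pwned_count(pw, fake_fetch_range))
```

Swap `fake_fetch_range` for `fetch_range_live` to query the real service. The design point is that the server only ever learns a five-character prefix shared by hundreds of other hashes, which is why this check is safe to wire into a signup or password-change form.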

Whether or not one has been compromised, the best thing to do is to follow these rules from the Tech Talk Commandments:

  • Make secure passwords: A password does not have to be hard to remember to be strong. Length matters most, so use more characters, and mix uppercase, lowercase, digits, and special characters where the site allows them.
  • Use a password manager: It stores passwords securely, many sync across devices, and most, if not all, will generate strong, unique passwords for the user.
  • Use two-factor authentication: Adding another step to login is inconvenient, but it works. With a second authentication factor in place, an attacker who holds a leaked password still does not have everything needed to get in.

Massive Data Breach at HCA Healthcare: 11 Million Patients' Information Compromised by Hackers


Hospital and clinic operator HCA Healthcare has announced that it experienced a significant cyberattack, posing a risk to the data of at least 11 million patients. 

The breach affects patients in 20 states, including California, Florida, Georgia, and Texas. HCA Healthcare, headquartered in Nashville, disclosed that the compromised data includes potentially sensitive information such as patients' names, partial addresses, contact details, and upcoming appointment dates.

This breach, discovered by the company on July 5, is considered one of the largest healthcare breaches in history. HCA Healthcare revealed that the hackers accessed various types of information, including patient names, cities, states, zip codes, emails, telephone numbers, dates of birth, genders, service dates, locations, and next appointment dates.

"This appears to be a theft from an external storage location exclusively used to automate the formatting of email messages," the company said in its Monday announcement.

"The company disabled user access to the storage location as an immediate containment measure and plans to contact any impacted patients to provide additional information and support, in accordance with its legal and regulatory obligations, and will offer credit monitoring and identity protection services, where appropriate," it said.

If the estimated number of affected patients reaches 11 million, this breach would rank among the top five healthcare hacks reported to the Department of Health and Human Services Office for Civil Rights. The most severe breach in this sector occurred in 2015, when medical insurer Anthem was compromised, affecting 79 million individuals. In that case, Chinese spies were indicted, but there is no evidence that the stolen data was ever sold.

According to the Associated Press, the suspected hacker behind the HCA breach initially posted a sample of the stolen data online on July 5, attempting to sell it and potentially extort HCA. The hacker claimed to possess 27.7 million records and subsequently released a file on Monday containing nearly 1 million records from HCA's San Antonio division.

To ensure the legitimacy of any invoices or billing requests, HCA is advising patients to contact the chain at (844) 608-1803 before making any payments. The company has reported the incident to law enforcement and engaged third-party forensic and threat intelligence advisors. 

HCA maintains that the breach, which exposed approximately 27 million rows of data related to around 11 million patients, did not include highly sensitive information such as patients' treatment or diagnosis details, payment information, passwords, driver's license numbers, or Social Security numbers.

Although DataBreaches.net initially reported on the hack and shared a code sample purportedly offered by the hacker, HCA's spokesperson clarified that the code was an email template developed by the company, and the client ID mentioned referred to a doctor's office or facility, not a patient.

HCA Healthcare said it has found no evidence of malicious activity on its networks or systems related to this incident. As an immediate containment measure, the company has disabled user access to the storage location.

HCA intends to reach out to affected patients to provide additional information and support, complying with legal and regulatory obligations. It will also offer credit monitoring and identity protection services where necessary. HCA Healthcare operates more than 180 hospitals and 2,000 care locations, including walk-in clinics, across 20 states and the U.K., according to its website.

Thousands of Websites Attacked Via Compromised FTP Credentials


Wiz, a cloud security startup, has warned of a widespread redirection campaign in which thousands of websites aimed at East Asian audiences have been compromised using legitimate FTP credentials. In many cases the attackers obtained highly secure, auto-generated FTP credentials and used them to hijack the victim websites and redirect visitors to adult-themed content.

The campaign, which has most likely been ongoing since September 2022, has compromised at least 10,000 websites belonging to both small businesses and large corporations. According to Wiz, the variety of hosting providers and technology stacks involved makes it difficult to identify a common entry point.

In the initial incidents, the attackers added "a single line of HTML code in the form of a script tag referencing a remotely hosted JavaScript script" to the compromised web pages. The injected tag causes the remote JavaScript to be downloaded and executed in the browsers of website visitors.
According to Wiz, in some cases the JavaScript was injected directly into existing files on the compromised server, most likely via FTP access, which rules out malvertising as the delivery mechanism.

The cybersecurity startup has identified a number of servers associated with this campaign, which serve JavaScript variants that share many similarities, implying they are closely linked, if not part of the same activity.

Before redirecting the visitor to the destination website, the JavaScript checks several conditions: a probability value, whether a cookie is already set on the visitor's machine, whether the visitor is a crawler, and whether the device is running Android.

Originally, the JavaScript also fingerprinted visitors' browsers and sent the collected data to attacker-controlled infrastructure; Wiz has not seen this behaviour since December 2022. Another change Wiz observed is the addition, in February 2023, of intermediate servers to the redirection chain.

In some cases, website administrators removed the malicious redirect only to see it reappear shortly afterward. According to Wiz, the campaign's goal could be ad fraud or SEO manipulation, or simply driving traffic to the destination websites; the threat actors may also decide to use the access they have gained for other illicit purposes.
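Two checks follow directly from how this campaign works: the injected payload is a script tag pointing at a host the site never loaded from, and it tends to come back after a cleanup because the attacker still has the FTP credentials. The Python below is an added example (not Wiz's code or any tool from the original post) that scans page content for `<script src>` hosts outside an allowlist and keeps a SHA-256 manifest so re-injection shows up as a changed file; the pages, file names and host names are constructed placeholders, not indicators from the campaign.

```python
"""Find injected remote <script> tags and detect re-injection after cleanup.

Two checks a site owner can run against their own document root:
  1. Report every <script src=...> whose host is not on an allowlist of
     first-party and known third-party origins (the campaign described in
     the post added one such tag per page).
  2. Keep a SHA-256 manifest of the files and report any file whose digest
     changed since the last clean baseline, which catches the "removed it,
     it came back" pattern even if the new payload is obfuscated.
Pages, file names and host names below are constructed placeholders.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately loads scripts from; "" covers relative paths.
ALLOWED_SCRIPT_HOSTS = {"", "www.shop.example", "cdn.shop.example"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value.strip())


def foreign_scripts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Script URLs pointing at hosts outside the allowlist."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    flagged = []
    for src in parser.sources:
        # hostname is None for relative paths; handles https://, //host/ too
        host = urlparse(src).hostname or ""
        if host.lower() not in allowed:
            flagged.append(src)
    return flagged


def build_manifest(files):
    """files: {path: bytes} -> {path: sha256 hex}. Store this after a clean audit."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def changed_files(baseline, files):
    """Paths whose content differs from the baseline, or that are new."""
    current = build_manifest(files)
    return sorted(p for p, digest in current.items() if baseline.get(p) != digest)


# Constructed sample site: a clean page and the same page with one injected tag.
CLEAN_INDEX = b"""<!doctype html><html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
</head><body>Welcome</body></html>"""

INFECTED_INDEX = CLEAN_INDEX.replace(
    b"</head>",
    b'<script src="//stat-cdn.invalid/r.js"></script>\n</head>',
)

SITE_CLEAN = {"index.html": CLEAN_INDEX, "about.html": b"<html>About</html>"}
SITE_INFECTED = {"index.html": INFECTED_INDEX, "about.html": b"<html>About</html>"}

if __name__ == "__main__":
    baseline = build_manifest(SITE_CLEAN)
    print("foreign scripts:", foreign_scripts(INFECTED_INDEX.decode()))
    print("changed since baseline:", changed_files(baseline, SITE_INFECTED))
```

Run the manifest check from a host that does not share the FTP credentials, since an attacker who can rewrite the pages can rewrite a manifest stored beside them. Rotating the FTP credentials (or replacing FTP with SFTP keyed to a specific deploy host) is what actually stops the reappearance.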

PseudoManuscrypt Malware Proliferating Similarly as CryptBot Targets Koreans


Since at least May 2021, a botnet known as PseudoManuscrypt has been targeting Windows workstations in South Korea, using the same delivery methods as another malware family known as CryptBot.

South Korean cybersecurity company AhnLab Security Emergency Response Center (ASEC) said in a report, "PseudoManuscrypt is disguised as an installer that is similar to a form of CryptBot and is being distributed. Not only is its file form similar to CryptBot, but it is also distributed via malicious sites exposed on the top search page when users search for commercial software-related illegal programs such as Crack and Keygen."
  
According to ASEC, on average about 30 computers in the country are compromised each day. PseudoManuscrypt was first publicly documented in December 2021, when Russian cybersecurity firm Kaspersky revealed details of a "mass-scale spyware attack campaign" that had infected more than 35,000 PCs in 195 countries.

The PseudoManuscrypt attacks, first observed in June 2021, targeted a large number of industrial and government organizations, including military-industrial firms and research institutes in Russia, India, and Brazil, among others. The primary payload module has a wide range of spying capabilities that give the attackers virtually complete control over the compromised device, including stealing VPN connection data, recording audio with the microphone, and capturing clipboard contents and operating system event log data.

Additionally, PseudoManuscrypt connects to an attacker-controlled command-and-control server to carry out tasks such as downloading files, executing arbitrary commands, logging keystrokes, and capturing screenshots and video of the screen.

The researchers added, "As this malware is disguised as an illegal software installer and is distributed to random individuals via malicious sites, users must be careful not to download such programs. As malicious files can also be registered as a service and perform continuous malicious behaviours without the user knowing, periodic PC maintenance is necessary."