Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Breach. Show all posts
third-party risk
business disruption Cyber Attacks Cyber Insurance Cybersecurity Data Breach Ransomware third-party risk

Cyberattacks on Key Vendors Trigger Widespread Disruptions Across Industries

Cybercriminals are increasingly targeting a single point of failure within companies to create large-scale disruption, according to a recent report by Resilience. The analysis highlights how such attacks can have a ripple effect across entire industries.

In 2024, the global average cost of a data breach was estimated at nearly $4.9 million, based on IBM research. However, certain incidents proved to be significantly more damaging.

One of the most costly breaches occurred when UnitedHealth reported a staggering $3.1 billion expenditure in response to a cyberattack on its Change Healthcare subsidiary. This division processes billions of medical claims annually, and the ransomware attack led to prolonged disruptions in the healthcare sector.

“It was the most significant and consequential cyberattack in the history of U.S. health care,” said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, in a blog post.

Another major incident targeted CDK Global, a software provider for car dealerships across the U.S. The ransomware attack caused financial damages exceeding $1 billion collectively, as estimated by Anderson Economic Group.

The cyberattacks on Change Healthcare and CDK Global exemplify how disruptions in interconnected organizations can have widespread industry consequences, Resilience noted in its report.

According to Resilience’s analysis, third-party risks have become a leading factor in cyber insurance claims, representing 31% of claims filed by its clients in 2024. While a slightly higher percentage (37%) of third-party claims was recorded in 2023, none resulted in material financial losses.

The study also revealed that ransomware attacks targeting vendors have become a “new and significant” contributor to insurance claims, accounting for 18% of such cases.

Although ransomware remained the primary cause of cyber losses in 2024—responsible for 62% of claims—its overall occurrence may be declining. Resilience attributes this trend to cybercriminals shifting focus toward larger, high-profile organizations that offer bigger financial payouts, moving away from the traditional “spray and prey” strategy.
Read more »
Threat Intelligence
APT37 Cyberattack Cybersecurity Data Breach Hacking North Korea phishing RokRat Threat Intelligence

North Korean Hackers Exploit ZIP Files in Sophisticated Cyber Attacks

 

State-sponsored hacking group APT37 (ScarCruft) is deploying advanced cyber-espionage tactics to infiltrate systems using malicious ZIP files containing LNK shortcuts. These files are typically disguised as documents related to North Korean affairs or trade agreements and are spread through phishing emails.

Once opened, the attack unfolds in multiple stages, leveraging PowerShell scripts and batch files to install the RokRat remote access Trojan (RAT) as the final payload.

The infection starts with carefully crafted phishing emails, often using real information from legitimate websites to enhance credibility. These emails contain malicious ZIP attachments housing LNK files. When executed, the LNK file verifies its directory path, relocating itself to %temp% if necessary.

It then extracts multiple components, including:

-A decoy HWPX document
-A batch script (shark.bat)

Additional payloads like caption.dat and elephant.dat
The shark.bat script executes PowerShell commands discreetly, launching the elephant.dat script, which decrypts caption.dat using an XOR key. The decrypted content is then executed in memory, ultimately deploying RokRat RAT.

Once active, RokRat collects detailed system information, such as:
  • Operating system version
  • Computer name
  • Logged-in user details
  • Running processes
  • Screenshots of the infected system
The stolen data is then exfiltrated to command-and-control (C2) servers via legitimate cloud services like pCloud, Yandex, and Dropbox, utilizing their APIs to send, download, and delete files while embedding OAuth tokens for stealthy communication.

RokRat also allows attackers to execute remote commands, conduct system reconnaissance, and terminate processes. To avoid detection, it implements anti-analysis techniques, including:
  • Detecting virtual environments via VMware Tools
  • Sandbox detection by creating and deleting temporary files
  • Debugger detection using IsDebuggerPresent
The malware ensures secure communication by encrypting data using XOR and RSA encryption, while C2 commands are received in AES-CBC encrypted form, decrypted locally, and executed on the compromised system. These commands facilitate data collection, file deletion, and malware termination.

By leveraging legitimate cloud services, RokRat seamlessly blends into normal network traffic, making detection more challenging.

“This sophisticated approach highlights the evolving tactics of APT37, as they continue to adapt and expand their operations beyond traditional targets, now focusing on both Windows and Android platforms through phishing campaigns.”

As APT37 refines its cyberattack strategies, organizations must remain vigilant against such persistent threats and enhance their cybersecurity defenses.
Read more »
X
Data Breach EU Internet IT POLSA Space X

Polish Space Agency "POLSA" Suffers Breach; System Offline

Polish Space Agency "POLSA" Suffers Breach; System Offline

Systems offline to control breach

The Polish Space Agency (POLSA) suffered a cyberattack last week, it confirmed on X. The agency didn’t disclose any further information, except that it “immediately disconnected” the agency network after finding that the systems were hacked. The social media post indicates the step was taken to protect data. 

US News said “Warsaw has repeatedly accused Moscow of attempting to destabilise Poland because of its role in supplying military aid to its neighbour Ukraine, allegations Russia has dismissed.” POLSA has been offline since to control the breach of its IT infrastructure. 

Incident reported to authorities

After discovering the attack, POLSA reported the breach to concerned authorities and started an investigation to measure the impact. Regarding the cybersecurity incident, POLSA said “relevant services and institutions have been informed.”  

POLSA didn’t reveal the nature of the security attack and has not attributed the breach to any attacker. "In order to secure data after the hack, the POLSA network was immediately disconnected from the Internet. We will keep you updated."

How did the attack happen?

While no further info has been out since Sunday, internal sources told The Register that the “attack appears to be related to an internal email compromise” and that the staff “are being told to use phones for communication instead.”

POLSA is currently working with the Polish Military Computer Security Incident Response Team (CSIRT MON) and the Polish Computer Security Incident Response Team (CSIRT NASK) to patch affected services. 

Who is responsible?

Commenting on the incident, Poland's Minister of Digital Affairs, Krzysztof Gawkowski, said the “systems under attack were secured. CSIRT NASK, together with CSIRT MON, supports POLSA in activities aimed at restoring the operational functioning of the Agency.” On finding the source, he said, “Intensive operational activities are also underway to identify who is behind the cyberattack. We will publish further information on this matter on an ongoing basis.”

About POLSA

A European Space Agency (ESA) member, POLSA was established in September 2014. It aims to support the Polish space industry and strengthen Polish defense capabilities via satellite systems. The agency also helps Polish entrepreneurs get funds from ESA and also works with the EU, other ESA members and countries on different space exploration projects.  

Read more »
telecommunications
Data Breach Orange Group Security Systems Sensitive data telecommunications

Hacker Leaks Stolen Data After Cyberattack on Orange Group

 


A hacker has claimed responsibility for breaking into the systems of Orange Group, a well-known French telecommunications provider. The attacker alleges that they stole a large number of internal files, including confidential details about customers and employees. After failing to extort the company, the hacker released some of this data on an underground forum.  


Orange Verifies the Cyberattack  

Orange Group has acknowledged the breach, stating that the attack targeted a non-essential system. The company has started an internal investigation and is taking steps to limit the damage. However, reports suggest that significant amounts of data have already been exposed.  

The hacker, who goes by the online name Rey, is associated with a cybercriminal group called HellCat. Despite this, Rey insists that this was not a ransomware attack. The breach primarily impacted Orange Romania, a regional branch of the company.  


What Information Was Compromised?  

According to the hacker, the stolen files contain nearly 380,000 email addresses, as well as confidential company records. The leaked data includes:  

• Customer and employee details  

• Business contracts and invoices  

• Internal source code  

• Payment card information, though many of these details are outdated  

Some of the email addresses in the leaked files belonged to former employees and business partners who had been associated with Orange Romania over five years ago. Additionally, the breach affected records from Yoxo, Orange’s subscription-based mobile service.  


How Did the Breach Occur?  

Rey claims to have accessed Orange’s systems for over a month before stealing data. The hacker reportedly gained entry using stolen login credentials and weaknesses in Jira, a software tool the company uses for project management and issue tracking.  

On the day of the attack, the hacker extracted company files for about three hours without triggering any security alerts. They also left a ransom note, but Orange did not respond or engage in negotiations.  


Orange’s Official Statement  

When asked about the breach, an Orange spokesperson confirmed that their Romanian operations had been targeted by hackers. The company’s cybersecurity and IT teams are currently working to understand the full extent of the breach and are focused on reducing its impact.  


A Pattern of Attacks?  

This is not the first time attackers have used Jira security flaws to steal information from large corporations. In similar cases, cybercriminals have managed to extract huge amounts of data, including 40GB in one breach and 2.5GB in another.  

This incident shows us the reality of weakened security systems and stolen login details can allow hackers to infiltrate major organizations. Companies must regularly update their cybersecurity measures to prevent such attacks. Employees and customers affected by this breach should remain cautious of phishing scams or fraudulent activities that may arise from their leaked data.  

As the investigation progresses, more details about the Orange Group breach may emerge. For now, the company is working on securing its systems and preventing further exposure of sensitive information.

Read more »
Ransomware attack
cyber attack Cybersecurity Breach Data Breach data security Lee Enterprises newspaper hack Ransomware attack

Lee Enterprises Confirms Ransomware Attack Impacting 75+ Publications

 

Lee Enterprises, a major newspaper publisher and the parent company of The Press of Atlantic City, has confirmed a ransomware attack that disrupted operations across at least 75 publications. The cybersecurity breach caused widespread outages, impacting the distribution of printed newspapers, subscription services, and internal business operations.

The attack, first disclosed to the Securities and Exchange Commission (SEC) on February 3, led to significant technology failures, affecting essential business functions. In an official update to the SEC, Lee Enterprises reported that hackers gained access to its network, encrypted key applications, and extracted files—common tactics associated with ransomware incidents.

As a result of the attack, the company's ability to deliver newspapers, process billing and collections, and manage vendor payments was severely affected. “The incident impacted the Company’s operations, including distribution of products, billing, collections, and vendor payments,” Lee Enterprises stated in its SEC filing.

With a vast portfolio of 350 weekly and specialty publications spanning 25 states, Lee Enterprises is now conducting a forensic investigation to assess the extent of the data breach. The company aims to determine whether hackers accessed personal or sensitive information belonging to subscribers, employees, or business partners.

By February 12, the company had successfully restored distribution for its core publications. However, weekly and ancillary publications are still facing disruptions, accounting for approximately five percent of the company's total operating revenue. While recovery efforts are underway, full restoration of all affected services is expected to take several weeks.

Cybersecurity experts have warned that ransomware attacks targeting media organizations can have severe consequences, including financial losses, reputational damage, and compromised data security. The increasing frequency of such incidents highlights the urgent need for media companies to strengthen their cybersecurity defenses against evolving cyber threats.

Growing Cybersecurity Threats in the Media Industry


The publishing industry has become an attractive target for cybercriminals due to its reliance on digital infrastructure for content distribution, subscription management, and advertising revenue. Recent high-profile cyberattacks on media organizations have demonstrated the vulnerability of traditional and digital publishing operations.

While Lee Enterprises has not yet disclosed whether a ransom demand was made, ransomware attacks typically involve hackers encrypting critical data and demanding payment for its release. Cybersecurity experts caution against paying ransoms, as it does not guarantee full data recovery and may encourage further attacks.

As Lee Enterprises continues its recovery process, the company is expected to implement stronger cybersecurity measures to prevent future breaches. The incident serves as a reminder for organizations across the media sector to enhance their security protocols, conduct regular system audits, and invest in advanced threat detection technologies.
Read more »
Russian IT security
banking software hack Cybersecurity Data Breach LANIT breach LANIT cyberattack NKTsKI warning Russian IT security

LANIT Cyberattack: Russian IT Giant Faces Major Security Breach

 

Russia's National Coordination Center for Computer Incidents (NKTsKI) has issued a warning to organizations in the country's credit and financial sector regarding a security breach at LANIT, a leading Russian IT service and software provider.

The alert, also published on GosSOPKA’s (State System for Detection, Prevention, and Elimination of Consequences of Computer Attacks) website, states that the attack occurred on February 21, 2025. The incident may have affected LLC LANTER and LLC LAN ATMservice, both subsidiaries of the LANIT Group of Companies.

LANIT Group is a key player in Russia’s IT sector and the nation’s largest system integrator, with a client portfolio that includes the Russian Ministry of Defense and entities within the military-industrial complex, such as Rostec. Due to these associations, the U.S. Department of the Treasury imposed sanctions on LANIT in May 2024.

LLC LANTER and LLC LAN ATMservice specialize in banking technology, developing software solutions for banking equipment, payment systems, and Automated Teller Machines (ATMs).

Following the breach, NKTsKI has advised all potentially impacted organizations to reset passwords, update access keys, and modify remote access credentials.

"NKTsKI recommends that all organizations immediately change passwords and access keys for their systems hosted in LANIT's data centers," the bulletin states. "If your infrastructure uses LANIT group developments and software products, and LANIT engineers have been granted remote access, it is also recommended to change connection credentials."

"Additionally, it is advised to enhance monitoring of threats and information security events in systems that were developed, deployed, or maintained by engineers from the LANIT Group of Companies."

A detailed PDF document has been provided with further security recommendations, outlining measures to mitigate threats from compromised external channels.

NKTsKI has not disclosed how the attackers infiltrated the LANIT network, the exact timeline of the breach, the extent of the compromised data, or the perpetrators behind the attack.

In recent months, Russian ATM operators and banks have faced repeated cyberattacks from Ukrainian hackers, who frequently use distributed denial-of-service (DDoS) techniques to disrupt operations.

However, the latest warning suggests a deeper infiltration into a major service provider’s systems, raising concerns about potential widespread supply chain vulnerabilities.
Read more »
Patient Data
Data Breach data security Data Sets Data Theft Healthcare Data healthcare data breach Patient Data

DM Clinical Research Database Exposed Online, Leaking 1.6M Patient Records

 

A clinical research database containing over 1.6 million patient records was discovered publicly accessible online without encryption or password protection. Security researcher Jeremiah Fowler found the dataset, linked to DM Clinical Research, exposing sensitive information such as names, medical histories, phone numbers, email addresses, medications, and health conditions. 

The unprotected database, totaling 2TB of data, put those affected at risk of identity theft, fraud, and social engineering scams. While the database name suggests it belongs to DM Clinical Research, it remains unclear whether the firm directly managed it or if a third party was responsible. Fowler immediately sent a disclosure notice, and the database was taken offline within hours. 

However, it is unknown how long it remained exposed or whether threat actors accessed the data before its removal. Only a thorough forensic audit can determine the extent of the breach. DM Clinical Research responded to the disclosure, stating that they are reviewing the findings to ensure a swift resolution. They emphasized their commitment to data security and compliance with legal regulations, highlighting the importance of protecting sensitive patient information. 

However, this incident underscores the growing risks facing the healthcare industry, which remains a prime target for cyberattacks, including ransomware and data breaches. Healthcare data is among the most valuable for cybercriminals, as it contains detailed personal and medical information that cannot be easily changed, unlike financial data. 

In recent years, hackers have aggressively targeted medical institutions. In 2024, a cyberattack compromised the records of 190 million Americans, and UnitedHealth suffered a ransomware attack that leaked customer information onto the dark web. The exposure of sensitive medical conditions—such as psychiatric disorders, HIV status, or cancer—could lead to discrimination, scams, or blackmail. Attackers often use exposed medical data to craft convincing social engineering scams, posing as doctors, insurance companies, or medical professionals to manipulate victims. 

Fowler warns that health records, unlike financial data, remain relevant for a lifetime, making breaches particularly dangerous. Organizations handling sensitive data must take proactive measures to protect their systems. Encryption is critical to safeguarding customer information, as unprotected datasets could lead to legal consequences and financial losses. Real-time threat detection, such as endpoint security software, helps identify intrusions and suspicious activity before damage is done. 

In the event of a breach, transparency is essential to maintaining consumer trust and mitigating reputational harm. For individuals affected by data breaches, vigilance is key. Regularly monitoring financial accounts and bank statements for suspicious transactions can help detect fraudulent activity early. Social engineering attacks are also a major risk, as scammers may exploit exposed medical data to impersonate trusted professionals. 

Be cautious of unexpected emails, phone calls, or messages requesting personal information, and avoid opening attachments from unfamiliar sources. Using strong, unique passwords—especially for financial and healthcare accounts—adds an extra layer of security. 

This breach is yet another reminder of the urgent need for stronger cybersecurity measures in the healthcare sector. As cybercriminals continue to exploit vulnerabilities, both organizations and individuals must remain proactive in safeguarding sensitive data.
Read more »
National Public Data
California Privacy Protection Agency Data Breach data breach fine data brokers regulation National Public Data

National Public Data Faces $46,000 Fine from California Regulator Over Data Breach

 

National Public Data, the Florida-based company responsible for exposing millions of Social Security numbers to hackers last year, is now facing a fine from a U.S. regulator—though the penalty amount may fall short of consumer expectations.

The California Privacy Protection Agency (CPPA) has imposed a $46,000 fine on National Public Data, the maximum penalty permitted under California’s data broker regulations. The agency announced the enforcement action on Thursday, citing the company’s failure to comply with the state's data deletion law.

According to the regulator, National Public Data did not register or pay the required annual fee under California’s Delete Act, which mandates data brokers to register by January 31, 2024, and contribute to the California Data Broker Registry. Companies that fail to comply face a daily fine of $200. In this case, the company registered on September 18—230 days past the deadline—resulting in the accumulated $46,000 penalty.

The company’s registration came only after CPPA reached out, following widespread media coverage of the Social Security number leak. It remains uncertain whether additional penalties will be levied, but the CPPA confirmed that the current fine will be presented to an administrative law judge. "The CPPA’s five-member board ultimately decides whether to adopt or modify the judge’s decision. At that point, the agency’s decision becomes reviewable by a California court," the CPPA stated to PCMag.

Funds collected from the penalty will be directed to the Data Brokers’ Registry Fund to support the implementation and enforcement of the Delete Act, including the development of California’s first-of-its-kind data deletion system, according to the agency.

While the fine may seem minimal to those affected by the data breach, National Public Data remains under scrutiny. Last year, the company acknowledged that attorneys general from all 50 states, along with the Federal Trade Commission (FTC), were investigating the incident. Additionally, California's Consumer Privacy Act grants residents the right to sue businesses for data breaches that expose nonencrypted personal information.

National Public Data’s parent company, Jerico Pictures, has also faced significant legal challenges. In an attempt to manage mounting lawsuits, the company sought bankruptcy protection in a Florida court. However, the filing was dismissed after U.S. Trustee for Florida, Mary Ida Townson, stated: "The Debtor [Jerico Pictures] lacks the income and resources to demonstrate a reasonable likelihood of rehabilitation." Financial records indicate that the company reported a net profit of $865,149 on $1.2 million in revenue for 2023 and $475,526 in 2022.

Although further regulatory actions remain uncertain, National Public Data has ceased operations. Jerico Pictures' owner, Salvatore Verini, has not provided any public comment on the situation.
Read more »
Subscribe to: Posts (Atom)