Hackers Claim Biggest Attack On UAE in History

The United Arab Emirates government has reportedly been the target of a large data breach that has the cybersecurity industry on edge. The attacker, posting under the username "UAE", is not a known threat actor. In a post on BreachForums, the actor threatened to publish the data from the purported hack unless a ransom of 150 bitcoins (about USD 9 million) is paid.

The purported victims include major UAE government bodies such as the Executive Council of Dubai, the Federal Authority for Nuclear Regulation and the Telecommunications and Digital Government Regulatory Authority, as well as government programmes such as Sharik.ae and WorkinUAE.ae. The UAE Space Agency, the Ministry of Finance and the Ministry of Health and Prevention are also said to be affected.

The threat actor released a few samples and claimed to have access to personally identifiable information (PII) belonging to various government personnel. The samples included the roles, genders and email addresses of high-ranking individuals.

Hackers exposed samples from the UAE attack

The threat actor purportedly posted screenshots of internal data from several prominent UAE government agencies, showing samples of PII such as names, roles and contact details, and claimed to have obtained the PII of high-ranking government personnel.

If genuine, the samples raise concerns about the safety of government employees and the integrity of national activities. The hacker's sudden appearance casts doubt on the accuracy of the claims, but it could also indicate a high-risk situation.

Such a compromise could have serious repercussions for public safety, national security and the UAE's economic stability. The cybersecurity community is watching events closely and stressing the need for a prompt and thorough government investigation to determine the full scope of the alleged hack and limit any possible harm.

Experts advise caution over the UAE attack claims

The hacker's sudden rise to prominence and the lack of any track record of similar activity raise questions about the veracity of the claims.

There has been no independent confirmation of the breach, and neither the UAE government nor the affected agencies have addressed the allegations so far. The Cyber Express team has contacted the Telecommunications and Digital Government Regulatory Authority (TDRA) in Dubai for further details.

The large number of affected organisations and the type of data allegedly stolen point to a sophisticated, well-planned operation, which sits oddly with the image of a lone, inexperienced hacker.

Cactus Ransomware Exposes Thousands of Vulnerable Qlik Sense Servers

Many organisations remain dangerously exposed to the Cactus ransomware group, despite security researchers having warned of the threat five months ago. Cactus exploits three vulnerabilities in Qlik Sense, Qlik's data analytics and business intelligence platform. In August 2023 Qlik disclosed two of them, affecting multiple versions of Qlik Sense Enterprise for Windows: CVE-2023-41265, an HTTP request tunnelling flaw, and CVE-2023-41266, a path traversal flaw.

Chained together, these flaws allow an unauthenticated remote attacker to execute arbitrary code on affected systems. In September, Qlik disclosed a third vulnerability, CVE-2023-48365, which bypassed its fix for the two August flaws. Two months later, Arctic Wolf reported that Cactus ransomware operators were exploiting the three vulnerabilities to gain an initial foothold in targeted environments.

At the time, the vendor was warning customers about multiple attacks exploiting the Qlik Sense vulnerabilities and about a rapidly developing Cactus campaign. Many organisations evidently have not got the memo: a scan conducted by Fox-IT on April 17 found 5,205 Qlik Sense servers exposed to the internet, of which 3,143 were still vulnerable to the exploits used by Cactus.

Most of the vulnerable servers are in countries that host relatively many Qlik Sense servers: Italy (280 exposed servers), Brazil (244), and the Netherlands and Germany (241 each). Threat actors have been reported to target Qlik Sense servers through these software vulnerabilities while misleading victims with elaborate stories, according to Cyber Security News.

Shadowserver's figures agree: roughly 5,200 Qlik servers are exposed to the internet, of which about 3,100 are vulnerable to exploitation by Cactus. In the Netherlands, 241 exposed systems were identified, six of which had already been compromised. An existing Nuclei template can be used to find vulnerable Qlik Sense servers exposed to the internet.

Fox-IT's research involved several steps to build the list of vulnerable and compromised servers. Researchers identified vulnerable servers using the server's "product-info.json" file, which contains release label and version numbers that reveal the exact version of the running Qlik Sense installation.

The release label parameter holds a value such as "February 2022 Patch 3", which gives the release and patch level of the Qlik Sense installation and can be matched against the relevant advisory. The file can be retrieved with a cURL request that addresses product-info.json as if it were a .ttf (TrueType font) file: font files are served by Qlik Sense without authentication, and a 400 Bad Request response can be avoided by sending a "Host: localhost" header.

A patched server answers with a 302 redirect ("Authenticate at this location"), whereas a vulnerable server returns 200 OK with the file contents. A 302 response, or a release label containing "November 2023", is treated as non-vulnerable. With this method, Fox-IT found thousands of vulnerable servers.
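As an added example (not code from Fox-IT, Qlik or this post), the Python script below applies the decision rule just described to probe responses, and goes slightly beyond the text by also parsing the release label into year and patch number so that results can be sorted by age. The probe path and the JSON field names (composition.releaseLabel, composition.version) are assumptions to verify against a server you are authorised to test; the sample responses are constructed, so the script runs offline.

```python
"""Classify Qlik Sense servers from the unauthenticated product-info.json probe.

Added example, not Fox-IT's or Qlik's code. Assumptions (marked below): the
probe URL form and the JSON field names under "composition".
"""
import json
import re
import ssl
import urllib.error
import urllib.request

# Assumption: the version file, requested as if it were a font file so the proxy
# serves it without authentication, as the text describes.
PROBE_PATH = "/resources/autogenerated/product-info.json?.ttf"

# Rule from the text: a release label containing this string is treated as fixed.
FIXED_RELEASE_MARKER = "November 2023"

# Matches labels such as "February 2022 Patch 3" or "November 2023 Initial Release".
LABEL_RE = re.compile(r"^(?P<month>[A-Z][a-z]+) (?P<year>\d{4})(?: Patch (?P<patch>\d+))?")

# Constructed sample responses (not real server output) for offline demonstration.
SAMPLE_VULNERABLE = (200, json.dumps({"composition": {
    "productName": "Qlik Sense", "version": "14.54.2", "releaseLabel": "February 2022 Patch 3"}}))
SAMPLE_FIXED_RELEASE = (200, json.dumps({"composition": {
    "productName": "Qlik Sense", "version": "14.129.3", "releaseLabel": "November 2023 Patch 1"}}))
SAMPLE_PATCHED_302 = (302, "")
SAMPLES = {"host-a.example": SAMPLE_VULNERABLE,
           "host-b.example": SAMPLE_FIXED_RELEASE,
           "host-c.example": SAMPLE_PATCHED_302}


def parse_release_label(label: str) -> dict:
    """Split a Qlik release label into month, year and patch number (0 if none)."""
    m = LABEL_RE.match(label.strip())
    if not m:
        return {"month": None, "year": None, "patch": None}
    return {"month": m.group("month"), "year": int(m.group("year")),
            "patch": int(m.group("patch") or 0)}


def classify(status: int, body: str) -> dict:
    """Apply the page's decision rule to one (status, body) probe response.

    302 -> patched (server demands authentication for the file)
    200 with FIXED_RELEASE_MARKER in the release label -> patched
    200 otherwise -> vulnerable
    anything else, or an unparsable body -> unknown
    """
    if status == 302:
        return {"verdict": "patched", "reason": "302 redirect to authentication"}
    if status != 200:
        return {"verdict": "unknown", "reason": f"unexpected HTTP status {status}"}
    try:
        info = json.loads(body)
    except json.JSONDecodeError:
        return {"verdict": "unknown", "reason": "200 but body is not JSON"}
    comp = info.get("composition", {})          # assumption: fields live here
    label = comp.get("releaseLabel", "")
    version = comp.get("version", "")
    if FIXED_RELEASE_MARKER in label:
        return {"verdict": "patched", "reason": f"release label '{label}'", "version": version}
    return {"verdict": "vulnerable", "reason": f"release label '{label}' predates fix",
            "version": version, **parse_release_label(label)}


def triage(results: dict) -> dict:
    """Map host -> verdict for a batch of {host: (status, body)} responses."""
    return {host: classify(status, body)["verdict"] for host, (status, body) in results.items()}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following the 302, so the redirect itself is observed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(host: str, timeout: float = 5.0) -> tuple:
    """Send the probe to a live host. Only use against systems you are authorised to test."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # self-signed certificates are common on these servers
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(f"https://{host}{PROBE_PATH}", headers={"Host": "localhost"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 302/4xx/5xx surface here with their status code
        return e.code, ""


if __name__ == "__main__":
    for host, verdict in triage(SAMPLES).items():
        print(f"{host}: {verdict}")
```

To run against real targets, replace the constructed SAMPLES with `{host: probe(host) for host in hosts}`; servers returning `unknown` (a non-JSON 200, or an unexpected status) deserve a manual look rather than being assumed safe.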

Fox-IT shared the information it collected with the Dutch Institute for Vulnerability Disclosure (DIVD) and with other Dutch authorities, the NCSC and the Digital Trust Center (DTC). Besides notifying victims at national level, the DIVD also informed officials and specialists in other countries who could act on the information. At the time of the scan there were 5,205 Qlik Sense servers reachable from the internet worldwide, 3,143 of them vulnerable to attack.

Cactus has attacked the Dutch servers in the same way every time, which suggests this is the group's preferred attack route worldwide. A total of 122 Qlik servers have been found compromised in the campaign so far, and researchers assess with high probability that Cactus is responsible. Protecting these servers against the threat requires updating them.

The Digital Trust Center (DTC), part of the Ministry of Economic Affairs, notified Dutch companies of the threat so that they could take precautions. The DIVD also notified several foreign cyber organisations, including the US Cybersecurity & Infrastructure Security Agency (CISA) and the FBI, of the vulnerable servers.

Several recent ransomware attacks on Dutch companies and institutions have rattled the country. Victims have included the Dutch Football Association (KNVB), the VDL Group, Maastricht University, the municipality of Hof van Twente, Radio Nederland, the Netherlands Organisation for Scientific Research and MediaMarkt. In most cases a ransom was demanded in return for the decryption key.

In the past year the Digital Trust Center warned more than 140,000 Dutch companies about specific cyber threats. To reduce the risk of exploitation, organisations running Qlik Sense servers are advised to update promptly to the latest version in line with Qlik's security advisories.

Hackers Expose 190GB of Alleged Samsung Data

The hackers who leaked confidential information from Nvidia have now turned their attention to Samsung. The group, known as Lapsus$, is suspected of taking 190GB of data from Samsung, including source code, some of it encryption-related, for many of the company's new devices.

On Saturday the hackers leaked the data taken in the attack, making it available via torrent. In a note to their followers, seen by Bleeping Computer, they split the full dump into three parts and included a text file describing the contents of the download.

According to the note, the leaked material includes "source code from every Trusted Applet" installed on every Samsung smartphone, "confidential Qualcomm source code", the algorithms for "all biometric unlock operations", bootloader source code for the devices, and source code for Samsung's activation servers and Samsung account authentication, including APIs and services.

In short, the Lapsus$ leak targets Samsung's GitHub repositories: mobile defence engineering, the Samsung account backend, the Samsung Pass backend and frontend, and SES, which covers Bixby, SmartThings and the store.

The Samsung attack follows the group's attempt to extort Nvidia. Notably, that demand was not a straightforward request for money: the hackers asked Nvidia to remove the Ethereum mining limiter it had placed on its 30-series GPUs and to open-source its GPU drivers permanently.

The group's updates show it is also after money from the leaked data. One post offered to sell a bypass for the Nvidia GPU hash-rate limiter for $1 million. Another message, reported by The Verge, said the group was trying to sell the data directly to a buyer rather than releasing it publicly.

Last Monday Nvidia confirmed the breach, acknowledging that "employee credentials" and "proprietary information" had been leaked. It disputed any link between the attack and the ongoing Russia-Ukraine crisis and said the attack would not affect its operations.

So far there are no reports of Lapsus$ making a similar demand of Samsung. If it does, Samsung is likely to suffer a significant setback, given the kind of data the group now claims to hold.