Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Leak. Show all posts
Privacy
Cyberattacks CyberCrime Cyberhackers Cybersecurity CyberThreat Data Leak Microsoft Power Pages Misconfiguration Privacy

Data Leak Reported Due to Power Pages Misconfiguration


 

The Power Pages platform from Microsoft offers users an easy-to-use, low-code platform that enables them to build data-driven websites with only a little bit of programming knowledge or experience. In both the public and private sectors, companies large and small rely on this tool to facilitate the collection and analysis of data that can assist them with all manner of problems that may arise from customers or citizens seeking information to solve a problem. 

There may be other issues regarding these web pages, such as the possibility of leaks of sensitive information for their respective organizations as well if the settings for these web pages are not set up properly.  According to cybersecurity researchers, a new vulnerability has been discovered in Microsoft Power Pages that stems from misconfigured access controls within websites built with this platform that can expose sensitive data. 

If the vulnerability resulted in millions of sensitive business records being exposed to unauthorized users, this could pose a serious security risk for affected organizations as a result. It is an application service platform, that is based on the Power Platform, and offers developers a low-code platform that can be used to build externally facing websites on top of Microsoft's infrastructure without a lot of coding. 

To guarantee a layer of access control, the Power Pages system uses a layered approach when it comes to writing a custom website. A site's permissions can be configured from a table level, a column level, or a column-level. Despite these risks, misconfigurations of these settings can unintentionally expose sensitive data to the public internet when businesses misconfigure these settings.  Organizers can expose more columns to the Web API than are necessary, thereby increasing the potential attack surface of their applications. 

According to Aaron Costello, AppOmni's chief of SaaS security research, Power Pages users have to pay more attention to the software's security settings to ensure their information is protected, especially given the product's popularity. It was announced earlier this year that websites that are created using Power Pages have over 250 million users every month, according to a statement from Microsoft.  Several AppOmni and Microsoft 365 customers are now using AppOmni Insights to assist with the detection of these kinds of exposures and to provide subsequent remediation guidance if such exposures are found. 

For a detailed understanding of how these kinds of vulnerabilities can arise, it is worthwhile to first understand the platform's RBAC model and how Power Pages are constructed. In contrast to traditional custom web development, Power Pages has the following main advantages: out-of-the-box (OOB) role-based access control (RBAC), the option of using Microsoft's Dataverse as the database automatically and the ease of a drag-and-drop interface, which is made possible by prebuilt components, which greatly reduces the need for custom code in the design of the web site. 

Affording too many permissions to roles like "Anonymous Users" (non-authenticated visitors) and "Authenticated Users" (authenticated visitors) may expose an organization to potential data leaks, which may not have been anticipated. It is worth noting that Microsoft's customers have the option of easily deploying these data-driven web applications. However, if these applications are mismanaged from a security perspective, they may have a heavy cost to pay for their security. This data is primarily made up of internal organization files as well as sensitive personal information regarding both users from inside the organization and those who register on the website and are registered to either organization. 


PII was recovered from most of these cases and consisted of full names, email addresses, phone numbers, and addresses for the home, in the majority of cases.  The information of over 1.1 million NHS employees was leaked by a large shared business service provider to the NHS, with many parts of the data including email addresses, telephone numbers, and even the addresses of the employees' homes, and this was being done without the employee's knowledge. 

In this particular case, the findings were fully disclosed responsibly and have been resolved since then. A lack of understanding of the access controls in Power Pages, as well as insecure custom code implementations are the main reasons for these data leaks. With excessive permissions given to unauthenticated users, any user may be able to extract records from the database if they have access to the readily available Power Page APIs available on the web. 

A Power Pages site also allows users to generate accounts and become authenticated with the help of APIs once they have registered. Users from outside of the company can also be granted global access for reading operations on the system. Researchers identified that the absence of column-level security in Microsoft Power Pages could enable unauthorized individuals to access sensitive data without restrictions. Additionally, it was noted that users often fail to replace sensitive information with masked strings, further exacerbating security vulnerabilities. 

In response, Microsoft has implemented multiple safeguards within the backend of Power Pages and Power Platform Apps. These measures include warning banners across all Power Platform admin console pages, as well as prominent alerts and warning icons on the table permissions configuration page of Power Pages. These updates aim to help administrators identify and address potentially risky configurations. This incident underscores the importance of proactive security practices in safeguarding sensitive data. Organizations utilizing Power Pages are encouraged to review and strengthen their configurations to mitigate risks and enhance overall security.
Read more »
User Security
B2B Data Breach Data Leak Demand science User Security

Data Aggregator Breach Exposes Data of 122 Million Users

 

Pure Incubation, currently known as DemandScience, allegedly experienced a data breach earlier this year, resulting in the theft of critical data, including contact information. 

The impacted entity is a B2B demand-generation and data aggregator that collects, collates, and organises data from public sources to create a comprehensive dataset that digital marketers and advertisers can use to create rich "profiles" for lead generation or marketing material. 

Furthermore, this organisation gathered data from public and third-party sources, including full names, physical addresses, email addresses, phone numbers, employment titles and positions, and social media links. 

The alleged cause of the data breach is an unsecured system on Pure Incubation, which allowed a threat actor known as 'KryptonZambie' to sell around 132.8 million documents on BreachForums starting last February.

On the other side, the data aggregator persisted on one of the enquiries, stating that there was no evidence of a hack. However, a follow-up email asking if the leaked data samples belonged to them went unanswered.

Furthermore, the senior director of corporate communications stated that a post from a black hat hacker criminal website triggered them to activate their security and incident response systems. The company also stated that its systems are completely working and that its first investigation did not find any sign of a hack or data breach. Still, it assured every concerned party that it constantly monitored the issue. 

On August 15, 2024, KryptonZambie made the dataset available for eight credits, which is equivalent to a few dollars. This disclosure forced the company to verify the data's legitimacy. However, the confirmation stated that anyone who was exposed to the DemandScience leak did so through a system that had been discontinued two years ago. 

The 122 million unique email addresses from the stolen dataset have been added to Have I Been Pwned, and impacted subscribers will be notified of the incident. Therefore, the individuals who may have been affected by the data leak should be vigilant of any unsolicited contacts, since threat actors can already carry out targeted phishing operations.
Read more »
User Privacy
Data Breach Data Leak Employee Data MOVEit Attack User Privacy

Amazon Employee Data Leaked in MOVEit Attack Fallout

 

Amazon has confirmed that some employee data was accessed last year, presumably as part of the huge MOVEit hacking campaign. A hacker recently revealed on the BreachForums cybercrime forum that they had stolen Amazon employee information, such as names, phone numbers, email addresses, job titles, and other job-related information. 

The hacker claimed the data came from the 2023 MOVEit attack, which entailed exploiting a zero-day vulnerability in Progress Software's MOVEit file transfer software to gather sensitive information from thousands of organisations that had used the program. 

The MOVEit campaign, which is widely thought to have been carried out by the Cl0p ransomware group, impacted about 2,800 organisations and compromised the data of approximately 100 million people. 

Amazon confirmed the data theft in a statement released earlier this week, but added several important details. According to the firm, the data was obtained via a third-party property management vendor; neither Amazon or AWS systems were compromised. 

The incident impacted several of the third-party vendor's clients, including Amazon. Amazon stated that only employee work contact information, such as work email addresses, desk phone numbers, and building locations, were revealed, while other, more sensitive information, such as Social Security numbers and financial information, were not compromised. 

The hacker claims that the Amazon employee database has nearly 2.8 million records, however it is unknown how many employees are affected. The same hacker has also leaked employee data from BT, McDonald's, Lenovo, Delta Airlines, and HP. The data appears to be the result of the same MOVEit breach that targeted the same real estate services company that housed Amazon employee information.
Read more »
User Security
American Firm Data Breach Data Leak Hot Topic User Privacy User Security

Hot Topic Data Breach Exposes Private Data of 57 Million Users

 

Have I Been Pwned warns that an alleged data breach compromised the private data of 56,904,909 Hot Topic, Box Lunch, and Torrid users. Hot Topic is an American retail franchise that specialises in counterculture-themed clothes, accessories, and licensed music merchandise. 

The firm has approximately 640 stores in the United States and Canada, mostly in shopping malls, with a large customer base.

According to HIBP, the exposed information includes full names, email addresses, birth dates, phone numbers, physical addresses, transaction history, and partial credit card data for Hot Topic, Box Lunch, and Torrid users. 

On October 21, 2024, a threat actor known as "Satanic" claimed responsibility for the security incident on BreachForum. The threat actor claims to have siphoned 350 million user records from Hot Topic and its subsidiaries, Box Lunch and Torrid. 

"Satanic" attempted to sell the database for $20,000 while also demanding a $100,000 ransom from Hot Topic to remove the ad from the forums. According to a HudsonRock report published on October 23, the intrusion could be the result of an information stealer malware infection that acquired credentials for Hot Topic's data unification service. 

While Hot Topic has stayed silent, and no notifications have been issued to potentially impacted users, data analytics firm Atlas Privacy revealed last week that the 730GB database impacts 54 million users. Atlas further highlighted that the collection contains 25 million credit card numbers encrypted with a poor cypher that can be easily broken by current computers. 

Although Atlas is not positive that the database belongs to Hot Topic, it did note that approximately half of all email addresses had not been seen in previous breaches, adding to the authenticity of the threat actor's claims. According to Altas, the hack appears to have occurred on October 19, with data ranging from 2011 until that date. 

The company has set up a website where Hot Topic consumers can see if their email address or phone number was compromised in the data breach. Meanwhile, the threat actor continues to offer the database, albeit for a lower cost of $4,000. Potentially impacted Hot Topic consumers should be wary of phishing attacks, keep track of their financial accounts for strange activity, and change their passwords on all platforms where they use the same credentials.
Read more »
Third Party App
Data Breach Data Leak Data Privacy Telecom Firm Third Party App

Hacker Claims to Publish Nokia Source Code

 

The Finnish telecoms equipment firm Nokia is looking into the suspected release of source code material on a criminal hacking site. See also: Gartner Market Guide for DFIR Retainer Services.

An attacker going by the handle "IntelBroker," who is also the proprietor of the current iteration of BreachForums, revealed on Thursday what he said was a cache of "Nokia-related source code" stolen from a third-party breach. The data consists of two folders: "nokia_admin1" and "nokia_etl_summary-data."

IntelBroker initially stated in a Last week's BreachForums post that he was selling the code, characterising it as a collection of "SSH keys, source code, RSA keys, Bitbucket logins, SMTP accounts, Webhooks, and hardcoded credentials."

A Nokia spokesperson stated that the company is "aware of reports that an unauthorised actor has alleged to have gained access to certain third-party contractor data, and possibly Nokia data." We will continue to constantly watch the situation." Last week on Tuesday, the hacker told Hackread that the data would cost $20,000.

IntelBroker told Bleeping Computer that the data came from Nokia's third-party service provider SonarQube. The hacker claimed to have gained access using a default password. SonarQube did not immediately reply to a request for comment.

In 2023, IntelBroker published online data stolen from a health insurance marketplace used by members of Congress, their families, and staffers. Earlier this year, he sparked a probe at the Department of State by uploading online papers purportedly stolen from government contractor Acuity. 

Third-party breaches at major firms are becoming more regular as companies improve their own cyber defences. Earlier this year, a slew of well-known brands, including AT&T, Ticketmaster, Santander Bank, automotive parts supplier Advance Auto Parts, and luxury retailer Neiman Marcus, were hit with breaches caused by a series of attacks on their accounts at cloud-based data warehousing platform Snowflake.
Read more »
Mexican Users
Cybernews Data Breach Data Leak Data Safety User Data Data Visualisation healthcare data breach Mexican Users

Massive Data Breach in Mexican Health Care Sector Exposes 5.3 Million Users’ Data

 

In a significant data breach, Cybernews researchers discovered a 500GB unprotected database from a Mexican health care company on August 26, 2024, exposing sensitive details of approximately 5.3 million people. Information in the leak included names, CURP identification numbers, phone numbers, email addresses, and details of payment requests. This security lapse occurred due to a misconfigured Kibana visualization tool, which left the database publicly accessible. While health records were reportedly not taken, the exposed CURPs (Mexican ID numbers akin to Social Security numbers) create risks for identity theft and phishing attacks. 

The breach has been attributed to Ecaresoft, a Texas-based firm specializing in cloud-based Hospital Information Systems, which provides services like Anytime and Cirrus. Over 30,000 doctors and 65 hospitals rely on Ecaresoft’s solutions for scheduling, inventory management, and patient data handling. However, a lapse in securing this information has now exposed users to heightened cybersecurity risks. Besides personal details, the exposed database included patients’ ethnicities, nationalities, religions, blood types, dates of birth, and gender, along with specifics about medical visits and fees. Although hackers were not directly responsible for this breach, the open database left users’ data vulnerable to any threat actors actively scanning for unsecured files online. 

Ecaresoft has yet to release a statement addressing the issue. As the database has since been removed from public access, it remains unclear how long it was available or if the affected users are aware of the potential risk. The breach highlights a common yet preventable security oversight, where sensitive data left unprotected can be indexed by search engines or accessed by unauthorized parties. This incident underscores the broader importance of robust password management and server configuration practices. Past cases, such as Equifax’s breach in 2017 caused by the use of “admin” as a password, illustrate how easily weak configurations can lead to large-scale data theft. Such security lapses continue to raise awareness of the need for secure, authenticated access in cloud-based and digital health care systems. 

Data security in health care remains a global challenge as hospitals and medical systems rapidly digitize, exposing user data to increasingly sophisticated cyber risks. As this incident reveals, health organizations must adopt robust security measures, such as regularly auditing databases for vulnerabilities and ensuring all access points are secure.
Read more »
User Privacy
Data Breach Data Leak UN Documents United Nations User Privacy

Over Thousand UN Documents Linked to Gender Equality Exposed Online

 

A database believed to belong to the United Nations Trust Fund to End Violence Against Women was uncovered unsecured online, containing financial records, bank accounts, staff details, victim testimonies, and other information. 

Jeremiah Fowler, a cybersecurity researcher, uncovered the database, which contained 228 GB of information, and reported it to vpnMentor. It lacked password protection, leaving the 115,141 files displayed unencrypted and accessible to anyone with an internet connection. 

While not confirmed, the database contained data that linked it to UN Women and the UN Trust Fund to End Violence Against Women, such as letters and documents addressed to the UN and stamped with UN insignia, with a specific reference to UN Women. 

Fowler discovered scanned passport documents and ID cards in the database, as well as specific details on staff roles such as names, job titles, salary information, and tax data. 

“There were also documents labelled as “victim success stories” or testimonies,” Fowler wrote in his report. “Some of these contained the names and email addresses of those helped by the programs, as well as details of their personal experiences. For instance, one of the letters purported to be from a Chibok schoolgirl who was one of the 276 individuals kidnapped by Boko Haram in 2014.” 

It is unclear how long the database has been exposed, whether it is managed by the UN Women organisation or a third party, and whether anyone outside of the organisation has accessed it. 

Fowler outlines a number of hypothetical possibilities in which the data might be exploited, including convincing spear phishing attempts that employ customised documents to target vulnerable email accounts. The records might theoretically also be used by a threat actor to obtain a high-level grasp of the organisational and the financial framework of the company. 

The UN Women organisation has an undated scam notice on its website, although the page dates back at least to July 2022, with an update in July 2024 that includes an instruction to use the Quantum procurement verification portal. 

Fowler notified the UN Information Security team about the unprotected database, and received a response that stated, "The identified vulnerability does not belong to us (the United Nations Secretariat) and is for UN Women. Please report the vulnerability to UN Women.”
Read more »
User Privacy
Data Breach Data Leak Kiosks Private Data Redbox User Privacy

Old Redbox Kiosks Hacked to Expose Customers’ Private Details

 

DVD Rental Service Redbox may be a thing of the past, but the data privacy issues it created for users may persist for some time. Redbox allows users to rent DVDs from its 24,000 autonomous kiosks throughout the United States. Its parent company, Chicken Soup for the Soul, declared bankruptcy in July 2024, after the emergence of streaming platforms such as Netflix and Prime Video decimated the DVD rental market. 

According to Ars Technica, one programmer reverse-engineered the hard drive of an old Redbox Kiosk and recovered users' names, emails, and rental histories from about a decade ago. In certain cases, Foone Turing, a California-based programmer, discovered parts of users' credit card data stored on hard drives, such as the first six and last four numbers of the credit card used, as well as transaction history. 

Turing stated in a social media post that she tracked down a film fan from Morganton, North Carolina, who supposedly rented The Giver and The Maze Runner in 2015. According to her, "anyone with basic hacking skills could easily pull data manually out of the files with a hex editor," completing: "This is the kind of code you get when you hire 20 new grads who technically know C# but none of them have written any software before.”

The programmer claims she didn't even need to utilise a physical kiosk to retrieve the old data; instead, she employed an uploaded hard drive she discovered on the social network Discord. The announcement comes as old Redbox kiosks are becoming rarities in some circles. According to the Wall Street Journal, a 19-year-old North Carolina resident acquired one after speaking with a contractor hired to dispose of one. 

Unfortunately, any victims impacted may have limited legal options, since "it may be difficult to hold a bankrupt company accountable," according to The Electronic Frontier Foundation. However, as Lowpass points out, Redbox kiosks may have only saved identifiable personal data locally if an internet or power outage prevented it from being sent to the cloud.
Read more »
Ransomware attack
8Base 8Base Ransomware corporate cyber attacks Cyber Attacks Dark Web Data Leak data security Ransomware attack

Nidec Corporation Ransomware Attack: Data Leak on Dark Web

 

In a recent disclosure, Nidec Corporation, a global leader in precision motors and automotive components, confirmed a significant data breach from a ransomware attack that occurred earlier this year. Hackers, after failing to extort the company, leaked stolen data on the dark web. This breach did not involve file encryption, but the stolen information has raised concerns for employees, contractors, and associates regarding potential phishing attacks. Nidec operates in over 40 countries and has an annual revenue exceeding $11 billion. 

The affected division, Nidec Precision, is based in Vietnam and specializes in manufacturing optical, electronic, and mechanical equipment for the photography industry. An internal investigation revealed that hackers accessed a server using stolen VPN credentials of a Nidec employee. This server contained sensitive documents, including business letters, purchase orders, invoices, health policies, and contracts. Over 50,000 files were compromised in the breach. The company responded by closing the entry point and implementing additional security measures as advised by cybersecurity experts. 

Employees are undergoing further training to reduce future risks, with Nidec notifying business partners who may have been affected. The attack was initially claimed by the 8BASE ransomware group in June, who alleged they stole personal data and a large volume of confidential information from Nidec’s systems. In July, the Everest ransomware group also published stolen data on the dark web, suggesting a connection to 8BASE and initiating a secondary extortion attempt. While Nidec has confirmed the authenticity of the stolen data, it downplayed the potential for direct financial damage to the company or its contractors. 

However, the company remains vigilant and continues to monitor for any unauthorized use of the information. This attack underlines the vulnerability of even the largest corporations to cybercriminals and the importance of robust security measures. As ransomware groups continue to evolve their tactics, companies like Nidec must ensure they are prepared to mitigate threats and protect their sensitive data. 

The Nidec breach is a stark reminder of the ongoing risks in today’s interconnected business environment. In response to this breach, Nidec has implemented stronger security protocols and is actively educating its workforce on how to mitigate cybersecurity risks moving forward.
Read more »
User Security
Data Breach Data Leak Data Sale IntelBroker User Privacy User Security

Cisco Investigates Data Breach After Hacker Claims Sale of Data

 

Cisco has acknowledged that it is investigating reports of a data breach after a hacker began offering allegedly stolen firm data for sale on a hacking platform. As per a report in a local media outlet, the investigation was launched following claims made by a well-known hacker identified as “IntelBroker.”

“Cisco is aware of reports that an actor is alleging to have gained access to certain Cisco-related files,” a Cisco spokesperson stated. “We have launched an investigation to assess this claim, and our investigation is ongoing.” 

The allegations surfaced after IntelBroker claimed, along with two others designated as "EnergyWeaponUser" and "zjj," that they infiltrated Cisco's servers on June 10, 2024, and obtained a large amount of developer-related data.

IntelBroker's post on a hacking forum showed that the data would include "GitHub projects, GitLab projects, SonarQube projects, source code, hard-coded credentials, certificates, customer SRCs, Cisco confidential documents, Jira tickets, API tokens, AWS private buckets, Cisco technology SRCs, Docker builds, Azure storage buckets, private and public keys, SSL certificates, Cisco premium products, and more." The hacker uploaded samples of a database, client information, multiple files, and screenshots of customer management interfaces. 

According to a recent update from IntelBroker, the breach also involves the theft of sensitive data from other major global companies such as Verizon, AT&T, and Microsoft. The stolen data is now allegedly being offered for sale on the cybercrime platform Breach Forums, with IntelBroker specifying that the transaction would take place in exchange for Monero (XMR), a cryptocurrency known for its anonymity properties. 

The hacker expressed a willingness to use an intermediary to facilitate the sale, assuring anonymity for both the buyer and seller. This technique is often used by hackers to evade detection by authorities. 

IntelBroker, which is known for high-profile data thefts, has already claimed responsibility for compromising other prominent firms. In June 2024, IntelBroker reported that they had infiltrated Apple, taking source code for internal tools, as well as Advanced Micro Devices (AMD), stealing employee and product information. In May 2024, IntelBroker claimed to have hacked Europol, which the organisation later confirmed.

IntelBroker did not provide any specific details on the techniques employed to acquire the data. The stolen data originated from a third-party managed services provider that specialises in software development and DevOps, according to sources knowledgeable with the breaches who spoke with BleepingComputer. It's still unclear if the earlier June incidents and the recent Cisco hack are linked.
Read more »
Windows Defender
Data Leak Infostealer malware User Privacy User Security Windows Defender

New Yunit Infostealer Bypasses Windows Defender and Steals Sensitive Data

 

A new information-stealing malware has been discovered that is capable of exfiltrating a large amount of sensitive information while also disabling antivirus products to create persistence on target endpoints.

CYFIRMA cybersecurity researchers have published a detailed investigation of the infostealer known as Yunit Stealer. Yunit Stealer employs JavaScript to include system utility and cryptography modules, enabling it to do activities such as system information retrieval, command execution, and HTTP queries. It persists on the target device by altering the registry, adding jobs via batch and VBScript, and, finally, by setting exclusions in Windows Defender.

When it comes to infostealing, Yunit is just as effective as any other malware. It can steal system information, browser data (passwords, cookies, autofill information, etc.), and bitcoin wallet information. In addition to passwords, it can keep credit card information that is kept in the browser. 

Once the malware has gathered all of the data it deems useful, it will attempt to exfiltrate it via Discord webhooks or into a Telegram channel. It will also upload it to a remote site and provide a download link for future use. The URL will also include screenshots, allowing the threat actor to access the information while remaining anonymous and evading discovery. Accessing data using encrypted communication channels is also beneficial.

The fact that the Telegram channel was only established on August 31, 2024, and that it only has 12 subscribers, according to CYFIRMA, serves as further evidence that Yunit is a fledgling infostealer that has not yet proven its mettle. As an alternative, the Discord account isn't operational right now. 

Prevention tips 

Keep your systems updated: Regularly updating your operating system and software can help defend against known vulnerabilities that Yunit Stealer could exploit. 

Use trustworthy antivirus software: While Yunit Stealer can disable some antivirus products, choosing a reputable and often updated security solution provides an extra degree of protection. 

Avoid dubious links and downloads. Phishing attacks are frequently the starting point for malware infections. Use caution while opening email attachments or clicking on unexpected URLs. 

Monitor your accounts: Check your online accounts on a regular basis for strange behaviour, particularly those that store sensitive data such as passwords and credit card information.
Read more »
User Privacy
Auto Canada Cyber Attacks Data Leak data security User Privacy

Car Dealership Auto Canada Confirms Cyberattack, Alleged Data Leak

Car Dealership Auto Canada Confirms Cyberattack, Alleged Data Leak

Car dealership company Auto Canada warned that employee data might have been leaked in a ransomware attack claimed by the Hunters International ransomware group. In August 2024, the company suffered a company was hit by a cyber-attack. While Auto Canada hasn't reported any fraud campaigns directly impacting individuals, it has notified employees about the potential risks.

Earlier in August, the company was forced to shut down a few internal IT systems offline to limit a ransomware attack, which led to operational disruptions. Although the 66 dealerships continued business as usual, some customer service operations were disrupted causing delays.

Data Leaked?

Auto Canada didn't disclose any further information or updates, but the ransomware gang Hunters International claimed responsibility for the attack, posting the data on their portal.

The group leaked terabytes of data allegedly stolen from the car dealership- network storage images, confidential financial and HR documents, and databases. The released data includes employee records and executive details, sparking debates about the scale of the cyber-attack.

Auto Canada's Reply

Responding to the concerns, Auto Canada has published an FAQ page discussing about the cyber attack and details uncovered during the investigation. “Our investigation is ongoing, and encrypted server content is being restored and analyzed as part of our incident response.” says the FAQ page. “We are currently working to determine the full scope of the data impacted by the incident, which may include personal information collected in the context of your employment with AutoCanada.”

The allegedly leaked data includes name, date of birth, address, social insurance number, payroll details, bank account info, and scans of government-issued I'd documents.

What Happens to Affected People?

For impacted individuals, Auto Canada has offered a three-year free-of-cost Identity theft protection and credit monitoring coverage via Equifax, the enrollment deadline is valid until January 31, 2025. Auto Car says the compromised systems were separated from the main network, compromised accounts were taken down, the encryption process was shut down, and resetting of all admin account passwords.

Despite the implemented measures, Auto Car can't provide a 100% guarantee of such incidents happening in the future. While the company acknowledges the attack, it has taken a few measures to prevent future incidents:

  • Conducting cybersecurity training for employees
  • Reviewing security policies
  • Implementing threat detection and incident response programs
  • Conducting regular security audits

Read more »
Small Businesses
Australia Australian Businesses Customer Data Cyber Security awareness Data Breach Data Leak small business security Small Businesses

Small Trade Businesses Urged to Strengthen Security After Total Tools Data Breach

 

Small trade businesses are on high alert following a significant data breach at Total Tools, a major Australian hardware retailer, which exposed sensitive information of over 38,000 customers. This breach compromised customer names, credit card details, email addresses, passwords, mobile numbers, and shipping addresses, making small trade businesses potential targets for secondary cyberattacks. 

The CEO of the Council of Small Business Organisations Australia (COSBOA), Luke Achterstraat, emphasized the importance of heightened vigilance for businesses, especially those in the construction and trades sector, as they face increased risks of cyber threats. Achterstraat urged all businesses with online hardware accounts to monitor for any unusual activity in the coming days and weeks. He stressed the importance of protecting sensitive data, finances, and client information from potential scams and fraud. COSBOA recommends businesses to immediately review their security protocols, change all passwords linked to Total Tools accounts, and enable two-factor authentication where possible to minimize the risk of unauthorized access. 

To further support small businesses, COSBOA is promoting the Cyber Wardens program, a free eLearning initiative funded by the Federal Government. This program is designed to help small businesses and their employees fortify their digital defenses against cyber threats, equipping them with the knowledge to identify and prevent cyberattacks. COSBOA has partnered with industry bodies such as the Master Builders Association, the National Timber and Hardware Association, and the Master Grocers Association to ensure that small businesses across Australia have access to the necessary resources to safeguard against cybercrime. 

With cyberattacks on the rise, especially in sectors like construction and trades, small businesses must stay informed and prepared. Hackers often exploit vulnerabilities in these industries due to the valuable data they handle, such as payment information, client details, and supplier contracts. Therefore, investing time in employee training and implementing cybersecurity best practices can significantly reduce the risk of future breaches. The recent data leak at Total Tools serves as a critical reminder that even trusted suppliers can fall victim to cyberattacks, putting customers and affiliated businesses at risk. As more companies move toward digital solutions, the importance of cybersecurity can’t be overstated. COSBOA’s efforts, through the Cyber Wardens program, aim to create a more secure environment for Australia’s 2.5 million small businesses, ensuring they are well-equipped to tackle the ever-evolving cyber threats. 

In addition to joining cybersecurity programs, businesses should regularly update software, employ strong, unique passwords, and back up essential data to reduce the impact of potential breaches. By taking these proactive steps, small trade businesses can enhance their digital security, ensuring they remain resilient against future cyber threats.
Read more »
threat report
Construction Firm Cyber Attacks Data Leak Data Privacy threat report

Construction Firms Targeted in Brute Force Assaults on Accounting Software

 

Unidentified hackers have targeted construction firms using Foundation accounting software, security experts revealed earlier this week. 

According to cybersecurity firm Huntress, the hackers hunt for publicly available Foundation installations on the internet and then test combinations of default usernames and passwords that allow for administrative access.

Huntress claimed it has detected active software breaches from organisations in the plumbing, concrete, and heating, ventilation, and air conditioning (HVAC) industries. The researchers did not specify whether the attacks were effective or what their purpose was. 

Foundation Software, the platform's Ohio-based developer, stated that it was working with Huntress to clarify some of the report's information. 

“The event potentially impacted a small subset of on-premise FOUNDATION users. It did not at all impact the bulk of our accounting users, which are under our secure, cloud-based [software-as-a-service] offering. It also did not impact our internal systems or any of our other product offerings through our subsidiary companies,” Foundation stated. 

The Huntress analysts stated they noticed the malicious behaviour targeting Foundation last week. On one host, the researchers discovered approximately 35,000 brute-force login attempts against the Microsoft SQL Server (MSSQL) used by the organisation to manage its database operations. 

Typically, such databases are kept secret and secure behind a firewall or virtual private network (VPN), but Foundation "features connectivity and access by a mobile app," researchers noted. This means that a specific TCP port, which is designed to regulate and identify network traffic on a computer, may be made open to the public, allowing direct access to the Microsoft SQL database. 

According to the report, Foundation users often used default, easy-to-guess passwords to protect high-privilege database accounts.

“As a result of not following recommendations and security best practices that were provided (one example being not resetting the default credentials), this small subset of on-premise users might face possible vulnerabilities,” Foundation noted. “We have been communicating and providing technical support to these users to mitigate this.” 

Huntress stated it detected 500 hosts running the Foundation software, and nearly 33 of them were publicly exposed with unchanged default credentials. 

“In addition to notifying those where we saw suspicious activity, we also sent out a precautionary advisory notification to any of our customers and partners who have the FOUNDATION software in their environment,” Huntress concluded.
Read more »
Rhysida ransomware gang
Cyber Security Data Leak data security Lawsuits Ransomware attack Ransomwares Rhysida Rhysida Ransomware Rhysida ransomware gang

Columbus Faces Scrutiny for Handling of Ransomware Attack and Lawsuit Against IT Consultant

 

In July, Columbus, Ohio, experienced a ransomware attack, which initially appeared to be a typical breach. However, the city’s unusual response sparked concern among cybersecurity experts and legal professionals. IT consultant David Leroy Ross, also known as Connor Goodwolf, uncovered a significant breach exposing sensitive data from various city databases, including arrest records, domestic violence cases, and personal information. 

This attack, carried out by the Rhysida Group, affected the city, police, and prosecutor’s office, with some databases going back to 1999. Goodwolf, whose expertise involves monitoring dark web activities, discovered that over three terabytes of data had been stolen. Among the exposed data were personal identifiable information, protected health information, and social security numbers. Goodwolf expressed particular concern over the exposure of sensitive information involving minors and domestic violence victims, emphasizing that they were now victimized a second time. 

Despite the serious implications, the city’s response appeared to downplay the breach. At a press conference in mid-August, Columbus Mayor Andrew Ginther claimed that the stolen data was encrypted or corrupted, making it largely unusable. Goodwolf, however, contradicted this statement, revealing that the data he found was intact and usable. When he attempted to notify city officials, he was met with resistance and a lack of cooperation. As a result, Goodwolf turned to the media, which led the city of Columbus to file a lawsuit and secure a temporary restraining order against him. The lawsuit, intended to prevent the further dissemination of sensitive information, raised concerns in the cybersecurity community. 

Legal experts pointed out that such lawsuits against data security researchers are uncommon and could have broader implications. Raymond Ku, a professor of law, noted that lawsuits against researchers typically arise when the disclosure of a vulnerability puts others at risk. However, cybersecurity professionals, such as Kyle Hanslovan, CEO of Huntress, argued that Goodwolf was acting as a responsible researcher. Hanslovan warned that this approach could set a dangerous precedent, silencing individuals who work to expose breaches. The city defended its actions, stating that it sought to prevent the release of confidential information, including undercover police identities. Although the restraining order expired, Columbus continues its civil lawsuit against Goodwolf, seeking up to $25,000 in damages. 

As Columbus works to recover from the attack, the broader implications of its actions toward Goodwolf remain a point of contention. Experts argue that the case highlights the need for a legal framework that balances the protection of sensitive information with the role of security researchers in revealing vulnerabilities. As Columbus strives to position itself as a tech hub, this legal battle could affect its reputation and relationships within the tech industry.
Read more »
Stolen Data
ALPHV/BlackCat Automotive Industry Cyber Attacks Dark Web Data Leak Ramsomware RansomHub RansomHub ransomware Stolen Data

Kawasaki Motors Europe Targeted by RansomHub Ransomware Attack

 

Kawasaki Motors Europe has been targeted by a ransomware attack orchestrated by the RansomHub gang, causing significant disruption to its services. The company, responsible for distributing and selling Kawasaki’s motorcycles across Europe, swiftly responded by isolating its servers to contain the threat. IT teams collaborated with external cybersecurity experts to analyze and cleanse systems of any lingering malware. Kawasaki aims to have 90% of its server infrastructure back online shortly, ensuring that business operations, including dealerships and supply chains, remain unaffected. 

The RansomHub group, a rising cybercriminal organization, claimed responsibility for the attack and added Kawasaki to its extortion portal on the dark web. According to the threat group, 487 GB of data was stolen, and they threatened to leak this information if their demands weren’t met. The data theft’s scope, particularly whether it includes sensitive customer details, remains unclear. Despite these developments, Kawasaki has not commented on the situation or responded to inquiries from cybersecurity analysts and reporters. 

RansomHub has gained significant traction in recent months, filling the void left by the now-defunct BlackCat/ALPHV ransomware operation. This has resulted in a surge of attacks against high-profile organizations, with RansomHub’s affiliates targeting critical sectors such as healthcare, retail, and manufacturing. The group’s growing notoriety was highlighted in a joint advisory issued by the FBI, CISA, and the Department of Health and Human Services, which reported over 200 victims of the ransomware group in the U.S. alone since February. The attack on Kawasaki emphasizes the evolving threat posed by ransomware groups and the importance of proactive cybersecurity measures. 

For businesses like Kawasaki, robust security protocols, regular updates, and swift incident response are critical in mitigating the risk of data breaches. The company’s efforts to cleanse infected servers highlight the importance of collaboration between internal IT teams and external cybersecurity experts in recovering from attacks. To protect against future breaches, organizations must invest in advanced threat detection technologies, ensure comprehensive patch management, and prioritize employee cybersecurity training. 

With cybercriminal groups like RansomHub becoming increasingly organized and opportunistic, adopting a layered defense strategy is vital for reducing exposure to such attacks. Kawasaki’s situation serves as a reminder of the growing challenges organizations face in safeguarding sensitive data from evolving cyber threats and the need for constant vigilance in a rapidly changing digital landscape.
Read more »
Technology
Data Breach Data Leak Data Privacy Hacktivism Hacktivist Internet Technology

Hacktivism: How Hacktivists are Using Digital Activism to Fight for Justice

Hacktivism: How Hacktivists are Using Digital Activism to Fight for Justice

What is Hacktivism?

Hacktivism, a blend of hacking and activism, has become a major threat in the digital landscape. Hacktivists are driven by political, religious, and social aims, they use different strategies to achieve their goals, and their primary targets include oppressive institutions or governments.

Hacktivists are known for using their technical expertise to drive change and have diverse aspirations, from free speech advocacy and protesting human rights violations to anti-censorship and religious discrimination. 

Data Leaks, Web Defacements, and DDoS Attacks

A recent report by CYFIRMA reveals that hacktivists believe themselves to be digital activists and work for the cause of justice, attacking organizations that they think should be held responsible for their malpractices. “Operation ‘Hamsaupdate’ has been active since early December 2023, where the hacktivist group Handala has been using phishing campaigns to gain access to Israel-based organizations. After breaching the systems, they deploy wipers to destroy data and cause significant disruption.” 

While few target local, regional, or national issues, other groups are involved in larger campaigns that expand to multiple nations and continents.

DDoS Attacks

A general tactic hacktivists use involves DDoS attacks. These attacks stuff websites with heavy traffic, disrupting servers and making sites inaccessible. Hacktivists employ diverse DDoS tools, ranging from botnet services and web-based IP stressors, to attack different layers of the OSI (Open Systems Interconnection) model.

Web Defacement Attacks

Hacktivists modify the website content in Web defacement to show ideological or political agendas. The motive is to humiliate the website owners and spread the idea to a larger audience.

Hacktivists can easily deface websites by exploiting flaws like SQL injection or cross-site scripting.

Data Leaks

Hacktivists also indulge in data leaks, where they steal sensitive data and leak it publicly. This includes personal info, confidential corporate data, or government documents. The aim here is to expose corruption or wrongdoings and hold the accused responsible in the eyes of the public.

Geopolitical Motives

Hacktivist campaigns are sometimes driven by geopolitical tensions, racial conflicts, and religious battles. The hacktivists are sometimes involved in #OP operations, the CYFIRMA report mentions. 

For instance, “#OpIndia is a popular hashtag, used by hacktivist groups from countries such as Pakistan, Bangladesh, Indonesia, Turkey, Morocco, and other Muslim-majority countries (as well as Sweden) that engage in DDoS attacks or deface Indian websites, and target government, individuals, or educational institutions.”

Read more »
Personal Information
Customer Data Customer Data Exposed Cybersecurity Breach Data Breach Data Leak Data protection Personal Information

Avis Data Breach Exposes Over 400,000 Customers’ Personal Information

 

Over 400,000 customers of Avis, a prominent car rental company known for its presence at U.S. airports, have had their personal data compromised in a recent cybersecurity breach. The company revealed the incident to the public on Monday, stating that the breach occurred between August 3 and August 6. Avis, which is part of the Avis Budget Group, sent notifications to affected customers last week, advising them on how to protect themselves from potential identity theft or fraud. 

The Avis Budget Group, which owns both Avis and Budget, operates over 10,000 rental locations across 180 countries, generating $12 billion in revenue in 2023, according to its most recent financial report. However, the recent data breach has cast a shadow over its operations, highlighting vulnerabilities in its data security measures. In a data breach notice filed with the Iowa Attorney General’s office, Avis disclosed that the compromised information includes customer names, dates of birth, mailing addresses, email addresses, phone numbers, credit card details, and driver’s license numbers. 

A separate filing with the Maine Attorney General revealed that the data breach has impacted a total of 299,006 individuals so far. Texas has the highest number of affected residents, with 34,592 impacted, according to a report filed with the Texas Attorney General. The fact that sensitive personal information was stored in a manner that allowed it to be accessed by cybercriminals has raised serious questions about the company’s data protection practices. Avis first became aware of the data breach on August 5 and took immediate steps to stop the unauthorized access to its systems.

The company stated that it had launched a comprehensive investigation into the incident and enlisted third-party security consultants to help identify the breach’s origins and scope. Avis has not yet disclosed specific details about the nature of the attack, the vulnerabilities exploited, or the identity of the perpetrators, leaving many questions unanswered. This breach underscores the growing challenges faced by companies in protecting customer data in an increasingly digital world. While Avis acted quickly to contain the breach, the company’s reputation could suffer due to the extent of the data compromised and the sensitive nature of the information accessed. 

The breach also serves as a reminder of the importance of robust cybersecurity measures, especially for businesses that handle large volumes of personal and financial data. The incident has also prompted scrutiny from regulators and data privacy advocates. Many are questioning how sensitive customer information was stored and protected and why it was vulnerable to such an attack. Companies like Avis must ensure they are equipped with advanced security systems, encryption protocols, and regular audits to prevent such breaches from occurring in the future. As the investigation continues, Avis customers are advised to monitor their financial accounts closely, watch for signs of identity theft, and take appropriate measures.
Read more »
Ransomware
Cyber Security Data Data Leak data security Ransomware

Planned Parenthood Cyberattack: How Bad Actors Are Targeting Medical Institutions

Planned Parenthood Cyberattack: How Bad Actors Are Targeting Medical Institutions

The healthcare sector has become an increasingly attractive target for cybercriminals. The latest victim in this alarming trend is Planned Parenthood of Montana, which recently fell prey to a ransomware attack by a group known as RansomHub. This incident not only underscores the vulnerabilities within healthcare organizations but also highlights the broader implications of such breaches on public health and safety.

About the Attack

On September 1, 2024, Planned Parenthood of Montana announced that it had been targeted by a ransomware attack. The hackers, identified as the RansomHub group, claimed to have stolen approximately 93GB of sensitive data. They are now threatening to release this data unless a ransom is paid by September 11. The stolen data reportedly includes patient records, financial information, and internal communications, making this breach particularly concerning.

The Bigger Picture

The timing of this attack is especially significant. It comes at a moment when abortion rights advocates in Montana have successfully gathered enough signatures to put the issue on the ballot in November. This has raised suspicions that the attack may have political motivations, aiming to influence public opinion and voter behavior. Regardless of the hackers’ intentions, the breach has created a climate of fear and uncertainty among patients and staff alike.

What is the damage?

The immediate impact of the breach is multifaceted. For patients, the exposure of sensitive medical information can lead to severe emotional distress and potential discrimination. For the organization, the financial and reputational damage can be devastating. Planned Parenthood of Montana now faces the daunting task of securing its systems, notifying affected individuals, and potentially paying a hefty ransom to prevent the release of the stolen data.

How Can Organizations Stay Safe?

1. Invest in Advanced Security Technologies

Healthcare organizations must invest in cutting-edge security technologies such as artificial intelligence (AI) and machine learning (ML) to detect and respond to threats in real-time. These technologies can analyze vast amounts of data to identify unusual patterns and potential security breaches before they cause significant damage.

2. Implement Multi-Factor Authentication (MFA)

Multi-factor authentication adds an extra layer of security by requiring users to provide two or more verification factors to gain access to systems and data. This can significantly reduce the risk of unauthorized access, even if login credentials are compromised.

3. Data Encryption

Encrypting sensitive data ensures that even if it is stolen, it cannot be easily read or used by unauthorized individuals. Healthcare organizations should implement encryption protocols for data both at rest and in transit to protect patient information.

Read more »
Ransomware Outfit
Chipmaker Cyber Attacks Data Leak Ransomware attack Ransomware Outfit

Microchip Technology Confirms Private Data Stolen in Ransomware Attack

 

Microchip Technology has acknowledged that employee information was stolen from vulnerable systems in an August incident. The Play ransomware group later claimed responsibility. 

The chipmaker, headquartered in Chandler, Arizona, serves over 123,000 clients across a variety of industries, including industrial, automotive, consumer, aerospace and defence, communications, and computing. 

On August 20, Microchip Technology revealed that a cyberattack discovered on August 17 has disrupted operations across multiple production plants. The incident hampered the company's capacity to meet orders, forcing it to shut down parts of its systems and isolate those affected in order to manage the breach. 

In a Wednesday filing with the Securities and Exchange Commission, Microchip Technology stated that its operationally critical IT systems are now functioning, with operations "substantially restored" with the firm processing customer orders and shipping products for more than a week. 

Microchip Technology also stated that the attackers acquired some staff data from its systems, but it has yet to find proof that customer information was also compromised during the intrusion. 

"While the investigation is continuing, the Company believes that the unauthorized party obtained information stored in certain Company IT systems, including, for example, employee contact information and some encrypted and hashed passwords. We have not identified any customer or supplier data that has been obtained by the unauthorized party," Microchip Technology stated. 

"The Company is aware that an unauthorized party claims to have acquired and posted online certain data from the Company's systems. The Company is investigating the validity of this claim with assistance from its outside cybersecurity and forensic experts,” the chipmaker added. 

Investigating Play ransomware claim 

Microchip Technology continues to assess the scope and consequences of the cyberattack with external cybersecurity consultants. Restoring IT systems affected by the incident is currently ongoing. The company claims that it has been processing customer orders and delivering products for more than a week, despite the fact that it is still working on recovery after the attack. 

Even though Microchip Technology is still investigating the origin and scope of the hack, the Play ransomware gang claimed credit on August 29 by including the American chipmaker on its dark web data dump website. 

The ransomware outfit claimed that it had stolen "private and personal confidential data, clients documents, budget, payroll, accounting, contracts, taxes, IDs, finance information," among other things, from the infiltrated systems of Microchip Technology. 

Since then, the ransomware group has disclosed some of the allegedly stolen material and threatens to release the remaining portion if the company does not respond to the leak.

Notable Play ransomware victims include cloud computing firm Rackspace, car merchant Arnold Clark, the Belgian city of Antwerp, the City of Oakland in California, and, most recently, Dallas County.
Read more »
Subscribe to: Posts (Atom)