ICBC London Branch Hit by Ransomware Attack, Hackers Steal 6.6TB of Sensitive Data

 

The London branch of the Industrial and Commercial Bank of China (ICBC) recently fell victim to a ransomware attack, resulting in the theft of sensitive data. According to a report by The Register, which references information posted on the hackers' data leak site, the bank has until September 13 to meet the ransom demand or risk the stolen data being publicly leaked.

The attack was orchestrated by a group called Hunters International, who claim to have exfiltrated 5.2 million files, amounting to 6.6 terabytes of sensitive information. Despite being a relatively new name in the ransomware scene, some experts believe Hunters International is a rebranded version of Hive, a notorious ransomware group that was dismantled by the FBI in July 2022. At that time, the FBI successfully infiltrated the Hive group, seizing decryption keys and halting its operations.

Emerging approximately a year ago, Hunters International has shifted its focus toward data theft rather than system encryption. Some cybersecurity researchers suggest that developing and deploying encryption tools is complex and time-consuming, making data theft alone an equally profitable, yet simpler, approach for the group.

ICBC, the world’s largest bank by total assets and market capitalization, is a state-owned financial institution in China. It provides a variety of banking services, including corporate and personal banking, wealth management, and investment banking. With an extensive global presence, ICBC plays a significant role in funding infrastructure projects both domestically and abroad.

As of now, ICBC has not made any public statements regarding the attack or responded to requests for comment.

MyDeal Data Breach: 2.2 Million Customers' Details Exposed

 

Woolworths claims that the personal information of 2.2 million customers of a website it owns has been compromised. 

Woolworths-owned MyDeal announced today that "a compromised user credential was used to gain unauthorised access to its Customer Relationship Management (CRM) system, resulting in the exposure of some customer data." 

Woolworths said in a statement that it is in the process of contacting, by email, the estimated 2.2 million people affected. The data accessed includes customer names, email addresses, phone numbers, delivery addresses, and, in some cases, the customer's date of birth for anyone who has had to prove their age when purchasing alcohol. According to the company, only 1.2 million customers' email addresses were exposed.

"MyDeal does not store payment, driver's licence or passport details and no customer account passwords or payment details have been compromised in this breach," Woolworths said.

It stated that the Mydeal.com.au website and app were not affected. There has also been "no compromise of any other Woolworths Group platforms or the Woolworths Group customer or Everyday Rewards records".

MyDeal CEO Sean Senvirtne said, "We apologise for the considerable concern that this will cause our affected customers. We have acted quickly to identify and mitigate unauthorised access and have increased the monitoring of networks. We will continue to work with relevant authorities as we investigate the incident and we will keep our customers fully informed of any further updates impacting them."

Pieter van der Merwe, the chief security officer at Woolworths Group, stated that the company's "cyber security and privacy teams are fully engaged and working closely with MyDeal to support the response." Woolworths stated that the information of customers who were not contacted had not been accessed.

Shangri-La Reports Major Data Breach at Eight Hotels, Guests Data Leaked

 

A database breach at Shangri-La Group has potentially exposed the personal information of guests who stayed at its hotels in Singapore, Hong Kong, Chiang Mai, Taipei, and Tokyo. 

Mr. Brian Yu, the group's senior vice-president for operations and process transformation, stated in an e-mail to affected guests on Friday: "A sophisticated threat actor managed to bypass Shangri-La's IT security monitoring systems undetected and illegally accessed the guest databases." The breach occurred between May and July 2022, according to its investigation.

Around the same time, Asia's top security summit, the Shangri-La Dialogue, returned to Singapore after a two-year hiatus due to the pandemic. From June 10 to 12, the event was held at the eponymous Shangri-La hotel on Orange Grove Road near Orchard Road. In the e-mail sent to the affected guests, Mr. Yu confirmed that certain data files had been stolen from the breached databases.

"Although we were not able to confirm the content of the exfiltrated data files, it is likely that they contained guest data," he added.

Upon being asked whether the Shangri-La Dialogue was specifically targeted, a hotel spokesman said, “There is no evidence to suggest any specific hotel or event was singled out. As a matter of policy, we do not disclose information about our guests.” 

"Data related to the Shangri-La Dialogue was stored on a separate secure server and was not affected in this incident," stated a spokesman for the event's organiser, the International Institute for Strategic Studies (IISS).

The Singapore Cyber Security Agency mentioned that it is aware of the incident and urged organisations to regularly monitor and check their IT networks for signs of suspicious activity. The properties affected are listed below:

• Shangri-La Apartments, Singapore
• Shangri-La Singapore
• Island Shangri-La, Hong Kong
• Kerry Hotel, Hong Kong
• Kowloon Shangri-La, Hong Kong
• Shangri-La Chiang Mai
• Shangri-La Far Eastern, Taipei
• Shangri-La Tokyo

Following the discovery of unauthorised network activity, the hotel group said it hired cyber forensic experts to investigate the discrepancies. The databases of the hotels affected by this incident contained a combination of the following data sets: guest names, e-mail addresses, phone numbers, postal addresses, Shangri-La Circle membership numbers, reservation dates, and company names, according to the statement.

The hotel chain assured guests that there is currently no evidence that their personal information has been released or misused by third parties. As a precaution, in destinations where local regulations allow, it is providing affected guests with a one-year complimentary identity monitoring service provided by Experian, a third-party cyber security service provider.

"We deeply regret this has occurred and wish to assure you that all necessary steps have been taken to investigate and contain this incident. This notice provides information about what happened and how we can assist you," wrote Mr. Yu in the e-mail.

He assured guests that data such as passport numbers, ID numbers, dates of birth, and credit card numbers with expiry dates are encrypted. "Protecting our guests' information is very important to us and we wish to assure you that all necessary steps have been taken to further strengthen the security of our networks, systems, and databases. Once again, we deeply regret any inconvenience or concerns this incident may cause."

Angry Developer Leaks LockBit Ransomware Builder

 

The builder for the recently released 3.0 version of the LockBit encryptor, called LockBit Black, has been leaked online. According to the ransomware operation's public representative, LockBitSupp, the leak was not carried out by a hacker; rather, it is the work of a disgruntled developer.

About LockBit Black Builder

The latest version, LockBit Black, was in testing until June and included numerous advanced features, such as auto-analysis, a ransomware bug bounty program, and newer methods of extortion.

The builder came as a password-protected 7z archive, LockBit3Builder, comprising four files: a batch file, a builder, a modifiable configuration file, and an encryption key generator. Together, the files allow anyone to build the executables needed to launch their own operation, such as an encryptor, a decryptor, and tools to execute the decryptor in a specific way.

LockBit Ransomware’s Builder Leaks

A recently registered Twitter account with the handle @ali_qushji is under scrutiny by the security researchers of 3xport, as the Twitter user Ali Qushji claims that his team has gotten hold of LockBit servers and found a builder for the LockBit 3.0 ransomware encryptor.

“Unknown person @ali_qusji said his team has hacked the LockBit servers and found the possible builder of LockBit Black (3.0) ransomware” the Tweet read. 

On September 10, the researchers at VX-Underground were allegedly contacted by a user named protonleak (@protonleaks1), who shared a copy of the builder. The research agency further claimed that the ransomware group was not hacked, but the private ransomware builder code was leaked by one of the group’s developers. 

The developer, who was allegedly hired by the LockBit ransomware group, was discontented with the ransomware operator's leadership and leaked the builder in response.

"We reached out to LockBit ransomware group regarding this and discovered this leaker was a programmer employed by LockBit ransomware group [...] They were upset with LockBit leadership and leaked the builder." VX-Underground tweeted. 

Threat to the Ransomware Operators

According to John Hammond, a security researcher at Huntress Labs, "This leak of the builder software commoditizes the ability to configure, customize, and ultimately generate the executables to not only encrypt but decrypt files[...] Anyone with this utility can start a full-fledged ransomware operation."   

The leak consequently is a threat to ransomware operators, as the builder code is now accessible to other ransomware operators. As a result, many new versions of the builder will soon be circulated by the operators. Moreover, the leaked builder will give security researchers a chance to conduct a better analysis of the ransomware, and develop advanced software that could tackle future attacks.

Over 1,900 Signal User Data Exposed

 

The attacker involved in the latest Twilio data leak may have obtained phone numbers and SMS registration codes for 1,900 Signal users.

“Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered,” the Signal team shared on Monday.

Twilio provides phone number verification services (through SMS) to Signal. Earlier this month, several Twilio employees were duped by SMS messages that seemed to be from the company's IT department. The attacker gained access to information pertaining to 125 Twilio client accounts, including Signal's.

“During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code,” the Signal team explained.

As previously stated, the attacker was able to re-register at least one of the three numbers they specifically sought.

“All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected,” the team noted. That’s because that data is stored on the users’ device and Signal has no access to or copy of it. “And this information certainly is not available to Twilio, or via the access temporarily gained by Twilio’s attackers,” the team added.

Unfortunately, if the attacker was successful in re-registering an account, they might impersonate the user by sending and receiving Signal communications from that phone number.

Signal is immediately notifying potentially affected users through SMS. It has unregistered Signal on all devices that these 1,900 users are now using (or that an attacker has registered for them) and is requesting that they re-register Signal with their phone number on their preferred device.

Furthermore, they are advising them to enable registration lock (Signal Settings (profile) > Account > Registration Lock) for their account, which is a function that aids in the prevention of this sort of fraud.
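The re-registration risk and the effect of a registration lock can be shown with a simplified model. This is an added example, not Signal's or Twilio's code: the classes, the phone number and the PIN are constructed, and the SMS vendor is reduced to an outbox that anyone with vendor-side access can read.

```python
import hashlib
import hmac
import os
import secrets


class SmsProvider:
    """Stand-in for the SMS vendor: whoever can read `outbox` sees every code."""

    def __init__(self):
        self.outbox = []

    def send(self, number, code):
        self.outbox.append((number, code))


class RegistrationService:
    """Hypothetical registration server with an optional per-number lock."""

    def __init__(self, sms):
        self.sms = sms
        self.pending = {}   # number -> one-time SMS code
        self.accounts = {}  # number -> {"device": str, "lock": (salt, verifier) or None}

    @staticmethod
    def _verifier(pin, salt):
        # Store a salted, slow hash of the PIN rather than the PIN itself.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def request_code(self, number):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = code
        self.sms.send(number, code)

    def enable_lock(self, number, pin):
        salt = os.urandom(16)
        self.accounts[number]["lock"] = (salt, self._verifier(pin, salt))

    def register(self, number, device, code, pin=None):
        expected = self.pending.pop(number, None)  # codes are single use
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        lock = self.accounts.get(number, {}).get("lock")
        if lock is not None:
            # The SMS code alone is not enough once a lock is set.
            salt, verifier = lock
            if pin is None or not hmac.compare_digest(self._verifier(pin, salt), verifier):
                return False
        self.accounts[number] = {"device": device, "lock": lock}
        return True


def takeover_attempt(lock_enabled):
    """Return (attacker_succeeded, device_registered_afterwards)."""
    sms = SmsProvider()
    service = RegistrationService(sms)
    number = "+15550100"  # constructed number
    service.request_code(number)
    assert service.register(number, "owner-phone", sms.outbox[-1][1])
    if lock_enabled:
        service.enable_lock(number, "constructed-pin")
    service.request_code(number)   # someone asks for a fresh code
    stolen = sms.outbox[-1][1]     # read on the vendor side, not on the phone
    succeeded = service.register(number, "attacker-phone", stolen)
    return succeeded, service.accounts[number]["device"]


if __name__ == "__main__":
    print("without lock:", takeover_attempt(False))
    print("with lock:   ", takeover_attempt(True))
```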

As a result of the Twilio breach, the attacker was able to obtain either the phone numbers of 1,900 registered Signal users or the SMS verification codes they used to register with Signal.

“The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against. We strongly encourage users to enable the registration lock. While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users,” the team concluded.

Hacker Offers 5.4 million Twitter Account Details for $30,000

 

A threat actor acquired data from 5.4 million Twitter accounts by exploiting a now-patched vulnerability in the popular social networking site. The hacker is currently selling the stolen information on the prominent hacker site Breached Forums.

In January, a HackerOne report claimed the discovery of a vulnerability that may be used by an attacker to identify a Twitter account using the linked phone number/email, even if the user has elected to avoid this in the privacy settings.

“The vulnerability allows any party without any authentication to obtain a Twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account,” reads the description in the report submitted by Zhirinovskiy via bug bounty platform HackerOne.

“This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number but an attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities.” Twitter acknowledged the vulnerability and rewarded Zhirinovskiy with a $5,040 prize.

The website Restore Privacy uncovered the advertisement for the massive data trove on Breached Forums. A hacker has published a database of 5.4 million Twitter users.

Database of 5.4 million Twitter users

According to the seller, the database comprises data (email addresses and phone numbers) from people ranging from celebrities to businesses. The vendor additionally included a data sample in the form of a CSV file.

“A few hours after the post was made, the owner of Breach Forums verified the authenticity of the leak and also pointed out that it was extracted via the vulnerability from the HackerOne report above.” reads the post published by RestorePrivacy. 

“We downloaded the sample database for verification and analysis. It includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account.” 

The seller told RestorePrivacy that he is asking for at least $30,000 for the entire database.

Hotel WiFi Across MENA Compromised, Private Information Leaked

 

Etizaz Mohsin, a Pakistani cybersecurity researcher, was in a hotel room in Qatar when he accidentally discovered a technical vulnerability in the hotel's internet infrastructure, one that compromised the personal information of hundreds of hotels and millions of tourists worldwide.

Mohsin explained, “I discovered that there is an rsync [file synchronisation tool] service running on the device that allows me to dump the device’s files to my own computer. I was able to gain access to all other hotels’ sensitive information that was being stored on the FTP [file transfer protocol] server for backup purposes.” 
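An rsync daemon that serves files without authentication, as in the researcher's description, can be caught by auditing its configuration. The following is an added example, not code from the original post or from AirAngel: the sample configuration and module names are constructed, and the parameter names are standard rsyncd.conf options.

```python
# Constructed sample: one module left at its open defaults, one locked down.
SAMPLE_CONF = """\
# /etc/rsyncd.conf (constructed for this example)
[backup]
    path = /var/backup
    read only = no

[firmware]
    path = /srv/firmware
    list = no
    auth users = updater
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/24
"""

# rsyncd.conf defaults for the parameters checked below.
DEFAULTS = {"authusers": "", "secretsfile": "", "hostsallow": "",
            "readonly": "yes", "list": "yes"}


def _key(name):
    # Whitespace and case in parameter names are not significant.
    return "".join(name.split()).lower()


def _truthy(value):
    return value.strip().lower() in {"yes", "true", "1"}


def parse(conf_text):
    """Return (global_params, {module: params}) from rsyncd.conf text."""
    global_params, modules, current = {}, {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            name, _, value = line.partition("=")
            target = global_params if current is None else current
            target[_key(name)] = value.strip()
    return global_params, modules


def audit(conf_text):
    """Map each module name to a list of exposure findings."""
    global_params, modules = parse(conf_text)
    report = {}
    for name, params in modules.items():
        # Module settings override global ones, which override the defaults.
        eff = {**DEFAULTS, **global_params, **params}
        findings = []
        if not eff["authusers"]:
            findings.append("anonymous access: no 'auth users'")
        elif not eff["secretsfile"]:
            findings.append("'auth users' set without a 'secrets file'")
        if not eff["hostsallow"]:
            findings.append("any host may connect: no 'hosts allow'")
        if not _truthy(eff["readonly"]):
            findings.append("clients may upload: 'read only' is off")
        if _truthy(eff["list"]):
            findings.append("module name is advertised: 'list' is on")
        report[name] = findings
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```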

He was able to get network configurations for 629 significant hotels in 40 countries, as well as millions of customers' personal information, such as room numbers, emails, and check-in and check-out dates. The research included information from major hotel chains, as well as the Kempinski, Millennium, Sheraton, and St Regis, in Qatar, Turkey, the United Arab Emirates (UAE), Saudi Arabia, Lebanon, Egypt, Bahrain, Oman, Jordan, and Kuwait.

The hotels all use the HSMX Gateway internet technology from AirAngel, a British company. Some of the world's most well-known hotel chains are among its clients. Most hotels, stores, restaurants, and cafés require guests to set up an account and fill out their personal information before they may use the internet. It does, however, have some disadvantages.

Mohsin added, “A public WiFi network is inherently less secure than the one you use at home. It gives hackers access to critical information like banking credentials and account passwords by allowing them to monitor and intercept data transferred across the network.”

Seven years ago, researchers discovered a flaw in hotel routers that affected 277 devices in hotels and convention centres in the US, Singapore, the United Kingdom, the United Arab Emirates, and 25 other countries.

Apple's Find My Network: Can be Abused to Leak Secrets Via Passing Devices

 

Apple's Find My network, which is used to track iOS and macOS devices – as well as more recently AirTags and other kits – has been revealed to be a possible espionage tool. 

In brief, passing Apple devices can be used to send data over the air from one location to another, such as a computer on the other side of the world, without the need for any other network connection. 

Using Bluetooth Low Energy (BLE) broadcasts and a microcontroller designed to act as a modem, Fabian Bräunlein, co-founder of Positive Security, invented a way to send a limited amount of arbitrary data to Apple's iCloud servers from devices without an internet connection. A Mac application can then download the data from the cloud. He dubbed his proof-of-concept service Send My in a blog post on Wednesday. 

When activated in Apple devices, the Find My network acts as a crowdsourced location-tracking system. Participating devices transmit over BLE to other nearby Apple devices, which then relay data back to Cupertino's servers via their network link. Authorized device owners can then use the company's iCloud-based Find My iPhone or iOS/macOS Find My app to get location reports on enrolled hardware. 

Researchers from Germany's Technical University of Darmstadt – Alexander Heinrich, Milan Stute, Tim Kornhuber, and Matthias Hollick – released an overview of Apple's Find My network's protection and privacy in March, uncovering a few issues along the way. 

Bräunlein's aim was to see if the Find My network could be exploited to send arbitrary data from devices that didn't have access to the internet. "Such a technique could be employed by small sensors in uncontrolled environments to avoid the cost and power consumption of mobile internet," he states. "It could also be interesting for exfiltrating data from Faraday-shielded sites that are occasionally visited by iPhone users." Since he didn't find any rate-limiting mechanism for the number of location reports devices can send over the Find My network, he theorizes that his strategy may be used to deplete smartphone users' data plans. 

With each report being more than 100 bytes, broadcasting a large number of unique public encryption keys as part of the Find My protocol would increase the amount of mobile traffic sent. For his data exfiltration scheme, Bräunlein used an ESP32 microcontroller with OpenHaystack-based firmware to transmit a hardcoded default message and listen for new data on its serial interface. These signals are picked up by nearby Apple devices that have Find My switched on and are then transferred to Apple's servers.

In order to satisfy Apple's authentication criteria for accessing location data, obtaining data from a macOS computer necessitates the use of an Apple Mail plugin that runs with elevated privileges. To view the unsanctioned transmission, the user must also install OpenHaystack and run DataFetcher, a macOS app created by Bräunlein.

Leaked Apple Schematics & Extortion Threats Removed From Dark Web

 

According to MacRumors, the ransomware group that stole schematics from Apple supplier Quanta Computer last week and threatened to release the trove of documents has mysteriously deleted all references to the extortion attempt from its dark web blog. 

Last Tuesday, the ransomware group REvil claimed that it had gained access to Quanta's internal computers and obtained some photographs and schematics of unreleased Apple products. The group requested $50 million from Quanta in order to retrieve the data. However, according to a statement posted on the hacker group's website on April 20, Quanta declined to pay the ransom, which led the criminals to turn their attention to Apple. 

To prove they had hacked into Quanta's servers and to increase the pressure on Apple, the hackers publicly posted a handful of images depicting unreleased product schematics: 21 images in total, showing different features of an alleged upcoming MacBook Pro, an SD card slot, an HDMI slot, and a MagSafe charger.

Unless Apple paid the $50 million ransom demand in return for removing the files, the group threatened to publish new data every day leading up to May 1. The extortion attempt was timed to coincide with Apple's "Spring Loaded" digital event on April 20, at which the company unveiled AirTag item trackers, new iPad Pro models, and new iMacs. Despite the threat, after the original demand was made public, no further stolen documents have been leaked online. 

REvil isn't known for bluffing and regularly shares stolen documents if its victims don't pay up, so it's unclear why the group didn't follow through this time. According to MacRumors, the photos were mysteriously deleted from their dark web location. The group has not stated why the photos were deleted, and all references to the blackmail attempt have been removed. 

Apple has yet to comment on the breach, although it has a history of refusing to deal with hackers. A hacker group tried to extort money from Apple in 2017 by keeping consumer data hostage. "We do not reward cybercriminals for violating the law," Apple told the community.

The group is still aggressively extorting other businesses, so it's unclear what caused it to delete all material related to the Quanta hack.