
Ransomware Groups Exploiting SonicWall VPN Vulnerability for Network Breaches

 

Ransomware operators Akira and Fog are increasingly gaining unauthorized access to corporate networks by exploiting SonicWall VPN vulnerabilities. The attackers are believed to be targeting CVE-2024-40766, a critical flaw in SonicWall's SSL VPN access control, to breach networks and deploy ransomware.

SonicWall addressed this vulnerability in August 2024. However, within a week, reports indicated that it was already being actively exploited. According to Arctic Wolf security researchers, Akira ransomware affiliates have been observed using this flaw to establish an initial foothold in victim networks. In their latest findings, Arctic Wolf disclosed that at least 30 network intrusions involving Akira and Fog ransomware began with unauthorized VPN access through SonicWall accounts.

Of the incidents reported, Akira affiliates accounted for 75% of breaches, with the remainder linked to Fog ransomware. Notably, the two groups appear to use shared infrastructure, suggesting ongoing collaboration, a trend previously noted by cybersecurity firm Sophos.

Although researchers can't confirm the vulnerability was exploited in every case, all breached systems were running unpatched versions susceptible to the flaw. In most attacks, ransomware encryption followed initial access within about ten hours, with some cases taking as little as 1.5 to 2 hours. The attackers often connected through VPNs or VPSs to mask their IP addresses.

Arctic Wolf highlights that many targeted organizations had unpatched endpoints, lacked multi-factor authentication on their VPN accounts, and were running the SSL VPN service on its default port, 4433. In cases where firewall logs were available, events indicating remote user logins (message IDs 238 or 1080) were observed, followed by SSL VPN logins and IP assignments.
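The log pattern described above can be hunted for in a syslog export. The script below is an added example, not Arctic Wolf's or SonicWall's tooling. It assumes SonicWall's key=value syslog layout (m=message id, usr=, src=, dst=), treats message IDs 238 and 1080 as the remote-user login events the report mentions, and uses a constructed hosting/anonymizer range list in place of a real threat feed; the sample log lines are constructed as well. It flags logins from hosting ranges (the VPS/VPN masking noted above), one account appearing from two source IPs inside a short window, and the VPN still answering on port 4433.

```python
"""Hunt for suspicious SonicWall SSL VPN logins in a syslog export.

Added example, not Arctic Wolf's tooling. Assumptions: SonicWall's
key=value syslog layout (m=<message id>, usr=, src=, dst=), message IDs
238 and 1080 taken as the remote-user login events mentioned above, and a
constructed hosting/anonymizer range list standing in for a real feed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real customer logs).
SAMPLE_LOG = """\
id=sslvpn sn=C0EAE4XXXXXX time="2024-10-07 02:14:09" fw=203.0.113.5 pri=6 c=1024 m=238 msg="WAN zone remote user login allowed" usr="svc_backup" src=198.51.100.23:51822:X1 dst=203.0.113.5:4433:X1 proto=tcp/https
id=sslvpn sn=C0EAE4XXXXXX time="2024-10-07 02:31:40" fw=203.0.113.5 pri=6 c=1024 m=1080 msg="User login successful" usr="svc_backup" src=192.0.2.77:40012:X1 dst=203.0.113.5:4433:X1 proto=tcp/https
id=sslvpn sn=C0EAE4XXXXXX time="2024-10-07 08:02:11" fw=203.0.113.5 pri=6 c=1024 m=238 msg="WAN zone remote user login allowed" usr="alice" src=203.0.113.200:55012:X1 dst=203.0.113.5:4433:X1 proto=tcp/https
id=firewall sn=C0EAE4XXXXXX time="2024-10-07 08:02:15" fw=203.0.113.5 pri=6 c=262144 m=98 msg="Connection Opened" src=203.0.113.200:55013:X1 dst=203.0.113.5:443:X1 proto=tcp/https
"""

# Constructed denylist; in practice load a hosting-provider or Tor exit feed.
KNOWN_VPS_RANGES = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]
LOGIN_MESSAGE_IDS = {"238", "1080"}   # remote-user login events (see text)
DEFAULT_SSLVPN_PORT = "4433"

_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value syslog line into a dict, unquoting quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}


def login_events(log_text):
    """Extract remote-user login events as dicts with time, user, src, dst_port."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("m") not in LOGIN_MESSAGE_IDS or "usr" not in rec:
            continue
        src_ip = rec.get("src", "").split(":")[0]
        dst_parts = rec.get("dst", "").split(":")
        events.append({
            "time": datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S"),
            "user": rec["usr"],
            "src": src_ip,
            "dst_port": dst_parts[1] if len(dst_parts) > 1 else "",
        })
    return events


def in_vps_range(ip):
    """True if the address falls inside a known hosting/anonymizer range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_VPS_RANGES)


def hunt(log_text, window=timedelta(hours=1)):
    """Return de-duplicated findings: logins from hosting ranges, one account
    seen from two source IPs inside `window`, and the VPN still on port 4433."""
    findings = []
    by_user = defaultdict(list)
    for ev in login_events(log_text):
        by_user[ev["user"]].append(ev)
        if in_vps_range(ev["src"]):
            findings.append(f"{ev['user']}: login from hosting/anonymizer range {ev['src']}")
        if ev["dst_port"] == DEFAULT_SSLVPN_PORT:
            findings.append("SSL VPN answering on default port 4433")
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for a, b in zip(evs, evs[1:]):
            if a["src"] != b["src"] and b["time"] - a["time"] <= window:
                findings.append(f"{user}: source changed {a['src']} -> {b['src']} within {window}")
    return list(dict.fromkeys(findings))   # drop repeats, keep order


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Against the constructed sample, the `svc_backup` account produces three findings (two hosting-range logins and a source change within 17 minutes) while `alice` produces none; the port-4433 finding is reported once regardless of how many logins hit it. Swap `KNOWN_VPS_RANGES` for a real feed and feed the script your exported firewall syslog to use it on real data.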

The ransomware groups moved swiftly, targeting virtual machines and backups for encryption. Stolen data mainly consisted of documents and proprietary software. Files older than six months were generally ignored, except for more sensitive material, which the attackers took going back as far as 30 months.

Fog ransomware, active since May 2024, typically uses compromised VPN credentials for initial network access. Meanwhile, the more established Akira ransomware has recently faced some downtime with its Tor site, though access has been gradually restored.

Japanese security researcher Yutaka Sejiyama reports approximately 168,000 SonicWall endpoints remain vulnerable to CVE-2024-40766. Sejiyama also suggested that the Black Basta ransomware group might be exploiting this flaw in recent attacks.

Cyberattack on Maui's Community Clinic Affects 123,000 Individuals in May

 

The Community Clinic of Maui, also known as Mālama, recently notified over 123,000 individuals that their personal data had been compromised during a cyberattack in May. Hackers gained access to sensitive information between May 4 and May 7, including Social Security numbers, passport details, financial account information (such as CVV codes and expiration dates), and extensive medical records.

In addition to this, hackers obtained routing numbers, bank names, financial account details, and some biometric data. A total of 123,882 people were affected by the breach, which resulted in the clinic taking its servers offline.

Local reports suggested the incident was a ransomware attack, sparking public frustration as Mālama was forced to close for nearly two weeks. Upon reopening at the end of May, the clinic operated with limited services, and nurses had to rely on paper charts due to system-wide computer outages.

Following the attack, Mālama worked with law enforcement and cybersecurity experts to investigate the breach, with the findings confirmed on August 7. 

In a statement on its website, the clinic offered complimentary credit monitoring to those whose Social Security numbers may have been exposed, although a regulatory filing in Maine indicated that identity theft protection services were not provided. The organization has not responded to requests for clarification, and a law firm is reportedly exploring potential lawsuits against Mālama related to the breach.

The ransomware group LockBit, whose infrastructure was disrupted by law enforcement earlier this year, claimed responsibility for the attack in June. On Tuesday, Europol and other agencies announced a further coordinated action against the gang, resulting in four arrests and the seizure of servers critical to LockBit's operations in France, the U.K., and Spain.

In 2024, healthcare providers across the U.S. have been increasingly targeted by cyberattacks, disrupting services and threatening public safety. Notably, McLaren Health Care and Ascension, two major health systems, have faced severe ransomware incidents, and last week one of its region's only Level 1 trauma centers had to turn away ambulances following a cyberattack.

Seattle Port Suffers Data Breach, Rhysida Ransomware Suspected

 

The August ransomware attack on the Port of Seattle, which also operates Seattle-Tacoma International Airport, has significantly disrupted the port's operations, highlighting the challenges that critical infrastructure providers face in the immediate aftermath of a cybersecurity breach. While recovery efforts are ongoing, some areas remain affected.

Most affected systems have been restored, but the port's website, internal portals, and the airport's mobile app remain offline. Despite this, officials reported that the majority of flights have adhered to their schedules, and cruise ship operations have remained unaffected.

The port made it clear that it would not meet the attackers' demands, warning that the hackers may attempt to post stolen data on the dark web. In an update on Friday, Steve Metruck, the port's executive director, said: "The Port of Seattle does not plan to pay the criminals responsible for this cyberattack. Paying them would go against the values of the port and our responsibility to wisely manage taxpayer funds."

Port authorities have confirmed that some data was compromised by the Rhysida group in mid-to-late August. An investigation is ongoing to determine the specific nature of the stolen information, and those affected will be informed as soon as the analysis is complete.

In November 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint #StopRansomware advisory (AA23-319A) regarding the Rhysida group.

Metruck emphasized the port's efforts not only to restore operations but to use the experience to strengthen future security. "We remain committed to building a more resilient port and will share insights from this incident to help safeguard other businesses, critical infrastructure, and the public," he said.

Fortinet Confirms Data Breach Involving Limited Number of Customers, Linked to Hacker "Fortibitch"

 

Fortinet has disclosed a data breach impacting a "small number" of its clients after a hacker, using the alias "Fortibitch," leaked 440GB of customer information on BreachForums. The hacker claimed to have accessed the data from an Azure SharePoint site, following the company's refusal to meet a ransom demand. This incident emphasizes the need for companies to secure data stored in third-party cloud services, cybersecurity experts have noted.

In a statement released on September 12, Fortinet reported that the breach involved unauthorized access to files stored on a cloud-based shared file drive. The company did not confirm the exact source of the breach but said the affected data represented less than 0.3% of its more than 775,000 customers, roughly 2,300 organizations. Fortinet also stated that no malicious activity had been detected around the compromised data, and that no ransomware or data encryption was involved. The company has since implemented protective measures and communicated directly with impacted customers.

Dark Reading noted that the leak also included financial and marketing documents, product information, HR data from India, and some employee records. After unsuccessful attempts to extort the company, the hacker released the data. The leak post also mentioned Fortinet's acquisitions of Lacework and NextDLP and made references to a Ukrainian threat group, though no direct connections were identified.

This breach highlights the growing risk of cloud data exposure. A recent analysis by Metomic revealed that more than 40% of sensitive files on Google Drive were vulnerable, with many shared publicly or with external email addresses. Experts stress the importance of using multifactor authentication (MFA), limiting employee access, and regularly monitoring cloud environments to detect and mitigate potential security lapses. They also recommend encrypting sensitive data both in transit and at rest, and enforcing zero-trust principles to reduce the risk of unauthorized access.
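The over-sharing finding cited above is the kind of thing a periodic audit catches. The script below is an added example, not Fortinet's or Metomic's tooling. It assumes permission records shaped like the Google Drive API's permissions resource (type, role, emailAddress, domain) and a constructed file inventory; the same classification applies to any file-sharing service whose ACL entries can be reduced to "anyone with the link", an external principal, or an internal one.

```python
"""Flag over-shared files from a Drive-style permission listing.

Added example; not Fortinet's or Metomic's code. Assumes permission
records shaped like the Google Drive API's permissions resource
(type, role, emailAddress, domain). The inventory is constructed.
"""
ORG_DOMAIN = "example.com"   # assumed organisation domain

# Constructed inventory standing in for the output of files.list + permissions.list
INVENTORY = [
    {"name": "Q3-customer-list.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "maria@example.com"},
        {"type": "anyone", "role": "reader"}]},
    {"name": "payroll-india.csv", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "hr@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "contractor@gmail.com"}]},
    {"name": "roadmap.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "pm@example.com"},
        {"type": "domain", "role": "reader", "domain": "example.com"}]},
]

# Higher number = wider exposure
SEVERITY = {"public": 3, "external": 2, "internal": 0}


def classify_permission(perm, org_domain=ORG_DOMAIN):
    """Map one ACL entry to public / external / internal."""
    kind = perm.get("type")
    if kind == "anyone":                       # anyone with the link
        return "public"
    if kind == "domain":                       # whole-domain share
        return "internal" if perm.get("domain", "").lower() == org_domain else "external"
    if kind in ("user", "group"):
        email = perm.get("emailAddress", "").lower()
        return "internal" if email.endswith("@" + org_domain) else "external"
    return "external"                          # unknown type: treat conservatively


def audit(inventory, org_domain=ORG_DOMAIN):
    """Return {file name: (worst exposure level, [offending principals (role)])}."""
    report = {}
    for item in inventory:
        worst, offenders = "internal", []
        for perm in item["permissions"]:
            level = classify_permission(perm, org_domain)
            if level != "internal":
                who = perm.get("emailAddress") or perm.get("domain") or "anyone-with-link"
                offenders.append(f"{who} ({perm.get('role')})")
            if SEVERITY[level] > SEVERITY[worst]:
                worst = level
        report[item["name"]] = (worst, offenders)
    return report


if __name__ == "__main__":
    for name, (level, offenders) in audit(INVENTORY).items():
        if level != "internal":
            print(f"{level.upper():8} {name}: {', '.join(offenders)}")
```

On the constructed inventory, the customer list is public (anyone with the link), the payroll file is shared externally with a consumer mailbox as a writer, and the roadmap is internal only. In a real deployment the inventory comes from the provider's API and the report feeds a ticket or a revocation step; treating unknown permission types as external keeps the audit from silently passing entries it does not understand.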

ICBC London Branch Hit by Ransomware Attack, Hackers Steal 6.6TB of Sensitive Data

 

The London branch of the Industrial and Commercial Bank of China (ICBC) recently fell victim to a ransomware attack, resulting in the theft of sensitive data. According to a report by The Register, which references information posted on the hackers' data leak site, the bank has until September 13 to meet the ransom demand or risk the stolen data being publicly leaked.

The attack was orchestrated by a group called Hunters International, who claim to have exfiltrated 5.2 million files, amounting to 6.6 terabytes of sensitive information. Despite being a relatively new name in the ransomware scene, some experts believe Hunters International is a rebranded version of Hive, a notorious ransomware group whose infrastructure the FBI infiltrated in July 2022 and dismantled in January 2023. During that operation the FBI quietly obtained decryption keys for victims before seizing the group's servers and halting its operations.

Emerging approximately a year ago, Hunters International has shifted its focus toward data theft rather than system encryption. Some cybersecurity researchers suggest that developing and deploying encryption tools is complex and time-consuming, making data theft alone an equally profitable, yet simpler, approach for the group.

ICBC, the world’s largest bank by total assets and market capitalization, is a state-owned financial institution in China. It provides a variety of banking services, including corporate and personal banking, wealth management, and investment banking. With an extensive global presence, ICBC plays a significant role in funding infrastructure projects both domestically and abroad.

As of now, ICBC has not made any public statements regarding the attack or responded to requests for comment.

CISA Issues Warning on Critical Vulnerabilities in Vonets WiFi Bridge Devices, No Patch Released

 

The Cybersecurity and Infrastructure Security Agency (CISA) has released a security advisory highlighting several critical vulnerabilities discovered in Vonets WiFi Bridge devices. These vulnerabilities present significant risks, including the potential for attackers to execute arbitrary code, access sensitive data, or disrupt device operations.

This poses a serious threat to the security of industrial and commercial networks that depend on these devices. Despite the gravity of these issues, Vonets has not responded to CISA’s outreach for collaboration on mitigation efforts, leaving users at risk.

Key Vulnerabilities and Their Impacts:

The vulnerabilities identified in the Vonets devices vary in severity and include:

  • CVE-2024-41161 (CVSSv4 8.7): This flaw involves the use of hard-coded credentials, allowing unauthorized users to bypass authentication and gain full device access using pre-set administrator credentials that cannot be disabled. This makes it a particularly dangerous vulnerability.
  • CVE-2024-29082 (CVSSv4 8.8): An issue with improper access control permits attackers to bypass authentication and perform a factory reset on the device through unprotected endpoints, leading to potential service disruptions and loss of configuration data.
  • CVE-2024-41936 (CVSSv4 8.7): A directory traversal vulnerability that enables attackers to read arbitrary files on the device, bypassing authentication and exposing sensitive information.
  • CVE-2024-37023 (CVSSv4 9.4): OS command injection vulnerabilities allow authenticated attackers to execute arbitrary operating system commands on the device, potentially giving them control over its operation.
  • CVE-2024-39815 (CVSSv4 8.7): A flaw in the handling of exceptional conditions could lead to a denial-of-service (DoS) scenario when attackers send specially crafted HTTP requests to the device.
  • CVE-2024-39791 (CVSSv4 10): The most severe vulnerability, a stack-based buffer overflow, allows remote attackers to execute arbitrary code, potentially gaining full control of the device without needing authentication.
  • CVE-2024-42001 (CVSSv4 6.1): An issue with improper authentication enables attackers to bypass authentication by sending specially crafted requests during an active user session.

CISA’s Recommendations

In light of Vonets' lack of response, CISA has issued several recommendations to help organizations mitigate the risks associated with these vulnerabilities:

  • Minimize Network Exposure: Ensure that control system devices and networks are not directly accessible from the internet to reduce the risk of unauthorized access.
  • Isolate Control Systems: Position control system networks and remote devices behind firewalls and separate them from business networks to prevent cross-network attacks.
  • Secure Remote Access: When remote access is necessary, use secure methods like Virtual Private Networks (VPNs). However, it's crucial to keep VPNs updated and ensure the security of connected devices.

CISA stresses the importance of conducting thorough impact analysis and risk assessments before implementing any defensive measures, to avoid unintended operational disruptions.

While no public exploitation of these vulnerabilities has been reported yet, the critical nature of these issues demands immediate attention. Organizations and individuals must act swiftly to safeguard their networks and reduce the risk of potential attacks.

National Public Data Breach Exposes Millions: Threat of Identity Theft Looms

 

Data breaches continue to be a persistent issue without a simple solution, as evidenced by the recent breach of the background-check service National Public Data. This incident highlights the escalating dangers and complexity of such breaches. After months of uncertainty, National Public Data has finally confirmed the breach, coinciding with a large amount of stolen data being leaked online.

In April, a hacker known as USDoD started selling a data set on cybercriminal forums for $3.5 million. The data, said to include 2.9 billion records, purportedly affected "the entire population of the USA, CA, and UK." As the weeks passed, samples of the data emerged, with researchers and other actors verifying its authenticity. By early June, it was confirmed that the data contained information like names, emails, and physical addresses.

Although the data's accuracy varies, it appears to consist of two main sets. One contains over 100 million legitimate email addresses along with other personal information. "There appears to have been a data security incident that may have involved some of your personal information," National Public Data announced on Monday. "The incident is believed to have involved a third-party bad actor who attempted to access data in late December 2023, with potential leaks occurring in April 2024 and summer 2024. The breached information includes names, email addresses, phone numbers, Social Security numbers, and mailing addresses."

The company stated it is cooperating with law enforcement and government investigators. National Public Data now faces potential class action lawsuits due to the breach.

"We have become desensitized to the continuous leaks of personal data, but there is a serious risk," says security researcher Jeremiah Fowler, who has been monitoring the National Public Data situation. "It may not be immediate, and it could take years for criminals to figure out how to use this information effectively, but a storm is coming."

When data is stolen from a single source, such as Target, it is relatively easy to trace the source. However, when information is stolen from a data broker and the company does not disclose the incident, it becomes much harder to verify the data's legitimacy and origin. Often, people whose data is compromised are unaware that National Public Data held their information.

Security researcher Troy Hunt noted in a blog post, "The only parties that know the truth are the anonymous threat actors and the data aggregator. We're left with 134M email addresses in public circulation and no clear origin or accountability." Even when a data broker admits to a breach, as National Public Data has, the stolen data may be unreliable and mixed with other datasets. Hunt found many email addresses paired with incorrect personal information, along with numerous duplicates and redundancies.

"There were no email addresses in the Social Security number files," noted Hunt, who operates the website Have I Been Pwned (HIBP). "If you find your email in this data breach via HIBP, there's no evidence your SSN was leaked, and the data next to your record may be incorrect."

For those whose Social Security numbers were included in the breach, the threat of identity theft remains significant. They are forced to freeze their credit, monitor credit reports, and set up financial monitoring services. Notifications about the breach have already been sent out by credit monitoring and threat intelligence services. Although the stolen data is flawed, researchers warn that every data set attackers obtain can fuel scamming, cybercrime, and espionage when combined with other personal data compiled by criminals over the years.

"Each data breach is a puzzle piece, and bad actors and certain nations are collecting this data," Fowler says. "When combined systematically and organized in a searchable way, numerous breaches can provide a complete profile of individual citizens."

Massive Data Leak Exposes Sensitive Information for Millions

 


A significant data breach has compromised the personal information of millions of individuals across the United States, United Kingdom, and Canada. The leaked data, obtained from a company called National Public Data, includes highly sensitive information such as names, mailing addresses, and Social Security numbers.

The leaked database, consisting of nearly 2.7 billion records, was reportedly offered for sale on the dark web. While the exact scope of the breach is still being investigated, numerous individuals have confirmed the presence of their personal data within the leaked files.

The exposed information poses a serious risk of identity theft and other malicious activities. Scammers may use this data to target individuals with phishing attempts or fraudulent transactions.

To protect yourself:

1. Be wary of suspicious emails: Avoid clicking on links or opening attachments in unsolicited emails, even if they appear to be from legitimate sources.
2. Verify the sender: Double-check the sender's email address to ensure it is authentic.
3. Use strong, unique passwords: Create complex passwords for all your online accounts and avoid reusing them across different platforms.
4. Monitor your accounts: Regularly check your bank statements, credit reports, and online accounts for any unauthorized activity.

If you believe your personal information may have been compromised in this data breach, it is recommended to take steps to protect your identity and report the incident to the appropriate authorities.

National Public Data Hacked: Personal Information of Millions at Risk

 


National Public Data, a company specializing in background checks and fraud prevention, has experienced a significant data breach. The data collected by the company has reportedly fallen into the hands of a hacking group known as "USDoD," which began selling access to the stolen information in April. The stolen data is said to include details of users from the US, UK, and Canada.

The company is now facing a class-action lawsuit, as reported by Bloomberg Law. The lawsuit was filed by Christopher Hoffman, a resident of California, after his identity protection service alerted him that his personal data had been compromised in the breach.

The scope of the data leak could be one of the largest ever recorded, though the full extent is still unconfirmed. National Public Data has not yet responded to requests for comment. However, in June, malware repository VX Underground reviewed the stolen data, which was initially on sale for $3.5 million.

VX Underground confirmed the authenticity of the massive 277.1GB uncompressed file, noting that the data included real and accurate information. They verified several individuals' details, who consented to the search of their information. According to VX Underground, the stolen data encompasses Social Security numbers, full names, and user address history spanning over three decades. It appears that the personal information of users who opted out of data collection was not included. USDoD acted as a broker for the sale, while a mysterious individual known as "SXUL" was behind the breach.

Although USDoD intended to sell the data to private buyers, it has reportedly been circulating freely on a popular hacker forum, posing a significant risk of identity theft. The archive is said to include dates of birth and phone numbers, though users who have downloaded the 277GB file report numerous duplicates. Some entries pertain to the same individual at different addresses, and others cover deceased persons. As a result, the actual number of affected individuals is estimated to be closer to 225 million, rather than the initially believed 2.9 billion.

National Public Data had previously advertised its People Finder tool, claiming access to over 2.2 billion merged records covering the entire adult population of the USA and its territories. In response to the breach, some identity protection services have already begun analyzing the stolen data and notifying affected consumers whose Social Security numbers were found in the archive. Hoffman's class-action lawsuit demands that National Public Data pay damages and implement several IT security changes, including the deletion of stored data on US users unless a reasonable justification is provided.

Hackers Exploit Bytecode Interpreters to Inject Malicious Code

 

Attackers can conceal their efforts to execute malicious code by embedding commands into the bytecode that software interpreters, used by many programming languages such as VBScript and Python, hold in memory. A group of Japanese researchers will demonstrate the technique at next week's Black Hat USA conference.

Interpreters translate human-readable source code into bytecode, the lower-level instructions that the interpreter's virtual machine executes. The research team managed to insert malicious instructions into the bytecode held in memory before it ran. Since most security software does not scan bytecode, the changes went undetected.

This method could enable attackers to hide their malicious activities from most endpoint security software. Researchers from NTT Security Holdings Corp. and the University of Tokyo will showcase this capability using the VBScript interpreter, says Toshinori Usui, a research scientist at NTT Security. The researchers have confirmed that the technique also works for inserting malicious code into the in-memory processes of both the Python and Lua interpreters.

"Malware often hides its behavior by injecting malicious code into benign processes, but existing injection-type attacks have characteristic behaviors ... which are easily detected by security products," Usui says. "The interpreter does not care about overwriting by a remote process, so we can easily replace generated bytecode with our malicious code — it's that feature we exploit."

Bytecode attacks are not new, but they remain relatively uncommon. In 2018, researchers from the University of California, Irvine published a paper introducing bytecode attacks and defenses. Last year, the administrators of the Python Package Index (PyPI) removed a malicious package known as fshec2, which escaped initial detection because its malicious logic shipped as compiled bytecode. Python caches compiled bytecode in .pyc files, which the interpreter can load and execute directly without the corresponding .py source.

"This may be the first supply chain attack to leverage the fact that Python bytecode (PYC) files can be directly executed, and it comes amid a spike in malicious submissions to the Python Package Index," Karlo Zanki, a reverse engineer at ReversingLabs, said in a June 2023 analysis of the incident. "If so, it poses yet another supply chain risk going forward, since this type of attack is likely to be missed by most security tools, which only scan Python source code (PY) files."

Beyond Precompiled Malware

After an initial compromise, attackers have several options to extend their control over a targeted system: They can perform reconnaissance, attempt further system compromise using malware, or use existing tools on the system — a strategy known as "living off the land."

The NTT researchers' bytecode attack technique falls into the latter category. Instead of using pre-compiled bytecode files, their attack — called Bytecode Jiu-Jitsu — involves injecting malicious bytecode into the memory space of a running interpreter. Since most security tools do not inspect bytecode in memory, the attack can conceal the malicious commands from detection.

This approach allows attackers to bypass other more obviously malicious steps, such as calling suspicious APIs to create threads, allocating executable memory, and modifying instruction pointers, Usui explains.

"While native code has instructions directly executed by the CPU, bytecode is just data to the CPU and is interpreted and executed by the interpreter," he says. "Therefore, unlike native code, bytecode does not require execution privilege, [and our technique] does not need to prepare a memory region with execution privilege."

Improving Interpreter Defenses

Interpreter developers, security tool developers, and operating system architects can all help mitigate this problem. Bytecode attacks do not exploit a vulnerability in the interpreter; they abuse the way it executes code. Even so, measures such as pointer checksums could reduce the risk, according to the UC Irvine paper.

The NTT Security researchers noted that checksum defenses would likely be ineffective against their technique and recommend that developers enforce write protections on the memory holding bytecode. "The ultimate countermeasure is to restrict the memory write to the interpreter," Usui says.
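Two points above, that bytecode is just data to the interpreter (no executable memory, no new thread, no instruction-pointer change) and that a checksum held alongside the bytecode can be refreshed by whoever can already write it, can both be seen in-process in CPython. The block below is an added example, not the NTT researchers' Bytecode Jiu-Jitsu code and not a cross-process injection: it uses CPython's documented ability to reassign a function's `__code__` as a stand-in for the remote memory write. The function names, the "rogue" routine and the fingerprint scheme are constructed for the demonstration.

```python
"""Bytecode is data to the interpreter: an in-process illustration.

Added example; not NTT's Bytecode Jiu-Jitsu and not a cross-process
injection. Reassigning a function's __code__ is documented CPython
behaviour and stands in here for the remote memory write. Shows (1)
that swapping bytecode needs no executable memory, thread or RIP
change, and (2) what a checksum-style defence catches and misses.
"""
import hashlib


def build_report(hostname):
    """Benign routine the caller believes it is running."""
    return f"health-check ok for {hostname}"


def _rogue(hostname):
    """Stands in for attacker-supplied logic (constructed for the demo)."""
    return f"exfil {hostname} to attacker"


def fingerprint(func):
    """SHA-256 over a function's raw bytecode and constants.

    Constants are hashed via repr(); nested code objects would make this
    non-portable across runs, which is fine for an in-process baseline."""
    code = func.__code__
    digest = hashlib.sha256(code.co_code)
    for const in code.co_consts:
        digest.update(repr(const).encode())
    return digest.hexdigest()


def baseline(funcs):
    """Record fingerprints at load time (the 'known good' state)."""
    return {f.__name__: fingerprint(f) for f in funcs}


def verify(funcs, expected):
    """Return names whose in-memory bytecode no longer matches the baseline."""
    return [f.__name__ for f in funcs if fingerprint(f) != expected.get(f.__name__)]


def swap_bytecode(target, donor):
    """Replace target's bytecode with donor's.

    A plain data write: no VirtualAlloc/mmap for executable pages, no new
    thread, no change to the CPU's instruction pointer. The interpreter
    simply runs whatever bytes now sit in target.__code__. The function's
    __name__ is unchanged; only __code__.co_name would reveal the swap."""
    target.__code__ = donor.__code__


def demo():
    known_good = baseline([build_report])
    swap_bytecode(build_report, _rogue)
    output = build_report("db01")                  # caller still calls build_report
    tampered = verify([build_report], known_good)  # checksum defence fires
    # Defence limit: the baseline lives in the same writable memory as the
    # bytecode, so the same write primitive can refresh it. This is the
    # NTT researchers' objection to checksum-only defences.
    known_good["build_report"] = fingerprint(build_report)
    silenced = verify([build_report], known_good)
    return output, tampered, silenced


if __name__ == "__main__":
    out, caught, missed = demo()
    print(out)
    print("flagged by checksum:", caught)
    print("flagged after attacker refreshes checksum:", missed)
```

Running it, the call to `build_report` returns the rogue string while `build_report.__name__` still reads "build_report"; the checksum check flags the function once, and reports nothing after the baseline is overwritten. That is the practical argument for the write-restriction Usui describes: integrity data that shares a writable address space with the bytecode is only as trustworthy as the bytecode itself.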

Presenting a new attack technique aims to show security researchers and defenders what could be possible, not to inform attackers' strategies, Usui emphasizes. "Our goal is not to abuse defensive tactics, but to ultimately be an alarm bell for security researchers around the world," he says.

Report: macOS Most Vulnerable to Endpoint Attacks Compared to Windows and Linux

 

A new report from Picus Security has unveiled a concerning weakness in many IT environments: a high risk of complete takeover through escalated privileges.

Simulated attacks revealed that while organizations can typically defend against seven out of ten attacks, the persistent threat of sophisticated cybercrime syndicates leaves a substantial margin for error.

Full environment takeovers occur when attackers gain administrator-level access, enabling them to freely navigate and compromise systems. Alarmingly, Picus successfully achieved domain admin access in 40% of the tested environments.

While Linux and Windows demonstrated relatively strong defenses against endpoint attacks, macOS proved significantly more vulnerable, raising concerns about its security posture. Picus CTO Volkan Ertürk emphasized the need for increased focus on securing macOS systems, recommending the use of threat repositories like the Picus Threat Library to identify and address vulnerabilities.

The report also highlighted the prevalence of basic security lapses, with a quarter of companies using easily guessable passwords and a mere 9% effectively preventing data exfiltration. Cybercrime groups like BlackByte, BabLock, and Hive posed the most significant challenges for organizations.

“Like a cascade of falling dominoes that starts with a single push, small gaps in cybersecurity can lead to big breaches,” said Dr. Suleyman Ozarslan, Picus co-founder and VP of Picus Labs.

“It's clear that organizations are still experiencing challenges when it comes to threat exposure management and balancing priorities. Small gaps that lead to attackers obtaining domain admin access are not isolated incidents, they are widespread. Last year, the attack on MGM used domain admin privileges and super admin accounts. It stopped slot machines, shut down virtually all systems, and blocked a multi-billion-dollar company from doing business for days,” Ozarslan said.

HealthEquity Data Breach Exposes Personal Information

 

HealthEquity, a leading provider of Health Savings Accounts (HSAs), has confirmed a significant data breach affecting potentially 4.3 million customers. The breach, discovered in March but only confirmed in June, involved unauthorized access to a data repository containing sensitive personal information.

The compromised data may include names, addresses, phone numbers, Social Security numbers, employment details, and partial payment card information. However, HealthEquity emphasizes that the specific data exposed varies for each individual.   

In response to the breach, HealthEquity has taken steps to secure the affected data repository and implemented a global password reset for the third-party vendor involved. The company will be notifying impacted individuals in early August about the incident and providing details on the actions they are taking.   

To help protect customers, HealthEquity is offering two years of free credit monitoring and identity theft protection through Equifax. Impacted individuals will receive a notification letter with instructions on how to enroll in this service.   

While no hacker group has claimed responsibility for the breach and no data has been leaked publicly thus far, experts advise affected individuals to remain vigilant. Monitor bank statements, credit reports, and watch for suspicious emails or text messages.

This ongoing situation highlights the importance of protecting personal information and underscores the need for robust security measures by companies handling sensitive data.

The CISO: A Cornerstone of Private Equity Success

 


In the dynamic landscape of private equity, the Chief Information Security Officer (CISO) has emerged as a critical player. Beyond safeguarding digital assets, the CISO is instrumental in driving business growth and ensuring regulatory compliance.

The CISO's role extends far beyond technical expertise. They are strategic architects, designing security frameworks aligned with business objectives. Proactive risk identification and mitigation are paramount, requiring a deep understanding of the evolving threat landscape. Effective communication of security posture to leadership is essential for securing buy-in and support.

  • Operational Excellence and Incident Response
Day-to-day security operations, from policy enforcement to incident management, fall under the CISO's purview. Building a resilient organization capable of weathering cyberattacks involves meticulous planning, employee training, and a robust security operations center (SOC).
  • Governance, Compliance, and Culture
Navigating a complex regulatory environment is a core competency for CISOs. Ensuring adherence to standards like GDPR and CCPA while fostering a security-conscious culture is vital. Effective third-party risk management and transparent reporting to stakeholders are essential for maintaining trust.
  • Overcoming Challenges
Balancing security with business agility, scaling defenses with company growth, and managing the impact of security changes are ongoing challenges. CISOs must be adept at finding innovative solutions to these complex issues.
  • Security Teams in a Portfolio Context
Private equity firms often manage diverse portfolios with varying risk profiles. Centralized oversight, shared resources, and a risk-based approach are essential for effective security management across the portfolio.

By operating as strategic partners, CISOs can significantly contribute to the long-term success of private equity firms and their portfolio companies.

Report: Spyware Maker's Data Leak Exposes Malware Used on Windows, Mac, Android, and Chromebook Devices

A Minnesota-based spyware company has been hacked, exposing thousands of devices worldwide under its covert surveillance, TechCrunch has learned.

A source familiar with the breach provided TechCrunch with files from the company’s servers, detailing device activity logs from phones, tablets, and computers monitored by Spytech. Some files date back to early June. TechCrunch confirmed the authenticity of the data by analyzing logs, including those from the company's CEO, who installed the spyware on his own device.

The leaked data reveals that Spytech's software, including Realtime-Spy and SpyAgent, has compromised over 10,000 devices since 2013. These include Android devices, Chromebooks, Macs, and Windows PCs globally.

Spytech is the latest in a series of spyware makers hacked in recent years, being the fourth this year alone, according to TechCrunch.

When contacted, Spytech CEO Nathan Polencheck stated that TechCrunch's email was the first he had heard of the breach and that he was investigating the situation.

Spytech produces remote access applications, often labeled "stalkerware," marketed for parental control but also advertised for spousal surveillance. Monitoring one's own children or employees is not in itself illegal, but monitoring a device without its owner's consent is, and both spyware sellers and users have been prosecuted for it.

Stalkerware apps are typically installed by someone with physical access to the device and can remain hidden and difficult to detect. These apps transmit keystrokes, browsing history, device activity, and, for Android devices, location data to a dashboard controlled by the installer.

The breached data seen by TechCrunch includes activity logs for all devices under Spytech's control, mostly Windows PCs, with fewer Android devices, Macs, and Chromebooks. The logs were not encrypted.

TechCrunch analyzed location data from compromised Android phones and mapped the coordinates offline to protect victims' privacy. The data indicates Spytech's spyware monitors devices primarily in Europe and the United States, with other clusters in Africa, Asia, Australia, and the Middle East.

One record linked to Polencheck's administrator account includes the geolocation of his residence in Red Wing, Minnesota.

While the data contains sensitive information from individuals unaware their devices are monitored, there isn't enough identifiable information for TechCrunch to notify victims of the breach. Spytech’s CEO did not comment on whether the company plans to notify its customers or authorities as required by law.

Spytech has operated since at least 1998, remaining largely unnoticed until 2009, when an Ohio man was convicted of using its spyware, sent to his ex-partner's email, to infect a children's hospital's systems. The spyware collected sensitive health information, and the man pleaded guilty to illegal interception of communications.

Spytech is the second U.S.-based spyware company to suffer a data breach in recent months. In May, Michigan-based pcTattletale was hacked; the company then shut down and deleted victim data without notifying affected individuals. Data breach notification service Have I Been Pwned later listed 138,000 pcTattletale customers as having signed up for the service.

Hacker Alleges Theft of Piramal Group’s Employee Data; Company Denies Breach as "Erroneous and Misleading"

Recent reports have suggested that employee data belonging to Piramal Group, including names and email addresses of both current and former staff members, may have been compromised and offered for sale on the dark web. These allegations have understandably raised concerns regarding the security of sensitive information within the organization. 

However, Piramal Group has firmly denied any breach, attributing the purported data leak to a third-party platform. The Indian government's Computer Emergency Response Team (CERT-In) was also notified of the situation and has confirmed that there was no compromise in Piramal Group's systems.

The controversy arose when a hacker reportedly posted a small portion of the stolen data on a prominent cybercrime forum last week. The publication that brought this issue to light claims to have accessed a larger sample of data from the alleged hacker and validated it using a job listing portal. This development has highlighted the importance of robust data security measures and has led to widespread speculation about the integrity of Piramal Group's systems.

In response to these allegations, a spokesperson for Piramal Group provided a detailed statement to the Times of India, emphasizing, "As mentioned earlier, we can confirm that there has been no data breach at Piramal Group. The suspicious activity on the dark web was evaluated and confirmed by our cybersecurity team as a false claim.

As per our investigation, the sample data shared is not Piramal Organization data and has no relevance to us. On further investigation we have also found that the information in question seems to have originated from a third-party platform, Mailinator, and not any of the systems at Piramal. Mailinator is not associated with Piramal Group in any form.

We have also shared the same feedback with the regulatory authority, CERT-In, and kept them informed.

We reiterate that there has been no breach of our data and any assertion to this effect is erroneous and misleading."

The detailed response from Piramal Group underscores their commitment to data security and transparency. As the investigation continues, the company remains vigilant in protecting the personal information of its employees and upholding the trust placed in them by their stakeholders.

ERP Firm Data Breach Exposes Over 750 Million Records

A leading Enterprise Resource Planning (ERP) company based in Mexico inadvertently left an unsecured database online, exposing sensitive information on hundreds of thousands of users. This was discovered by cybersecurity researcher Jeremiah Fowler, who reported his findings to Website Planet. According to Fowler, the database contained 769 million records and was accessible to anyone who knew where to look.

The exposed data included highly sensitive and personally identifiable information such as API keys, secret keys, bank account numbers, tax identification numbers, and email addresses. The database, which is 395GB in size, belongs to ClickBalance, a software provider that offers a range of cloud-based business services including administration automation, accounting, inventory, and payroll.

Website Planet describes ClickBalance as one of Mexico’s largest ERP technology providers. Upon discovering the database, Fowler immediately contacted ClickBalance, which secured the database within hours. However, it remains unclear whether any malicious actors accessed the data before it was secured or whether the data has been used in any malicious activities. Fowler emphasizes that only a comprehensive forensic investigation can determine the full extent of the exposure.

The exposure of tax identification numbers and bank account details poses significant risks, enabling cybercriminals to conduct fraudulent activities. The theft of active email addresses is particularly concerning, as it allows criminals to launch phishing attacks that can deliver malware and ransomware.

Despite the severe potential consequences, unsecured databases continue to be a common cause of data breaches. Many large enterprises and government organizations have been found with online databases lacking adequate protection. For instance, a previous incident resulted in the personal information of the entire Brazilian population being leaked.

How to Protect Your Online Accounts from Hackers

Hackers are increasingly targeting individuals to steal cryptocurrency, access bank accounts, or engage in stalking. Although these attacks are relatively rare, it's crucial to know how to protect yourself if you suspect someone has accessed your email or social media accounts.

A few years ago, I wrote a guide to help people secure their accounts. Many companies provide tools to enhance account security, which you can use even before contacting their support teams.

Here, we break down steps you can take across various online services.

First, it's important to note that these methods don't guarantee complete security. If you still feel compromised, consider consulting a professional, especially if you are a journalist, dissident, activist, or someone at higher risk.

Enable multi-factor authentication (MFA) on all your accounts, or at least the most critical ones like email, banking, and social media. This directory provides instructions for enabling MFA on over 1,000 websites. You don't have to use the recommended MFA app; many alternatives are available.

Some services also offer physical security keys or passkeys stored in password managers, providing high-level protection against password-stealing malware and phishing attacks.

Securing Your Gmail Account

If you suspect your Gmail account has been compromised, scroll to the bottom of your inbox and click on "Last account activity" in the bottom right corner. Then click on "Details" to see all the locations where your Google account is active. If you notice any unfamiliar activity, such as logins from different countries, click on "Security Checkup." Here, you can see which devices your account is active on and review recent security activity.

If you spot suspicious activity, click on "See unfamiliar activity?" and change your password. Changing your password will sign you out of all devices except those used for verification and third-party apps you've granted access to. To sign out from those devices, visit Google Support and click on the link to view apps and services with third-party access.

Consider enabling Google’s Advanced Protection for enhanced security. This feature makes phishing and hacking more difficult but requires purchasing security keys. It's highly recommended for individuals at higher risk.

Remember, your email account is likely linked to other important accounts, so securing it is crucial.

Checking Microsoft Outlook Security

To check if your Microsoft Outlook account has been accessed by hackers, go to your Microsoft Account, click on "Security" in the left-hand menu, and then under "Sign-in activity," click on "View my activity." You'll see recent logins, the platform and device used, browser type, and IP address. If anything looks suspicious, click on "Learn how to make your account more secure," where you can change your password and find instructions for recovering a hacked or compromised account.

Given that your email is often linked to other critical accounts, securing it is vital.

Securing Your Yahoo Account

Yahoo also provides tools to check your account and sign-in activity for unusual signs of compromise. Go to your Yahoo My Account Overview or click on the icon with your initial next to the email icon on the top right corner, then click on "Manage your account." Next, click on "Review recent activity." You can see recent activity on your account, including password changes, phone numbers added, and connected devices with their IP addresses.

Since your email is likely linked to sensitive sites like your bank, social media, and healthcare portals, it's essential to secure it diligently.

By following these steps and using the tools provided by these services, you can enhance the security of your online accounts and protect yourself from potential threats.

Significant Drop in Cyber-Insurance Premiums Makes Coverage More Affordable

Over the last year, a steady decline in premium rates has made cyber-insurance coverage more accessible and affordable for organizations of all sizes.

The primary driver behind this decrease is the increasingly competitive marketplace, with more insurance companies offering coverage for cybersecurity incidents such as ransomware attacks and data breaches. Additionally, improved cyber hygiene among insured organizations has contributed to the lower rates, according to a recent report from London-based Howden Insurance.

Howden's report highlighted a 15% reduction in average cyber-insurance premium rates in 2023 compared to the previous year. This decline follows a two-year period from December 2020 to December 2022 when rates surged due to a significant increase in ransomware-related claims.

Sarah Neild, head of cyber retail, UK, at Howden, stated, "Favorable dynamics have persisted into 2024, with the cost of cyber insurance continuing to fall despite ongoing attacks, heightened geopolitical instability, and the proliferation of GenAI. At no other point has the market experienced the current mix of conditions: a heightened threat landscape combined with a stable insurance market underpinned by robust risk controls."

Howden’s findings are echoed by US-based Aon, which reported a 17% decline in premium rates in 2023 compared to 2022. Aon also anticipates stable pricing through the end of the year due to ample capacity and a competitive market environment. Aon’s analysis showed that a rise in ransomware and other cyberattacks, alongside heightened regulatory reporting requirements, has increased interest in cyber insurance among organizations.

Shawn Ram, head of insurance at Coalition Insurance, noted that premium rates have declined even as cybersecurity-related claims have risen over the past year. "In 2023, overall claims frequency increased 13% year-over-year, and overall claims severity increased 10% YoY, resulting in an average loss of $100,000. Claims frequency increased across all revenue bands, with businesses between $25 million and $100 million in revenue seeing the sharpest spike — a 32% YoY increase." Despite the increased claims activity, pricing for cyber insurance remains stable due to the robust capacity in the market.

Insurance companies have become more adept at evaluating cyber risk, says Andrew Braunberg, an analyst with Omdia. "Carriers are getting a lot smarter in how they assess the cyber risks of prospects and the way they write up coverage," he explains, adding that insurers now conduct more thorough risk assessments and expect proactive security technologies to be in place.

Howden expects demand for cyber insurance from small and midsize enterprises (SMEs) to drive growth and price stability in the market over the next few years. SMEs, which contribute nearly half of the GDP in major economies, represent an underserved demographic offering significant growth opportunities for insurers and brokers. The market is also projected to expand significantly as insurance companies look to grow outside the US, which currently accounts for two-thirds of the global market.

Xing Xin, CEO and co-founder of cyber insurer Upfort, believes that while there are enough insurers eager to write more business around cybersecurity to keep prices stable for now, increased claims frequency and severity may eventually impact underwriting and rates. "A widespread cybersecurity issue that systemically triggers a high count of policies could reverse the current trend, leading to accelerated rate growth," he cautions.


New Infostealer 'Fickle Stealer' Targets Sensitive Data Using Multiple Distribution Methods

Security experts are raising alarms about a new infostealer named Fickle Stealer, which is being distributed through several different techniques. Fickle Stealer performs the usual malicious activities, stealing sensitive files, system information, browser-stored data, and cryptocurrency wallet details. What sets it apart is that it is written in the Rust programming language.

"Beyond targeting popular applications, this stealer searches for sensitive files in the parent directories of common installation paths to ensure thorough data collection," stated security researcher Pei Han Liao. "It also fetches a target list from the server, adding flexibility to Fickle Stealer's operations."

According to cybersecurity researchers from Fortinet FortiGuard Labs, Fickle Stealer employs four distinct distribution methods: a VBA dropper, a VBA downloader, a link downloader, and an executable downloader. Some of these methods utilize a PowerShell script that bypasses User Account Control (UAC) mechanisms. This script also transmits system information, such as the device's location (country and city), IP address, operating system version, computer name, and username, to a Telegram bot.
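As an added example (not code from the FortiGuard report or from the malware itself), the following Python script hunts for the exfiltration pattern described above in web-proxy logs. It assumes the stealer's PowerShell stage reaches its bot through the public Telegram Bot API, whose request URLs take the form https://api.telegram.org/bot<token>/<method>, and uses the "PowerShell/" substring that Invoke-WebRequest and Invoke-RestMethod place in their default User-Agent as a secondary signal. The log lines and the bot tokens in them are constructed for the example, and the log format (timestamp, source IP, HTTP method, URL, User-Agent) is an assumption about the proxy in use.

```python
import re
from collections import defaultdict

# Telegram Bot API requests look like https://api.telegram.org/bot<bot_id>:<secret>/<method>.
# A workstation talking to this endpoint from a PowerShell process is the hunting signal.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)

# Bot API methods that push data out of the host (as opposed to polling for commands).
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}

# Constructed proxy log lines (not real traffic). Assumed format, one request per line:
# "<timestamp> <src_ip> <http_method> <url> <user_agent...>"
SAMPLE_PROXY_LOG = """\
2024-06-20T09:14:02Z 10.1.20.17 GET https://www.office.com/ Mozilla/5.0 (Windows NT 10.0) Chrome/125.0
2024-06-20T09:14:51Z 10.1.20.17 POST https://api.telegram.org/bot7000000001:AAEXAMPLEtokenNotReal_123/sendMessage Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045; en-US) PowerShell/5.1.19041.4412
2024-06-20T09:15:10Z 10.1.20.42 POST https://api.telegram.org/bot7000000002:BBEXAMPLEtokenNotReal_456/sendMessage python-requests/2.31.0
2024-06-20T09:16:33Z 10.1.20.17 POST https://api.telegram.org/bot7000000001:AAEXAMPLEtokenNotReal_123/sendDocument Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045; en-US) PowerShell/5.1.19041.4412
2024-06-20T09:17:05Z 10.1.20.99 GET https://example.com/updates Mozilla/5.0 (Windows NT 10.0) PowerShell/7.4.2
"""


def parse_line(line):
    """Split one proxy log line into fields; returns None for lines that do not fit the format."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    ts, src_ip, http_method, url, user_agent = parts
    return {"ts": ts, "src_ip": src_ip, "http_method": http_method, "url": url, "user_agent": user_agent}


def find_telegram_bot_traffic(log_text, allowlisted_bot_ids=frozenset()):
    """Group Telegram Bot API requests by source host, skipping bots known to be legitimate.

    The secret half of the token is never copied into the result: an alert that quotes
    a live bot token would itself be a credential leak.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = TELEGRAM_BOT_RE.search(rec["url"])
        if m is None or m.group("bot_id") in allowlisted_bot_ids:
            continue
        hits[rec["src_ip"]].append({
            "ts": rec["ts"],
            "bot": f"{m.group('bot_id')}:<redacted>",
            "api_method": m.group("method"),
            "powershell_client": "PowerShell/" in rec["user_agent"],
        })
    return dict(hits)


def classify(events):
    """'high' when a PowerShell client pushed data to a bot, otherwise 'review'."""
    for e in events:
        if e["powershell_client"] and e["api_method"] in EXFIL_METHODS:
            return "high"
    return "review"


if __name__ == "__main__":
    # A known alerting bot (7000000002) is allowlisted; the stealer's bot is not.
    for src_ip, events in find_telegram_bot_traffic(SAMPLE_PROXY_LOG, {"7000000002"}).items():
        print(src_ip, classify(events), [e["api_method"] for e in events])
```

Bot IDs belonging to legitimate integrations (alerting or chatops bots) go on the allowlist so they are not reported, and only the numeric bot ID survives into the output; the secret half of the token is redacted because the alert would otherwise leak a credential. The User-Agent check is a heuristic: a stealer can set any string it likes, so the absence of "PowerShell/" lowers confidence but does not clear a host that is sending data to an unknown bot.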

Infostealers are among the most prevalent and disruptive forms of malware, second only to ransomware. They enable cybercriminals to access sensitive services, including banking accounts, social media profiles, and corporate platforms. With access to cryptocurrency wallet data, hackers can transfer funds to their own wallets, effectively stealing any available money. Furthermore, infostealers allow criminals to access email inboxes, leading to phishing attacks, impersonation, identity theft, and potentially ransomware attacks on corporate IT systems.

Securing devices against infostealers involves the same precautions as defending against other types of malware. Users should avoid downloading and running suspicious files and thoroughly verify email attachments before opening them. By adhering to these practices, individuals and organizations can better protect their sensitive data from cyber threats.

Tech Giants Aid Rural Hospitals in Cybersecurity Battle

Microsoft and Google have announced initiatives to offer free or discounted cybersecurity services to rural hospitals across the United States, aiming to reduce their vulnerability to cyberattacks that have disrupted patient care and threatened lives, according to a joint statement from the White House and the tech companies on Monday.

In a statement to CNN, Microsoft revealed plans to provide eligible rural hospitals with free security updates, as well as security assessments and staff training. Google will offer free cybersecurity advice and launch a pilot program to tailor its cybersecurity services to the specific needs of rural hospitals.

The nation's approximately 1,800 rural community hospitals are particularly susceptible to ransomware attacks due to their limited IT security resources and lack of cybersecurity-trained staff. These hospitals often serve as the only healthcare facility within a wide radius, so a ransomware attack that halts their operations can endanger patients' lives.

This initiative follows private discussions between tech firms and the White House National Security Council, which has been increasingly concerned about cyber threats to hospitals. By leveraging the widespread use of Microsoft and Google's software in hospitals across the country, the effort aims to strengthen the healthcare sector's defenses.

Anne Neuberger, the top cyber official at the White House National Security Council, highlighted the urgency of addressing this threat: "We’re in new territory as we see this wave of attacks against hospitals."

The Biden administration is also working on establishing minimum cybersecurity requirements for US hospitals. Although the details are not yet finalized, the American Hospital Association has expressed opposition, arguing that the proposal could penalize victims of cyberattacks.

Rising Ransomware Attacks

Ransomware attacks on the US healthcare sector surged by 128% in 2023 compared to 2022, as reported by the Office of the Director of National Intelligence. Recent incidents underscore the sector's vulnerabilities. In February, a ransomware attack on a major health insurance billing firm disrupted billions of dollars in healthcare payments, pushing some clinics to the brink of bankruptcy. UnitedHealth Group paid a $22 million ransom to recover patient data; the attack affected the data of roughly one third of Americans.

In May, a ransomware attack on one of America's largest hospital chains forced nurses to manually enter prescription information, jeopardizing patient safety.

The FBI and international allies have targeted ransomware gangs, seizing their computers and decrypting victim files. However, ransomware remains lucrative, partly because many perpetrators operate with impunity from Russia. Hospitals, desperate to restore services, often pay ransoms, perpetuating the cycle of attacks.

"We see a more permissive environment in Russia for hacktivists and criminals, which is concerning," Neuberger said. "More companies paying ransoms only fuels further attacks."

Cyberattacks continue to disrupt other essential services. The City of Cleveland is investigating a cyber incident that led to the closure of City Hall on Monday and Tuesday as a precaution. While internal systems and software are shut down, emergency services, including 911, police, fire department, ambulances, and the Department of Public Utilities, remain operational but with limited IT capabilities.

"Over the weekend, the city identified some abnormalities," said Commissioner Kimberly Roy-Wilson of the Division of Information Technology Services. "We have initiated our containment protocols and are now investigating the nature and scope of these abnormalities."

Mayor Justin Bibb did not disclose the agencies involved in the investigation.