Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Stolen Data. Show all posts
Stolen Data
Cyberattack Cybersecurity Data Breach health data medical records Personal Information Ransomware Social Security Stolen Data

Sunflower and CCA Suffer Data Breaches, Exposing Hundreds of Thousands of Records

 

Sunflower recently disclosed a cyberattack on its systems, revealing that hackers gained access on December 15 but remained undetected until January 7. 

During this time, sensitive personal and medical data — including names, addresses, dates of birth, Social Security numbers, driver’s license details, medical records, and health insurance information—were compromised. According to its filing with the Maine Attorney General’s Office, the breach impacted 220,968 individuals.

Meanwhile, CCA experienced a similar data breach in July last year. The organization reported that cybercriminals stole extensive patient information, including names, addresses, dates of birth, driver's license numbers, Social Security numbers, diagnoses, lab results, prescriptions, patient ID numbers, and provider details. The breach affected 114,945 individuals, as per its filing with Maine’s Attorney General’s Office.

The Rhysida ransomware group has claimed possession of 7.6TB of Sunflower’s data, including a 3TB SQL database, according to The Register. With the data still listed online, it suggests that either negotiations are ongoing or have collapsed. However, as of now, there is no confirmed evidence of the stolen data being misused on the dark web.

Following these incidents, both organizations have taken steps to strengthen cybersecurity measures to prevent future breaches.
Read more »
Stolen Data
cyber espionage tools Cyber Security CyberCrime Cybercrime Markets Dark web marketplace Department of Justice Marketplace Personal Data Stolen Data

U.S. Justice Department Shuts Down Rydox Cybercrime Marketplace

 

The U.S. Justice Department announced on Thursday the successful seizure and dismantling of Rydox, a notorious online marketplace for trafficking stolen personal information and cybercrime tools. In a coordinated operation with international law enforcement agencies, three individuals allegedly responsible for administering the site were arrested.

Since its inception in 2016, Rydox has been linked to over 7,600 illicit sales, generating significant profits by selling sensitive data such as credit card details, login credentials, and personally identifiable information (PII). Authorities reported that the platform offered 321,372 cybercrime products to a user base of more than 18,000 registered buyers, earning over $230,000 in revenue.

The Coordinated Crackdown

This operation involved multiple law enforcement agencies, including:

  • FBI’s Pittsburgh Office
  • Albania’s Special Anti-Corruption Body (SPAK)
  • National Bureau of Investigation (BKH)
  • Kosovo Special Prosecution Office
  • Kosovo Police
  • Royal Malaysian Police

Authorities apprehended two Kosovo nationals, Ardit Kutleshi (26) and Jetmir Kutleshi (28), in Kosovo. Both suspects will be extradited to the Western District of Pennsylvania to face charges including identity theft and money laundering. A third individual, Shpend Sokoli, was arrested in Albania and will face prosecution in his home country.

As part of the operation, law enforcement seized the domain Rydox.cc and its associated servers located in Kuala Lumpur, Malaysia. Additionally, U.S. authorities confiscated approximately $225,000 in cryptocurrency linked to the defendants, effectively dismantling the infrastructure supporting Rydox’s operations.

Global Cooperation in Combating Cybercrime

Eric Olshan, U.S. Attorney for the Western District of Pennsylvania, emphasized the importance of international collaboration in tackling cybercrime networks. “The harms can be devastatingly local,” Olshan stated, underlining how these crimes, though orchestrated globally, impact individuals and communities directly. He reiterated the Justice Department’s commitment to holding cybercriminals accountable.

Rydox has long symbolized the darker side of digital innovation, where stolen data is exploited for illicit profit. By providing a marketplace for cybercrime tools and sensitive information, it enabled thousands of buyers to commit fraudulent activities that affected both individuals and organizations.

Implications of the Takedown

The successful takedown of Rydox marks a significant victory in the fight against global cybercrime. It highlights the importance of multinational efforts in addressing online criminal networks. However, it also serves as a reminder of the persistent threats posed by similar platforms.

The arrests and dismantling of Rydox send a strong message to cybercriminals: no one is beyond the reach of international law enforcement agencies. This operation underscores the commitment of global authorities to combat cybercrime and protect victims from its devastating consequences.

Read more »
Stolen Data
Conti Ransomware Cyber Security data security Mimic Mimic Attacks Ransomware attack Ransomware families Ransomwares Stolen Data

Understanding Mimic Ransomware: Features, Threats, and Noteworthy Exploits

 


Mimic is a ransomware family first discovered in 2022. Like other ransomware, it encrypts files on a victim’s system and demands a cryptocurrency payment for the decryption key. What makes Mimic particularly concerning is its dual approach: it not only encrypts data but also exfiltrates it beforehand. This stolen data can be used as leverage, with attackers threatening to release or sell it if the ransom is not paid. 
 
Mimic is believed to reuse code from Conti, a well-known ransomware whose source code was leaked after the group publicly supported Russia’s invasion of Ukraine. While the exact origins of Mimic remain unclear, its operations appear to primarily target English- and Russian-speaking users.   
 

Exploitation of Legitimate Tools  

 
One of Mimic’s distinctive features is its exploitation of the API from Everything, a legitimate Windows file search tool developed by Voidtools. By leveraging this tool, the ransomware can quickly locate and encrypt files, increasing the efficiency of its attacks.   
 
Importantly, Mimic does not rely on victims having Everything pre-installed. Instead, it typically packages the tool along with additional malicious programs designed to:   
 
  • Disable Windows Defender to reduce system defenses. 
  • Misuse Sysinternals’ Secure Delete tool to erase backups, making file recovery more difficult. 

Indicators of Infection  

 
Victims of Mimic can identify an infection by the “.QUIETPLACE” extension added to encrypted files. Additionally, the ransomware leaves a ransom note demanding $3,000 in cryptocurrency to provide the decryption key.   
 
In many cases, victims feel compelled to pay the ransom, particularly when backups have been deleted or compromised.   
 

The Emergence of Elpaco   

 
A new variant of Mimic, known as Elpaco, has recently been detected. This variant is associated with attacks that involve brute-forcing Remote Desktop Protocol (RDP) credentials. Once access is gained, attackers exploit the *Zerologon* vulnerability (CVE-2020-1472) to escalate privileges and deploy the ransomware.   
 
Reports of Elpaco infections have surfaced in countries such as Russia and South Korea, underscoring the expanding reach and evolving capabilities of this ransomware family.   
 

The Importance of Vigilance 

 
Although tools like Everything and Secure Delete are not inherently harmful, Mimic’s misuse of these legitimate programs highlights the need for continuous vigilance. Cybercriminals are increasingly finding ways to exploit trusted software for malicious purposes. 
 
As Mimic and its variants continue to evolve, implementing robust cybersecurity measures—including regular system updates, strong authentication protocols, and comprehensive backup strategies—remains essential to mitigating the risk of ransomware attacks.
Read more »
UNODC
Cyber crimes Deepfake Personal Data Stolen Data Telegram UNODC

UN Report: Telegram joins the expanding cybercrime markets in Southeast Asia

 


According to a report issued by the United Nations Office for Drugs and Crime, dated October 7, criminal networks across Southeast Asia are increasingly turning to the messaging platform Telegram for conducting comprehensive illegal activities. It says Telegram, due to big channels and seemingly insufficient moderation, becomes the attraction of the underworld for organised crime and its resultant transformation in the ways of operating global illicit operations.

An Open Market for Stolen Data and Cybercrime Tools

The UNODC report clearly illustrates how Telegram has become a trading platform for hacked personal data, including credit card numbers, passwords, and browser histories. Cybercriminals publicly trade on the large channels of Telegram with very little interference. In addition, it has various software and tools designed to conduct cybercrime such as fraud using deepfake technology and malware used for copying and collecting users' data. Moreover, money laundering services are provided in unauthorised cryptocurrency exchanges through Telegram.

An example was an ad to be placed on Telegram stating that it was moving USDT cryptocurrency, stolen and with $3 million daily transactions, to cash in on criminal organisations involved in transnational organised crime in Southeast Asia. According to reports, these dark markets are growing increasingly omnipresent on Telegram through which vendors aggressively look to reach criminal organisations in the region.

Southeast Asia: A hub of fraud and exploitation

According to the UNODC reports, this region in Southeast Asia has become an important base for international fraudulent operations. Most criminal activities within the region relate to Chinese syndicates located within heavily fortified locations and use trafficked individuals forced into labour. It is estimated that the industry generates between $27.4 billion and $36.5 billion annually.

The move comes as scrutiny of Telegram and its billionaire founder, Russian-born Pavel Durov, is intensifying. Durov is facing legal fallout in France after he was charged with abetting crime on the platform by allowing the distribution of illegal content after he tightened his regulations in France. The case has sparked debates on the liability of tech companies for the crimes happening on their platform, and the line between free speech and legal accountability.

It responded to the increasing pressure by promising cooperation with legal authorities. The head of Telegram, Durov, stated that Telegram will share the IP addresses and phone numbers of users whenever a legal request for them is required. He further promised to cancel some features on the platform that have been widely misused for illicit activities. Currently, more than a billion people worldwide are using Telegram, and it has so far not reacted publicly to the latest report from the UNODC.

A Perfect Fertile Ground for Cybercrime

For example, as personal data becomes more and more exposed to fraudulent exploitation and fraud schemes through Telegram, for instance, the Deputy Representative for Southeast Asia and the Pacific at UNODC highlighted the perils of the consumer getting to see. In this respect, Benedikt Hofmann, free access and anonymity developed an ideal setting for criminals towards the people's data and safety.

Innovation in Criminal Networks

The growth in Southeast Asia's organised crime to higher levels may indicate criminals will be armed with new, more varying technologies-most importantly malware, generative AI tools, and deepfakes-to commit sophisticated cyber-enabled fraud. In relation to innovation and adaptability, investigation by UNODC revealed over 10 specialised service providers in the region offering deep fakes technology for use in cybercrime cases.

Expanding Investigations Across Asia

Another area of concern discussed in the UNODC report is the increasing investigation by law enforcement agencies in other parts of Asia. For example, South Korean authorities are screening Telegram for its role in the commission of cybercrimes that include deepfake pornography. Meanwhile, in India, a hacker used Telegram chatbots to leak private data from Star Health, one of the country's largest insurers. This incident disclosed medical records, IDs, and even tax details. Star Health sued Telegram.

A Turning Point in Cybersecurity

The UNODC report opens one's eyes to the extent the challenge encrypted messaging presents toward the fight against organised crime. Thus, while criminal groups will continue and take full advantage of platforms like Telegram, tech companies remain on their toes about enforcing control measures over illegal activity while trying to balance concerns to address user privacy and safety.


Read more »
Stolen Data
Bitcoin Cyber Attacks Ransom Attack Rhysida Rhysida Ransomware Rhysida ransomware gang Seattle Seattle Port Stolen Data

Port of Seattle Faces $5.9 Million Ransom Demand in Rhysida Cyberattack

 

The Port of Seattle is confronting a severe cybersecurity crisis as the Rhysida ransomware group demands a ransom of 100 bitcoins (approximately $5.9 million). Rhysida, which has gained notoriety for targeting organizations worldwide, released screenshots of stolen documents, claiming they possess sensitive data such as scanned U.S. passports, Social Security numbers, and tax forms. The group has threatened to sell this data on the dark web if their ransom demands are not met within a week. 

In a joint statement with Seattle-Tacoma International Airport, the Port of Seattle has made it clear they will not pay the ransom, despite threats to publicly release the stolen data. A Port spokesperson emphasized that refusing to comply is part of their firm stance against negotiating with cybercriminals. The extent of the data breach is still under investigation, but Rhysida’s involvement suggests a sophisticated attack that exploited vulnerabilities in the port’s systems. The attack was initially detected on August 24, leading to widespread service disruptions. 

Critical systems were impacted, including baggage handling, check-in kiosks, ticketing, Wi-Fi, and digital display boards, creating significant inconvenience for travelers. The port responded swiftly, isolating affected systems to prevent further breaches. This disruption highlights the real-world consequences of ransomware attacks on essential infrastructure, raising concerns about cybersecurity preparedness in public sectors. Rhysida operates as a ransomware-as-a-service group, enabling other cybercriminals to use its platform for extortion. The group, active since June 2023, has a history of targeting multiple sectors, including government, healthcare, and critical infrastructure, with a focus on the U.S. 

According to cybercrime research platform eCrime.ch, Rhysida has claimed nearly 150 victims since its emergence, demonstrating its rapid growth and effectiveness in breaching high-value targets. The breach at the Port of Seattle emphasizes the growing threat of ransomware attacks on critical infrastructure and serves as a wake-up call for organizations to prioritize cybersecurity measures. Authorities, cybersecurity experts, and the port’s internal IT team are working together to assess the full impact of the attack and develop strategies to restore normal operations. Given the evolving tactics of ransomware groups like Rhysida, this incident underscores the urgent need for comprehensive security strategies and employee training to protect against future breaches. 

In light of this attack, cybersecurity agencies have warned other U.S. ports and critical infrastructure organizations to strengthen their defenses against similar threats. This breach represents a broader trend of ransomware groups targeting critical infrastructure, which, if left unchecked, could have far-reaching implications on national security and economic stability. The Port of Seattle’s refusal to pay the ransom aligns with federal guidelines discouraging negotiations with cybercriminals, but it remains to be seen whether this approach will mitigate the impact of the breach or provoke further retaliation from Rhysida. 

The incident serves as a stark reminder that cybersecurity threats are increasingly sophisticated, requiring organizations to adapt their defense strategies to safeguard sensitive data and operations.
Read more »
Stolen Data
ALPHV/BlackCat Automotive Industry Cyber Attacks Dark Web Data Leak Ramsomware RansomHub RansomHub ransomware Stolen Data

Kawasaki Motors Europe Targeted by RansomHub Ransomware Attack

 

Kawasaki Motors Europe has been targeted by a ransomware attack orchestrated by the RansomHub gang, causing significant disruption to its services. The company, responsible for distributing and selling Kawasaki’s motorcycles across Europe, swiftly responded by isolating its servers to contain the threat. IT teams collaborated with external cybersecurity experts to analyze and cleanse systems of any lingering malware. Kawasaki aims to have 90% of its server infrastructure back online shortly, ensuring that business operations, including dealerships and supply chains, remain unaffected. 

The RansomHub group, a rising cybercriminal organization, claimed responsibility for the attack and added Kawasaki to its extortion portal on the dark web. According to the threat group, 487 GB of data was stolen, and they threatened to leak this information if their demands weren’t met. The data theft’s scope, particularly whether it includes sensitive customer details, remains unclear. Despite these developments, Kawasaki has not commented on the situation or responded to inquiries from cybersecurity analysts and reporters. 

RansomHub has gained significant traction in recent months, filling the void left by the now-defunct BlackCat/ALPHV ransomware operation. This has resulted in a surge of attacks against high-profile organizations, with RansomHub’s affiliates targeting critical sectors such as healthcare, retail, and manufacturing. The group’s growing notoriety was highlighted in a joint advisory issued by the FBI, CISA, and the Department of Health and Human Services, which reported over 200 victims of the ransomware group in the U.S. alone since February. The attack on Kawasaki emphasizes the evolving threat posed by ransomware groups and the importance of proactive cybersecurity measures. 

For businesses like Kawasaki, robust security protocols, regular updates, and swift incident response are critical in mitigating the risk of data breaches. The company’s efforts to cleanse infected servers highlight the importance of collaboration between internal IT teams and external cybersecurity experts in recovering from attacks. To protect against future breaches, organizations must invest in advanced threat detection technologies, ensure comprehensive patch management, and prioritize employee cybersecurity training. 

With cybercriminal groups like RansomHub becoming increasingly organized and opportunistic, adopting a layered defense strategy is vital for reducing exposure to such attacks. Kawasaki’s situation serves as a reminder of the growing challenges organizations face in safeguarding sensitive data from evolving cyber threats and the need for constant vigilance in a rapidly changing digital landscape.
Read more »
Stolen Data
Dark Web Data Breach data stealing Information Leak Phishing Attack PII Stolen Data

Massive Data Breach Exposes Personal Information of 2.9 Billion People Worldwide

 

No matter how cautious you are online, your personal data can still be vulnerable, as demonstrated by a recent data breach that exposed the information of 2.9 billion people. This alarming incident was brought to light as part of a class action lawsuit filed earlier this month. The lawsuit, submitted to the U.S. District Court for the Southern District of Florida, claims that the personal data, including full names, addresses, and Social Security Numbers, was compromised by a public records data provider named National Public Data, a company specializing in background checks and fraud prevention.  

The stolen data, which includes detailed personal information dating back 30 years, was taken by a cybercriminal group known as USDoD. According to the complaint, these hackers attempted to sell the vast collection of data on the dark web for $3.5 million. Given the enormous number of people affected, it is likely that the data includes individuals not only from the U.S. but from other countries as well. National Public Data allegedly obtained this massive amount of personal information through a process known as scraping, a technique used to collect data from websites and other online sources. The troubling aspect of this case is that the company reportedly scraped personally identifiable information (PII) from non-public sources, meaning many of the individuals affected did not voluntarily provide their data to the company. 

One of the plaintiffs, a California resident, became aware of the breach after receiving a notification from an identity theft protection service that his information had been leaked on the dark web. As part of the lawsuit, this plaintiff is seeking a court order for National Public Data to securely dispose of all the personal information it acquired through scraping. Additionally, the plaintiff is asking for financial compensation for himself and other victims, along with the implementation of stricter security measures by the company. In the wake of such a breach, the exposed data could be used by hackers to commit various forms of identity theft and fraud. While National Public Data has yet to issue a formal statement, it is likely that the company will be required to notify affected individuals of the breach. These notifications are expected to arrive by mail, so it is important to monitor your mailbox closely. 

Typically, companies responsible for data breaches offer affected individuals free identity theft protection or credit monitoring for a period of time. Until such services are offered, it is crucial to be vigilant in checking your emails and messages, as hackers may use the stolen data to conduct phishing attacks. Additionally, carefully monitoring your bank and financial accounts for any signs of unauthorized activity is recommended. 

This breach, which is nearly as significant as the 2013 Yahoo! breach that exposed the data of 3 billion people, is likely to have far-reaching consequences. Tom’s Guide has reached out to National Public Data for further information and will provide updates as the situation develops.
Read more »
User Data
Data Breach Data Leak Ransom Stolen Data User Data

AT&T Paid Attackers $370K to Delete Stolen Customer Data

 

AT&T reportedly paid a hacker more than $370,000 to remove stolen customer data. In an extraordinary turn of events, the ransom may not have gone to those responsible for the breach.

Last Friday, AT&T disclosed that an April data breach had exposed the call and text records of "nearly all" of its customers, including phone numbers and call counts. In a filing with the Securities and Exchange Commission (SEC), AT&T claimed it has since tightened its cybersecurity measures and is working together with law authorities to investigate the incident.

It now appears that AT&T has taken additional steps in response to the intrusion. According to Wired, AT&T paid a ransom of 5.7 bitcoin to a member of the hacking group ShinyHunters in mid-May, which was worth little more than $373,000 at the time. In exchange for this money, the hacker allegedly deleted the stolen data from the cloud server where it was stored, as well as providing video footage of the act. 

However, there is no guarantee that the millions of people affected by the latest massive AT&T attack will be entirely safe, as digital data can be easily copied. The security expert who mediated negotiations between AT&T and the hacker told Wired that they believe the only complete copy of the stolen dataset was wiped. However, partial fragments may remain at large. 

Prior to AT&T's announcement of the incident, it was revealed that Santander Bank and Ticketmaster had also been penetrated using login credentials that had been taken by an employee of the independent cloud storage provider Snowflake. According to Wired, following the Ticketmaster breach, hackers may have infiltrated over 160 companies at once using a script.
Read more »
Technology
Black Basta Company Breach Ransomware Stolen Data Technology

Securing Sensitive Data: Lessons from Keytronic’s Recent Breach


Keytronic, a prominent printed circuit board assembly (PCBA) manufacturer, recently confirmed a significant data breach. The breach occurred after the Black Basta ransomware gang leaked over 500GB of the company’s stolen data. In this blog post, we delve into the details of the breach, its impact, and Keytronic’s response.

The Breach Details

Attack Timeline 

The breach came to light two weeks ago when Black Basta claimed responsibility for the attack. Keytronic had reported the cyberattack in an SEC filing over a month ago, on May 62.

Operational Disruption 

The attack disrupted Keytronic’s operations, limiting access to critical business applications. As a result, the company had to shut down domestic and Mexico operations for two weeks to address the incident.

Stolen Data

The stolen data included sensitive information such as human resources, finance, engineering, and corporate data. Black Basta shared screenshots of employees’ passports, social security cards, customer presentations, and corporate documents2.

As required by new SEC criteria, the Company has also stated that the attack and loss of production will have a material impact on its financial position in the fourth quarter of 2024, ending on June 29.

Impact and Response

Personal Information Compromised: Keytronic confirmed that personal information was stolen during the breach. The threat actor accessed and exfiltrated limited data from the company’s environment, including personally identifiable information.

Financial Implications: The resulting production loss could impact Keytronic’s financial condition for the fourth quarter, which ends on June 29. The company incurred approximately $600,000 in expenses for external cybersecurity experts, with more costs anticipated.

Lessons Learned

The company has already spent around $600,000 on hiring external cybersecurity experts and expects to pay more. While Keytronic could not identify a specific threat group, the Black Basta ransomware organization claimed the attack two weeks ago, revealing what they claim is all of the stolen data.

The threat actors say that the attack stole human resources, finance, engineering, and business data, and they have shared photos of employee passports and social security cards, as well as customer presentations and company documents.

Black Basta Ransomware

The Black Basta ransomware operation began in April 2022 and is thought to be made up of former members of the Conti ransomware operation, which broke into smaller groups after it shut down.

Black Basta has since grown to be one of the biggest and most damaging ransomware operations, responsible for a large number of attacks, including those against Capita, Hyundai's European division, the Toronto Public Library, the American Dental Association, and, most recently, a ransomware attack on U.S. healthcare giant Ascension.

Between April 2022 and May 2024, a ransomware campaign breached 500 businesses and stole data from at least 12 out of 16 key infrastructure sectors, according to CISA and the FBI.
Read more »
Stolen Data
Customer Data Data Breach EasyPark Phone Parking Service RingGo Stolen Credentials Stolen Data

RingGo: Phone Parking Service Suffers Data Breach, Customer Data Stolen


UK-based pay-by-phone parking service – RingGo – has suffered a data breach, where information including partial credit card numbers of several of its customers has been leaked. 

The EasyPark-owned company informed that the data of at least 950 customers had been stolen by the hackers. The data included names, phone numbers, addresses, email addresses and parts of credit card numbers.

According to the company, the compromised information is “non-sensitive” and claims that “no combination of this stolen data can be used to perform payments.”

However, it has warned customers have been warned against phishing scams, where threat actors use stolen customer details to send them emails and text messages, that look convincing, in order to scam the target victims. 

While British customers were the least affected by the breach, data of thousands of Europe-based customers are feared to be compromised. It needs to be made clear as to who is behind the data breach. 

Easypark further informs that it was “reaching out to all affected customers.” Meanwhile, RingGo claims to be “UK’s number one parking app,” with over 19 million customers. 

Using the company's app, drivers pay for parking using their smartphones by providing information about their vehicle, like the license plate number, and payment information, like a credit or debit card.

The Information Commissioner's Office (ICO) in the UK and the corresponding European agency have received reports from Stockholm-based EasyPark, according to a Tuesday Guardian report.

According to a statement published on the company’s website, the attack first came to light on December 10: "The attack resulted in a breach of non-sensitive customer data."

“We deeply care about our customers and want to make sure you are fully informed about this incident […] Our security team, including external security experts, is working hard to ensure effective security and privacy measures are in place[…]We are deeply sorry this happened and will continue to work hard every day to earn your trust.”

Owned by private equity firms Vitruvian Partners and Verdane, the company has operations across 4,000 cities in 23 countries, encompassing most of western Europe, the US, and Australia. Since its founding in 2001, it has expanded via several acquisitions.  

Read more »
Web injection campaign
Bank Data IBM Security JavaScript malware Stolen Data Web injection campaign

New Web Injection Malware Campaign Steals Bank Data of 50,000 People


In a new finding, it has been revealed that the malware campaign that first came to light in March 2023 has used JavScript web injections in an attempt to steal data from over 50 banks, belonging to around 50,000 used in North America, South America, Europe, and Japan. 

The malware was first discovered by IBM’s security team, where the researchers noted that the threat actors have been preparing for the campaign since December 2022, after buying the malicious domains.

The attacks used scripts that were loaded from the attacker's server to intercept user credentials and one-time passwords (OTPs) by focusing on a particular page structure that is shared by numerous institutions.

The attackers can access the victim's bank account, lock them out by altering security settings, and carry out illicit transactions by obtaining the aforementioned information.

A Stealthy Attack Chain

The attack begins when the threat actors infect the victim’s device with the malware. While IBM’s report did not specify the details of this stage, it is more likely that this is done through malvertizing, phishing emails, etc. 

The malicious software inserts a new script tag with a source ('src') property pointing to an externally hosted script once the victim visits the malicious websites of the attackers. 

On the victim's browser, the malicious obfuscated script is loaded to change the content of webpages, obtain login credentials, and intercept one-time passcodes (OTP).

IBM found this extra step unusual since most malware can perform web injections directly on the web page.

It is also noteworthy to mention that the malicious script uses names like cdnjs[.]com and unpkg[.]com to mimic authentic JavaScript content delivery networks (CDNs) in an attempt to avoid detection. Moreover, the script verifies the existence of particular security products before execution. 

Also, the script tends to continuously mend its behaviour to the command and control server’s instructions, sending updates and receiving specific outputs that guide its activity on the victim’s device. 

A "mlink" flag set by the server controls its various operational states, which include injecting phone number or OTP token prompts, displaying error warnings, or mimicking page loading as part of its data-stealing tactic. 

IBM notes that nine “mlink” variable values can be combined to instruct the script to carry out certain, distinct data exfiltration activities, indicating how a wide range of commands is being supported. 

According to IBM, this campaign is still a work in progress, thus the firm has urged online users to use online banking portals and apps with increased caution.  

Read more »
Stolen Data
British Library Data Breach ransomware attacks Ransomware Gangs Rhysida Rhysida ransomware gang Stolen Data

British Library Staff Passports Leaked Online, Hackers Demand £600,000 Ransom


In a ransomware attack, the British Library staff passports have been leaked online, where the threat actors are demanding a ransom of £600,000 (to be paid in Bitcoin) in order to retrieve the stolen documents. 

The responsibility of the attack has been claimed by ransomware gang Rhysida. The group has listed the library as their victim over its darknet forum, where it has leaked the low resolution snippets of the stolen information. The gang is offering to auction the further information for 20 Bitcoin, or about £600,000, to the highest bidder.

As a result of the attacks, the library’s operations have been disrupted for weeks. The stolen data includes images of passport photos and HMRC employment records. 

In the darknet website, the listing for the British Library reads, “With just seven days on the clock, seize the opportunity to bid on exclusive, unique and impressive data. Open your wallets and be ready to buy exclusive data.”

The aforementioned listing appeared on the website on Monday, where the group has demanded the ransom to be paid till November 27.

In regards to this, Emisoft’s threat analyst, Brett Callow says that the data “auction” was effectively a “continuation of the extortion attempt” by the gang.

British Library Cyber Attack

The cyberattack on the British Library started in late October, where the attackers stole large chunks of the library’s website. 

Staff at the archive's St Pancras location have been compelled by the disruption to disable the public Wi-Fi and only accept cash payments for some transactions.

Staff at the archive's St Pancras location have been compelled by the disruption to disable the public Wi-Fi and only accept cash payments for some transactions.

The British Library released the following statement on Monday: "We are aware that some data has been exposed, after confirmation last week that this was a ransomware attack. It looks like these are from our own HR records.”

“We have no evidence that data of our users has been compromised.”

The National Cyber Security Centre (NCSC), which is affiliated with GCHQ, and the Metropolitan Police are collaborating with the library to strengthen its IT infrastructure and carry out a forensic examination.

Sir Roly Keating, chief executive of the British Library, said: “We are immensely grateful to our many users and partners who have shown such patience and support as we work to analyse the impact of this criminal attack and identify what we need to do to restore our online systems in a safe and sustainable manner.”  

Read more »
Stolen Data
City of Dallas Cyber Attacks Dallas ransomware attack Data Leak ransomware attacks Royal Ransomware Stolen Data

Dallas Ransomware Attack: Hackers Steal 800K City Files


Hackers who targeted the City of Dallas in the alleged ransomware attack have stolen nearly 1.2 terabytes of data, which equals a sum of 819,000 files, reports City officials. 

City’s Chief Information Officer Bill Zielinski describes that the threat actors gained access to 230 City servers, along with around 1,000 computers and more than 1,100 workstations. Following the attack, the City disabled 100 of its servers.

According to Zielinski, “As part of the remediation and restoration activity, every server, workstation and other host device was thoroughly reviewed for potential impact.”

While the City employees were supposed to issue an ‘After Action Report,’ to the Dallas City Council in regards to the ransomware attack on Wednesday, the affair was postponed when the council members spent the entire evening debating amendments to the next FY23-24 budget.

Adding to this, the council had scheduled time as 9 a.m., but the Council members did not mark their presence till 8 p.m.

Later, coming back to the original topic of discussion, the presentation displayed before the council noted that the hacker group ‘Royal Ransomware,’ was behind the attacks and was responsible for gaining illicit access to 1.169 terabytes of City data between April 7 and May 3 this year.

Dallas officials further noted that the reason behind the dysfunctional City services (that stayed for months) was in fact due to the said ransomware attack. For instance, the City was unable to provide up-to-date crime statistics until the end of July 2023. Officials currently assert that 99.9% of City operations are back online.

The Dallas Express has previously reported that hackers are suspected of stealing the personal data of over 26,000 people, including minors. However, the claims were denied by the City which claimed that no such information has been compromised. The City apparently stated, “no indication that data from residents, vendors, or employees has been leaked.”

However, in regards to the City’s response to the attacks, City Manager T.C. Broadnax said that the City did a “great job.” According to him, the City’s overall response was successful, but the messaging was poor.

“Could we do better? I think, from a communication standpoint, at least, what people believe we should be communicating?[…]I would say, yeah, we can always do better,” he said.

Read more »
Travelling Safety
Boarding pass Data Breach passenger information Stolen Data Travel Travelling Safety

Experts Alert Travelers Against Sharing Photos of Boarding Passes Online


After giving hours to work – each day, every week, for months – checking in at the airport possibly represents an exciting time, for travelers who have waited long for the much-needed rest and recreation.

One may also want to capture this moment and share a sneak peek of their journey with their pals, starting with clicking a little picture of their boarding pass to post on social media. However, cyber experts have advised the vacationers against this, since doing so could be a risk to their privacy, or even lead to their information getting into the wrong hands. 

While modern boarding passes do not contain any outright personal details and only contain information like the person’s name, flight number and seat number, certain codes could be used by a hacker to further get hold of a victim’s information.

Josh Amishav, Founder and CEO of data breach monitoring company Breachsense, explained "Your frequent flyer number, name, and passenger name record are valuable for identity theft, enabling fraud like opening credit card accounts or making unauthorised purchases.”

"Hackers can employ social engineering techniques, pretending to be airline representatives to trick you into revealing more personal data. They can also create targeted phishing attempts using your boarding pass info, leading to clicking on malicious links or sharing sensitive data," he says.

The threat does not end here, since this is not the only way a boarding pass can be used by an unauthorized body to access a flyer’s information. Another case that comes to light is the illicit usage of contents of a lost or stolen boarding pass.

Thus, there are several measures and precautions one must keep in mind in order to protect oneself from falling prey to such cyber incidents. Here, we are listing some of those measures: 

  • Always make sure that the boarding pass is safe with you; never put it in the pocket of the airplane seat or toss it in a hotel trash can without first shredding it up. 
  • It is crucial to properly dispose of printed boarding passes when one is done with them and no longer needs them in order to prevent the information contents from falling into the wrong hands.
  • In case one is posting picture of their boarding passes, or any documents from their trip on social media, it is recommended to edit those pictures in a way so it does not display any important detail.  

Read more »
Unauthorized access
Data Breach Data Privacy Email Fraud North Korean Hackers Phishing Attacks Russian Firm Stolen Data Unauthorized access

North Korean Hackers Infiltrate Russian Missile Engineering Firm

 


A sanctioned Russian missile engineering business was successfully penetrated by North Korean hackers, it has been revealed in an astonishing development, prompting worries about the possible repercussions of this security breach. The event shows how North Korea's cyberwarfare capabilities are becoming more sophisticated and how willing it is to target prominent defense organizations outside of its borders.

The compromised business, a significant actor in the Russian defense sector, is focused on the creation of cutting-edge missile technologies. The intrusion, which was initially revealed by cybersecurity company SentinelOne, has alarmed the international security community and shed light on the changing landscape of cyber threats and geopolitical conflicts.

Researchers in cybersecurity have reported that the North Korean hacker squad thought to be responsible for the intrusion is renowned for its skill and ties to the Pyongyang regime. The gang uses a combination of spear-phishing emails and carefully designed malware to infect its targets. Once within the organization's network, the hackers were able to obtain confidential technical information and research about missile systems without authorization.

Concerns over possible cooperation between North Korean hackers and state-approved organizations have been raised in the wake of the incident. According to experts, the stolen missile technology may end up in North Korea's own military research and development efforts or possibly be sold to nations with hostile intents. The North Korean regime may be able to advance its missile capabilities with the help of the stolen data, seriously endangering regional stability.

"The breach of a sanctioned Russian missile engineering company by North Korean hackers underscores the serious nature of cyber threats in today's interconnected world. It serves as a wake-up call for governments and organizations to bolster their cybersecurity measures," warns cybersecurity analyst Jane Thompson.

The compromised Russian company has not disclosed the full extent of the breach, raising concerns about the potential scope of the stolen data. As investigations are ongoing, cybersecurity teams are working tirelessly to assess the damage, contain the breach, and strengthen the company's cyber defenses.

This incident emphasizes the essential necessity for governments and commercial businesses to work together on upgrading their cybersecurity strategy. It is crucial that nations give priority to the security of vital defense infrastructure and sensitive technical developments as cyber threats continue to grow in complexity and scope.
Read more »
Vulnerabilities and Exploits
CISA FDA Illumina medical data stolen Security flaw Stolen Data US Government Vulnerabilities and Exploits

Illumina: FDA, CISA Warns Against Security Flaw Making Medical Devices Vulnerable to Remote Hacking


The US Government has issued a warning for healthcare providers and lab employees against a critical flaw, discovered in the genomics giant Illumina’s medical devices, used by threat actors to alter or steal sensitive patient medical data.

On Thursday, US cybersecurity agency CISA and US Food and Drug Administration FDA released separate advisories to alert organizations of the vulnerabilities affecting the Universal Copy Service (UCS) component used by a number of Illumina's genetic sequencing devices.

The vulnerability flaw, identified as CVE-2023-1968 enables remote access to a vulnerable device via the internet without the need for a password. If exploited, hackers may be able to compromise devices and cause them to generate false, changed, or nonexistent results. 

The advisories also include a second vulnerability, CVE-2023-1966, which is rated 7.4 out of 10 for severity. The flaw might provide hackers access to the operating system level, where they could upload and run malicious programs to change settings and access private information on the impacted product.

The FDA claimed it was unaware of any actual attacks that exploited the flaws, but it did issue a warning that a hacker might use them to remotely control a device or change its settings, software, or data, as well as remotely access the user's network.

“On April 5, 2023, Illumina sent notifications to affected customers instructing them to check their instruments and medical devices for signs of potential exploitation of the vulnerability,” states the FDA in its notification. 

The products from Illumina that are vulnerable include iScan, iSeq, MiniSeq, MiSeq, MiSeqDx, NextSeq, and NovaSeq. These products, which are used all around the world in the healthcare industry, are made for clinical diagnostic use when sequencing a person's DNA for different genetic diseases or research needs.

According to Illumina spokesperson David McAlpine, Illumina has “not received any reports indicating that a vulnerability has been exploited, nor do we have any evidence of any vulnerabilities being exploited.” Moreover, he declines to comment on whether the company has technical resources that could detect exploitation, nor did he specify the number of devices affected by the vulnerability.

Illumina CTO Alex Aravanis in a LinkedIn post mentions that the company detected the flaw as part of routine efforts to examine its software for potential flaws and exposures.

“Upon identifying this vulnerability, our team worked diligently to develop mitigations to protect our instruments and customers[…]We then contacted and worked in close partnership with regulators and customers to address the issue with a simple software update at no cost, requiring little to no downtime for most,” Aravanis said.  

Read more »
Stolen Data
Antivirus cybercriminals Hacking keylogger malware Phishing Campaign Phishing Mails Snake Keylogger Stolen Data

Here's all you Need to Know About Snake Keylogger


In this age of ever-evolving technological developments, crime pertaining to the same is also emerging at a higher scale. One of the most talked about and harsh cybercrimes are data breaches. 

In today’s world, a cybercriminal is capable of stealing data and money with the help of a number of malwares, including keyloggers. 

Snake Keylogger is a well-known example of this kind of malware. However, where did Snake Keylogger originate from, how did it operate, and how could you get rid of it? Here is all you need to know about Snake Keylogger. 

What Is Snake Keylogger? 

In order to get an idea of Snake Keylogger, let us first understand what keyloggers are in general. 

Keylogger is the kind of malicious program used in logging keystrokes. If your device is infected, the keylogger will record anything you input on the keyboard, including passwords, text messages, payment information, and just about anything else. Essentially, Snake Keylogger is a modular malware program, created by using the .NET developer platform. 

With this logging, the malicious operator is able to acquire access over controlling the program, it may as well be able to see what a user is typing into his or her device and even take screenshots, giving them an opportunity to steal a great heap of data.  

Discovered in November 2020, it has a history of stealing credentials, clipboard data, and other types of information. Snake Keylogger, a dangerous product that may be purchased on malicious markets like hacking forums, poses a threat to both individuals and companies.

How Does Snake Keylogger Operate? 

Snake Keylogger usually spreads through phishing campaigns, targeting victims with malicious mail. However, it can also be transmitted via spear phishing, where specific victims are targeted for specific goals. When a Snake Keylogger is sent to a potential victim, it is enclosed in an attachment. 

Once received, the user is asked to open a DOCX file. This file may contain a macro (a computer virus), that permits the launch of Snake Keylogger. In case the recipient possesses a version of Microsoft Office with security vulnerabilities, the malware tends to exploit them and infect the device. The same could be intended for PDF readers. 

The malware holds the capability of gaining access to recorded data and transferring the same to the attacker, who can exploit it further. The data can either be exploited directly (by hacking bank accounts with stolen credentials) or sell the information to other threat actors in illicit marketplaces, on the dark web. 

One of the other reasons why Snake Keyloggers possess threats is their ability to evade antivirus protection, which usually stands as the first line of defense for most devices. In many cases, devices only possess antivirus as their source of protection, thus if Snake Keylogger succeeds in evading the software with no other protection in place, the targeted device could easily and quickly be infected and exploited. 

How to Protect Yourself from Snake Keylogger? 

To avoid Snake Keylogger, one can opt for a number of measures: 

  • The first is by installing antivirus software on their devices. While Snake Keylogger can sometimes avoid detection by antivirus software, it is crucial to have a reliable and efficient antivirus provider installed on your devices in order to identify keyloggers and other types of malware. 
  • Additionally, one must always exercise caution when opening any email attachments, particularly those from unknown or dubious senders. The distribution of malware via attachments is fairly prevalent, and Snake Keylogger is only one of many examples. Consider passing an email attachment via an attachment scanner to identify any potential risks if you ever receive one from a sender you do not fully trust. 
  • To avoid fraudulent emails, one should make sure to enable their email provider’s spam filter. This way, the suspicious emails will be sent to a separate folder, rather than the main inbox. 
  • Moreover, one must ensure to frequently update their operating systems as well as the installed apps. Since Snake Keylogger infects devices by exploiting software flaws, frequent updates will iron out these flaws, meaning cybercriminals can no longer be able to abuse the software.  

Read more »
User Privacy
Data Breach Have I Been Pwned Password Phishing Attacks Stolen Data User Privacy

20M User Data Breach Reported by PeopleConnect

Hackers stole a 2019 backup database holding the personal details of millions of users, PeopleConnect, the company behind the background check services TruthFinder and Instant Checkmate, acknowledged that they experienced a data breach.

Customers can run background checks on others using subscription-based services like TruthFinder and Instant Checkmate. Access to numerous databases containing personal data, including email addresses, physical addresses, social media profiles, arrest histories, and phone numbers, is offered.

Data for 20.22 million potential TruthFinder and Instant Checkmate users who utilized the services up to April 16th, 2019, were allegedly leaked on January 21 by a member of the Breached cybercrime and data breach forum.

When Have I Been Pwned's Troy Hunt informed PeopleConnect of the data leak, the business promptly initiated an investigation and reiterated that it intended to make the situation official? TruthFinder and Instant Checkmate received notifications from PeopleConnect stating that there had been a data breach on both sites.

"The list, which appears to cover all client accounts created between 2011 and 2019, was made, as we have confirmed, several years ago. Our organization produced the list that was published. Although our investigation is ongoing, it looks that this was an accidental list release or theft. It does not appear that any user activity, such as reports or queries on our system, was involved in the published list in question, and it does not appear that payment information, passwords that can be read or used, or other methods of breaching user accounts were involved," the data security firm told.

The business hired a cybersecurity organization from outside to look into the event, but there was no sign that their network had been compromised. PeopleConnect advises that targeted phishing attempts are to be on the lookout for and will provide more updates as new information becomes available.



Read more »
The Guardian ransomware attack
Data Breach JD Sports JD Sports Fashion plc Royal Mail Stolen Data The Guardian ransomware attack

JD Sports: Data of 10 Million Customers at Risk


Following a cyber-attack, sportswear chain JD Sports has confirmed that the stored data of around 10 million customers might be at risk. The company said data that “may have been accessed” by the threat actors included names, addresses, email accounts, phone numbers, order details, and the final four digits of bank cards. 

Apparently, the data is related to online orders between November 2018 and October 2020. The company assured that the affected customers are being informed about the breach. 

It further added that the affected data was “limited.” The company claimed that payment card information was secure and that there is no reason to believe that hackers had gained access to customer passwords. 

In regards to the data breach, the chief financial officer of JD Sports, Neil Greenhalgh stated “We want to apologize to those customers who may have been affected by this incident […] Protecting the data of our customers is an absolute priority for JD.” 

The hack targeted online purchases made under the JD, Size, Millets, Blacks, Scotts, and MilletSport brands. It is believed that the business discovered the attack recently, but that only historical data was accessed. 

Reportedly, the company is working in collaboration with some of the “leading cyber-security experts” and is engaging with the UK’s Information Commissioner’s Office (ICO) in regard to the incident. 

Mr. Greenhalgh has advised the affected customers to be “vigilant about potential scam e-mails, calls and texts.” 

UK Companies Vulnerable to Cyber-attacks 

In recent times, numerous UK Businesses have witnessed at least one cyber-attacks. For an instance: 

  • Earlier this month, Royal Mail was a victim of a ransomware attack that resulted in its halt of post and parcel delivery operations overseas. 
  • In December 2022, the Guardian newspaper was targeted by a malicious ransomware attack. 

According to Lauren Wills-Dixon, solicitor and an expert in data privacy at law firm Gordons, businesses are needed to be prepared for potential cyber-attacks since they are among the most common targets for threat actors. The reason for the same is the large amount of customer data they have in store. 

She also added that the increased use of technology by the industry “to reduce overheads and streamline operations has raised the risk even further.” 

“In this new world, it's not 'if' but 'when' a cyber-attack will happen.” 

Read more »
User Privacy
Attacker Data Data Breach Leak Stolen Data Twitter User Data User Privacy

Hacker Offers 5.4 million Twitter Account Details for $30,000

 

A threat actor acquired data from 5.4 million Twitter accounts by exploiting a now-patched vulnerability in the popular social networking site. Hacker is currently selling the stolen information on the prominent hacker site Breached Forums. 

In January, a Hacker report claimed the discovery of a vulnerability that may be used by an attacker to identify a Twitter account using the linked phone number/email, even if the user has elected to avoid this in the privacy settings. 

“The vulnerability allows any party without any authentication to obtain a Twitter ID(which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account,” reads the description in the report submitted by Zhirinovskiy via bug bounty platform HackerOne. 

“This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number but an attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities” Twitter acknowledged the vulnerability and rewarded Zhirinovskiy with a $5,040 prize. 

The website Restore Privacy uncovered the advertising for the massive data trove on Breached Forums. A hacker has published a database of 5.4 million Twitter users. 

Database of 5.4 million Twitter users

According to the seller, the database comprises data (email addresses and phone numbers) from people ranging from celebrities to businesses. The vendor additionally included a data sample in the form of a csv file. 

“A few hours after the post was made, the owner of Breach Forums verified the authenticity of the leak and also pointed out that it was extracted via the vulnerability from the HackerOne report above.” reads the post published by RestorePrivacy. 

“We downloaded the sample database for verification and analysis. It includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account.” 

The seller told RestorePrivacy that he is asking for at least $30,000 for the entire database.
Read more »
Subscribe to: Posts (Atom)