
Massive Data Breach in Columbus: Over 3TB of Files Leaked by Rhysida Ransomware Group


Columbus is grappling with the fallout from a significant data breach, as the Rhysida ransomware group has begun leaking over three terabytes of stolen data on the dark web. The breach, which exposed data belonging to the city's employees, comes after two failed attempts by the attackers to auction the data. 

The leak, which started early Thursday morning, includes a substantial portion of the 6.5 terabytes of data that Rhysida claims to have stolen. Among the leaked files are personal data from city employees’ computers and SQL backup files containing entire databases. 

Cybersecurity experts, including Ohio State Assistant Professor Carter Yagemann and CMIT Solutions' Daniel Maldet, have confirmed the data's release. While the complete extent of the breach remains unclear, NBC4 has verified that the leaked data contains files related to current city employees, as well as at least one contractor and a former staff member who left in 2021. 

The attackers initially set the starting bid for the auction at 30 bitcoin (approximately USD 1.7 million), but this failed to attract buyers. Cybersecurity expert Shawn Waldman has warned that the situation is dire, especially as the city has only just begun rolling out credit monitoring for affected individuals. 

"The fact that some of the personally identifiable information is already out and available means the damage could be irreversible," Waldman said. 

He also suggested that the data not yet released may have been sold privately, although this cannot be confirmed. Columbus Mayor Andrew Ginther acknowledged the breach in a statement, though he downplayed the severity of the leak, suggesting that the failure to sell the data could indicate it has little value. 

However, Waldman and other experts caution that the situation is far from resolved. "If the city doesn't continue negotiations, we could see the entire data set leaked in the near future," Waldman said. Right now, the city is working with the FBI and the Department of Homeland Security to investigate the breach, which was first detected on July 18. 

Although the city's IT team prevented the attackers from locking up the city's systems, the attackers had already exfiltrated a large volume of sensitive data before they were stopped. This has put Columbus officials and residents on high alert as the investigation continues.

Hackers Breach ISP to Poison Software Updates With Malware


A Chinese hacking group, known as StormBamboo, has compromised an internet service provider (ISP) to distribute malware through automatic software updates. This cyber-espionage group, also called Evasive Panda, Daggerfly, and StormCloud, has been active since at least 2012, targeting organizations in China, Hong Kong, Macao, Nigeria, and various countries in Southeast and East Asia. 

On Friday, cybersecurity researchers from Volexity revealed that StormBamboo exploited insecure software update mechanisms that fetched updates over plain HTTP and did not verify digital signatures on what they downloaded. This allowed the group to deliver malware to Windows and macOS devices in place of the intended updates. 

They did this by poisoning DNS responses at the compromised ISP: queries for the vendors' update hosts were answered with attacker-controlled IP addresses, so the automatic update checks reached StormBamboo's command-and-control servers, which served the malware. Because the update clients trusted whatever the resolved host returned, the whole chain ran without any user interaction. 

"Volexity observed StormBamboo targeting multiple software vendors, who use insecure update workflows, using varying levels of complexity in their steps for pushing malware. Volexity notified and worked with the ISP, who investigated various key devices providing traffic-routing services on their network. As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped," the researchers added. 

For example, StormBamboo used 5KPlayer update requests to push a backdoored installer from its servers. Once the target's system was compromised, the attackers installed a malicious Google Chrome extension, ReloadText, which stole browser cookies and email data. 
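The two ingredients described above, an update client that trusts the network path and DNS poisoning that redirects the update host, are easiest to see side by side. The following Go program is an added example, not Volexity's code or any vendor's updater: it models the resolver and the update servers as in-memory maps (the hostname `updates.vendor.example` and the IP addresses are made up), signs replies with Ed25519 from the standard library, and compares a client that installs whatever arrives with one that checks the signature against a key pinned at build time. It goes slightly beyond the article's case by also rejecting a tampered legitimate installer and an unsigned reply.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateResponse is the shape of an update-check reply. A genuine vendor reply
// and an attacker's reply look identical on the wire; only the signature tells
// them apart, which is why a client that ignores it is exposed to DNS poisoning.
type UpdateResponse struct {
	Version   string
	Installer []byte // installer bytes; constructed stand-ins in this example
	Signature []byte // Ed25519 signature over digest(Version, Installer)
}

// digest binds the version label to the installer bytes so that a validly
// signed old installer cannot be replayed under a newer version string.
func digest(version string, installer []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator: keeps ("1.2","0...") and ("1.20","...") distinct
	h.Write(installer)
	return h.Sum(nil)
}

// NewSigningKey makes a fresh Ed25519 key pair (used for both vendor and attacker).
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignResponse builds an update reply signed with whatever key the server holds.
func SignResponse(priv ed25519.PrivateKey, version string, installer []byte) UpdateResponse {
	return UpdateResponse{
		Version:   version,
		Installer: installer,
		Signature: ed25519.Sign(priv, digest(version, installer)),
	}
}

// Resolver and Servers model the network path. The ISP-level attacker never
// touched the vendor's server; it changed what the hostname resolved to.
type Resolver map[string]string        // hostname -> IP address
type Servers map[string]UpdateResponse // IP address -> reply served there

// FetchUpdate resolves the vendor hostname and returns whatever the resolved host serves.
func FetchUpdate(r Resolver, s Servers, host string) (UpdateResponse, error) {
	ip, ok := r[host]
	if !ok {
		return UpdateResponse{}, errors.New("resolution failed for " + host)
	}
	resp, ok := s[ip]
	if !ok {
		return UpdateResponse{}, errors.New("no update server at " + ip)
	}
	return resp, nil
}

// InsecureInstall reproduces the flawed workflow: run whatever the update host returned.
func InsecureInstall(resp UpdateResponse) ([]byte, error) {
	return resp.Installer, nil
}

// VerifiedInstall accepts an installer only if it is signed by the vendor key
// pinned in the client. Where the bytes came from (DNS, CDN, ISP) no longer matters.
func VerifiedInstall(pinned ed25519.PublicKey, resp UpdateResponse) ([]byte, error) {
	if !ed25519.Verify(pinned, digest(resp.Version, resp.Installer), resp.Signature) {
		return nil, errors.New("update rejected: signature does not verify against pinned vendor key")
	}
	return resp.Installer, nil
}

func main() {
	vendorPub, vendorPriv := NewSigningKey()
	_, attackerPriv := NewSigningKey()
	const host = "updates.vendor.example" // hypothetical update hostname

	servers := Servers{ // made-up addresses from documentation ranges
		"203.0.113.10": SignResponse(vendorPriv, "1.2.0", []byte("GENUINE-INSTALLER")),
		"198.51.100.7": SignResponse(attackerPriv, "1.2.0", []byte("BACKDOORED-INSTALLER")),
	}
	cases := []struct {
		name string
		dns  Resolver
	}{
		{"honest DNS", Resolver{host: "203.0.113.10"}},
		{"poisoned DNS", Resolver{host: "198.51.100.7"}}, // what the compromised ISP answers
	}
	for _, c := range cases {
		resp, _ := FetchUpdate(c.dns, servers, host)
		got, _ := InsecureInstall(resp)
		fmt.Printf("%-13s insecure client installs %q\n", c.name, got)
		if got, err := VerifiedInstall(vendorPub, resp); err != nil {
			fmt.Printf("%-13s verified client: %v\n", c.name, err)
		} else {
			fmt.Printf("%-13s verified client installs %q\n", c.name, got)
		}
	}
}
```

The point the run makes is that the fix belongs in the client, not the network: once the installer must carry a signature from a pinned key, a poisoned resolver only changes which server answers, and an answer the attacker cannot sign is discarded. Transport security on the update channel (HTTPS with a validated certificate) is a useful second layer, but it does not replace verifying the artifact itself.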
 
In April 2023, ESET researchers observed StormBamboo delivering the Pocostick (MGBot) Windows backdoor by abusing the update mechanism of Tencent QQ. In July 2024, Symantec found the group targeting an American NGO in China and several organizations in Taiwan with new versions of the Macma macOS and Nightdoor Windows malware. 

In the 2023 Tencent QQ case, the exact delivery method was not established; both a supply-chain compromise and an adversary-in-the-middle attack were considered possible. The ISP compromise described here shows how an adversary-in-the-middle position can be obtained at scale, and underlines why update mechanisms must verify the signature of what they download rather than trust the network path.