Your curated list of data security news from around the world, in a simple yet intuitive form for fast-paced cybersecurity professionals.
WEEK OF SEPTEMBER 20, 2021
Saudi Arabia approves new law to protect personal data
- The new law will ensure the privacy of personal data, regulate the sharing of personal data and prevent the abuse of personal data.
- The data covered include names, identification numbers, addresses, phone numbers, personal records, financial records, and images, videos or any other identifying data.
- The head of SDAIA, Abdullah Al-Ghamdi assured that it’s not permissible to use personal means of communication for the purpose of marketing or awareness materials except with the approval of the owner of personal data, or the existence of a mechanism that enables him to express his desire to receive it or not.
China tells firms to boost cyber, data security oversight on connected vehicles
- China’s industry ministry published a notice telling companies to step up cyber and data security oversight over connected vehicles, saying that security risks in the industry had become increasingly prominent.
- All relevant companies should establish data security management systems and regularly assess risks from network attacks, the Ministry of Industry and Information Technology said in a statement.
Tesla will work with global regulators on data security: Elon Musk
- Tesla, which assembles vehicles for China in Shanghai, has been under scrutiny over its storage and handling of customer data.
- Cars are being fitted with an ever-increasing array of sensors and cameras to assist drivers but the data such equipment generates has also raised questions about privacy and security.
- In May, Reuters reported that staff at some Chinese government offices had been told not to park their Tesla cars inside government compounds due to security concerns over vehicle cameras. Tesla later said it had established a site in China to store car data locally.
Working From Home Brings New Cybersecurity Challenges as Workers Commonly Bypass Inconvenient Measures
- 76% of the IT respondents said that security sometimes had to take a backseat to business continuity needs during the pandemic period.
- The mass shift to working from home precipitated by the Covid-19 pandemic created massive security challenges, ones that were difficult to solve even if workers could be convinced to practice nearly perfect security hygiene. A new study from HP indicates that employee buy-in is far from 100%.
- A full 30% of remote workers under the age of 24 say that they circumvent or ignore certain corporate security policies when they get in the way of getting work done.
- While the young cohort is most likely to buck the system, 67% of IT leaders say they get “weekly” complaints about restrictive policies and 48% of all workers feel that these measures are a waste of time.
Nearly 50% of On-Premises Databases Have Vulnerabilities
- A network compromise shouldn’t mean “game over” for corporate data, but survey data shows many companies fail to protect their crown jewels.
- Almost half of all companies have internal databases with known vulnerabilities, with the average vulnerable database having 26 publicly disclosed flaws – more than half of which are critical or high-severity issues, according to data collected over the past five years by Internet security firm Imperva.
- While vulnerable on-premises databases gain some protection from being inside the corporate firewall, companies that leave databases with known and unpatched flaws are exposing them to attackers who gain access to the company's network or who can use public-facing applications to deliver payloads to the back-end systems, the company said.
- Many of the unpatched vulnerabilities are at least 3 years old, and more than half (56%) are considered serious.
CISA, FBI: State-Backed APTs may be exploiting critical Zoho bug
- The newly identified bug in a Zoho single sign-on and password management tool has been under active attack since early August.
- The Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) platform for AD and cloud apps, meaning that any cyberattacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD.
- It is, in other words, a powerful, highly privileged application which can act as a convenient point-of-entry to areas deep inside an enterprise’s footprint, for both users and attackers alike.
- “FBI, CISA, and CGCYBER strongly urge users and administrators to update to ADSelfService Plus build 6114,” the trio of agencies stated. They also strongly urged organizations to keep ADSelfService Plus away from direct access via the internet.
WEEK OF SEPTEMBER 13, 2021
Recent breaches underscore high healthcare security risk
- Healthcare institutions in California and Arizona are sending breach notification letters after attackers compromised thousands of patients’ data.
- The average cost of a cyberattack-related shutdown exceeds $440,000 for smaller organizations and $130,000 for larger ones.
- Researchers say while attacks against healthcare have increased, many victims – especially midsize hospitals – have not adapted to the change.
Only 8% of orgs with web apps for file uploads have adequate cybersecurity
- Yet almost all of them (99%) are concerned (to a varying degree) about cyber threats.
- Organizations have raced to digitally transform their businesses in response to market pressures and customer demands leading to widespread adoption of cloud services and collaboration and sharing platforms. However, security for their web applications supporting file uploads and transfers has lagged behind, further exacerbated by the pandemic.
- In their 2021 Web Application Security Report, Opswat found that 87% of organizations are “extremely” or “very” concerned about file uploads as an attack vector for malware and cyberattacks, with 82% reporting increased concern since last year.
UN confirms April 2021 data breach
- UN official also confirms further attacks connected to the initial breach have been detected and are under investigation.
- Attackers likely broke into UN infrastructure using the stolen username and password of a UN employee bought on the Dark Web, the report states.
- These credentials granted access to an account for Umoja, the UN’s proprietary project management software. The account attackers accessed was not protected with multifactor authentication, the report notes.
- From this entry point, the attackers could further infiltrate the UN network, says Resecurity, which found the breach and claims the earliest known date attackers accessed UN systems was April 5. They were still active as of Aug. 7.
Hackers leak passwords for 500,000 Fortinet VPN accounts
- While the threat actor states that the exploited Fortinet vulnerability has since been patched, they claim that many VPN credentials are still valid.
- This leak is a serious incident as the VPN credentials could allow threat actors to access a network to perform data exfiltration, install malware, and perform ransomware attacks.
- The list of Fortinet credentials was leaked for free by a threat actor known as ‘Orange,’ who is the administrator of the newly launched RAMP hacking forum and a previous operator of the Babuk Ransomware operation.
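The first question a defender asks about a credential dump like this is whether any of their own gateways appear in it. The following is an added example, not Fortinet's tooling or anything from the leak itself; it assumes a simple dump layout of one "ip:port username" record per line (this page does not describe the real file's layout), and the addresses, ranges and usernames in the sample are constructed.

```python
"""Match a leaked VPN credential dump against your own address space."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

Record = Tuple[ipaddress._BaseAddress, Optional[int], str]


def parse_dump(lines: Iterable[str]) -> List[Record]:
    """Parse 'ip:port username' records (assumed layout); skip blanks, comments and junk."""
    records: List[Record] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        endpoint, _, user = line.partition(" ")
        host, _, port = endpoint.rpartition(":")
        try:
            ip = ipaddress.ip_address(host or endpoint)
        except ValueError:
            continue  # not an address we can act on
        records.append((ip, int(port) if port.isdigit() else None, user.strip()))
    return records


def accounts_to_reset(lines: Iterable[str], owned_ranges: Iterable[str]) -> Dict[str, List[str]]:
    """Return {gateway_ip: sorted unique usernames} for records inside the ranges you own.

    Only usernames are kept; leaked passwords should never be copied into
    tickets or chat, and every matched account must be reset regardless.
    """
    nets = [ipaddress.ip_network(r, strict=False) for r in owned_ranges]
    found: Dict[str, set] = {}
    for ip, _port, user in parse_dump(lines):
        if any(ip in net for net in nets):  # version-mismatched nets simply do not match
            found.setdefault(str(ip), set()).add(user)
    return {ip: sorted(users) for ip, users in found.items()}


# Constructed sample dump (documentation address ranges, invented usernames); not the real leak
SAMPLE_DUMP = """
# ip:port username
203.0.113.10:10443 jdoe
203.0.113.10:10443 asmith
198.51.100.77:443 root
203.0.113.10:10443 jdoe
not-an-address junk
"""

if __name__ == "__main__":
    # Replace with the CIDR blocks your organisation actually owns.
    print(accounts_to_reset(SAMPLE_DUMP.splitlines(), ["203.0.113.0/24"]))
```

Because the dump is a snapshot taken at exploitation time, the right response on a matched gateway is to reset every account configured on it and rotate any shared secrets, not only the usernames that happen to appear in the file.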
CISA warns of actively exploited Zoho ManageEngine ADSelfService vulnerability
- The flaw, tracked as CVE-2021-40539, concerns a REST API authentication bypass that could lead to arbitrary remote code execution (RCE). ADSelfService Plus builds up to 6113 are impacted.
- ManageEngine ADSelfService Plus is an integrated self-service password management and a single sign-on solution for Active Directory and cloud apps, enabling admins to enforce two-factor authentication for application logins and users to reset their passwords.
- In an independent advisory, Zoho cautioned that it’s a “critical issue” and that it’s “noticing indications of this vulnerability being exploited.”
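Both ADSelfService Plus items above reduce to two checks an administrator can script: is the installed build older than 6114, and is the REST API reachable from the internet (which the advisory says it must not be)? The following is an added example, not Zoho's, CISA's or the FBI's code. It assumes the product's REST endpoints sit under a "/RestAPI/" path prefix, that the web server logs in the common combined format, and that the organisation's internal ranges are the RFC 1918 and loopback/link-local blocks listed; the log lines and endpoint names in the sample are constructed.

```python
"""Triage helpers for ADSelfService Plus exposure (CVE-2021-40539)."""
import ipaddress
import re
from typing import Iterable, List, Tuple

PATCHED_BUILD = 6114           # first fixed build named in the advisory
RESTAPI_PREFIX = "/RestAPI/"   # assumed path prefix of the product's REST API

# Addresses treated as internal; extend with your own public ranges if they
# reach the server over a private path. Documentation ranges are deliberately
# NOT listed here so they can stand in for internet sources in the sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_vulnerable_build(build: int) -> bool:
    """Builds 6113 and earlier carry the REST API authentication bypass."""
    return build < PATCHED_BUILD


def is_external(ip: str) -> bool:
    """True when the source address is outside every listed internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def find_external_restapi_hits(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (ip, method, path) for REST API requests from external addresses.

    A single hit proves the instance is reachable from the internet; POSTs to
    the REST API from outside are the requests to pull for forensic review.
    """
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["path"].startswith(RESTAPI_PREFIX) and is_external(m["ip"]):
            hits.append((m["ip"], m["method"], m["path"]))
    return hits


# Constructed sample (endpoint names are placeholders, not real product paths)
SAMPLE_LOG = [
    '10.0.4.17 - - [10/Sep/2021:08:01:12 +0000] "GET /RestAPI/endpointA HTTP/1.1" 200 512',
    '198.51.100.23 - - [10/Sep/2021:08:03:44 +0000] "POST /RestAPI/endpointA HTTP/1.1" 200 88',
    '198.51.100.23 - - [10/Sep/2021:08:03:45 +0000] "GET /help/index.html HTTP/1.1" 200 2048',
    '192.168.1.9 - - [10/Sep/2021:08:05:00 +0000] "POST /RestAPI/endpointB HTTP/1.1" 200 70',
]

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable_build(6113))
    for hit in find_external_restapi_hits(SAMPLE_LOG):
        print("external REST API request:", hit)
```

If the second check returns anything at all, treat the host as exposed and potentially compromised: patch, then review the flagged requests rather than assuming the update alone closed the incident.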
Jenkins hit as Atlassian Confluence cyberattacks widen
- The popular biz-collaboration platform is seeing mass scanning and exploitation just two weeks after a critical RCE bug was disclosed.
- Atlassian Confluence is a collaboration platform where business teams can organize their work in one place: “Dynamic pages give your team a place to create, capture, and collaborate on any project or idea,” according to the website.
- Earlier, in June, researchers uncovered a chain of Atlassian bugs that could be tied together for one-click information disclosure from Jira accounts.
- Sensitive information could have been easily siphoned out of the platform, researchers at Check Point Research said: “Anything related to managing a team or writing…code that you can encounter bugs in.”
WEEK OF SEPTEMBER 06, 2021
India is fast becoming the global ransomware capital, says NPCI CEO
- Dominance of a few players may not be in the best interest and there is a need to raise competition, says Dilip Asbe.
- Recently I read that India is becoming or has become the ransomware capital of the world and most of these demands are in crypto currencies, Asbe mentioned.
- At NPCI, we ensure that strong and in-depth security standards are applied, from infrastructure to data security. We look forward to implementing this in RuPay in the next few days, and in addition UPI offers secure and secure tokenization with its original design, Asbe said in an exclusive interview.
Bangkok Airways clarifies the incident of a cybersecurity attack
- Bangkok Airways Public Company Limited discovered that the company had been the victim of a cybersecurity attack which resulted in unauthorized and unlawful access to its information system.
- Upon such discovery, the company immediately took action to investigate and contain the event, with the assistance of a cybersecurity team.
- Currently, the company is investigating, as a matter of urgency, to verify the compromised data and the affected passengers as well as taking relevant measures to strengthen its IT system.
US Cyber Command warns of ongoing ‘Mass Exploitation’ of critical Confluence vuln
- Apply Atlassian’s patch now — before the holiday weekend — the US Defense Department cybersecurity unit and CISA say.
- On the heels of an advisory earlier this week from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI about the potential for widespread ransomware attacks over the upcoming Labor Day weekend, the US Cyber Command warned of ongoing and spreading attacks in the wild exploiting a vulnerability in the Confluence workspace software platform.
- CISA also issued an alert today, urging organizations to install the patches immediately.
Coinbase users fear hacking after erroneous emails
- A major cryptocurrency exchange has mistakenly sent emails to 125,000 users, wrongly telling them their two-factor authentication settings had been changed.
- Coinbase said the emails were “not the result of malicious behaviour”.
- Two-factor authentication requires users to enter information, such as a texted code, in addition to a password. The alert caused alarm among many users, who feared their accounts had been hacked.
- The company said the error had been due to an issue with its notification system.
New malware uses novel fileless technique to Evade Detection
- PRIVATELOG and its installer STASHLOG first to use Common Log File System to stash secondary payload, Mandiant researchers say.
- The malware is noteworthy because of the novel technique it uses to try and reside undetected in memory on infected systems, according to the security vendor.
- Fileless — or memory-resident — malware typically executes in memory, unlike malware that writes payloads to disk and therefore is more easily detected via antivirus tools.
- The usual recommendations for mitigating risk to a network apply to fileless malware as well, Matthew Dunwoody, senior principal researcher at Mandiant, says. This includes patching to mitigate vulnerabilities, managing the risk of phishing through both technology and employee education, and monitoring systems for evidence of malicious activity.
Translated ransomware playbook gives rare insight into gang’s operation
- A purported playbook for working with the Conti ransomware group shows that even cybercriminals need dead-simple instructions to navigate complex attacks.
- Threat experts at Cisco Talos this week provided a full English translation of the playbook, which came to light last month, allegedly after a disgruntled “affiliate” leaked the location of the server controlling compromised machines and more than 100MB of tools and documents.
- The playbook focuses on a number of popular tools — such as Cobalt Strike, Mimikatz, and PowerShell — and tells affiliates, low-level cybercriminals who infect systems for a cut of the profits, how to find exploits for common vulnerabilities.
WEEK OF AUGUST 30, 2021
40% of SaaS data access is unmanaged and publicly exposed
- The DoControl report revealed that up to 40% of organizations’ SaaS data access is unmanaged, which means that anyone with a private or public link can expose the data to thousands of external collaborators whose relevancy is unknown.
- The report serves as a wake up call for CISOs, CTOs, and CIOs who are currently unaware of the internal and external threats facing their unmanaged data in SaaS applications.
- This poses a significant risk to the organizations that house this data and exponentially increases the likelihood of a data breach.
- The most surprising takeaway from the report, which is based on aggregated, anonymized US customer data, is that companies are unaware of how much data access is still afforded to former employees, former vendors, and former partners.
FBI Warns Businesses of New Hive Ransomware
- The Flash alert posted this week noted that the affiliate-based ransomware uses multiple mechanisms to compromise corporate networks, making it harder for defenders to mitigate.
- It noted that these include phishing emails with malicious attachments to gain initial access and the hijacking of Remote Desktop Protocol (RDP) to move laterally.
- The malware itself looks for and terminates processes linked to backups, anti-virus and file copying to boost its chances of success.
- Encrypted files end with a .hive suffix.
Microsoft warns thousands of cloud customers of exposed databases
- Microsoft warned thousands of its cloud computing customers, including some of the world’s largest companies, that intruders could have the ability to read, change or even delete their main databases, according to a copy of the email and a cyber security researcher.
- The vulnerability is in Microsoft Azure’s flagship Cosmos DB database. A research team at security company Wiz discovered it was able to access keys that control access to databases held by thousands of companies.
- Because Microsoft cannot change those keys by itself, it emailed the customers Thursday telling them to create new ones.
- Microsoft agreed to pay Wiz $40,000 for finding the flaw and reporting it, according to an email it sent to Wiz.
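Because Microsoft could not rotate the keys on customers' behalf, the practical follow-up for an affected account was to regenerate them without taking the application down. The following is an added example, not Microsoft's or Wiz's code. It drives the Azure CLI (az cosmosdb keys list / az cosmosdb keys regenerate) through an injectable runner so the order of operations can be exercised offline; the account and resource-group names are placeholders, and the in-memory FakeAz class stands in for the CLI only so the logic can be checked without a subscription.

```python
"""Zero-downtime rotation of a Cosmos DB account's primary key."""
import json
import subprocess
from typing import Callable, Dict, List

Runner = Callable[[List[str]], str]   # executes an argv list, returns stdout


def run_az(cmd: List[str]) -> str:
    """Default runner: invoke the real Azure CLI."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def list_keys(account: str, rg: str, run: Runner = run_az) -> Dict[str, str]:
    out = run(["az", "cosmosdb", "keys", "list", "--name", account,
               "--resource-group", rg, "--type", "keys", "-o", "json"])
    return json.loads(out)


def regenerate(account: str, rg: str, kind: str, run: Runner = run_az) -> None:
    # kind is one of: primary, secondary, primaryReadonly, secondaryReadonly
    run(["az", "cosmosdb", "keys", "regenerate", "--name", account,
         "--resource-group", rg, "--key-kind", kind, "-o", "json"])


def rotate_primary_key(account: str, rg: str, switch_app_to: Callable[[str], None],
                       run: Runner = run_az) -> List[str]:
    """Rotate the primary key while the application keeps working.

    1. regenerate the secondary (nothing should be using it),
    2. move the application onto the fresh secondary,
    3. regenerate the primary (the one that may have leaked),
    4. move the application back onto the fresh primary.
    Read-only keys follow the same pattern with the *Readonly kinds.
    Returns the steps performed, for the incident record.
    """
    before = list_keys(account, rg, run)
    steps: List[str] = []

    regenerate(account, rg, "secondary", run)
    steps.append("regenerate secondary")
    keys = list_keys(account, rg, run)
    if keys["secondaryMasterKey"] == before["secondaryMasterKey"]:
        raise RuntimeError("secondary key did not change; aborting before touching primary")
    switch_app_to(keys["secondaryMasterKey"])
    steps.append("app -> secondary")

    regenerate(account, rg, "primary", run)
    steps.append("regenerate primary")
    keys = list_keys(account, rg, run)
    if keys["primaryMasterKey"] == before["primaryMasterKey"]:
        raise RuntimeError("primary key did not change; app is still on the new secondary")
    switch_app_to(keys["primaryMasterKey"])
    steps.append("app -> primary")
    return steps


class FakeAz:
    """In-memory stand-in for the CLI, used only to exercise the rotation order offline."""

    def __init__(self) -> None:
        self.keys = {"primaryMasterKey": "PRIMARY-0", "secondaryMasterKey": "SECONDARY-0"}
        self.counter = 0

    def __call__(self, cmd: List[str]) -> str:
        if cmd[2:4] == ["keys", "list"]:
            return json.dumps(self.keys)
        if cmd[2:4] == ["keys", "regenerate"]:
            kind = cmd[cmd.index("--key-kind") + 1]
            self.counter += 1
            self.keys[f"{kind}MasterKey"] = f"{kind.upper()}-{self.counter}"
            return "{}"
        raise ValueError(f"unexpected command: {cmd}")


if __name__ == "__main__":
    # Dry run against the fake; pass run=run_az to rotate a real account.
    fake = FakeAz()
    print(rotate_primary_key("my-cosmos-account", "my-rg", lambda k: None, run=fake))
```

The ordering matters: regenerating the primary first would break every client still presenting it, so the application is moved to a freshly generated secondary before the possibly exposed primary is invalidated.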
T-Mobile hit with class-action lawsuits over data breach
- One of the lawsuits, Espanoza v. T-Mobile USA, accuses T-Mobile of putting plaintiffs and class-action members at “considerable risk” due to the company’s failure to adequately protect its customers as a result of negligent conduct.
- The other lawsuit, Durwalla v. T-Mobile USA, alleges victims have already spent as much as 1,000 hours addressing privacy concerns stemming from the attack, including reviewing financial and credit statements for evidence of unauthorized activity.
- Together, the suits seek a range of actions for violations of the Washington Consumer Protection Act and the California Consumer Privacy Act, including compensatory damages and reimbursement of out-of-pocket costs for the efforts to repair any damage from the fraud.
Cybersecurity company flags Microsoft Power Apps data leak of 38M records
- The UpGuard research team says it notified 47 organizations – including governmental public health entities – about their publicly accessible data.
- A Microsoft representative told Healthcare IT News that only a small subset of customers configured the portal as described in the report, and that the company worked closely with those customers to ensure they were using the privacy settings consistent with their needs.
- The representative said its primary portal designer, Design Studio, uses strong privacy settings by default and that the organization is in the process of ensuring alternative designer tools default to similar strong settings.
“Sophisticated” Cyber-Attack Compromises Patient Data at Private Health Clinic
- Eye & Retina Surgeons revealed the attack took place on 6 August, compromising sensitive data including patients’ names, addresses, ID card numbers, contact details and clinical information.
- However, no credit card or bank account details were accessed or compromised in the incident.
- The clinic confirmed that the attack impacted servers and several computer terminals at its branch in Camden Medical, and that none of its other branches were affected. None of the eye specialist’s clinical operations were affected, and its IT systems have since been securely restored.
WEEK OF AUGUST 23, 2021
T-Mobile investigating claims of massive customer data breach
- Hackers selling the data are claiming it affects 100 million users.
- The data includes social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver licenses information, the seller said.
- Motherboard has seen samples of the data, and confirmed they contained accurate information on T-Mobile customers.
- On the underground forum the seller is asking for 6 bitcoin, around $270,000, for a subset of the data containing 30 million social security numbers and driver licenses. The seller said they are privately selling the rest of the data at the moment.
Pearson to pay $1 mn to settle charges it misled investors, U.S. SEC says
- London-based Pearson PLC (PSON.L) will pay $1 million to settle charges it misled investors about a 2018 cyber intrusion involving the theft of millions of student records.
- The educational-publishing firm did not admit nor deny the regulator’s charges, the SEC said, but in 2019 the firm disclosed in its annual report that the data breach may have included birth dates and email addresses, when, in fact, it knew that such records were stolen.
- Pearson also said at the time that it had “strict protections” in place, but failed to patch the critical vulnerability for six months after it was notified, the SEC found.
- Pearson spokesman Tom Steiner said the company’s data breach involved a web-based software tool that was retired in July 2019, and that the firm “continues to enhance its cyber security efforts to minimise the risk of cyberattacks in an ever-changing threat landscape.”
Japan’s Tokio Marine is the latest insurer to be victimized by ransomware
- Ransomware struck Japan’s largest property and casualty insurer, Tokio Marine Holdings, at its Singapore branch.
- Tokio Marine, which has a U.S. division and offers a cyber insurance product, said it did not have any immediate indication that any customer information was breached. Such data could be a smorgasbord for hackers who would use the data to extort victims based on their coverage amounts.
- It’s at least the third major insurer to disclose a ransomware attack in recent months, following CNA and AXA.
Audit exposes cybersecurity lapse in US Pacific Submarine fleet
- A recent internal audit of the US Navy revealed that Pacific Fleet submarines and their tenders have not received internal and external cybersecurity inspections in recent years.
- The audit — conducted by the Institute for Defense Analyses and obtained by Navy Times through a Freedom of Information Act request — detailed “the specter of cyber vulnerability among some of the sea service’s most potent platforms,” exposing lapses in the cybersecurity standards of the Naval fleets.
- The audit determined short staffing as one possible reason for the lack of inspections, despite these vulnerability evaluations being required every three years.
Colonial Pipeline says ransomware attack also led to personal information being stolen
- The ransomware attack that forced Colonial Pipeline, one of the largest fuel pipelines in the United States, to go offline this spring also compromised the personal information of nearly 6,000 individuals.
- The pipeline operator has begun sending data breach notification letters to the 5,810 affected individuals, who are mostly current or former company employees and their family members.
- The hackers gained access to records including names; contact information; birth dates; Social Security, driver’s license and military ID numbers; and health insurance information.
Ransomware attacker offers employees a cut if they install DemonWare on their organization’s systems
- Researchers went undercover and posed as willing “insider threats” to expose and study an unusual hybrid BEC-style social engineering-ransomware scheme.
- Their ploy gave them a front-row seat in a rare ransomware threat — one that comes with a bold social engineering twist.
- The scam is somewhat reminiscent of a more targeted ransomware attempt on Tesla last year, when cybercriminals tried to bribe an employee at the carmaker’s Gigafactory in Nevada to the tune of $1 million to help infect the company’s network with ransomware.
WEEK OF AUGUST 16, 2021
UPMC to Pay $2.65M to Settle Data Breach Case
- Judicial approval has been given to a multi-million-dollar settlement concerning a data breach that happened at the University of Pittsburgh Medical Center (UPMC) seven years ago.
- The agreement will see UPMC pay $2.65m to 66,000 employees whose personal data was pilfered by former Federal Emergency Management Agency (FEMA) IT specialist Justin Sean Johnson.
- Detroit resident Johnson (aka TheDearthStar and Dearthy Star on the dark web) hacked into the center’s Oracle PeopleSoft database in 2013 and 2014 using the nicknames “TDS” and “DS.”
- Following the breach, a class-action lawsuit was filed accusing the University of Pittsburgh Medical Center of negligence. The suit alleged that UPMC had failed “to comply with widespread industry standards relating to data security.”
Singaporean telco leaked personal data of over 57,000 customers
- StarHub’s breach announcement came a month after the discovery of a customer file on a dump site.
- StarHub is in the process of notifying 57,191 customers via email that they are victims of a cyber attack that leaked national identity card numbers, mobile numbers and email addresses.
- In the email, StarHub explains that there is no current evidence that information has been misused, and that an incident management team assessed the situation. Investigations by digital forensic and cybersecurity experts are ongoing.
- StarHub claims credit card and bank account information was not compromised, but has nonetheless offered all affected customers six months of free credit monitoring, as long as they act by September 5.
Accenture claims ‘no impact’ in apparent ransomware attack
- Cybercriminals have breached Accenture in an apparent ransomware attack but the global consulting giant says the incident was immediately contained with no impact on it or its systems.
- The LockBit ransomware gang announced the attack Tuesday night on its dark web leak site, setting a deadline of Thursday evening for payment.
- Accenture said in a statement Wednesday that it had “identified irregular activity in one of our environments” and ”immediately contained the matter and isolated the affected servers.”
- It did not specify when the incident occurred — or acknowledge that it was ransomware. But the description of its response was consistent with ransomware.
Hackers netting average of nearly $10,000 for stolen network access
- The single most expensive offering seen by Intsights researchers was being offered for about $95,000.
- A new report from cybersecurity company Intsights has spotlighted the thriving market on the dark web for network access that nets cybercriminals thousands of dollars.
- More than 37% of all victims in a sample of the data were based in North America while there was an average price of $9,640 and a median price of $3,000.
1M Stolen Credit Cards Hit Dark Web for Free
- A dump of hundreds of thousands of active accounts is aimed at promoting AllWorld.Cards, a recently launched cybercriminal site for selling payment credentials online.
- Threat actors have leaked 1 million stolen credit cards for free online as a way to promote a fairly new and increasingly popular cybercriminal site dedicated to selling payment-card credentials.
- The cards were published on an underground card-selling market, AllWorld Cards, and stolen between 2018 and 2019, according to info posted on the forum.
- The leaked credit cards include the following fields: Credit-card number, expiration date, CVV, name, country, state, city, address, ZIP code, email and phone number, according to threat actors.
State police say FOID data compromised in hack
- The Illinois State Police are notifying about 2,000 Illinoisans with Firearm Owners Identification cards that their personal information may have been compromised in a hack of the agency’s Police FOID card portal.
- Illinois State Police said the information of about 2,000 FOID cardholders, or about .0008% of the total number of FOID cardholders in the state, may have been accessed in the attempted hack.
- Cybersecurity consultant John Bambenek said the hack raises not just concerns about cybersecurity, but also physical security.
WEEK OF AUGUST 09, 2021
Data breaches exposed 18 billion records in first half of 2021
- Risk Based Security released their 2021 Mid Year Data Breach QuickView Report, revealing significant shifts in the data breach landscape despite 2021 breaches declining by 24%.
- There were 1,767 publicly reported breaches in the first six months of 2021, which exposed a total of 18.8 billion records.
- However, the decline of reported data breaches does not mean security has improved over the pandemic.
Data breaches cost Indian firms ₹165 mn on an average
- Data breaches cost companies in India about ₹165 million on an average, according to a new report by IBM Security and Ponemon Institute.
- This is an increase of 17.85% from ₹140 million in the last report released in 2020.
- The global ‘Cost of a Data Breach Report’, which surveyed more than 500 companies worldwide between May 2020 and March 2021, found that data breaches cost surveyed companies $4.24 million per incident on average – the highest cost in the 17-year history of the report.
California’s privacy law raises risks of legal action and fines over data collection
- California is leading the way with strict new data privacy provisions and substantial fines for non-compliance from a new enforcement agency.
- The law was passed November 2020 and it applies to any company of sufficient size that does business in California which includes online sales without requiring a physical location.
- California residents can request from a company how their personal data has been used, and for what purpose, and they can request that their personal data not be sold or demand it be deleted including any data that has been sold to third parties.
Hackers Take Down Italian Vaccine-Booking Site
- A cyberattack brought down the Covid-19 vaccine-scheduling website for the Italian region of Lazio, underscoring the vulnerability of healthcare data and vaccine technology during the pandemic.
- The attack appeared to be part of a supply-chain hacking campaign that also affected Italian companies, said Stefano Fratepietro, chief executive of Tesla Consulting.
- Representatives for the Lazio regional government didn’t respond to requests for more information about the attack.
After nearly 1 month of EHR downtime, UF Health says patient data was compromised during IT attack
- UF Health Central Florida recently began notifying patients that their personal information may have been exposed in a May cyberattack that shut down the Leesburg-based health system’s IT systems.
- The patient information compromised included names, Social Security numbers, addresses, birth dates, health insurance details and treatment details.
- After the cybersecurity event, UF Health’s EHR system and other IT systems were down for almost a month, during which the health system switched to paper documentation.
- The health system includes UF Health Leesburg Hospital and UF Health The Villages Hospital.
Critical Cisco bug in VPN routers allows remote takeover
- Security researchers warned that at least 8,800 vulnerable systems are open to compromise.
- The critical bug affects the vendor’s Dual WAN Gigabit VPN routers.
- According to the advisory, CVE-2021-1609 exists in the web management interface for the devices, and carries a CVSSv3 vulnerability-severity score of 9.8. It arises due to improper validation of HTTP requests.
- Remote management of these devices is disabled by default, according to Cisco; with it disabled, the vulnerable web management interface is not reachable from the WAN, although it remains available on the LAN.
WEEK OF AUGUST 02, 2021
Hacker downloads close to 300,000 personal ID photos
- The culprit had already obtained personal names and ID codes and was able to obtain a third component, the photos, by making individual requests from thousands of IP addresses.
- An Information System Authority (RIA) database holding document photos was compromised.
- Speaking at a press conference Wednesday, Oskar Gross, head of the central criminal police cyber crime office, said that: “To date, the individual who committed the attack has had the data he hacked seized and confiscated by the police,” adding that the perpetrator was a resident of Tallinn.
- The hacker had first obtained people’s personal identification codes and names from the public web, after which he or she was able to obtain photos by making individual requests.
Northern Ireland suspends vaccine passport system after data leak
- Northern Ireland’s Department of Health (DoH) has temporarily halted its COVID-19 vaccine certification online service following a data exposure incident.
- Some users of the COVIDCert NI service were presented with data of other users, under certain circumstances, says the Department.
- Additionally, the Department states certain individuals who have already filed an application for a digital certificate or are pending identity checks will not be impacted.
- This data incident, although seemingly minor, comes at a time when there’s much scrutiny and worry concerning COVID-19 vaccine passports among some members of the public.
Data Breach Cost Hits Record High of $4.24M
- The per-breach cost represents a 10% increase from the average cost per incident recorded one year prior, IBM reports.
- Of the companies that reported a breach in the last year, 17.5% said remote work was a factor.
- Customers’ personally identifiable information (PII), seen in 44% of breaches, was the most common type of data lost or stolen. It was also the most expensive: The average cost per record of customer PII was $180.
Over 6.07 lakh cyber security incidents reported in India during first half of 2021: Govt
- Minister of State for Electronics and IT Rajeev Chandrasekhar said the government has formulated a draft National Cyber Security Strategy 2021 (NCSS2021), which holistically looks at addressing the issues of security of national cyberspace.
- “CERT-In has reported that a total number of 3,94,499, 11,58,208 and 6,07,220 cyber security incidents are observed during the year 2019, 2020 and 2021 (upto June), respectively,” he added.
- The minister noted that the government has taken a number of measures to strengthen its cyber security posture and prevent cyber attacks, including CERT-In issuing alerts and advisories on the latest cyber threats, vulnerabilities and counter-measures to protect computers, networks and data on a regular basis.
DOJ says SolarWinds hack impacted 27 US attorneys’ offices
- The Russian hackers who orchestrated the SolarWinds supply chain attack pivoted to the internal network of the US Department of Justice, from where they gained access to Microsoft Office 365 email accounts belonging to employees at 27 US attorneys’ offices, the DOJ said in a statement on Friday afternoon.
- The DOJ said it believes the hackers had access to the compromised Microsoft 365 accounts between May 7 and December 27, 2020.
- In April 2021, the White House issued a formal statement blaming the Russian Foreign Intelligence Service, also known as the SVR, as the perpetrator of the 2020 SolarWinds Orion supply chain attack.
- SVR hackers were blamed for breaching Texas software company SolarWinds, inserting malware in an update for the Orion IT monitoring platform, and then selecting high-profile targets where they’d pivot with additional malware for espionage purposes.
A New Wiper Malware Was Behind Recent Cyberattack On Iranian Train System
- The cyber attack that took down the websites of Iran’s transport ministry and its national railway earlier this month, causing widespread disruption to train services, was the work of a previously unseen, reusable wiper malware called “Meteor.”
- The campaign — dubbed “MeteorExpress” — has not been linked to any previously identified threat group or to additional attacks, making it the first incident involving the deployment of this malware, according to researchers from Iranian antivirus firm Amn Pardaz and SentinelOne.
- On July 9, the Iranian train system was left paralyzed in the wake of a major attack, with the hackers defacing electronic displays to instruct passengers to direct their complaints to the phone number of the Iranian Supreme Leader Ayatollah Ali Khamenei’s office.
- The incident is said to have reportedly caused “unprecedented chaos” at stations with hundreds of trains delayed or canceled.
WEEK OF JULY 26, 2021
Gun owners’ fears after firearms dealer data breach
- Thousands of names and addresses belonging to UK customers of a leading website for buying and selling shotguns and rifles have been published to the dark web following a “security breach”.
- Gun ownership is tightly controlled in the UK, making guns difficult to acquire, and potentially valuable on the black market.
- Guntrader.uk said around 100,000 customer records were stolen but “no information relating to gun ownership or the location of firearms was taken”. Nevertheless, the stolen data will include many people who do own firearms, and shooting organisations are urging caution.
- The British Association for Shooting and Conservation (BASC) is urging its members “to be vigilant around home security” following the breach.
US municipalities suffer data breach due to misconfigured Amazon S3 buckets
- More than 1,000 GB of data and over 1.6 million files from dozens of municipalities in the US were left exposed.
- All of the towns and cities appeared to be connected through one product: mapsonline.net, which is owned by a Massachusetts company called PeopleGIS. The company provides information management software to local governments across Massachusetts, New Hampshire and Connecticut.
- WizCase’s team of ethical hackers, led by Ata Hakçıl, discovered more than 80 misconfigured Amazon S3 buckets holding data related to these municipalities. The data ranged from residential records like deeds and tax information to business licenses and job applications for government positions.
- Some of the exposed documents had been redacted, but only with a semi-transparent overlay (a highlighter-style marker annotation) rather than by removing the underlying text or pixels. Anyone who found them could raise the contrast in an image editor and read the “redacted” information.
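The root cause of this exposure is a bucket ACL or bucket policy that grants access to everyone. The following is an added example, not code from WizCase or PeopleGIS, of the check a practitioner would run over the two objects that boto3 returns for a bucket (`get_bucket_acl()` and `get_bucket_policy()["Policy"]`). The bucket name, account ID, role name and the two sample ACL/policy documents are constructed for the example.

```python
import json

# Canned group URIs that make an ACL grant public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def acl_public_grants(acl):
    """Return (group, permission) pairs for grants to the public groups.

    `acl` has the shape returned by boto3's s3.get_bucket_acl()."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((PUBLIC_GROUP_URIS[grantee["URI"]], grant.get("Permission")))
    return findings


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list that contains "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Return Allow statements whose principal is a wildcard.

    `policy` is the JSON string returned by s3.get_bucket_policy()["Policy"]."""
    statements = json.loads(policy).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": [actions] if isinstance(actions, str) else list(actions),
            # A Condition (e.g. aws:SourceVpce) may narrow access; still worth a human look.
            "conditional": "Condition" in stmt,
        })
    return findings


def assess_bucket(name, acl, policy):
    """Summarise the public exposure of one bucket as human-readable findings."""
    findings = [f"{name}: ACL grants {perm} to {group}" for group, perm in acl_public_grants(acl)]
    for stmt in (policy_public_statements(policy) if policy else []):
        suffix = " (conditional)" if stmt["conditional"] else ""
        sid = stmt["sid"] or "<no Sid>"
        findings.append(f"{name}: policy statement {sid} allows {', '.join(stmt['actions'])} to everyone{suffix}")
    return findings


# Constructed sample data shaped like the boto3 responses (not taken from any real bucket).
EXPOSED_ACL = {"Owner": {"ID": "ownerid"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "ownerid"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::town-records-example/*"},
]})
PRIVATE_ACL = {"Owner": {"ID": "ownerid"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "ownerid"}, "Permission": "FULL_CONTROL"},
]}
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRole", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::town-records-example/*"},
]})

if __name__ == "__main__":
    for line in assess_bucket("town-records-example", EXPOSED_ACL, EXPOSED_POLICY):
        print(line)
    print(assess_bucket("town-records-example", PRIVATE_ACL, PRIVATE_POLICY) or "no public access found")
```

To run this against real buckets, feed it `s3.get_bucket_acl(Bucket=b)` and `s3.get_bucket_policy(Bucket=b)["Policy"]` (catching the `NoSuchBucketPolicy` error for buckets without a policy), and also read `s3.get_public_access_block(Bucket=b)`: with all four Public Access Block settings enabled at the account level, neither a public ACL nor a wildcard policy would have exposed these records.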
FBI: Cybercriminals Eyeing Broadcast Disruption at Tokyo Olympics
- Expected cyberattacks on the Tokyo Olympics likely include attempts to hijack video feeds, the Feds warn.
- The FBI added that in general, the Olympics will attract both run-of-the-mill cybercriminals and nation-state actors who want to “make money, sow confusion, increase their notoriety, discredit adversaries and advance ideological goals.”
- The same day the FBI released its warning, the personal data of volunteers and ticket purchasers for the Tokyo Olympics was leaked online.
Hackers reportedly demand $50m from Saudi Aramco over data leak
- The world’s most valuable oil producer Saudi Aramco has confirmed to the BBC that company data has leaked from one of its contractors.
- The global oil and gas industry has long been criticised for failing to invest in cyber security.
- “We confirm that the release of data was not due to a breach of our systems, has no impact on our operations and the company continues to maintain a robust cybersecurity posture,” the firm said.
- According to the Associated Press (AP), one terabyte, or 1,000 gigabytes, of Aramco’s data was being held by extortionists, citing a page on the darknet – a part of the internet within an encrypted network which is accessible only through specialised anonymity-providing tools.
16-Year-Old Security Bug Affects Millions of HP, Samsung, Xerox Printers
- Details have emerged about a high severity security vulnerability affecting a software driver used in HP, Xerox, and Samsung printers that has remained undetected since 2005.
- Tracked as CVE-2021-3438 (CVSS score: 8.8), the issue is a buffer overflow in the kernel-mode driver SSPORT.SYS, shipped in the printer driver installer package, that can enable local privilege escalation and arbitrary code execution. Hundreds of millions of printers have shipped worldwide with the vulnerable driver.
- However, there is no evidence that the flaw was abused in real-world attacks.
- Specifically, the driver does not validate the length of a user-supplied buffer, so an unprivileged local user can overflow a kernel buffer, escalate privileges and run malicious code in kernel mode on any system with the driver installed.
China accused of cyber-attack on Microsoft Exchange servers
- The UK, US and EU have accused China of carrying out a major cyber-attack earlier this year. The attack targeted Microsoft Exchange servers, affecting at least 30,000 organisations globally.
- Western security services believe it signals a shift from a targeted espionage campaign to a smash-and-grab raid, leading to concerns Chinese cyber-behaviour is escalating.
- China has previously denied allegations of hacking and says it opposes all forms of cyber-crime.
WEEK OF JULY 19, 2021
Microsoft Continues Reign as Most Imitated Brand for Phishing Attempts in Q2 2021
- Check Point Research issues Q2 Brand Phishing Report, highlighting the leading brands that hackers imitated in attempts to lure people into giving up personal data.
- Forty-five percent of all brand phishing attempts were related to Microsoft in Q2 (up six points from Q1).
- Shipping company, DHL, maintained its position as the second most impersonated brand, with 26% of all phishing attempts related to it, as criminals continue to take advantage of the growing reliance on online shopping.
- In a brand phishing attack, criminals try to impersonate the official website of a well-known brand by using a similar domain name or URL and web-page design to the genuine site. The link to the fake website can be sent to targeted individuals by email or text message, a user can be redirected during web browsing, or it may be triggered from a fraudulent mobile application. The fake website often contains a form intended to steal users’ credentials, payment details or other personal information.
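The lookalike domains and URLs described above can be triaged automatically. The following is an added example, not code from Check Point Research, of a small classifier for links seen in email or SMS: it extracts the registrable domain, checks it against a brand allowlist, and otherwise looks for the brand name in a subdomain, a homoglyph substitution (rn for m, 0 for o) or a one-character typosquat. The `BRANDS` allowlist, the tiny public-suffix stand-in and all sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: each brand and the registrable domains it legitimately uses.
# A real deployment would load this from the organisation's own list.
BRANDS = {
    "microsoft": {"microsoft.com", "live.com", "office.com", "microsoftonline.com"},
    "dhl": {"dhl.com", "dhl.de"},
}

# Tiny stand-in for the Public Suffix List; use the `publicsuffix2` package in practice.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Character sequences that look like another letter in common fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("cl", "d")]


def registrable_domain(host):
    """'login.microsoft.com' -> 'microsoft.com'; 'www.bank.co.uk' -> 'bank.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize(label):
    """Collapse hyphens and homoglyph sequences so 'rnicr0soft' reads as 'microsoft'."""
    out = label.lower().replace("-", "")
    for lookalike, real in HOMOGLYPHS:
        out = out.replace(lookalike, real)
    return out


def levenshtein(a, b):
    """Edit distance, used to catch single-character typosquats such as 'micosoft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return (verdict, brand, host) for a link found in an email or text message."""
    if "://" not in url:
        url = "http://" + url  # urlsplit only populates .hostname when a scheme is present
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return ("no-host", None, host)
    reg = registrable_domain(host)
    base = reg.split(".")[0]  # the label an attacker would make look like the brand
    for brand, legit in BRANDS.items():
        if reg in legit:
            return ("legitimate", brand, host)
    for brand in BRANDS:
        # Brand name used as a subdomain or inside an unrelated registrable domain,
        # e.g. microsoft.com.account-verify.example. Short brands such as "dhl" need a
        # word-boundary check in production to avoid matching unrelated words.
        if brand in host:
            return ("brand-in-lookalike-host", brand, host)
        norm = normalize(base)
        if norm == brand or levenshtein(norm, brand) <= 1:
            return ("typosquat-or-homoglyph", brand, host)
    return ("no-brand-match", None, host)


if __name__ == "__main__":
    # Constructed sample links, not taken from any real campaign.
    for sample in ["https://login.microsoft.com/common/oauth2", "http://rnicrosoft.com/login",
                   "micr0soft.com", "http://microsoft.com.account-verify.example/",
                   "https://dhl-parcel-tracking.example.net/track", "https://news.example.org/"]:
        print(classify_url(sample))
```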
Mastercard: India stops payment service provider from issuing cards
- India’s central bank has barred Mastercard indefinitely from issuing new debit or credit cards to domestic customers.
- The Reserve Bank of India has accused the company of violating data storage laws.
- The bank said Mastercard had not complied with rules requiring foreign card networks to store data on Indian payments exclusively in India.
- Mastercard will be prohibited from issuing debit, credit or prepaid cards to customers in India from 22 July. However, the Reserve Bank’s decision will not have any impact on Mastercard’s existing customers.
SonicWall Warns Secure VPN Hardware Bugs Under Attack
- SonicWall issued an urgent security alert warning customers that some of its current and legacy secure VPN appliances were under active attack.
- Targeted are the company’s Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) secure VPN appliances with both unpatched and end-of-life (EoL) 8.x firmware.
- Customers are urged to upgrade firmware immediately on those appliances still supported and to “disconnect immediately” legacy products, including SRA 4600/1600 (EoL 2019), SRA 4200/1200 (EoL 2016) and SSL-VPN 200/2000/400 (EoL 2013/2014).
Fashion retailer Guess announces data breach
- The breach affected about 1,300 people, whose exposed information included account numbers, debit and credit card numbers, Social Security numbers, access codes and personal identification numbers.
- The investigation determined that there was unauthorized access to certain Guess systems between February 2, 2021 and February 23, 2021. Guess just started mailing notification letters to the individuals whose information may have been involved.
- As a result of the breach, Guess is offering a complimentary one-year membership in credit monitoring and identity theft protection services through Experian to individuals involved in the incident.
AWS CloudFront API: Research reveals ‘leak’ of partial account IDs
- Amazon Web Services (AWS) says that a partial data ‘leak’ in one of its APIs, discovered by a security researcher, is not a bug but “expected behavior”.
- According to Arkadiy Tetelman, head of application and infrastructure security at Chime, the CloudFront ListConflictingAliases API returns a partial AWS account ID and a partial CloudFront distribution ID for any distribution already serving a given domain name, so that a customer can identify and resolve a conflicting alternate domain name (CNAME) held by another distribution.
- To limit accidental disclosure, the caller must already own a CloudFront distribution with an attached TLS certificate that covers the queried domain; in effect, the query requires proof of control over that domain.
Morgan Stanley’s Third-Party Data Breach Leaks Customers’ Sensitive Information via an Accellion Hack
- Attackers who exploited a vulnerability in Accellion’s file-transfer appliance stole encrypted Morgan Stanley files held by the bank’s third-party vendor Guidehouse, and also obtained the decryption key, in a third-party breach first reported by BleepingComputer.
- The data did not include any security credentials like passwords that could allow the hackers to access customers’ financial accounts.
- However, it included personally identifiable information (PII) like customers’ names, addresses, dates of birth, social security numbers, and company names.
- Morgan Stanley disclosed that 108 New Hampshire residents were affected by the third-party data breach. However, the investment bank did not disclose the total number of customers exposed in the Accellion hack.
WEEK OF JULY 12, 2021
British Airways agrees to pay victims of record-breaking data breach
- Case described as ‘largest group action personal data claim in UK history’
- British Airways (BA) has reached an out-of-court settlement with the victims of the data breach that exposed personal data belonging to more than 420,000 customers.
- Login credentials of BA employees and Executive Club accounts were also potentially accessed.
- However, the claimants’ law firm acknowledged that BA has since “made considerable improvements to its IT security”.
FBI warns cryptocurrency owners, exchanges of ongoing attacks
- The FBI issued the warning via a TLP:GREEN Private Industry Notification (PIN) designed to provide cybersecurity professionals with the information required to properly defend against these ongoing attacks.
- According to the FBI, attackers are using several tactics to steal and launder cryptocurrency, including technical support fraud, SIM swapping (aka SIM hijacking), and taking control of their targets’ cryptocurrency exchange accounts via identity theft or account takeovers.
- Stolen cryptocurrency is hard to trace once it has been transferred to attacker-controlled wallets, which makes recovery by law enforcement difficult and increases the financial loss.
- The FBI advises financial organizations that could be targeted by similar attacks to watch for email from spoofed sender addresses and to track and monitor recently created accounts.
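The “spoofed sender address” check the FBI recommends is something a mail gateway or SOC can automate from headers alone. The following is an added example, not FBI guidance or code, showing how to read the SPF, DKIM and DMARC verdicts from the receiving MTA’s Authentication-Results header and compare the From domain with the envelope sender (Return-Path) and Reply-To. Both sample messages, the `exchange.example` domain and the mail relay names are constructed for the example; the Authentication-Results header is assumed to have been added by your own MTA, since a sender can forge one.

```python
import email
import re
from email.utils import parseaddr

# Picks "spf=fail", "dkim=pass", "dmarc=fail" out of an Authentication-Results header.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def _domain(addr_header):
    """'Support <help@exchange.example>' -> 'exchange.example' (empty string if absent)."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts; the first (outermost, i.e. our own MTA's) header wins."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RE.findall(header):
            verdicts.setdefault(mech.lower(), result.lower())
    return verdicts


def spoofing_indicators(raw):
    """Return the reasons this message looks spoofed (empty list means nothing found)."""
    msg = email.message_from_string(raw)
    from_dom = _domain(msg.get("From"))
    return_path_dom = _domain(msg.get("Return-Path"))
    reply_to_dom = _domain(msg.get("Reply-To"))
    verdicts = auth_results(msg)
    reasons = []
    # Envelope sender from a different domain than the visible From: classic spoofing.
    if return_path_dom and return_path_dom != from_dom:
        reasons.append(f"envelope sender {return_path_dom} differs from From domain {from_dom}")
    # Reply-To pointing elsewhere diverts the victim's answer to the attacker.
    if reply_to_dom and reply_to_dom != from_dom:
        reasons.append(f"Reply-To {reply_to_dom} differs from From domain {from_dom}")
    if verdicts.get("dmarc") == "fail":
        reasons.append("DMARC fail")
    if verdicts.get("spf") in ("fail", "softfail"):
        reasons.append(f"SPF {verdicts['spf']}")
    if verdicts.get("dkim") == "fail":
        reasons.append("DKIM fail")
    return reasons


# Constructed sample messages (RFC 5322 text), not real mail.
SPOOFED = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.exchange.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=exchange.example
From: Exchange Support <support@exchange.example>
Reply-To: support-desk@exchange-help.example.org
To: ops@exchange.example
Subject: Urgent: verify your withdrawal

Please confirm the transfer by replying with the one-time code.
"""

LEGIT = """\
Return-Path: <alerts@exchange.example>
Authentication-Results: mx.exchange.example; spf=pass smtp.mailfrom=exchange.example; dkim=pass header.d=exchange.example; dmarc=pass header.from=exchange.example
From: Exchange Alerts <alerts@exchange.example>
To: ops@exchange.example
Subject: Login from new device

A new device signed in to your account.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, spoofing_indicators(raw) or "no indicators")
```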
Insurance giant CNA reports data breach after ransomware attack
- After reviewing the files stolen during the attack, CNA discovered that they contained customers’ personal information such as names and Social Security numbers.
- “The investigation revealed that the threat actor accessed certain CNA systems at various times from March 5, 2021 to March 21, 2021,” CNA said in breach notification letters mailed to affected customers today.
- The company added that it found no evidence that the stolen information was “viewed, retained or shared.”
Healthcare data breach: Cyber-attack at Mississippi’s Coastal Family Health Center leaked patient information
- Potentially affected information includes names, addresses, Social Security numbers, medical insurance information, and health and treatment information.
- The healthcare provider said it has “no evidence” that any data has been misused.
- CFHC also stated that it has changed its procedures in order to prevent a future data breach.
Classic Football Shirts warns customers of scam
- Classic Football Shirts said customers’ details had been accessed through one of its third party providers’ systems.
- The firm is now telling customers not to follow the link if they have received a cashback phishing email.
- The firm believes password data and payment information has not been compromised. But in a Twitter post, the company urged customers to be “vigilant” and contact their bank to cancel their cards if they supplied their card information on the link from the cashback form.
China puts national security protection at the center of new data privacy law
- The Data Security Law (DSL) was enacted in June this year and comes into force on September 1. It sets out rules for protecting data, with China’s national security as the central concern.
- This apparent proliferation of data protection legislation is part of a multi-year approach by the Chinese government to strengthen both data protection and national security.
- The new Data Security Law will apply even to businesses outside China that either work with Chinese businesses or handle the data of Chinese citizens, so its influence will extend far beyond China’s borders.
- The new law gives companies new security obligations, including establishing data security systems, risk supervision, technical measures such as protection against data breaches, and setting up security education and training programs.
WEEK OF JULY 05, 2021
Android Apps with 5.8 million Installs Caught Stealing Users’ Facebook Passwords
- Google intervened to remove nine Android apps downloaded more than 5.8 million times from the company’s Play Store after the apps were caught furtively stealing users’ Facebook login credentials.
- The latest disclosure comes days after Google announced new measures for the Play Store, including requiring developer accounts to turn on 2-Step Verification (2SV), provide an address, and verify their contact details as part of its ongoing efforts to combat scams and fraudulent developer accounts.
Data of over 700 million LinkedIn users exposed, it includes numbers, addresses and salary details
- LinkedIn user data has been exposed yet again, possibly through the same scraping technique that led to the exposure of around 500 million users’ data earlier this year.
- The data exposed this time around includes online and physical addresses, geolocation records as well as inferred salaries of the users and is now up for sale on the dark web.
- Although no passwords were leaked, the data points are still valuable: they can be used in targeted phishing attempts that impersonate the user or people they know.
Kentucky Healthcare System Exposes Patients’ PHI
- Patients’ PHI was put at risk when it was erroneously sent to an email address outside the health system’s network. According to UofL Health, the accidental recipient did not view or access any patient information.
- Patients whose data was impacted by the incident have been offered free identity protection services.
- Earlier this year, Kentucky-based Health Plan Humana was affected by a data breach that impacted 62,950 plan members. Cotiviti, one of the company’s subcontractors, inappropriately disclosed data to unapproved individuals for training purposes for three months from October 2020.
Hundreds of Businesses, From Sweden to U.S., Affected by Cyberattack
- In Sweden, a grocery chain temporarily closed its doors after the attack. Some companies have been asked for $5 million in ransom.
- Security researchers said the attack may have been carried out by REvil, a Russian cybercriminal group that the F.B.I. has said was behind the hacking of the world’s largest meat processor, JBS, in May.
- Victims of the breach were hit through a Kaseya software update, Kevin Beaumont, a threat researcher, said. Instead of getting Kaseya’s latest update, they received REvil’s ransomware. Kaseya was initially breached through a previously unknown vulnerability in its systems — known as a “zero day” because when such vulnerabilities are discovered, software makers have zero days to fix it. In the meantime, cybercriminals and spies can use the vulnerability to wreak havoc.
- The United States Cybersecurity and Infrastructure Security Agency described the incident in a statement on its website on Friday as a “supply-chain ransomware attack.” It urged Kaseya’s customers to shut down their servers and said it was investigating.
A ‘Colossal’ Ransomware Attack Hits Hundreds Of U.S. Companies, A Security Firm Says
- The REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack, said John Hammond of the security firm Huntress Labs. He said the criminals targeted a software supplier called Kaseya, using its network-management package as a conduit to spread the ransomware through managed service providers (MSPs) to their customers.
- Such attacks abuse trusted, widely deployed management software and its automatic update or deployment channel to push malware to everything it manages.
- It was not immediately clear how many Kaseya customers might be affected or who they might be. Kaseya urged customers in a statement on its website to immediately shut down servers running the affected software.
New Google Scorecards Tool Scans Open-Source Software for More Security Risks
- Google has launched an updated version of Scorecards, its automated security tool that produces a “risk score” for open source initiatives, with improved checks and capabilities to make the data generated by the utility accessible for analysis.
- Scorecards aims to automate analysis of the security posture of open source projects as well as use the security health metrics to proactively improve the security posture of other critical projects. To date, the tool has been scaled up to evaluate security criteria for over 50,000 open source projects.
- Some of the new additions include checks for contributions from malicious authors or compromised accounts that can introduce potential backdoors into code, use of fuzzing (e.g., OSS-Fuzz), and static code analysis tools (e.g., CodeQL), signs of CI/CD compromise, and bad dependencies.
- The release of Scorecards v2 comes weeks after the company previewed an end-to-end framework called “Supply chain Levels for Software Artifacts” (or SLSA) to ensure the integrity of software artifacts and prevent unauthorized modifications over the course of the development and deployment pipeline.
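One of the Scorecards checks named above, unpinned dependencies, is easy to reproduce in miniature and shows what the tool is looking for in a CI pipeline. The following is an added example, not the Scorecards project’s own code, that scans a GitHub Actions workflow for `uses:` references that are not pinned to a full 40-character commit SHA, and a Dockerfile for `FROM` lines that do not pin the base image by digest. The sample workflow, the commit SHA and the image digest in it are constructed for the example; the real check also covers package-manager installs in scripts, which this version omits.

```python
import re

# "- uses: owner/repo@ref" (ref optional so a missing ref is reported too)
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^\s"'@]+)(?:@([^\s"']+))?""")
# "FROM [--platform=...] image[:tag|@digest] [AS alias]"
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
SHA40 = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text):
    """GitHub Actions steps whose `uses:` is a tag or branch rather than a commit SHA.

    Returns (line number, action, ref) tuples."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if action.startswith("./"):  # local action in the same repo: nothing to pin
            continue
        if ref is None or not SHA40.match(ref):
            findings.append((lineno, action, ref))
    return findings


def unpinned_base_images(dockerfile_text):
    """FROM lines that do not reference an image digest (image@sha256:...).

    Returns (line number, image) tuples; earlier build stages and `scratch` are skipped."""
    findings, stages = [], set()
    for lineno, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        if alias:
            stages.add(alias.lower())
        if image.lower() in stages or image.lower() == "scratch":
            continue
        if "@sha256:" not in image:
            findings.append((lineno, image))
    return findings


# Constructed sample inputs; the SHA and digest below are made up for the example.
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@331ce1d993939866bb63c32c6cbbfd48fa76fc57
      - uses: ./.github/actions/local-lint
      - name: Build
        run: go build ./...
"""

DOCKERFILE = """\
FROM golang:1.16 AS builder
WORKDIR /src
COPY . .
RUN go build -o app .

FROM gcr.io/distroless/static@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
COPY --from=builder /src/app /app
ENTRYPOINT ["/app"]
"""

if __name__ == "__main__":
    for lineno, action, ref in unpinned_actions(WORKFLOW):
        print(f"workflow line {lineno}: {action}@{ref} is not pinned to a commit SHA")
    for lineno, image in unpinned_base_images(DOCKERFILE):
        print(f"Dockerfile line {lineno}: {image} is not pinned by digest")
```

A tag such as `v2` can be moved by whoever controls the action’s repository, which is exactly the compromised-maintainer scenario the check is meant to surface; a commit SHA or an image digest cannot be silently repointed.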