
Republican Governors Association Targeted in Microsoft Exchange Server Attacks

 

The Republican Governors Association was one of many U.S. organizations attacked in March when a nation-state group exploited vulnerabilities in Microsoft Exchange email servers, according to a breach notification letter filed with the Maine attorney general's office this week.  

The situation became a cause of concern for companies worldwide; the personal information of nearly 500 persons linked with the RGA might have been exposed due to the assault. According to the organization's attorney, the personal information includes social security numbers.

The RGA was notified of the breach on March 10, eight days after Microsoft made the campaign public. At this time, it's highly uncertain who is to blame for the breach and what happened to the data compromised. 

Microsoft Exchange Server attack's fallout:

This incident is the latest fallout to arise from the massive breach of the Microsoft Exchange Server earlier this year. The breach was connected to hacker organizations supported by the Chinese government. A computer exploit made the vulnerabilities public, allowing opportunistic fraudsters to launch a large-scale attack. 

According to the RGA, on February 28, hackers broke into “a small portion of [its] email work environment.” It went on to say that it only discovered the hacking campaign on March 10, eight days after Microsoft made a public announcement about it.

The RGA's spokesman declined to elaborate on specifics of the breach, such as the offenders and the damage. It further said it was “unable to determine what personal information, if any, was impacted as a result of the incident.”

The US skeptical of China's role in the Microsoft hack

After the cyberattack, the RGA stated it upgraded its Microsoft software. China was blamed by the US government for its participation in the Microsoft Exchange attack in July. In response, the United Kingdom and the European Union backed the United States' condemnation of China.

Four Chinese nationals were also criminally charged by the US Department of Justice.

As per security experts, tens of thousands of US state and local companies were using vulnerable software at the height of the Exchange Server attack. However, many companies were able to safeguard themselves by installing a software update. 

The US National Security Council has gathered numerous times since the event, urging corporations to amp up their cyber defenses. Businesses in countries other than the United States were also affected by the attack. This includes Europe, where the European Union's financial authority, the Norwegian parliament, and two German government bodies have all been attacked. 

According to Australia's cybersecurity body, the attack also affected a considerable number of companies in that country.

Precautionary Measures: 

The Republican Governors Association states that since the assault was identified in March, it has implemented the Microsoft updates for the vulnerable versions of its on-premises Exchange server. According to the letter, law enforcement and other organizations have also been alerted. 

Credit monitoring services are also being offered to the approximately 500 persons impacted by the assault.

"Out of an abundance of caution, RGA is also offering you two years of complimentary credit monitoring and identity restoration services with Experian." 

"RGA has also notified the Federal Bureau of Investigation, certain state regulators, and the consumer reporting agencies of this incident as required."

Massachusetts is Investigating the Massive T-Mobile Data Breach

 

On Tuesday, Massachusetts Attorney General Maura Healey announced that she will look into the cyberattack on T-Mobile US Inc (TMUS.O), which compromised the personally identifiable information of over 53 million people.

After the third-largest U.S. cellphone carrier reported the hack on Aug. 16, Attorney General Maura Healey announced the investigation. 

The breach exposed names, birthdays, social security numbers, driver's licence information, PIN numbers, and other personal information of an estimated 13.1 million current and 40 million past and potential T-Mobile users.

It was one of many cyberattacks in recent years that impacted banks, gas pipelines, and hospitals, among other businesses. 

Healey aims to examine whether the Bellevue, Washington-based corporation has sufficient measures in place to secure consumer information and mobile devices. Last month, the Federal Communications Commission in the United States launched an investigation into the matter. 

According to court records, consumers and other private plaintiffs have filed at least 23 lawsuits against T-Mobile as a result of the data leak. 

About the security breach

On August 16, T-Mobile US Inc (TMUS.O) admitted a data breach but said it has yet to determine if any customer information had been compromised, a day after an online forum claimed that the personal data of over 100 million of its users had been compromised. 

In a blog post, the telecom provider stated that it was certain that the entry point used to obtain the data had been shut down. It did not disclose the number of accounts impacted. 

"We are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims, and we are coordinating with law enforcement," the company stated. 

According to a report in Vice's Motherboard, the forum post does not specify T-Mobile but the attacker informed Vice that they acquired data on over 100 million individuals from T-Mobile servers. 

Following the news, T-Mobile's stock dropped 2.8 percent in afternoon trade.

Microsoft Alerted Azure Customers of Bug That Could Have Allowed Hackers to Access Data

 

Microsoft alerted some Azure cloud computing users that a vulnerability uncovered by security experts might have given hackers access to their data. 

In a blog post from its security response team, Microsoft stated it had patched the issue identified by Palo Alto Networks and had no sign that malicious attackers had exploited the technique. It further stated that certain users have been asked to change their login passwords as a preventive measure.

The blog post was in response to an inquiry from Reuters regarding Palo Alto's technique. Microsoft refused to respond to any of the inquiries, including whether or not it was assured that no data had been accessed. 

Palo Alto researcher Ariel Zelivansky told Reuters in a previous interview that his team had cracked Azure's widely used platform for so-called containers, which store applications for users. 

According to him, the Azure containers utilized code that had not been updated to address a known vulnerability. As a result, the Palo Alto team was finally able to gain complete control over a group that comprised containers from other users.

Ian Coldwater, a longtime container security expert who evaluated Palo Alto's work at the request of Reuters, stated, "This is the first attack on a cloud provider to use container escape to control other accounts."

In July, Palo Alto reported the problem to Microsoft. Zelivansky added it took his team several months to complete the project and agreed that malicious hackers were unlikely to apply a similar approach in real-world attacks. 

Nonetheless, this is the second significant issue discovered in Microsoft's fundamental Azure infrastructure in less than a month. Wiz security specialists revealed a database vulnerability in late August that would've let one client modify the data of another. 

In both situations, Microsoft's remarks were directed to customers who may have been harmed by the researchers' work, rather than everyone who was put in danger by its own code. 

Microsoft wrote, "Out of an abundance of caution, notifications were sent to customers potentially affected by the researcher's activities."

According to Coldwater, the issue stemmed from a failure to deploy fixes on time, something for which Microsoft has frequently faulted its customers. He said that certain cloud security tools would have identified malicious assaults similar to the one predicted by the security firm and that logs would also indicate evidence of such activity.

The research emphasized that security is a collective responsibility between cloud providers and clients. Cloud architectures, according to Zelivansky, are typically safe, and Microsoft and other cloud providers can make improvements themselves rather than relying on customers to do so.

He further added that cloud attacks by well-funded opponents, such as sovereign governments, are a legitimate concern.

UN Computer Networks Breached by Hackers Earlier This Year

 

Hackers breached the United Nations' computer network and stole data, according to researchers at cybersecurity firm Resecurity.

According to Bloomberg, the theft's unknown perpetrators appear to have acquired access by simply stealing login credentials from a UN employee. 

Logging into the employee's Umoja account provided access. The enterprise resource planning system Umoja, which means "unity" in Kiswahili, was deployed by the United Nations in 2015. The login and password used in the cyber-attack are believed to have been obtained from the dark web. 

Gene Yoo, chief executive officer at Resecurity, stated, “Organizations like the UN are a high-value target for cyber-espionage activity. The actor conducted the intrusion with the goal of compromising large numbers of users within the UN network for further long-term intelligence gathering.” 

Researchers discovered that hackers initially gained access to the UN's networks on April 5, 2021, and that network breaches lasted until August 7. Based on the findings, the attackers did not seem to have harmed or disrupted the UN's computer network. Instead, the hackers seem to have been motivated by a desire to gather information. 

After reporting the security issue to the UN, Resecurity stated it worked with the UN's security team to evaluate the extent of the intrusion. While the UN claims that the assault was a reconnaissance operation by hackers who just captured screenshots of the organization's vulnerable network, the breach resulted in the theft of data, as per the Resecurity experts.

The UN discontinued interacting with Resecurity, according to Yoo, when proof of data theft was provided to the organization. 

Hackers have previously attacked the United Nations and its agencies. In 2018, Dutch and British law enforcement prevented a Russian cyberattack on the Organisation for the Prohibition of Chemical Weapons (OPCW), which was investigating the deployment of a lethal nerve agent on British territory. 

According to a Forbes article, the UN's "core infrastructure" was hacked in a cyberattack in August 2019 that targeted a known flaw in Microsoft's SharePoint platform. The breach was not made public until the New Humanitarian newsgroup published the news. 

In the context of the latest breach, UN spokesman Farhan Haq told DailyMail.com, “This attack had been detected before we were notified by the company cited in the Bloomberg article, and corrective actions to mitigate the impact of the breach had already been planned and were being implemented.” 

“At that time, we thanked the company for sharing information related to the incident and confirmed the breach to them.” 

Haq added that the United Nations is often targeted by cyber-attacks, including sustained campaigns.

Hackers Steal Data of 40,000 Patients From a Kidney Hospital in Thailand


On Wednesday, Thirachai Chantharotsiri, director of Bhumirajanagarindra Kidney Institute Hospital, lodged a complaint that the personal information of over 40,000 patients had been stolen by a hacker. The compromised data included personal details and allegedly the medical history of the patients.

While talking to local media at Phaya Thai police station, Dr. Chantharotsiri said that on Monday, the database of the patients at a hospital in the Ratchathewi district of Bangkok became inaccessible to the hospital staff. A subsequent system check was carried out, which revealed that the data had been stolen. The breach damaged the data system of the hospital, which resulted in an inability to access the X-ray archive.

According to the commissioner of the CCIB, Pol Lt Gen Kornchai Kalyklueng, owing to the ambiguity regarding the criminals, the investigating agency will seek support from American authorities and other international organizations to track down the hackers.

Dr. Thirachai said that the facility later received a call from a foreigner claiming to have hacked the system; the English-speaking man tried to negotiate for payment in exchange for the important information belonging to the hospital.

The director filed a police complaint along with a recording of the call. Reportedly, he did not hear from the anonymous caller again.

In an attempt to mitigate concerns, the officials at the hospital maintained that the compromised data only included the primary data of the patients, emphasizing that diagnostic or medical records were untouched.

As per the investigation of the CCIB, the group behind the hacking is probably the one that hacked the systems of Krungthai Bank, exposing client information, and that of a hospital in the Northeast. Although the group identified is seemingly of Indian origin using a server in Singapore, the most recent findings indicate that the threat actors were operating from the US.

McDonald’s Password for the Monopoly VIP Database Leaked

 

The fast-food chain McDonald's mistakenly sent out emails with login credentials associated with a database for its Monopoly VIP game. 

McDonald's UK had to postpone the famous Monopoly VIP game for a year due to the COVID-19 pandemic. This year, on August 25th, McDonald's reintroduced the game.

McDonald's Monopoly is a well-known marketing gimmick in which customers can win gifts and money by entering codes found on purchases. Basically, every time a person purchases a meal from a McDonald's restaurant, they have a chance to win a gift. 

Unfortunately, the game encountered a roadblock over the weekend when a bug caused prize redemption emails sent to prize winners to include the user names and passwords for the production and staging database servers.

Troy Hunt shared with BleepingComputer an unredacted screenshot of an exception fault in an email issued to prize winners, which includes critical information for the online application.

The redacted email sent to a Monopoly VIP winner contained hostnames for Azure SQL databases and the databases' login names and passwords. The prize winner who shared the email with Troy Hunt stated that the production server was firewalled off but that the staging server could be accessed using the attached credentials.

The person informed Troy Hunt in an email shared with BleepingComputer, "I tried to connect to production to gauge the severity of the issue and whether or not getting in touch was an urgent matter but luckily for them they had a set of firewall rules setup. I did however gain access to staging, which I disconnected from immediately for obvious reasons."

Since these files may have contained winning prize codes, an unethical individual might have obtained unused game codes and exploited them to claim the rewards. 

Luckily for McDonald's, the individual appropriately reported the problem to them. While they did not receive a reply, they later discovered that the staging server's password had been changed.

This was not a unique incident, though, as several people claimed to have seen the credentials and even went so far as to record their experience on TikTok.

McDonald's notified BleepingComputer that just the staging server's credentials were compromised, while the error clearly stated that the credentials of both a production and staging server were leaked.

In a statement, McDonald's told BleepingComputer, "Due to an administrative error, a small number of customers received details for a staging website by email. No personal details were compromised or shared with other parties." 

"Those affected will be contacted to reassure them that this was a human error and that their information remains safe. We take data privacy very seriously and apologize for any undue concern this error has caused."

Wawa Paying $9 Million in Cash, Gift Cards in Data Breach Settlement


The Wawa convenience store chain is paying out up to $9 million in cash and gift cards to customers who were affected by a previous data breach, as reimbursements for their loss and inconvenience. 

The affected customers can request gift cards or cash that Wawa is paying out to settle a lawsuit over the security incident. Here's everything you need to learn about the proposed class action settlement – who's eligible, how to submit a claim for cash or a gift card, and how to object to the deal. 

Customers who used their payment cards at any Wawa store or gas pump during the data breach, but were not impacted by the fraud, qualify to receive a $5 gift card as compensation. These claimants are referred to as 'Tier One Claimants'.

However, the claimants will be required to submit proof of the purchase they made at a Wawa store or fuel pump between March 04, 2019, and December 12, 2019 (when the data breach occurred) in order to claim the gift card. Customers would essentially be required to provide proof of the transaction date, preferably a store receipt or a statement by the bank, or a screenshot from the concerned bank or credit card company website or app.

The next category of claimants, referred to as 'Tier Two Claimants', could receive a gift card worth $15 if they show reasonable proof of an actual or attempted fraudulent charge on their debit or credit card post-transaction.

The last category of claimants, referred to as 'Tier Three Claimants', qualify to receive a cash reimbursement of up to $500 if they provide reasonably documented proof of money they spent in connection with the actual or attempted fraudulent transaction on their payment card. It must be reasonably attributed to the data breach incident.

During the nine-month span of the data breach, around 22 million class members made a financial transaction at one of the Wawa stores. Customers have been given a deadline of November 29, 2021, to submit a claim for compensation. By doing so, they are giving up their right to sue Wawa over the 2019 security incident.

Those who wish to retain their right to sue the company over the security incident and do not wish to receive the payment will be required to exclude themselves from the class. The deadline given for the same is November 12, 2021. 
 

What is this settlement for?


In 2019, the Wawa convenience store chain experienced a data breach wherein cybercriminals hacked their point-of-sale systems to install malware and steal customers' card info. As the fraud impacted Wawa's 850 locations along the East Coast, the U.S.-based convenience store company found itself buried in a series of lawsuits. One of which – filed by the law firm Chimicles Schwartz Kriner & Donaldson-Smith, of Haverford – claimed that the data breach “was the inevitable result of Wawa's inadequate data security measures and cavalier approach to data security.”

The massive data breach that lasted for nine months affected in-store payments and payments at fuel pumps, including “credit and debit card numbers, expiration dates, and cardholder names on payment cards.” Meanwhile, hackers also attempted to sell the stolen financial data on the dark web.

As a result, a police investigation was called for, and the organization also conducted an internal investigation by appointing a forensics firm.

Beaumont Health: The Latest Victim of Accellion Breach

 

Beaumont Health, headquartered in Michigan, is the latest victim of the Accellion data breach, which began in December 2020 and has so far claimed 100 victims. Threat actors exploited zero-day vulnerabilities in Accellion's File Transfer Application (FTA), compromising the data of millions of patients. 

Approximately 1500 patients have been alerted by Beaumont Health that their personal information may have been compromised as a result of the December cyberattack on Accellion software. Beaumont hired Goodwin Procter LLP to offer legal services, and the firm used Accellion's File Transfer software to make massive transfers on behalf of its customers. 

Goodwin notified the healthcare provider on February 5 that patient data had been breached. Following the announcement of the Accellion breach, Goodwin conducted a digital forensics investigation and discovered that an unknown person had exploited a vulnerability in the application to obtain specific documents. 

“The potentially impacted information included a listing of roughly 1500 patients who had one of two procedures performed at a Beaumont Hospital,” Beaumont Health mentioned in a statement issued on August 27.

“The list included the patient name, procedure name, physician name, the internal medical record number and the date of service. This incident is limited to these patients and does not affect all patients of Beaumont.” 

The healthcare provider also stated that the breach had no financial implications and neither Beaumont nor Goodwin had discovered any indication of the exposed data being exploited. 

On behalf of Beaumont, Goodwin contacted impacted people via mail on August 27 at their last known address to inform them about the data breach. The letter advises patients on the actions they should take to protect themselves from identity theft. 

“The notice letter specifies steps impacted individuals may take to protect themselves against identity fraud, including enrolling in complimentary credit monitoring services (if eligible), placing a fraud alert/security freeze on their credit files, obtaining free credit reports, remaining vigilant in reviewing financial account statements and credit reports for fraudulent or irregular activity on a regular basis and taking steps to safeguard themselves against medical identity theft,” stated Beaumont. 

“At Beaumont, protecting the privacy of personal information is a top priority,” the statement concluded. 

Goodwin is examining its data security policies and protocols in the aftermath of the incident. 

Accellion is now facing lawsuits

As the number of breaches escalates, Accellion is facing over a dozen lawsuits. In February, the Cybersecurity and Infrastructure Security Agency (CISA), together with security agencies in the United Kingdom, New Zealand, Singapore, and Australia, issued a warning to companies about the Accellion hack.

The Clop ransomware group took responsibility for the assault and abused four previously unknown vulnerabilities. Some of the ransomware group's most recent victims include Kroger, Bombardier, Southern Illinois University School of Medicine, and Trillium Community Health Plan.

In April, Trinity Health, located in Michigan, alerted over 580,000 patients that their information had been compromised. Demographic data, names, medical record numbers, and medical tests were among the information stolen. 

Centene also alerted over 1.3 million patients of the Accellion data leak in April. Contact information, birthdates, insurance ID numbers, and treatment information were all acquired by the hackers. 

During a major extortion attempt, the Clop ransomware published stolen data online, and some of the affected companies got emails from the intruders attempting to intensify extortion attempts. The number of victims continues to rise months after the initial attack.

Autodesk Disclosed it was Targeted in SolarWinds Hack

 

Autodesk has disclosed that it was also targeted by the Russian state hackers behind the large-scale SolarWinds Orion supply-chain assault, nearly nine months after finding that one of its servers had been compromised with Sunburst malware. 

Autodesk is an American multinational software corporation that makes software products and services for the architecture, engineering, construction, manufacturing, media, education, and entertainment industries.

In a recent 10-Q SEC filing, Autodesk stated, "We identified a compromised SolarWinds server and promptly took steps to contain and remediate the incidents." 

"While we believe that no customer operations or Autodesk products were disrupted as a result of this attack, other, similar attacks could have a significant negative impact on our systems and operations." 

While the company went on to state that there was no additional damage to its systems, the company's announcement of the breach in its most recent quarterly results serves as a reminder to the world of how widespread the SolarWinds supply chain breach was. 

An Autodesk spokesperson told BleepingComputer that the attackers did not deploy any other malware besides the Sunburst backdoor, likely because it was not selected for second stage exploitation or the threat actors didn't act quickly enough before they were detected. 

The spokesperson stated, "Autodesk identified a compromised SolarWinds server on December 13. Soon after, the server was isolated, logs were collected for forensic analysis, and the software patch was applied. Autodesk’s Security team has concluded their investigation and observed no malicious activity beyond the initial software installation." 

One of 18000 tech firms targeted in a large-scale cyber attack

SolarWinds' infrastructure was hacked as a result of a supply-chain assault conducted by the Russian Foreign Intelligence Service's hacking division (aka APT29, The Dukes, or Cozy Bear). 

The attackers trojanized the Orion Software Platform source code and builds issued between March 2020 and June 2020 after obtaining access to the company's internal systems. These malicious builds were then used to deploy the Sunburst backdoor to around 18,000 clients, but fortunately, the threat actors only chose a small number of people for second-stage exploitation.

Before the assault was revealed, SolarWinds claimed to have 300,000 clients globally, including over 425 US Fortune 500 firms and all top 10 US telecom corporations.

A long list of government agencies was also among the company's clients (the US Military, the US Pentagon, the State Department, NASA, NSA, Postal Service, NOAA, the US Department of Justice, and the Office of the President of the United States). 

The US Department of Justice was the latest US official agency to reveal that during last year's SolarWinds global hacking spree, 27 US Attorneys' offices were compromised. 

Autodesk was not the only big corporation attacked in the SolarWinds breach; other companies such as Cisco, VMware, Intel, and Nvidia revealed similar issues in December.

T-Mobile CEO Apologizes for Hack of More Than 54 Million Users Data

 

Mike Sievert, CEO of T-Mobile, is in a spot of bother after a major data breach of the carrier’s servers. In a statement issued last week, he apologized for the data breach but also tried to paint a rosy picture of it, claiming that no financial details were stolen while confirming that millions of social security numbers were compromised.

The attack on the carrier’s servers impacted more than 54 million current, former and prospective users. Leaked data included social security numbers, names, contact numbers, driver’s license information, IMEI and IMSI information, and addresses for some, but not financial details. Meanwhile, device identifiers and PINs were obtained for certain accounts.

“What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data. In short, this individual’s intent was to break in and steal data, and they succeeded,” Sievert stated.

Hacker John Binns, a US citizen living in Turkey, has taken credit for the attack, calling the carrier's security practices "awful." Binns has reportedly been scanning T-Mobile's systems for vulnerabilities since last summer, and finally discovered a vulnerable internet-exposed router in July, which provided access to T-Mobile servers in a data center near East Wenatchee, Washington state. He claimed it took him roughly a week to breach the servers storing customer data. 

The hacker said he targeted T-Mobile servers to grab the attention of the world. Last year, he filed a lawsuit against several US government agencies including the CIA and FBI, claiming that he had been blackmailed, surveilled, and tortured. 

T-Mobile became one of the country’s largest cellphone service carriers, along with AT&T and Verizon, after buying rival Sprint last year. It reported having a total of 102.1 million U.S. customers after the merger. 

T-Mobile has previously disclosed a number of data breaches over the past years, and it doesn’t seem to have learned from those incidents, something that has been mentioned in the lawsuits filed against the carrier as a result of the latest breach.

Sievert said the company has collaborated with cybersecurity firms Mandiant and KPMG LLP to strengthen security. He also apologized to the affected users for the data breach, announced that the company will offer impacted individuals two years of free identity protection services, and promised to take steps to prevent these types of incidents in the future.

Chinese Android Game Developer Exposes Data of Over 1 Million Gamers

 

The Chinese developers of famous Android gaming applications exposed user information via an unprotected server. A report shared by vpnMentor's cybersecurity team, headed by Noam Rotem and Ran Locar, identified EskyFun as the owner of a 134GB server that was exposed and made public online.

Rainbow Story: Fantasy MMORPG, Adventure Story, The Legend of the Three Kingdoms, and Metamorph M are among the Android games developed by EskyFun. 

According to the team on Thursday, the users of the following games were included in the data leak, and altogether they have over 1.6 million downloads combined:

- Rainbow Story: Fantasy MMORPG
- Metamorph M
- Dynasty Heroes: Legends of Samkok

According to the researchers, the supposed 365,630,387 records included data from June 2021 onwards, exposing user data gathered on a seven-day rolling basis. 

As per the team, when their software is downloaded and installed, the developers impose aggressive and highly troubling monitoring, analytics, and permissions settings, and as a consequence, the variety of data gathered was considerably more than one would imagine mobile games to need. 

The records included IP and IMEI data, device information, phone numbers, the operating system in use, mobile device event logs, whether or not a smartphone was rooted, game purchase and transaction reports, email addresses, EskyFun account passwords, and support requests.

vpnMentor estimates that up to, or more than, one million users' information may have been compromised.

On July 5, the unprotected server was detected, and EskyFun was approached two days later. However, after receiving no answer, vpnMentor tried again on July 27. 

Due to the continued inaction, the team was forced to contact Hong Kong CERT, and the server was safeguarded on July 28. 

The researchers commented, "Much of this data was incredibly sensitive, and there was no need for a video game company to be keeping such detailed files on its users. Furthermore, by not securing the data, EskyFun potentially exposed over one million people to fraud, hacking, and much worse."

Private Details of 70M AT&T Users Offered For Sale on Underground Hacking Forum

 

A notorious hacking group known as ShinyHunters is reportedly selling a database containing private details of 70 million AT&T customers. However, AT&T, an American telecommunications provider, denied suffering a data breach. 

Last week, ShinyHunters posted a sale for “AT&T database + 70M (SSN/DOB)” on RaidForums, a popular Darkweb marketplace. Threat actors set the bidding with a starting price of $200,000 and incremental offers of $30,000. Apart from this, there is also a flash sale where customers can buy the entire database for $1 million. 

"In the original post that we discovered on a hacker forum, the user posted a relatively small sample of the data. We examined the sample and it appears to be authentic based on available public records,” Sven Taylor of RestorePrivacy, who first reported the data breach, stated. 

ShinyHunters shared a sample subset of the stolen data, including names, contact numbers, physical addresses, social security numbers (SSN), and dates of birth. An anonymous security expert told BleepingComputer that two of the four people in the samples were identified users in the AT&T database. The hackers are also working on decrypting the data that they believe comprises customer accounts’ PINs.

"Based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems," AT&T responded to the claims of ShinyHunters.

In a follow-up email to BleepingComputer, the telecom provider hedged over whether the data could have been stolen from a third party: “Given this information did not come from us, we can’t speculate on where it came from or whether it is valid,” the firm stated. 

In the past, ShinyHunters has targeted the likes of Microsoft, Mashable, Tokopedia, BigBasket, Nitro PDF, Pixlr, TeeSpring, Promo.com, Mathway, and droves of other small-to-mid-sized platforms. Its modus operandi is to steal credentials, API keys or buy large troves of data, then dump and sell it on underground platforms.

Earlier this month, a fellow telecom provider, T-Mobile, suffered a data breach that exposed the private details of tens of millions of its users. To address the issue, T-Mobile assured its users that it would provide free identity protection services.

Database of 70 Million AT&T Users Being Sold on a Hacker Forum

 

The same threat actor is selling 70 million AT&T customers' records just days after the T-Mobile data leak. The data leak claim was refuted by the mobile service provider, who stated that the data did not emanate from any of their systems. ShinyHunters, the same threat actors that just days ago sold T-Mobile subscribers' data, is now selling 70 million records reportedly belonging to another mobile service provider – AT&T. AT&T consumers' full names, social security numbers, email addresses, and dates of birth are among the data for sale. 

ShinyHunters is a well-known organisation that has been linked to a number of high-profile data breaches. Mashable, 123RF, Minted, Couchsurfing, Animal Jam, and other companies have been targeted, according to HackRead. 

The revelation was first reported by Restore Privacy. According to them, the hacker is seeking $1 million for the full database (direct sell) and has given them exclusive information for this report.

"In the original post that we discovered on a hacker forum, the user posted a small sample of the data. We examined the sample and it appears to be authentic based on available public records. Additionally, the user who posted it has a history of major data breaches and exploits," said Restore Privacy. "While we cannot yet confirm the data is from AT&T customers, everything we examined appears to be valid." 

AT&T denied that the data had been leaked, claiming that it was either forged or obtained through other sources. “Based on our investigation today, information that appeared in an internet chat room does not appear to have come from our systems,” MarketWatch quoted the cell phone carrier. 

 AT&T has previously experienced a data breach. For an insider breach in 2015, the company agreed to pay a $25 million fine. In fact, a threat actor was looking to hire a T-Mobile and/or AT&T employee in May, presumably to assist them in staging an insider attack on their employer. 

T-Mobile was notified late last week about accusations in an online forum that a threat actor had compromised T-Mobile systems. The company announced that it had discovered and shut down the access point that might have been utilised to obtain unauthorised access to the company's servers.

Confidential Terrorist Watchlist With 1.9Mn Records Exposed Online

 

Cyber security researcher Bob Diachenko has unearthed an unsecured ElasticSearch server containing nearly two million terrorist watchlist records, including "no-fly" list indicators, which were left exposed for a period of three weeks between July 19th and August 09th. 

Earlier this week, Diachenko posted a message and said, “On July 19, I discovered a terrorist watchlist containing 1.9 million records online without a password or any other authentication required to access it." The unprotected server had a Bahrain IP address but it remains unclear whether the server was owned by the US or any other country.

Diachenko immediately reported his discovery to the US Department of Homeland Security, but the records weren't taken down until August 09. The leaked records contained passport details, full name, dates of birth, citizenship, gender, TSC watchlist, country of issuance, and no-fly indicator. 

“The watchlist came from the Terrorist Screening Center, a multi-agency group administered by the FBI, which maintains the country's no-fly list, a subset of the larger watchlist. A typical record in the list contains full name, citizenship, gender, date of birth, passport number, no-fly indicator, and more,” he informed. 

No-fly list

The exposed data belongs to people who are suspected of being terrorists but have not necessarily been charged with any crime. "If it falls in wrong hands, this list could be used to oppress, harass or persecute people mentioned on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list," Diachenko said. 

Prior to 2015, the terrorist watchlist was completely confidential. Then the US government modified its policy and began privately informing US citizens who were added to the list, but foreigners still often can't find out whether they're on the no-fly list until they try to board a plane. 

Several media reports suggest that the US officials are recruiting informants in exchange for keeping their names off the no-fly list. Some past or present informants' identities could have been exposed. The Terrorist Screening Center (TSC) was set up by the US Federal Bureau of Investigation (FBI) in 2003.

The discovery of the exposed records comes just a month after the DHS, the Department of Justice, and other federal agencies launched a new website with the sole motive of combating the threat of ransomware.

T-Mobile Acknowledged Breach of 100 Million Customers

 

T-Mobile announced a data breach on Monday after a hacking organization claimed to have gotten records of 100 million T-Mobile customers in the United States and sold some of the information on the dark web. The US wireless carrier said it couldn't say how many users were affected, but that it has started a "deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed."

T-Mobile is the brand name for the mobile communications companies of Deutsche Telekom AG, a German telecommunications firm, in the Czech Republic (T-Mobile Czech Republic), the Netherlands (T-Mobile Netherlands), Poland (T-Mobile Polska), and the United States (T-Mobile US). 

T-Mobile initially stated that it was investigating the hacker group's claim, but eventually admitted that at least some data had been acquired by the hackers. "We have determined that unauthorized access to some T-Mobile data occurred, however, we have not yet determined that there is any personal customer data involved," a company statement said. "We are confident that the entry point used to gain access has been closed."

T-Mobile said it was conducting its own investigation into the incident with the help of digital forensic experts and was collaborating with law enforcement. According to media sources citing postings on dark web forums, the enormous breach allegedly includes sensitive personal information such as social security and driver's license numbers. 

Motherboard was given access to some of the data, and the publication confirmed that it contained correct information on T-Mobile subscribers. The seller told Motherboard that they had hacked into various T-Mobile servers. A subset of the data, containing around 30 million social security numbers and driver's licenses, is being sold on the forum for six bitcoin, while the rest is being sold privately. At current exchange rates, six bitcoins are worth about $280,000. 

The seller told Motherboard, “I think they already found out because we lost access to the backdoored servers.” He was referring to T-Mobile’s potential response to the breach. T-Mobile appears to have thrown them out of the hacked systems, according to the seller, but they had already downloaded the data locally. They stated, "It's backed up in multiple places." 

The firm has also stated that once the situation is more understood, it would “proactively communicate” with customers and stakeholders, but that the investigation will “take some time.”

Nearly 2 Million Records From Terrorist Watchlist Exposed Online

 

A terrorist watchlist comprising 1.9 million records remained open and unsecured on the internet for three weeks between July 19th and August 9th. The Terrorist Screening Center (TSC), a multi-agency centre run by the Federal Bureau of Investigation, is believed to have compiled the watchlist. The list was left accessible to the public on an Elasticsearch cluster with no password. 

In July this year, Security Discovery researcher Bob Diachenko discovered various JSON documents in an unsecured Elasticsearch cluster, which grabbed his interest. 

The 1.9 million-strong record set includes sensitive information about people, such as their names, country of citizenship, gender, date of birth, passport data, and no-fly status. 

Search engines Censys and ZoomEye listed the exposed server, implying Diachenko was not the only one who came across the list. Given the nature of the open data (e.g. passport details and "no-fly indicator"), the researcher informed BleepingComputer that it seemed to be a no-fly or similar terrorist watchlist. 

“The exposed Elasticsearch cluster contained 1.9 million records. I do not know how much of the full TSC Watchlist it stored, but it seems plausible that the entire list was exposed,” he added.

In addition, the researcher observed certain enigmatic fields, such as "tag," "nomination kind," and "selectee indication," whose meaning was not clear. Diachenko told BleepingComputer that, given the nature of the data and the presence of a specific field titled "TSC ID," the only reasonable conclusion was that the record set's source may be the Terrorist Screening Center (TSC). 

Multiple federal agencies use the FBI's TSC to manage and exchange integrated information for counterterrorism reasons. The Terrorist Screening Database, often known as the "no-fly list," is a secret watchlist managed by the agency. 

Such databases are regarded as extremely sensitive, given the critical role they play in assisting national security and law enforcement activities. Terrorists, or those reasonably suspected of representing a national security threat, are "nominated" for inclusion on the secret watchlist at the government's discretion. 

The list is consulted by airlines and multiple agencies, such as the Department of State, Department of Defense, Transportation Security Administration (TSA), and Customs and Border Protection (CBP), to determine whether a passenger is allowed to fly or is inadmissible to the United States, or to assess their risk for various activities. 

Diachenko discovered the unsecured database on July 19th on a server with a Bahrain IP address and disclosed the data leak to the US Department of Homeland Security (DHS) on the same day. 

"I discovered the exposed data on the same day and reported it to the DHS. The exposed server was taken down about three weeks later, on August 9, 2021. It's not clear why it took so long, and I don't know for sure whether any unauthorized parties accessed it," writes Diachenko in his report. 

According to Diachenko, releasing such sensitive information might affect people whose data might be included on the list. 

“The terrorist watchlist is made up of people who are suspected of terrorism, but who have not necessarily been charged with any crime. In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list,” he warned.

Cyber Firm: Ransomware Group Demanding $50M in Accenture Security Breach

 

The hacking group behind a ransomware attack on global solution provider powerhouse Accenture has demanded $50 million in ransom, as per the cybersecurity firm that saw the demand. 

According to a tweet from Cyble, a dark web and cybercrime monitoring company, the threat actor is seeking $50 million in return for more than 6 TB of data. 

On Thursday, Accenture responded that it had no additional information to add to its statement, pointing CRN to a statement issued on Wednesday that claimed it had "contained the matter and isolated the affected servers" and that "there was no impact on Accenture's operations, or on our clients' systems." 

The hacking group apparently used LockBit ransomware to target Accenture, which is ranked No. 1 on CRN's Solution Provider 500 for 2021, in the attack revealed on Wednesday. 

According to Emsisoft, a cybersecurity firm located in New Zealand, LockBit is a ransomware strain that stops users from accessing infected devices until a ransom payment is completed. The incident comes after a ransomware assault on Kaseya in July, which involved a $70 million ransom demand to decrypt victim files. Kaseya later stated that it had acquired a decryptor for the REvil ransomware, but it had not paid the ransom. 

“At the end of the day, paying the ransom is never a good idea,” stated Douglas Grosfield, founder and CEO of Kitchener, Ontario-based Five Nines IT Solutions, in an interview with CRN. 

“The majority of folks that do end up paying the ransom don’t necessarily get all of their data back. And what you do get back, you can’t trust. There could be a payload there—a ticking time bomb—that will make it easier for the perpetrators to get in again.” 

He stated that it is unsurprising that ransomware groups are targeting IT service companies such as Accenture. “The only surprise is that it took the bad guys this long to figure out that service providers are a pretty juicy target,” he added. 

According to Grosfield, the Accenture incident serves as a reminder of the proverb, "physician, heal thyself," meaning that IT service providers must verify that their own systems are safe before proposing security solutions to their clients. 

Accenture claims to have contained the assault; however, this is a questionable assertion. The firm confirmed the ransomware assault in an emailed response to a request for information from CRN but stated it had no impact on the organization. 

“Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers. We fully restored our affected servers from back up. There was no impact on Accenture’s operations, or on our clients’ systems,” Accenture wrote. 

However, a CNBC reporter said on Wednesday that the hackers behind the Accenture attack uploaded over 2,000 files to the dark web, including PowerPoint presentations and case studies. 

On Wednesday, VX Underground, which claims to possess the Internet's largest collection of malware source code, tweeted a timer allegedly from the hacking group, indicating the time remaining until the attack on Accenture's data would begin. The timer ultimately ran out. The LockBit ransomware gang published 2,384 files for a short period, according to VX-Underground; however, those files were unavailable due to Tor domain issues, most likely caused by excessive traffic. 

The LockBit attack clock was restarted with a new date of Aug. 12, 2021, 20:43 UTC, or 4:43 p.m. ET Thursday, according to the group. 

The Accenture incident is "a perfect example of the distinction between business resiliency and business continuity," Ron Bradley, vice president of third-party risk management firm Shared Assessments, told Threatpost on Wednesday. 

“This particular example with Accenture is interesting in the fact that it was a known/published vulnerability,” Bradley continued. “It highlights the importance of making sure systems are properly patched in a timely manner. The ability for Accenture to manage the repercussions of potentially stolen data will be an important lesson for many organizations going forward.” 

According to Hitesh Sheth, president and CEO of cybersecurity firm Vectra, all organizations should expect such assaults, but especially a global consultancy firm with many links. 

“First reports suggest Accenture had data backup protocols in place and moved quickly to isolate affected servers,” he told Threatpost on Wednesday. “It’s too soon for an outside observer to assess the damage. However, this is yet another reminder to businesses to scrutinize security standards at their vendors, partners, and providers. Every enterprise should expect attacks like this – perhaps especially a global consulting firm with links to so many other companies. It’s how you anticipate, plan for and recover from attacks that counts.” 

LockBit encrypts files with AES encryption and generally asks for a high-five-figure ransom to decrypt the data. LockBit's procedures are mostly automated, allowing it to operate with little human monitoring once a victim has been hacked, according to Emsisoft. It may be used as the foundation for a ransomware-as-a-service business model, in which ransomware authors can utilize it in exchange for a share of the ransom payments.

Reindeer Leak Personal Data of 3,00,000 Users In A Breach

 

WizCase's cybersecurity group discovered a major breach impacting Reindeer, an American marketing company that previously worked with Tiffany & Co., Patrón Tequila, and other companies. Led by Ata Hakçil, the group revealed that the breach leaked customer names, dates of birth, email IDs, phone numbers, addresses, etc. The cybersecurity experts found a misconfigured Amazon S3 bucket that belonged to Reindeer.

It contained around 50,000 files and a total of 32 GB of data. Reindeer is currently a defunct American advertising company. Because the defunct company owns the bucket, researchers had to contact Amazon about the breach, as it is the only source that could provide details about the attack. The team also informed US-CERT, in hopes that it would contact the previous company owner. The misconfigured S3 bucket contained data of around 3,00,000 customers of Reindeer clients. Patrón was the top client with the highest number of customer PII (Personally Identifiable Information) leaked; however, other Reindeer clients were also affected, such as Jack Wills, a UK clothing brand. It seems that permission and access settings in cloud-based deployments have become easy to misconfigure. 

Companies that work on cloud-based platforms should have a robust cybersecurity system that keeps an eye on such breaches and flags any potential error in the cloud infrastructure. The leaked information contains details of around 3,60,009 customers and profile photos of 1400 users. The PII includes customer names, addresses, dates of birth, e-mail IDs, Facebook IDs, and hashed passwords. As per the experts, users from 35 countries were included in the breach, the top three being Canada, the US, and Britain, with around 2,80,000 affected users. 

"The leaked data dates from May 2007-February 2012. The public cloud brings a whole host of new issues to which organizations are still adapting. The case of the Reindeer breach raises serious questions about the shared responsibility model and certainly highlights the need for a layered defense. When it comes to PaaS services, like S3, organizations must implement network-based access controls and apply security policies to protect against sensitive data exfiltration,” said Valtix CEO Douglas Murray.

Personal Information of 2,000 FOID Cardholders Compromised in ISP Website Breach

 

The Illinois State Police are notifying Firearm Owners Identification cardholders regarding a possible data breach after attackers attempted to breach the agency's Police FOID card portal.

According to ISP officials, the personal information of about 2,000 FOID cardholders, or about .0008% of the total number of FOID cardholders in the state, may have been compromised in the attempted hack. Those people will be contacted, the agency said in a news release.

“The software vendor determined that using previously stolen personal data to access existing accounts, unauthorized users may or may not have accessed additional “auto-populated” personal identifiers unique to that account and card such as the last four of a social security number. 2,067 FOID card holders, less than .0008 % of total cardholders, were possibly impacted by these attempts. In accordance with state law and out of an abundance of caution, all affected persons were sent a notice and issued a new card at no cost,” according to the news release.

The ISP has strengthened its online security requirements and is limiting the use and access of personal information that FOID card applicants submit in their online FOID account that could match Illinois resident personal identification information unlawfully obtained from any number of previous cyber breaches. The personal information did not come from their systems and servers, ISP officials said after an investigation. 

The FOID website software vendor, working with ISP, recently determined unauthorized persons were attempting to use this type of previously unlawfully obtained personal information to match with and access existing FOID online account information to add further detail to their existing stolen data, the release read. 

The site is back online and is accepting applications. Residents who want to buy and own firearms and ammunition must possess a Firearm Owners Identification card issued by Illinois State Police. For more than 18 months, the state has been delayed in processing applications for the required ID, with many waiting months, the agency said. 

“I’d rather there not be a database somewhere of gun owners and their addresses. It doesn’t take that much imagination to figure out how that information can be used in ways that increase the risk to those persons,” Cybersecurity consultant John Bambenek said while raising questions regarding cybersecurity.

Data of 100 Million JustDial Customers Left Unsecured for Over a Year

 

The Personally Identifiable Information (PII) of approximately 100 million users of local business listing site JustDial was at risk after an Application Programming Interface (API) was left exposed for over a year. 

JustDial is an Indian internet technology firm that offers local search for a variety of services in India via phone, Internet, and mobile apps. 

However, a fix appears to have protected the PII data, which includes users' names, gender, profile photos, email addresses, phone numbers, and birthdates. 

Rajshekhar Rajaharia, an independent internet security researcher who first tweeted about this on Tuesday, informed BusinessLine that after discovering the data breach, he contacted the organization, and it was patched and fixed promptly. 

“The company’s data was exposed since March 2020, though we can’t say yet if they have been leaked. We will only know once JustDial releases an audit report on it,” Rajaharia stated. 

Further, he added that JustDial needs an audit because the system may have other flaws. JustDial did not respond to an email requesting a statement. 

JustDial became a Mukesh Ambani group firm just ten days ago when Reliance Retail bought a 41% stake in it for $3,497 crore. Bill payments and recharge, groceries and food delivery, and reservations for restaurants, cabs, movie tickets, plane tickets, and events are among the services provided by the organization. 

This isn't the first time JustDial's information has been leaked. In April 2019, Rajaharia discovered that a similar API was leaking user information in real-time whenever someone called or messaged JustDial via its app or website. The organization claimed to have solved the issue, but it appears to have reemerged a year later. 

Rajaharia stated that JustDial never reveals the total number of people who have signed up. They disclose the count of active users and merchants, but never the total number, because every time someone dials the platform's "88888 88888" number, the caller data is saved in JustDial's database right away. This information is also in danger of being leaked. This data can also be tracked in real-time by the API in question. If an attacker gains access to it, they would be able to quickly extract and upload the data of every JustDial user to the Dark Web.

Many famous online firms and their customers have been the victims of data leaks and carelessness since the pandemic broke last year. MobiKwik, JusPay, Upstox, Bizongo, BigBasket, Dominos India, and even Air India are among them. 

As per BusinessLine, Kapil Gupta, co-founder, Volon Cyber Security stated, “Customers need to be notified about any data leak happening in companies so that they can reset accounts and change passwords to protect their data. Though users can sue, raise a complaint, and even ask for damages, under the Right to Privacy or IT Acts, these policies are still open to interpretation. The articulation is not obvious.” 

“The proposed Data Protection Bill gives more clarity on accountability of the companies facing a data breach. They have to voluntarily disclose and pay a fine if a data breach happens or they will be punished under the law. But we are still waiting for the DPB,” he added.