Showing posts with label User Privacy.

Data of 100 Million JustDial Customers Left Unsecured for Over a Year


The Personally Identifiable Information (PII) of approximately 100 million users of local business listing site JustDial was exposed after an Application Programming Interface (API) was left unsecured for over a year. 

JustDial is an Indian internet technology firm that offers local search for a variety of services in India via phone, Internet, and mobile apps. 

The API has since been fixed. The exposed PII included users' names, gender, profile photos, email addresses, phone numbers, and birthdates. 

Rajshekhar Rajaharia, an independent internet security researcher who first tweeted about this on Tuesday, told BusinessLine that after discovering the exposure he contacted the company, which patched it promptly. 

“The company’s data was exposed since March 2020, though we can’t say yet if they have been leaked. We will only know once JustDial releases an audit report on it,” Rajaharia stated. 

He added that JustDial needs an audit because the system may have other flaws. JustDial did not respond to an email requesting comment. 

JustDial became a Mukesh Ambani group firm just ten days ago, when Reliance Retail bought a 41% stake in it for ₹3,497 crore. Bill payments and recharges, grocery and food delivery, and reservations for restaurants, cabs, movie tickets, plane tickets, and events are among the services the company provides. 

This isn't the first time JustDial's data has been exposed. In April 2019, Rajaharia found a similar API leaking user information in real time whenever someone called or messaged JustDial via its app or website. The company said it had fixed the issue, but it appears to have resurfaced a year later. 

Rajaharia said JustDial never discloses the total number of people who have signed up; it discloses counts of active users and merchants, but never the total, because every time someone dials the platform's "88888 88888" number the caller's data is saved in JustDial's database immediately. That data is also at risk, and can be tracked in real time through the API in question. An attacker with access to it could quickly extract the data of every JustDial user and upload it to the dark web.

Many well-known online firms and their customers have fallen victim to data leaks and carelessness since the pandemic began last year, among them MobiKwik, JusPay, Upstox, Bizongo, BigBasket, Dominos India, and even Air India. 

As per BusinessLine, Kapil Gupta, co-founder, Volon Cyber Security stated, “Customers need to be notified about any data leak happening in companies so that they can reset accounts and change passwords to protect their data. Though users can sue, raise a complaint, and even ask for damages, under the Right to Privacy or IT Acts, these policies are still open to interpretation. The articulation is not obvious.” 

“The proposed Data Protection Bill gives more clarity on accountability of the companies facing a data breach. They have to voluntarily disclose and pay a fine if a data breach happens or they will be punished under the law. But we are still waiting for the DPB,” he added.

WhatsApp CEO: US Allies' National Security Officials Targeted with NSO Malware


According to WhatsApp CEO Will Cathcart, governments used NSO Group malware to target senior government officials around the world. 

Cathcart discussed the spyware attacks uncovered by the Pegasus Project investigation with The Guardian, noting that they resemble a 2019 attack against 1,400 WhatsApp users. 

Cathcart added, “The reporting matches what we saw in the attack we defeated two years ago, it is very consistent with what we were loud about then. This should be a wake-up call for security on the internet … mobile phones are either safe for everyone or they are not safe for everyone.” 

NSO Group's military-grade spyware is suspected of having been used against heads of state, cabinet members, activists, and journalists. The Pegasus Project's reporting is based on a leaked list of more than 50,000 phone numbers. The presence of a person's number on the list does not necessarily mean that they were successfully targeted, according to The Guardian. 

The leaked list is said to have included French President Emmanuel Macron, although NSO denies that any of its clients targeted Macron. The company also said the reported 50,000 figure was overstated. 

Cathcart, on the other hand, pushed back on this portrayal, stating that his firm had documented a two-week-long attack in 2019 that affected 1,400 users. He added, “That tells us that over a longer period of time, over a multi-year period of time, the numbers of people being attacked are very high. That’s why we felt it was so important to raise the concern around this.” 

According to The Guardian, WhatsApp sued NSO in 2019, alleging that the company had delivered malware to its users' phones. NSO, an Israeli firm, argued that responsibility lies with its customers, which are foreign governments. 

“NSO Group claims that a large number of governments are buying their software, that means those governments, even if their use of it is more controlled, those governments are funding this," Cathcart stated. "Should they stop? Should there be a discussion about which governments were paying for this software?” 

The NSO spokesperson told The Guardian, "We are doing our best to help to create a safer world. Does Mr. Cathcart have other alternatives that enable law enforcement and intelligence agencies to legally detect and prevent malicious acts of pedophiles, terrorists, and criminals using end-to-end encryption platforms? If so, we would be happy to hear."

3.8 Billion Phone Numbers of Clubhouse Users up for Sale on Dark Web


On a hacking forum, a threat actor has begun selling what they claim is a confidential Clubhouse database containing 3.8 billion phone numbers. According to the seller, the company "saves/steals each user's phonebook" into this database. The seller says it holds 3.8 billion phone numbers (mobile, fixed-line, private, and business), each with a score: the number of Clubhouse users who have that phone number in their phonebook. 

The threat actor shared a link to a sample from the database containing roughly 83.5 million Japanese phone numbers. Separately, CyberNews researchers reported in April 2021 that the personal data of 1.3 million Clubhouse users had been exposed online. 

Clubhouse disputed these claims in a statement to news agency IANS, saying, "There are a series of bots creating billions of random phone numbers." On the alleged "secret database of Clubhouse," the company added, “in the event that one of these random numbers happens to exist on our platform due to mathematical coincidence, Clubhouse’s API returns no user identifiable information." 

Several specialists have weighed in, dismissing the seller's claims. According to security researcher Rajshekhar Rajaharia, a list of phone numbers such as this one can easily be generated, and the leak claim appears to be false. Sunny Nehra, another researcher, pointed out that the threat actor is new to the forum, barely active, and prone to such "lame claims." 

"Days after scraped data from more than a billion Facebook and LinkedIn profiles, collectively speaking, was put for sale online, it looks like now it’s Clubhouse’s turn. The upstart platform seems to have experienced the same fate, with an SQL database containing 1.3 million scraped Clubhouse user records leaked for free on a popular hacker forum," reported CyberNews.

Clubhouse is an iOS and Android social audio app that allows users to speak in voice chat rooms with thousands of people. Live talks are held on the audio-only app, and users can engage by speaking and listening. Conversations may not be recorded, transcribed, duplicated, or disseminated without prior consent, according to Clubhouse guidelines. In a funding round in April 2021, venture capitalists valued Clubhouse at roughly $4 billion. 

1.2 Million Aussies Suffered when Uber was Breached in 2016


Uber interfered with the privacy of more than 1 million Australians in 2016, according to the Office of the Australian Information Commissioner (OAIC). Personal data of an estimated 1.2 million Australian customers and drivers was accessed in a breach in October and November 2016, and Australia's Information Commissioner and Privacy Commissioner Angelene Falk said on Friday that US-based Uber Technologies Inc and Dutch-based Uber B.V. had failed to adequately protect it.

In late 2017, it emerged that hackers had stolen data on 57 million Uber users worldwide, as well as data on over 600,000 Uber drivers. Uber concealed the breach for over a year and paid the hackers to keep it quiet instead of notifying the affected individuals. The OAIC said its investigation focused on whether Uber had preventative measures in place to secure Australians' data, even though Uber had the attackers destroy the data, leaving no evidence of further misuse. 

Uber, according to Falk, violated the Privacy Act 1988 by failing to take reasonable steps to protect Australians' personal information from unauthorised access and to destroy or de-identify the data as required. She also found that the company failed to take reasonable steps to implement practices, procedures, and systems to ensure compliance with the Australian Privacy Principles (APPs). 

"Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability," the determination says. "Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017." 

Falk said the case presented complicated questions about how the Privacy Act applies to firms situated overseas that outsource the handling of Australians' personal information to other companies within their corporate group. "Australians need assurance that they are protected by the Privacy Act when they provide personal information to a company, even if it is transferred overseas within the corporate group," she added. 

Uber agreed to pay $148 million in a US settlement over the incident in September 2018 and was fined over £900,000 in total by the UK and Dutch regulators a few months later for the 2016 data breach. In October 2019, two men pleaded guilty to the hack, and in August 2020 US authorities charged Uber's former chief security officer over the cover-up. "We learn from our mistakes and reiterate our commitment to continue to earn the trust of users," an Uber spokesperson said.

Olympic Ticket Data Leaked, Says Japanese Government


Following a breach, user IDs and passwords for the Tokyo Olympic ticketing portal were posted on a leak website, a government official told Kyodo News on Wednesday. The leak was "not huge," according to the source, but the credentials could give someone access to a person's name, address, bank account information, and other personal data. 

The government source, who spoke on condition of anonymity, said the organizing body for the Games has opened an investigation. The leak reportedly includes the names, addresses, and bank account information of people who purchased Paralympic tickets, as well as accounts for a volunteer portal. The source did not say how many accounts were compromised. The leak came to light as Japanese musician Keigo Oyamada resigned this week from the team producing Friday's Olympic opening ceremony after admitting to having bullied and abused children with disabilities, and as organizers struggle to win over public opinion in the wake of the coronavirus pandemic. 

Some observers disputed that a breach had occurred. "There are no postings on any of the forums demonstrating direct information leaks," Twitter user pancak3 said after finding accounts for those registration sites on dark web markets. He added that the data was not stolen through a breach of the sites but harvested from infected user machines by the RedLine information stealer and similar malware. 

The announcement came just one day after the FBI issued a private industry alert warning organizations working with the Tokyo 2020 Summer Olympics to prepare for a wave of "DDoS attacks, ransomware, social engineering, phishing campaigns, or insider threats to block or disrupt live broadcasts of the event, steal and possibly hack and leak or hold hostage sensitive data, or impact public or private digital infrastructure supporting the Olympics."

"Malicious activity could disrupt multiple functions, including media broadcasting environments, hospitality, transit, ticketing, or security," the FBI notice said on Tuesday. "The FBI to date is not aware of any specific cyber threat against these Olympics, but encourages partners to remain vigilant and maintain best practices in their network and digital environments." 

The notice goes on to mention the cyberattack on the 2018 Winter Olympics in Pyeongchang, South Korea, in which Russian hackers used the Olympic Destroyer malware to disrupt web servers during the opening ceremony. According to the notice, the hackers "obfuscated the true source of the malware by emulating code used by a North Korean group, creating the potential for misattribution." Six Russian intelligence officers were indicted by the Justice Department in October 2020 over, among other things, the attack on the Pyeongchang Winter Olympics.

Russia-Based Company DDoS-Guard Targeted by Cybercriminals


Leaked data offered for sale on cybercrime forums and marketplaces has become so common that it is barely remarkable, except for the occasional choice of victim. Such listings can, however, indicate that a site or service has been compromised, possibly without its operators being any the wiser. 

One such prospective victim is the Russian company DDoS-Guard, which sells protection against distributed denial-of-service attacks. A database purporting to be its client data has been put up for sale on a cybercrime forum. 

DDoS-Guard is a Russian internet infrastructure company that offers DDoS protection, content delivery network services, and web hosting. 

On May 26, a forum user put "the full dump on the popular online DDoS-Guard service" up for auction, with an opening price of $500,000 and a "buy it now" price of $1.5 million. The opening price was later lowered to $350,000. 

Singapore-based cybersecurity firm Group-IB reports that beyond DDoS defenses, "DDoS-Guard also provides computing capacities and obstructs the identification of website owners of hundreds of shady resources that are engaged in illicit goods sale, gambling and copyright infringements." 

"We've seen several rogue websites hosted by DDoS-Guard," says Reza Rafati, a senior analyst at Group-IB's CERT-GIB incident response unit in Amsterdam. "They were almost impossible to take down. Their answer to our numerous complaints on them protecting illegal resources is that they are not the owners of these websites. Such a safe environment for illicit online activity doesn't do any good for the global effort against cybercrime." 

According to the listing, the DDoS-Guard customer database contains "all info such as name, site, real IP, payment info, etc." The seller claimed that several well-known websites, including a Russian BitTorrent tracker, appear on the client list. The listing also says that DDoS-Guard's "infrastructure, backend, front end, and network filtering/blocking" are included in the sale. 

A DDoS-Guard spokesperson nevertheless rejected the seller's claims. "We are aware that malefactors are trying to sell a certain database. Our company has not experienced any data leaks," Ruvim Shamilov, DDoS-Guard's PR manager, stated. 

The domain and IP address intelligence service SecurityTrails attributes to DDoS-Guard sites belonging to Hamas, the Palestinian militant group that rules Gaza, as well as a large number of domains with suspicious names that are potentially used by fraudsters. 

Depending on who gets hold of the client database dump, it may soon be possible to identify anyone who has been operating sites behind DDoS-Guard. Law enforcement agencies are probably already well informed, says cybersecurity expert Alan Woodward. 

"Anything that is done at scale, and particularly where it is crime as a service, is bound to attract the attention of the police," says Woodward. In addition to finding ways to interrupt services connected with illegal activity, law enforcement organizations have shown themselves to follow users of the service.

1.2 Million People Affected by Practicefirst's Supply Chain Ransomware Breach


One of the largest health data breaches disclosed to federal regulators so far this year is a supply chain ransomware attack that affected over 1.2 million people. Practicefirst, a medical management services company based in Amherst, New York, reported the breach to federal officials on July 1. According to the company's breach notification statement, it paid a ransom in exchange for the attackers' promise to destroy, and not further expose, the files taken in the incident. 

The HIPAA Breach Reporting Tool, a website run by the Department of Health and Human Services that lists health data breaches impacting 500 or more people, says that Practicefirst reported the event affecting more than 1.2 million people. The Practicefirst hack was the sixth-largest health data breach reported on the HHS website so far in 2021 as of Tuesday.

According to Practicefirst's breach notification statement, on December 30, 2020, "an unauthorized actor who attempted to deploy ransomware to encrypt our systems copied several files from our system, including files that include limited patient and employee personal information." When the corporation learned of the situation, it says it shut down its systems, changed passwords, notified law enforcement, and hired privacy and security specialists to help.

"The information copied from our system by the unauthorized actor before it was permanently deleted, included name, address, email address, date of birth, driver’s license number, Social Security number, diagnosis, laboratory and treatment information, patient identification number, medication information, health insurance identification and claims information, tax identification number, employee username with password, employee username with security questions and answers, and bank account and/or credit card/debit card information," Practicefirst says. 

"We are not aware of any fraud or misuse of any of the information as a result of this incident," the company says. "The actor who took the copy has advised that the information is destroyed and was not shared." Many security experts believe that such promises made by hackers are untrustworthy. "Cybercriminals who infiltrate information systems are not reputable or reliable. By their nature, they will lie, cheat and steal," says privacy attorney David Holtzman of consulting firm HITprivacy LLC. 

"Vendors to healthcare organizations should be transparent to the public and to the organizations contracted with those providers to make clear statements as to what happened, what data may have been compromised and what steps they are taking to notify the organizations they serve of the data that was put at risk."

Chinese Hackers Stole Call Details of Nepal Telecom


Nepal Telecom suffered a damaging cyberattack attributed to China, in which hackers reportedly stole the call records of all of its users. 

The hackers reportedly gained access to all Nepali call information by compromising the telecom company's Oracle GlassFish Server. 

According to technical specialists, the hackers used tactics and backdoor tooling associated with the Advanced Persistent Threat groups APT41 and APT71, both of which have been observed stealing CDR data from telecom systems. The data stolen from the telecom server was also found being sold on the dark web: the telco's call detail records (CDR) were put up for sale on June 29. 

Several local news sources reported that Nepal Telecom has shut down its server to handle the growing threat. NTC spokesman Rajesh Joshi stated, "We have not deciphered the identity of the hackers. We switched off the server to save our data after we received information of a possible interference into our server." 

Chinese hackers reportedly gained access to NTC's Oracle GlassFish Server and obtained Call Detail Records (CDR). The telecom nevertheless maintains that its call data is secure, and NTC Managing Director Dilli Ram Adhikari said the company's main server is safe. 

In response to media outlets, he stated: "Hackers might have breached into a dated server of CDMA. The company's team of expert technicians are looking into the matter to trace the culprits. Our main server is protected by a highly secure firewall and remains safe." 

According to the report, the Chinese state has frequently shielded such groups at a governmental level, encouraging them over time to attack foreign companies. This led to the supposition that Chinese actors were behind the attack on NTC. 

The well-known hacking group TAG-22 has previously stolen and sold telecom data from countries such as Taiwan and the Philippines. 

According to the report, China has drawn the anger of other nations on several occasions for allegedly sponsoring state-level intrusions, which it has emphatically denied. There is no confirmation at this time that a Chinese group was behind the attack, but the leads point in that direction. 

A breach of a telecom exposes a vast amount of consumer data to malicious use. To secure user data going forward, NTC will have to be far more cautious.

Stolen Credit Card Data Hidden in Images by Magecart Hackers for Covert Exfiltration


Magecart-affiliated cybercriminals have adopted a new approach of obfuscating malicious code within comment blocks and embedding stolen credit card data in images and other files stored on the compromised site, illustrating how attackers keep upgrading their infection chains to avoid detection. 

Sucuri Security Analyst, Ben Martin, stated in a write-up, "One tactic that some Magecart actors employ is the dumping of swiped credit card details into image files on the server [to] avoid raising suspicion. These can later be downloaded using a simple GET request at a later date." 

Magecart is an umbrella name for several hacking groups that attack e-commerce websites by injecting malicious JavaScript skimmers, intending to steal credit card data and sell it on the black market. 

Sucuri attributed the attack to Magecart Group 7 based on similarities in tactics, techniques, and procedures (TTPs). In one infection of a Magento e-commerce site analyzed by the GoDaddy-owned security firm, the skimmer was found in one of the PHP files involved in the checkout process, in the form of a Base64-encoded compressed string. 

Furthermore, the attackers are said to have used concatenation, splicing the code together with extra comment blocks, a step that "does not functionally do anything but adds a layer of obfuscation making it more difficult to detect.” 

The attacks' ultimate objective is to capture customers' payment card information in real time on the compromised website; the data is written to a fake style sheet (.css) file on the server, which the threat actor later retrieves with a GET request. 

Martin added, "Magecart is an ever-growing threat to e-commerce websites. From the perspective of the attackers: the rewards are too large and consequences non-existent, why wouldn't they? Literal fortunes are made [by] stealing and selling stolen credit cards on the black market."

Mint Mobile Suffered a Data Breach


The US-based telecommunications firm Mint Mobile has announced a data breach in which several phone numbers were ported to another carrier without authorization and subscriber data may have been accessed. 

A threat actor ported the phone numbers of a "small" number of Mint Mobile subscribers to another carrier without authorization. The company emailed affected subscribers about the breach this weekend; the unauthorized port-outs took place between June 8 and June 10. 

Beyond the ported numbers, Mint Mobile also revealed that an unauthorized individual may have accessed subscriber information, including call history, names, email addresses, and credentials. 

"Between June 8, 2021, and June 10, 2021, a very small number of Mint Mobile subscribers' phone numbers, including yours, were temporarily ported to another carrier without permission," Mint Mobile disclosed. 

Mint Mobile says it immediately reversed the port-outs and restored service, but that the information an unauthorized individual may have accessed includes subscribers' names, addresses, telephone numbers, email addresses, account passwords, international call details, and subscription features. 

Mint Mobile did not say how the threat actor gained access, but the mix of data involved suggests that the attacker had compromised either subscriber accounts or a Mint Mobile application used to manage customers. 

Because the exposed data may include Mint Mobile account passwords, affected subscribers are strongly encouraged to change them. 

Unauthorized port-outs of this kind are typically used by threat actors for phishing or to intercept two-factor authentication codes delivered by text message to the hijacked number. 

Furthermore, Mint Mobile is warning affected users to "protect other accounts that use your phone number for validation purposes and to reset account passwords." 

US Cellular disclosed a similar incident in January after threat actors tricked employees into installing software that gave them remote access to company devices. The hackers used that access to look up subscriber details in customer relationship management (CRM) software and port their numbers.

After a Ransomware Attack, CNA Reports a Data Breach


Following a Phoenix CryptoLocker ransomware attack in March, CNA Financial Corporation, a leading US-based insurance firm, is notifying clients of a data breach. According to the Insurance Information Institute, CNA is the seventh-largest commercial insurance company in the United States. Individuals and corporations in the United States, Canada, Europe, and Asia can purchase a wide range of insurance products from the company, including cyber insurance coverage. 

"The investigation revealed that the threat actor accessed certain CNA systems at various times from March 5, 2021 to March 21, 2021," CNA said in breach notification letters mailed to affected customers on 9th July. "During this time period, the threat actor copied a limited amount information before deploying the ransomware." According to breach information filed with Maine's Attorney General's office, the data breach reported by CNA affected 75,349 people. 

After reviewing the data stolen during the attack, CNA determined that it contained personal information such as names and Social Security numbers. "Having recovered the information, we have now completed our review of that information and have determined it contained some personal information including name, Social Security number and in some instances, information related to health benefits for certain individuals," CNA explained in a separate incident update.

"The majority of individuals being notified are current and former employees, contract workers, and their dependents." The corporation went on to say that there was no evidence that the stolen data was "viewed, retained, or shared." Furthermore, CNA states that there is no reason to believe that the stolen data has been or will be exploited in any way. CNA also said, "CNA will be offering 24 months of complimentary credit monitoring and fraud protection services through Experian. CNA is also providing a toll-free hotline for the individuals to call with any questions regarding the incident." 

According to sources familiar with the incident, the Phoenix CryptoLocker operators encrypted approximately 15,000 devices on CNA's network after deploying ransomware payloads on March 21. The attackers also encrypted the machines of remote workers who were logged into the company's VPN at the time, according to BleepingComputer. 

Phoenix Locker is believed to be a new ransomware family developed by the Evil Corp gang to evade sanctions, after victims of its WastedLocker ransomware refused to pay ransoms so as to avoid legal action or fines. "The threat actor group, Phoenix, responsible for this attack, is not a sanctioned entity and no U.S. government agency has confirmed a relationship between the group that attacked CNA and any sanctioned entity," the company said.

Morgan Stanley Faces Data Breach


Morgan Stanley has revealed a data breach after attackers hacked into a third-party vendor's Accellion FTA server and stole personal information belonging to its clients. Morgan Stanley is a global financial services corporation that specializes in investment banking, securities, wealth management, and investment management. Corporations, governments, institutions, and individuals from more than 41 countries are among the company's clients. 

In May 2021, Guidehouse, a third-party vendor that provides account maintenance services to Morgan Stanley's StockPlan Connect business, told Morgan Stanley that hackers had accessed its Accellion FTA server and stolen information on Morgan Stanley stock plan participants. The Accellion FTA vulnerability was exploited on the Guidehouse server in January, even though the vendor had patched it within five days of a fix becoming available. 

The breach was detected in March, and the impact on Morgan Stanley customers was identified in May when Guidehouse notified the financial services company of the incident. No indication of the stolen data being disseminated online by the threat actors was uncovered. "There was no data security breach of any Morgan Stanley applications," Morgan Stanley said in data breach notification letters sent to impacted individuals. "The incident involves files which were in Guidehouse’s possession, including encrypted files from Morgan Stanley." 

Although the stolen files were encrypted while stored on the compromised Guidehouse Accellion FTA server, the threat actors obtained the decryption key as part of the attack. According to the company, the files stolen from Guidehouse's FTA server did not contain any passwords or credentials that threat actors could use to access affected Morgan Stanley customers' financial accounts. 

"The protection of client data is of the utmost importance and is something we take very seriously," a Morgan Stanley spokesperson said. "We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients."

While Morgan Stanley's data breach notification did not name the attackers, a joint statement released in February by Accellion and Mandiant offered more insight into the attacks, attributing them directly to the FIN11 cybercrime group. The Clop ransomware group has also stolen data from many firms using an Accellion FTA zero-day vulnerability (disclosed in December 2020). According to Accellion, approximately 300 customers used the 20-year-old legacy FTA software, and fewer than 100 of them were breached.

MageCart Group12 Employing New Technique to Target E-Commerce Websites


MageCart Group12 is known for targeting e-commerce websites with the goal of skimming payment information from online shoppers and selling it on the dark web. The credit-card skimmer group is now using PHP web shells to secure remote administrative access to the sites under attack and steal credit-card data, rather than using its previously favored JavaScript code, which it simply injected into vulnerable sites to log the information keyed into online checkout pages.

Researchers from Sucuri have learned that the scammers are saving the stolen credit-card data in .JPG files until it can be exfiltrated from compromised e-commerce sites running Magento. Most site owners are stuck on an old version of Magento and are unable to upgrade because they do not have sufficient funds to hire a developer back once their site becomes out-of-date and vulnerable. 

The cost to migrate a Magento 1 website (which had its end of life in 2020) to the more secure Magento 2 ranges from $5,000 to $50,000. Researchers believe that Magecart will continue to evolve and enhance its attacking techniques as long as its cybercrimes keep turning a profit. 

“The file named Magento.png attempts to pass itself as ‘image/png’ but does not have the proper .PNG format for a valid image file. The way it is injected in compromised sites is by replacing the legitimate shortcut icon tags with a path to the fake .PNG file,” researchers explained. 

But in this new methodology, the phony favicon is used to load a PHP web shell. The web shell is harder to detect and block because it injects the skimmer code on the server-side, rather than the client side. “The creative use of the fake .JPG allows an attacker to conceal and store harvested credit-card details for future use without gaining too much attention from the website owner,” Luke Leal, a researcher at Sucuri stated.
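A defender-side check for the two tricks described above (a file served as an image that is not really an image, and a real image used as a holding file for harvested card numbers), written as an added example that is not Sucuri's or Magento's code; the file names and contents are constructed stand-ins.

```python
"""Added example (not Sucuri's or Magento's code): flag files under a web root
that claim to be images but are not, such as a fake Magento.png carrying PHP
or a .jpg used to stash harvested card numbers. Sample files are constructed."""
import re

# Leading bytes a genuine file of each type must carry.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".ico": (b"\x00\x00\x01\x00",),
}
PHP_TAG = re.compile(rb"<\?(php\b|=)")
DIGIT_RUN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def looks_like_card_dump(data: bytes) -> bool:
    """True when at least two Luhn-valid 13-19 digit runs appear in the bytes."""
    hits = sum(1 for m in DIGIT_RUN.finditer(data) if luhn_ok(m.group().decode()))
    return hits >= 2

def classify(name: str, data: bytes) -> list[str]:
    """Findings for one file; an empty list means nothing suspicious."""
    findings = []
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot != -1 else ""
    if ext in MAGIC and not any(data.startswith(m) for m in MAGIC[ext]):
        findings.append("bad-magic")       # extension says image, bytes do not
    if PHP_TAG.search(data):
        findings.append("php-code")        # executable code inside an "image"
    if looks_like_card_dump(data):
        findings.append("card-data")       # stash of harvested card numbers
    return findings

def scan(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Return only the files with findings, keyed by path."""
    return {n: f for n, d in files.items() if (f := classify(n, d))}

# Constructed stand-ins: one real favicon, one fake .png holding PHP, one .jpg
# with a valid header that is being used to hold card numbers (test numbers).
SAMPLE_FILES = {
    "skin/favicon.png": b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17,
    "Magento.png": b"<?php /* constructed stand-in for web shell body */ ?>",
    "media/cache/img.jpg": b"\xff\xd8\xff\xe0" + b"4111111111111111|12/25\n4242424242424242|03/26\n",
}
```

Run `scan` over the bytes of every file under the Magento document root and review each path it returns; a fake favicon referenced from the shortcut icon tag shows up as "bad-magic" plus "php-code".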

“The latest techniques observed in these recent Magecart attacks show how the groups themselves are staying innovative by using previous techniques with new coding and tactics. The most recent findings highlight how difficult it may be for defenders to detect skimming activity itself without employing additional code reviews or other types of blocking and inspection,” Sean Nikkel, senior cyber threat intel analyst at Digital Shadows, told Threatpost. 

In September 2020, Magecart Group 12 hacked nearly 2,000 e-commerce sites in an automated campaign impacting tens of thousands of customers, who had their credit cards and other information stolen. Scammers employed the classic Magecart attack technique where e-commerce sites are injected with a web skimmer, which secretly exfiltrates personal and banking information entered by users during the online checkout process.

Data Breach at Third-Party Provider Exposed Medical Information of US Healthcare Patients


A data breach at a third-party provider has potentially leaked patients' confidential medical information from Northwestern Memorial HealthCare (NMHC) providers.

Unknown attackers obtained unauthorized access to a database managed by Elekta, a cloud-based platform that manages legally mandated cancer reporting to the State of Illinois. 

The healthcare provider, located in Chicago, reported the attackers copied the datasets, which included patient names, dates of birth, Social Security numbers, health insurance information, and medical record numbers, according to a security alert. 

The database also contained clinical information related to cancer treatment, including medical histories, physician names, dates of service, treatment plans, diagnoses, and/or prescription information. 

Those potentially affected are patients of Northwestern Medicine Central DuPage Hospital, Northwestern Medicine Delnor Community Hospital, Northwestern Medicine Huntley Hospital, Northwestern Medicine Kishwaukee Hospital, Northwestern Medicine Lake Forest Hospital, Northwestern Medicine McHenry Hospital, Northwestern Memorial Hospital, Northwestern Medicine Valley West Hospital, and Northwestern Medicine Valley West Hospital. 

According to the NMHC, no financial information was accessed. Patients who are suspected of being impacted will be notified via post. The NMHC will also provide free credit monitoring to people whose Social Security numbers have been compromised. 

NMHC also stated it was “re-evaluating its relationship with Elekta”. 

“Patients are encouraged to review their health insurer or healthcare provider statements and to contact them immediately if they see any services they did not receive. We regret that this incident occurred and are committed to protecting the security and privacy of patient information,” the statement reads. 

According to the company, the attackers did not get access to NMHC's systems, networks, or health records. The incident served as a harsh warning of the dangers of relying on third-party software or services.

A well-known example of what might happen as a result of a cyber-attack on a service provider is the Blackbaud event. The ransomware assault, which revealed the personal information of financial donors, impacted hundreds of nonprofit organizations and fundraising campaigns.

Leaked Infrastructure Secrets Costs Companies an Average of $1.2 Million in Revenue Annually


Developers typically have to pick between speed and security in order to meet accelerated delivery timelines. To make it simpler to access infrastructure secrets such as API tokens, SSH keys, and private certificates, they store them in config files or close to source code. However, they are often unaware that the simpler it is for them to gain access to these secrets, the easier it is for hackers to do so as well. 

According to the report "Hiding in Plain Sight" by 1Password, the leader in corporate password management, organizations lose an average of $1.2 million each year due to stolen information, which the company's researchers refer to as "secrets." 

“Secrets are now the lifeblood for IT and DevOps as they seek to support the explosion of apps and services now required in the contemporary enterprise,” stated Jeff Shiner, CEO of 1Password. 

The report surveyed 500 adults in the United States who work full-time in their business's IT department or in a DevOps capacity at a company with more than 500 workers, asking about the keys, tokens, and certificates that power their digital infrastructure. 

According to the poll, ten percent of respondents lost more than $5 million as a result of a secrets leak. Over 60% of respondents said their company has faced significant data leaks. 

Furthermore, two-fifths (40%) of respondents said their businesses had been harmed by a loss of brand reputation, with 29% losing clients as a result of secrets leakage. According to the research, two-thirds of IT and DevOps personnel (65%) believe their company has more than 500 secrets, and almost one-fifth (18%) believe they have more than they can count. 

IT and DevOps professionals spend an average of 25 minutes each day handling secrets, and the number is rising. Last year, more than half of IT and DevOps executives (66%) stated they spent more time managing secrets than they had ever spent before. 

Another 61% indicated that numerous initiatives had to be postponed due to their firms' inability to effectively handle their secrets. 

Full Access to Former Employer’s Systems:

API tokens, SSH keys, and private certificates are still being compromised as 77 percent of IT/DevOps employees indicate they still have access to their former employer's infrastructure secrets, with more than a third (37 percent) claiming complete access. 

According to the research, 59 percent of IT/DevOps professionals have also used email to communicate confidential information with coworkers, followed by chat services (40 percent), shared documents/spreadsheets (36 percent), and text messaging (26 percent). More than 62% of respondents said team leads, managers, VPs, and others have ignored security rules due to COVID-19 demands on work. 

Jeff Shiner stated, "Our research reveals that secrets are booming, but IT and DevOps teams are not meeting rigorous standards to protect them -- and in the process are putting organizations at risk of incurring a tremendous cost. It's time for companies to take a hard look at how they manage secrets, and adopt practices and solutions to 'put the secret back into secrets' to support a culture of security."

Mongolian Certificate Authority Hacked Eight Times


The unidentified hackers attacked the website of MonPass, one of Mongolia's leading certificate authorities, to backdoor its installation software with Cobalt Strike binaries in yet another software supply chain attack. 

According to a study published on Thursday by Czech cybersecurity software provider Avast, the trojanized client was accessible for download between February 8, 2021, and March 3, 2021. 

In addition, the researchers discovered eight distinct web shells and backdoors on a public webserver hosted by MonPass, which shows that it was compromised as many as eight times. After discovering the backdoored installation and implant on one of its clients' PCs, Avast launched an inquiry into the matter. 

"The malicious installer is an unsigned [Portable Executable] file," the researchers stated. "It starts by downloading the legitimate version of the installer from the MonPass official website. This legitimate version is dropped to the 'C:\Users\Public\' folder and executed under a new process. This guarantees that the installer behaves as expected, meaning that a regular user is unlikely to notice anything suspicious." 

The installer downloads a bitmap image (.BMP) file from a remote server to extract and execute an encrypted Cobalt Strike beacon payload, which is notable for its use of steganography to send shellcode to the victim's device. 

On April 22, MonPass was informed of the situation, and the certificate authority took measures to resolve the compromised server and notify those who had downloaded the backdoored client. The incident is the second time that certificate authority software has been used to attack targets with malicious backdoors. ESET revealed a campaign called "Operation SignSight" in December 2020, in which a digital signature toolset from the Vietnam Government Certification Authority (VGCA) was modified to incorporate spyware capable of collecting system data and installing additional malware. 

The development also comes as Proofpoint announced earlier this week that the use of the Cobalt Strike penetration testing tool in threat actor campaigns has increased by 161% year over year from 2019 to 2020. 

According to Proofpoint analysts, “Cobalt Strike is becoming increasingly popular among threat actors as an initial access payload, not just a second-stage tool threat actors use once access is achieved, with criminal threat actors making up the bulk of attributed Cobalt Strike campaigns in 2020.”

69K Users Affected in LimeVPN Data Breach


According to analysts, the VPN provider LimeVPN has been hacked, affecting 69,400 user records. Before taking down the company's website, a hacker claims to have taken the company's entire client database. According to PrivacySharks, the stolen details include user names, plaintext passwords, IP addresses, and billing information. The stolen data also included the public and private keys of LimeVPN users, according to the researchers.

“The hacker informed us that they have the private keys of every user, which is a serious security issue as it means they can easily decrypt every LimeVPN user’s traffic,” the firm said in a posting. Experts are concerned about the possibility of decryption because VPNs tunnel all of their users' internet activity, which could be a gold mine of information for cybercriminals. 

The entire alleged stockpile has been listed for sale on the hacker forum RaidForums. The hacker, who goes by the handle "slashx," initially stated that the database included 10,000 documents for $400 (on Tuesday) before increasing the number (on Wednesday). According to Slashx, the heist was carried out through a security breach, rather than an internal threat or an older attack. The site then went offline on Thursday, presumably due to a virus intrusion. “Worryingly, our access was blocked by Malwarebytes [antivirus protection] due to a potential trojan found on the site,” PrivacySharks claimed. 

LimeVPN verified the data breach, according to a PrivacySharks spokesperson, and the hacker who took the database also claimed responsibility for the site's outage. LimeVPN alerted RestorePrivacy that "our backup server has been compromised" and that it had "reset our access passwords and initiated a system audit," according to RestorePrivacy, which confirmed the leak separately. Both groups of researchers made contact with the perpetrator and examined samples of the alleged data. 

While evaluating the sample data offered by slashx, RestorePrivacy researchers observed that transaction details for users buying the service were included (dollar amounts and payment method), but actual payment-card data or bank details were not. “This is because the VPN uses a third-party payment processor called WHMCS,” the firm noted. “However, the hacker claims to have obtained the entire WHMCS database with the LimeVPN hack.”

“Even though LimeVPN is not a large provider like Surfshark or NordVPN, the fact that its entire database was scraped raises the question of security among VPN providers,” Cliff Durward, PrivacySharks’ head of security said. “Although most VPN companies, like LimeVPN, employ no-logs policies, identifiable data such as email addresses and payment information can still be stolen and sold if security breaches occur.”

Microsoft Adds DNS-over-HTTPS to Windows 11


DNS-over-HTTPS is a privacy feature in Windows 11 that allows users to evade censorship and monitoring of their Internet activity by performing encrypted DNS lookups. Before connecting to a website or other host on the Internet, your computer must first query a domain name system (DNS) server for the IP address associated with the hostname. 

The protocol aims to improve user privacy and security by encrypting the traffic between the DoH client and the DoH-based DNS resolver with HTTPS, which prevents eavesdropping on DNS data and its modification by man-in-the-middle attacks. Google and the Mozilla Foundation began testing DNS over HTTPS versions in March 2018. For users in the United States, Firefox switched to DNS over HTTPS by default in February 2020. 

The IETF published RFC 8484 (October 2018) as a proposed standard for DoH. It leverages HTTP/2 and HTTPS, and it carries DNS messages in the same wire format used in existing UDP queries and responses as the HTTPS payload, with the MIME type application/dns-message. If HTTP/2 is implemented, the server may also communicate items that it predicts the client will find valuable in advance via HTTP/2 server push. 
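The RFC 8484 message handling described above, as an added example that is not Microsoft's or the IETF's code: it builds the wire-format query, encodes it for the GET form, and parses a constructed application/dns-message response without sending anything. The resolver URL https://dns.example/dns-query used in the check is an assumed placeholder.

```python
"""Added example (not Microsoft's or the IETF's code): build an RFC 8484
DNS-over-HTTPS query in DNS wire format, encode it for the GET form, and
parse a constructed application/dns-message response. Runs offline."""
import base64
import ipaddress
import struct

QTYPE_A, QTYPE_AAAA = 1, 28

def encode_name(name: str) -> bytes:
    """example.com -> 0x07 'example' 0x03 'com' 0x00 (length-prefixed labels)."""
    labels = [lab.encode("idna") for lab in name.rstrip(".").split(".")]
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"

def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Wire-format query; RFC 8484 sec. 4.1 uses ID 0 so identical queries
    give identical messages and HTTP caches can serve them."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(template: str, query: bytes) -> str:
    """GET form (sec. 6): base64url without '=' padding in the 'dns' parameter.
    'template' is the resolver's DoH URI (an assumed value in the usage below)."""
    return template + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_response(msg: bytes) -> list[tuple[str, int, int, str]]:
    """Return (owner, type, ttl, rdata) per answer; A/AAAA rdata as address text."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                        # RCODE other than NOERROR
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                       # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        text = str(ipaddress.ip_address(rdata)) if rtype in (QTYPE_A, QTYPE_AAAA) else rdata.hex()
        answers.append((owner, rtype, ttl, text))
    return answers

# Constructed response: ID 0, QR/RD/RA flags, question echoed, one A record whose
# owner is a pointer (0xC00C) back to the question name, TTL 300, 192.0.2.1.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", QTYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
)
```

For www.example.com the GET URL ends in the same base64url string RFC 8484 itself shows in its section 4.1.1 example, which is a quick way to confirm an implementation's encoding.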

As some governments and ISPs prohibit access to websites by monitoring a user's DNS traffic, DoH will help users to avoid censorship, reduce spoofing attacks, and increase privacy because their DNS requests will be more difficult to track. Microsoft has re-enabled the DoH capability in Windows 11, and users who are currently utilizing DNS servers from Cloudflare, Google, or Quad9 can begin testing it again. 

According to Microsoft, it would be preferable if the DoH server for a configured DNS server could be identified automatically; however, this would pose a privacy concern. "It would be easier for users and administrators if we allowed a DoH server to have its IP address determined by resolving its domain name. However, we have chosen not to allow that. Supporting this would mean that before a DoH connection could be established, we would have to first send a plain-text DNS query to bootstrap it," says Tommy Jensen, a Program Manager on the Windows Core Networking team, in a new blog post. 

"This means a node on the network path could maliciously modify or block the DoH server name query. Right now, the only way we can avoid this is to have Windows know in advance the mapping between IP addresses and DoH templates." Using Discovery of Designated Resolvers (DDR) and Discovery of Network-designated Resolvers (DNR), which Microsoft has submitted to the IETF ADD WG, Microsoft aims to learn about new DoH server configurations from a DNS server in the future.

Data of 700 Million LinkedIn Users Has Been Compromised


A massive breach has purportedly compromised the data of over 700 million LinkedIn users. LinkedIn has a total of 756 million users, which means that this new hack has exposed the data of more than 92 percent of its users. An anonymous hacker is reported to have gotten a fresh dataset including personal information about LinkedIn users. Reportedly, the data exposed includes phone numbers, physical addresses, geolocation data, and inferred salaries. 

The data advertised by the hacker is “both authentic and up-to-date,” according to a recent investigation by the publication, with data points ranging from 2020 to 2021. The article goes on to say that the data breached comprises a lot of information. LinkedIn reported a data breach impacting 500 million customers in April, in which personal information such as email addresses, phone numbers, workplace information, complete names, account IDs, links to social network profiles, and gender characteristics were exposed online. 

According to LinkedIn, the information was obtained through scraping the network rather than a data breach. In an emailed statement, LinkedIn said, "While we're still investigating this issue, our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources. This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed. Scraping data from LinkedIn is a violation of our Terms of Service and we are constantly working to ensure our members' privacy is protected." 

The hacker has also uploaded a sample set of 1 million users for purchasers on the Dark Web, where the new dataset of 700 million users is also on sale. RestorePrivacy was the first to notice this listing on the Dark Web, and 9to5Google double-checked the sample data. 

User information such as email addresses, full names, phone numbers, physical addresses, geolocation records, LinkedIn username, and profile URL, inferred salaries, personal and professional experience/background, gender, and social media accounts and usernames are included in the sample dataset that has been published on the Dark Web. 

9to5Google reached out to the hacker who says that the data was obtained through hacking the LinkedIn API to gather the information that people upload to the site. Although the data does not include passwords, it is nevertheless extremely valuable and might be used in identity theft or phishing attempts.

Over 200,000 Students Data Leaked in Cyberattack


The personal information of approximately 280,000 students was leaked last week in a cyberattack that targeted the AcadeME company, which serves a variety of colleges and institutions across Israel. Hundreds of thousands of students use AcadeME to get jobs at thousands of companies. 

On June 20, a pro-Palestinian Malaysian hacker group known as "DragonForce" claimed that it hacked into AcadeME and stated in a Telegram message, "THE LARGEST AND MOST ADVANCED STUDENT AND GRADUATE RECRUITMENT NETWORK IN ISRAEL Hacked By DragonForce Malaysia." 

According to the group, emails, passwords, first and last names, addresses, and even phone numbers of students who were enrolled on AcadeME were leaked. Screenshots of code, server addresses, and a table with email addresses and names were all targeted by DragonForce. 

According to May Brooks-Kempler of the Think Safe Cyber Facebook group, the hackers exposed the information of roughly 280,000 students who have utilized the site since 2014. 

As of Monday morning, the AcadeME site had been pulled offline and was labeled as "unavailable." When attempting to visit the site, a notice stated that the site "should be back soon." 

The hackers wrote on Telegram, "This is an urgent call for all Hackers, Human Right Organizations and Activists all around the world to unite again and start a campaign against Israhell, share what is really going on there, expose their terrorist activity to the world. We will never remain silent against israhell war activity." 

The group claimed later that day that it had leaked a "massive" number of Israeli passports. On Friday, the same organization launched DDoS assaults against Bank of Israel, Bank Leumi, and Mizrahi Tefahot, among other Israeli banks. 

Israel's National Cyber Directorate's Warnings: 

Yigal Unna, the chief of Israel's National Cyber Directorate (INCD), cautioned earlier this year that if necessary precautions are not taken, cyberattacks might cripple Israeli academic institutions. 

The chief of the INCD warned that the wide connectivity between academic institutions and other bodies and organizations could constitute a threat to other bodies and result in liability. The message arrived 11 days after a cyberattack on the Ben-Gurion University of the Negev, which resulted in the compromise of several of the university's servers. 

After the breach was found, a joint team of researchers from the INCD and Ben-Gurion Technologies (the university's Innovation & Digital Division) was formed to prevent data leaks and control the situation. 

The perpetrator of the attack is still unknown. 

In 2020, the National Cyber Directorate received over 11,000 inquiries on its 119 hotline, a 30 percent increase over the previous year. About 5,000 requests were made to companies to handle vulnerabilities that exposed them to assaults, and about 1,400 entities were contacted about attempted or successful attacks.