
Audi And Volkswagen's Data Breach Affected 3.3 Million Customers

 

Volkswagen announced that a massive data breach exposed the personal information of over 3.3 million customers after one of its vendors left a cache of customer data unencrypted on the internet. In a letter to customers, Volkswagen said that the vendor utilized by Volkswagen, its subsidiary Audi, and authorized dealers in the United States and Canada had left customer data from 2014 to 2019 unsecured for two years between August 2019 and May 2021. 

Personal information about customers and prospective buyers was included in the data, which had been collected for sales and marketing purposes. Volkswagen Group of America, Inc. (VWGoA) is the German Volkswagen Group's North American subsidiary, responsible for Volkswagen, Audi, Bentley, Bugatti, Lamborghini, and VW Credit, Inc. operations in the United States and Canada. 

Between August 2019 and May 2021, a vendor left the data accessible on the Internet without protection, according to data breach notices submitted to the California and Maine Attorney General's offices. The vendor informed VWGoA in March that an unauthorized person had gained access to the data and may have obtained customer information belonging to Audi, Volkswagen, and some authorized dealers. 

According to VWGoA authorities, the hack affected 3.3 million customers, with almost 97% of those affected being Audi customers or potential buyers. The data breach appears to have exposed information ranging from contact information to more sensitive data including social security numbers and loan numbers. 

"The data included some or all of the following contact information about you: first and last name, personal or business mailing address, email address, or phone number. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color, and trim packages," disclosed VWGoA in a data breach notification. 

"The data also included more sensitive information relating to eligibility for purchase, loan, or lease. More than 95% of the sensitive data included was driver’s license numbers. There were also a very small number of dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers." 

The hackers are demanding between $4,000 and $5,000 for all of the records, claiming that the database contains no social security numbers. The threat actors earlier stated that the database for a VPN service provider with various Android apps on the Google Play Store was on sale for $1,000. 

Volkswagen is offering free credit protection and monitoring services to the 90,000 customers whose personal information was exposed, as well as $1 million in identity theft insurance.

Cisco Smart Switches Detected with Vulnerabilities

 

A researcher has uncovered several vulnerabilities in Cisco's Small Business 220 Series smart switches, including some rated high severity. On Monday, the networking giant advised its customers that patches for these vulnerabilities are available. 

Switches are affected if they run firmware versions earlier than 1.2.0.6 and have the web-based management interface enabled. 

Cisco Systems, Inc. is a US conglomerate based in San Jose, California, in the heart of Silicon Valley. Cisco designs, manufactures and sells networking hardware, software, telecommunications equipment, and other high-tech products and services. 

Security researcher Jasper Lievisse Adriaanse identified the vulnerabilities. According to an advisory published by Cisco, he discovered four security holes in the small business switches. 

One of them, tracked as CVE-2021-1542 and rated high severity, can be used by a remote, unauthenticated attacker to hijack a user's session and gain access to the switch's web interface. Depending on the privileges of the hijacked user, the attacker could obtain administrative access to the management interface. 

Another high-severity issue, CVE-2021-1541, allows a remote attacker who already has administrative access to the device to execute arbitrary commands with root privileges on the underlying operating system. 

The two other weaknesses identified by the researcher, both rated medium severity by Cisco, could allow a remote attacker to carry out XSS (CVE-2021-1543) or HTML injection (CVE-2021-1571) attacks. 

“[In the case of the] XSS flaw, the vector which I tested and verified was by exploiting a vulnerability in how certain packets which are only valid on the same L2 domain are parsed,” Adriaanse explained. 

He added, “It should be possible, if you’re on the same L2 domain, to perform the XSS attack through CVE-2021-1543, obtain the CSRF token and perform arbitrary actions as the logged-in user. As I don’t write a lot of Javascript I didn’t attempt to write a payload to subsequently exploit CVE-2021-1541. Note however that due to lacking Content-Security-Policy headers you can use CVE-2021-1543 to include remote Javascript code. So you’re not limited by the packet size of the abused L2 protocol. I guess with enough experience and determination one could concoct a payload to do anything in the UI.” 

The XSS flaw stems from insufficient checks by the device's web-based management interface on input submitted by the user. An attacker could exploit it by persuading a victim to click a malicious link and visit a specific page; successful exploitation could allow the attacker to run arbitrary script code in the context of the affected interface or access sensitive browser-based information. 

The HTML injection vulnerability is caused by improper parameter checks on affected pages. Cisco has published software updates that address these vulnerabilities. 

Carnival Cruise Line Unveiled a New Data Breach

 

Carnival Corporation, one of the biggest cruise ship operators in the world, is the latest major firm to reveal that it has been affected by a data breach. 

Carnival Corp. detected unauthorized access to its computer networks on 19 March. According to the company, law enforcement has been contacted and a cybersecurity firm has been engaged. 

The investigation found that a third party, through a "limited number of e-mail accounts", could access personal information of guests, employees, and crew of its Carnival, Holland America, and Princess cruise lines.

The data accessed included names, addresses, telephone numbers, passport numbers, birth dates, health information, and in some cases additional information, such as national identity or social security numbers. 

According to Carnival, the impacted information includes “data routinely collected during the guest experience and travel booking process or through the course of employment or providing services to the company, including COVID or other safety testing.” The Carnival letter stated that there was a "low likelihood" that the data had been misused. 

It is worth noting that Carnival has been hit by numerous cyber attacks since 2019, including a ransomware attack last summer. Just as cruise lines start booking trips again after an extended COVID-19 halt, Carnival faces yet another question mark over its cyber security, said Erich Kron, security adviser at KnowBe4. 

Kron said it is no surprise that Carnival has been attacked, given the type and volume of data it gathers, which includes information that is highly valuable to attackers. 

By their very nature, most large cruise lines visit foreign ports and therefore collect sensitive data that is needed for customs processing and other travel-related purposes. Such attacks are generally initiated by phishing e-mails, and firms seeking to avoid problems like Carnival's would be advised to invest in high-quality e-mail filters and an employee training program focused on recognizing phishing e-mails and proper password hygiene. 

John Bambenek, Threat Intelligence Advisor at Netenrich, stressed that the organization needs to ask some hard questions about what it is doing to secure this sensitive information, given that it has been hit three times in the past few months. 

“At a certain point, they are advertising to the world that they are an easy target and can look forward to more frequent and serious attacks,” Bambenek added.

Carnival Cruise Line is a multinational cruise line headquartered in Doral, Florida. It is a division of Carnival Corporation & plc, which operates several of the largest cruise lines, including Princess Cruises and Carnival Cruise Line. 

Threat Actors Use Google Drives and Docs to Host Novel Phishing Attacks

 

On Thursday, researchers at email and collaboration security firm Avanan revealed that attackers are using standard features of Google Docs and Google Drive to deliver malicious links aimed at stealing victims’ credentials. 

In a blog post, Avanan said the attackers are bypassing link scanners and dodging the common security protections that verify links sent via email. Jeremy Fuchs, marketing content manager at Avanan, said this is the first time they have seen hackers carrying out these types of attacks through a Google-hosted document service. Usually, attackers lure their victims through a legitimate website before exploiting a particular site. 

According to a report published by Trend Micro, phishing remains the top threat vector in today's cybercrime scene: of the 62.6 billion cyber threats Trend Micro analyzed last year, over 91% were delivered via email. Previously, attackers have used the same attack vector with smaller services such as MailGun, FlipSnack, and Movable Ink, according to Avanan. 

According to researchers, once the hacker publishes the lure, “Google provides a link with embed tags that are meant to be used on forums to render custom content. The attacker does not need the iframe tags and only needs to copy the part with the Google Docs link. This link will now render the full HTML file as intended by the attacker and it will also contain the redirect hyperlink to the actual malicious website.”

The hackers then use the phishing lure to get the victim to “Click here to download the document.” Once the victim clicks, the page redirects to the actual malicious phishing website through a web page designed to mimic the Google Login portal. Friedrich said Avanan researchers also spotted this same attack method used to spoof a DocuSign phishing email. In this case, the “View Document” button was a published Google Docs link that actually was a fake DocuSign login page that would transmit the entered password to an attacker-controlled server via a “Log in” button.

“Combining this tactic with social engineering could create a very convincing campaign where the attacker can swipe personal or corporate login credentials. Threat actors know that stealing legitimate login credentials is the best way to discreetly enter an organization’s infrastructure. Once the attacker has those login credentials and can log into the cloud platform they’ve chosen to build their campaign around, there’s no limit to what data they could exfiltrate,” said Hank Schless, senior manager, security solutions at Lookout.

CVS Health Database Breach Left 1 Billion User Records Exposed Online

 

Security researchers have discovered an online database belonging to CVS Health which exposed over a billion records online.

On March 21st, 2021, the Website Planet research team, in collaboration with independent cybersecurity researcher Jeremiah Fowler, discovered a non-password-protected database belonging to CVS Health that contained over 1 billion records.

CVS Health, headquartered in Woonsocket, Rhode Island, is an American healthcare firm that owns CVS Pharmacy, a retail pharmacy chain; CVS Caremark, a pharmacy benefits manager; and Aetna, a health insurance provider, among many other brands. 

The database, which was approximately 204 gigabytes in size, contained event and configuration data including production records of visitor IDs, session IDs, customer email addresses, and customer searches on CVS Pharmacy websites for COVID-19 vaccines and other medications. The leaked database had no form of authentication in place to prevent unauthorized entry, Jeremiah Fowler stated.

"Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails," Fowler wrote.

According to Website Planet, the leaked database could be used in targeted phishing by cross-referencing some of the emails also logged in the system -- likely through accidental search bar submission -- or for cross-referencing other actions. Competitors, too, may have been interested in the search query data generated and stored in the system.

Website Planet sent a responsible disclosure notice to CVS Health and quickly received a response confirming that the dataset belonged to the company. CVS Health said the database was managed by an unnamed vendor on its behalf and that public access was restricted following disclosure.

"In March of this year, a security researcher notified us of a publicly accessible database that contained non-identifiable CVS Health metadata. We immediately investigated and determined that the database, which was hosted by a third-party vendor, did not contain any personal information of our customers, members, or patients. We worked with the vendor to quickly take the database down. We've addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter," CVS Health told ZDNet.

Emails and Passwords of Government Officials Exposed due to Data Breaches

 

Hundreds of Union government officials' emails and passwords have been exposed to hackers as a result of recent data breaches of Air India, Domino's, and Big Basket, according to the government. The Hindu obtained a copy of an internal document that stated that compromised emails on government domains such as @nic.in and @gov.in are potential cyber threats because they are being exploited by "adversaries" to send malicious emails to all government users. 

A malicious web link provided on WhatsApp and SMS days after the alert was sent on June 10 targeted many government offices, including Defence Ministry officials, requesting them to update their vaccination status. The message directed officials to https://covid19india.in to generate a digital certificate of COVID-19 inoculation, forwarding them to a page called "@gov.in," which looks similar to the government website mygov.in, and asking for their official e-mail and password. 

According to cyber expert Rajshekhar Rajaharia, the website was hosted in Pakistan in June. “The page mentioned @nic.in email IDs to make the official believe it is a government page. The purpose seemed to be getting the e-mails and passwords of only government officials and get unauthorised access to government systems, the page does not accept any other domain such as gmail.com,” said Mr. Rajaharia. 

On May 15, Air India informed passengers that its passenger service system, which is provided by multi-national IT company SITA, was the target of a sophisticated cyber-attack in the last week of February that affected nearly 45 lakh “data subjects” worldwide who registered between August 26, 2011 and February 3, 2021. Officials from the government are frequent travellers on Air India. 

The alert sent to officials said, “It is intimated that recent data breaches of Air India and other companies like Domino’s, Big Basket etc. have resulted in exposure of e-mail ID and passwords of many users, which includes lots of government email IDs as well. All such compromised gov. domain emails are potential cyber threats as they are being used by the adversaries to send out malicious mails to all gov email users. It may please be noted that largely these are name based email IDs which are available with the malicious actors.” 

On March 1, the Union Power Ministry announced that multiple Indian power centres had been targeted by “state-sponsored” Chinese cyber gangs. Recorded Future, a cyber security and intelligence organization based in the United States, determined that Chinese state-sponsored actors may have infiltrated Indian power grids and seaports with malware.

RockYou2021: The Largest Data Leak with 8.4 Billion Passwords

 

According to Cybernews, what appears to be the world's largest password collection, called RockYou2021, has been leaked on a popular hacker forum. A forum user uploaded a 100GB TXT file containing 8.4 billion password entries. 

All of the passwords in the leak, according to its author, are 6-20 characters long, with non-ASCII characters and white space removed. The same individual claimed that the collection holds 82 billion passwords. However, after conducting its own tests, Cybernews found that the actual figure was roughly ten times lower, at 8,459,060,239 entries. 

The forum member has named the compilation ‘RockYou2021,' probably in allusion to the historic RockYou data breach that occurred in 2009 when threat actors hacked into the social app website's servers and obtained over 32 million user passwords stored in plain text. 

With a collection that exceeds its 12-year-old namesake by more than 262 times, this leak is comparable to the Compilation of Many Breaches (COMB), the largest data breach compilation seen before it. The RockYou2021 compilation, which its author accumulated over several years, includes COMB's 3.2 billion leaked credentials as well as credentials from numerous other breached databases. Given that only roughly 4.7 billion people are online, the RockYou2021 compilation could theoretically contain the passwords of the entire global online population almost two times over. 

“By combining 8.4 billion unique password variations with other breach compilations that include usernames and email addresses, threat actors can use the RockYou2021 collection to mount password dictionary and password spraying attacks against untold numbers of online accounts,” CyberNews notes.

“Since most people reuse their passwords across multiple apps and websites, the number of accounts affected by credential stuffing and password spraying attacks in the wake of this leak can potentially reach millions.” If you feel one or more of your passwords may have been exposed as a result of the RockYou2021 incident, you should change your passwords for all of your online accounts right away. A password manager, according to Cybernews, can help you build strong, complex passwords that you don't have to remember. You may also set up two-factor authentication (2FA) across all of your accounts. Finally, as always, carefully check all unsolicited emails, phone calls, and text messages for signs of phishing.

Cybercrime Forum Publishes Alleged Database, Source Code From Russian Firm That Helped Parler

 

A seller on a popular cybercrime forum claims to be offering source code and a database that they say belong to DDoS-Guard, the Russia-based hosting firm that helped social media company Parler relaunch after Amazon Web Services banned it. 

DDoS-Guard also provides computing capacity to, and conceals the identities of the owners of, hundreds of shady resources involved in the sale of illegal goods, gambling, and copyright infringement, according to Group-IB research on online piracy. 

On May 26, Group-IB, a global threat hunting and adversary-centric cyber intelligence firm specializing in investigating and combating high-tech cybercrime, uncovered a database supposedly belonging to bulletproof hosting provider DDoS-Guard that had been put up for sale on a cybercrime forum. 

Customers' names, IP addresses, and payment details are allegedly stored in the database. In addition to the database, the threat actor claims to possess the DDoS-Guard infrastructure's source code. The entire collection is currently up for auction, with a starting bid of $350,000. Since the threat actor did not offer a sample, it is impossible to verify the legitimacy of the allegedly stolen material. 

“Initially, the threat actor was auctioning off the lot with a starting price of $500,000. Shortly after the amount was reduced to $350,000,” stated Oleg Dyorov, Threat Intelligence analyst at Group-IB. “The threat actor didn’t provide a sample of the database, which makes it impossible to verify the authenticity of the reported stolen database and the source code. The seller registered this account on exploit in January 2021 and has been looking to buy access to different corporate networks ever since. It is only the second time that they are trying to sell data on the forum. Despite the regular activity, the threat actor has no reputation on the forum and has made no deposits yet.” 

According to the Group-IB Threat Intelligence & Attribution system, this user had an account on exploit[.]in before being barred by the forum administrators for refusing to use the escrow service. DDoS-Guard provides DDoS prevention, CDN, and hosting services, and its data is allegedly being traded on a hacker site. 

“As an international certified emergency response team, we get to interact with dozens of hosting providers around the world every day to ensure violations are removed promptly,” says Reza Rafati, a senior analyst at CERT-GIB in Amsterdam. 

“Whenever we establish a connection with this company, it immediately reflects a red flag. We’ve seen a number of rogue websites hosted by DDoS-Guard. They were almost impossible to take down. Their answer to our numerous complaints on them protecting illegal resources is that they are not the owners of these websites. Such a safe environment for illicit online activity doesn’t do any good for the global effort against cybercrime.”

Data of 6 Million Battle for the Galaxy Players Leaked

 

WizCase security experts recently uncovered an unsecured ElasticSearch server owned by AMT Games, a Chinese mobile and browser game company, that exposed 5.9 million Battle for the Galaxy users' accounts, as well as 2 million transactions and 587,000 feedback messages. 

Although AMT Games used the server to store profile information, payment history, and feedback messages for millions of Battle for the Galaxy players, the researchers discovered that the data stored in the ElasticSearch server was not encrypted and the server was not password-protected. 

AMT Games, which has a slew of mobile and social games with tens of millions of downloads, exposed 1.5TB of data through the Elasticsearch server. AMT Games Ltd. is a well-known mobile and browser-based online game company based in China. It creates games for Android, iPhone, Steam, and web browsers. Battle for the Galaxy, Heroes of War: WW2 Idle RPG, Epic War TD2, and Trench Assault are among the company's most popular games. 

Profiles typically include player IDs, usernames, country, total money spent on the game, and data from Facebook, Apple, or Google accounts if the user linked them to their gaming account. Feedback messages include account IDs, feedback ratings, and users' email addresses. 

According to WizCase, transaction data includes price, item purchased, time of purchase, payment provider, and occasionally the buyer's IP address. Users whose data was exposed were warned that it could have been scooped up by opportunistic cyber-criminals scanning for misconfigured databases. WizCase went on to say that information about how much money people have spent on the game could help fraudsters target the biggest spenders. 

WizCase warned that "it is common for unethical hackers and criminals on the internet to use personal data to create trustworthy phishing emails. The more information they possess, the more believable these emails look." Bad actors could utilize personal information like email addresses and user difficulties with the service to "pose as game support and send users to fraudulent websites where their credit card credentials can be stolen," according to the report. 

The company advised players to enter as little personal information as possible when purchasing or setting up an account, and parents not to lend their credit cards to their children. WizCase stated that it notified AMT Games of the data breach but received no response. Access to the database was later disabled by the company.

Threat Actors Release Patient Data Stolen from New Zealand Hospitals to the Local Media

 

Cybercriminals who targeted hospitals in New Zealand’s Waikato district have published the stolen patient data to the local media outlets, with the outlets declining to publish the details as health systems struggled to come back online more than a week after the ransomware attack. According to the local media, the leaked data includes official-looking records and documents containing names, phone numbers, and addresses of patients and staff. 

The release of the information comes a week after the health system’s information services were entirely shut down by hackers, impacting clinical services, disrupting the treatment of patients and the payroll process for staff members. As a result, hospitals shifted to manual processes to handle a backlog of patients while the public was asked to seek alternative avenues of treatment for non-critical conditions.

The breach comes after Ireland’s hospitals suffered a ransomware attack which was quite similar to the Waikato ransomware attack. Officials were forced to shut down many of their computers after hackers secured access to the health service’s systems. Also, hospitals had to cancel services and staff had to rely on pen and paper rather than PCs. 

The Federal Bureau of Investigation (FBI) stated this week that the hackers who targeted the Irish hospitals call themselves the ContiLocker Team and use a strain of ransomware known as Conti to break into victims’ machines and extort payments. When Waikato hospitals first had to shut down, the head of New Zealand’s doctors’ association, Deborah Powell, said the attack appeared to be of the same type. 

“This is a criminal investigation and we have every confidence that it is being dealt with by NZ Police and cybersecurity experts. Care and safety of patients remain our highest priority, and we must concentrate on health services and supporting our staff to do their job,” Waikato DHB Chief Executive Kevin Snee said in a statement.

Andrew Little, the health minister and the minister responsible for New Zealand’s intelligence agencies, said he could not give anxious patients any assurance that their personal data hadn’t been compromised. 

The New Zealand government’s cyber agency refused to comment on the collaboration with Irish authorities regarding the incident. “The NCSC knows from its involvement in other significant cyberattacks that malicious actors can monitor what is being said in the media, and this can influence their behavior,” the National Cyber Security Centre said in a statement.

Fearing Data Breach, BBMP Shuts Down COVID-19 Test Data Collection Portal

 

The Bruhat Bengaluru Mahanagara Palike (BBMP) has shut down its COVID-19 test data collection portal after a possible data breach that could allow hackers to access citizens' health information. The incident was flagged by the Free Software Movement of India, which showed how the data could be accessed with nothing more than a phone number.

BBMP was collecting citizens' health records for its Public Health Activities, Surveillance, and Tracking (PHAST) portal, which included name, age, gender, patient ID, ICMR test ID, lab name, test result (positive/negative), sample collection and receipt dates, sample type, hospital name (if the patient is hospitalized) and status of symptoms. 

The Free Software Movement of India has requested the local authorities to not only conduct a security audit but to also take action against the software company for its complacency in designing software without any security. 

Kiran Chandra, general secretary of the Free Software Movement of India wrote about the breach to BBMP Special Commissioner (Health and Information technology) Rajendra Cholan P and said it was not hard for a data broker to harness these details by writing an automated script. 

“The IT Rules of 2011 clearly state that health record information is ‘sensitive’ data and the collection, storage and disclosure of such data must be bound by ‘Reasonable security practices and procedures’. This is a clear violation of IT Rules (2011) and shows an appalling lack of attention to protecting individuals’ personal and sensitive data. The lack of proper security practices for sensitive health record data, especially in the midst of the peak of the pandemic, can lead to misuse, exploitation and poses a catastrophic risk overall,” the letter read. 

However, BBMP Chief Commissioner Gaurav Gupta clarified on Friday that no data has been leaked from the portal. “While one could enter the phone number provided at the time of Covid-19 testing to get details including test result among others, the portal will now seek an OTP before allowing access to the information. The updated version of the portal would be made available soon,” he said on Friday. 

Unfortunately, this is the second instance when the data of COVID-19 patients has been compromised. In November last year, a Bengaluru resident accidentally discovered a massive loophole in the Karnataka government’s website where people could check their COVID-19 results. At the time, resident Shashi Kumar put out a series of tweets explaining how sensitive information could be obtained just with the SRF number issued at the time of testing.

Canada Post's Data Breach Affected 950K Customers

 

Canada Post, the state-owned postal service, has reported that a cyber-attack on a third-party provider resulted in a data breach affecting 950,000 parcel recipients. Canada Post Corporation, also known as Canada Post, is a Crown corporation that serves as the country's primary postal operator. 

Canada Post claimed in a press release on May 26 that it had notified 44 "major business customers" that they may have been compromised by "a malware assault" targeting Commport Communications, a supplier of electronic data interchange (EDI) services. 

On May 19, the supplier informed Canada Post that “manifest data housed in their systems, which was related to some Canada Post customers, had been compromised.” 

It stated that the data was compromised between July 2016 and March 2019, with 97% of it containing the names and addresses of receiving consumers. According to the firm, the remaining 3% contained email addresses and/or phone numbers. The Crown corporation has already "taken preventive measures and will continue to take all required efforts to mitigate the repercussions," according to the statement. 

“Canada Post will also incorporate any learnings into our efforts, including the involvement of suppliers, to enhance our cybersecurity approach which is becoming an increasingly sophisticated issue,” the statement further read.

According to Canada Post, a thorough forensic investigation was conducted, but “no evidence” of financial information being compromised was found. Despite the fact that the breach was caused by a supplier, Canada Post claimed in a statement on Wednesday that they “sincerely regret the difficulty this may cause our valued customers. Canada Post respects customer privacy and takes matters of cybersecurity very seriously.”

“We are now working closely with Commport Communications and have engaged external cybersecurity experts to fully investigate and take action,” the company said.
 
The postal service is currently "proactively alerting" impacted business clients, as well as providing the required support and information "to help them select their future steps." “The Office of the Privacy Commissioner has been notified,” Canada Post said.

In November 2020, Canada Post said, Commport Communications had reported "a potential ransomware issue" to its IT division, Innovapost. However, "Commport Communications advised there was no evidence to imply any customer data had been hacked at that time," according to the report.

WhatsApp's New Privacy Policy: A Quick Look

 



With its latest privacy policy, the Facebook-owned messaging app is set to block certain features for users who do not agree to the new terms.

The update, initially scheduled for February 8 and intended to make the new privacy terms applicable to all users, was delayed until May 15 after WhatsApp faced a strong public backlash, which allowed competitors such as Telegram and Signal to strengthen their standing with the public.

Earlier, WhatsApp's ultimatum was that users who did not accept the updated privacy policy by May 15 would no longer be able to use the app. Later, however, the company said that no accounts would be deleted if users failed to accept it by that date. 

Giving insights into the new Privacy Policy, a WhatsApp spokesperson said, “Requiring messaging apps to “trace” chats is the equivalent of asking us to keep a fingerprint of every single message sent on WhatsApp, which would break end-to-end encryption and fundamentally undermines people’s right to privacy.”

“We have consistently joined civil society and experts around the world in opposing requirements that would violate the privacy of our users. In the meantime, we will also continue to engage with the Government of India on practical solutions aimed at keeping people safe, including responding to valid legal requests for the information available to us,” the Spokesperson added.

WhatsApp said that it is not forcing the new policy on users and that they are free to decline it. In practice, though, the alternative to accepting the 2021 update may amount to users deleting their WhatsApp account themselves, because without accepting they will be unable to open their chat lists or call their contacts through WhatsApp. 

From WhatsApp's statements, it follows that every time users open the app they will be repeatedly reminded to accept the updated privacy policy in order to use all of its features, which will eventually make the platform more or less unusable for them. 

Users who accept the updated privacy policy will not see any major change in their experience; those who keep the app installed without accepting the new policy, however, may eventually end up losing it altogether, either because of its limited functionality or because of "inactivity". 




Scammers Employ 'Vishing' Technique to Steal Personal Details of Online Shoppers

 

Scammers are using a technique called 'vishing' (voice phishing) to trick online customers. In a vishing attack, the fraudster impersonates someone from Amazon but uses a phone call as the weapon of choice. A related tactic is an email that contains a contact number and asks the recipient to call it. 

Recently, cybersecurity firm Armorblox discovered two distinct email campaigns posing as Amazon. Both emails used near-identical Amazon branding and followed the pattern of genuine Amazon order-confirmation emails, but, if one knows where to look, there are several indications that they are fraudulent.

The first indication is that the emails are sent from a Gmail address or one that looks like it “might” belong to Amazon (no-reply@amzeinfo[.]com) and the recipient is not addressed by their name (a piece of information Amazon would know).

Armorblox researchers noted that the scammers did not use the old tactic of including a malicious attachment or URL, which let them bypass detection controls that block known bad links. They also made other choices that allowed them to slip past deterministic filters or blocklists that look for impersonated brand names, for example by writing AMAZ0N with a zero in place of the "O". 
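The indicators described above (a lookalike or freemail sender domain, a brand name spelled with substituted characters, a generic greeting, and a phone number the recipient is urged to call) can be turned into a simple triage score on the defender's side. The following is an added example, not Armorblox's code or anything from the original post; the sample messages, the list of legitimate domains, the lookalike fragments and the point weights are all constructed for illustration and would need tuning for a real mail pipeline.

```python
"""Triage score for brand-impersonation / callback ("vishing") email lures.

Added example (not from the original post). The sample messages, the
legitimate-domain list, the lookalike fragments and the weights are constructed.
"""
import re
from dataclasses import dataclass, field

BRAND = "amazon"
LEGIT_DOMAINS = {"amazon.com", "amazon.in", "amazon.co.uk"}   # constructed, abridged
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
LOOKALIKE_FRAGMENTS = ("amazon", "amzn", "amz")                # constructed
# Character swaps seen in filter-evading spellings such as AMAZ0N.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")
CALL_WORDS = re.compile(r"\b(call|dial|phone)\b", re.I)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def flag(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def normalize(text):
    """Fold common character swaps so 'AMAZ0N' compares equal to 'amazon'."""
    return text.lower().translate(HOMOGLYPHS).replace("rn", "m")


def sender_domain(from_addr):
    """Domain part of 'Display Name <user@domain>' or of a bare address."""
    return from_addr.rsplit("@", 1)[-1].strip("<> ").lower()


def check_email(from_addr, to_name, subject, body):
    v = Verdict()
    dom = sender_domain(from_addr)
    raw = (subject + " " + body).lower()
    folded = normalize(subject + " " + body)
    mentions_brand = BRAND in folded
    # 1. Brand lure, but the sender is not one of the brand's real domains.
    if mentions_brand and dom not in LEGIT_DOMAINS:
        if dom in FREEMAIL:
            v.flag(3, "brand lure sent from freemail domain " + dom)
        elif any(frag in normalize(dom) for frag in LOOKALIKE_FRAGMENTS):
            v.flag(3, "lookalike sender domain " + dom)
        else:
            v.flag(2, "brand lure from unrelated domain " + dom)
    # 2. Brand visible only after folding: spelled to defeat exact-match blocklists.
    if mentions_brand and BRAND not in raw:
        v.flag(2, "brand name obfuscated (e.g. zero for 'o')")
    # 3. Generic salutation: the real merchant knows the customer's name.
    if to_name and to_name.lower() not in body.lower():
        v.flag(1, "recipient not addressed by name")
    # 4. Callback lure: a phone number plus an instruction to call it.
    if PHONE_RE.search(body) and CALL_WORDS.search(body):
        v.flag(2, "phone-number callback lure (vishing)")
    return v


def is_suspicious(email, threshold=4):
    return check_email(**email).score >= threshold


# Constructed sample messages (the number below is a fictional 555 number).
SAMPLE_EMAILS = {
    "lure": dict(
        from_addr="Amazon Orders <no-reply@amzeinfo.com>",
        to_name="Priya",
        subject="Your AMAZ0N order #112-4455 has shipped",
        body=("Dear Customer, your order for an iPhone 12 ($1,099.00) has been "
              "confirmed. If you did not place this order, call +1 (888) 555-0143 "
              "within 24 hours to cancel."),
    ),
    "legit": dict(
        from_addr="order-update@amazon.com",
        to_name="Priya",
        subject="Your Amazon.com order has shipped",
        body="Hello Priya, your order has shipped. Track it under Your Orders on the website.",
    ),
}

if __name__ == "__main__":
    for label, email in SAMPLE_EMAILS.items():
        verdict = check_email(**email)
        print(label, verdict.score, verdict.reasons)
```

The score is deliberately additive rather than a single rule: the callback-number check alone would also fire on a legitimate "call us" footer, and the lookalike-domain check alone misses lures sent from freemail accounts, but together they separate the constructed lure (score 8) from the constructed genuine message (score 0).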

What can you do to protect yourself from these fraudulent schemes? 

With online shopping becoming the new normal, fraudsters will continue to target this vast global pool of potential victims. Scammers use a combination of social engineering, brand imitation and emotional triggers to lure victims into their trap. If they succeed, victims can end up handing over personal data and credit card details, leading to identity theft or fraudulent payments made in their name. 

The first thing you have to learn is not to open attachments and follow links from unknown emails, and not to call on included phone numbers which may cost you thousands of rupees. If you’re worried that you might be billed for an order you did not make, go to the shop’s website and find the correct phone number yourself.

Secondly, do not share your personal details on a phone call. If you feel the urgency to call back, don't contact the person through any phone number listed in the message. Instead, run a search for a publicly available number for the company.

Lastly, and most importantly, use multi-factor authentication (MFA) on all accounts and for all sites. Don't reuse the same password across accounts, and use a password manager to store your passwords.

Beware of eCh0raix Ransomware Attacks, QNAP Warns Customers

 

QNAP warned its users of an actively exploited Roon Server zero-day vulnerability and eCh0raix ransomware attacks that are targeting its Network Attached Storage (NAS). The Taiwanese vendor claimed that it has received reports of ongoing eCh0raix ransomware attacks that infected QNAP NAS devices using weak passwords.

"The eCh0raix ransomware has been reported to affect QNAP NAS devices," the company said. "Devices using weak passwords may be susceptible to attack." QNAP urged customers to "act immediately" to protect their data from potential eCh0raix attacks by: 

• Using stronger passwords for your administrator accounts. 

• Enabling IP Access Protection to protect accounts from brute force attacks. 

• Avoiding the default port numbers 443 and 8080. 

However, QNAP did not say how many reports it had received from users directly affected by eCh0raix ransomware in recent weeks. QNAP also issued a second security advisory warning of an actively exploited zero-day vulnerability affecting Roon Labs' Roon Server 2021-02-01 and earlier versions. 

“The QNAP security team has detected an attack campaign in the wild related to a vulnerability in Roon Server. QNAP NAS running the following versions of Roon Server may be susceptible to attack: Roon Server 2021-02-01 and earlier. We have already notified Roon Labs of the issue and are thoroughly investigating the case. We will release security updates and provide further information as soon as possible,” reads the advisory.

QNAP also provided the necessary safety measures by which users can disable Roon Server on their NAS:

1. Log on to QTS as administrator, open App Center, and click to open the search box.

2. Type "Roon Server" and then press ENTER. Roon Server appears in the search results.

3. Click the arrow below the Roon Server icon. 

4. Select Stop. The application is disabled.

Unfortunately, QNAP has been on the target list of threat actors for quite some time. QNAP devices were previously targeted by eCh0raix ransomware (also known as QNAPCrypt) in June 2019 and June 2020. 

A massive Qlocker ransomware campaign also hit QNAP devices starting mid-April, with the threat actors behind the attacks making $260,000 in just five days by remotely encrypting data using the 7zip archive program.

Flipkart Users to Reset Passwords to Avoid Fraud: Cyber Expert

 

A data breach occurred recently at the e-commerce sites Flipkart and BigBasket. According to reports, BigBasket's latest data breach revealed the personal information of some Flipkart customers as well. Seven months after it was first discovered, the matter has resurfaced. 

According to an independent cybersecurity expert, an alleged leaked database may lead to unauthorized transactions from accounts of Flipkart customers who also used grocery platform BigBasket with the same user ID and passwords. 

In November, BigBasket suffered a major data breach that exposed the personal information of over 2 crore (20 million) users. Some users who used the same credentials for Flipkart and BigBasket have complained that their accounts were compromised as a result of the leak. So far, only Flipkart users are known to be affected. 

Cybercriminals are selling sets of email addresses and passwords of customers from allegedly leaked databases of BigBasket that match with accounts of e-commerce company Flipkart and Amazon, according to expert Rajashekhar Rajaharia. However, he said Amazon sends OTP for login when there is a change in the browser. 

'It seems, some people are selling Bigbasket Email: Password combinations as Flipkart data. People are using the same password for all websites. Almost all emails are matching with Bigbasket DB (database). Change your Flipkart Passwords asap,' Rajaharia tweeted. 

He also mentioned that Flipkart's accounts should be secured and posted account details being sold on Telegram. 

'Anyone with a combination of leaked email and password can easily log in from anywhere including VPN/TOR to Flipkart. Please make 2FA (two-factor authentication) mandatory for all accounts,' Rajaharia said. 

When contacted, a Flipkart spokesperson said that the company is absolutely dedicated to ensuring the safety and protection of customer data and that the company has "robust information security systems and controls in place." 

A Flipkart spokesperson told Inc42 in response to the data breach, “In addition, we run awareness campaigns through different media and social networks to raise awareness about fraudulent activities, educating consumers on best practices for a secure online experience and keeping their accounts safe from unscrupulous cyber elements.”

Apple App Store Saved Users $1.5 Billion Worth in Fraud Transactions

 

Tech giant Apple claimed that the measures taken to detect malicious apps and actions by developers on the App Store saved users as much as $1.5 billion in potentially fraudulent transactions in 2020. 

The company published detailed statistics on its fraud-prevention efforts, which kept more than a million risky and vulnerable apps off the App Store. There are more than 1.8 million apps on the App Store for iPhone, iPad and Mac devices. The company highlighted that its measures blocked transactions made with stolen cards, apps that switch functionality after the initial review for App Store listing, account fraud by users and developers, and fraudulent reviews.

Apple says that more than 48,000 apps were rejected for containing hidden or undocumented features. The App Review team also rejected more than 150,000 apps as spam (copies of other popular apps, or apps that mislead users about their functionality), and over 215,000 apps for violating its privacy guidelines.

The company also had security measures in place for payment methods and blocked more than 3 million stolen credit and debit cards from being used for purchases on the App Store. Under these wide-ranging measures, as many as 1 million user accounts were banned from making any transactions, 244 million customer accounts were deactivated, 424 million account-creation attempts were rejected, and 470,000 developer accounts were terminated for various violations.

“Apple has rejected or removed apps that switched functionality after initial review to become real-money gambling apps, predatory loan issuers, and pornography hubs; used in-game signals to facilitate drug purchasing; and rewarded users for broadcasting illicit and pornographic content via video chat,” says Apple. 

Additionally, 95,000 apps were also removed because they asked users for more data than they needed or mishandled the data that was collected. Apple has repeatedly insisted that privacy is a fundamental right, something that Apple CEO Tim Cook has also asserted, time and again, ahead of the rollout of the new Privacy Labels for all apps on the App Store and the addition of the App Tracking Transparency feature in iOS 14.5 for the iPhone.

City of Chicago Emails Compromised During Data Transfer To Law Firm

 

The city of Chicago on Friday said that employee emails were stolen in a Jones Day data breach during a data transfer to Accellion’s FTA file sharing service. 

The cyber-attack was initially traced back to December 2020, when security researchers discovered a critical flaw in the 20-year-old large-file transfer service, which reached end-of-life on April 30, 2021. Approximately 50 customers were still using FTA when the security incident took place, but only a few of them suffered significant data loss, Accellion claimed. 

In February 2021, the major U.S.-based law firm Jones Day acknowledged that it was affected by the attack, after threat actors responsible for Clop ransomware published documents allegedly stolen from the company on their Tor-based website. On Friday, the city of Chicago revealed that some employee emails that were given to Jones Day “as part of an independent inquiry being conducted by the firm” were compromised in the incident.

The data breach only impacted the Accellion FTA service and involved “emails sent or received from four former City employees over a two-year time period,” the city said. 

Chicago officials notified the FBI and the Illinois Attorney General's office of the breach, as is standard in hacking incidents. While no documents from the recent breach have been released, the city warned residents that "hackers of government-related materials are known to manipulate and alter illegally obtained emails and documents." It remains unclear when the breach occurred and how many records were involved.

“The city of Chicago, the mayor’s office, and related agencies or departments will not respond to any media inquiries stemming from information obtained through illegal ransomware attacks. Reporting on materials compromised during a third-party vendor data transfer makes all of us less safe and encourages future bad actors to use nefarious means to gain information,” the city said in a statement. 

Furthermore, the city says it was able to determine the number of impacted people and that it has already taken steps to inform the individuals who might have had personal information included in the compromised email files, either directly or through a notice on its website and a state-wide media alert.

Vulnerabilities Exposed Peloton User Data

 

Security research published this week states that unauthorized users may have been able to access confidential user information through recently patched vulnerabilities in Peloton's bike software. The same week, Peloton revealed that two of its treadmills were being voluntarily recalled because of significant security concerns and vulnerability problems. 

Pen Test Partners, a cybersecurity firm, said it found flaws earlier this year that allowed unauthenticated users to query Peloton's API, the interface the bikes use to communicate with Peloton's servers. 

The bugs could let untrusted users access confidential data for all Peloton users, including live-class information, even when those users had selected private mode for their account profiles, Pen Test Partners says. 
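The class of flaw described above, an API that hands out profile data without checking who is asking or whether the profile owner chose private mode, is shown here as a broken handler beside a hardened one. This is an added example and not Peloton's code; the endpoint shape, field names, session store and sample users are constructed for the illustration.

```python
"""Broken vs. hardened object-level authorization for a profile endpoint.

Added example, not Peloton's code. Users, sessions, field names and the
handler signature are constructed stand-ins for a real web framework.
"""
from dataclasses import dataclass


class HttpError(Exception):
    """Stands in for the framework's HTTP error response."""
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


@dataclass(frozen=True)
class Profile:
    user_id: int
    username: str
    email: str       # never shown to other users
    age: int         # never shown to other users
    workouts: int    # shown to others only when the profile is public
    private: bool    # the user's "private mode" setting


# Constructed sample data.
PROFILES = {
    101: Profile(101, "rider_a", "a@example.com", 34, 412, private=True),
    102: Profile(102, "rider_b", "b@example.com", 29, 88, private=False),
}
SESSIONS = {"tok-a": 101, "tok-b": 102}   # bearer token -> authenticated user

PUBLIC_FIELDS = ("user_id", "username", "workouts")
OWNER_FIELDS = PUBLIC_FIELDS + ("email", "age")


def get_profile_vulnerable(user_id, token=None):
    """Before: no authentication, and the target's privacy flag is ignored.

    Any caller, even one with no session, can walk user ids and read every
    field of every profile, which is the failure mode in the report above.
    """
    p = PROFILES.get(user_id)
    if p is None:
        raise HttpError(404, "no such user")
    return {f: getattr(p, f) for f in OWNER_FIELDS}


def get_profile_fixed(user_id, token=None):
    """After: authenticate the caller, then authorize per object and per field."""
    caller = SESSIONS.get(token)
    if caller is None:
        raise HttpError(401, "authentication required")
    p = PROFILES.get(user_id)
    if p is None:
        raise HttpError(404, "not found")
    if caller == p.user_id:                     # owner sees everything
        return {f: getattr(p, f) for f in OWNER_FIELDS}
    if p.private:
        # Same status as "no such user", so private accounts are not distinguishable.
        raise HttpError(404, "not found")
    return {f: getattr(p, f) for f in PUBLIC_FIELDS}


def status_of(handler, user_id, token=None):
    """HTTP status the handler would produce (200 on success); used for checks."""
    try:
        handler(user_id, token)
        return 200
    except HttpError as e:
        return e.status


if __name__ == "__main__":
    print("vulnerable, anonymous:", get_profile_vulnerable(101))
    print("fixed, anonymous:", status_of(get_profile_fixed, 101))
    print("fixed, other user on private profile:", status_of(get_profile_fixed, 101, "tok-b"))
    print("fixed, other user on public profile:", get_profile_fixed(102, "tok-a"))
```

Two design points are worth noting: the fixed handler checks authentication before it touches the data store, so unauthenticated requests cannot be used to confirm which ids exist, and it returns the same 404 for a private profile as for a missing one for the same reason. Field-level filtering (PUBLIC_FIELDS versus OWNER_FIELDS) is what keeps email and age from leaking even on public profiles.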

Pen Test Partners informed Peloton and gave the company 90 days to fix the vulnerabilities before publication. According to a blog post Pen Test Partners published on Wednesday, 5 May 2021, Peloton "acknowledged the disclosure" but had not fixed the vulnerability. 

TechCrunch first reported the bugs, which were publicly disclosed the same week. Peloton had to recall all of its treadmills after the death of a child and hundreds of user reports of accidents. The treadmills used the same insecure API. 

A Peloton spokesperson disputed the suggestion that confidential information had been compromised, telling The Hill by email that "the identification of vulnerabilities by itself does not constitute a breach." 

“No software is immune from bugs, and we aim to responsibly investigate reported vulnerabilities that we deem legitimate,” the spokesperson added. “Our security team is continuing their work to monitor attempts at unauthorized access by exploitation of these vulnerabilities.” 

Peloton also acknowledged that, although it was "slow to update the researcher about our remediation efforts," it acted on Pen Test Partners' report and addressed the vulnerabilities. 

The company also thanked Pen Test Partners founder Ken Munro for reporting the vulnerabilities and collaborating on the research. Pen Test Partners later said that Peloton had resolved the vulnerabilities.

Qakbot Malware is Targeting the Users Via Malicious Email Campaign

 

Qakbot, also known as QBot or Pinkslipbot, is a banking trojan that has been active since 2007. It has been used primarily by financially motivated actors. It started out as a banking trojan and a loader that fetched payloads from C2 servers, but as its scope widened over time its use expanded well beyond banking fraud. 

Security researchers at Alien Labs have noticed a newly emerged campaign in which victims are targeted with malicious email lures that appear to be in response to, or modified versions of, legitimate business communications between two parties. 

The use of an existing legitimate email, aside from making the lure appear far more convincing to a recipient recognizing their own message and possibly the purported sender, is consistent with previously identified Qakbot behavior in which email accounts are compromised and message threads hijacked. This tactic effectively creates a 'snowball effect' in which more and more organizations can be targeted with lures derived from legitimate email messages obtained from previously compromised victims.

When opened, the malicious Office document poses as a DocuSign file (DocuSign being a popular service for signing digital documents). The documents use Excel 4.0 macros (XLM macros) stored in hidden sheets to download the QakBot second-stage payload from the Internet, served from servers the criminals have compromised. 
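Hidden Excel 4.0 macro sheets leave identifiable traces in the OOXML container, which is what a triage script can look for: a part with the Excel 4.0 macrosheet content type in [Content_Types].xml, a sheet in xl/workbook.xml whose state is hidden or veryHidden and whose relationship resolves to that part, an Auto_Open defined name that makes the macro run on open, and formula cells calling functions commonly used by downloader macros. The following is an added example, not Alien Labs' tooling or a real QakBot sample: it builds a constructed stand-in document in memory (the macro cell is a harmless placeholder) and scans it. It handles only the zip-based .xlsm/.xlsx format; legacy binary .xls files need a BIFF parser such as oletools' olevba.

```python
"""Triage of an OOXML workbook for hidden Excel 4.0 (XLM) macro sheets.

Added example (not from the original post). The sample document is constructed
in memory; the macro cell is a placeholder, not a real payload.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_CT = "http://schemas.openxmlformats.org/package/2006/content-types"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"
# XLM functions that public detection rules flag because downloaders rely on them.
SUSPICIOUS_FUNCS = {"EXEC", "CALL", "REGISTER", "FORMULA", "URLDOWNLOADTOFILEA"}
FUNC_RE = re.compile(r"([A-Z][A-Z0-9.]*)\s*\(")


def _part_path(target):
    """Resolve a workbook.xml.rels Target (relative to xl/) to a zip member name."""
    return target.lstrip("/") if target.startswith("/") else "xl/" + target


def scan_workbook(data):
    """Return findings for a workbook given as bytes."""
    findings = {"hidden_macrosheets": [], "auto_open": False, "suspicious_functions": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # 1. Which parts are Excel 4.0 macro sheets?
        ct = ET.fromstring(z.read("[Content_Types].xml"))
        macro_parts = {o.get("PartName").lstrip("/") for o in ct.iter("{%s}Override" % NS_CT)
                       if o.get("ContentType") == MACROSHEET_CT}
        # 2. Map each sheet's r:id to its part so hidden sheets can be matched to them.
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        target_of = {r.get("Id"): _part_path(r.get("Target"))
                     for r in rels.iter("{%s}Relationship" % NS_REL)}
        # 3. Hidden or veryHidden sheet that is a macro sheet; Auto_Open defined name.
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for s in wb.iter("{%s}sheet" % NS_MAIN):
            part = target_of.get(s.get("{%s}id" % NS_R))
            if s.get("state") in ("hidden", "veryHidden") and part in macro_parts:
                findings["hidden_macrosheets"].append(s.get("name"))
        for dn in wb.iter("{%s}definedName" % NS_MAIN):
            if dn.get("name", "").lower().endswith("auto_open"):
                findings["auto_open"] = True
        # 4. Function names used in the macro sheets' formula cells.
        found = set()
        for part in macro_parts & names:
            for el in ET.fromstring(z.read(part)).iter():
                if (el.tag == "f" or el.tag.endswith("}f")) and el.text:
                    found.update(FUNC_RE.findall(el.text.upper()))
        findings["suspicious_functions"] = sorted(found & SUSPICIOUS_FUNCS)
    return findings


def is_suspicious(findings):
    return bool(findings["hidden_macrosheets"]) and (
        findings["auto_open"] or bool(findings["suspicious_functions"]))


def build_sample_xlsm(malicious=True):
    """Constructed minimal workbook; with malicious=True it carries a hidden macro sheet."""
    ct = ['<Types xmlns="%s">' % NS_CT,
          '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>',
          '<Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>']
    rels = ['<Relationships xmlns="%s">' % NS_REL,
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>']
    sheets = ['<sheet name="Sheet1" sheetId="1" r:id="rId1"/>']
    defined = ""
    parts = {}
    if malicious:
        ct.append('<Override PartName="/xl/macrosheets/sheet2.xml" ContentType="%s"/>' % MACROSHEET_CT)
        rels.append('<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet" Target="macrosheets/sheet2.xml"/>')
        sheets.append('<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>')
        defined = '<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName></definedNames>'
        parts["xl/macrosheets/sheet2.xml"] = (   # placeholder cells, not a real payload
            '<xm:macrosheet xmlns="%s" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">'
            '<sheetData><row r="1"><c r="A1"><f>CALL("placeholder_dll","placeholder_fn")</f></c></row>'
            '<row r="2"><c r="A2"><f>HALT()</f></c></row></sheetData></xm:macrosheet>' % NS_MAIN)
    parts["[Content_Types].xml"] = "".join(ct) + "</Types>"
    parts["xl/_rels/workbook.xml.rels"] = "".join(rels) + "</Relationships>"
    parts["xl/workbook.xml"] = ('<workbook xmlns="%s" xmlns:r="%s"><sheets>%s</sheets>%s</workbook>'
                                % (NS_MAIN, NS_R, "".join(sheets), defined))
    parts["xl/worksheets/sheet1.xml"] = '<worksheet xmlns="%s"><sheetData/></worksheet>' % NS_MAIN
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("lure-like", True), ("clean", False)):
        f = scan_workbook(build_sample_xlsm(flag))
        print(label, is_suspicious(f), f)
```

The three signals are combined deliberately: a hidden sheet on its own is common in legitimate workbooks, and a macro sheet that is visible and has no auto-run hook is at least not silently executing, so the verdict requires a hidden macro sheet plus either an Auto_Open name or a suspicious function call.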

Before executing the main payload, the QakBot loader first tests the infected system to see whether it is a good candidate for infection. The loader checks its environment, including whether it is running on a virtual machine, and identifies any installed and running security and monitoring tools, such as antivirus products or common security-researcher tools. 

To make detection and analysis harder, QakBot encrypts its strings and decrypts them at runtime before use. Once the QakBot execution logic is finished using a string, it will immediately delete the string from memory. The hallmarks of a QakBot infection chain consist of a phishing lure (T1566) delivered via email chain hijacking or spoofed emails that contain context-aware information such as shipping, work orders, urgent requests, invoices, claims, etc. The phishing emails alternate between file attachments (T1566.001) and links (T1566.002). QakBot is often used as a gateway entry, similar to TrickBot or Emotet, that leads to post-exploitation operations leveraging frameworks such as Cobalt Strike as well as delivering Ransomware.