Search This Blog

Showing posts with label User Security. Show all posts

Payment API Flaws Exposed Millions of Users’ Data

 

Researchers discovered API security flaws impacting several apps, potentially exposing the personal and financial information of millions of consumers. 

According to CloudSEK, around 250 of the 13,000 apps published to its BeVigil "security search engine" for mobile applications utilize the Razorpay API to conduct financial transactions. 

Unfortunately, it was discovered that about 5% of these had disclosed their payment integration key ID and key secret. This is not an issue in Razorpay, which caters over eight million businesses, but rather with how app developers are misusing their APIs.

Many of the applications exposing API keys have over a million downloads, including those in health and fitness, eCommerce, travel and hospitality, healthcare, and pharma. The applications are based in India, where CloudSEK is also situated. Here is a list of the applications that are affected:
  • One of India’s leading steel trading companies
  • Online grocery app 
  • Nepalekart (Instant Recharge to Nepal): Now remediated 
  • Top education app in south India 
  • Gold merchant 
  • Health app 
The company explained, “When it comes to payment gateways, an API key is a combination of a key_id and a key_secret that are required to make any API request to the payment service provider. And as part of the integration process, developers accidentally embed the API key in their source code. While developers might be aware of exposing API keys in their mobile apps, they might not be aware of the true impact this has on their entire business ecosystem.” 

“CloudSEK has observed that a wide range of companies — both large and small — that cater to millions of users have mobile apps with API keys that are hardcoded in the app packages. These keys could be easily discovered by malicious hackers or competitors who could use them to compromise user data and networks.” 

The compromised data might include user information such as phone numbers and email addresses, transaction IDs and amounts, and order and refund details. 

Furthermore, since similar apps are typically linked with other programmes and wallets, CloudSEK cautioned that much more could be at risk. 

According to the organization, malicious actors may utilise the leaked API information to execute mass purchases and subsequently start refunds, sell stolen information on the dark web, and/or conduct social engineering operations such as follow-up phishing campaigns. 

All ten of the compromised APIs have now been disabled. Nonetheless, CloudSEK encouraged developers to consider the possible effect of such vulnerabilities early in the development process.  

This is due to the fact that invalidating a payment integration key would prevent an app from functioning, resulting in substantial user friction and financial loss. 

CloudSEK concluded, “Given the complexities of regenerating API keys, payment providers should design APIs such that, even if the key has not been invalidated, there are options to minimize the permissions and access controls of a given key.” 

“App developers should be given a mechanism to limit what can be done using a key at a granular level, like AWS does. AWS has put in place identity and access management (IAM) policies that can be used to configure the permissions of every operation on an S3 bucket. This practice should be more widely adopted to minimize what threat actors can do with exposed API keys.”

Lubbock County Denies Data Leak, Says Data Temporarily Attainable Under New Software System

 

Earlier this month, the personal court records for residents of Lubbock County, located in the US state of Texas, were exposed when the county transitioned to a new computer software system. The exposed data contained non-disclosure orders, criminal cases, and civil and family law records. 

According to the county’s official website, Lubbock County Defense Lawyers Association and county officials are not on the same page concerning how to define the incident.

In a news release from the County, Judge Curtis Parrish said: “On Tuesday, September 14, 2021, Lubbock County Information and Technology Department became aware that certain court records that were previously unavailable for review by the public had become viewable under Lubbock County’s new software system. Some of these records include non-disclosure orders, criminal cases, civil and family law records. This access portal has now been blocked temporarily until we can identify which court records maybe [sic] accessed by the parties, attorneys, and the general public.

This was not a data breach [sic], or an issue where the computer system was compromised. Lubbock County will continue to review policies concerning all court records, in our effort to make these documents accessible to the attorneys and the public.” 

However, an earlier release by the Lubbock County Defense Lawyers Association characterized the incident as a data breach. The association said it became aware of the situation on September 10. 

“This data includes information on individuals who have had criminal cases expunged or non-disclosure orders signed in their criminal case. This breach affected cases at all levels and in all courts in Lubbock County. Some individuals’ data have been removed from the public access system, while other individuals’ data are still available,” said Lubbock County Defense Lawyers Association in their news release. 

The attacks on local governments is a growing concern for law enforcement agencies and government officials. Due to their shoestring budget, local governments rarely have dedicated security experts and that leaves a huge hole in their security. In March 2021, a report from consumer tech information site Comparitech revealed that American government organizations suffered a loss of $18.88 billion due to cyber-attacks. 

Over the past three years, 246 ransomware attacks struck U.S. government organizations. These attacks potentially affected over 173 million people and nearly cost $52.88 billion. The motive of most of these attacks was to halt processes, interrupt services and cause disruption, not to steal data, according to the report.

City of Yonkers Refuses to Pay Ransom After Attackers Demand $10 million

 

The City of Yonkers has refused to pay the ransom after ransomware attackers demanded a ransom of $10 million to revive the disparate modules that overlay the different departments of the city.

Earlier this month, government employees at the City of Yonkers were restricted from accessing their laptops or computers after the city suffered a computer incursion by ransomware attackers. In the meantime, employees were told to restore as much data as possible manually from backups and this often means keeping pen and paper records that are transferred into databases.

The ransomware outbreak 

Ransomware attacks against the local governments are rising with each passing day. Last year, at least 2,354 governments, healthcare facilities, and schools were targeted by ransomware attackers. The local governments are the lucrative targets because they are less equipped in terms of resources and capabilities. 

A 2020 survey of state chief information security officers discovered that 70 percent listed ransomware as a top concern because of funding hurdles and lack of confidence in localities’ abilities to guard state information assets. And after a ransomware event occurs, only 45 percent of local enforcement agencies felt that they “had access to the resources” to analyze digital evidence linked to the crime. This then allows attackers to operate with more confidence, as the third way found that only 3 out of every 1,000 cybercrimes reported to the FBI result in an arrest. 

In 2019, the City of Baltimore was crippled for more than two weeks before the government’s systems were restored, in a delay that cost the city more than $18 million. Although Baltimore followed the instructions given by cyber security experts and the FBI to not pay the ransom, many people questioned the city’s strategy, given the extent of the damage.

“If we paid the ransom, there is no guarantee [the attackers] can or will unlock our system. There’s no way of tracking the payment or even being able to confirm who we are paying the money to. Because of the way they requested payment, there’s no way of knowing if they are leaving other malware on our system to hold us for ransom again in the future,” Mayor Bernard C. Jack Young said while responding to the critics.

“Ultimately, we would still have to take all the steps we have taken to ensure a safe and secure environment. I’m confident we have taken the best course of action,” he added. 

No more ransom payments

When three more local governments were attacked within a space of few months, it sparked a meeting of the United States Conference of Mayors. The meeting of US mayors resulted in a unanimous decision to stop paying ransom demands.

“Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit. The United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm,” the mayors wrote.

In the case of the City of Yonkers, the city confirmed that the virus was quarantined on the network, no ransom was paid and the Department of Homeland Security was notified.

Republican Governors Association Targeted in Microsoft Exchange Server Attacks

 

The Republican Governors Association was one of many U.S. organizations attacked in March when a nation-state group exploited vulnerabilities in Microsoft Exchange email servers, according to a breach notification letter filed with the Maine attorney general's office this week.  

For companies worldwide, the situation became a cause of concern; nearly 500 persons linked with the RGA's personal information might have been exposed due to the assault. According to the organization's attorney, personal information includes social security numbers. 

The RGA was notified of the breach on March 10, eight days after Microsoft made the campaign public. At this time, it's highly uncertain who is to blame for the breach and what happened to the data compromised. 

Microsoft exchange server attack’s fallout: 

This incident is the latest fallout to arise from the massive breach of the Microsoft Exchange Server earlier this year. The breach was connected to hacker organizations supported by the Chinese government. A computer exploit made the vulnerabilities public, allowing opportunistic fraudsters to launch a large-scale attack. 

According to the RGA, on February 28, hackers hacked into “a small portion of [its] email work environment". It went on to say that it only discovered the hacking campaign on March 10, eight days after Microsoft made a public announcement about it. 

The RGA's spokesman declined to elaborate on specifics of the breach, such as about the offenders and the damage. It further said it was “unable to determine what personal information, if any, was impacted as a result of the incident.”

The US skeptical of China's role in the Microsoft hack

After the cyberattack, the RGA stated it upgraded its Microsoft software. China was blamed by the US government for its participation in the Microsoft Exchange attack in July. As a response, the United Kingdom and the European Union-backed the United States' condemnation of China. 

Four Chinese nationals were also charged with criminal charges by the US Department of Justice. 

As per security experts, tens of thousands of US state and local companies were using vulnerable software at the height of the Exchange Server attack. However, many companies were able to safeguard themselves by installing a software update. 

The US National Security Council has gathered numerous times since the event, urging corporations to amp up their cyber defenses. Businesses in countries other than the United States were also affected by the attack. This includes Europe, where the European Union's financial authority, the Norwegian parliament, and two German government bodies have all been attacked. 

In accordance with the country's cybersecurity body, it also affected a considerable number of companies in Australia.

Precautionary Measures: 

The Republican Governors Association states that since the assault was identified in March, it has implemented the Microsoft updates for the vulnerable versions of its on-premises Exchange server. According to the letter, law enforcement and other organizations have also been alerted. 

The credit monitoring services are also being given to the approximately 500 persons impacted by the assault. 

"Out of an abundance of caution, RGA is also offering you two years of complimentary credit monitoring and identity restoration services with Experian." 

"RGA has also notified the Federal Bureau of Investigation, certain state regulators, and the consumer reporting agencies of this incident as required."

Scammers Use 'IT Support-Themed Email' to Target Organizations

 

Cybersecurity researchers at Cofense Phishing Defense Center (PDC) have unearthed a new phishing campaign that uses 'information technology (IT) support-themed email' to lure users to update their passwords. 

The email appears legitimate because it’s a common practice within organizations to send security updates to their employees on a weekly or monthly basis. IT team deploys a reset password communication mail to strengthen the employee’s email security. Therefore, it’s a smart move by the attackers to target organizations via phishing email. 

Researchers first suspected the email because the domain was only a few months old. However, the domain address “realfruitpowernepal[.]com” was identical to an organization’s internal IT department, yet a further examination of the domain led to a free web design platform. The second red flag was the opening of the email that doesn’t contain phrases such as “Good Morning” or “Dear…”, possibly suggesting the mass-email attack.

When the user proceeds further by clicking on the “Continue” button, a Mimecast link appears, along with the now censored user email address toward the end of the URL. The users might not feel anything dubious because scammers have used the correct spelling and name, which directs users to a Mimecast web security portal that gives them two options: block the malicious link or ignore it. 

Choosing either option directs the user to the same phishing landing page that displays the session as expired. The motive of the scammers was to make the phishing landing page appear identical to the legitimate Mimecast site. However, during the investigation, it was discovered that the URL provided does not match the authentic Mimecast URL and the footer detail was missing, researchers explained.

Scammers have employed very powerful social engineering to trick the users. The phishing page is designed in such a way that the user providing true login credentials or a random string of credentials, would still be redirected to the page displaying a successful login message.

How to safeguard against phishing emails?


• Installing security software is the first line of defense against phishing attacks. Antivirus programs, spam filters, and firewall programs are quite effective against phishing attacks. 
• Monitor: use phishing simulation tools to evaluate employee knowledge regarding phishing attacks. 
• Organizations should incorporate cyber security awareness campaigns, training, support, education, and project management as a part of their corporate culture. 
• Businesses should deploy multi-factor authentication to prevent hackers from gaining access to their systems.

Massachusetts is Investigating the Massive T-Mobile Data Breach

 

On Tuesday, Massachusetts Attorney General Maura Healey announced that she will look into the cyberattack on T-Mobile US Inc (TMUS.O), which compromised the personally identifiable information of over 53 million people.

After the third-largest U.S. cellphone carrier reported the hack on Aug. 16, Attorney General Maura Healey announced the investigation. 

The breach exposed names, birthdays, social security numbers, driver's licence information, PIN numbers, and other personal information of an estimated 13.1 million current and 40 million past, and potential T-Mobile users.

It was one of many cyberattacks in recent years that impacted banks, gas pipelines, and hospitals, among other businesses. 

Healey aims to examine whether the Bellevue, Washington-based corporation has sufficient measures in place to secure consumer information and mobile devices. Last month, the Federal Communications Commission in the United States launched an investigation into the matter. 

According to court records, consumers and other private plaintiffs have filed at least 23 lawsuits against T-Mobile as a result of the data leak. 

About the security breach

On August 16, T-Mobile US Inc (TMUS.O) admitted a data breach but said it has yet to determine if any customer information had been compromised, a day after an online forum claimed that the personal data of over 100 million of its users had been compromised. 

In a blog post, the telecom provider stated that it was certain that the entry point used to obtain the data had been shut down. It did not disclose the number of accounts impacted. 

"We are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims, and we are coordinating with law enforcement," the company stated. 

According to a report in Vice's Motherboard, the forum post does not specify T-Mobile but the attacker informed Vice that they acquired data on over 100 million individuals from T-Mobile servers. 

Following the news, T-stock Mobile's share dropped 2.8 percent in afternoon trade.

UN Computer Networks Breached by Hackers Earlier This Year

 

Hackers breached the United Nations' computer network and stole data, according to researchers at cybersecurity firm Resecurity, 

According to Bloomberg, the theft's unknown perpetrators appear to have acquired access by simply stealing login credentials from a UN employee. 

Logging into the employee's Umoja account provided access. The enterprise resource planning system Umoja, which means "unity" in Kiswahili, was deployed by the United Nations in 2015. The login and password used in the cyber-attack are believed to have been obtained from the dark web. 

Gene Yoo, chief executive officer at Resecurity, stated, “Organizations like the UN are a high-value target for cyber-espionage activity. The actor conducted the intrusion with the goal of compromising large numbers of users within the UN network for further long-term intelligence gathering.” 

Researchers discovered that hackers initially gained access to the UN's networks on April 5, 2021, and that network breaches lasted until August 7. Based on the findings, the attackers did not seem to have harmed or disrupted the UN's computer network. Instead, the hackers seem to have been motivated by a desire to gather information. 

After reporting the security issue to the UN, Resecurity stated it worked with the UN's security team to evaluate the extent of the intrusion. While the UN claims that the assault was a reconnaissance operation by hackers who just captured screenshots of the organization's vulnerable network. The breach resulted in the theft of data, as per the Resecurity experts. 

The UN discontinued interacting with Resecurity, according to Yoo, when proof of data theft was provided to the organization. 

Hackers have previously attacked the United Nations and its agencies. In 2018, Dutch and British law enforcement prevented a Russian cyberattack on the Organisation for the Prohibition of Chemical Weapons (OPCW), which was investigating the deployment of a lethal nerve agent on British territory. 

According to a Forbes article, the UN's "core infrastructure" was hacked in a cyberattack in August 2019 that targeted a known flaw in Microsoft's SharePoint platform. The breach was not made public until the New Humanitarian newsgroup published the news. 

In the context of the latest breach, UN spokesman Farhan Haq told DailyMail.com, “This attack had been detected before we were notified by the company cited in the Bloomberg article, and corrective actions to mitigate the impact of the breach had already been planned and were being implemented.” 

“At that time, we thanked the company for sharing information related to the incident and confirmed the breach to them.” 

Haq added that the United Nations is often targeted by cyber-attacks, including sustained campaigns.

Hackers Steal Data of 40,000 Patients From a Kidney Hospital in Thailand


On Wednesday, Thirachai Chantharotsiri, director of Bhumirajanagarindra Kidney Institute Hospital lodged a complaint that the personal information of over 40,000 patients has been stolen by a hacker. The compromised data included personal details and allegedly medical history of the patients. 

While talking to local media at Phaya Thai police station, Dr. Chantharotsiri told that on Monday, the database of the patients at a hospital in the Ratchathewi district of Bangkok became inaccessible to the hospital staff. A subsequent system check was carried out which revealed that the data had been stolen. The breach damaged the data system of the hospital which resulted in an inability to access the X-ray archive. 

According to the commissioner of the CCBI, Pol Lt Gen Kornchai Kalyklueng – owing to the ambiguity regarding the criminals – the investigating agency will seek support from American authorities and other international organizations to track down the hackers. 

Dr. Thirachai told that later, the facility received a call from a foreigner claiming to have hacked the system, the English-speaking man tried to negotiate for payment in exchange for the important information belonging to the hospital. 

The director filed a police complaint along with a recording of the call, reportedly, he did not hear from the anonymous caller again. 

In an attempt to mitigate concerns, the officials at the hospital maintained that the compromised data only include the primary data of the patients, emphasizing that diagnostic or medical records were untouched. 

As per the investigation of CCIB, the group behind the hacking is probably the one that hacked the systems of Krungthai Bank exposing client information and that of a hospital in the Northeast. Although the group identified is seemingly of Indian origins using a server in Singapore, most recent findings indicate that the threat actors were operating from the US.

Microsoft Office Users Targeted in a New Zero-Day Attack

 

Microsoft issued a warning to Windows users on Tuesday that attackers are actively exploiting an unpatched remote execution zero-day vulnerability in MSHTML, a proprietary browser engine for the now-discontinued Internet Explorer using weaponized MS Office documents. 

Tracked as CVE-2021-40444, the vulnerability affects Windows Server 2008 through 2019 and Windows 8.1 through 10 and has a severity level of 8.8 out of the maximum 10.

"Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents," the company said in a security advisory. 

"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," it added.

ActiveX is a software framework from Microsoft that adapts its earlier Component Object Model and Object Linking and Embedding technologies for content downloaded from a network. 

Microsoft credited researchers from EXPMON and Mandiant for reporting the flaw, although the company did not provide further details about the nature of the attacks, the identity of the adversaries exploiting this zero-day, or their targets in light of real-world attacks. 

The researchers at EXPMON stated they discovered the issue after detecting a "highly sophisticated zero-day attack" directed at Microsoft Office users, adding they shared the findings with Microsoft on Sunday. "The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous)," EXPMON researchers said. 

However, the risk can be mitigated if Microsoft Office operates with default configurations, wherein documents downloaded from the web are opened in Protected View or Application Guard for Office, which is designed to prevent untrusted files from accessing trusted resources in the compromised system. 

Microsoft, upon completion of the investigation, is expected to publish a security patch or an out-of-cycle security update as part of its Patch Tuesday monthly release cycle "depending on customer needs." In the interim, the Windows maker is advising users and organizations to disable all ActiveX controls in Internet Explorer to mitigate any potential threat.

McDonald’s Password for the Monopoly VIP Database Leaked

 

The fast-food chain McDonald's mistakenly sent out emails with login credentials associated with a database for its Monopoly VIP game. 

McDonald's UK had to postpone the famous Monopoly VIP game for a year due to the COVID -19 pandemic. This year, on August 25th, McDonald's reintroduced the game. 

McDonald's Monopoly is a well-known marketing gimmick in which customers can win gifts and money by entering codes found on purchases. Basically, every time a person purchases a meal from a McDonald's restaurant, they have a chance to win a gift. 

Unfortunately, the game encountered a roadblock over the weekend when a bug resulted in prize redemption emails sent to prize winners, including the user names and passwords for the production and staging database servers. 

Troy Hunt released an unredacted screenshot of an exception fault in an email issued to prize winners with BleepingComputer, which includes critical information for the online application. 

The redacted email sent to a Monopoly VIP winner contained hostnames for Azure SQL databases and the databases' login names and passwords. The prize winner who shared the email with Troy Hunt stated that the production server was firewalled off but that the staging server could be accessed using the attached credentials. 

The person informed Troy Hunt in an email published with BleepingComputer, "I tried to connect to production to gauge the severity of the issue and whether or not getting in touch was an urgent matter but luckily for them they had a set of firewall rules setup. I did however gain access to staging, which I disconnected from immediately for obvious reasons." 

Since these files may have contained winning prize codes, an unethical individual might have obtained unused game codes and exploited them to claim the rewards. 

Luckily for McDonald's, the individual appropriately reported the problem to them. While they did not receive a reply but later discovered that the staging server's password had been changed. 

Though this was not a unique incident, as several people claimed to have seen the credentials and even went so far as to record their experience on TikTok. 

McDonald's notified BleepingComputer that just the staging server's credentials were compromised, while the error clearly stated that the credentials of both a production and staging server were leaked.

In a statement, McDonald's told BleepingComputer, "Due to an administrative error, a small number of customers received details for a staging website by email. No personal details were compromised or shared with other parties." 

"Those affected will be contacted to reassure them that this was a human error and that their information remains safe. We take data privacy very seriously and apologize for any undue concern this error has caused.”

NFT Collector Scammed into Buying Fake Banksy Bidding

 

A hacker compromised a site of famed street artist Banksy and sold an NFT (non-fungal token) of artist's art for more than $336,000. The hacker, however, returned all the stolen cash except a transaction fee. The incident, however, has sent a message to cybersecurity experts, and also a new threat is on the rise: NFTs. In this case, the hacker did an auction on the genuine Banksy website "banksy.co.uk", which is said to be the first Banksy NFT, as per BBC. If a collector buys an NFT, they don't get copyright or ownership over the image. 

An unknown collector(British) identified by BBC as 'prominent', also goes by the name "Pranksy" offered 90% more than the other bidder to https://threatpost.com/nft-collector-tricked-into-buying-fake-banksy/169179/ the Banksy NFT. According to ThreatPost, the Bolster research team also tracks emerging NFT scams and found the most popular cybercriminal tactics include setting up fake stores, the sale of fake art (Banksy is a popular lure), Airdrop scams offering free crypto and brand impersonation on social media. 

"The NFT market has surged recently, with more than $2.5 billion so far just this year. And as the market attracts money, it will draw in cybercriminals looking for a piece of the action. Consumers will have to increase their awareness around potential NFT fraud, experts predict," reports ThreatPost. When some background check was done on the hacker, he returned most of the money earlier this week, except $6,918 and transaction fees. Pranksy says that he never expected of a refund. The reason could be Pranksy tracked the hacker and followed him on Twitter, and the incident also received a lot of press coverage, which may have compelled the hacker to refund the stolen amount. He also said that others wouldn't have the same luck if they went through the same thing. 

The genuine Banksy and his team responded to the incident with a statement "the artist Banksy has not created any NFT artworks." Bolster's Young-Sae Song said that it would've been very tough for someone to notice the Banksy NFT Auction was a scam. Abhilash Garimella, Bolster researcher, had earlier predicted that "these scams will get more complex and sophisticated. Scammers will keep innovating to make sure users fall for these. Not just NFTs, when buying anything online, a buyer needs to be aware of where and to whom they are giving away their credit card or banking information."

Beaumont Health: The Latest Victim of Accellion Breach

 

Beaumont Health, headquartered in Michigan, is the latest victim of the Accellion data breach, which began in December 2020 and has so far claimed 100 victims. Threat actors exploited zero-day vulnerabilities in Accellion's File Transfer Application (FTA), compromising the data of millions of patients. 

Approximately 1500 patients have been alerted by Beaumont Health that their personal information may have been compromised as a result of the December cyberattack on Accellion software. Beaumont hired Goodwin Procter LLP to offer legal services, and the firm used Accellion's File Transfer software to make massive transfers on behalf of its customers. 

Goodwin notified the healthcare provider on February 5 that patient data had been breached. Following the announcement of the Accellion breach, Goodwin conducted a digital forensics investigation and discovered that an unknown person had exploited a vulnerability in the application to obtain specific documents. 

“The potentially impacted information included a listing of roughly 1500 patients who had one of two procedures performed at a Beaumont Hospital,” mentioned in a statement issued on August 27 by Beaumont Health. 

“The list included the patient name, procedure name, physician name, the internal medical record number and the date of service. This incident is limited to these patients and does not affect all patients of Beaumont.” 

The healthcare provider also stated that the breach had no financial implications and neither Beaumont nor Goodwin had discovered any indication of the exposed data being exploited. 

On behalf of Beaumont, Goodwin contacted impacted people via mail on August 27 at their last known address to inform them about the data breach. The letter advises patients on the actions they should take to protect themselves from identity theft. 

“The notice letter specifies steps impacted individuals may take to protect themselves against identity fraud, including enrolling in complimentary credit monitoring services (if eligible), placing a fraud alert/security freeze on their credit files, obtaining free credit reports, remaining vigilant in reviewing financial account statements and credit reports for fraudulent or irregular activity on a regular basis and taking steps to safeguard themselves against medical identity theft,” stated Beaumont. 

“At Beaumont, protecting the privacy of personal information is a top priority,” the statement concluded. 

Goodwin is examining its data security policies and protocols in the aftermath of the incident. 

Accellion is now facing lawsuits

As the number of breaches escalates, Accellion is experiencing over a dozen lawsuits. In February, the Cybersecurity and Infrastructure Security Agency (CISA), together with security agencies in the United Kingdom, New Zealand, Singapore, and Australia, issued a warning to companies about the Accellion hack. 

Clop ransomware took responsibility for the assault and abused four previously unknown vulnerabilities. Some of the ransomware group's most recent victims include Kroger, Bombardier, Southern Illinois University School of Medicine, and Trillium Community Health Plan. 

In April, Trinity Health, located in Michigan, alerted over 580,000 patients that their information had been compromised. Demographic data, names, medical record numbers, and medical tests were among the information stolen. 

Centene also alerted over 1.3 million patients of the Accellion data leak in April. Contact information, birthdates, insurance ID numbers, and treatment information were all acquired by the hackers. 

During a major extortion attempt, the Clop ransomware published stolen data online, and some of the affected companies got emails from the intruders attempting to intensify extortion attempts. The number of victims continues to rise months after the initial attack.

Autodesk Disclosed it was Targeted in SolarWinds Hack

 

Autodesk has disclosed that it was also targeted by the Russian state hackers behind the large-scale SolarWinds Orion supply-chain assault, nearly nine months after finding that one of its servers had been compromised with Sunburst malware. 

It is an American multinational software corporation that makes software products and services for the architecture, engineering, construction, manufacturing, media, education, and entertainment industries. 

In a recent 10-Q SEC filing, Autodesk stated, "We identified a compromised SolarWinds server and promptly took steps to contain and remediate the incidents." 

"While we believe that no customer operations or Autodesk products were disrupted as a result of this attack, other, similar attacks could have a significant negative impact on our systems and operations." 

While the company went on to state that there was no additional damage to its systems, the company's announcement of the breach in its most recent quarterly results serves as a reminder to the world of how widespread the SolarWinds supply chain breach was. 

An Autodesk spokesperson told BleepingComputer that the attackers did not deploy any other malware besides the Sunburst backdoor, likely because it was not selected for second stage exploitation or the threat actors didn't act quickly enough before they were detected. 

The spokesperson stated, "Autodesk identified a compromised SolarWinds server on December 13. Soon after, the server was isolated, logs were collected for forensic analysis, and the software patch was applied. Autodesk’s Security team has concluded their investigation and observed no malicious activity beyond the initial software installation." 

One of 18000 tech firms targeted in a large-scale cyber attack

SolarWinds' infrastructure was hacked as a result of a supply-chain assault conducted by the Russian Foreign Intelligence Service's hacking division (aka APT29, The Dukes, or Cozy Bear). 

The attackers trojanized the Orion Software Platform source code and build issued between March 2020 and June 2020 after obtaining access to the company's internal systems. These malicious builds were then used to deploy the Sunburst backdoor to around 18,000 clients, but fortunately, the threat actors only chose a small number of people for second-stage exploitation. 

Before the assault was revealed, SolarWinds stated to have 300,000 clients globally, including over 425 US Fortune 500 firms and all top 10 US telecom corporations. 

A long list of government agencies was also among the company's clients (the US Military, the US Pentagon, the State Department, NASA, NSA, Postal Service, NOAA, the US Department of Justice, and the Office of the President of the United States). 

The US Department of Justice was the latest US official agency to reveal that during last year's SolarWinds global hacking spree, 27 US Attorneys' offices were compromised. 

Although Autodesk was not the only big corporation attacked in the SolarWinds breach, other companies such as Cisco, VMware, Intel, and Nvidia revealed similar issues in December.  

Parliamentary Panel Advises Indian Government to Ban VPN Services

 

Citing the growing threat in cyberspace, the Parliamentary Standing Committee on Home Affairs has advised the Indian government to block the virtual private network VPN (apps), saying VPNs provide significant technological challenges to maintain the sovereignty of the nation. 

The request from the Parliamentary Standing Committee comes as 31 Members of Parliament discovered that VPNs can bypass cyber security walls and allow cybercriminals to remain anonymous online. The Committee has termed the VPN services as a threat to counter cyber attacks and other nefarious activities. 

“The Committee notes with anxiety the technological challenge posed by VPN services and Dark Web, that can bypass cyber security walls and allow criminals to remain anonymous online. As of date, VPN can easily be downloaded, as many websites are providing such facilities and advertising them,” Parliamentary Standing Committee on Home Affairs said in its report. 

“The Committee, therefore, recommends that the Ministry of Home Affairs should coordinate with the Ministry of Electronics and Information Technology to identify and permanently block such VPNs with the help of internet service providers.”

India had recorded a 671 percent rise in the first half of 2021 compared to 2020 as a result of transformational changes in the working cultures of Indian companies. “Prior to 2021, the VPN penetration rate in India hovered around 3 percent, which is near the bottom of the list globally. Yet, by far the most significant growth in the number of downloads in H1-2021 was in India,” said Atlas VPN, a free VPN app that conducted the analysis.

The Indian government must act to strengthen tracking and surveillance by improving and developing state-of-the-art technology and put a check on VPN and the Dark Web, the Parliamentary Standing Committee advised. 

Impacts of Banning VPN on Indian Citizens 

According to the National Cyber Security Coordinator, India faces around 375 cyberattacks on a daily basis. In such circumstances, banning VPN in India could cause irreparable damage for large businesses that have relied on VPNs to secure their network connections, especially as remote work continues to be a new trend. 

Additionally, internet users will be more prone to third-party attacks and malwares trying to steal private information. Also, the internet users will not be able to access content online that is otherwise not available in India or is restricted. Also not to forget, users will lose one of the most basic and easiest ways to maintain privacy online.

Do Not Use Single-Factor Authentication on Internet-Exposed Systems, CISA Warns

 

The US Cybersecurity and Infrastructure Security Agency (CISA) this week added single-factor authentication (SFA) to a very short list of "exceptionally risky" cybersecurity practices that could lead threat actors to target government organizations and the private sector entities. 

As per CISA, SFA (a low-security authentication method that only requires users to provide a username and a password) is “dangerous and significantly elevates risk to national security" when used for remote or administrative access to systems supporting the operation of critical infrastructure. 

“The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety," CISA explained.

Cybercriminals can easily secure access to the systems that are shielded by single-factor authentication, as it is a well-known fact that passwords can be easily stolen or guessed via multiple techniques like phishing, keylogging, network sniffing, social engineering, malware, brute-force attacks, or credential dumping.

CISA advised to switch to multi-factor authentication (MFA) as this method makes it a lot harder or even impossible for threat actors to pull off a successful attack. Alongside single-factor authentication as a bad practice is the use of end-of-life (or out-of-support) software and default (or known) credentials, which CISA describes as “dangerous”. 

According to the joint research conducted by Google, New York University, and University of California San Diego, MFA can prevent 100% of automated bots, 99% of bulk phishing attacks, and roughly 66% of targeted attacks. 

"Your password doesn’t matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA,” Alex Weinert, Microsoft Director of Identity Security said. 

CISA has also opened a GitHub Bad Practices discussions page in an attempt to allow IT, professionals and admins, to provide feedback and share their expertise on mitigating the risks of cyber-attacks.

Furthermore, CISA is considering adding a number of other practices to the catalog, including — 

• using weak cryptographic functions or key sizes 
• flat network topologies
• mingling of IT and OT networks 
• everyone's an administrator (lack of least privilege) 
• utilization of previously compromised systems without sanitization 
• transmission of sensitive, unencrypted/unauthenticated traffic over uncontrolled networks 
• poor physical controls 

"Although these Bad Practices should be avoided by all organizations, they are especially dangerous in organizations that support Critical Infrastructure or National Critical Functions. CISA encourages all organizations to review the Bad Practices webpage and to engage in the necessary actions and critical conversations to address Bad Practices,” CISA added.

T-Mobile CEO Apologizes for Hack of More Than 54 Million Users Data

 

Mike Sievert, CEO of T-Mobile, is in a spot of bother after a major data breach of the carrier’s servers. In a statement issued last week, he apologized for a data breach but also tried to paint a rosy picture of the data breach by claiming no financial details were stolen but confirmed that millions of social security numbers were compromised.

The attack on the carrier’s servers impacted more than 54 million current, former and prospective users. Leaked data included social security numbers, names, contact numbers, driver’s license information, IMEI and IMSI information, and addresses for some, but not financial details. Meanwhile, device identifiers and PINs were obtained for certain accounts. 

“What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data. In short, this individual’s intent was to break in and steal data, and they succeeded,” Seivert stated. 

Hacker John Binns, a US citizen living in Turkey, has taken credit for the attack, calling the carrier's security practices "awful." Binns has reportedly been scanning T-Mobile's systems for vulnerabilities since last summer, and finally discovered a vulnerable internet-exposed router in July, which provided access to T-Mobile servers in a data center near East Wenatchee, Washington state. He claimed it took him roughly a week to breach the servers storing customer data. 

The hacker said he targeted T-Mobile servers to grab the attention of the world. Last year, he filed a lawsuit against several US government agencies including the CIA and FBI, claiming that he had been blackmailed, surveilled, and tortured. 

T-Mobile became one of the country’s largest cellphone service carriers, along with AT&T and Verizon, after buying rival Sprint last year. It reported having a total of 102.1 million U.S. customers after the merger. 

T-Mobile has previously disclosed a number of data breaches over the past years, and it doesn’t seem to have learned from those incidents, something that has been mentioned in the lawsuits filed against the carrier as a result of the latest breach.

Sievert said the company has collaborated with cybersecurity firms Mandiant and KPMG LLG to strengthen security. He also apologized to the affected users for the data breach and announced that the company will offer impacted individuals two years of free identity protection services as promised to take steps to prevent these types of incidents in the future.

Chinese Android Game Developer Exposes Data of Over 1 Million Gamers

 

The Chinese developers of famous Android gaming applications exposed user information via an unprotected server. As per the report shared by vpnMentor's cybersecurity team, headed by Noam Rotem and Ran Locar, identified EskyFun as the owner of a 134GB server exposed and made public online.

Rainbow Story: Fantasy MMORPG, Adventure Story, The Legend of the Three Kingdoms, and Metamorph M are among the Android games developed by EskyFun. 

According to the team on Thursday, the users of the following games were included in the data leak and altogether they have over 1.6 million downloads combined: 
-Rainbow Story: Fantasy MMORPG
-Metamorph M
-Dynasty Heroes: Legends of Samkok u 

According to the researchers, the supposed 365,630,387 records included data from June 2021 onwards, exposing user data gathered on a seven-day rolling basis. 

As per the team, when their software is downloaded and installed, the developers impose aggressive and highly troubling monitoring, analytics, and permissions settings, and as a consequence, the variety of data gathered was considerably more than one would imagine mobile games to need. 

The records constituted IP and IMEI data, device information, phone numbers, the operating system in use, mobile device event logs, whether or not a smartphone was rooted; game purchase and transaction reports, email addresses, EskyFun account passwords, and support requests. 

vpnMentor estimates that up to or more than, one million users' information may have been compromised. 

On July 5, the unprotected server was detected, and EskyFun was approached two days later. However, after receiving no answer, vpnMentor tried again on July 27. 

Due to the continued inaction, the team was forced to contact Hong Kong CERT, and the server was safeguarded on July 28. 

The researchers commented, "Much of this data was incredibly sensitive, and there was no need for a video game company to be keeping such detailed files on its users. Furthermore, by not securing the data, EskyFun potentially exposed over one million people to fraud, hacking, and much worse."

38 Million Records Exposed Due to Microsoft Misconfiguration

 

According to experts, some 38 million records from over a thousand web apps that use Microsoft's Power Apps portals platform were left accessible online. Data from COVID-19 contact tracing operations, vaccine registrations, and employee databases, including home addresses, phone numbers, social security numbers, and vaccination status, is believed to have been included in the records. 

Major corporations and organizations were impacted by the incident, including American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools. While the data breaches have already been fixed, they demonstrate how a single incorrect configuration setting in a widely used platform can have far-reaching repercussions.  

Customers can use the Power Apps services to easily create their own web and mobile apps. It provides developers with application programming interfaces (APIs) to use with the data they collect. Upguard discovered, however, that accessing those APIs makes data received through Power Apps Portals public by default, necessitating manual reconfiguration to keep the information private. 

In May, researchers from the security firm Upguard began investigating the problem. They discovered that data from several Power Apps portals, which was intended to be secret, was accessible to anyone who knew where to look. According to Upguard, on June 24th, it provided a vulnerability report to the Microsoft Security Resource Center, which included links to Power Apps portal accounts with sensitive data exposed and methods to discover APIs that allowed anonymous data access. 

“The number of accounts exposing sensitive information, however, indicates that the risk of this feature– the likelihood and impact of its misconfiguration– has not been adequately appreciated,” the researchers wrote in the report. “Multiple governmental bodies reported performing security reviews of their apps without identifying this issue, presumably because it has never been adequately publicized as a data security concern before.” 

 On Monday, a Microsoft representative defended the product's security, noting that the firm worked directly with affected users to ensure that their data remained private and that consumers were notified if their data was made publicly available. “Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs," a Microsoft spokesperson said in a statement.

Private Details of 70M AT&T Users Offered For Sale on Underground Hacking Forum

 

A notorious hacking group, known as Shiny Hunters, is reportedly selling a database containing private details of 70 million AT&T customers. However, AT&T, an American telecommunication provider denied suffering from a data breach. 

Last week, ShinyHunters posted a sale for “AT&T database + 70M (SSN/DOB)” on RaidForums, a popular Darkweb marketplace. Threat actors set the bidding with a starting price of $200,000 and incremental offers of $30,000. Apart from this, there is also a flash sale where customers can buy the entire database for $1 million. 

"In the original post that we discovered on a hacker forum, the user posted a relatively small sample of the data. We examined the sample and it appears to be authentic based on available public records,” Sven Taylor of RestorePrivacy, who first reported the data breach, stated. 

ShinyHunters shared a sample subset of stolen data, name, contact numbers, physical addresses, social security numbers (SSN), and dates of birth. An anonymous security expert told BleepingComputer that two of the four people in the samples were identified users in the AT&T database. The hackers are also working on decrypting the data that they believe comprises customer accounts’ PINs.

"Based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems," AT&T responded to the claims of ShinyHunters.

In a follow-up email to BleepingComputer, the telecom provider hedged over whether the data could have been stolen from a third party: “Given this information did not come from us, we can’t speculate on where it came from or whether it is valid,” the firm stated. 

In the past, ShinyHunters has targeted the likes of Microsoft, Mashable, Tokopedia, BigBasket, Nitro PDF, Pixlr, TeeSpring, Promo.com, Mathway, and droves of other small-to-mid-sized platforms. Its modus operandi is to steal credentials, API keys or buy large troves of data, then dump and sell it on underground platforms.

Earlier this month, a fellow Telecom provider, T-Mobile suffered a data breach that exposed the private details of tens of millions of its users. To address the issue, T-Mobile assured its users to provide free identity protection services.

Database of 70 Million AT&T Users Being Sold on a Hacker Forum

 

The same threat actor is selling 70 million AT&T customers' records just days after the T-Mobile data leak. The data leak claim was refuted by the mobile service provider, who stated that the data did not emanate from any of their systems. ShinyHunters, the same threat actors that just days ago sold T-Mobile subscribers' data, is now selling 70 million records reportedly belonging to another mobile service provider – AT&T. AT&T consumers' full names, social security numbers, email addresses, and dates of birth are among the data for sale. 

ShinyHunters is a well-known organisation that has been linked to a number of high-profile data breaches. Mashable, 123RF, Minted, Couchsurfing, Animal Jam, and other companies have been targeted, according to HackRead. 

The revelation was first reported by Restore Privacy. According to them, the hacker is seeking $1 million for the full database (direct sell) and has given them exclusive information for this report.

"In the original post that we discovered on a hacker forum, the user posted a small sample of the data. We examined the sample and it appears to be authentic based on available public records. Additionally, the user who posted it has a history of major data breaches and exploits," said Restore Privacy. "While we cannot yet confirm the data is from AT&T customers, everything we examined appears to be valid." 

AT&T denied that the data had been leaked, claiming that it was either forged or obtained through other sources. “Based on our investigation today, information that appeared in an internet chat room does not appear to have come from our systems,” MarketWatch quoted the cell phone carrier. 

 AT&T has previously experienced a data breach. For an insider breach in 2015, the company agreed to pay a $25 million fine. In fact, a threat actor was looking to hire a T-Mobile and/or AT&T employee in May, presumably to assist them in staging an insider attack on their employer. 

T-Mobile was notified late last week about accusations in an online forum that a threat actor had compromised T-Mobile systems. The company announced that it had discovered and shut down the access point that might have been utilised to obtain unauthorised access to the company's servers.