Search This Blog

Showing posts with label Users' Credential. Show all posts

Beaumont Health: The Latest Victim of Accellion Breach

 

Beaumont Health, headquartered in Michigan, is the latest victim of the Accellion data breach, which began in December 2020 and has so far claimed 100 victims. Threat actors exploited zero-day vulnerabilities in Accellion's File Transfer Application (FTA), compromising the data of millions of patients. 

Approximately 1500 patients have been alerted by Beaumont Health that their personal information may have been compromised as a result of the December cyberattack on Accellion software. Beaumont hired Goodwin Procter LLP to offer legal services, and the firm used Accellion's File Transfer software to make massive transfers on behalf of its customers. 

Goodwin notified the healthcare provider on February 5 that patient data had been breached. Following the announcement of the Accellion breach, Goodwin conducted a digital forensics investigation and discovered that an unknown person had exploited a vulnerability in the application to obtain specific documents. 

“The potentially impacted information included a listing of roughly 1500 patients who had one of two procedures performed at a Beaumont Hospital,” mentioned in a statement issued on August 27 by Beaumont Health. 

“The list included the patient name, procedure name, physician name, the internal medical record number and the date of service. This incident is limited to these patients and does not affect all patients of Beaumont.” 

The healthcare provider also stated that the breach had no financial implications and neither Beaumont nor Goodwin had discovered any indication of the exposed data being exploited. 

On behalf of Beaumont, Goodwin contacted impacted people via mail on August 27 at their last known address to inform them about the data breach. The letter advises patients on the actions they should take to protect themselves from identity theft. 

“The notice letter specifies steps impacted individuals may take to protect themselves against identity fraud, including enrolling in complimentary credit monitoring services (if eligible), placing a fraud alert/security freeze on their credit files, obtaining free credit reports, remaining vigilant in reviewing financial account statements and credit reports for fraudulent or irregular activity on a regular basis and taking steps to safeguard themselves against medical identity theft,” stated Beaumont. 

“At Beaumont, protecting the privacy of personal information is a top priority,” the statement concluded. 

Goodwin is examining its data security policies and protocols in the aftermath of the incident. 

Accellion is now facing lawsuits

As the number of breaches escalates, Accellion is experiencing over a dozen lawsuits. In February, the Cybersecurity and Infrastructure Security Agency (CISA), together with security agencies in the United Kingdom, New Zealand, Singapore, and Australia, issued a warning to companies about the Accellion hack. 

Clop ransomware took responsibility for the assault and abused four previously unknown vulnerabilities. Some of the ransomware group's most recent victims include Kroger, Bombardier, Southern Illinois University School of Medicine, and Trillium Community Health Plan. 

In April, Trinity Health, located in Michigan, alerted over 580,000 patients that their information had been compromised. Demographic data, names, medical record numbers, and medical tests were among the information stolen. 

Centene also alerted over 1.3 million patients of the Accellion data leak in April. Contact information, birthdates, insurance ID numbers, and treatment information were all acquired by the hackers. 

During a major extortion attempt, the Clop ransomware published stolen data online, and some of the affected companies got emails from the intruders attempting to intensify extortion attempts. The number of victims continues to rise months after the initial attack.

Kindle's E-book Vulnerability Could Have Been Exploited to Hijack a User's Device

 

Amazon patched a significant vulnerability in its Kindle e-book reader platform earlier this April, which could have been used to gain complete control of a user's device and steal sensitive data by simply deploying a malicious e-book. "By sending Kindle users a single malicious e-book, a threat actor could have stolen any information stored on the device, from Amazon account credentials to billing information," Yaniv Balmas, head of cyber research at Check Point, said in an emailed statement. "The security vulnerabilities allow an attacker to target a very specific audience."

In other words, if a threat actor wanted to target a certain group of individuals or demographic, the adversary could tailor and coordinate a highly targeted cyber-attack using a popular e-book in a language or dialect widely spoken among the group.

Threat actors might readily target speakers of a specific language, according to Balmas. To target Romanians, for example, they would only need to publish a bestselling book in that language as an e-book. Because the majority of people who download that book will almost certainly speak Romanian, a hacker may be confident that nearly all of the victims will be Romanian. 

“That degree of specificity in offensive attack capabilities is very sought after in the cybercrime and cyber-espionage world. In the wrong hands, those offensive capabilities could do some serious damage, which concerned us immensely,” Balmas said. 

Following a responsible disclosure of the problem to Amazon in February 2021, the retail and entertainment behemoth released a patch in April 2021 as part of its 5.13.5 edition of Kindle software. The flaw is exploited by sending a malicious e-book to an intended victim, who, upon opening the book, triggers the infection sequence without any interaction from the user, allowing the threat actor to delete the user's library, gain full access to the Amazon account, or turn the Kindle into a bot for striking other devices in the target's local network. 

The flaw is in the firmware's e-book parsing architecture, notably in the implementation of how PDF documents are opened, which allows a malicious payload to be executed on the device. 

"Kindle, like other IoT devices, are often thought of as innocuous and disregarded as security risks," Balmas said. "These IoT devices are vulnerable to the same attacks as computers. Everyone should be aware of the cyber risks in using anything connected to the computer, especially something as ubiquitous as Amazon's Kindle."

WooCommerce Patched a Bug that Threatened Databases of Prominent Sites

 

According to researchers, a significant SQL-injection security vulnerability in the WooCommerce e-commerce platform and a related plugin has been exploited as a zero-day flaw. WooCommerce released an emergency remedy for the bug late on Wednesday as a result of the exploitation. Unauthenticated cyber attackers might use the flaw to steal a slew of data from an online store's database, including customer information, payment card information, and employee credentials. 

WooCommerce, a prominent open-source e-commerce platform for WordPress websites, is used by over 5 million websites worldwide. It enables online merchants to establish storefronts with a variety of customisable features, such as accepted payment kinds, shipping options, and sales tax calculations, among others. The WooCommerce Blocks feature, which is installed on over 200,000 sites, is the linked plugin affected by the flaw. It aids retailers in displaying their goods on websites. 

“Our investigation into this vulnerability and whether data has been compromised is ongoing,” Beau Lebens, head of engineering for WooCommerce, said in an advisory. “We will be sharing more information with site owners on how to investigate this security vulnerability on their site. If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.” According to Wordfence experts, there is “extremely limited evidence of [exploitation] attempts and it is likely that such attempts were highly targeted.”

However, one user commented in the WooCommerce advisory's comments section that strange activity had been seen. “Just hours before your announcement and email, the site I manage saw a massive spike in network traffic before effectively locking out administrative logins and presenting various bizarre messages,” the user said. “When I SSH’d into the live environment, the console reported that there were 4 failed login attempts since my last login. So far as I could tell there was no apparent vandalism and the failed logins had their IP banned. It seems a little too coincidental.” 

The issue affects WooCommerce plugin versions 3.3 to 5.5, as well as WooCommerce Blocks 2.5 to 5.5. According to Lebens, the company developed a patch remedy “for every impacted version (90+ releases) that was automatically sent to vulnerable stores.” However, because the automatic deployment isn't instantaneous, and users in the advisory's comments section were claiming that they hadn't received the upgrades as of Thursday afternoon, WooCommerce advised that "we're urging everyone to check and manually update if needed just in case."

Interpol Arrests Moroccan Hacker Engaged in Phishing Attacks

 

As part of a global phishing and credit card fraud scheme, law enforcement authorities with Interpol apprehended a threat actor responsible for targeting thousands of unwitting victims over several years and staging malware attacks on telecom companies, major banks, and multinational corporations in France. According to a report published on 6th July by cybersecurity firm Group-IB, the two-year investigation, called Operation Lyrebird by the international, intergovernmental group, resulted in the arrest of a Moroccan citizen nicknamed Dr HeX.

According to the cybersecurity firm, Dr HeX has been "active since at least 2009 and is responsible for a number of cybercrimes, including phishing, defacing, malware development, fraud, and carding that resulted in thousands of unsuspecting victims." The cyber-attacks included the use of a phishing kit that included online pages that spoofed banking firms in the country, as well as mass emails that imitated the targeted companies and asked users to enter login credentials on the rogue website. 

The credentials submitted by unwitting victims on the phoney web page were then forwarded to the perpetrator's email address. At least three separate phishing kits were discovered, all of which were apparently created by the threat actor. The phishing kits were also "sold to other individuals through online forums to allow them to facilitate similar malicious campaigns against victims," Interpol said in a statement. "These were then used to impersonate online banking facilities, allowing the suspect and others to steal sensitive information and defraud trusting individuals for financial gain, with the losses of individuals and companies published online in order to advertise these malicious services." 

The name Dr HeX and the individual's contact email address were included in the phishing kit scripts, which allowed the cybercriminal to be identified and deanonymized, revealing a YouTube channel as well as another name used by the adversary to register at least two fraudulent domains used in the attacks. Furthermore, Group-IB claimed it was able to link the email address to the accused's malicious infrastructure, which includes up to five email addresses, six nicknames, and accounts on Skype, Facebook, Instagram, and YouTube. 

Dr Hex's digital footprint left a tell-tale trail of malicious activities between 2009 and 2018, during which the threat actor defaced 134 web pages, as well as posts created by the attacker on various underground forums devoted to malware trading and evidence suggesting his involvement in attacks on French corporations to steal financial information.

Hackers are Remotely Erasing Western Digital Hard Drives

 

The whole goal of using a network-attached storage device is to have a hard drive where you can back up vital data and then retrieve the files when you're out and about. Unknown hackers, on the other hand, are turning Western Digital My Book NAS hard drives into nightmare backup tools by infiltrating users' computers and deleting all of their data. The My Books are controlled by WD My Book Live, an app that allows consumers to access their data and manage their NAS from anywhere. 

Last week, the drive manufacturer stated that certain owners' network-connected storage had been accessed unofficially and a complete reset had been triggered, though specifics on how seriously individuals should be concerned are still emerging. Western Digital said the WD My Book Live and WD My Book Live Duo drives are affected. They were first introduced in 2010, and the most recent firmware update was in 2015. The business has not stated how many drives are in circulation or estimated how many people are still using them. 

“Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability,” the company said in a security bulletin. "In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.” 

There is currently no proof that Western Digital's cloud services, firmware update servers, or client credentials have been compromised. Rather, the My Book Live drives were left directly available over the internet, “either through direct connection or by port forwarding that was enabled either manually or automatically via UPnP,” according to the report. According to the firm, hackers employed port scanning to identify possible victims.

“We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further,” Western Digital added. “Additionally, some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.” 

While Western Digital advises customers to disconnect hard drives from the internet for safety, Reddit users' suggestions are much more cautious. On the assumption that hackers may have already loaded a malware or other exploit on the drives, the advice is to switch them off completely. This may then be set to activate, wiping the drive even if it isn't connected at the time.

Phishing Campaign that Imitates Legitimate WeTransfer Applications

 

The Cofense Phishing Defense Center (PDC) has discovered a current phishing attempt that uses bogus websites to impersonate official WeTransfer applications. Threat actors can use this to get around email security gateways (SEG) and trick users into providing their credentials. 

WeTransfer is a file-sharing website that makes it simple for users to share files. Because of the service's popularity, it's possible that consumers may disregard the email's threat level. Threat actors have reimagined this site in order to attract unwary recipients to click on a malicious link that takes them to a phishing website, where they will be asked to pass up their credentials. 

The threat actor instructs the victim to respond to an email that says, "Pending files will be deleted shortly." The timestamps convey a sense of urgency. The malicious URL link that connects to the WeTransfer phishing landing page is hidden below the "Get your files" button. Threat actors provide a list of typical document names to make this appear more authentic. 

Another intriguing aspect is the email address's legitimacy. The threat actors have gone to great lengths to spoof the email address in order to convince recipients that the email came from the correct WeTransfer top-level domain: "@wetransfer.com." The most prevalent tactic used in phishing campaigns to acquire user trust is spoofing the email address. The top-level domain is specified by the Message-ID: @boretvstar[.]com – has nothing to do with WeTransfer. Furthermore, analysts discovered that @boretvstar[.]com is for sale and links to an error page that reads, “This site can't be reached.”

It's evident that the threat actors went to great lengths to resemble the official "WeTransfer" page as closely as possible. However, upon closer examination, the researchers found that Apple and Google logos are missing from the login buttons, and the URL does not match the actual URL. 

When the user clicks the button in the last stage of the attack, they are sent to a false WeTransfer page. To download the shared file, the user must first provide their credentials. The login area on the phishing landing page is prepopulated with the user's email address. The user is displayed a failed login attempt after entering the password, which is a frequent approach used by threat actors. 

In recent weeks, the PDC has seen over 40 identical campaigns reported by well-conditioned users to spot suspicious emails across all of our customers' settings. This phishing campaign is aimed to get around SEGs by impersonating a legitimate file-sharing platform.

RockYou2021: The Largest Data Leak with 8.4 Billion Passwords

 

According to Cybernews, what appears to be the world's largest password collection, called RockYou 2021, has been leaked on a famous hacker site. A forum user uploaded a 100GB TXT file containing 8.4 billion password entries. 

All of the passwords in the leak, according to the author, are 6-20 characters long, with non-ASCII characters and white spaces eliminated. According to the same individual, the collection has 82 billion passwords. However, Cybernews discovered that the actual figure was roughly ten times lower, at 8,459,060,239 entries, after conducting its own testing. 

The forum member has named the compilation ‘RockYou2021,' probably in allusion to the historic RockYou data breach that occurred in 2009 when threat actors hacked into the social app website's servers and obtained over 32 million user passwords stored in plain text. 

This leak is equivalent to the Compilation of Many Breaches (COMB), the greatest data breach compilation ever, with a collection that exceeds its 12-year-old namesake by more than 262 times. The RockYou2021 compilation, which has been accumulated by the individual behind the compilation over several years, contains its 3.2 billion hacked credentials, as well as credentials from numerous other hacked databases. Given that only roughly 4.7 billion people are online, the RockYou2021 compilation might theoretically contain the passwords of the entire global online population almost two times over. 

“By combining 8.4 billion unique password variations with other breach compilations that include usernames and email addresses, threat actors can use the RockYou2021 collection to mount password dictionary and password spraying attacks against untold numbers of online accounts,” CyberNews notes.

“Since most people reuse their passwords across multiple apps and websites, the number of accounts affected by credential stuffing and password spraying attacks in the wake of this leak can potentially reach millions, if you feel one or more of your passwords may have been exposed as a result of the RockYou2021 incident, you should change your passwords for all of your online accounts right away. A password manager, according to Cybernews, can help you build strong, complex passwords that aren't easy to remember. You may also set up two-factor authentication (2FA) across all of your accounts. Finally, as always, carefully check all unsolicited spam emails, phone calls, and text messages for signs of phishing.

Virtual Wallet Users are Being Scammed

 

People are carrying less cash as technology advances, preferring to use debit cards, credit cards, and smartphone payment apps instead. Although using virtual wallets like Venmo, PayPal, and Cash App is easy and becoming more common, there is a risk of being scammed by someone who does not appear to be who they claim to be. Virtual wallets are applications that you can download on your Android or iPhone to make it simple to send and receive money from friends, relatives, and other people. To move money, these apps are connected to a bank account. 

Scammers are always on the lookout for their next victim, and these apps provide them with an ideal opportunity to defraud people of their hard-earned money. Fraudsters have devised a number of strategies for intercepting payments or convincing app users to pay them directly. 

Last year, the Better Business Bureau reported on a new scheme in which con artists send messages requesting the return of unintended payments after making deposits into their victims' accounts. 

When the victim checks their account and discovers these transfers, which were made with stolen credit cards, they refund the funds, by which point the scammer has replaced the stolen credit card credentials with their own. The money is then sent to the fraudster, and the victim is held responsible until the owner of the stolen card files restitution claims. 

In contrast to Cash App and Venmo, PayPal is the oldest form of virtual wallet. In a PayPal scam, the scammer asks a seller to send the things he or she "bought" to a particular address. They discover that the address is invalid after the scammer "pays" for the item and the seller sends the package, but it's too late. 

If the shipping company is unable to locate the address, the item will be marked as undeliverable. The scammer would then contact the shipping company and provide a new address in order to accept the package while claiming they did not receive it. 

The scammer would then collect the item and file a complaint with PayPal claiming that the item was never delivered. PayPal will refund the money charged to the scammer because the buyer has no evidence that the item was shipped. As a result, the seller loses both money and goods to the con artist. 

App developers should take action to protect their users from these types of scams. Multifactor authentication and secondary confirmation, such as emailed security codes, are examples of these safeguards. According to Microsoft research, multifactor authentication will prevent 99.9% of fraud attempts involving compromised login credentials.

GitHub Announced Security Key Support for SSH Git Operations

 

When using Git over SSH, GitHub, the ubiquitous host for software creation and version control (and unfortunate victim of a relentless stream of attacks targeting the same), now supports encryption keys.

GitHub security engineer Kevin Jones said in a blog post on Monday that this is the next step in improving security and usability. These portable FIDO2 fobs are used for SSH authentication to protect Git operations and avoid the havoc that can occur when private keys are misplaced or stolen, or when malware attempts to execute requests without user permission. For instance, in 2019, the TrickBot data-stealing malware was updated to include a password grabber that could attack data from OpenSSH applications. 

These security keys, which include the YubiKey, Thetis Fido U2F Security Key, and Google Titan Security Keys, are easy to carry around in your pocket and attach to computers via USB, NFC, or Bluetooth. They can be used instead of one-time passwords generated by apps or sent via SMS. SMS SSH codes sent via text can currently be intercepted.

Strong passwords are still relevant, but because of the proliferation of data breaches and cyberattacks, they are becoming less useful as a single security mechanism, prompting the development of password managers that often check for credential leakage online, biometrics, and security keys. 

"We recognize that passwords are convenient, but they are a consistent source of account security challenges," Jones commented. "We believe passwords represent the present and past, but not the future. By removing password support for Git, as we already successfully did for our API, we will raise the baseline security hygiene for every user and organization, and for the resulting software supply chain." 

Since keys are one of the variables in multi-factor authentication (MFA), users can treat them with the same care as any other credential. You should have your security key plugged in if you're the only one that has access to it. “When using SSH with a security key, none of the sensitive information ever leaves the physical security key device,” Jones added. “If you’re the only person with physical access to your security key, it’s safe to leave plugged in at all times.” 

When you use a security key, neither ransomware nor unintended private-key leakage will reveal your keys, he said: “As long as you retain access to the security key, you can be confident that it can’t be used by anyone else for any other purpose.”

Microsoft Lures Populate Half of Credential-Swiping Phishing Emails

 



According to the sources nearly half of the emails, phishing attacks in the year 2020 aimed to swipe credentials using Microsoft-related lures – from the Office 365 enterprise service lineup to its Teams collaboration platform. 

As per the Tuesday report by Cofense, which has studied the numbers of emails related attacks including 57 percent of attacks which were phishing emails targeting victims’ sensitive credential information such as usernames and passwords. Additionally, 45 percent of those phishing emails were Microsoft-themed, according to the researchers: threat actors are using both methods for their targets including Microsoft-themed lures for their emails, along with, ensuing phishing landing pages that will either leverage or spoof legitimate Microsoft domains or services. 

“With the number of organizations migrating to Office 365, targeting these credentials allows the threat actor to gain access to the organization as a legitimate user to go undetected,” researchers with Cofense told the press. They added that they “highly recommend organizations enable [multi-factor authentication] along with their [Office 365] migration/ implementation.” 

Malicious actors email trap can vary; sometimes it could display straightforward “‘Joe wants to share a document with you’ SharePoint alert you would normally see from Microsoft,” researchers explained — or it could attach a file with documents that will include a link to a website asking users to login with Microsoft credentials. 

In October, a phishing campaign was reported which appeared to be an automated message from the team of Microsoft telling users that they had a missed Teams chat but in reality, it was a trap, attacking Office 365 recipients’ login credentials. 

Another attack with a different patter had occurred in December which employed embedded URLs that redirect to the fake, never-seen-before Microsoft Office 365 phishing pages. For instance, the attack displayed emails that were impersonating businesses like eFax (which allows consumers to receive faxes via email or online with help of internet service.) 

“We also see [cybercriminals] giving the user options to choose from the most commonly used email platforms. The phishing emails often contain URLs hosted on legitimate domains that maintain a broad consumer base to avoid being blocked by content rules and filters.” said, researchers. 

“Other popular brands we observed asking for credentials were other various cloud hosting services such as Adobe, Dropbox, Box, DocuSign or WeTransfer,” researchers told the press. “Threat actors have been able to scour the internet looking for file-sharing websites that are deemed ‘business related’ in order to make it past the secure email gateway controls, as well as the web proxy filters.”