
Payment API Flaws Exposed Millions of Users’ Data


Researchers discovered API security flaws impacting several apps, potentially exposing the personal and financial information of millions of consumers. 

According to CloudSEK, around 250 of the 13,000 apps published to its BeVigil "security search engine" for mobile applications utilize the Razorpay API to conduct financial transactions. 

Unfortunately, about 5% of these apps were found to have disclosed their payment integration key ID and key secret. This is not a flaw in Razorpay itself, which serves over eight million businesses, but in how app developers are misusing its APIs.

Many of the applications exposing API keys have over a million downloads, including those in health and fitness, eCommerce, travel and hospitality, healthcare, and pharma. The applications are based in India, where CloudSEK is also situated. Here is a list of the applications that are affected:
  • One of India’s leading steel trading companies
  • Online grocery app 
  • Nepalekart (Instant Recharge to Nepal): Now remediated 
  • Top education app in south India 
  • Gold merchant 
  • Health app 
The company explained, “When it comes to payment gateways, an API key is a combination of a key_id and a key_secret that are required to make any API request to the payment service provider. And as part of the integration process, developers accidentally embed the API key in their source code. While developers might be aware of exposing API keys in their mobile apps, they might not be aware of the true impact this has on their entire business ecosystem.” 

“CloudSEK has observed that a wide range of companies — both large and small — that cater to millions of users have mobile apps with API keys that are hardcoded in the app packages. These keys could be easily discovered by malicious hackers or competitors who could use them to compromise user data and networks.” 

The compromised data might include user information such as phone numbers and email addresses, transaction IDs and amounts, and order and refund details. 

Furthermore, since similar apps are typically linked with other programmes and wallets, CloudSEK cautioned that much more could be at risk. 

According to the organization, malicious actors may utilise the leaked API information to execute mass purchases and subsequently start refunds, sell stolen information on the dark web, and/or conduct social engineering operations such as follow-up phishing campaigns. 

All ten of the compromised APIs have now been disabled. Nonetheless, CloudSEK encouraged developers to consider the possible effect of such vulnerabilities early in the development process.  

This is because invalidating a payment integration key would stop the app from functioning, resulting in substantial user friction and financial loss.

CloudSEK concluded, “Given the complexities of regenerating API keys, payment providers should design APIs such that, even if the key has not been invalidated, there are options to minimize the permissions and access controls of a given key.” 

“App developers should be given a mechanism to limit what can be done using a key at a granular level, like AWS does. AWS has put in place identity and access management (IAM) policies that can be used to configure the permissions of every operation on an S3 bucket. This practice should be more widely adopted to minimize what threat actors can do with exposed API keys.”
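As an added illustration (not code from CloudSEK, BeVigil, or Razorpay), the Python script below shows the kind of pre-release check the article argues for: it walks the text files of an unpacked app package and flags hardcoded payment credentials. It assumes the publicly documented Razorpay key ID shape, `rzp_test_` or `rzp_live_` followed by 14 alphanumerics; the sample package contents are constructed, and the key and secret in them are not real.

```python
import math
import os
import re
from collections import Counter

# Razorpay key IDs are documented as rzp_<test|live>_<14 alphanumerics>
# (assumption taken from public docs; the article does not state the format).
RAZORPAY_KEY_ID = re.compile(r"\brzp_(?:test|live)_[A-Za-z0-9]{14}\b")

# Generic "secret assigned to a secret-looking name" in code, XML or .properties.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b(key_secret|api_secret|secret_key)\b\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})"
)

def shannon_entropy(s: str) -> float:
    """Bits per character; random secrets score high, placeholders score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list:
    """Return findings for one file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in RAZORPAY_KEY_ID.finditer(line):
            env = "live" if "_live_" in m.group(0) else "test"
            findings.append({"path": path, "line": lineno,
                             "kind": f"razorpay_key_id_{env}", "value": m.group(0)})
        for m in SECRET_ASSIGNMENT.finditer(line):
            secret = m.group(2)
            # Skip obvious placeholders such as "xxxxxxxx..." (low entropy).
            if shannon_entropy(secret) >= min_entropy:
                findings.append({"path": path, "line": lineno,
                                 "kind": "hardcoded_secret",
                                 "value": secret[:4] + "..."})  # never log the whole secret
    return findings

def scan_package(files: dict) -> list:
    """files maps relative path -> file text (e.g. an apktool output tree)."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings

def load_tree(root: str) -> dict:
    """Read every decodable text file under root into the dict scan_package expects."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable; skip
    return files

def assess(findings: list) -> dict:
    """A live key ID plus a secret in the same package is the critical case."""
    live = sum(1 for f in findings if f["kind"] == "razorpay_key_id_live")
    secrets = sum(1 for f in findings if f["kind"] == "hardcoded_secret")
    return {"live_key_ids": live, "secrets": secrets,
            "critical": live > 0 and secrets > 0}

# Constructed sample package; the key and secret below are made up.
SAMPLE_PACKAGE = {
    "res/values/strings.xml":
        '<resources>\n  <string name="rzp_key">rzp_live_Ab12Cd34Ef56Gh</string>\n</resources>\n',
    "assets/payment.properties":
        "key_id=rzp_live_Ab12Cd34Ef56Gh\nkey_secret=Zq8vL2nR7tW4yK9mP1cX\n",
    "assets/sample.properties":
        "key_secret=xxxxxxxxxxxxxxxxxxxx\n",   # placeholder, must not be reported
    "src/com/example/Pay.java":
        "String secret = BuildConfig.KEY_SECRET; // injected at build time, not in the package text\n",
}

if __name__ == "__main__":
    found = scan_package(SAMPLE_PACKAGE)
    for f in found:
        print(f"{f['path']}:{f['line']} {f['kind']} {f['value']}")
    print(assess(found))
```

A key ID alone is sent to the payment provider from the client anyway, so it is the key secret sitting next to it that turns the finding into the critical case described above. To scan a real unpacked package, replace `SAMPLE_PACKAGE` with `load_tree("/path/to/apktool-output")`.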

Nearly 2 Million Records From Terrorist Watchlist Exposed Online


A terrorist watchlist comprising 1.9 million records was left open and unsecured on the internet for three weeks, between July 19th and August 9th. The Terrorist Screening Center (TSC), a multi-agency centre run by the Federal Bureau of Investigation, is believed to have compiled the watchlist. The list was left publicly accessible on an Elasticsearch cluster with no password.

In July this year, Security Discovery researcher Bob Diachenko discovered various JSON documents in an unsecured Elasticsearch cluster, which grabbed his interest. 

The 1.9 million-record set includes sensitive information about individuals, such as their names, citizenship, gender, date of birth, passport data, and no-fly status.

Search engines Censys and ZoomEye listed the exposed server, implying Diachenko was not the only one who came across the list. Given the nature of the open data (e.g. passport details and "no-fly indicator"), the researcher informed BleepingComputer that it seemed to be a no-fly or similar terrorist watchlist. 

“The exposed Elasticsearch cluster contained 1.9 million records. I do not know how much of the full TSC Watchlist it stored, but it seems plausible that the entire list was exposed,” he added.

The researcher also observed several cryptic fields, such as "tag," "nomination kind," and "selectee indication," whose meaning was not clear. Diachenko told BleepingComputer that, given the nature of the data and the presence of a field named "TSC ID," the only reasonable conclusion was that the record set originated from the Terrorist Screening Center (TSC).

Multiple federal agencies use the FBI's TSC to manage and exchange integrated information for counterterrorism reasons. The Terrorist Screening Database, often known as the "no-fly list," is a secret watchlist managed by the agency. 

Such databases are regarded as extremely sensitive, given the critical role they play in supporting national security and law enforcement activities. Known terrorists, and people reasonably suspected of posing a national security threat, are "nominated" for inclusion on the secret watchlist at the government's discretion.

Airlines and multiple agencies, such as the Department of State, Department of Defense, Transportation Security Administration (TSA), and Customs and Border Protection (CBP), consult the list to determine whether a passenger is allowed to fly or is inadmissible to the United States, and to assess their risk for various activities.

Diachenko discovered the unsecured database on July 19th, on a server with a Bahrain IP address, and reported the data leak to the US Department of Homeland Security (DHS) the same day.

"I discovered the exposed data on the same day and reported it to the DHS. The exposed server was taken down about three weeks later, on August 9, 2021. It's not clear why it took so long, and I don't know for sure whether any unauthorized parties accessed it," writes Diachenko in his report. 

According to Diachenko, exposing such sensitive information could harm the people whose data may be included on the list.

“The terrorist watchlist is made up of people who are suspected of terrorism, but who have not necessarily been charged with any crime. In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list,” he alerted.
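As an added defensive check (not code from Security Discovery, Diachenko, or Elastic), the Python snippet below lints an `elasticsearch.yml` for the two settings whose combination produces the exposure described above: a cluster bound to a non-loopback interface with authentication switched off. It assumes flat `key: value` YAML and Elasticsearch 7.x behaviour, where `xpack.security.enabled` defaults to false on the basic licence; the two configurations embedded in it are constructed.

```python
# Values of network.host that keep the cluster on the local machine only.
# Elasticsearch binds to loopback when network.host is not set at all.
LOOPBACK_VALUES = {"127.0.0.1", "localhost", "_local_", "::1"}

def parse_flat_yaml(text: str) -> dict:
    """Parse the flat 'dotted.key: value' lines elasticsearch.yml normally uses.
    Nested YAML is an assumption this toy parser does not handle."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)          # first colon separates key and value
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def audit_elasticsearch(text: str) -> list:
    """Return (code, message) findings for an elasticsearch.yml body."""
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host", "_local_")      # default: loopback only
    bound_external = host not in LOOPBACK_VALUES
    if bound_external:
        findings.append(("ES-NET-01",
                         f"network.host={host} binds the node to a non-loopback interface"))
    # Assumption: 7.x basic licence, where security is off unless enabled explicitly.
    security = s.get("xpack.security.enabled", "false").lower()
    if security != "true":
        findings.append(("ES-AUTH-01",
                         "xpack.security.enabled is not true: HTTP and transport need no credentials"))
    if bound_external and security != "true":
        findings.append(("ES-EXPOSED",
                         "reachable from the network with no password: the watchlist scenario"))
    return findings

def is_publicly_unauthenticated(text: str) -> bool:
    """True when the config reproduces the no-password, network-reachable exposure."""
    return any(code == "ES-EXPOSED" for code, _ in audit_elasticsearch(text))

# Constructed configs: the weak one mirrors the exposure, the hardened one adds auth and TLS.
WEAK_CONFIG = """
cluster.name: search-cluster
network.host: 0.0.0.0          # reachable from any interface
http.port: 9200
# xpack.security.enabled is not set, so it stays false on a 7.x basic licence
"""

HARDENED_CONFIG = """
cluster.name: search-cluster
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_elasticsearch(cfg))
```

The hardened config still reports `ES-NET-01`, which is deliberate: binding to all interfaces is legitimate for a multi-node cluster, but only once authentication and TLS are on, and it should still sit behind a firewall that exposes port 9200 to the application tier alone.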

Hackers Publish Classified Documents Stolen from Lithuanian Ministry of Foreign Affairs


The Lithuanian Ministry of Foreign Affairs has declined to comment on the authenticity of e-mail files allegedly stolen from its systems and offered for sale on the RaidForums hacking platform. The archive reportedly consists of 1.6 million emails, including correspondence and documents classified as sensitive and highly sensitive.

To lure potential buyers, the hacker published several documents and correspondence belonging to Lithuanian diplomats as proof of the data's authenticity. In a post yesterday, the hacker shared two files, claiming they were email archives of conversations involving top representatives of Lithuania’s embassy in Georgia.

The hacker claims to have a 300GB cache of 102 Outlook Data Files (PST) containing, among other things, discussions of secret negotiations against U.S. President Biden and preparations for war with Belarus, including a “nuclear strike”.

The leaked documents are marked secret, top-secret, and cosmic. The seller also shared a list of names of people who presumably work for the Lithuanian Ministry of Foreign Affairs.

The Lithuanian Ministry of Foreign Affairs on Thursday posted a short statement declining to comment about the potential leak or even if it is legitimate.

“The Ministry of Foreign Affairs is unable to confirm the veracity of the information disseminated to the public and will not comment. We see this as an information attack by unfriendly countries,” the Lithuanian Ministry of Foreign Affairs stated.

The ministry was targeted in November 2020 in an attack attributed to Russian actors, but the incident was not disclosed at the time. It remains unclear how much the seller is asking for the cache, but some forum users expressed interest in purchasing the leak. According to them, some inboxes contain about 10 years of documents.

Gitanas Nausėda, the president of Lithuania, said this week that there is evidence suggesting that information was stolen in the November attack and that some of it is deemed classified.

"An investigation is ongoing, with no doubt, we will assess the damage done during this cyber-attack. But there are certain signs showing that certain information leaked. And that information is deemed classified," the president said in an interview with the news website.

Detecting Cobalt Strike: Cybercrime Attacks


Recent research revealed that cybercriminals who deploy malware often use the Cobalt Strike tool to release multiple payloads after surveying a compromised network. Cobalt Strike is commercial penetration testing software that lets attackers run an agent named 'Beacon' on a targeted system.

Cobalt Strike deploys Beacon to probe the network and deliver additional malware, using customizable command-and-control (C2) profiles that make its traffic appear legitimate. Beacon provides attackers with many functions, including keylogging, SOCKS proxying, file transfer, privilege escalation, port scanning, Mimikatz, and lateral movement.

Cobalt Strike also includes a toolkit for developing shellcode loaders, named Artifact Kit. The Cobalt Strike toolkit is used by both the security community and cybercriminals.

Secureworks Counter Threat Unit (CTU) researchers investigated how and when threat actors have used Cobalt Strike. The findings help organizations secure their systems against these threat actors.

A thorough understanding of the threat actor's end goal is essential when securing a system. For instance, the financially motivated GOLD LAGOON cybercriminal group uses the Qakbot botnet to drop Cobalt Strike onto victims’ machines. CTU researchers observed GOLD LAGOON deploying Cobalt Strike to Qakbot-infected hosts, which are often members of an Active Directory domain. The group, active since 2007, also provides access to other cybercriminal groups that deploy various ransomware families in compromised networks.

Early detection of a compromised network helps defenders recover or fix victims’ systems as soon as possible, as two similar incidents highlight.

In the first incident, Secureworks incident responders helped the victim recover from a REvil ransomware attack. In the second, Secureworks Taegis™ XDR countermeasures detected and alerted on the malicious Qakbot and Cobalt Strike activity, enabling network defenders to mitigate the intrusion before the ransomware was deployed. However, the availability of pirated Cobalt Strike versions on the dark web gives threat actors further opportunity to misuse it.
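Beacon-style implants check in with their C2 server on a fixed sleep interval with a small amount of jitter, and that regularity is what the early detection praised above can key on at the network level. The Python below is an added example, not Secureworks or Cobalt Strike code: it groups proxy log entries by source and destination, measures how regular the gaps between requests are, and flags pairs whose coefficient of variation is low. The log lines are constructed, and the thresholds `min_events` and `max_cv` are assumptions to be tuned against real traffic.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

def parse_line(line: str):
    """Parse 'ISO-timestamp src dst method uri' into (timestamp, src, dst, uri)."""
    ts, src, dst, _method, uri = line.split()
    return datetime.fromisoformat(ts), src, dst, uri

def find_beacons(log_text: str, min_events: int = 8, max_cv: float = 0.15) -> list:
    """Flag (src, dst) pairs whose request timing is suspiciously regular.

    cv = stdev(gaps) / mean(gaps): a human browsing a site produces a high cv,
    a sleep-with-jitter check-in produces a cv close to the configured jitter."""
    timeline = defaultdict(list)
    uris = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, uri = parse_line(line)
        timeline[(src, dst)].append(ts)
        uris[(src, dst)].add(uri)
    hits = []
    for key, stamps in timeline.items():
        if len(stamps) < min_events:          # too few requests to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": key[0], "dst": key[1], "events": len(stamps),
                         "mean_interval_s": round(mean, 1), "cv": round(cv, 3),
                         "distinct_uris": len(uris[key])})
    return hits

def build_sample_log() -> str:
    """Constructed proxy log: one host checking in roughly every 60 s to a single
    destination, one host browsing normally. Addresses are documentation ranges."""
    start = datetime(2021, 8, 1, 9, 0, 0)
    lines = []
    t = start
    for gap in [0, 60, 58, 62, 61, 59, 60, 63, 57, 60]:      # low jitter
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.0.0.5 203.0.113.10 GET /updates/check")
    t = start
    for gap in [0, 5, 120, 2, 900, 33, 7, 240, 15, 61]:      # human-like gaps
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.0.0.7 198.51.100.20 GET /news/index.html")
    return "\n".join(lines)

if __name__ == "__main__":
    for hit in find_beacons(build_sample_log()):
        print(hit)
```

The `distinct_uris` count is there to help triage: a single URI hit on a metronome is more suspicious than a regular poll of a legitimate update service, which is the main false-positive class and is best handled with a destination allowlist rather than by loosening `max_cv`.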

A Silicon Valley Venture Capital Firm Attacked by Ransomware; Ransom Demanded

Advanced Technology Ventures (ATV), a Silicon Valley venture capital firm, was hit by a ransomware attack in July 2021. The firm, with more than $1.8 billion in assets, is investigating the incident and restoring its systems.

According to the firm, malicious actors gained access to its systems and stole data, including the personal information of the company’s private investors and limited partners.

In a letter to the Maine attorney general’s office, ATV stated that it only learned of the attack on July 9th, when its servers storing financial information were encrypted by ransomware. On July 26th, the firm found that data had been stolen from the servers before the files were encrypted.

ATV said the group used the common “double extortion” tactic, threatening to publish the data online if the ransom was not paid. ATV believes the group targeted the personal data of individual investors, including names, email addresses, social security numbers, and phone numbers.

According to a listing on the Maine attorney general’s data breach notification portal, around 300 individuals were affected by the attack, including one from Maine. ATV has informed the FBI about the attack, but no further technical details have been reported.

The firm, founded in 1979, is based in Menlo Park, California, with offices in Boston. It invests extensively in technology, software and services, communications, and healthcare technology. Venture capital firms are known for keeping their investors confidential, and ATV does not publicly disclose its investors. In certain circumstances, however, the firm discloses the names of investors, such as those who invest millions into a business venture. The firm gives various reasons for this, but analysts say it is because of market competition.

The FBI and SEC Provided Guidance Against Imposter Scams


The FBI and SEC have issued new guidance to help investors fight financial scams. Users are advised to reject and report fraud to protect their businesses and avoid paying money to an imposter.

Among various sectors, consumer markets have taken a major hit as stringent lockdowns have brought economic activity to a standstill.

Cyber-attackers are now employing highly sophisticated tricks to carry out financial scams. According to the FBI's Criminal Investigative Division and the United States Securities and Exchange Commission, fraudsters pose as real brokers or investment advisers to trick users. Once trust has been gained, the fraudsters can trick investors into surrendering more information.

The FBI and the SEC said that cybercriminals are using advanced techniques to impersonate real investment professionals, including fake social media profiles and fake websites that look identical to those of legitimate firms, while hiding their actual locations.

In addition, cybercriminals have been falsifying legitimate documents, such as public reports bearing a real professional's identity and Central Registration Depository (CRD) number but an unregistered firm name. Fraudsters targeting investors reportedly used poor grammar and made spelling errors. Besides the FBI and the SEC, a similar warning was issued by FINRA last week.

"The doctored BrokerCheck report was emailed to potential “clients” using the name and CRD number of a registered investment professional—but with a company that is not registered as a broker-dealer with FINRA..." 

"...The solicitation included other documentation and a request for investors to respond with a photo of their driver’s license and other personal information...", the group wrote. 

Safety Measures

• According to the FBI and SEC, if someone claims that an investment is legitimate, users should research the person's name and verify their claims thoroughly.

• Be wary of offers that sound too good to be true, such as unusually high investment returns.

• Before doing business with any firm, investors are advised to verify it using FINRA's BrokerCheck.

• The FBI and SEC also highlighted that most licensed and registered investment organizations do not allow investors to use credit cards or cryptocurrencies to invest, so think twice before making such investments.

• At the time of payment, investors are advised not to send money without verifying the recipient. Also, do not send personal data, including date of birth, driver's license number, or any other official documents.

This Vulnerability in E-Learning Platform Moodle Could Even Modify Exam Results


A critical security vulnerability in the popular e-learning platform Moodle allows access to student data and exam papers, and could even be used to modify exam results. Moodle is an open-source e-learning platform used by 190,000 organizations worldwide, most of them educational institutions such as colleges and universities. The bug, a PHP object injection vulnerability in Moodle's Shibboleth authentication module, can allow malicious hackers to achieve remote code execution (RCE), leading to a complete takeover of the server.

If that happens, the attacker can access anything on the server, such as student data, passwords, messages and exam grades. Penetration testers Robin Peraglie and Johannes Moritz found the flaw; they were hunting bugs in Moodle following their earlier discovery of two RCE vulnerabilities in the software.

According to them, the vulnerability only exists on Moodle LMS servers with Shibboleth authentication enabled. It is disabled by default, which is a relief for the educational institutions that use it. But where it is enabled, unauthenticated attackers can execute arbitrary system commands remotely, which can lead to a complete compromise of the server, including leakage of user data. Students could also use it to tamper with exams before they take place.

According to the experts, the vulnerability is very easy to exploit. "After reporting the issue to Bugcrowd and following a lengthy disclosure process, the flaw has now been patched. It took four months for the vulnerability to be triaged, revealed Moritz, who said he had the impression it was not treated as a priority. When asked why they didn’t report it directly to Moodle, which has its own vulnerability disclosure program, the researcher said they are “quite inflexible with providing patches because of their two-month release cycle”. Moritz did, however, reveal that the team also found a second critical Moodle pre-authentication bug – details of which will be released following a separate, ongoing coordinated disclosure process," reports the Daily Swig.

An Indian Firm Facing 1,738 Cyber Attacks A Week On Average, Claims Report

A report published on Thursday claimed that Indian organizations faced an average of 1,738 cyberattacks per organization per week over the last six months, compared with 757 attacks per organization globally.

According to the report by Check Point Research (CPR), the threat intelligence arm of Check Point Software Technologies, the Indian industries most attacked in the last six months include government/military, education/research, insurance/legal, manufacturing, and healthcare institutions.

Malicious actors continue to exploit the Covid-19 pandemic, and ransomware attacks have increased by 93 percent globally, said the 'Cyber Attack Trends: 2021 Mid-Year Report'.

The figures show that the APAC region faced the highest number of cyber-attacks, at around 1,338 per organization per week, followed by EMEA at 777 and the Americas at 688.

"In the first half of 2021, cybercriminals have continued to adapt their working practices to exploit the shift to hybrid working, targeting organizations' supply chains and network links to partners for maximum disruption," said Maya Horowitz, VP Research at Check Point Software.

"This year cyber-attacks have continued to break records and we have even seen a huge increase in the number of ransomware attacks, with high-profile incidents such as SolarWinds, Colonial Pipeline, JBS, or Kaseya," she added.

Despite continuous efforts by various governments and law enforcement agencies, ransomware attacks are likely to grow rapidly in the coming months of 2021.

"Ransomware attacks will continue to proliferate despite increased investment from governments and law enforcement, especially as the Joe Biden Administration makes this a priority," the report added.

Ransomware Attempt Volume Touching Over 300 Million, Sets Record

A new report published by network security company SonicWall states that ransomware attacks increased sharply in the first half of 2021, with 304.7 million attempted attacks observed by the company.

SonicWall researchers recorded record numbers of attempted ransomware attacks in both April and May, but June surpassed both months with 78.4 million attempted attacks.

According to the study, the total number of ransomware attacks observed by SonicWall in the first half of 2021 already exceeds the total for all of 2020.

"Even if we don't record a single ransomware attempt in the entire second half (which is irrationally optimistic), 2021 will already go down as the worst year for ransomware SonicWall has ever recorded," the report read.

According to the 2021 SonicWall Cyber Threat Report, developed countries including the US, the UK, Germany, South Africa, and Brazil topped the list of countries hardest hit by ransomware in the first half of 2021.

The report also named the US states most affected: Florida saw 111.1 million ransomware attempts, New York 26.4 million, Idaho 20.5 million, and Rhode Island and Louisiana nearly 9 million.

Furthermore, the report discussed what these ransomware attacks are doing to organizations' systems. SonicWall's network collects malware and IP reputation data from tens of thousands of firewalls and email security devices around the world.

According to the report, the most common targets in 2021 are important government-related organizations, including financial institutions, defense, and information broadcasting institutions; governments face more attacks than any other industry each month. By June, government customers saw 10 times as many ransomware attempts, an overall spike of 917%.

Customers in the education sector were also heavily targeted by ransomware, with an increase of 615%. SonicWall Capture Labs threat researchers also found increased ransomware risk across healthcare (594%) and retail (264%) organizations.

According to data from SonicWall's Capture Labs, three ransomware families, Ryuk, Cerber, and SamSam, alone accounted for 64% of all attempted ransomware attacks. Ryuk accounted for 93.9 million attempts, roughly triple its 2020 figure.

Cerber accounted for 52.5 million ransomware attempts in 2021, while SamSam rose to 49.7 million attempts in 2021, up from 15.7 million last year.

Trump's Social Media Website GETTR Hacked


An attacker leaked non-public information from GETTR, a social media platform launched by former president Donald Trump's team in July 2021. The data was taken in two batches, the first on July 1st and the second on July 5th, and was later leaked on a publicly accessible hacking forum called RAID, where such data can be downloaded free of charge.

According to the leaked file copies and the hacker's claims, the first batch of data was retrieved by scraping the website, whereas the second batch (the larger leak) was obtained by exploiting compromised GETTR API endpoints. The Record analyzed samples containing data such as usernames, addresses, profile information, website user IDs, and other public information. The leak also contained non-public information such as users' email addresses, dates of birth, and location data.

Cybersecurity experts confirm that the dumped data is authentic. GETTR did not respond to requests for comment about the hack. In all, the data of 90,065 users was included in the dump posted on RAID on Monday, July 5. The API leak follows the website's bumpy launch. On July 4th, an attacker broke into the GETTR website and seized multiple high-profile Republican accounts, including those of Georgia Rep. Marjorie Taylor Greene, former Secretary of State Mike Pompeo, Jason Miller, the former Trump spokesperson and Gettr’s founder, and former Trump campaign chief Steve Bannon. Bumpy site launches are common; similar incidents have affected other organizations before, particularly right-wing platforms in US politics.

Another pro-Trump social media platform, Gab, suffered a similar attack in March this year, which exposed its members' data. The Wrap reports: "the hacked profiles were all changed to include the message “@JubaBaghad was here :)”; some of the accounts also included the phrase “free Palestine.” The accounts were hacked around 8:30 a.m. ET on Sunday, according to Insider, before being restored around 10:00 a.m. ET. Miller, meanwhile, told the outlet the hack was merely a sign Gettr was onto something big."

Industrial Facilities are at Risk of Data Theft and Ransomware Attacks


Multinational cybersecurity software company Trend Micro has published a new report highlighting the growing threats of downtime and sensitive credential theft from ransomware attacks targeting industrial facilities.

“Industrial Control Systems are incredibly challenging to secure, leaving plenty of gaps in protection that threat actors are exploiting with growing determination,” said Ryan Flores, senior manager of forward-looking threat research for Trend Micro...” 

“…Given the US government is now treating ransomware attacks with the same gravity as terrorism, we hope our latest research will help industrial plant owners to prioritize and refocus their security efforts."

What happens when a threat actor targets your facility? 

Industrial Control Systems (ICS) are crucial components of factories, utility plants, and other facilities that monitor and control industrial processes across IT-OT networks. When ransomware gets into these systems, it can halt all operations for several days and increase exposure to further attacks.

According to the published report, several ransomware families accounted for more than half of ICS ransomware attacks in 2020, including Ryuk (20%), Nefilim (14.6%), Sodinokibi (13.5%), and LockBit (10.4%).

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) jointly published a report titled ‘The Guide’, which aims to inform and improve network defense and reduce exposure to ransomware attacks. It offers two resources: Ransomware Prevention Best Practices and a Ransomware Response Checklist. Moreover, CISA provides various scanning and testing services at no cost to help organizations assess, identify, and mitigate their exposure to threats, including ransomware.

The National Institute of Standards and Technology (NIST) also provides guidance on detecting and responding to ransomware attacks. Notably, several cybersecurity agencies have recently stepped forward to help industries detect and mitigate future ransomware attacks, and numerous guidance reports on ransomware threats are being published.

After Ransomware Attack, AJG US Reports Data Breach


US-based global insurance brokerage and risk management firm Arthur J. Gallagher (AJG) has reported a cyberattack on the company’s infrastructure and has begun mailing breach notifications to potentially affected individuals. Notably, in September 2020 the company made headlines for a ransomware attack that crippled its systems.

"Working with the cybersecurity and forensic specialists to determine what may have happened and what information may have been affected, we determined that an unknown party accessed or acquired data contained within certain segments of our network between June 3, 2020, and September 26, 2020," AJG reported to the press. 

AJG is one of the largest insurance brokers in the world, with more than 33,300 employees and operations in 49 countries. It ranks 429 on the Fortune 500 list, and according to its website it provides insurance-related services in more than 150 countries.

The company has not given technical details of the breach, and it remains unclear whether customers' or employees' credentials were accessed or stolen. However, during the investigation the company found that sensitive information stored on its systems in various forms was breached during the attack, including usernames, passwords, social security numbers or tax identification numbers, dates of birth, passport details, driver's licenses, employee identification numbers, credit card information, medical records, electronic signatures, claim and diagnosis information, health insurance information, and biometric information.

Following the incident, the company notified data regulatory authorities and all affected people (7,376 according to the information provided to the Office of Maine's Attorney General), as required by law. Additionally, the company has recommended that affected individuals monitor their bank and credit card statements for fraud.

“While Gallagher is not aware of any attempted or actual misuse of the impacted information, Gallagher is providing access to credit monitoring services for twenty-four months through Kroll to individuals whose personal information was affected by this incident, at no cost to these individuals,” AJG added.

Indian Startup Exposed Byju's Compromised Server Data, an Indian-based technology secured a compromised server that was leaking out private and sensitive data on one of its clients, Byju's, a startup and one of the leading educational startups. The server was left uncompromised since June 14, says Shodan, who provide the historical data. Shodan is a search engine for compromised devices and databases. Anyone could access the server data as it was left without the password. 

The compromised server was discovered by security researcher Anurag Sen, who also asked for assistance from Tech Crunch. "WhiteHat Jr. spokesperson Sameer Bajaj said the company is currently communicating with about the incident and will take appropriate action in accordance with our rigorous security policies," reports Tech Crunch. offers companies like Byjus customer-relationship technology. It is a Bangalore-based start-up that recently raised $8 Million in Series. 
Funding from Sequoia Capital India in 2020, after two years of its founding. 

Most of the data stored in the compromised server containing information related to an online school that teaches coding to students in India and the U.S. Byjus bought Whitehat for $300 Million last year. The server had the names and addresses of the students and the email addresses and contact numbers of the parents and teachers. Besides this, the exposed server contained other data related to students, such as chat logs between parents and staff, and remarks given by teachers to their students. The compromised server also contained email copies that had reset codes for restoring accounts and other data pertaining to 

Co-founder and chief executive Surga Thilakan said the company is investigating the issue but did not say what kind of data was exposed on the server. "Our assessment suggests the exposed device appears to be a non-production, staging instance of one of our integration services having access to less than 1% of India-based end-of-life sales logs for a fortnight. … follows stringent data security norms and is certified under the highest standards of global security and safety. We have, in an abundance of caution, immediately severed access to the cloud device," Thilakan told TechCrunch.

Mercedes-Benz USA: Nearly 1,000 Customers’ Data Accessible Online


Mercedes-Benz USA stated on Thursday, 24 June, that sensitive information belonging to fewer than 1,000 customers and prospective buyers had been inadvertently left accessible on a cloud storage platform.

On 11 June 2021, a vendor informed Mercedes-Benz that sensitive personal data of fewer than 1,000 Mercedes-Benz customers and interested buyers had been mistakenly made accessible on a cloud storage platform. The vendor confirmed this as part of an ongoing investigation. The problem was discovered through the efforts of an external security researcher.

The company believes the information was entered by customers and interested buyers on Mercedes-Benz websites between 1 January 2014 and 19 June 2017. No Mercedes-Benz system was compromised as a result of this event, and at this time there is no evidence that any Mercedes-Benz data has been misused.

For MBUSA, data security is a serious matter. The vendor has stated that the problem is fixed and that a repeat of this kind of event is not possible. The company will continue its investigation to ensure the matter is properly addressed.

The company says that the affected consumers' personal information consists mostly of self-reported credit scores, together with a limited number of driver's license numbers, Social Security numbers, credit card details and dates of birth. Viewing the information would require knowledge of special software programs and tools; none of the information in these files would be returned by an Internet search.

The investigation began by assessing the accessibility of around 1.6 million unique records. The overwhelming majority of those records contained names, addresses, email addresses, phone numbers and some vehicle details. Nevertheless, MBUSA stresses that its analysis of the full set of records found that more sensitive personal information was publicly accessible for fewer than 1,000 Mercedes-Benz customers and interested buyers.

Mercedes-Benz, also branded simply as Mercedes, is a German automotive brand and, since late 2019, a subsidiary of Daimler AG under the name Mercedes-Benz AG. It is renowned for its luxury and commercial vehicles and is headquartered in Stuttgart, Baden-Württemberg.

Mercedes-Benz USA has already begun notifying the affected individuals, who can contact the company for additional information.

Security Experts List Who Is Responsible for Leaking Your Data to Scammers

"There are three common types of data leakage," said Vseslav Solenik, Director of the R-Vision Center of Expertise.

The personal data of Russians ends up in the hands of fraudsters through the negligence of company employees and partners, through the hacking of organizations' IT infrastructure, or through the carelessness of citizens themselves.

Mr. Solenik stressed that in most cases data leakage is illegal. Often, scammers obtain personal data from the people themselves by promising them lucrative bonus programs.

"Fraudsters attract them with various bonus programs, favorable offers and other things. And in exchange, the attackers receive a full set of personal data," the expert added.

A peculiarity of Russian legislation is that even when a person gives a company nothing more than a full name and phone number, the data subject is obliged to fill out the consent form prescribed by law, which forces him to provide passport details, registration address and other information that fraudsters can later exploit.

"At the same time, it is impossible today to fully protect your personal data from fraudsters. You can only practice information security hygiene, raise your awareness so as to resist phishing and other attacks, stay vigilant, and refuse to hand over personal data in exchange for minor services from dubious companies," the expert stressed.

Solenik added that it is equally important to know the current legislation. He urged Russians to defend their rights in the area of personal data processing: to report leaks to the regulator and to hold companies accountable for them.

Earlier, a majority of Russians had supported amendments to the law on personal data: 62 percent consider it necessary to be able to withdraw consent to the use of their personal information, in which case Internet services would have to delete it within three days.

Scripps Health Care Facility Reported Ransomware


Scripps Health reported on Tuesday that it has begun sending notifications to nearly 150,000 individuals after threat actors stole sensitive personal data during the ransomware attack on the health system on 1 May.

What is Scripps Health and how does it operate?

Scripps is a nonprofit health care system based in San Diego, California. It operates five hospitals and 19 outpatient facilities and treats half a million patients a year through 2,600 affiliated physicians. Scripps also runs several medical education and research programs.

In a statement released by the organization, a spokesperson said that the company has only just begun notifying victims so that they can take protective measures and safeguard their personal information from further misuse. "About 2.5 percent of those — nearly 3,700 — are said to have had their Social Security and/or driver's license numbers taken. For those, the company said, it will provide complimentary credit monitoring and identity protection support services," he added.

According to the organization, the cybercriminals stole clinical and personal data including individuals' addresses, patient account numbers, dates of birth, medical record numbers, health insurance information, treating doctors' names and medical information. The data was reportedly taken from Scripps' systems, but the organization did not disclose which system it came from.

The breach forced medical staff at every level of the organization to work differently while the systems were at risk. Clinicians had to fall back on paper charts for their documentation, and access to important clinical data, including previous test results, was unavailable for weeks.

The organization added that the attack is still under investigation and that it cannot yet disclose all the technical details. "We still don't know what the rest of the documents seem to be related to. We have started an extensive manual review of these documents…"

“…This is a time-consuming process that can take months, but we will notify affected individuals and organizations as soon as possible in accordance with applicable regulatory requirements,” Scripps added.

Prometheus: Emerging Ransomware Group That Has Published Mexican Government Data For Sale


Emerging technology has changed the way wealth is made and hoarded: in the 21st century, information and data mean money, and the threat groups compromising the systems of large technology companies and public and private organizations around the world have reached a new level of sophistication.

The last few years have seen a rapid surge in cyberattacks around the world, and their frequency keeps growing.

A new ransomware gang identified as 'Prometheus' is now making headlines. The group has become a threat to the Mexican government after publishing stolen data on the dark web, where it was put up for sale today.

With this incident, the group became the first hacking group to attack a major Latin American state at this level.

Resecurity, a Los Angeles-based cybersecurity company, said in its report on the attack that the leaked data was taken from multiple e-mail accounts through account takeover (ATO) and business e-mail compromise (BEC), and by leveraging network resources belonging to several Mexican government bodies. The company added that it is not yet possible to determine the full extent and impact of the leak, but one thing is certain: this is an extortion scheme run by malicious actors.

Mexico is a major trading partner of the United States, the second-largest economy in Latin America and the 17th-largest exporter in the world. The number of cybercrimes reported in the country has skyrocketed in recent years, and in 2020 Mexico became one of the Latin American countries with the most reported cybercrime.

The data the Prometheus group leaked on its website today belongs to 27 victims. They include Hotel Nyack (New York, USA), Ghana National Gas, enterprises in France and the Tulsa Cardiovascular Center of Excellence (Oklahoma, USA), with others located in Switzerland, Norway, the Netherlands, the UAE, Brazil and Malaysia. The Ransomware Task Force coordinated by the Institute for Security and Technology is currently researching the incident.

Threat Actors Use Several New Advanced Techniques To Exploit Windows Services


According to security researchers, attackers are using several new and comparatively advanced techniques to abuse legitimate Windows services and escalate from low-level privileges to full control of the system. These attacks undermine the principle of least privilege, the practice of restricting the access rights of users, accounts and computing processes to only those resources required for routine, legitimate activity, which is also a foundational component of zero trust strategies.

In these recent attacks, the threat actors took advantage of the same Windows services targeted in earlier attacks, while also developing new techniques that work against the latest versions of the operating system, according to Antonio Cocomazzi, a system engineer at SentinelOne, who presented the research at this week's virtual Black Hat Asia conference.

The biggest problem these attacks pose for organizations is that they exploit services that are core to the operating system and exist in Windows by design. These services are enabled and available by default, and they play an essential part in running web, mail, database and other important workloads.

The exploit known as JuicyPotato has become a mainstream method for threat actors to break into Windows systems, Cocomazzi said, adding that SentinelOne has specific evidence that it is being used in multiple APT campaigns.

"Microsoft has fixed the exploit in newer versions of its software. However, JuicyPotato still works on every updated Windows Server until version 2016 and on every updated Windows Client machine until version 10, build 1803. Additionally, newer versions of the so-called Potato family of exploits — such as RoguePotato and Juicy 2 — are now available that bypass the Microsoft fix that shut down JuicyPotato," said Cocomazzi.
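As an added example (not code from SentinelOne or from the talk), the script below turns the statement above into two defender-side checks. The first maps the versions Cocomazzi names (Server 2016, Windows 10 1803) to their public build numbers, which is my assumption, to tell whether a host still carries the original JuicyPotato exposure. The second hunts process-creation telemetry for the pattern every Potato variant produces: a process started by a service account that holds SeImpersonatePrivilege by default (IIS application pools, NETWORK SERVICE, SQL Server service accounts) spawning a child that runs as SYSTEM. The Sysmon-style events, including the ParentUser field, are constructed for the example.

```python
"""Defender-side checks for the Potato family of Windows privilege
escalation exploits (added example, not SentinelOne's code).

1. juicy_potato_fixed(): does an OS build carry Microsoft's fix for the
   original JuicyPotato?  Thresholds follow the quoted claim (works up to
   Server 2016 and Windows 10 1803); the build numbers are an assumption.
2. find_potato_like_escalations(): hunt Sysmon-style process-creation
   events for a SYSTEM child whose parent ran as a service account that
   holds SeImpersonatePrivilege, the precondition every Potato needs.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Public build numbers of the last releases without the fix (assumption).
LAST_UNFIXED_SERVER_BUILD = 14393  # Windows Server 2016
LAST_UNFIXED_CLIENT_BUILD = 17134  # Windows 10, version 1803


def juicy_potato_fixed(build: int, is_server: bool) -> bool:
    """True if the original JuicyPotato is NOT expected to work on this
    build.  Caveat from the article: RoguePotato and Juicy 2 bypass the
    fix, so True here does not make a host safe from the whole family."""
    limit = LAST_UNFIXED_SERVER_BUILD if is_server else LAST_UNFIXED_CLIENT_BUILD
    return build > limit


# Accounts that hold SeImpersonatePrivilege by default and are therefore
# the usual starting point of a Potato chain (web, mail and DB services).
IMPERSONATING_ACCOUNTS = {"NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\LOCAL SERVICE"}
IMPERSONATING_PREFIXES = ("IIS APPPOOL\\", "NT SERVICE\\")
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


def holds_impersonate_by_default(user: str) -> bool:
    u = user.upper()
    return u in IMPERSONATING_ACCOUNTS or u.startswith(IMPERSONATING_PREFIXES)


@dataclass
class Finding:
    process_id: int
    image: str
    parent_image: str
    parent_user: str


def find_potato_like_escalations(events) -> list[Finding]:
    """events: dicts shaped like Sysmon Event ID 1 with User/ParentUser
    (ParentUser is assumed to be present, as in Sysmon 13+).  A SYSTEM
    child of an impersonating service account is rare in legitimate
    operation and is exactly what a successful Potato produces."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1 or ev.get("User", "").upper() != SYSTEM_ACCOUNT:
            continue
        parent_user = ev.get("ParentUser", "")
        if holds_impersonate_by_default(parent_user):
            findings.append(Finding(ev["ProcessId"], ev["Image"],
                                    ev["ParentImage"], parent_user))
    return findings


# Constructed sample telemetry (not real logs), one JSON event per line:
# an IIS app pool runs an uploaded binary that spawns cmd.exe as SYSTEM,
# surrounded by benign activity that must not be flagged.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessId": 1204, "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\services.exe", "ParentUser": "NT AUTHORITY\\SYSTEM"}
{"EventID": 1, "ProcessId": 3388, "Image": "C:\\Windows\\System32\\cmd.exe", "User": "IIS APPPOOL\\DefaultAppPool", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "ParentUser": "IIS APPPOOL\\DefaultAppPool"}
{"EventID": 1, "ProcessId": 4420, "Image": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\inetpub\\wwwroot\\uploads\\jp.exe", "ParentUser": "IIS APPPOOL\\DefaultAppPool"}
{"EventID": 3, "ProcessId": 4420, "Image": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM"}
"""


def load_sample_events() -> list[dict]:
    return [json.loads(line) for line in SAMPLE_EVENTS.strip().splitlines() if line.strip()]


if __name__ == "__main__":
    for build, server in ((14393, True), (17763, True), (17134, False), (19041, False)):
        state = "fixed" if juicy_potato_fixed(build, server) else "JuicyPotato works"
        print(build, "server" if server else "client", state)
    for f in find_potato_like_escalations(load_sample_events()):
        print(f"PID {f.process_id}: {f.parent_user} ({f.parent_image}) spawned {f.image} as SYSTEM")
```

The second event (a web shell running cmd.exe as the app pool identity) is deliberately not flagged: it is a compromise, but not the privilege escalation this rule is after, and belongs to a separate web-server rule. Tune the account list to the service accounts actually present in your estate.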

IT Services Remain Disrupted At Two Colleges Of Ireland After Ransomware Attacks


Two Irish third-level institutions, the National College of Ireland (NCI) and Technological University Dublin, have been hit by cyber attacks.

Both institutions have reported ransomware attacks on their systems. The National College of Ireland is working around the clock to restore its IT services after the attack, which forced it to take its IT systems offline.

"NCI is currently experiencing a significant disruption to IT services that have impacted a number of college systems, including Moodle, the Library service, and the current students’ MyDetails service," the college reported on Saturday. 

Press reports said that the two third-level institutions are dealing with cyber attacks, specifically ransomware attacks, and that there is no definite timeline for when their IT services will be fully restored.

In the wake of the attacks, both institutions immediately notified students and staff. NCI's IT department suspended access to its systems, and the campus building was closed to staff and students until IT services are fully restored.

NCI has also reported the attack to the authorities, including An Garda Síochána, the national police service of the Republic of Ireland, and the Data Protection Commission.

"Please note that all classes, assessments, and induction sessions planned from today Tuesday 6th until this Thursday 8th April inclusive have been postponed and will be rescheduled for a later date," NCI added in a statement issued today. 

"…The College will issue a further update on Thursday afternoon in relation to classes and other events for Friday and beyond." Students with assignments due this week were told that "no late penalties will be applied while the outage remains in place."

Meanwhile, students were told not to access any campus system until Monday, April 12, and were asked not to contact the IT staff currently working on restoring the affected systems.

Facebook Data Breach: How To Check If Your Details Were Leaked


By now you have probably heard that Facebook has suffered a very large-scale user data leak affecting more than 533 million users from over 100 countries.

Cybercriminals posted the data on an online forum; it included Facebook IDs, phone numbers, locations and other profile details, and in some cases email addresses. Notably, the personal data of Facebook's founder and CEO, Mark Zuckerberg, was among the leaked records.

This article explains how to check whether your personal data was exposed as part of this leak. The same tools also let you check other recent and past leaks.

The first step is to visit Have I Been Pwned and enter your email address or the phone number linked to your account. If your email address (and the associated account) appears in a breach, the site will tell you, and not only for this leak: it lists every breach in which your personal data is known to have appeared.

"Have I Been Pwned" was created by security researcher Troy Hunt, who was initially reluctant to add phone-number search because of the privacy risks it carries, but added the feature after this leak.
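The same lookup can be scripted against the site's public v3 API, which is useful when you have many addresses to check. The block below is an added example, not code from Have I Been Pwned or Troy Hunt. It assumes you hold an HIBP API key (the key value and the sample responses are constructed), and it handles the cases a quick script usually gets wrong: a 404 means "not found", while a bad key (401) or rate limit (429) must be raised rather than silently reported as clean. Phone-number search is a website feature, so the script restricts itself to email addresses.

```python
"""Query Have I Been Pwned's v3 breachedaccount API for an e-mail address
(added example, not code from the site or its author).  Assumes an HIBP
API key; the key and the sample responses below are constructed.  The
`fetch` hook lets the check run offline against those responses."""
from __future__ import annotations

import json
import re
import urllib.parse
import urllib.request
from urllib.error import HTTPError

HIBP_API = "https://haveibeenpwned.com/api/v3/breachedaccount/"
USER_AGENT = "breach-check-example/1.0"  # HIBP rejects requests without a user agent


class RateLimited(Exception):
    """HTTP 429: back off for the number of seconds in Retry-After."""


def http_fetch(url: str, headers: dict) -> tuple[int, str, dict]:
    """Real network call: returns (status, body, lower-cased headers)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode(), {k.lower(): v for k, v in resp.headers.items()}
    except HTTPError as err:  # 404 / 401 / 429 arrive here, not as a normal response
        return err.code, err.read().decode(errors="replace"), {k.lower(): v for k, v in err.headers.items()}


def check_account(account: str, api_key: str, fetch=http_fetch) -> list[dict]:
    """Breaches the address appears in ([] if none).  Errors raise rather
    than return [], so a bad key or a rate limit is never read as 'clean'."""
    account = account.strip()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", account):
        raise ValueError("expected an e-mail address (phone search is a website feature)")
    url = HIBP_API + urllib.parse.quote(account) + "?truncateResponse=false"
    status, body, resp_headers = fetch(url, {"hibp-api-key": api_key, "user-agent": USER_AGENT})
    if status == 404:
        return []
    if status == 200:
        return json.loads(body)
    if status == 401:
        raise PermissionError("HIBP rejected the API key")
    if status == 429:
        raise RateLimited(resp_headers.get("retry-after", "?"))
    raise RuntimeError(f"unexpected HTTP {status}")


def summarize(breaches: list[dict]) -> dict:
    """What to act on: which breaches, and whether any of them leaked
    passwords (only then is a password change the right response; a leak
    of names and phone numbers calls for phishing vigilance instead)."""
    return {
        "breaches": [(b["Name"], b["BreachDate"]) for b in breaches],
        "passwords_exposed": any("Passwords" in b.get("DataClasses", []) for b in breaches),
    }


# Constructed responses (not real HIBP data), keyed by account.
FAKE_RESPONSES = {
    "pwned@example.com": (200, json.dumps([{
        "Name": "Facebook", "Title": "Facebook", "BreachDate": "2019-08-01",
        "DataClasses": ["Email addresses", "Names", "Phone numbers"]}]), {}),
    "clean@example.com": (404, "", {}),
    "busy@example.com": (429, "", {"retry-after": "2"}),
}


def fake_fetch(url: str, headers: dict) -> tuple[int, str, dict]:
    """Offline stand-in for http_fetch that checks the required headers."""
    assert headers.get("hibp-api-key") and headers.get("user-agent")
    account = urllib.parse.unquote(url[len(HIBP_API):].split("?")[0])
    return FAKE_RESPONSES[account]


if __name__ == "__main__":
    for addr in ("pwned@example.com", "clean@example.com"):
        print(addr, summarize(check_account(addr, "hypothetical-key", fake_fetch)))
```

To run it for real, pass your own key and drop the `fetch=fake_fetch` argument; the live API returns one JSON object per breach, and the `DataClasses` list is what tells you whether a password reset is actually needed.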

Another tool is a site called The News Each Day, where you can enter your phone number and it tells you whether that number appears in the leaked data.

Additionally, users are advised to change their passwords on any compromised sites and to consider reputable endpoint protection tools. They should also verify the security of the sites and apps they use, and may want to rely on an identity theft protection service to keep their identity safe.