Mar 26 2024
Eliminating SQL Injection Vulnerabilities in Software
SQL Injection Strategies: Practical techniques to secure old vulnerabilities against modern attacks
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Mar 20 2024
 Kyna Kosling  March 14, 2024
IT Governance USAâs research found the following for February 2024:
This month, globally, 719,366,482 records were known to be breached â 86% of them were in the USA.
This is unusual. Typically, the USA suffers more incidents than any other country, but these tend to lead to a disproportionately low number of records breached.
This month is different due to two outlier breaches:
*The threat actor provided 100,000 records as a sample.
For a quick, one-page overview of this monthâs findings, please use our Data Breach Dashboard:
Kyna Kosling March 14, 2024
IT Governance USAâs research found the following for February 2024:
This month, globally, 719,366,482 records were known to be breached â 86% of them were in the USA.
This is unusual. Typically, the USA suffers more incidents than any other country, but these tend to lead to a disproportionately low number of records breached.
This month is different due to two outlier breaches:
*The threat actor provided 100,000 records as a sample.
For a quick, one-page overview of this monthâs findings, please use our Data Breach Dashboard:
You can also download this and previous monthsâ Dashboards as free PDFs here.
This blog provides further analysis of the data weâve collected. We also provide an annual overview and analyze the longer-term trends in our 2024 overview of publicly disclosed data breaches and cyber attacks in the USA.
You can learn more about our research methodology here.
Note 1: Where âaround,â âabout,â etc. is reported, we record the rounded number. Where âmore than,â âat least,â etc. is reported, we record the rounded number plus one. Where âup to,â etc. is reported, we record the rounded number minus one.
Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we canât know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.
Big Breaches: Cybersecurity Lessons for EveryoneÂ
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Mar 05 2024
In a recent unsettling development, American Express has confirmed that sensitive information related to its credit cards has been compromised due to a data breach at a third-party service provider. This incident has raised serious concerns about the security of financial data and the implications for customers worldwide.
The breach was reportedly executed by a third-party merchant processor, which inadvertently allowed the sensitive information of American Express cardholders to leak onto the dark web. This exposed data includes American Express Card account numbers, expiration dates, and possibly other personal information, putting customers at risk of fraud and identity theft.
American Express has been proactive in addressing the situation, notifying affected customers and urging them to remain vigilant for signs of unauthorized activity on their accounts. Despite the breach, American Express has emphasized that its own systems were not compromised, pointing to the external nature of the security lapse.
The exposure of credit card details in a third-party data breach is a stark reminder of the vulnerabilities that exist within the digital financial ecosystem. For customers, this incident underscores the importance of monitoring their financial statements regularly and reporting any suspicious transactions immediately.
American Express has assured its customers that it is taking the necessary steps to mitigate the impact of the breach. This includes offering free credit monitoring services to affected individuals to help protect their financial information from further misuse.
This incident is not isolated, as data breaches involving third-party service providers have become increasingly common. The reliance on external vendors for processing financial transactions and handling sensitive data introduces additional risks that companies must manage. It highlights the need for stringent security measures and continuous vigilance to protect against cyber threats.
In response to the breach, American Express and other financial institutions are likely to reassess their relationships with third-party vendors and enhance their security protocols to prevent similar incidents in the future. This may involve more rigorous vetting processes, the implementation of advanced cybersecurity technologies, and closer collaboration between companies and their service providers to ensure the highest standards of data protection.
For customers, the breach serves as a critical reminder of the need to be proactive in safeguarding their personal and financial information. This includes using strong, unique passwords for online accounts, enabling two-factor authentication where available, and being cautious of phishing attempts and other online scams.
The exposure of American Express credit card details in a third-party data breach is a concerning event that highlights the ongoing challenges in securing financial data. As the digital landscape evolves, so too do the tactics of cybercriminals, making it imperative for both companies and consumers to remain vigilant and proactive in their cybersecurity efforts. American Expressâs commitment to addressing the breach and supporting its customers is a positive step, but it also serves as a call to action for the industry to strengthen its defenses against future threats.
Big Breaches: Cybersecurity Lessons for Everyone
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Jan 12 2024
Framework Computer disclosed a data breach exposing the personal information of an undisclosed number of customers after Keating Consulting Group, its accounting service provider, fell victim to a phishing attack.
The California-based manufacturer of upgradeable and modular laptops says a Keating Consulting accountant was tricked on January 11 by a threat actor impersonating Framework’s CEO into sharing a spreadsheet containing customers’ personally identifiable information (PII) “associated with outstanding balances for Framework purchases.”
“On January 9th, at 4:27am PST, the attacker sent an email to the accountant impersonating our CEO asking for Accounts Receivable information pertaining to outstanding balances for Framework purchases,” the company says in data breach notification letters sent to affected individuals.
“On January 11th at 8:13am PST, the accountant responded to the attacker and provided a spreadsheet with the following information: Full Name, Email Address, Balance Owed.
“Note that this list was primarily of a subset of open pre-orders, but some completed past orders with pending accounting syncs were also included in this list.”
Framework says its Head of Finance notified Keating Consulting’s leadership of the attack once he became aware of the breach roughly 29 minutes after the external accountant replied to the attacker’s emails at 8:42 AM PST on January 11th.
As part of a subsequent investigation, the company identified all customers whose information was exposed in the attack and notified them of the incident via email.
Since the exposed data includes the names of customers, their email addresses, and their outstanding balances, it could potentially be used in phishing attacks that impersonate the company to request payment information or redirect to malicious websites designed to gather even more sensitive information from those impacted.
The company added that it only sends emails from ‘support@frame.work’ asking customers to update their information when a payment has failed and it never asks for payment information via email. Customers are urged to contact the company’s support team about any suspicious emails they receive.
Framework says that from now on, all Keating Consulting employees with access to Framework customer information will be required to have mandatory phishing and social engineering attack training.
“We are also auditing their standard operating procedures around information requests,” the company added.
“We are additionally auditing the trainings and standard operating procedures of all other accounting and finance consultants who currently or previously have had access to customer information.”
A Framework spokesperson was not immediately available for comment when BleepingComputer asked about the number of affected customers in the data breach.
Big Breaches: Cybersecurity Lessons for EveryoneÂ
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Sep 18 2023
TransUnion is an American consumer credit reporting agency. TransUnion collects and aggregates information on over one billion individual consumers in over thirty countries, including â200 million files profiling nearly every credit-active consumer in the United Statesâ.
A threat actor who goes by the moniker âUSDoDâ announced the leak of highly sensitive data allegedly stolen from the credit reporting agency. The leaked database, over 3GB in size, contains sensitive PII of about 58,505 people, all across the globe, including the America and Europe
According to researchers vx-underground who reported the leak, the archive contains data that dates back to March 2nd, 2022, which could be the data of the data breach.
This leaked database has information on individuals all across the globe including the Americas (North and South), as well as Europe
vx-underground states that leaked data includes individual first name, last name, Internal TransUnion identifiers, sex, passport information, place of birth, date of birth, civil status, age, current employer, information on their employer, a summary of financial transactions, credit score, loans in their name, remaining balances on the loans, where they got the loan from, when TransUnion first began monitoring their information.
The name USDoD is well known in the cyber security sector, it was also listed in the indictment for the notorious owner of the BreachForums cybercrime forum Pompompurin. vx-underground pointed out that they are believed to be behind many other high-profile security breaches.
Recently, The multinational aerospace corporation Airbus announced that it is investigating a data leak after cybersecurity firm Hudson Rock reported that a hacker posted information on thousands of the companyâs vendors to the dark web.
âUSDoDâ announced he had gained access to an Airbus web portal by compromising the account of a Turkish airline employee.
The hacker claimed to have details on thousands of Airbus vendors. The threat actors obtained the personal information of 3,200 individuals associated with Airbus vendors, exposed data include names, job titles, addresses, email addresses, and phone numbers.
In December 2022, the FBIâs InfraGard US Critical Infrastructure Intelligence portal was hacked and a database containing the contact details of more than 80,000 high-profile private sector individuals was offered for sale by USDoD on the Breached cybercrime forum.
After the law enforcement shutdown of âBreachedâ forum, its members, including âUSDoD,â moved to other platforms such as âBreachForums.â
âUSDoDâ posted two threads on this new forum, one to announce they have joined the notorious ransomware group Ransomed. In the second threat, the hacker exposed the personal information of 3,200 sensitive Airbus vendors. USDoD also warned that Lockheed Martin and Raytheon might be the next targets.
âThreat actors typically refrain from revealing their intrusion techniques, however in this exceptionally rare leak, âUSDoDâ revealed they gained access to Airbusâs data by exploiting âemployee access from a Turkish Airlineâ.â reported Hudson Rock. âUsing this information, Hudson Rock researchers succeeded to trace the mentioned employee access â a Turkish computer infected with an info-stealing malware in August 2023.â
According to the researchers, the computer of the victim was likely infected with the RedLine stealer after he attempted to download a pirated version of the Microsoft .NET framework.
A Business Guide for Protecting Sensitive Information
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Sep 18 2023
Researchers find a GitHub repository belonging to Microsoft’s AI research unit that exposed 38TB of sensitive data, including secret keys and Teams chat logs â Microsoft AI researchers accidentally exposed tens of terabytes of sensitive data, including private keys and passwords âŠ
Aug 18 2023
Data breach notification requirements are complex in the US, with various federal and state laws containing different requirements for when security incidents must be disclosed.
Some even have substantially different definitions for what a âdata breachâ or âpersonal dataâ is.
As such, it can be hard to know whether you need to report an incident, let alone how you should go about it.
We address these issues in this blog, bringing some much-needed clarity to the subject.
There is no single set of data protection laws in the U.S., with the rules instead comprised of a patchwork of industry-specific federal laws and state legislation.
To complicate matters further, several states have created new laws in recent years to bolster data protection requirements. For instance, New York has created the SHIELD Act, while Colorado and California have both created data privacy legislation.
Elsewhere, the U.S. government is attempting to unify data protection requirements with its National Cybersecurity Strategy.
The decision to revise data protection laws follows the introduction of the EU GDPR (General Data Protection Regulation) in 2018, which radically shifted organizationsâ requirements.
Organizations in the U.S. that process EU residentsâ personal data are required to comply with the GDPR, and those that conduct business across state lines will face similar compliance challenges.
You can find a summary of each stateâs federal data breach notification laws on our website, along with links to the texts themselves.
The GDPR is particularly important here, because many organizations in the U.S. assume that it only applies in the EU. However, its requirements apply to any organization that processes EU residentsâ personal data, which is particularly common for organizations that have an online presence.
GDPR compliance is also helpful for managing patchwork of U.S. data protection legislations. Its requirements are far stricter than any domestic laws, so achieving GDPR compliance will cover you for a range of other requirements.
You can learn more about the GDPR and the ways it can help you meet your data protection requirements by reading General Data Protection Regulation (GDPR) â A compliance guide for the US.
This free guide explains how and when the GDPR applies in the U.S. and the steps you can take to ensure your organization meets its transatlantic data processing practices.
Youâll also learn about the Regulationâs core principles and data subject rights, and the benefits of GDPR compliance.
We also provide tips on how to write your data privacy notice and give you tips on how to further your understanding of its compliance requirements.
InfoSec tools | InfoSec services | InfoSec books | Follow our blog
May 29 2023
The research that was published in the German daily Handelsblatt said that customers of Tesla Inc. lodged over 2,400 complaints about difficulties with self-acceleration and 1,500 complaints regarding issues with brakes between the years of 2015 and March 2022.
According to reports, a big data dump that was based on a whistleblowerâs breach of internal Tesla papers suggests that problems with Teslaâs autonomous driving system may be considerably more frequent than authorities and the media have suggested. This was discovered after the whistleblower gained unauthorized access to internal Tesla documents.
Particularly, in an article titled âMy autopilot almost killed me,â Handelsblatt reported receiving 100 terabytes of data and 23,000 files. Within those files were 3,000 entries highlighting consumersâ safety concerns and tales of more than 1,000 crashes.
The publisher included a note stating that the data includes the phone numbers of customers.
According to the hundreds of clients that Handelsblatt is claimed to have contacted, the fears were quite serious.
According to one man from Michigan, his Tesla âsuddenly braked hard, as hard as you can imagine.â When I was ordered to fasten my seatbelt, the vehicle was on the verge of coming to a complete halt. I was then struck by a second car.
The files were shown to the Fraunhofer Institute for Secure Information Technology by Handelsblatt. The institute concluded that there is no reason to presume that âthe data set does not come from IT systems belonging to or in the environment of Tesla.â
Employees are instructed that, unless lawyers are involved, they should not deliver written comments but rather should convey them âVERBALLY to the customer.â Unless attorneys are involved, written critiques should not be given.
The post quotes the instructions as saying, âDo not copy and paste the report below into an email, text message, or leave it in a voicemail to the customer,â and it is clear that this is a requirement.
An report featured a doctor from California who said that her Tesla accelerated on its own in the autumn of 2021 and smashed into two concrete pillars. She noted that the company never sent emails and that everything was always communicated verbally.
According to the attorneys for Tesla, the news organization is required to provide a copy of the data to Tesla, and all other copies of the data must be destroyed. The attorneys for Tesla also warned legal action âfor the theft of confidential and personal data.â
According to reports, the alleged papers would undoubtedly be important to current wrongful death lawsuits made against Tesla. These claims assert that the companyâs technology has significant safety faults. Additionally, they may compel local, state, and federal authorities to take action.
The stateâs data protection officer, Dagmar Hartge, recognized the seriousness of the allegations and pointed out that, should the allegations prove to be accurate, the data breach would have significant repercussions on a worldwide scale. The situation has been sent to privacy advocates in the Netherlands so that additional investigation might be conducted.
âTesla takes the protection of its proprietary and confidential information, as well as the privacy of its employees and customers, very seriously.â âWe intend to initiate legal proceedings against this individual for his theft of Teslaâs confidential information and employeesâ personal data,â Tesla stated in a response that was reported by the publication. The statement was made in reaction to the theft of sensitive information and personal data pertaining to Tesla employees.
The Chinese regulatory authorities have already started to take action. Approximately two weeks ago, Tesla was forced to provide an emergency software update for the majority of the automobiles it has sold in China as a direct result of problems with unexpected and sudden acceleration.
Since 2016, Musk has made many claims that his self-driving vehicles would be really autonomous, but he has not delivered on those claims.
Data Privacy: A runbook for engineers
InfoSec tools | InfoSec services | InfoSec books
May 08 2023
BlackCat ransomware operators reportedly stole the sensitive data.
https://www.darkreading.com/application-security/1m-nextgen-healthcare-patient-records-stolen-
A database containing the personal information of more than 1 million people was stolen from NextGen Healthcare, Inc., a provider of cloud-based healthcare technology.
NextGen Heathcare provided a disclosure to the Maine Attorney General’s office that said the breach occurred on March 29 and lasted through April 14. The compromise was discovered on April 24, the company reported.
The compromise occurred due to “unauthorized access to database stemming from use of stolen client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen,” the healthcare technology provider said.
Samples of NextGen’s stolen data reportedly popped up on ransomware operator BlackCat’s leak site, but were later removed without explanation.
NextGen’s disclosure indicated the databased contained “name or other personal identifier in combination with Social Security Number.”
NextGen had not responded to Dark Reading’s request for comment at the time of this post.
The NextGen breach poses a major threat to its victims, according to Tom Kellermann, senior vice president of cyber strategy at Contrast Security.
“This is a massive cybercrime which will result in widespread identity theft,” Kellermann said in a statement provided to Dark Reading. “Healthcare providers have long been preferred targets by cybercriminals who specialize in identity theft due to two reasons: First they have woeful inadequate cybersecurity and second, they store the most sensitive PII.”
In 2021, there were more data breaches of healthcare-related organizations than any other sector, accounting for 24% of all cybersecurity incidents, according to Steve Gwizdala, vice president of healthcare at ForgeRock.
“Vigilance and new ways of enhancing cybersecurity measures will be crucial to healthcare organizations and businesses responsible for protecting the personal information of consumers stored online â across the entire supply chain,” Gwizdala said in a statement.
Research Anthology on Securing Medical Systems and Records
InfoSec tools | InfoSec services | InfoSec books
Apr 13 2023
Hackers were able to acquire access to individualsâ personal information after Hyundai announced a data breach that affected vehicle owners in Italy and France as well as those who had scheduled test drives with the automaker. According to Troy Hunt, the author of the website âHaveIBeenPwned,â the event has caused the personal data of clients  to become public.
The letter also makes it clear that the individual who hacked into Hyundaiâs database did not take any financial information or identifying numbers. It is unknown how many Hyundai customers have been impacted by this event, how long the network attack lasted, or what additional nations may be at risk. Customers of a South Korean automobile manufacturer are being cautioned to be wary of unsolicited e-mails and SMS messages that pretend to come from the company. These communications might be efforts at phishing or social engineering. In response to the incident, Hyundai claims it has enlisted the help of information technology specialists, who have taken the affected systems down while new security measures are put into place. In February of 2023, the business released emergency software patches for a number of car models that had been compromised by a simple hack with a USB cable, which had made it possible for criminals to take the vehicles.
On the other hand, the Japanese automaker Toyota has admitted that there may have been a breach of consumer data due to security flaws at its operations in Italy. Throughout the course of more than one and a half years, up until this past March, Toyota Italy carelessly disclosed confidential information. In particular, it divulged confidential information on its Salesforce Marketing Cloud and Mapbox APIs. Threat actors might utilize this information to their advantage to acquire access to the telephone numbers and email addresses of Toyota customers and then use those details to start phishing attacks on those customers. According to the findings of the research team at Cybernews, the organization exposed credentials to the Salesforce Marketing Cloud, which is a supplier of software and services related to digital marketing automation and analytics. Threat actors might get access to phone numbers and email addresses, as well as customer monitoring information, as well as the contents of email, SMS, and push-notification messages by abusing the data. Moreover, Toyota Italy exposed the application programming interface (API) tokens for the software business Mapbox. These tokens were used to access map data. Although while the data is not as sensitive as the credentials for the Salesforce Marketing Cloud, it is still possible for threat actors to misuse it in order to query a large number of queries and drive up Toyotaâs API use costs.
Toyota is not the only automaker that has lately put itself as well as its consumers in Italy in a vulnerable position. In January of this year, the Indian branch of Toyota Motor announced a data breach, claiming that it was possible that the personal information of some of its customers had been exposed.
InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services
Mar 20 2023
As a result of a recent data breach, the NBA notified all its fans about the fact that a significant amount of personal information was compromised.
While using the information gathered, phishing attacks can be conducted by the threat actors on the individuals who have been affected. A third-party newsletter service was said to be holding the personal information exposed in the leak.
In addition to managing five professional sports leagues, the NBA also manages a media organization. And here below, we have listed those five sports leagues:-
In over 215 countries and territories worldwide, with over 50 languages spoken, NBA programming and games are broadcast worldwide.
NBA Cyber Incident
A number of fans have been notified of the cyber security incident through an email sent out with the tag âNotice of Cybersecurity Incident.â
According to the NBA, neither its systems nor the credentials of the fans affected by the incident were compromised. But, some theft of the personal information belonged to some fans.
Further, the association reported that the names and email addresses were accessed and copied by an unauthorized third party. But, in this instance, sensitive information, such as usernames and passwords, was not exposed.
Apart from this, a third-party provider and an external cybersecurity service are being engaged by the NBA to assist in the investigation of the issue to know the extent of the impact and resolve the issue as soon as possible.
NBA warned fans of phishing attacks
NBA warned that phishing attacks and various scams could be targeted at the affected individuals due to the sensitive nature of the data involved, reported Bleeping Computer.
It was strongly recommended to the affected fans that they remain vigilant when they open any suspicious emails that they receive. In the notification emails, the NBA informs fans that it will never send them an email asking for any of this information:-
It is also recommended for fans who have been impacted verify the authenticity of any emails they receive by ensuring that the senderâs email address ends with â@nba.com.â
Check that the embedded links point to a trustworthy website, and donât open email attachments that they havenât been expecting to receive.
NBA warns fans over data breach, personal details copied
InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services
Mar 16 2023
A joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) revealed that multiple threat actors, including a nation-state actor, exploited a critical vulnerability in Progress Telerik to breach an unnamed US federal agency.
The three-year-old vulnerability, tracked as CVE-2019-18935 (CVSS score: 9.8), is a .NET deserialization issue that resides in the Progress Telerik UI for ASP.NET AJAX. Exploitation can result in remote code execution.
âCISA analysts determined that multiple cyber threat actors, including an Advanced Persistent Threat (APT) actor, exploited a .NET deserialization vulnerability in Progress Telerik user interface for ASP.NET AJAX. Exploitation of this vulnerability allowed malicious actors to successfully execute remote code on a federal civilian executive branch (FCEB) agencyâs Microsoft Internet Information Services (IIS) web server.â reads the advisory. âActors were then able to upload malicious dynamic-link library (DLL) files (some masqueraded as portable network graphics [PNG] files) to the C:\Windows\Temp\ directory.âÂ
Threat actors exploited the vulnerability to execute arbitrary code on a Microsoft Internet Information Services (IIS) web server used by a federal civilian executive branch (FCEB) agency.
In 2020 and 2021, this flaw was included by the US National Security Agency (NSA) in the list of the top 25 vulnerabilities exploited by Chinese state-sponsored hacking groups in attacks in the wild.
The flaw was also used in the past by the NetWalker ransomware gang in its operations.
The joint alert recommends network defenders review the Malware Analysis Report, MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server, to reference CISAâs analysis for the identified malicious files.
According to the MAR, CISA received 18 files for analysis from a forensic analysis engagement conducted at a Federal Civilian Executive Branch (FCEB) agency. Experts reported that 11 of the dynamic link library (DLL) files employed in the attack allows threat actors to read, create, and delete files on the target systems.
âIf the DLL contains a hardcoded Internet Protocol (IP) address, status messages will be sent to the IP. One DLL file will attempt to collect the target systemâs Transmission Control Protocol (TCP) connection table, and exfiltrate it to a remote Command and Control server (C2).â reads the MAR. âFive of the files drop and decode a reverse shell utility that can send and receive data and commands. In addition, the files drop and decode an Active Server Pages (ASPX) webshell. Two DLL files are capable of loading and executing payloads.â
US CISA has also provided Indicators of Compromise (IOCs) and YARA rules for detection in the Malware Analysis Report (MAR).
Mar 10 2023
The threat actor who posted the data for sale has claimed credit for multiple other breaches, including one at grocery platform Weee! that exposed data on more than 1.1 million customers.
Jai VijayanContributing Writer, Dark Reading
Hundreds of US lawmakers and their families are at risk of identity theft, financial scams, and potentially even physical threats after a known info-theft threat actor called IntelBroker made House of Representatives members’ personally identifiable information (PII) available for sale on the “Breached” criminal forum.
The information, confirmed as being obtained via a breach at health insurance marketplace DC Health Link, includes names, Social Security numbers, birth dates, addresses, and other sensitive identifying information. The data on the House members was part of a larger data set of PII belonging to more than 170,000 individuals enrolled with DC Health Link that the threat actor put up for sale this week.
In a March 8 email to members of the House and their staff, US House Chief Administrative Officer Catherine Szpindor said the attack on DC Health Link does not appear to have specifically targeted US lawmakers. But the breach was significant and potentially exposed PII on thousands of people enrolled with DC Health Link.
“The FBI also informed us that they were able to purchase this PII, along with other enrollee information, on the Dark Web,” Speaker of the House Kevin McCarthy (R-Calif.) and House Minority Leader Hakeem Jeffries (D-N.Y.) said in a joint letter to the executive director at DC Health Link on March 8. The letter sought specifics from the health exchange on the breach, including details on the full scope of the attack and DC Health Link’s plans to notify affected individuals and offer credit monitoring services for them.
Despite the letter, details of the intrusion at DC Health Link are not yet available. The organization, governed by an executive board appointed by the DC mayor, did not immediately respond to a request for comment on the incident.
A report in BleepingComputer this week first identified the threat actor as the appropriately named IntelBroker, after the cybercriminals put the stolen data up for sale on March 6. According to the underground forum ad, the data set is available for “an undisclosed amount in Monero cryptocurrency.” Interested parties are asked to contact the sellers via a middleman for details.
This is not the first big heist for the group: A threat actor, using the same moniker in February, had claimed credit for a breach at Weee!, an Asian and Hispanic food delivery service. IntelBroker later leaked some 1.1 million unique email addresses and detailed information on over 11.3 million orders placed via the service.
Security vendor BitDefender, which covered the incident in its blog at the time, published an ad that IntelBroker placed on BreachedForums that showed the attacker boasting about obtaining full names, email addresses, phone number, and even order notes which included apartment and building access codes.
Meanwhile, Chris Strand, chief risk and compliance officer at Cybersixgill says his company has been tracking IntelBroker since 2022 and is about to release a report on the actor. “IntelBroker is a highly active Breached member with an 9/10 reputation score, who claimed in the past to be the developer of Endurance ransomware,” Strand says.
IntelBroker’s use of Breached to sell the health exchange PII, instead of a dedicated leak site or a Telegram channel, is consistent with the threat actor’s previous tactics. It suggests either a lack of resources or inexperience on the individual’s part, Strand says.
“In addition to IntelBroker’s presence on Breached, the threat actor has maintained a public GitHub repository titled Endurance-Wiper,” he tells Dark Reading.
In November, IntelBroker claimed that it used Endurance to steal data from high level US government agencies, Strand notes. The threat actor has in total made some 13 claims about breaching top US government agencies, likely to attract customers to a ransomware-as-a-service (RaaS) program. Other organizations that IntelBroker claims to have broken into include Volvo, cult footwear maker Dr. Martens, and an Indonesian subsidiary of The Body Shop.
“Our intelligence analysts have been tracking IntelBroker since 2022, and we have been collecting intel attributed to that threat actor since then, as well as associated threats that have been related or attributed to IntelBroker,” Strand says.
Justin Fier, senior vice president of red team operations at Darktrace, says the threat actor’s reason for putting the data up for sale appears to be purely financially motivated rather than political. And given the high profile of the victims, IntelBroker may find that the attention the breach is garnering will increase the value of the stolen data (or bring more heat than it would like).
The buyers might be another story. Given the availability of physical addresses and electronic contact information, the kinds of potential follow-on attacks are myriad, ranging from social engineering for identity theft or espionage, to physical targeting, meaning that interested parties could run the gamut in terms of motivation.
“The amount tells you a great deal about who they may be thinking of in terms of buyers,” he says. If all that the threat actor ends up asking is a couple of thousand dollars, they are likely to be a smaller criminal enterprise. But “you start talking millions, they are clearly then catering to nation-state buyers,” he says.
Fier assesses that the data that the threat actor stole on US House members as potentially posing a national security issue. “We shouldn’t only think external nation-states that might want to purchase this,” Fier says. “Who is to say that other political parties and/or activists couldn’t weaponize it?”
Previous posts on Cyber Attacks
InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services
Feb 28 2023
it is not uncommon for large organizations to face cyber attacks or data breaches, and it is important for them to have strong cybersecurity measures in place to prevent such incidents and mitigate their impact if they do occur. However, If such an incident did occur, the affected companies would likely conduct a thorough investigation and take appropriate steps to address the situation and prevent similar incidents from happening in the future.
The massive media and publishing business News Corp reported a data breach in February 2022, disclosing that its journalists had been the focus of an attack on a software supply chain. The breach revealed that the journalists had been hacked. The assets owned by News Corp. include a variety of prominent news sources, such as Dow Jones, FOX News, The Sun, and MarketWatch, amongst others. It is important to note that in March of 2019, the Dow Jones made news for disclosing a âscreening listâ that included critical information on terrorists, criminals, and shady enterprises. This information included names, addresses, and phone numbers.
The leak of thirteen million data took place on the FOX News website in April of 2022. The fifty-eight terabytesâ worth of information consisted of a variety of different things, including the companyâs internal documents, the personally identifiable information (PII) of its workers, and many other things. Prior to the time when the firm was made aware of the occurrence, these documents continued to be accessible to the general public.
Today, the business has disclosed new information saying that the security breach really took place in February of 2020. This indicates that the hackers were present on the network for a period of two years before being discovered. Mandiant, which is now owned by Google, was the cybersecurity company that helped News Corp. back then. Because the perpetrators had access to the system for two years before they were discovered, it is highly likely that they were able to get away with stealing more information than was initially thought. Since no one knew it had been stolen, they would not have been on heightened alert for any potential attacks during that time.
The firm disclosed in a breach notice that the threat actors responsible for the incident gained access to its email and document storage system. This system is used by a variety of News Corp companies. The impacted workersâ personal and health information was obtained; nevertheless, the corporation has said that it does not seem that the activity was centered on exploiting personal information in any way.
The Wall Street Journal, the New York Post, and its news operations in the United Kingdom were among the News Corp publications that were compromised as a result of the security hack. Names, birth dates, social security numbers, driverâs license numbers, passport numbers, information about bank accounts, as well as information on medical and health insurance, were some of the pieces of personally identifiable information that were accessed.
News Corporation has indicated in the past that the assailants had links to China and were probably engaged in espionage operations to gather information for the benefit of Chinaâs objectives.
The New York Post admitted that it had been hacked in October 2022, after discovering that its website and Twitter account had been exploited to distribute inappropriate information that targeted a number of different politicians in the United States. The newspaper eventually disclosed that one of its own workers was responsible for the incident, and that individual was terminated once their role in the scandal was uncovered.
Feb 27 2023
Telus, a Canadian national telecommunications company is looking into whether employeesâ data as well as the source code for the system were stolen and then sold on a dark web marketplace.
Subsequently, the threat actor published screenshots that appear to depict the companyâs payroll data and private source code repositories.
âWe are investigating claims that a small amount of data related to internal Telus source code and select Telus team membersâ information has appeared on the dark web,â Richard Gilhooley, director of public affairs at Telus said in an email.
âWe can confirm that to this point our investigation, which we launched as soon as we were made aware of the incident, has not identified any corporate or retail customer data.â
A threat actor offered what they claimed to be TELUSâ employee list (including names and email addresses) for sale on a data breach forum on February 17.
âToday weâre selling email lists of Telus employees from a very recent breach. We have over 76k unique emails and on top of this have internal information associated with each employee scraped from Telusâ APIâ, the forum post says.
The post provides what looks to be a list of email addresses for Telus employees as proof. âIt isnât known if these are the current or former staff â or even realâ.
Later on Tuesday, February 21, the same threat actor published a new forum post with an offer to sell TELUSâ private GitHub repositories, source code, and payroll data.
âIn the repositories are the backend, frontend, middleware [information,] AWS keys, Google auth keys, Source Code, Testing Apps, Staging/Prod/testing, and more!â says the sellerâs latest post.
The seller also stated that the companyâs âsim-swap-api,â which is supposed to allow attackers to conduct SIM swap attacks, was included in the stolen source code.
Despite the malicious attacker calling this a âFull breachâ and stating that they will sell âanything related to Telus,â it is still too soon to say whether an event actually happened at TELUS or whether a breach at a third-party vendor actually occurred.
âItâs important to note that itâs not clear whether the data being sold is realâ, commented Brett Callow, a British Columbia-based threat analyst for Emsisoft.
âIf it is real, this is a potentially serious incident which exposes Telusâ employees to increased risk of phishing and social engineering and, by extension, exposes the companyâs customers to riskâ.
âThe alleged exposure of the private Github repositories, supposedly including a sim-swap API, represents an additional tier of potentially significant risk.â
Jan 05 2023
According to a post on a well-known hacker forum, Volvo Cars has experienced a new data breach, with stolen information allegedly being made available for sale.
Anis Haboubi, a French cybersecurity expert, was the first to discover that a threat actor was seeking to sell data purportedly taken from Volvo Cars on a well-known hacking site.
On December 31, 2022, a forum member operating online with the moniker IntelBroker reported that VOLVO CARS had been the target of a ransomware attack. He alleges that the Endurance Ransomware gang attacked the company and stole 200GB of private information that is now being sold.
The seller mentioned that he doesnât demand a ransom because he thinks the victim wonât pay it.
âThe company has not been approached with a ransom demand. Based on the information available, the company does not currently see an impact on its business or operationsâ, according to a Volvo representative.
IntelBroker is offering the relevant data for $2500 in Monero, and he shared a number of screenshots as evidence of the hack. He forbids any escrow, which is a highly suspicious situation.
According to reports, the leak included sensitive data like access to several of the companyâs databases, WiFi logins and points, employee listings, software keys, and other private data.
âI am currently selling the following information:
Database access, CICD access, Atlassian access, domain access, WiFi points, and logins, auth bearers, API, PAC security access, employee lists, software licenses, and keys and system files.â reads the announcement on the hacking forum.
âThere is much data on âunresolvedâ reports of exploits. I have taken them all and they will also be included in this sale.â
Itâs notable that the attacker shared screenshots of allegedly stolen data that indicate details about vehicles the company sells to law enforcement agencies, especially in Europe.
Threat actors have set a relatively low price of $2,500 for the dataset, indicating that the data may not be as sensitive as the seller would want.
If genuine, this would be Volvoâs second security compromise in less than 18 months. The company claimed that a âsmall portionâ of its R&D assets had been taken during the breach in late 2021.
Hence, itâs unclear at this moment whether the seller is seeking to sell information from the 2021 data breach or if there has been a new data leak. Some users of the same hacker site said that since last week, the companyâs unsecured Citrix access has been exposed online.
Security researchers released their car hacking research discussing vulnerabilities affecting millions of vehicles, and lots of different car companies such as Kia, Toyota, BMW, Rolls Royce, Ferrari, Ford, and many more. If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely. Their goal was to find vulnerabilities affecting the automotive industry. This write-up details their work exploring the security of telematic systems, automotive APIs, and the infrastructure that supports them. Details: https://samcurry.net/web-hackers-vs-the-auto-industry/
Infosec books | InfoSec tools | InfoSec services
Jan 02 2023
Regula has presented their vision of the developments that will shape the industryâs landscape in 2023. Deepfakes, new cyber-hygiene norms, and demand for mature ID verification platforms are among some of the predictions for the next year.
While more and more industries move their customer experiences to digital, online identity verification is becoming an essential part of our life. It lets people cope with all sorts of mission-critical activities online: opening bank accounts, applying for benefits, getting insurance payouts, and even getting medical advice.
Still, the security of the digital IDV process is the number one concern that is forming the industryâs landscape and driving the majority of significant changes.
Javelin Strategy & Research reports that in 2022, identity fraud and scams cost $52 billion and affected over 42 million people in the US alone. The rising number of identity fraud cases, along with fraudstersâ hunger for personal information collected by service providers, will lead to three important changes in how data will be used and treated:
When it comes to more complex identity fraud cases related to synthetic media like deepfakes, experts expect to see a rise in amateur scam attempts along with the emergence of next-gen biometric-related fraud.
Both trends are developing in parallel and are powered by the same factor: the growing maturity and availability of machine-learning based technologies that make it possible to fake photos, videos, voices, and other characteristics previously considered unique.
Based on the opinion of Regula experts, all these trends will lead to a market that is developed enough to embrace mature end-to-end IDV solutions that are capable of not only verifying documents, but also biometric characteristics, like face, voice, and fingerprints.
âThe good news is that minimal security measures are currently enough to repel 95% of possible attacks. The remaining 5% is where the difficulties lie. Now, most deepfakes are created for free, and theyâre of such a quality that thereâs no immediate danger. But thatâs a matter of how many resources fraudsters will be willing to invest. At the moment, when theyâre ready to spend significant amounts of money per deepfake, itâs a problem that requires interactive multi-layered protection. So if we picture the trends above as a scale, where convenience for the customer is on one end and security on the other, the balance is shifting to the latter,â notes Ihar Kliashchou, CTO at Regula.
In relation to this yearâs trending topics â digital identity and decentralized identity â the companyâs experts have their own take on that:
Infosec books | InfoSec tools | InfoSec services
Dec 15 2022
This is not the first time threat actors have used drivers signed by Microsoft in their operations, as we know it, and it seems that putting a stop to this practice has not been an easy task for Microsoft.
Evidence suggests that the Cuba ransomware gang used malicious hardware drivers certified by Microsoftâs Windows Hardware Developer Program in an attempted ransomware attack.
Remember when, in 2021, a report surfaced that revealed Microsoft had signed a driver called Netfilter, and later it turned out it contained malware? Well, it has happened again, but on a larger scale.
Sophos X-Ops Rapid Response (RR) recently discovered evidence which proves that threat actors potentially belonging to the Cuba ransomware gang used malicious hardware drivers certified by Microsoftâs Windows Hardware Developer Program in an attempted ransomware attack.
Drivers â the software that allows operating systems and apps to access and communicate with hardware devices â require highly privileged access to the operating system and its data, which is why Windows requires drivers to bear an approved cryptographic signature before allowing the driver to load.
However, cybercriminals have long since found approaches to exploit vulnerabilities found in existing Windows drivers from legitimate software publishers. These hackers make an effort to progressively move up the trust pyramid, using increasingly well-trusted cryptographic keys to digitally sign their drivers.
Sophos along with researchers from Google-owned Mandiant and SentinelOne warned Microsoft about these signed malicious drivers which were being planted into targeted machines using a variant of the BurntCigar loader utility. These two then worked in tandem to kill processes associated with antivirus (AV) and endpoint detection and response (EDR) products.
âOngoing Microsoft Threat Intelligence Center analysis indicates the signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware,â Microsoft said in an advisory published as part of its monthly scheduled release of security patches, known as Patch Tuesday.
Microsoft concluded its investigation by stating that âno compromise has been identified,â and proceeded to suspend the partnersâ seller accounts. Moreover, they released Windows security updates to revoke the abused certificates.
Mandiantâs report is available here. In SentinelOneâs blog post, the security firm reported that it had seen several attacks where a threat actor used malicious signed drivers to evade security products which usually trust components signed by Microsoft.
The threat actors were observed to be targeting organisations in the business process outsourcing (BPO), telecommunications, entertainment, transportation, MSSP, financial and cryptocurrency sectors and in some instances, SIM swapping was the end goal.
Cuba Ransomware group was identified to be involved in gaining $60 million from attacks against 100 organisations globally, according to a joint advisory earlier this month from the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.
The advisory also included warnings regarding the ransomware group which has been active since 2019 and continues to attack US entities in critical infrastructure, including financial services, government facilities, healthcare and public health, and critical manufacturing and information technology.
This is not the first time threat actors have used drivers signed by Microsoft in their operations, as we know it, and it seems that putting a stop to this practice has not been an easy task for Microsoft.
Dec 05 2022
The 50GB worth of data is currently being sold on two clear web forums with a price tag of 1 BTC per database.
A group of hackers has posted a trove of approximately 50GB of data for sale on two online forums and a Telegram group. The data was posted on 26 and 27th November 2022. This was revealed to Hackread.com by researchers at VPNMentor.
A probe into the incident revealed that the data belonged to 29 Israeli transportation, logistics services and forwarding firms. Researchers believe that the hackers breached a software providerâs single point of failure, gained unauthorized access to these logistics firmsâ supply chains, and exfiltrated a trove of personal data and shipping records.
Hackers have posted the stolen data for sale. Visitors can buy a complete employee and customer information dataset from the targeted companies. The per-database rate is 1 BTC, which equals $17,000. An analysis of the graphics associated with these posts revealed that the data is part of a Black Friday Sale.
Previously, when some Israeli delivery firms were targeted in cyberattacks, the Israeli governmentâs cyber agencies named Iranian threat actors as the perpetrators. However, it is unclear if the same actors are responsible in this instance.
According to VPNMentorâs blog post, exposed data includes contract details and shipment information of the affected Israeli firms. The hackers have listed 1.1 million records for sale on different online forums. It seems like they have shared a small sample of data.
Whether 1 record represented 1 person or 1.1 million people were impacted in this data breach couldnât be determined. The exposed information includes full names, addresses, and contact numbers.
Researchers were unsure whether the exposed addresses were work or home addresses. Customersâ exposed data includes full names and shipping details (sender and receiverâs addresses, number of packages, contact numbers, etc.).
These records can be exploited to intercept packages or blackmail/threaten courier firmsâ employees into handing over valuable shipments. Threat actors can use personal data such as full names or contact details to target people with scams and phishing attacks.
Customers of these firms should be wary of suspicious SMS messages and calls and do not share personal information via phone. They should reveal sensitive data only to a trusted source only when necessary.
