Jun 05 2024

Unauthorized AI is eating your company data, thanks to your employees

Category: AI,Data Breach,data securitydisc7 @ 8:09 am

Legal documents, HR data, source code, and other sensitive corporate information is being fed into unlicensed, publicly available AIs at a swift rate, leaving IT leaders with a mounting shadow AI mess.

Employees at many organizations are engaging in widespread use of unauthorized AI models behind the backs of their CIOs and CISOs, according to a recent study.

Employees are sharing company legal documents, source code, and employee information with unlicensed, non-corporate versions of AIs, including ChatGPT and Google Gemini, potentially leading to major headaches for CIOs and other IT leaders, according to research from Cyberhaven Labs.

About 74% of the ChatGPT use at work is through non-corporate accounts, potentially giving the AI the ability to use or train on that data, says the Cyberhaven Q2 2024 AI Adoption and Risk Report, based on actual AI usage patterns of 3 million workers. More than 94% of workplace use of Google AIs Gemini and Bard are from non-corporate accounts, the study reveals.

Nearly 83% of all legal documents shared with AI tools go through non-corporate accounts, the report adds, while about half of all source code, R&D materials, and HR and employee records go into unauthorized AIs.

The amount of data put into all AI tools saw nearly a five-fold increase between March 2023 and March 2024, according to the report. “End users are adopting new AI tools faster than IT can keep up, fueling continued growth in ‘shadow AI,’” the report adds.

Where does the data go?

At the same time, many users may not know what happens to their companies’ data once they share it with an unlicensed AI. ChatGPT’s terms of use, for example, say the ownership of the content entered remains with the users. However, ChatGPT may use that content to provide, maintain, develop, and improve its services, meaning it could train itself using shared employee records. Users can opt out of ChatGPT training itself on their data.

So far, there have been no high-profile reports about major company secrets spilled by large public AIs, but security experts worry about what happens to company data once an AI ingests it. On May 28, OpenAI announced a new Safety and Security Committee to address concerns.

It’s difficult to assess the risk of sharing confidential or sensitive information with publicly available AIs, says Brian Vecci, field CTO at Varonis, a cloud security firm. It seems unlikely that companies like Google or ChatGPT developer OpenAI will allow their AIs to leak sensitive business data to the public, given the headaches such disclosures would cause them, he says.

Still, there aren’t many rules governing what AI developers can do with the data users provide them, some security experts note. Many more AI models will be rolled out in the coming years, Vecci says.

“When we get outside of the realm of OpenAI and Google, there are going to be other tools that pop up,” he says. “There are going to be AI tools out there that will do something interesting but are not controlled by OpenAI or Google, which presumably have much more incentive to be held accountable and treat data with care.”

The coming wave of second- and third-tier AI developers may be fronts for hacking groups, may see profit in selling confidential company information, or may lack the cybersecurity protections that the big players have, Vecci says.

“There’s some version of an LLM tool that’s similar to ChatGPT and is free and fast and controlled by who knows who,” he says. “Your employees are using it, and they’re forking over source code and financial statements, and that could be a much higher risk.”

Risky behavior

Sharing company or customer data with any unauthorized AI creates risk, regardless of whether the AI model trains on that data or shares it with other users, because that information now exists outside company walls, adds Pranava Adduri, CEO of Bedrock Security.

Adduri recommends organizations sign licensed deals, containing data use restrictions, with AI vendors so that employees can experiment with AI.

“The problem boils down to the inability to control,” he says. “If the data is getting shipped off to a system where you don’t have that direct control, usually the risk is managed through legal contracts and legal agreements.”

AvePoint, a cloud data management company, has signed an AI contract to head off the use of shadow AI, says Dana Simberkoff, chief risk, privacy, and information security officer at the company. AvePoint thoroughly reviewed the licensing terms, including the data use restrictions, before signing.

A major problem with shadow AI is that users don’t read the privacy policy or terms of use before shoveling company data into unauthorized tools, she says.

“Where that data goes, how it’s being stored, and what it may be used for in the future is still not very transparent,” she says. “What most everyday business users don’t necessarily understand is that these open AI technologies, the ones from a whole host of different companies that you can use in your browser, actually feed themselves off of the data that they’re ingesting.”

Training and security

AvePoint has tried to discourage employees from using unauthorized AI tools through a comprehensive education program, through strict access controls on sensitive data, and through other cybersecurity protections preventing the sharing of data. AvePoint has also created an AI acceptable use policy, Simberkoff says.

Employee education focuses on common employee practices like granting wide access to a sensitive document. Even if an employee only notifies three coworkers that they can review the document, allowing general access can enable an AI to ingest the data.

“AI solutions are like this voracious, hungry beast that will take in anything that they can,” she says.

Using AI, even officially licensed ones, means organizations need to have good data management practices in place, Simberkoff adds. An organization’s access controls need to limit employees from seeing sensitive information not necessary for them to do their jobs, she says, and longstanding security and privacy best practices still apply in the age of AI.

Rolling out an AI, with its constant ingestion of data, is a stress test of a company’s security and privacy plans, she says.

“This has become my mantra: AI is either the best friend or the worst enemy of a security or privacy officer,” she adds. “It really does drive home everything that has been a best practice for 20 years.”

Simberkoff has worked with several AvePoint customers that backed away from AI projects because they didn’t have basic controls such as an acceptable use policy in place.

“They didn’t understand the consequences of what they were doing until they actually had something bad happen,” she says. “If I were to give one really important piece of advice it’s that it’s okay to pause. There’s a lot of pressure on companies to deploy AI quickly.”

Credit: Moon Safari / Shutterstock

Artificial Intelligence for Cybersecurity 

ChatGPT for Cybersecurity Cookbook: Learn practical generative AI recipes to supercharge your cybersecurity skills

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Artificial Intelligence for Cybersecurity, ChatGPT for Cybersecurity

May 03 2024

2024 Data Breach Investigations Report: Most breaches involve a non-malicious human element

Category: Data Breachdisc7 @ 7:19 am

This spike was driven primarily by the increasing frequency of attacks targeting vulnerabilities on unpatched systems and devices (zero-day vulnerabilities) by ransomware actors. The MOVEit software breach was one of the largest drivers of these cyberattacks, first in the education sector and later spreading to finance and insurance industries.

“The exploitation of zero-day vulnerabilities by ransomware actors remains a persistent threat to safeguarding enterprises,” said Chris Novak, Sr. Director of Cybersecurity Consulting, Verizon Business.

In a possible relief to some anxieties, the rise of AI was less of a culprit vs challenges in large-scale vulnerability management. “While the adoption of artificial intelligence to gain access to valuable corporate assets is a concern on the horizon, a failure to patch basic vulnerabilities has threat actors not needing to advance their approach,” Novak said.

Analysis of the CISA Known Exploited Vulnerabilities (KEV) catalog revealed that on average it takes organizations 55 days to remediate 50% of critical vulnerabilities following the availability of patches. Meanwhile, the median time for detecting the mass exploitations of the CISA KEV on the internet is five days.

“This year’s DBIR findings reflect the evolving landscape that today’s CISO’s must navigate – balancing the need to address vulnerabilities quicker than ever before while investing in the continued employee education as it relates to ransomware and cybersecurity hygiene,” said Craig Robinson, Research VP, Security Services at IDC. “The breadth and depth of the incidents examined in this report provides a window into how breaches are occurring, and despite the low-level of complexity are still proving to be incredibly costly for enterprises.”

Last year, 15% of breaches involved a third party, including data custodians, third-party software vulnerabilities, and other direct or indirect supply chain issues. This metric—new for the 2024 DBIR — shows a 68% increase from the previous period described in the 2023 DBIR.

The human factor remains the primary entry point for cybercriminals

68% of breaches, whether they include a third party or not, involve a non-malicious human element, which refers to a person making an error or falling prey to a social engineering attack. This percentage is about the same as last year. One potential countervailing force is the improvement of reporting practices: 20% of users identified and reported phishing in simulation engagements, and 11% of users who clicked the email also reported it.

“The persistence of the human element in breaches shows that there is still plenty of room for improvement with regard to cybersecurity training, but the increase in self-reporting indicates a culture change that destigmatizes human error and may serve to shine a light on the importance of cybersecurity awareness among the general workforce,” Novak added.

Other key findings from this year’s report include:

  • 32% of all breaches involved some type of extortion technique, including ransomware
  • Over the past two years, roughly a quarter (between 24% and 25%) of financially motivated incidents involved pretexting
  • Over the past 10 years, the Use of stolen credentials has appeared in almost one-third (31%) of all breaches
  • Half of the reaches in EMEA are internal
  • Espionage attacks continue to dominate in APAC region

“The Verizon 2024 Data Breach Investigations Report shows it’s the still the basics security errors putting organizations at risk, such as long windows between discovering and patching vulnerabilities, and employees being inadequately trained to identify scams. This needs to change as a priority because no business can afford to gamble or take chances with cyber hygiene. Just look at Change Healthcare, the breach was executed via an unsecured employee credential and the organization is now facing over a billion in losses. No other organisation wants to find itself in this position,” William Wright, CEO of Closed Door Security, told Help Net Security.

Big Breaches: Cybersecurity Lessons for Everyone

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: 2024 DBIR, data breaches, Verizon data breach report

Mar 26 2024

Eliminating SQL Injection Vulnerabilities in Software

Category: Data Breach,data security,Information Securitydisc7 @ 8:37 am

Eliminating SQL Injection Vulnerabilities in Software

SQL Injection Strategies: Practical techniques to secure old vulnerabilities against modern attacks

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: SQL Injection Vulnerabilities

Mar 20 2024

Data Breaches and Cyber Attacks in the USA in February 2024 – 621,095,066 Records Breached

Category: Data Breachdisc7 @ 7:16 am

Data Breaches and Cyber Attacks in the USA in February 2024 – 621,095,066 Records Breached

 Kyna Kosling  March 14, 2024

IT Governance USA’s research found the following for February 2024:

  • 322 publicly disclosed security incidents (45% of all incidents globally)
  • 621,095,066 records known to be breached

This month, globally, 719,366,482 records were known to be breached – 86% of them were in the USA.

This is unusual. Typically, the USA suffers more incidents than any other country, but these tend to lead to a disproportionately low number of records breached.

This month is different due to two outlier breaches:

  1. Zenlayer’s publicly exposed database, which contained 384,658,212 records
  2. Pure Incubation Ventures, which allegedly* had 183,754,481 records go up for sale

*The threat actor provided 100,000 records as a sample.

Free PDF download: Data Breach Dashboard

For a quick, one-page overview of this month’s findings, please use our Data Breach Dashboard:

Data Breaches and Cyber Attacks in the USA in February 2024 – 621,095,066 Records Breached

 Kyna Kosling  March 14, 2024

IT Governance USA’s research found the following for February 2024:

  • 322 publicly disclosed security incidents (45% of all incidents globally)
  • 621,095,066 records known to be breached

This month, globally, 719,366,482 records were known to be breached – 86% of them were in the USA.

This is unusual. Typically, the USA suffers more incidents than any other country, but these tend to lead to a disproportionately low number of records breached.

This month is different due to two outlier breaches:

  1. Zenlayer’s publicly exposed database, which contained 384,658,212 records
  2. Pure Incubation Ventures, which allegedly* had 183,754,481 records go up for sale

*The threat actor provided 100,000 records as a sample.

Free PDF download: Data Breach Dashboard

For a quick, one-page overview of this month’s findings, please use our Data Breach Dashboard:

You can also download this and previous months’ Dashboards as free PDFs here.

This blog provides further analysis of the data we’ve collected. We also provide an annual overview and analyze the longer-term trends in our 2024 overview of publicly disclosed data breaches and cyber attacks in the USA.

You can learn more about our research methodology here.

Note 1: Where ‘around,’ ‘about,’ etc. is reported, we record the rounded number. Where ‘more than,’ ‘at least,’ etc. is reported, we record the rounded number plus one. Where ‘up to,’ etc. is reported, we record the rounded number minus one.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.

Big Breaches: Cybersecurity Lessons for Everyone 

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cyber Attacks in the USA

Mar 05 2024


Category: Data Breach,pci dssdisc7 @ 7:26 am

In a recent unsettling development, American Express has confirmed that sensitive information related to its credit cards has been compromised due to a data breach at a third-party service provider. This incident has raised serious concerns about the security of financial data and the implications for customers worldwide.


The breach was reportedly executed by a third-party merchant processor, which inadvertently allowed the sensitive information of American Express cardholders to leak onto the dark web. This exposed data includes American Express Card account numbers, expiration dates, and possibly other personal information, putting customers at risk of fraud and identity theft.

American Express has been proactive in addressing the situation, notifying affected customers and urging them to remain vigilant for signs of unauthorized activity on their accounts. Despite the breach, American Express has emphasized that its own systems were not compromised, pointing to the external nature of the security lapse.


The exposure of credit card details in a third-party data breach is a stark reminder of the vulnerabilities that exist within the digital financial ecosystem. For customers, this incident underscores the importance of monitoring their financial statements regularly and reporting any suspicious transactions immediately.

American Express has assured its customers that it is taking the necessary steps to mitigate the impact of the breach. This includes offering free credit monitoring services to affected individuals to help protect their financial information from further misuse.


This incident is not isolated, as data breaches involving third-party service providers have become increasingly common. The reliance on external vendors for processing financial transactions and handling sensitive data introduces additional risks that companies must manage. It highlights the need for stringent security measures and continuous vigilance to protect against cyber threats.


In response to the breach, American Express and other financial institutions are likely to reassess their relationships with third-party vendors and enhance their security protocols to prevent similar incidents in the future. This may involve more rigorous vetting processes, the implementation of advanced cybersecurity technologies, and closer collaboration between companies and their service providers to ensure the highest standards of data protection.

For customers, the breach serves as a critical reminder of the need to be proactive in safeguarding their personal and financial information. This includes using strong, unique passwords for online accounts, enabling two-factor authentication where available, and being cautious of phishing attempts and other online scams.

The exposure of American Express credit card details in a third-party data breach is a concerning event that highlights the ongoing challenges in securing financial data. As the digital landscape evolves, so too do the tactics of cybercriminals, making it imperative for both companies and consumers to remain vigilant and proactive in their cybersecurity efforts. American Express’s commitment to addressing the breach and supporting its customers is a positive step, but it also serves as a call to action for the industry to strengthen its defenses against future threats.

Big Breaches: Cybersecurity Lessons for Everyone

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory


Jan 12 2024

Framework discloses data breach after accountant gets phished

Category: Data Breach,Phishingdisc7 @ 10:21 am


Framework Computer disclosed a data breach exposing the personal information of an undisclosed number of customers after Keating Consulting Group, its accounting service provider, fell victim to a phishing attack.

The California-based manufacturer of upgradeable and modular laptops says a Keating Consulting accountant was tricked on January 11 by a threat actor impersonating Framework’s CEO into sharing a spreadsheet containing customers’ personally identifiable information (PII) “associated with outstanding balances for Framework purchases.”

“On January 9th, at 4:27am PST, the attacker sent an email to the accountant impersonating our CEO asking for Accounts Receivable information pertaining to outstanding balances for Framework purchases,” the company says in data breach notification letters sent to affected individuals.

“On January 11th at 8:13am PST, the accountant responded to the attacker and provided a spreadsheet with the following information: Full Name, Email Address, Balance Owed.

“Note that this list was primarily of a subset of open pre-orders, but some completed past orders with pending accounting syncs were also included in this list.”

Framework says its Head of Finance notified Keating Consulting’s leadership of the attack once he became aware of the breach roughly 29 minutes after the external accountant replied to the attacker’s emails at 8:42 AM PST on January 11th.

As part of a subsequent investigation, the company identified all customers whose information was exposed in the attack and notified them of the incident via email.

Affected customers warned of phishing risks

Since the exposed data includes the names of customers, their email addresses, and their outstanding balances, it could potentially be used in phishing attacks that impersonate the company to request payment information or redirect to malicious websites designed to gather even more sensitive information from those impacted.

The company added that it only sends emails from ‘support@frame.work’ asking customers to update their information when a payment has failed and it never asks for payment information via email. Customers are urged to contact the company’s support team about any suspicious emails they receive.

Framework says that from now on, all Keating Consulting employees with access to Framework customer information will be required to have mandatory phishing and social engineering attack training.

“We are also auditing their standard operating procedures around information requests,” the company added.

“We are additionally auditing the trainings and standard operating procedures of all other accounting and finance consultants who currently or previously have had access to customer information.”

A Framework spokesperson was not immediately available for comment when BleepingComputer asked about the number of affected customers in the data breach.

Big Breaches: Cybersecurity Lessons for Everyone 

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: data breach

Sep 18 2023


Category: Data Breach,data security,Hackingdisc7 @ 11:36 am

Researchers from vx-underground reported that FBI hacker ‘USDoD‘ leaked sensitive data from consumer credit reporting agency TransUnion.

TransUnion is an American consumer credit reporting agency. TransUnion collects and aggregates information on over one billion individual consumers in over thirty countries, including “200 million files profiling nearly every credit-active consumer in the United States”.

A threat actor who goes by the moniker “USDoD” announced the leak of highly sensitive data allegedly stolen from the credit reporting agency. The leaked database, over 3GB in size, contains sensitive PII of about 58,505 people, all across the globe, including the America and Europe

According to researchers vx-underground who reported the leak, the archive contains data that dates back to March 2nd, 2022, which could be the data of the data breach.

This leaked database has information on individuals all across the globe including the Americas (North and South), as well as Europe

vx-underground states that leaked data includes individual first name, last name, Internal TransUnion identifiers, sex, passport information, place of birth, date of birth, civil status, age, current employer, information on their employer, a summary of financial transactions, credit score, loans in their name, remaining balances on the loans, where they got the loan from, when TransUnion first began monitoring their information.

The name USDoD is well known in the cyber security sector, it was also listed in the indictment for the notorious owner of the BreachForums cybercrime forum Pompompurinvx-underground pointed out that they are believed to be behind many other high-profile security breaches.

Recently, The multinational aerospace corporation Airbus announced that it is investigating a data leak after cybersecurity firm Hudson Rock reported that a hacker posted information on thousands of the company’s vendors to the dark web.

USDoD” announced he had gained access to an Airbus web portal by compromising the account of a Turkish airline employee.

The hacker claimed to have details on thousands of Airbus vendors. The threat actors obtained the personal information of 3,200 individuals associated with Airbus vendors, exposed data include names, job titles, addresses, email addresses, and phone numbers. 

In December 2022, the FBI’s InfraGard US Critical Infrastructure Intelligence portal was hacked and a database containing the contact details of more than 80,000 high-profile private sector individuals was offered for sale by USDoD on the Breached cybercrime forum.

After the law enforcement shutdown of “Breached” forum, its members, including “USDoD,” moved to other platforms such as “BreachForums.”

“USDoD” posted two threads on this new forum, one to announce they have joined the notorious ransomware group Ransomed. In the second threat, the hacker exposed the personal information of 3,200 sensitive Airbus vendors. USDoD also warned that Lockheed Martin and Raytheon might be the next targets.

“Threat actors typically refrain from revealing their intrusion techniques, however in this exceptionally rare leak, “USDoD” revealed they gained access to Airbus’s data by exploiting “employee access from a Turkish Airline”.” reported Hudson Rock. “Using this information, Hudson Rock researchers succeeded to trace the mentioned employee access — a Turkish computer infected with an info-stealing malware in August 2023.”

According to the researchers, the computer of the victim was likely infected with the RedLine stealer after he attempted to download a pirated version of the Microsoft .NET framework.

A Business Guide for Protecting Sensitive Information

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory


Sep 18 2023

Microsoft AI researchers accidentally exposed terabytes of internal sensitive data

Category: AI,Data Breachdisc7 @ 8:46 am

Researchers find a GitHub repository belonging to Microsoft’s AI research unit that exposed 38TB of sensitive data, including secret keys and Teams chat logs — Microsoft AI researchers accidentally exposed tens of terabytes of sensitive data, including private keys and passwords …

Aug 18 2023

What Are Your Data Breach Notification Requirements?

Category: Data Breachdisc7 @ 9:47 am

Data breach notification requirements are complex in the US, with various federal and state laws containing different requirements for when security incidents must be disclosed.

Some even have substantially different definitions for what a ‘data breach’ or ‘personal data’ is.

As such, it can be hard to know whether you need to report an incident, let alone how you should go about it.

We address these issues in this blog, bringing some much-needed clarity to the subject.

State laws on data breach notification

There is no single set of data protection laws in the U.S., with the rules instead comprised of a patchwork of industry-specific federal laws and state legislation.

To complicate matters further, several states have created new laws in recent years to bolster data protection requirements. For instance, New York has created the SHIELD Act, while Colorado and California have both created data privacy legislation.

Elsewhere, the U.S. government is attempting to unify data protection requirements with its National Cybersecurity Strategy.

The decision to revise data protection laws follows the introduction of the EU GDPR (General Data Protection Regulation) in 2018, which radically shifted organizations’ requirements.

Organizations in the U.S. that process EU residents’ personal data are required to comply with the GDPR, and those that conduct business across state lines will face similar compliance challenges.

You can find a summary of each state’s federal data breach notification laws on our website, along with links to the texts themselves.

The GDPR is particularly important here, because many organizations in the U.S. assume that it only applies in the EU. However, its requirements apply to any organization that processes EU residents’ personal data, which is particularly common for organizations that have an online presence.

GDPR compliance is also helpful for managing patchwork of U.S. data protection legislations. Its requirements are far stricter than any domestic laws, so achieving GDPR compliance will cover you for a range of other requirements.

You can learn more about the GDPR and the ways it can help you meet your data protection requirements by reading General Data Protection Regulation (GDPR) – A compliance guide for the US.

This free guide explains how and when the GDPR applies in the U.S. and the steps you can take to ensure your organization meets its transatlantic data processing practices.

You’ll also learn about the Regulation’s core principles and data subject rights, and the benefits of GDPR compliance.

We also provide tips on how to write your data privacy notice and give you tips on how to further your understanding of its compliance requirements.

Download now

CISSP training course

InfoSec tools | InfoSec services | InfoSec books | Follow our blog

Tags: CPRA, Data Breach Notification Requirements, Data Privacy Solutions, gdpr, hipaa

May 29 2023


Category: Data BreachDISC @ 10:43 am

The research that was published in the German daily Handelsblatt said that customers of Tesla Inc. lodged over 2,400 complaints about difficulties with self-acceleration and 1,500 complaints regarding issues with brakes between the years of 2015 and March 2022.

According to reports, a big data dump that was based on a whistleblower’s breach of internal Tesla papers suggests that problems with Tesla’s autonomous driving system may be considerably more frequent than authorities and the media have suggested. This was discovered after the whistleblower gained unauthorized access to internal Tesla documents.

According to information that was taken from Tesla’s information technology (IT) system, complaints against these Full Self Driving (FSD) capabilities originated from all over the globe, including the United States of America, Europe, and Asia.

Particularly, in an article titled “My autopilot almost killed me,” Handelsblatt reported receiving 100 terabytes of data and 23,000 files. Within those files were 3,000 entries highlighting consumers’ safety concerns and tales of more than 1,000 crashes.

The publisher included a note stating that the data includes the phone numbers of customers.

According to the hundreds of clients that Handelsblatt is claimed to have contacted, the fears were quite serious.

According to one man from Michigan, his Tesla “suddenly braked hard, as hard as you can imagine.” When I was ordered to fasten my seatbelt, the vehicle was on the verge of coming to a complete halt. I was then struck by a second car.

The files were shown to the Fraunhofer Institute for Secure Information Technology by Handelsblatt. The institute concluded that there is no reason to presume that “the data set does not come from IT systems belonging to or in the environment of Tesla.”

Employees are instructed that, unless lawyers are involved, they should not deliver written comments but rather should convey them “VERBALLY to the customer.” Unless attorneys are involved, written critiques should not be given.

The post quotes the instructions as saying, “Do not copy and paste the report below into an email, text message, or leave it in a voicemail to the customer,” and it is clear that this is a requirement.

An report featured a doctor from California who said that her Tesla accelerated on its own in the autumn of 2021 and smashed into two concrete pillars. She noted that the company never sent emails and that everything was always communicated verbally.

According to the attorneys for Tesla, the news organization is required to provide a copy of the data to Tesla, and all other copies of the data must be destroyed. The attorneys for Tesla also warned legal action “for the theft of confidential and personal data.”

According to reports, the alleged papers would undoubtedly be important to current wrongful death lawsuits made against Tesla. These claims assert that the company’s technology has significant safety faults. Additionally, they may compel local, state, and federal authorities to take action.

The state’s data protection officer, Dagmar Hartge, recognized the seriousness of the allegations and pointed out that, should the allegations prove to be accurate, the data breach would have significant repercussions on a worldwide scale. The situation has been sent to privacy advocates in the Netherlands so that additional investigation might be conducted.

“Tesla takes the protection of its proprietary and confidential information, as well as the privacy of its employees and customers, very seriously.” “We intend to initiate legal proceedings against this individual for his theft of Tesla’s confidential information and employees’ personal data,” Tesla stated in a response that was reported by the publication. The statement was made in reaction to the theft of sensitive information and personal data pertaining to Tesla employees.

The Chinese regulatory authorities have already started to take action. Approximately two weeks ago, Tesla was forced to provide an emergency software update for the majority of the automobiles it has sold in China as a direct result of problems with unexpected and sudden acceleration.

Since 2016, Musk has made many claims that his self-driving vehicles would be really autonomous, but he has not delivered on those claims.

Data Privacy: A runbook for engineers

InfoSec tools | InfoSec services | InfoSec books

Tags: data privacy, TESLA, Tesla Remotely Hacked

May 08 2023

1M NextGen Patient Records Compromised in Data Breach

Category: Data Breach,hipaa,Ransomwaredisc7 @ 1:44 pm

BlackCat ransomware operators reportedly stole the sensitive data.

Source: Kristoffer Tripplaar via Alamy Stock Photo


A database containing the personal information of more than 1 million people was stolen from NextGen Healthcare, Inc., a provider of cloud-based healthcare technology.

NextGen Heathcare provided a disclosure to the Maine Attorney General’s office that said the breach occurred on March 29 and lasted through April 14. The compromise was discovered on April 24, the company reported.

The compromise occurred due to “unauthorized access to database stemming from use of stolen client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen,” the healthcare technology provider said.

Samples of NextGen’s stolen data reportedly popped up on ransomware operator BlackCat’s leak site, but were later removed without explanation.

NextGen’s disclosure indicated the databased contained “name or other personal identifier in combination with Social Security Number.”

NextGen had not responded to Dark Reading’s request for comment at the time of this post.

NextGen Breach Follow-on Attacks Likely

The NextGen breach poses a major threat to its victims, according to Tom Kellermann, senior vice president of cyber strategy at Contrast Security.

“This is a massive cybercrime which will result in widespread identity theft,” Kellermann said in a statement provided to Dark Reading. “Healthcare providers have long been preferred targets by cybercriminals who specialize in identity theft due to two reasons: First they have woeful inadequate cybersecurity and second, they store the most sensitive PII.”

In 2021, there were more data breaches of healthcare-related organizations than any other sector, accounting for 24% of all cybersecurity incidents, according to Steve Gwizdala, vice president of healthcare at ForgeRock.

“Vigilance and new ways of enhancing cybersecurity measures will be crucial to healthcare organizations and businesses responsible for protecting the personal information of consumers stored online — across the entire supply chain,” Gwizdala said in a statement.

Research Anthology on Securing Medical Systems and Records

  InfoSec tools | InfoSec services | InfoSec books

Tags: Patient Records Compromised

Apr 13 2023


Category: Data Breach,data security,PIIDISC @ 8:22 am

Hackers were able to acquire access to individuals’ personal information after Hyundai announced a data breach that affected vehicle owners in Italy and France as well as those who had scheduled test drives with the automaker. According to Troy Hunt, the author of the website “HaveIBeenPwned,” the event has caused the personal data of clients  to become public.

The letter also makes it clear that the individual who hacked into Hyundai’s database did not take any financial information or identifying numbers. It is unknown how many Hyundai customers have been impacted by this event, how long the network attack lasted, or what additional nations may be at risk. Customers of a South Korean automobile manufacturer are being cautioned to be wary of unsolicited e-mails and SMS messages that pretend to come from the company. These communications might be efforts at phishing or social engineering. In response to the incident, Hyundai claims it has enlisted the help of information technology specialists, who have taken the affected systems down while new security measures are put into place. In February of 2023, the business released emergency software patches for a number of car models that had been compromised by a simple hack with a USB cable, which had made it possible for criminals to take the vehicles.

On the other hand, the Japanese automaker Toyota has admitted that there may have been a breach of consumer data due to security flaws at its operations in Italy. Throughout the course of more than one and a half years, up until this past March, Toyota Italy carelessly disclosed confidential information. In particular, it divulged confidential information on its Salesforce Marketing Cloud and Mapbox APIs. Threat actors might utilize this information to their advantage to acquire access to the telephone numbers and email addresses of Toyota customers and then use those details to start phishing attacks on those customers. According to the findings of the research team at Cybernews, the organization exposed credentials to the Salesforce Marketing Cloud, which is a supplier of software and services related to digital marketing automation and analytics. Threat actors might get access to phone numbers and email addresses, as well as customer monitoring information, as well as the contents of email, SMS, and push-notification messages by abusing the data. Moreover, Toyota Italy exposed the application programming interface (API) tokens for the software business Mapbox. These tokens were used to access map data. Although while the data is not as sensitive as the credentials for the Salesforce Marketing Cloud, it is still possible for threat actors to misuse it in order to query a large number of queries and drive up Toyota’s API use costs.

Toyota is not the only automaker that has lately put itself as well as its consumers in Italy in a vulnerable position. In January of this year, the Indian branch of Toyota Motor announced a data breach, claiming that it was possible that the personal information of some of its customers had been exposed.

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services


Mar 20 2023

NBA Cyber Incident – Fans’ Personal Information Exposed

Category: Data Breach,PII,Security BreachDISC @ 12:05 pm

As a result of a recent data breach, the NBA notified all its fans about the fact that a significant amount of personal information was compromised.

While using the information gathered, phishing attacks can be conducted by the threat actors on the individuals who have been affected. A third-party newsletter service was said to be holding the personal information exposed in the leak.

In addition to managing five professional sports leagues, the NBA also manages a media organization. And here below, we have listed those five sports leagues:-

  • NBA
  • WNBA
  • Basketball Africa League
  • NBA G League
  • NBA 2K League

In over 215 countries and territories worldwide, with over 50 languages spoken, NBA programming and games are broadcast worldwide.

NBA Cyber Incident

A number of fans have been notified of the cyber security incident through an email sent out with the tag “Notice of Cybersecurity Incident.”

According to the NBA, neither its systems nor the credentials of the fans affected by the incident were compromised. But, some theft of the personal information belonged to some fans.

Further, the association reported that the names and email addresses were accessed and copied by an unauthorized third party. But, in this instance, sensitive information, such as usernames and passwords, was not exposed.

Apart from this, a third-party provider and an external cybersecurity service are being engaged by the NBA to assist in the investigation of the issue to know the extent of the impact and resolve the issue as soon as possible.

NBA warned fans of phishing attacks

NBA warned that phishing attacks and various scams could be targeted at the affected individuals due to the sensitive nature of the data involved, reported Bleeping Computer.

It was strongly recommended to the affected fans that they remain vigilant when they open any suspicious emails that they receive. In the notification emails, the NBA informs fans that it will never send them an email asking for any of this information:-

  • Other account information
  • Usernames
  • Passwords

It is also recommended for fans who have been impacted verify the authenticity of any emails they receive by ensuring that the sender’s email address ends with “@nba.com.” 

Check that the embedded links point to a trustworthy website, and don’t open email attachments that they haven’t been expecting to receive.

NBA Cyber Incident

NBA warns fans over data breach, personal details copied

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: NBA Cyber Incident

Mar 16 2023

Multiple threat actors exploited Progress Telerik bug to breach U.S. federal agency

Category: Data Breach,Security BreachDISC @ 9:00 am

Multiple threat actors exploited a critical flaw in Progress Telerik to breach an unnamed US federal agency, said the US government.

joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) revealed that multiple threat actors, including a nation-state actor, exploited a critical vulnerability in Progress Telerik to breach an unnamed US federal agency.

The three-year-old vulnerability, tracked as CVE-2019-18935 (CVSS score: 9.8), is a .NET deserialization issue that resides in the Progress Telerik UI for ASP.NET AJAX. Exploitation can result in remote code execution.

“CISA analysts determined that multiple cyber threat actors, including an Advanced Persistent Threat (APT) actor, exploited a .NET deserialization vulnerability in Progress Telerik user interface for ASP.NET AJAX. Exploitation of this vulnerability allowed malicious actors to successfully execute remote code on a federal civilian executive branch (FCEB) agency’s Microsoft Internet Information Services (IIS) web server.” reads the advisory. “Actors were then able to upload malicious dynamic-link library (DLL) files (some masqueraded as portable network graphics [PNG] files) to the C:\Windows\Temp\ directory.” 

Threat actors exploited the vulnerability to execute arbitrary code on a Microsoft Internet Information Services (IIS) web server used by a federal civilian executive branch (FCEB) agency.

In 2020 and 2021, this flaw was included by the US National Security Agency (NSA) in the list of the top 25 vulnerabilities exploited by Chinese state-sponsored hacking groups in attacks in the wild.

The flaw was also used in the past by the NetWalker ransomware gang in its operations.

The joint alert recommends network defenders review the Malware Analysis Report, MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server, to reference CISA’s analysis for the identified malicious files.

According to the MAR, CISA received 18 files for analysis from a forensic analysis engagement conducted at a Federal Civilian Executive Branch (FCEB) agency. Experts reported that 11 of the dynamic link library (DLL) files employed in the attack allows threat actors to read, create, and delete files on the target systems.

“If the DLL contains a hardcoded Internet Protocol (IP) address, status messages will be sent to the IP. One DLL file will attempt to collect the target system’s Transmission Control Protocol (TCP) connection table, and exfiltrate it to a remote Command and Control server (C2).” reads the MAR. “Five of the files drop and decode a reverse shell utility that can send and receive data and commands. In addition, the files drop and decode an Active Server Pages (ASPX) webshell. Two DLL files are capable of loading and executing payloads.”

US CISA has also provided Indicators of Compromise (IOCs) and YARA rules for detection in the Malware Analysis Report (MAR).

CISA Known Exploited Vulnerabilities Catalog Progress Telerik bug

Tags: Telerik bug, U.S. federal agency

Mar 10 2023

US Lawmakers Face Cyberattacks, Potential Physical Harm After DC Health Link Breach

The threat actor who posted the data for sale has claimed credit for multiple other breaches, including one at grocery platform Weee! that exposed data on more than 1.1 million customers.

Jai VijayanContributing Writer, Dark Reading

US House of Representatives seal
Source: Ron Adar via Shutterstock

Hundreds of US lawmakers and their families are at risk of identity theft, financial scams, and potentially even physical threats after a known info-theft threat actor called IntelBroker made House of Representatives members’ personally identifiable information (PII) available for sale on the “Breached” criminal forum.

The information, confirmed as being obtained via a breach at health insurance marketplace DC Health Link, includes names, Social Security numbers, birth dates, addresses, and other sensitive identifying information. The data on the House members was part of a larger data set of PII belonging to more than 170,000 individuals enrolled with DC Health Link that the threat actor put up for sale this week.

DC Health Link: A Significant Breach

In a March 8 email to members of the House and their staff, US House Chief Administrative Officer Catherine Szpindor said the attack on DC Health Link does not appear to have specifically targeted US lawmakers. But the breach was significant and potentially exposed PII on thousands of people enrolled with DC Health Link.

“The FBI also informed us that they were able to purchase this PII, along with other enrollee information, on the Dark Web,” Speaker of the House Kevin McCarthy (R-Calif.) and House Minority Leader Hakeem Jeffries (D-N.Y.) said in a joint letter to the executive director at DC Health Link on March 8. The letter sought specifics from the health exchange on the breach, including details on the full scope of the attack and DC Health Link’s plans to notify affected individuals and offer credit monitoring services for them.

Despite the letter, details of the intrusion at DC Health Link are not yet available. The organization, governed by an executive board appointed by the DC mayor, did not immediately respond to a request for comment on the incident.

A report in BleepingComputer this week first identified the threat actor as the appropriately named IntelBroker, after the cybercriminals put the stolen data up for sale on March 6. According to the underground forum ad, the data set is available for “an undisclosed amount in Monero cryptocurrency.” Interested parties are asked to contact the sellers via a middleman for details.

IntelBroker’s Resume of Previous Breaches

This is not the first big heist for the group: A threat actor, using the same moniker in February, had claimed credit for a breach at Weee!, an Asian and Hispanic food delivery service. IntelBroker later leaked some 1.1 million unique email addresses and detailed information on over 11.3 million orders placed via the service. 

Security vendor BitDefender, which covered the incident in its blog at the time, published an ad that IntelBroker placed on BreachedForums that showed the attacker boasting about obtaining full names, email addresses, phone number, and even order notes which included apartment and building access codes.

Meanwhile, Chris Strand, chief risk and compliance officer at Cybersixgill says his company has been tracking IntelBroker since 2022 and is about to release a report on the actor. “IntelBroker is a highly active Breached member with an 9/10 reputation score, who claimed in the past to be the developer of Endurance ransomware,” Strand says.

IntelBroker’s use of Breached to sell the health exchange PII, instead of a dedicated leak site or a Telegram channel, is consistent with the threat actor’s previous tactics. It suggests either a lack of resources or inexperience on the individual’s part, Strand says. 

“In addition to IntelBroker’s presence on Breached, the threat actor has maintained a public GitHub repository titled Endurance-Wiper,” he tells Dark Reading.

In November, IntelBroker claimed that it used Endurance to steal data from high level US government agencies, Strand notes. The threat actor has in total made some 13 claims about breaching top US government agencies, likely to attract customers to a ransomware-as-a-service (RaaS) program. Other organizations that IntelBroker claims to have broken into include Volvo, cult footwear maker Dr. Martens, and an Indonesian subsidiary of The Body Shop.

“Our intelligence analysts have been tracking IntelBroker since 2022, and we have been collecting intel attributed to that threat actor since then, as well as associated threats that have been related or attributed to IntelBroker,” Strand says.

Is House Members’ PII a National Security Threat?

Justin Fier, senior vice president of red team operations at Darktrace, says the threat actor’s reason for putting the data up for sale appears to be purely financially motivated rather than political. And given the high profile of the victims, IntelBroker may find that the attention the breach is garnering will increase the value of the stolen data (or bring more heat than it would like).

The buyers might be another story. Given the availability of physical addresses and electronic contact information, the kinds of potential follow-on attacks are myriad, ranging from social engineering for identity theft or espionage, to physical targeting, meaning that interested parties could run the gamut in terms of motivation.

“The amount tells you a great deal about who they may be thinking of in terms of buyers,” he says. If all that the threat actor ends up asking is a couple of thousand dollars, they are likely to be a smaller criminal enterprise. But “you start talking millions, they are clearly then catering to nation-state buyers,” he says.

Fier assesses that the data that the threat actor stole on US House members as potentially posing a national security issue. “We shouldn’t only think external nation-states that might want to purchase this,” Fier says. “Who is to say that other political parties and/or activists couldn’t weaponize it?”


Previous posts on Cyber Attacks

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Cyberattacks, US Lawmakers

Feb 28 2023


Category: Data Breach,data securityDISC @ 9:44 am

it is not uncommon for large organizations to face cyber attacks or data breaches, and it is important for them to have strong cybersecurity measures in place to prevent such incidents and mitigate their impact if they do occur. However, If such an incident did occur, the affected companies would likely conduct a thorough investigation and take appropriate steps to address the situation and prevent similar incidents from happening in the future.

The massive media and publishing business News Corp reported a data breach in February 2022, disclosing that its journalists had been the focus of an attack on a software supply chain. The breach revealed that the journalists had been hacked. The assets owned by News Corp. include a variety of prominent news sources, such as Dow Jones, FOX News, The Sun, and MarketWatch, amongst others. It is important to note that in March of 2019, the Dow Jones made news for disclosing a “screening list” that included critical information on terrorists, criminals, and shady enterprises. This information included names, addresses, and phone numbers. 

The leak of thirteen million data took place on the FOX News website in April of 2022. The fifty-eight terabytes’ worth of information consisted of a variety of different things, including the company’s internal documents, the personally identifiable information (PII) of its workers, and many other things. Prior to the time when the firm was made aware of the occurrence, these documents continued to be accessible to the general public.

Today, the business has disclosed new information saying that the security breach really took place in February of 2020. This indicates that the hackers were present on the network for a period of two years before being discovered. Mandiant, which is now owned by Google, was the cybersecurity company that helped News Corp. back then. Because the perpetrators had access to the system for two years before they were discovered, it is highly likely that they were able to get away with stealing more information than was initially thought. Since no one knew it had been stolen, they would not have been on heightened alert for any potential attacks during that time.

The firm disclosed in a breach notice that the threat actors responsible for the incident gained access to its email and document storage system. This system is used by a variety of News Corp companies. The impacted workers’ personal and health information was obtained; nevertheless, the corporation has said that it does not seem that the activity was centered on exploiting personal information in any way.
The Wall Street Journal, the New York Post, and its news operations in the United Kingdom were among the News Corp publications that were compromised as a result of the security hack. Names, birth dates, social security numbers, driver’s license numbers, passport numbers, information about bank accounts, as well as information on medical and health insurance, were some of the pieces of personally identifiable information that were accessed.

News Corporation has indicated in the past that the assailants had links to China and were probably engaged in espionage operations to gather information for the benefit of China’s objectives.

The New York Post admitted that it had been hacked in October 2022, after discovering that its website and Twitter account had been exploited to distribute inappropriate information that targeted a number of different politicians in the United States. The newspaper eventually disclosed that one of its own workers was responsible for the incident, and that individual was terminated once their role in the scandal was uncovered.


Feb 27 2023

Hacker Claim Telecom Provider Data Including Source Code, Employee Data Stolen

Category: Data Breach,HackingDISC @ 11:29 am

Telus, a Canadian national telecommunications company is looking into whether employees’ data as well as the source code for the system were stolen and then sold on a dark web marketplace.

Subsequently, the threat actor published screenshots that appear to depict the company’s payroll data and private source code repositories.

“We are investigating claims that a small amount of data related to internal Telus source code and select Telus team members’ information has appeared on the dark web,” Richard Gilhooley, director of public affairs at Telus said in an email. 

“We can confirm that to this point our investigation, which we launched as soon as we were made aware of the incident, has not identified any corporate or retail customer data.”

Source Code, Employee Data Stolen

A threat actor offered what they claimed to be TELUS’ employee list (including names and email addresses) for sale on a data breach forum on February 17.

“Today we’re selling email lists of Telus employees from a very recent breach. We have over 76k unique emails and on top of this have internal information associated with each employee scraped from Telus’ API”, the forum post says.

The post provides what looks to be a list of email addresses for Telus employees as proof. “It isn’t known if these are the current or former staff — or even real”.

Later on Tuesday, February 21, the same threat actor published a new forum post with an offer to sell TELUS’ private GitHub repositories, source code, and payroll data.

“In the repositories are the backend, frontend, middleware [information,] AWS keys, Google auth keys, Source Code, Testing Apps, Staging/Prod/testing, and more!” says the seller’s latest post.

Forum post with TELUS sample data set
The claimed TELUS data and source code are posted in a second forum post

The seller also stated that the company’s “sim-swap-api,” which is supposed to allow attackers to conduct SIM swap attacks, was included in the stolen source code.

Despite the malicious attacker calling this a “Full breach” and stating that they will sell “anything related to Telus,” it is still too soon to say whether an event actually happened at TELUS or whether a breach at a third-party vendor actually occurred.

“It’s important to note that it’s not clear whether the data being sold is real”, commented Brett Callow, a British Columbia-based threat analyst for Emsisoft. 

“If it is real, this is a potentially serious incident which exposes Telus’ employees to increased risk of phishing and social engineering and, by extension, exposes the company’s customers to risk”. 

“The alleged exposure of the private Github repositories, supposedly including a sim-swap API, represents an additional tier of potentially significant risk.”

Tags: data breach, telecom security incidents

Jan 05 2023

Volvo Cars Suffered A New Data Breach? Data Published On Hacking Forum

Category: cyber security,Data BreachDISC @ 11:19 am

According to a post on a well-known hacker forum, Volvo Cars has experienced a new data breach, with stolen information allegedly being made available for sale.

Anis Haboubi, a French cybersecurity expert, was the first to discover that a threat actor was seeking to sell data purportedly taken from Volvo Cars on a well-known hacking site.

On December 31, 2022, a forum member operating online with the moniker IntelBroker reported that VOLVO CARS had been the target of a ransomware attack. He alleges that the Endurance Ransomware gang attacked the company and stole 200GB of private information that is now being sold.

The seller mentioned that he doesn’t demand a ransom because he thinks the victim won’t pay it.

“The company has not been approached with a ransom demand. Based on the information available, the company does not currently see an impact on its business or operations”, according to a Volvo representative.

Volvo breach

IntelBroker is offering the relevant data for $2500 in Monero, and he shared a number of screenshots as evidence of the hack. He forbids any escrow, which is a highly suspicious situation.

According to reports, the leak included sensitive data like access to several of the company’s databases, WiFi logins and points, employee listings, software keys, and other private data.

“I am currently selling the following information:

Database access, CICD access, Atlassian access, domain access, WiFi points, and logins, auth bearers, API, PAC security access, employee lists, software licenses, and keys and system files.” reads the announcement on the hacking forum.

“There is much data on “unresolved” reports of exploits. I have taken them all and they will also be included in this sale.”

It’s notable that the attacker shared screenshots of allegedly stolen data that indicate details about vehicles the company sells to law enforcement agencies, especially in Europe.

Threat actors have set a relatively low price of $2,500 for the dataset, indicating that the data may not be as sensitive as the seller would want.

If genuine, this would be Volvo’s second security compromise in less than 18 months. The company claimed that a “small portion” of its R&D assets had been taken during the breach in late 2021.

Hence, it’s unclear at this moment whether the seller is seeking to sell information from the 2021 data breach or if there has been a new data leak. Some users of the same hacker site said that since last week, the company’s unsecured Citrix access has been exposed online.

Security researchers released their car hacking research discussing vulnerabilities affecting millions of vehicles, and lots of different car companies such as Kia, Toyota, BMW, Rolls Royce, Ferrari, Ford, and many more. If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely. Their goal was to find vulnerabilities affecting the automotive industry. This write-up details their work exploring the security of telematic systems, automotive APIs, and the infrastructure that supports them. Details: https://samcurry.net/web-hackers-vs-the-auto-industry/

Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More
Details: https://samcurry.net/web-hackers-vs-the-auto-industry/

Infosec books | InfoSec tools | InfoSec services

Tags: Volvo data breach

Jan 02 2023

3 important changes in how data will be used and treated

Category: Data Breach,Data mining,data securityDISC @ 11:51 am

Regula has presented their vision of the developments that will shape the industry’s landscape in 2023. Deepfakes, new cyber-hygiene norms, and demand for mature ID verification platforms are among some of the predictions for the next year.

While more and more industries move their customer experiences to digital, online identity verification is becoming an essential part of our life. It lets people cope with all sorts of mission-critical activities online: opening bank accounts, applying for benefits, getting insurance payouts, and even getting medical advice.

Still, the security of the digital IDV process is the number one concern that is forming the industry’s landscape and driving the majority of significant changes.

Javelin Strategy & Research reports that in 2022, identity fraud and scams cost $52 billion and affected over 42 million people in the US alone. The rising number of identity fraud cases, along with fraudsters’ hunger for personal information collected by service providers, will lead to three important changes in how data will be used and treated:

  • Even industries that are not so heavily regulated will invest more in the ID verification process, adding extra security layers. There will be more checks with increased complexity and additional steps in the verification process: biometric checks, verifying IDs, SMSs, and passwords, checking recent transactions, etc.
  • This will lead to prioritization of comprehensive liveness checks to make sure that submitted documents are valid and really exist. An ID document contains various security features: holograms, elements printed with optical variable inks, and biometric data, to name a few, and an image of it should be taken using methods so that these elements can be captured and verified.
  • Regula experts expect to see a push from users for more data protection rules, and for more transparency from online businesses. In the wake of multiple public disclosures of data leaks, users are gradually losing trust in how their data is treated and becoming more cautious about what they share with third parties and how. Addressing this trend, companies will attempt to bring that trust back via increased investments in customer data protection measures.

When it comes to more complex identity fraud cases related to synthetic media like deepfakes, experts expect to see a rise in amateur scam attempts along with the emergence of next-gen biometric-related fraud.

Both trends are developing in parallel and are powered by the same factor: the growing maturity and availability of machine-learning based technologies that make it possible to fake photos, videos, voices, and other characteristics previously considered unique.

Based on the opinion of Regula experts, all these trends will lead to a market that is developed enough to embrace mature end-to-end IDV solutions that are capable of not only verifying documents, but also biometric characteristics, like face, voice, and fingerprints.

“The good news is that minimal security measures are currently enough to repel 95% of possible attacks. The remaining 5% is where the difficulties lie. Now, most deepfakes are created for free, and they’re of such a quality that there’s no immediate danger. But that’s a matter of how many resources fraudsters will be willing to invest. At the moment, when they’re ready to spend significant amounts of money per deepfake, it’s a problem that requires interactive multi-layered protection. So if we picture the trends above as a scale, where convenience for the customer is on one end and security on the other, the balance is shifting to the latter,” notes Ihar Kliashchou, CTO at Regula.

In relation to this year’s trending topics — digital identity and decentralized identity — the company’s experts have their own take on that:

  • In the ideal world, a universal digital identity would help eliminate most of the issues with fake identities. However, in reality, creating and gaining broad acceptance and implementation of a secure single source of truth is going to take a significant amount of time. Still, we’re already seeing more different local and even company-based digital identities trying to become a single source of truth on a local level.
  • The idea of decentralized identity is going to be held back for some time. With the benefit of being built on blockchains and allowing users to control their digital identifiers, this system still comes with weaknesses. Since no one controls it centrally, no one will be responsible for it in case of any problems. Additionally, there is the matter of trust. Blockchain is strongly associated in people’s minds with crypto, and the FTX crash that has happened in the last couple of months has undermined people’s trust in it.

Infosec books
 | InfoSec tools | InfoSec services

Tags: data security

Dec 15 2022

Microsoft-Signed Drivers Helped Hackers Breach System Defenses

Category: Data Breach,Hacking,Security BreachDISC @ 10:12 am

This is not the first time threat actors have used drivers signed by Microsoft in their operations, as we know it, and it seems that putting a stop to this practice has not been an easy task for Microsoft.

Evidence suggests that the Cuba ransomware gang used malicious hardware drivers certified by Microsoft’s Windows Hardware Developer Program in an attempted ransomware attack.

Remember when, in 2021, a report surfaced that revealed Microsoft had signed a driver called Netfilter, and later it turned out it contained malware? Well, it has happened again, but on a larger scale.

Sophos X-Ops Rapid Response (RR) recently discovered evidence which proves that threat actors potentially belonging to the Cuba ransomware gang used malicious hardware drivers certified by Microsoft’s Windows Hardware Developer Program in an attempted ransomware attack. 

Drivers — the software that allows operating systems and apps to access and communicate with hardware devices — require highly privileged access to the operating system and its data, which is why Windows requires drivers to bear an approved cryptographic signature before allowing the driver to load.

However, cybercriminals have long since found approaches to exploit vulnerabilities found in existing Windows drivers from legitimate software publishers. These hackers make an effort to progressively move up the trust pyramid, using increasingly well-trusted cryptographic keys to digitally sign their drivers. 

Sophos along with researchers from Google-owned Mandiant and SentinelOne warned Microsoft about these signed malicious drivers which were being planted into targeted machines using a variant of the BurntCigar loader utility. These two then worked in tandem to kill processes associated with antivirus (AV) and endpoint detection and response (EDR) products. 

“Ongoing Microsoft Threat Intelligence Center analysis indicates the signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware,” Microsoft said in an advisory published as part of its monthly scheduled release of security patches, known as Patch Tuesday.

Microsoft approved Driver Malware Used To Bypass System Security
On left is a valid signature identified by Mandiant – On the right is a valid signature identified by Sophos

Microsoft concluded its investigation by stating that “no compromise has been identified,” and proceeded to suspend the partners’ seller accounts. Moreover, they released Windows security updates to revoke the abused certificates. 

Mandiant’s report is available here. In SentinelOne’s blog post, the security firm reported that it had seen several attacks where a threat actor used malicious signed drivers to evade security products which usually trust components signed by Microsoft.

The threat actors were observed to be targeting organisations in the business process outsourcing (BPO), telecommunications, entertainment, transportation, MSSP, financial and cryptocurrency sectors and in some instances, SIM swapping was the end goal.

Microsoft approved Driver Malware Used To Bypass System Security
Code signing overview

Cuba Ransomware group was identified to be involved in gaining $60 million from attacks against 100 organisations globally, according to a joint advisory earlier this month from the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.

The advisory also included warnings regarding the ransomware group which has been active since 2019 and continues to attack US entities in critical infrastructure, including financial services, government facilities, healthcare and public health, and critical manufacturing and information technology.

This is not the first time threat actors have used drivers signed by Microsoft in their operations, as we know it, and it seems that putting a stop to this practice has not been an easy task for Microsoft.

Tags: Microsoft-Signed Drivers

Next Page »