Feb 14 2025

DOGE: A National Security Cyber Breach

Category: Data Breach,Security Breachdisc7 @ 9:22 am

In a recent series of events, the U.S. government has faced significant security breaches, not from external cyberattacks, but through actions initiated by the Department of Government Efficiency (DOGE), a newly established entity led by a billionaire with an ambiguous governmental role. These breaches have profound implications for national security.

Initially, individuals associated with DOGE accessed the U.S. Treasury’s computer systems, granting them the capability to collect data on and potentially control approximately $5.45 trillion in annual federal payments. Subsequently, unauthorized DOGE personnel obtained classified information from the U.S. Agency for International Development, possibly transferring it to their own systems. Following this, the Office of Personnel Management (OPM), which maintains detailed personal data on millions of federal employees, including those with security clearances, was compromised. Additionally, Medicaid and Medicare records were breached.

In another alarming incident, partially redacted names of CIA employees were transmitted via an unclassified email account. DOGE personnel have also been reported to input Education Department data into artificial intelligence software and have commenced operations within the Department of Energy.

On February 8, a federal judge intervened, prohibiting the DOGE team from further accessing Treasury Department systems. However, given that DOGE operatives may have already copied data and altered software, the effectiveness of this injunction remains uncertain. Without strict adherence to established security protocols by federal employees, further breaches of critical government systems are anticipated.

The systems compromised by DOGE are integral to the nation’s infrastructure. For instance, the Treasury Department’s systems contain detailed blueprints of federal financial operations, while the OPM network holds comprehensive information on government personnel and contractors.

What sets this situation apart is the method of breach. Unlike traditional foreign adversaries who employ stealth and spend years infiltrating government systems, DOGE operatives, with limited experience and oversight, are openly accessing and modifying some of the United States’ most sensitive networks. This not only introduces potential new security vulnerabilities but also involves the dismantling of essential security measures, such as incident response protocols and auditing mechanisms, by replacing seasoned officials with inexperienced personnel.

A fundamental security principle, known as “separation of duties,” has been undermined in these instances. This principle ensures that no single individual has unchecked power over critical systems, requiring multiple authorized personnel to collaborate on significant actions. The erosion of this safeguard poses a substantial risk to national security.

For further details, access the article here

Elon Muskā€™s DOGE Posts Classified Data On Its New Website

Anyone Can Push Updates to the DOGE.gov Website

‘Experts left database open’: Hackers mock Elon Musk after easily defacing his DOGE site

DOGE Team Raises Major Cyber Security Concerns

Young engineers pose ā€˜the single greatest insider threat risk the Bureau has ever facedā€™ as experts warn of cybersecurity breaches

 Congressman Robert Garcia makes ‘A Minor’ Barb At DOGE

The Data Protection Guidebook: A Survey of U.S. Federal and State Laws, Statutes, and Regulations Governing Data Breach Notification, Biometric Information, Cybersecurity, and Data Privacy

Hackers are getting quickerā€”48 minutes is all it takes for a breach.

A Hackerā€™s Mind: How the Powerful Bend Societyā€™s Rules, and How to Bend them Back

New regulations and AI hacks drive cyber security changes in 2025

Hackers will use machine learning to launch attacks

VNC Is The Hackerā€™s New Remote Desktop Tool For Cyber Attacks

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Cyber Intrusion, data breach, data privacy, data protection, DOGE, National security

Jan 28 2025

Why Companies Arenā€™t Held Accountable For Data Breaches

Category: Data Breachdisc7 @ 9:43 am

The article discusses the alarming rise in data breaches, with 2023 and 2024 setting a record for the number of reported incidents. A significant increase in ransomware attacks, phishing schemes, and vulnerabilities in third-party vendors has contributed to the surge. Organizations across various industries, including healthcare, finance, and government, are among the most affected, highlighting the growing sophistication of cybercriminals and the challenges in securing sensitive data.

Ransomware attacks remain a primary driver, where hackers lock organizations out of their own systems and demand payment for restoring access. These attacks are becoming more targeted and disruptive, often focusing on critical infrastructure or high-value data. Businesses have struggled to implement effective defenses, with some opting to pay ransoms despite the risks of enabling future attacks or non-recovery of stolen data.

The article also emphasizes the role of phishing, where cybercriminals deceive individuals into revealing credentials or clicking on malicious links. Such schemes exploit human behavior and are a major entry point for attacks. Coupled with the risks from third-party vendorsā€”who often lack robust security measuresā€”many organizations face heightened exposure to breaches outside their immediate control.

To address this growing problem, experts stress the importance of adopting proactive cybersecurity strategies. Businesses are encouraged to implement multi-layered defenses, including employee training, stronger identity verification, and advanced threat detection tools. Additionally, regulatory pressures are pushing companies to improve their breach reporting and response protocols, aiming to create a more secure digital environment in the face of evolving threats.

For further details, access the articleĀ here

Data Breaches: Crisis and Opportunity

Big Breaches: Cybersecurity Lessons for Everyone

Ā 

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Big Breaches, data breaches

Oct 15 2024

The IBM 2024 Data Breach Report reveals a troubling trend

Category: Data Breachdisc7 @ 10:03 am

The IBM 2024 Data Breach Report reveals a troubling trend: the average cost of a data breach has reached a record high of $4.88 million, a 10% increase from the previous year. This rise is attributed to several factors, including the increasing complexity of attacks, the growing volume of sensitive data, and the rising costs of responding to and recovering from breaches. The report also highlights the significant disruption that data breaches can cause to businesses, with 70% of breached organizations reporting significant or very significant disruption.

One of the key findings of the report is that data breaches are becoming more costly over time. Breaches that take longer to detect and contain have significantly higher costs than those that are quickly identified and addressed. In fact, breaches with a lifecycle exceeding 200 days have an average cost of $5.46 million, compared to $4.54 million for breaches with a lifecycle of less than 200 days. This suggests that investing in early detection and response capabilities can be a valuable strategy for mitigating the costs of data breaches.

The report also emphasizes the importance of effective incident response planning and execution. Organizations that have well-developed incident response plans and can execute them effectively are better equipped to minimize the impact of data breaches and reduce their overall costs. This includes having a clear understanding of the incident response process, identifying and training key personnel, and having the necessary tools and technologies in place.

Approximately 40% of all data breaches involved information stored in multiple environments. Breaches that included public clouds were especially expensive, with an average cost of $5.17 million per incident, representing a 13.1% increase from the previous year.

Shadow data was a factor in 35% of data breaches, resulting in an average cost increase of 16%. Additionally, breaches that involved shadow data took 26.2% longer to detect and 20.2% longer to contain than those without shadow data.

For the 14th consecutive year, healthcare has faced the most expensive data breaches, averaging $9.77 million per incident. Although there was a slight decline from 2023, the healthcare, financial services, and energy sectors continue to be significant targets for cybercriminals.

Fifty-three percent of organizations reported notable shortages in their security workforce, leading to heightened breach-related costsā€”an additional $1.76 million compared to those with sufficient staffing. Conversely, organizations that utilized AI and automation tools achieved an average savings of $2.2 million in breach-related expenses.

Additionally, the report highlights the growing threat of ransomware attacks. Ransomware attacks are becoming increasingly sophisticated and costly, with average breach costs reaching $4.91 million in 2024. This emphasizes the importance of implementing strong security measures to protect against ransomware attacks, including regular backups, security awareness training, and patching vulnerabilities.

For more details, visit Cost of a Data Breach Report 2024

Data Breaches: Crisis and Opportunity

InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat bot

Tags: IBM 2024 Data Breach Report

Oct 10 2024

This Hacker Toolkit Can Breach Any Air-Gapped System ā€“ Hereā€™s How It Works

Category: Data Breach,Security Breachdisc7 @ 11:47 am
This Hacker Toolkit Can Breach Any Air-Gapped System ā€“ Hereā€™s How It Works

The article discusses a newly developed hacker toolkit designed to compromise air-gapped systems, which are typically isolated from external networks for security purposes. This toolkit exploits electromagnetic waves and ultrasonic sound to covertly transmit data between air-gapped machines and attacker-controlled devices nearby, bypassing the lack of direct network connections.

The toolkit specifically targets vulnerabilities in hardware components, such as CPUs, which emit electromagnetic radiation during operation. Hackers can capture and manipulate these emissions to extract sensitive information like encryption keys and passwords without direct access to the system.

It also highlights how the toolkit leverages ultrasonic waves for data transmission. These inaudible sound waves can travel through the air to communicate with nearby devices, enabling a two-way exchange of information between an isolated system and the hacker’s equipment. This sophisticated method of attack can operate without needing to install traditional malware on the air-gapped machine.

The article emphasizes the significance of this emerging threat, as it poses risks to organizations that rely heavily on air-gapped systems for critical infrastructure protection. Even advanced security measures may not fully mitigate the risk from such unconventional attack vectors, underscoring the need for continuous adaptation in cybersecurity defenses.

For more details, visit Security Newspaper.

European govt air-gapped systems breached using custom malware

Mind The Gap: Can Air-Gaps Keep Your Private Data Secure?

The Black Box Hacker’s Toolkit: Techniques for Successful Pen Testing

InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat bot

Tags: Air-Gapped System, Hacker Toolkit

Sep 18 2024

Azure Storage Explorer: The Tool Hackers Use to Steal Your Data ā€“ Hereā€™s How!

Category: Cloud computing,Data Breachdisc7 @ 12:43 pm
Azure Storage Explorer: The Tool Hackers Use to Steal Your Data ā€“ Here’s How!

The article highlights how ransomware groups like BianLian and Rhysida are exploiting Microsoft Azure Storage Explorer for data exfiltration. Originally designed for managing Azure storage, this tool is now being repurposed by hackers to transfer stolen data to cloud storage. Attackers use Azure’s capabilities, such as AzCopy, to move large amounts of sensitive information. Security teams are advised to monitor logs for unusual activity, particularly around file transfers and Azure Blob storage connections, to detect and prevent such breaches.

For more details, visit Security Newspaper.

How to implement Principle of Least Privilege(Cloud Security) in AWS, Azure, and GCP cloud

Azure Storage Background

To understand the implications of using Azure Storage Explorer for data exfiltration, it is essential to grasp the basics of Azure Blob Storage. It consists of three key resources:

  1. Storage Account: The overarching entity that provides a namespace for your data.
  2. Container: A logical grouping within the storage account that holds your blobs.
  3. Blob: The actual data object stored within a container.

This structure is similar to storage systems used by other public cloud providers, like Amazon S3 and Google Cloud Storage.

AzCopy Logging and Analysis ā€“ The Key to Detecting Data Theft

Azure Storage Explorer uses AzCopy, a command-line tool, to handle data transfers. It generates detailed logs during these transfers, offering a crucial avenue for incident responders to identify data exfiltration attempts.

By default, Azure Storage Explorer and AzCopy use the ā€œINFOā€ logging level, which captures key events such as file uploads, downloads, and copies. The log entries can include:

  • UPLOADSUCCESSFUL and UPLOADFAILED: Indicate the outcome of file upload operations.
  • DOWNLOADSUCCESSFUL and DOWNLOADFAILED: Reveal details of files brought into the network from Azure.
  • COPYSUCCESSFUL and COPYFAILED: Show copying activities across different storage accounts.

The logs are stored in the .azcopy directory within the userā€™s profile, offering a valuable resource for forensic analysis.

Logging Settings and Investigation Challenges

Azure Storage Explorer provides a ā€œLogout on Exitā€ setting, which is disabled by default. This default setting retains any valid Azure Storage sessions when the application is reopened, potentially allowing threat actors to continue their activities even after initial investigations.

At the end of the AzCopy log file, investigators can find a summary of job activities, providing an overview of the entire data transfer operation. This final summary can be instrumental in understanding the scope of data exfiltration carried out by the attackers.

Indicators of Compromise (IOCs)

Detecting the use of Azure Storage Explorer by threat actors involves recognizing certain Indicators of Compromise (IOCs) on the system. The following paths and files may suggest the presence of data exfiltration activities:

  • File Paths:
    • %USERPROFILE%\AppData\Local\Programs\Microsoft Azure Storage Explorer
    • C:\Program Files\Microsoft Azure Storage Explorer
  • Executables:
    • StorageExplorer.exe
    • azcopy_windows_amd64.exe
  • AzCopy Log File Location:
    • %USERPROFILE%\.azcopy
  • Network Indicator:
    • .blob.core.windows.net
Azure Storage Explorer ā€“ The Tool for Data Theft

Data Engineering on Azure

InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat bot

Tags: Azure data, Azure Hacking, Azure Storage Explorer

Jun 05 2024

Unauthorized AI is eating your company data, thanks to your employees

Category: AI,Data Breach,data securitydisc7 @ 8:09 am
https://www.csoonline.com/article/2138447/unauthorized-ai-is-eating-your-company-data-thanks-to-your-employees.html

Legal documents, HR data, source code, and other sensitive corporate information is being fed into unlicensed, publicly available AIs at a swift rate, leaving IT leaders with a mounting shadow AI mess.

Employees at many organizations are engaging in widespread use of unauthorized AI models behind the backs of their CIOs and CISOs, according to a recent study.

Employees are sharing company legal documents, source code, and employee information with unlicensed, non-corporate versions of AIs, including ChatGPT and Google Gemini, potentially leading to major headaches for CIOs and other IT leaders, according to research from Cyberhaven Labs.

About 74% of the ChatGPT use at work is through non-corporate accounts, potentially giving the AI the ability to use or train on that data, says the CyberhavenĀ Q2 2024 AIĀ Adoption and Risk Report, based on actual AI usage patterns of 3 million workers. More than 94% of workplace use of Google AIs Gemini and Bard are from non-corporate accounts, the study reveals.

Nearly 83% of all legal documents shared with AI tools go through non-corporate accounts, the report adds, while about half of all source code, R&D materials, and HR and employee records go into unauthorized AIs.

The amount of data put into all AI tools saw nearly a five-fold increase between March 2023 and March 2024, according to the report. ā€œEnd users are adopting new AI tools faster than IT can keep up, fueling continued growth in ā€˜shadow AI,ā€™ā€ the report adds.

Where does the data go?

At the same time, many users may not know what happens to their companiesā€™ data once they share it with an unlicensed AI. ChatGPTā€™s terms of use, for example, say the ownership of the content entered remains with the users. However, ChatGPT may use that content to provide, maintain, develop, and improve its services, meaning it could train itself using shared employee records. Users can opt out of ChatGPT training itself on their data.

So far, there have been no high-profile reports about major company secrets spilled by large public AIs, but security experts worry about what happens to company data once an AI ingests it. On May 28,Ā OpenAI announcedĀ a new Safety and Security Committee to address concerns.

Itā€™s difficult to assess the risk of sharing confidential or sensitive information with publicly available AIs, says Brian Vecci, field CTO at Varonis, a cloud security firm. It seems unlikely that companies like Google or ChatGPT developer OpenAI will allow their AIs to leak sensitive business data to the public, given the headaches such disclosures would cause them, he says.

Still, there arenā€™t many rules governing what AI developers can do with the data users provide them, some security experts note. Many more AI models will be rolled out in the coming years, Vecci says.

ā€œWhen we get outside of the realm of OpenAI and Google, there are going to be other tools that pop up,ā€ he says. ā€œThere are going to be AI tools out there that will do something interesting but are not controlled by OpenAI or Google, which presumably have much more incentive to be held accountable and treat data with care.ā€

The coming wave of second- and third-tier AI developers may be fronts for hacking groups, may see profit in selling confidential company information, or may lack the cybersecurity protections that the big players have, Vecci says.

ā€œThereā€™s some version of an LLM tool thatā€™s similar to ChatGPT and is free and fast and controlled by who knows who,ā€ he says. ā€œYour employees are using it, and theyā€™re forking over source code and financial statements, and that could be a much higher risk.ā€

Risky behavior

Sharing company or customer data with any unauthorized AI creates risk, regardless of whether the AI model trains on that data or shares it with other users, because that information now exists outside company walls, adds Pranava Adduri, CEO of Bedrock Security.

Adduri recommends organizations sign licensed deals, containing data use restrictions, with AI vendors so that employees can experiment with AI.

ā€œThe problem boils down to the inability to control,ā€ he says. ā€œIf the data is getting shipped off to a system where you donā€™t have that direct control, usually the risk is managed through legal contracts and legal agreements.ā€

AvePoint, a cloud data management company, has signed an AI contract to head off the use of shadow AI, says Dana Simberkoff, chief risk, privacy, and information security officer at the company. AvePoint thoroughly reviewed the licensing terms, including the data use restrictions, before signing.

A major problem with shadow AI is that users donā€™t read the privacy policy or terms of use before shoveling company data into unauthorized tools, she says.

ā€œWhere that data goes, how itā€™s being stored, and what it may be used for in the future is still not very transparent,ā€ she says. ā€œWhat most everyday business users donā€™t necessarily understand is that these open AI technologies, the ones from a whole host of different companies that you can use in your browser, actually feed themselves off of the data that theyā€™re ingesting.ā€

Training and security

AvePoint has tried to discourage employees from using unauthorized AI tools through a comprehensive education program, through strict access controls on sensitive data, and through other cybersecurity protections preventing the sharing of data. AvePoint has also created an AI acceptable use policy, Simberkoff says.

Employee education focuses on common employee practices like granting wide access to a sensitive document. Even if an employee only notifies three coworkers that they can review the document, allowing general access can enable an AI to ingest the data.

ā€œAI solutions are like this voracious, hungry beast that will take in anything that they can,ā€ she says.

Using AI, even officially licensed ones, means organizations need to have good data management practices in place, Simberkoff adds. An organizationā€™s access controls need to limit employees from seeing sensitive information not necessary for them to do their jobs, she says, and longstanding security and privacy best practices still apply in the age of AI.

Rolling out an AI, with its constant ingestion of data, is a stress test of a companyā€™s security and privacy plans, she says.

ā€œThis has become my mantra: AI is either the best friend or the worst enemy of a security or privacy officer,ā€ she adds. ā€œIt really does drive home everything that has been a best practice for 20 years.ā€

Simberkoff has worked with several AvePoint customers that backed away from AI projects because they didnā€™t have basic controls such as an acceptable use policy in place.

ā€œThey didnā€™t understand the consequences of what they were doing until they actually had something bad happen,ā€ she says. ā€œIf I were to give one really important piece of advice itā€™s that itā€™s okay to pause. Thereā€™s a lot of pressure on companies to deploy AI quickly.ā€

Credit: Moon Safari / Shutterstock

Artificial Intelligence for CybersecurityĀ 

ChatGPT for Cybersecurity Cookbook: Learn practical generative AI recipes to supercharge your cybersecurity skills

InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat bot

Tags: Artificial Intelligence for Cybersecurity, ChatGPT for Cybersecurity

May 03 2024

2024 Data Breach Investigations Report: Most breaches involve a non-malicious human element

Category: Data Breachdisc7 @ 7:19 am
2024 Data Breach Investigations Report: Most breaches involve a non-malicious human element

This spike was driven primarily by the increasing frequency of attacks targeting vulnerabilities on unpatched systems and devices (zero-day vulnerabilities) by ransomware actors. TheĀ MOVEit software breachĀ was one of the largest drivers of these cyberattacks, first in the education sector and later spreading to finance and insurance industries.

ā€œThe exploitation of zero-day vulnerabilities by ransomware actors remains a persistent threat to safeguarding enterprises,ā€ saidĀ Chris Novak, Sr. Director of Cybersecurity Consulting, Verizon Business.

In a possible relief to some anxieties, the rise of AI was less of a culprit vs challenges in large-scaleĀ vulnerability management. ā€œWhile the adoption of artificial intelligence to gain access to valuable corporate assets is a concern on the horizon, a failure to patch basic vulnerabilities has threat actors not needing to advance their approach,ā€ Novak said.

Analysis of the CISA Known Exploited Vulnerabilities (KEV) catalog revealed that on average it takes organizations 55 days to remediate 50% of critical vulnerabilities following the availability of patches. Meanwhile, the median time for detecting the mass exploitations of the CISA KEV on the internet is five days.

ā€œThis yearā€™s DBIR findings reflect the evolving landscape that todayā€™s CISOā€™s must navigate ā€“ balancing the need to address vulnerabilities quicker than ever before while investing in the continued employee education as it relates to ransomware and cybersecurity hygiene,ā€ saidĀ Craig Robinson, Research VP, Security Services at IDC. ā€œThe breadth and depth of the incidents examined in this report provides a window into how breaches are occurring, and despite the low-level of complexity are still proving to be incredibly costly for enterprises.ā€

Last year, 15% of breaches involved a third party, including data custodians, third-party software vulnerabilities, and other direct or indirect supply chain issues. This metricā€”new for the 2024 DBIR ā€” shows a 68% increase from the previous period described in the 2023 DBIR.

The human factor remains the primary entry point for cybercriminals

68% of breaches, whether they include a third party or not, involve a non-malicious human element, which refers to a person making an error or falling prey to aĀ social engineeringĀ attack. This percentage is about the same as last year. One potential countervailing force is the improvement of reporting practices: 20% of users identified and reported phishing in simulation engagements, and 11% of users who clicked the email also reported it.

ā€œThe persistence of the human element in breaches shows that there is still plenty of room for improvement with regard to cybersecurity training, but the increase in self-reporting indicates a culture change that destigmatizes human error and may serve to shine a light on the importance of cybersecurity awareness among the general workforce,ā€ Novak added.

Other key findings from this yearā€™s report include:

  • 32% of all breaches involved some type of extortion technique, including ransomware
  • Over the past two years, roughly a quarter (between 24% and 25%) of financially motivated incidents involved pretexting
  • Over the past 10 years, the Use of stolen credentials has appeared in almost one-third (31%) of all breaches
  • Half of the reaches in EMEA are internal
  • Espionage attacks continue to dominate in APAC region

ā€œThe Verizon 2024 Data Breach Investigations Report shows itā€™s the still the basics security errors putting organizations at risk, such as long windows between discovering and patching vulnerabilities, and employees being inadequately trained to identify scams. This needs to change as a priority because no business can afford to gamble or take chances with cyber hygiene. Just look at Change Healthcare, the breach was executed via an unsecured employee credential and the organization is now facing over a billion in losses. No other organisation wants to find itself in this position,ā€Ā William Wright, CEO of Closed Door Security, told Help Net Security.

Big Breaches: Cybersecurity Lessons for Everyone

InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat bot

Tags: 2024 DBIR, data breaches, Verizon data breach report

Mar 26 2024

Eliminating SQL Injection Vulnerabilities in Software

Category: Data Breach,data security,Information Securitydisc7 @ 8:37 am

Eliminating SQL Injection Vulnerabilities in Software

Eliminating-SQL-Injection-VulnerabilitiesDownload

SQL Injection Strategies: Practical techniques to secure old vulnerabilities against modern attacks

InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO Directory

Tags: SQL Injection Vulnerabilities

Mar 20 2024

Data Breaches and Cyber Attacks in the USA in February 2024 ā€“ 621,095,066 Records Breached

Category: Data Breachdisc7 @ 7:16 am
https://www.itgovernanceusa.com/blog/data-breaches-and-cyber-attacks-in-the-usa-in-february-2024-621095066-records-breached?

Data Breaches and Cyber Attacks in the USA in February 2024 ā€“ 621,095,066 Records Breached

Ā Kyna KoslingĀ Ā March 14, 2024

IT Governance USAā€™s research found the following for February 2024:

  • 322Ā publicly disclosed security incidents (45% of all incidentsĀ globally)
  • 621,095,066 records known to be breached

This month, globally, 719,366,482 records were known to be breached ā€“ 86% of them were in the USA.

This is unusual. Typically, the USA suffers more incidents than any other country, but these tend to lead to a disproportionately low number of records breached.

This month is different due to two outlier breaches:

  1. Zenlayerā€™s publicly exposed database, which contained 384,658,212 records
  2. Pure Incubation Ventures, which allegedly* had 183,754,481 records go up for sale

*The threat actor provided 100,000 records as a sample.

Free PDF download: Data Breach Dashboard

For a quick, one-page overview of this monthā€™s findings, please use ourĀ Data Breach Dashboard:

Data Breaches and Cyber Attacks in the USA in February 2024 ā€“ 621,095,066 Records Breached

 Kyna Kosling  March 14, 2024

IT Governance USAā€™s research found the following for February 2024:

  • 322 publicly disclosed security incidents (45% of all incidents globally)
  • 621,095,066 records known to be breached

This month, globally, 719,366,482 records were known to be breached ā€“ 86% of them were in the USA.

This is unusual. Typically, the USA suffers more incidents than any other country, but these tend to lead to a disproportionately low number of records breached.

This month is different due to two outlier breaches:

  1. Zenlayerā€™s publicly exposed database, which contained 384,658,212 records
  2. Pure Incubation Ventures, which allegedly* had 183,754,481 records go up for sale

*The threat actor provided 100,000 records as a sample.

Free PDF download: Data Breach Dashboard

For a quick, one-page overview of this monthā€™s findings, please use our Data Breach Dashboard:

You can also download this and previous monthsā€™ Dashboards as free PDFsĀ here.

This blog provides further analysis of the data weā€™ve collected. We also provide an annual overview and analyze the longer-term trends in ourĀ 2024 overviewĀ of publicly disclosed data breaches and cyber attacks in the USA.

You can learn more about our research methodologyĀ here.

Note 1: Where ā€˜around,ā€™ ā€˜about,ā€™ etc. is reported, we record the rounded number. Where ā€˜more than,ā€™ ā€˜at least,ā€™ etc. is reported, we record the rounded number plus one. Where ā€˜up to,ā€™ etc. is reported, we record the rounded number minus one.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we canā€™t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.

Big Breaches: Cybersecurity Lessons for EveryoneĀ 

InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO Directory

Tags: Cyber Attacks in the USA

Mar 05 2024

ARE YOU AFFECTED? AMERICAN EXPRESS CREDIT CARDS COMPROMISED IN MASSIVE DATA LEAK

Category: Data Breach,pci dssdisc7 @ 7:26 am
Are You Affected? American Express Credit Cards Compromised in Massive Data Leak

In a recent unsettling development, American Express has confirmed that sensitive information related to its credit cards has been compromised due to a data breach at a third-party service provider. This incident has raised serious concerns about the security of financial data and the implications for customers worldwide.

THE BREACH EXPLAINED

The breach was reportedly executed by a third-party merchant processor, which inadvertently allowed the sensitive information ofĀ American ExpressĀ cardholders to leak onto the dark web. This exposed data includes American Express Card account numbers, expiration dates, and possibly other personal information, putting customers at risk of fraud and identity theft.

American Express has been proactive in addressing the situation, notifying affected customers and urging them to remain vigilant for signs of unauthorized activity on their accounts. Despite the breach, American Express has emphasized that its own systems were not compromised, pointing to the external nature of the security lapse.

IMPACT ON CUSTOMERS

The exposure of credit card details in a third-party data breach is a stark reminder of the vulnerabilities that exist within the digital financial ecosystem. For customers, this incident underscores the importance of monitoring their financial statements regularly and reporting any suspicious transactions immediately.

Hackers leak banking details of American Express, Santander and Citibanamex customers. Account holders in Mexico must contact their bank and get new payment cards

American Express has assured its customers that it is taking the necessary steps to mitigate the impact of the breach. This includes offering free credit monitoring services to affected individuals to help protect their financial information from further misuse.

INDUSTRY-WIDE CONCERNS

This incident is not isolated, as data breaches involving third-party service providers have become increasingly common. The reliance on external vendors for processing financial transactions and handling sensitive data introduces additional risks that companies must manage. It highlights the need for stringent security measures and continuous vigilance to protect against cyber threats.

MOVING FORWARD

In response to the breach, American Express and other financial institutions are likely to reassess their relationships with third-party vendors and enhance their security protocols to prevent similar incidents in the future. This may involve more rigorous vetting processes, the implementation of advanced cybersecurity technologies, and closer collaboration between companies and their service providers to ensure the highest standards of data protection.

For customers, the breach serves as a critical reminder of the need to be proactive in safeguarding their personal and financial information. This includes using strong, unique passwords for online accounts, enabling two-factor authentication where available, and being cautious of phishing attempts and other online scams.

The exposure of American Express credit card details in a third-party data breach is a concerning event that highlights the ongoing challenges in securing financial data. As the digital landscape evolves, so too do the tactics of cybercriminals, making it imperative for both companies and consumers to remain vigilant and proactive in their cybersecurity efforts. American Expressā€™s commitment to addressing the breach and supporting its customers is a positive step, but it also serves as a call to action for the industry to strengthen its defenses against future threats.

Big Breaches: Cybersecurity Lessons for Everyone

InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO Directory

Tags: CREDIT CARDS COMPROMISED

Jan 12 2024

Framework discloses data breach after accountant gets phished

Category: Data Breach,Phishingdisc7 @ 10:21 am

https://www.bleepingcomputer.com/news/security/framework-discloses-data-breach-after-accountant-gets-phished/

Framework Computer disclosed a data breach exposing the personal information of an undisclosed number of customers after Keating Consulting Group, its accounting service provider, fell victim to a phishing attack.

The California-based manufacturer of upgradeable and modular laptops says a Keating Consulting accountant was tricked on January 11 by a threat actor impersonating Framework’s CEO into sharing a spreadsheet containing customers’ personally identifiable information (PII) “associated with outstanding balances for Framework purchases.”

“On January 9th, at 4:27am PST, the attacker sent an email to the accountant impersonating our CEO asking for Accounts Receivable information pertaining to outstanding balances for Framework purchases,” the company says inĀ data breach notification lettersĀ sent to affected individuals.

“On January 11th at 8:13am PST, the accountant responded to the attacker and provided a spreadsheet with the following information: Full Name, Email Address, Balance Owed.

“Note that this list was primarily of a subset of open pre-orders, but some completed past orders with pending accounting syncs were also included in this list.”

Framework says its Head of Finance notified Keating Consulting’s leadership of the attack once he became aware of the breach roughly 29 minutes after the external accountant replied to the attacker’s emails at 8:42 AM PST on January 11th.

As part of a subsequent investigation, the company identified all customers whose information was exposed in the attack and notified them of the incident via email.

Affected customers warned of phishing risks

Since the exposed data includes the names of customers, their email addresses, and their outstanding balances, it could potentially be used in phishing attacks that impersonate the company to request payment information or redirect to malicious websites designed to gather even more sensitive information from those impacted.

The company added that it only sends emails from ‘support@frame.work’ asking customers to update their information when a payment has failed and it never asks for payment information via email. Customers are urged to contact the company’s support team about any suspicious emails they receive.

Framework says that from now on, all Keating Consulting employees with access to Framework customer information will be required to have mandatory phishing and social engineering attack training.

“We are also auditing their standard operating procedures around information requests,” the company added.

“We are additionally auditing the trainings and standard operating procedures of all other accounting and finance consultants who currently or previously have had access to customer information.”

A Framework spokesperson was not immediately availableĀ for comment when BleepingComputer asked about the number of affected customers in the data breach.

Big Breaches: Cybersecurity Lessons for EveryoneĀ 

InfoSec toolsĀ |Ā InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO Directory

Tags: data breach

Sep 18 2023

FBI HACKER USDOD LEAKS HIGHLY SENSITIVE TRANSUNION DATA

Category: Data Breach,data security,Hackingdisc7 @ 11:36 am
FBI hacker USDoD leaks highly sensitive TransUnion data

Researchers fromĀ vx-undergroundĀ reported that FBI hackerĀ ā€˜USDoDā€˜ leaked sensitive data from consumer credit reporting agency TransUnion.

TransUnionĀ is an AmericanĀ consumer credit reporting agency. TransUnion collects and aggregates information on over one billion individual consumers in over thirty countries, including ā€œ200 million files profiling nearly every credit-active consumer in the United Statesā€.

A threat actor who goes by the moniker ā€œUSDoDā€ announced the leak of highly sensitive data allegedly stolen from the credit reporting agency. The leaked database, over 3GB in size, contains sensitive PII of about 58,505 people, all across the globe, including the America and Europe

According to researchersĀ vx-undergroundĀ who reported the leak, the archive contains data that dates back to March 2nd, 2022, which could be the data of the data breach.

This leaked database has information on individuals all across the globe including the Americas (North and South), as well as Europe

vx-undergroundĀ states that leaked data includes individual first name, last name, Internal TransUnion identifiers, sex, passport information, place of birth, date of birth, civil status, age, current employer, information on their employer, a summary of financial transactions, credit score, loans in their name, remaining balances on the loans, where they got the loan from, when TransUnion first began monitoring their information.

The name USDoD is well known in the cyber security sector, it was also listed in the indictment for the notorious owner of the BreachForums cybercrime forumĀ Pompompurin.Ā vx-undergroundĀ pointed out that they are believed to be behind many other high-profile security breaches.

Recently, The multinationalĀ aerospaceĀ corporation AirbusĀ announced that it is investigating a data leakĀ after cybersecurity firm Hudson Rock reported that a hacker posted information on thousands of the companyā€™s vendors to the dark web.

ā€œUSDoDā€ announced he had gained access to an Airbus web portal by compromising the account of a Turkish airline employee.

The hacker claimed to have details on thousands of Airbus vendors. The threat actors obtained the personal information of 3,200 individuals associated with Airbus vendors, exposed data include names, job titles, addresses, email addresses, and phone numbers. 

In December 2022, the FBIā€™s InfraGard US Critical Infrastructure Intelligence portalĀ was hackedĀ and a database containing the contact details of more than 80,000 high-profile private sector individuals was offered for sale by USDoD on the Breached cybercrime forum.

After the law enforcement shutdown of ā€œBreachedā€ forum, its members, including ā€œUSDoD,ā€ moved to other platforms such as ā€œBreachForums.ā€

ā€œUSDoDā€ posted two threads on this new forum, one to announce they have joined the notorious ransomware group Ransomed. In the second threat, the hacker exposed the personal information of 3,200 sensitive Airbus vendors. USDoD also warned that Lockheed Martin and Raytheon might be the next targets.

ā€œThreat actors typically refrain from revealing their intrusion techniques, however in this exceptionally rare leak, ā€œUSDoDā€ revealed they gained access to Airbusā€™s data by exploitingĀ ā€œemployee access from a Turkish Airlineā€.ā€Ā reported Hudson Rock. ā€œUsing this information, Hudson Rock researchers succeeded to trace the mentioned employee access ā€” a Turkish computer infected with an info-stealing malware in August 2023.ā€

According to the researchers, the computer of the victim was likely infected with theĀ RedLine stealerĀ after he attempted to download a pirated version of the Microsoft .NET framework.

A Business Guide for Protecting Sensitive Information

InfoSec toolsĀ |Ā InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO Directory

Tags: SENSITIVE TRANSUNION DATA

Sep 18 2023

Microsoft AI researchers accidentally exposed terabytes of internal sensitive data

Category: AI,Data Breachdisc7 @ 8:46 am

Researchers find a GitHub repository belonging to Microsoft’s AI research unit that exposed 38TB of sensitive data, including secret keys and Teams chat logs ā€” Microsoft AI researchers accidentally exposed tens of terabytes of sensitive data, including private keys and passwords ā€¦

Microsoft AI researchers accidentally exposed terabytes of internal sensitive data

Aug 18 2023

What Are Your Data Breach Notification Requirements?

Category: Data Breachdisc7 @ 9:47 am
What Are Your Data Breach Notification Requirements?

Data breach notification requirements are complex in the US, with various federal and state laws containing different requirements for when security incidents must be disclosed.

Some even have substantially different definitions for what a ā€˜data breachā€™ or ā€˜personal dataā€™ is.

As such, it can be hard to know whether you need to report an incident, let alone how you should go about it.

We address these issues in this blog, bringing some much-needed clarity to the subject.

State laws on data breach notification

There is no single set of data protection laws in the U.S., with the rules instead comprised of a patchwork of industry-specific federal laws and state legislation.

To complicate matters further, several states have created new laws in recent years to bolster data protection requirements. For instance, New York has created the SHIELD Act, while Colorado and California have both created data privacy legislation.

Elsewhere, the U.S. government is attempting to unify data protection requirements with its National Cybersecurity Strategy.

The decision to revise data protection laws follows the introduction of the EU GDPR (General Data Protection Regulation) in 2018, which radically shifted organizationsā€™ requirements.

Organizations in the U.S. that process EU residentsā€™ personal data are required to comply with the GDPR, and those that conduct business across state lines will face similar compliance challenges.

You can find aĀ summary of each stateā€™s federal data breach notification lawsĀ on our website, along with links to the texts themselves.

The GDPR is particularly important here, because many organizations in the U.S. assume that it only applies in the EU. However, its requirements apply to any organization that processes EU residentsā€™ personal data, which is particularly common for organizations that have an online presence.

GDPR compliance is also helpful for managing patchwork of U.S. data protection legislations. Its requirements are far stricter than any domestic laws, so achieving GDPR compliance will cover you for a range of other requirements.

You can learn more about the GDPR and the ways it can help you meet your data protection requirements by reading General Data Protection Regulation (GDPR) ā€“ A compliance guide for the US.

This free guide explains how and when the GDPR applies in the U.S. and the steps you can take to ensure your organization meets its transatlantic data processing practices.

Youā€™ll also learn about the Regulationā€™s core principles and data subject rights, and the benefits of GDPR compliance.

We also provide tips on how to write your data privacy notice and give you tips on how to further your understanding of its compliance requirements.

Download now

Data Privacy Solutions

CISSP training course

InfoSec toolsĀ |Ā InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blog

Tags: CPRA, Data Breach Notification Requirements, Data Privacy Solutions, gdpr, hipaa

May 29 2023

WANT TO OWN A TESLA OR ALREADY OWN ONE, CHECK THIS MASSIVE CONFIDENTIAL DATA BREACH OF TESLA

Category: Data BreachDISC @ 10:43 am
Want to own a tesla or already own one, check this massive confidential data breach of Tesla

The research that was published in the German daily Handelsblatt said that customers of Tesla Inc. lodged over 2,400 complaints about difficulties with self-acceleration and 1,500 complaints regarding issues with brakes between the years of 2015 and March 2022.

According to reports, a big data dump that was based on a whistleblowerā€™s breach of internal Tesla papers suggests that problems with Teslaā€™s autonomous driving system may be considerably more frequent than authorities and the media have suggested. This was discovered after the whistleblower gained unauthorized access to internal Tesla documents.

According to information that was taken from Teslaā€™s information technology (IT) system, complaints against these Full Self Driving (FSD) capabilities originated from all over the globe, including the United States of America, Europe, and Asia.

Particularly, in an article titled ā€œMy autopilot almost killed me,ā€ Handelsblatt reported receiving 100 terabytes of data and 23,000 files. Within those files were 3,000 entries highlighting consumersā€™ safety concerns and tales of more than 1,000 crashes.

The publisher included a note stating that the data includes the phone numbers of customers.

According to the hundreds of clients that Handelsblatt is claimed to have contacted, the fears were quite serious.

According to one man from Michigan, his Tesla ā€œsuddenly braked hard, as hard as you can imagine.ā€ When I was ordered to fasten my seatbelt, the vehicle was on the verge of coming to a complete halt. I was then struck by a second car.

The files were shown to the Fraunhofer Institute for Secure Information Technology by Handelsblatt. The institute concluded that there is no reason to presume that ā€œthe data set does not come from IT systems belonging to or in the environment of Tesla.ā€

Employees are instructed that, unless lawyers are involved, they should not deliver written comments but rather should convey them ā€œVERBALLY to the customer.ā€ Unless attorneys are involved, written critiques should not be given.

The post quotes the instructions as saying, ā€œDo not copy and paste the report below into an email, text message, or leave it in a voicemail to the customer,ā€ and it is clear that this is a requirement.

An report featured a doctor from California who said that her Tesla accelerated on its own in the autumn of 2021 and smashed into two concrete pillars. She noted that the company never sent emails and that everything was always communicated verbally.

According to the attorneys for Tesla, the news organization is required to provide a copy of the data to Tesla, and all other copies of the data must be destroyed. The attorneys for Tesla also warned legal action ā€œfor the theft of confidential and personal data.ā€

How to hack a Tesla Model X with a mini projector and drone

According to reports, the alleged papers would undoubtedly be important to current wrongful death lawsuits made against Tesla. These claims assert that the companyā€™s technology has significant safety faults. Additionally, they may compel local, state, and federal authorities to take action.

The stateā€™s data protection officer, Dagmar Hartge, recognized the seriousness of the allegations and pointed out that, should the allegations prove to be accurate, the data breach would have significant repercussions on a worldwide scale. The situation has been sent to privacy advocates in the Netherlands so that additional investigation might be conducted.

ā€œTesla takes the protection of its proprietary and confidential information, as well as the privacy of its employees and customers, very seriously.ā€ ā€œWe intend to initiate legal proceedings against this individual for his theft of Teslaā€™s confidential information and employeesā€™ personal data,ā€ Tesla stated in a response that was reported by the publication. The statement was made in reaction to the theft of sensitive information and personal data pertaining to Tesla employees.

The Chinese regulatory authorities have already started to take action. Approximately two weeks ago, Tesla was forced to provide an emergency software update for the majority of the automobiles it has sold in China as a direct result of problems with unexpected and sudden acceleration.

Since 2016, Musk has made many claims that his self-driving vehicles would be really autonomous, but he has not delivered on those claims.

Data Privacy: A runbook for engineers

InfoSec toolsĀ |Ā InfoSec servicesĀ |Ā InfoSec books

Tags: data privacy, TESLA, Tesla Remotely Hacked

May 08 2023

1M NextGen Patient Records Compromised in Data Breach

Category: Data Breach,hipaa,Ransomwaredisc7 @ 1:44 pm

BlackCat ransomware operators reportedly stole the sensitive data.

Source: Kristoffer Tripplaar via Alamy Stock Photo

https://www.darkreading.com/application-security/1m-nextgen-healthcare-patient-records-stolen-

A database containing the personal information of more than 1 million people was stolen from NextGen Healthcare, Inc., a provider of cloud-based healthcare technology.

NextGen Heathcare provided a disclosure to the Maine Attorney General’s office that said the breach occurred on March 29 and lasted through April 14. The compromise was discovered on April 24, the company reported.

The compromise occurred due to “unauthorized access to database stemming from use of stolen client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen,” the healthcare technology provider said.

Samples of NextGen’s stolen data reportedly popped up on ransomware operator BlackCat’s leak site, but were later removed without explanation.

NextGen’s disclosure indicated the databased contained “name or other personal identifier in combination with Social Security Number.”

NextGen had not responded to Dark Reading’s request for comment at the time of this post.

NextGen Breach Follow-on Attacks Likely

The NextGen breach poses a major threat to its victims, according to Tom Kellermann, senior vice president of cyber strategy at Contrast Security.

“This is a massive cybercrime which will result in widespread identity theft,” Kellermann said in a statement provided to Dark Reading. “Healthcare providers have long been preferred targets by cybercriminals who specialize in identity theft due to two reasons: First they have woeful inadequate cybersecurity and second, they store the most sensitive PII.”

In 2021, there were more data breaches of healthcare-related organizations than any other sector, accounting for 24% of all cybersecurity incidents, according to Steve Gwizdala, vice president of healthcare at ForgeRock.

“Vigilance and new ways of enhancing cybersecurity measures will be crucial to healthcare organizations and businesses responsible for protecting the personal information of consumers stored online ā€” across the entire supply chain,”Ā Gwizdala said in a statement.

Research Anthology on Securing Medical Systems and Records

  InfoSec tools | InfoSec services | InfoSec books

Tags: Patient Records Compromised

Apr 13 2023

AGAIN HYUNDAI AND TOYOTA LEAK CUSTOMER PERSONAL DATA

Category: Data Breach,data security,PIIDISC @ 8:22 am
One again Hyundai and Toyota leak customer personal data

Hackers were able to acquire access to individualsā€™ personal information after Hyundai announced a data breach that affected vehicle owners in Italy and France as well as those who had scheduled test drives with the automaker. According to Troy Hunt, the author of the website ā€œHaveIBeenPwned,ā€ the event has caused the personal data of clientsĀ Ā to become public.

The letter also makes it clear that the individual who hacked into Hyundaiā€™s database did not take any financial information or identifying numbers. It is unknown how many Hyundai customers have been impacted by this event, how long the network attack lasted, or what additional nations may be at risk. Customers of a South Korean automobile manufacturer are being cautioned to be wary of unsolicited e-mails and SMS messages that pretend to come from the company. These communications might be efforts at phishing or social engineering. In response to the incident, Hyundai claims it has enlisted the help of information technology specialists, who have taken the affected systems down while new security measures are put into place. In February of 2023, the business released emergency software patches for a number of car models that had been compromised by a simple hack with a USB cable, which had made it possible for criminals to take the vehicles.

How to hack any Hyundai, Toyota or Kia cars to steal them

On the other hand, the Japanese automaker Toyota has admitted that there may have been a breach of consumer data due to security flaws at its operations in Italy. Throughout the course of more than one and a half years, up until this past March, Toyota Italy carelessly disclosed confidential information. In particular, it divulged confidential information on its Salesforce Marketing Cloud and Mapbox APIs. Threat actors might utilize this information to their advantage to acquire access to the telephone numbers and email addresses of Toyota customers and then use those details to start phishing attacks on those customers. According to the findings of the research team at Cybernews, the organization exposed credentials to the Salesforce Marketing Cloud, which is a supplier of software and services related to digital marketing automation and analytics. Threat actors might get access to phone numbers and email addresses, as well as customer monitoring information, as well as the contents of email, SMS, and push-notification messages by abusing the data. Moreover, Toyota Italy exposed the application programming interface (API) tokens for the software business Mapbox. These tokens were used to access map data. Although while the data is not as sensitive as the credentials for the Salesforce Marketing Cloud, it is still possible for threat actors to misuse it in order to query a large number of queries and drive up Toyotaā€™s API use costs.

ToyotaĀ is not the only automaker that has lately put itself as well as its consumers in Italy in a vulnerable position. In January of this year, the Indian branch of Toyota Motor announced a data breach, claiming that it was possible that the personal information of some of its customers had been exposed.

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Hyundai, LEAK CUSTOMER PERSONAL DATA, Toyota

Mar 20 2023

NBA Cyber Incident ā€“ Fansā€™ Personal Information Exposed

Category: Data Breach,PII,Security BreachDISC @ 12:05 pm
NBA Cyber Incident – Fans’ Personal Information Exposed

As a result of a recent data breach, the NBA notified all its fans about the fact that a significant amount of personal information was compromised.

While using the information gathered, phishing attacks can be conducted by the threat actors on the individuals who have been affected. A third-party newsletter service was said to be holding the personal information exposed in the leak.

In addition to managing five professional sports leagues, the NBA also manages a media organization. And here below, we have listed those five sports leagues:-

  • NBA
  • WNBA
  • Basketball Africa League
  • NBA G League
  • NBA 2K League

In over 215 countries and territories worldwide, with over 50 languages spoken, NBA programming and games are broadcast worldwide.

NBA Cyber Incident

A number of fans have been notified of the cyber security incident through an email sent out with the tag ā€œNotice of Cybersecurity Incident.ā€

According to the NBA, neither its systems nor the credentials of the fans affected by the incident were compromised. But, some theft of the personal information belonged to some fans.

Further, the association reported that the names and email addresses were accessed and copied by an unauthorized third party. But, in this instance, sensitive information, such as usernames and passwords, was not exposed.

Apart from this, a third-party provider and an external cybersecurity service are being engaged by the NBA to assist in the investigation of the issue to know the extent of the impact and resolve the issue as soon as possible.

NBA warned fans of phishing attacks

NBA warned that phishing attacks and various scams could be targeted at the affected individuals due to the sensitive nature of the data involved, reported Bleeping Computer.

It was strongly recommended to the affected fans that they remain vigilant when they open any suspicious emails that they receive. In the notification emails, the NBA informs fans that it will never send them an email asking for any of this information:-

  • Other account information
  • Usernames
  • Passwords

It is also recommended for fans who have been impacted verify the authenticity of any emails they receive by ensuring that the senderā€™s email address ends with ā€œ@nba.com.ā€ 

Check that the embedded links point to a trustworthy website, and donā€™t open email attachments that they havenā€™t been expecting to receive.

NBA Cyber Incident

NBA warns fans over data breach, personal details copied

InfoSec ThreatsĀ |Ā InfoSec booksĀ |Ā InfoSec toolsĀ |Ā InfoSec services

Tags: NBA Cyber Incident

Mar 16 2023

Multiple threat actors exploited Progress Telerik bug to breach U.S. federal agency

Category: Data Breach,Security BreachDISC @ 9:00 am
Multiple threat actors exploited Progress Telerik bug to breach U.S. federal agency

Multiple threat actors exploited a critical flaw in Progress Telerik to breach an unnamed US federal agency, said the US government.

joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) revealed that multiple threat actors, including a nation-state actor, exploited a critical vulnerability in Progress Telerik to breach an unnamed US federal agency.

The three-year-old vulnerability, tracked asĀ CVE-2019-18935Ā (CVSS score: 9.8), is a .NET deserialization issue that resides in the Progress Telerik UI for ASP.NET AJAX. Exploitation can result in remote code execution.

ā€œCISA analysts determined that multiple cyber threat actors, including an Advanced Persistent Threat (APT) actor, exploited a .NET deserialization vulnerability in Progress Telerik user interface for ASP.NET AJAX. Exploitation of this vulnerability allowed malicious actors to successfully execute remote code on a federal civilian executive branch (FCEB) agencyā€™s Microsoft Internet Information Services (IIS) web server.ā€ reads theĀ advisory. ā€œActors were then able to upload malicious dynamic-link library (DLL) files (some masqueraded as portable network graphics [PNG] files) to the C:\Windows\Temp\ directory.ā€Ā 

Threat actors exploited the vulnerability to execute arbitrary code on a Microsoft Internet Information Services (IIS) web server used by a federal civilian executive branch (FCEB) agency.

In 2020 and 2021, this flaw was included by the US National Security Agency (NSA) in the list of the top 25 vulnerabilities exploited by Chinese state-sponsored hacking groups in attacks in the wild.

The flaw was alsoĀ usedĀ in the past by theĀ NetWalker ransomware gangĀ in its operations.

The joint alert recommends network defenders review the Malware Analysis Report,Ā MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server, to reference CISAā€™s analysis for the identified malicious files.

According to the MAR, CISA received 18 files for analysis from a forensic analysis engagement conducted at a Federal Civilian Executive Branch (FCEB) agency. Experts reported that 11 of the dynamic link library (DLL) files employed in the attack allows threat actors to read, create, and delete files on the target systems.

ā€œIf the DLL contains a hardcoded Internet Protocol (IP) address, status messages will be sent to the IP. One DLL file will attempt to collect the target systemā€™s Transmission Control Protocol (TCP) connection table, and exfiltrate it to a remote Command and Control server (C2).ā€ reads the MAR. ā€œFive of the files drop and decode a reverse shell utility that can send and receive data and commands. In addition, the files drop and decode an Active Server Pages (ASPX) webshell. Two DLL files are capable of loading and executing payloads.ā€

US CISA has also provided Indicators of Compromise (IOCs) and YARA rules for detection in the Malware Analysis Report (MAR).

CISA Known Exploited Vulnerabilities Catalog Progress Telerik bug

Tags: Telerik bug, U.S. federal agency

Mar 10 2023

US Lawmakers Face Cyberattacks, Potential Physical Harm After DC Health Link Breach

Category: Cyber Attack,Data Breach,Information Security,Security BreachDISC @ 12:24 pm

The threat actor who posted the data for sale has claimed credit for multiple other breaches, including one at grocery platform Weee! that exposed data on more than 1.1 million customers.

Jai VijayanContributing Writer, Dark Reading

US House of Representatives seal
Source: Ron Adar via Shutterstock

Hundreds of US lawmakers and their families are at risk of identity theft, financial scams, and potentially even physical threats after a known info-theft threat actor called IntelBroker made House of Representatives members’ personally identifiable information (PII) available for sale on the “Breached” criminal forum.

The information, confirmed as being obtained via a breach at health insurance marketplace DC Health Link, includes names, Social Security numbers, birth dates, addresses, and other sensitive identifying information. The data on the House members was part of a larger data set of PII belonging to more than 170,000 individuals enrolled with DC Health Link that the threat actor put up for sale this week.

DC Health Link: A Significant Breach

In a March 8 email to members of the House and their staff, US House Chief Administrative Officer Catherine Szpindor said the attack on DC Health Link does not appear to have specifically targeted US lawmakers. But the breach was significant and potentially exposed PII on thousands of people enrolled with DC Health Link.

“The FBI also informed us that they were able to purchase this PII, along with other enrollee information, on the Dark Web,” Speaker of the House Kevin McCarthy (R-Calif.) and House Minority Leader Hakeem Jeffries (D-N.Y.) said in a joint letter to the executive director at DC Health Link on March 8. The letter sought specifics from the health exchange on the breach, including details on the full scope of the attack and DC Health Link’s plans to notify affected individuals and offer credit monitoring services for them.

Despite the letter, details of the intrusion at DC Health Link are not yet available. The organization, governed by an executive board appointed by the DC mayor, did not immediately respond to a request for comment on the incident.

A report in BleepingComputer this week first identified the threat actor as the appropriately named IntelBroker, after the cybercriminals put the stolen data up for sale on March 6. According to the underground forum ad, the data set is available for “an undisclosed amount in Monero cryptocurrency.” Interested parties are asked to contact the sellers via a middleman for details.

IntelBroker’s Resume of Previous Breaches

This is not the first big heist for the group: A threat actor, using the same moniker in February, had claimed credit for a breach at Weee!, an Asian and Hispanic food delivery service. IntelBroker later leaked some 1.1 million unique email addresses and detailed information on over 11.3 million orders placed via the service. 

Security vendor BitDefender, which covered the incident in its blog at the time, published an ad that IntelBroker placed on BreachedForums that showed the attacker boasting about obtaining full names, email addresses, phone number, and even order notes which included apartment and building access codes.

Meanwhile, Chris Strand, chief risk and compliance officer at Cybersixgill says his company has been tracking IntelBroker since 2022 and is about to release a report on the actor. “IntelBroker is a highly active Breached member with an 9/10 reputation score, who claimed in the past to be the developer of Endurance ransomware,” Strand says.

IntelBroker’s use of Breached to sell the health exchange PII, instead of a dedicated leak site or a Telegram channel, is consistent with the threat actor’s previous tactics. It suggests either a lack of resources or inexperience on the individual’s part, Strand says. 

“In addition to IntelBroker’s presence on Breached, the threat actor has maintained a public GitHub repository titled Endurance-Wiper,” he tells Dark Reading.

In November, IntelBroker claimed that it used Endurance to steal data from high level US government agencies, Strand notes. The threat actor has in total made some 13 claims about breaching top US government agencies, likely to attract customers to a ransomware-as-a-service (RaaS) program. Other organizations that IntelBroker claims to have broken into include Volvo, cult footwear maker Dr. Martens, and an Indonesian subsidiary of The Body Shop.

“Our intelligence analysts have been tracking IntelBroker since 2022, and we have been collecting intel attributed to that threat actor since then, as well as associated threats that have been related or attributed to IntelBroker,” Strand says.

Is House Members’ PII a National Security Threat?

Justin Fier, senior vice president of red team operations at Darktrace, says the threat actor’s reason for putting the data up for sale appears to be purely financially motivated rather than political. And given the high profile of the victims, IntelBroker may find that the attention the breach is garnering will increase the value of the stolen data (or bring more heat than it would like).

The buyers might be another story. Given the availability of physical addresses and electronic contact information, the kinds of potential follow-on attacks are myriad, ranging from social engineering for identity theft or espionage, to physical targeting, meaning that interested parties could run the gamut in terms of motivation.

“The amount tells you a great deal about who they may be thinking of in terms of buyers,” he says. If all that the threat actor ends up asking is a couple of thousand dollars, they are likely to be a smaller criminal enterprise. But “you start talking millions, they are clearly then catering to nation-state buyers,” he says.

Fier assesses that the data that the threat actor stole on US House members as potentially posing a national security issue. “We shouldn’t only think external nation-states that might want to purchase this,” Fier says. “Who is to say that other political parties and/or activists couldn’t weaponize it?”

https://www.darkreading.com/application-security/us-lawmakers-cyberattacks-physical-harm-dc-health-link-breach

Previous posts on Cyber Attacks

InfoSec ThreatsĀ |Ā InfoSec booksĀ |Ā InfoSec toolsĀ |Ā InfoSec services

Tags: Cyberattacks, US Lawmakers

Next Page »