Mar 02 2022

NVIDIA discloses data breach after the recent ransomware attack

Category: Data Breach,Ransomware,Security BreachDISC @ 10:31 am
NVIDIA discloses data breach after the recent ransomware attack

Chipmaker giant Nvidia confirmed a data breach after the recently disclosed security incident, proprietary information stolen.

The chipmaker giant Nvidia was recentty victim of a ransomware attack that impacted some of its systems for two days. The security breach is not connected to the ongoing crisis in Ukraine, according to a person familiar with the incident.

The incident also impacted the company’s developer tools and email systems, but business and commercial activities were not affected.

“Our business and commercial activities continue uninterrupted,” Nvidia said in a statement. “We are still working to evaluate the nature and scope of the event and don’t have any additional information to share at this time.”

The Lapsus$ ransomware gang is claiming responsibility for this attack, the group announced to have stolen 1 TB of data from Nvidia’s network. The ransomware gang leaked online around 20GB of data, including credentials for all Nvidia employees.

The company launched an investigation into the incident to determine the extent of the intrusion that confirmed that the attackers have stolen data from the chipmaker.

NVIDIA said employee credentials and proprietary information were stolen during a cyberattack they announced on Friday

The chipmaker giant discovered the intrusion on February 23, the attack also impacted its IT resources.

“Access to NVIDIA employee VPN requires the PC to be enrolled in MDM (Mobile Device Management). With this they were able to connect to a [virtual machine] we use. Yes they successfully encrypted the data,” the group claimed in a subsequent message.” the LAPSU$ ransomware gang wrote on its Telegram change. “However we have a backup and it’s safe from scum! We are not hacked by a competitors groups or any sorts.”

Below is the statement shared by NVIDIA with some websites and published by BleepingComputer.

“On February 23, 2022, NVIDIA became aware of a cybersecurity incident which impacted IT resources. Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement.” reads the statement. “We have no evidence of ransomware being deployed on the NVIDIA environment or that this is related to the Russia-Ukraine conflict. However, we are aware that the threat actor took employee credentials and some NVIDIA proprietary information from our systems and has begun leaking it online. Our team is working to analyze that information. We do not anticipate any disruption to our business or our ability to serve our customers as a result of the incident.”

Big Breaches: Cybersecurity Lessons for Everyone

Tags: Big Breaches, NVIDIA data breach

Feb 07 2022

Hackers breached a server of National Games of China days before the event

Category: Security BreachDISC @ 10:25 am
Hackers breached a server of National Games of China days before the event

Researchers at cybersecurity firm Avast discovered that a Chinese-language-speaking threat actor has compromised systems at National Games of China in 2021. The event took place on September 15, 2021 in Shaanxi (China), it is a national version of the Olympics with only local athletes.

The attackers breached a web server on September 3rd and deployed multiple reverse web shells to establish a permanent foothold in the target network.

Experts noticed that the threat actors started a reconnaissance phase in August, they have done some tests to determine which type of file was possible to upload to the server. In order to perform the tests, attackers seem to have exploited a vulnerability in the webserver.

The attackers tried submitting files with different file-types and also file extensions, such as a legitimate image with different file extensions: ico, lua, js, luac, txt, html and rar.

“After gaining knowledge on blocked and allowed file types, they tried to submit executable code. Of course, they started submitting PoCs instead of directly executing a webshell because submitting PoCs is more stealthy and also allows one to gain knowledge on what the malicious code is allowed to do.” reported Avast. “For instance, one of the files uploaded was this Lua script camouflaged as an image (20210903-160250-168571-ab1c20.jpg)”

The attackers reconfigured the web server by uploading a configuration file, camouflaged as a PNG file, that allowed the execution of lua scripts. Experts found evidence that the server was configured to execute new threads in a thread pool which didn’t work for Rebeyond Behinder webshell. Then, as a final payload, the attackers uploaded and ran an entire Tomcat server properly configured and weaponized with Rebeyond Behinder.

After gaining access to the server, the attackers tried to perform lateral movements by brute-forcing services and using exploits in an automated way. Attackers were able to upload some tools (dnscrypt-proxyfscanmssql-command-toolbehinder) to the server and execute a network scanner (fscan) and a custom one-click exploitation framework written in Go and distributed as a single binary.

“The procedure followed by the attackers hacking the 14th National Games of China is not new at all. They gained access to the system by exploiting a vulnerability in the web server. This shows the need for updating software, configuring it properly and also being aware of possible new vulnerabilities in applications by using vulnerability scanners.” concludes the report. “The most fundamental security countermeasure for defenders consists in keeping the infrastructure up-to-date in terms of patching. Especially for the Internet facing infrastructure.”

Avast reported that the security breach appears to have been resolved before the beginning of the games, however, the experts were not able to determine the type of information exfiltrated by the threat actor.

Penetration Testing – Post Exploitation

Tags: Big Breaches, Hackers breached, National Games of China, Pen testing

Jan 04 2022

List of data breaches and cyber attacks in December 2021 – 219 million records breached

Category: Cyber Attack,Data Breach,data security,Information SecurityDISC @ 10:35 am
List of data breaches and cyber attacks in December 2021 – 219 million records breached

List of data breaches and cyber attacks in December 2021 – 219 million records breached

Luke Irwin  4th January 2022

2021 was a difficult year many of us, and with the hope that COVID-19 will dissipate in the spring, this is a new year more than any other where we want to look forwards, not backwards.

But before we turn our attention to 2022, we must first round out 2021 with our final monthly review of data breaches and cyber attacks. December saw 74 publicly disclosed security incidents, which accounted for 219,310,808 breached records.

You can find the full list of incidents below, with those affecting UK-based organisations listed in bold.

Additionally, we’ll also soon be publishing our latest quarterly review of security incidents, in which you can discover the latest trends and take a look back at the year as a whole.

Contents

Big Breaches: Cybersecurity Lessons for Everyone

Tags: Big Breaches, cyber attacks, data breaches

Jul 23 2021

Over 80 US Municipalities’ Sensitive Information, Including Resident’s Personal Data, Left Vulnerable in Massive Data Breach

Category: Data Breach,data securityDISC @ 12:55 pm
Over 80 US Municipalities’ Sensitive Information, Including Resident’s Personal Data, Left Vulnerable in Massive Data Breach

WizCase’s team of ethical hackers, led by Ata Hakçıl, has found a major breach exposing a number of US cities, all of them using the same web service provider aimed at municipalities.

Original post at https://www.wizcase.com/blog/us-municipality-breach-report/

What’s Happening?

Over a 100 US cities appeared to be using the same product, mapsonline.net, provided by an American company named PeopleGIS. The data of these municipalities was stored in several misconfigured Amazon S3 buckets that were sharing similar naming conventions to MapsOnline. Due to this, we believe these cities are using the same software solution. Our team reached out to the company and the buckets have since been secured.

PeopleGIS is a Massachusetts-based company specializing in information management software. Many city municipalities in the state of Massachusetts and a few in surrounding states like Connecticut and New Hampshire use their software and platforms to manage a variety of data.

Our scanner revealed 114 Amazon Buckets that were named after the same pattern, revealing the connection to PeopleGIS. Among these, 28 appeared to be properly configured (meaning they weren’t accessible), and 86 were accessible without any password nor encryption.

This means there are 3 options:

  • PeopleGIS created and handed over the buckets to their customers (all municipalities), and some of them made sure these were properly configured;
  • The buckets were created and configured by different employees at PeopleGIS, and there were no clear guidelines regarding the configuration of these buckets;
  • The Municipalities created the buckets themselves, with PeopleGIS guidelines about the naming format but without any guidelines regarding the configuration, which would explain the difference between the municipalities whose employees knew about it or not.

What Data Was Left Vulnerable?

Big Breaches

Data Breaches: Crisis and Opportunity

Tags: Big Breaches, data breaches, Massive Data Breach, Municipalities’ Sensitive Information