Tag Archive for: data breaches

Stay informed about recent cybersecurity incidents, breaches, and vulnerabilities impacting organizations and individuals. Discover the importance of proactive security measures and best practices to protect sensitive data from malicious actors.

In today’s digital landscape, the threat of cybersecurity breaches looms larger than ever before. Recent incidents and vulnerabilities have highlighted the need for organizations and individuals to remain vigilant in protecting sensitive data and systems from malicious actors. This article explores several noteworthy cybersecurity events, shedding light on the potential risks and emphasizing the importance of proactive measures.

Android Spyware Alert: Malicious Apps Detected

Android smartphone users have been alerted to a new strain of malware infecting over 100 apps. Dubbed “SpinOk” by cybersecurity experts, this spyware module operates discreetly in the background, enabling various malicious activities. While many of the infected apps have been removed from the official Play Store, some may still pose a threat to unsuspecting users. It is crucial for Android users to remain cautious when downloading apps and to promptly delete any suspicious or unnecessary applications.

Some of the apps found to contain this spyware include Noizz (a video editor with music), Zapya (a file transfer and sharing app), vFly and MVBit (video editors), Biougo (a video maker and editor), Crazy Drop (a game), Cashzine (an earn-money rewards app), Fizzo Novel (an offline reading app), CashEM (a rewards app), and Tick (a rewards app based on watching videos).

Gmail Security Warning: Flaw in Verification System

Google, the provider of the widely used Gmail service, recently issued a security warning to its massive user base. A critical flaw was discovered in Gmail’s new checkmark system, designed to identify verified organizations and aid in detecting potential scams. However, hackers successfully bypassed this security feature, raising concerns about the overall security of Gmail. Google is actively working to address the issue, emphasizing the constant battle between security enhancements and the ever-evolving tactics employed by hackers.

JBS Cybersecurity Failings: Vulnerability in the Food Processing Industry

The 2021 ransomware attack on JBS, a major food processing company, highlighted a significant vulnerability within the industry’s cybersecurity practices. A recent evaluation revealed that JBS’s cybersecurity infrastructure was lacking compared to its peers. The complex and interconnected nature of food processing systems, often reliant on outdated control systems and connected devices, presents an attractive target for hackers. The challenge lies in the cost of updating and fortifying these systems to meet modern cybersecurity standards, making it a crucial but often neglected investment.

Intellihartx Data Breach: Exposing Personal Health Records

Earlier this year, Intellihartx, a company responsible for handling patient healthcare information, fell victim to a devastating ransomware attack. The breach resulted in the compromise of nearly half a million individuals’ personal data, including names, addresses, dates of birth, and Social Security numbers. This incident underscores the critical need for robust cybersecurity measures within the healthcare industry and the importance of vetting vendors to ensure their cybersecurity practices meet stringent standards.

The incidents and vulnerabilities discussed in this article serve as stark reminders of the ever-present cybersecurity risks faced by individuals and organizations. It is imperative to prioritize proactive security measures, including vendor vetting, system updates, and user vigilance. By staying informed and taking appropriate precautions, we can collectively mitigate the threats posed by cybercriminals and safeguard our digital world.

Organizations worldwide, both large and small, are falling victim to a mass exploitation of a critical vulnerability in a widely used file-transfer program. The attacks, carried out by the Russian-speaking Clop crime syndicate, have resulted in data breaches at prominent companies and government agencies. Despite the relatively small number of confirmed breaches, security experts warn that the exploitation is widespread and rapidly spreading, affecting banks, government agencies, and various targets across different industries. This article delves into the details of the attacks, the impact on affected organizations, the nature of the vulnerability, and the potential for further victim disclosures and extortion attempts.

This exploitation, initiated during the Memorial Day holiday as a zero-day vulnerability, has continued for over nine days, causing significant concern within the cybersecurity community.

Notably, renowned entities such as Zellis (a payroll service), the Canadian province of Nova Scotia, British Airways, the BBC, and UK retailer Boots have all experienced data breaches due to these ongoing attacks. The common factor behind these breaches is the exploitation of a recently patched vulnerability in MOVEit, a versatile file-transfer provider offering both cloud and on-premises services. Nova Scotia and Zellis had their own instances or cloud services breached, while British Airways, the BBC, and Boots were customers of Zellis. The Clop crime syndicate, a Russian-speaking group, has been identified as the orchestrator of these hacking activities.

Although the number of confirmed breaches remains relatively small, researchers closely monitoring these attacks describe the exploitation as widespread. They liken the hacks to smash-and-grab robberies, where intruders quickly seize whatever valuable data they can before making a swift exit. Disturbingly, the targets of these attacks span various sectors, including banks, government agencies, and other organizations.

Steven Adair, President of security firm Volexity, revealed that several customers running MOVEit Transfer with open Internet access were compromised. Adair added, “Other individuals we have spoken to have encountered similar incidents.” Caitlin Condon, Senior Manager of Security Research at Rapid7, expressed that her team typically reserves the term “widespread threat” for situations involving multiple attackers and numerous targets. However, given the exploitation of high-value targets across diverse organizations worldwide, Rapid7 made an exception in this case, categorizing it as a widespread threat.

Condon pointed out that it was only the third business day since the incident became widely known, and many victims may still be unaware of their compromised status. As time progresses and regulatory requirements for reporting take effect, it is expected that a longer list of victims will come to light.

Independent researcher Kevin Beaumont also disclosed via social media that a double-digit number of organizations, including US government entities and banking organizations, have experienced data theft. This underscores the severity and scope of the attacks.

The vulnerability in MOVEit stems from a security flaw enabling SQL injection, a common and longstanding method of exploitation. SQL injection vulnerabilities occur when web applications fail to properly sanitize user input, allowing attackers to manipulate queries and retrieve confidential data, gain administrative privileges, or manipulate application behavior.
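To make the mechanism concrete, here is an added example (not code from the article, Progress, or any researcher cited in it) that builds a constructed in-memory SQLite table and runs the same lookup two ways: once by concatenating the caller-supplied value into the SQL text, and once with a parameterized query. The table contents, column names and the `list_files_*` function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data: a tiny "files" table with a flag marking
# rows the caller should never see. Not data from any real system.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT, secret INTEGER)"
    )
    conn.executemany(
        "INSERT INTO files (owner, name, secret) VALUES (?, ?, ?)",
        [
            ("alice", "q1-report.pdf", 0),
            ("alice", "payroll.xlsx", 1),
            ("bob", "notes.txt", 0),
        ],
    )
    return conn


def list_files_vulnerable(conn, owner):
    # Unsafe: the user-controlled value becomes part of the SQL text, so a
    # quote character inside it ends the string literal and the remainder is
    # parsed as SQL. The trailing "AND secret = 0" restriction can be cut off.
    sql = "SELECT name FROM files WHERE owner = '" + owner + "' AND secret = 0"
    return [row[0] for row in conn.execute(sql)]


def list_files_safe(conn, owner):
    # Hardened: the driver sends the value separately from the statement, so
    # quotes and comment sequences inside it are just characters in a string
    # and cannot change the query's structure.
    sql = "SELECT name FROM files WHERE owner = ? AND secret = 0"
    return [row[0] for row in conn.execute(sql, (owner,))]


def demo():
    conn = make_db()
    normal = "alice"
    # Classic injection payload: closes the quoted literal, adds an always-true
    # condition, and comments out the rest of the statement.
    hostile = "alice' OR '1'='1' --"
    return {
        "normal_vulnerable": list_files_vulnerable(conn, normal),
        "normal_safe": list_files_safe(conn, normal),
        "hostile_vulnerable": list_files_vulnerable(conn, hostile),
        "hostile_safe": list_files_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the benign input both functions return the single non-secret file for `alice`. With the hostile input the concatenated query returns every row in the table, secret ones included, while the parameterized query returns nothing because no owner is literally named `alice' OR '1'='1' --`. The fix is structural (keep data out of the statement text), not a matter of stripping quote characters from input.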

According to a post published by security firm Mandiant, the Clop exploitation spree began on May 27, with instances of data theft occurring within minutes of the installation of a custom webshell known as LemurLoot. Mandiant’s researchers noted that significant volumes of files had been stolen from victims’ MOVEit Transfer systems. The webshell, disguised with filenames such as “human2.aspx” and “human2.aspx.lnk,” aimed to masquerade as the legitimate component “human.aspx” of the MOVEit Transfer service. Furthermore, Mandiant observed SQL injection attacks targeting the legitimate “guestaccess.aspx” file before interacting with the LemurLoot webshell.

On May 31, four days after the initial attacks, MOVEit provider Progress patched the vulnerability. However, reports emerged on social media suggesting that threat actors were actively exploiting the vulnerability by installing a file named “human2.aspx” in the root directory of vulnerable servers. Security firms subsequently verified these reports.
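The filenames above are the concrete artefact a defender can look for. The following is an added example (not tooling from the article, Progress, Mandiant, or any vendor mentioned) that does two things: it walks a web root looking for the disguised webshell names named in the article, and it scans web server access log lines for requests to those paths. The directory layout, the `build_sample_tree` helper, and the log lines are constructed for the demonstration; the real MOVEit Transfer web root location is not stated on the page and is left as a hypothetical argument.

```python
import re
import tempfile
from pathlib import Path

# Filenames the article reports the webshell was dropped under, and the
# legitimate component it imitates. Comparison is case-insensitive because
# IIS paths are.
SUSPICIOUS_NAMES = {"human2.aspx", "human2.aspx.lnk"}
LEGITIMATE_NAMES = {"human.aspx", "guestaccess.aspx"}


def find_suspicious_files(web_root):
    """Return relative paths under web_root whose filename matches a known
    webshell name. Walks subdirectories too, in case the file was not
    placed directly in the root."""
    root = Path(web_root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.name.lower() in SUSPICIOUS_NAMES:
            hits.append(str(path.relative_to(root)).replace("\\", "/"))
    return sorted(hits)


# Matches the request path field of a W3C/IIS-style access log line, e.g.
# "... GET /human2.aspx - 443 ..." Constructed for this example.
_REQ_RE = re.compile(r"\b(GET|POST|PUT)\s+(\S+)", re.IGNORECASE)


def flag_log_lines(lines):
    """Return (line_number, path) for each log line requesting a suspicious
    filename. Legitimate component names are deliberately not flagged so the
    output stays focused on the disguised file."""
    flagged = []
    for n, line in enumerate(lines, start=1):
        m = _REQ_RE.search(line)
        if not m:
            continue
        filename = m.group(2).rsplit("/", 1)[-1].lower()
        if filename in SUSPICIOUS_NAMES:
            flagged.append((n, m.group(2)))
    return flagged


def build_sample_tree():
    """Create a constructed web root containing both legitimate and
    suspicious filenames, and return its path. Demo scaffolding only."""
    root = Path(tempfile.mkdtemp(prefix="moveit-demo-"))
    for name in ("human.aspx", "guestaccess.aspx", "human2.aspx", "human2.aspx.lnk"):
        (root / name).write_text("<!-- constructed placeholder -->")
    (root / "sub").mkdir()
    (root / "sub" / "Human2.ASPX").write_text("<!-- constructed placeholder -->")
    return root


# Constructed access log excerpt in IIS W3C layout; hosts and IPs are fake.
SAMPLE_LOG = [
    "2023-06-01 10:00:01 10.0.0.5 GET /guestaccess.aspx - 443 - 203.0.113.7 Mozilla/5.0 200",
    "2023-06-01 10:00:02 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.7 Mozilla/5.0 200",
    "2023-06-01 10:00:03 10.0.0.5 GET /human.aspx - 443 - 198.51.100.2 Mozilla/5.0 200",
    "2023-06-01 10:00:04 10.0.0.5 GET /api/v1/HUMAN2.aspx - 443 - 203.0.113.7 curl/8.0 404",
]


if __name__ == "__main__":
    tree = build_sample_tree()
    print("files:", find_suspicious_files(tree))
    print("log hits:", flag_log_lines(SAMPLE_LOG))
```

A hit from `find_suspicious_files` is a strong indicator because the name has no legitimate reason to exist; a log hit is useful even when the file has since been removed, and a 404 response to such a request still shows someone probed for it. Pair both checks with a comparison of the web root against a known-good installation, since a renamed copy of the webshell would not match these names.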

MOVEit officials issued a statement acknowledging that as soon as they discovered the vulnerability, they promptly launched an investigation and informed their customers about the issue, providing them with mitigations to enhance their security. Within 48 hours, the company’s engineers disabled web access to the MOVEit cloud service, developed a security patch, and made it available to customers. They also applied the patch to the cloud implementation.

In their ongoing efforts to address the situation, MOVEit is collaborating with leading cybersecurity experts, engaging with federal law enforcement agencies, and taking comprehensive measures to combat the increasingly sophisticated tactics employed by cybercriminals. The company remains committed to securing widely used software products and actively participating in industry-wide initiatives to safeguard organizations from malicious exploits.

Formally attributing the attacks to the Clop group, Microsoft named the operation “Lace Tempest” and associated it with a ransomware campaign connected to the Clop ransomware group. Mandiant’s investigation also revealed similarities in tactics, techniques, and procedures used by the attack group FIN11, which has previously deployed Clop ransomware.

As of now, there have been no reports of victims receiving ransom demands. The Clop extortion site has remained silent about these specific attacks. However, Mandiant researchers anticipate that victim organizations may receive extortion emails in the coming days or weeks if the ultimate goal of this operation is extortion.

The incident timeline highlights the urgency and speed with which organizations must respond to critical vulnerabilities. MOVEit’s swift response in developing a patch and actively assisting customers demonstrates the importance of proactive cybersecurity measures and collaboration among stakeholders.

The widespread exploitation of the critical vulnerability in the widely used file-transfer program has posed significant challenges for organizations of all sizes. The activities orchestrated by the Clop crime syndicate have targeted valuable data across various industries, raising concerns within the cybersecurity community. The incident serves as a reminder of the ongoing threat landscape and the need for robust security measures to mitigate potential risks. Organizations must remain vigilant, promptly address vulnerabilities, and collaborate with industry experts to protect their valuable data and systems from ever-evolving cyber threats.