Here is the rundown of news and events that happened this week in the world of cybersecurity.
TMX Financial Reveals 4.8 Million Persons Affected By Data Breach
TMX Finance, an American consumer loan company, announced a major data breach three months ago. The Savannah, Georgia-based corporation informed the Maine Attorney General that the breach likely began in early December 2022. The corporation discovered it on February 13, 2023, and said it promptly checked all potentially affected files for implicated data. On March 1, 2023, the inquiry found that the data may have been collected between February 3 and 14.
The statement said that no law enforcement (FBI) inquiry delayed the disclosure. Personal data such as phone numbers, addresses, and emails may have been involved. TMX Finance has isolated the incident, reset all employee passwords, and added endpoint protection and monitoring to its defensive security posture. The lender offers qualifying customers a year of free credit monitoring and identity theft protection from Experian, and urges them to check their accounts regularly for suspicious activity.
Western Digital Reveals Network Breach, My Cloud Is Unavailable
Western Digital disclosed on Monday a “network security issue” involving unlawful access to its computers. According to sources, a third party gained access to “a number of the company’s systems” on March 26, 2023. Western Digital began incident response after learning of the attack and hired forensic and cybersecurity experts to investigate. It said that the investigation is at an early stage and that it is working with law enforcement.
The company has shut down various services and is trying to determine what data was accessed and whether the threat actor stole “any material from its servers.” Western Digital’s My Cloud status page says cloud, proxy, web, authentication, email, and push notification services are down, but it does not specify which services were affected by the breach.
Capita Cyberattack Made Its Microsoft Office 365 Programs Inaccessible
On Monday, Capita, the UK’s largest outsourcing provider, blamed “a cyber incident” for a Friday IT outage that stopped staff from accessing their accounts. Staff were wrongly told their regular passwords were “incorrect” when they tried to log in, fueling rumors of a cyberattack. Not all 61,000 Capita employees were affected. Capita’s representative said it was investigating “a technical issue.”
“We suffered a cyber issue largely impacting access to internal Microsoft Office 365 apps,” the company told the Regulatory News Service on Monday. The nature of the incident is unknown. Capita provides government services that could interest state-sponsored espionage groups, even as financially motivated ransomware attacks continue to threaten British firms. Capita has various Ministry of Defence contracts. Last year, a consortium it headed took over engineering and maintenance of the Royal Navy’s nuclear-powered ballistic missile submarine training simulators, a critical part of the UK’s nuclear deterrent.
OneNote Security Tightened By Microsoft To Block 120 File Extensions
Microsoft has detailed the hazardous embedded file types OneNote will soon block to safeguard users from malware-spreading phishing campaigns. In a Microsoft 365 roadmap entry released three weeks ago, on March 10, the company announced that OneNote will have increased security following recent and ongoing phishing attacks distributing malware.
Since Microsoft patched, in mid-December 2022, a Mark-of-the-Web (MoTW) bypass zero-day that was exploited to deliver malware via ISO and ZIP files, threat actors have turned to OneNote pages in spear-phishing attacks. Threat actors embed dangerous scripts and files in Microsoft OneNote documents and hide them behind design elements. Word and Excel macros are now blocked by default.
The corporation revealed today which file extensions will be blocked by the new OneNote security upgrades. Microsoft said OneNote will restrict the same file types as Outlook, Word, Excel, and PowerPoint. After the security upgrade, files with dangerous extensions will be inaccessible. OneNote previously warned users that opening attachments could damage their data, but still let them open hazardous embedded files.
TikTok Fined £12.7 Million For Violating Children Data Protection
The UK’s Information Commissioner’s Office (ICO) fined TikTok £12.7 million ($15.75 million) for repeatedly violating children’s data protection regulations. TikTok didn’t seek parental consent from under-13 users and didn’t check for underage users. John Edwards, UK Information Commissioner, said that the rules exist to keep children safe online and offline, and that TikTok infringed them. Due to its inadequate response, TikTok gathered and used the personal information of an estimated one million under-13 children, according to the privacy watchdog.
Edwards speculated that their information may have been used to monitor and profile them, possibly delivering harmful content on the next scroll. The company did not manage UK customer data “lawfully, equitably, and transparently.” The ICO originally wanted to fine TikTok £27 million ($33 million) for misusing special category data, but ultimately did not pursue that provisional finding.
Arid Viper Using Upgraded Malware In Middle East Cyberattacks
Arid Viper, a threat actor using updated malware toolkits, has targeted Palestinian entities since September 2022. Symantec, which tracks the group as Mantis, says the attacker is taking major steps to maintain a persistent presence on the networks it targets. In February 2015, Kaspersky assessed that the threat actors were Palestinian, Egyptian, and Turkish native Arabic speakers. Public sources have linked the group to Hamas’ cyber warfare branch.
Arid Viper, also tracked as APT-C-23 and Desert Falcon, has operated in the Middle East since 2014. Third-party reports claim it was active as early as 2011. The group targets Israeli and Middle Eastern organizations in government, military, finance, media, education, energy, and think tanks. It uses spear-phishing emails and fake social media identities to trick individuals into downloading malware. Arid Viper has spear-phished Palestinian law enforcement, military, and education targets, as well as the Israel Security Agency (ISA). Several vendors have linked the group to Hamas, but Symantec cannot confirm this.
Police Capture Genesis Market, Biggest Venue For Online Fraud
Authorities seized Genesis Market, a major online criminal marketplace, on Tuesday, with the FBI leading the takedown. Genesis, a one-stop shop for hackers selling stolen credentials and weaponization tools, has been linked to millions of financially driven cyber incidents globally, from fraud to ransomware attacks. Genesis Market’s login pages now display the Operation Cookie Monster takedown notice. Its websites are dark and conventional in design.
Unlike its competitors, Genesis Market sold hackers “bots” or “browser fingerprints” that replicate victims’ web browsers, including IP addresses, session cookies, operating system information, and plugins. These fingerprints let fraudsters access Netflix, Amazon, and online banking accounts without triggering security warnings.
Spain’s Extremely Dangerous And Evasive Hacker Now In Custody
José Luis Huertas, aka “Alcaseca,” “Mango,” and “chimichuri,” has been arrested. Huertas is accused of multiple high-profile hacks and of founding Udyat (the eye of Horus), a search engine that sells massive amounts of stolen sensitive data. Police arrested the adolescent hacker, described as a “serious threat to national security,” in November 2022. To identify the hacker, police seized cash, documents, and computers from Huertas’ house and other registered residences. The probe began with the hacking of the computer network of Spain’s judicial council (CGPJ). The hacker created a database to sell 575,000 taxpayer records to other hackers. That illegal service stores account, bank, and personal data.
Impersonating Gestevisión Telecinco/Mediaset España CEO Paolo Vasile, Huertas stole EUR 300,000. He is charged with money laundering and attacks on high-level state institutions. After each attempt, the hacker became bolder, claiming in a YouTube interview to hold 90% of Spanish people’s data. Policia Nacional says the General Information Police Station’s cyber threat investigation specialists identified the perpetrator, a 19-year-old with an extensive criminal background, after a thorough investigation. Local media said that the Spanish authorities tracked the juvenile hacker through the payments for the “Eye of Horus” server hosting. Even though Huertas “cleaned” his cryptocurrency payments, the National Cryptological Center tracked them.
Google TAG Alerts Of ARCHIPELAGO Cyberattacks Linked To North Korea
North Korea-backed threat actors have attacked South Korean and U.S. government and military officials, think tanks, policymakers, academics, and researchers. Google’s TAG labels the cluster ARCHIPELAGO, a subset of Mandiant’s APT43. From 2012, the tech giant “saw the organization seek individuals with experience in North Korea policy concerns such as sanctions, human rights, and non-proliferation issues”. APT43 and ARCHIPELAGO’s goals mirror those of North Korea’s Reconnaissance General Bureau (RGB), the main foreign intelligence service, suggesting ties to Kimsuky. ARCHIPELAGO steals passwords through phishing emails that link to fake login pages.
These messages, posing as media and think tank correspondence, offer interviews or information about North Korea. “ARCHIPELAGO invests time and effort to build a connection with targets, generally conversing with them by email over several days or weeks before finally providing a malicious link or file,” TAG said. A browser-in-the-browser (BitB) technique displays rogue login pages to steal passwords. The group also hosted malware payloads such as BabyShark on Google Drive, disguised as blank files or ISO optical disc images, in phishing emails styled as Google account security alerts.
Marketplace 600K Records Leaked by Database Snafu
A database misconfiguration leaked over 600,000 records from a popular online marketplace. The incident raised concerns regarding user data security and privacy. The marketplace’s IT staff misconfigured the system during routine maintenance, exposing the data. A security researcher discovered the issue after many hours.
Anyone who found the database could see names, addresses, phone numbers, and emails. The security researcher reported the data breach. Researchers warn that the exposed data could be exploited for phishing and other harm, for example through spear-phishing or social engineering aimed at extracting further personal data from users. The marketplace has assured clients that no financial data was compromised.
YouTube Alerts About Phishing Emails that Appear Authentic
Users report that a bogus YouTube email account has been sending fraudulent emails claiming to announce updated company policies. YouTube, owned by Google, warned viewers about the phishing email surge, reporting that several users had received fraudulent emails from a seemingly legitimate email address. The email claims that YouTube’s rules have changed and asks recipients to follow a link to review them; YouTube advises recipients not to do so.
The platform’s official Twitter account retweeted a tech influencer’s warning about the new phishing email wave. IT influencer Kevin Breeze tweeted the fake email. The email, sent from no-reply@youtube.com, mentions a new monetization stream and asks the recipient to review the changes in an attached document. The emails contain links and requests for passwords. Despite its authentic appearance, clicking on the email may put the user’s personal information and online security at risk.
Google Wants Android Apps To Have More Control Of Data Policy
Google mandated last week that Android app developers let users delete their data both in the app and online. Developers must “provide an option to commence account and data erasure from within the app and online” under Google’s new data deletion policy. Developers must report their apps’ privacy and security by year’s end. Developers must link their data safety form to a web page that enables users to erase accounts and data without uninstalling the app. The new data deletion option will simplify Google Play’s data protection section. By simplifying this policy, Google intends to educate users about data controls and increase trust in their apps and in Google Play.
Under the new guideline, developers must delete accounts and data upon request. Users can remove certain data instead of their whole account. Developers must disclose data retention practices for legitimate purposes such as fraud prevention, security, and regulatory compliance. Google requires developers to answer additional data deletion questions in data safety forms. The deadline is December 7. Google Play listings will reflect the new rule early next year, when the Data safety section will gain a data deletion area and badge. The Data Deletion help center explains these changes to developers.
OpenAI To Proffer Solutions To Italy’s ChatGPT Ban
On Thursday, regulators indicated that ChatGPT’s developer would submit data protection remedies. This week, San Francisco-based OpenAI, developer of the popular chatbot, was told to stop processing Italian users’ personal data while Garante, the Italian data protection body, investigates a possible EU data privacy violation. Experts say Italy was the first democracy to ban a popular AI platform.
In a late-night video call with the watchdog’s commissioners, OpenAI executives, including CEO Sam Altman, promised to address Italy’s ChatGPT prohibition. The remedies were not specified. Although the Italian watchdog said it didn’t want to slow AI development, it stressed to OpenAI the need to follow the tough privacy standards of the EU’s 27 member states. Regulators imposed the ban after users’ messages and payment details were leaked.
Microsoft, Fortra Gains Legal Rights Against Cobalt Strike Abuse
Microsoft, Fortra, and Health-ISAC have taken legal and technical steps to curb abuse of Cobalt Strike and of Microsoft products. Cobalt Strike, Fortra’s adversary simulation tool, is a legitimate post-exploitation framework. Despite the company’s efforts to prevent misuse, threat actors have cracked older versions and used them for damage.
State-sponsored threat groups from China, Russia, Iran, and Vietnam, as well as ransomware operators, have abused Cobalt Strike. Because healthcare ransomware attacks use Cobalt Strike, Health-ISAC, Microsoft, and Fortra have joined the effort. 68 healthcare ransomware attacks in 19 countries employed the tool.
Threat actors have created and distributed malware, including Cobalt Strike, using Microsoft SDKs and APIs. A March 31 order from a New York district court allowed the companies to seize the domains and hosting servers used to abuse Cobalt Strike and Microsoft technology. ISPs and CERTs helped Microsoft and Fortra take down attacker infrastructure and cut hackers off from compromised devices.
Attacks used US, Russian, and Chinese infrastructure. Microsoft, Fortra, and Health-ISAC sued 16 John Does. The complaint claims they are Conti, BlackCat, LockBit, Evil Corp, and initial access brokers. Disrupting the misuse of cracked legacy copies of Cobalt Strike will make it harder for criminals to profit and slow down cyberattacks.
MSI Confirms Cyberattack After Fresh Demand From Ransomware Group
Micro-Star International (MSI), a Taiwanese hardware maker, confirmed a cyberattack on Friday in response to reports that a new ransomware group had targeted it. MSI said the incident was reported to law enforcement “promptly” and that recovery efforts had begun. The Money Message ransomware group targeted the company this week and claims to have stolen the company’s source code, firmware, frameworks, and more. Cybersecurity experts said the group launched this week.
In 2021, the New Taipei City-based company made approximately $6.6 billion from motherboards, graphics cards, desktops, and laptops. The affected systems are running again, with no impact on its financial business. MSI urges clients to download firmware and BIOS upgrades exclusively from its official website. “The organization is committed to protecting customer, employee, and partner data security and privacy and will maintain upgrading its cybersecurity architecture and management to uphold business advancement and network security.” When the intrusion was disclosed to the Taiwan Stock Exchange on Friday, the company indicated in regulatory filings that it did not expect any losses or repercussions.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.