week-09-2021-newsletter

Here’s your weekly data breach news roundup:

Source Code for Microsoft Azure, Exchange, Intune, RIPE NCC Internet Registry, Clubhouse, Cashalo, Cryptopia, Transport for New South Wales, Bombardier, University of Amsterdam, Hyundai Motor America, Stadgenoot, French Medical Data, Turkish legal advising company – Inova, Fisher-Titus Medical Center, System of Electronic Interaction of Executive Bodies (SEI EB), Npower, Harvard Business School, T-Mobile, Oxford University Lab, SuperVPN, GeckoVPN, and ChatVPN

Source Code for Microsoft Azure, Exchange, Intune


Microsoft said it concluded its probe into the SolarWinds hack, finding that the attackers stole some source code but confirmed there’s no evidence that they abused its internal systems to target other companies or gained access to production services or customer data.

The disclosure builds upon an earlier update on December 31, 2020, that uncovered a compromise of its own network to view source code related to its products and services.

“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” the Windows maker had previously disclosed.

Now, according to the company, besides viewing a few individual files found by searching through the repositories, some cases involved downloading component source code related to:

  • a small subset of Azure components (subsets of service, security, identity)
  • a small subset of Intune components
  • a small subset of Exchange components

“The search terms used by the actor indicate the expected focus on attempting to find secrets,” the company said, adding that a subsequent verification confirmed the files did not contain any live, production credentials.

RIPE NCC Internet Registry


RIPE NCC is warning members that it suffered a credential stuffing attack attempting to gain access to single sign-on (SSO) accounts.

RIPE NCC is a not-for-profit regional Internet registry for Europe, the Middle East, and parts of Central Asia. It is responsible for allocating blocks of IP addresses to Internet providers, hosting providers, and organizations in the EMEA region.

Membership includes over 20,000 organizations from over 75 countries who act as Local Internet Registries (LIRs) to assign IP address space to other organizations in their own country.

RIPE disclosed today that it suffered a credential stuffing attack over the weekend targeting its single sign-on (SSO) service. This SSO service is used to log in to all RIPE sites, including My LIR, Resources, RIPE Database, RIPE Labs, RIPEstat, RIPE Atlas, and the RIPE Meeting websites.

“Last weekend, RIPE NCC Access, our single sign-on (SSO) service was affected by what appears to be a deliberate ‘credential-stuffing’ attack, which caused some downtime.

“We mitigated the attack, and we are now taking steps to ensure that our services are better protected against such threats in the future,” RIPE NCC disclosed today in an announcement on their website.

Clubhouse

The hot audio-based social app Clubhouse has apparently suffered a data breach, as a third-party developer designed an open-source app that allowed Android smartphone users to access the invite-only, iPhone-only service.

Launched in March 2020, Clubhouse is an audio-based social app that allows users to join group chats spontaneously. It raised $100 million in funding in January. Despite being available only to Apple Inc.’s users, it has managed to gain a lot of buzz, not dissimilar to the early days of Twitter Inc.

In the case of the main Clubhouse breach, a programmer in mainland China designed and published open-source code on GitHub (owned by Microsoft Corp. since 2018). The developer said the app was designed to allow anyone to listen to audio on Clubhouse without an invite code, with access to various personal sessions.

This app, along with other forms of third-party access, some apparently originating from Hong Kong, has now been blocked. Notably, the developer of the Clubhouse Android app on GitHub writes in simplified Chinese, while Hong Kong uses traditional Chinese script.

Cashalo


The online lending platform Cashalo has reported an “unauthorized access” to a database that contained some personal data of its customers, but assured that accounts or passwords were not compromised.

“We deeply regret that less than 48 hours ago, our IT security team discovered a potential data security incident involving a Cashalo database archive,” read a statement posted on Cashalo’s Facebook page past 12 a.m. on Saturday.

“Our encryption implementation ensured that no customer accounts or passwords were compromised,” Cashalo said, adding that it took immediate actions and reported the incident to the National Privacy Commission.

Cashalo said it is now cooperating with authorities and its partners to complete the investigation and enhance its security and safety measures.

“We apologize sincerely and unreservedly for this unfortunate incident and those impacted,” Cashalo said. “For those affected by this incident, an email has been sent to you informing you on the next steps.”

Cryptopia


Adding to the controversies surrounding New Zealand’s collapsed crypto exchange Cryptopia, the platform has allegedly been hacked again, allowing perpetrators to steal a further NZD 62,000 (USD 45,000) worth of crypto after a January 2019 attack captured an estimated USD 30m in cryptoassets.

The alleged theft happened a few months after it was disclosed a former employee of the exchange had been charged with stealing close to NZD 250,000 worth of cryptocurrencies and customer data, reported local news site Stuff.co.nz.

The latest attack, which happened on February 1, allowed hackers to access a wallet that had been dormant since the January 2019 hack; the wallet belongs to the US blockchain business Stakenet and is now under the control of the liquidator. In total, the wallet was said to contain about NZD 2.7m worth of stakenet (XSN), the native token of Stakenet.

“We had no prior warning of any intended movement so naturally we immediately contacted [liquidator] Grant Thornton, who is supposed to be in control of these assets and in charge of redistributing them back to their rightful owners,” a Stakenet spokesperson was quoted as saying in the report.

Transport for New South Wales


Transport for New South Wales (TfNSW) has confirmed it was affected by a cyber attack on a file transfer system owned by Accellion.

The Accellion system was widely used to share and store files by organisations around the world, including Transport for NSW, the government entity said on Tuesday afternoon.

“Before the attack on Accellion servers was interrupted, some Transport for NSW information was taken,” it wrote.

TfNSW said Cyber Security NSW is managing the state government investigation with the help of forensic specialists.

“We are working closely with Cyber Security NSW to understand the impact of the breach, including to customer data,” it said.

It said the breach was limited to Accellion servers and no other TfNSW systems have been affected, including those related to driver’s licence information or Opal data.

“We recognise that data privacy is paramount and deeply regret that customers may be affected by this attack,” TfNSW said.

The Australian Securities and Investments Commission (ASIC) in January said one of its servers was breached earlier in the month in relation to Accellion software used by the agency to transfer files and attachments.

Bombardier


Canadian airplane manufacturer Bombardier has disclosed today a security breach after some of its data was published on a dark web portal operated by the Clop ransomware gang.

“An initial investigation revealed that an unauthorized party accessed and extracted data by exploiting a vulnerability affecting a third-party file-transfer application, which was running on purpose-built servers isolated from the main Bombardier IT network,” the company said in a press release today.

While the company did not specifically name the appliance, it is most likely referring to Accellion FTA, a web server that companies can use to host and share with customers and employees large files that can’t be sent via email.

In December 2020, a hacking group discovered a zero-day in the FTA software and began attacking companies worldwide. Attackers took over systems, installed a web shell, and then stole sensitive data.

In a press release yesterday, Accellion said that 300 of its customers were running FTA servers, 100 got attacked, and that data was stolen from around 25.

The attackers then attempted to extort the hacked companies, asking for ransom payments, or they’d make the stolen data public, according to security firm FireEye.

Starting earlier this month, data from some old FTA customers began appearing on a “leak site” hosted on the dark web, where the Clop ransomware gang would usually shame the companies who refused to pay its decryption fees.

University of Amsterdam


An unknown third party has gained access to the ICT environments of the Amsterdam University of Applied Sciences (AUAS) and the University of Amsterdam (UvA). Measures are being taken to minimise the impact and to ensure that education and research can continue to take place unimpeded.


Hyundai Motor America


Hackers leaked data related to Hyundai Motor America’s logistics operations on Monday and claimed responsibility for an apparent ransomware attack targeting the automaker and subsidiary Kia Motors America.

Files posted by the DoppelPaymer ransomware gang contain information about Hyundai Glovis, the automaker’s global logistics firm, as well as documents related to a trucking partner, in addition to other data.

Hyundai Motor America acknowledged that it had experienced an “IT outage,” but would not confirm that it had been targeted in a ransomware attack.

“Last week, Hyundai Motor America experienced an IT outage affecting a limited number of customer-facing systems and the majority of those systems are now back online,” the company said in a statement. “We would like to thank our customers for their continued patience. At this time, we can confirm that we have no evidence of Hyundai Motor America or its data being subject to a ransomware attack.”

The data leak came in the aftermath of an IT disruption that hit Kia Motors America more than a week ago. Bleeping Computer reported that Kia had been targeted by a ransomware attack by DoppelPaymer and was seeking $20 million in payment.

Stadgenoot

The website of the Amsterdam housing corporation Stadgenoot has recently been hacked. Private data was stolen from a maximum of 30,000 people who shared their data with the corporation. Stadgenoot informed the victims by email on Wednesday. According to a spokesperson, names, addresses, e-mail addresses and in some cases license plate numbers and indications of annual salaries have been stolen.

When the hack was performed was not disclosed; it is also unclear who is responsible for it. The data breach is said to have been closed and it has been reported to the Dutch Data Protection Authority. Stadgenoot has informed all customers about the possible theft of their data and advises them to be vigilant for phishing emails, fake letters and “phone calls from scammers”. Purchase agreements concluded with Stadgenoot are on another server that has not been affected.

Stadgenoot is one of the six large housing corporations in Amsterdam. The corporation manages about 35,000 ‘units’. This mainly concerns social rental homes, but also free-sector rental homes, parking spaces and business premises. People who are looking for a home or other space can leave their details on the site.

French Medical Data

Sensitive medical data belonging to nearly half a million French people has been stolen and leaked online, according to a joint investigation by news source Libération and French cybersecurity blog Zataz.

The exposed data, which can be accessed from multiple sites, includes names, phone numbers, and postal addresses of 491,840 individuals. In some cases, it is accompanied by identifying information including Social Security number, birth date, blood type, GP, health insurance provider, medical treatments, HIV status, and pregnancy test results.

Libération found that the data was stolen from around 30 different medical laboratories located mainly in France’s northwestern quarter. The news source said that the leaked information corresponds to samples taken between 2015 and October 2020, a period during which the laboratories were all using a particular type of medical administrative software published by the Dedalus Healthcare Systems Group.

“We are not certain that the sole reason for this incident was Dedalus software,” Dedalus COO Didier Neyrat told international news agency Agence France-Presse (AFP).

Turkish legal advising company - Inova

The WizCase team uncovered a massive data leak containing private information about Turkish citizens, exposed through a misconfigured Amazon S3 bucket. The server contained 55,000 court papers relating to over 15,000 legal cases, which affected hundreds of thousands of people.

Our online security team has uncovered a massive data breach originating from a misconfigured Amazon S3 bucket operated by a Turkish legal advising company, INOVA YÖNETIM & AKTÜERYAL DANIŞMANLIK. Inova is an actuarial consultancy, which means it compiles statistical analyses and calculates insurance risks and premiums. Inova has been operating since 2012 and has handled thousands of cases since then.

While Amazon offers the necessary tools to secure its services, Inova had not implemented these measures properly.
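The two controls that would have kept a bucket like this private are a bucket policy that grants access only to named principals, and the S3 Public Access Block settings, which override any accidentally permissive policy or ACL. The Python script below is an added example (not WizCase’s tooling, not Inova’s configuration, and not part of this newsletter) of the offline check an engineer would run over exported bucket configuration: it parses a bucket policy, flags every Allow statement whose Principal is everyone, and verifies that all four Public Access Block flags are on. The weak and corrected policies, the bucket name and the account ID are constructed placeholders.

```python
import json

# The four S3 Public Access Block settings (real setting names); together they stop
# a bucket from being exposed by a permissive policy or ACL.
REQUIRED_BLOCK_FLAGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def _as_list(value):
    """IAM policy fields may be a single string/dict or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True if the Principal grants to everyone: "*" or {"AWS": "*"} (possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy):
    """Return (Sid, actions, conditioned) for every Allow statement open to everyone.
    'conditioned' is True when a Condition narrows the grant; those still need a
    human look, but an unconditioned public grant is the definite finding."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_public_principal(stmt.get("Principal")):
            continue
        findings.append((
            stmt.get("Sid", "<no Sid>"),
            _as_list(stmt.get("Action", [])),
            bool(stmt.get("Condition")),
        ))
    return findings


def block_public_access_ok(settings):
    """True only when all four Public Access Block flags are enabled."""
    return all(settings.get(flag) is True for flag in REQUIRED_BLOCK_FLAGS)


# Constructed weak policy: anyone on the internet may read every object.
# Bucket name is a placeholder, not Inova's.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicReadGetObject",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-case-files-bucket/*"
  }]
}
""")

# Corrected policy: the same read access, but only for one named IAM role
# (account ID 111122223333 is a placeholder).
FIXED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "CaseProcessingRoleRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/case-processing"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-case-files-bucket/*"
  }]
}
""")


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "public statements:", public_statements(policy))
    settings = dict.fromkeys(REQUIRED_BLOCK_FLAGS, True)
    print("block public access ok:", block_public_access_ok(settings))
```

In practice the policy JSON and the Public Access Block settings would come from the `get-bucket-policy` and `get-public-access-block` calls of the AWS CLI or SDK; the checker itself needs no network access, so it can run in CI against exported configuration before a deployment is approved.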

Some of the court cases contained more information about the victim or involved other people, such as the victims’ beneficiaries, other parties involved in the accident, police officers and prosecutors.

Fisher-Titus Medical Center

The personal information of patients at Fisher-Titus Medical Center was compromised after an unknown person gained access to an employee’s email account.

According to a notice from the Norwalk hospital, someone accessed an employee’s email between August 2020 and October 2020. That email account contained personal information including people’s full names, Social Security numbers, credit and debit card numbers and medical details like diagnoses, clinical information and insurance information.

“We have no evidence that any information has been misused,” the notice states. The hospital did not explain how they know information hasn’t been misused.

After learning about the breach, Fisher-Titus consulted with outside cybersecurity experts for an investigation, which concluded on Jan. 13.

System of Electronic Interaction of Executive Bodies (SEI EB)

The Ukrainian government said today that Russian hackers compromised a government file-sharing system as part of an attempt to disseminate malicious documents to other government agencies.

The target of the attack was the System of Electronic Interaction of Executive Bodies (SEI EB), a web-based portal used by Ukrainian government agencies to circulate documents between each other and public authorities.

In a statement published today, officials with Ukraine’s National Security and Defense Council said the purpose of the attack was “the mass contamination of information resources of public authorities.”

Ukrainian officials said the attackers uploaded documents on this portal that contained macro scripts. If users downloaded any of these documents and allowed the scripts to execute (usually by pressing the “Enable Editing” button inside Office apps), the macros would secretly download malware that would allow the hackers to take control of a victim’s computer.
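The defensive counterpart to the SEI EB incident is a document portal that refuses to distribute macro-enabled files in the first place. The Python script below is an added example (not code from SEI EB, the Ukrainian NSDC, or this newsletter) of an upload gate: it opens an OOXML document as the ZIP container it is, rejects it if a `vbaProject.bin` part or a macro-enabled content type is present, and rejects legacy binary Office formats that cannot be inspected this cheaply. The acceptance policy, the file names and the minimal in-memory documents are constructed for the example; real Office files contain many more parts.

```python
import io
import zipfile

# Parts whose presence marks an OOXML document as macro-enabled (Word, Excel, PowerPoint).
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Content types Office declares for the main part of a macro-enabled document.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
DOCX_MAIN_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def inspect_ooxml(data):
    """Return (is_ooxml, has_vba_part, declares_macro_type) for a byte string."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            ctypes = ""
            if "[Content_Types].xml" in names:
                ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return (False, False, False)
    has_vba = any(part in names for part in VBA_PARTS)
    declares = any(ct in ctypes for ct in MACRO_CONTENT_TYPES)
    return (True, has_vba, declares)


def upload_verdict(filename, data):
    """Decide whether a document upload to a sharing portal is accepted.
    Policy (an assumption for this example): macro-enabled documents are rejected,
    legacy OLE2 formats are rejected because they need a different parser,
    everything else that is a valid OOXML container passes.
    The vbaProject.bin check is by content, so renaming .docm to .docx does not help."""
    lower = filename.lower()
    if lower.endswith((".doc", ".xls", ".ppt")):
        return "reject: legacy OLE2 format, convert to macro-free OOXML"
    is_ooxml, has_vba, declares = inspect_ooxml(data)
    if not is_ooxml:
        return "reject: not a valid OOXML container"
    if has_vba or declares:
        return "reject: contains VBA macro project"
    return "accept"


def build_sample_doc(with_macro):
    """Construct a minimal OOXML container in memory (a constructed stand-in for a
    Word file, not a real document)."""
    main_ct = MACRO_CONTENT_TYPES[0] if with_macro else DOCX_MAIN_TYPE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>',
        )
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for the OLE2 stream a real VBA project uses.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder OLE stream")
    return buf.getvalue()


if __name__ == "__main__":
    print("report.docm  ->", upload_verdict("report.docm", build_sample_doc(True)))
    print("renamed.docx ->", upload_verdict("renamed.docx", build_sample_doc(True)))
    print("report.docx  ->", upload_verdict("report.docx", build_sample_doc(False)))
    print("notes.txt    ->", upload_verdict("notes.txt", b"plain text"))
```

A gate like this belongs at the portal, not only on the workstation: Office’s Protected View is the last line of defence, and the page’s own description shows that a single click on “Enable Editing” removes it.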

Npower


Energy firm Npower has closed down its app following an attack that exposed some customers’ financial and personal information.

Contact details, birth dates, addresses and partial bank account numbers are among details believed stolen.

The firm did not say how many accounts were affected by the breach, which was first reported by MoneySavingExpert.com.

But the affected accounts had been locked, Npower told the BBC.

“We identified suspicious cyber-activity affecting the Npower mobile app, where someone has accessed customer accounts using login data stolen from another website. This is known as ‘credential stuffing’,” the firm said in a statement.

“We’ve contacted all affected customers to make them aware of the issue, encouraging them to change their passwords and offering advice on how to prevent unauthorised access to their online account.”


It also advised customers to change passwords on other accounts if using the same one.
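Both the RIPE NCC and Npower incidents above are credential stuffing: username/password pairs leaked from one site replayed against another site’s login. The Python script below is an added example (not code from RIPE NCC, Npower or this newsletter) of the detection logic a defender would run over SSO authentication logs. It flags any source IP that attempts many distinct usernames inside a short sliding window, which separates stuffing from a single user mistyping a password, and then lists the accounts where such a source got a successful login, which are the ones to lock and push through a password reset, as Npower did. The log format, IP addresses, usernames and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format (hypothetical; not the format of any real SSO product):
#   <ISO-8601 UTC timestamp> <source IP> <LOGIN_OK|LOGIN_FAIL> user=<username>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<event>LOGIN_OK|LOGIN_FAIL)\s+user=(?P<user>\S+)$"
)


def parse_line(line):
    """Parse one log line into (timestamp, ip, event, user); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["event"], m["user"]


def detect_credential_stuffing(lines, window_seconds=60, min_distinct_users=10):
    """Flag source IPs that try >= min_distinct_users distinct usernames inside any
    sliding window of window_seconds.  Many accounts from one source is the
    signature of credential stuffing; one user failing a few times is not.

    Returns {ip: (max distinct users seen in a window, failures in that window)}.
    """
    per_ip = defaultdict(deque)  # ip -> recent (ts, user, event) tuples, oldest first
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the detector
        ts, ip, event, user = parsed
        window = per_ip[ip]
        window.append((ts, user, event))
        # Drop attempts that have fallen out of the sliding window.
        while window and (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = {u for _, u, _ in window}
        if len(distinct) >= min_distinct_users:
            failures = sum(1 for _, _, e in window if e == "LOGIN_FAIL")
            prev_users, prev_fail = flagged.get(ip, (0, 0))
            flagged[ip] = (max(prev_users, len(distinct)), max(prev_fail, failures))
    return flagged


def accounts_to_lock(lines, flagged):
    """Accounts that a flagged source logged into successfully: the reused password
    worked there, so those are the accounts to lock and reset."""
    hit = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] in flagged and parsed[2] == "LOGIN_OK":
            hit.add(parsed[3])
    return hit


def build_sample_log():
    """Constructed sample: one stuffing source (12 usernames in 12 seconds, one of
    which succeeds) and one legitimate user who mistypes a password three times."""
    lines = []
    for i in range(12):
        event = "LOGIN_OK" if i == 7 else "LOGIN_FAIL"
        lines.append(f"2021-02-20T03:00:{i:02d}Z 203.0.113.7 {event} user=user{i:02d}")
    for i, event in enumerate(["LOGIN_FAIL"] * 3 + ["LOGIN_OK"]):
        lines.append(f"2021-02-20T03:01:{i:02d}Z 198.51.100.5 {event} user=alice")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    hits = detect_credential_stuffing(log)
    for ip, (users, fails) in hits.items():
        print(f"credential stuffing from {ip}: {users} accounts tried, {fails} failures")
    print("accounts to lock:", sorted(accounts_to_lock(log, hits)))
```

The thresholds are deliberately conservative; a real deployment would tune them per endpoint and key on more than the source IP (for example the client fingerprint or ASN), because stuffing campaigns are usually spread over a proxy pool so that no single address trips a per-IP rule.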

It added that the mobile app had already been due to be shut down as part of wind-down plans following Npower’s acquisition by Eon.

Harvard Business School


Harvard Business School is working to respond to a data breach that compromised students’ personal information, including some social security numbers and exam submissions.

HBS Chief Information Officer Ronald “Ron” S. Chandler initially announced the breach in an email to school affiliates on Jan. 11.

Chandler wrote that the Business School was notified by a software vendor of unauthorized access to its files on Dec. 29, after which the school launched an investigation. The investigation found that one or more “unauthorized third parties” had downloaded “files containing personal information” between Dec. 21 and Dec. 23.

In a follow-up email to affected students on Feb. 10, HBS Information Security Officer and Managing Director of IT Compliance Christopher “Chris” W. Pringle confirmed that some affiliates’ social security numbers had been compromised, in addition to other personal information — such as names, contact information, date of birth, course enrollments, and exam submissions.

Brian C. Kenny, a spokesperson for the Business School, wrote in an emailed statement Wednesday that HBS had been informed of the software vulnerability prior to Dec. 29, and had accepted a “software patch” that the vendor provided.

The vendor also notified HBS on Jan. 20 of another vulnerability in its software “for which there was no patch available,” which may also have exposed additional files, per Kenny.

T-Mobile


American telecommunications provider T-Mobile has disclosed a data breach after an unknown number of customers were apparently affected by SIM swap attacks.

SIM swap fraud (or SIM hijacking) allows scammers to take control of targets’ phone numbers by porting them to a SIM controlled by the fraudsters, either through social engineering or by bribing mobile operator employees.

Subsequently, they receive the victims’ messages and calls, which allows them to easily bypass SMS-based multi-factor authentication (MFA), steal user credentials, and take over the victims’ online service accounts.

The criminals can then log into the victims’ bank accounts to steal money, change account passwords, and even lock the victims out of their own accounts.

The FBI shared guidance on how to defend against SIM swapping following an increase in the number of SIM hijacking attacks targeting cryptocurrency adopters and investors.

Oxford University Lab


Oxford University confirmed on Thursday it had detected and isolated an incident at the Division of Structural Biology (known as “Strubi”) after Forbes disclosed that hackers were showing off access to a number of systems. These included machines used to prepare biochemical samples, though the university said it couldn’t comment further on the scale of the breach. It has contacted the National Cyber Security Center (NCSC), a branch of the British intelligence agency GCHQ, which will now investigate the attack.

“We have identified and contained the problem and are now investigating further,” an Oxford University spokesperson said. “There has been no impact on any clinical research, as this is not conducted in the affected area. As is standard with such incidents, we have notified the National Cyber Security Center and are working with them.” The U.K. Information Commissioner’s Office has also been informed, according to a spokesperson, who added that the affected systems didn’t contain any patient data and there was no impact on patient confidentiality.

“We are aware of an incident affecting Oxford University and are working to fully understand its impact,” a spokesperson with the NCSC said. An ICO spokesperson added: “We have received a data breach report from Oxford University and will be assessing the information provided.”

SuperVPN, GeckoVPN, and ChatVPN

The user databases of three popular Android VPN services have reportedly been hacked, with millions of user records now put up for sale online.

Databases purportedly from SuperVPN, GeckoVPN, and ChatVPN, together containing a total of twenty-one million user records, apparently include sensitive details such as the users’ authentication credentials, according to new research from CyberNews.

If the leaked databases are genuine, what’s even more worrying about the leak is the amount of information that these services log about their users, despite claiming not to do so in their respective privacy policies.

Besides the authentication information, the databases also include email addresses, payment-related data along with the expiration date of the premium accounts. Reportedly, the threat actor is also offering to sort the data by country for potential buyers.