week-11-2021-newsletter

Here’s your weekly data breach news roundup:

Gab, Elara Caring, Flagstar Bank, SendGrid, European Banking Authority, Verkada, Norway's Parliament (the Storting), Nederlandse Aardolie Maatschappij (NAM), Polecat, Fastway Couriers, WeLeakInfo, & Automatic Call Recorder (iOS app).

Elara Caring


A data breach at US healthcare provider Elara Caring has potentially exposed the personal details of more than 100,000 elderly patients.

The company, which provides home-based health services, suffered an unauthorized computer intrusion in December 2020 after a series of phishing attacks targeted employees.

The attack resulted in a potential 100,487 individuals having their data compromised, as reported to the US Department of Health and Human Services by parent company BW Homecare Holdings.

Flagstar Bank


The Accellion incident that affected hundreds of FTA clients, including Bombardier, has just had another high-profile entity added to the list: the Michigan-based Flagstar Bank. This financial services provider is one of the largest residential mortgage lenders and is among the top 100 banks by financial size in the United States. The breach therefore has the potential to affect a large number of Americans, which is why action to mitigate the associated risks is already being taken.

According to Flagstar’s announcement, Accellion informed them of the ongoing exploitation right after discovering it on January 22, 2021. The bank was using Accellion’s file sharing platform, inadvertently letting hackers access information on its systems.

Upon learning about the exploit, the bank discontinued the product’s use and engaged a team of third-party forensic experts to investigate and determine the scope of the incident. Reportedly, that is why it took them a while to deliver this notice to the public.

SendGrid

A new phishing campaign targeting users of Outlook Web Access and Office 365 has come to light. The campaign collected the credentials of thousands of users by relying on trusted sending domains such as SendGrid.
 
The campaign has been named “Compact”. The actors behind it have been operating since the beginning of 2020, and the campaign is estimated to have collected over 400,000 sensitive credentials from multiple companies.
 
The operators used Zoom invites as a lure, together with an extensive list of email addresses, and sent the messages from hacked accounts on the SendGrid cloud-based email delivery platform. Because SendGrid is a trusted Simple Mail Transfer Protocol (SMTP) provider, the messages were unlikely to be blocked by email protection technology before reaching their destination.
 
Researchers at WMC Global, makers of the PhishFeed real-time phishing intelligence service, highlighted several mistakes made by the campaign operators. Those mistakes allowed the researchers to analyze how the stolen data was moved from the phishing site into the hands of the operator.
 
The researchers estimated that each individual phishing campaign collected around 3,700 credentials, which would put the total across the various Compact campaigns at around 400,000 unique credentials.

European Banking Authority


The European Banking Authority (EBA) took down all email systems after their Microsoft Exchange Servers were hacked as part of the ongoing attacks targeting organizations worldwide.

EBA is part of the European System of Financial Supervision and oversees the integrity and orderly functioning of the EU banking sector.

“The Agency has swiftly launched a full investigation, in close cooperation with its ICT provider, a team of forensic experts and other relevant entities,” EBA said.

“The EBA is working to identify what, if any, data was accessed. Where appropriate, the EBA will provide information on measures that data subjects might take to mitigate possible adverse effects.”

An initial advisory published Sunday said that the attackers might have gained access to personal information stored on the email servers.

However, an update issued today added that forensic experts had found no signs of data exfiltration.

“The EBA investigation is still ongoing and we are deploying additional security measures and close monitoring in view of restoring the full functionality of the email servers,” the EU agency said.

“At this stage, the EBA email infrastructure has been secured and our analyses suggest that no data extraction has been performed and we have no indication to think that the breach has gone beyond our email servers.”

Verkada


Hackers have broken into Verkada, a popular surveillance and facial recognition camera company, and managed to access live feeds of thousands of cameras across the world, as well as siphon a Verkada customer list. The breach shows the astonishing reach of facial recognition-enabled cameras in ordinary workplaces, bars, parking lots, schools, stores, and more.

The customer list, a spreadsheet provided by one of the hackers to Motherboard, shows more than 24,000 unique entries in the “organization name” column. Verkada’s cameras are capable of identifying particular people across time by detecting their faces, and are also capable of filtering individuals by their gender, the color of their clothes, and other attributes.

“It’s so abysmal,” Tillie Kottman, one of the hackers claiming responsibility, told Motherboard in an online chat, referring to the ease of access to the cameras once they discovered a username and password online. Bloomberg first reported the news of the breach on Tuesday, and reported that the hackers had managed to access live video feeds from companies such as Tesla and Cloudflare, as well as jails and hospitals.

The staggering list includes K-12 schools, seemingly private residences marked as “condos,” shopping malls, credit unions, multiple universities across America and Canada, pharmaceutical companies, marketing agencies, pubs and bars, breweries, a Salvation Army center, churches, the Professional Golfers Association, museums, a newspaper’s office, airports, and more.

Norway's parliament, the Storting


Norway’s parliament, the Storting, has suffered another cyberattack after threat actors stole data using the recently disclosed Microsoft Exchange vulnerabilities.

Last week, Microsoft released emergency security updates for Microsoft Exchange to fix zero-day vulnerabilities, known as ProxyLogon, used in attacks.

These attacks were originally attributed to a Chinese state-sponsored hacking group known as HAFNIUM, which used the vulnerabilities to compromise servers, install backdoor web shells, and gain access to internal corporate networks.

Soon after suffering a cyberattack in December, the Storting today announced a new cyberattack linked to the recent Microsoft Exchange vulnerabilities.

“The Storting has again been hit by an IT attack. The attack is linked to vulnerabilities in Microsoft Exchange, which affected several businesses.

“The Storting does not yet know the full extent of the attack. A number of measures have been implemented in our systems, and the analysis work is ongoing. The Storting has received confirmation that data has been extracted,” the Storting disclosed in a statement.

At this time, the Storting has confirmed that the threat actors stole data as part of the cyberattack, but it is still investigating the extent.

Nederlandse Aardolie Maatschappij (NAM)


At the Nederlandse Aardolie Maatschappij (NAM), personal data of approximately 19,000 people was leaked last week, NAM reported on Tuesday. The leaked data includes at least personal and address data “from the period in which NAM was responsible for claims handling”. In recent years, NAM arranged the handling of damage claims related to earthquakes caused by gas extraction in Groningen.

According to NAM, a joint venture between Shell and ExxonMobil, the incident is part of a “large-scale data breach, in which all kinds of information from many companies and organizations worldwide has been stolen by hackers”. The hackers are said to have broken into the file transfer software of the company Accellion, which NAM also uses. It is unclear whether email addresses, telephone numbers and bank details have also been leaked. NAM was not immediately available for comment on Tuesday evening.

It is unclear who is behind the leak and what the hackers plan to do with the data. According to NAM, the leak has now been closed and reported to the Dutch Data Protection Authority. The company advises affected homeowners to be alert for suspicious messages in the coming period, and says it “regrets the situation enormously”.

Gab

Gab, a social network that’s home to many Trump supporters, has experienced another data breach—apparently from the same hacker who stole 70GB of data from the site.

On Monday, a hacker known as “JaXpArO” hijacked the Gab account for the site’s founder, Andrew Torba, and posted a note claiming the social network was still compromised. “Dear Andrew, if you value transparency so much why do you keep lying to your despicable users?” JaXpArO wrote. “It was so easy to hack you maybe I’m not the first?”

The incident underscores how JaXpArO may have stolen more than just 70GB from the social network. Last month, the hacker shared the stolen data with a Wikileaks-style group called Distributed Denial of Secrets in an effort to expose the right-wing users on Gab. However, in JaXpArO’s note on Monday, the hacker mentions also looting 50,000 emails, 7,000 passwords, and 831 “verification documents,” which have not been publicly leaked. 

JaXpArO alludes to trying to ransom the stolen data from Gab for 8 bitcoins (US$432,000). In response, the social network briefly shut down on Monday in order to investigate the breach. 

Gab previously claimed it patched the vulnerability that allowed JaXpArO to steal data from the site. But apparently the company forgot to secure the OAuth tokens, an access control system for Gab user accounts, allowing the hacker to pull off Monday’s hijacking.  

Polecat

An unsecured server belonging to UK-based data analytics company Polecat exposed an estimated 30 terabytes of data, including 12 billion records related to social media, according to Wizcase CyberResearch Team. The server has since been secured.

Researchers found that the unsecured Polecat ElasticSearch server was accessible without any authentication and had no encryption in place, and that data continued to be written to the database after the company had been notified of the exposure.

Researchers first discovered the exposed database on Oct. 29, 2020. The database was secured on Nov. 2, 2020.

The database contained 30TB of data, exposing over 12 billion records, including over 6.5 billion tweets, almost 5 billion records labeled “social” – which seemed to be all tweets – and over 1 billion posts across different blogs and websites. The data exposed included tweet content, tweet ID, author username, views/follower count, post content, URL, time it was harvested, publisher, region and post title.

Researchers found that the exposed ElasticSearch server could have been discovered and accessed by anyone with the server URL.
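To make the misconfiguration concrete, here is an added example (not Polecat's configuration, whose details are not public): two `elasticsearch.yml` fragments, the exposed pattern the article describes beside a hardened one. Cluster name, bind address and certificate paths are placeholders.

```yaml
# Added example, not Polecat's configuration. Hostnames and paths are placeholders.

# --- Exposed: how a server like the one described above ends up open ---
# cluster.name: analytics
# network.host: 0.0.0.0               # bound to every interface, including the public one
# http.port: 9200
# xpack.security.enabled: false       # no authentication: anyone with the URL can query it,
#                                     # and with TLS off every query and result travels in the clear

# --- Hardened ---
cluster.name: analytics
network.host: 10.0.5.12               # private interface only; reach it through a VPN or bastion
http.port: 9200
xpack.security.enabled: true          # require credentials (users/roles or API keys) on every request
xpack.security.http.ssl.enabled: true # TLS on the REST API
xpack.security.http.ssl.keystore.path: certs/http.p12            # placeholder keystore path
xpack.security.transport.ssl.enabled: true                       # TLS between nodes
xpack.security.transport.ssl.keystore.path: certs/transport.p12
xpack.security.transport.ssl.truststore.path: certs/transport.p12
xpack.security.transport.ssl.verification_mode: certificate
```

A quick self-check for the exposed state is an unauthenticated `GET /` against port 9200 from outside the private network: an open cluster answers with its name and version, while a cluster with security enabled answers 401. Elasticsearch 8.x enables security by default, so the exposed pattern mostly arises on older versions or where it has been switched off by hand.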

Fastway Couriers


A major breach of data belonging to Irish online shoppers has been confirmed.

Fastway Couriers has contacted the Office of the Data Protection Commissioner about the incident and the data watchdog has now commenced a probe.

It is understood that the breach occurred on February 24 while the company was carrying out maintenance on a database server.

It is believed that while this was taking place some data became vulnerable and it was accessed by hackers.

The leak involves names, addresses, email accounts and phone numbers of customers.

No financial information or passwords were exposed during the breach of Fastway’s servers.

A spokesperson for the Office of the Data Protection Commissioner confirmed that they were made aware of the breach and that investigators are now “assessing” the incident.

It is understood that the customers involved in the breach were associated with inbound online purchases from across Ireland and in other countries.

A statement from Fastway Couriers confirmed the data breach and said that its system had been the subject of a “cyber-attack”.

WeLeakInfo


WeLeakInfo.com was a data breach lookup service that allowed its customers to check whether credentials had been compromised in data breaches. The service claimed a database of over 12 billion records from over 10,000 data breaches. In early 2020, a joint operation conducted by the FBI in coordination with the UK NCA, the Netherlands National Police Corps, the German Bundeskriminalamt, and the Police Service of Northern Ireland resulted in the seizure of the WeLeakInfo.com domain.

After the seizure of the service in January, two men, one in the Netherlands and another in Northern Ireland, were arrested.

In January 2021, the NCA arrested 21 people in the UK as part of an operation targeting customers of the WeLeakInfo service, which advertised stolen personal credentials.

Such services are a profitable business: visitors pay a fee to access data exposed in past data breaches. Subscription fees ranged from a $2 trial to a $70 three-month unlimited-access account, and allowed users to search for any data in the archive managed by the operators.

This is quite different from services that only alert individuals when their own data is exposed in a data breach, which for that reason are considered legal.

Services like WeLeakInfo are a goldmine for threat actors, who can gather information on their targets before launching an attack.

Security experts from Cyble noticed that a member of a hacking forum claimed to have re-registered one of WeLeakInfo's former domains, wli.design, on March 11, 2021.

Automatic Call Recorder

The popular iOS app “Automatic Call Recorder” was affected by a previously undiscovered bug that resulted in the exposure of several thousand users' phone call recordings. The flaw was discovered by Indian security researcher Anand Prakash while he was casually decompiling the software package. There, he found that the S3 buckets, hostnames, and other sensitive details that should at least be obfuscated or encrypted could be seen by anyone who intercepts the app’s traffic.

This opened the way to send POST API requests to the right endpoint and access any user’s recordings. For targeted access, one could use the UserID or, more conveniently, the victim’s phone number.

Using a proxy tool, an attacker could modify the network traffic that travels from and to the app, replacing their number with another person’s and accessing their recordings on their device. The proof of concept and the way to reproduce this is given below, although it won’t work anymore because the bug has been fixed.
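The flaw described in this item is an authorization failure: the server looked up recordings by whatever phone number the client sent, instead of by the account behind the session. The following is an added example, not the app's code (its real endpoints and data model are not public): a minimal recordings handler with that flaw beside a hardened one that derives the owner from the server-side session, plus the log check a defender could run to spot sessions requesting other people's numbers. All sessions, tokens, phone numbers and recording ids are constructed.

```python
"""Added example (not the app's code): an IDOR-style recordings lookup, its
hardened form, and a detection query over constructed access-log entries."""

from collections import defaultdict

# Constructed sample store: phone number -> recording ids owned by that number.
RECORDINGS = {
    "+15550001111": ["rec-a1", "rec-a2"],
    "+15550002222": ["rec-b1"],
}

# Constructed sessions: bearer token -> phone number the token was issued for.
SESSIONS = {
    "tok-alice": "+15550001111",
    "tok-bob": "+15550002222",
}


def list_recordings_vulnerable(token, body):
    """Vulnerable handler. Returns (http_status, recordings).

    The owner is taken from the request body, so any logged-in user who edits
    the 'phone' field (e.g. through an intercepting proxy) reads another
    user's recordings: a classic insecure direct object reference."""
    if token not in SESSIONS:
        return 401, []
    phone = body["phone"]  # client-controlled, never compared with the session
    return 200, list(RECORDINGS.get(phone, []))


def list_recordings_hardened(token, body):
    """Hardened handler. Returns (http_status, recordings).

    The owner is derived from the server-side session. A 'phone' field in the
    body is tolerated only when it matches the session's own number; anything
    else is refused with 403 rather than silently served."""
    owner = SESSIONS.get(token)
    if owner is None:
        return 401, []
    requested = body.get("phone")
    if requested is not None and requested != owner:
        return 403, []
    return 200, list(RECORDINGS.get(owner, []))


def sessions_reading_foreign_numbers(access_log):
    """Detection: map each session token to the phone numbers it requested that
    differ from the number the token was issued for.

    access_log is an iterable of (token, requested_phone) pairs, as an API
    server would record them. A clean deployment yields an empty dict."""
    flagged = defaultdict(set)
    for token, requested in access_log:
        owner = SESSIONS.get(token)
        if owner is not None and requested != owner:
            flagged[token].add(requested)
    return {token: sorted(numbers) for token, numbers in flagged.items()}


if __name__ == "__main__":
    # Constructed request: Bob's session asks for Alice's number.
    print(list_recordings_vulnerable("tok-bob", {"phone": "+15550001111"}))  # (200, Alice's recordings)
    print(list_recordings_hardened("tok-bob", {"phone": "+15550001111"}))    # (403, [])
    # Constructed access log: one legitimate Alice request, one Bob request for Alice's number.
    log = [
        ("tok-alice", "+15550001111"),
        ("tok-bob", "+15550001111"),
        ("tok-bob", "+15550002222"),
    ]
    print(sessions_reading_foreign_numbers(log))  # {'tok-bob': ['+15550001111']}
```

The hardened handler keeps accepting a `phone` field so existing clients need not change, but the field can only ever narrow the result to the caller's own account. The detection function assumes the server logs both the session token and the requested number; without the second field there is nothing to compare, which is itself a logging gap worth closing.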