Data Breach Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Temu Allegedly Hacked, Data Put on Sale On The Darknet
https://gridinsoft.com/blogs/temu-hacked-data-sold-on-darknet/
Wed, 18 Sep 2024 22:47:31 +0000

Chinese retailer Temu allegedly suffered a huge data breach. Hackers have put a leaked database for sale on the Darknet, which contains 87 million records with customer information. The company, however, completely denies being hacked or experiencing a data leak. This suggests the possibility that the data was just scraped from other sources.

Temu Hacked, Hackers Sell Leaked Data

On Monday, September 16, a hacker with the nickname smokinthashit published a post on the hacker forum BreachForums that contains Temu’s user database. The attacker claims that the database contains 87 million records. The database reportedly contains usernames, identifiers, IP addresses, full names, birth dates, phone numbers, shipping addresses, and hashed passwords. As proof, the attacker published samples of the stolen data.

Threat actor’s post on BreachForums (Source: BleepingComputer)

Temu is a Chinese shopping platform that operates pretty much around the world. It offers a variety of goods at relatively low prices. Despite numerous jokes about the quality of goods from Temu, the price-quality ratio allows the service to enjoy great popularity among buyers. It is not surprising that such a statement by cybercriminals caused such a fuss among users of the service.

Temu’s response

Security researchers contacted Temu representatives and asked them to comment on the situation. However, the company categorically denied any data leak. Temu said they examined the samples published by the attackers and found no matches with their databases. The platform representatives also clarified that they take user data privacy seriously and have the app’s MASA certification. They also have independent security validations, a HackerOne bug bounty program, and comply with the PCI DSS payment security standard.

Temu’s security team has conducted a comprehensive investigation into the alleged data breach and can confirm that the claims are categorically false; the data being circulated is not from our systems. Not a single line of data matches our transaction records. We take any attempt to tarnish our reputation or harm our users extremely seriously and reserve the right to pursue legal action against those responsible for spreading false information and attempting to profit from such malicious activities. At Temu, the security and privacy of our users are paramount. We follow industry-leading practices for data protection and cybersecurity, ensuring that consumers can shop with peace of mind on our platform.
Temu representative

For their part, the attackers went on to claim that they had indeed hacked Temu. They also claimed they still had access to the company’s internal dashboards and knew of vulnerabilities in its code. However, they provided no evidence to support this claim. In any case, as a precaution, users of the service are advised to enable two-factor authentication and change their passwords. In addition, phishing attempts that reference Temu and online shopping can be expected to increase in the wake of the incident.

May Users be in Danger?

Although hackers do not usually make such claims without any proof, there is currently no reason to believe them. Judging by the statements of both Temu’s representatives and the attackers, this appears to be a database compiled through web scraping from various sources rather than a fresh breach. If the breach were confirmed, however, it would mean that sensitive information such as actual shipping addresses, bank card details, and purchase history has been leaked online. Either way, taking preventive measures like changing your password and enabling 2FA is always a good idea.
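The check Temu describes above, comparing the attacker’s sample against its own records, can be scripted. The following is an added example written for this article, not code from Gridinsoft or Temu; the two datasets are constructed, the HMAC key is a placeholder, and the verdict thresholds are assumptions. It normalises each identifier, compares keyed hashes so that raw customer data never enters the comparison set, and separates an identifier-only overlap (which scraped data will always produce, since people reuse emails and phone numbers) from records that also agree on a detail only the company holds.

```python
"""Triage of a claimed breach sample against internal records.

Added example, not code from Gridinsoft or Temu. Both datasets are constructed,
the HMAC key is a placeholder, and the verdict thresholds are assumptions.
"""
import hashlib
import hmac
import re

# Placeholder key: in practice a per-investigation secret, never hard-coded.
HMAC_KEY = b"placeholder-key-for-example-only"

# Constructed internal records (what the company actually holds).
INTERNAL_RECORDS = [
    {"email": "alice@example.com", "phone": "+1 555-0100", "dob": "1990-04-12"},
    {"email": "bob@example.org", "phone": "+1 555-0101", "dob": "1985-11-30"},
    {"email": "carol@example.net", "phone": "+1 555-0102", "dob": "1979-02-03"},
]

# Constructed "leak sample" as an attacker might post it. Alice's identifiers
# overlap (as they would in any scraped dataset), but her date of birth is wrong.
LEAK_SAMPLE = [
    {"email": "Alice@Example.com", "phone": "15550100", "dob": "1992-01-01"},
    {"email": "dave@example.com", "phone": "15550199", "dob": "2000-05-05"},
    {"email": "erin@example.org", "phone": "15550198", "dob": "1998-07-07"},
]


def normalise_email(value):
    return value.strip().lower()


def normalise_phone(value):
    # Keep digits only so "+1 555-0100" and "15550100" compare equal.
    return re.sub(r"\D", "", value)


def fingerprint(kind, value):
    # Keyed hash: without the key, the index cannot be used to enumerate customers.
    return hmac.new(HMAC_KEY, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()


def record_keys(record):
    return {
        fingerprint("email", normalise_email(record["email"])),
        fingerprint("phone", normalise_phone(record["phone"])),
    }


def build_index(records):
    """Map each identifier fingerprint to the date of birth the company holds."""
    index = {}
    for record in records:
        for key in record_keys(record):
            index[key] = record["dob"]
    return index


def triage(sample, index):
    """Count strong matches (identifier and detail agree) and weak ones (identifier only)."""
    strong = weak = 0
    for record in sample:
        hits = [index[k] for k in record_keys(record) if k in index]
        if not hits:
            continue
        if record["dob"] in hits:
            strong += 1   # identifier and company-held detail both agree
        else:
            weak += 1     # identifier overlaps, detail does not: scrape-like
    total = len(sample)
    # Assumed thresholds for the verdict; adjust to the sample size you receive.
    if strong / total >= 0.8:
        verdict = "likely genuine: most records match company-held details"
    elif strong == 0 and weak == 0:
        verdict = "no overlap with our records"
    elif strong == 0:
        verdict = "identifiers overlap but details differ: consistent with scraped or recycled data"
    else:
        verdict = "partial overlap: investigate further"
    return {"strong": strong, "weak": weak, "total": total, "verdict": verdict}


if __name__ == "__main__":
    print(triage(LEAK_SAMPLE, build_index(INTERNAL_RECORDS)))
```

On the constructed data the result is one weak match and no strong ones, which is exactly the situation where a company can truthfully say the sample does not come from its systems even though some identifiers in it are real. A keyed hash rather than a plain SHA-256 matters here: an unkeyed index of customer emails could itself be used to confirm who is a customer.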

Rite Aid Hacked, Data of 2.2 Million Customers Leaked
https://gridinsoft.com/blogs/rite-aid-hacked/
Thu, 18 Jul 2024 13:36:53 +0000

In June 2024, Rite Aid, a US-based chain of pharmacy stores, experienced a cyberattack. The attack affected the company’s information systems and resulted in the leakage of customer and employee data. A threat actor known as RansomHub claims the attack and shares some details regarding the information they managed to steal.

Rite Aid Breach Exposes Sensitive Customer Details

In July 2024, one of the largest pharmacy chains in the United States, Rite Aid, disclosed a data breach. According to Rite Aid representatives, this “limited” cyberattack resulted in an unnamed threat actor gaining access to “certain business systems”. In less abstract terms, the attack affected 2.2 million customers. It compromised personal information, including names, addresses, dates of birth, and driver’s license numbers.

Although the company did not name the perpetrators, a group called RansomHub claimed responsibility. They stated they had stolen more than 10 GB of data, equating to about 45 million lines of personal information—far more than Rite Aid reported. RansomHub is believed to be based in Russia or a country friendly to Russia and operates on the principle of ransomware-as-a-service (RaaS). They avoid attacking CIS countries, Cuba, North Korea, and China, hinting at their origin.

Rite Aid’s entry on RansomHub ransomware Darknet leak site

Details of the Breach

According to Rite Aid, on June 6, an attacker pretended to be a company employee and used stolen credentials to access certain business systems. The incident was discovered within 12 hours, and an internal investigation was immediately launched. However, this was enough time for the data to be leaked. RansomHub stated on its Darknet site that it was in advanced negotiations with Rite Aid officials. However, at some point, the company stopped responding. While Rite Aid did not provide technical details of the attack, such as whether two-factor authentication was in place on the compromised account, information about the stolen data has been disclosed.

The attackers stole data related to purchases and attempted purchases of retail products between June 6, 2017, and July 30, 2018. This data included driver’s license numbers and other possible forms of government identification presented by shoppers during that period. However, Rite Aid claims that threat actors did not steal Social Security numbers, financial information, or patient data. Among the 2.2 million victims, 30,137 were Maine residents. Notably, this is not the first data breach incident involving Rite Aid.

Are Customers at Risk?

A breach of any organization involved in healthcare is always a serious privacy threat. Even though some “classic” sensitive data (SSNs and financial details) was not leaked from Rite Aid, everything else is more than enough for data and identity theft. Moreover, since RansomHub claims to have more data than the officials acknowledge, other categories of data may yet leak to the public.

The worst-case scenario here is, obviously, leaked information about clients’ prescriptions and medical conditions. This is a dream for any threat actor who performs targeted blackmail or gathers data for further attacks. Comprehensive information on an individual enables impersonation attacks: the adversary gains trust by citing facts that a stranger would be unlikely to know.

In any case, Rite Aid customers should pay additional attention to any suspicious activity around them. Strange calls, emails, or text messages that quote data officially disclosed as leaked in the breach report should be considered red flags and treated with additional caution.

Remote Access Trojan (RAT)
https://gridinsoft.com/blogs/remote-access-trojan-meaning/
Thu, 16 May 2024 02:11:57 +0000

A Remote Access Trojan is software that allows unauthorized access to a victim’s computer or covert surveillance of it. Remote Access Trojans are often disguised as legitimate programs and give the attacker unhindered access. Their capabilities include tracking user behavior, copying files, and using bandwidth for criminal activity.

What is a Remote Access Trojan (RAT)?

A Remote Access Trojan (RAT) is a malicious program that opens a backdoor, allowing an attacker to control the victim’s device completely. Users often download RATs together with a seemingly legitimate program, e.g., inside cracked games from torrents or within an email attachment. Once an attacker compromises the host system, they can use it to spread RATs to additional vulnerable computers, thus creating a botnet. In addition, a RAT can be deployed as a payload using exploit kits. Once successfully deployed, the RAT connects directly to the command-and-control (C&C) server the attackers control, using a predefined open TCP port on the compromised device. Because the RAT provides administrator-level access, an attacker can do almost anything on a victim’s computer, such as:

  • Use spyware and keyloggers to track the victim’s behavior
  • Gain access to sensitive data, including social security numbers and credit card information
  • View and record video from a webcam and microphone
  • Take screenshots
  • Format disks
  • Download, change or delete files
  • Distribute malware and viruses

How does a Remote Access Trojan work?

Like any other type of malware, a RAT can be attached to an email or posted on a malicious website. Cybercriminals can also exploit a vulnerability in a system or program to install it. A RAT is functionally similar to legitimate remote-administration tools such as Remote Desktop Protocol (RDP) or AnyDesk but differs in its stealth. The RAT establishes a command and control (C2) channel with the attacker’s server; through it, attackers send commands to the RAT, and it returns data. RATs also have a set of built-in controls and methods for hiding their C2 traffic from detection.

Remote access trojan mechanism

RATs can be combined with additional modules that provide other capabilities. For example, suppose an attacker gains a foothold using a RAT and, after examining the infected system through it, decides to install a keylogger. Depending on the attacker’s needs, the RAT may have a built-in keylogging feature, the ability to download and add a keylogger module, or the ability to load and run an independent keylogger.

Why Are Remote Access Trojans Dangerous?

A 2015 incident in Ukraine illustrates the nefarious nature of RAT programs. At the time, attackers used remote-control malware to cut power to 80,000 people. To do so, they gained remote access to a computer authenticated to the SCADA (supervisory control and data acquisition) machines that controlled the country’s utility infrastructure. The Remote Access Trojan then allowed the attackers to reach sensitive resources using the elevated privileges of the authenticated user on the network. Thus, an attack using RATs can take on a threatening scale, up to a threat to national security.

Unfortunately, cybersecurity teams often have difficulty detecting RATs. This is because such malware typically carries many concealment features that allow it to evade detection. In addition, RATs manage their resource utilization so that there is no noticeable performance degradation, making the threat even harder to spot.

Ways of using Remote Access Trojan

The following are ways in which a RAT attack can compromise individual users, organizations, or even entire populations:

  • Spying and blackmail: An attacker who has deployed a RAT on a user’s device gains access to the user’s cameras and microphones. Consequently, he can take pictures of the user and his surroundings and then use this to launch more sophisticated attacks or blackmail.
  • Launch Distributed Denial of Service (DDoS) Attacks: Attackers install RATs on many user devices, then use those devices to flood the target server with spoofed traffic. Even though the attack can cause network performance degradation, users are often unaware that hackers use their devices for DDoS attacks.
  • Cryptomining: In some cases, attackers can use RATs to mine cryptocurrency on the victim’s computer. By scaling this action to many devices, they can make huge profits.
  • Remote file storage: Sometimes attackers can use RATs to store illegal content on unsuspecting victims’ machines. That way, authorities can’t shut down the attacker’s account or storage server because he keeps information on devices belonging to legitimate users.
  • Industrial Systems Compromise: As described above, attackers can use RATs to gain control over large industrial systems. These could be utilities such as electricity and water supplies. As a result, an attacker can cause significant damage to the industrial equipment by sabotaging these systems and disrupting critical services in entire areas.

Remote Access Trojan Examples

njRAT

NjRAT is probably the best known and the oldest of the remote-access trojans. First seen in 2012, it keeps getting updates that adjust its functionality to modern “standards”, which explains its longevity. The reason for this is probably the attention of state-sponsored threat actors – APT36 and APT41 – who have used it in cyberattacks almost since its inception.

Interface of njRAT 0.7 Golden edition

The key functionality of njRAT is typical for pretty much any remote-access trojan – it is about providing remote access. This is topped up with uploading and downloading files on command, logging keystrokes, and capturing microphone and camera input. Some of its variants are also capable of grabbing credentials from browsers and cryptocurrency apps.

One interesting feature of this remote access trojan is its naming. Threat analysts use its original name interchangeably with Bladabindi. The latter is a detection name that Microsoft assigned to this trojan back in its early days. Usually, Redmond changes the naming as the malware gains volume and power, but this did not happen here.

Sakula

Sakula is seemingly harmless software with a legitimate digital signature. However, the malware first appeared in 2012 and is used against high-level targets. It gives attackers full remote administration of the device and uses simple unencrypted HTTP requests to communicate with the C&C server. Additionally, it uses the Mimikatz credential stealer to authenticate via pass-the-hash, reusing operating system authentication hashes to hijack existing sessions.

KjW0rm

KjW0rm is a worm written in VBS in 2014 that uses obfuscation, making it difficult to detect on Windows computers. It has many variations; the older parent version is called “Njw0rm”. The malware and all other variants belong to the same family, with many features and similarities in its workflow. It deploys stealthily and then opens a backdoor that allows attackers to gain complete control of the machine and send data back to the C&C server.

Havex

Havex is a Remote Access Trojan discovered in 2013 as part of a large-scale spying campaign targeting industrial control systems (ICS) used in many industries. Its author is a hacker group known as Dragonfly, also tracked as Energetic Bear. It gives attackers complete control over industrial equipment. Havex comes in several variants to avoid detection and has a minimal footprint on the victim’s device. It communicates with the C&C server via HTTP and HTTPS.

Agent.BTZ/ComRat

Agent.BTZ/ComRat (also called Uroburos) is a Remote Access Trojan that became infamous after hackers used it to break into U.S. military networks in 2008. The first version of this malware was probably released in 2007 and had worm-like properties, spreading via removable media. From 2007 to 2012, its developers released two significant versions of the RAT. Most likely, it is a development of the Russian government. It can be deployed via phishing attacks and uses encryption, anti-analysis, and anti-forensic techniques to avoid detection. In addition, it provides complete administrative control over the infected machine and can transmit data back to its C&C server.

Dark Comet

Backdoor.DarkComet is a Remote Access Trojan that runs in the background and stealthily collects information about the system, connected users, and network activity. It was first identified in 2011 and is still actively used today. It provides complete administrative control over infected devices; for example, it can disable Task Manager, the firewall, or User Account Control (UAC) on Windows machines. In addition, Dark Comet uses encryption to avoid detection by antivirus software.

AlienSpy

AlienSpy is a RAT that supports multiple platforms, allowing payload creation for Windows, Linux, Mac OS X, and Android. It can collect information about the target system, activate the webcam, and securely connect to the C&C server, providing complete control over the device. In addition, AlienSpy uses anti-analysis techniques to detect the presence of virtual machines. According to the researcher who analyzed the threat, the operator behind the service is a native Spanish speaker, probably Mexican.

Heseber BOT

The Heseber BOT is based on the traditional VNC remote access tool. It uses VNC to remotely control the target device and transfer data to the C&C server. However, it does not provide administrative access to the machine unless the logged-in user already has such permissions. Since VNC is a legitimate tool, antivirus products do not identify Heseber as a threat.

Sub7

Sub7 is a Remote Access Trojan that runs on a client-server model. The backdoor was first discovered in May 1999 and ran on Windows 9x and the Windows NT family of operating systems up to Windows 8.1. The server is a component deployed on the victim machine, and the client is the attacker’s GUI to control the remote system. The server tries to install itself into a Windows directory and, once deployed, provides webcam capture, port redirection, chat, and an easy-to-use registry editor.

Back Orifice

Back Orifice is a Remote Access Trojan for Windows introduced in 1998. It supports most versions beginning with Windows 95 and is deployed as a server on the target device. It takes up little space, has a GUI client, and allows an attacker to gain complete control over the system. RAT can also use image processing techniques to control multiple computers simultaneously. The server communicates with its client via TCP or UDP, usually using port 31337.

How To Protect Against Remote Access Trojan?

As stated above, Remote Access Trojans rely on their stealthiness. Once it has appeared, you will likely struggle to detect it, even if the exact malware sample is not new. That’s why the best way to protect against Remote Access Trojan is to not even give it a chance to run. The following methods represent proactive actions that severely decrease the chance of malware introduction and the possibility of getting in trouble.

Security training

Unfortunately, the weakest link in any defense is the human element, which is the root cause of most security incidents, and RATs are no exception. Therefore, a strategy for defending against RATs depends on organization-wide security training. Victims usually launch this malware through infected attachments and links in phishing campaigns, so employees must be vigilant not to accidentally contaminate the company network and jeopardize the entire organization.

Using multi-factor authentication (MFA)

Since RATs typically try to steal passwords and usernames for online accounts, using MFA can minimize the consequences if a person’s credentials are compromised. The main advantage of MFA is that it provides additional layers of security and reduces the likelihood that a consumer’s identity will be compromised. For example, suppose one factor, such as the user’s password, is stolen or compromised. In that case, the other factors provide an additional layer of security.

Strict access control procedures

Attackers can use RATs to compromise administrator credentials and gain access to valuable data on the organization’s network. However, with strict access controls, you can limit the consequences of compromised credentials. More stringent rules include:

  • More strict firewall settings
  • Safelisting IP addresses for authorized users
  • Using more advanced antivirus solutions

Solutions for secure remote access

Every new endpoint connected to your network is a potential RAT compromise opportunity for attackers. Therefore, to minimize the attack surface, it’s important to only allow remote access through secure connections established through VPNs or security gateways. You can also use a clientless solution for remote access. It does not require additional plug-ins or software on end-user devices, as these devices are also targets for attackers.

Zero-trust security technologies

Recently, zero-trust security models have grown in popularity because they adhere to the “never trust, always verify” principle. Consequently, the zero-trust security approach offers precise control over lateral movements instead of full network access. It is critical to suppressing RAT attacks, as attackers use lateral moves to infect other systems and access sensitive data.

Focus on infection vectors

Like other malware, a Remote Access Trojan is a threat only if it is installed and running on the target computer. Secure browsing, anti-phishing solutions, and consistent patching of systems can minimize the likelihood of a RAT infection. Overall, these actions are good practice for improving security in any case, not only against Remote Access Trojans.

Pay attention to abnormal behavior

RATs are Trojans that may present themselves as legitimate applications while carrying malicious functionality alongside the advertised one. Monitoring applications and the system for abnormal behavior can help identify signs that might indicate a Remote Access Trojan.

Monitoring network traffic

An attacker uses RATs to remotely control an infected computer over the network. Consequently, a RAT deployed on a local device communicates with a remote C&C server. Therefore, you should pay attention to unusual network traffic associated with such messages. In addition, it would be best to use tools such as web application firewalls to monitor and block C&C messages.
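As an added example for the two sections above (abnormal behavior and network traffic monitoring), not code from Gridinsoft, the script below runs a simple beaconing check over constructed connection-log lines. The log format, the internal address ranges, the thresholds and the watched-port list are all assumptions; the one concrete port, 31337, is the Back Orifice default mentioned earlier on this page. It flags external destinations that a host contacts at a steady rhythm or on a watched port, which is the kind of C&C pattern the text says to look for.

```python
"""Beaconing and watched-port triage over constructed connection-log lines.

Added example, not Gridinsoft's code. Log lines are constructed in a simple
'timestamp src dst dport bytes' shape; internal address ranges, thresholds and
the watched-port list are assumptions to tune per environment.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample. 10.0.0.5 contacts 203.0.113.7:31337 roughly every 60 s
# with small, same-sized payloads (a beacon-like pattern); its traffic to
# 198.51.100.20:443 is irregular and bulky, like ordinary browsing.
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.7 31337 212
1700000060 10.0.0.5 203.0.113.7 31337 208
1700000121 10.0.0.5 203.0.113.7 31337 215
1700000180 10.0.0.5 203.0.113.7 31337 210
1700000240 10.0.0.5 203.0.113.7 31337 211
1700000300 10.0.0.5 203.0.113.7 31337 209
1700000005 10.0.0.5 198.51.100.20 443 5120
1700000017 10.0.0.5 198.51.100.20 443 48211
1700000300 10.0.0.5 198.51.100.20 443 1034
1700000900 10.0.0.5 198.51.100.20 443 77012
1700000010 10.0.0.8 10.0.0.1 53 120
"""

# Assumptions: RFC 1918 ranges count as internal; thresholds are starting points.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_CONNECTIONS = 5      # fewer events than this cannot show a rhythm
MAX_JITTER = 0.15        # coefficient of variation of inter-arrival gaps
WATCHED_PORTS = {31337}  # Back Orifice's default port, mentioned on this page


def parse_log(text):
    """Group events by (src, dst, dport) -> list of (timestamp, bytes)."""
    flows = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows[(src, dst, int(dport))].append((int(ts), int(nbytes)))
    return flows


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_suspicious_flows(flows):
    """Return flows to external hosts that beacon regularly or use a watched port."""
    findings = []
    for (src, dst, dport), events in flows.items():
        if not is_external(dst):
            continue
        reasons = []
        if dport in WATCHED_PORTS:
            reasons.append(f"watched port {dport}")
        if len(events) >= MIN_CONNECTIONS:
            stamps = sorted(ts for ts, _ in events)
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            avg = mean(gaps)
            if avg > 0:
                jitter = pstdev(gaps) / avg
                if jitter <= MAX_JITTER:
                    reasons.append(f"regular interval ~{avg:.0f}s (jitter {jitter:.2f})")
        if reasons:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "connections": len(events), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_flows(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample, only the 31337 flow is reported, with both reasons attached; the HTTPS browsing has too few, too irregular connections, and the DNS query stays internal and is skipped. Real C&C traffic often adds randomised sleep to defeat exactly this rhythm check, so the jitter threshold is a starting point, and correlating with destination reputation and payload size is still needed.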

Implement least privilege

The concept of least privilege implies that applications, users, systems, etc., should be restricted to the permissions and access they need to do their jobs. Therefore, using the least privilege can help limit an attacker’s actions with RAT.

Are Remote Access Trojans illegal?

Well, yes, but actually, no. It all depends on how and what you use it for. It is not the program itself that makes such tasks illegal. It’s the implementation. You can test and execute if you’ve written a Remote Access Trojan and have a home lab. You can use it if you have written permission from the other party. However, if you use the RAT maliciously, you may face some legal problems. So, to distinguish, professionals use the term “remote access tools” for legitimate access and control and “remote access trojan” for illegitimate access and control.

Data Breach & Data Leaks
https://gridinsoft.com/blogs/data-breach-vs-data-leak/
Thu, 25 Apr 2024 13:27:33 +0000

Data leaks and Data Breaches are very similar phenomena with a slight difference in the principle of action. It was a human error in one case and, in the second, a cyber attack. But in both cases, it means that someone got unauthorized access to data that should have been better protected.

What is a Data Breach?

A data breach is when confidential data becomes available to an intruder – usually staff data, client data, company data, financial data, etc. The primary purpose of such a procedure is to sell confidential data on the darknet. Data breaches are achieved by several methods, such as social engineering, hacking, or malware injection. In some cases, data breaches can go undetected for a long time. One notable example was the Marriott International hack in 2014. Back then, hackers were not just able to infiltrate the system but stayed there until 2018, and that led to a data breach of up to 500 million guests. This could have been detected earlier if the company had taken security more seriously and applied at least standard security procedures.

Causes of Data Breaches

If a data breach occurs in a company, it can cause severe and irreparable consequences, so it is important to know why it can happen. Given that most of them are related to the human factor in one way or another, with proper awareness, they can be avoided. The main causes of data breaches:

  • Human error – accidentally sending an email to the wrong person, losing important documents, drives, or devices, or accidentally disclosing confidential information is why most of these breaches happen.
  • Physical theft or loss – accidentally forgetting a device in a cafe, negligent acts of employees, such as sharing passwords, or just lost documents in public transit.
  • Phishing – many people know that opening suspicious emails that contain a link or file, much less following that link or downloading a file, is dangerous. Nevertheless, quite a few people still fall for this kind of deception.
  • Insufficiently secured data – weak security and a simple, predictable password give attackers a guaranteed victory over your data protection.
  • Vulnerabilities and security holes – any application that hasn’t been updated for a long time can be an open door for cybercriminals.
  • Cyberattacks – malware, ransomware, and other malicious programs are constantly improving and evolving, raising the risk of a data breach.
  • Social engineering – this method, like phishing, is designed for gullible people who can give the fraudster unauthorized access to confidential information.

How to Prevent Data Breaches

The following tips help minimize the chances of your organization being affected by a data breach:

  1. Comply with GDPR. Develop a clear, GDPR-compliant company policy to keep your sensitive data secure.
  2. Work on a security policy for data and equipment usage. A detailed description of data processing methods and processes and secure BYOD practices will help reduce the likelihood of a successful hack.
  3. Automate processes. This will minimize the number of human errors, which are the leading cause of data breaches.
  4. Provide cybersecurity training to employees, thus reducing employee negligence and raising awareness of how to detect suspicious online activity.
  5. Encrypt your data. Even if a fraudster can get their hands on it, encryption will prevent them from taking advantage.
  6. Regulate the restriction of access to confidential information. Only employees who need it for their jobs should have access to it.
  7. Monitor access and use of data. Keep track of data that has been sent outside your network and who sent it.
  8. Keep your system up to date. Updates include patches and fixes for vulnerabilities that cybercriminals like to exploit.
  9. Regularly analyze your system for vulnerabilities. This way, you can identify potential threats before they can do any harm.
  10. Back up your data regularly, so in case of damage, you will have a chance to recover it quickly, and the recovery process will take much fewer resources.

What is a Data Leak?

A data leak is also an exposure of confidential information, but one caused not by a cyber attack but by an unintentional disclosure or a system vulnerability. Also, unlike with a data breach, with a data leak you cannot say for sure whether the information has reached the public domain or not. The leading causes of data leakage are flaws in security policy, improper user access to a site, or improperly designed applications. The main difference is that a data leak happens due to an error in processing or an internal source.

As an example, take the Facebook – Cambridge Analytica case, in which a whistle-blower exposed the unethical practices of Cambridge Analytica. This circumstance can be classified as a data leak because an excessive amount of user data was collected, but no information was exposed to the public.

Causes of Data Leaks

Data leakage occurs because proper security measures are not followed during data transmission and storage. Here are three main reasons why data leaks happen:

  • Data in transit – transmitting data over the Internet without proper API protection, port protection, or other protocol-level safeguards increases the risk of data leakage. The same applies to email transmission, web browsing, and other forms of online communication.
  • Data at rest – if data is stored on insecure devices, for example, files with confidential information kept on a drive without a password, this can also lead to data leakage.
  • Data on removable media – data leaks can occur if removable media carrying the data is lost or forgotten.

How to Prevent Data Leaks

The key to preventing data leaks is a proactive approach to cybersecurity. Defenses must be layered, so that a single failure does not expose everything. Here are some tips that help prevent data leaks:

  1. Use endpoint protection. Data leaks are often caused by misconfigured endpoints or by sensitive information being stored carelessly on them.
  2. Monitor the network. Watching the data sent and received between your organization and others lets you detect unusual behavior or suspicious traffic, which significantly reduces the chance of an undetected leak.
  3. Use secure storage. Sensitive data stored in clear, unprotected form is easy pickings for any attacker who reaches it. Encrypt it and control access to it, ideally through automated policy rather than ad hoc permissions.
  4. Develop a device usage policy. To prevent data leaks, it is important to define and enforce rules for how employees may use devices.
  5. Manage third-party (vendor) risk. A proper third-party risk management process tells you which data is shared with which vendors and how well they protect it.
  6. Follow GDPR guidelines for data storage and management. This will not eliminate the risk of a breach, but it reduces it and limits the fallout.

What is Worse?

Which is worse, a data leak or a data breach? In one case crooks broke into your system and stole your data; in the other, your data got out through improper security practices, whether by accident or through an insider. In the first case your resentment is directed at the intruder who infiltrated your system, and at the security measures that failed to stop them. In the second case you can only blame yourself for leaving the system unprotected and not paying due attention to its security.

Data Breach & Data Leaks

The situation will be unfortunate, and the headlines loud, in both cases. Regardless of size or industry, many organizations occasionally struggle to protect the confidentiality or integrity of the data they collect. To avoid misleading people, and to respond correctly, it is important to know and understand the difference between a data breach and a data leak. Both are very damaging to an organization’s reputation, but the second scenario, where the organization exposed the data itself, is the more devastating.

The post Data Breach & Data Leaks appeared first on Gridinsoft Blog.

Fujitsu Hacked, Warns of Data Leak Possibility https://gridinsoft.com/blogs/fujitsu-hacked-data-leak/ https://gridinsoft.com/blogs/fujitsu-hacked-data-leak/#respond Tue, 19 Mar 2024 17:29:47 +0000 https://gridinsoft.com/blogs/?p=20524 Fujitsu, one of the world’s leading IT companies, reports uncovering the hack in their internal network. The company discovered malware in its IT systems, which led to a massive data breach. Fujitsu Hacked, Company Publishes Report The first to discover Fujitsu hack was the company’s IT specialists who were performing the scanning. The first signs… Continue reading Fujitsu Hacked, Warns of Data Leak Possibility

Fujitsu, one of the world’s leading IT companies, reports uncovering the hack in their internal network. The company discovered malware in its IT systems, which led to a massive data breach.

Fujitsu Hacked, Company Publishes Report

The Fujitsu hack was first discovered by the company’s own IT specialists while scanning its systems. The first signs of compromised systems were noticed earlier in March 2024, which immediately raised concerns among the technical team. Management was notified of the possible threat at once, leading to an extensive internal investigation.

Fujitsu’s report on its official web site (translated from Japanese)

The investigation is still ongoing and is now focused on determining the amount and types of leaked data. The company says it has not received any reports of personal information being misused as a result of the hack. However, the attack could have affected important databases containing customers’ personal data, including names, addresses, contact information and details of contractual relationships.

Initial steps taken by Fujitsu included isolating the infected systems to prevent the malware from spreading further. The company also engaged external cybersecurity experts to conduct a detailed analysis of the situation and determine the source of the attack.

Analysis of Malware

Preliminary analysis showed that the malware was designed specifically to steal sensitive information. Experts noted that it was not a “common” malware sample but one crafted for this particular attack. The program acted selectively, targeting especially sensitive data such as employees’ personal data, financial information and details of internal company research.

Most interestingly, the attack targeted specific systems and used sophisticated methods to bypass standard security measures. Custom malware builds for targeted intrusions into corporate networks are common; what is less usual is a sample that had never been seen before, which is exactly what defeats signature-based detection.

Fujitsu Was Hacked Before

In June 2023, Fujitsu Cloud Technologies, a subsidiary of Fujitsu Limited, received a public reprimand from Japan’s Ministry of Internal Affairs and Communications. The ministry demanded that both Fujitsu Cloud Technologies and Fujitsu Limited take immediate action to implement security measures to safeguard communications privacy and enhance cybersecurity. Fujitsu Limited is set to merge with its subsidiary in the near future.

In late 2022, a breach affected FENICS Internet, a Fujitsu Limited cloud-based internet service used by governments and large corporations. Attackers accessed the system and leaked sensitive information.

The company was also at the center of a May 2021 supply chain attack: its ProjectWEB project management suite was accessed by an unauthorized third party, and the incident resulted in a data leak affecting several Japanese government agencies. The data was allegedly sold on the darknet. Fujitsu later discontinued the ProjectWEB tool.

What then?

Well, despite best efforts, even technologically advanced companies like Fujitsu are not immune to cyberattacks and subsequent data breaches. Even with advanced defense systems, attackers are finding ways to bypass defenses, resulting in serious consequences for companies and their customers. Hopefully, the measures taken and lessons learned from this experience contribute to strengthening data protection.

Comcast’s Xfinity Breach Exposes Data of 35.8 Million Users https://gridinsoft.com/blogs/xfinity-breach-exposes-data/ https://gridinsoft.com/blogs/xfinity-breach-exposes-data/#respond Wed, 20 Dec 2023 14:55:37 +0000 https://gridinsoft.com/blogs/?p=18390 Comcast confirms a massive security breach impacting its Xfinity division. Nearly 36 million customers of the world’s largest telecom provider were exposed as the result of CitrixBleed exploitation. The Breach details and impact on customers The CitrixBleed vulnerability, which resides in widely used Citrix networking devices, has been under mass-exploitation by hackers since at least… Continue reading Comcast’s Xfinity Breach Exposes Data of 35.8 Million Users

Comcast confirms a massive security breach impacting its Xfinity division. Nearly 36 million customers of the world’s largest telecom provider were exposed as the result of CitrixBleed exploitation.

The Breach details and impact on customers

The CitrixBleed vulnerability (CVE-2023-4966) in the widely used Citrix NetScaler ADC and NetScaler Gateway appliances has been under mass exploitation since at least late August 2023. Despite Citrix releasing patches in early October, many organizations, including Comcast, did not apply them in time. This led to unauthorized access to Comcast’s internal systems between October 16 and 19, though the company only detected the activity on October 25. The damage is concentrated in Xfinity, one of the company’s biggest divisions.

By November 16, Xfinity confirmed that customer data had likely been acquired by the attackers. The data includes usernames, hashed passwords, names, contact information, dates of birth, the last four digits of Social Security numbers, and answers to secret questions. Comcast’s analysis is ongoing, and further compromised data types may yet be disclosed.
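“Hashed passwords” in a breach notice covers everything from an unsalted fast hash, which a dictionary attack recovers in milliseconds, to a salted, memory-hard KDF, which forces the attacker to pay the full cost per guess per user. The page does not say which scheme Xfinity used, so the following is an added example written for this post, not code from Comcast or from Gridinsoft, that simply shows the difference on a constructed wordlist: a dump of unsalted SHA-256 hashes versus the same passwords stored with scrypt from Python’s standard library.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed wordlist standing in for a real cracking dictionary (added example).
WORDLIST = ["password", "letmein", "qwerty", "xfinity2023", "Summer2023!"]

# scrypt work factor: roughly 16 MiB of memory per evaluation.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def sha256_hex(password: str) -> str:
    """Unsalted fast hash, the weakest thing a 'hashed passwords' notice can mean."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted_sha256(target_hex: str, wordlist) -> Optional[str]:
    """Offline dictionary attack: one cheap hash per guess, and a table of
    precomputed hashes serves every record in the dump at once."""
    for guess in wordlist:
        if hmac.compare_digest(sha256_hex(guess), target_hex):
            return guess
    return None


def scrypt_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard storage format: scrypt$<salt hex>$<key hex>."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${key.hex()}"


def scrypt_verify(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    _, salt_hex, key_hex = record.split("$")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(key.hex(), key_hex)


def crack_scrypt(record: str, wordlist) -> Tuple[Optional[str], int]:
    """The same dictionary attack against a salted scrypt record. Every guess costs
    a full KDF evaluation, and nothing can be precomputed or shared between users.
    Returns (recovered password or None, number of KDF evaluations spent)."""
    evaluations = 0
    for guess in wordlist:
        evaluations += 1
        if scrypt_verify(guess, record):
            return guess, evaluations
    return None, evaluations


if __name__ == "__main__":
    leaked = sha256_hex("xfinity2023")          # what an unsalted dump row looks like
    print("sha256 dump row cracked:", crack_unsalted_sha256(leaked, WORDLIST))
    stored = scrypt_record("Summer2023!")
    print("scrypt row cracked:", crack_scrypt(stored, WORDLIST))
    print("scrypt row uncrackable from wordlist:",
          crack_scrypt(scrypt_record("correct horse battery"), WORDLIST))
```

Two lessons fall out of running it. A weak password still falls to the dictionary even under scrypt, only more slowly, so the slow hash protects the users who chose strong passwords and buys everyone else time to reset. And because each record has its own salt, identical passwords produce different records, so the attacker cannot crack one hash and apply the result to every user who picked the same password, which is exactly what the unsalted case allows.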

Email to the main account warning that account information was changed

The breach’s scale is monumental. Comcast’s filing with Maine’s attorney general revealed that almost 35.8 million customers are affected. Considering that Comcast has just over 32 million broadband customers, the breach potentially impacts most, if not all, Xfinity customers.

What is CitrixBleed Vulnerability?

CitrixBleed is a critical-rated flaw in Citrix NetScaler ADC and Gateway appliances, which large enterprises deploy at the network edge for remote access and load balancing. Attackers leveraging it have hit notable targets including Boeing and the Industrial and Commercial Bank of China. Because these appliances front authentication for entire organizations and are so widely used, the mere existence of such a bug is critical.

Contrary to how it is sometimes described, CitrixBleed is not a code injection bug. It is an insufficient bounds check that lets an unauthenticated attacker read beyond a buffer in the appliance’s memory, and the leaked bytes include valid session tokens of logged-in users. Replaying such a token lets the attacker hijack an authenticated session, bypassing the password and multi-factor authentication, and from there move into internal systems. Because stolen tokens stay valid until the sessions are terminated, patching alone is not enough: Citrix also advised killing all active sessions after the update.

As of now, it is unclear whether Xfinity received a ransom demand or how the incident affected the company’s operations. Also uncertain is whether the incident has been filed with the U.S. Securities and Exchange Commission under the new cybersecurity incident disclosure rules. Comcast has been tight-lipped on these points.

Avoiding data loss

Customers affected by the breach should take immediate steps to secure their personal information. This includes monitoring credit reports, watching for phishing attempts that reference the breach, resetting the Xfinity password and changing it anywhere it was reused, and securing all online accounts with strong, unique passwords and, where available, multi-factor authentication. Since answers to secret questions were exposed, those answers should be treated as compromised wherever else they are used.

It’s crucial to keep up with cybersecurity threats and safe practices, since human error often leads to security breaches. For organizations, strong access controls and network segmentation limit how far an intruder can get once inside, and regular backups and encrypted data storage are essential for recovering from data loss incidents.

Mr. Cooper’s Data Breach Affects Millions https://gridinsoft.com/blogs/mr-coopers-data-breach/ https://gridinsoft.com/blogs/mr-coopers-data-breach/#respond Wed, 20 Dec 2023 09:52:28 +0000 https://gridinsoft.com/blogs/?p=18377 Hackers have infiltrated the secure databases of Mr. Cooper, a prominent mortgage and loan company, resulting in a massive data breach. Over 14.6 million customers have been affected, making it one of the most significant breaches in recent times. Mr.Cooper’s Hacked, Huge Amounts of Data Exposed Hackers have breached Mr. Cooper’s databases, impacting 14.6 million… Continue reading Mr. Cooper’s Data Breach Affects Millions

Hackers have infiltrated the secure databases of Mr. Cooper, a prominent mortgage and loan company, resulting in a massive data breach. Over 14.6 million customers have been affected, making it one of the most significant breaches in recent times.

Mr. Cooper Hacked, Huge Amounts of Data Exposed

Hackers have breached Mr. Cooper’s databases, impacting 14.6 million customers in one of the most significant recent data breaches. The breach was first noticed on October 31, when Mr. Cooper’s systems unexpectedly went offline; the company initially attributed this to an outage, but later revealed it was the result of a cyberattack. The incident raised concerns both about the company’s security measures and about its transparency in handling such issues. Customers experienced significant disruption, unable to access their accounts or make mortgage payments.

In a detailed report to Maine’s attorney general’s office, Mr. Cooper disclosed the extent of the breach. Hackers managed to access a wealth of personal information, including customer names, addresses, dates of birth, phone numbers, SSNs, and bank account details. This breach is far more extensive than initially reported, with the number of victims surpassing the company’s current customer base, indicating that historical data of mortgage holders was also compromised.

Uncertainties And Consequences

Despite the scale of the attack, Mr. Cooper has been reticent about its specifics. The attack’s nature, the perpetrators’ identity and whether any ransom was demanded all remain unclear, and the company has faced criticism for its lack of transparency and delayed response to customer concerns. The financial implications, however, are already severe. Mr. Cooper estimates the cost of the cyberattack at no less than $25 million, a significant increase from initial estimates of $5 to 10 million. This includes the cost of providing identity protection services to affected customers for two years.

In addition, this breach has far-reaching implications for the affected individuals. The exposure of sensitive personal information raises the risk of identity theft and financial fraud. Customers whose mortgages were previously handled by Nationstar Mortgage, now known as Mr. Cooper, are particularly vulnerable. The company has notified all affected individuals and advised them to take precautionary measures.

Cooper’s Response And Mitigation Efforts

In response to the breach, Mr. Cooper has taken several steps to mitigate the damage and prevent future incidents, including strengthening its cybersecurity infrastructure and working closely with law enforcement and cybersecurity experts. Nonetheless, the delayed response and initial miscommunication remain points of criticism. For a breach of this scale, that is simply unacceptable.

Dollar Tree Data Breach Impacting 2 Million People https://gridinsoft.com/blogs/dollar-tree-data-breach/ https://gridinsoft.com/blogs/dollar-tree-data-breach/#respond Fri, 01 Dec 2023 11:30:01 +0000 https://gridinsoft.com/blogs/?p=18035 Discount retailer Dollar Tree was hit by a data breach when third-party service provider Zeroed-In Technologies fell victim, affecting almost 2 million customers. It may probably be the biggest indirect damage of the hack throughout the last years. Data Breach in Zeroed-In Affects Dollar Tree Popular discount retailer Dollar Tree has revealed that they were… Continue reading Dollar Tree Data Breach Impacting 2 Million People

Discount retailer Dollar Tree was hit by a data breach when third-party service provider Zeroed-In Technologies fell victim, affecting almost 2 million people. It may be one of the largest cases of collateral damage from a vendor breach in recent years.

Data Breach in Zeroed-In Affects Dollar Tree

Popular discount retailer Dollar Tree has revealed that they were impacted by a data breach from a cyberattack on one of their third-party vendors, Zeroed-In Technologies. The breach is believed to have exposed the personal details of almost 2 million people. It primarily consists of current and former Dollar Tree and Family Dollar employees.

Official data breach notice filed with the Maine Attorney General

The incident first came to light on November 21, 2023. Then, the company sent notification letters to those affected on behalf of Zeroed-In. According to the letter, Zeroed-In experienced a security breach in early August 2023. This resulted in unauthorized access to internal systems containing sensitive personal information.

Zeroed-In Hack Affects Multiple Companies

Zeroed-In has not confirmed exactly which files were accessed, but its investigation established that the affected systems contained names, dates of birth and SSNs of individuals associated with Dollar Tree and Family Dollar. That makes it highly likely that this sensitive data on nearly 2 million people was compromised.

In response to the data breach, Zeroed-In stated that they will provide victims with 12 months of identity protection and credit monitoring services free of charge. Additionally, the company is currently undertaking efforts to enhance its security and ensure better protection of data. When reached for comment, Family Dollar representatives provided the following statement:

“Zeroed-In is a vendor that we and other companies use. They informed us that they identified a security incident, and they provided notice of the incident to current and former employees.”

This indicates that Dollar Tree only became aware of the breach when the vendor contacted it, after the incident had already occurred. As of now, there is no evidence that Dollar Tree’s or Family Dollar’s own systems were compromised, and no major cybercrime group has claimed responsibility, so it is not yet known whether the stolen data has been leaked or put up for sale.

Legal Ramifications and Investigations

At this time, the full impact of the data breach remains unclear. While Dollar Tree has confirmed receiving notice of the incident, other clients of Zeroed-In have yet to disclose whether their data was involved as well. Nonetheless, the massive scale of the breach has already drawn attention from state Attorneys General and from class-action attorneys seeking accountability for the security lapse.

Without prompt and effective response, diminished consumer trust in Dollar Tree’s ability to safeguard data can be anticipated. Legal experts warn that companies are still responsible for vetting and auditing the data security of third-party partners handling sensitive customer or employee information. So, failure to ensure adequate protection exposes organizations to legal, financial, and reputational damages in an incident like this.

Data Breach Trends are Concerning

This marks the third major retail data breach disclosed in 2023 alone, following incidents at Walmart and Wawa earlier this year. Despite retailers increasingly transitioning to EMV chip-enabled payment systems, cybercriminals continue finding alternative methods of monetizing consumer data. Law enforcement officials continue investigating the technical details surrounding this latest breach.

In the meantime, consumers worried that their personal information was exposed in the Dollar Tree/Zeroed-In breach can enroll in the free identity protection services being offered and should stay vigilant for suspicious activity on their accounts. Experts also advise setting up fraud alerts and credit freezes, a useful precaution until the investigations shed more light on the scope and severity of the theft.

Henry Schein was hacked twice by BlackCat ransomware https://gridinsoft.com/blogs/henry-schein-blackcat-ransomware/ https://gridinsoft.com/blogs/henry-schein-blackcat-ransomware/#respond Wed, 29 Nov 2023 14:45:07 +0000 https://gridinsoft.com/blogs/?p=17996 Henry Schein Global, a healthcare solutions provider, faced a persistent cybersecurity nightmare. The BlackCat/ALPHV ransomware gang is launching a second wave of attacks, claiming to have re-encrypted files after stalled negotiations. The company, headquartered in Melville, New York, is restoring systems. It happened after the cybercrime group took credit for an initial breach on October… Continue reading Henry Schein was hacked twice by BlackCat ransomware

Henry Schein Global, a healthcare solutions provider, is facing a persistent cybersecurity nightmare. The BlackCat/ALPHV ransomware gang has launched a second wave of attacks, claiming to have re-encrypted files after negotiations stalled. The company, headquartered in Melville, New York, is restoring its systems again, after the cybercrime group took credit for an initial breach on October 15 that disrupted its manufacturing and distribution operations.

What is BlackCat Ransomware Gang?

The BlackCat (ALPHV) ransomware gang, which emerged in November 2021, is believed to be a rebrand of the notorious DarkSide/BlackMatter group. Its predecessor DarkSide gained global attention with the May 2021 attack on Colonial Pipeline, which led to fuel supply disruptions across the US East Coast. The FBI has linked BlackCat to over 60 breaches worldwide between November 2021 and March 2022, indicating a pattern of sophisticated cybercriminal activity.

Henry Schein Attacked by ALPHV, Again

On October 15, Henry Schein reported a cyberattack that impacted its manufacturing and distribution businesses, causing operational disruptions. Two weeks later, the BlackCat/ALPHV ransomware group claimed responsibility, boasting about encrypting files and stealing a massive 35 terabytes of sensitive data, potentially including personal information, bank account details, and payment card numbers.

The notification from Henry Schein about the ransomware attack.

The situation escalated in early November when the cybercriminals declared that negotiations had stalled. In response, they threatened to re-encrypt files, a move confirmed by Henry Schein’s subsequent system restoration updates. The company informed customers on November 22 that its applications, including the e-commerce platform, were rendered unavailable due to actions by the threat actor.

Statement on the ALPHV/BlackCat leak site.

Despite anticipating short-term disruptions, the latest update on November 26 assured customers that systems would soon be fully restored. As of the latest information, Henry Schein is no longer listed on the BlackCat leak website, hinting at a potential resumption of negotiations or even a ransom payment.

How to resist ransomware?

Organizations can enhance their resilience against extortionists through a multifaceted approach. First and foremost, robust cybersecurity measures are imperative. Regularly updating and patching systems can mitigate vulnerabilities, making it harder for extortionists to exploit weaknesses. Implementing strong access controls and regularly reviewing user privileges adds an extra layer of defense. Regular data backups are essential to ensure that organizations can quickly recover from ransomware attacks without succumbing to extortion demands. A well-defined incident response plan, including communication protocols and coordination with law enforcement, prepares organizations to swiftly and effectively handle extortion attempts.

Lastly, collaboration within the industry and sharing threat intelligence can strengthen collective defenses against evolving extortion tactics. By staying informed and implementing proactive measures, organizations can significantly reduce the likelihood of falling victim to extortionists.

Welltok Data Breach Exposes More Than 8 million Patients https://gridinsoft.com/blogs/welltok-data-breach-8-million-patients/ https://gridinsoft.com/blogs/welltok-data-breach-8-million-patients/#respond Thu, 23 Nov 2023 19:44:51 +0000 https://gridinsoft.com/blogs/?p=17881 Welltok, a healthcare Software as a Service (SaaS) provider, has reported unauthorized access to its MOVEit Transfer server, impacting the personal information of nearly 8.5 million patients in the United States. The breach, detected on July 26, 2023, has raised concerns about the security of patient data and has significant implications for healthcare providers across… Continue reading Welltok Data Breach Exposes More Than 8 million Patients

Welltok, a healthcare Software as a Service (SaaS) provider, has reported unauthorized access to its MOVEit Transfer server, impacting the personal information of nearly 8.5 million patients in the United States. The breach, detected on July 26, 2023, has raised concerns about the security of patient data and has significant implications for healthcare providers across various states.

Welltok Data Leaked Because of MOVEit

Welltok specializes in online wellness programs, predictive analytics and supporting the healthcare needs of providers nationwide. The breach resulted from the MOVEit Transfer zero-day (CVE-2023-34362, an SQL injection flaw in the file-transfer product) that the Cl0p ransomware gang mass-exploited from late May 2023, giving it unauthorized access to confidential patient data held on Welltok’s server.

Sensitive patient information compromised in the breach includes full names, email addresses, physical addresses, telephone numbers, Social Security Numbers (SSNs), Medicare/Medicaid ID numbers and certain health insurance information. The breach has affected healthcare institutions in multiple states, with notable providers such as:

  • Blue Cross and Blue Shield
  • Corewell Health
  • Mass General Brigham Health Plan
  • Faith Regional Health Services

Welltok’s initial estimates didn’t disclose the full scale of impacted individuals. However, recent reports confirm that 8,493,379 people have been affected, making it the second-largest MOVEit data breach after Maximus. The breach’s ripple effect extends to various healthcare plans, emphasizing the widespread consequences for patients and healthcare providers.

Screenshot of a phishing email attributed to the Cl0p group. Note that the MOVEit campaign itself did not start with phishing: Cl0p exploited internet-facing MOVEit Transfer servers directly.

Implications of Welltok Data Breach

Welltok sent out data breach letters to those impacted by the data security incident on November 17, 2023. The letters contain a list of compromised information.

A review of the affected files revealed that they contained sensitive information about health plan members, including their names, dates of birth, addresses, and health records. In addition, some individuals’ Social Security numbers, Medicare/Medicaid IDs, and health insurance information were also stolen. A substitute breach notification was uploaded to the Welltok website in October. However, the page was set as no-index, meaning it wouldn’t be indexed by search engines and would only likely be found by individuals who visited the website.

How to prevent data breaches?

To prevent data breaches, organizations should prioritize a comprehensive cybersecurity strategy. Begin by conducting regular security audits and implementing strong access controls, ensuring employees have minimal access privileges. Encrypt sensitive data both in transit and at rest, utilizing robust encryption methods. Keep systems updated with the latest security patches and employ multi-factor authentication to enhance access security.

Invest in employee training to raise awareness about cybersecurity risks, particularly phishing attacks. Secure network perimeters using firewalls and intrusion detection systems, monitoring user activities for any anomalies. Regularly back up critical data and establish a solid recovery plan to minimize downtime in case of a breach.
