because the company does not store that information online. Eurostar has yet to confirm how many people have been affected by this data breach or whether any data has been taken. The company has reported the data breach to the Information Commissioner's Office. "We have taken this action as a precaution because we identified what we believe to be an unauthorised automated attempt to access eurostar.com accounts using your email address and password," the company told customers. "We've since carried out an investigation which shows that your account was logged into between the 15 and 19 October. If you didn't log in during this period, there's a possibility your account was accessed by this unauthorised attempt." Customers were told to check their accounts for "anything unusual" and update login details on any other site where they use the same password. A Eurostar spokesman said: "This email was sent after we identified what we believe to be an unauthorised automated attempt to access customer accounts, so as a precaution, we asked all account holders to reset their password. We deliberately never store any payment details or bank card information, so there is no possibility of those being compromised." An ICO spokesman said: "We've received a data breach report from Eurostar and are making enquiries." Last week, British Airways revealed that almost 200,000 further passengers may have had their personal data stolen by hackers in the September attack, in what experts described as one of the biggest breaches of consumer data the UK had ever seen.
A response to a phishing email has resulted in the PHI of 2,789 Kaleida Health patients being made accessible to cybercriminals. Kaleida Health discovered the attack on May 24, 2017, prompting a full investigation which involved hiring a third-party computer forensic firm. An analysis of its systems showed that by responding to the phishing email, the employee had provided access to his/her email account. While access to Kaleida Health's EHR was not gained, the email account contained a range of protected health information of a small subset of its patients. The types of data in the account varied for each patient, but may have included names, dates of birth, medical record numbers, diagnoses, treatment and other clinical data. However, no financial information or Social Security numbers were exposed at any time. While access to the email account was possible, no evidence was uncovered to suggest that the emails were accessed or any protected health information was viewed or copied. However, since the possibility of data access could not be ruled out with a high degree of certainty, all affected patients have been notified of the incident by mail. Phishing has grown to be one of the most serious threats to healthcare organizations. As we have already seen this year, record numbers of successful W-2 phishing attacks have been reported and many healthcare employees have fallen for these phishing scams. Providing security awareness training to employees can help to reduce risk, although a single training session every year is no longer sufficient. Training must be an ongoing process.
One of two Nigerians who admitted to being part of a conspiracy to steal personal information from Vermont state employees and other U.S. residents was sentenced Tuesday in Rutland federal court to time served, or 14 months in jail. Osariemen Isibor, 32, pleaded guilty in U.S. District Court in March to conspiracy to commit wire fraud. Another man, Eneye Dania, 31, also pleaded guilty in March to being part of the same conspiracy. Last week, Dania was sentenced to serve 17 months in jail. Dania has been held in jail for about 14 months. While Isibor's prison sentence on the charge is complete and Dania's will be soon, neither is expected to be released. Instead, both are expected to be turned over to the custody of Immigration and Customs Enforcement before being deported to Nigeria. According to court records, the goal of the conspiracy was "fooling United States residents … into sending the logon information they used to access their IRS form W-2 data from their employer's website to another website designed to look like their employer's human resources page but actually operated by the conspiracy to collect this data". Once people entered their information into the fake website, the conspirators attempted to trick the IRS into sending tax refunds to the conspirators, but prosecutors said fraud detection controls put in place by the IRS "caused most, if not all, such fraudulent tax returns to be rejected".
Hacker used flaw in web server to access data uploaded to website of holiday and travel association. Hackers used a flaw in the web server running the website of ABTA, the UK's largest holiday and travel association, to access the data of as many as 43,000 people. ABTA CEO Mark Tanzer says an "external infiltrator" used a vulnerability in the firm's web server to access data provided by its members and some of those members' customers. ABTA is the UK's largest travel association, representing travel agents and tour operators that sell £32bn of holidays and other travel each year. It said the unauthorised access, on 27 February 2017, may have affected 43,000 individuals. Around 1,000 of the accessed files may include personal identity information relating to customers of ABTA members, submitted in support of their complaint about an ABTA member. These files relate to complaints uploaded to ABTA after 11 January 2017. Additionally, around 650 files may include personal identity information of ABTA members. But Tanzer said: "We are not aware of any information being shared beyond the infiltrator." The travel trade association said the vast majority of the 43,000 were people who had registered on abta.com, with email addresses and encrypted passwords, or have filled in an online form with basic contact details "which are types of data at a very low exposure risk to identity theft or online fraud". Once it became aware of the intrusion, ABTA notified the third-party suppliers of the abta.com website, who immediately fixed the vulnerability, and the association hired risk consultants to assess the potential extent of the incident. It has also alerted the Information Commissioner and the police.
"It is extremely disappointing that our web server, managed for ABTA through a third party web developer and hosting company, was compromised, and we are taking every step we can to help those affected," said Tanzer. ABTA said its own systems remained secure and the vulnerability was in the web server for abta.com, which is managed for ABTA through a third-party web developer and hosting company. The association said that ABTA members or members of the public who have registered on abta.com should immediately change their password and, if they used this password or any variation of it for other accounts, they should change that too. It said ABTA members who have used ABTA's online self-service facility to upload supporting documentation relating to their membership may have had their data accessed, and "should remain vigilant regarding online and identity fraud".
Yahoo, Adult Friend Finder, LinkedIn, Tumblr and Daily Motion all have something in common: in 2016, details of massive hacks perpetrated against the companies were disclosed. The firms represent a handful of the companies and public bodies around the world that suffered at the hands of hackers last year. Data compromised usually included names, emails, and physical addresses, and even personal bank details, ethnicity data, and phone numbers. And the hacks aren't stopping anytime soon. 2017 has already been dominated by numerous data breaches and the most recent affects the Association of British Travel Agents, commonly known as ABTA. To keep you in the loop on data breaches this year, WIRED will keep a running tally of successful hacks. The abta.com web server for the Association of British Travel Agents (ABTA) was recently hacked by "an external infiltrator" who exposed the details of 43,000 individuals. Around 1,000 of these included files that could include personal identity information of customers of ABTA members uploaded since 11 January 2017, while around 650 may also include personal identity information of ABTA members. As the UK's largest travel association, ABTA's members include travel agents and tour operators. The unauthorised access was said to be possible due to a system vulnerability "that the infiltrator exploited" to access some data provided by some customers of ABTA Members and by ABTA Members themselves. On immediate investigation, ABTA said it identified that although ABTA's own IT systems remained secure, there was a vulnerability in the web server managed for ABTA through a third-party web developer and hosting company.
"This, unfortunately, means some documentation uploaded to the website, as well as some information provided by customers, may have been accessed," ABTA's CEO, Mark Tanzer, said. As a precautionary measure, it has taken steps to warn its members and customers of ABTA members who have the potential to be affected. The group has also alerted the relevant authorities, including the Information Commissioner (ICO) and the police.
New statements from Apple make it clear that they do not believe a hacker, or group of hackers, breached any of their systems. This comes after a recent report from Motherboard that a hacker gang called the "Turkish Crime Family" is threatening to remotely wipe up to 559 million iPhones by April 7. The hackers claim they hold an alleged cache of stolen accounts, and their goal is to shake down the big Apple for $75,000 in Bitcoin or Ethereum cryptocurrency. Alternatively, in lieu of those options, they will even accept $100,000 in iTunes gift cards (a potentially risky option for them). Apple responded to the allegation that the hackers breached its systems, assuring their systems were not compromised, but did not confirm if the hackers do in fact hold an entire collection of Apple IDs and passwords. Whatever information they do have probably came from previously compromised third parties. "If the list is legitimate, it was not obtained through any hack of Apple," an Apple spokesperson told Fortune in an email. "There have not been any breaches in any of Apple's systems including iCloud and Apple ID." Even if the data didn't come from an Apple breach, it could still mean your iCloud login details are out there. Fortune suggested that the logins could be from the LinkedIn hack, in which login info from 117 million accounts was sold on the black market site "The Real Deal." Though, if the Turkish Crime Family really has 559 million accounts, well, a mere fraction of the 117 million from LinkedIn doesn't really cut it. The hackers have been sending login information to media companies in an effort to gather attention to their scam.
For example, The Next Web received a small fraction of the alleged data from the hackers, and cross-referenced the info with the site Have I Been Pwned, which checks to see if your email or username has been compromised in a hack. Most of the samples provided to TNW don't appear to have been involved in the LinkedIn hack or other hacks in the Pwned database, but TNW was able to access the accounts with the login information provided by the hackers, so the info looks legitimate. They can't test every login, so the small sample may not be indicative of the whole. The Turkish Crime Family also noted to TNW that all conversations with Apple were actually kept private and never reported to Motherboard. Instead, the conversation between the Turkish Crime Family and Motherboard was led by a member that has now been removed for his "inaccuracy" and "lack of professionalism," and the group denies the authenticity of Motherboard's report. Overall, the hacking team seems to have a hard time sticking to one story. Now, the hacker group is confirming Apple's statement that its systems have not been breached, and that the stolen data was obtained through previously compromised systems over the last five years. The Turkish Crime Family is, in fact, not contradicting Apple. They did not breach the company, nor did they ever state to Motherboard that they stole the info directly from Apple. Rather, after Motherboard's breaking March 21 report, a breach was assumed by some news outlets such as BGR, though most media sites never directly stated that the hackers breached Apple. The Turkish Crime Family's initial response to Motherboard, and the group's only statement, was to extort Apple over an alleged cache of iCloud and other Apple email accounts. The group never stated where their cache of data came from until today, when they contacted TNW in response to Apple.
Advanced Persistent Threat group linked to China said to be attacking companies by targeting their suppliers; scale of operation said to be unprecedented. A Chinese hacking group is thought to be behind attacks on managed service providers as a way into their client companies, to facilitate the theft of intellectual property. The hacking group, called APT10, used custom malware and spear-phishing attacks to gain access to victims' systems. Once inside, they used the company's credentials to attack their client companies. The security of the supply chain has been a recognised weakness in security systems since at least 2013, when it was discovered that attackers had gained access to the Target retail chain in America through an HVAC service provider. Now it appears that APT10 is using that approach on a large scale. The group was discovered by PwC's cyber-security practice and BAE Systems, working alongside the UK's National Cyber Security Centre (NCSC). The scale of the espionage campaign only became apparent in late 2016, but the attack is thought to be the largest sustained global cyber-espionage campaign ever seen. PwC and BAE Systems said APT10 conducted the espionage campaign by targeting providers of managed outsourced IT services as a way in to their customers' organisations around the world, gaining unprecedented access to intellectual property and sensitive data. It is thought the group launched the campaign in 2014 and then significantly ramped it up in early 2016, adding new developers and intrusion operators to continually enhance capability. The group is known to have exfiltrated a high volume of data from multiple victims and used compromised networks to stealthily move this data around the world.
A number of Japanese organisations have also been targeted directly in a separate, simultaneous campaign by the same group, with APT10 masquerading as legitimate Japanese government entities to gain access. Forensic analysis of the timings of the attack, as well as tools and techniques used, led investigators to conclude that the group may be based in China, but apart from that, it is not known precisely who is behind APT10 or why it targets certain organisations. Kris McConkey, partner for cyber-threat detection and response at PwC, said that the indirect approach of this attack highlights the need for organisations to have a comprehensive view of the threats they're exposed to – including those of their supply chain. "This is a global campaign with the potential to affect a wide range of countries, so organisations around the world should work with their security teams and providers to check networks for the key warning signs of compromise and ensure they respond and protect themselves accordingly," he said. Richard Horne, cyber-security partner at PwC, added that "operating alone, none of us would have joined the dots to uncover this new campaign of indirect attacks. "Together we've been working to brief the global security community, managed service providers and known end victims to help prevent, detect and respond to these attacks," he added. Ilia Kolochenko, CEO of High-Tech Bridge, told SC Media UK that until there is more detail on the attacks, it would not be possible to make a reliable conclusion as to who was behind the so-called APT10. "Taking into consideration how careless and negligent some managed IT providers are, I wouldn't be surprised if all the attacks were conducted by a group of teenagers – something we have already seen in the past," he said.
"IT services providers should better enumerate and assess their digital risks, and implement appropriate security controls to mitigate related threats and vulnerabilities. Security standards, like ISO 27001, can significantly help assure that the risks are continuously identified and are being duly addressed. For cyber-security service providers, accreditation by CREST is also an important factor to demonstrate the necessary standard of care around security, confidentiality and integrity for their own and client data," he added. "Companies looking to secure their supply-chain can oblige their suppliers to get certified by ISO 27001 for example, or to provide solid and unconditional insurance to cover any data breaches and data leaks, including direct and consequent damages."
A China-based cyber gang has compromised UK firms as part of a "systematic" global hacking operation, a new report has revealed. The attacks were found to have breached a wide variety of secret data ranging from personal data to intellectual property, in what the report described as "one of the largest ever sustained global cyber espionage campaigns". The group behind the attacks, named APT10, was found to have used custom malware and "spear phishing" techniques to target managed outsourced IT service companies as stepping stones into the systems of an "unprecedented web" of victims, according to the report's authors. The report's authors included the National Cyber Security Centre (NCSC) and cyber units at defence group BAE Systems and accountancy firm PwC. The gang were found to have used the companies as a way into their customers' systems from 2016 onwards, although there is evidence to suggest they had first employed the tactics from as early as 2014. PwC cyber security partner Richard Horne told the Press Association the extent of the malicious campaign was still unclear. He said: "The reason we've gone public with this is because we can see so much and we have seen so much in several managed IT service providers (MSPs) and other companies compromised through it, but we don't know how far this has gone. "Us, together with the NCSC and BAE Systems, are very keen to get this information out there so we can promote a mass response to this." The report behind the unmasking operation, codenamed Cloud Hopper, highlights targeted attacks against Japanese commercial firms and public bodies, but indicates further widespread operations against companies in 14 other countries including the UK, France and the United States.
The report's authors state APT10 is "highly likely" to be based in China, demonstrating a pattern of work in line with China Standard Time (UTC+8) and the targeting of specific commercial enterprises "closely aligned with strategic Chinese interests". Mr Horne said the data collected in individual attacks spanned a plethora of sensitive categorisations. He said: "We've seen a number of different companies targeted for different reasons, but essentially it's all around sensitive information they hold, whether that's intellectual property, or personal information on people or a whole realm of other areas. "It's a very large-scale espionage operation." Spear phishing emails with bespoke malware were first sent to staff in targeted companies, and once the attackers had successfully infiltrated their systems they were free to seek out a raft of sensitive data within. Dr Adrian Nish, head of threat intelligence at BAE, told the BBC such MSPs were crucial to the nature of the campaign's success. He said: "Organisations large and small rely on these providers for management of core systems and as such they can have deep access to sensitive data." "It is impossible to say how many organisations might be impacted altogether at this point." The organisations behind operation Cloud Hopper are expected to release a further report this week into the detailed methods that APT10 has used in its campaign, in a bid to encourage firms to take a proactive approach to checking if their systems have been targeted.
Google has come up with a fix for the phishing scam that affected users. A Chrome browser update, which has been rolling out since February, now issues a warning when you've landed on a page with the scam. In your browser address bar, look out for "not secure" to the left of the address. Fortune reports that in the future, Google will present this warning and indicate unprotected sites more aggressively with a red triangle. According to Satnam Narang, Senior Security Response Manager at Norton by Symantec, here's how the Gmail phishing scam works: You'll see an email in your inbox from one of your contacts who has already been hacked. The email looks like it contains an attachment. But if you look closely, as this Twitter user did, you'll notice that the image preview for the attachment looks slightly fuzzy. This is because there isn't actually an attachment, just an image designed to look like one. If you click on the image you'll be directed to a page that looks like the standard Google sign-in page. If you log in there, the damage is done: the hacker can read and download all of your emails and could also access accounts elsewhere. In the past, you might have recognized a scam by the language in the email. But Narang says that there are reports that these hackers are sending emails that look realistic. In one school district, for example, team members received what looked like a copy of a practice schedule. Still, there are things you can look out for to spot a fake. "The best way to identify this attack is to look at the address bar. In this case, look for the words 'data:text/html' at the beginning of the URL," Narang says.
"If you see this, close the browser tab and alert your friend that their account has been compromised." Narang also recommends setting up two-step verification for your Gmail account (find out how to do so here). And follow these rules for boosting your password strength. In a statement about the attack, a Google spokesperson said, "We're aware of this issue and continue to strengthen our defenses against it. We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection." Above all, think twice before clicking on something. We're starting to see more sophisticated scams, so being vigilant will only help you in the long run.
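The address-bar check Narang describes can be made mechanical. The following is an added example written for this page, not code from the article, from Norton or from Google; it uses only the Python standard library, the trusted-host list is an assumption for the example, and every sample URL is constructed. It decodes a `data:` URL the way a browser would, so that the text `https://accounts.google.com/...` at the start of the scam address is shown for what it is: the first bytes of the page body, not the host the browser is connected to. It also flags the separate case of a lookalike host that merely contains the trusted name.

```python
"""Classify what a browser address bar is showing (added example, standard library only)."""
import base64
from urllib.parse import urlsplit, unquote

# Hosts that legitimately serve the sign-in page. Assumption for this example;
# a real deployment would load this from policy.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}


def decode_data_url(url):
    """Return (media_type, decoded_body) for a data: URL, or None if it is not one."""
    if not url.lower().startswith("data:"):
        return None
    header, sep, payload = url[5:].partition(",")
    if not sep:
        return None
    params = [p.strip().lower() for p in header.split(";")]
    media_type = params[0] or "text/plain"  # RFC 2397 default
    if "base64" in params[1:]:
        try:
            body = base64.b64decode(payload, validate=False).decode("utf-8", "replace")
        except Exception:
            body = ""
    else:
        body = unquote(payload)  # percent-decoded, as the browser renders it
    return media_type, body


def classify_address(url):
    """'trusted-login', 'data-url' (HTML/script served from the address bar itself),
    'lookalike' (untrusted host dressed up with the trusted name), or 'other'."""
    url = url.strip()
    decoded = decode_data_url(url)
    if decoded is not None:
        media_type, _ = decoded
        # data: images are common and harmless; data: HTML or script is the scam shape.
        if media_type in ("text/html", "application/xhtml+xml") or "javascript" in media_type:
            return "data-url"
        return "other"
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "https" and host in TRUSTED_LOGIN_HOSTS:
        return "trusted-login"
    if any(t in url.lower() for t in TRUSTED_LOGIN_HOSTS) or "google" in host:
        return "lookalike"
    return "other"


def decoy_prefix(url):
    """If a data: URL's body opens with something that looks like a web address,
    return that text: it is page content chosen to read like a real URL in the bar."""
    decoded = decode_data_url(url)
    if decoded is None:
        return None
    lead = decoded[1].lstrip()
    if lead.lower().startswith(("http://", "https://")):
        return lead.split()[0]
    return None


# Constructed samples; none of this is real phishing content.
SAMPLES = {
    "real": "https://accounts.google.com/ServiceLogin?service=mail",
    "data_scam": "data:text/html,https://accounts.google.com/ServiceLogin?service=mail"
                 + "%20" * 40 + "%3Cp%3Econstructed%20placeholder%20body%3C/p%3E",
    "data_b64": "data:text/html;base64,"
                + base64.b64encode(b"<p>constructed placeholder</p>").decode(),
    "lookalike": "http://accounts.google.com.login-verify.example/ServiceLogin",
    "image": "data:image/png;base64,iVBORw0KGgo=",
    "plain": "https://example.org/news",
}


def run_samples():
    """Verdict for each constructed sample, keyed by sample name."""
    return {name: classify_address(u) for name, u in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:10s} -> {verdict}")
    print("decoy text at start of data_scam body:", decoy_prefix(SAMPLES["data_scam"]))
```

The `data_scam` sample reproduces the shape of the address the article warns about: a long run of spaces pushes the real page markup out of view, so the visible part of the bar is the decoy text; `decoy_prefix` recovers exactly that text, and `classify_address` reports `data-url` without needing to know anything about the markup that follows.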
SAN FRANCISCO — Hackers took advantage of an Equifax security vulnerability two months after an industry group discovered the coding flaw and shared a fix for it, raising questions about why Equifax didn't update its software successfully when the danger became known. A week after Equifax revealed one of the largest breaches of consumers' private financial data in history — 143 million consumers and access to the credit-card data of 209,000 — the industry group that manages the open source software in which the hack occurred blamed Equifax. "The Equifax data compromise was due to (Equifax's) failure to install the security updates provided in a timely manner," The Apache Foundation, which oversees the widely-used open source software, said in a statement Thursday. Equifax told USA TODAY late Wednesday the criminals who gained access to its customer data exploited a website application vulnerability known as Apache Struts CVE-2017-5638. The vulnerability was patched on March 7, the same day it was announced, The Apache Foundation said. Cybersecurity professionals who lend their free services to the open-source software project — code that's shared by major corporations and that's tested and modified by developers working at hundreds of firms — had shared their discovery with the industry group, making the risk and fix known to any company using the software. Modifications were made on March 10, according to the National Vulnerability Database.
But two months later, hackers took advantage of the vulnerability to enter the credit reporting agency's systems: Equifax said the unauthorized access began in mid-May. Equifax did not respond to a question Wednesday about whether the patches were applied, and if not, why not. "We continue to work with law enforcement as part of our criminal investigation and have shared indicators of compromise with law enforcement," it said. It should have acted faster to successfully deal with the problem, other cybersecurity professionals said. "They should have patched it as soon as possible, not to exceed a week. A typical bank would have patched this critical vulnerability within a few days," said Pravin Kothari, CEO of CipherCloud, a cloud security company. Federal regulators are now investigating whether Equifax is at fault. The Federal Trade Commission and the Consumer Financial Protection Bureau have said they've opened probes into the hack. So far dozens of state attorneys general are investigating the breach, and on Tuesday Massachusetts Attorney General Maura Healey said she plans to sue the company for violating state consumer protection laws. More than 23 class-action lawsuits against the company have also been proposed. Proof that Equifax failed to protect customers, particularly when it had the tools and information to do so, is likely to further damage Equifax's financial outlook. Shares fell 2.5% Thursday after news of the FTC probe and are down 33% since it revealed the hack.
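An organisation that could not patch within the two-month window had one other option: watch for exploitation attempts. The article does not describe the mechanism, but CVE-2017-5638 is an OGNL expression injection through a crafted Content-Type header processed by Struts' Jakarta multipart parser, and the markers of such an expression are easy to spot in logs. The script below is an added example, not code from Equifax, Apache or the article: it scans access-log lines for those markers. It assumes the log format records the request's Content-Type as a final quoted field (with Apache that is adding "%{Content-Type}i" to the LogFormat); the sample lines are constructed, and the flagged one carries a truncated, non-functional expression, not a working payload.

```python
import re

# Indicators of an OGNL expression placed in a request header. CVE-2017-5638 is
# an OGNL injection through a crafted Content-Type header handled by the Jakarta
# multipart parser; these strings are the commonly seen markers, not a payload.
INDICATORS = {
    "expression-delimiter": re.compile(r"[%$]\{"),
    "member-access": re.compile(r"#_memberAccess|DEFAULT_MEMBER_ACCESS", re.I),
    "ognl-context": re.compile(r"@ognl\.OgnlContext@", re.I),
    "process-exec": re.compile(r"java\.lang\.(?:Runtime|ProcessBuilder)", re.I),
    "cmd-variable": re.compile(r"#cmd\s*=", re.I),
}

# Assumed access-log layout: Common Log Format followed by the request's
# Content-Type in quotes (Apache: append "%{Content-Type}i" to the LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ctype>.*)"$'
)

# Constructed sample lines; the third carries a truncated, non-functional
# expression of the shape seen in the wild.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/May/2017:03:10:02 +0000] "POST /app/upload.action HTTP/1.1" 200 812 '
    '"multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"',
    '192.0.2.11 - - [10/May/2017:03:11:15 +0000] "GET /app/index.action HTTP/1.1" 200 2310 "-"',
    '203.0.113.5 - - [10/May/2017:03:12:44 +0000] "POST /app/upload.action HTTP/1.1" 200 1532 '
    "\"%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}\"",
]


def header_indicators(value):
    """Names of the indicators present in one Content-Type header value."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


def scan_log(lines):
    """Return one alert dict per line whose Content-Type carries OGNL markers."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not carry the header field
        hits = header_indicators(m.group("ctype"))
        if hits:
            alerts.append({"ip": m.group("ip"), "time": m.group("ts"),
                           "request": m.group("req"), "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

A legitimate multipart upload never carries "%{" or "${" in its Content-Type, so the first indicator alone is enough to alert on; the others grade the severity. Note that most default log formats do not record request headers at all, which is why such a hit typically has to come from a WAF or reverse proxy rather than the application server's own access log.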
Officials at a medical practice in Blue Springs say they are taking steps to strengthen privacy protections after a ransomware attack affected nearly 45,000 patients. Blue Springs Family Care discovered in May that hackers had installed malware and ransomware encryption programs on its computer system, giving them full access to patient records. Ransomware is a kind of malware that locks up a computer. The attackers typically demand a ransom, often in Bitcoin or other cryptocurrencies, as a condition of unlocking the computer and allowing access to the system. Melanie Peterson, Blue Springs Family Care's privacy officer, says the medical practice did not pay a ransom. Rather, it was able to use backups to regain computer access. In a letter to patients, Blue Springs Family Care said it had no evidence patients' information had been used by unauthorized individuals. But it said it had taken steps to strengthen its defenses against similar attacks in the future. Peterson says the family medical practice has essentially rebuilt its computer system from scratch "to make sure that no traces of any kind of virus were left in the system." The number of affected patients was as large as it was because the medical practice is required to keep medical records going back 10 years. Peterson says both the FBI and Blue Springs Police Department were notified of the attack. So far, the hackers have not been identified, she says. Blue Springs Family Care's computer vendor discovered the ransomware attack on May 12. In its letter to patients, Blue Springs Family Care said it hired a forensic IT company to help quarantine the affected systems and to install software to monitor whether any unauthorized person was accessing the system. The attack on Blue Springs Family Care was not an anomaly. Health care businesses in particular have been targeted by ransomware attacks.
According to Beazley, a cybersecurity insurance company, 45 percent of ransomware attacks in 2017 targeted the health care industry. Financial services, which accounted for 12 percent of ransomware attacks, were a distant second. Last month, Cass Regional Medical Center in Harrisonville, Missouri, reported a ransomware attack had briefly cut off access to its electronic health record system on July 9. Hospital officials said there was no indication patient data was accessed. Cass Regional was just the latest of many Missouri health care institutions targeted in the last few months by cyber-attackers. Others include Children's Mercy Hospital in Kansas City, Barnes Jewish Hospital in St. Louis, Barnes-Jewish St. Peters Hospital in St. Peters and John J. Pershing VA Medical Center in Poplar Bluff. In Kansas, the Cerebral Palsy Research Foundation of Kansas, the Kansas Department for Aging and Disability Services, Atchison Hospital Association and a private medical practice in McPherson have all been hit with cyberattacks since March. "If you think about what's in a health or medical record, there's a lot of information that could be used to create or falsify documents on an individual," says Madeline Allen, an assistant vice president in the cybertech practice at Lockton Companies, a Kansas City-based insurance broker. "So think about your medical record that contains not only your health information but also your name and address, your social security number, your date of birth, oftentimes a driver's license number. "All of those things can be used to impersonate you, whether it be to open a line of credit, apply for a loan, file a tax return – all of those things. Pretty much everything you need would be found in your health record," Allen says.
"If you can get a full health record on someone, it's pretty valuable information to the bad guys as they're looking to monetize that information." For health care institutions, Allen says, it's not so much a question of whether they will be attacked as when. As such, she says, apart from instituting technical measures, the most important thing they can do to ward off cyberattacks is to educate their employees. "Let them know that people are constantly trying to attack from all angles and the attacks are pretty sophisticated," she says. "It's very easy to click on a link thinking it's legitimate or respond to an email that looks legitimate when in fact it's not. So I think the education of employees and staff is perhaps the biggest step that health care facilities can take."
A phishing campaign is targeting customers of every major UK bank, with cybercriminals posing as customer support staff on Twitter in an attempt to steal users' online banking credentials. Easy to carry out but difficult to defend against, phishing is an increasingly popular weapon of choice for hackers. That's because, with an authentic-looking fake website, they can just sit back and scoop up data as victims unwittingly hand over their usernames and passwords. Phishing often relies on cybercriminals sending tailored emails to potential victims in an effort to lure them into giving up credentials or installing malware. However, cybersecurity researchers at Proofpoint have uncovered an Angler phishing campaign which, rather than being tailored to specific users, takes advantage of how they can often be careless on social media -- specifically Twitter. In this instance, cybercriminals monitor Twitter for users approaching genuine support accounts for banks, and attempt to hijack the conversation with a fake support page. This sort of phishing attack is unlikely to provide cybercriminals with the big score they'd hit if they targeted a corporate network, but it does enable the easy theft of credentials and small amounts of money -- and repeated success could become lucrative, and also provide criminals with access to other types of data which can be used to commit fraud. "In many of the examples we've seen, the hacker is not just collecting banking credentials. They also look for information like ATM PIN, credit/debit card numbers, security questions and answers, and even social security numbers.
With this information, they can circumvent some security measures, make purchases/withdrawals without online access, or create entirely new bogus accounts using the customer's information," says Celeste Kinswood at Proofpoint. Fortunately, there are some simple things users can do to ensure they don't become victims of this style of social media phishing attack. For starters, a real support account will be verified with a blue tick and won't directly ask for login credentials. A quick search for the real account should also demonstrate if the one contacting you is fake. Users may want to see their problems solved quickly, but taking ten seconds to verify who you're talking to will pay off in the long run.
Staff are still falling for phishing scams, with social media friend requests and emails pretending to come from the HR department among the ones most likely to fool workers into handing over usernames and passwords. Phishing scams aim to trick staff into handing over data -- normally usernames and passwords -- by posing as legitimate email. It's a technique used by the lowliest criminals as part of ransomware campaigns, right up to state-backed hackers, because it continues to be such an effective method. In a review of 100 simulated attack campaigns for 48 of its clients, accounting for almost a million individual users, security company MWR InfoSecurity found that sending a bogus friend request was the best way to get someone to click on a link -- even when the email was being sent to a work email address. Almost a quarter of users clicked the link to be taken through to a fake login screen, with more than half going on to provide a username and password, and four out of five then going on to download a file. A spoof email claiming to be from the HR department referring to the appraisal system was also very effective: nearly one in five clicked the link, and three-quarters provided their credentials, with a similar percentage going on to download a file. Some might argue that gaining access to a staff email account is of limited use, but the security company argues that it is a handy foothold for a wider assault. A hacker could dump entire mailboxes, access file shares, run programs on the compromised user's device, and access multiple systems, warned MWR InfoSecurity. Even basic security controls, such as two-factor authentication or disabling file and SharePoint remote access, could reduce the risk.
The company also reported bad news about the passwords that users handed over: while over 60 percent of passwords were found to have a length of 8 to 10 characters -- the mandatory minimum for many organizations -- the company argued that this illustrates how users stick to minimum security requirements. A third of the passwords consisted of an upper-case first letter, a series of lower-case letters, and then numbers with no symbols. It also found that 13.6 percent of passwords ended with four numbers in the range of 1940 to 2040. Of those, nearly half ended in 2016, which means one in twenty of all passwords end with the year in which they were created.
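The shapes MWR reports (a length that just meets the policy minimum, a capitalised word followed by digits, a trailing year) are the same ones worth counting in any credential set a simulation or a breach hands you. The script below is an added example, not MWR's analysis tooling: it classifies a list of passwords against those patterns and lists the ones that satisfy a bare length minimum yet follow the predictable word-plus-digits shape. The sample passwords are constructed for the example and the creation year is a parameter the caller supplies.

```python
import re
from collections import Counter

# Constructed sample of credentials of the kind a simulated campaign collects
# (not MWR's data; chosen to show the patterns the report describes).
SAMPLE_PASSWORDS = [
    "Summer2016", "Welcome1", "password", "Passw0rd!", "Hello2015",
    "Qwerty123", "Tr0ub4dor&3", "Football2016", "Monkey99", "Company2017",
]

# Capital letter, run of lower-case letters, then digits, nothing else.
CAP_LOWER_DIGITS = re.compile(r"^[A-Z][a-z]+\d+$")
# Four trailing digits in the 1940..2040 range.
YEAR_SUFFIX = re.compile(r"(19[4-9]\d|20[0-3]\d|2040)$")


def trailing_year(password):
    """The four-digit year a password ends with, or None."""
    m = YEAR_SUFFIX.search(password)
    return int(m.group(1)) if m else None


def audit(passwords, creation_year=None):
    """Count how many passwords fit each weak shape; raw counts, not percentages."""
    years = [trailing_year(p) for p in passwords]
    return {
        "total": len(passwords),
        "length_8_to_10": sum(1 for p in passwords if 8 <= len(p) <= 10),
        "cap_lower_digits": sum(1 for p in passwords if CAP_LOWER_DIGITS.match(p)),
        "year_suffix": sum(1 for y in years if y is not None),
        "year_is_creation_year": sum(1 for y in years if y == creation_year),
        "no_symbol": sum(1 for p in passwords if p.isalnum()),
        "year_histogram": Counter(y for y in years if y is not None),
    }


def policy_compliant_but_predictable(passwords, min_length=8):
    """Passwords that meet a bare length minimum yet follow the Word+digits shape:
    the population a length-only policy fails to protect."""
    return [p for p in passwords if len(p) >= min_length and CAP_LOWER_DIGITS.match(p)]


if __name__ == "__main__":
    print(audit(SAMPLE_PASSWORDS, creation_year=2016))
    print(policy_compliant_but_predictable(SAMPLE_PASSWORDS))
```

Run against a real set, the year histogram is usually the most persuasive output: a spike on the year a password policy forced a reset is direct evidence that users are incrementing a suffix rather than choosing new secrets, which is the behaviour the report describes.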
Check Point researchers today revealed a new vulnerability on WhatsApp and Telegram's online platforms – WhatsApp Web & Telegram Web. By exploiting this vulnerability, attackers could completely take over user accounts, and access victims' personal and group conversations, photos, videos and other shared files, contact lists, and more. The vulnerability allows an attacker to send the victim malicious code, hidden within an innocent looking image. As soon as the user clicks on the image, the attacker can gain full access to the victim's WhatsApp or Telegram storage data, thus giving full access to the victim's account. The attacker can then send the malicious file to all the victim's contacts, potentially enabling a widespread attack. Check Point disclosed this information to the WhatsApp and Telegram security teams on March 8, 2017. WhatsApp and Telegram acknowledged the security issue and developed fixes for worldwide web clients. "Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients," said Oded Vanunu, head of product vulnerability research at Check Point. WhatsApp Web users wishing to ensure that they are using the latest version are advised to restart their browser. WhatsApp and Telegram use end-to-end message encryption as a data security measure, to ensure that only the people communicating can read the messages, and nobody in between. Yet, the same end-to-end encryption was also the source of this vulnerability. Since messages were encrypted on the side of the sender, WhatsApp and Telegram were blind to the content, and were therefore unable to prevent malicious content from being sent.
After fixing this vulnerability, content will now be validated before the encryption, allowing malicious files to be blocked. Both web versions mirror all messages sent and received by the user on the mobile app, and are fully synced with users' devices.
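"Validated before the encryption" means the sending client has to decide, from the bytes alone, whether a file claiming to be an image really is one. The function below is an added example of that check and is not WhatsApp's or Telegram's code: it compares the declared MIME type with the file's leading bytes, rejects markup that has been labelled as an image, and rejects a genuine image that also contains a script tag (a polyglot). The accepted types, size cap and sample bytes are assumptions made for the example.

```python
# Magic bytes for the image types this example is willing to accept.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_TYPES = set(MAGIC) | {"image/webp"}
MARKUP_STARTS = (b"<!doctype", b"<html", b"<script", b"<svg", b"<?xml", b"<body", b"<iframe")


def sniff_image_type(data):
    """Actual image type by leading bytes, or None if unrecognised."""
    for mime, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return mime
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":   # RIFF container, WEBP form type
        return "image/webp"
    return None


def validate_attachment(declared_type, data, max_bytes=16 * 1024 * 1024):
    """Return (accepted, reason). Runs on the sending side before encryption,
    which is the step the fix described above adds."""
    declared = declared_type.split(";")[0].strip().lower()
    if declared not in ALLOWED_TYPES:
        return False, "type-not-allowed"            # e.g. image/svg+xml, text/html
    if len(data) > max_bytes:
        return False, "too-large"
    actual = sniff_image_type(data)
    if actual is None:
        head = data[:512].lstrip().lower()
        if head.startswith(MARKUP_STARTS):
            return False, "markup-disguised-as-image"
        return False, "unrecognised-content"
    if actual != declared:
        return False, "declared-%s-actual-%s" % (declared, actual)
    # A valid header does not rule out a polyglot: reject active content anywhere in the body.
    if b"<script" in data.lower():
        return False, "script-inside-image"
    return True, "ok"


# Constructed samples: a minimal PNG header, and HTML sent under an image type.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_HTML_AS_IMAGE = b"<html><body><script>fetch('/session')</script></body></html>"

if __name__ == "__main__":
    print(validate_attachment("image/png", SAMPLE_PNG))
    print(validate_attachment("image/jpeg", SAMPLE_HTML_AS_IMAGE))
```

The order matters: allow-listing the declared type first keeps SVG and HTML out regardless of content, and the magic-byte comparison catches the case the article describes, where the declared type is a harmless image but the bytes are something a browser will execute. For real deployments a re-encode of the image (decode and write it out again) is the stronger follow-up, since it discards any trailing data a signature check cannot reason about.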
Wishbone, the social media-based quiz app for teens and young adults, has been compromised, leading to more than 9.4 million records going up for sale on the Dark Web. The breach gave the attackers access to Wishbone users' user names, any real or nicknames provided by users during account registration, email addresses and telephone numbers, according to an email sent by the company to users, posted to Pastebin. According to independent researcher Troy Hunt, the database was a MongoDB file that may have been inadvertently left open to the internet. The leak may have stemmed from a vulnerability in a Wishbone API, the company confirmed to Motherboard—one that the company has now closed, it said. Parents should look through the settings of Wishbone, and any other app their children are using, to see if any personal information is stored in them. And, having a talk with kids about the dangers of exposing information should be at the top of the to-do list. Hunt has also published the leak to his searchable HaveIBeenPwned database, so parents can find out if their child is a victim. "Teenagers today are constantly connected and sharing all aspects of their daily life is normal as there is a lot of peer pressure to participate in social apps," said Sanjay Kalra, co-founder and chief product officer at Lacework, a provider of cloud security solutions. "Being a parent of [a] teenager in this hyper-social environment is a scary aspect. You cannot control information once exposed. Parents should be in constant communication with their teenagers, explaining the risks associated with information sharing and training them on basics of internet security.
They should be educating them on how to use multiple strong passwords, anonymization of the data and identities and long-term effects of having personal aspects of life in public domain."
We recently became aware of unauthorised access to the web server supporting abta.com by an external infiltrator exploiting a vulnerability. Specialist technical consultants subsequently confirmed that the web server had been accessed. We are not aware of any information being shared beyond the infiltrator. We are actively monitoring the situation, but as a precautionary measure we are taking steps to warn both customers of ABTA Members and ABTA Members who have the potential to be affected. We are today contacting these people and providing them with information and guidance to help keep them safe from identity theft or online fraud. We have also alerted the relevant authorities, including the Information Commissioner and the Police. I would personally like to apologise for the anxiety and concern that this incident may cause to any customer of ABTA or ABTA Member who may be affected. It is extremely disappointing that our web server, managed for ABTA through a third party web developer and hosting company, was compromised, and we are taking every step we can to help those affected. I will personally be working with the team to look at what we can learn from this situation. Outlined below, we have answered further questions, which include some guidance for customers of ABTA and ABTA Members. We recently became aware of unauthorised access to the abta.com web server by an external infiltrator. This was possible due to a system vulnerability that the infiltrator exploited to access some data provided by some customers of ABTA Members and by ABTA Members themselves. On immediate investigation, we identified that although ABTA's own IT systems remained secure, there was a vulnerability to the web server for abta.com, which is managed for ABTA through a third-party web developer and hosting company.
As a precautionary measure we have taken steps to warn Members and customers of ABTA Members who have the potential to be affected. We have contacted those people and provided them with information and guidance to help keep them safe from identity theft or online fraud. These steps include two dedicated helplines, for customers of ABTA Members and for ABTA Members, and free access to an identity theft protection service offered by Experian. We have also alerted the relevant authorities, including the Information Commissioner and the Police. The unauthorised access may have affected approximately 43,000 individuals. Around 1,000 of these are files that may include personal identity information of customers of ABTA Members (in support of their complaint about an ABTA Member), uploaded since 11 January 2017; around 650 may include personal identity information of ABTA Members. The vast majority of the 43,000 relate to people who have registered on abta.com, with email addresses and encrypted passwords, or have filled in an online form with basic contact details, which are types of data at a very low exposure risk to identity theft or online fraud. We have provided specific guidance information, including contact details for a dedicated helpline to assist with any further questions. If you think you have been a victim of fraud, report it to Action Fraud online at www.actionfraud.police.uk or call 0300 123 2040.
The recent political furor over state sponsored hacking took an ugly and dangerous turn on the morning of December 30th, when a tiny Vermont electric utility reported that Grizzly Steppe – the spear-phishing process used to access DNC emails – had been found on one of their systems. Vermont Governor Peter Shumlin issued a statement accusing Vladimir Putin of attempting to hack Vermont's electrical grid, and many others followed suit. And there appears to be a good chance that the malicious code found on a Burlington Electric laptop is evidence of a state sponsored cyberattack. Following the initial news cycle, some pundits dismissed the finding as a non-story. It's true, the laptop was "not connected to the power grid systems", and there is no proof yet that the Russians were involved. It's also true that the Russian built Grizzly Steppe hacking code is widely available on the dark internet, and anyone could have put it on that laptop. According to Ukrainian energy provider Ukrenergo, a second major outage on December 17, 2016, may have been caused by a similar cyber-attack. Attacks on critical infrastructure typically require a long, slow, low-profile campaign, beginning with subtle, difficult to detect maneuvers, like slipping malware on laptop computers. Two years prior to the first Ukraine incident, hackers began attempting to acquire legitimate login credentials by hacking non-operational systems at Ukrainian utilities – systems very much like Burlington Electric's laptop. According to a Booz Allen analysis, spear-phishing emails containing weaponized Microsoft Word, Excel, and PowerPoint files, exactly the type of files typically found on laptop computers, were sent to Ukraine electric utility employees as early as May 2014.
Once legitimate login credentials were discovered through these seemingly minor attacks on non-operational systems, the hackers used them to access critical Industrial Control Systems (ICS) in order to shut off breakers, shut down uninterruptible power supplies (UPS), destroy Human Machine Interface (HMI) systems, and destroy Serial-to-Ethernet devices at substations.
FBI's Cyber Division has sent out another notification to healthcare organizations, alerting them to the danger of cyber criminals using their FTP servers for various malicious purposes. "The FBI is aware of criminal actors who are actively targeting File Transfer Protocol (FTP) servers operating in 'anonymous' mode and associated with medical and dental facilities to access protected health information (PHI) and personally identifiable information (PII) in order to intimidate, harass, and blackmail business owners," says the notification. FTP servers in anonymous mode allow a user to authenticate with a common username ("anonymous" or "ftp") and no password, the FBI explained. In the past, cyber criminals have been known for compromising hospitals through vulnerable JBoss servers, and other organizations through unsecured remote desktop servers. The FBI urged medical and dental healthcare organizations to check their networks for FTP servers running in anonymous mode, and to make a configuration change that would disallow that kind of access. "If businesses have a legitimate use for operating a FTP server in anonymous mode, administrators should ensure sensitive PHI or PII is not stored on the server," they noted.
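Checking for the condition the FBI describes has two halves: read the server's configuration, and confirm from the outside that an anonymous login is really accepted. The script below is an added example, not part of the FBI notice: it audits vsftpd-style configuration text (anonymous_enable and anon_upload_enable are real vsftpd keys, and vsftpd.conf(5) documents anonymous_enable as defaulting to YES when the line is absent) and offers a live probe built on Python's ftplib, whose login() with no arguments sends the anonymous/anonymous@ pair the notice refers to. The configuration fragments are constructed; the probe touches the network and must only be pointed at hosts you are authorised to test.

```python
import ftplib
import socket

# Constructed vsftpd.conf fragments: the exposed setting and the corrected one.
SAMPLE_WEAK_CONF = """\
listen=YES
# anyone can log in as 'anonymous' or 'ftp' with no password
anonymous_enable=YES
anon_upload_enable=YES
local_enable=NO
"""
SAMPLE_FIXED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
"""


def parse_vsftpd_conf(text):
    """Key/value map of a vsftpd.conf; later lines override earlier ones."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().upper()
    return settings


def audit_vsftpd_conf(text):
    """Findings for the settings the FBI notice is about. An absent
    anonymous_enable line counts as YES, per vsftpd.conf(5)."""
    s = parse_vsftpd_conf(text)
    anon = s.get("anonymous_enable", "YES") == "YES"
    return {
        "anonymous_enable": anon,
        "anon_upload_enable": anon and s.get("anon_upload_enable", "NO") == "YES",
    }


def probe_anonymous_login(host, port=21, timeout=5.0):
    """Try the anonymous login against a live server.
    Returns (True, listing) when accepted, (False, reply) when refused,
    (None, error) when the server could not be reached."""
    ftp = ftplib.FTP(timeout=timeout)
    try:
        ftp.connect(host, port)
        ftp.login()  # ftplib defaults: user 'anonymous', password 'anonymous@'
        listing = ftp.nlst()  # what an anonymous visitor would see
        ftp.quit()
        return True, listing
    except ftplib.error_perm as exc:
        return False, str(exc)
    except (OSError, socket.timeout, ftplib.Error) as exc:
        return None, str(exc)


if __name__ == "__main__":
    print("weak :", audit_vsftpd_conf(SAMPLE_WEAK_CONF))
    print("fixed:", audit_vsftpd_conf(SAMPLE_FIXED_CONF))
```

The directory listing the probe returns is the artefact to keep: if it contains anything that looks like patient or billing data, the server fails the second half of the FBI's advice even when anonymous mode is intentional. Upload permission (anon_upload_enable) is reported separately because a writable anonymous share is also a free hosting location for attackers, independent of any data already on it.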
Many people at GC are receiving one of the more popular phishing scam emails. It appears to be from Microsoft, a "Security Alert" wanting you to revalidate your account. If you did click on the email, please reset your Unify password (and subsequent email password) at password.gcsu.edu. The message reads: "We think that someone else might have accessed the Microsoft account ********@gcsu.edu. When this happens we require you to verify your identity with a security challenge and then change your password the next time you sign in. If someone else has access to your account, they have your password and might be trying to access your personal information or send junk email."
While the company was able to avoid falling victim to the ransomware, the attackers may have been able to access patient data. On February 6, 2017, an employee noticed that a virus had begun encrypting the practice's servers. The encryption process was slowed by the company's anti-virus software, and ABCD's IT company was able to take its servers offline and identify the virus as Dharma Ransomware, a variant of Crysis for which decryption tools are available. "ABCD's IT company reported that these virus strains typically do not exfiltrate ('remove') data from the server; however, exfiltration could not be ruled out," the company said in a statement. "Also, during the analysis of ABCD's servers and computers, suspicious user accounts were discovered, suggesting that hackers may have accessed portions of ABCD's network." The IT company was able to remove the virus and all corrupt data from its servers, and successfully restored all affected data from a secure backup. "As a result, no confidential information was lost or destroyed, including protected health information," the company said.
Listed telecom operator Safaricom has become the latest corporate institution to come under a cyber attack. According to Safaricom, the hackers attempted to gain access to its system with the intention of gaining access to customer funds on its mobile money transfer platform M-Pesa. The telecom termed the breach an elaborate cyber crime fraud attempt. Safaricom chief executive officer Bob Collymore said the firm's risk management unit detected the intrusion and immediately escalated the incident to the security agencies. The Safaricom boss however sought to assure customers that there was no cause for worry as no money had been lost. "This matter is being treated with the seriousness it deserves with the suspects due to be arraigned in court. I wish to assure our customers that all their data is safe and we have no evidence of any money being removed from the system," Mr Collymore said in a statement to newsrooms. One method used by the hackers to access customer information was a SIM swap that gives the fraudster access to a customer's SIM card. In the reported case, they managed to access Sh266,000 from one customer. Safaricom however says the funds were refunded once the breach was detected. M-Pesa is the largest mobile money transfer system in the country and has also been linked to several banks. Safaricom has partnered with the KCB Group and the Commercial Bank of Africa (CBA) to create mobile accounts that enable customers to deposit, transfer and request loans. In March, authorities discovered a cybercrime syndicate that had infiltrated the Kenya Revenue Authority (KRA), several blue chip companies as well as a supermarket chain. In the case of KRA, some Sh4 billion was said to be at risk from the cyber attack. Mr Collymore said the firm routinely and proactively implements preventative and detective controls around its information security on all its platforms.
On April 14, the company disclosed to the California attorney general that a December 2015 breach compromised more sensitive information than first thought. It also disclosed new attacks from earlier this year that exposed names, contact information, email addresses and purchase histories, although the retailer says it repelled most of the attacks. The dual notifications mark the latest problems for the company, which disclosed in early 2014 that its payment systems were infected with malware that stole 350,000 payment card details. Over the past few years, retailers such as Target, Home Depot and others have battled to keep their card payments systems malware-free (see Neiman Marcus Downsizes Breach Estimate). The 2015 incident started around Dec 26. In a notification to California about a month later, the retailer said it was believed attackers cycled through login credentials that were likely obtained through other data breaches. A total of 5,200 accounts were accessed, and 70 of those accounts were used to make fraudulent purchases. Although email addresses and passwords were not exposed, the original notification noted, access to the accounts would have revealed names, saved contact information, purchase histories and the last four digits of payment card numbers. The affected websites included other brands run by Neiman Marcus, including Bergdorf Goodman, Last Call, CUSP and Horchow. According to its latest notification, however, Neiman Marcus Group now says full payment card numbers and expiration dates were exposed in the 2015 incident. The latest attack disclosed by Neiman Marcus Group, which occurred around Jan 17, mirrors the one from December 2015.
It affects the websites of Neiman Marcus, Bergdorf Goodman, Last Call, CUSP, Horchow and a loyalty program called InCircle. Again, the company believes that attackers recycled other stolen credentials in an attempt to see which ones still worked on its sites. It appears that some of the credentials did unlock accounts. The breach exposed names, contact information, email addresses, purchase histories and the last four digits of payment card numbers. It didn't specify the number of accounts affected. The attackers were also able to access some InCircle gift card numbers, the company says. Web services can slow down hackers when suspicious activity is noticed, such as rapid login attempts from a small range of IP addresses. Those defensive systems can be fooled, however, by slowing down login attempts and plausibly varying the geographic origin of those attempts. For those affected by the January incident, Neiman Marcus Group is enforcing a mandatory password reset. It's an action that's not undertaken lightly for fear of alienating users, but it's a sign of how serious a service feels the risk is to users or customers. The company also is offering those affected a one-year subscription to an identity theft service.
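The evasion the article mentions (slow the attempts down and spread them across addresses) defeats a per-IP rate limit, but it cannot hide the other side of credential recycling: one account collecting failures from many unrelated addresses. The script below is an added example and is not Neiman Marcus's detection logic: it runs both rules over a constructed login log, a per-IP rule that catches the fast single-source case and a per-account rule that catches the slow distributed case, so the reader can see which rule fires on which pattern. The log format, thresholds and windows are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone


def _build_sample_log():
    """Constructed login records (not Neiman Marcus data): 'timestamp ip user result'."""
    lines = []
    # One address cycling through twelve accounts inside two minutes.
    for i in range(12):
        lines.append("2017-01-17T02:%02d:%02dZ 198.51.100.7 user%d@example.com FAIL"
                     % (i // 6, (i % 6) * 10, i))
    # One account tried once each from six addresses, spread over six hours:
    # each address looks harmless on its own, which is the evasion described above.
    for i in range(6):
        lines.append("2017-01-17T%02d:15:00Z 203.0.113.%d bob@example.com FAIL" % (3 + i, i + 1))
    # Ordinary user: two typos, then success, from one address.
    lines += ["2017-01-17T09:00:00Z 192.0.2.10 carol@example.com FAIL",
              "2017-01-17T09:00:20Z 192.0.2.10 carol@example.com FAIL",
              "2017-01-17T09:00:40Z 192.0.2.10 carol@example.com OK"]
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_events(lines):
    """-> sorted list of (epoch_seconds, ip, user, success)."""
    events = []
    for line in lines:
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((int(when.timestamp()), ip, user, result == "OK"))
    events.sort()
    return events


def _windowed_distinct(events, key_of, value_of, window, threshold, failures_only):
    """For each key, count distinct values seen within `window` seconds of the
    current event; report keys that reach `threshold` (with the peak count)."""
    history = defaultdict(list)
    flagged = {}
    for ev in events:
        if failures_only and ev[3]:
            continue
        key, value, now = key_of(ev), value_of(ev), ev[0]
        recent = [(t, v) for t, v in history[key] if now - t <= window]
        recent.append((now, value))
        history[key] = recent
        distinct = len({v for _, v in recent})
        if distinct >= threshold:
            flagged[key] = max(flagged.get(key, 0), distinct)
    return flagged


def fast_single_source(events, window=300, threshold=10):
    """Per-IP rule: many different accounts from one address in a short window."""
    return _windowed_distinct(events, lambda e: e[1], lambda e: e[2], window, threshold, False)


def slow_distributed(events, window=86400, threshold=5):
    """Per-account rule: failures for one account from many addresses over a
    long window, which the slowed-down, geographically spread variant cannot avoid."""
    return _windowed_distinct(events, lambda e: e[2], lambda e: e[1], window, threshold, True)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("fast single-source:", fast_single_source(ev))
    print("slow distributed  :", slow_distributed(ev))
```

The per-account rule is the one that survives the evasion, but it is also the one an attacker can weaponise as a lockout tool, so its output should drive a step-up (password reset or second factor on next successful login) rather than an outright block. A third signal worth adding in practice is the ratio of failed logins across all accounts in a day compared with the site's baseline; a credential-recycling run moves that number even when every individual address and account stays under threshold.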
The mysterious group that claims to have stolen digital weapons once used by the National Security Agency published a trove of active Microsoft Windows software exploits on Thursday. The code dump, accompanied by a farewell message written in broken English by the enigmatic group the Shadow Brokers, confirms claims implicit in an earlier post Sunday. While the prior message showed filenames, directories and screenshots — implying the existence of these capabilities — along with an associated price tag, today's download provides functional code. Of the 61 files provided in total in the newly released set, only one had ever been catalogued by anti-virus databases, based on a VirusTotal scan conducted earlier Thursday morning. The files contain user mode and kernel mode modules. Notably, the one tool effectively recognized by the virus scanner avoided detection from Malwarebytes, Panda, Comodo and Fortinet products, said Rendition Infosec founder Jake Williams. In their supposed final message, the Shadow Brokers say they are "making [an] exit" and "going dark" — although an associated bitcoin wallet will remain open for new bids. The group claims it will come out of hiding to provide the remaining stolen hacking tools only upon receiving 10,000 bitcoin, or $8.13 million worth of the anonymous currency. Cybersecurity experts tell CyberScoop the exploits are outdated because they are designed to work against old versions of Microsoft operating systems. "This dump contains Windows implants and not Unix tools, reinforcing the insider theory. And the outdated Windows target of those implants reinforces the opinion that Shadow Brokers only has old dirt," said Matt Suiche, founder of United Arab Emirates-based cybersecurity startup Comae Technologies. "There is no reason to have all the tools of every platform etc.
The exploits can be understood as highly advanced hacking tools that were likely developed and deployed by a sophisticated adversary, like an intelligence service, explained Michael Zeberlein, director of intelligence analysis with Area 1 Security. "They're basically enterprise class IT infrastructure and systems management functions applied in an offensive fashion. They would help you get very granular control of computers and servers running in an enterprise environment, an entire organization," Zeberlein told CyberScoop. "Really, these tools provide incredible capability." "There's no doubt that this is Equation Group's stuff based on old reporting," said Zeberlein. A meticulous analysis associated with Sunday's blog post suggests that the leaked information likely came from an insider, rather than a hacker with access to a compromised attack server, based on file configurations, CyberScoop first reported. "Attackers and defenders around the globe will be reverse engineering these to repurpose [attacks] and create defenses," Williams said. "This data, it's a big deal … because it includes information related to client and server components, which will basically help [intelligence analysts] trace old breaches back to the Equation Group," a former U.S. intelligence official told CyberScoop on the condition of anonymity. The Shadow Brokers first emerged on social media in August by similarly dumping operational code for a cohort of old firewall exploits that targeted vulnerabilities in Cisco, Fortinet and Juniper Networks products. Because the source code for these firewall exploits was provided in a public forum, random hackers began using the tools themselves.
"While we cannot surmise the attacker's [Shadow Brokers] identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation Group," Kaspersky Lab researchers, many of whom originally helped identify Equation Group's existence in 2015, wrote in a company blog post in August. The Equation Group is believed to have ties to the NSA.
Northrop Grumman has admitted one of its internal portals was broken into, exposing employees' sensitive tax records to miscreants. In a letter [PDF] to workers and the California Attorney General's office, the aerospace contractor said that between April 18, 2016 and March 29, 2017, crooks infiltrated the website, allowing them to access staffers' W-2 paperwork for the 2016 tax year. These W-2 forms can be used by identity thieves to claim tax rebates owed to employees, allowing the crims to pocket victims' money. The corp sent out its warning letters on April 18, the last day to file 2016 tax returns. "The personal information that may have been accessed includes your name, address, work email address, work phone number, Social Security number, employer identification number, and wage and tax information, as well as any personal phone number, personal email address, or answers to customized security questions that you may have entered on the W-2 online portal," the contractor told its employees. The Stealth Bomber maker says it will provide all of the exposed workers with three years of free identity-theft monitoring services. Northrop Grumman has also disabled access to the W-2 portal through any method other than its internal single sign-on tool. The aerospace giant said it farmed out its tax portal to Equifax Workforce Solutions, which was working with the defense giant to get to the bottom of the intrusion. "Promptly after confirming the incident, we worked with Equifax to determine the details of the issue," Northrop told its teams. "Northrop Grumman and Equifax are coordinating with law enforcement authorities to assist them in their investigation of recent incidents involving unauthorized actors gaining access to individuals' personal information through the W-2 online portal."

According to Equifax, the portal was accessed not by hackers but by someone using stolen login details. "We are investigating alleged unauthorized access to our online portal where a person or persons using stolen credentials accessed W-2 information of a limited number of individuals," an Equifax spokesperson told El Reg on Monday. "Based on the investigation to date, Equifax has no reason to believe that its systems were compromised or that it was the source of the information used to gain access to the online portal."
The attack was discovered when the perpetrators attempted a fraudulent wire transfer of money. A phishing email attack potentially compromised the accounts of as many as 18,000 current and former employees of media company Gannett Co. As of Tuesday there was no indication of access to or acquisition of any sensitive personal data from employees' accounts, said the company. Gannett Co. (GCI) is the owner of USA TODAY, the publisher of this report, and 109 local news properties across the United States. The attack was discovered on March 30 and investigated by Gannett's cybersecurity team. It appeared to originate in emails to human resources staff. The 18,000 current and former employees of the company will be sent notices about the incident and an offer of credit monitoring via the US Postal Service. No customer account information was touched by the phishing attack. They will be provided with an offer of credit monitoring because employee information was potentially available through some of the affected account login credentials before the accounts were locked down. Phishing attacks are a common method used by attackers to infiltrate computer networks. They typically consist of faked emails sent to an employee that entice them to click on a link that unleashes malicious software that can compromise their computer accounts. Once in a network, attackers can then leapfrog to other accounts, working their way deeper into the system. In the Gannett attack, the infiltration was discovered when the perpetrator attempted to use a co-opted account for a fraudulent corporate wire transfer request. The attempt was identified by Gannett's finance team as suspicious and was unsuccessful.
DocuSign, a major provider of electronic signature technology, acknowledged today that a series of recent malware phishing attacks targeting its customers and users was the result of a data breach at one of its computer systems. The company stresses that the data stolen was limited to customer and user email addresses, but the incident is especially dangerous because it allows attackers to target users who may already be expecting to click on links in emails from DocuSign. San Francisco-based DocuSign warned on May 9 that it was tracking a malicious email campaign where the subject line reads, "Completed: docusign.com – Wire Transfer Instructions for recipient-name Document Ready for Signature." The missives contained a link to a downloadable Microsoft Word document that harbored malware. The company said at the time that the messages were not associated with DocuSign, and that they were sent from a malicious third party using DocuSign branding in the headers and body of the email. But in an update late Monday, DocuSign confirmed that this malicious third party was able to send the messages to customers and users because it had broken in and stolen DocuSign's list of customers and users. "As part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core system that allows us to communicate service-related announcements to users via email," DocuSign wrote in an alert posted to its site. "A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign's eSignature system was accessed; and DocuSign's core eSignature service, envelopes and customer documents and data remain secure." The company is asking people to forward any suspicious emails related to DocuSign to spam@docusign.com, and then to delete the missives. "They may appear suspicious because you don't recognize the sender, weren't expecting a document to sign, contain misspellings (like 'docusgn.com' without an 'i' or @docus.com), contain an attachment, or direct you to a link that starts with anything other than https://www.docusign.com or https://www.docusign.net," reads the advisory. If you have reason to expect a DocuSign document via email, don't respond to an email that looks like it's from DocuSign by clicking a link in the message. When in doubt, access your documents directly by visiting docusign.com, and entering the unique security code included at the bottom of every legitimate DocuSign email. DocuSign says it will never ask recipients to open a PDF, Office document or ZIP file in an email. DocuSign was already a perennial target for phishers and malware writers, but this incident is likely to intensify attacks against its users and customers. DocuSign says it has more than 100 million users, and it seems all but certain that the criminals who stole the company's customer email list are going to be putting it to nefarious use for some time to come.
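The indicators in DocuSign's advisory (lookalike domains, attachments, links not beginning with https://www.docusign.com or https://www.docusign.net) can be turned into a mail-triage check. This is an added example, not DocuSign's own tooling; the Message class and the two sample messages are constructed, and the link test is applied to the parsed hostname, which is deliberately stricter than the advisory's literal "starts with" rule.

```python
"""Triage of DocuSign-branded e-mail using the indicators in DocuSign's advisory.

Added example for this page, not DocuSign's code. Message and the samples
below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from urllib.parse import urlparse

LEGIT_SENDER_DOMAINS = {"docusign.com", "docusign.net"}
# Checked on the parsed hostname, so "https://www.docusign.com.evil.net/" fails
# even though it literally starts with the advisory's allowed prefix.
LEGIT_LINK_HOSTS = {"www.docusign.com", "www.docusign.net"}
# The advisory says DocuSign never asks recipients to open these in an e-mail.
RISKY_ATTACHMENT_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".zip")
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def lookalike_domain(domain: str) -> bool:
    """True for domains trading on the DocuSign name without being docusign.com/.net:
    the advisory's 'docusgn.com' (dropped letter), 'docus.com' (truncated), or the
    brand used as a subdomain of someone else's domain."""
    labels = domain.lower().strip().split(".")
    if ".".join(labels[-2:]) in LEGIT_SENDER_DOMAINS:
        return False
    if any("docusign" in lab for lab in labels):
        return True
    second_level = labels[-2] if len(labels) > 1 else labels[0]
    return SequenceMatcher(None, second_level, "docusign").ratio() >= 0.75


def legit_link(url: str) -> bool:
    """Only https links whose host is exactly www.docusign.com or www.docusign.net pass."""
    parsed = urlparse(url)
    return parsed.scheme.lower() == "https" and (parsed.hostname or "").lower() in LEGIT_LINK_HOSTS


def triage(msg: Message) -> list:
    """Return the advisory indicators that fire. An empty list means none of the
    checkable indicators did; it cannot tell whether you were expecting the document."""
    reasons = []
    sender_domain = msg.sender.rsplit("@", 1)[-1]
    if lookalike_domain(sender_domain):
        reasons.append("lookalike-sender:" + sender_domain)
    for url in URL_RE.findall(msg.body):
        if not legit_link(url):
            reasons.append("bad-link:" + url)
    for name in msg.attachments:
        if name.lower().endswith(RISKY_ATTACHMENT_EXT):
            reasons.append("attachment:" + name)
    return reasons


# Constructed samples modelled on the campaign described in the article.
PHISH = Message(
    sender="dse@docusgn.com",
    subject="Completed: docusign.com – Wire Transfer Instructions for recipient-name Document Ready for Signature",
    body="Your document is ready. Review it here: http://docusgn.com/sign/7f3a",
    attachments=["Wire_Transfer_Instructions.doc"],
)
LEGIT = Message(
    sender="dse@docusign.net",
    subject="Please DocuSign: Lease Agreement",
    body="Review: https://www.docusign.net/Signing/EmailStart.aspx?a=1  Security code: 0000-0000",
)

if __name__ == "__main__":
    for label, m in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(m) or "no indicators fired")
```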
Anonymous hackers have stolen and leaked 1.9 million email addresses and some 1,700 names and active phone numbers of Bell Canada customers. The company has not shared where the stolen information was stored and how the attackers managed to access it, because the Royal Canadian Mounted Police cyber crime unit's investigation into the matter is still ongoing. But, according to a brief statement, the affected systems have been secured, the Office of the Privacy Commissioner of Canada informed, and affected users notified directly (either via email or phone). "There is no indication that any financial, password or other sensitive personal information was accessed," the company noted, and added that the incident is not connected to the recent global WannaCry malware attacks. They've also warned customers to be on the lookout for phishing emails or calls impersonating the company and asking the customers for credit card or personal information. According to The Globe and Mail, the attackers are threatening to release more of the stolen data if the telecom company doesn't co-operate with them. It's unclear what they mean by co-operating, but it's more than likely that they've asked to be paid in order not to release the stolen information. Bell Canada has known about the breach since at least last Wednesday, when they notified the commissioner's office of it.
OneLogin, an online service that lets users manage logins to sites and apps from a single platform, says it has suffered a security breach in which customer data was compromised, including the ability to decrypt encrypted data. Headquartered in San Francisco, OneLogin provides single sign-on and identity management for cloud-based applications. OneLogin counts among its customers some 2,000 companies in 44 countries, over 300 app vendors and more than 70 software-as-a-service providers. A breach that allowed intruders to decrypt customer data could be extremely damaging for affected customers. After OneLogin customers sign into their account, the service takes care of remembering and supplying the customer's usernames and passwords for all of their other applications. In a brief blog post Wednesday, OneLogin chief information security officer Alvaro Hoyos wrote that the company detected unauthorized access to OneLogin data. "Today we detected unauthorized access to OneLogin data in our US data region. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident. We want our customers to know that the trust they have placed in us is paramount." "While our investigation is still ongoing, we have already reached out to impacted customers with specific recommended remediation steps and are actively working to determine how best to prevent such an incident from occurring in the future and will update our customers as these improvements are implemented." OneLogin's blog post includes no other details, aside from a reference to the company's compliance page. The company has not yet responded to a request for comment.

However, Motherboard has obtained a copy of a message OneLogin reportedly sent to its customers about the incident, and that missive contains a critical piece of information: "Customer data was compromised, including the ability to decrypt encrypted data," reads the message OneLogin sent to customers. According to Motherboard, the message also directed customers to a list of required steps to minimize any damage from the breach, such as generating new API keys and OAuth tokens (OAuth being a system for logging into accounts), creating new security certificates as well as credentials; recycling any secrets stored in OneLogin's Secure Notes feature; and having end-users update their passwords. Gartner Inc. financial fraud analyst Avivah Litan said she has long discouraged companies from using cloud-based single sign-on services, arguing that they are the digital equivalent to an organization putting all of its eggs in one basket. "It's just such a massive single point of failure," Litan said. "And this breach shows that other [cloud-based single sign-on] services are vulnerable, too. This is a big deal and it's disruptive for victim customers, because they have to now change the inner guts of their authentication systems and there's a lot of employee inconvenience while that's going on." KrebsOnSecurity will likely update this story throughout the day as more details become available. "Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US. Evidence shows the attack started on May 31, 2017 around 2 am PST. Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance. OneLogin staff was alerted to unusual database activity around 9 am PST and within minutes shut down the affected instance as well as the AWS keys that were used to create it." "The threat actor was able to access database tables that contain information about users, apps, and various types of keys. While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data. We are thus erring on the side of caution and recommending actions our customers should take, which we have already communicated to our customers."
A hacker that goes by the nickname of Cipher0007 has hacked the Sanctuary Dark Web marketplace. The hacker announced the breach a few hours ago and also posted proof of his intrusion. According to Cipher0007, the hack took place after he found an SQL injection flaw in the market's database. The hacker claims he used the SQL injection flaw to upload a shell on the market's server. He then used this backdoor to access various parts of the backend and dumped the private key used to generate the market's .onion URL. Cipher0007 also says he used the market's phpMyAdmin installation to dump details on the database configuration and other login information. At the time of writing, the market's phpMyAdmin login page was still exposed to external connections. To prove his claims, the hacker posted online a screengrab taken while uploading the shell to the Sanctuary market's server, the market's 1024-bit RSA private key, and the market's root account database login information. The Sanctuary market is a small Dark Web market, and one of the few places where digital products such as data dumps, malware, and others are far more prevalent than drugs and weapons. The admin of the Sanctuary market did not respond to a request for comment from Bleeping Computer in time for this article's publication. Cipher0007 has a reputation in the hacking underground already. In January, the hacker collected an unspecified Bitcoin reward for reporting a bug to the AlphaBay staff that would have allowed an attacker access to over 218,000 private messages. AlphaBay is today's biggest Dark Web market, and access to those PMs would have allowed an attacker insight into the operations of many sellers and vendors.
Insecure backend databases and mobile apps are making for a dangerous combination, exposing an estimated 280 million records that include a treasure trove of private user data. According to a report by Appthority, more than 1,000 apps it looked at on mobile devices leaked personally identifiable information that included passwords, location, VPN PINs, emails and phone numbers. The Appthority Mobile Threat Team called the vulnerability HospitalGown and said the culprits behind the threat are misconfigured backend storage platforms including Elasticsearch, Redis, MongoDB and MySQL. "HospitalGown is a vulnerability to data exposure caused, not by any code in the app, but by the app developers' failure to properly secure the backend servers with which the app communicates," wrote the authors of the report released Wednesday. According to Seth Hardy, director of security research, the problem is a byproduct of the insecure database installations that made headlines in February. That's when misconfigured and insecure MongoDB, Hadoop and CouchDB installations became popular extortion targets for hackers who were scanning for vulnerable servers to attack. The weak link in the chain when it comes to HospitalGown is the insecure servers that apps connect to, Hardy said. During the course of Appthority's investigation, it found 21,000 open Elasticsearch servers, revealing more than 43 terabytes of exposed data. In one scenario, the attacker looks for vulnerabilities in the space between the vendor's mobile application and the app's server-side components, according to researchers.
"The servers for most mobile applications are cloud based and accessible via the Internet; this allows a bad actor to skip the long and potentially many-layered 'compromise' stage of an attack, accessing company data directly from a database that is impossible for the enterprise to see or secure," they wrote. Researchers said the vulnerable mobile apps they found ran the gamut, from office productivity, enterprise access management, games and dating to travel, flight and hotel applications. Any personally identifiable data a user shared with the app was vulnerable to possible exfiltration by a hacker. "These servers were accessible from the Internet, lacked any means of authentication to prevent unwanted access to the data they contained, and failed to secure transport of data, including PII, using HTTPS conventions," according to the report. While this is strictly a data security issue, Appthority said, attacks can quickly escalate and personal information could easily be leveraged in a spear phishing attack or brute force attack. In its report, Appthority showed how a mobile VPN app called Pulse Workspace, used by enterprises, government agencies and service providers, leaked data. While Pulse Workspace created an API to secure front-end Elasticsearch access, the backend, and all of the app's data records, were exposed and leaked Pulse customer data. Appthority notified Pulse Workspace and its customers of the vulnerability, which has since been fixed.
Appthority is careful to point out that each of the platforms it examined – Elasticsearch, Redis, MongoDB, and MySQL – has plugins that allow for proper public exposure on the internet. "Best practices on secure data stores are just not being adopted in too many cases," Hardy said. Elasticsearch, for example, has a bevy of security and data protection capabilities, such as being able to encrypt all the data that's on the platform. Increasing the risk of HospitalGown-type attacks is the fact that many apps Appthority looked at seemed benign in terms of shared user data. But, increasingly, apps have advertising components that collect personally identifiable data that can be mined by hackers for phishing or ransomware attacks. App developers and system administrators need to know where their data is stored and make sure it is secured, Hardy told Threatpost.
Phishing and other hacking incidents have led to several recently reported large health data breaches, including one that UConn Health reports affected 326,000 individuals. In describing a phishing attack, UConn Health says that on Dec. 24, 2018, it determined that an unauthorized third party illegally accessed a limited number of employee email accounts containing patient information, including some individuals' names, dates of birth, addresses and limited medical information, such as billing and appointment information. The accounts also contained the Social Security numbers of some individuals. Several other healthcare entities also have recently reported to federal regulators data breaches involving apparent phishing and other email-related attacks. "All of these incidents speak to the rampant attacks we are seeing across healthcare, and yet organizations are still not investing enough in protection or detection," says Mac McMillan, CEO of security consulting firm CynergisTek. UConn Health, an academic medical center, says in a media statement that it identified approximately 326,000 potentially impacted individuals whose personal information was contained in the compromised email accounts. For approximately 1,500 of these individuals, this information included Social Security numbers. "It is important to note that, at this point, UConn Health does not know for certain if any personal information was ever viewed or acquired by the unauthorized party, and is not aware of any instances of fraud or identity theft as a result of this incident," the statement notes. "The incident had no impact on UConn Health's computer networks or electronic medical record systems." UConn Health is offering prepaid identity theft protection services to individuals whose Social Security numbers may be impacted.

The organization says it has notified law enforcement officials and retained a forensics firm to investigate the matter. Once the U.S. Department of Health and Human Services confirms the details, the attack on UConn Health could rank as the second largest health data breach reported so far this year, based on a snapshot of its HIPAA Breach Reporting Tool website on Monday. The largest health data breach revealed so far this year, but not yet added to the tally, affected University of Washington Medicine. UW Medicine says a misconfigured database left patient data exposed on the internet for several weeks last December, resulting in a breach affecting 974,000 individuals. Several other phishing and hacking incidents have been added to the HHS "wall of shame" tally in recent weeks. Among those is a hacking incident impacting 40,000 individuals reported on Feb. 1 by Minnesota-based Reproductive Medicine and Infertility Associates. In a statement, the organization notes that on Dec. 5, 2018, it discovered it had been the target of a "criminal malware attack." An RMIA practice manager tells Information Security Media Group that independent computer forensics experts removed the malware, but did not definitively determine how the malware infection was launched. The practice suspects the malware was likely embedded in an email attachment, he says. RMIA's statement notes that while the investigation did not identify any evidence of unauthorized access to anyone's personal information, "we unfortunately could not completely rule out the possibility that patients' personal information, including name, address, date of birth, health insurance information, limited treatment information and, for donors only, Social Security number, may have been accessible."

In the aftermath of the incident, RMIA says it's adding another firewall, requiring changes to user credentials/passwords, implementing dual-factor authentication and providing additional staff training regarding information security. Also reporting a hacking incident in recent weeks was Charleston, S.C.-based Roper St. Francis Healthcare, which operates several hospitals in the region. The attack was reported as impacting nearly 35,300 individuals. In a Jan. 29 statement, the entity says that on Nov. 30, 2018, it learned that an unauthorized actor may have gained access to some of its employees' email accounts between Nov. 15 and Dec. 1, 2018. "Our investigation determined that some patient information may have been contained in the email accounts, patients' names, medical record numbers, information about services they received from Roper St. Francis, health insurance information, and, in some cases, Social Security numbers and financial information," the statement says. For those patients whose Social Security number was potentially exposed, the organization is offering prepaid credit monitoring and identity protection services. "To help prevent something like this from happening again, we are continuing education with our staff on email protection and enhancing our email security," Roper St. Francis says. As phishing continues to menace healthcare entities, covered entities and business associates need to keep up with their defenses, some experts note. "Phishing techniques have become more sophisticated than in the past," notes Kate Borten, president of security and privacy consulting firm The Marblehead Group. "Workforce training should include simulated phishing attacks to make people better prepared to recognize and thwart a real attack."

To help mitigate breach risks, organizations should be deploying next-generation firewalls and multifactor authentication, plus employing advanced malware detection solutions, McMillan says. Too many organizations are overlooking the value of multifactor authentication, Borten adds. "Two-factor user authentication was intended to be required over the internet and public networks in the proposed HIPAA Security Rule," she notes. "Unfortunately, since that requirement was dropped in the final rule, healthcare is lagging on multifactor authentication, which is easier now than ever to implement." But McMillan advises healthcare organizations to avoid using multifactor authentication systems that use SMS to transmit a one-time password because those messages can be intercepted. "The software- or hardware-based solutions are preferred," McMillan says. So what other technologies or best practices should covered entities and business associates consider to prevent falling victim to phishing and other attacks? "Unfortunately we haven't seen any silver bullets here yet, but one thing we might want to begin exploring is just what an attacker has access to when they compromise a user's account," McMillan notes. "All too often, we hear that the accounts compromised had incredibly large numbers of emails immediately accessible to the attacker. The question is, are there better ways to deal with retention that mitigate risk as well?"
A lot of things can go wrong on your holidays, like losing luggage or missing a flight, forgetting your travel documents or getting sick at the worst possible time. But have you ever been locked out of your hotel room because of a cyberattack? That's just what happened to guests at a luxury hotel in Austria when they were left stranded outside of their rooms after a ransomware attack that overrode electronic key systems. This concept, which can be summed up as "if you don't pay, your guests won't be able to get into their rooms", underscores a strategy shift in ransomware. Instead of attacking the hotel chain directly, cybercriminals are looking to increase profitability by compromising the well-being of paying customers. Infected computers and POS systems, credit card theft, access to confidential information… in the age of the Internet of Things and smart homes, these attacks are becoming commonplace or even antiquated. Clearly the attacks that this industry has been experiencing are not something casual or fleeting. Behind them lies a real economic interest and a preoccupation with stealthy operations. The hotel sector has become a major target for organized cybercriminals in possession of malware specifically designed to disrupt its smooth running, not only in payment systems, but also by sealing off access to your room, turning lights on and off, or locking your blinds. This is, undoubtedly, a worrisome situation that could cause significant harm not only on an economic level, but also on a PR level, sowing fear among clientele.
This week researchers found a piece of malware in the wild , built to stealAttack.Databreachpasswords from the macOS keychain . Named `` MacDownloader '' and posing asAttack.Phishing, what else , a fake Flash Player update , the new malware was found on the Mac of a human rights advocate and believed to originate from Iran . The malware 's code is very sloppy and appears to have been made by an amateur who took pieces of other 's code and repurposed them . The threat report mentions the following : MacDownloader seems to be poorly developed and created towards the end of 2016 , potentially a first attempt from an amateur developer . In multiple cases , the code used has been copied from elsewhere . The simple activity of downloading the remote file appears to have been sourced from a cheat sheet . The main purpose of MacDownloader seems to be to perform an initial profiling of the infected system and collectionAttack.Databreachof credentials from macOS ’ s Keychain password manager – which mirrors the focus of Windows malware developed by the same actors . At this time , it appears the malware is not a threat and the Command & Control server has been taken down . Intego VirusBarrier offers protection from this malware , detected as OSX/MacDownloader . Security researchers found that this malware was originally designed asAttack.Phishinga fake Bitdefender antivirus , but was later repackaged asAttack.Phishinga fake Flash Player update . Once installed , the malware attempts to achieve persistence by use of a poorly implemented shell script , which at the time of writing did not function due to the C & C server being offline . MacDownloader displaysAttack.Phishinga fake Flash Player update that offers an `` Update Flash-Player '' button and a `` Close '' button . Unlike other malware of its kind , clicking the Close button actually exists the installer and nothing malicious is placed on the system . 
If the Update button is clicked, though, a malware dialog will pop up, which is, of course, fake as well. These dialogs are also rife with basic typos and grammatical errors, indicating that the developer paid little attention to quality control. After the user clicks OK, the software mimics System Preferences to request the admin password in order to grab more info on the system. If the user enters their password and clicks OK, the software grabs the info, and then it tries to open a remote connection to: MacDownloader collects user keychain information and uploads it to said C&C server, including documents, the running processes, installed applications and the username and password, which are acquired through the fake System Preferences dialog. The name and password, which in almost all cases are Administrator credentials, give the malware everything it needs to access the keychain information. With access to the keychain the sky is the limit, because email account passwords, social network account details, and much more, are all stored in the keychain.
The toys -- which can receive and send voice messages from children and parents -- have been involved in a data breach dealing with more than 800,000 user accounts. The breach, which grabbed headlines on Monday, is drawing concerns from security researchers because it may have given hackers access to voice recordings from the toy's customers. But the company behind the products, Spiral Toys, is denying that any customers were hacked. "Absolutely not," said Mark Meyers, CEO of the company. Security researcher Troy Hunt, who tracks data breaches, brought the incident to light on Monday. Hackers appear to have accessed an exposed CloudPets database, which contained email addresses and hashed passwords, and they even sought to ransom the information back in January, he said in a blog post. The incident underscores the danger with connected devices, including toys, and how data passing through them can be exposed, he added. In the case of CloudPets, the brand allegedly made the mistake of storing the customer information in a publicly exposed online MongoDB database that required no authentication to access. That allowed anyone, including hackers, to view and steal the data. On the plus side, the passwords exposed in the breach are hashed with the bcrypt algorithm, making them difficult to crack. Unfortunately, CloudPets placed no requirement on password strength, meaning that even a single character such as the letter "a" was acceptable, according to Hunt, who was given a copy of the stolen data last week. As a result, Hunt was able to decipher a large number of the passwords by simply checking them against common terms such as qwerty, 123456, and cloudpets.
"Anyone with the data could crack a large number of passwords, log on to accounts and pull down the voice recordings," Hunt said in his blog post. Security researcher Victor Gevers from the GDI Foundation said he also discovered the exposed database from CloudPets and tried to contact the toy maker in late December. However, both Gevers and Hunt said the company never responded to their repeated warnings. On Monday, California-based Spiral Toys, which operates the CloudPets brand, claimed the company never received the warnings. "The headlines that say 2 million messages were leaked on the internet are completely false," Meyers said. His company only became aware of the issue after a reporter from Vice Media contacted them last week. "We looked at it and thought it was a very minimal issue," he said. A malicious actor would only be able to access a customer's voice recording if they managed to guess the password, he said. "We have to find a balance," Meyers said, when he addressed the toy maker's lack of password strength requirements. He also said that Spiral Toys had outsourced its server management to a third-party vendor. In January, the company implemented changes MongoDB requested to increase the server's security. Spiral Toys hasn't been the only company targeted. In recent months, several hacking groups have been attacking thousands of publicly exposed MongoDB databases. They've done so by erasing the data, and then saying they can restore it, but only if victims pay a ransom fee. In the CloudPets incident, different hackers appear to have deleted the original databases, but left ransom notes on the exposed systems, Hunt said. Although the CloudPets databases are no longer publicly accessible, it appears that the toy maker hasn't notified customers about the breach, Hunt said.
The danger is that hackers might be using the stolen information to break into customer accounts registered with the toys. But Meyers said the company found no evidence that any hackers broke into customer accounts. To protect its users, the company is planning a password reset for all users. "Maybe our solution is to put more complex passwords," he said.
The most recent breach of smart teddy bears -- which can receive and send voice messages from children and parents -- involved more than 800,000 user accounts. The company behind the products, Spiral Toys, is denying that any customers were hacked. Zach Lanier, director of research at Cylance, went through the more famous incidents involving toys and breaches and offers a tip with each case. The breach may have given attackers access to voice recordings from the toy's customers, because the company allegedly made the mistake of storing the customer information in a publicly exposed online MongoDB database that required no authentication. Thus anyone, including the attackers, was able to view and steal the data. CloudPets placed no requirement on password strength, making it much easier to decipher passwords. Tip: Always create a secure password, no matter the strength requirement. Include lowercase and uppercase letters, symbols and numbers. Use a password manager to help create and store unique passwords for sites and services. A line of stuffed animals, these connected toys pair with a mobile application that was vulnerable due to a number of weak APIs, which didn't verify who sent messages. This meant that an attacker could guess usernames, or email addresses, and ask the Fisher-Price server to return details about associated accounts and children's profiles, which provides their name, birthdate, gender, language and toys they have played with. Tip: If the IoT device connects to a mobile app or desktop computer, it is important to examine how it connects. If the start of the URL address is http rather than https, which is the secure version of HTTP, then your device is making a less secure connection.
The doll has a microphone and accesses the internet to answer your child's questions. Moreover, criminals could have the ability to collect your personal information. Tip: If the toy does require Wi-Fi, make sure it supports modern, more secure Wi-Fi capabilities like WPA2. The doll's speech-recognition software maker, Nuance Communications, violated federal rules by listening to children and saving the recordings. It's valuable to know how they are using your data. Don't provide personal information that seems extra or unnecessary. VTech had its app store database, Learning Lodge, hacked. As a result of the breach, over 11.6 million accounts were compromised in a cyberattack, exposing photos of children and parents as well as chat logs. The profile data leaked included their names, genders and birth dates. Tip: Check to see if the manufacturer has had any cybersecurity issues in the past, and if so, how they responded. Likewise, if the company is relatively new, your device is definitely at greater risk. The interactive toy has the ability to communicate and record conversations. Those conversations are sent to the company's servers, analyzed and then stored in the cloud. The toy was criticized for spying on kids by recording their conversations. Through Wi-Fi, attackers can hijack the connection to spy on your children, steal personal information, and turn the microphone of the doll into a surveillance device. Tip: Since the device is Wi-Fi enabled, confirm whether the device supports modern security protocols. If the device only uses the WEP or WPA (but not WPA2) security standards, it may be too risky to use. Those versions are older and over time have become almost entirely insecure against attack.