Author: VictorAdmin5

Cybernews researchers discovered that Vietnam Post Corporation, a Vietnamese government-owned postal service, left its security logs and employee email addresses accessible to outside cyber snoopers for 87 days. The exposed sensitive data could spell trouble if accessed by bad actors.

Unprotected databases are common in the wild. They are usually the result of carelessness. For example, database admins may remove credentials to make it easier to connect via the internet, and then forget to put them back.

When the Cybernews team found the open database, it had more than 226 million logged events and measured 1.2 Terabytes in size. It contained device usernames with employee names or emails. This information enables potential cyber criminals to identify which employees were working at a given time and which devices they were using.

The database exposure began on July 8, 2023, and access to the database was evantually cut on October 6, 2023.

Read more about it here.

The UK division of Samsung Electronics has allegedly alerted customers of a year-long data security breach – the third such incident the South Korean giant has experienced around the world in the past two years.

A spokesperson from Samsung said that the company was “recently alerted to a security incident” that “resulted in certain contact information of some Samsung UK e-store customers being unlawfully obtained”. The incident was limited to the UK region and does not affect data belonging to customers in the US, its employees, or retailers.

In a statement posted on X (formerly Twitter), Samsung said:
“On 13 November 2023, it was determined that an unauthorised individual exploited a vulnerability in a third-party business application we use, and that some personal information of certain customers who made purchases on SEUK’s eCommerce site between July 1, 2019 and June 30, 2020, was affected”.

Samsung told affected customers that hackers may have accessed their names, phone numbers, postal addresses and email addresses. “No financial data, such as bank or credit card details or customer passwords, were impacted,” Samsung’s spokesperson said.

Read more about it here.

In early October 2023, Resecurity’s HUNTER (HUMINT) unit identified millions of personally identifiable information (PII) records, including Aadhaar card numbers, belonging to Indian residents, being offered for sale on the Dark Web.

An Aadhaar is a unique, 12-digit individual identification number issued by the Government of India. Beyond the PII found on traditional ID documents, Aadhaars include “core biometrics,” including 10 fingerprints and two iris scans. There are roughly 1.4 billion Aadhaars issued since this ID service launched in 2009.

On October 9, 2023, a threat actor going by the alias ‘pwn0001’ posted a thread on Breach Forums brokering access to 815 million “Indian Citizen Aadhaar & Passport” records. This represents about 55% of India’s total population. The entire dataset was offered for sale for $80,000.

The leak of PII data containing Aadhaar and other details of Indian residents on the Dark Web creates a significant risk of digital identity theft. Threat actors leverage stolen identity information to commit online banking theft, tax refund frauds, and other cyber-enabled financial crimes. Resecurity observed a spike in incidents involving Aadhaar IDs and their leakage on underground cybercriminal forums by threat actors looking to harm Indian nationals and residents. To mitigate this risk, Resecurity acquired the published data set on Dark Web and notified victims of the leaked identities.

Read more about it here.

Flagstar Bank has warned that 837,390 US customers had their personal information stolen by cybercriminals due to a breach at a third-party service provider.

Flagstar, now owned by the New York Community Bank, is a Michigan-based financial services provider that, before its acquisition in 2022, was one of the largest banks in the United States, having total assets of over $31 billion.

The breach occurred between May 27 and 31, 2023. It exposed the personal information of a substantial number of customers. It was traced back to vulnerabilities in MOVEit Transfer, a file transfer software used by Fiserv for payment processing and mobile banking services.

In June 2022, Flagstar Bank disclosed another data breach that impacted roughly 1.5 million of its customer in the US, but the company did not share details about the attack. The security breach took place in early December 2021.

On March 2021, the bank was the victim of another attack conducted by the Clop ransomware gang.

Read more about it here.

Researchers disclosed a new zero-day DDoS attack technique, called ‘HTTP/2 Rapid Reset’, that was exploited since August 2023 in record-breaking attacks. These attacks have been observed on Amazon Web Services (AWS), Cloudflare and Google.

The attack peaked at 155 million requests per second (Amazon), 201 million rps (Cloudflare), and a record-breaking 398 million rps (Google).

The attack method abuses HTTP/2’s stream cancellation feature to continuously send and cancel requests, overwhelming the target server or application and imposing a DoS state.

The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled, by sending a RST_STREAM frame. The protocol allows the client to unilaterally request a cancelation. It “makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open”, continues the Google post. This can be mitigated by having entire TCP connection needs to closed when abuse is detected.

Amazon Web Services (AWS), Cloudflare and Google said on October 10, 2023 they took steps to mitigate these record-breaking Distributed Denial-of-Service (DDoS) attacks

Read more about it here.

US consumer credit reporting agency TransUnion may have been the subject of a hacking incident leading to a data breach. Threat actor who goes by the moniker “USDoD” announced the leak of a database containing sensitive Personal Identifiable Information (PII) of 58,505 customers across North and South America and Europe.

According to Cybercriminal underworld tracker vx-underground who reported the leak, the archive contains data that dates back to March 2, 2022, which could be the data of the data breach.

vx-underground stated that leaked data includes first name, last name, Internal TransUnion identifiers, sex, passport information, place of birth, date of birth, civil status, age, current employer, information on their employer, a summary of financial transactions, credit score, loans in their name, remaining balances on the loans, where they got the loan from, and when TransUnion first began monitoring their information.

In response, TransUnion investigated the claim, and made a statement that its systems weren’t breached, and that the data may have come from a third party. “We have found that multiple aspects of the messages – including the data, formatting, and fields – do not match the data content or formats at TransUnion”, said the statement.

Read more about it here.

The personal details of over 20,000 UK police officers have been stolen after a suspected ransomware attack on a third-party supplier.

Greater Manchester Police (“GMP”), the fourth largest police department in the UK, confirmed on September 14, 2023 that its supplier, identity card maker Digital ID, holds “some information on those employed by GMP.”

“We understand how concerning this is for our employees so, as we work to understand any impact on GMP, we have contacted the Information Commissioners Office and are doing everything we can to ensure employees are kept informed, their questions are answered, and they feel supported.”, says the announcement.

GMP does not believe the data on the hacked systems contains financial information belonging to the police department’s employees.

Read more about it here.

Cybersecurity firm Akamai successfully detected and prevented a massive distributed denial-of-service (DDoS) attack targeting an unnamed, leading American financial institution on the Prolexic platform. The attack occurred on September 5, 2023 at approximately 19:31 UTC.

“Cybercriminals used a combination of ACK, PUSH, RESET, and SYN flood attack vectors, peaking at 633.7 gigabits per second (Gbps) and 55.1 million packets per second (Mpps). The attack was sharp but lasted for less than 2 minutes, and was proactively mitigated by our customer’s comprehensive cyberdefense posture.” reads the post published by Akamai.

During the attack, the top 10 sources for the targeted malicious traffic originated from Bulgaria, Brazil, China, India, United States, Thailand, Russia, Ukraine, Vietnam, and Japan. During the attack, the traffic from the US was more than double the volume of peacetime traffic originating from the country.

Read more about it here.

Duolingo is one of the largest language learning sites in the world, with over 75 million monthly users worldwide. The scraped data of 2.6 million people, which was on sale in January 2023 with a starting price of $1,500, is now available on the cybercrime marketplace BreachForums for just 8 credits, worth $2.13.

The shared data contains email addresses, usernames, names, phone numbers, information about social networks, and other generic info such as language studies, experience, progress and achievements.

This data was scraped using an exposed application programming interface (API). The API allows anyone to submit a username and retrieve the user’s public profile information. However, it is also possible to feed an email address into the API and confirm if it is associated with a valid DuoLingo account. Scrapers can feed millions of email addresses, likely exposed in previous data breaches, into the API, and confirm if they belong to DuoLingo accounts. These email addresses can then be used to create the dataset containing public and non-public information.

Read more about it here.

The world’s most popular websites lack basic cybersecurity hygiene, an investigation by Cybernews shows.

The Cybernews research team has deep-dived into an issue that’s quite often overlooked by developers – HTTP security headers. They have analyzed the top 100 most visited websites, including Facebook, Pinterest, IMDB, PayPal, Wikipedia, and AliExpress.

The conclusion? Many developers of the most popular websites could enhance their cybersecurity practices. Not to give threat actors any ideas, the actual web sites that need some work have been omitted.

HTTP security headers are instructions on how the web browser should interact with the webpage. HTTP security headers are mostly useful for client-side attacks, aiming to exploit security flaws running on the user’s device to gain unauthorized access, steal information, and perform other malicious activities. This includes:

• X-Frame-Options
• Content-Security-Policy (CSP)
• The Referrer-Policy
• The Permissions-Policy
• The X-Content-Type-Options
• Strict-Transport-Security (HSTS)

Read more about it here.