Volkswagen data breach impacted 3.3 million customers

Volkswagen and Audi have suffered a data breach affecting 3.3 million customers, after a vendor exposed unsecured data on the Internet.

Volkswagen Group of America, Inc. (VWGoA) is responsible for five marques: Audi, Bentley, Bugatti, Lamborghini, and Volkswagen. It also controls VW Credit, Inc. (VCI), Volkswagen’s financial services and credit operation.

In data breach notifications it filed, VWGoA disclosed that a vendor had left data exposed on the Internet, unsecured, between August 2019 and May 2021.

The data included some or all of the following contact information: first and last name, personal or business mailing address, email address, or phone number. In some cases, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color, and trim packages.

“For approximately 90,000 Audi customers or interested buyers, the data also includes more sensitive information relating to eligibility for a purchase, loan, or lease. Nearly all of the more sensitive data (over 95%) consists of driver’s license numbers. A very small number of records include data such as dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers.” continues the letter.

For the roughly 90,000 customers whose more sensitive information was exposed, Volkswagen is offering free credit monitoring services.

Read more about it here.

US Insurance giant CNA Financial paid a $40 million ransom following a cyberattack

CNA Financial, one of the largest US insurance companies, paid a $40 million ransom following a cyberattack in March 2021, according to a Bloomberg report. Two people familiar with the attack, who asked not to be named because they were not authorized to discuss the matter publicly, provided the details.

“According to the two people familiar with the CNA attack, the company initially ignored the hackers’ demands while pursuing options to recover their files without engaging with the criminals. But within a week, the company decided to start negotiations with the hackers, who were demanding $60 million. Payment was made a week later, according to the people.”

In a security incident update published on May 12, 2021, CNA said it did “not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data – including policy terms and coverage limits – is stored, were impacted.”

CNA has declined to comment on the ransom.

Read more about it here.

Indonesia’s government confirms social security data breach for some citizens

Personal data of 270 million Indonesians was allegedly leaked and offered for sale on a hacker forum this month, Indonesian authorities said on May 20, 2021.

A user with the handle Kotz posted samples of data belonging to Indonesian citizens on the hacker forum Raid Forums. The sample records include the names, citizenship identity numbers, residential addresses, and phone numbers of one million Indonesian citizens. A spokesman for the Communication and Information Ministry said it was examining 100,002 sample records, far fewer than the number claimed. The spokesman, Dedy Permadi, also said that data such as card numbers, family information and payment status was allegedly “identical” to that held by the Healthcare and Social Security Agency, BPJS Kesehatan, which runs Indonesia’s universal healthcare program.

The Healthcare and Social Security Agency, BPJS Kesehatan, is investigating the possible source of the leak.

Read more about it here.

Cyberattack shuts down US Colonial Pipeline

A cyberattack forced the shutdown of one of the largest pipelines in the United States, the Colonial Pipeline. The pipeline carries gasoline, diesel and jet fuel over 5,500 miles from Texas to New York and moves about 45% of all fuel consumed on the East Coast. The shutdown did not cause immediate supply disruptions because energy demand was still reduced by the ongoing COVID-19 pandemic.

“In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our I.T. operations,” reads a statement issued by the company.

The DarkSide ransomware group, a criminal operation believed to be based in Russia, is suspected of being responsible for the attack.

Read more about it here.

WhatsApp Pink malware can now auto-reply to your Signal, Telegram, Viber, and Skype messages

Android users should be wary of messages circulating on WhatsApp and other major messaging apps that promise a new color theme for WhatsApp. Disguised as an official update for the ubiquitous chat app, the “WhatsApp Pink” theme is actually malware. The tainted app includes malicious code that allows attackers to fully compromise the device. Most infections have been reported among WhatsApp users in India.

Once the app is installed, tapping its icon makes it hide itself and display a message claiming it was never installed. It then waits for incoming messages in WhatsApp and the other supported messengers and automatically replies to them with a link to the malicious download, so it spreads further without the victim doing anything.

The good news is that Android users who have installed WhatsApp Pink can simply uninstall it from their device.

Read more about it here.

Geico customers’ driver’s license numbers exposed in breach

Geico, the second-largest auto insurer in the US, has fixed a security bug that let fraudsters steal customers’ driver’s license numbers from its website.

Some Geico customers were notified in April 2021 that their personal information, specifically their driver’s license number, had been compromised in a data breach caused by a security bug on the insurer’s website.

The message sent to customers said that “between January 21, 2021 and March 1, 2021, fraudsters used information about you — which they acquired elsewhere — to obtain unauthorized access to your driver’s license number through the online sales system on our website.”

Geico further said it had “reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name.”

Geico said it has since secured its website from the vulnerability.

Read more about it here.

Facebook won’t notify half-billion users affected by data leak

On April 3, 2021, Alon Gal, co-founder of cybercrime intelligence firm Hudson Rock, alerted the public via Twitter that a Facebook data leak had made 533 million personal records available online “for free.” The dump holds records for more than 32 million accounts in the US, 11 million in the UK, and 6 million in India. Leaked details in some cases included full name, location, birthday, email address, phone number, and relationship status.

Facebook said the data was scraped in 2019, when malicious actors abused a vulnerability in its contact importer tool, and that it had fixed the issue in September 2019.

The scraped information did not include financial information, health information or passwords. Although the data dates from 2019, it is still of value to hackers and cybercriminals who engage in identity theft.

Following the Cambridge Analytica scandal, in which user data was improperly passed to the political research firm, Facebook reached a landmark agreement with the US Federal Trade Commission in 2019 that requires the company to report breaches affecting 500 or more users within 30 days of confirming an incident.

What can you do to protect yourself?

  • Visit the website Have I Been Pwned, run by security researcher Troy Hunt, and enter your email address or phone number.
  • If your data has been compromised, change your password and enable two-factor authentication.
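The email and phone lookups above are done on the Have I Been Pwned site itself, but the same service also exposes its Pwned Passwords corpus through a range endpoint that needs no API key and can be scripted. The block below is an added example, not code from the original page or from Have I Been Pwned. It assumes that GET https://api.pwnedpasswords.com/range/<first five hex characters of the password's SHA-1> returns lines of the form <remaining 35 hex characters>:<count>; only that five-character prefix ever leaves the machine, so the service learns neither the password nor its full hash (k-anonymity). The constructed range response at the end is made up so the example runs offline; the fetcher and its count are not real data.

```python
"""k-anonymity lookup against the Pwned Passwords range endpoint.

Added example, not code from the original page or from Have I Been Pwned.
Assumption: GET https://api.pwnedpasswords.com/range/<prefix> returns
"<35-char suffix>:<count>" lines for every hash starting with the 5-char
prefix; no API key is needed.
"""
import hashlib
import urllib.request
from typing import Callable


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Upper-case hex SHA-1 split into the 5-char prefix that is sent to the
    service and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_https(prefix: str) -> str:
    """Live fetch of one hash range (needs network access)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        # Add-Padding asks the service to pad the reply with dummy zero-count
        # entries so an observer cannot infer the range from the response size.
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> dict[str, int]:
    """Map each suffix in a range response to its breach count."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fetch_range_https) -> int:
    """How many times the password appears in the corpus (0 = not found).
    Only the prefix is handed to fetch_range; the suffix never leaves here."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for one range response so the example runs offline.
# The suffixes and counts below are made up, not real Pwned Passwords data.
_KNOWN_PREFIX, _KNOWN_SUFFIX = sha1_prefix_suffix("password")


def constructed_range_fetcher(prefix: str) -> str:
    if prefix != _KNOWN_PREFIX:
        return "0018A45C4D1DEF81644B54AB7F969B88D65:0\r\n"  # padding-style entry
    return (
        "0018A45C4D1DEF81644B54AB7F969B88D65:0\r\n"
        f"{_KNOWN_SUFFIX}:3861493\r\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:2\r\n"
    )


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, constructed_range_fetcher)
        print(f"{pw!r}: {('seen %d times' % n) if n else 'not found'}")
```

To run it against the live service, call `pwned_count(pw)` without the second argument; the matching is the same, only the transport changes. A count above zero means the password has appeared in a public breach corpus and should be rotated regardless of which site it was used on.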

Read more about it here.

Astoria Company data breach affected 30 million Americans

Astoria Company LLC is a lead generation company with a network of websites designed to collect information on people who may be looking for discounted car loans, different medical insurance, or even payday loans.

Users volunteer personal information on any of its lead generation sites; the information is then collected and sent to a number of partner sites (such as insurance or loan agencies) that pay per lead referral.

On January 26, 2021, the threat intelligence team at Night Lion Security became aware of several newly breached databases being sold on the Dark0de market by the well-known hacking group Shiny Hunters. The data listed for sale included 400 million Facebook users, a database allegedly containing Instagram users, and a 300 million user database dump allegedly from Astoria Company. The listing for the Astoria Company data claimed 40 million U.S. Social Security numbers (a figure later shown to be inflated).

Nearly one week later, these databases were published for sale on the Dark0de forum by Shiny Hunters.

Exposed records include the following fields:

  • Name
  • Email address
  • Date of Birth
  • Mobile Phone
  • Physical Address
  • IP Address

In addition to the base fields, many of the different lead types included additional information, such as social security numbers, full bank account information, and even medical history.

On January 29, 2021, Night Lion Security’s CEO, Vinny Troia, reported to Astoria Company the flaw in its database and the availability of its data on the dark web.

The company investigated the issue and found that a former developer from India had intentionally stored database credentials on the site, where they could be recovered. Astoria ultimately took the entire site offline.

Read more about it here.

The fire in the OVH datacenter also impacted cybercrime groups

OVH, the largest cloud hosting provider in Europe and one of the largest hosting providers in the world, suffered a fire on March 10, 2021 at its Strasbourg, France site. The Strasbourg site comprises four data centers: SBG1, SBG2, SBG3, and SBG4. The fire, which started in SBG2, destroyed that building and four rooms of SBG1.

The fire impacted 3.6 million websites, including niche government platforms in France, Britain, Poland and the Ivory Coast. OVH urged customers to implement their disaster recovery plans.

Cybercrime groups have also been impacted. Costin Raiu, the Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, revealed that 36% of 140 OVH servers used by various threat actors as Command and Control servers went offline.

OVH has announced plans to begin powering servers back up this week: SBG3 should have power from March 17, and SBG1 and SBG4 from March 19. Servers in these data centers will be brought up gradually over a few days.

Read more about it here.

Verkada breach exposed live feeds of 150,000 security cameras inside schools, hospitals, Tesla

According to a recent Bloomberg report, Verkada, a San Mateo, Silicon Valley security startup that provides cloud-based security camera services, has suffered a major security breach. Hackers gained access to over 150,000 of its customers’ camera feeds, including cameras in Tesla factories and warehouses, Cloudflare offices, Equinox gyms, hospitals, jails, schools, police stations, and Verkada’s own offices.

One of the hackers who claimed credit for the breach is Tillie Kottmann, who has reportedly hacked Intel Corp. and Nissan Motor Corp.

The hackers’ method of gaining access was unsophisticated: Kottmann said they found a username and password for a “Super Admin” account publicly exposed on the internet, which let them view the cameras of every Verkada customer.
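The Astoria incident (database credentials saved on the site) and the Verkada incident (a Super Admin username and password exposed on the internet) share a root cause: secrets sitting in files that people outside the trust boundary can read. Neither company's code is on this page; the block below is an added example showing the kind of check that catches such leaks before they ship. It scans a set of constructed sample files (stand-ins for a site's source tree, not real data) with regular expressions for connection URLs that embed a password, password or token assignments and AWS access key IDs, and falls back to a Shannon-entropy test on long string literals to flag keys that no keyword pattern names. The 4.0 bits-per-character threshold is a common heuristic, not a value from the page.

```python
"""Scan source and config files for hard-coded credentials.

Added example, not code from the original page, Astoria Company or Verkada.
The sample files and every secret in them are constructed for this demo.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample tree; the values are made up and match nothing real.
SAMPLE_FILES = {
    "config/db.php": '$dsn = "mysql://leads_rw:Sup3rS3cret!@db.internal:3306/leads";\n',
    "deploy/.env": (
        "ADMIN_USER=superadmin\n"
        "ADMIN_PASSWORD=Summer2021!\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    ),
    "src/app.py": (
        'JWT_SIGNING = "Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZg"\n'
        'GREETING = "hello world"\n'
    ),
    "README.md": "Set ADMIN_PASSWORD in the environment; never commit it.\n",
}

# Keyword-based rules: (name, pattern). Each is applied per line.
RULES = [
    # scheme://user:password@host -- the password is the part before '@'
    ("db-url-with-password",
     re.compile(r"\b(?:mysql|postgres(?:ql)?|mongodb|redis)://[^\s:/@\"']+:[^\s@\"']+@", re.I)),
    # PASSWORD=..., secret: '...', api_key = "..." and similar assignments
    ("password-assignment",
     re.compile(r"(?i)(?:password|passwd|pwd|secret|api_?key|token)\s*[:=]\s*[\"']?([^\s\"';]{6,})")),
    # AWS access key IDs have a fixed prefix and length
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
]

# Quoted literal of 20+ base64/hex-ish characters, candidate for the entropy test.
STRING_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/=_\-]{20,})[\"']")
ENTROPY_THRESHOLD = 4.0  # bits per character; heuristic, not from the page


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Apply the keyword rules to each line; if none fire, apply the entropy
    test to any long string literal on that line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        matched = False
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(path, line_no, name, line.strip()))
                matched = True
        if matched:
            continue
        for literal in STRING_LITERAL.findall(line):
            if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "high-entropy-literal", line.strip()))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} map; swap in real file reads as needed."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.snippet}")
```

Run on the sample tree it reports four findings (the connection URL, the .env password and AWS key ID, and the high-entropy signing key) and nothing for the README line that merely mentions the variable name. In practice this runs as a pre-commit hook or CI step over the real checkout; a hit should lead to the secret being rotated, not just deleted, because its history survives in the repository.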

In a statement, a Verkada spokesperson said they had disabled all internal admin accounts, to prevent any further unauthorized access.

Kottmann said the hackers’ reasons for hacking are “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”

Read more about it here.