Geico customers’ driver’s license numbers exposed in breach

Geico, the second largest auto insurer in the US, has fixed a security bug that let fraudsters steal customers’ driver’s license numbers from its website.

Some Geico customers were notified in April 2021 that their personal information — specifically their driver’s license number — had been compromised in a data breach caused by a security bug on the insurer’s website.

The message sent to customers said that “between January 21, 2021 and March 1, 2021, fraudsters used information about you — which they acquired elsewhere — to obtain unauthorized access to your driver’s license number through the online sales system on our website.”

Geico further said it had “reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name.”

Geico said it has since secured its website from the vulnerability.
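Geico has not published the mechanics of the flaw, but the pattern it describes (an online quote form handing back a driver’s license number to anyone who supplies identity details obtained elsewhere) shows up on the server side as one client submitting many different identities in a short window. The following is an added example, not Geico’s code: it runs a simple enumeration detector over constructed quote-form log lines. The log format, the `quote_prefill` event name, the 10-minute window and the threshold of five distinct identities are all assumptions; identities are hashed so the alert output does not repeat the submitted personal data.

```python
"""
Added example (not from the original article): flag source IPs that
submit many distinct identities to a quote/prefill endpoint in a short
window, the server-side signal of a data-enrichment enumeration attack.
"""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the format
# "<ISO timestamp> <client ip> <event> key=value ..." is an assumption.
SAMPLE_LOG = """\
2021-02-10T09:00:01Z 203.0.113.7 quote_prefill name=alice.martin dob=1980-03-04 zip=30301
2021-02-10T09:00:09Z 203.0.113.7 quote_prefill name=bob.chen dob=1975-11-22 zip=30302
2021-02-10T09:00:15Z 203.0.113.7 quote_prefill name=carol.diaz dob=1990-07-17 zip=30303
2021-02-10T09:00:22Z 203.0.113.7 quote_prefill name=dan.okafor dob=1968-01-30 zip=30304
2021-02-10T09:00:31Z 203.0.113.7 quote_prefill name=eve.larsen dob=1985-09-09 zip=30305
2021-02-10T09:00:40Z 203.0.113.7 quote_prefill name=frank.moore dob=1992-12-01 zip=30306
2021-02-10T09:05:00Z 198.51.100.4 quote_prefill name=grace.kim dob=1983-05-05 zip=94016
2021-02-10T09:06:30Z 198.51.100.4 quote_prefill name=grace.kim dob=1983-05-05 zip=94016
2021-02-10T11:30:00Z 192.0.2.9 quote_prefill name=henry.ford dob=1970-02-02 zip=48201
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, event, {field: value})."""
    ts, ip, event, *fields = line.split()
    attrs = dict(f.split("=", 1) for f in fields)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, ip, event, attrs


def identity_key(attrs):
    """Stable, non-reversible key for the identity submitted in one request."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()[:16]


def max_distinct_identities(events, window):
    """Largest number of distinct identities seen inside any sliding window.

    events: list of (timestamp, identity_key) sorted by timestamp.
    """
    best = 0
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        distinct = len({key for _, key in events[start:end + 1]})
        best = max(best, distinct)
    return best


def flag_enumerators(log_text, window_minutes=10, max_identities=5):
    """Return {ip: distinct_identities} for IPs that exceed the threshold."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, ip, event, attrs = parse_line(line)
        if event != "quote_prefill":
            continue
        per_ip[ip].append((when, identity_key(attrs)))

    flagged = {}
    window = timedelta(minutes=window_minutes)
    for ip, events in per_ip.items():
        events.sort()
        n = max_distinct_identities(events, window)
        if n > max_identities:
            flagged[ip] = n
    return flagged


if __name__ == "__main__":
    for ip, n in flag_enumerators(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} distinct identities submitted within one window")
```

The same counter, keyed by session or by the identity fields themselves rather than by IP, covers the cases where an attacker rotates addresses; the threshold is a policy choice, and legitimate insurance agents quoting several clients will need an allow-list or a higher limit.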

Read more about it here.

Facebook won’t notify half-billion users affected by data leak

On April 3, 2021, Alon Gal, co-founder of cybercrime intelligence firm Hudson Rock, alerted the public via Twitter that a Facebook data leak had made 533 million personal records available online “for free.” There are records for more than 32 million accounts in the US, 11 million in the UK, and 6 million in India. Leaked details in some cases included full name, location, birthday, email addresses, phone number, and relationship status.

Facebook said the data was scraped in 2019, when malicious actors took advantage of a vulnerability with its contact importer tool. It also said it had fixed the issue in September 2019.

The scraped information did not include financial information, health information or passwords. Although the data is from 2019, it could still be of value to hackers and cyber criminals who engage in identity theft.

Following a massive data leak to the political research firm Cambridge Analytica, Facebook reached a landmark agreement with the US Federal Trade Commission in 2019 that requires the company to report breaches affecting 500 or more users within 30 days of confirming an incident.

What can you do to protect yourself?

  • Visit the website Have I Been Pwned, and enter your email address or phone number. The site is run by security researcher Troy Hunt.
  • If your data has been compromised, change your password and enable two-factor authentication.
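Have I Been Pwned also exposes a password check, and the way it does so is worth seeing because it is the reason you can use the service without handing it your secret. The client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every suffix sharing that prefix, and does the match locally (k-anonymity). The block below is an added example, not code from the original post or from Have I Been Pwned; the `https://api.pwnedpasswords.com/range/` endpoint and the `Add-Padding` header are the service’s real interface, but the network call is swapped for a constructed response so the example runs offline, and the counts in that response are made up.

```python
"""
Added example (not from the original post): a k-anonymity range lookup
against Pwned Passwords. Only the 5-character hash prefix ever leaves
the machine; the 35-character suffix is matched locally.
"""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Return (prefix sent to the service, suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    With Add-Padding the service mixes in dummy suffixes with count 0 so
    the response size does not reveal how many real hashes matched; they
    parse like any other line and never match a real suffix.
    """
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """How many times the password appears in known breaches (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix):
    """Real lookup over the network; pass this as fetch_range in production."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix, headers={"Add-Padding": "true"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service: SHA-1("password") starts with 5BAA6,
# the other suffixes and all counts are invented for the example.
_CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0",  # padding entry
    ]),
}


def offline_fetch_range(prefix):
    return _CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3-constructed"):
        n = breach_count(candidate, offline_fetch_range)
        print(f"{candidate!r}: {'seen ' + str(n) + ' times' if n else 'not found'}")
```

Swap `offline_fetch_range` for `live_fetch_range` to query the real service; the prefix-only request is what makes it safe to run this check at password-change time against a user’s new password.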

Read more about it here.

Astoria Company data breach affected 30 million Americans

Astoria Company LLC is a lead generation company with a network of websites designed to collect information on a person that may be looking for discounted car loans, different medical insurance, or even payday loans.

Users volunteer personal information to any of their lead generation sites, which is then collected and sent to a number of partner sites (such as insurance or loan agencies), that pay per lead referral.

On January 26, 2021, the threat intelligence team at Night Lion Security became aware of several new breached databases being sold on the Dark0de market by popular hacking group Shiny Hunters. The data listed for sale included 400 million Facebook users, a database allegedly containing Instagram users, and a 300 million user database dump allegedly from Astoria Company. The details of the Astoria Company data sale included 40 million U.S. social security numbers (these numbers were later proven to be inflated).

Nearly one week later, these databases were published for sale on the Dark0de forum by Shiny Hunters.

Exposed records include the following fields:

  • Name
  • Email address
  • Date of Birth
  • Mobile Phone
  • Physical Address
  • IP Address

In addition to the base fields, many of the different lead types included additional information, such as social security numbers, full bank account information, and even medical history.

Night Lion Security’s CEO, Vinny Troia, reported the flaw in their database and the availability of their data on the Dark Web to Astoria Company on January 29, 2021.

The company investigated the issue and discovered that a former developer from India was responsible for intentionally saving database credentials to the site. Astoria ultimately took the entire site offline.

Read more about it here.

The fire in the OVH datacenter also impacted cybercrime groups

OVH, the largest cloud hosting provider in Europe and one of the largest hosting providers in the world, suffered a fire in its Strasbourg, France data centers on March 10, 2021. The Strasbourg site includes 4 data centers: SBG1, SBG2, SBG3, and SBG4. Fire destroyed one center, SBG2, and four rooms of a second one, SBG1. The fire started in SBG2.

The fire impacted 3.6 million websites, including niche government platforms in France, Britain, Poland and the Ivory Coast. OVH urged customers to implement their disaster recovery plans.

Cybercrime groups have also been impacted. Costin Raiu, the Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, revealed that 36% of 140 OVH servers used by various threat actors as Command and Control servers went offline.

OVH has announced its plans to power servers up starting this week. SBG3 should have power starting March 17, and the other two data centers, SBG1 and SBG4, should have power starting March 19. Servers in these data centers will be powered up gradually over a few days.

Read more about it here.

Verkada breach exposed live feeds of 150,000 security cameras inside schools, hospitals, Tesla

According to a recent Bloomberg report, Verkada, a Silicon Valley security startup based in San Mateo that provides cloud-based security camera services, has suffered a major security breach. Hackers gained access to over 150,000 of its camera feeds, including cameras in Tesla factories and warehouses, Cloudflare offices, Equinox gyms, hospitals, jails, schools, police stations, and Verkada’s own offices.

One of the hackers who claimed credit for the breach is Tillie Kottmann, who has reportedly hacked Intel Corp. and Nissan Motor Corp.

The hackers’ method of gaining access was unsophisticated: Kottmann said the hackers found a user name and password for the “Super Admin” account publicly exposed on the internet. This allowed them to peer into the cameras of all of Verkada’s customers.

In a statement, a Verkada spokesperson said they had disabled all internal admin accounts, to prevent any further unauthorized access.

Kottmann said the hackers’ reasons for hacking are “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”

Read more about it here.

Sequoia Capital has been hacked

Sequoia Capital, one of the most prominent venture capital firms in Silicon Valley, told investors on February 19, 2021 that it was hacked.

Some personal and financial information may have been accessed by a third party, after one of its employees fell victim to a successful phishing attack.

Sequoia’s portfolio includes Airbnb, DoorDash, 23andMe, and Robinhood. It also invested in major cybersecurity firms like FireEye and Carbon Black.

Read more about it here.

Gmail users in the US are most targeted by phishing and malware

In an effort to better understand why some users are more heavily targeted by phishing emails and malware than others, search giant Google teamed up with researchers at Stanford University. Over a period of 5 months, the study examined 1.2 billion malicious emails aimed at Gmail users and their intended targets, to determine which factors influence the risk of attack.

The researchers discovered that each phishing and malware campaign lasted one to three days on average. In a week, such campaigns accounted for 100 million phishing and malware emails targeting Gmail users worldwide.

The researchers found that users in the US were the most popular targets (42% of all attacks), followed by the United Kingdom (10%) and Japan (5%).

In addition, age played a role: users between the ages of 55 and 64 were 1.64 times more likely to be targeted than 18 to 24 year-olds.

Read more about it here.

USCellular suffered data breach

U.S. Cellular, the fourth-largest wireless carrier in America, with 4.9 million customers, has suffered a data breach. A few retail store employees were scammed into downloading software onto their computers. The software allowed the attacker to access their computers remotely. Once the employees logged into the customer relationship management (CRM) system, the hackers gained access to its records.

While on the CRM system, the attackers were able to view customers’ accounts, including their name, address, PIN, cell phone numbers, service plan, and billing/usage statements.

USCellular believes the attack occurred on January 4, 2021.

Read more about it here.

Fidelis, Mimecast, Palo Alto Networks, Qualys impacted by SolarWinds attack

Major security vendors Fidelis, Mimecast, Palo Alto Networks and Qualys confirmed this week that they were impacted by the SolarWinds supply chain attack.

Fidelis confirmed that it had installed a trojaned version of the SolarWinds Orion app in May 2020, as part of a software evaluation.

A Mimecast-issued certificate used to authenticate some of the company’s products to Microsoft 365 Exchange Web Services had been “compromised by a sophisticated threat actor,” the email-protection company announced in mid-January. That caused speculation that the breach was related to SolarWinds, which the firm confirmed in an update this week.

Palo Alto disclosed that two security incidents discovered in September and October 2020 were linked to SolarWinds software installations.

Qualys said that its compromised certificate was installed only on test systems.

The list of impacted companies keeps growing, and at this point includes Cisco, Cox and more.

Read more about it here.

Malwarebytes was hacked by the same group that breached SolarWinds

Cybersecurity firm Malwarebytes said it was hacked by ‘Dark Halo’, the same group that breached SolarWinds in 2020. The company pointed out that the hackers exploited another attack vector and did not use the SolarWinds Orion software.

The company’s blog post says: “While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor. We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments. After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.”

Malwarebytes learned of the breach on December 15, 2020 from the Microsoft Security Response Center, which detected suspicious activity coming from a third-party application in its Microsoft Office 365 tenant.
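The intrusion vector Malwarebytes describes, an application registration that already holds privileged permissions in the Office 365 / Azure tenant being abused by an attacker who adds their own credential to it, is one a tenant can audit for. Below is an added example, not Malwarebytes’ or Microsoft’s code, of such an audit over a constructed inventory of service principals. The permission names in the high-risk set are real Microsoft Graph and Exchange Online application-permission names, but treating exactly these as high-risk is an assumption; the inventory’s field names are likewise an assumption and not a real Graph API export format, and the 30-day window for “recently added credential” is a chosen threshold.

```python
"""
Added example (not from the original article): review service principals
for privileged application permissions, and raise the severity when a
credential was added recently or the publisher is unverified, the
combination that lets an outside party use the app's access to read mail.
"""
import json
from datetime import datetime, timedelta, timezone

# Application permissions treated as high-risk (assumption; the names are
# real Graph / Exchange Online permissions, the selection is a policy choice).
HIGH_RISK_APP_ROLES = {
    "Mail.Read",
    "Mail.ReadWrite",
    "full_access_as_app",
    "Directory.ReadWrite.All",
    "Application.ReadWrite.All",
}

# Constructed inventory; the shape is an assumption, not a real export.
INVENTORY = json.dumps([
    {
        "display_name": "Mail Archiver",
        "publisher_verified": True,
        "app_roles": ["Mail.Read"],
        "credentials": [{"type": "password", "added": "2020-06-01T00:00:00Z"}],
    },
    {
        "display_name": "Helpdesk Sync",
        "publisher_verified": False,
        "app_roles": ["Mail.ReadWrite", "User.Read.All"],
        "credentials": [
            {"type": "certificate", "added": "2020-03-01T00:00:00Z"},
            {"type": "password", "added": "2020-12-10T00:00:00Z"},
        ],
    },
    {
        "display_name": "Intranet Widget",
        "publisher_verified": True,
        "app_roles": ["User.Read"],
        "credentials": [{"type": "password", "added": "2020-12-12T00:00:00Z"}],
    },
])

# Audit date for the stand-alone run (the day Malwarebytes was notified).
AS_OF = "2020-12-15T00:00:00Z"


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_service_principals(inventory_json, now, recent_days=30):
    """Return findings for every app holding a high-risk application permission.

    severity is "high" when a credential was added within recent_days or the
    publisher is unverified, otherwise "review" (privileged but unchanged).
    """
    findings = []
    for sp in json.loads(inventory_json):
        risky = sorted(set(sp["app_roles"]) & HIGH_RISK_APP_ROLES)
        if not risky:
            continue
        recent = [
            c for c in sp["credentials"]
            if now - _parse_ts(c["added"]) <= timedelta(days=recent_days)
        ]
        urgent = bool(recent) or not sp["publisher_verified"]
        findings.append({
            "name": sp["display_name"],
            "risky_roles": risky,
            "recent_credentials": len(recent),
            "publisher_verified": sp["publisher_verified"],
            "severity": "high" if urgent else "review",
        })
    # High severity first, then alphabetical, so the list reads top-down.
    findings.sort(key=lambda f: (f["severity"] != "high", f["name"]))
    return findings


def run_audit():
    return audit_service_principals(INVENTORY, _parse_ts(AS_OF))


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f['severity']}] {f['name']}: roles={f['risky_roles']} "
              f"recent_credentials={f['recent_credentials']} "
              f"publisher_verified={f['publisher_verified']}")
```

Run periodically against a real export, the “high” findings are the ones to confirm with the owning team: a new password or certificate on an app that can read every mailbox is exactly the change an attacker with tenant access would make, and removing the unexpected credential closes the vector without touching the application itself.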

Malwarebytes adds to a growing list of security firms that were hit by the SolarWinds attackers, after FireEye, Microsoft, and CrowdStrike.

Read more about it here.