Bangladesh government website leaks personal data

Researcher Viktor Markopoulos discovered a Bangladeshi government website that leaks the personal information of millions of Bangladeshi citizens. He found it on June 27, 2023, and shortly afterwards contacted the Bangladeshi e-Government Computer Incident Response Team (CIRT). The leak includes full names, phone numbers, email addresses and national ID numbers of about 50 million Bangladeshi citizens.

“It just appeared as a Google result and I wasn’t even intending on finding it. I was Googling an SQL error and it just popped up as the second result,” he told TechCrunch.

In response, the Bangladeshi government on July 9, 2023 took down citizens’ sensitive data that it had left exposed online.

Read more about it here.

Oil and gas giant Shell is the latest victim of Clop ransomware attacks


Oil and gas giant Shell has confirmed that it is one of the victims of a recent large-scale ransomware campaign by the Clop gang, which exploited a MOVEit zero-day vulnerability. Shell’s data has since been published on the darknet.

Cyber criminals are actively exploiting the zero-day vulnerability, tracked as CVE-2023-34362, to steal data from organizations worldwide.

“We are aware of a cyber security incident that has impacted a third-party tool from Progress called MOVEit Transfer, which is used by a small number of Shell employees and customers,” said Shell US spokesperson Anna Arata in a statement.

Read more about it here.

A database containing personal information of 8.9 million Zacks users leaked online

A database containing the personal information of more than 8.8 million Zacks Investment Research users has emerged on a hacking forum.

Founded in 1978, Zacks is one of the leading quantitative investment research firms. The company’s initial data breach notification stated that “sensitive” information for about 820,000 customers had been accessed during the breach window, but that it was limited to those that had subscribed to the company’s “Zacks Elite” product between November 1999 and February 2005.

However, “in June 2023, a corpus of data with almost 9M Zacks customers appeared before being broadly circulated on a popular hacking forum. The most recent data was dated May 2020 and included names, usernames, email and physical addresses, phone numbers and passwords stored as unsalted SHA-256 hashes”, reported Have I Been Pwned. “On disclosure of the larger breach, Zacks advised that in addition to their original report ‘the unauthorized third parties also gained access to encrypted [sic] passwords of zacks.com customers, but only in the encrypted [sic] format’.”
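The Have I Been Pwned description above matters because an unsalted SHA-256 digest of a password is not an “encrypted” password at all: the same password always yields the same digest, so one precomputed table of common passwords can be checked against every account in the dump, and users who share a password are visible at a glance. The following Python is an added illustration, not code from Zacks or Have I Been Pwned; the user table and password list are constructed sample data. It shows the audit a defender can run over their own legacy table to find at-risk accounts, beside the per-user salted PBKDF2 storage that closes both problems.

```python
import hashlib
import hmac
import os

# Constructed sample: what a table of unsalted SHA-256 password hashes looks like.
LEGACY_USERS = {
    "alice": hashlib.sha256(b"password123").hexdigest(),
    "bob": hashlib.sha256(b"password123").hexdigest(),   # same password as alice
    "carol": hashlib.sha256(b"correct horse battery staple").hexdigest(),
}

# Constructed short list of common passwords (a real audit uses a breach wordlist).
COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty"]


def precompute_table(passwords):
    """With no salt, this table is built once and reused against every dump."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in passwords}


def audit_unsalted(users, passwords=COMMON_PASSWORDS):
    """Return the usernames whose stored hash equals the hash of a common password."""
    table = precompute_table(passwords)
    return sorted(user for user, digest in users.items() if digest in table)


def duplicate_hashes(users):
    """Identical digests expose identical passwords before any guessing starts."""
    groups = {}
    for user, digest in users.items():
        groups.setdefault(digest, []).append(user)
    return {d: sorted(us) for d, us in groups.items() if len(us) > 1}


# Salted, iterated storage: per-user random salt defeats precomputation and
# hides shared passwords; the iteration count slows every guess.
ITERATIONS = 600_000  # order of magnitude recommended for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("accounts using a common password:", audit_unsalted(LEGACY_USERS))
    print("accounts sharing a password:", duplicate_hashes(LEGACY_USERS))
    record = hash_password("password123")
    print("salted record:", record)
    print("verify correct:", verify_password("password123", record))
    print("verify wrong:", verify_password("password124", record))
```

Run against a legacy table, `audit_unsalted` and `duplicate_hashes` list the accounts to force-reset first; `hash_password` and `verify_password` show the replacement format, where two users with the same password get different records and a lookup table built in advance is useless.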

Read more about it here.

New phishing technique, File Archiver In The Browser, uses weaponized .zip domains to trick victims

A new phishing technique, called “File Archiver In The Browser”, can be leveraged to “emulate” file archiver software in a web browser when the victim visits a .zip domain. Security researcher mr.d0x detailed the new attack technique in a recent post.

In mid-May 2023, Google released several new top-level domains (TLDs), including .zip and .mov. Many cybersecurity researchers expressed concern that these TLDs can be mistaken for file extensions. The researcher showed how these TLDs can be used to deliver malicious content.

To carry out an attack using this technique, the attacker needs to “emulate” file archiver software with HTML/CSS. The researcher shared two samples. The first one emulates the WinRAR file archive utility; to avert suspicion, when the user clicks the “Scan” icon, a message box reassuring them that the files are secure is displayed.

The second one emulates the Windows 11 File Explorer window.

“It’s highly recommended for organizations to block .zip and .mov domains as they are already being used for phishing and will likely only continue to be increasingly used,” recommended the expert.
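The recommendation to block .zip and .mov domains is easy to get subtly wrong: the thing to match is the top-level domain of the URL’s hostname, not any URL that happens to end in `.zip`, otherwise legitimate archive downloads from ordinary sites are blocked and the real signal is lost in noise. The Python below is an added example, not code from mr.d0x or from the post described above; the proxy log lines are constructed, and the `url=` / `user=` field format is an assumption about the log layout. It extracts each URL, parses the hostname, and flags only those whose TLD is on the block list.

```python
import re
from urllib.parse import urlsplit

# TLDs the quoted recommendation says to block.
BLOCKED_TLDS = ("zip", "mov")

# Constructed proxy log lines (not real traffic); the field layout is assumed.
SAMPLE_LOG = """\
2023-06-01T10:00:01Z user=jdoe url=https://files.example.com/report.zip status=200
2023-06-01T10:00:05Z user=jdoe url=https://invoice-2023.zip/ status=200
2023-06-01T10:01:12Z user=asmith url=http://www.example.com/ status=200
2023-06-01T10:02:40Z user=asmith url=https://holiday-video.MOV/index.html status=200
2023-06-01T10:03:33Z user=bkim url=https://cdn.example.org/clip.mov status=200
2023-06-01T10:04:10Z user=bkim url=https://example.zip./ status=200
"""

URL_FIELD = re.compile(r"\burl=(\S+)")
USER_FIELD = re.compile(r"\buser=(\S+)")


def hostname_tld(url):
    """Return the lower-cased TLD of the URL's hostname ('' if none)."""
    host = (urlsplit(url).hostname or "").rstrip(".")  # drop a trailing root dot
    return host.rsplit(".", 1)[-1] if "." in host else ""


def is_blocked_tld_url(url, blocked=BLOCKED_TLDS):
    """True only when the *hostname* ends in a blocked TLD, not the path."""
    return hostname_tld(url) in blocked


def flag_log(log_text, blocked=BLOCKED_TLDS):
    """Return (user, hostname) pairs for requests to blocked-TLD hosts."""
    hits = []
    for line in log_text.splitlines():
        url_match = URL_FIELD.search(line)
        if not url_match or not is_blocked_tld_url(url_match.group(1), blocked):
            continue
        user_match = USER_FIELD.search(line)
        user = user_match.group(1) if user_match else "<unknown>"
        hits.append((user, urlsplit(url_match.group(1)).hostname.rstrip(".")))
    return hits


if __name__ == "__main__":
    for user, host in flag_log(SAMPLE_LOG):
        print(f"blocked-TLD request: user={user} host={host}")
```

Note that `report.zip` and `clip.mov` on ordinary hosts are left alone, while hosts under `.zip` and `.mov` are flagged regardless of letter case or a trailing root dot. The same `is_blocked_tld_url` check can sit in a proxy policy or a mail-gateway URL rewrite; the log scan is the retrospective form of the same rule.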

Read more about it here.

Toyota discloses a decade-long data breach of 2.15M customers in Japan

Toyota Motor Corporation, the largest automaker in the world by sales, disclosed a data breach that exposed the car location information of 2,150,000 customers between November 6, 2013, and April 17, 2023. The data breach stemmed from human error, which led to a cloud system being set to public instead of private. Data exposed in the decade-long breach includes vehicle locations, vehicle identification numbers and chassis numbers of drivers who signed up for the T-Connect/G-Link/G-Link Lite/G-BOOK service. Videos taken outside the vehicle may also have been exposed between November 14, 2016 and April 4, 2023.

Toyota pointed out that the exposed information only affected customers in Japan and cannot be used to identify the owners of the vehicles, and that it is unaware of any abuse of the exposed data.

Read more about it here.

T-Mobile discloses its second data breach in 2023

Mobile giant T-Mobile disclosed its second data breach so far in 2023. A hacker gained access to the personal information of 836 T-Mobile customers between late February and March. The personal information included full names, contact information, dates of birth, addresses, government IDs, Social Security numbers, and T-Mobile account numbers and PINs.

After detecting the security breach, T-Mobile reset account PINs of impacted customers.

In January 2023, T-Mobile reported another data breach affecting 37 million customers.

Read more about it here.

Hackers broke into AT&T email accounts to steal cryptocurrency wallets

Hackers have reportedly been breaking into AT&T-provided email accounts and using this access to steal large amounts of cryptocurrency. While it’s not clear how many people have been impacted, one victim claimed that hackers stole $134,000 from a Coinbase account associated with a compromised email address. Email addresses on att.net, sbcglobal.net, bellsouth.net and other AT&T domain names have all reportedly been affected.

Presumably, the hackers gained access to a part of AT&T’s internal network that allows them to create mail keys for any user. Mail keys are unique credentials that AT&T email users can use to log into their accounts from email apps such as Thunderbird or Outlook without having to use their passwords.

AT&T has adopted security measures to prevent similar attacks, and forced a password reset on some email accounts.

Read more about it here.

OpenAI starts a bug bounty program with payouts of up to $20,000 for security flaws in its ChatGPT chatbot

OpenAI, the company behind the popular ChatGPT AI chatbot, has launched a bug bounty program in an attempt to ensure its systems are “safe and useful for everyone”.

“Security is essential to OpenAI’s mission”, said the company. “We appreciate the contributions of ethical hackers who help us uphold high privacy and security standards for our users and technology.”

The company said that ChatGPT is in scope, including ChatGPT Plus, logins, subscriptions, OpenAI-created plugins (e.g. Browsing, Code Interpreter), plugins users create themselves, and all other functionality. Plugins developed by other users are out of scope.

The bounties range from $200 for low-severity security issues, up to $20,000 for “exceptional discoveries”.

Read more about it here.

KFC, Pizza Hut, and Taco Bell owner discloses data breach

Yum! Brands, the company that owns the restaurant chains KFC, Pizza Hut and Taco Bell, disclosed a data breach. On January 13, 2023, Yum! Brands suffered a ransomware attack that forced it to take its IT systems offline, closing almost 300 restaurants in the UK for one day. At the time, the company said that it had no evidence that the attackers had exfiltrated any customer information.

In a breach notification letter sent to affected customers starting April 6, Yum! Brands revealed that it has since determined that the attackers stole some individuals’ personal information, including names, driver’s license numbers, and other ID numbers.

The company added that the ongoing investigation has found no evidence that the stolen data has been used for identity theft or fraud. However, such data is typically traded or shared on underground hacker forums and ultimately used in phishing and other types of attacks.

Read more about it here.

Western Digital takes its services offline due to data breach

Storage giant Western Digital confirmed on April 3, 2023 that its network had been breached and that an unauthorized party had gained access to multiple company systems. The California-based computer drive maker and provider of cloud data storage services stated that the network security incident was identified on March 26. The investigation is still ongoing and Western Digital has yet to determine how much data was taken.

Since the incident, Western Digital’s consumer cloud and backup services have experienced outages, preventing customers from accessing their files. The affected services included My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS5, SanDisk ibi and the SanDisk Ixpand Wireless Charger. Services were restored on April 12.

While Western Digital’s customers wait for more information, they can take action now. Users should assume that their accounts associated with Western Digital’s services may have been compromised, change their service account passwords and, if possible, enable multi-factor authentication (MFA).

Read more about it here.