Cyber Victor – a leading blog on cyber security

On December 4, 2024, hacker group Brain Cipher added Deloitte UK to its Tor-based leaked web site. The gang claimed to have stolen one terabyte of compressed data from the company.

A Deloitte spokesperson addressed these claims, stating that the source of data is a single client’s system, which is not connected to the company’s network. The company emphasized that “No Deloitte systems have been impacted”, based on their ongoing investigation.

The hackers are threatening to make the stolen files available unless a ransom is paid, and it set a deadline of December 15 for Deloitte to respond.

The Brain Cipher hacker group has been active since at least April 2024. On June 20, 2024, the group targeted an Indonesian data center, causing the disruption of around 210 critical government services, including customs and immigration. The cyber attack also caused significant airport delays. The Brain Cipher ransomware group initially demanded an $8 million ransom but later released the decryptor for free.

Read more about it here.

Ugandan officials confirmed on November 28, 2024 that the national central bank suffered a security breach by financially motivated threat actors. State minister for finance Henry Musasizi confirmed the hack and said the police’s Criminal Investigations Department and the Auditor General were probing the incident.

State-owned New Vision newspaper reported that hackers, identifying themselves as “Waste”, accessed the bank’s IT systems and illicitly transferred the funds into accounts in Japan and the UK. It is quite possible that the hack was a result of an insiders job. In total, the hackers stole 62 billion Ugandan shillings ($16.8 million) from the central bank. One batch of about $7 million was sent to a bank account in the UK; it was subsequently frozen and is now considered as recovered. A second batch of about $6 million was sent to a bank in Japan; it has not been recovered because the fraudsters on the Japanese side presented “solid and sufficient” paperwork to prove that their transaction was legit.

Read more about it here.

Wordfence researchers issued on November 14, 2024 a warning about vulnerability CVE-2024-10924, having CVSS Score of 9.8, in the Really Simple Security plugin that affects over 4 million WordPress web sites. The Really Simple Security plugin, formerly Really Simple SSL, is a popular WordPress tool that enhances website security with features like login protection, real-time vulnerability detection, and two-factor authentication. If exploited, it allows an attacker to remotely gain full administrative access to a site running the plugin. The vulnerability was discovered by Wordfence’s researcher István Márton.

The flaw is due to improper user check error handling in the two-factor REST API actions with the ‘check_login_and_get_user’ function. “Unfortunately, one of the features adding two-factor authentication was insecurely implemented making it possible for unauthenticated attackers to gain access to any user account, including an administrator account, with a simple request when two-factor authentication is enabled,” Márton said.

Ironically, this vulnerability only impacts WordPress sites who have enabled “Two-Factor Authentication” in the plugin settings.

CVE-2024-10924 impacts plugin versions from 9.0.0 and up to 9.1.1.1 of the “free”, “Pro” and “Pro Multisite” releases. The flaw was fixed in version 9.1.2. Security updates were released on November 12 (Pro versions) and November 14 (free version).

Read more about it here.

Amazon disclosed on November 11, 2024 a data breach that exposed employee information after the data was allegedly stolen during the May 2023 MOVEit Transfer attacks. The company said that the data was stolen from a third-party property management vendor. The MOVEit vulnerability (CVE-2023-34362), first exploited in May 2023, allowed unauthenticated attackers to gain unauthorized access to vulnerable systems. This critical SQL injection flaw enabled cybercriminals to bypass security measures and potentially steal sensitive data from thousands of organizations worldwide.

The Amazon employee information involved was employee work contact information, for example work email addresses, desk phone numbers, and building locations.

Amazon did not disclose the number of impacted employees.

A threat actor using the handle Nam3L3ss leaked over 2.8 million records containing Amazon employee data on the hacking forum BreachForums.

Read more about it here.

Interbank, one of Peru’s leading financial institutions, has confirmed a data breach after a threat actor who hacked into its systems leaked stolen data online.

Interbank disclosed a data breach after a threat actor going by the moniker ‘kzoldyck’ claimed the leak of 3.7 TB of company data. The alleged stolen data includes account IDs, birth dates, addresses, phone numbers, email addresses, and IP addresses, as well as credit card and CVV numbers, credit card expiry dates, info on bank transactions, and other sensitive information, including plaintext credentials.

Interbank announced that it had resumed its mobile and online platforms after recent outages and assured customers that their funds were not impacted by the security incident.

The threat actor confirmed that Interbank refused to pay the ransom after a two-week negotiation.

Interbank, formally known as the Banco Internacional del Perú Service Holding S.A.A., is a leading Peruvian provider of financial services and has over 2 million customers.

Read more about it here.

US based financial services giant company Fidelity Investments warns 77,099 individuals of a data breach that exposed their personal information. The company revealed via a breach notification filed with the Office of the Maine Attorney General that it was hit by a breach on August 17, 2024, which the firm detected on August 19. A letter sent to the 77,099 customers caught up in the breach confirmed that the attackers stole personal information related to them.

Fidelity said that a third party had accessed and obtained certain information without authorization by using two customer accounts they recently set up. This implies that threat actors exploited “Broken Access Control”, the number one attack vector in OWASP’s Top 10 Web Application Security Risks. One of the risks associated with this is permitting the viewing or editing of someone else’s account by providing its unique identifier. After detecting the activity, the company terminated access to those accounts and launched an investigation with help from outside security experts.

Compromised information included names, Social Security Numbers, financial account data, and drivers license information. Fidelity confirmed that financial data was not exposed and Fidelity customer accounts were not hacked.

Read more about it here.

American peer-to-peer payments and money transfer company MoneyGram confirmed on September 21, 2024 that a cyberattack caused its services to become unavailable. The company has taken some of its systems offline since September 20 to contain the attack, and services were fully restore on September 26.

MoneyGram now confirms on its web site that the cyberattack exposed customer data, including customer name, contact info (such as phone numbers, email and postal addresses), dates of birth, government IDs, Social Security numbers, and transaction details:

“The impacted information included certain affected consumer names, contact information (such as phone numbers, email and postal addresses), dates of birth, a limited number of Social Security numbers, copies of government-issued identification documents (such as driver’s licenses), other identification documents (such as utility bills), bank account numbers, MoneyGram Plus Rewards numbers, transaction information (such as dates and amounts of transactions) and, for a limited number of consumers, criminal investigation information (such as fraud). The types of impacted information varied by affected individual.”

The company said it is proactively working to contain and remediate the attack with the help of external cybersecurity experts. The company already notified law enforcement about the data breach.

Read more about it here.

Web infrastructure and security company Cloudflare has disclosed that it autonomously mitigated a record-breaking distributed denial-of-service (DDoS) attack that peaked at 3.8 terabits per second (Tbps) and lasted 65 seconds. This is the largest publicly recorded thwarted DDoS to date. The assault consisted of a “month-long” barrage in September 2024 of more than 100 hyper-volumetric DDoS attacks flooding the network infrastructure with garbage data.

The previous record-breaking volumetric DDoS attack was reported by Microsoft in November 2021, peaking at 3.47 Tbps with a packet rate of 340 million Pps (Packets per second). The largest attack previously seen by Cloudflare peaked at 2.6 Tbps.

According to Cloudflare, the infected devices were spread across the globe but many of them were located in Russia, Vietnam, the US, Brazil and Spain

A Volumetric DDoS attack aims to overwhelm the target’s network or servers by flooding them with a massive volume of data. The goal is to consume all available bandwidth or system resources, rendering the service inaccessible to legitimate users.

Read more about it here.

American peer-to-peer payments and money transfer company MoneyGram confirmed that a cyberattack caused its services to become unavailable.

On September 21, 2024, the company informed its customers that it was experiencing “a network outage impacting connectivity to a number of our systems.”

The company has taken some of its systems offline since September 20 to contain the attack.

On September 23, MoneyGram confirmed that it “recently identified a cybersecurity issue affecting certain of our systems”.

Online services were fully restored only on September 26.

The company remained largely silent about the cybersecurity incident beyond a handful of updates posted to its X account. However, the length and the severity of the outage points to ransomware. The fact that the company was spending an extended period of time restoring key systems further points to potentially its refusal to pay a ransom demand and recovery from backups.

In 2014, it was the second largest provider of money transfers in the world. MoneyGram operates in more than 200 countries and territories with a global network of about 430,000 agent offices, serving 150 million customer.

Read more about it here.

Cybersecurity giant Fortinet confirmed on September 12, 2024 that it suffered a data breach, after a threat actor claimed to steal 440GB of files from the company’s Microsoft SharePoint server. “An individual gained unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party cloud-based shared file drive, which included limited data related to a small number (less than 0.3%) of Fortinet customers” says its blog post. The company further stated that “Fortinet’s operations, products, and services have not been impacted.”

The threat actor, known as “Fortibitch,” claims to have tried to extort Fortinet into paying a ransom, likely to prevent the publishing of data, but the company refused to pay.

Fortinet did not disclose how many customers are impacted or what kind of data has been compromised but said that it “communicated directly with customers as appropriate.”

Fortinet is one of the largest cybersecurity vendors in the industry, offering firewalls, routers, VPN devices, extended detection and response, SIEM, network management and consulting services. It employs over 13,500 employees.

Read more about it here.