AMD investigating reports of massive data breach

Giant semiconductor manufacturer Advanced Micro Devices, Inc. (AMD) has apparently been breached by IntelBroker, a notorious hacker from the Breach Forums, and is working with law enforcement to further investigate. The hack may have uncovered future product details, customer databases, and employee details. News of the breach emerged on June 18, 2024 at The Cyber Express.

The hacker claims to have accessed information related to the following records:

  • ROMs
  • Firmware
  • Source code
  • Property files
  • Employee databases
  • Customer databases
  • Financial information
  • Future AMD product plans
  • Technical specification sheets

as well as the following sensitive personal information of AMD employees:

  • User IDs
  • Job functions
  • Email addresses
  • Employment status
  • First and last names
  • Business phone numbers

The hacker is selling the data exclusively for XMR (Monero) cryptocurrency, accepting a middleman for transactions.

AMD hasn’t yet confirmed the breach publicly.

Christie’s hit with class-action lawsuit over client data breach after cyberattack shuts down its web site

British auction house Christie’s has been hit with a class action lawsuit over a May 2024 data breach that compromised the personal information of approximately 500,000 current and former customers. According to the lawsuit, an email Christie’s sent to victims on May 30, 2024 reported that the compromised data included full names, genders, dates of birth, passport numbers and expiration dates, countries of birth, ID numbers, and the Machine Readable Zone along the bottom of a passport’s identity page.

The lawsuit further claims that Christie’s customers are now threatened by multiple forms of identity theft. These range from the obvious, such as the prospect of bad actors opening fraudulent financial accounts and taking out loans in the names of the exposed clients, to the less intuitive, including using the exposed parties’ data to illegally secure government benefits, obtain driver’s licenses pairing Christie’s clients’ names with alternate photographs and “giving false information to police during an arrest”.

TikTok accounts of celebrities breached using DM

TikTok accounts of CNN, Sony, and Paris Hilton were reportedly breached on June 4, 2024. While it doesn’t appear that the hackers have posted anything to the accounts, the attack reportedly required the targets to do nothing more than open a direct message.

Semafor first reported that CNN’s TikTok account had been hacked, forcing the broadcaster to take down its account for several days.

The company did not share technical details about the vulnerability exploited by the attackers.

Two students uncover security bug that allows anyone to use laundry machines for free

UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko told TechCrunch that they discovered a security bug that allows anyone to remotely send commands to laundry machines run by CSC and operate laundry cycles for free.

Sherbrooke said he was sitting on the floor of his basement laundry room in January 2024, and was able to run a script of code with instructions telling the machine in front of him to start a cycle, despite having $0 in his laundry account. The machine immediately woke up with a loud beep and flashed “PUSH START” on its display, indicating the machine was ready to wash a free load of laundry.

In another case, the students were able to add a balance of several million dollars into one of their laundry accounts, which was reflected in their CSC Go mobile app as an entirely normal amount of money for a student to spend on laundry.

The two discovered that CSC’s servers could be tricked into accepting commands that modify their account balances, because any security checks are done by the CSC Go app on the user’s device and are automatically trusted by CSC’s servers.
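The trust failure described above, as an added sketch that is not from the original article or from CSC's code: a server handler that accepts the app's own verdict and balance, beside one that decides from a server-side ledger. All names, the request fields and the price are hypothetical, and `user` is assumed to come from an authenticated session.

```python
from dataclasses import dataclass, field

CYCLE_PRICE_CENTS = 175  # constructed price for the example


@dataclass
class Ledger:
    """Server-side record of balances, in cents (hypothetical model)."""
    balances: dict = field(default_factory=dict)

    def credit_from_processor(self, user: str, cents: int) -> None:
        # Called only after the payment processor confirms a charge.
        self.balances[user] = self.balances.get(user, 0) + cents


def start_cycle_trusting_client(ledger: Ledger, user: str, request: dict) -> str:
    """Weak pattern: the check ran on the device and the server believes it."""
    if request.get("client_check_passed"):
        # The balance reported by the app overwrites the server's record.
        ledger.balances[user] = request["balance_cents"]
        return "START"
    return "DENY"


def start_cycle_server_checked(ledger: Ledger, user: str, request: dict) -> str:
    """Hardened pattern: client claims are ignored; the ledger decides."""
    balance = ledger.balances.get(user, 0)
    if balance < CYCLE_PRICE_CENTS:
        return "DENY"
    ledger.balances[user] = balance - CYCLE_PRICE_CENTS
    return "START"


def demo():
    # Constructed request from a modified client claiming funds never paid for.
    claimed = {"client_check_passed": True, "balance_cents": 500_000_000}
    weak, strong = Ledger(), Ledger()
    weak_result = start_cycle_trusting_client(weak, "student", claimed)
    unpaid_result = start_cycle_server_checked(strong, "student", claimed)
    strong.credit_from_processor("student", 500)  # a real, confirmed top-up
    paid_result = start_cycle_server_checked(strong, "student", claimed)
    return (weak_result, weak.balances["student"],
            unpaid_result, paid_result, strong.balances["student"])


if __name__ == "__main__":
    print(demo())
```

The weak handler starts the machine and stores the claimed balance; the hardened one refuses until the ledger holds a confirmed credit, then deducts the price itself.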

CSC ServiceWorks is a large laundry service company, having a network of over a million laundry machines installed in hotels, university campuses and residences across the US, Canada and Europe.

Sherbrooke and Taranenko sent the company several messages through its online contact form in January 2024, but heard nothing back. A phone call to the company landed them nowhere either, they said. They first disclosed their research in a presentation at their university cybersecurity club earlier in May.

Days after the story was published, CSC provided a statement thanking the security researchers and promising to fix the bug.

Dell discloses data breach affecting 49 million customers

Giant computer maker Dell faced a huge data breach after a cyber attacker stole information for approximately 49 million customers. Dell confirmed that the information stolen includes people’s names, postal addresses, and “Dell hardware and order information, including service tag, item description, date of order and related warranty information.” Dell did not disclose whether the incident was caused by malicious outsiders or inadvertent error.

According to Dell, the breached data did not include email addresses, telephone numbers, financial or payment information, or “any highly sensitive customer information.”

Dell seems to have downplayed the impact of the breach in the message.

“We believe there is not a significant risk to our customers given the type of information involved,” Dell wrote in the email sent to affected customers.

As first reported by Daily Dark Web, a threat actor named Menelik tried to sell a Dell database on the Breach Forums hacking forum on April 28, 2024.

The threat actor said they stole data from Dell for “49 million customer and other information systems purchased from Dell between 2017-2024.”

Details of UK military personnel exposed in payroll data breach

The UK Ministry of Defence (MoD) disclosed on May 7, 2024 a data breach impacting a third-party payroll system that exposed data of approximately 272,000 armed forces personnel – active, reserve and retired veterans.

In a statement to the House of Commons, Defence Secretary Grant Shapps said that the Ministry of Defence (MoD) identified the intrusion “in recent days.”

The Ministry of Defence revealed that a malicious actor gained access to part of the Armed Forces payment network, which is an external system completely separate from MoD’s core network.

The compromised information includes names and bank details, and, in a smaller number of cases, addresses of the impacted personnel.

Mr. Shapps publicly criticized the contractor, stating there was “evidence of failings” in the management of the breached system.

MITRE Corporation hacked by nation-state hackers exploiting Ivanti flaws

The MITRE Corporation revealed on April 19, 2024 that a nation-state actor compromised its systems in January 2024 by exploiting two Ivanti VPN zero-day vulnerabilities. According to a statement made by MITRE, it confirmed a compromise by a foreign nation-state threat actor after detecting suspicious activity on its Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network used for research, development, and prototyping. In response, MITRE took prompt action to contain the incident, including taking the NERVE environment offline, and launched an investigation.

MITRE is a US non-profit organization with dual headquarters in Bedford, Massachusetts, and McLean, Virginia. It manages federally funded research and development centers (FFRDCs) supporting various US government agencies in the aviation, defense, healthcare, homeland security, and cybersecurity fields, among others. In March 2021, MITRE created the MITRE ATT&CK Defender training program to educate and certify cybersecurity professionals.

Google agrees to erase Incognito data to settle a class action lawsuit

Google has agreed to delete billions of data records related to users’ browsing activities in ‘Incognito Mode’, to settle a class action lawsuit. The class action lawsuit, filed in 2020, accuses the company of collecting user browsing data without their knowledge or explicit consent. It alleges that the IT giant deceived users, leading them to believe their online activities would not be tracked while using Chrome’s Incognito mode.

In December 2023, Google agreed to settle the $5 billion privacy lawsuit. The settlement does not involve any payment from Google. Individuals will have the opportunity to seek compensation by submitting their own complaints in US state courts.

Contrary to what the name implies, Google Chrome Incognito Mode does not keep your browsing fully private, but it limits the data your browser collects about you.

To settle the case, Google has agreed to erase its collection of stored data containing details of personal browsing sessions. Google has also agreed to do a better job of disclosing which data will be collected when someone opens up a Chrome Incognito Mode tab.

In addition, users will have the option to block third-party cookies. This is an additional privacy-boosting measure that should help all users limit the data collected by the IT giant.

OWASP discloses data breach

The OWASP (Open Web Application Security Project) Foundation disclosed on March 29, 2024 that it suffered a data breach, caused by a misconfiguration on its old Wiki server.

“OWASP collected resumes as part of the early membership process, whereby members were required in the 2006 to 2014 era to show a connection to the OWASP community. OWASP no longer collects resumes as part of the membership process,” said the disclosure.

Exposed resumes contained names, email addresses, phone numbers, physical addresses, and “other personally identifiable information”.

In response to the data breach, the experts at the Foundation have disabled directory browsing, reviewed the web server and MediaWiki configuration for other security issues, removed the resumes from the wiki site altogether, and purged the Cloudflare cache to prevent further access. They also requested that the information be removed from the Web Archive.

OWASP is a nonprofit organization focused on improving the security of IoT, system software and web applications. It provides free resources, tools, and documentation to help organizations develop, deploy, and maintain secure software applications. It has tens of thousands of members.

Records of over 70 million AT&T users leaked and offered online

Data from over 70 million AT&T users has allegedly been leaked and is being sold in hackers’ forums. Leaked data includes names, addresses, mobile phone numbers, email addresses, birth dates and social security numbers.

The leaked sample was analyzed by researchers such as HaveIBeenPwned, Dark Web Informer, and VX-Underground. All of them concluded that AT&T data being sold on hackers’ forums is legitimate.

The data is believed to have come from a 2021 breach executed by the hacker group ShinyHunters.

AT&T said that the information does not come from their systems.
