Details of UK military personnel exposed in payroll data breach

The UK Ministry of Defence (MoD) disclosed on May 7, 2024, a data breach of a third-party payroll system that exposed the data of approximately 272,000 armed forces personnel – active, reserve and retired veterans.

In a statement to the House of Commons, Defence Secretary Grant Shapps said that the MoD identified the intrusion “in recent days.”

The Ministry of Defence revealed that a malicious actor gained access to part of the Armed Forces payment network, which is an external system completely separate from MoD’s core network.

The compromised information includes names and bank details, and, in a smaller number of cases, addresses of the impacted personnel.

Mr. Shapps publicly criticized the contractor, stating there was “evidence of failings” in the management of the breached system.


MITRE Corporation hacked by nation-state hackers exploiting Ivanti flaws

The MITRE Corporation revealed on April 19, 2024 that a nation-state actor compromised its systems in January 2024 by exploiting two Ivanti VPN zero-day vulnerabilities. According to MITRE’s statement, it detected suspicious activity on its Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network used for research, development, and prototyping, and then confirmed a compromise by a foreign nation-state threat actor. In response, MITRE took prompt action to contain the incident, including taking the NERVE environment offline, and launched an investigation.

MITRE is a US non-profit organization with dual headquarters in Bedford, Massachusetts, and McLean, Virginia. It manages federally funded research and development centers (FFRDCs) supporting various US government agencies in the aviation, defense, healthcare, homeland security, and cybersecurity fields, among others. In March 2021, MITRE created the MITRE ATT&CK Defender training program to educate and certify cybersecurity professionals.


Google agrees to erase Incognito data to settle a class action lawsuit

Google has agreed to delete billions of data records related to users’ browsing activities in ‘Incognito Mode’, to settle a class action lawsuit. The class action lawsuit, filed in 2020, accuses the company of collecting user browsing data without their knowledge or explicit consent. It alleges that the IT giant deceived users, leading them to believe their online activities would not be tracked while using Chrome’s Incognito mode.

In December 2023, Google agreed to settle the $5 billion privacy lawsuit. The settlement does not involve any payment from Google. Individuals will have the opportunity to seek compensation by submitting their own complaints in US state courts.

Contrary to what the name implies, Google Chrome Incognito Mode does not keep your browsing fully private, but it limits the data your browser collects about you.

To settle the case, Google has agreed to erase its collection of stored data containing details of personal browsing sessions. Google has also agreed to do a better job of disclosing which data will be collected when someone opens up a Chrome Incognito Mode tab.

In addition, users will have the option to block third-party cookies. This is an additional privacy-boosting measure that should help all users limit the data collected by the IT giant.


OWASP discloses data breach

The OWASP (Open Web Application Security Project) Foundation disclosed on March 29, 2024 that it suffered a data breach, caused by a misconfiguration on its old Wiki server.

“OWASP collected resumes as part of the early membership process, whereby members were required in the 2006 to 2014 era to show a connection to the OWASP community. OWASP no longer collects resumes as part of the membership process,” the disclosure said.

Exposed resumes contained names, email addresses, phone numbers, physical addresses, and “other personally identifiable information”.

In response to the data breach, the Foundation’s experts disabled directory browsing, reviewed the web server and MediaWiki configuration for other security issues, removed the resumes from the wiki site altogether, and purged the Cloudflare cache to prevent further access. They also requested that the information be removed from the Web Archive.
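The root cause above, directory browsing left enabled on a web server hosting a wiki, is a one-line setting. As an added illustration (not OWASP’s own configuration; the hostname and paths are assumed placeholders), an Apache httpd virtual-host fragment showing the weak setting beside the corrected one, plus the cache and indexing headers that match the other remediation steps described:

```apache
# Added example, not OWASP's configuration. Hostname and paths are placeholders.
# Requires mod_headers for the Header directives.
<VirtualHost *:443>
    ServerName wiki.example.org
    DocumentRoot /var/www/mediawiki

    # WEAK: "+Indexes" makes Apache generate an HTML listing for any directory
    # that lacks an index file, so an old uploads directory becomes browsable
    # and, once crawled, gets copied into CDN caches and archive services.
    #
    # <Directory /var/www/mediawiki>
    #     Options +Indexes +FollowSymLinks
    #     AllowOverride None
    #     Require all granted
    # </Directory>

    # CORRECTED: listings disabled for the whole document root. A request for
    # a directory without an index file now returns 403 instead of a listing.
    <Directory /var/www/mediawiki>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # Legacy upload directory (assumed path): deny it outright rather than
    # relying only on the listing being off. The files themselves should also
    # be deleted from disk, as OWASP did.
    <Directory /var/www/mediawiki/images/archive>
        Require all denied
    </Directory>

    # Tell intermediaries not to store copies of anything under the uploads
    # path, and search engines not to index or cache it, so a cache purge
    # is not undone by the next crawl.
    <LocationMatch "^/images/">
        Header always set Cache-Control "no-store"
        Header always set X-Robots-Tag "noindex, noarchive"
    </LocationMatch>
</VirtualHost>
```

After changing the configuration, confirm it with `apachectl configtest` and request a known directory URL without an index file to verify a 403 rather than a listing.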

OWASP is a nonprofit organization focused on improving the security of IoT, system software and web applications. It provides free resources, tools, and documentation to help organizations develop, deploy, and maintain secure software applications. It has tens of thousands of members.


Records of over 70 million AT&T users leaked and offered online

Data from over 70 million AT&T users has allegedly been leaked and is being sold on hacker forums. The leaked data includes names, addresses, mobile phone numbers, email addresses, birth dates and Social Security numbers.

The leaked sample was analyzed by researchers such as HaveIBeenPwned, Dark Web Informer, and VX-Underground. All of them concluded that the AT&T data being sold on hacker forums is legitimate.

The data is believed to have come from a 2021 breach executed by the hacker group ShinyHunters.

AT&T said that the information does not come from their systems.


CISA hacked via Ivanti vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) was hacked in February 2024 through vulnerabilities in Ivanti products. In response to the security breach, the agency had to shut down two crucial systems:

the Infrastructure Protection (IP) Gateway, a system that facilitates the sharing of cyber and physical security assessment tools among federal, state, and local officials, and the Chemical Security Assessment Tool (CSAT), a system holding information related to the security assessment of chemical facilities.

Ironically, CISA had itself warned US organizations about attacks exploiting vulnerabilities in Ivanti software. On February 1, 2024, for the first time since its establishment, CISA ordered federal agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours.

On February 29, CISA warned organizations again that threat actors are exploiting multiple vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways.

A spokesperson for CISA told CNN that the security breach did not impact the operations of the agency.


The 2023 FBI Internet Crime Report has been published

The 2023 FBI Internet Crime Report states that reported cybercrime losses reached $12.5 billion in 2023, up from $10.3 billion in 2022, a 21% increase. The number of complaints rose from 800,944 in 2022 to 880,418 in 2023.

Investment fraud was once again the costliest type of crime tracked by IC3. Losses to investment scams rose from $3.31 billion in 2022 to $4.57 billion in 2023 – a 38% increase. The second-costliest type of crime was business e-mail compromise (BEC), with 21,489 complaints amounting to $2.9 billion in reported losses. Tech support scams, meanwhile, were the third-costliest type of crime tracked by IC3.

In the ransomware category, Healthcare and Public Health was the heaviest hit sector, followed by Critical Manufacturing and Government Facilities.

In terms of crime types, phishing/spoofing by far received the highest number of complaints, followed by personal data breach and non-payment/non-delivery.


Bank of America warns customers of data breach after third party hack

Bank of America revealed that the personal information of some customers was stolen in a data breach affecting a third-party services provider.

A data breach at Infosys McCamish, a financial software provider, compromised the name, address, date of birth, Social Security number, and financial information, including account and credit card numbers, of 57,028 deferred compensation customers whose accounts were serviced by Bank of America.

An unauthorized party — apparently a ransomware group known as LockBit — accessed the customers’ information through Infosys McCamish’s system, not Bank of America’s, according to a letter Infosys McCamish sent to affected customers, published by Maine’s attorney general. Bank of America provided two-year identity theft protection to the affected customers.

The breach occurred on Nov. 3, 2023, and Infosys McCamish notified Bank of America about the breach on Nov. 24. Infosys McCamish and Bank of America notified customers of the breach on Feb. 2, 2024.

Bank of America has yet to disclose how many of the 57,028 accounts were customer accounts.


HPE investigates new data breach of test environment

Hewlett Packard Enterprise (HPE) is investigating a potential new data breach after a hacker put allegedly stolen data up for sale on the BreachForums hacking forum, claiming it contains HPE credentials and other sensitive information.

The announcement was published by a hacker who uses the moniker IntelBroker.

“Hello BreachForums Community. Today, I am selling the data I have taken from Hewlett Packard Enterprise,” reads the announcement published by IntelBroker. “More specifically, the data includes: CI/CD access, System logs, Config Files, Access Tokens, HPE StoreOnce Files (Serial numbers warrant etc) & Access passwords. (Email services are also included)”

IntelBroker is considered a credible threat actor with a track record: it has been linked to the breaches of DC Health Link and Volvo Cars.

HPE became aware of the intrusion on December 12, 2023, and immediately launched an investigation. It found that the data at issue appears to be related to information contained in a test environment. There is no indication that these claims relate to any compromise of HPE production environments or customer information.

HPE is a multinational information technology company based in Spring, Texas.


Scammers stole $25 million from a multi-national company using a deepfake conference call

Scammers successfully stole HK$200 million (approximately $25.6 million) from a multinational company in Hong Kong by using a deepfake video call to deceive an employee into transferring the funds. The finance employee attended a video conference call with deepfake recreations of the company’s Chief Financial Officer (CFO) and other employees who instructed him to transfer the funds. The employee initiated a series of 15 bank transfers to five different Hong Kong accounts totaling HK$200 million.

The employee discovered the scam a week later and notified the company and local authorities.

The identity of the company wasn’t revealed.

The investigation is still ongoing; the police have yet to identify the gang behind the scam.
