Flagstar Bank suffers another data breach

Flagstar Bank has warned that 837,390 US customers had their personal information stolen by cybercriminals due to a breach at a third-party service provider.

Flagstar, now owned by New York Community Bank, is a Michigan-based financial services provider that, before its acquisition in 2022, was one of the largest banks in the United States, with total assets of over $31 billion.

The breach occurred between May 27 and 31, 2023 and was traced to a vulnerability in MOVEit Transfer, the managed file transfer product used by Fiserv, Flagstar's vendor for payment processing and mobile banking services. Flagstar's own systems were not the entry point: the customer data was taken from the vendor's MOVEit Transfer instance, which is why the bank describes it as a third-party breach.

In June 2022, Flagstar Bank disclosed an earlier data breach that affected roughly 1.5 million of its US customers, but the company did not share details about the attack, which took place in early December 2021.

In March 2021, the bank was the victim of yet another attack, that one conducted by the Clop ransomware gang.

Read more about it here.

New ‘HTTP/2 Rapid Reset’ zero-day vulnerability breaks DDoS records

Researchers disclosed a new zero-day DDoS attack technique, called 'HTTP/2 Rapid Reset' (tracked as CVE-2023-44487), that has been exploited in the wild since August 2023 in record-breaking attacks observed by Amazon Web Services (AWS), Cloudflare and Google.

The attacks peaked at 155 million requests per second (rps) at Amazon, 201 million rps at Cloudflare, and a record-breaking 398 million rps at Google, several times the previous record for a layer 7 DDoS attack.

The technique abuses HTTP/2's stream cancellation feature: the client continuously opens requests and immediately cancels them, so the server spends resources starting each request while the client's cost stays close to zero, overwhelming the target server or application and imposing a denial-of-service state.

The HTTP/2 protocol lets a client tell the server that a previous stream should be cancelled by sending a RST_STREAM frame; the client can request the cancellation unilaterally and the server has to honour it. As Google's post puts it, the attack "makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open". Because the connection stays open and a reset stream no longer counts against the per-connection concurrent stream limit, that limit does not help: the client can keep a single connection saturated with new requests indefinitely. Mitigation therefore has to act at the connection level: track the rate of RST_STREAM frames per connection and, when abuse is detected, send GOAWAY and close the entire TCP connection rather than just the offending stream.
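To make the connection-level mitigation concrete, here is an added example (written for this page, not code from Google, Cloudflare or AWS) in Python: a minimal HTTP/2 frame parser plus a per-connection guard that counts client stream cancellations and tells the server to close the whole TCP connection once they exceed a threshold. The 9-byte frame header layout follows RFC 9113; the `RapidResetGuard` class, its thresholds, and the two constructed traffic samples are assumptions for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, Tuple

# HTTP/2 frame types (RFC 9113 section 6) used in this example
FRAME_HEADERS = 0x1
FRAME_RST_STREAM = 0x3
ERR_CANCEL = 0x8  # RST_STREAM error code a client uses to cancel a request


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big")
            + struct.pack("!BBI", ftype, flags, stream_id & 0x7FFFFFFF)
            + payload)


def parse_frames(data: bytes) -> Iterator[Frame]:
    """Walk a byte string of concatenated frames (what follows the connection preface)."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame at offset %d" % off)
        yield Frame(ftype, flags, stream_id, payload)
        off += 9 + length


class RapidResetGuard:
    """Per-connection policy (assumed thresholds): count RST_STREAM frames on
    client-opened streams per fixed window of `window` requests. More than
    `max_resets` cancellations in a window is treated as abuse, and the caller
    is told to close the whole TCP connection, not just the stream."""

    def __init__(self, max_resets: int = 100, window: int = 200):
        self.max_resets = max_resets
        self.window = window
        self.open_streams: set = set()
        self.requests = 0
        self.resets = 0

    def feed(self, frame: Frame) -> str:
        # stream 0 is connection-level; even ids are server push, not client requests
        if frame.stream_id == 0 or frame.stream_id % 2 == 0:
            return "ok"
        if frame.ftype == FRAME_HEADERS:
            self.open_streams.add(frame.stream_id)
            self.requests += 1
            if self.requests >= self.window:  # start a fresh counting window
                self.requests = 0
                self.resets = 0
        elif frame.ftype == FRAME_RST_STREAM and frame.stream_id in self.open_streams:
            self.open_streams.discard(frame.stream_id)
            self.resets += 1
            if self.resets > self.max_resets:
                return "close"  # caller sends GOAWAY and drops the TCP connection
        return "ok"


def inspect_connection(data: bytes, max_resets: int = 100, window: int = 200) -> Tuple[str, int]:
    """Return (verdict, number of frames consumed before the verdict was reached)."""
    guard = RapidResetGuard(max_resets, window)
    seen = 0
    for frame in parse_frames(data):
        seen += 1
        if guard.feed(frame) == "close":
            return "close", seen
    return "ok", seen


def rapid_reset_stream(pairs: int) -> bytes:
    """Constructed attacker traffic: every request is cancelled the moment it is sent."""
    out = bytearray()
    for i in range(pairs):
        sid = 2 * i + 1  # client streams use odd ids
        # flags 0x5 = END_STREAM | END_HEADERS; payload 0x82 is HPACK ':method: GET'
        out += build_frame(FRAME_HEADERS, 0x5, sid, b"\x82")
        out += build_frame(FRAME_RST_STREAM, 0, sid, struct.pack("!I", ERR_CANCEL))
    return bytes(out)


def normal_stream(requests: int, cancels: int) -> bytes:
    """Constructed ordinary traffic: many requests, a few genuine cancellations."""
    out = bytearray()
    for i in range(requests):
        sid = 2 * i + 1
        out += build_frame(FRAME_HEADERS, 0x5, sid, b"\x82")
        if i < cancels:
            out += build_frame(FRAME_RST_STREAM, 0, sid, struct.pack("!I", ERR_CANCEL))
    return bytes(out)


if __name__ == "__main__":
    print(inspect_connection(rapid_reset_stream(300)))  # ('close', 202)
    print(inspect_connection(normal_stream(50, 2)))     # ('ok', 52)
```

The guard deliberately ignores SETTINGS_MAX_CONCURRENT_STREAMS, which the attack sidesteps, and keys only on the ratio of cancellations to requests on one connection; a production server would also rate-limit new connections from the same client once it has closed one for this reason.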

Amazon Web Services (AWS), Cloudflare and Google said on October 10, 2023 that they had taken steps to mitigate these record-breaking Distributed Denial-of-Service (DDoS) attacks.

Read more about it here.

TransUnion denies breach after hacker publishes leaked data

US consumer credit reporting agency TransUnion may have suffered a hacking incident leading to a data breach. A threat actor using the moniker "USDoD" announced the leak of a database containing sensitive personally identifiable information (PII) of 58,505 customers across North and South America and Europe.

According to vx-underground, which tracks the cybercriminal underground and reported the leak, the archive contains data dating back to March 2, 2022, which could be the date of the breach.

vx-underground stated that the leaked data includes first name, last name, internal TransUnion identifiers, sex, passport information, place of birth, date of birth, civil status, age, current employer and information about that employer, a summary of financial transactions, credit score, loans in the person's name, remaining loan balances, the lender, and when TransUnion first began monitoring their information.

In response, TransUnion investigated the claim and stated that its systems were not breached and that the data may have come from a third party. "We have found that multiple aspects of the messages – including the data, formatting, and fields – do not match the data content or formats at TransUnion", said the statement.

Read more about it here.

UK Manchester Police officers’ data exposed in ransomware attack

The personal details of over 20,000 UK police officers were stolen in a suspected ransomware attack on a third-party supplier.

Greater Manchester Police (GMP), the fourth largest police force in the UK, confirmed on September 14, 2023 that its supplier, identity card maker Digital ID, holds "some information on those employed by GMP."

"We understand how concerning this is for our employees so, as we work to understand any impact on GMP, we have contacted the Information Commissioner's Office and are doing everything we can to ensure employees are kept informed, their questions are answered, and they feel supported," says the announcement.

GMP does not believe the data on the hacked systems included financial information belonging to its employees.

Read more about it here.

Akamai blocked the largest ever DDoS attack on a US Financial Company

Cybersecurity firm Akamai detected and mitigated a massive distributed denial-of-service (DDoS) attack targeting an unnamed leading American financial institution, a customer of its Prolexic platform. The attack began on September 5, 2023 at approximately 19:31 UTC.

“Cybercriminals used a combination of ACK, PUSH, RESET, and SYN flood attack vectors, peaking at 633.7 gigabits per second (Gbps) and 55.1 million packets per second (Mpps). The attack was sharp but lasted for less than 2 minutes, and was proactively mitigated by our customer’s comprehensive cyberdefense posture.” reads the post published by Akamai.

The top 10 sources of the malicious traffic were Bulgaria, Brazil, China, India, the United States, Thailand, Russia, Ukraine, Vietnam, and Japan; during the attack, traffic from the US was more than double the country's peacetime volume.

Read more about it here.

Hackers expose data of 2.6 million Duolingo users

Duolingo is one of the largest language learning platforms in the world, with over 75 million monthly users. The scraped data of 2.6 million users, which was offered for sale in January 2023 with a starting price of $1,500, is now available on the cybercrime marketplace BreachForums for just 8 credits, worth $2.13.

The shared data contains email addresses, usernames, names, phone numbers, social network information, and other profile data such as languages studied, experience points, progress and achievements.

The data was scraped through an exposed application programming interface (API). The API lets anyone submit a username and retrieve that user's public profile information. However, it also accepts an email address and confirms whether it is associated with a valid Duolingo account. Scrapers fed millions of email addresses, likely exposed in previous data breaches, into the API to confirm which belong to Duolingo accounts, then combined the responses into a dataset containing both public and non-public information. An endpoint that answers differently for known and unknown email addresses is an account enumeration oracle; the remedy is to accept only public identifiers (usernames) as lookup keys, return only fields that are meant to be public, and rate-limit lookups per client.
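As an added illustration (written for this page, not Duolingo's code, and the `USERS` store, field names and rate limit are constructed assumptions), here is the enumeration-prone lookup beside a hardened version in Python: the weak handler matches on email as well as username and returns the whole record, while the hardened one refuses email-shaped keys, returns only the public sub-record, and throttles each client.

```python
import re
import time
from collections import defaultdict, deque
from typing import Dict, Optional

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed user store; only the "public" sub-dict is meant to be visible to others.
USERS = {
    "alice": {"email": "alice@example.com", "phone": "+1-555-0100",
              "public": {"username": "alice", "streak": 12, "languages": ["es"]}},
    "bob":   {"email": "bob@example.org", "phone": "+1-555-0101",
              "public": {"username": "bob", "streak": 3, "languages": ["fr"]}},
}


def vulnerable_profile_api(query: str) -> dict:
    """Matches the query against usernames AND emails and returns the full record.
    Feeding a breached email list through this confirms which addresses belong
    to customers and harvests their phone numbers along the way."""
    for record in USERS.values():
        if query in (record["public"]["username"], record["email"]):
            return {"status": 200, "body": dict(record)}  # leaks email and phone
    return {"status": 404, "body": {"error": "not found"}}


class HardenedProfileApi:
    """Username-only lookups, public fields only, per-client sliding-window rate limit."""

    def __init__(self, limit: int = 30, per_seconds: int = 60):
        self.limit, self.per_seconds = limit, per_seconds
        self.calls: Dict[str, deque] = defaultdict(deque)

    def _allowed(self, client: str, now: float) -> bool:
        q = self.calls[client]
        while q and now - q[0] >= self.per_seconds:  # drop calls outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def lookup(self, client: str, query: str, now: Optional[float] = None) -> dict:
        now = time.monotonic() if now is None else now
        if not self._allowed(client, now):
            return {"status": 429, "body": {"error": "rate limited"}}
        if EMAIL_RE.match(query):
            # never let an email address act as a lookup key
            return {"status": 400, "body": {"error": "lookup by username only"}}
        record = USERS.get(query)
        if record is None:
            return {"status": 404, "body": {"error": "not found"}}
        return {"status": 200, "body": dict(record["public"])}  # allow-listed fields only


if __name__ == "__main__":
    print(vulnerable_profile_api("alice@example.com")["status"])  # 200: email confirmed
    api = HardenedProfileApi()
    print(api.lookup("203.0.113.7", "alice@example.com")["status"])  # 400
    print(api.lookup("203.0.113.7", "alice")["body"])  # public fields only
```

A 404 for an unknown username is acceptable because usernames are already public; the oracle problem arises only when a private identifier such as an email address can be tested for existence.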

Read more about it here.

The world’s most popular websites lack basic cybersecurity hygiene

The world’s most popular websites lack basic cybersecurity hygiene, an investigation by Cybernews shows.

The Cybernews research team has deep-dived into an issue that developers often overlook: HTTP security headers. They analyzed the 100 most visited websites, including Facebook, Pinterest, IMDB, PayPal, Wikipedia, and AliExpress.

The conclusion? Many developers of the most popular websites could improve their security posture. So as not to give threat actors any ideas, the sites that need work were not named.

HTTP security headers are instructions the server sends on how the browser should handle the page. They mainly mitigate client-side attacks, which exploit flaws in content running on the user's device (cross-site scripting, clickjacking, MIME sniffing and the like) to gain unauthorized access, steal information, or perform other malicious actions. The headers analyzed include:

  • X-Frame-Options
  • Content-Security-Policy (CSP)
  • Referrer-Policy
  • Permissions-Policy
  • X-Content-Type-Options
  • Strict-Transport-Security (HSTS)
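Cybernews did not publish its checking logic, so the following is an added example written for this page: a small Python auditor that takes a response header map and reports which of the six headers above are missing or weakly configured, run over two constructed header sets (a weak one and a hardened one; neither is captured from any real site). The minimum HSTS age and the CSP checks are the author's assumed baseline, not Cybernews' criteria.

```python
from typing import Dict, List, Optional


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, as HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _directives(csp: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source tokens]} with tokens lower-cased."""
    out: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def audit_headers(headers: Dict[str, str], min_hsts_age: int = 31536000) -> List[str]:
    """Return a list of findings; an empty list means the assumed baseline is met."""
    findings: List[str] = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        age = 0
        for directive in hsts.split(";"):
            directive = directive.strip().lower()
            if directive.startswith("max-age="):
                try:
                    age = int(directive.split("=", 1)[1])
                except ValueError:
                    pass
        if age < min_hsts_age:
            findings.append("HSTS max-age %d is below %d" % (age, min_hsts_age))

    csp = _get(headers, "Content-Security-Policy")
    directives = _directives(csp) if csp else {}
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        # script-src falls back to default-src when absent
        script = directives.get("script-src", directives.get("default-src", []))
        if not script:
            findings.append("CSP has neither script-src nor default-src")
        elif "'unsafe-inline'" in script and not any(
                t.startswith(("'nonce-", "'sha")) for t in script):
            findings.append("CSP script-src allows 'unsafe-inline' without a nonce or hash")
        if "*" in script:
            findings.append("CSP script-src allows any origin (*)")

    if _get(headers, "X-Frame-Options") is None and "frame-ancestors" not in directives:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    if (_get(headers, "X-Content-Type-Options") or "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if _get(headers, "Referrer-Policy") is None:
        findings.append("missing Referrer-Policy")
    if _get(headers, "Permissions-Policy") is None:
        findings.append("missing Permissions-Policy")
    return findings


# Constructed header sets for illustration, not responses from any real website.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                                "object-src 'none'; frame-ancestors 'none'; base-uri 'self'"),
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for finding in audit_headers(WEAK_HEADERS):
        print("WEAK:", finding)
    print("HARDENED:", audit_headers(HARDENED_HEADERS) or "no findings")
```

Presence alone is a weak signal: a CSP of `default-src *` or an HSTS max-age of a few minutes passes a "header is set" test while providing almost no protection, which is why the auditor inspects values, not just names.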

Read more about it here.

OWASP Top 10 for LLM (Large Language Model) applications is published

The Open Worldwide Application Security Project (OWASP) has recently released version 1.0 of its Top 10 for LLM (Large Language Model) Applications.

OWASP's Top 10 lists are community-driven rankings of the most common security issues in a given domain, designed to help developers write safer code.

"The OWASP Top 10 for LLM Applications Working Group is dedicated to developing a Top 10 list of vulnerabilities specifically applicable to applications leveraging Large Language Models (LLMs). This initiative aligns with the broader goals of the OWASP Foundation to foster a more secure cyberspace and is in line with the overarching intention behind all OWASP Top 10 lists," says their announcement.

The list is the result of the work of nearly 500 security specialists, AI researchers, developers, industry leaders and academics, over 130 of whom actively contributed to the guide.

Following is the OWASP Top 10 for LLM version 1.0, listed in order of criticality.

  1. Prompt Injection
  2. Insecure Output Handling
  3. Training Data Poisoning
  4. Model Denial of Service
  5. Supply Chain Vulnerabilities
  6. Sensitive Information Disclosure
  7. Insecure Plugin Design
  8. Excessive Agency
  9. Overreliance
  10. Model Theft

Read more about it here.

VirusTotal apologizes for data leak affecting 5,600 customers

German news outlets Der Spiegel and Der Standard reported on July 17, 2023, that online malware scanning service VirusTotal leaked data of over 5,600 registered customers.

“On June 29, an employee accidentally uploaded a CSV file to the VirusTotal platform. This CSV file contained limited information of our Premium account customers, specifically the names of companies, the associated VirusTotal group names, and the email addresses of group administrators,” said VirusTotal. “We removed the file, which was only accessible to partners and corporate clients, from our platform within one hour of its posting.”

The 313KB leaked file contained details of accounts associated with official U.S. entities, including the US Cyber Command, Department of Justice, Federal Bureau of Investigation (FBI), and the National Security Agency (NSA). The file also included accounts linked to government agencies in Germany, the Netherlands, Taiwan, and the United Kingdom.

The leaked file was only accessible to VirusTotal partners and cybersecurity analysts with a Premium account on the platform. It was not accessible to anonymous or free accounts.

Read more about it here.

HCA Healthcare data breach affects 11 million patients

US healthcare giant HCA Healthcare announced that data on about 11 million patients was stolen and posted on an online forum. In an announcement made on July 10, 2023 on its website, HCA Healthcare said the stolen data included patient name, city, state, and zip code; patient email, telephone number, date of birth and gender; and patient service date, location and next appointment date. The company further confirmed that the data did not include clinical information, payment information such as credit card or account numbers, or personal information such as passwords, driver's license or Social Security numbers.

It is not clear how the data was stolen. The company said the theft was from "an external storage location exclusively used to automate the formatting of email messages." As an immediate containment measure, HCA disabled user access to the storage location, and it plans to contact impacted patients to provide additional information and support.

HCA Healthcare operates 182 hospitals and over 2,300 sites of care in 20 US states and the United Kingdom, employing 290,000 people.

Read more about it here.