Hackers expose data of 2.6 million Duolingo users

Duolingo is one of the largest language learning sites in the world, with over 75 million monthly users worldwide. The scraped data of 2.6 million people, which was on sale in January 2023 with a starting price of $1,500, is now available on the cybercrime marketplace BreachForums for just 8 credits, worth $2.13.

The shared data contains email addresses, usernames, names, phone numbers, information about social networks, and other generic info such as language studies, experience, progress and achievements.

This data was scraped using an exposed application programming interface (API). The API allows anyone to submit a username and retrieve the user’s public profile information. However, it is also possible to feed an email address into the API and confirm whether it is associated with a valid Duolingo account. Scrapers can feed millions of email addresses, likely exposed in previous data breaches, into the API and confirm which ones belong to Duolingo accounts. Those confirmed addresses can then be used to build a dataset combining public and non-public information.
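The scraping pattern described above comes down to an endpoint whose answer differs depending on whether an e-mail address is registered. As an added example (not Duolingo’s code; `USERS`, `RateLimiter` and the field names are assumptions for illustration), the sketch below contrasts that leaky lookup with one that answers identically for every address, and adds a per-client sliding-window rate limit so that bulk username lookups are throttled:

```python
import time
from collections import deque

# Constructed sample user store; the schema is an assumption for illustration.
USERS = {
    "alice": {"email": "alice@example.com", "name": "Alice", "streak": 42},
    "bob": {"email": "bob@example.com", "name": "Bob", "streak": 7},
}
EMAIL_INDEX = {u["email"]: name for name, u in USERS.items()}
PUBLIC_FIELDS = ("name", "streak")  # the e-mail address is deliberately not public


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per client key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.calls = {}

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.calls.setdefault(key, deque())
        while q and now - q[0] > self.window:   # drop calls outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def lookup_profile(username, client_key, limiter):
    """Public-profile lookup: only allow-listed fields leave the service, and
    each client key (API token or source address) is rate limited."""
    if not limiter.allow(client_key):
        return {"status": 429, "body": {"error": "rate limited"}}
    user = USERS.get(username)
    if user is None:
        return {"status": 404, "body": {"error": "not found"}}
    return {"status": 200, "body": {"username": username, **{f: user[f] for f in PUBLIC_FIELDS}}}


def lookup_by_email_leaky(email):
    """The pattern that enables scraping: the response reveals whether an
    address is registered, so a list of breached addresses can be verified in bulk."""
    return {"status": 200, "body": {"exists": email in EMAIL_INDEX}}


SENT = []  # stands in for an outbound mailer


def lookup_by_email_safe(email):
    """Hardened: every address gets the identical response. If the address is
    registered, the only effect is a message to that mailbox, which the caller never sees."""
    if email in EMAIL_INDEX:
        SENT.append(email)
    return {"status": 202, "body": {"message": "If that address is registered, an e-mail is on its way."}}
```

The safe variant moves the "does this account exist" signal out of band: the API response carries no information, and the only party that learns anything is the owner of the mailbox. The rate limiter does not stop enumeration on its own (a scraper can spread requests across many keys), but it turns "millions of addresses" into a cost the service can observe and alert on.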

Read more about it here.

The world’s most popular websites lack basic cybersecurity hygiene

The world’s most popular websites lack basic cybersecurity hygiene, an investigation by Cybernews shows.

The Cybernews research team has deep-dived into an issue that’s quite often overlooked by developers – HTTP security headers. They have analyzed the top 100 most visited websites, including Facebook, Pinterest, IMDB, PayPal, Wikipedia, and AliExpress.

The conclusion? Many developers of the most popular websites could enhance their cybersecurity practices. So as not to give threat actors any ideas, the actual websites that need work have been omitted.

HTTP security headers are instructions from the server on how the web browser should handle the page. They mostly help defend against client-side attacks, which aim to exploit flaws in code running on the user’s device to gain unauthorized access, steal information, or perform other malicious activity. The headers examined include:

  • X-Frame-Options
  • Content-Security-Policy (CSP)
  • Referrer-Policy
  • Permissions-Policy
  • X-Content-Type-Options
  • Strict-Transport-Security (HSTS)
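To make the list above concrete, here is an added example (not the Cybernews team’s tooling, and the pass/fail thresholds are common recommendations rather than their criteria) that audits a response’s headers for the six items listed. The two header sets are constructed: one reasonably hardened, one with the weak values a scanner would typically flag.

```python
import re

ONE_YEAR = 31536000  # seconds; common minimum for an HSTS max-age


def _csp_directives(value):
    """Parse "default-src 'self'; script-src 'self' cdn.example" into {name: [sources]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_frame_options(v):
    return v.strip().upper() in ("DENY", "SAMEORIGIN"), "must be DENY or SAMEORIGIN"


def check_csp(v):
    d = _csp_directives(v)
    if "default-src" not in d and "script-src" not in d:
        return False, "no default-src or script-src directive"
    scripts = d.get("script-src", d.get("default-src", []))  # script-src falls back to default-src
    if "'unsafe-inline'" in scripts or "'unsafe-eval'" in scripts:
        return False, "scripts permit unsafe-inline/unsafe-eval"
    return True, "ok"


def check_referrer(v):
    safe = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
    return v.strip().lower() in safe, "policy may leak full URLs to other origins"


def check_permissions(v):
    return bool(v.strip()), "empty policy"


def check_nosniff(v):
    return v.strip().lower() == "nosniff", "must be nosniff"


def check_hsts(v):
    m = re.search(r"max-age\s*=\s*(\d+)", v, re.I)
    if not m:
        return False, "missing max-age"
    if int(m.group(1)) < ONE_YEAR:
        return False, "max-age shorter than one year"
    return True, "ok"


CHECKS = {
    "x-frame-options": check_frame_options,
    "content-security-policy": check_csp,
    "referrer-policy": check_referrer,
    "permissions-policy": check_permissions,
    "x-content-type-options": check_nosniff,
    "strict-transport-security": check_hsts,
}


def audit_headers(headers):
    """Return {header: (ok, reason)} for the six headers; a missing header fails."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    report = {}
    for name, check in CHECKS.items():
        if name not in lowered:
            report[name] = (False, "missing")
        else:
            ok, reason = check(lowered[name])
            report[name] = (ok, "ok" if ok else reason)
    return report


def score(headers):
    """Number of the six headers that pass."""
    return sum(1 for ok, _ in audit_headers(headers).values() if ok)


# Constructed sample responses.
GOOD_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://static.example.com; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
}
WEAK_HEADERS = {
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
    "Strict-Transport-Security": "max-age=300",
}
```

In practice the CSP check would be extended with a proper parser (the `frame-ancestors` directive supersedes `X-Frame-Options` where both are present), but even this simple version catches the two findings that dominate such surveys: headers that are absent altogether, and a CSP so permissive that it provides no protection.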

Read more about it here.

OWASP Top 10 for LLM (Large Language Model) applications is published

The Open Worldwide Application Security Project (OWASP) has recently released version 1.0 of its Top 10 for LLM (Large Language Model) Applications.

OWASP’s Top 10s are community-driven lists of the most common security issues, designed to help developers implement their code safely.

“The OWASP Top 10 for LLM Applications Working Group is dedicated to developing a Top 10 list of vulnerabilities specifically applicable to applications leveraging Large Language Models (LLMs). This initiative aligns with the broader goals of the OWASP Foundation to foster a more secure cyberspace and is in line with the overarching intention behind all OWASP Top 10 lists,” says their announcement.

The Top Ten is the result of the work of nearly 500 security specialists, AI researchers, developers, industry leaders and academics. Over 130 of these experts actively contributed to this guide.

Following is the OWASP Top 10 for LLM version 1.0, listed in order of criticality.

  1. Prompt Injection
  2. Insecure Output Handling
  3. Training Data Poisoning
  4. Model Denial of Service
  5. Supply Chain Vulnerabilities
  6. Sensitive Information Disclosure
  7. Insecure Plugin Design
  8. Excessive Agency
  9. Overreliance
  10. Model Theft

Read more about it here.

VirusTotal apologizes for data leak affecting 5,600 customers

German news outlets Der Spiegel and Der Standard reported on July 17, 2023, that online malware scanning service VirusTotal leaked data of over 5,600 registered customers.

“On June 29, an employee accidentally uploaded a CSV file to the VirusTotal platform. This CSV file contained limited information of our Premium account customers, specifically the names of companies, the associated VirusTotal group names, and the email addresses of group administrators,” said VirusTotal. “We removed the file, which was only accessible to partners and corporate clients, from our platform within one hour of its posting.”

The 313KB leaked file contained details of accounts associated with official U.S. entities, including the US Cyber Command, Department of Justice, Federal Bureau of Investigation (FBI), and the National Security Agency (NSA). The file also included accounts linked to government agencies in Germany, the Netherlands, Taiwan, and the United Kingdom.

The leaked file was only accessible to VirusTotal partners and cybersecurity analysts with a Premium account on the platform. It wasn’t accessible to anonymous or free accounts.

Read more about it here.

HCA Healthcare data breach affects 11 million patients

US healthcare giant HCA Healthcare announced that about 11 million patients’ data has been stolen and posted on an online forum. In an announcement made on July 10, 2023 on its website, HCA Healthcare said that the stolen data included patient name, city, state, and zip code; patient email, telephone number, date of birth, and gender; and patient service date, location, and next appointment date. The company further confirmed that the data didn’t include client health information, payment information such as credit card or account numbers, or personal information such as passwords, driver’s license or social security numbers.

It’s not clear how the data was stolen. The company said the data theft was from “an external storage location exclusively used to automate the formatting of email messages.” The company disabled user access to the storage location as an immediate containment measure and plans to contact any impacted patients to provide additional information and support.

HCA Healthcare operates 182 hospitals and over 2,300 sites of care in 20 US states and the United Kingdom, employing 290,000 people.

Read more about it here.

Bangladesh government website leaks personal data

Researcher Viktor Markopoulos discovered a Bangladeshi government website that leaks the personal information of millions of Bangladeshi citizens. He discovered this on June 27, 2023, and shortly afterwards contacted the Bangladeshi e-Government Computer Incident Response Team (CIRT). The leak includes full names, phone numbers, email addresses and national ID numbers of about 50 million Bangladeshi citizens.

“It just appeared as a Google result and I wasn’t even intending on finding it. I was Googling an SQL error and it just popped up as the second result,” he told TechCrunch.

In response, the Bangladeshi government on July 9, 2023 took down citizens’ sensitive data that it had left exposed online.

Read more about it here.

Oil and gas giant Shell is the latest victim of Clop ransomware attacks


Oil and gas giant Shell has confirmed that it is one of the victims of a recent large-scale ransomware campaign conducted by the Clop gang exploiting a MOVEit zero-day vulnerability. Shell’s data has since been published on the darknet.

Cyber criminals are actively exploiting the zero-day vulnerability, tracked as CVE-2023-34362, to steal data from organizations worldwide.

“We are aware of a cyber security incident that has impacted a third-party tool from Progress called MOVEit Transfer, which is used by a small number of Shell employees and customers,” said Shell US spokesperson Anna Arata in a statement.

Read more about it here.

A database containing personal information of 8.9 million Zacks users leaked online

A database containing the personal information of more than 8.8 million Zacks Investment Research users has emerged on a hacking forum.

Founded in 1978, Zacks is one of the leading quantitative investment research firms. The company’s initial data breach notification stated that “sensitive” information for about 820,000 customers had been accessed during the breach window, but that it was limited to those that had subscribed to the company’s “Zacks Elite” product between November 1999 and February 2005.

“However, in June 2023, a corpus of data with almost 9M Zacks customers appeared before being broadly circulated on a popular hacking forum. The most recent data was dated May 2020 and included names, usernames, email and physical addresses, phone numbers and passwords stored as unsalted SHA-256 hashes,” reported Have I Been Pwned. “On disclosure of the larger breach, Zacks advised that in addition to their original report ‘the unauthorized third parties also gained access to encrypted [sic] passwords of zacks.com customers, but only in the encrypted [sic] format’.”
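The detail that matters in the HIBP note is “unsalted SHA-256”: a fast hash with no per-user salt means every user who chose the same password has the same stored value, and one precomputed table of common passwords covers the whole dump at once. As an added example (not Zacks’ code; the user table and password values are constructed), the block below shows that property next to a salted, deliberately slow PBKDF2-HMAC-SHA256 hash with a storage format that records its own parameters:

```python
import hashlib
import hmac
import os
from collections import defaultdict


def unsalted_sha256(password):
    """The scheme the leak used: one fixed hash per password, no salt, no work factor."""
    return hashlib.sha256(password.encode()).hexdigest()


def shared_passwords(table):
    """Given {username: unsalted_hash}, group users whose hashes collide.
    No cracking is needed to see who shares a password; a single lookup table
    of common-password hashes would likewise apply to every row at once."""
    groups = defaultdict(list)
    for user, digest in table.items():
        groups[digest].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, slow hash. Stored as 'pbkdf2_sha256$iterations$salt$digest' so the
    work factor can be raised later and old records re-hashed at next login."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unknown hash scheme")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations), dklen=32
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed sample table: two users happen to share a password.
LEAKED_TABLE = {
    "ann": unsalted_sha256("password"),
    "ben": unsalted_sha256("password"),
    "cy": unsalted_sha256("correct horse battery staple"),
}
```

Where the platform allows it, a memory-hard function (scrypt, Argon2id) is preferable to PBKDF2; the point that carries over regardless of algorithm is the per-user random salt plus a tunable cost, neither of which an unsalted SHA-256 provides.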

Read more about it here.

New phishing technique, File Archiver In The Browser, uses weaponized .zip domains to trick victims

A new phishing technique, called “File Archiver In The Browser”, can be leveraged to “emulate” file archiver software in a web browser when the victim visits a .zip domain. Security researcher mr.d0x detailed the new attack technique in a recent post.

In mid-May 2023, Google released several new top-level domains (TLDs), including .zip and .mov. Many cybersecurity researchers expressed concerns that these TLDs can be mistaken for file extensions. The researcher showcased how these TLDs can be used to deliver malicious content.

To carry out an attack using this technique, the attacker needs to “emulate” file archiver software through HTML/CSS. The researcher shared two samples. The first one emulates the WinRAR file archive utility; to prevent suspicion, when the user clicks the “Scan” icon, a message box reassuring them that the files are secure is displayed.

The second one emulates the Windows 11 File Explorer window.

“It’s highly recommended for organizations to block .zip and .mov domains as they are already being used for phishing and will likely only continue to be increasingly used,” recommended the expert.
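One way to act on that recommendation at the proxy or log-review stage, as an added example that is not part of mr.d0x’s post: pull URLs out of web-proxy log lines and flag any whose hostname ends in .zip or .mov, while leaving ordinary downloads such as /report.zip on other domains alone. The log lines and the `url=` field format are constructed for the example.

```python
import re
from urllib.parse import urlsplit

BLOCKED_TLDS = {"zip", "mov"}  # the two TLDs the researcher recommends blocking
URL_FIELD = re.compile(r"\burl=(\S+)")  # assumed log layout: key=value fields


def host_has_blocked_tld(url):
    """True if the URL's hostname (not its path) ends in a blocked TLD.
    Expects an absolute URL; a bare filename like 'report.zip' has no host."""
    host = urlsplit(url).hostname
    if not host:
        return False
    return host.rsplit(".", 1)[-1].lower() in BLOCKED_TLDS


def flag_log_lines(lines):
    """Return the hostnames from log lines whose URL points at a blocked TLD."""
    flagged = []
    for line in lines:
        m = URL_FIELD.search(line)
        if m and host_has_blocked_tld(m.group(1)):
            flagged.append(urlsplit(m.group(1)).hostname)
    return flagged


# Constructed sample proxy log: one legitimate archive download, one .mov
# query parameter, and two requests to hosts on the new TLDs.
SAMPLE_LOG = [
    "2023-06-01T10:00:00Z user=alice url=https://docs.example.com/report.zip status=200",
    "2023-06-01T10:00:05Z user=alice url=https://example.com/download?f=photo.mov status=200",
    "2023-06-01T10:01:12Z user=bob url=https://invoice-2023.zip/ status=200",
    "2023-06-01T10:02:40Z user=carol url=http://Setup.MOV status=200",
]
```

Matching on the hostname rather than on the whole URL is the whole point: a substring search for “.zip” would produce a false positive on every legitimate archive download, whereas the TLD check only fires when the archive-looking string is actually the domain being contacted.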

Read more about it here.

Toyota discloses a decade-long data breach of 2.15M customers in Japan

Toyota Motor Corporation, the largest automaker in the world by sales, disclosed a data breach that exposed the car location information of 2,150,000 customers between November 6, 2013, and April 17, 2023. The data breach stemmed from human error, leading to a cloud system being set to public instead of private. Data exposed due to the decade-long data breach includes vehicle locations, vehicle identification numbers and chassis numbers by drivers who signed up for the T-Connect/G-Link/G-Link Lite/G-BOOK service. Possibly, videos taken outside the vehicle were also exposed between November 14, 2016 and April 4, 2023.

Toyota pointed out that the exposed information only affected customers in Japan and cannot be used to identify the owners of the vehicles, and said it is unaware of any abuse of the exposed data.

Read more about it here.