Data Leak Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/data-leak/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Tue, 06 Feb 2024 14:05:47 +0000

Hewlett Packard Enterprise Hacked, Darknet Forum Sales Data
https://gridinsoft.com/blogs/hewlett-packard-enterprise-hacked/
Tue, 06 Feb 2024 12:29:31 +0000
On February 1, 2024, a post selling Hewlett Packard Enterprise data appeared on a Darknet hacker forum. The threat actor known as IntelBroker claims to have hacked into the company’s network and grabbed a large amount of data, including access tokens and passwords. The company acknowledges the forum post, but cannot confirm that any cybersecurity incident took place recently.

Hewlett Packard Enterprise Hacked

A post published on the infamous BreachForums on February 1 offers for sale an extensive database leaked from the Hewlett Packard Enterprise (HPE) internal network. The seller, known as IntelBroker, claims to have hacked into the network and obtained the data. That means either the company has suffered a new security breach, or the hacker was present in the network for quite some time.

Image: Forum post that offers Hewlett Packard data for sale

As usually happens with Darknet forum posts offering leaked information, several screenshots are attached as evidence. Among the leaked data types, the hacker claims CI/CD access, system logs, config files, access tokens, HPE StoreOnce files and access passwords. Although the screenshots are representative of the types of data claimed in the leak, they do not include anything that allows identifying the time frame, i.e. there is no way to tell how old this breach is.

As I mentioned in the introduction, HPE knows about the data posted on the forum and is investigating the case. At the same time, representatives of the company have no evidence of a cyberattack or a security breach in the recent period.

“At this time we have not found evidence of an intrusion, nor any impact to HPE products or services. There has not been an extortion attempt.”
– Adam R. Bauer, HPE’s Senior Director for Global Communication

Data Leak, But No Ransomware

An attack that leaks extensive amounts of data without ransomware may sound absurd, considering that a ransomware deployment typically finalizes the attack. However, such an approach is not new: adversaries may practice leak-only attacks to speed up the overall process or to avoid possible detection. In some cases, this works as a way to get at least something from the attack when security solutions manage to block the malware.

Still, there is a positive side to this story – no customer data appears to be involved. Both what is claimed and what appears on the screenshots is purely internal data. This is good news not only for HPE customers: the company itself has much less of a headache notifying those whose data has been leaked.

Any Relation to HPE Corporate Email Accounts Breach?

Despite the company’s representative saying that no cyberattacks were detected, there apparently was one that could be the culprit. Back in mid-January 2024, HPE reported that its corporate email accounts had been hacked by APT29, a threat actor related to the Russian SVR. The breach itself took place in May 2023, and the fact that the adversary had access to the environment was acknowledged on December 12, 2023.

Image: Details regarding the previous HPE hack shared in the official SEC filing

Why could this data be sourced from that old breach? The official company note regarding the case lists a selection of data categories, which matches what we see in the BreachForums post. More specifically, the company said that hackers accessed several mailboxes of employees in its cybersecurity, go-to-market, business segment and several other departments. Logs, configs and access tokens are a normal occurrence in such emails, though there could also have been access to customer data. In any case, it would not be much of a surprise if the ongoing investigation leads back to the past APT29 hack.

23andMe Data Leak Exposes Nearly 7 Million Users’ Sensitive Data
https://gridinsoft.com/blogs/23andme-data-leak/
Wed, 06 Dec 2023 13:05:40 +0000
Nearly 7 million clients of the genetic testing and biotechnology company 23andMe fell victim to a data leak in October. Hackers gained unauthorized access and extracted profile data, affecting a significant portion of the company’s user base.

Hackers Gain Access to Sensitive Data in 23andMe Database

In a startling revelation, genetic testing and biotechnology company 23andMe confirmed on Monday that nearly 7 million customers fell victim to a data leak in October. The expansive cybersecurity incident involved unauthorized access to and extraction of user profile data, affecting a significant portion of the company’s total customer base.

In brief, hackers targeted the data of a feature called DNA Relatives, scraping information such as display names, ancestry reports, and sensitive health-related data. The compromised information includes sensitive health data, allowing for a very wide analysis. Reports also disclose a user’s gene carrier status for diseases like cystic fibrosis, Tay-Sachs, type 2 diabetes, and Parkinson’s disease.

23andMe Hacked in October

The breach began in early October, when hackers gained direct access to 14,000 23andMe customer accounts using credentials stolen in unrelated third-party breaches. While the source of these credentials is not specified (though we know what is behind all this), 23andMe clarified that there was no indication its own systems had been compromised.

Image: The post of 23andMe data on the BreachForums site

Next, hackers targeted the DNA Relatives feature, scraping information such as display names, ancestry reports, and sensitive health-related data. The total number of exposed users grew to 6.9 million. This was possible because each compromised account is potentially connected to hundreds or thousands of relatives.

Who is under attack?

According to the company’s claims, an average 23andMe account had access to information from 1,500 DNA relatives. In other words, attackers leveraged these accounts to scrape genetic data from 5.5 million DNA Relatives profiles, and an additional 1.4 million users had their Family Tree profiles exposed.

Of the nearly 7 million users affected, 1 million were of Ashkenazi Jewish descent, and 300,000 were users of Chinese heritage. This suggests that these communities were explicitly targeted for their ancestral data. A further 4.1 million leaked profiles reportedly belonged to British and German 23andMe consumers. The breach exposed customer display names, ancestry reports, and sensitive health information.

Official reaction

Upon discovering suspicious activity, 23andMe reset all user passwords on October 9th. The company is also in the process of notifying affected customers and complying with legal requirements. Moreover, it has temporarily disabled certain features within the DNA Relatives tool.

As for truly effective measures, multi-factor (two-factor) authentication has since been mandated for all accounts (wasn’t such sensitive information supposed to require this before?). The problem was that users did not place much importance on protecting their accounts. As a result, starting from 14,000 accounts, the attackers were able to hit a jackpot of 6.9 million accounts.

Okta Hack Exposes Data of All Support Customers
https://gridinsoft.com/blogs/okta-hack-all-customers-exposed/
Thu, 30 Nov 2023 10:47:15 +0000
Back in mid-October 2023, Okta, one of the world’s largest identity providers, suffered a data breach. Security vulnerabilities in its support system allowed hackers to access one of the support accounts. Initially, only a small number of customers were said to be affected by the breach. But over a month later, the company disclosed that hackers managed to leak information about all Okta Help Center clients.

Okta Hack Results in a Massive Data Breach

As originally expected, the data breach within Okta Help Center touched only a small number of users. Due to poor session token authentication, hackers managed to log in under the guise of a legitimate client and spawn several additional entities. This ended with a call to a function designed to list all the Help Center accounts, which, as was originally believed, had not been successful. As of October 20, Okta claimed that only 134 accounts had their data exposed in this incident.

As it turned out, this number was heavily underestimated. Further investigation showed that hackers successfully dumped information about all the accounts in the system. The company shares some specific details regarding the types of data exposed in the breach:

“The majority of the fields in the report [created by hackers to dump the user data] are blank and the report does not include user credentials or sensitive personal data. For 99.6% of users in the report, the only contact information recorded is full name and email address.”
Image: Types of data stored within user support profiles

Therefore, it is possible that some of the users (0.4%, or 72 people) have more than just their email and name exposed. Not a lot, but this already creates a critical contrast with the original claims from the company. And, what is more important, it raises questions regarding the security architecture within the company.

More Details of Okta Hack Appeared

Aside from the data exposure disclosure, the company also shared some new details regarding the hack. As it turns out, crooks got their hands on a service account designed to work with an automated process running on a machine. Such accounts are often needed for automated backup creation and similar scheduled tasks. The credentials for this account were stored, among other data, in the employee’s Google account that hackers had previously managed to access.

That explains the lack of MFA protection on the compromised account (which is not an option for a machine) and its high privileges. Before, the story sounded rather ironic: the largest identity provider does not care about using identity protection mechanisms in its own network. Now it makes sense – but it also raises new questions about securing similar accounts. And it still does not justify the fact that compromising the account of a single employee in fact compromised the entire service.

LockBit Ransomware Exposes Boeing’s 50GB of Data Leaked
https://gridinsoft.com/blogs/lockbit-boeing-hack-data-leak/
Tue, 14 Nov 2023 08:54:55 +0000
In a cybersecurity nightmare, Boeing, a global aerospace and defense titan, has fallen victim to the notorious LockBit ransomware group. The attack resulted in the exposure of a staggering 50 gigabytes of sensitive data. The breach came to light on November 15, 2023, as LockBit made good on its threat and published Boeing’s confidential information after the aerospace giant refused to meet ransom demands.

Who is the LockBit Ransomware Gang?

LockBit, operating as a ransomware-as-a-service (RaaS) entity, has been a persistent threat for over four years. With a track record of targeting diverse sectors, including Continental, the UK Royal Mail, the Italian Internal Revenue Service, and the previously known Boeing leak from October 27th, LockBit has extorted approximately $91 million since 2020 in nearly 1,700 attacks against US organizations.

LockBit Leaks Boeing Data on the Darknet

Before the data leak unfolded, LockBit hackers issued stern warnings, accusing Boeing of neglect and threatening to expose a 4GB sample of the most recent files. Boeing, a cornerstone of aviation and defense, stood firm against the ransom demands.

Image: Boeing page on the LockBit data leak site

On November 10, LockBit carried out its threat, publishing over 43 GB of files from Boeing on the Darknet. The leaked data includes backups for various systems, with the most recent backups timestamped on October 22. Notably, the files encompass configuration backups for IT management software, logs for monitoring and auditing tools, and backups from Citrix appliances, raising concerns about the exploitation of the Citrix Bleed vulnerability.

Image: Supposedly leaked Boeing data

While Boeing confirmed the cyberattack, it has yet to divulge details on the breach’s specifics. According to Boeing’s statements, the leaked data does not compromise flight safety. The decision not to pay the ransom also suggests that the stolen data may not hold critical relevance to Boeing’s information security or its clients.

The exposed data allegedly includes names, locations, and contact details of Boeing’s suppliers and distributors across Europe and North America. Details about supported functions within Boeing’s structure, including airframe manufacturing, structural mechanics, and computer and electronics, are also part of the compromised information.

Navigating the Aftermath

Boeing’s breach serves as a stark reminder for organizations to reassess their cybersecurity posture continually. The imperative to implement proactive measures, including employee cybersecurity training, network fortification, and timely security patches, is underscored by the evolving tactics of ransomware groups like LockBit.

As Boeing grapples with the fallout of this unprecedented cyberattack, the incident serves as a clarion call for heightened vigilance across industries. The exposed vulnerabilities also highlight the critical need for organizations to invest in robust cybersecurity frameworks to mitigate the ever-growing threat landscape. In the wake of LockBit’s audacious move against Boeing, the imperative for international collaboration to combat cyber threats becomes more evident than ever.

US Military Emails Leaked Massively Due to the Typo
https://gridinsoft.com/blogs/us-military-emails-leak-typo/
Tue, 18 Jul 2023 20:56:04 +0000
Emails sent to US military addresses ended up in similarly-named Mali mailboxes because of a domain name typo. All this started as a mistake, but may turn into a typosquatting attempt for government-grade spying.

Typos In Email Addresses Cause US Military Info Leak

Well, the fact is here – the US military has a huge data leak through incorrect email routing. But how could that happen in a system like that? Well, Uncle Sam adopted the .MIL domain at the dawn of the Internet era. Actually, the Internet itself was built for the army’s needs. But with Internet expansion, the country of Mali received the top-level domain .ML – just one letter off the military one. You may think that such a mistake is too hard to make, but statistics say otherwise. There could potentially be millions of letters that arrived at a wrong address, and confidential or even classified material may be among them.

The situation actually started long ago – but was never discussed publicly. Back in 2013, Dutch entrepreneur Johannes Zuurbier noticed the flow of messages going to the non-existent navy.ml and army.ml domains. Even then, before the massive introduction of electronic paperwork, he counted over 115,000 letters in about 6 months. The letters were mostly regular spam, though some contained sensitive information. By now, the number of such messages is over 10 million.

But how can a Dutchman view all the emails coming to the country’s TLD? Mr. Zuurbier is a managing director of Mali Dili B.V. The company has a contract with the Malian government for establishing and managing Internet connections over the country. While he cannot access the mailboxes themselves, messages sent to the domain zone that failed to reach a recipient remain visible.

What kind of data is exposed?

As I said, these messages are not consistently filled with content. Some are simple spam, some just do not contain anything interesting, at least without the context of the mailing. However, there were a few examples of really compromising messages. Fortunately, no classified information was found among them.

One example of a compromising message is the results of X-ray tomography of a soldier and his medical data. Others contained lists of staff residing on bases, their photos, inspection reports, investigations of internal accidents, and more. Some messages disclosed the dates and accommodation of top officers visiting other countries.

Why is the US military information leak so dangerous?

Since this information is related to the US Army, the consequences of someone gaining illegal access to it could be pretty bad – regardless of whether it was intended or not. Mr. Zuurbier approached US officials several times, trying to make them react to the problem – but that had no effect. The problem is that, as his contract with Mali ends this year, control over the domain zone will be handed to the Malian government. The latter is known for its extensive cooperation with Russia, which is not on the best terms with the US at the moment, to say the least.

Moreover, is it even pleasant to have internal letters leaked to a third party? It is critical even for corporations, and simply unbearable for organisations like the army. For now, all these things are mistakes and never reach any possible adversaries. But once the contract with Mali Dili is over, it may take a very bad twist. Typosquatting is quite easy to set up and exploit, especially when a government is interested in gathering information in such a way.
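The defensive counterpart to the .MIL/.ML slip described above is a gateway-side check on outgoing recipients: hold any message whose recipient domain is one edit away from a domain the organisation owns. The following is an added example written for this page, not code from Gridinsoft or from any mail product; the protected domain list, the edit-distance threshold and the sample addresses are all constructed for illustration.

```python
"""
Added example (not Gridinsoft's code): an outbound-mail check that flags
recipient domains which are a one-character slip away from a protected
domain, such as army.ml versus army.mil. The protected domain list and
the sample addresses below are constructed for illustration.
"""
from __future__ import annotations

# Domains whose near-misses we want to catch before a message leaves the
# gateway. Constructed list for the example; a real deployment would load
# the organisation's own domains from configuration.
PROTECTED_DOMAINS = ("army.mil", "navy.mil", "example-corp.com")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def recipient_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.lower().rstrip(".")


def lookalike_of(address: str, protected=PROTECTED_DOMAINS,
                 max_distance: int = 1) -> str | None:
    """
    Return the protected domain that the recipient's domain is a near-miss
    of, or None when the domain is an exact protected domain or is not
    within `max_distance` edits of any of them.
    """
    domain = recipient_domain(address)
    if domain in protected:
        return None  # exact match: legitimate internal recipient
    best, best_dist = None, max_distance + 1
    for good in protected:
        d = levenshtein(domain, good)
        if d < best_dist:
            best, best_dist = good, d
    return best


def triage_recipients(addresses):
    """
    Split a recipient list into (deliver, hold). `hold` pairs each
    suspicious address with the protected domain it resembles, so the
    sender or a mail admin can confirm before release.
    """
    deliver, hold = [], []
    for addr in addresses:
        match = lookalike_of(addr)
        if match:
            hold.append((addr, match))
        else:
            deliver.append(addr)
    return deliver, hold


if __name__ == "__main__":
    # Constructed sample recipient list.
    sample = [
        "sgt.smith@army.mil",       # correct domain
        "sgt.smith@army.ml",        # one character missing: Mali TLD
        "clerk@navy.mi",            # truncated TLD, also one edit away
        "vendor@supplier.example",  # unrelated domain, deliver normally
    ]
    ok, held = triage_recipients(sample)
    print("deliver:", ok)
    print("hold:", held)
```

An edit distance of one catches the .mil/.ml case and single-character typos in the second-level label; raising the threshold catches more but starts holding legitimate external partners, so the hold list should go to a human rather than be silently dropped.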

What is eWallet? How to Protect Your eWallet
https://gridinsoft.com/blogs/what-is-ewallet/
Wed, 16 Nov 2022 20:41:34 +0000
During a time of crisis, Americans turned to digital wallets, called eWallets, to purchase supplies without face-to-face interaction with payment terminals or cards. These wallets make purchasing supplies faster and easier than traditional methods. The common alternative to an eWallet is the physical wallet, which is less convenient for many people. However, clever crooks and hackers can steal your financial information when you use an eWallet, because they have discovered an opportunity in eWallets that people only sometimes see. With a secure eWallet, you can feel more confident in your safety and security.

Even so, many people have yet to realize the benefits of using an eWallet. After reading this article, you can take steps to keep your wallet safe. These include using secure software and common sense practices.

What are eWallets? What are the benefits?

Electronic wallets are similar to credit or debit cards. They enable individuals to make payments online through a computer or smartphone; for example, e-wallets link to a person’s bank account to be used for payments. A software component and an information component make up e-wallet functionality. The software component stores encrypted, secured data, while the information component stores data provided by the user.

The data used by such programs is the user’s name, address, payment method, and amount to be paid. If applicable, it also includes data on the user’s credit or debit card. When setting up an e-wallet account, a person needs to install the software on their device and then enter the information to set up the e-wallet. When shopping online, the e-wallet automatically fills in the user’s info when a payment form is submitted. Users activate the e-wallet by entering their password. After the online payment is completed, the consumer does not need to fill out the order on any other website, as the information is stored in the database and updated automatically.

Common threats associated with eWallets

Consumers need to be aware of the security risks associated with digital wallets. Many threat actors have noticed digital wallets’ popularity and do their best to profit from it. Using eWallets to secure data is the most common way to mitigate threats to data. Avoid public WiFi when possible so your personal data remains private. Users should lock their phones or digital wallets: thieves can extract information and make purchases quickly. The biggest threat to your phone is someone else stealing or breaking it. When your phone is missing, thieves and burglars can access your bank account and withdraw money before you even notice.

How to protect your eWallet and avoid these issues

1. Lock your phone

The most significant risk of using an e-wallet is failing to protect your phone’s data. Use the provided security options to lock your phone, and do the same for your electronic wallet and other essential applications containing private data. That way, a thief cannot access your mobile phone or electronic wallet.

Image: Use a strong password for the security of your eWallet

2. Monitor credit card and bank account activity

Constantly monitor your financial activity and understand your expenses. If you notice suspicious charges, you must contact your bank immediately and freeze your financial account.


3. Install secure apps

If you have to deal with sensitive financial information, such as that typically present in an electronic wallet, you should protect it as much as possible. Install apps that are secure against being hacked. Additionally, ensure that the specific app is legitimate and will not steal your banking data one day. The ability to remotely wipe it is also helpful if you have lost your device and don’t want someone to get their hands on your payment details.

4. Check the sites you use eWallet on

Not every site that accepts e-wallet payments is trustworthy. Aside from phishing scam sites, there are enough pages that can take your money and give nothing in return. Most anti-malware solutions track such sites, but it is also recommended to stay vigilant. If the offer looks too good to be true, or there are strange payment conditions – it is better to look for another marketplace.

BlackCat ransomware gang publishes leaked data on the clear web site
https://gridinsoft.com/blogs/blackcat-gang-posts-the-leaks-in-surface-web/
Wed, 15 Jun 2022 22:20:06 +0000
The BlackCat/ALPHV group recently announced on its victim shaming and extortion website that it had hacked into a luxury spa and resort in the Western United States. At some point in the last 24 hours, ALPHV posted a website with the victim’s name in the domain and its logo on the front page. The ALPHV website claims to care about people’s privacy, but allows anyone to view sensitive stolen data.

BlackCat/ALPHV published the leaked data

Cybercriminal groups that practice double extortion have tried countless ways to shame their victims into paying. The latest innovation that raises the stakes comes from the ALPHV/BlackCat ransomware group. It used to release stolen victim data on its Darknet page. However, the group has now begun posting websites for individual victims on the public Internet, with the leaked data made available in an easy-to-search form.

The case of the luxury resort is among the first, but likely not the last. The hackers’ website claims to have the personal information of 1,500 resort employees and over 2,500 residents of the facility. At the top of the page there are two “Check Yourself” buttons, one for employees and one for guests. Brett Callow, a threat analyst at security firm Emsisoft, called ALPHV’s actions a “cunning tactic” that is sure to worry its other victims.

Cybersecurity experts are surprised with what’s happening

Callow said most of the victim-shaming blogs maintained by major ransomware groups exist on obscure, slow-loading sites on the Dark Web. Users could reach those sites only with third-party software such as Tor. But the website created by ALPHV as part of this new pressure tactic is available on the Surface Web. Hence, everyone who wants to check the information on a certain visitor is welcome. “Companies are likely to be more concerned about the prospect of their data being shared this way than just being posted on an obscure Tor site whose URL almost no one knows,” Callow said. “It will piss people off and force them to react together.” Apparently, Callow alludes to the high probability of the FBI paying attention to a gang with such sly tricks. And that is not the only case where US law enforcement has gone after these crooks.

Image: Leak site screenshot which the BlackCat gang created for Allison Resort

It’s unclear whether ALPHV plans to apply this approach to every victim, but other recent victims of the gang include a US school district and a city. This is most likely a test run to see if it improves the results. “We are not going to stop, our leak distribution department will do everything possible to bury your business,” the victim’s website says. “At this point, you still have a chance to maintain the safety and reputation of your hotel. We strongly encourage you to be proactive in your negotiations; you don’t have much time.”

What is BlackCat/ALPHV ransomware?

Launched in November 2021, ALPHV is perhaps most notable for its programming language, Rust. Such a choice allows it to evade detection by conventional security solutions. Additionally, it made the malware cross-platform, so it can be freely launched on Windows and any *NIX system. ALPHV actively recruits operators from several ransomware organizations, including REvil, BlackMatter and DarkSide, offering partners up to 90% of any ransom paid by the victim organization.

Image: BlackCat/ALPHV ransomware ransom note

Many security experts believe that ALPHV/BlackCat is simply a rebranding of another ransomware group, DarkSide, also known as BlackMatter. That gang is responsible for the 2021 Colonial Pipeline attack, which led to fuel shortages and price spikes on the U.S. East Coast. That is exactly why I mentioned that attention from law enforcement is not new for these people. Are they fearless now?

Let’s sum the things up

The fact that the ransomware group has stepped up to posting leaked info, and in particular information about individuals, is outrageous. Even more disgusting is that they created a page for it on the surface web. Still, such a technique can turn out positive for individuals whose data is leaked. Mr. Callow, whom I cited above, suggested there may be a silver lining to this ALPHV innovation, mentioning his wife’s experience with the Cl0p ransomware gang.

“On the positive side, tricks like this mean that people can find out that their personal data has been compromised. Cl0p sent a letter to my wife last year. The company that lost her data still hasn’t made the information public or notified the affected people (at least she hasn’t heard anything from the company).”

Sure, receiving a leak notification in this manner is not pleasant. But it is still better than remaining unaware altogether, which happens far too often. Who knows, maybe this case will raise the stakes and force companies to disclose leaks as soon as they are discovered? What a time to be alive.

The post BlackCat ransomware gang publishes leaked data on the clear web site appeared first on Gridinsoft Blog.

Data Breach VS. Data Leak
https://gridinsoft.com/blogs/data-breach-vs-data-leak/
Mon, 06 Jun 2022 13:27:33 +0000

The post Data Breach VS. Data Leak appeared first on Gridinsoft Blog.

Data leaks and data breaches are very similar phenomena that differ mainly in how they happen: a leak is usually the result of human error or misconfiguration, a breach is the result of a deliberate attack. In both cases, someone has gained unauthorized access to data that should have been better protected.

What is a Data Breach?

A data breach is when confidential data becomes available to an intruder – usually staff data, client data, company data, financial data, etc. The usual motive is to sell the stolen data on the darknet or to use it for further attacks. Data breaches are achieved by several methods, such as social engineering, hacking, or malware injection. In some cases, a breach can go undetected for a long time. One notable example is Marriott International: attackers compromised the Starwood guest reservation database (later acquired by Marriott) in 2014 and stayed there until 2018, exposing the records of up to 500 million guests. This could have been detected much earlier if the company had applied even standard security procedures, such as monitoring for unusual database queries and large exports.

Causes of Data Breaches

If a data breach occurs in a company, it can cause severe and sometimes irreparable consequences, so it is important to know why breaches happen. Most of them involve the human factor in one way or another, so with proper awareness many can be avoided. The main causes of data breaches:

  • Human error – accidentally sending an email to the wrong recipient, misplacing documents, drives, or devices, or unintentionally disclosing confidential information is behind a large share of breaches.
  • Physical theft or loss – a laptop forgotten in a cafe, documents lost in public transit, or a stolen phone with company mail still logged in.
  • Phishing – most people know that opening suspicious emails, following the links in them, or downloading their attachments is dangerous. Nevertheless, quite a few still fall for this kind of deception.
  • Weak credentials – a simple, predictable or reused password, with no second factor, hands attackers an easy win over your data protection.
  • Vulnerabilities and security holes – any application that hasn’t been updated for a long time can be an open door for cybercriminals.
  • Cyberattacks – malware, ransomware, and other malicious software are constantly evolving, and data theft is now a standard part of their operation.
  • Social engineering – like phishing, this method exploits trusting people who can give the fraudster unauthorized access to confidential information, for example by resetting a password or sharing credentials over the phone.

How to Prevent Data Breaches

The following tips help minimize the chances of your organization being affected by a data breach:

  1. Comply with data protection law such as GDPR. Develop a clear, compliant company policy for handling sensitive data; it forces you to know what data you hold and where.
  2. Work on a security policy for data and equipment usage. A detailed description of data processing methods and secure BYOD practices will reduce the likelihood of a successful attack.
  3. Automate processes where you can. Automation minimizes the number of human errors, which are a leading cause of data breaches.
  4. Provide cybersecurity training to employees, reducing negligence and raising awareness of how to spot suspicious online activity.
  5. Encrypt your data, at rest and in transit. Even if an attacker gets hold of it, encryption with properly protected keys keeps it useless to them.
  6. Restrict access to confidential information. Only employees who need it for their jobs should have access to it (the principle of least privilege), and access should be reviewed when roles change.
  7. Monitor access to and use of data. Keep track of what data leaves your network, who sent it, and where it went.
  8. Keep your systems up to date. Updates include patches for vulnerabilities that cybercriminals actively exploit.
  9. Regularly scan your systems for vulnerabilities. This way you can identify weaknesses before an attacker does.
  10. Back up your data regularly, so that in case of damage you can recover quickly and the recovery takes far fewer resources. Keep at least one copy offline or otherwise out of reach of the same credentials.
Read also: Data loss prevention (DLP) – a set of methods for detecting and blocking the loss of protected data, based on awareness of the protected content or its context.
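As an added example (not code from the original post), here is how tips 6 and 7 above and the DLP idea fit together in practice: a small outbound-content check that looks for payment-card numbers and email addresses in messages before they leave the network, validates card candidates with the Luhn checksum so that invoice or order numbers do not trigger false positives, redacts confirmed cards and returns a policy decision. The sample messages are constructed for the demo, and the block/review/allow policy is an assumption, not a real product's rule set.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample outbound messages for the demo; none of this is real data.
# The card number is the well-known 4111... test number used in payment sandboxes.
SAMPLE_MESSAGES = [
    "Hi Anna, the invoice total is 349.90 EUR, ref 2022-06-0081.",
    "Card on file: 4111 1111 1111 1111, exp 09/24 - please process.",
    "Forwarding the export: contact john.doe@example.com, ref 1234-5678-1234-5678",
]

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


@dataclass(frozen=True)
class Finding:
    kind: str   # "card" or "email"
    value: str  # the matched text exactly as it appeared in the message


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _card_digits(candidate: str) -> Optional[str]:
    """Return the bare digits if the candidate is a plausible, Luhn-valid card number."""
    digits = re.sub(r"[ -]", "", candidate)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def scan_message(text: str) -> List[Finding]:
    """Collect sensitive-data findings in one outbound message."""
    findings: List[Finding] = []
    for m in CARD_RE.finditer(text):
        if _card_digits(m.group()) is not None:
            findings.append(Finding("card", m.group()))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding("email", m.group()))
    return findings


def redact(text: str) -> str:
    """Mask confirmed card numbers, keeping only the last four digits."""
    def mask(m: re.Match) -> str:
        digits = _card_digits(m.group())
        return m.group() if digits is None else "****" + digits[-4:]
    return CARD_RE.sub(mask, text)


def decide(findings: List[Finding]) -> str:
    """Assumed policy: cards must never leave unmasked, emails only need a review."""
    kinds = {f.kind for f in findings}
    if "card" in kinds:
        return "block"
    if "email" in kinds:
        return "review"
    return "allow"


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        found = scan_message(msg)
        print(decide(found), [f.kind for f in found], redact(msg))
```

The Luhn step is what makes the check usable: the third sample message contains a 16-digit string that the regex matches but the checksum rejects, so the message is only flagged for the email address rather than blocked. In a real deployment the same functions would sit in a mail gateway or proxy, and the matched value would go to an audit log rather than to stdout.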

What is a Data Leak?

A data leak is also an exposure of confidential information, but not through a cyber attack: it results from an unintentional mistake or a system flaw. Also, unlike with a breach, with a leak you often cannot say for sure whether the information has actually reached anyone outside. The leading causes of data leaks are flaws in security policy, over-broad user access, and improperly designed applications. The key difference is that a leak originates from an error in processing or from an internal source, not from an external intruder.

As an example, take Facebook – Cambridge Analytica, in which a whistle-blower exposed the unethical practices of Cambridge Analytica. This can be classified as a data leak because far more user data was collected and passed on than users had agreed to, yet nobody broke into Facebook’s systems and the data was not posted publicly.

Causes of Data Leaks

Data leaks occur because proper security measures are not followed while data is handled. Here are the three main ways it happens:

  • Data in transit – sending data over the Internet without transport encryption or proper API authentication, or through unprotected open ports and services, increases the risk of leakage. The same applies to email, web browsing, and other forms of online communication.
  • Data at rest – data stored on insecure devices, for example files with confidential information kept on a drive without encryption or a password, can also leak.
  • Lost media – data on removable media that is lost or forgotten leaks the moment someone else picks it up.

How to Prevent Data Leaks

The key to preventing data leaks is a proactive approach to cybersecurity. Security must be layered so that a single failure does not expose the data. Here are some tips to help prevent data leaks:

  1. Use endpoint protection. Data leaks are often caused by misconfiguration or insecure storage of sensitive information on endpoint devices.
  2. Monitor the network. Watching the data sent and received between your organization and others lets you detect unusual behavior or suspicious traffic, and an abnormal volume of outbound data is often the first sign of a leak.
  3. Use secure storage. Storing sensitive data in clear, unprotected form makes it easy for a potential attacker to take advantage of it. Encrypt the data and enforce access controls on it rather than relying on people remembering the rules.
  4. Develop a policy for device usage. To prevent leaks, it is important to define and enforce rules for proper device usage among employees.
  5. Manage third-party (vendor) risk. Appropriate third-party risk management lets you determine which data each vendor receives and how it is protected.
  6. Comply with GDPR (or the data protection law that applies to you) for data storage and management. This reduces, though does not eliminate, the risk of leaks.
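As an added example (not from the original post) of tip 2 above, network monitoring for unusual outbound traffic, here is a minimal egress anomaly check: it learns each host's normal daily outbound volume and the destinations it usually talks to from a few days of flow summaries, then flags a host whose volume jumps far above its baseline or that contacts a destination never seen before. The flow records are constructed for the demo, the host names and addresses are placeholders, and the thresholds are assumptions you would tune against your own traffic.

```python
from __future__ import annotations

from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Constructed daily per-host flow summaries: "day host destination bytes_out".
# Hosts, addresses and volumes are placeholders, not real traffic.
BASELINE_FLOWS = """\
2022-05-30 ws-finance-01 203.0.113.10 180000
2022-05-30 ws-hr-02 203.0.113.10 95000
2022-05-31 ws-finance-01 203.0.113.10 210000
2022-05-31 ws-hr-02 203.0.113.10 87000
2022-06-01 ws-finance-01 203.0.113.10 190000
2022-06-01 ws-hr-02 203.0.113.10 101000
2022-06-02 ws-finance-01 203.0.113.10 205000
2022-06-02 ws-hr-02 203.0.113.10 92000
"""

# The day under review: ws-hr-02 suddenly pushes 4.2 GB to a never-seen address.
TODAY_FLOWS = """\
2022-06-03 ws-finance-01 203.0.113.10 198000
2022-06-03 ws-hr-02 203.0.113.10 96000
2022-06-03 ws-hr-02 198.51.100.77 4200000000
"""

Flow = Tuple[str, str, str, int]                 # (day, host, destination, bytes_out)
Baseline = Dict[str, Tuple[float, float, Set[str]]]  # host -> (mean, stddev, known dsts)


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow summaries, skipping blank lines."""
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, dst, nbytes = line.split()
        flows.append((day, host, dst, int(nbytes)))
    return flows


def build_baseline(flows: List[Flow]) -> Baseline:
    """Per host: mean daily egress, population std dev, and the set of known destinations."""
    per_day: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    known_dst: Dict[str, Set[str]] = defaultdict(set)
    for day, host, dst, nbytes in flows:
        per_day[host][day] += nbytes
        known_dst[host].add(dst)
    return {
        host: (mean(days.values()), pstdev(days.values()), known_dst[host])
        for host, days in per_day.items()
    }


def detect(flows: List[Flow], baseline: Baseline,
           sigma: float = 3.0, min_ratio: float = 2.0) -> List[Tuple[str, str]]:
    """Return (host, reason) alerts for volume spikes and never-seen destinations.

    A spike must exceed both mean + sigma*stddev and min_ratio*mean, so a host
    with a very flat history (stddev near zero) is not flagged for a 1% change.
    """
    totals: Dict[str, int] = defaultdict(int)
    new_dst: Dict[str, Set[str]] = defaultdict(set)
    for _day, host, dst, nbytes in flows:
        totals[host] += nbytes
        if host in baseline and dst not in baseline[host][2]:
            new_dst[host].add(dst)

    alerts: List[Tuple[str, str]] = []
    for host, total in totals.items():
        if host not in baseline:
            alerts.append((host, "no baseline for host"))
            continue
        avg, sd, _known = baseline[host]
        if total > avg + sigma * sd and total > min_ratio * avg:
            alerts.append((host, f"egress {total} bytes vs baseline mean {avg:.0f}"))
        for dst in sorted(new_dst[host]):
            alerts.append((host, f"new destination {dst}"))
    return alerts


def review_today() -> List[Tuple[str, str]]:
    """Run the check on the constructed sample data."""
    baseline = build_baseline(parse_flows(BASELINE_FLOWS))
    return detect(parse_flows(TODAY_FLOWS), baseline)


if __name__ == "__main__":
    for host, reason in review_today():
        print(f"ALERT {host}: {reason}")
```

On the sample data ws-finance-01 stays quiet, while ws-hr-02 raises two alerts: one for the volume spike and one for the new destination. Either signal alone is worth a look; both together on the same host are the classic shape of an exfiltration, and catching it on day one is the difference between a contained incident and a multi-year dwell time like the Marriott case above.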

What is Worse?

A data leak or a data breach, which is worse? On one side, crooks who broke into your system and stole your data; on the other, your own poor security practices that let the data slip out, accidentally or otherwise. In the first situation your resentment is directed at the intruder who infiltrated your system and at the gaps in your defenses. In the second case you can only blame yourself for leaving the data unprotected and not paying due attention to its security.

The situation will be unfortunate, and the headlines will be loud, in both cases. Regardless of size or industry, many organizations occasionally run into problems securing the confidentiality or integrity of the data they collect. To avoid misleading people when responding to an incident, it is important to understand the difference between data breaches and data leaks. Both are very damaging to your organization’s reputation, but the second scenario, a leak caused by your own negligence, is the more devastating.

RaidForums shutdown as the result of Operation Tourniquet
https://gridinsoft.com/blogs/raid-forums-shutdown/
Wed, 13 Apr 2022 17:14:02 +0000

The post RaidForums shutdown as the result of Operation Tourniquet appeared first on Gridinsoft Blog.

A coalition of international law enforcement agencies – Europol, the FBI, the NCA and others – has seized the world’s largest hacker forum, RaidForums. This appears to be part of an anti-cybercrime campaign that started with the Hydra Market shutdown.

On April 12, 2022, the UK National Crime Agency (NCA) reported on its official website about the successful Operation Tourniquet. Under that operation, the forum’s administration was arrested and the forums were shut down, with the site’s infrastructure seized. UK law enforcement, which hosted this part of the investigation and the arrest, reports arresting the person believed to be the head of this outlaw organisation.

About RaidForums

RaidForums was considered the biggest hacker forum active in recent years. It mainly operated on the surface web rather than the darknet, a strange trait for such a site, especially when we remember that the UK is a member of the 14 Eyes surveillance alliance. Nonetheless, the forum was present on three domains – raidforums[.]com, raid[.]lol and rf[.]ws. There were also several darknet mirrors, but they were not very stable. Possibly, operating from the darknet alone could have prolonged the forum’s lifespan, but history does not deal in what-ifs.

RaidForums page
RaidForums page before the servers seizure

RaidForums appeared in 2015 and gained the image of a place where you could purchase leaked data of any sort. Through the 7 years of its activity, it fuelled numerous cyberattacks and blackmail cases with that information. It hosted over 530,000 members and charged €10 for access to the chatrooms with the specific leaked information. Such a model alone could have brought the creators €5.3 million, but as the NCA report says, an even bigger sum was involved.

It was obvious that one day law enforcement would turn its attention to them. However, by a strange coincidence, that happened shortly after Western countries broke off nearly all relations with Russia. The Hydra Market shutdown had a more obvious connection to the post-Soviet countries, but cybercrime has no borders. More likely, some of the people connected to Hydra had valuable information about other crooks and were pleased to share it with men in uniform.

RaidForums shutdown

The shutdown of RaidForums was not a one-day event. The long-term operation lasted almost a year and resulted in the arrest of 21-year-old Diogo Santos Coelho, the founder of the forum. During the arrest, police also seized about £5,000 and several thousand U.S. dollars in cash. The seized non-cash assets (mostly cryptocurrency) reached roughly $500,000. Stopping the forum is primarily about removing the ability to purchase sensitive information about companies around the world. In particular, the NCA points to information about British companies that was placed for sale on the forum. The overall database held over 10 billion records about both individuals and companies.

RaidForums shutdown
RaidForums page after the servers seizure

Besides the founder, law enforcement also managed to arrest the forum administrators, who are accused of money laundering. The interesting detail is that for that purpose they used an online business previously considered legitimate. The event also had a telling chronology: at the end of January, the founder (known by the nickname Omnipotent) disappeared from social networks. On February 7, the first problems began with RaidForums. Database outages repeated on February 12, with no comment from the administrators. Finally, on February 25 the website went down on all the mentioned domains. No one knew anything about the fate of the forum until the official statements from law enforcement in multiple countries.

What is next?

Recent events show that there is an ongoing anti-cybercrime campaign running in the world. Maybe it is related to the end of US-Russia cybersecurity cooperation, or to the overall wartime background. Possibly, it is becoming a good tradition to begin the year with some loud cybercriminal arrests. A year ago, we witnessed the takedown of the Emotet botnet and the arrest of its operators. This trojan served as the loader that preceded numerous ransomware attacks, and the takedown (in late January 2021) led to a marked decrease in malware activity throughout that spring. No one knows if this year’s actions will have the same impact, but so far it does not look like it: the Hydra and RaidForums shutdowns are painful for the criminals, but neither was a critical part of malware distribution infrastructure.

Epik hoster hack affected 15 million users, not just the company’s clients
https://gridinsoft.com/blogs/epik-hoster-hack-affected-15-million-users/
Mon, 20 Sep 2021 22:07:57 +0000

The post Epik hoster hack affected 15 million users, not just the company’s clients appeared first on Gridinsoft Blog.

Last week, Anonymous hacktivists reported hacking the database of the domain registrar and hosting provider Epik, which has often been criticized for hosting “right-wing” sites including 8chan, Gab, Parler and The Donald.

The stolen data (over 180 GB) was published as a torrent and, according to the hackers, covers the last decade.

Since the company denied that it had been hacked, the hackers mocked Epik and additionally hacked the hoster’s knowledge base, adding their own mocking edits to it.

In total, the dump published by the hackers contained 15,003,961 email addresses belonging both to Epik customers and to people who had no business with the company, Ars Technica now reports.

Reporters explain that Epik scraped the WHOIS records of domains, including ones not registered through the company, and kept those records. As a result, the contact information of people who had never interacted directly with Epik was also held by the company.

The data breach aggregator HaveIBeenPwned has already begun sending warnings to millions of victims whose email addresses were compromised. One of the victims was the founder of the service, Troy Hunt, although he never had anything to do with Epik.

In a Twitter poll, Hunt asked his followers whether affected non-Epik customers would like to be notified of the breach. The majority answered in the affirmative.

“The leak revealed a huge amount of data not only about Epik customers, but also WHOIS records belonging to individuals and organizations that were not customers of the company. This data includes over 15 million unique email addresses (including anonymous ones to ensure domain privacy), names, phone numbers, physical addresses and passwords stored in a variety of formats,” writes HaveIBeenPwned.

Ars Technica reporters note that they saw part of the whois.sql file, approximately 16 GB in size. It is filled with email addresses, IP addresses, domains, physical addresses, and phone numbers. However, some WHOIS records are clearly out of date and contain stale information about domain owners (people who no longer own these assets).

Hoster Epik hack

According to information security specialists Emily Gorcenski and Adam Sculthorpe, Epik representatives have finally admitted the hack and are now notifying their clients about an “unauthorized intrusion” into their systems.

The company urges customers to remain vigilant and to monitor any information they have used with the company’s services (including billing information, credit card numbers, names, usernames, email addresses and passwords).


Although the company does not yet know for certain whether customers’ bank card data has been compromised, users are advised, as a precaution, to “contact the companies that issued the bank cards used for transactions with Epik and notify them of potential data compromise”.
