Hacked Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/hacked/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

MIT Hacked, Students’ Data Sold on the Darknet
https://gridinsoft.com/blogs/mit-hacked-data-on-the-darknet/
Tue, 13 Feb 2024 15:30:33 +0000

On February 13, 2024, a post appeared on a Darknet forum offering a large pack of data leaked from the Massachusetts Institute of Technology (MIT). The hacker, under the alias “Ynnian”, claims that the leak happened this year and consists mainly of students’ data. No payment is asked for this database, hence the information is unlikely to be highly valuable.

MIT Hacked, Data Leaked in the Darknet

The post on the infamous BreachForums discloses a recent data leak from the #2 university in the world. As the leak is exquisitely fresh, posted only 2 hours before this blog post was written, there is no reaction from MIT yet. There should be one, though, as such a leak raises a lot of questions.

Post with the database that is allegedly leaked from MIT

As I’ve mentioned in the introduction, the fact that it is posted “as is”, accessible to everyone without any payment, means that there is nothing really valuable inside. But if so, maybe the hackers have got something valuable enough to just publish a lean dataset? The Massachusetts university is involved in various government-backed programs, including ones related to aerospace and defense. Hence, there is definitely enough valuable material to keep an eye on.

Each row in the leaked database consists of 4 parts: faculty (or department), surname, name of the student, and email address. Occasionally, a “No Student” value is added, potentially meaning a graduate. Not much, sure, but already enough to arrange a phishing campaign, the typical way fraudsters use such data. As the total number of entries, 27,961, exceeds the number of students currently studying at MIT, there could be either duplicates or data about students from previous years.

Should Students be Worried?

If I were in the students’ shoes, I would be worried. Even though there are a lot of other ways to retrieve one’s personal information, especially things like email and name, the source is what matters here. Being a student of a certain university is a perfect identifier for targeting further scam campaigns. And be sure they will come: a free database like this pushes the margin for fraudsters even higher.

In the near future, I’d recommend that the students present in the database be exceptionally careful with any email messages. Even if this leak is not used for spamming, precautions will not be excessive. Email phishing is too widespread nowadays to ignore such a threat.

Tipalti, Roblox and Twitch Hacked by ALPHV/BlackCat
https://gridinsoft.com/blogs/tipalti-roblox-twitch-hacked/
Mon, 04 Dec 2023 15:53:58 +0000

On December 3, 2023, the ALPHV ransomware gang claimed to have hacked the fintech software provider Tipalti along with Roblox and Twitch, its clients. The approach, however, appears to be unusual, as the gang created a listing that says “but we’ll extort Roblox and Twitch, two of their affected clients, individually”. The criminals promise to publish updated posts on Monday morning, which will maximize the stock price impact.

Tipalti Hacked, Roblox and Twitch are Collateral

On Saturday, December 3, 2023, ALPHV came out with quite an unusual claim. The hacker group said it had hacked into the network of Tipalti, a payment automation and accounting software provider, back in early September 2023. The text below is a quote taken from their Darknet leak site:

“We have remained present, undetected, in multiple Tipalti systems since September 8th 2023. Over 265GB+ of confidential business data belonging to the company, as well as its employees and clients has been exfiltrated. We remain committed to this exfiltration operation, so we plan to reach out to both these companies once the market opens on Monday…”

Listing of Tipalti and other companies on ALPHV’s Darknet site

The thing is, the company itself has not received any ransom note yet. The typical practice in cyberattacks is to notify the victim via a ransom note, and only then publish info about the hack. Not this time, though: as the hackers say, they doubt the company will contact them back due to some specific details they discovered while being active in the network.

“…given that Tipalti’s insurance policy does not cover cyber extortion and considering the behavior of the executive team in general, observed through internal communications, we believe the likelihood of them reaching out on our terms is unlikely, regardless of the sensitivity of data in question…”

Cybercriminals’ explanation of the unusual hack flow

Another detail the hackers reveal is the involvement of an insider. This is not a rare occurrence, but threat actors rarely speak openly about it. And in the context of several companies taken as collateral, this sounds more like an attempt to ruin the company’s image. That especially contrasts with the official response of the company, given to the Israeli media outlet Calcalist.

Tipalti representative’s claims regarding the hack

Roblox and Twitch Fall Victim to Tipalti Hack

The worst part about this hack is that the hackers managed to compromise two client companies, namely Roblox and Twitch. In fact, this is not the first time Roblox has fallen victim to a ransom hack: the same ALPHV gang hacked them in 2022. Twitch, though, is mentioned only in the listing title, without any further references in the text. This may be a sign that the hackers managed to leak a less than significant amount of data.

At the same time, the text contains some serious threats towards Roblox. The hackers say they will publish the data of more victims (supposedly other Tipalti clients) in the months to come. To prevent this from happening, both mentioned companies should pay the ransom. They do not specify any sums or, what is more important, the types of data leaked from the game developer.

Is it that dangerous?

Despite how threatening the whole situation looks, I’d take it with a grain of salt. Hackers often exaggerate the total damage, especially when it comes to collateral damage. Claims about Tipalti’s clients being hacked are most likely just attempts to scare all the involved parties and make them pay.

What is beyond doubt, though, is the hackers’ access to some of the data. In particular, they are not likely to lie about their access to the major share of Tipalti’s data. For the other companies, though, it is most likely some data about financial transactions, the things they actually delegated to Tipalti. However, this is still not great, as such an info leak may be a reason for companies to switch to a different service.

To sum up, despite touching a whole array of companies, the hack brings the most harm to Tipalti. And it is mostly reputational: even if not a lot of clients’ info ended up in the hackers’ hands, the fact of the leak remains. The obvious conclusion is to avoid deep integrations with such unreliable companies, just to minimize the possible damage in the case of another cyberattack.

UPD 12/05/2023

The original listing you could have seen above was changed for a more classic one that claims the Tipalti hack. However, the threat actors still use the text note as a place for a postscript. The criminals dispute Roblox’s claims regarding the absence of any signs of network compromise, saying that they will contact them later.

New Tipalti listing on the ALPHV ransomware Darknet site

At the moment, the ALPHV hackers claim to be contacting the first group of Tipalti clients who got their info leaked during the hack. They do not contact the company itself, though, saying they are going to reach out to the clients first. Another interesting detail unveiled after the re-listing is the fact that no ransomware was used: they just leaked 265 gigabytes of data.

Okta Hack Exposes Data of All Support Customers
https://gridinsoft.com/blogs/okta-hack-all-customers-exposed/
Thu, 30 Nov 2023 10:47:15 +0000

Back in mid-October 2023, Okta, one of the world’s largest identity providers, suffered a data breach. Security vulnerabilities in its support system allowed hackers to access one of the support accounts. Initially, the company said that only a minuscule number of customers were affected by the breach. But over a month later, the company disclosed that hackers managed to leak the info about all the Okta Help Center clients.

Okta Hack Results Into a Massive Data Breach

As was originally expected, the data breach within the Okta Help Center touched only a minuscule number of users. Due to poor session token authentication, hackers managed to log in under the guise of a legitimate client and spawn several additional entities. This ended with a call to a function designed to list all the Help Center accounts, which, as was originally believed, had not been successful. As of October 20, Okta claimed that only 134 accounts had their data exposed in this incident.

As it turned out, this number was heavily underestimated. Further investigation showed that hackers successfully dumped info about all the accounts in the system. The company shares some specific details regarding the types of data exposed in that breach:

“The majority of the fields in the report [created by hackers to dump the user data] are blank and the report does not include user credentials or sensitive personal data. For 99.6% of users in the report, the only contact information recorded is full name and email address.”

Types of data stored within user support profiles

Therefore, it is possible that some of the users (0.4%, or 72 people) have more than just email and name exposed. Not a lot, but this already creates a sharp contrast with the original claims from the company. And, what is more important, it raises questions regarding the security architecture within the company.

More Details of Okta Hack Appeared

Aside from the data exposure disclosure, the company also shared some new details regarding the hack. As it turns out, the crooks got their hands on a service account, designed for an automated process running on a machine. Such accounts are often needed for automated backup creation and similar scheduled tasks. Credentials to this account were stored among other data in the employee’s Google account that hackers previously managed to access.

That explains the lack of MFA protection on the compromised account (which is not an option for a machine) and its high privileges. Before, the story sounded rather ironic: the largest identity provider does not care about using identity protection mechanisms in its own networks. Now, though, it makes sense, and it also raises new questions about securing similar accounts. And it still does not justify the fact that compromising the account of a single employee in effect compromised the entire service.

American Airlines Hacked by Cl0P Gang, MOVEit Involved
https://gridinsoft.com/blogs/american-airlines-hack-cl0p/
Tue, 18 Jul 2023 16:06:46 +0000

American Airlines, the major airline company in the US, appears to be yet another victim of the MOVEit vulnerability. Specifically, Cl0p ransomware gang hackers claim a successful attack upon the company. The post on their Darknet leak site does not disclose much, but the company is most likely already in negotiations with the hackers.

What is American Airlines?

Among quite a few airlines in the US, American Airlines is a bit special. Not only is the company among the oldest airlines, being 97 years old, but it is also the biggest company in its sector (by passenger flow). Being a member of multiple airline unions, it provides both regional and international (including trans-Atlantic) flights. Such a large company is no joke, and to attack it you should be either exceptionally brave and confident or extraordinarily reckless.

American Airlines Hacked by Cl0p

Over the last month, Cl0p has gotten more attention than ever before. It is all due to its extensive, and successful, use of the MOVEit MFT vulnerabilities. The managed file transfer suite appeared vulnerable to multiple exploitation scenarios, which allowed for both initial access and lateral movement. We released a series of articles on this topic; consider checking them out if you missed that mess.

American Airlines’ listing on the Cl0p Darknet leak site

But back to Cl0p’s attack on American Airlines. Their hacks are no joke, as each of them is commonly complemented not only with a ransomware attack, but also with extensive data extraction. The gang takes whatever they find, and in the case of American Airlines, the list of possible data categories is humongous. What’s worse, the company holds a lot of records about its passengers, which is natural for any organisation that has to deal with such a large client flow. Another natural thing, though, is the hackers’ interest in getting their hands on this data.

Still, it’s too early for any worries and privacy concerns. It is unclear whether the company is planning to pay the ransom or ignore the demands. Only in the latter case will Cl0p publish the data or offer it for sale, on their leak site or elsewhere. The company, though, claimed the attack came through a third party, specifically the Pilot Credentials app. However, that attack is not likely related, as Cl0p did not list another victim of the Pilot Credentials breach, Southwest Airlines. Moreover, the app’s website itself is not present on the leak site either. All this points to the fact that we are witnessing a new breach.

How dangerous can this hack be?

Well, as I said, Cl0p is not a hack group that plays child’s play. Their hack most likely touches internal company information, including info on its staff and financial situation. The latter may be exceptionally sensitive, as during the pandemic the company had some serious financial struggles. Uncovering them may not be very pleasant for the company, nor would showing the ways it overcame these problems.

Another side of the problem, actually a more sensitive one, is the possibility of a customer data leak. This brings not only problems for people who fly with American Airlines, but also the possibility of legal consequences for the company. It becomes even worse when we remember that hackers usually put an incredibly high price tag on keeping really important data secret. That number may sometimes even exceed the ransom sum for file decryption.

Though, those are just my guesses. Same as anyone interested in cybersecurity, I will keep my eye on newsletters, the company’s public claims and Cl0p’s Darknet site. It’s almost certain that all the details will appear in a week or two.

Capita Hacked, Black Basta Gang Publishes Data
https://gridinsoft.com/blogs/capita-hacked-black-basta-ransomware/
Fri, 21 Apr 2023 11:52:02 +0000

Capita, a London-based international business process outsourcing company, was hacked recently. Users noticed strange events in the company earlier this month, but the confirmation appeared only on April 20, 2023. The Black Basta ransomware gang posted Capita among other victims on its Onion leak website.

What is Capita?

Capita is a business process outsourcing company. Back office management, financial, treasury and management advisory, property and infrastructure management: all of that is its business. Being the biggest company in its sector in the UK, it has clients from all over the world, including large companies and even governments. According to its latest reports, the company has over £6.5 billion in contracts with governmental organisations. Despite such bright success, the company has its own story of failures, minor but memorable ones. And it seems that we are witnessing another case where its name will be mangled with an extra “r” letter.

Capita Hacked, Gigabytes of Data Leaked

In early April 2023, Capita’s executives reported a “minor security incident”. Later, they disclosed that this “minor incident” involved ransomware deployment. The gang itself disclosed the successful attack by adding Capita to the list on its Darknet website. However, the company was in no haste to name the intruder and enumerate the consequences. Until April 20, when another official notification was released, the company was rejecting any claims of data leaks. However, it still speaks only of a minor leak, contrary to what can be found in the data samples published by the hackers.

Capita’s notice on “cybersecurity incident”, published on 04/20

This, however, contradicts the other evidence of the attack. Black Basta is not a “hit-and-run” gang; aside from encrypting files, they commonly steal a certain amount of data. On average, this gang grabs around 500GB of data from each of its victims. Then, following double extortion methods, they ask for an additional ransom to delete the leaked information. If it is not paid, the gang releases the stolen data, making it accessible to everyone. Other crooks sell the data on the Darknet, i.e. they receive their profit even if the company ignores them.

Black Basta’s Darknet page with leaked data

As you could have seen in the screenshot above, the company denies experiencing any problems. This, however, contradicts the webinar cancellations and rescheduling. In recent interviews with the BBC, the company’s officials again stated that no data leaks happened. Meanwhile, they confirm the breach and name the approximate date of its beginning: March 22, 2023.

Capita Breach Lasted for Weeks

Several independent investigations confirmed that hackers were inside the network weeks before the incident was uncovered. Analysts found evidence of the use of a specific sample of QakBot, QBot BB20, for initial access. This dropper trojan is a pretty common guest when it comes to attacks aimed at corporations. After getting into the network, the hackers did not deploy their main payload for the next 11 days. Most probably, this gap was used to infect as many computers as possible.

Considering the time it took to spread payloads, and the overall duration of the “incident”, claims of “limited data exfiltration from the small proportion of affected server estate” look unconvincing. Currently, Black Basta has hidden Capita from its board, yet the listing can be accessed through a direct link. Considering the changes in the schedule of official meetings, the problem touches not only internal documents but also a number of those related to investments and public relations. It is hard to predict the reaction of the company’s contractors when the entire impact is uncovered, but it will not be pleasant for either party.

What is Black Basta ransomware group?

Black Basta is a relatively new ransomware gang, which appeared in April 2022. Some evidence points to this gang being a rebranding of the defunct Conti group. The key piece is the fact that several ex-Conti members continued their careers in cybercrime with that group. Other members seem to be experienced hackers as well. The overly strong design of their software and the techniques used clearly say that being attacked by Black Basta is no joke. Some analysts say it is related to the FIN7 (Carbanak) threat actor.

Over time, they developed a specific pattern of attack. First, they deploy the QakBot trojan using email spam. The crooks use a specific sample, coined BB20, controlled by themselves. Next, this malware connects to the command server and pulls the second-stage payload, Cobalt Strike Beacon. Advanced capabilities of the beacon allow the hackers to perform lateral movement even before deploying the final payload. The final stage is, obviously, dropping ransomware on all the infected systems.

Black Basta infection chain

Linus Tech Tips YouTube Channel Hacked
https://gridinsoft.com/blogs/linus-tech-tips-hacked/
Thu, 23 Mar 2023 16:51:53 +0000

Linus Tech Tips, a tech YouTube channel with 15 million subscribers, was hacked and then used to spread a cryptocurrency scam. It happened around March 23, 2023, and could have led to a massive number of victims among the channel’s subscribers. YouTube has already taken care of the channel by suspending it.

Who is Linus Tech Tips?

Linus Tech Tips is a YouTube channel that belongs to Linus Sebastian, a 36-year-old Canadian who started his channel on YouTube back in 2008. Five years later, his channel grew into Linus Media Group (LMG), which brings together other projects led by Linus, including his other YouTube channel. Additionally, he used the company to host conferences, as well as to distribute Linus-branded apparel. In total, Linus Tech Tips and all other projects hosted under LMG count over 25 million subscribers, with 15 million of them coming from the primary YouTube account alone.

One of the Linus’ videos

As you can see, the YouTube channel is a serious business that Linus has been running for over a decade. People have come to trust him, and he has come to rely on YouTube as an image-supporting element. Losing it, and especially burying the trust of the audience and advertisers by posting scam ads, is disastrous.

Linus Tech Tips Was Hacked

On March 23, 2023, strange things happened to Linus’ YouTube channel. A series of dubious streams was launched, showing footage of crypto-world stars and other celebrities. They generally centered on Jack Dorsey (ex-Twitter CEO), Elon Musk, Cathie Wood, and a couple of other people who participated in The ₿ World 2021 event. Stream headlines were also less than regular, featuring completely irrelevant phrases regarding GPT-4, OpenAI development and the Tesla company.

Linus Tech Tips channel after the hack. You can see a fake stream and a changed username

The most notable thing about these streams was a QR code that redirected users to a website branded with a Tesla badge. That page invited users to send their crypto to a certain wallet to receive double the sum back. It also assured that everything is sponsored by Elon Musk and is done to boost crypto popularity. But as you may already guess, it is a scam.

Tesla Crypto Giveaway scam page

Aside from the streams and crypto scam websites, the channel itself was modified as well. Its regular @LinusTechTips handle was changed to @teslaliveonline1, then to @temporaryhandle and @LinusTechTipsTemp, probably after the channel was suspended. Moreover, all the videos posted since 2016 were either deleted or switched to private.

The Situation is Under Control

Linus Media Group representatives contacted the audience later the same day. They say that the situation is being worked out, and that they are cooperating with the Google support team.

“Everything should be locked down and we are getting to the bottom of the attack vector with the (hopeful) goal of hardening their security around YouTube accounts and preventing this sort of thing from happening to anyone in the future.”

They do not yet mention any timeframes, reasons, victims or guidelines for other YouTubers who were struck the same day. ThioJoe, Technique, and TechLinked, other tech tips channels, report being hacked with similar consequences. In total, they bring up another 5 million potential victims.

How Bad is The Linus Tech Tips Hack?

Cryptocurrency scams fronted by Elon Musk, Cathie Wood and other world-famous personalities are nothing new. They’ve been around for at least 3 years, and possibly even longer if we count the cases before they obtained their “pattern”. This pattern typically revolves around the offer to send a certain sum of cryptocurrency to a designated wallet. In return, the website promises to send you twice as much as you’ve sent. The multiplier may change from one case to the next, but the overall essence is the same.

The situation around Linus Tech Tips is worsened by the astonishing size of the audience. 15 million people are exposed, yet for sure not all of them fell victim. Nonetheless, the number of people who could potentially be tricked is enormous. It is most likely comparable to similar crypto scam page advertisements spread through celebrities’ accounts on Twitter in 2021. But if we sum up the users of all the channels that were hacked around this date, things get really troublesome.

How Could That Happen?

The most common tricks that target YouTube content creators (and creators from other platforms) are cookie hijacking and fake freeware ads in Google Search. We will leave aside delivering spyware or stealers via unlicensed software, as the hacked YouTubers are highly unlikely to use cracks.

Session hijacking is a trick that aims at grabbing the victim’s session tokens. It is done through a malicious link that generally arrives to the victim in an email. The email is disguised as some routine security mailing, and asks the victim to follow the link to solve the issue. The link often looks like a legitimate one, and hovering over it does not reveal third-party sites. However, clicking it redirects you through a chain of pages, where your session token gets hijacked. That token gives the hackers full control over your account. That trick has been around for a long time, but is used quite rarely as it requires a number of circumstances to coincide.

Malicious links in Google Search results for free software are, on the other hand, a rather new topic. Not so long ago a wave of malicious sites started to pop up as soon as you google LibreOffice, Python, Blender, or similar programs. Following such a link will show you a page that roughly resembles the genuine download page of these programs. The rough resemblance, however, is not an obstacle for users who have never dealt with the original page. Moreover, people are used to trusting Google Ads wherever they see them, and thus will probably click without any hesitation. A file downloaded from such a source generally contains the Vidar or RedLine stealer.

How To Know If Your Phone is Hacked?
https://gridinsoft.com/blogs/phone-is-hacked/
Mon, 25 Jul 2022 13:08:27 +0000

If your phone has stopped working correctly and started showing obvious performance errors, then something is wrong. If you notice that your smartphone has begun to turn itself off or on, or that it sometimes gets too hot, then you should take it seriously. Outgoing calls you didn’t make are a clear sign of a problem.

All the listed signs of failure in your smartphone indicate a technical failure or a potential hack. But there is good news: in this article, we describe the possible threats on your device in detail and present a list of ways to prevent the problem.

Symptoms: How to Tell If Your Phone Has a Virus?

Hackers can cause problems for you in many ways. It can happen through phishing attacks, visiting questionable websites, using untrustworthy apps, and more. In any case, hacker software comes in several kinds:

  • Keylogging: a hacker’s surveillance of your actions through your keyboard taps, phone conversations, and so on.
  • Spyware: these types of malware are often disguised as something necessary. They extract data from your device and read your confidential data or your credit card details.
  • Cryptominers: this software also likes to hide in some secret corner of the device. Its purpose is to use the device’s computing power for cryptocurrency mining. In general, mining is not prohibited by law, but cryptojacking devices without the owner’s knowledge is illegal.

The Features of the Hacker Software on Your Device are as Follows:

  • Performance issues: the most common signs of malware on your smartphone include slow operation, slow loading of applications and programs, poor battery performance, and other similar effects. All this is evidence that the malware works in the background and does not let you use your device in peace.
  • Your phone feels like it is running hot: in addition to the effects mentioned above, malware on your smartphone will load your device and make it overheat strongly. When viruses appear on your phone, there will be obvious signs: suspicious application behavior and an increased amount of advertising.
  • Mystery apps or data: the presence of third-party applications and programs you have not downloaded is also a sign of malware.
  • Pop-ups or changes to your screen: the appearance of pop-ups and new bookmarks in your web browser is also the work of malware. Also, watch for configuration changes: if you have not made them personally, then someone is doing it for you.

What to Do and How Do I Know If My Phone is Being Hacked?

  • Also, try to get rid of all the information on your device: photos, videos, contact lists, and more. It is good to have a backup of all of this; then, when formatting your phone, you will not lose important information.
  • Be sure to check your cards and bills. Best of all, block them, because the intruders could have extracted your financial information and made unauthorized purchases on your account. Finally, update your passwords for the accounts that the hacker may have accessed.

Free Trojan Scanner for Android smartphones is a great solution to ensure the best virus detection rate on your phone. Once installed on a PC, this program will scan your phone for malicious processes according to a set schedule. It is a free app with no in-app purchases, a powerful and fast cloud scanning solution that you can easily find on the Play Store.
