From the maritime industry to gun auctions and video-making, nobody is safe in today’s growing threat landscape, where attackers constantly hunt for the new gold: personal data. As more and more sensitive information is stored online, the consequences of a cyber attack can be catastrophic for individuals and businesses alike, so phishing protection is of vital importance. Here are this week’s phishing and data breach-related news stories.

Multi-Year Spear Phishing Campaign Targeting The Maritime Industry

A sophisticated spear phishing campaign slipped past the maritime industry’s security controls to deliver the Formbook and Agent Tesla infostealers. The attackers maintained persistence on victim networks for over a year without the targeted crews noticing. Researchers first observed the campaign in October 2020, when it was distributing Agent Tesla; in mid-2022 it switched to Formbook.

What researchers found:

EclecticIQ Intelligence assessed the campaign and attributed it to a single threat cluster. The emails claimed to inform recipients that their ship was docking at a port and asked the victim to open the malicious attachment for further details. The attachment is a CAB file named after a maritime vessel, enclosing the Agent Tesla malware. Researchers found over 20 such emails appearing to come from a Norway-headquartered shipping company.

The security experts said that the use of commodity RATs shows the group wants to obtain sensitive information such as session tokens, credentials, and email lists. It can use this information in future BEC attacks or sell it on the dark web as initial access.
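The lure above relies on a CAB archive that the recipient is asked to open. As an added example (not code from the original report or from EclecticIQ), the Python below inspects an e-mail’s attachments and flags cabinet files by their “MSCF” magic bytes rather than by filename alone, so an archive renamed to .pdf is still caught. The sample message, addresses, vessel name and filenames are constructed for the demonstration.

```python
"""Flag CAB attachments in an e-mail by content, not just by filename (added example)."""
import email
from email import policy
from email.message import EmailMessage

CAB_MAGIC = b"MSCF"  # every Microsoft Cabinet file starts with these four bytes


def build_sample_email() -> bytes:
    """Constructed lure resembling the maritime campaign; addresses and names are invented."""
    msg = EmailMessage()
    msg["From"] = "operations@shipping-example.invalid"
    msg["To"] = "master@vessel-example.invalid"
    msg["Subject"] = "MV EXAMPLE STAR - port docking details"
    msg.set_content("Kindly find attached the docking details for your vessel.")
    fake_cab = CAB_MAGIC + b"\x00" * 32  # header signature plus filler, not a real archive
    msg.add_attachment(fake_cab, maintype="application", subtype="vnd.ms-cab-compressed",
                       filename="MV_EXAMPLE_STAR_docking_details.cab")
    # Same bytes with a benign-looking name and type: an extension filter alone misses this one.
    msg.add_attachment(fake_cab, maintype="application", subtype="pdf",
                       filename="port_details.pdf")
    msg.add_attachment(b"%PDF-1.4 harmless placeholder", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return bytes(msg)


def find_cab_attachments(raw: bytes) -> list[dict]:
    """Return one record per attachment that is a CAB by magic bytes or by extension."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""  # base64 transfer encoding is undone here
        by_magic = data.startswith(CAB_MAGIC)
        by_ext = name.lower().endswith(".cab")
        if by_magic or by_ext:
            hits.append({"filename": name, "content_type": part.get_content_type(),
                         "magic_match": by_magic, "extension_match": by_ext})
    return hits


if __name__ == "__main__":
    for hit in find_cab_attachments(build_sample_email()):
        print(hit)
```

Both CAB parts are reported: the one with the honest .cab name and the one disguised as a PDF, while the genuine PDF passes. In a mail gateway the same check would sit alongside a policy decision, for example quarantining any message whose attachment content type disagrees with its magic bytes.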

 

New Malware Targets Business Routers For Data Theft And Surveillance

An ongoing hacking campaign named ‘Hiatus’ targets DrayTek Vigor router models 2960 and 3900 to build a covert proxy network and steal victims’ data. Small and medium-sized businesses use these business-class VPN routers to give remote staff access to corporate networks.

The campaign, ongoing since July 2022, relies on a malicious bash script, the “HiatusRAT” malware, and a legitimate tcpdump binary used to capture network traffic flowing through the router. Attackers use the HiatusRAT component to download additional payloads, run commands on the compromised device, and turn it into a SOCKS5 proxy that relays command-and-control (C2) traffic.

Lumen’s Black Lotus Labs discovered the campaign and believes HiatusRAT has infected over a hundred businesses in Europe and North and South America. While Hiatus is a small-scale campaign, it can severely affect its victims, stealing email and FTP credentials and providing a foothold for further network access. Lumen’s researchers say the threat actors deliberately keep the attack volume small to evade detection.
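A router turned into a SOCKS5 proxy gives itself away at the protocol level: the SOCKS5 handshake has a fixed byte layout (RFC 1928), so a proxy listener can be spotted from the first client bytes of a flow whatever port it uses. The Python below is an added example, not from Lumen’s research or the HiatusRAT sample; it parses the greeting and request messages and scans a constructed list of flow records for SOCKS5 greetings arriving at a monitored router address. The addresses, ports and payloads are made up for the demonstration.

```python
"""Identify SOCKS5 handshakes in captured flows regardless of port (added example)."""
from dataclasses import dataclass

SOCKS_VERSION = 0x05
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}


def parse_socks5_greeting(data: bytes):
    """Client greeting per RFC 1928: VER NMETHODS METHODS[NMETHODS]. Returns the method list or None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) != 2 + nmethods:
        return None
    return list(data[2:])


def parse_socks5_request(data: bytes):
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT. Returns (command, host, port) or None."""
    if len(data) < 7 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == 0x01:                       # IPv4, 4 bytes
        off, length = 4, 4
        host = ".".join(str(b) for b in data[4:8])
    elif atyp == 0x03:                     # domain name: one length byte, then the name
        off, length = 5, data[4]
        host = data[5:5 + length].decode("ascii", "replace")
    elif atyp == 0x04:                     # IPv6, 16 bytes
        off, length = 4, 16
        host = data[4:20].hex()
    else:
        return None
    if len(data) != off + length + 2:      # address must be followed by exactly a 2-byte port
        return None
    port = int.from_bytes(data[off + length:off + length + 2], "big")
    return CMD_NAMES[cmd], host, port


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_payload: bytes   # first client-to-server bytes of the connection


def find_socks5_flows(flows, monitored_hosts):
    """Flows whose first client bytes are a SOCKS5 greeting aimed at a host we care about (e.g. edge routers)."""
    hits = []
    for f in flows:
        methods = parse_socks5_greeting(f.first_payload)
        if f.dst in monitored_hosts and methods is not None:
            hits.append((f.src, f.dst, f.dport, methods))
    return hits


# Constructed sample flows: 192.0.2.1 plays the router, the rest are documentation addresses.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "192.0.2.1", 8816, b"\x05\x01\x00"),           # SOCKS5 greeting, no-auth only
    Flow("198.51.100.9", "192.0.2.1", 443, b"\x16\x03\x01\x00\xc8"),   # TLS ClientHello, ignored
    Flow("203.0.113.7", "192.0.2.1", 22, b"SSH-2.0-OpenSSH_9.0\r\n"),  # SSH banner, ignored
    Flow("192.0.2.1", "203.0.113.7", 8816, b"\x05\x00"),               # server method reply, not a greeting
]

if __name__ == "__main__":
    for hit in find_socks5_flows(SAMPLE_FLOWS, {"192.0.2.1"}):
        print("SOCKS5 greeting to monitored host:", hit)
```

Only the flow on port 8816 is reported: TLS and SSH do not start with 0x05, and the router’s own two-byte reply fails the greeting length check. A business router should never accept a SOCKS5 greeting from the internet, so any hit on an edge device is worth an immediate look at its processes and listening sockets.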

 

Cybercriminals Expose Personal Data After Targeting Police Department Of The City Of Modesto, California

Modesto confirmed that hackers executed a ransomware attack on its Police Department’s digital network on Feb. 3 and may have accessed people’s personal information, including driver’s licenses and Social Security numbers.

“Beginning next week, the City will begin notifying the impacted individuals through US mail and offer them complimentary credit monitoring services,” said a city news release.

The release says the city’s investigation “concluded that attackers could access only a limited amount of information in this incident.” City spokesman Andrew Gonzales said the city would not disclose how many people may be affected, whether they are members of the public or city employees, how the ransomware got into the Police Department’s network, or other details.

PayPal Faces A Class Action Lawsuit Over Data Breach That Impacted 35,000 Users

Online payment giant PayPal is in trouble again, this time over a data breach that exposed the personal and financial details of almost 35,000 individuals. Plaintiffs Ashley Pillard and Destiny Rucker have filed a complaint in the US District Court for the Northern District of California, blaming the company for the December 2022 incident. On Jan. 19, 2023, PayPal sent a data breach notification to nearly 35,000 users, explaining that their accounts had been accessed without authorization between December 6 and 8, 2022.

While PayPal quickly identified and contained the breach, the investigation took nearly two weeks. During this time, PayPal confirmed that the attackers had logged into the affected accounts using valid credentials, while denying that those credentials came from a breach of its own systems. Logins that succeed with the right password but were not made by the account holder are the signature of credential stuffing, where usernames and passwords leaked elsewhere are replayed against another service.

According to PayPal, the evidence did not suggest that the attackers obtained the credentials directly from it. Still, the company says it is taking the necessary steps to secure its users’ accounts. Affected users were advised to reset their passwords and enable 2FA (two-factor authentication) as a precaution.

According to the lawsuit, PayPal failed to follow Federal Trade Commission guidelines and industry data protection standards and to implement basic security measures. As a result, sensitive information, including names, tax identification numbers, addresses, Social Security numbers, and dates of birth, was exposed. If the case proceeds as a class action, it could represent thousands of impacted individuals seeking damages from PayPal.
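Account takeovers with valid credentials look legitimate one login at a time; they stand out only when authentication logs are viewed per source, where one IP works through many distinct accounts with a high failure rate. The Python below is an added example and not PayPal’s detection logic. It runs that check over a constructed login log in a hypothetical `timestamp ip= user= result=` format and returns, for each flagged source, the accounts it logged into successfully, which are the ones to force through a password reset and 2FA enrolment. The thresholds and the log lines are assumptions for the demonstration.

```python
"""Credential-stuffing detection over an authentication log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format; real systems differ, only parse_log needs to change.
LOG_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

# Constructed sample: one source replays leaked passwords against many accounts
# (two of them work), while two ordinary users log in normally.
SAMPLE_LOG = """\
2022-12-06T10:00:01Z ip=203.0.113.5 user=alice result=OK
2022-12-06T10:00:03Z ip=203.0.113.5 user=bob result=FAIL
2022-12-06T10:00:04Z ip=203.0.113.5 user=carol result=FAIL
2022-12-06T10:00:06Z ip=203.0.113.5 user=dave result=OK
2022-12-06T10:00:07Z ip=203.0.113.5 user=erin result=FAIL
2022-12-06T10:00:09Z ip=203.0.113.5 user=frank result=FAIL
2022-12-06T10:00:10Z ip=203.0.113.5 user=grace result=FAIL
2022-12-06T10:00:12Z ip=203.0.113.5 user=heidi result=FAIL
2022-12-06T10:05:00Z ip=198.51.100.20 user=bob result=FAIL
2022-12-06T10:05:20Z ip=198.51.100.20 user=bob result=OK
2022-12-06T10:07:00Z ip=198.51.100.21 user=carol result=OK
"""


def parse_log(text):
    """Group (timestamp, user, result) events by source IP; unparseable lines are skipped."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        by_ip[m.group(2)].append((ts, m.group(3), m.group(4)))
    return by_ip


def detect_credential_stuffing(log_text, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.5):
    """Map each flagged source IP to the sorted accounts it logged into successfully.

    A source is flagged when, within any sliding window, it touched at least
    min_users distinct accounts and at least min_fail_ratio of those attempts failed.
    """
    flagged = {}
    for ip, events in parse_log(log_text).items():
        events.sort()
        start = 0
        for end, (ts, _, _) in enumerate(events):
            while events[start][0] < ts - window:   # slide the window forward
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, r in win if r == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = sorted({u for _, u, r in events if r == "OK"})
                break
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing suspected; force reset + 2FA for {accounts}")
```

The single ordinary user who mistyped a password is not flagged (one account, not five), while the source that hit eight accounts in twelve seconds is, and the two accounts it opened, alice and dave, are exactly the “valid credential” logins that a per-account view would have accepted.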

 

Malicious Actors Steal Gun Owners’ Personal Data From a Firearm Auction Website

Cybercriminals recently breached a website that lets people buy and sell guns, exposing its users’ identities, TechCrunch reported. The breach exposed the sensitive personal data of over 550,000 users, including full names, email addresses, home addresses, telephone numbers and plaintext passwords. The stolen data also allegedly lets attackers link a specific person to the sale or purchase of a particular weapon.

Troy Hunt, the security researcher who runs the data breach alerting service and repository Have I Been Pwned, said, “With the data, the attackers can take a public listing, resolve it back to the [stolen database] and extract the name, physical and email address and phone number of the seller and the location of the gun.”

Late last year, a security researcher who asked to remain anonymous discovered a server that a hacker (or group of hackers) was using to store stolen data. The server had no access controls, so the researcher downloaded and examined the data and determined that it had been taken from GunAuction.com, a website that has hosted gun auctions since 1998.
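The plaintext passwords are the part of this leak that keeps hurting after the breach, because they are reused on other sites. As an added example unrelated to GunAuction.com’s code, the Python below shows how password storage should look using the standard library’s scrypt (`hashlib.scrypt`, available on OpenSSL-backed builds): a random per-user salt, a memory-hard KDF and a constant-time comparison, so a stolen table yields no reusable credentials. The work-factor parameters and the sample user record are assumptions for illustration.

```python
"""Salted, memory-hard password storage with scrypt: the hardened alternative to plaintext (added example)."""
import hashlib
import hmac
import secrets

# Work-factor parameters chosen for illustration (assumption); tune N to your latency budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, parameters, salt and digest, '$'-separated."""
    salt = secrets.token_bytes(16)  # fresh random salt: equal passwords get different records
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time. Malformed records fail closed."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)  # no early exit on the first differing byte


# Constructed sample user table; the placeholder values are not data from any breach.
USERS = {"seller42": hash_password("correct horse battery staple")}
# Verified against when the username is unknown, so both paths cost one scrypt call.
DUMMY_RECORD = hash_password("dummy-password")


def login(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        verify_password(password, DUMMY_RECORD)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    print(USERS["seller42"])                      # what an attacker would get from the table
    print(login("seller42", "correct horse battery staple"), login("seller42", "wrong"))
```

Had the auction site stored records like the one printed above, the dump would have handed attackers per-user salted scrypt outputs to crack at tens of milliseconds each instead of passwords to try everywhere immediately. Verification reads the parameters from the record itself, so the work factor can be raised later and old records re-hashed on next login.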

 

Canadian Book Giant Says That Hackers Stole Employee Data During a Ransomware Attack

Canadian bookseller Indigo denied that attackers stole customer data during last month’s ransomware attack, which took down its website. The same cannot be said of the multibillion-dollar company’s employee data.

In a follow-up FAQ, Indigo mentioned that employee data was involved in the ransomware attack. The Toronto-based company has over 8,000 current employees at about 160 stores across Canada. Indigo did not respond to requests for comment regarding how many people were affected.

It said Cyberscout, an identity theft management company, would email former and current employees about the incident. Those without email addresses on file will receive letters in the mail. “Our investigation concluded that there is no reason to believe customer data was improperly accessed, but hackers got hold of some employee data. We have notified law enforcement, and our team is cooperating with them,” the company said.

The notice does not specify what type of employee data the attackers accessed. The LockBit threat group claimed responsibility for the attack on Tuesday evening.

Blackfly: Espionage Group Targets The Materials Technology Industry

The Blackfly espionage group (also tracked as APT41, Bronze Atlas and Winnti Group) continues to mount attacks against Asian targets and recently hit two subsidiaries of an Asian conglomerate operating in the materials and composites sector, suggesting the group may be attempting to steal intellectual property.

Despite being the subject of a US indictment, Blackfly continues to launch attacks, undeterred by the publicity the group has attracted. It initially made a name for itself by targeting the gaming sector; at present it appears focused on intellectual property across a range of sectors.

Video Marketing Platform Animaker Leaks Trove of User Data

A misconfigured database exposed the personal data of over 700,000 users of animaker.com (a DIY video animation tool) and getshow.io (an all-in-one video marketing platform). Animaker.com owns Getshow.io; the server in question is managed by animaker.com and registered under the domain name getshow.io.

The database currently contains 5.3 GB of data and continues to grow, with new records added daily. The exposed data includes the following information about unsuspecting customers:

  •   Full names
  •   Device type
  •   Postal codes
  •   IP addresses
  •   Mobile numbers
  •   Email addresses
  •   Animaker profile details
  •   Country/city/state/location

However, CloudDefense.ai said no passwords were found in the leak. Sen, the researcher who reported it, said he identified the server on Shodan while searching for misconfigured cloud databases.