Social engineering attacks are an ever-present problem, and organizations worldwide are struggling to secure their systems against phishing. Following are some of the most recent phishing-related headlines, to help you plan phishing attack prevention for your organization.
Data Breach Hits South Denver Cardiology Associates
On New Year’s Day, South Denver Cardiology Associates (SDCA) was targeted by a cyberattack that was discovered only on 4th January 2022. The initial investigation revealed that adversaries accessed the SDCA network between 2nd January and 5th January. Consequently, patients’ protected health information (PHI) was compromised. The exposed data included patients’ names, social security numbers, DOBs, drivers’ license numbers, health insurance information, patient account numbers, and other clinical details.
In the breach notification posted on its website, SDCA announced that the patient portal and patient medical records remained unaffected by the breach. SDCA believes that there has been no misuse of patient information so far. However, it has notified all 287,652 affected patients of the incident and offered them free credit and identity services. It is unknown whether current or former patients’ data was exposed, as the notice does not specify. Details of any ransom demand have not been disclosed either. As SDCA’s investigation continues, patients are advised to adopt measures to protect themselves from phishing.
LockBit Targets Bridgestone Americas
The renowned tire manufacturer Bridgestone Americas was recently targeted by the LockBit ransomware gang. With 55,000 employees and 50 production facilities in the Americas, Bridgestone Americas is an attractive target for ransomware operators looking to steal data.
The incident was first reported on 27th February, when many Bridgestone employees at its LaVergne plant were sent home due to a cyber attack. Soon after detecting the attack, Bridgestone launched an investigation and hired external cybersecurity experts to evaluate the nature of the attack. Further, to ensure protection against phishing, Bridgestone shut down its manufacturing and retreading facilities in North America and Latin America. In its public statement, Bridgestone said that nothing could be stated about the attack with certainty until all investigations were over. The company is investing significant resources to stop such attacks in the future.
On the other hand, the operators of the LockBit ransomware announced that all information stolen from Bridgestone would be released publicly on 15th March 2022. The gang further clarified its intentions, stating that LockBit is only interested in making money and has no political inclinations. It claimed that it would never target the critical infrastructure of any country or participate in any international conflict. Whatever its stated intentions, LockBit continues to be one of the most dangerous and active ransomware operations.
Cyberattack Hits The Automotive Components Supplier Denso
The renowned global automotive components supplier Denso recently suffered a cyberattack that affected its German operations. Denso states that its technologies are widely used in vehicles worldwide, and this attack probably affected its technologies for connectivity, autonomous vehicle features, and mobility services. It reported annual sales of $44.6 billion in the 2020-2021 fiscal year, with Honda, Toyota, Ford, and General Motors as its top clients.
Denso announced on 14th March 2022 that it had discovered an unauthorized third party accessing its network on 10th March. While the intrusion was detected then, the adversaries might have been inside Denso’s network for much longer. Soon after noticing the attack, Denso cut off the connection and launched an internal investigation. So far, no other facilities have been affected, and production plants are running on schedule without disruption.
Denso has informed the local authorities and hired external cyber forensic experts to investigate the incident as part of its measures to prevent phishing attacks. Denso regretted the incident and apologized to all clients and associates for the inconvenience caused. The Pandora ransomware gang claimed responsibility for the attack on Denso, and cybersecurity experts traced 1.4 TB of data stolen from Denso to Pandora’s leak site.
Data Breach Hits South African Credit Bureau TransUnion
TransUnion is regarded as one of the top credit bureaus in South Africa, and the company recently suffered a data breach. It announced that unauthorized third parties accessed its server using an authorized client’s credentials. On 11th March 2022, the adversaries demanded a ransom of $15 million, which the company has no plans of paying. The South African news site ITWeb reported that a Brazilian threat actor group called N4aughtysecTU is taking responsibility for the attack on TransUnion. The N4ughtySec hacker said in a Telegram chat with ITWeb that it has been attacking TransUnion South Africa since 2012. The group further claimed that TransUnion used weak passwords on its network, making intrusion easier.
The adversaries claimed to have access to more than 4TB of customer data belonging to TransUnion. Reportedly, this data covers over 200 corporate companies. The news site reported that the threat actors demanded bitcoin worth about 223 million (close to $15 million).
TransUnion has notified the authorities and is working closely with law enforcement and regulators as part of its phishing prevention measures. In addition, the company addressed customer queries regarding the breach in a Q&A on its FAQ page.
Conti’s Source Code Leaked – Revealing Vital Information
Many pertinent details about Conti Ransomware’s organization structure and operational mechanism were revealed in a recent leak of its chat logs, source code, and other sensitive data. Cybersecurity experts from various organizations are now finding more details about Conti from this leak. Security researchers from BreachQuest have reported some details about Conti’s operators and their levels of functioning.
They report that someone named Stern is the ‘big boss’ and a certain Salamandra works in HR and takes care of the recruitment processes. The other important figures in Conti’s operations include Mango (team lead), Bio (blogger/negotiator), Revers (tech lead), Twin (training), and Bentley (system admin).
Conti was the highest-earning ransomware operation of 2021, with an estimated $180m. Conti mainly targets financial documents, clients, accounting, and projects. It usually looks for backup servers within the compromised network and encrypts them.
A source code analysis conducted by CyberArk concluded that organizations could use the leaked Conti data to improve their own phishing protection. The leaked data included 12 Git repositories of internal Conti software, most of which appeared to be open-source software. The Conti leak is a rich resource for cybersecurity researchers tracking the group and its operators.
Mobile Apps Leaking Sensitive User Data
A misconfiguration of back-end cloud databases has caused several mobile applications with millions of downloads to leak sensitive user data. The security vendor Check Point conducted a three-month study and found that over 2100 mobile applications had their Firebase back-end exposed owing to misconfigurations. The investigation began with a VirusTotal query for mobile apps that communicate with the Firebase cloud database, as listed on the malware scanning service.
Check Point explained that developers, while hardening the application itself against attacks, often overlook the configuration of the cloud database behind it. This leaves real-time databases exposed and open for anyone to access and exploit. The study found several applications with misconfigured cloud databases. These include a logo design application and a South American e-commerce app, each with over 10 million downloads, which exposed the personal details of users and API gateway credentials, respectively. Other applications found revealing user details were a bookkeeping app, a social audio platform (over five million downloads), and a dating app.
Cloud misconfigurations are a sign of inadequate policies, a lack of awareness and security training, and missing anti-phishing solutions. While these poor security practices can cause immense loss to an organization and its users, the misconfigurations themselves can be remediated with a few clicks.
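As an added example (not from Check Point’s study or the original article), the following JavaScript lint walks a Firebase Realtime Database rules document and reports every path whose ".read" or ".write" rule is unconditionally true, which is the "open to anyone" misconfiguration described above. Both rule sets are constructed for illustration: the permissive test-mode rules and a hardened version that scopes each record to its owner.

```javascript
// Constructed: permissive "test mode" rules that leave the whole database
// world-readable and world-writable (the misconfiguration discussed above).
const weakRules = {
  rules: {
    ".read": true,
    ".write": true,
  },
};

// Constructed: the same database scoped so a signed-in user can only reach
// their own record under /users/<uid>.
const hardenedRules = {
  rules: {
    users: {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
      },
    },
  },
};

// Returns one {path, permission} finding for every unconditional grant.
// Firebase accepts either the boolean true or the string "true" as a rule;
// both mean "anyone, without authentication".
function findPublicRules(doc) {
  const findings = [];
  function walk(node, path) {
    if (node === null || typeof node !== "object") return;
    for (const [key, value] of Object.entries(node)) {
      if (key === ".read" || key === ".write") {
        const open =
          value === true ||
          (typeof value === "string" && value.trim() === "true");
        if (open) findings.push({ path: path || "/", permission: key });
      } else if (!key.startsWith(".")) {
        // Descend into child locations, including $wildcard keys; skip
        // other dotted keys such as .validate and .indexOn.
        walk(value, `${path}/${key}`);
      }
    }
  }
  walk(doc.rules || {}, "");
  return findings;
}

console.log(findPublicRules(weakRules));     // two findings at "/"
console.log(findPublicRules(hardenedRules)); // []
```

Run it against a rules export from your own project (`firebase database:get` does not return rules; use the Firebase console or the rules file in your repository) to confirm no path is left open before shipping.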
FTC Asks CafePress to Pay $500,000 to Victims of 2019 Breach
The customized merchandise platform CafePress suffered a data breach in 2019 that exposed millions of users’ email addresses and passwords. The adversaries used this stolen information to trace 180,000 unencrypted social security numbers, some of which were eventually found on the dark web. While the data breach and its after-effects seem quite typical, CafePress’s anti-phishing protection measures were inadequate. Because of that, the Federal Trade Commission (FTC) has recently ordered the platform to pay $500,000 as redress to the victims of the attack.
Reportedly, CafePress had known about and ignored the security threats that led to the 2019 breach. Further, the company quietly patched the vulnerability and notified customers only a month later, when the breach was publicly reported. The FTC remarked that, despite knowing that customers’ login credentials were no longer safe to use after the breach, CafePress did not ask its customers to change their passwords and continued to allow logins with the same compromised credentials.
Interestingly, this was not the first time CafePress hid a security incident from its customers. This and several other security failures over the years have put CafePress’s customers at risk. The FTC’s charges against the company aim to compensate users for this loss of personal property.