Every week we see the adversaries successfully stealing information through various social engineering tactics. This cycle of malicious actors accessing one’s personal and organizational networks needs to be stopped. The first step towards that is keeping yourself up-to-date with how these threat actors operate. Here are the phishing news headlines of this week.


Data Breach at Missouri’s Department of Elementary and Secondary Education (DESE)

Newspaper reporter Josh Renaud first discovered a vulnerability in the DESE certification database. As a result of this vulnerability, the sensitive information of over 620,000 present and former teachers, including their social security numbers, was compromised. Renaud first informed the DESE and waited for them to patch the vulnerability, but he published his story when the Missouri Governor accused him of hacking into the database. The controversy aside, DESE is apologetic for this security negligence.

As part of its phishing attack prevention measures, the DESE and the Office of Administration Information Technology Services Division (OA-ITSD) will send out breach notification letters to all teachers whose PII (Personally Identifiable Information) was compromised in the incident. The department realizes that teachers and educators have a lot to handle because of the pandemic and regret having caused them the trouble. To help these teachers deal with any unforeseen attack attempts triggered by this incident, the DESE provides over 620,000 present and former teachers with one year of complimentary identity theft and credit monitoring through IDX. While the free services offered to victims will cost the state over $800,000, this enables those affected to approach the IDX call center (833-325-1777) for any assistance needed.


Threat Actors Access HPE’s Aruba Central Network

The data repositories for HPE’s Aruba Central network were recently compromised, enabling adversaries to monitor devices and their locations and access and collect data. The access key to the cloud networking solution provider Aruba Central was accessed by malicious third parties for 18 days between 9th and 27th October. During that time, they could access the customer data contained in the Aruba Central environment.

The data stored in the exposed repository contains two datasets related to network analytics and Aruba Central’s ‘Contact Tracing’ feature, respectively. While the network analytics data set stored customers’ network telemetry data, the contact tracing database stored their location-oriented data. The first dataset revealed the IP and MAC addresses, hostnames, operating systems, hostname, usernames, and authenticated Wi-Fi networks. The second exposed the time, and Wi-Fi access points users were connected to. This data possibly enabled the adversaries to track the location of users.

As part of its measures for protection against phishing, HPE first revoked the adversaries’ access to their datasets and then began investigations into the access point and extent of the attack. The company’s research revealed Aruba Central’s environment is such that data is only stored for 30 days. As such, the adversaries would have accessed its network for no more than 30 days at any given time. Though the environment included personal data, it didn’t include sensitive personal data of users. Going by the nature of the attack, there is no need to change usernames, key configuration, or passwords at the user level. However, HPE is taking phishing prevention measures to ensure that such a security incident doesn’t happen again.


Ransomware Hits Stor-a-File

In another after-effect of the SolarWinds breach, the British data storage and capture enterprise Stor-a-File underwent a ransomware attack where adversaries exploited an unpatched SolarWinds‘ Serv-U FTP software.

While the organization disclosed the attack to the public, it informed its organization’s decision not to succumb to ransom demands. Stor-a-File’s clients also include medical companies whose data may have been exposed in the breach. Stor-a-File informed the police and the ICO and sent breach notifications to its clients as part of its anti-phishing measures.

The enterprise said that the attack only affected its clients and customers; all data stored in its offline servers (which comprise the primary section of its data) remains unaffected. Fortunately, the outdated version of SolarWinds’ Serv-U FTP server software and the third-party access has been removed. The organization is adopting phishing prevention best practices to prevent such an incident from happening again.


Ransomware Hits Nationwide Laboratory Services

Florida-based Nationwide Laboratory Services recently underwent a data breach that exposed the personal health information (PHI) of over 33,437 patients. A ransomware attack was detected in the laboratory‘s network on 19th May, which brought down its network and encrypted its content. In addition to hacking into their systems, the adversaries also deleted some files from Nationwide’s servers. The details compromised in the incident include patients’ names, test results, DOBs, medical record numbers, health insurance details, etc. The notice released by the lab also mentions that the social security numbers of a limited number of people were also exposed.

Fortunately, the attack did not impact all of Nationwide’s patients. So far, the lab has no evidence to prove that the data stolen in the attack was misused in any way. As part of its measures to ensure protection from phishing, the lab hired a third-party cybersecurity firm to investigate and get to the roots of the attack.

Nationwide also informed the Department of Health and Human Services for Civil Rights about the breach on 28th October. In its breach notification to patients, the lab provides them with phishing prevention best practices and asks them to monitor their financial account statements for any suspicious activity.


Hive Ransomware Attacks MediaMarkt

The Hive ransomware recently attacked the electronics retail giant MediaMarkt and demanded $240 million as a ransom for the decryption key. The attacker caused all MediaMarkt IT systems in the Netherlands and Germany to shut down. With over 1000 stores in 13 nations, MediaMarkt is quite a big retail name. The attack hit its network over the weekend, which compelled the store to shut down its IT systems to prevent the attack’s spread. The retail stores in the Netherlands underwent the highest impact.

While online shopping facilities were still functioning, the cash registers at the offline stores could not accept credit cards or give out payment receipts. This incident also disrupted the return procedure for orders as the staff could not access customers’ purchase history. MediaMarkt’s social media posts suggest that around 3100 servers were affected by the ransomware attack. As part of its phishing protection measures, the retail giant instructs its staff to refrain from using the encrypted systems and bring cash registers offline.

It is typical of ransomware gangs to demand an exorbitant amount initially, but they reduce the amount quite quickly, and as per reports, Hive too reduced the ransom amount. It is uncertain whether the encrypted data has also been stolen, but that is almost a given in Hive attacks.


UK’s Largest Fishing Store Angling Direct Undergoes Cyberattack

Angling Direct is the UK’s largest store selling fishing gear both in online and offline mode. Unfortunately, this fishing giant underwent a cyberattack over the weekend, directing its online customers to adult sites. In addition, its official Twitter account has also been compromised. It now directs visitors to a porn site and provides users with an email address to reach the adversaries for further details of the attack. The notorious threat actors behind the attack tweeted from Angling Direct stating that the organization had been sold to the adult site Pornhub.

As part of its phishing attack prevention measures, the enterprise has engaged third-party cybersecurity experts to investigate the breach and informed the concerned regulatory bodies. While the attackers have made no formal ransom demands, the attack looks like the work of an amateur adversary who is keen on driving attention. Either way, the loss to Angling Direct’s customers and its sales is irrevocable. The enterprise says that the personal or financial data of users remain unaffected. It apologized to all customers who were redirected to inappropriate sites because of this security breach and is strengthening its security infrastructure.