Ensuring phishing attack prevention is challenging when some form of cyberattack happens every minute. The global cybersecurity landscape is changing with more people becoming aware of cyber threats and doing their bit to ensure protection. But with every positive phishing protection measure that emerges, there is a similar (if not greater) growth in cyberattack vectors. Therefore, one must never stop looking up the latest attack schemes and upgrading their safety measures accordingly. In that capacity, here are the headlines of this week.

Ransomware Hits Inetum Group

One week ahead of the Christmas holiday, French IT services organization Inetum Group underwent a ransomware attack. As per the editor-in-chief of the French publication LeMagIt, the BlackCat ransomware gang is responsible for this attack. With branches in over 26 countries, Inetum serves companies across sectors like defense, aerospace, energy, banking, healthcare, automotive, retail, transportation, insurance, media, telecom and public sector. Though limited in intensity, the attack disrupted Inetum services across industries and regions.

Fortunately, the attack affected Inetum operations in a few locations in France and did not impact any large infrastructure, delivery services or collaboration tools used by the customers. Inetum’s incident response team quickly took phishing prevention measures such as isolating the infected system and blocking client VPN connections. Investigation revealed that the recent attack did not exploit the existing Log4j vulnerability. Inetum Group has informed the relevant authorities and hired an external cybersecurity expert to investigate the breach as part of its anti-phishing measures.


Albanian Government Database Leaks Employee Data

Albanian Prime Minister – Edi Rama extended an apology to citizens for the unintentional leak of a government database containing details of state and private employees. Though this seems more like an inside job rather than a move by unauthorized third parties, it has exposed a lot of data. As a consequence of this incident, the salary and employment data and identity cards of over 637,000 individuals were exposed via messaging apps.

While investigations into the breach continue, Edi Rama mentioned in a statement that this is most probably an internal move to create tension between citizens and the government. Whatever may be the motive, an exposure of citizens’ private data is never good news. The government should have been stricter with its measures for protection against phishing.


Data Breach Hits Monongalia Health System

Adversaries recently used an email phishing attack scheme to compromise the Monongalia Health System. Consequently, the several email accounts of the Stonewall Jackson Memorial Hospital enterprise and the Monongalia County General Hospital enterprise in West Virginia were under the attackers’ control between 10th May 2021 to 15th August 2021. These email accounts contained confidential data related to employees, patients, providers and contractors.

An external vendor discovered the breach on 28th July 2021. After the investigations were completed on 29th October, it was revealed that the adversaries had compromised the email account of a Mon Health contractor and used that account to ask for fraudulent wire transfers from the hospital.

As part of its measures for protection from phishing attacks, Mon Health secured the contractor’s account and reset the password. It also informed law enforcement and engaged third-party security experts to investigate the incident. Fortunately, the attack did not affect Mon Health’s other branches like Mon Health Marion Neighborhood Hospital and Mon Health Preston Memorial Hospital. The hospital has sent out breach notifications to all victims and set up a toll-free number to answer all their queries regarding the incident.


Ghana NSS Exposes Citizens’ Data

The National Service Secretariat (NSS), Ghana, recently left an AWS S3 bucket misconfigured, which exposed the confidential data of over 700,000 citizens. The 55GB NSS database was left misconfigured online and discovered only on 29th September.

The NSS is a program managing the public service criterion, which is mandatory for all Ghana-based graduates. While the NSS uses AWS to store many of its program files, not all of them were password-protected. The S3 bucket itself was left public, meaning anyone on the web could have accessed the files if they wished to.

The data compromised in this incident include citizens’ professional IDs,  passport photos, program membership cards, etc. NSS is doing everything in its capacity to restore the database now and is also coordinating with the CERT to ensure anti-phishing protection in the future.


Data Breach Hits Ubisoft’s Video Game Franchise Just Dance

The renowned video game franchise of Ubisoft – Just Dance was recently hit by a cyberattack where adversaries exploited a system misconfiguration to breach user data. The data exposed in the breach includes users’ profile IDS, GamerTags, device IDs and Just Dance videos shared online.

Investigations into the breach revealed that the attackers got in through a misconfiguration, patched soon after detecting the attack. So far, there is no evidence to believe that any Ubisoft account information has been affected by the breach. Ubisoft has advised all Just Dance users to activate 2FA and reset their account passwords to protect themselves from any potential phishing attempts.


NCA Provides 585 Million Compromised Passwords to HIBP

After the US Federal Bureau of Investigations, the UK National Crime Agency (NCA) is the second law enforcement body to share compromised passwords with Have I Been Pwned (HIBP). HIBP is a platform enabling users and organizations to check whether their phone numbers or email addresses have been compromised. Recently, NCA has shared over 585 million compromised passwords with Have I Been Pwned to add to its website’s “Pwned Passwords” section. The NCA reportedly found these passwords along with email addresses from a UK cloud storage facility account. While the NCA couldn’t trace back the passwords and email accounts to any particular platform, their retrieval from a cloud storage facility suggests that these credentials have been public for a long time.

HIBP creator Troy Hunt stated that among the 585 million passwords shared by NCA, 225 million were unique and new. At present, there are over 5.5 billion entries in the HIBP Pwned Passwords collection, and over 847 million of these are unique. To enable companies to plan their anti-phishing solutions better, HIBP allows users to free copies of all these passwords to compare and check whether their passwords have been compromised.


DeFi Platform Grim Finance Loses $30M to Cyberattack

Popular decentralized finance (DeFi) protocol Grim Finance recently underwent a cyberattack that caused a loss of $30 million from its platform deposits. Grim Finance calls it an advanced attack where adversaries exploited five re-entrancy loops in its vault contract, meaning that the attackers could fake five deposits while the first one was still being processed.

Grim has paused all vaults to prevent phishing attacks and requested users to withdraw their funds at the earliest. In addition, the platform has notified all involved entities like Dai (DAI), Circle (USDC) and AnySwap to block all fund transfers for the time being.


Sennheiser Leaves Misconfigured S3 Bucket Public

Another misconfigured Amazon Web Services S3 bucket was recently left unencrypted online by the audio equipment manufacturer – Sennheiser. Consequently, the personal information of over 28,000 customers was exposed. The bucket stored data collected between 2015 and 2018 and included customers’ names, contact numbers, email addresses, home addresses, organization names, employee strength etc. The data stored was approximately 55 GB in size and contained over 407,000 files.

Researchers say that Sennheiser was ignorant about the sensitive nature of the data stored in its S3 bucket and did not use adequate measures for protection from phishing. The exposed bucket was first discovered on 26th October, and Sennheiser locked the server soon after being notified.