Data breaches have become a frequent occurrence, affecting organizations of all sizes across various industries. With the vast amount of personal and sensitive information stored online, the consequences of a data breach can be devastating for both individuals and businesses. This weekly article will bring you the latest news on data breaches, including the companies and organizations affected, the causes, and the potential impact on individuals.


Roaming Mantis Infecting Victims With Mobile Malware That Targets Wi-Fi Routers’ DNS Settings

Researchers observed threat actors linked to the Roaming Mantis campaign delivering an updated version of their Wroba mobile malware that infiltrates Wi-Fi routers and performs Domain Name System (DNS) hijacking. Kaspersky analyzed the malware and said the criminals designed the feature to target specific Wi-Fi routers in South Korea.

Roaming Mantis, also called Shaoye, is an ongoing financially motivated operation that targets Android smartphone users with malware that steals bank account credentials and harvests other sensitive information. The group initially targeted Asian countries starting in 2018; in early 2022, researchers noticed it had expanded its victim range to France and Germany by disguising the malware as a Google Chrome application.

The recent attacks use smishing (SMS phishing) messages as the initial vector to deliver a malicious URL that either installs a malicious APK or redirects targets to phishing pages, depending on the operating system of the mobile device.


Cybersecurity Experts Shut Down a Massive Ad Fraud Scheme Targeting 11 Million Phones

The cybersecurity experts at HUMAN Security Inc. recently announced that they took down an organized, large-scale, and sophisticated ad fraud operation dubbed VASTFLUX. HUMAN Security is the world’s leading firm providing advanced defenses against digital attacks. Earlier, the firm reported on other large-scale schemes involving Android and iOS devices, such as Scylla, PARETO, Methbot, and 3ve.

How did they discover the Ad Fraud?

VASTFLUX combines two terms reflecting its functionality. VAST refers to the Digital Video Ad Serving Template that hackers exploited in this operation. Furthermore, Flux refers to the Fast Flux concept, an evasion tactic used by threat actors.

HUMAN’s Satori team discovered the operation while investigating an iOS application heavily affected by an app-spoofing attack. The researchers found a highly sophisticated scheme in which the threat actors exploited the limited signal availability in the targeted environment (including iOS in-app advertising), which restricts what verification partners can observe.

The scheme later evolved to spoof bids from one platform so they appeared to come from another, making the cross-platform attack difficult to detect. HUMAN researchers worked with their partners to gain further insight into the fraud’s traffic volumes and the verification tags used in the ads.


Hackers Cripple Costa Rica’s MOPT (Ministry of Public Works and Transport) in a Ransomware Attack

Costa Rica’s government recently suffered another ransomware attack, months after cybercriminals crippled several ministries in wide-ranging Conti ransomware attacks. On Tuesday, Costa Rica’s MOPT (Ministry of Public Works and Transport) issued a statement saying 12 of its servers had been encrypted. As a result, all of MOPT’s systems were taken offline, and the government informed the Ministry of Science, Innovation, Technology, and Telecommunications and the National Security Directorate.

The government has not commented further on the incident beyond saying that it has requested support from international organizations. Driving tests are being conducted in person, and license issuance services are being resumed.


Ransomware Gang Steals Data From Pizza Hut, Taco Bell, And KFC Brand Owner

Yum! Brands, the brand operator of Pizza Hut, Taco Bell, The Habit Burger Grill, and KFC fast-food restaurant chains, was recently targeted by a ransomware attack forcing the closure of 300 restaurant locations in the United Kingdom.

Yum! Brands operates over 53,000 restaurants across 155 countries, with a $1.3 billion yearly net profit and over $5 billion in total assets.

Yum! Brands issued a press statement, “Promptly after detecting the incident, we initiated response protocols, including enforcing containment measures like implementing enhanced monitoring technology and taking certain systems offline.”

Additionally, Yum! Brands notified federal law enforcement, engaged industry-leading forensics and cybersecurity professionals, and opened an investigation into the incident. The company says the affected UK restaurants have returned to normal operations and that it does not expect further disruption from the attack.

Ransomware actors typically steal data from breached networks to extort their victims. While Yum! Brands confirmed that the attackers stole data, it said there is no evidence that customer information was exposed.


T-Mobile Says Threat Actors Accessed Personal Information of 37 Million Customers

T-Mobile revealed in a financial filing recently that a hacker accessed a database containing information of 37 million customers.

The telecom giant said the threat actor began stealing data on November 25, including “name, email, phone number, billing address, date of birth, T-Mobile account number and information like plan features and the number of lines on the account.”

T-Mobile said in the SEC filing that it detected the breach over a month later, on January 5, and fixed the vulnerability that the hacker was exploiting within a day.

The cybercriminals, according to T-Mobile, did not breach any organizational system but abused an API (application programming interface). “The investigation is ongoing, but we fully contained the malicious activity, and there is no evidence that the threat actor breached or compromised our systems or network,” T-Mobile said.


PayPal Suffers a Large-Scale Credential Stuffing Attack

PayPal recently sent data breach notifications to users whose accounts were accessed through credential stuffing attacks, which may have exposed their personal data. In a credential stuffing attack, the attacker tries to log into a victim’s account using username and password pairs that are available on dark web sites, typically leaked from earlier breaches.

These attacks are automated: bots try lists of credentials, “stuffing” them into the login portals of numerous services. They succeed against users who reuse the same password across multiple accounts, a habit known as “password recycling.”

Close to 35,000 PayPal users were impacted.

PayPal explained that the attack took place between December 6 and December 8, 2022. The company detected and mitigated the attack and launched an internal investigation into how the attackers accessed the accounts. It concluded the investigation on December 20, 2022, confirming that unauthorized third parties had logged into the accounts using valid credentials.

According to the breach notification, 34,942 users were affected. During the two days, the attackers had access to account holders’ full names, Social Security numbers, dates of birth, postal addresses, and individual tax identification numbers.
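In authentication logs, credential stuffing looks like one source trying many different accounts in quick succession, which is what a defender looks for, whereas brute force hammers a single account. The following Python detection heuristic is an added example, not code from the article or from PayPal; the log format and sample entries are constructed, and the thresholds are assumptions to tune per site.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real PayPal data), one event
# per line: "<timestamp> <source_ip> <username> <result>".  One source
# cycles through many accounts within seconds (one recycled password still
# works); the other is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2022-12-06T10:00:01Z 203.0.113.7 alice FAIL
2022-12-06T10:00:02Z 203.0.113.7 bob FAIL
2022-12-06T10:00:02Z 203.0.113.7 carol FAIL
2022-12-06T10:00:03Z 203.0.113.7 dave FAIL
2022-12-06T10:00:03Z 203.0.113.7 erin SUCCESS
2022-12-06T10:00:04Z 203.0.113.7 frank FAIL
2022-12-06T10:05:00Z 198.51.100.9 grace FAIL
2022-12-06T10:05:10Z 198.51.100.9 grace SUCCESS
"""

def parse_log(text):
    """Parse log lines into (timestamp, ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events

def detect_stuffing(events, window=timedelta(minutes=5),
                    min_attempts=5, min_distinct_users=4):
    """Return {source_ip: set of accounts that logged in successfully} for
    sources whose pattern looks like credential stuffing: at least
    `min_attempts` logins inside `window` spread over at least
    `min_distinct_users` different usernames (one try per leaked pair).
    The successful accounts are the ones to force a reset on and notify."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            if len(span) >= min_attempts and len({e[2] for e in span}) >= min_distinct_users:
                flagged[ip] = {e[2] for e in evs if e[3] == "SUCCESS"}
                break
    return flagged
```

On the sample, `detect_stuffing(parse_log(SAMPLE_LOG))` flags 203.0.113.7 with the compromised account erin, while the single user retrying from 198.51.100.9 is left alone.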


Mailchimp Says it Got Hacked — Again

Email marketing and newsletter services provider Mailchimp says it got hacked, exposing dozens of customers’ data. It is the second time Mailchimp got hacked in the past six months, and the latest breach appears identical to the previous incident.

The Intuit-owned company said in a blog post that its security team discovered an intruder on January 11 with unauthorized access to one of its internal tools that Mailchimp uses for customer support and account administration.

Although the company did not say how long the attacker had access to its systems, it said the hacker targeted its contractors and employees with a social engineering attack. The cybercriminal then used the compromised employee passwords to gain access to data on 133 Mailchimp accounts, whose owners the company has notified about the intrusion.

One of the targeted accounts belongs to e-commerce giant WooCommerce. In a notice to its customers, WooCommerce said Mailchimp notified it of the breach a day later, and that the incident may have exposed its customers’ names, email addresses, and store web addresses.


Iranian Government Entities Targeted in a New Wave of BackdoorDiplomacy Attacks

Cybersecurity experts are linking the BackdoorDiplomacy threat actor to a new wave of attacks on Iranian government entities between July and late December 2022. Palo Alto Networks Unit 42, which tracks the group’s activity, said it observed Iranian government domains attempting to connect to malware infrastructure previously associated with the adversary.

Also known as APT15, KeChang, Vixen Panda, and NICKEL, the Chinese APT group has a long history of cyber espionage campaigns targeting government and diplomatic entities in North America, South America, the Middle East, and Africa since 2010.

In June 2021, Slovak cybersecurity firm ESET discovered that the hacking crew used a custom implant called Turian in intrusions against telecommunication companies and diplomatic entities in Africa and the Middle East. The researchers recently attributed to the threat actor an attack on an unnamed Middle Eastern telecom company using Quarian, a predecessor of Turian that gives the attackers a remote access point into the targeted networks.