In today’s constantly evolving threat landscape, attackers are always on the lookout for the next opportunity to obtain valuable personal data, making everyone vulnerable to phishing attacks regardless of their industry or sector. In this week’s update, we bring you the latest news stories related to phishing and data breaches.
Saks Fifth Avenue Claims Mock Data Stolen in Clop Ransomware Attack
Saks Fifth Avenue, a well-known luxury retail brand, was targeted by the notorious Clop ransomware gang.
Clop added Saks Fifth Avenue as a victim on its dark web leak site as part of its ongoing campaign against organizations running vulnerable GoAnywhere MFT servers. Saks has stated that no real customer data was affected by the breach but has not said whether employee or corporate data was involved.
The organization was founded by Andrew Saks in 1867 and is headquartered in New York. Saks is considered one of the top luxury brand retailers in Canada, the Middle East, and the US, which makes this attack a significant one that could affect thousands.
The Clop ransomware gang exploited CVE-2023-0669, a remote code execution (RCE) flaw, to gain access to unpatched GoAnywhere MFT servers. The vulnerability has already resulted in multiple data breaches, and Clop claims to have breached over 130 organizations worldwide in just ten days by exploiting it.
Fortra, the developer behind GoAnywhere MFT, urges customers worldwide to apply the latest patches. Another significant victim of Clop’s GoAnywhere attacks is Hitachi Energy.
NBA Notifies Fans of Data Breach Exposing Personal Information
The NBA (National Basketball Association) has announced that an unauthorized threat actor may have accessed its users’ confidential data.
The stolen data that the threat actors had access to included names and email addresses that were supposedly “held” by a third-party service provider. NBA shared the event details and highlighted that none of the organization’s systems were breached, and the credentials of its fans were not affected.
Since the stolen data is sensitive, the NBA has warned that the exposure could open affected individuals up to phishing attacks and scams, which is why they need to stay vigilant. The NBA sent a notice to all affected fans, urging them to be wary of unsolicited or suspicious email messages that appear to come from the NBA or its partners. It is important for them to remain alert and employ phishing protection measures to prevent further harm.
NBA has encouraged its fans to verify the emails sent to them and check all embedded links in the emails before clicking on them. NBA has hired external cybersecurity experts and is working with third-party service providers to uncover the incident.
The NBA is broadcast around the world in over 50 languages and 200 countries. The organization has stated that individuals should look out for emails requesting information and report them, as the NBA would never ask for or exchange its fans’ account information in this manner.
Latitude Cyberattack Results in Data Theft at Two Service Providers
There has been a significant cyberattack on one of the largest credit lenders in Australia. Threat actors breached Latitude’s internal systems and made away with over 300,000 customer records.
Latitude is an Australian financial institution that provides credit, loan, and finance services to Australian customers. The threat actor breached its internal systems using stolen employee credentials.
Once inside, the threat actor accessed two of Latitude’s service providers and stole nearly 103,000 documents from one and over 225,000 customer records from the other. Whether the data held by the two providers overlapped is a question Latitude has not yet answered. However, the organization has urged its customers to stay protected against follow-on attacks such as spear phishing and social engineering.
There is no immediate plan of action that Latitude customers need to follow as the organization has shut down multiple systems and is working to contain the breach. It is recommended that individuals avoid unsolicited emails and invest in anti-phishing measures to protect themselves.
Rubrik Confirms Data Theft in GoAnywhere Zero-Day Attack
Rubrik has confirmed that it, too, was a victim of the Clop ransomware gang, which stole data by exploiting the GoAnywhere MFT vulnerability.
The organization has said that customer data was not accessed during the breach. Michael Mestrovich, the organization’s CISO (Chief Information Security Officer), issued a statement outlining that the threat actors used a zero-day vulnerability in the Fortra GoAnywhere secure file transfer platform for initial access to one of the organization’s non-production IT testing environments.
Rubrik is investigating the incident and has hired third-party forensic experts to handle the data breach. Michael also highlighted that the threat actors were unsuccessful in breaching the organization’s internal systems and that Rubrik has taken its testing environment offline to prevent further intrusions.
Meanwhile, the Clop ransomware gang claimed responsibility for the attack by adding Rubrik’s name to its data leak site and sharing samples of the stolen files, warning that it would release the data to the public soon. The stolen data includes the names, email addresses, and geographical locations of Rubrik’s employees.
Dole Discloses Employee Data Breach Following Ransomware Attack
The Dole food enterprise confirmed that threat actors accessed the personal information of multiple employees following a ransomware attack in February this year.
The organization discovered the attack, notified law enforcement, and took multiple steps to contain it, hiring third-party cybersecurity experts to aid the investigation. Dole disclosed that its operations were minimally impacted. However, Dole’s customers reported product shortages and delays that lasted nearly seven days, prompting Dole’s crisis management protocol, the “Manual Backup Program.”
Dole highlighted that it would take time to investigate the data breach but has assured its customers that it is doing everything to minimize the impact.
Since the breach’s impact is not yet known, customers can expect further disruptions in the operations going forward.
Breached Hacking Forum Closes Amid Safety Concerns About FBI
Breached, one of the most notorious hacking and data leak forums, is shutting down. The only remaining admin of the forum, Baphomet, has disclosed that they believe the site’s servers are under the eye of law enforcement agencies.
Breached had an entire community around it, attracting data extortionists, ransomware gangs, security researchers, and more. Breached was the successor of RaidForums, another data leak website seized by the FBI (Federal Bureau of Investigation) in April last year after its founder was arrested in the UK.
Baphomet has decided to shut down the Breached forum and informed community members that they are free to move to any channel they choose for future activities. The Breached Telegram channel will remain open for some time, with Baphomet outlining that they would continue to maintain a digital presence and would look into building something new.
As more and more threat actors are arrested, and malicious forums are closed, threat actors have been using Telegram as their primary channel, with the application becoming a hotbed of criminal activity. However, cybercriminals running scared is definitely good news.
Free Decryptor Released for Conti-Based Ransomware “MeowCorp”
Kaspersky has released a new decryption tool for a version of the Conti ransomware that could help a significant number of victims recover lost files.
The tool works with a strain built from the Conti source code leaked in March last year. Kaspersky’s researchers found a cache of 258 private keys released by the threat actors and highlighted that the modified Conti strain was used to encrypt 257 victims, 14 of whom gave in to the ransom demands.
However, now that Kaspersky has created the decryption tool, things will be much easier for the victims whose data was accessed and encrypted. Kaspersky said that the decryptor could recover the files and added the decryption code and the 258 keys to its RakhniDecryptor.
Kaspersky’s achievement will surely bring relief to innocent individuals after Conti’s attack. Conti ransomware was one of the most lucrative and active RaaS (Ransomware as a Service) models for nearly three years and targeted massive organizations worldwide before its fall in 2022.
RAT Creator Captured for Spreading Malware to 10,000 PCs
Ukraine’s cybercrime division detained the developer behind a RAT (Remote Access Trojan) malware that infected over 10,000 computers. The threat actor behind the RAT disguised the malware as a gaming application.
The police released an official announcement, highlighting that the 25-year-old developer behind the RAT crafted malicious software that caused harm to innocent individuals worldwide. At the time of the arrest, the threat actor had access to the real-time activity of nearly 600 infected systems, allowing the threat actor to exfiltrate information, capture screens, and access the connected devices and cameras.
The threat actor used the collected data to gain access to these individuals’ accounts. However, whether the threat actor stole assets such as crypto holdings or bank deposits remains unclear.
Ukrainian police confiscated the threat actor’s equipment. The developer now faces charges under Article 361 of Ukraine’s criminal code, which carries a penalty of up to 15 years in prison.