Information & Architecture Security Risk

Just to the Point

Breach of the week! Data Breach news from around the World


Week 1, May, 2022

NB65 published payment data: Earlier this month, Network Battalion 65 (NB65), an Anonymous-affiliated hacktivist group, claimed to have breached the Russian payment company Qiwi and published a list of credit card details including Card Verification Values (CVV). According to the claim, around 12.5 million credit card records and 30 million payment records were taken. The group asked the company to contact them and, when it did not, published the card numbers online. The group also claimed to have infected the database with a ransomware kit. The company, however, has denied any breach of this volume.

The first protection against hacktivists is vigilance on the response side. On any suspicion of compromise, affected devices should be quarantined and investigated for further infection. Prudent disaster recovery is also necessary to avoid a catastrophic impact on the business. This is a classic all-hands-on-deck situation in which business continuity, corporate communications, IT, legal and insurance should work together, and extortionists should be sidestepped by contacting the relevant authorities to have any data deemed critical taken down.


Week 4, April 2022

  • Cloudflare blocked a 15 million request-per-second HTTPS DDoS attack: On 27th April 2022, Cloudflare published details of one of the largest HTTPS DDoS attacks on record, peaking at 15.3 million requests per second (rps). The attack was launched from roughly 6,000 unique bots in 112 countries and targeted a crypto platform. For comparison, the largest Layer 3/4 attack reported at the time was 3.47 terabits per second (Tbps), mitigated by Microsoft Azure; that one was meant to inundate the network layer. As we move up the Open Systems Interconnection (OSI) layers, attacks become more expensive both for the attacker to mount and for the defender to mitigate.


Again, the largest Layer 7 attack at the time of writing this post was 17.2 million HTTP requests per second (rps). This one was smaller but it was HTTPS (the ‘S’ stands for secure), which makes it notable: every request costs the attacker a TLS handshake, and TLS prevents deep packet inspection of the payload unless the defender terminates TLS first, which it must do before it can write a rule and block the malicious requests. Sophisticated DDoS attacks are becoming more mainstream and more expensive for both parties to conduct and remediate.


Layer 7 DDoS calls for a detailed mitigation strategy. A Web Application Firewall (WAF) provides some protection but can be overwhelmed when the attacker has far more resources than the origin. The best option is a cloud-based DDoS protection service in front of the application that identifies and drops the unsolicited traffic and passes only clean traffic to the origin.


Tags: #Layer7DDoSAttack #HTTPSDDoS


Week 3, April 2022

  • GitHub repository abuse using stolen credentials: Mike Hanley, Chief Security Officer of GitHub, published a report on a targeted attack against organizations using stolen OAuth user tokens issued to two third-party integrators, Heroku and Travis CI. The compromised tokens were used to download code repositories and other sensitive information.

Supply chain security has become essential to protecting an organization's trade secrets. Strong processes and procedures for assessing the security posture of partner organizations, and for scoping and revoking the tokens they hold, are critical to strategic success and business viability.


Tags: #OAuth #GitHub #Heroku #Travis


Week 2, April 2022

  • Researchers revealed a crypto-mining attack on AWS Lambda: In a first of its kind, AWS Lambda, the ephemeral compute service of Amazon Web Services (AWS), was shown to be susceptible to crypto-mining by the Denonia malware. Denonia is a Go-based wrapper designed to deploy a customised XMRig (a high-performance, open-source miner) onto compromised AWS resources for financial gain. It is believed that leaked AWS access and secret keys led to the compromise, which left the account owner with a bill of $45,000.


Crypto-mining (cryptojacking) is the latest famous, or infamous, trick used by cyber criminals for financial gain. Securing access to the AWS environment, keeping access keys out of source code and rotating them, and setting billing alarms are critical to protecting against large cloud bills.


Tags: #Cryptojacking #Denonia


Week 1, April 2022

  • Cyber security incident forced a wind turbine manufacturer to halt IT systems: Nordex Group, the Hamburg-based German manufacturer of wind turbines, reported a cyber security incident and decided to shut down IT systems across multiple locations and business units. Nordex is one of the leading integrated, global manufacturers of onshore wind turbine systems; in 2020 the company generated sales of around EUR 4.65 billion with approximately 8,500 employees. In a press release on April 2nd 2022 the Group said it had taken proactive measures to contain the infection and that wind farm communication systems had been switched to manual.


Critical infrastructure companies are becoming high-profile victims of cyber-attacks. Supervisory control and data acquisition (SCADA) and other ICT-based systems are vulnerable to new cyber threats which can have a detrimental effect on a nation's energy security. A holistic approach is required, from software and hardware sourcing to the end of the lifecycle of Industrial Control System / Operational Technology (ICS/OT) systems.


Tags: #NordexGroup #SCADA


Week 4, March 2022

  • Politically motivated attack on Russian critical infrastructure: Cyber professionals are always on edge protecting sensitive business information. Recently, a politically motivated attack against the R&D unit of Transneft, the Russian state-controlled pipeline transport company, exposed confidential email communication.


An Anonymous-affiliated threat actor published 79 GB of data on the Distributed Denial of Secrets (DDoSecrets) website. The leaked information contains emails from OMEGA Company, the R&D department of Transneft. Protecting data against politically motivated threat actors has always been difficult. Transneft is the largest oil pipeline company in the world: it operates over 70,000 kilometres (43,000 mi) of trunk pipelines and transports about 80% of the oil and 30% of the oil products produced in Russia.


Most emails are encrypted in transit but stored in clear text. A strong authentication mechanism is required to ensure only authorised users have access to the mailboxes. A Secure Email Gateway (SEG) and an email encryption solution protect important communication and also address threat vectors such as Business Email Compromise (BEC). Enabling Perfect Forward Secrecy (PFS) on the transport has its own benefits, but note that it only protects captured network traffic against later key compromise; it does nothing for a mailbox that is copied out of the mail server at rest.


Tags: #DenialofSecrets #PipelineAttack #Transneft


Week 3, March 2022

  • Distributed Reflective Denial-of-Service (DRDoS) with an amplification ratio of 4,294,967,296:1: Earlier this month, a research consortium including Akamai SIRT, Cloudflare, Lumen Black Lotus Labs, Mitel, NETSCOUT ASERT, Team Cymru, TELUS and The Shadowserver Foundation identified vulnerability CVE-2022-26143, dubbed TP240PhoneHome, in the TP-240 driver shipped with Mitel MiCollab and MiVoice Business Express collaboration systems. The vulnerability was exploited in the wild against incorrectly provisioned Private Branch Exchange (PBX)-to-internet gateways with the driver's test mode exposed to the internet.


While reviewing DDoS attacks earlier this year, researchers observed malicious traffic on User Datagram Protocol (UDP) port 10074. Further investigation revealed a driver in the Mitel system that was developed to stress-test status update packets and that, from a single spoofed command packet, can theoretically produce 4,294,967,294 packets over a 14-hour period, each up to 1,184 bytes.


Reflection/amplification DDoS attacks thrive on vulnerable features exposed on the internet and other connected systems. Vendors must make “safe by default” the baseline, and network providers should have anti-spoofing (source address validation, BCP 38) in place, since reflection only works when the attacker can spoof the victim's address. For now, provisioning a DDoS mitigation solution can mitigate such attacks, and operators should check their own flow data for hosts that answer small UDP requests with huge responses. The onus is on close research collaboration like this one to identify the root cause and mitigate the vulnerability.
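The check suggested above, as an added example that is not code from the research consortium or from Mitel: it reads NetFlow-style UDP flow records (constructed here as CSV), sums bytes in each direction per (our host, our port, peer), and reports pairs where our host sends vastly more than it receives. The address space 192.0.2.0/24 standing in for “our hosts”, the CSV layout and the flow values are assumptions; the spoofed source on the inbound flow is, by construction, the real victim.

```python
"""Spot reflection/amplification abuse in UDP flow records (added example)."""
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumption: our externally reachable address space.
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Service ports known to be abused as reflectors; 10074 is the TP-240 test
# facility described above, the others are long-standing reflector ports.
REFLECTOR_PORTS = {10074: "Mitel TP-240", 11211: "memcached", 123: "NTP",
                   53: "DNS", 1900: "SSDP", 161: "SNMP"}


def _ours(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_NETS)


def amplification_report(flow_csv: str, min_ratio: float = 10.0,
                         min_packets: int = 1000) -> List[dict]:
    """Aggregate UDP bytes per (our host, our port, peer) in each direction and
    report pairs where our host sends >= min_ratio times what it receives."""
    bytes_in: Dict[Tuple[str, int, str], int] = defaultdict(int)
    bytes_out: Dict[Tuple[str, int, str], int] = defaultdict(int)
    packets_out: Dict[Tuple[str, int, str], int] = defaultdict(int)
    for rec in csv.DictReader(io.StringIO(flow_csv)):
        if rec["proto"].lower() != "udp":
            continue
        src, dst = rec["src"], rec["dst"]
        if _ours(dst) and not _ours(src):          # peer -> our service port
            key = (dst, int(rec["dport"]), src)
            bytes_in[key] += int(rec["bytes"])
        elif _ours(src) and not _ours(dst):        # our service port -> peer
            key = (src, int(rec["sport"]), dst)
            bytes_out[key] += int(rec["bytes"])
            packets_out[key] += int(rec["packets"])
    report = []
    for key, out in bytes_out.items():
        inb = bytes_in.get(key, 0)
        ratio = out / inb if inb else float("inf")   # no request at all is worst case
        if ratio >= min_ratio and packets_out[key] >= min_packets:
            host, port, peer = key
            report.append({"reflector": host, "port": port,
                           "service": REFLECTOR_PORTS.get(port, "unknown"),
                           "victim": peer, "bytes_in": inb, "bytes_out": out,
                           "packets_out": packets_out[key], "ratio": ratio})
    report.sort(key=lambda r: r["ratio"], reverse=True)
    return report


# Constructed flow export: one spoofed 64-byte request to the TP-240 test port
# answered by 2.5 million packets of 1,184 bytes; a normal DNS exchange; and TCP.
SAMPLE_FLOWS = """\
src,sport,dst,dport,proto,packets,bytes
198.51.100.77,53211,192.0.2.10,10074,udp,1,64
192.0.2.10,10074,198.51.100.77,53211,udp,2500000,2960000000
203.0.113.5,40000,192.0.2.20,53,udp,1,70
192.0.2.20,53,203.0.113.5,40000,udp,1,120
203.0.113.9,51000,192.0.2.30,443,tcp,12,2400
192.0.2.30,443,203.0.113.9,51000,tcp,14,9800
"""

if __name__ == "__main__":
    for r in amplification_report(SAMPLE_FLOWS):
        print(f"{r['reflector']}:{r['port']} ({r['service']}) -> {r['victim']}: "
              f"{r['packets_out']} pkts out, amplification {r['ratio']:.0f}:1")
```

The DNS pair is not reported because its ratio (120/64 bytes, one packet) is ordinary; the TP-240 pair is, and the victim address is the one that appears as the spoofed source of the inbound packet.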


Tags: #DRDoS #CVE-2022-26143 #DDoSResearch


Week 2, March 2022

  • 2.5 million requests per second (Mrps) DDoS attack: Imperva, a security solutions vendor, published a post declaring that it had recently deterred a devastating Layer 7 DDoS attack. The campaign started with an extortion email to senior management, after which the threat actor immediately launched a DDoS attack to demonstrate its capability; the attack lasted about 10 minutes with a peak of 2.5 million requests per second.


Layer 7 DDoS attacks differ from Layer 3/4 volumetric attacks: each request is small and looks legitimate, and the damage comes from exhausting the application rather than the link. Businesses and organizations should have a dedicated Layer 7 DDoS protection solution; Akamai, Cloudflare and Imperva are key players in the market. Layer 7 mitigation requires terminating TLS and inspecting the requests themselves, so that malformed or abusive requests are dropped and only clean requests are sent to the server.
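The per-client request control that a Layer 7 mitigation service applies behind its TLS termination (the point made here and in the Cloudflare HTTPS item above), as an added example that is not Imperva's or Cloudflare's code: a token-bucket limiter that escalates from allowing to challenging to blocking, replayed over a constructed event list. Keying on the source IP alone is an assumption for the example; a real deployment also keys on TLS fingerprint, session cookie or ASN, because botnet traffic is spread over many addresses.

```python
"""Application-layer rate limiting with escalation (added example)."""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple


class L7RateLimiter:
    """Token bucket per client: `rate` tokens/s refill, `burst` maximum.

    Decisions escalate: a request with no tokens left gets "challenge" (JS
    challenge, captcha or a slow-down response), and a client that keeps
    pushing without ever letting its bucket refill is "block"ed outright
    until it has been idle long enough for the bucket to fill again.
    """

    def __init__(self, rate: float, burst: float, block_after: int):
        self.rate = rate
        self.burst = burst
        self.block_after = block_after
        self._tokens: Dict[str, float] = {}
        self._last: Dict[str, float] = {}
        self._rejections: Dict[str, int] = defaultdict(int)

    def decide(self, client: str, now: float) -> str:
        tokens = self._tokens.get(client, self.burst)
        last = self._last.get(client, now)
        tokens = min(self.burst, tokens + (now - last) * self.rate)   # refill
        self._last[client] = now
        if tokens >= self.burst:                 # idle long enough: forgive past abuse
            self._rejections[client] = 0
        if self._rejections[client] >= self.block_after:
            self._tokens[client] = tokens
            return "block"
        if tokens >= 1.0:
            self._tokens[client] = tokens - 1.0
            return "allow"
        self._tokens[client] = tokens
        self._rejections[client] += 1
        return "challenge" if self._rejections[client] < self.block_after else "block"


def replay(limiter: L7RateLimiter, events: List[Tuple[float, str]]) -> Dict[str, Counter]:
    """Feed (timestamp, client) request events in time order; return per-client decision counts."""
    outcome: Dict[str, Counter] = defaultdict(Counter)
    for ts, client in sorted(events):
        outcome[client][limiter.decide(client, ts)] += 1
    return outcome


def sample_events() -> List[Tuple[float, str]]:
    """Constructed traffic: one browser at 2 req/s for 10 s, one bot at 200 req/s for 1 s."""
    browser = [(0.5 * i, "203.0.113.5") for i in range(20)]
    bot = [(0.005 * i, "198.51.100.7") for i in range(200)]
    return browser + bot


if __name__ == "__main__":
    limiter = L7RateLimiter(rate=10, burst=20, block_after=50)
    for client, counts in replay(limiter, sample_events()).items():
        print(client, dict(counts))
```

With a 10 req/s rate and a burst of 20, the browser is never touched, while the bot burns its burst, is challenged 49 times, is blocked for the rest of its flood and is forgiven only after it has been quiet for the two seconds it takes the bucket to refill.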


Tags: #Layer7DDoS #2.5millionrequestspersecond


Week 1, March 2022

  • Toyota stops production due to a supply chain attack: On March 1st 2022, Toyota published a press release on its website highlighting a supply-chain attack which resulted in the halting of its domestic plants in Japan. The attack caused a direct operational loss and the lost production of about 13,000 vehicles for that day.


Kojima Industries, a critical supplier of plastic parts and electronic components, reported a ransomware attack which Toyota described as a "supplier system failure”. Supply chain security is a matter of great concern, and organizations must have processes in place to ensure minimal disruption from such attacks. Business continuity plans should address supply chain scenarios, and procurement and compliance should ensure that vendors provide assurance of their cyber hygiene.


Tags: #Toyota #Supply-Chain-Attack #Kojima


Week 4, February 2022

  • Nvidia attacked by Lapsus$: On February 28th 2022, DEV-0537, a.k.a. Lapsus$, claimed to have exfiltrated 1 TB of data from chip manufacturer Nvidia and threatened the company with a list of demands and a ransom. The group posted in its Telegram channel that it had access to sensitive files and blueprints of a new GPU planned for release soon. Nvidia said in response that it was investigating the incident, but denied any ransomware infection of its systems.


Data exfiltration and extortion groups are becoming more common, and this requires organizations to maintain the highest level of security. Trade secrets and proprietary resources must be protected on a strict need-to-know basis, with access limited to authorised individuals. Further, MFA strengthens the security posture, with the caveat that this group in particular is known for MFA-fatigue prompting and social engineering of help desks, so MFA must be paired with user awareness and phishing-resistant methods where possible.


Tags: #Nvidia #Lapsus$ #DataLeak


Week 3, February 2022

  • BGP hijacking to embezzle cryptocurrency: The Internet's routing depends on the Border Gateway Protocol (BGP) and Autonomous Systems (ASes) to steer traffic in the right direction. Think of the Domain Name System (DNS) as the address book, BGP as the road map and an AS Number (ASN) as the post office. To send data from point A to point B, the sender first resolves the name to an IP address through DNS, and then the packets are routed according to BGP, which relies on the IP space (prefixes) announced by the ASes. But what if an AS in the middle starts announcing IP ranges that belong to someone else? This can happen: it is difficult to execute without being noticed, and such hijacks typically last only a few hours.


In one interesting incident, malicious actors used this technique against KLAYswap, an automated market maker (AMM) swap protocol that allows users to swap any KCT (Klaytn Compatible Token) cryptocurrency. The attacker announced the IP space hosting developers.kakao.com, so traffic for that hostname was routed to a malicious server which served a tampered copy of KakaoTalk's JavaScript Software Development Kit (SDK). The tampered SDK planted code in the victim's browser; whenever an asset transfer was detected, such as a swap, deposit or withdrawal, that code redirected the funds to the threat actor's account, resulting in the theft of about $1.9 million. KLAYswap said it would compensate the victims and improve its security.


BGP security is critical for the Internet, and the Internet Engineering Task Force (IETF) has published RFC 8205 (BGPsec), which cryptographically validates the AS path of BGP updates; in practice, the more widely deployed first step is RPKI-based route origin validation (RFC 6811), which lets a router reject an announcement whose origin AS is not authorised for that prefix. Business owners should also track suspicious network traffic in their zone, including failed requests, and monitor their own prefixes for unexpected origins.
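Route origin validation as described above, as an added example that is not code from KLAYswap, Kakao or any router vendor: each announcement is checked against the set of Route Origin Authorisations (ROAs), yielding valid, invalid (the hijack case: a covering ROA exists but the origin AS or prefix length does not match) or not-found (no ROA, so unprotected). The ROAs and announcements use documentation prefixes and private ASNs and are constructed; a real validator would load ROAs from the RPKI repositories over RTR.

```python
"""RPKI route origin validation (RFC 6811) over BGP announcements (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorisation: `asn` may originate `prefix` and any
    more-specific prefix down to `max_length`."""
    prefix: str
    max_length: int
    asn: int

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix, strict=True)


def rov_state(announced: str, origin_asn: int, roas: List[ROA]) -> str:
    """Return "valid", "invalid" or "not-found" for one announcement."""
    net = ipaddress.ip_network(announced, strict=True)
    covering = [r for r in roas
                if r.network.version == net.version and net.subnet_of(r.network)]
    if not covering:
        return "not-found"
    if any(r.asn == origin_asn and net.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"


def origin_as(as_path: str) -> int:
    """The origin AS is the last element of AS_PATH (AS_SETs are not handled here)."""
    return int(as_path.split()[-1])


def classify_updates(updates: List[str], roas: List[ROA]) -> List[Tuple[str, int, str]]:
    """`updates` lines look like 'prefix|as_path', e.g. '203.0.113.0/24|64496 64500'."""
    out = []
    for line in updates:
        prefix, path = line.split("|", 1)
        asn = origin_as(path)
        out.append((prefix, asn, rov_state(prefix, asn, roas)))
    return out


def sample_roas() -> List[ROA]:
    # Constructed ROAs: AS64500 owns 203.0.113.0/24 (no more-specifics) and 2001:db8::/32 down to /48.
    return [ROA("203.0.113.0/24", 24, 64500), ROA("2001:db8::/32", 48, 64500)]


# Constructed announcements seen by a router.
SAMPLE_UPDATES = [
    "203.0.113.0/24|64496 64500",   # legitimate origin
    "203.0.113.0/25|64496 64500",   # right AS, but more specific than the ROA allows
    "203.0.113.0/24|64496 64666",   # wrong origin AS: the hijack case
    "198.51.100.0/24|64496 64500",  # no ROA published: unprotected
    "2001:db8:1::/48|64496 64500",  # IPv6, within max-length
]

if __name__ == "__main__":
    for prefix, asn, state in classify_updates(SAMPLE_UPDATES, sample_roas()):
        print(f"{prefix:20} origin AS{asn:<6} {state}")
```

A router configured to drop "invalid" routes would have refused the hijacked announcement, but only if the legitimate holder had published a ROA in the first place; the "not-found" line shows the gap that unsigned prefixes leave.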


Tags: #BGPHijack #ASN #CryptoHeist


Week 2, February 2022

  • Spear phishing against European diplomats: ESET, a security vendor that provides threat intelligence to many companies, disclosed a spear-phishing campaign against EU diplomats. ESET described convincing new lures in which the victims, diplomats in this case, were sent emails mimicking genuine ones. ESET attributed the campaign to APT29, also known as Cozy Bear or The Dukes.


Tags: #SpearPhishing #EU #Diplomats


Week 1, February 2022


The most important incident recovery step is to be prepared before such attacks occur. Business continuity teams should maintain contingency plans for ransomware attacks. Tested, offline backups reduce the downtime caused by such attacks and keep the interruption to services to a minimum.


Tags: #Ransomware #Swissport


Week 4, January 2022

  • Belarusian Railway servers compromised by a hacktivist group: On January 24th 2022, the Belarusian Cyber-Partisans claimed to have compromised Belarusian Railways' systems. The group demanded the release of 50 political prisoners most in need of medical assistance, and that Russian troops be denied access to the territory of Belarus. The hacktivists said they had not meddled with critical safety systems that could endanger ordinary citizens.


Hacktivism is a critical threat, usually from politically motivated groups. Critical infrastructure organizations must maintain strong cyber hygiene and processes to avoid compromise of their systems.


Tags: #BelarusianRailways #Hacktivist


  • DDoS attack on nobelprize.org: On 21st January 2022, the Nobel Foundation disclosed a distributed denial of service (DDoS) attack on its websites during Nobel Day, 10 December 2021, when the award ceremonies were live-streamed from Oslo and Stockholm. The Foundation said it had been prepared to look after the websites. Below is the excerpt from the website:

  • “During the Nobel Day, 10 December 2021, the official Nobel Prize websites were subjected to a cyberattack that has now been reported to the police by the Nobel Foundation and the Norwegian Nobel Institute. The attack was averted and did not affect website users' experience or the dissemination of content.”

DDoS is an active attack and can also be used as a smokescreen for something else, such as data exfiltration. It is the most common type of cyber-attack affecting service availability for end users. Redundancy, a Content Delivery Network (CDN) or scrubbing centre, and null or blackhole routing of the attacked prefix (which sacrifices the target to protect everything else) can provide immediate protection against such attacks.


Tags: #DDoS


Week 3, January 2022

  • Reconnaissance attack against renewable energy companies: On 16th January 2022, the OSINT researcher @BushidoToken published details of a likely information-gathering campaign against Industrial Control System / Operational Technology (ICS/OT) companies. The assessment was that the threat actor was specifically targeting ICS/OT infrastructure in Bulgaria, such as the Kardzhali Hydroelectric Power Station, as well as well-known vendors such as Schneider Electric, Honeywell, the Chinese telecommunications giant Huawei, the semiconductor manufacturer HiSilicon, Telekom Romania, and US universities such as the University of Wisconsin.


Espionage against critical infrastructure is not new, but over the last decade adversaries have been exploiting ICS/OT infrastructure to disrupt public services and create havoc. Such industries are usually ill prepared for cyber threats. Critical infrastructure companies realised the importance of cyber security after the Colonial Pipeline attack and the reputational loss that followed.


Employee awareness plays an important role in thwarting these attacks. CISOs and department heads should communicate regularly with staff so that they protect themselves against reconnaissance attempts and report such incidents to the responsible team. One useful metric is to track the REPORT RATE against the CLICK RATE of simulated phishing emails: the click rate alone tells you who was fooled, while the report rate tells you whether staff are actively defending.


Tags: #ICSHack #CriticalInfrastructure #OSINT


Week 2, January 2022

  • Ransomware attack, a real-life threat: On January 5th 2022, ransomware infected the computer systems of Bernalillo County in New Mexico, USA. This forced the county's detention centre into a temporary lockdown, since the infection affected the automatic door mechanisms, and visitors' entry was suspended because the facility cameras could not be accessed from the infected computers. The county responded by taking infected systems offline and containing the infection. The county's official website announced that the infection had been removed and the systems brought back online on 7th January 2022.


The most common vectors for ransomware to gain a foothold in an environment are phishing and the exploitation of software vulnerabilities. Governments and institutions of critical importance should keep patches up to date and keep tested backups of their data to avoid such situations.


Tags: #Ransomware #BernalilloCounty


Week 1, January 2022

  • Account takeover attack by the Powerful Greek Army: Greece has a long history of invasions, especially by the Persians (modern-day Iran). To fight the persistent threat of invasion, Sparta and Athens joined forces to create the world's best army for a common purpose. To this day, Greeks are praised for their valour and perseverance. And, I believe, this is what motivates the Powerful Greek Army (PGA) group.


This fascinating history lesson helps us infer the group's motivation. Its past actions, such as compromising accounts of the Ministry of Foreign Affairs of North Macedonia, the National Bank of North Macedonia, the Nigerian Ministries of Foreign Affairs and Finance, the Bank of Nigeria and the Azerbaijani Ministry of Defence, point to the hacktivist nature of the group.


Among these high-profile hacks, on 2nd January 2022 PGA compromised the Twitter handle @nasapk of Parimal Kopardekar, Director of the NASA Aeronautics Research Institute (NARI) and inventor of Unmanned Aircraft Systems Traffic Management (UTM). The group indicated that it has custom exploit code to take over accounts.


Nevertheless, many such attacks are well planned and start from assessing old breaches that may reveal clear-text or cracked passwords. Users should not reuse passwords across sites and should change any password that appears in a known breach, but that discipline is hard to maintain. The best practice is to have 2FA in place; Twitter provides a mechanism for any user to enable 2FA and protect themselves against account takeover.


Tags: #PowerfulGreekArmy #ParimalKopardekar #TwitterAccountTakeover



Week 4 December 2021

  • Credential stuffing attack on LastPass: Have you ever thought about losing your master password in a breach of the password manager that stores all your passwords and the keys to every application in the organisation? Daunting, right! On 28th December 2021, LastPass, a password manager, confirmed a credential stuffing attack. Every such attack needs a launchpad: the attacker replays username and password pairs exposed in past breaches against the login endpoint, hoping that some users reused them. But remember, such an attempt does not mean a confirmed breach.


My advice to everyone is to try to remember their passwords. Privileged access management tools should be used to rotate passwords regularly, and multi-factor authentication must be in place to protect yourself against such attacks. On the service side, a burst of failed logins against many different accounts from one source is the signature to alert on.
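The service-side signal just mentioned, as an added example that is not LastPass's detection logic: it parses constructed authentication log lines, keeps a sliding window per source IP, and flags a source once it has tried many distinct accounts with almost all failures (one password against many users), which a single user mistyping their own password does not trigger. Any successful login from a flagged source afterwards is listed as a probable account takeover. The log line format is an assumption; map your own IdP or proxy fields onto `parse_line`.

```python
"""Credential-stuffing detection over authentication logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed log format: '<iso-timestamp> auth src=<ip> user=<name> result=ok|fail'
LINE = re.compile(r"^(?P<ts>\S+) auth src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def parse_line(line: str) -> Optional[dict]:
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_stuffing(lines: List[str], window: timedelta = timedelta(minutes=5),
                    min_users: int = 5, min_fail_ratio: float = 0.8) -> Dict[str, dict]:
    """Flag a source IP once it has tried >= min_users distinct accounts inside
    `window` with a failure ratio >= min_fail_ratio; afterwards, record any
    successful login from that source as a probable compromised account."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings: Dict[str, dict] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        recent: deque = deque()
        for ev in events:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:     # drop events outside the window
                recent.popleft()
            if ip not in findings:
                users = {e["user"] for e in recent}
                fails = sum(e["result"] == "fail" for e in recent)
                if len(users) >= min_users and fails / len(recent) >= min_fail_ratio:
                    findings[ip] = {"flagged_at": ev["ts"], "attempts": len(recent),
                                    "distinct_users": len(users), "compromised": []}
            if ip in findings and ev["result"] == "ok":
                findings[ip]["compromised"].append(ev["user"])
    return findings


# Constructed sample: alice mistypes twice; 198.51.100.23 sprays eight accounts
# and gets into grace's; a shared office NAT logs in three different users.
SAMPLE_LOG = """\
2021-12-28T10:00:00 auth src=203.0.113.5 user=alice result=fail
2021-12-28T10:00:07 auth src=203.0.113.5 user=alice result=fail
2021-12-28T10:00:15 auth src=203.0.113.5 user=alice result=ok
2021-12-28T10:00:00 auth src=198.51.100.23 user=alice result=fail
2021-12-28T10:00:01 auth src=198.51.100.23 user=bob result=fail
2021-12-28T10:00:02 auth src=198.51.100.23 user=carol result=fail
2021-12-28T10:00:03 auth src=198.51.100.23 user=dave result=fail
2021-12-28T10:00:04 auth src=198.51.100.23 user=erin result=fail
2021-12-28T10:00:05 auth src=198.51.100.23 user=frank result=fail
2021-12-28T10:00:06 auth src=198.51.100.23 user=grace result=ok
2021-12-28T10:00:07 auth src=198.51.100.23 user=heidi result=fail
2021-12-28T10:01:00 auth src=203.0.113.77 user=ivan result=ok
2021-12-28T10:01:30 auth src=203.0.113.77 user=judy result=ok
2021-12-28T10:02:00 auth src=203.0.113.77 user=mallory result=fail
""".splitlines()

if __name__ == "__main__":
    for ip, f in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {f['distinct_users']} users in {f['attempts']} attempts by "
              f"{f['flagged_at'].isoformat()}; compromised={f['compromised']}")
```

The thresholds are the interesting knobs: lowering `min_users` to 3 still does not flag the office NAT, because its failure ratio is low, which is what separates stuffing from ordinary shared-address traffic.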

  • Belgian Defence Ministry confirms breach: On December 20th 2021, the Belgian Defence Ministry confirmed a system compromise resulting from exploitation of the recently disclosed Log4j vulnerability. The exact details of the breach and its impact were not confirmed by the ministry; it did say that the exploited systems had been contained and were being monitored for further infection.


Log4j is a widely used logging library for Java applications, an Apache open-source project developed by developers for developers. CISA (the US Cybersecurity and Infrastructure Security Agency, home of US-CERT) and Apache have published detailed guidance to protect systems from immediate compromise. The most important steps are to identify the exposed assets and patch them, and to update detection rules (YARA, WAF and log-scanning signatures) so that exploit attempts, which arrive as a JNDI lookup string in any logged field, are flagged and blocked.


Week 3 December 2021

  • Surveillance of the airline sector: Last week, I wrote about the surveillance campaign against multiple telecom providers. On 15th December 2021, IBM Security X-Force published yet another surveillance campaign, by ITG17, a.k.a. MuddyWater, a suspected Iranian nation-state group. X-Force highlighted that the backdoor had been deployed as far back as 2019. The perpetrators built PowerShell scripts and the entire command and control (C2) setup on the Slack messaging Application Programming Interface (API) for sending instructions and exfiltrating data. The attackers used a free Slack workspace throughout the attack lifecycle and went undetected because the traffic blended in with legitimate Slack use.


Attackers continue to use inexpensive but effective strategies to evade detection and establish a foothold in the target organisation. That brings us to the important controls: allow only legitimate actions on endpoints, enable multi-factor authentication for collaboration tools, restrict which SaaS tenants can be reached from the corporate network, and enable PowerShell script block logging and monitor it for anomalous activity. This creates a lot of noise in the monitoring tools, but it is still valuable in protecting against such attacks!

  • Gumtree exposed sellers' information on its platform: Pen Test Partners highlighted a case of sheer negligence at Gumtree, a free classified ads site operating in the UK. The website was built such that anyone could simply view the page's HTML source to obtain the Personally Identifiable Information (PII) of sellers on the platform: the seller's full name, postcode and GPS coordinates were exposed on the internet.


Such incidents can easily be avoided by a peer review policy and governance of published code, and by returning to the browser only the fields the page actually needs rather than the whole seller record. Sellers publishing ads should also not allow websites to track their location unless it is absolutely required for the service.


Week 2 December 2021


  • Mass surveillance of telecom companies: On 14th December 2021, Symantec's Threat Hunter Team published details of a covert operation by Iran's Seedworm hacking group. The tactics, techniques and procedures (TTPs) indicated that the group used a Living off the Land (LotL) strategy, relying on existing tools to gain access to the victims' environments, maintain persistence and keep a minimal footprint. Organisations in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand and Laos were targeted in the campaign. The actual objective of the group is unknown, but it seems they wanted access to sensitive telecom systems for surveillance.


Nation states hire organised criminal and covert operation groups to snoop on their adversaries, and the private sector has few resources to match such well-funded groups. In general, it is advised to follow the need-to-know principle to avoid giving employees excess access, and to deploy some flavour of Endpoint or Extended Detection and Response (EDR/XDR), forensic tooling, User and Entity Behaviour Analytics (UEBA) and a well-tuned Security Information and Event Management (SIEM) solution to detect such attacks.


  • Indian Prime Minister's Twitter account suffered an Account Takeover (ATO) attack: On 12th December 2021, Narendra Modi's Twitter account was compromised for a short period. The perpetrator gained access to the verified profile of the head of the world's largest democracy (@narendramodi) to spread false claims for financial gain. At the time of the post, PM Narendra Modi had 78 million followers. The malicious tweet was taken down and the account was secured immediately. This is not the first time ATO attacks on the social media platform have been noticed; many other celebrities and VVIPs have been victims in the past.


ATO is a type of identity theft in which the perpetrator has a direct incentive to spend time and resources cracking or stealing user credentials. The first major step in avoiding such attacks is to have a strong password and Multi-Factor Authentication (MFA) in place. From the platform side, Twitter must provide additional security features to ensure strong security for verified profiles.


Week 1, December 2021

  • Homerun extortion: This week, Homerun, a human resources portal provider, was breached, resulting in loss of information. Homerun was acting on behalf of its clients for recruitment-related activities and collected the standard sensitive personal information from applicants.

Based on the email sent by one of its clients, DEGIRO B.V., “A criminal hacker gained access to data stored at Homerun via a vulnerability in their IT environment. It concerns personal data such as name, address, date of birth, phone number, email address, as well as application data including stored attachments such as application letters, resumes, testimonials and certificates.


What happened to the data?

The perpetrator or perpetrators extorted Homerun. In return for payment of a large sum of money, they would delete the copied data. Homerun agreed and paid the amount. The perpetrators then assured Homerun that they had deleted the data.”


Interestingly, in the email DEGIRO, one of Europe's fastest growing online brokers, quoted Pim Takkenberg, General Manager of Northwave: “This is the core of their business model. We have never seen in comparable cases that a cybercriminal still passed on the stolen data after payment”, to give users a sense of assurance about the safety of their data.

Loss of this information may result in future identity theft and can be used as a vector for another attack. GDPR requires organisations to inform affected users and penalises those found to be in violation of the mandate. I believe personal information must be handled with the utmost care: data should be redacted and encrypted wherever required, access should be appropriately controlled and, most importantly, the ransom should not be paid, since a criminal's promise to delete the data cannot be verified.

  • BitMart heist: BitMart, a cryptocurrency exchange with a market share of 1.07% and liquidity worth USD 770 million (at the time of writing this post), was breached on 4th December 2021, the exchange revealed in a press release. The incident resulted in a financial loss of about USD 200 million and a loss of reputation. The breach occurred through compromise of the private keys of BitMart's hot wallets. As a precaution, the exchange suspended withdrawals to prevent further exposure.

The press release indicates that BitMart is reimbursing its customers' losses from its own funds. It was recently reported that BitMart is in talks to raise USD 20 million at a valuation of about USD 300 million, so, in a sense, the owners of the exchange need to give back two thirds (2/3) of its valuation.


Securing private keys is crucial to protecting against such attacks. NIST's FIPS PUB 140 (currently FIPS 140-3) states the security requirements for cryptographic modules; hot-wallet signing keys belong in a validated hardware module, with withdrawal limits and multi-party approval on large transfers, rather than in a file on a server.



Week 4, November 2021


  • Competitor threat to a cryptocurrency exchange: Vitaliy Bodnar, founder of BTC-Alpha, blamed a competitor for a ransomware attack in a press release this week. BTC-Alpha, a multi-asset crypto trading platform, was attacked on November 1st 2021, the day of the company's 5-year anniversary. According to Bodnar, the attack resulted in the exposure of user password hashes, though no financial loss to users was reported. LockBit, an organised ransomware group, claimed responsibility for the attack and demanded 100 bitcoins by 1st December 2021. The attackers claimed to have obtained email addresses, passwords, names, addresses, dates of birth and passport details of 362,000 BTC-Alpha users.


With light regulation of cryptocurrency trading platforms, attackers take advantage of weaker security practices at exchanges, and the resulting loss of reputation can drive users to other platforms, creating liquidity risk for the exchange. Companies should protect the credential store as a crown-jewel asset and have enhanced monitoring in place to detect and respond to attacks. Password hashes should be computed with a slow, salted algorithm (Argon2id, scrypt or bcrypt) plus an additional server-side secret, a “pepper”, kept outside the database, so that a dump of the user table alone is not enough to recover passwords; systems should be segregated to limit the blast radius of a compromise.
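The salted and peppered password storage described above, as an added example that is not BTC-Alpha's code: the password is first HMACed with the pepper, then run through a slow salted derivation, and the stored row carries only the salt and the derived key. The `offline_guess` function plays the attacker holding a leaked row and shows that, without the pepper, a wordlist containing the correct password still fails. `PEPPER_DEMO` is a constant only so the example runs offline (in production it lives in a KMS/HSM or secrets store, never next to the table), and PBKDF2-HMAC-SHA256 is used because it is in the standard library; Argon2id or scrypt are preferable when available.

```python
"""Salted + peppered password storage, and what a leaked row is worth (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

PEPPER_DEMO = b"demo-pepper-do-not-ship"   # assumption: stands in for a KMS-held secret
ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000               # OWASP 2023 guidance for PBKDF2-HMAC-SHA256


def _prehash(password: str, pepper: Optional[bytes]) -> bytes:
    """HMAC the password with the pepper first; without the pepper the
    derived key cannot be reproduced from the database dump alone."""
    pw = password.encode("utf-8")
    return hmac.new(pepper, pw, hashlib.sha256).digest() if pepper else pw


def hash_password(password: str, pepper: Optional[bytes],
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return the row to store: algorithm$iterations$salt$derived_key (all base64)."""
    salt = os.urandom(16)                  # per-user random salt, stored with the hash
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password: str, stored: str, pepper: Optional[bytes]) -> bool:
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != ALGO:
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, int(iters))
    return hmac.compare_digest(dk, expected)   # constant-time comparison


def offline_guess(stored: str, candidates: Iterable[str],
                  pepper: Optional[bytes]) -> Optional[str]:
    """What an attacker holding the leaked row can do: try a wordlist against
    the salt+hash. With the pepper missing, even the right password fails."""
    for candidate in candidates:
        if verify_password(candidate, stored, pepper):
            return candidate
    return None


if __name__ == "__main__":
    row = hash_password("correct horse battery staple", PEPPER_DEMO)
    wordlist = ["123456", "password", "correct horse battery staple"]
    print("login ok:", verify_password("correct horse battery staple", row, PEPPER_DEMO))
    print("cracked with dump only:", offline_guess(row, wordlist, pepper=None))
    print("cracked with dump + pepper:", offline_guess(row, wordlist, pepper=PEPPER_DEMO))
```

The salt defeats precomputed tables and forces one derivation per guess per user; the pepper is what turns a leaked table into something the attacker cannot attack at all unless the secrets store is breached too.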


  • WSpot customer data exposed: Misconfigured AWS S3 buckets led to the exposure of sensitive personal information of close to 2.5 million users. Brazil's WiFi management software provider WSpot was informed by the SafetyDetectives research team on 7th September 2021 about the exposed data, which included 226K files totalling 10 GB of SMS logs and guest reports that could have been abused by perpetrators.


Security misconfiguration is in the OWASP Top 10 2021 list. This exposure could have been avoided by proactive monitoring of the cloud infrastructure (in AWS, by enabling S3 Block Public Access at the account level and alerting on any bucket policy or ACL that grants access to everyone) and by ensuring no data is exposed to unintended recipients.
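The bucket-level check mentioned above, as an added example that is not code from WSpot or SafetyDetectives: an offline audit of a bucket policy and ACL for grants to everyone, run here over constructed documents shaped like the output of `aws s3api get-bucket-policy` and `get-bucket-acl`. The bucket name, account ID, role name and VPC endpoint ID are placeholders; a public principal narrowed by a Condition is reported separately for review rather than as an open bucket.

```python
"""Offline audit of an S3 bucket policy and ACL for public exposure (added example)."""
import json
from typing import List

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """'*' or {"AWS": "*"} (also inside a list) means the statement applies to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_bucket_policy(policy_json: str) -> List[str]:
    findings = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        actions = ", ".join(_as_list(st.get("Action", [])))
        cond = st.get("Condition")
        if cond:
            # Conditions such as aws:SourceVpce or aws:SourceIp narrow a public
            # principal; worth a look, but not an open bucket by themselves.
            findings.append(f"statement {i}: Allow to everyone for {actions}, "
                            f"limited by Condition {sorted(cond)}")
        else:
            findings.append(f"statement {i}: PUBLIC Allow for {actions} on {st.get('Resource')}")
    return findings


def audit_bucket_acl(acl_json: str) -> List[str]:
    findings = []
    for grant in json.loads(acl_json).get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant.get('Permission')} to {PUBLIC_GROUPS[uri]}")
    return findings


# Constructed documents with placeholder identifiers.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-guest-logs/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-guest-logs",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/guest-portal-api"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-guest-logs/*"},
    ],
})

OPEN_ACL = json.dumps({"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]})

if __name__ == "__main__":
    for finding in audit_bucket_policy(OPEN_POLICY) + audit_bucket_acl(OPEN_ACL):
        print("FINDING:", finding)
    print("fixed policy findings:", audit_bucket_policy(FIXED_POLICY))
```

The corrected policy names the one IAM role that needs the bucket; pairing it with S3 Block Public Access means a later mistake in a policy or ACL is refused by the service rather than caught after the data is already public.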


Week 3, November 2021

  • Vestas: Vestas Wind Systems A/S, one of the world's largest wind turbine manufacturers, was affected by a cyber security incident on 19th November 2021. The company confirmed the incident in a press release on 20th November 2021, reporting that part of its internal IT infrastructure was impacted and that data had been compromised. As a precaution, Vestas shut down some of its IT systems to contain further damage. The detailed cause of the breach has still not been publicly revealed by the company.


Data from the research company BloombergNEF (BNEF) indicates that Vestas is the third largest wind turbine manufacturer in the world, with a market share of 12.40%. With the push for green energy and the binding Paris Agreement between 196 parties (countries) to limit global warming to well below 2, preferably 1.5, degrees Celsius, such cyber incidents may have a detrimental impact on the worldwide fight against climate change and may limit Operational Technology / Industrial Control System (OT/ICS) suppliers' ability to initiate or complete projects on time.


The OT/ICS industry is transforming, with more systems connected to the internet for efficiency and ease of use, and such incidents show that securing internal IT systems is equally important. NIST has published SP 800-82, a guide dedicated to ICS security. Furthermore, data should be regularly backed up, encrypted, redacted and tokenised according to a risk-based approach to minimise the reputational, operational and financial risk to the organization.

  • Smoke-and-mirrors attack on WordPress sites: Last week, several WordPress site owners were tricked with a fake ransomware note on their websites. The attacker asked for a ransom of 0.1 bitcoin to "fix" the compromised site. The owner of one of the sites hired Sucuri (Ben Martin) to assist with the remediation. It was then identified that a fake ransom note had been appended to the site to make WordPress site owners believe their site had been encrypted.


Sucuri identified that the perpetrator had abused editor rights granted to the wp-admin (WordPress admin) user within the Directorist plugin, logged in with admin privileges and replaced the landing page with the fake ransomware note. It was suspected that the perpetrator had acquired passwords from the dark web and used them inventively to make owners believe their WordPress site had been compromised. The affected site was restored simply by removing the malicious HTML and republishing. Such attacks are easily avoided by provisioning appropriate rights to users and services, enabling two-factor authentication and, last but not least, backing up your database.


Week 2, November 2021

  • Robinhood data breach exposed PII: On 8th November 2021, the disruptive trading platform Robinhood disclosed in a blog post a security breach that exposed the Personally Identifiable Information of millions of its users. The compromised information includes a list of email addresses for approximately five (5) million people and full names for a different group of approximately two million people, as well as the full address, name and date of birth of a separate, smaller subset of users.

Such breaches serve as a launch pad for subsequent attacks, such as identity theft and Business Email Compromise (BEC), for nefarious gain. For immediate protection, the platform should provide identity theft protection to affected users, ensure all access to its database is protected, redact, tokenise or encrypt data wherever possible, and improve its security posture across the organisation.

  • DDoS on Telnyx: The Chicago-based VoIP service provider, with annual revenue of $74 million, was DDoSed twice on 11th November. The company disclosed the incident in its blog post. The attack impacted the API, voice, messaging and wireless services for end users. As remediation for the volumetric attack, malicious traffic was tunnelled through the Cloudflare CDN.

Some time back, Cloudflare successfully thwarted a 2 Tbps attack. DDoS attacks are the most common type of attack impacting service availability for end users. Redundancy, CDN/scrubbing centres, null or blackhole routing, etc., can provide immediate protection against such attacks.


Week 1, November 2021


  • Community Medical Centers, Inc: The healthcare information of 656,047 individuals was compromised in an incident; the breach was discovered on 10th October 2021. The reason for the breach was recorded as External System Breach (Hacking). Information acquired by the attackers includes name or other personal identifier in combination with Social Security Number. The medical centre notified customers about the breach on November 2nd.

A breach of healthcare information can have a detrimental impact. Such breaches can be avoided if critical systems are hardened with the latest patches, supported by identity and access management hygiene, two-factor authentication and response capabilities to identify any lateral movement inside the organisation's network.


  • Ransomware attack on MediaMarkt: A ransomware attack encrypted critical business files of Europe's number one retailer, MediaMarkt, with annual revenue of €21.5 billion. The ransom note demanded $240 million, later decreased to $50 million, and the perpetrators asked for the ransom to be paid in cryptocurrency.



Week 4, October 2021

  • Cyber Attack on Eberspaecher: Another manufacturing giant was impacted by a cyber-attack. The company website displayed the message below, providing little information on the attack.


“Eberspächer Group was the target of an organized cyberattack. The IT infrastructure is affected. To protect our customers, employees and partners, the necessary steps were taken immediately to counter the attack with targeted measures.

Our team is working at full speed with external cybersecurity specialists and data forensics experts to eliminate the threat and restore normal operations. The relevant investigative authorities have been called in.”


Amid the current supply shortage in the automotive market, the attack created more friction in the global supply chain.

  • Data Security Breach at Centara Hotels & Resorts: The multinational hotel and resort chain Centara disclosed unauthorised access to its customer information. The exposed information contains email IDs, booking information, phone numbers, addresses, and first and last names. Such incidents act as a conduit for follow-up attacks such as password spraying and social engineering.


Week 3, October 2021

  • Chicago’s Ferrara Candy Co: Close to the holiday season, the USA’s biggest candy manufacturer, Ferrara Candy Co, with $3 billion in annual revenue, was impacted by a ransomware attack. The attack was first detected between 8th and 9th October; however, the company disclosed the details on 22nd October. Amid the global supply crunch, the attack has potentially impacted the production and distribution supply chain. Manufacturing and supply chain businesses are more susceptible to such attacks given their lack of security hygiene, vulnerabilities in legacy applications and propensity to pay the ransom to avoid negative publicity. This type of attack can be mitigated by preventive security controls and, if impacted, by restoring from backups.

  • Misconfigured Elastic server at IGBlade exposed 2.6 million TikTok users: Leaving S3 buckets open exposed the personal details of millions of TikTok users. IGBlade provides in-depth insights on any Instagram or TikTok account to its clients, giving brands market positioning and helping them target the right audience. The data was exposed for more than a month before SafetyDetectives identified the incident. Exposed data includes full names, usernames, profile pictures (stored as screenshots or photo links), email addresses, phone numbers and location data.

Week 2, October 2021

  • Largest (2.4 Tbps) DDoS attack: Microsoft mitigated the largest DDoS attack ever seen on its Azure cloud computing infrastructure. The software juggernaut published details on its website of this attack, which occurred in August this year and targeted its European customers.

  • Ecuador's largest bank, Banco Pichincha, breached: The bank, with around $10 billion in assets, was breached last weekend; the breach occurred on Saturday. However, the bank published an official statement about the hack on 11th October. The attack disrupted operations and took the ATM network and online banking portal offline. So far, Banco Pichincha has not revealed details of this breach.

Week 1, October 2021

  • Twitch Data Leak: Video game streaming company Twitch confirmed a data breach early this week in October. According to the company, sensitive data was exposed to the internet due to an error in a Twitch server configuration change and was subsequently accessed by a malicious third party.

  • Oregon Eye Specialists Data Incident: The eye specialist chain, with a presence in 6 locations in the US, confirmed a data breach. Compromised data includes date of birth, date of service, medical record number, financial account information, and/or health insurance provider name/policy number. Management confirmed the accounts were accessed between June 29, 2021 and August 31, 2021.