August 9, 2022

Monthly Breach Report: August 2022 Edition

PKWARE

While cybersecurity attacks are certainly on the rise, the Ransomware Task Force has, interestingly enough, found that ransomware attacks specifically targeting public organizations like local governments, schools, and hospitals have begun to decrease in 2022. But that doesn’t mean it’s time for security teams to relax. Vigilance and preparation are key, as these organizations discovered the hard way.

California Gun Permit Applicants’ Personal Info Targeted

In late June, personal information on the California Department of Justice’s (DOJ) Firearms Dashboard Portal was exposed for public view. The information included the names and details of every applicant between 2012 and 2021 for a concealed carry weapons (CCW) permit. The DOJ has also advised that personal information from the following registries may have been exposed: Assault Weapon Registry, Dealer Record of Sale, Firearm Certification System, and Gun Violence Restraining Order dashboards.

The exposed data includes:

  • full name
  • date of birth
  • address
  • gender
  • race
  • CCW license number
  • California Information Index number (which is automatically generated during a fingerprint check)

The DOJ also admitted that other exposed information may include “driver’s license number and internal codes of the statutory reason that a person is prohibited from possessing a firearm.” The breach occurred after the relaunch of the state’s Firearms Dashboard Portal, but the DOJ asserts information was exposed for less than 24 hours. A team of forensic cyber experts has been tasked with finding out how the incident occurred. The DOJ has promised to contact each individual affected to explain what happened and offer monitoring services at no cost.

Hacker Brags Online about How to Breach IBM and Stanford University

In July, a hacker bragged in an online cybercrime forum about upcoming plans to hack both IBM and Stanford University. In the post, the person claimed they would use the open-source automation server platform Jenkins—a server-based system that automates parts of software development—to take over desktop computers in both organizations. The threat actor (TA) even detailed their modus operandi: The crime would be committed using clicks on online ads.

Artificial intelligence (AI) company CloudSEK discovered the threat using its digital risk platform XVigil. According to Infosecurity, CloudSEK reported that the TA had even posted a sample screenshot of their access to the Jenkins dashboard. Infosecurity noted that CloudSEK surmised that, after gaining access to the Jenkins dashboard, the hacker would have used search engines like Shodan to target port 9443 of the compromised company’s public assets and then used a private fuzzing script to find vulnerable instances and exploit a reverse-proxy (rproxy) misconfiguration bypass.

Experts at the AI company warned that the TA’s methods enable ransomware attacks and the criminals “move laterally, infecting the network, to maintain persistence and steal credentials.” It is not clear from news reports when the actual crimes were carried out or if any information was stolen.

Hacker Offers Personal Information of 1 Billion Chinese Citizens in One of the Largest Breaches in History

In a cybercrime that Reuters has called one of the biggest in history, a hacker claims to have stolen the personal information of over 1 billion people from the Shanghai National Police (SNP) in China. The criminal, identified as “ChinaDan,” posted a notice on BreachForums offering to sell the data for 10 bitcoin (estimated worth of $200,000). The hacker promised that the following information is available:

  • name
  • birthplace
  • address
  • national ID number
  • mobile phone number
  • any criminal case details on file with the SNP

The data includes criminal reports from as far back as 1995, according to the Washington Post. “ChinaDan” released a sample of the information available. Both the Wall Street Journal and the New York Times have verified that the leaked information is real after successfully calling the exposed phone numbers. Chinese authorities have not responded to requests for comment and have offered no details on the crime. CNN reports that its research revealed the data has been available for more than a year, which could be potentially devastating for victims identified in domestic and sexual abuse cases.

Marriott Hotels Breached for the Third Time Since 2018

In July, the hotel chain giant Marriott International confirmed a ransomware attempt by hackers. A Marriott spokesperson reported that the criminal used social engineering to pull off the heist: an employee of the BWI Airport Marriott in Baltimore was tricked into providing the threat actor (TA) with access to a networked computer. The access was limited to one day, according to Marriott. The criminal group that has claimed responsibility for the breach has reported that 20 gigabytes of data were compromised. The criminals, who remain anonymous, also stated to the media that the stolen data included credit card information and confidential information about guests and employees. Marriott asserted in an interview with CyberScoop that the stolen information is “non-sensitive internal business files regarding the operation of the property.”

The crime first came to public attention when the cybercriminals contacted the breach news site DataBreaches.net to report their crime. A reporter at the news site then contacted Marriott officials for confirmation. Marriott admitted that, yes, there was a breach, but it was not a significant one, and 300 to 400 individuals were going to be contacted about the crime. According to BleepingComputer, this is Marriott’s third hack since 2018.

Company Live Tweets a Cybercrime Being Committed Against It

In yet another cryptocurrency ransomware attack, hackers stole over $8 million worth of tokens from Crema Finance, a decentralized finance (DeFi) platform. The cybercriminals who carried out the attack identified themselves as “white hat hackers” and returned all but $1.68 million to the DeFi company. The money was stolen through a flash loan attack, which occurs when a hacker uses a fast, unsecured loan to target vulnerabilities in a project’s design. Crema Finance provided details via its Twitter account on how the hackers carried out the crime:

  1. The hacker created a fake tick account, a dedicated account that stores price tick data in a concentrated liquidity market maker (CLMM).
  2. After creating the fake tick account, the hacker circumvented Crema Finance’s routine owner check on the tick account by writing the initialized tick address of the pool into the fake account.
  3. The hacker then deployed a contract and used it to take a flash loan to add liquidity on Crema Finance and open positions.
  4. The hacker then swapped the stolen funds into 69,422.9 SOL and 6,497,738 USDCet via Jupiter. The USDCet was then bridged to the Ethereum network via Wormhole and swapped to 6,064 ETH via Uniswap.

What was unusual about Crema Finance’s handling of the crime is that the company made the hacker’s actions public in real time, sharing the hacker’s movements and exploits on the company Twitter account. While the crime was still in progress, Crema Finance offered the hacker $800,000 in exchange for the return of the stolen funds.

Do your part to keep your organization out of the data breach headlines with help from PKWARE. Find out how we can help you uncover every place your sensitive data lives and protect it the way you need it protected. Get a personalized demo now.
