November 10, 2022

Monthly Breach Report: November 2022 Edition


Despite growing awareness year over year of the dangers of cyber attacks and data breaches, the number of attacks has yet to decrease. Since organizations cannot change the number of attacks they are subjected to, the bigger challenge becomes responding quickly enough to mitigate any damage before it’s too late. Not every organization is successful, as these recent headlines show.

Mormon Church Network Breached in a State-Sponsored Attack

The Utah-based Church of Jesus Christ of Latter-day Saints (LDS Church) recently confirmed that on March 23, 2022, hackers gained access to its computer systems and stole the personal information of church members. Church officials claimed that US federal law enforcement authorities considered the incident to be a state-sponsored cyberattack, but did not name the suspected culprit. Anyone who created an online Church account or is an employee was affected by the breach. Members and employees were warned the stolen data included:

  • personal data, including home address and phone number
  • username
  • membership record number
  • gender
  • email address
  • birthdate
  • preferred language

The Church also noted that no donation history or banking information was accessed and that the seven-month delay in reporting the incident to members was due to the ongoing investigation by authorities. No specific “state actor” has been named as of press time. The LDS Church wasn’t necessarily a specific target of government or nation-state hackers, reports KSL News Radio: “The way these hacks work is that they are spreading a wide blanket to see if they can find any vulnerability to enter into.”


Chinese Espionage Hackers Infiltrate Government Agencies in Hong Kong

China-based espionage actor APT41 used malware to breach administrative government agencies in Hong Kong for up to one year. The attackers, often referred to as “Winnti,” used Spyder Loader, their own custom software. MaliciousLife reports Winnti’s infamous and prolific malware attacks are able to continue undetected for months because “the infection and deployment chain is long, complicated and interdependent—should one step go wrong, the entire chain collapses—making it somewhat vulnerable, yet at the same time provides an extra level of security and stealth for the operation.”

Researchers at Symantec report that although they could not identify the payload for the Spyder Loader malware on Hong Kong’s networks, in all likelihood the goal of Winnti was to collect intelligence and government secrets from the nation’s agencies. Spyder Loader resembles the related malware Winnti used in its infamous Operation Cuckoo Bees, which went undetected for years on the networks of major global manufacturers. That operation netted the attackers “thousands of gigabytes of intellectual property and sensitive proprietary data from dozens of companies,” reports Yahoo! News.

One of the main similarities among all of Winnti’s malware used for espionage is the ability to mask the payload on the victim’s network and evade detection, sometimes for years. Symantec has posted a list of indicators of compromise (IOCs) on Spyder Loader and related malware.


Microsoft Slams Threat Intelligence Firm for “Exaggerating” Severity of a Breach

In late September, SOCRadar, a threat intelligence firm, notified Microsoft of a leak in its network caused by a misconfigured server that was accessible from the internet. After being alerted to the issue, Microsoft downplayed the incident but acknowledged that the problem may have given “unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services.” Exposed information includes:

  • name
  • email address
  • email content
  • company name
  • phone number
  • files linked to business between affected customers and Microsoft or an authorized Microsoft partner; these files include Proof-of-Execution (PoE), Statement of Work (SoW) documents, product orders/offers, project details, and documents that may reveal intellectual property

SOCRadar analysts announced in a blog that the data was stored on a misconfigured Azure Blob Storage and that the issue extended beyond Microsoft. The company named the misconfiguration “BlueBleed” and stated that the misconfiguration “can be considered one of the most significant B2B leaks, affecting more than 65,000 entities in 111 countries with sensitive data inside a single Bucket.”

Microsoft has since slammed SOCRadar for blowing the breach out of proportion, stating that there is no indication that customer accounts or systems were compromised. Microsoft also issued a statement condemning SOCRadar for releasing a search tool that let organizations determine whether they were impacted by “BlueBleed.” Although SOCRadar shut down the search tool after Microsoft’s public complaints, the company stated that its actions were justified because they helped protect and secure sensitive data.


Thomson Reuters Leaks 3TB of Data through Misconfigured Servers

In September, researchers with Cybernews warned multi-media giant Thomson Reuters that at least three of its databases were exposed for anyone to access due to misconfigured servers. Among the information exposed was Reuters’ 3TB public-facing ElasticSearch database, containing data “worth millions of dollars on underground criminal forums because of the potential access it could give to other systems,” reported Cybernews. The data was exposed for several days, leaving information vulnerable to threat actors. In a public statement, Thomson Reuters clarified that two of the misconfigured servers were intended for public use. The ElasticSearch database, however, was not intended for public access and holds passwords for third-party servers. “This type of information would allow threat actors to gain an initial foothold in the systems used by companies working with Thomson Reuters,” said Mantas Sasnauskas, Head of Security Research at Cybernews. Sasnauskas told a Cybernews reporter that the database is indexed by the major search engines, providing “a large attack surface for malicious actors to exploit not only internal systems but a way for supply chain attacks to get through.”

Although Reuters has downplayed the event and claimed no sensitive data was exposed, Cybernews reported this is not necessarily true, warning that several issues could arise from the database exposure:

  • Sensitive screening and compliance data were leaked, which could expose entities that “would like their wrongdoing kept in the dark”
  • Exposed email addresses could be used for phishing attacks
  • Attackers could use non-public business email addresses to pose as Thomson Reuters employees and send fake invoices
  • Logs of Thomson Reuters’ clients’ structured query language (SQL) searches and results were exposed, including corporate and legal information

“Information stored on the server is extremely sensitive. Cases like these raise questions about corporate data collection practices,” said Sasnauskas in the Cybernews report.


Carding Criminal Group Offers 1.2M Stolen Credit Cards for Free

In early October, the dark web stolen credit card marketplace “BidenCash” offered 1,221,551 credit cards for free as part of a marketing campaign for its carding services. Carding criminals like BidenCash obtain credit card information through phishing and Magecart attacks, point-of-sale malware, and carding forums (where stolen credit card numbers are purchased). BidenCash announced the dump through several dark web sites. The stolen information includes:

  • card number
  • expiration date
  • CVV number
  • holder’s name
  • bank name
  • card type, status, and class
  • holder’s address, state, and ZIP
  • email address
  • Social Security number
  • phone number

BleepingComputer reporters reviewed the stolen data and noted that “not all the above details are available for all 1.2 million records, but most entries . . . contain over 70% of the data types.” The Italian cyber security firm D3Labs first discovered and reported the data dump. D3Labs researchers stated that about 30 percent of the credit card information is “fresh,” which means that at least 350,000 of the cards are still valid.


At PKWARE, we know we’re doing our job right when your data stays out of the hands of threat actors, and your company stays out of the headlines. Find out how we can help you find and protect all your data, no matter where it lives and moves. Request your free demo now.
