Barrick Gold Breach Exposes Thousands of Social Security Numbers

Barrick Gold, the world’s second-largest gold mining company, is the latest victim of the MOVEit Transfer bug, revealing the sensitive details of thousands of individuals.

Barrick opened the new year by contacting individuals whose data may have been exposed during a data breach last year. According to the breach notification letter the company sent out to potential victims, Barrick was one of the many organizations affected by the MOVEit Transfer attacks. The company said that attackers roamed its MOVEit Transfer server from May 28th to June 2nd, 2023.

However, Barrick completed a review of the files involved in the attack on December 20th, which revealed that the files contained sensitive data of individuals as well as their Social Security numbers (SSNs). According to the company, 2,761 individuals were exposed in the attack.

Losing SSNs poses significant risks, as impersonators can use the stolen data in tandem with names and driver’s license numbers for identity theft.

While the recent breach notification, which Barrick submitted to the Maine Attorney General, doesn’t reveal whose data was exposed, an earlier submission to the Attorney General of Montana said sensitive consumer information may have been exposed in the attack.

Barrick Gold is an Ontario-headquartered mining company operating gold, copper, and other mines throughout the globe. The company registered revenues exceeding $11 billion in 2022.

Earlier this year, the Cl0p ransomware cartel exploited a zero-day bug in the MOVEit Transfer software, allowing attackers to access and download the stored data.

According to researchers, over 2,700 organizations – mainly in the US – and over 93 million individuals have been impacted by MOVEit attacks by the Russia-linked ransomware cartel.

Taking IBM’s estimate, which puts the cost of an average data breach at $165 per leaked record, the impact of Cl0p attacks would add up to a staggering $15.4 billion.

Source – https://cybernews.com/news/barrick-gold-breach-social-security-number/#google_vignette

Mandiant’s Twitter Account Restored After Six-Hour Crypto Scam Hack

American cybersecurity firm and Google Cloud subsidiary Mandiant had its X (formerly Twitter) account compromised for more than six hours by an unknown attacker to propagate a cryptocurrency scam. As of writing, the account has been restored on the social media platform.

It’s currently not clear how the account was breached. But the hacked Mandiant account was initially renamed to “@phantomsolw” to impersonate the Phantom crypto wallet service, according to MalwareHunterTeam and vx-underground.

Specifically, the scam posts from the account advertised an airdrop scam that urged users to click on a bogus link and earn free tokens, with follow-up messages asking Mandiant to “change password please” and “check bookmarks when you get account back.”

Mandiant, a leading threat intelligence firm, was acquired by Google in March 2022 for $5.4 billion. It is now part of Google Cloud.

When reached for comment, a Mandiant spokesperson said that it’s aware of the incident impacting the X account and that it has regained control over the account.

The development comes as it was revealed that cyber criminals are brute-forcing and hijacking verified Gold accounts on X and selling them on the dark web for up to $2,000 per account. Furthermore, threat actors have been observed to target dormant accounts associated with legitimate organizations to upgrade them to the Gold tier.

The compromised accounts are then used to post links to malicious domains, urge their followers to join random channels based on cryptocurrency, and propagate spam.

Information stealer malware has a centralized botnet network, where credentials from infected devices are harvested. These credentials are then further validated according to buyers’ requirements, such as individual or corporate accounts, number of followers, region-specific accounts, etc.

Source – https://thehackernews.com/2024/01/mandiants-twitter-account-restored.html

RIPE Account Hacking Leads to Major Internet Outage at Orange Spain

Orange Spain customers were unable to access the internet for several hours on January 3 as a result of a hacker attack that appears to have involved credentials stolen by malware.

The hacker took control of Orange Spain’s account with the RIPE Network Coordination Center (NCC). RIPE stands for Réseaux IP Européens, ‘European IP Networks’ in French. The RIPE NCC is the regional internet registry for Europe, the Middle East and parts of Central Asia, and it’s responsible for allocating and registering blocks of internet number resources to ISPs and other organizations.

The attacker, who uses the online moniker ‘Snow’, made some changes in Orange’s RIPE account, which led to a disruption in Border Gateway Protocol (BGP) routing and significant loss in traffic.

Some Orange customers complained about their internet connection being down for several hours on Wednesday.

Felipe Canizares of DMNTR Network Solutions, who described it as one of the most ingenious attacks on a major internet operator, has shared a technical description of the attack (written in Spanish) on X, formerly Twitter.

After announcing that they had gained access to Orange’s RIPE account, the hacker told the company to send a private message to get the new credentials, which Orange apparently did.

The hacker later clarified that no ransom was demanded and they did not plan on causing an outage. They claimed their goal was to “prevent an actual bad threat actor from finding the account and compromising it”.

It is believed that Orange Spain’s RIPE administrator account was compromised after an Orange employee had their computer infected with the Raccoon information stealer malware in September. The malware is believed to have stolen the credentials for the RIPE admin account from that employee’s device.

Orange Spain confirmed on X that its RIPE account had been hijacked, which affected some customers’ internet services, but said the impacted services had been restored. The company said no customer data was compromised.

Following the incident, the RIPE NCC issued a statement saying that an investigation has been launched.

“We have restored access to the legitimate account holder [ie Orange] and are working closely with them to ensure the integrity of the account. Our Information Security team is continuing to investigate whether any other accounts have been affected. Account holders who might be affected will be contacted directly by us,” the RIPE NCC said.

“We encourage account holders to please update their passwords and enable multi-factor authentication for their accounts,” it added.

Source – https://www.securityweek.com/ripe-account-hacking-leads-to-major-internet-outage-at-orange-spain/

Don’t Trust Links with Known Domains: BMW Affected by Redirect Vulnerability

Researchers uncovered a redirect vulnerability in two BMW subdomains that could be exploited to direct users to malicious websites.

This flaw, known as the SAP redirect vulnerability, affects BMW’s internal systems and could have been used for phishing or malware distribution. By manipulating URL parameters, attackers could create seemingly legitimate links that lead to harmful sites, enabling them to execute phishing attacks or prompt users to disclose sensitive information.

While not considered critical, this vulnerability provides attackers with opportunities to deceive employees or customers by sending seemingly legitimate links that could lead to malicious websites. This could potentially result in data breaches or the deployment of ransomware.

BMW emphasized its commitment to information security for employees, customers, and business partners. The company stated that no BMW Group-related systems were compromised due to this vulnerability, and no data was leaked or misused.

SAP redirect vulnerabilities, identified initially in 2012, remain a risk despite security updates. Attackers can exploit these vulnerabilities by manipulating URLs to redirect users to malicious sites while appearing trustworthy. To mitigate such risks, researchers recommended applying patches released by SAP, following secure coding practices, conducting regular security assessments, and updating security measures continuously.

Users were advised to be cautious of clicking links, even from seemingly legitimate domains, as attackers can still find ways to deliver malicious content.

Source – https://cybernews.com/security/bmw-affected-by-redirect-vulnerability-research/

Data Breach at Healthcare Tech Firm Impacts 4.5 Million Patients

HealthEC LLC, a provider of health management solutions, suffered a data breach that impacts close to 4.5 million individuals who received care through one of the company’s customers.

HealthEC provides a population health management (PHM) platform that healthcare organizations can use for data integration, analytics, care coordination, patient engagement, compliance, and reporting.

On December 22, the firm disclosed that it suffered a data breach between July 14 and 23, 2023, which resulted in unauthorized access to some of its systems.

An investigation of the incident concluded on October 24, 2023, and revealed that the intruder had stolen files from the breached systems hosting the following data types:

• Name
• Address
• Date of birth
• Social Security number
• Taxpayer Identification Number
• Medical Record number
• Medical information (diagnosis, diagnosis code, mental/physical condition, prescription information, and provider’s name and location)
• Health insurance information (beneficiary number, subscriber number, Medicaid/Medicare identification)
• Billing and claims information (patient account number, patient identification number, and treatment cost information)

“In general, individuals should remain vigilant against incidents of identity theft and fraud by reviewing account statements, explanation of benefits statements, and monitoring free credit reports for suspicious activity and to detect errors,” reads HealthEC’s notification.

The company recommends that “suspicious activity should be promptly reported to relevant parties including an insurance company, health care provider, and/or financial institution.”

At the time of the cyberattack, HealthEC didn’t specify how many people were impacted by the intrusion, but a submission to Maine’s Attorney General’s office that concerned just one of the firm’s clients, MD Valuecare, set the number of affected persons to 112,005.

A new listing that appeared earlier today on the breach portal of the U.S. Department of Health and Human Services shows the larger picture, informing that the total number of affected individuals is 4,452,782.

There are 17 healthcare service providers and state-level health systems that were impacted by the cyberattack on the HealthEC tech solutions provider.

Some major organizations listed in the notice include Corewell Health, HonorHealth, Beaumont ACO, State of Tennessee – Division of TennCare, the University Medical Center of Princeton Physicians’ Organization, and the Alliance for Integrated Care of New York.

Source – https://www.bleepingcomputer.com/news/security/data-breach-at-healthcare-tech-firm-impacts-45-million-patients/

Over 900k Impacted by Data Breach at Defunct Boston Ambulance Service

Transformative Healthcare is informing more than 900,000 individuals that their personal information was stolen in a data breach at now-defunct subsidiary Fallon Ambulance Service.

The incident, Transformative says in a notification letter to the affected individuals, a copy of which was submitted to the Maine Attorney General’s Office, was detected on April 23, 2023, roughly four months after the Boston-based Fallon Ambulance Service ceased operations.

The defunct ambulance service, however, retained an archived copy of the data previously stored on its systems, and between February 17 and April 22, attackers were able to access that data, including files containing personal information.

According to Transformative, the evaluation of the compromised information and the affected individuals was completed on around December 27, 2023.

The personal information compromised during the attack includes names, addresses, Social Security numbers, driver’s license numbers, other ID numbers, medical information, COVID-19 testing or vaccination details, and information related to employment or applications for employment.

Transformative says it has no evidence that the compromised information might have been used for identity theft or fraud, but it’s offering free identity protection services to the victims and is encouraging them to remain vigilant of any suspicious activity on their accounts.

“While Fallon is no longer operational, we have taken steps to secure data that may be stored in our archives for compliance with our legal obligations. Additionally, to help further protect your information, we are providing you with free identity protection services for two years,” Transformative tells the impacted individuals.

The healthcare organization told the Maine AGO that more than 900,000 individuals were affected by the data breach.

While Transformative did not say what type of cyberattack Fallon fell victim to, the Alphv/BlackCat ransomware group claimed responsibility for the incident in late April, saying it had exfiltrated a terabyte of data from the healthcare organization.

The Alphv/BlackCat gang is believed to have hit over 1,000 entities before its operations were targeted in a law enforcement operation last month.

Source – https://www.securityweek.com/over-900k-impacted-by-data-breach-at-defunct-boston-ambulance-service/

Nearly 11 Million SSH Servers Vulnerable to New Terrapin Attacks

Almost 11 million internet-exposed SSH servers are vulnerable to the Terrapin attack that threatens the integrity of some SSH connections.

The Terrapin attack targets the SSH protocol, affecting both clients and servers, and was developed by academic researchers from Ruhr University Bochum in Germany.

It manipulates sequence numbers during the handshake process to compromise the integrity of the SSH channel, particularly when specific encryption modes like ChaCha20-Poly1305 or CBC with Encrypt-then-MAC are used.

An attacker could thus downgrade the public key algorithms for user authentication and disable defenses against keystroke timing attacks in OpenSSH 9.5. A notable requirement for the Terrapin attack is the need for attackers to be in an adversary-in-the-middle (AitM) position to intercept and modify the handshake exchange.

It is worth noting that threat actors often compromise networks of interest and wait for the right moment to progress their attack.

A recent report warns that there are nearly 11 million SSH servers on the public web – identified by unique IP addresses, that are vulnerable to Terrapin attacks. This constitutes roughly 52% of all scanned samples in the IPv4 and IPv6 space monitored.

Most of the vulnerable systems were identified in the United States (3.3 million), followed by China (1.3 million), Germany (1 million), Russia (700,000), Singapore (390,000), and Japan (380,000).

The significance of the report lies in highlighting that Terrapin attacks can have a widespread impact.

While not all 11 million instances are at immediate risk of being attacked, it shows that adversaries have a large pool to choose from.

Source – https://www.bleepingcomputer.com/news/security/nearly-11-million-ssh-servers-vulnerable-to-new-terrapin-attacks/

Xerox Confirms Data Breach at US Subsidiary Following Ransomware Attack

Printing solutions giant Xerox over the weekend confirmed that its US-based subsidiary Xerox Business Solutions experienced a data breach. The incident, the company says, was limited to Xerox Business Solutions US and was contained by its cybersecurity team.

While the attack did not affect Xerox’s corporate systems and had no impact on the company’s operations or data, the investigation launched into the matter determined that personal information was compromised.

“Our preliminary investigation indicates that limited personal information in the XBS environment may have been affected. As per our policy and standard operating procedure, we will notify all affected individuals as required,” Xerox said in an incident notice on its website.

To date, however, the company has not provided details on whether the incident impacts clients, employees, or partners.

Xerox shared no details on the type of cybersecurity incident its subsidiary fell victim to, but the ransomware gang known as Inc Ransom was quick to claim responsibility for the attack.

On December 30, the group listed Xerox on its Tor-based leak site, posting screenshots of documents allegedly stolen from the company, as proof of intrusion.

Since then, however, the entry was taken down, suggesting that Xerox might have engaged in communication with the attackers, to prevent the stolen data from being published online.

Source – https://www.securityweek.com/xerox-confirms-data-breach-at-us-subsidiary-following-ransomware-attack/

Victoria Court Recordings Exposed in Reported Ransomware Attack

Australia’s Court Services Victoria (CSV) is warning that video recordings of court hearings were exposed after suffering a reported Qilin ransomware attack. CSV is an independent statutory authority that provides services to Victoria’s court systems, including case management systems and administrative solutions.

In a statement published today on its website, CSV says it detected a cyberattack on December 21, 2023, that allowed hackers to disrupt operations and access its audio-visual archive containing sensitive hearing recordings.

The impacted system was immediately isolated and disabled, but the ensuing investigation revealed that the breach occurred at an earlier date, December 8th, 2023, with the exposed recordings going as far back as November 1, 2023.

“The cyber incident led to unauthorised access leading to the disruption of the audio visual in-court technology network, impacting video recordings, audio recordings and transcription services,” reads the CSV statement.

“Recordings of some hearings in courts between 1 November and 21 December 2023 may have been accessed. It is possible some hearings before 1 November are also affected.”

Specifically, the following courts and jurisdictions have been impacted by the security incident:

• Supreme Court – hearings from the Court of Appeal, Criminal Division, and Practice Court between December 1 and 21, and two regional hearings in November 2023.
• County Court – hearings from all criminal and civil courts from November 1 to December 21, 2023.
• Magistrates’ Court – some committals heard between November 1 and December 21, 2023.
• Children’s Court – one hearing from October 2023.
• Coroners Court – all hearings that took place between November 1 and December 21, 2023.

The above recordings contain a mix of public and confidential information, so depending on the case, they may expose sensitive information regarding court cases. Where possible, impacted courts will send out breach notices to those deemed impacted by the incident.

CSV has also notified the authorities about the potential data breach, including the Victoria Police, Victorian Department of Government Services, and Australia’s National Identity and Cyber Support Community Service (IDCARE).

Though CSV is still in the process of restructuring the impacted system with more focus on security, court operations in Victoria will not be affected, and all cases scheduled for January 2024 are expected to proceed normally.

The authority’s does not name the cybercriminals responsible for the attack, but sources speaking to ABC News report that the Qilin ransomware gang carried out the attack. The Qilin ransomware operation was launched under the name “Agenda” in August 2022 but was later rebranded as Qilin.

Since its launch, the ransomware operation has had a steady stream of victims but has seen increased activity towards the end of 2023.

Source – https://www.bleepingcomputer.com/news/security/victoria-court-recordings-exposed-in-reported-ransomware-attack/

Albanian Parliament and One Albania Telecom Hit by Cyber Attacks

The Assembly of the Republic of Albania and telecom company One Albania have been targeted by cyber attacks, the country’s National Authority for Electronic Certification and Cyber Security (AKCESK) revealed this week.

“These infrastructures, under the legislation in force, are not currently classified as critical or important information infrastructure,” AKCESK said.

One Albania, which has nearly 1.5 million subscribers, said in a Facebook post on December 25 that it had handled the security incident without any issues and that its services, including mobile, landline, and IPTV, remained unaffected.

AKCESK further noted that the intrusions did not originate from Albanian IP addresses, adding it managed to “identify potential cases in real-time.”

The agency also said that it has been focusing its efforts on identifying the source of the attacks, recovering compromised systems, and implementing security measures to prevent such incidents from happening again in the future.

What’s more, AKCESK said the incident has prompted it to review and strengthen its cybersecurity strategies.

The exact scale and scope of the attacks are currently not known, but an Iranian hacker group called Homeland Justice claimed responsibility on its Telegram channel, in addition to stating that it had breached flag carrier airline Air Albania.

In a message shared on its website on December 24, the outfit said it is “back to destroy supporters of terrorists,” alongside adding the following tags: #albania, #albaniahack, #CyberAttacks, #mek, #MKO, #ncri, #NLA, #pmoi, #Terrorists.

The development comes more than a year after Albanian government services were targeted by destructive cyber attacks in mid-July 2022.

Homeland Justice claimed responsibility for those attacks as well. The development subsequently prompted the U.S. government to sanction Iran’s Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmail Khatib, for engaging in cyber-enabled activities against the U.S. and its allies.

Source – https://thehackernews.com/2023/12/albanian-parliament-and-one-albania.html

Smarttech247