Information Security Newspaper | Infosec Articles | Hacking News
https://www.securitynewspaper.com/

Uber gave sensitive driver data to a law firm for legal actions, but the law firm leaked all the data
https://www.securitynewspaper.com/2023/04/10/uber-gave-sensitive-driver-data-to-a-law-firm-for-legal-actions-but-the-law-firm-leaked-all-the-data/
Mon, 10 Apr 2023 23:55:40 +0000

An unknown number of Uber drivers have been informed by a legal firm that represents Uber Technologies that sensitive data, including their identities and Social Security numbers, has been taken by cyberattackers. This data includes the drivers’ names.

The world’s largest ride-sharing company has suffered its third data breach in the last six months.

According to a letter that was posted online on April 4, the Newark, New Jersey-based law firm Genova Burns LLC was the first to notice suspicious activity at the end of January. Following an investigation by outside specialists, the firm discovered that its systems had been compromised and that data on an unknown number of Uber drivers had been stolen. According to what was indicated in the letter, Uber provided the law firm with the material in conjunction with its legal representation.

Genova Burns did not respond to any of several requests for comment and did not explain why the law firm required personally identifiable information (PII) from drivers.

In the letter that was given out to Uber drivers, the law firm claimed the following: “Upon learning of the situation, we investigated to ascertain the extent and breadth of the breach, and we safeguarded the environment by resetting all system passwords.” “We have also informed law enforcement of the situation, and we are helping them with their investigation. We have decided to take certain further precautions in order to strengthen our security measures and make ourselves more resistant to situations of a similar kind in the future.”

Hackers have often attempted to penetrate Uber’s systems. The provider of ride-sharing services had previously suffered a data breach in May 2014, during which hackers gained access to the private information of 50,000 drivers and their license plates. This was followed by a more serious breach in October 2016, during which hackers obtained access to the private information of 57 million Uber users. Two more attempts, one of which was carried out via a third-party cloud provider, were successful in 2022 in stealing important data; one of these attacks led to the resignation of the company’s CISO.

In the most recent attack, Uber admitted to the data leak but sent all queries on the matter to its legal firm.

According to a statement released by Uber, the affected drivers “have been advised that their Social Security number and/or tax identification number have been potentially compromised and [were] provided free credit monitoring and identity protection services.” “Genova Burns has indicated that they are not aware of any actual or attempted exploitation of the information, and they have stated that they are taking extra actions to increase security and better defend against occurrences similar to those that may occur in the future.”

The law firm first discovered the attack on January 31. After an unnamed third-party forensics and data-security specialist investigated, the law firm found that its data had been accessed and exfiltrated during the week before the one in which the attack was discovered.

Genova Burns said in a letter that was made public that on March 1, 2023, its team “found that information connected to you [the Uber drivers] was included in an affected file, and after making this determination, we alerted Uber.” “At this point, we do not know of any real or attempted abuse of your information as a consequence of this event,” the spokesperson said. “We apologize for any inconvenience.”

TWILIO HACKED, CLIENTS’ PERSONAL DATA LEAKED. SLACK RESET PASSWORDS OF ITS USERS
https://www.securitynewspaper.com/2022/08/09/twilio-hacked-clients-personal-data-leaked-slack-reset-passwords-of-its-users/
Tue, 09 Aug 2022 19:47:42 +0000

Twilio

Twilio has confirmed that hackers accessed customer data after successfully tricking employees into handing over their corporate login credentials.

The San Francisco-based company, which allows users to embed voice and SMS capabilities, such as two-factor authentication (2FA), into apps, said in a blog post that it realized “someone got unauthorized access to information related to some Twilio customer accounts on August 4”.

Twilio has more than 150,000 customers, including Facebook and Uber. According to the company, the as-yet-unidentified threat actor convinced several Twilio employees to hand over their credentials, which allowed access to the company’s internal systems.

The attack used phishing SMS messages purporting to come from Twilio’s IT department, suggesting that the employee’s password had expired or their schedule had changed, and advising the target to log in at a spoofed web address that the attacker controls.

Twilio said the attackers crafted these messages to appear legitimate, including words like “Okta” and “SSO,” referring to single sign-on, which many companies use to secure access to their internal applications. Twilio said it worked with US carriers to stop the malicious messages, as well as with registrars and hosting providers to shut down the malicious URLs used in the campaign.

“Despite this response, threat actors have continued to rotate between carriers and hosting providers to resume their attacks,” Twilio said. “Based on these factors, we have reason to believe that the threat actors are well organized, sophisticated, and methodical in their actions.”

The same actor also created phishing pages posing as other IT outsourcing companies and a customer service provider, though the impact, if any, on these organizations is currently unknown.

When contacted, a Twilio spokeswoman declined to say how many customers were affected or what data the threat actors accessed. Twilio’s privacy policy says that the information it collects includes addresses, payment details, IP addresses, and in some cases, proof of identity.

Twilio said that since the attack, it has revoked access to compromised employee accounts and increased its security training to ensure employees are on “high alert” for social engineering attacks. The company said it has begun contacting affected customers on an individual basis.

Slack

Slack reported that it reset approximately 0.5% of its users’ passwords after fixing a bug that exposed hashes when creating or revoking shared invite links for workspaces.

Slack says it has more than 169,000 paying customers from more than 150 countries, with 65 Fortune 100 companies using its services.

“When a user performed any of these actions, Slack would transmit an encrypted version of their password (not plain text) to other members of the workspace,” Slack said. “Even though this data was shared via the new or disabled invite link, the Slack client did not store or display this data to members of that workspace.”

The bug was discovered by an independent security researcher who disclosed it to Slack on July 17. The issue affected all users who created or revoked shared invite links between April 17, 2017 and July 17, 2022.

Fortunately, the encrypted passwords were not visible to Slack clients; accessing this exposed information would have required active monitoring of encrypted network traffic from Slack servers, according to Slack.

Slack also added that it has no reason to believe the bug was used to gain access to plaintext passwords before it was fixed. “However, out of an abundance of caution, we have reset Slack passwords for affected users. They will need to set a new Slack password before they can log in again.”

To make sure your account was not compromised, you can access your personal access logs. Slack also advises all users to enable two-factor authentication and create unique passwords that aren’t used with other online services.

The average cost of a data breach increased 2.6% from $4.24 million in 2021 to $4.35 million in 2022
https://www.securitynewspaper.com/2022/07/28/the-average-cost-of-a-data-breach-increased-2-6-from-4-24-million-in-2021-to-4-35-million-in-2022/
Thu, 28 Jul 2022 22:19:41 +0000

It is well known that the volume of security incidents has been growing steadily for some years now. The cybercrime industry is experiencing a golden age that, unfortunately, shows no sign of exhaustion. In the short and medium term we can be sure that the figures will continue to grow and that every day we will face new threats added to those already existing, causing a situation of insecurity that requires taking as many measures as are within our reach.

An argument that, surprising as it may be, is still heard today to excuse not adopting these measures is their cost. It is of little or no use that the cybersecurity sector diversifies its catalog of solutions to fit all types of budgets; we continue, and will continue, to see companies that decide not to make that investment.

For this reason, to combat this attitude that, although less common, is still present today, reports such as the Cost of a Data Breach, published annually by IBM, are useful. In addition to a complete x-ray of the current situation regarding the security breaches that affect companies, the report compiles the information needed to offer very clear and forceful metrics, such as the average cost faced by the companies that have suffered breaches during this year.

And if the number of threats has grown, the same can be said of their cost, whose average is quantified by IBM at 4.35 million dollars, an absolute record compared to previous years. To arrive at this figure, the IBM report is based on an in-depth analysis of real-world data breaches experienced by 550 organizations worldwide between March 2021 and March 2022. The research, which was sponsored and analyzed by IBM Security, was conducted by the Ponemon Institute.

This report has become a leading reference tool, providing IT, risk management, and security leaders with insight into the factors that tend to increase, or help mitigate, the cost of data breaches.

  • The average cost of a data breach increased 2.6% from $4.24 million in 2021 to $4.35 million in 2022. The average cost increased 12.7% from $3.86 million in the 2020 report.
  • The proportion of organizations implementing Zero Trust grew from 35% in 2021 to 41% in 2022. Organizations not implementing Zero Trust incurred an average of $1 million more in breach costs compared to those implementing Zero Trust.
  • Stolen or compromised credentials were responsible for 19% of breaches. Phishing was responsible for 16% of breaches. Cloud misconfiguration caused 15% of breaches.
  • Breaches that occurred in a hybrid cloud environment cost an average of $3.80 million. This figure compares with $4.24 million for breaches in private clouds and $5.02 million for breaches in public clouds.

Some sectors are affected much more than others, although none can relax and consider itself free of risk. A clear example of the most threatened is the health sector, in which the average cost of a security breach is 10.1 million dollars, an increase of 42% compared to the figure calculated just two years ago, for the 2019-2020 financial year.

The persistence of cyberattacks is also shedding light on the “chaser effect” data breaches are having on businesses, as the IBM report reveals that 83% of organizations studied have experienced more than one data breach. Another factor that increases over time is the after-effects of breaches on these organizations, which linger long after they occur, with nearly 50% of incident costs incurred more than a year after the breach.

And what is the report referring to when it talks about the incidence of cyberattacks on the cost of living? Well, in the same report we can verify that, in many cases, the companies affected by the attacks have been forced to increase the price of their products and services in order to face the extraordinary costs caused by said attacks.

More than 770 million records available through the Travis CI API: Anyone can extract tokens, secrets, and other credentials associated with services like GitHub, AWS, and Docker Hub
https://www.securitynewspaper.com/2022/06/15/more-than-770-million-records-available-through-the-travis-ci-api-anyone-can-extract-tokens-secrets-and-other-credentials-associated-with-services-like-github-aws-and-docker-hub/
Wed, 15 Jun 2022 16:20:15 +0000

Software development and testing platform Travis CI confirmed the second incident of exposing its users’ data in less than a year. On this occasion, the compromised records include authentication tokens that would allow access to platforms such as AWS, GitHub, and Docker Hub.

According to a report prepared by the firm Aqua Security, tens of thousands of user tokens would have been exposed through the Travis CI API, which contains more than 770 million records with multiple types of credentials belonging to users of free subscriptions.

According to the report, Travis CI did not apply sufficient protections for record numbers, which would allow the execution of an enumeration script to retrieve an undetermined number of code strings: “This is not easy with other providers since they must mention in the URL a client ID, making it difficult to execute enumeration in the records.”  

During this research a second API call was also found in a documented API system that was allowing access to another set of records in plain text that were previously unavailable. Using both methods, the researchers were able to find records dating from January 2013 to May 2022.

Aqua Security estimates that valid records are in a range of between 4.2 million and 774 million. After analyzing a sample of 8 million records, experts found nearly 73,000 sensitive strings in the form of tokens, secrets, and various credentials associated with cloud services such as GitHub, AWS, and Docker Hub.

Experts note that some of the data in the historical records was obfuscated. However, this is insufficient because Travis CI allows developers to use various naming conventions for sensitive information.

“We found that, in many cases, ‘github_token’ was masked and revealed no secrets. However, we found around 20 variations of this token that were not protected in any way by Travis CI,” the researchers add.

Travis CI received a report, and while the researchers believed the bugs would be addressed soon, the platform responded that this is a design issue and probably won’t be fixed. User log exposure appears to be a recurring issue for Travis CI, as reports on this type of risk were published in 2015, 2019, and 2021.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

Major Russian law firm is hacked; terabytes of stolen data
https://www.securitynewspaper.com/2022/06/06/major-russian-law-firm-is-hacked-terabytes-of-stolen-data/
Mon, 06 Jun 2022 23:04:31 +0000

Anonymous hackers have claimed responsibility for a new cyberattack targeting a Russian organization. This time, the hacktivist collective claims to have stolen around 1 TB of information belonging to the important law firm Rustam Kurmaev and Partners (RKP Law). This announcement was disclosed just a couple of days after the group leaked information contained on Vyberi Radio’s servers.

Through two Twitter accounts identified as @DepaixPorteur and @B00daMooda, the attackers announced the leak of data belonging to RKP Law: “We have hacked RKPLaw (rkplawru) and leaked 1 TB of files, emails, court files, client files, backups and more. They have a very large and interesting customer list that I will post in the comments,” one of the tweets states.

The Twitter accounts @YourAnonNews and @YourAnonTV, recognized as Anonymous’ official communication channels, also reported the incident.

On the other hand, the journalist and co-founder of the non-profit initiative Distributed Denial of Secrets (DDoSecrets), Emma Best, confirmed that the information allegedly extracted from this legal firm would be available on DDoSecrets.

DDoSecrets reaffirmed the version of the alleged Anonymous hackers about the incident, stating that the leak of this data could critically impact the company, considering that much of their work has to do with important litigation at the national level and involving powerful industrial and government actors.  

Considering these reports, cybersecurity specialists believe it is right to take this incident as part of #OpRussia, a cyberwarfare campaign against Russia deployed by members of Anonymous in retaliation for the military invasion of Ukrainian territory.

A prestigious firm

RKP Law specializes in handling legal disputes in the real estate, construction, and commercial sectors. This law firm also resolves disputes related to the criminal defense of companies and creates systematic defense strategies for corporate managers and senior management at the various stages of criminal proceedings, in addition to collaborating on anti-corruption issues in Russia.

RKP Law’s main clients include Volkswagen Group Russia, Ikea, Toyota, Jones Lang LaSalle, Mechel PJSC, ChTPZ PJSC, Abbott Laboratories, Baker Hughes, ING Bank, Yamaha Motor, Caterpillar, Panasonic, Mars, Gilette, 2×2 Channel, VimpelCom, Citibank and Sberbank.

Warning: New cyber criminal group Karakurt is extorting millions of companies around the world
https://www.securitynewspaper.com/2022/06/02/warning-new-cyber-criminal-group-karakurt-is-extorting-millions-of-companies-around-the-world/
Thu, 02 Jun 2022 19:29:25 +0000

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a security alert about Karakurt, a cybercriminal extortion group that extracts data from affected organizations and threatens to sell or leak it on the dark web if victims don’t pay a ransom.

This malicious operation is characterized by not using malware during its intrusions, contrary to virtually any other extortion group. The ransoms demanded by Karakurt range from $25,000 to $13 million, and payment must always be made via Bitcoin.

When contacting their victims, the hackers sent screenshots or copies of stolen files to prove that the attack was real, in addition to sharing details about the intrusion method employed. Karakurt operators also harass employees, partners and customers of the affected companies, in an attempt to force the ransom payment.

In the most critical cases, hackers leak small samples of the stolen information, including sensitive details such as full names, social security numbers, phone numbers, medical records, and more sensitive records.

Karakurt had started as a grouping of leaks and auctions on the dark web, although the domain used for its operations was disconnected a couple of months ago. By early May, Karakurt’s new website contained several terabytes of data allegedly belonging to victims in North America and Europe, as well as a list of alleged victims.

Another characteristic feature of Karakurt is that it does not focus on a specific type of victim; it simply bases its attacks on the possibility of accessing the compromised networks. For their attacks, the hackers can use poorly protected mechanisms and infrastructure weaknesses, or collaborate with other cybercriminal groups to gain initial access to the target. According to CISA, the hackers commonly gain access to compromised networks by exploiting unpatched or obsolete SonicWall VPN or Fortinet FortiGate devices, or by employing popular flaws such as Log4Shell or bugs in Microsoft Windows Server.

According to a report by security firm AdvIntel, Karakurt is part of the Conti network, which operates as an autonomous group alongside Black Basta and BlackByte, two other groups that rely on data theft and extortion for monetization purposes.

Full names, IDs, email addresses, and phone numbers of hacked Verizon employees: Customers could experience increased SIM swap attacks
https://www.securitynewspaper.com/2022/05/30/full-names-ids-email-addresses-and-phone-numbers-of-hacked-verizon-employees-customers-could-experience-increased-sim-swap-attacks/
Mon, 30 May 2022 23:00:54 +0000

A report from Motherboard details the detection of a data breach affecting the telephone company Verizon, an incident that would have put at risk the personal records of thousands of employees. The leak would include employees’ full names, corporate IDs, email addresses, and phone numbers.

Even though Verizon was notified and has already acknowledged the leak, its representatives deny that the compromised information poses a security threat to its employees and customers.

The alleged hackers behind this incident claimed that it was very easy for them to access this database, as they simply had to contact a Verizon employee and pose as a co-worker in the internal support area. After fooling this unsuspecting employee, the hackers were able to connect to Verizon’s internal tool and access sensitive information.

Once in the database, the hacker reported having created a tool that allowed them to download the information stored in the company’s systems. Verizon would soon receive a ransom note threatening to expose the compromised information if a $250,000 ransom was not paid.

Not a security risk?

As mentioned above, a Verizon representative stated that the company does not consider the compromised records to be confidential information, so it does not plan to negotiate any ransom with the hackers. The representative added that, for Verizon, information security is a serious matter, so the company has the best measures in place to protect its customers’ and employees’ data.

Information security specialists disagree with Verizon’s stance: while the leak does not involve passwords, bank records, or social security numbers, the stolen data could still prove useful for multiple hacking groups. Phishing campaigns, phone fraud, SIM swap, and email spam are just some of the risks to which those affected could be exposed.

Personal data of MGM Resorts customers leaked on Telegram for free. 142 million records exposed
https://www.securitynewspaper.com/2022/05/23/personal-data-of-mgm-resorts-customers-leaked-on-telegram-for-free-142-million-records-exposed/
Mon, 23 May 2022 16:29:39 +0000

This weekend, vpnMentor researchers identified four storage files on Telegram with a total of 8.7 GB of information belonging to customers of MGM Resorts International, a hotel and entertainment company. Although the exact number of people affected has not been confirmed, specialists estimate that the leak is made up of at least 30 million individual records.

This information would have been taken from other data breach incidents, specifically two data breaches detected a couple of years ago. The 10 million records posted on a hacking forum in 2020 and the 142 million more exposed months later are now available together on the messaging platform.

The compromised records date back to 2017 and include sensitive details such as:

  • Full names
  • Addresses
  • Email addresses
  • Telephone numbers
  • Dates of birth

As with any data leak, threat actors could use the compromised information to deploy phishing campaigns, SIM swap, identity fraud and other attack variants against the millions of affected customers. In addition, cybercriminals can easily identify older adults, who are especially vulnerable to these types of attacks.

However, because the exposed data does not appear to be up to date, the security risk is reduced. At the time of the original leaks, this data was on sale for at least $2,900 USD; that they are now available for free seems to confirm that the information is of no value or interest to hacking groups.

Although the leak is considered a low security risk, MGM customers are advised to take steps to prevent an attempted attack: resetting passwords for their online platforms, enabling multi-factor authentication, and ignoring suspicious emails or phone calls are recommended measures.

Hackers steal $1 million USD from Razorpay
https://www.securitynewspaper.com/2022/05/19/hackers-steal-1-million-usd-from-razorpay/
Thu, 19 May 2022 21:40:37 +0000

Media outlets in India report that an unidentified hacker managed to steal around $1 million from Razorpay, a payment processing company. Apparently, the attacker remained hidden in the company’s systems for three months, manipulating security mechanisms to authenticate over 800 illegitimate transactions.

Razorpay Software Private Limited provides online payment services that allow businesses in India to collect payments via credit card, debit card, net banking, and even cryptocurrency wallets.

The malicious activity was detected when a team at Razorpay Software Private Limited was auditing the transactions. Company employees were unable to reconcile transaction files with funds in enterprise accounts.

Abhishek Abhinav Anand, in charge of legal disputes and legislative compliance at Razorpay, filed a complaint with the southeast Indian cybercrime unit earlier this week.

Authorities are trying to identify the hacker or hacker group responsible for the attack, based on recorded online transactions. Meanwhile, Razorpay also ordered an internal investigation, which revealed that the attacker compromised and manipulated the transaction authorization process to complete the attack; as a result, the threat actor approved a total of 831 failed transactions, amounting to losses of around $1 million.

Razorpay shared with law enforcement detailed information about these 831 illegitimate transactions, including date, time and IP address.

3 critical vulnerabilities in SonicWall SMA 1000 SSLVPN affect over 500k companies https://www.securitynewspaper.com/2022/05/16/3-critical-vulnerabilities-in-sonicwall-sma-1000-sslvpn-affect-over-500k-companies/ Mon, 16 May 2022 16:47:44 +0000

In a security alert, SonicWall has strongly urged its customers to address some security flaws in its Secure Mobile Access (SMA) Series 1000 products, as their successful exploitation would allow threat actors to fully compromise vulnerable devices.

The most severe vulnerability, tracked as CVE-2022-22282, was described as an unauthenticated access control evasion, while two minor security flaws were described as an encrypted cryptographic key flaw and an open redirect; these two flaws have not yet received CVE tracking keys.

The company adds that, at the moment, there are no known workarounds for the vulnerability, so users of affected deployments are advised to update as soon as possible. SonicWall also mentions that no active exploitation attempts have been detected, so it’s still a good time to install official updates.

The flaws reside in the SMA Series 1000 6200, 6210, 7200, 7210 and 8000v (ESX, KVM, Hyper-V, AWS, Azure) models. SonicWall mentions that SMA Series 1000 products with versions earlier than 12.4.0 are not affected.

As mentioned above, CVE-2022-22282 is the most serious of the reported errors, as a successful attack would allow threat actors to evade access control and reach internal resources. This bug received a score of 8.2 according to the Common Vulnerability Scoring System (CVSS) and can be exploited remotely and without interaction from the target user.

On the other hand, the encrypted cryptographic key error can also result in complex attacks: “The use of a cryptographic key increases the possibility of recovering encrypted data in the system,” reports the MITRE CWE database.

SMA Series 1000 VPN devices are used to protect remote connections on corporate networks, so it is highly likely that hacking groups will attempt to exploit these flaws. These devices have previously been the target of dangerous attacks; months ago, a wave of HelloKitty ransomware attacks impacted SMA 100 versions by exploiting a zero-day vulnerability.

More than 500,000 commercial customers from 215 countries and territories around the world use SonicWall products, so the scope of exploitation is considerable.

Now you can ask Google to remove your phone number, email address, physical address and other personal contact data from Search Results. Learn how to do it https://www.securitynewspaper.com/2022/04/28/now-you-can-ask-google-to-remove-your-phone-number-email-address-physical-address-and-other-personal-contact-data-from-search-results-learn-how-to-do-it/ Thu, 28 Apr 2022 19:25:46 +0000

After multiple scandals of inappropriate handling of personal information, reinforcing users’ privacy has become one of the primary goals of large technology companies. Such is the case of Google, which has just announced the implementation of new policies that will allow users to request the removal of certain personal content from Google Search results.

While it was already possible to make these requests in cases of doxing or leaking of bank details, the update will allow users to request the removal of other content that appears in search results, including personal contact information. Google will also allow the removal of additional information that may pose a risk of identity theft, such as access credentials to online platforms.

According to the report, the following records may be considered personal contact information:

  • Government identification numbers, including social security numbers, tax identification keys and the like depending on the country in question
  • Bank account and credit card numbers
  • Images of handwritten signatures
  • Images of identity documents
  • Medical records
  • Physical addresses, phone numbers and email addresses

Regarding the process followed when it receives one of these requests, Google says that it evaluates all the content of websites that may expose confidential data, trying not to limit the availability of other useful data for users. The company also looks at whether the content users want to remove is part of public or government records; if so, the request is inadmissible.

Although this is undoubtedly good news, users should remember that removing this content from Google Search results will not remove it from the Internet. To do that, it is necessary to contact the administrators of the website in question directly.

Google continues to implement changes to its policies in order to improve the privacy experience of its users. In recent days, the company revealed a new measure that allows users under the age of 18 to request the removal of any image of them from image search results. The parents and guardians of minors may also carry out this procedure.

Full information about these requests and other security and privacy measures implemented by Google is available on the company’s official communication channels.

30 vulnerabilities in different Juniper products could allow the total takeover of the affected network. Update immediately https://www.securitynewspaper.com/2022/04/18/30-vulnerabilities-in-different-juniper-products-could-allow-the-total-takeover-of-the-affected-network-update-immediately/ Mon, 18 Apr 2022 20:56:40 +0000

Cybersecurity specialists from Juniper Networks announced the release of multiple security patches to address more than 30 flaws in their products, including critical bugs in Contrail Networking and Junos OS. According to the report, at least seven of these flaws received scores above 9/10 according to the Common Vulnerability Scoring System (CVSS).

First, the alert mentions ten flaws in Contrail Networking, in its versions prior to 2011. Five of these flaws are considered critical and all were tracked in 2021. The two most severe errors are buffer overflow flaws in Pillow tracked as CVE-2021-25289 and CVE-2021-34552, plus a heap overflow in Apache HTTP Server tracked as CVE-2021-26691.

The remaining flaws reside in the nginx resolver (CVE-2021-23017) and the xmlhttprequest-ssl package (CVE-2021-31597).

On the other hand, the second security alert refers to critical flaws in Contrail Networking prior to v21.3. These reports include a remote code execution bug in Git for Visual Studio tracked as CVE-2019-1349 and a denial of service (DoS) error in the pcre_compile function in pcre_compile.c in PCRE tracked as CVE-2015-8391.

This week, Juniper Networks also announced patches for 14 vulnerabilities in Junos OS and Junos OS Evolved, including 10 severe issues that could lead to DoS and remote code execution (RCE) scenarios. In its report, the firm notes that there are no reports of active exploitation.

The report was also shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which encouraged users and administrators to review the company’s reports and apply the necessary corrections as soon as possible: “Remote threat actors could exploit some of these vulnerabilities to take control of an affected system”, the Agency points out.
