DigitalOcean admits data breach exposed customers’ billing details

DigitalOcean, the popular cloud-hosting provider, has told some of its customers that their billing details were exposed due to what it described as a “flaw.”

In an email sent out to affected users, DigitalOcean explained that an unauthorised party had managed to exploit the flaw to gain access to billing information between April 9 and April 22, 2021.

The following information from profiles was accessed:

  • Billing name
  • Billing address
  • Payment card expiration date
  • Last four digits of user’s payment card
  • Payment card bank name

The company was at pains to underline that it does not store users’ full payment card numbers, so those were not exposed. In addition, DigitalOcean says that it has fixed the flaw that the hacker exploited and has informed data protection authorities about the breach.

As reported by TechCrunch, a statement released by DigitalOcean claimed that only 1% of billing profiles had been impacted by the breach. (A few years ago, the company was claiming to have one million users – which would put the number of exposed accounts at north of 10,000.)

It’s not the first time that DigitalOcean has suffered a data breach that exposed customer information.

In May 2020, for instance, the company advised that a DigitalOcean-owned document from 2018 containing customer details was “unintentionally made available via a public link.”

CISA & NIST Publish Recommendations for IT Admins to Defend Against the Next ‘SolarWinds’ Event

The Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) this week released an overview of supply chain threats. Its purpose: to help organizations keep themselves out of scenarios like the recent SolarWinds incident.

The 16-page Defending Against Software Supply Chain Attacks released by CISA and NIST this week provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate software supply chain risks.

The resource provides in-depth recommendations and key steps for the prevention of, mitigation of, and resilience against software supply chain attacks like the widely circulated hack on SolarWinds’ IT management platform, Orion.

“A software supply chain attack—such as the recent SolarWinds Orion attack—occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. The compromised software can then further compromise customer data or systems,” CISA explains.

“Newly acquired software may be compromised from the outset, or a compromise may occur through other means like a patch or hotfix. In these cases, the compromise still occurs prior to the patch or hotfix entering the customer’s network. These types of attacks affect all users of the compromised software and can have widespread consequences for government, critical infrastructure, and private sector software customers,” the agency adds.

The document outlines how software supply chains fit within the greater information and communications technology (ICT) supply chain, and how software is at risk of the malicious or inadvertent introduction of vulnerabilities at each phase of the ICT supply chain lifecycle. The diagram below offers several examples of supply chain attacks over the years.

CISA strongly encourages IT administrators in both camps – vendors and customers – to review Defending Against Software Supply Chain Attacks (PDF) and implement its recommendations.

Etsy-owned musical instrument marketplace Reverb suffers data breach

The online musical instrument marketplace Reverb has suffered a data breach which has exposed the personal details of 5.6 million users.

Security researcher Bob Diachenko, who has a long track record of uncovering databases left unsecured on the internet, came across an unsecured Elasticsearch server earlier this month which allowed anyone to access information about millions of Reverb’s users – no password required.

Details exposed in the database included:

  • Users’ full names
  • Users’ email addresses
  • Users’ phone numbers
  • Users’ mailing addresses
  • Users’ PayPal details
  • Information about users’ listings and orders

According to Diachenko, the exposed data included information about high-profile rock musicians such as Bill Ward of Black Sabbath, Jimmy Chamberlin of the Smashing Pumpkins, and Alessandro Cortini of Nine Inch Nails.

Affected users have been informed about the security breach in an email from the company:

Disappointingly, Reverb’s email does not underline the very real risk that scammers could use the exposed information to send out scam emails and phishing attacks to customers’ inboxes. It’s even possible that a scammer could use the breached details in an attempt to gather more personal information, and defraud a customer over the telephone.

Reverb says that it does not believe that passwords or payment details have been compromised, but does suggest that users change their passwords.

Actually, it says “we recommend that you change your Reverb password on a regular basis.” That’s advice with which I have a certain level of discomfort. As I’ve written elsewhere:

Enforcing regular password changes can often lead to folks choosing weaker passwords rather than strengthening their security.

When there are good reasons to change your passwords (such as a data breach), you should definitely do it.

So, I guess in Reverb’s case, as their lax behaviour appears to have caused a privacy breach (although seemingly not one related to login credentials), it may well be right to be cautious and change your password. But please make sure it is a strong password that’s hard to crack, and not one that you are using anywhere else on the internet.

FBI Offers Millions of Emotet Compromised Credentials to Have I Been Pwned

The FBI has offered millions of passwords obtained from seized Emotet malware domains to HIBP (Have I Been Pwned) to make it easier to alert impacted users and companies.

Law enforcement took down most of the Emotet infrastructure in one of the most significant collaborative efforts to date, gathering authorities from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.

Attackers used hundreds of servers across the world as command-and-control centers, but the efforts of the authorities and a new approach allowed them to dismantle the entire system from the inside. During this process, law enforcement identified 4,324,770 compromised email addresses, which it has now offered to the HIBP service.

“Following the takedown, the FBI reached out and asked if Have I Been Pwned (HIBP) might be a viable means of alerting impacted individuals and companies that their accounts had been affected by Emotet,” said security researcher Troy Hunt, who’s running HIBP. “This isn’t the first time HIBP has been used by law enforcement in the wake of criminal activity with the Estonian Central Police using it for similar purposes a few years earlier.”

There are actually two different sets of email addresses: one used by Emotet to send spam and another of emails harvested from browsers. As usual, the security measures and possible mitigations remain the same as for any data breach.

If people or companies discover that their emails have been compromised, they should change the credentials as soon as possible, along with security questions. This also applies to credentials of online services stored in compromised systems. Of course, having an up-to-date and powerful security solution running on all devices is paramount.

Threat Actor Leaks Personal Records of 250 Million American Households on Hacking Forum

A threat actor named Pompompurin has posted a treasure trove of 250 million personal records belonging to US residents.

The database containing 263 GB of personally identifiable information (PII) and household-related data was leaked on a popular hacking forum last week.

According to an analysis done by Hackread.com, the records contain 1255 CSV sub-files, each with 200,000 listings that include:

  • Full names, phone numbers, and email addresses
  • Date of birth, marital status, and gender
  • House cost, home rent, home built year
  • ZIP codes, home addresses, and Geolocation
  • Credit capacity and political affiliation
  • Salary, income details, and number of owned vehicles
  • Number of children in the household
  • Number of owned pets

For the moment, the owner or origin of the database remains unclear.

“This was dumped by me,” the threat actor said in his post description. “Took a few days to export data fully, so enjoy. Feel free to ask any questions about the data. There are 59 million unique emails in this. All data on people living in the US.” He also makes sure to specify that “there are no passwords in this leak.”

Check if your personal info has been stolen or made public on the internet with Bitdefender’s Digital Identity Protection tool.

Digital and physical security risks for victims

Given the sheer volume of leaked information on individuals and their households, malicious actors can exploit the data in many ways. By combining the info, cybercriminals can deploy compelling social engineering attacks that may lead to account takeover, identity theft and fraud.

In addition to these digital threats, criminals can single out specific victims based on their income details, the number of owned vehicles and home address.

Victims should closely monitor their online interactions and inboxes. They need to be fully aware that cybercriminals and scammers can target them via any social media platform or use phone numbers to make unsolicited calls or send malicious or fraudulent links via text.

DC Police Extorted by Ransomware Gang Who Allegedly Stole Sensitive Law Enforcement Files

The Metropolitan Police Department (DC Police) has confirmed a cyberattack after ransomware operators allegedly breached their systems, leaking screenshots of stolen data.

The threat actors said they managed to steal more than 250 GB of data from the DC Police network.

According to the leaked screenshot samples obtained by BleepingComputer, potentially sensitive information about police operations, disciplinary records, and gang members’ files was exfiltrated from the department’s systems.

Before this acknowledgment, the Babuk Locker ransomware gang posted a message warning the law enforcement agency that it had three days to respond to their demands. If no contact is made by the deadline, they will continue to leak confidential data and contact DC-operating criminal gangs to warn them about potential informants.

“Hello! Even an institution such as DC can be threatened, we have downloaded a sufficient amount of information from your internal networks, and we advise you to contact us as soon as possible, to prevent leakage, if no response is received within 3 days, we will start to contact gangs in order to drain the informants, we will continue to attack the state sector of the usa, fbi csa, we find 0 day before you, even larger attacks await you soon,” the ransomware gang said.

It’s not clear if the DC Police has paid the threat actors to prevent the publication of any further information online. However, the department did ask the FBI to investigate how the Russia-based ransomware operators infiltrated their computer network.

“We are aware of unauthorized access on our server. While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter,” the Metropolitan Police Department said in a statement to BleepingComputer.

WhatsApp For What? Spammers Bomb User Inboxes With Fake Adult-Themed Opportunities

Spammers have laid down seemingly harmless traps for users in search of adult-themed fun over the Internet.

In the last month, attackers bombarded thousands of inboxes with explicit spam emails claiming to provide hookups on WhatsApp, according to Bitdefender Antispam Lab’s latest telemetry.

The perps spiced up the email header with the name of the cross-platform instant messaging service, and delivered the lewd adverts via Microsoft SharePoint links.

They add clickbait titles to entice recipients who may feel tempted to access the link out of curiosity.

“I’m a Single Girl. Need Partner. Obviously real..No drama no fake. If u interested? It’s Free. Visit Me,” reads one message. Besides the pronounced grammar mistakes, Emily’s invitation seems as if she reached the character limit, obviously.

Another WhatsApp ‘babe’ put a lot more effort into the proposition, making sure the description offers a distinct glimpse into her personality.

The links in these spam messages direct recipients to adult-themed and dating websites.

So what can happen? Anything. From malware downloads to phishing attacks, users who access these adult websites risk their financial wellbeing and privacy.

Even if the initial message doesn’t pose an immediate threat, it doesn’t rule out a possible malware infection or attempts at hijacking credit card information. More often than not, users must create an account or register on the website to view any content.

As many internet users living through Covid-19 and social distancing measures know, some online platforms have rolled out dating services. So why can’t the Facebook-owned WhatsApp have one?

WhatsApp doesn’t send users any message requests or adverts via email. Recipients should keep this in mind if they are puzzled about the legitimacy of the message.

By pairing the popularity of the instant messaging platform with Microsoft’s SharePoint, the spammers create a false sense of security for recipients. If you receive one of these spam emails, delete it immediately without clicking the link.

Note: This article is based on technical information provided courtesy of Bitdefender Antispam Lab.

Dridex Malware Returns In a New Global QuickBooks Malspam Campaign

Phishing attacks masquerading as QuickBooks invoices are targeting users of the popular accounting software in an attempt to infect victims’ devices with the infamous Dridex banking Trojan.

Spotted by Bitdefender Antispam Lab, this fresh Intuit-themed malspam campaign reels in QuickBooks users with fake payment notifications and invoices.

The ongoing phishing campaign began on April 19, targeting QuickBooks users from across the globe. Overall, 14% of the malicious emails reached the United States, 11% each went to South Korea, Germany and India, 7% each to the UK and France, 4% to Italy, 3% to Sweden, and 2% each to Canada, Belgium, Austria, Switzerland and the Netherlands.

More than half of the spoofed emails originate from IP addresses in Italy. The perps have forged the sender header (‘quickbooks@xxxx.intuit.com’), making it seem like the messages are genuine. To evade detection tools, the threat actors vary the subject lines and sender names.

Email Subjects such as ‘Invoice 349281’, ‘Payment Notification – Invoice 001779’ and ‘Reminder: Invoice 017854’ are just some of the variations used by malicious actors.

Attackers also tailored the emails’ body in an attempt to sneak past anti-phishing and anti-spam mechanisms. Here are some examples:

  • Here’s a copy your invoice! We appreciate your prompt payment.
  • Order will be delivered upon payment receipt.
  • The following invoice is attached for your review and processing.
  • Your invoice is attached. Please remit payment at your earliest convenience.

The emails contain a seemingly harmless Microsoft Excel spreadsheet attachment carrying a hidden threat. A malicious macro within the .xls file launches a Trojan dropper that infects the victim’s machine with Dridex.
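The lures described above (a forged intuit.com sender, an invoice-themed subject, and a legacy .xls attachment carrying a VBA project) can be turned into a simple mail-gateway triage rule. The following is an added example written for this article, not code from Bitdefender or from the campaign itself. The sample message is constructed in the block: the sender string is the forged pattern quoted above, the subject and body text are two of the variations listed above, and the attachment bytes are a stand-in that only carries the OLE2 magic and a UTF-16LE `_VBA_PROJECT_CUR` stream name, which is how a real legacy Excel file names its macro storage. Treat the result as a triage score, not a verdict.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Legacy .xls files are OLE2 compound documents; this is their 8-byte signature.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory entries store stream names as UTF-16LE. A VBA project in a
# legacy Excel file lives under a "_VBA_PROJECT_CUR" storage, so its name
# appears in the raw bytes in that encoding. Crude, but useful for triage.
VBA_MARKER = "_VBA_PROJECT_CUR".encode("utf-16-le")

# Subject variations quoted in the article, generalised to patterns.
SUBJECT_PATTERNS = [
    re.compile(r"\binvoice\s*\d{6}\b", re.I),
    re.compile(r"payment notification", re.I),
    re.compile(r"reminder: invoice", re.I),
]


def looks_like_macro_xls(data: bytes) -> bool:
    """True if the bytes are an OLE2 document that names a VBA project storage."""
    return data.startswith(OLE2_MAGIC) and VBA_MARKER in data


def score_message(raw: bytes) -> Dict[str, object]:
    """Collect indicators from a raw RFC 5322 message; two or more is suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []

    # The From header is attacker-controlled; a claimed intuit.com sender is a
    # lure indicator here, not proof of origin (authentication is SPF/DKIM/DMARC's job).
    from_addr = str(msg.get("From", "")).lower()
    if "intuit.com" in from_addr:
        findings.append("sender claims intuit.com")

    subject = str(msg.get("Subject", ""))
    if any(p.search(subject) for p in SUBJECT_PATTERNS):
        findings.append("invoice-themed subject")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".xls") and looks_like_macro_xls(payload):
            findings.append(f"macro-bearing .xls attachment: {name}")

    return {"findings": findings, "suspicious": len(findings) >= 2}


def build_sample() -> bytes:
    """Constructed sample message modelled on the campaign described in the article."""
    msg = EmailMessage()
    msg["From"] = "QuickBooks <quickbooks@xxxx.intuit.com>"   # forged pattern quoted above
    msg["To"] = "accounts@victim.example"                      # constructed recipient
    msg["Subject"] = "Payment Notification - Invoice 001779"
    msg.set_content("Your invoice is attached. Please remit payment at your earliest convenience.")
    # Constructed stand-in for a macro-bearing .xls: signature, padding, VBA storage name.
    fake_xls = OLE2_MAGIC + b"\x00" * 16 + VBA_MARKER + b"\x00" * 8
    msg.add_attachment(fake_xls, maintype="application", subtype="vnd.ms-excel",
                       filename="Invoice 349281.xls")
    return msg.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample()))
```

The VBA-storage check is a heuristic over raw bytes; a production gateway would parse the OLE2 directory properly (or use oletools) and combine the result with SPF/DKIM/DMARC failures on the claimed intuit.com domain rather than the From string alone.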

Dridex is a banking Trojan, commonly delivered via phishing emails containing malicious Microsoft Word and Excel documents.

This malicious software steals confidential information from victims, including banking credentials that threat actors can use to access bank accounts and make fraudulent transactions.

Although the primary objective of this banking Trojan is to steal banking info from victims, cybercriminals have meticulously updated the malicious software over the past decade. Since 2020, Dridex has also been used to deliver ransomware to targets and maximize earnings.

Cybercriminals have often disguised their malicious phishing campaigns by using the names of legitimate and well-known companies to ensure maximum efficiency. Emails mimicking a regular QuickBooks invoice that small businesses or organizations usually receive can have severe consequences.

Careless users can end up having fraudulent charges on credit cards, unusual wire transfers from company accounts, and even data breaches that can compromise the entire network and customer base of an organization.

This developing malicious campaign, taking advantage of the popularity of the US-based accounting tool used by over 2 million small businesses worldwide, is not new. QuickBooks-themed malware campaigns usually spike during tax season in the hope of catching users off guard. For the United States, however, this one arrived less than a month before the tax season deadline.

Note: This article is based on technical information provided courtesy of Bitdefender Antispam Lab.

Apple AirDrop Flaws Could Let Hackers Grab Users’ Phone Numbers and Email Addresses

Users of Apple products have long loved the ability to wirelessly share files with each other, using AirDrop to transmit files between their iPhones and Macbooks.

But researchers at the Technical University of Darmstadt in Germany have discovered that security weaknesses could allow an attacker to obtain a victim’s phone number and even email address.

And you know what’s worse? Apple hasn’t fixed the problem almost two years after being told about it, despite 1.5 billion devices worldwide being potentially vulnerable.

The researchers’ paper, entitled “PrivateDrop: Practical Privacy-Preserving Authentication for Apple AirDrop”, details what it describes as “two severe privacy vulnerabilities in the underlying authentication protocol” used by AirDrop.

According to the paper, the problem lies in how AirDrop determines if a nearby device belongs to somebody the user already knows.

To discover if two devices belong to mutual contacts, AirDrop transmits a SHA-256 hash of the sending user’s email address or phone number. Other devices in the vicinity examine the hash, and compare it to entries in their own address book – if a mutual match is made, the receiver sends back their own hash.

An attacker can brute-force the hash to determine users’ phone numbers – a technique which takes just seconds because of the relatively small number of possible phone numbers.

Email addresses are harder to reverse, but the researchers believe attackers could have some success using dictionary attacks built on common email formats (such as firstname.lastname@gmail.com, yahoo.com, and so forth). In addition, hashed email addresses could be matched against data from past data breaches.
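The mutual-contact check described in the last few paragraphs can be modelled in a few lines, which makes the privacy problem concrete. The following is an added example written for this article; it is not code from the PrivateDrop paper, from the Darmstadt researchers, or from Apple, and the phone numbers and address book are constructed sample data. It models only what the article states: the sender advertises a plain SHA-256 digest of its identifier, and the receiver hashes each address-book entry to look for a match.

```python
import hashlib
from typing import Dict, Optional

# Constructed sample data (not real numbers): the sender's own identifier and
# the receiver's address book.
SENDER_PHONE = "+15555550123"
RECEIVER_ADDRESS_BOOK: Dict[str, str] = {
    "Alice": "+15555550123",
    "Bob": "+15555550199",
}


def identifier_hash(identifier: str) -> str:
    """Sender side: the digest advertised to nearby devices.

    As the article describes, this is an unkeyed SHA-256 of the raw phone
    number or email address. There is no secret and no salt, so the digest is a
    deterministic function of the identifier alone.
    """
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def receiver_matches(advertised_hash: str, address_book: Dict[str, str]) -> Optional[str]:
    """Receiver side of the mutual-contact check.

    Hashes each candidate identifier and compares it with the advertised digest,
    returning the matching contact name (or None). Note that nothing here depends
    on the candidates being a genuine address book: any list of candidate numbers
    works the same way, which is the weakness the researchers point out.
    """
    for name, contact_id in address_book.items():
        if identifier_hash(contact_id) == advertised_hash:
            return name
    return None


if __name__ == "__main__":
    advertised = identifier_hash(SENDER_PHONE)
    print("advertised digest:", advertised)
    print("receiver matched:", receiver_matches(advertised, RECEIVER_ADDRESS_BOOK))
```

The defensive takeaway is that hashing a low-entropy identifier does not hide it: `receiver_matches` is exactly the computation an eavesdropper can run over any candidate list, and the article notes the phone-number space is small enough for that to finish in seconds. A fix has to let the receiver learn only whether a match exists without revealing the identifier to non-contacts, which is the property the researchers’ PrivateDrop design targets.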

Responsibly, the researchers disclosed the flaw to Apple privately in May 2019, hoping that it would be fixed. Apple responded in July 2020, saying that it did “not have any updates on new features or any changes to mitigate the underlying issue.”

It’s worth remembering that for an attack to be successful, a malicious party would need to be in close physical proximity to their victims. And yes, there are probably easier ways to determine someone’s phone number rather than through this route – but that’s no reason not to harden the security of AirDrop.

Perhaps frustrated by Apple’s response, the research team developed its own proof-of-concept solution for AirDrop’s flawed design, which they called “PrivateDrop.” However, the researchers admit that the only practical way for it to be used in place of AirDrop is if Apple themselves integrated it into their devices’ operating systems.

How to keep your Android device immune to malicious coronavirus vaccine themed apps

The bad news

Attackers are exploiting COVID-19 vaccine apps to deploy malware to Android devices. Since the outbreak of the pandemic, they haven’t missed any opportunity to spread malware via COVID-19-themed emails, apps, websites and social media.

But now, Bitdefender researchers have found multiple apps taking advantage of mobile users looking for information about the vaccines or seeking an appointment to get the jab.

Sometimes disguised as, or invisibly bundled with, legitimate digital products, these fake applications are ready to take over the device after just a few taps. Google has been trying to vet all vaccination-related applications properly, but some have fallen through the cracks.

Here’s what to pay attention to if you are not currently using a mobile protection solution that could keep your device safe.

Hydra Bankers are part of the infamous Hydra trojan family. Once granted the Accessibility permissions, the apps can record and collect what the user types on the device, such as credit card numbers, passwords and more. From there, it’s only a matter of time before the user’s banking data is leaked.

Cerberus Bankers will take over the device once the victims grant the malware the requested Accessibility permissions.

Repackaged adware. For example, Vaccinum, in the version found on third-party Android application markets. While this version is functionally the same as the original app, it comes repackaged with adware.

Co-Win Adware. The Indian government’s COVID-19 vaccine tracking and registration platform was rapidly copied after launch. Adware and fake applications immediately followed.

The good news

You can stay away from malicious apps by being vigilant and getting any COVID-19-related information from known, proper channels and official government sources.

Being wary of apps requesting access to the Accessibility Service might also help, as it’s the main access route for criminals into your mobile devices.

If you feel you need expert help to keep your smartphone safe, you are right. Mobile threats are on the rise, consistent with the growing number of people who use their Android devices for shopping, online banking services and messaging.

Consider getting Bitdefender Mobile Security that keeps Android devices safe from all new and existing online threats. Plus, the antivirus module automatically scans each app once you install it, and immediately lets you know whether it poses any danger.

Read the complete Bitdefender Labs research here.
