Overview of security incidents from June 26 to July 2, 2021
New attacks by the group behind the SolarWinds compromise, data leaks affecting hundreds of millions of users, attacks exploiting critical vulnerabilities in the Windows Print Spooler service and Cisco ASA, classified UK Ministry of Defence documents left at a bus stop: these and other high-profile events in the world of information security for the period from June 26 to July 2, 2021.
A team of security researchers found an unsecured database of over 86 GB exposed on the web, containing more than 814 million records with usernames, display names, email addresses and other information on customers of DreamPress, the managed WordPress hosting service of DreamHost. The leaked database covered WordPress accounts hosted or installed on DreamHost servers between March 2018 and April 2021.
Data on 700 million users of the business social network LinkedIn was also exposed. With about 756 million people currently registered, the leak potentially affects 92% of the platform's users. The seller claims the database was assembled by collecting user-provided profile information through the LinkedIn API.
Mercedes-Benz USA disclosed a data breach affecting roughly a thousand customers. To determine its extent, the company reviewed 1.6 million customer records containing names, addresses, email addresses, phone numbers and some details of purchased vehicles. The exposed data included credit card numbers, social security numbers and driver's license numbers of fewer than 1,000 Mercedes-Benz customers and prospective buyers who had entered the information on the websites of the company and of Mercedes-Benz dealers between 2014 and 2017.
The most notorious leak of the week was the discovery, at a bus stop in an English county, of classified documents of the British Ministry of Defence. Among them were email printouts and PowerPoint presentations by a senior ministry official, including material on last week's controversial passage of the Type 45 destroyer HMS Defender off the coast of Crimea. Other documents discussed arms export campaigns, brief assessments of the first months of Joe Biden's presidency, and the role of British special forces in Afghanistan after the US withdrawal.
As usual, the week did not pass without ransomware attacks. The Salvation Army, an international Christian charity, fell victim to an extortion group. The organization declined to provide further details, such as the name of the group or the amount and type of data the attackers gained access to.
The week also saw the return of the Babuk ransomware gang. The group has launched a new leak site, where victims who refused to pay the ransom are already listed. According to the operators themselves, they continue to attack corporate networks with a new variant of the Babuk ransomware.
REvil ransomware operators have acquired a new Linux encryptor for attacks on VMware ESXi virtual machines. As businesses migrate to virtual machines to simplify backups and device management and to use resources more efficiently, ransomware groups are increasingly building dedicated tools that bulk-encrypt the storage used by those virtual machines: a single encryptor running on the hypervisor host reaches the disk files of every VM on it at once.
Microsoft has officially warned of attacks exploiting the notorious PrintNightmare remote code execution vulnerability in the Windows Print Spooler service. The flaw stems from the service improperly performing privileged file operations and can be used to execute code with SYSTEM privileges.
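A quick triage of the Print Spooler exposure on a Windows host, as an added example that is not from the original article or from Microsoft: it reports whether the service is running and, with the -Disable switch, stops and disables it, which was Microsoft's interim mitigation for hosts that do not need to print. It assumes an elevated PowerShell session; the function name is the editor's own.

```powershell
# Added example (not from the article). Requires an elevated PowerShell session.
function Test-PrintSpoolerExposure {
    [CmdletBinding()]
    param(
        # Stop and disable the service as an interim mitigation.
        # Only use on hosts (e.g. domain controllers) that never need to print.
        [switch]$Disable
    )

    $svc = Get-Service -Name Spooler -ErrorAction Stop

    # A running spooler is the precondition for PrintNightmare exploitation.
    [PSCustomObject]@{
        Computer  = $env:COMPUTERNAME
        Status    = $svc.Status
        StartType = $svc.StartType
        Exposed   = ($svc.Status -eq 'Running')
    }

    if ($Disable -and $svc.Status -eq 'Running') {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        Write-Warning "Print Spooler stopped and disabled on $env:COMPUTERNAME; this host can no longer print or serve printers."
    }
}

# Report only:
Test-PrintSpoolerExposure
# Mitigate on a server that never prints:
# Test-PrintSpoolerExposure -Disable
```

Disabling the service breaks all printing on the host, including on print servers; for machines that must keep local printing, the less disruptive option is the Group Policy "Allow Print Spooler to accept client connections" set to Disabled, which blocks the remote RPC path without stopping the service.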
Microsoft also reported attacks by the Nobelium group on users in the United States, Britain, Canada, Germany and 32 other countries. According to the company, Nobelium is behind the high-profile SolarWinds hack. Microsoft has notified everyone the attackers targeted that the group is active again. The corporation also says it was itself attacked: malware that collects data was found on the computer of a company employee.
It also emerged that the Central Bank of Denmark was affected by the SolarWinds attack. The attackers planted a backdoor in the bank's network that remained operational for seven months until it was discovered by the American security firm FireEye.
US and UK agencies have warned of a campaign of brute-force attacks against the cloud resources of private and public organizations. According to a joint statement by the US NSA, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the UK's National Cyber Security Centre (NCSC), the attacks are the work of the Russia-linked group APT28 (Fancy Bear) and have been ongoing since at least mid-2019.
EternalBlue, the leaked NSA exploit for a vulnerability in Microsoft's Server Message Block (SMB) protocol, continues to pose a significant threat to organizations around the world more than four years after the patch was released. The latest example is the worm-like malware Indexsinas (also known as NSABuffMiner). The malware was originally used against organizations in the Asia-Pacific region but has recently been turned increasingly on North American organizations in the healthcare, hospitality, education and telecommunications sectors.
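Since EternalBlue only works against the SMBv1 server, the quickest exposure check on a Windows host is whether SMBv1 is still enabled and listening. The following is an added example written for this digest, not code from the article or from any vendor; it assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, and the function name is the editor's own.

```powershell
# Added example (not from the article). Requires an elevated PowerShell session.
function Test-Smb1Exposure {
    [CmdletBinding()]
    param(
        # Turn off the SMBv1 server protocol on this host.
        [switch]$Disable
    )

    $cfg = Get-SmbServerConfiguration
    # On client SKUs SMBv1 ships as an optional feature; on servers it may not be present at all.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    # EternalBlue needs SMB reachable on TCP 445.
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    [PSCustomObject]@{
        Computer          = $env:COMPUTERNAME
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'NotPresent' }
        Port445Listening  = $listening
        Exposed           = ($cfg.EnableSMB1Protocol -and $listening)
    }

    if ($Disable -and $cfg.EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Warning "SMBv1 server disabled on $env:COMPUTERNAME; legacy clients that only speak SMBv1 can no longer connect."
    }
}

# Report only:
Test-Smb1Exposure
# Remove the attack surface:
# Test-Smb1Exposure -Disable
```

Disabling SMBv1 removes the protocol EternalBlue targets but does not replace the MS17-010 patch; a host that is fully patched is safe even with SMBv1 on, and a host with SMBv1 off still needs the update for the remaining SMB fixes.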
Cybercriminals are scanning the Internet for vulnerable Cisco ASA devices and actively exploiting the vulnerability CVE-2020-3580 in real attacks after a PoC exploit for it was posted on Twitter. The cross-site scripting flaw in the devices' web services interface allows an unauthenticated remote attacker to execute arbitrary script code in the context of the interface or access sensitive browser-based information.
It also emerged that two rival cybercriminal groups were responsible for the mass wiping of data from Western Digital My Book Live devices. One exploited the old vulnerability CVE-2018-18472, the other the zero-day vulnerability CVE-2021-35941.
Hackers compromised a server of MonPass, one of Mongolia's largest certification authorities, and planted a backdoor in its official certificate installation client. According to Avast, the backdoor was present in the application from February 8 to March 3 of this year. The investigation showed that the MonPass public web server had been compromised eight times, judging by the eight different web shells and backdoors the researchers found. In their assessment, the attackers' goal was to infect computers in Mongolia with malware.