InForce Cyber

Threat Report June 2021

June was dominated by ransomware attacks. The following items support that assessment:

Ransomware attack may have exposed information on over 16,000 workers, state says

Sensitive information on over 16,000 workers may have been exposed in a ransomware attack on a Renton market research company’s data system.

Pacific Market Research (PMR) “recently notified” the Washington state Department of Labor and Industries, one of its clients, about the May 22 attack, according to a Thursday L&I news release.

An unauthorized party accessed PMR’s network and encrypted its servers during the attack, affecting an L&I file containing sensitive information, according to the release.

WSSC Water investigating ransomware attack that hit non-essential business systems in May

WSSC Water is investigating a ransomware attack that took place on May 24 and that targeted a portion of their network that operates non-essential business systems.

According to reports from WJZ13 Baltimore, the company removed the malware within hours and locked the attackers out; however, the attackers had already accessed internal files. WSSC has notified the FBI, the Maryland Attorney General, and state and local homeland security officials.

The company operates water filtration and wastewater treatment plants. Fortunately, the attack did not affect water quality, although the investigation is still ongoing.

Supermarket chain Coop closes 800 stores following Kaseya ransomware attack

Coop, one of Sweden’s largest supermarket store chains, has shut down nearly 800 stores across the country after one of its contractors was hit by ransomware in the aftermath of the Kaseya security incident on Friday.

The stores were closed on Friday afternoon after cash registers and self-service stations went down, preventing Coop employees from processing in-store payments.

REvil ransomware asks $70 million to decrypt all Kaseya attack victims

REvil ransomware has set a price for decrypting all systems locked during the Kaseya supply-chain attack. The gang wants $70 million in Bitcoin for the tool that allows all affected businesses to recover their files.

The attack on Friday propagated through Kaseya VSA, a remote monitoring and patch-management product used by managed service providers (MSPs) to manage customer systems.

Customers of multiple MSPs were affected, with REvil encrypting the networks of at least 1,000 businesses worldwide.

In a post on their leak site, the threat actor says that they locked more than a million systems and are willing to negotiate for a universal decryptor, starting from $70 million.

Mongolian Certificate Authority Hacked to Distribute Backdoored CA Software

A technical issue with DARS, the relationship management system used by the university, has allowed unauthorised Oxford Single Sign-On users to view sensitive data of Pembroke College’s alumni. The exposed data includes full names, ages, addresses, telephone numbers, and notes taken during calls held between telethon workers and the alumni. Some telethon training documentation was also compromised. 

Indian tech startup exposed Byju’s student data

India-based technology startup Salesken.ai has secured an exposed server that was spilling private and sensitive data on one of its customers, Byju’s, an education technology giant and India’s most valuable startup.

The server was left unprotected since at least June 14, according to historical data provided by Shodan, a search engine for exposed devices and databases. Because the server was without a password, anyone could access the data inside. Security researcher Anurag Sen found the exposed server, and asked TechCrunch for help in reporting it to the company.

The server was pulled offline shortly after TechCrunch contacted Salesken.ai on Tuesday.

Salesken.ai provides customer relationship technology to companies like Byju’s to engage better with customers. The Bengaluru-based startup raised $8 million in Series A funding from Sequoia Capital India in 2020, two years after the company was founded. 

Hacked Data for 69K LimeVPN Users Up for Sale on Dark Web

The VPN provider known as LimeVPN has been hit with a hack affecting 69,400 user records, according to researchers.

A hacker claims to have stolen the company’s entire customer database before knocking its website offline (Threatpost confirmed that as of press time, the website was down). The stolen records consist of user names, plaintext passwords, IP addresses and billing information, according to PrivacySharks. Researchers added that the stolen data also included the public and private keys of LimeVPN users.

“The hacker informed us that they have the private keys of every user, which is a serious security issue as it means they can easily decrypt every LimeVPN user’s traffic,” the firm said in a posting. 

Data Breaches

Major South African Insurance Company Suffers Data Breach

Any QSure client who made payments by debit card may be affected by the breach. QSure enlisted three leading cybersecurity firms to investigate the security incident. The company stated that it alerted both the businesses concerned and the appropriate regulatory authorities, and that it continues to provide assistance. Its IT platform has been reconfigured and all relevant security measures have been implemented.

Freshly scraped LinkedIn data of 88,000 US business owners shared online

About a week after scraped data from more than 700 million LinkedIn profiles was put up for sale online, it seems that threat actors have no intention of stopping their abuse of the social media platform’s scrape-friendly systems. Hours ago, a 68MB JSON database containing LinkedIn data recently collected from 88,000 US business owners was shared on a popular hacker forum.

SolarWinds hackers remained hidden in Denmark’s central bank for months

Russia-linked threat actors compromised Denmark’s central bank (Danmarks Nationalbank) and maintained access to its network for more than six months. The breach was a consequence of the SolarWinds supply chain attack carried out by the Nobelium APT group (aka APT29, Cozy Bear and The Dukes). The intrusion was revealed by the technology outlet Version2, which obtained official documents from the central bank through a freedom of information request.

Data for 700M LinkedIn Users Posted for Sale in Cyber-Underground

After 500 million LinkedIn users were affected by a data-scraping incident in April, it has happened again, with significant security ramifications. A new posting offering 700 million LinkedIn records has appeared on a popular hacker forum, according to researchers. Analysts from Privacy Sharks came across the data for sale on RaidForums, posted by a hacker calling himself “GOD User TomLiner.” The advertisement, posted June 22, claims the cache contains 700 million records and includes a sample of 1 million records as “proof.”