InForce Cyber

Threat Report November 2021

Data breach at New Mexico healthcare business impacts 62,000 state residents

The personally identifiable information of more than 62,000 US citizens may have been compromised following a cyber-attack against a New Mexico-based healthcare insurer.

True Health New Mexico offers a range of health insurance services to small and large employers across the southwestern US state.

In a recent security alert, the company said an unauthorized third party gained access to the organization’s IT systems in early October.

“Security professionals determined that impacted files may have contained information about current and former True Health New Mexico members, select providers, and some former members of New Mexico Health Connections,” reads the breach notification. 

GoDaddy Breach Widens to Include Reseller Subsidiaries

Customers of several brands that resell GoDaddy Managed WordPress have also been caught up in the big breach, in which millions of emails, passwords and more were stolen.

The GoDaddy breach affecting 1.2 million customers has widened – it turns out that various subsidiaries that resell GoDaddy Managed WordPress were also affected.

The additional affected companies are 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost.

The world’s largest domain registrar confirmed to researchers at Wordfence that several of these brands’ customers were affected by the security incident (and Wordfence provided breach-notification notices from two of them in a Tuesday posting).

Report: Digital Marketing Agency Exposed 92 Million Records Online Including Employee and Client Data

Security Researcher Jeremiah Fowler in cooperation with the WebsitePlanet research team discovered a non-password protected database that contained 92 million records. Upon further investigation it appeared to belong to the Cronin digital marketing agency. The exposed server was named “Cronin-Main” and many of the records contained references to Cronin. These records included internal data such as employee and client information. Also included in the dataset was a “Master Mailing List” with direct physical names, addresses, Salesforce IDs, phone numbers, and references to where the leads came from.

WiFi software management firm exposed millions of users’ data

Brazil-based WiFi management software firm WSpot exposed extensive details of high-profile firms and millions of customers.

WSpot provides software to let businesses secure their on-premise WiFi networks and offer password-free online access to their clients. Some of the notable clients of WSpot include Sicredi, Pizza Hut, and Unimed.

According to WSpot, 5% of its customer base was impacted by this leak. However, it maintains that financial information is never collected from clients, so no financial data is included in the leak.

Python Packages Stealing Discord Tokens and More

Researchers have discovered 11 malicious Python packages stealing Discord tokens and installing shells. These malicious packages, in the Python Package Index (PyPI) repository, were downloaded by developers more than 41,000 times.

The malicious packages could be exploited to steal Discord access tokens and passwords, along with carrying out dependency confusion attacks.

Two packages (10Cent10 and importantpackage) were found to open a reverse shell on the targeted system, giving the attacker full control over the infected machine.

Two other packages (ipboards and trrfab) were disguised as genuine dependencies and were designed to be pulled in automatically through a technique known as dependency confusion or namespace confusion.

The dependency (importantpackage) was using a unique exfiltration mechanism to avoid network-based detection, which included the use of Fastly’s CDN to mask communications with the attacker’s server.

The other packages (ipboards and pptest) were using DNS tunneling as a data exfiltration method by using DNS requests as a communication channel between a victim machine and remote server.
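A defender-side illustration of the DNS-tunnelling exfiltration described above, added here as an example that is not part of the report or of the researchers’ analysis: it scans constructed DNS query log lines (the log format, domain names and thresholds are assumptions) and flags parent domains that receive many distinct, long, high-entropy subdomain labels, which is the pattern left behind when stolen data is encoded into query names.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log lines in an assumed format: "<ts> <client> <qtype> <qname>".
# The long hex-looking labels under exfil.example stand in for data a tunnelling
# client encodes into query names; the other lines are ordinary lookups.
SAMPLE_LOG = """\
2021-11-20T10:00:01 10.0.0.15 A www.example.com
2021-11-20T10:00:02 10.0.0.15 A pypi.org
2021-11-20T10:00:03 10.0.0.15 TXT 7a3f9c1e4b8d2a6f0e5c9b1d3a7f4e2c.exfil.example
2021-11-20T10:00:03 10.0.0.15 TXT 9e2b7d4a1f6c8e3b5d0a2f7c4e9b1d6a.exfil.example
2021-11-20T10:00:04 10.0.0.15 TXT c4d8a2f1e7b3c9d5a0f6e2b8c1d7a3f9.exfil.example
2021-11-20T10:00:05 10.0.0.15 A mail.example.com
"""

LINE_RE = re.compile(r"^\S+ (\S+) (\S+) (\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking encodings score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def base_domain(qname: str) -> str:
    """Last two labels as the parent domain (a simplification: no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_base_domains(log_text, min_label_len=20, min_entropy=3.5, min_unique=3):
    """Return parent domains whose leftmost labels look like encoded data chunks:
    several distinct labels, each long and high-entropy, under the same parent."""
    unique_labels = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        labels = m.group(3).rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain available to carry data
        leftmost = labels[0]
        if len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= min_entropy:
            unique_labels[base_domain(m.group(3))].add(leftmost)
    return sorted(d for d, labs in unique_labels.items() if len(labs) >= min_unique)


if __name__ == "__main__":
    print(suspicious_base_domains(SAMPLE_LOG))  # ['exfil.example']
```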

GoDaddy says data breach exposed over a million user accounts

Web hosting giant GoDaddy has reported a data breach, and warns that data on 1.2 million customers may have been accessed.

In a filing with the Securities and Exchange Commission, GoDaddy’s chief information security officer Demetrius Comes said the company detected unauthorized access to its systems where it hosts and manages its customers’ WordPress servers. WordPress is a web-based content management system used by millions to set up blogs or websites. GoDaddy lets customers host their own WordPress installs on their servers.

GoDaddy said the unauthorized person used a compromised password to get access to GoDaddy’s systems around September 6. GoDaddy said it discovered the breach last week on November 17. It’s not clear if the compromised password was protected with two-factor authentication.

The filing said that the breach affects 1.2 million active and inactive managed WordPress users, who had their email addresses and customer numbers exposed. GoDaddy said this exposure could put users at greater risk of phishing attacks. The web host also said that the original WordPress admin password created when WordPress was first installed, which could be used to access a customer’s WordPress server, was also exposed.

Hackers used this software flaw to steal credit card details from thousands of online retailers

Over 4,000 online retailers have been warned that their websites had been hacked by cybercriminals trying to steal customers’ payment information and other personal information.

In total, the National Cyber Security Centre (NCSC) identified 4,151 retailers that had been compromised by hackers exploiting vulnerabilities on checkout pages to divert payments and steal details. The NCSC alerted the retailers to the breaches over the past 18 months.

The majority of the online shops that cybercriminals exploited for payment-skimming attacks were compromised by known vulnerabilities in the e-commerce platform Magento. Most of those affected and alerted to the compromises and vulnerabilities are small and medium-sized businesses.

Iran’s Mahan Air Says Hit by Cyberattack

“Mahan Air’s computer system has suffered a new attack,” the company said in a statement.

“It has already been the target on several occasions due to its important position in the country’s aviation industry.”

All of its flights were on schedule, the statement added, but the company’s website was down.

“Our internet security team is thwarting the cyberattack,” spokesman Amir-Hossein Zolanvari told state television.

According to Mehr news agency, some Mahan customers had received text messages that said: “Cyberattack against Mahan for complicity in the crimes committed by the terrorist Guardians Corps” – a reference to Iran’s elite Revolutionary Guards.

Mahan Air is Iran’s main private airline and the second biggest after the national carrier Iran Air.

It has been on the blacklist of Iranian companies targeted by US sanctions since 2011.

Leaks and Breaches

Organisation (Country) | Incident | Records affected
Department for Infrastructure and Transport (Australia) | mySA GOV customer accounts were accessed by a third party. Affected customers are advised to change their driver’s licence number and asked to change their passwords. | 2,601
JEV Plastic Surgery and Medical Aesthetics (US) | An unauthorised actor had access to company systems between April 30th and June 14th, 2021, and may have viewed or acquired patient data. Potentially compromised information includes names, dates of birth, consultation notes, medical history, and surgical operative notes. | Unknown
Machon Mor (Israel) | Black Shadow leaked the medical institute’s data following the attack against Cyberserve. The compromised data reportedly contains the personal information of patients, as well as medical records. | 290,000
Docket (US) | A security bug in the health app exposed personal information of residents in New Jersey and Utah who have been vaccinated against COVID-19. Potentially compromised information includes names, dates of birth, and vaccination status. | Unknown
King’s Seafood Company (US) | A cyberattack against the company began on June 4th, 2021, in which an unauthorised individual gained access to personally identifiable information stored in company directories. Potentially compromised information includes names, driver’s license information, payment card information, medical cards, telephone numbers, and partially redacted Social Security numbers. | Unknown
QRS Inc (US) | A cyberattack was discovered on August 26th, 2021. The attacker accessed a dedicated patient portal server and may have stolen data stored there. Potentially compromised information includes names, addresses, dates of birth, Social Security numbers, and more. | Unknown
New York Psychotherapy and Counseling Center (US) | An unauthorised third party gained access to one of the company’s servers. Possibly exposed patient information includes names, dates of service, addresses, Medicaid IDs, and dates of birth. | Unknown
Desert Pain Institute (US) | The company suffered a data security incident on September 13th, 2021, that may have involved unauthorised access to sensitive personal information of former and current patients and employees. Potentially exposed information includes names, addresses, dates of birth, Social Security numbers, tax identification numbers, driver’s licenses, and more. | Unknown
Electronic Warfare Associates (US) | A data breach occurred on August 2nd, 2021, after attackers hacked the company’s email system and stole files. Compromised data includes names, Social Security numbers, and driver’s licenses. | Unknown
Nationwide Laboratory Services (US) | Personal health information on patients may have been accessed in a ransomware attack on May 19th, 2021. Possibly compromised information includes names, dates of birth, lab test results, medical record numbers, Medicare numbers, health insurance information, and Social Security numbers. | 33,437

Here’s the top 10 list of CVEs released by Microsoft for October 2021:

CVE | Title | Severity | CVSS | Publicly disclosed | Exploited | Type
CVE-2021-42292 | Microsoft Excel Security Feature Bypass Vulnerability | Important | 7.8 | No | Yes | SFB
CVE-2021-42321 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8.8 | No | Yes | RCE
CVE-2021-43208 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | Yes | No | RCE
CVE-2021-43209 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | Yes | No | RCE
CVE-2021-38631 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important | 4.4 | Yes | No | Info
CVE-2021-41371 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important | 4.4 | Yes | No | Info
CVE-2021-42279 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | 4.2 | No | No | RCE
CVE-2021-42298 | Microsoft Defender Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE
CVE-2021-42316 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Critical | 8.7 | No | No | RCE
CVE-2021-26443 | Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability | Critical | 9.0 | No | No | RCE

Trending Vulnerable Products

Attack type mentions in the Education Industry