Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES

Attackers strive to destroy the Tor network.

18 November 2024
BREACHAWARE HQ

A total of 17 breaches were found and analysed resulting in 101,638,201 leaked accounts containing a total of 22 different data types. The breaches found publicly and freely available included 1Win - Part 2, Lalafo, Creditcard Consortium, Tibber and Thuocsi. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

The Tor Network continues to face sustained mass DDoS attacks, which began earlier this year but have intensified since October. Andrew Morris, founder of Greynoise, has announced on X (formerly Twitter) that he is collaborating with the Tor Network to “triangulate the true origin of this traffic” and work to disconnect the source. In his tweet, Morris explained that the attackers are spoofing the IP addresses of Tor exit nodes.

The Tor Network relies on a community of volunteers to run relays and exit nodes, which anonymise web traffic. However, this decentralised system creates vulnerabilities, as bad actors can exploit the network by running malicious relays or spoofing IPs. In this case, the attackers are blasting TCP SYN packets indiscriminately at port 22/TCP with the source address forged to look like a Tor exit node, so the resulting abuse complaints land on the exit-node operators. Hosting providers, unaware of the true nature of the traffic, have been blocking Tor exit nodes or banning the network’s infrastructure altogether.

Morris called the tactic a clever move by attackers, as it effectively tricks hosting providers into crippling the Tor Network without any wrongdoing on its part. To counteract this, he has advised hosting providers to ignore abuse complaints related to “SSH scanning” or “port scanning on 22/TCP” originating from Tor exit nodes. A list of IP addresses that hosting providers can safely disregard is available on Pastebin (pastebin.com/idKU0agt). The attackers, who claim their goal is to destroy the Tor Network, appear to be making a calculated effort to undermine internet anonymity.
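A triage step an abuse desk could run on its own flow logs before acting on one of these complaints, as an added example that is not code from BreachAware, Greynoise or the Tor Project: a spoofed SYN can never complete a TCP handshake, so an exit address that only ever sends SYNs to 22/TCP and never ACKs is consistent with the spoofing described above. The exit-node addresses and log lines are constructed placeholders, not the Pastebin list.

```python
# Added example: a spoofed SYN never completes a TCP handshake (the SYN-ACK goes
# to the forged address), so a source that only ever sends SYNs to 22/TCP and
# never ACKs is consistent with spoofing rather than a real scanner.
from collections import defaultdict

# Constructed placeholder exit addresses (documentation ranges), NOT the real
# list linked from the page.
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.42"}

# Constructed firewall log lines: "timestamp src dst dport tcp_flags".
SAMPLE_LOG = """\
2024-11-12T10:00:01Z 198.51.100.7 192.0.2.10 22 S
2024-11-12T10:00:01Z 198.51.100.7 192.0.2.11 22 S
2024-11-12T10:00:02Z 198.51.100.7 192.0.2.12 22 S
2024-11-12T10:00:05Z 203.0.113.42 192.0.2.10 22 S
2024-11-12T10:00:05Z 203.0.113.42 192.0.2.10 22 A
2024-11-12T10:00:06Z 203.0.113.42 192.0.2.10 22 PA
2024-11-12T10:00:09Z 192.0.2.99 192.0.2.10 22 S
"""
def parse_log(text):
    """Yield (src, dst, dport, flags) from the simplified log format."""
    for line in text.splitlines():
        if line.strip():
            _ts, src, dst, dport, flags = line.split()
            yield src, dst, int(dport), flags

def triage(events, tor_exits, port=22):
    """Map each source seen on `port` to a verdict:
    'tor-exit-syn-only'  - SYNs only from an exit address: treat the report as likely spoofed
    'tor-exit-handshake' - the exit address completed a handshake, so it really connected
    'not-tor'            - not an exit address; handle as an ordinary report
    """
    flags_by_src = defaultdict(set)
    for src, _dst, dport, flags in events:
        if dport == port:
            flags_by_src[src].add(flags)
    verdicts = {}
    for src, seen in flags_by_src.items():
        if src not in tor_exits:
            verdicts[src] = "not-tor"
        elif any("A" in f for f in seen):  # client ACK = third step of handshake
            verdicts[src] = "tor-exit-handshake"
        else:
            verdicts[src] = "tor-exit-syn-only"
    return verdicts

if __name__ == "__main__":
    for src, verdict in triage(parse_log(SAMPLE_LOG), TOR_EXIT_NODES).items():
        print(f"{src:15} {verdict}")
```

A SYN-only verdict is not proof of spoofing on its own, but it is the evidence to ask for before a provider blocks an exit node on the strength of a scanning complaint.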

Law enforcement agencies are reportedly grappling with rumoured new security measures in Apple’s latest iPhone update. According to speculation, the update introduces code that forces an iPhone to reboot if it hasn’t connected to a cell tower or been unlocked within 24 hours. While this may seem minor, it has significant implications for evidence collection and phone security.

When an iPhone reboots, it enters a “Before First Unlock” (BFU) state, where the file system remains encrypted, WiFi and apps are disabled, and biometric unlocking is unavailable. After being unlocked, the phone transitions to an “After First Unlock” (AFU) state, where the attack surface for bad actors, including law enforcement, expands significantly.

Law enforcement agencies often place seized phones in Faraday bags to prevent remote wiping or disconnection, keeping the phone charged to attempt data extraction in the AFU state. However, Detroit law enforcement has reported that seized iPhones are rebooting themselves, disrupting evidence collection efforts. On the flip side, this rumoured code could help victims of theft by making stolen phones harder to compromise.

Pro Tip: If you’re ever at risk of theft or arrest, rebooting your phone can lock it into the more secure BFU state.

Last week, we reported on the #FREEWAIFU campaign, where threat actors expressed outrage over the arrest of cybercriminal "Waifu" by releasing sensitive data with the hashtag. Unfortunately for Waifu, his extradition from Canada to the U.S. has led to an unsealed indictment charging him with 20 counts under various computer misuse laws. The charges are as serious as expected, including unauthorised access, data breaches, and other cybercrime activities. Things are not looking promising for Waifu, who faces a lengthy legal battle and potential jail time.

VULNERABILITY CHAT

A critical authentication bypass vulnerability has been identified in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress. If exploited, it could allow attackers to gain full administrative access to affected sites. Wordfence reports that the flaw, present in versions 9.0.0 to 9.1.1.1, stems from improper error handling in the `check_login_and_get_user` function. This loophole permits unauthenticated attackers to log in as arbitrary users, including administrators, particularly when two-factor authentication is enabled.

Sonatype has disclosed two major vulnerabilities in its Nexus Repository Manager 2.x versions. The company, which released a critical security update on November 13, 2024, stated there are no known active exploits but emphasised the importance of urgent patching due to the vulnerabilities’ severity.

Amazon has confirmed a data breach exposing employee information due to a vulnerability in a third-party vendor’s system. The breach compromised details such as work email addresses, desk phone numbers, and building locations. Amazon spokesperson Adam Montgomery clarified that the incident resulted from a vendor issue, not a direct failure in Amazon’s own security measures.

Ivanti has issued patches addressing over 50 vulnerabilities, including eight classified as critical, in products such as Connect Secure, Policy Secure, and Endpoint Manager. The advisory highlights several high-severity issues in Secure Access Client that could enable privilege escalation, tampering with configuration files, arbitrary folder creation, and denial-of-service (DoS) attacks. Ivanti strongly advises immediate updates to mitigate risks.

WatchTowr Labs has uncovered a new vulnerability named ‘FortiJump Higher’ during attempts to replicate the original FortiJump flaw. The new vulnerability affects FortiManager, Fortinet’s centralised administration tool for FortiGate devices. Researchers consider this issue particularly concerning and advise organisations using FortiManager to stay alert for updates or patches addressing this newly identified threat.

Google Cloud has announced a major expansion in its security transparency efforts by assigning Common Vulnerabilities and Exposures (CVE) identifiers to critical vulnerabilities in its cloud products. This initiative applies even to issues requiring no customer action. Phil Venables, Google Cloud’s CISO, underscored the importance of transparency in countering bad actors, stating, “We will continue to lead and innovate across the community of defenders.”

The cybersecurity agencies of the UK, US, Canada, Australia, and New Zealand (Five Eyes) have released a list of the 15 most exploited vulnerabilities of 2023. The report highlights an increase in attacks targeting zero-day exploits. Jeffrey Dickerson, the NSA's Cybersecurity Technical Director, noted, “Many of these vulnerabilities are new to the top 15 list, though they have been publicly known for some time.”

For more details, view the NSA’s and CISA’s advisories:
NSA Press Release (https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3961769/cisa-nsa-and-partners-issue-annual-report-on-top-exploited-vulnerabilities/) and CISA Cybersecurity Advisory (https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-317a).

Six Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including one affecting Metabase. See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 1,125 vulnerabilities last week, bringing the 2024 total to 34,887. For more information visit https://nvd.nist.gov/vuln/search/

INFORMATION PRIVACY HEADLINES

The Federal Trade Commission (FTC) has cautioned businesses that Data Clean Rooms (DCRs) do not provide a “get-out-of-compliance-free card” for data privacy obligations. In a recent blog post, the FTC highlighted the deceptive nature of the term, stating that DCRs are not physical rooms, do not literally "clean" data, and often raise complex user privacy concerns despite their innocuous-sounding name. Businesses relying on DCRs for compliance or security must still ensure they align with applicable privacy laws. For further details, check the FTC blog post (https://www.ftc.gov/news).

The Brazilian Data Protection Authority (ANPD) has initiated a Public Consultation on Artificial Intelligence (AI) to gather insights for crafting regulations around AI and data privacy. This effort ties closely to the Brazilian General Data Protection Law (LGPD), which grants individuals the right to review automated decisions impacting their interests under Article 20. The consultation aims to balance technological innovation with privacy safeguards, reflecting global trends in AI governance.

The California Privacy Protection Agency (CPPA) has advanced new rules clarifying when insurers must comply with the California Consumer Privacy Act (CCPA) and regulating their use of Automated Decision-Making Technology (ADMT), including machine learning. Notably, the updated regulations extend to the processing of employee and job applicant data—a domain not covered by California’s insurance code. The new guidance reflects increasing scrutiny on automated systems in sensitive sectors.

A recent review by Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD) revealed that approximately one-third of online travel platforms lack clear data retention policies. Conducted between February and October, the assessment examined 10 travel websites and mobile applications. The PCPD recommends platforms adopt default protective settings and assign dedicated staff to monitor compliance with privacy regulations.

The UK Information Commissioner’s Office (ICO) has approved its first sector-specific GDPR Code of Conduct, developed by the Association of British Investigators Limited (ABI). The code provides guidelines for the use of personal data in investigative and litigation support services, ensuring compliance with UK GDPR. This marks a significant step in standardising data protection practices within the investigative sector.

For the full document, visit the ICO site: ABI GDPR Code of Conduct (https://ico.org.uk/media2/ineak105/abi-data-protection-code-of-conduct-v1_0.pdf).


DATA CATEGORIES DISCOVERED

Contact Data, Socio-Demographic Data, Locational Data, Technical Data, Communications Data, Social Relationships Data, Financial Data, Transactional Data.
