Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES

Doxing spree of members that dwell in the cybercrime underworld.

25 November 2024
BREACHAWARE HQ

A total of 41 breaches were found and analysed resulting in 10,337,245 leaked accounts containing a total of 33 different data types. The breaches found publicly and freely available included UUU9, SWVL, Superhry, Pankhuri and Bibo Mart. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

A well-known and feared threat actor, recently involved in a spree of doxing members of the cybercrime underworld, has publicly criticised a VPS (virtual private server) company on their channels. The threat actor highlighted that the VPS provider claims, "We don’t track. Logs are off, analytics are out." However, the company was recently implicated in a phishing campaign and was compelled to provide user information to law enforcement. Details of the case were disclosed on justice.gov, a website managed by the U.S. government.

The case documentation included a heavily redacted PDF from the California district court. Notably, the VPS provider, despite its claims of not retaining logs, was required to hand over a substantial amount of data incriminating the user involved in the phishing campaign. While it's understood that logs within a certain timeframe can be retrieved by authorities, these logs reportedly span several months. The threat actor also revealed that they once accessed the VPS using their real IP address. This revelation serves as a stark reminder—not to elicit sympathy for the threat actor—but to emphasise that online trust can be easily misplaced.

Meanwhile, VX Underground has flagged a potential threat vector stemming from a new Microsoft Teams feature. This feature allows users to clone their voice, enabling them to communicate in foreign languages with their natural tone. While this is a fantastic tool for employees struggling with language barriers, it also opens the door for malicious actors. A convincing imitation of a friendly, enthusiastic entrepreneur could easily be used to gain unauthorised access to systems.

In another development, a controversial email provider has shut down, to the dismay of trolls and those with questionable yet humorous inclinations. The provider, known for domains like c*ck.li and horsef*cker.org, has long been infamous for its ties to fringe online communities such as 4chan and 8chan. Since its inception, the service has had a contentious relationship with law enforcement and mainstream users. In 2015, it gained notoriety when a user issued a “credible” threat to the LA school district, forcing a day-long closure. For years, the email provider operated on donations, maintaining its niche presence.

However, it now appears to have reached its end. A statement displayed on the site last week revealed that donations have dwindled to critical levels. The message also accused law enforcement of conducting illegal surveillance and spreading disinformation about the service.

VULNERABILITY CHAT

A severe security vulnerability has been discovered in 7-Zip, the widely used file compression utility, which allows remote attackers to execute malicious code via specially crafted archives. When users interact with these malicious archives, attackers can execute arbitrary code within the context of the current process, posing a significant security risk.

Over 2,000 Palo Alto Networks PAN-OS firewalls have been targeted following the disclosure and patching of two critical security vulnerabilities earlier this month. Palo Alto Networks, along with its threat intelligence team Unit 42, issued a security advisory warning about active exploitation. These vulnerabilities are considered a significant threat, as attackers could exploit them to gain administrative privileges and deploy malicious payloads.

Apple has confirmed a vulnerability in its devices that allowed remote code execution via web-based JavaScript. This exploit opened an attack vector through which unsuspecting victims could be separated from their cryptocurrency holdings. Researchers from Google's Threat Analysis Group discovered the bug, which involves the processing of maliciously crafted web content and could lead to cross-site scripting attacks.

The Qualys Threat Research Unit (TRU) has identified five Local Privilege Escalation (LPE) vulnerabilities in the needrestart component, installed by default on Ubuntu Server. These flaws allow local users to escalate privileges by executing arbitrary code during package installations or upgrades, as the needrestart utility often runs with root privileges.

Multiple critical vulnerabilities have also been identified in Veritas Technologies' Enterprise Vault software, allowing remote code execution on affected servers. These issues stem from vulnerabilities in the .NET Remoting service used by the application. When Enterprise Vault starts, it initialises several services that listen for commands on random TCP ports. Attackers with network access can exploit these ports to execute malicious code remotely.

A critical zero-day vulnerability has been discovered in AnyDesk, which could expose users’ IP addresses. This flaw presents significant privacy concerns, as it inadvertently reveals sensitive IP information through network traffic, potentially compromising user anonymity.

8 Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including Oracle Agile Product Lifecycle Management (PLM). See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 1,242 vulnerabilities last week, bringing the 2024 total to 36,129. For more information visit https://nvd.nist.gov/vuln/search/

INFORMATION PRIVACY HEADLINES

Australian Prime Minister Anthony Albanese has announced that social media companies will be required to destroy personal data used to verify user ages. This measure is part of a groundbreaking ban aimed at restricting under-16s from accessing social media platforms. However, critics, including Elon Musk, have argued that the legislation could serve as a backdoor for broader government control over internet access in Australia.

The Australian Privacy Commissioner has ruled that hardware retailer Bunnings breached the privacy of potentially hundreds of thousands of Australians by using facial recognition technology in stores. The technology, intended to address theft and improve store safety, scanned every customer upon entry, raising significant privacy concerns.

A new Deloitte Australia report, Privacy Index 2024: A Transparent Tomorrow, reveals a sharp decline in consumer trust regarding how organisations handle personal information. The report attributes this erosion of confidence partly to AI technologies. While 72% of Australia's top brands reference AI, Automated Decision-Making (ADM), or other innovative technologies in their annual reports, only 4% address their use in privacy policies. Read the full report here: https://www.deloitte.com/content/dam/assets-zone1/au/en/docs/services/risk-advisory/2023/deloitte-au-rad-privacy-index-report-2024-181124.pdf

The Organisation for Economic Co-operation and Development (OECD) has introduced the Cryptoasset Reporting Framework (CARF), described by some as CRS 2.0. This regulatory initiative requires Reporting Crypto-Asset Service Providers to submit annual reports on customer transactions to tax authorities in 48 participating countries, including the UK, US, and much of the EU. Critics warn this could pave the way for "ChokePoint 3.0," significantly expanding global oversight of crypto activities and holdings.

Privacy International has criticised biometric devices used by the UK Home Office to monitor migrants, calling them "intrusive and stigmatising by design." The group’s research highlights the negative impact of these non-fitted devices (NFDs) on daily life, mental health, and physical well-being, deeming the technology inhumane.

In Italy, Foodinho, an on-demand delivery app owned by Glovo, has been fined €5 million by the country’s privacy watchdog. The firm unlawfully processed data belonging to over 35,000 riders and has been prohibited from using riders’ biometric data, including facial recognition, for identity verification purposes.

Microsoft faced backlash after its Copilot tool inadvertently exposed sensitive customer information, including CEO emails and HR documents. Although designed to address oversharing and governance concerns, a Microsoft employee acknowledged, "Now when Joe Blow logs into an account and launches Copilot, they can see everything, including the CEO's emails." The incident has raised serious privacy and security concerns for the tech giant.


DATA CATEGORIES DISCOVERED

Contact Data, Socio-Demographic Data, Technical Data, Locational Data, Financial Data, Usage Data, Documentary Data, Social Relationships Data, Special Category, Transactional Data, National Identifiers, Communications Data.
