Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES
Peru Breach Exposure Monitoring

One of the largest banks in Peru is reeling after a massive security breach.

04 November 2024
BREACHAWARE HQ

A total of 30 breaches were found and analysed resulting in 9,386,518 leaked accounts containing a total of 32 different data types. The breaches found publicly and freely available included Burger King - Russia, Wongnai, ExVagos 2, LionsCredit and Griffin Capital. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

One of Peru's largest banks is dealing with the fallout from a massive data breach. A 79GB dataset was leaked for free on a major dark-web cybercrime forum, with rumours suggesting this is only a fraction of the breach, potentially totalling up to 3.7 terabytes. The breach has affected approximately 3 million customers, exposing a vast amount of sensitive data. Alongside the leaked data, the attackers shared security recommendations for the bank:

1. Conduct a security audit to identify and address vulnerabilities.
2. Enhance data encryption for all sensitive information.
3. Implement multi-factor authentication (MFA) across customer services.
4. Notify affected customers and advise them on account security.
5. Increase security monitoring to detect and counter unauthorised access attempts.

In other cybersecurity news, Operation Magnus, a joint effort led by Dutch Police, the FBI and international task forces, has made significant progress against the Redline and Meta infostealers. These malware strains, widely used in cybercrime, are typically leased to threat actors who then collect sensitive data such as credentials from infected devices. Estimates indicate Redline has exfiltrated over 170 million plain-text passwords in just the past six months. The investigation began with a tip from Slovak cybersecurity firm ESET, leading to the seizure of key servers and the arrest of a suspect, Russian national Maxim Rudometov, although extradition may be complex as he resides in Russia.

Meanwhile, Russian ransomware group REvil has suffered a major setback. Four of its members were recently convicted and sentenced to a combined 21 years in prison for ransomware distribution and money laundering. The group, infamous for extorting millions from global organisations, avoided targeting Russian companies by embedding code that checks for the Russian language on victims’ systems and self-destructs if it is detected.

In the UK, Information Commissioner John Edwards is calling for greater accountability from organisations over data breaches. New data from the Information Commissioner’s Office reveals that nearly 30 million UK residents have experienced a data breach, with over half (55%) of adults impacted and 30% reporting emotional distress. Alarmingly, 25% of those affected received no support from the responsible organisation, and 32% only found out about the breach through media reports.

VULNERABILITY CHAT

SecurityScorecard and KPMG released a report indicating that two-thirds (67%) of third-party breaches in the energy sector were caused by software and IT vendors. Additionally, third-party risks contribute to nearly half (45%) of breaches in the energy sector, compared to a 29% global rate.

A high-severity unauthenticated privilege escalation flaw was identified and subsequently addressed in the LiteSpeed Cache plugin for WordPress. This vulnerability allowed threat actors to exploit a weak security hash check, potentially enabling brute-force attacks. With this flaw, attackers could abuse the crawler feature to simulate a logged-in user, including an administrator, thereby facilitating privilege escalation and other malicious activities.

A serious security vulnerability was discovered in qBittorrent, affecting versions 3.2.1 through 5.0.0, which allowed attackers to achieve remote code execution (RCE) through multiple attack vectors. This vulnerability stemmed from the software’s acceptance of any certificate—expired, self-signed, or malicious—making it vulnerable to man-in-the-middle (MITM) attacks.

A newly discovered zero-day vulnerability in Windows Themes files exposes users’ NTLM credentials, creating a risk for remote credential theft. This security gap allows attackers to trigger credential leaks simply by having users view a malicious theme file in Windows Explorer, as reported by researchers at ACROS Security.

The US Cybersecurity and Infrastructure Security Agency (CISA) has advised manufacturing companies to apply mitigations after vulnerabilities were identified in Rockwell Automation and Mitsubishi systems. Exploiting these flaws—such as those in Rockwell Automation’s FactoryTalk ThinManager—could enable attackers to send crafted messages that result in database manipulation or denial-of-service conditions.

Over three dozen security vulnerabilities have been disclosed in various open-source artificial intelligence (AI) and machine learning (ML) models, with some enabling remote code execution and information theft. These flaws, found in tools like ChuanhuChatGPT, Lunary, and LocalAI, were reported as part of Protect AI’s Huntr bug bounty program.

0 Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities Catalog last week. See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 900 vulnerabilities last week, bringing the 2024 total to 32,883. For more information visit https://nvd.nist.gov/vuln/search/

INFORMATION PRIVACY HEADLINES

Pixalate has released the Open Programmatic Ads and No Detected Privacy Policy Benchmarks Report for the Apple App Store, part of its series on Privacy Violation Risks in Mobile Apps. The report reveals that over 17,000 mobile apps on the Apple App Store, which are enabled for open programmatic advertising, lack detectable privacy policies. A similar report for the Google Play Store was also released by Pixalate.

Global privacy authorities have issued a follow-up joint statement on data scraping after engaging with major industry players. The Global Privacy Assembly’s International Enforcement Working Group has been in discussions with leading social media platforms, including YouTube, TikTok, Instagram, Threads, Facebook, LinkedIn, Weibo, and X.

The Cyberspace Administration of China (CAC) has introduced two draft regulations for public consultation: the Measures for Labelling Artificial Intelligence-Generated or Synthetic Content (Draft AI Labelling Measures) and the Cybersecurity Technology—Labelling Method for AI-Generated Content (Draft Labelling Method Standard). Both regulations are intended to mitigate deepfake-related risks and to ensure the credibility and authenticity of publicly accessible information.

The New Jersey Data Protection Act (NJDPA) will go into effect on January 15, 2025, making New Jersey the 19th state to adopt a comprehensive data privacy law. Impacted businesses include large online retailers, advertising platforms, social media companies, insurers, and data brokers. These entities should prioritise identifying their New Jersey consumers to ensure compliance, as the law’s forgiveness period expires on July 15, 2025.

In Milan, police have placed four individuals under house arrest and are investigating numerous others in a probe into the alleged illegal access of state security databases by a private investigative firm. The firm reportedly sold confidential data to clients or used it to blackmail businessmen and politicians, including former Milan Mayor Letizia Moratti.

Safaricom has strongly denied allegations of aiding suspected law enforcement-led abductions by sharing customer information with Kenyan police. The statement follows recent claims that the telecom company granted police unrestricted access to sensitive customer data, including Call Data Records (CDRs), allegedly used to track individuals suspected of crimes, thereby infringing on their privacy rights.


DATA CATEGORIES DISCOVERED

Contact Data, Technical Data, Social Relationships Data, Financial Data, Transactional Data, Socio-Demographic Data, National Identifiers, Locational Data, Usage Data, Documentary Data.
