Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES
Toilet Breach Exposure Monitoring

We would rather “eat poop than pay a ransom.”

16 September 2024
BREACHAWARE HQ

A total of 23 breaches were found and analysed resulting in 10,466,698 leaked accounts containing a total of 30 different data types. The breaches found publicly and freely available included Lookiero, Tigo, DOJO, Grastin and OnlineGIBDD. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

Threat actors have breached one of the world’s largest cybersecurity companies, exfiltrating and releasing 440GB of data. It appears they were attempting to extort the company, which allegedly responded by saying they would rather “eat poop than pay a ransom.” The breached company sells secure networking products such as VPN devices, firewalls, and more. The stolen data was taken from a third-party cloud-based shared file drive.

One of our security researchers identified this significant data breach. The company in question operates globally and positions itself as a "leading strategic partner to companies around the world." It generates 22.5 billion euros in revenue and employs over 340,000 people across more than 50 countries. Just a few days ago, a 20GB compressed folder was dumped for free on a notorious cybercrime forum. This breach exposed a variety of sensitive data, including source code, virtual machine logs, API keys, email addresses, and some hashed passwords. The stolen data is circulating widely on the dark web, appearing in both Russian and English-speaking hacker forums.

A team member noted a recent trend of threat actors repackaging old data breaches and selling them to novice hackers (often referred to as "script kiddies") as if they were fresh breaches. These recycled breaches might seem convincing to those unfamiliar with the original incidents. In some cases, the threat actors are charging up to $500 for what is actually publicly available information.

Last week, we reported that Transport for London had suffered a data breach. The National Crime Agency released a brief statement regarding the incident, revealing that a 17-year-old male was detained on suspicion of offences under the Computer Misuse Act in relation to the attack. The teenager was arrested on September 5th. Beyond this, the statement mainly commended everyone involved in the investigation.

VULNERABILITY CHAT

Microsoft has announced fixes for numerous zero-day Windows security vulnerabilities. Meanwhile, Google has released an update to the Chrome web browser addressing four high-severity security issues. It is crucial for all Chrome users, across all platforms, to ensure they have the latest security update downloaded, installed, and activated.

Palo Alto Networks has disclosed a high-severity command injection vulnerability in its PAN-OS software, which could allow authenticated administrators to bypass system restrictions and execute arbitrary code with root privileges on the firewall. This vulnerability has been assigned a severity score of 8.6. While Palo Alto Networks is not currently aware of any malicious exploitation of this issue, it remains a serious concern.

SolarWinds, a leading provider of IT management software, has recently disclosed critical vulnerabilities in its Access Rights Manager (ARM) platform. In response, SolarWinds has released the Access Rights Manager 2024.3.1 update, which addresses these vulnerabilities and includes several bug fixes to enhance the platform’s overall security and functionality.

Ivanti has issued updates to fix multiple security flaws affecting Endpoint Manager (EPM), including 10 critical vulnerabilities that could lead to remote code execution. Although no evidence has been found of these flaws being exploited in the wild as zero-day vulnerabilities, Ivanti urges users to update to the latest version to protect against potential threats.

GitLab has rolled out critical updates to address multiple vulnerabilities, with the most severe allowing attackers to trigger pipelines as arbitrary users under certain conditions. This vulnerability is particularly dangerous due to its potential for remote exploitation, lack of required user interaction, and the low privileges needed for an attack.

A critical flaw has been identified in the multicast traceroute version 2 (Mtrace2) feature of Cisco IOS XR Software, which poses significant risks to network stability and security. The vulnerability stems from improper handling of packet memory by the Mtrace2 code, allowing attackers to send specially crafted packets that could exhaust the device’s incoming UDP packet memory.

A security vulnerability has been discovered in Crucial's MX500 SSDs, potentially leading to data leakage. A user on the TechPowerUp forums identified that the MX500 is vulnerable to a buffer overflow, which causes sensitive data to be exposed. Crucial has yet to officially confirm the vulnerability or specify which firmware versions are affected.

8 Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including one affecting ImageMagick. See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 715 vulnerabilities last week, bringing the 2024 total to 27,717. For more information visit https://nvd.nist.gov/vuln/search/

INFORMATION PRIVACY HEADLINES

Google has introduced 'Confidential Matching,' a new privacy-first solution that allows secure connections of first-party data for audience targeting and campaign measurement. This feature leverages confidential computing technology, with Trusted Execution Environments (TEEs) providing added security by default. TEEs offer technical assurances, such as transparency into the product’s code and "attestation"—proof that the data is being processed correctly.

The Irish Data Protection Commission (DPC) has launched a "cross-border statutory inquiry" into Google’s foundational artificial intelligence (AI) model. The inquiry will assess whether Google has complied with data protection regulations when processing the personal data of European users.

The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (AP), has announced a €290 million fine on Uber Technologies and Uber B.V. for the transfer of drivers’ personal data to the US. Press releases were issued in both Dutch and English. Uber has stated it will appeal the fine.

Meta has confirmed its plans to use public posts from UK-based adult Facebook and Instagram users to train its artificial intelligence systems. The company has committed to making it easier for users to object to having their data used, with more prominent objection forms available on Facebook and Instagram for users who wish to opt out of the program.


DATA CATEGORIES DISCOVERED

Communications Data, Contact Data, Socio-Demographic Data, Locational Data, Technical Data, Social Relationships Data, Financial Data, Usage Data, Documentary Data, Transactional Data.
