Category Archives: Data Breach


Ferrari confirms data breach after receiving a ransom demand from an unnamed extortion group

Ferrari disclosed a data breach after receiving a ransom demand from an unnamed extortion group that gained access to some of its IT systems.

Ferrari disclosed a data breach after it received a ransom demand from an unnamed extortion group that breached its IT systems. The threat actor claims to have stolen certain client details. The company immediately launched an investigation into the incident with the support of a third-party cybersecurity firm and informed relevant authorities.

“Ferrari N.V. (NYSE/EXM: RACE) (“Ferrari”) announces that Ferrari S.p.A., its wholly-owned Italian subsidiary, was recently contacted by a threat actor with a ransom demand related to certain client contact details.” reads the notice published by the luxury car maker. “Upon receipt of the ransom demand, we immediately started an investigation in collaboration with a leading global third-party cybersecurity firm. In addition, we informed the relevant authorities and are confident they will investigate to the full extent of the law.”

The threat actor had access to a limited number of systems in our IT environment. According to the company, the exposed data includes customers’ names, addresses, email addresses, and telephone numbers. Financial data, such as payment details and bank account information, was not accessed by the attackers.

“As a policy, Ferrari will not be held to ransom as paying such demands funds criminal activity and enables threat actors to perpetuate their attacks.” continues the statement. “Instead, we believed the best course of action was to inform our clients and thus we have notified our customers of the potential data exposure and the nature of the incident.”

In October 2022, the Italian luxury sports car manufacturer confirmed the availability of internal documents online, but said it had no evidence of a cyber attack.

The RansomEXX ransomware group claimed to have stolen 6.99GB of data, including internal documents, datasheets, repair manuals, etc.

At the time of this writing, the statement published by the company suggests that the two events are not linked.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ferrari)

NBA is warning fans of a data breach after a third-party newsletter service hack

The NBA (National Basketball Association) disclosed a data breach after a third-party firm providing a newsletter service was breached.

The NBA (National Basketball Association) is notifying followers of a data breach after a third-party company providing a newsletter service was breached.

The National Basketball Association (NBA) is a professional basketball league in North America composed of 30 teams (29 in the United States and 1 in Canada). It is one of the major professional sports leagues in the United States and Canada and is considered the premier men’s professional basketball league in the world.

NBA launched an investigation into the security breach with the support of external cybersecurity experts to determine the extent of the incident.

The NBA pointed out that its own systems were not impacted. According to the data breach notification sent to fans, the incident affected an unknown number of individuals.

BleepingComputer, which first reported the news, confirmed that some fans’ personal information was stolen.

According to the association, an unauthorized third party accessed and created copies of the names and email addresses of some of its fans. The data breach did not compromise usernames, passwords, and other information.

“We recently became aware that an unauthorized third party gained access to, and obtained a copy of, your name and email address, which was held by a third-party service provider that helps us communicate via email with fans who have shared this information with the NBA,” reads the data breach notification, as reported by BleepingComputer.

“There is no indication that our systems, your username, password, or any other information you have shared with us have been impacted.”

Even though credentials were not exposed in this incident, fans should remain vigilant against phishing attacks and other fraudulent activity that could abuse the exposed information.


Pierluigi Paganini

(SecurityAffairs – hacking, NBA)

Hitachi Energy breached by Clop gang through GoAnywhere Zero-Day exploitation

Hitachi Energy disclosed a data breach: the Clop ransomware gang stole company data by exploiting the recent GoAnywhere zero-day flaw.

Hitachi Energy disclosed a data breach: the company was hacked by the Clop ransomware gang, which stole its data by exploiting the recently disclosed zero-day vulnerability in the GoAnywhere MFT (Managed File Transfer) product.

The company was the victim of a large-scale campaign targeting GoAnywhere MFT devices worldwide by exploiting the zero-day vulnerability.

“We recently learned that a third-party software provider called FORTRA GoAnywhere MFT (Managed File Transfer) was the victim of an attack by the CLOP ransomware group that could have resulted in an unauthorized access to employee data in some countries.” reads the statement published by the company.

“Upon learning of this event, we took immediate action and initiated our own investigation, disconnected the third-party system, and engaged forensic IT experts to help us analyze the nature and scope of the attack. Employees who may be affected have been informed and we are providing support. We have also notified applicable data privacy, security and law enforcement authorities and we continue to cooperate with the relevant stakeholders.”

Hitachi Energy immediately launched an investigation into the incident and disconnected the compromised system. The company reported the data breach to law enforcement agencies and the data protection watchdog.

The company pointed out that neither its network operations nor the security of its customer data has been compromised.

In early February, the well-known investigative journalist Brian Krebs first revealed details about the zero-day on Mastodon and pointed out that Fortra had yet to share a public advisory.

According to the private advisory published by Fortra, the zero-day is a remote code injection issue that impacts GoAnywhere MFT. The vulnerability can only be exploited by attackers with access to the administrative console of the application.

Installs whose administrative consoles and management interfaces are not exposed to the internet are safe; however, security researcher Kevin Beaumont found about 1,000 internet-facing consoles.

Fortra recommends GoAnywhere MFT customers review all administrative users and monitor for unrecognized usernames, especially those created by “system.”

In February, the Clop ransomware group claimed to have stolen sensitive data from over 130 organizations by exploiting a zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT secure file transfer tool, BleepingComputer reported.

Other organizations breached by exploiting the flaw in Fortra’s GoAnywhere MFT secure file transfer product are Hatch Bank, Community Health Systems, and the data security firm Rubrik. At this time, the Clop ransomware group has only added the bank and the data security firm to its list of victims.


Pierluigi Paganini

(SecurityAffairs – hacking, Hitachi Energy)

Security Firm Rubrik breached by Clop gang through GoAnywhere Zero-Day exploitation

Data security firm Rubrik disclosed a data breach: attackers exploited the recent GoAnywhere zero-day to steal its data.

Cybersecurity firm Rubrik disclosed a data breach: a ransomware group stole company data by exploiting the recently disclosed zero-day vulnerability in the Fortra GoAnywhere secure file transfer platform.

The company was the victim of a large-scale campaign targeting GoAnywhere MFT devices worldwide by exploiting the zero-day vulnerability.

Rubrik immediately launched an investigation into the incident with the help of third-party forensics experts.

In early February, the well-known investigative journalist Brian Krebs first revealed details about the zero-day on Mastodon and pointed out that Fortra had yet to share a public advisory.

According to the private advisory published by Fortra, the zero-day is a remote code injection issue that impacts GoAnywhere MFT. The vulnerability can only be exploited by attackers with access to the administrative console of the application.

Installs whose administrative consoles and management interfaces are not exposed to the internet are safe; however, security researcher Kevin Beaumont found about 1,000 internet-facing consoles.

Fortra recommends GoAnywhere MFT customers review all administrative users and monitor for unrecognized usernames, especially those created by “system.”
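Fortra's advice above (repeated in the Hitachi Energy article earlier on this page) amounts to an audit of the administrator list: compare it against what the operators know they created, and treat accounts created by “system” as suspect. The following Python script is an added example, not Fortra's tooling or anything from Hitachi Energy or Rubrik. The export layout (a JSON array with username, created_by, created_at and roles fields) and the sample accounts are constructed assumptions, because GoAnywhere's real export schema is not shown on this page. It flags administrators missing from a known baseline, accounts created by “system”, and optionally accounts created on or after a chosen cutoff such as the start of the suspected exploitation window.

```python
"""Audit an exported MFT administrator list for unrecognized accounts.

Added defender-side example; the record layout is an assumption, not
GoAnywhere's real export format.
"""
import json
from datetime import datetime

# Constructed sample export. Field names (username, created_by,
# created_at, roles) are assumptions for this example.
SAMPLE_EXPORT = """
[
  {"username": "admin",      "created_by": "installer", "created_at": "2021-03-02T09:15:00Z", "roles": ["Security Officer"]},
  {"username": "mft-ops",    "created_by": "admin",     "created_at": "2022-06-14T11:40:00Z", "roles": ["Product Administrator"]},
  {"username": "svc_backup", "created_by": "system",    "created_at": "2023-01-30T03:12:44Z", "roles": ["Security Officer"]},
  {"username": "jdoe",       "created_by": "admin",     "created_at": "2023-02-01T08:00:00Z", "roles": ["Product Administrator"]}
]
"""

# Baseline: administrator accounts the operators know they created and still expect.
KNOWN_ADMINS = {"admin", "mft-ops"}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2023-01-30T03:12:44Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_admins(export_json):
    """Load the exported account records (a JSON array of objects)."""
    return json.loads(export_json)


def audit_admins(accounts, known, cutoff=None):
    """Return (username, reason) findings for accounts that need review.

    An account is flagged when it is missing from the known baseline, when
    it was created by the "system" user (the pattern Fortra warns about),
    or, if a cutoff is given, when it was created on or after that moment
    (for example, the start of the suspected exploitation window).
    """
    findings = []
    for acct in accounts:
        name = acct["username"]
        if name not in known:
            findings.append((name, "not in admin baseline"))
        if acct.get("created_by", "").lower() == "system":
            findings.append((name, "created by 'system'"))
        if cutoff is not None and parse_ts(acct["created_at"]) >= cutoff:
            findings.append((name, "created after cutoff"))
    return findings


if __name__ == "__main__":
    # Constructed cutoff for the demo; use the real start of the incident window.
    cutoff = parse_ts("2023-01-18T00:00:00Z")
    for username, reason in audit_admins(load_admins(SAMPLE_EXPORT), KNOWN_ADMINS, cutoff):
        print(f"REVIEW {username}: {reason}")
```

Every finding is a prompt for a human check against change tickets, not an automatic verdict; the point of the baseline set is that an unexpected privileged account is visible the day it appears rather than when a leak site names the organization.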

According to a statement published by Rubrik, the breach was quickly contained and only impacted a non-production IT testing environment.

“We detected unauthorized access to a limited amount of information in one of our non-production IT testing environments as a result of the GoAnywhere vulnerability. Importantly, based on our current investigation, being conducted with the assistance of third-party forensics experts, the unauthorized access did NOT include any data we secure on behalf of our customers via any Rubrik products.” reads the statement.  

“The current investigation has determined there was no lateral movement to other environments. Rubrik took the involved non-production environment offline and leveraged our own security systems and solutions to quickly contain the threat and help restore our test environment.” 

The company states that the stolen data includes internal sales information, certain customer and partner company information, and a limited number of purchase orders from its distributors. The company pointed out that customer data was impacted by the security breach.

“The involved data mainly consists of Rubrik internal sales information, which includes certain customer and partner company names, business contact information, and a limited number of purchase orders from Rubrik distributors. The third-party firm has also confirmed that no sensitive personal data such as social security numbers, financial account numbers, or payment card numbers were exposed.” continues the statement.

The company disclosed the data breach after the Clop ransomware group added Rubrik to the list of victims on the Tor leak site.

The gang also published samples of stolen documents as proof of the hack.

In February, the Clop ransomware group claimed to have stolen sensitive data from over 130 organizations by exploiting a zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT secure file transfer tool, BleepingComputer reported.

Other organizations breached by exploiting the flaw in Fortra’s GoAnywhere MFT secure file transfer product are Hatch Bank and Community Health Systems. At this time, the Clop ransomware group has only added the bank to its list of victims.


Pierluigi Paganini

(SecurityAffairs – hacking, Moshen Dragon)

Key aerospace player Safran Group leaks sensitive data

Top aviation company Safran Group left itself vulnerable to cyberattacks, likely for well over a year, underlining how vulnerable big aviation firms are to threat actors, according to research by Cybernews.

Original post at https://cybernews.com/security/key-aerospace-player-leaks-sensitive-data/

The Cybernews research team recently discovered that the France-based multinational aviation company, the eighth largest aerospace supplier worldwide, was leaking sensitive data due to a misconfiguration of its systems. The exposure left the company at risk of cyberattacks over an extended period of time.

According to its own estimates, Safran Group’s revenue for 2022 was above €19 billion. It collaborates with Airbus, the second-largest aerospace company globally after Boeing, to manufacture aerospace equipment.

The Safran Group is also involved in developing cutting-edge technologies beyond aviation, such as modules currently in use in the James Webb Telescope, the world’s largest optical telescope in space. Also, the company manufactures surface-to-air defense systems and missiles.

Cybernews reached out to Safran Group regarding the leak researchers found, and at the time of writing, the misconfiguration has been fixed.

The discovery

Researchers found a publicly available environment file used by the beta deployment of the open-source video-calling app Jitsi Meet. The Cybernews team estimates that the file stayed publicly available for around a year-and-a-half, leaving Safran Group vulnerable to potential attacks throughout that time.

The leaked sensitive information included the Laravel app key, JSON Web Token (JWT) key, MySQL credentials, and Simple Mail Transfer Protocol (SMTP) credentials for the “no-reply” email.

The Cybernews researchers highlight that the exposure of these keys and credentials could have made it relatively easy for attackers to gain access to the website’s backend, employee computers, and other servers.

The Laravel app key is a token that helps to keep user browser cookies safe. If threat actors know this token, they can use it to decrypt cookies, which might contain session IDs. Knowing them, a threat actor could hijack the session and therefore the account.

The leak also included the JWT secret key, another type of token, which is usually used for authentication. These tokens can be both for a user, and for an admin. If attackers had access to this key, they could create an admin account and have privileged access to a website.

“The JWT secret key is used to generate and verify JWT tokens in use on that site,” added Cybernews researcher Aras Nazarovas.

Threat actors could also have used the admin accounts to plant web shells – malicious scripts that enable them to compromise web servers and launch additional attacks.

The leaked MySQL database credentials could be used to get into the company’s database stored on the same server and steal information. If hackers took control of systems at the Safran Group, they could move laterally and gain access to confidential documents or even damage its equipment.

If threat actors obtained the SMTP credentials, they could use them to send emails that trick people into giving away sensitive information. The emails would appear, to all intents and purposes, to be legitimate, as they would be sent from the company’s servers.

This could have negatively impacted other aviation companies, stressed Nazarovas.

“Other aviation companies would expect messages from this email, and would be the primary target of this attack, as it was for a video-conferencing application that they likely used before, for meetings with Safran employees,” he said.

Cybernews researchers advise the company to take swift action to mitigate risks and prevent future breaches by rotating the leaked credentials. It is crucial to ensure that the replacement keys have longer bit lengths and are protected with secure encryption/hashing algorithms.

Additionally, the company should consider whether the platform needs to be accessible through the internet or only through a VPN, which would provide an additional layer of security.

Sensitive infrastructure a tempting target

Due to Safran Group’s position in the aviation supply chain, with only one hop between the company and the aircraft builders that use its products, a supply-chain attack could have a far-reaching impact, posing a risk to the company and its customers in the aviation sector.

As the company is developing cutting-edge technologies, it is a substantial target for advanced persistent threat (APT) groups, often associated with nation-states or state-sponsored groups and driven by political or economic motives.

Safran has already been targeted by threat actors. As reported in 2011, the company fell victim to two cyberattacks, which are suspected to be part of an espionage attempt.

The unidentified hackers allegedly attempted to map the company’s computer system between 2009 and 2010. While no serious spying activities were reported, government officials confirmed that there were attempts to do so.

In 2018, Safran is believed to have suffered a cyberattack on its internal network. According to the US government and media reports at the time, hackers believed to be linked to a state security ministry in China collaborated with six hackers and two insiders at a company’s Chinese office to steal jet engine blueprints.

While the authorities did not specifically name Safran, media reporting on the incident said they believed it was “almost certainly” the target of the espionage operation.

Tough times for aviation

The aviation industry had a rough start to the year. In January, an alerting system responsible for notifying pilots and airlines of potential dangers experienced a glitch that resulted in the temporary suspension of domestic flights throughout the US. Some media sources said over 7,800 flights were delayed, and 1,200 were canceled, while others claimed as many as 11,000 in total were disrupted.

The same month, an FBI “No-Fly” list containing around 1.5 million entries was leaked from an unprotected server at CommuteAir airlines. On February 14, Scandinavian Airlines (SAS) suffered a cyberattack that knocked the airline’s website and mobile app offline for multiple hours, with Anonymous Sudan taking responsibility for the attack.

The aviation industry is considered a prime target for cybercriminals due to its critical infrastructure. In recent years, experts have seen a substantial increase in cyberattacks against the industry, which reportedly suffers a ransomware attack every week.

A rising number of state-sponsored and organized crime syndicates are capable of large-scale targeted intrusions to disrupt operations and steal valuable intellectual property.

More on cybersecurity concerns in the aviation sector is available in the original post:

https://cybernews.com/security/key-aerospace-player-leaks-sensitive-data/

About the author: Paulina Okunytė, Journalist at CyberNews


Pierluigi Paganini

(SecurityAffairs – hacking, Safran Group)

LockBit Ransomware gang claims to have stolen SpaceX confidential data from Maximum Industries

The LockBit ransomware group claims to have stolen confidential data belonging to SpaceX from the systems of Maximum Industries.

The LockBit ransomware gang claims to have stolen confidential SpaceX data after hacking the systems of production company Maximum Industries. Maximum Industries is a full-service, piece-part production and contract manufacturing facility.

The ransomware gang hacked the systems of the production firm, which also provides its services to SpaceX, and stole its data, including files of the American spacecraft manufacturer and a satellite communications corporation.

The group claims to have stolen roughly 3,000 “drawings certified by space-x engineers.”

“I would say we were lucky if SPACE-X contractors were more talkative. But I think this material will find its buyer as soon as possible.” reads the message published by Lockbit operators on their Tor Leak site.

“Elon Musk we will help you sell your drawings to other manufacturers – build the ship faster and fly away. and now about the numbers: about 3,000 drawings certified by space-x engineers”

The gang plans to launch an auction in a week.

SpaceX has yet to comment on LockBit’s claims; it is important to highlight, however, that SpaceX itself was not hacked.

The LockBit ransomware gang has been active since 2019 and it is currently one of the most active ransomware operations.

Since the beginning of 2023, LockBit3 added more than 600 victims to its leak site. Below is the list of victims added in the last couple of days:

Source DRM – Dashboard Ransomware Monitor


Pierluigi Paganini

(SecurityAffairs – hacking, LockBit ransomware)

Acronis states that only one customer’s account has been compromised. Much ado about nothing

Acronis downplays the severity of the recent security breach explaining that only a single customer’s account was compromised.

The CISO of Acronis downplayed a recent intrusion, revealing that only one customer was impacted.

This week a threat actor who goes by the online moniker “kernelware” claimed the theft of data from technology firm Acronis and started leaking it on the cybercrime forum Breached Forums.

The threat actor is the same who recently offered for sale the data stolen from Taiwanese multinational hardware and electronics corporation Acer.

The Acronis leak contains multiple certificate files, command logs, system configurations, system information logs, filesystem archives, Python scripts for the company’s maria.db database, backup configuration stuff, screenshots of backup operations,

“Based on our investigation so far, the credentials used by a single specific customer to upload diagnostic data to Acronis support have been compromised. We are working with that customer and have suspended account access as we resolve the issue. We also shared IOCs with our industry partners and work with law enforcement.” said Acronis CEO Kevin Reed. “No other system or credential has been affected. There is no evidence of any other successful attack, nor there is any data in the leak that is not in the folder of that one customer. Our security team is obviously on high alert and the investigation continues.”

The company added that its products were not affected by the security breach and that it is not aware of vulnerabilities affecting its systems.

The threat actors compromised the single account after having obtained its login credentials.

Kernelware pointed out that although Acronis offers data protection services, “they have dogshit security with the slogan “All-in-one Cyber Protection”. Pretty ironic lol.” The threat actor shared a 12.2GB archive containing the stolen files.

Clearly, if the investigation confirms that only a single account was compromised, there is no reason to believe that the company does not have a good security posture.

Much ado about nothing!


Pierluigi Paganini

(SecurityAffairs – hacking, Acronis)

AT&T is notifying millions of customers of data breach after a third-party vendor hack

AT&T is warning some of its customers that some of their information was exposed after the hack of a third-party vendor’s system.

AT&T is notifying millions of customers that some of their information was exposed after a third-party vendor was hacked.

Customer Proprietary Network Information (CPNI) is information related to the telecommunications services purchased by customers, including the number of lines on each account or the wireless plan to which customers are subscribed.

“We recently determined that an unauthorized person breached a vendor’s system and gained access to your “Customer Proprietary Network Information” (CPNI).” reads a data breach communication sent by the company to the impacted customers. “However, please rest assured that no sensitive personal or financial information such as Social Security number or credit card information was accessed.”

The exposed data does not include financial information (e.g. credit card data) or sensitive data (e.g. Social Security numbers, account passwords).

The vendor was hacked in January, and AT&T told its customers that the vulnerability exploited by the attackers has already been fixed. The telco giant added that its own systems were not compromised.

The company has notified federal law enforcement, but the data breach notification does not provide the number of impacted customers.

“Our report to law enforcement does not contain specific information about your account, only that the unauthorized access occurred.” continues the notice.

BleepingComputer reported that approximately 9 million wireless accounts were impacted.

The company recommends that its customers add an “extra security” password protection to their account at no cost.

In August 2021, the ShinyHunters group claimed to have obtained a database containing private information on roughly 70 million AT&T customers, but the company denied that the data had been stolen from its systems.


Pierluigi Paganini

(SecurityAffairs – hacking, AT&T)

BMW exposes data of clients in Italy, experts warn

Cybernews researchers discovered that BMW exposed sensitive files that were generated by a framework that BMW Italy relies on.

Original post at: https://cybernews.com/security/bmw-exposes-italy-clients/

Hackers have been enjoying their fair share of the spotlight by breaching car manufacturers’ defenses. The latest Cybernews discovery showcases that popular car brands sometimes leave their doors open, as if inviting threat actors to feast on their client data.

  • BMW exposed sensitive files to the public
  • Attackers could exploit the data to steal the website’s source code and potentially access customer info
  • BMW secured the data that wasn’t meant to be public in the first place
  • BMW clients should remain vigilant, as home addresses, vehicle location data, and many other kinds of sensitive personal information are collected by the manufacturer

BMW, a German multinational manufacturer of luxury vehicles delivering around 2.5 million vehicles a year, potentially exposed its business secrets and client data.

If a malicious hacker were to discover the flaw, they could exploit it to access customer data, steal the company’s source code, and look for other vulnerabilities to exploit.

The discovery

In February, Cybernews researchers stumbled upon an unprotected environment (.env) and .git configuration files hosted on the official BMW Italy website. Environment files (.env), meant to be stored locally, included data on production and development environments.

Researchers noted that while this information is not enough on its own for threat actors to compromise the website, it could be used for reconnaissance: covertly discovering and collecting information about a system. The data could lead to the website being compromised or point attackers toward customer information storage and the means to access it.

The .git configuration file, exposed to the public, would have allowed threat actors to find other exploitable vulnerabilities, since it contained the .git repository for the site’s source code.

“The discovery illustrates that even well-known and trusted brands can have severely insecure configurations, allowing attackers to breach their systems in order to steal customer information or move laterally through the network. Customer information from such sources is especially valuable for cybercriminals, given that customers of luxury car brands often have more savings that could potentially be stolen,” the Cybernews research team said.

Sensitive files were generated by a framework that BMW Italy relies on – Laravel, a free open-source PHP framework designed for the development of web applications.

In 2017, a vulnerability was discovered in the aforementioned framework. It scored 7.5 out of 10 on the Common Vulnerability Scoring System (CVSS), since attackers can obtain sensitive information such as externally usable passwords by exploiting the flaw. The company might have either used a vulnerable Laravel version or it might have been misconfigured by mistake by someone using an up-to-date version.

Recommendations for BMW

  • Reset the GitLab CI token to avoid .git repository cloning and exploitation of other potential vulnerabilities within the website
  • Reset credentials of MySQL and PostgreSQL databases, change ports and IP of the host to avoid sensitive data leakage
  • Change the ports used by the administrative portals to listen to incoming connections to avoid the exposure of the internal tools and a potential tip-off of hackers on what attacks to launch
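The Safran leak earlier on this page (a Jitsi deployment's .env holding the Laravel app key, JWT secret and database and SMTP credentials) and the BMW Italy case here share one root cause: secrets and repository metadata left inside a public document root. The Python check below is an added example, not code from Cybernews, Safran, BMW or the Laravel project. It builds a throwaway web root from constructed sample files, lists the .env files and .git directories a web server would serve from it, and, following the Cybernews advice that replacement keys need sufficient length, flags APP_KEY and JWT_SECRET values shorter than 32 bytes (the key size Laravel's AES-256-CBC cipher needs, and the minimum RFC 7518 requires for an HS256 JWT secret). The file layout, variable names and sample values are assumptions.

```python
"""Pre-deployment check for secrets left under a public web root.

Added example; not code from Cybernews, Safran, BMW or the Laravel
project. It builds a throwaway web root from constructed sample files.
"""
import base64
import os
import tempfile

# 32 bytes = 256 bits: the key size Laravel's AES-256-CBC APP_KEY needs and
# the minimum RFC 7518 requires for an HS256 JWT secret.
MIN_SECRET_BYTES = 32
SECRET_KEYS = ("APP_KEY", "JWT_SECRET")

# Constructed dotenv content, modelled on the kinds of entries the Safran
# leak contained; none of these values is real.
SAMPLE_ENV = """# constructed sample, not a real file
APP_NAME=meet-beta
APP_KEY=base64:c2hvcnRrZXk=
JWT_SECRET=changeme
DB_PASSWORD="s3cr3t"
MAIL_PASSWORD='also-secret'
"""


def build_sample_root():
    """Create a throwaway document root with an index page, a .env file and a .git directory."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "assets"))
    os.makedirs(os.path.join(root, ".git"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "assets", "app.js"), "w") as fh:
        fh.write("console.log('ok');\n")
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write(SAMPLE_ENV)
    with open(os.path.join(root, ".git", "config"), "w") as fh:
        fh.write("[core]\n\trepositoryformatversion = 0\n")
    return root


def find_exposed_paths(web_root):
    """Return paths (relative to web_root) of .env* files and .git directories.

    Anything under the document root is a candidate for being served verbatim
    unless the web server is explicitly configured to deny it.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        if ".git" in dirnames:
            hits.append(os.path.relpath(os.path.join(dirpath, ".git"), web_root))
            dirnames.remove(".git")  # no need to descend into the repository
        for name in filenames:
            if name.startswith(".env"):
                hits.append(os.path.relpath(os.path.join(dirpath, name), web_root))
    return sorted(hits)


def parse_env(text):
    """Minimal KEY=VALUE parser for dotenv files; skips comments, strips quotes."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        values[key.strip()] = val.strip().strip("'\"")
    return values


def secret_bytes(value):
    """Length of the raw key in bytes. Laravel writes APP_KEY as 'base64:<key>'."""
    if value.startswith("base64:"):
        try:
            return len(base64.b64decode(value[len("base64:"):], validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            return 0
    return len(value.encode("utf-8"))


def weak_secrets(env, keys=SECRET_KEYS):
    """Names of secrets present in env whose raw length is below MIN_SECRET_BYTES."""
    return [k for k in keys if k in env and secret_bytes(env[k]) < MIN_SECRET_BYTES]


if __name__ == "__main__":
    root = build_sample_root()
    for path in find_exposed_paths(root):
        print(f"EXPOSED under web root: {path}")
    for key in weak_secrets(parse_env(SAMPLE_ENV)):
        print(f"WEAK secret: {key} (rotate with at least {MIN_SECRET_BYTES} bytes)")
```

Run it as a CI step against the built artifact before it is deployed; a non-empty finding list should fail the build. Denying dotfiles in the web server configuration is a useful second layer, but the cleanest fix is not to ship .env files or .git metadata into the document root at all.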

What BMW knows about you

  • As per BMW Italy’s website, they collect a treasure trove of user information, including full names, addresses, phone numbers, and email addresses
  • BMW also knows what vehicle you own, has contract details, and your online account’s data that could be used for phishing and/or credential-stuffing attacks
  • BMW knows technical information about your vehicle, and the location of your phone if it has BMW or Mini connected apps installed. This information could even lead to the theft of your vehicle, since the attacker could figure out if you are inside your car or far away from it
  • Since the data was secured by the manufacturer, there’s no need to worry. However, we recommend you stay vigilant at all times, cautiously reviewing any suspicious emails and monitoring your banking information

If you want to know more about car hacking and the mistakes made by car makers, take a look at the original post at

https://cybernews.com/security/bmw-exposes-italy-clients/

About the author: Jurgita Lapienytė, Chief Editor at CyberNews


Pierluigi Paganini

(SecurityAffairs – hacking, BMW Italia)

Acer discloses a new data breach, 160 GB of sensitive data available for sale

Taiwanese multinational hardware and electronics corporation Acer disclosed a data breach after a threat actor claimed to have hacked the company.

Recently a threat actor announced the availability for sale of 160 GB of data allegedly stolen from the Taiwanese multinational hardware and electronics corporation Acer.

The threat actor announced the hack on a popular cybercrime forum and claims to have stolen about 2869 files. The stolen files include confidential product model documentation, binaries, backend infrastructure, BIOS information, and other sensitive data.

The post published by the seller on Breached Forums reads:

The leak contains a total 160GB of 655 directories, and 2869 files. It includes:

  • Confidential slides/presentations
  • Staff manuals to various technical problems
  • Windows Imaging Format files
  • Tons of binaries (.exe, .dll, .bin, etc…)
  • Backend infrastructure
  • Confidential product model documentation and information of phones, tablets, laptops, etc…
  • Replacement Digital Product Keys (RDPK)
  • ISO files
  • Windows System Deployment Image (SDI) files
  • Tons of BIOS stuff
  • ROM files

(honestly there’s so much shit that it’ll take me days to go through the list of what was breached lol)

Acer confirmed the incident and disclosed a data breach; the company said that attackers had compromised one of its servers.

“We have recently detected an incident of unauthorized access to one of our document servers for repair technicians. While our investigation is ongoing, there is currently no indication that any consumer data was stored on that server,” Acer’s representative told Cybernews.

The seller is a reputable member of the forum; he states that he only accepts payments in the Monero cryptocurrency and will only sell through escrow.

The seller added that the data was stolen in mid-February.

In October, the tech giant was hacked twice in a week: the same threat actor (Desorden) initially breached some of its servers in India, then claimed to have also breached some systems in Taiwan.


Pierluigi Paganini

(SecurityAffairs – hacking, acer)