Industry News: ESG5

The target: Suprema, a South Korean biometrics company.

The take: Unencrypted fingerprint data, facial recognition information and images, which are used to secure sensitive physical locations, user permissions and activity logs. Further to this, an additional 27.8 million records of data which included: client dashboards, usernames, passwords, ID’s, staff security levels and clearances, home addresses and emails; business hierarchies; mobile devices and operating system information.

The attack vector: An unsecured server accessed via web browser. This weakness let attackers manipulate the URL to expose huge amounts of unprotected data. Access to this information would allow: unauthorized changes to existing security settings within organization, lock out staff from their own systems, gain access to physical facilities, set up sophisticated phishing campaigns targeting senior personnel, and alter activity logs.

Read more...

The target: Sark Technologies

The take: Personal information of over 43,000 customers including: names, addresses, phone numbers, email address, encrypted card numbers and cardholder data.

The attack vector: A vulnerability within an image upload function of Sark Technologies’s reservation and management software, SuperINN. This allowed attackers to insert malicious scripts to export customer data to their own pockets. In addition, the hackers also identified another pathway of attack through a vulnerability in a SQL injection, using this to further extract sensitive cardholder data.

Read more...

The target: Capital One Bank

The take: Highly sensitive information of 106 million customers including: 140,000 Social Security numbers, 1 million Social Insurance Numbers for Canadian credit card customers, bank account numbers, credit card application data including scores, balances, limits and payment history, and some of transaction data.

The attack vector: A misconfigured firewall in Capital One’s AWS infrastructure allowed the attacker to clone data housed in cloud storage instances. The attacker employed VPN and anonymized browsing to execute the attack surreptitiously – but was ultimately found out when they bragged about the heist in public Slack channels. Capital One was notified of the breach via an e-mail tip with directions to a public Github repository where the attacker had archived some of the exfiltrated data. 

Read more...

The target: Over 17,000 websites using Amazon’s S3 public cloud storage.

The take: Credit Card payment information and personal data.

The attack vector: MageCart Group perpetrated the hacking campaign which methodically scanned and identified 17,000 unique, misconfigured Cloud Storage buckets. After locating an unsecured cloud storage server, they focused on JavaScript files which they then downloaded, added their card skimming script, and then reuploaded the now infected files.

Read more...

The target: Bitpoint - A Tokyo based cryptocurrency exchange.

The take: 28 million USD total. 24 million were customer assets and 4 million were company assets. All of Bitpoint’s services are now suspended for customers.

The attack vector: Unauthorized access to its hot (stored/accessible online) wallet system through the mismanagement and compromise of user’s private keys. No breach of cold (offline storage) wallets were detected.

Read more...

The target: The American Land Title Association (ALTA)

The take: Usernames and passwords of insurance agents, abstracters and underwriters.

The attack vector: A threat actor claiming to be an ethical hacker who claimed they had access to over 600 records. They also enacted a phishing campaign asking members to open a PDF listing the membership directory to confirm their information.

Read more...

The target: The Georgia Institute of Technology, a public university headquartered in Atlanta

The take: The personal information of 1.3 million employees and students, including names, addresses, social security numbers and dates of birth.

The attack vector: Security failures in a web application allowed attackers to access the connected database and exfiltrate the contained data.

Read more...

The target: Attunity, a company that manages and safeguards data.

The take: Passwords and network information about Attunity as well as emails and technology designs from some of its high-profile customers.

The attack vector: Attunity's cloud storage was improperly configured so the sensitive data was publicly visible in plain text. More than a terabyte of data was left unsecured on Amazon Web Services cloud-computer servers.

Read more...

The target: Desjardins Group, a Quebec-based federation of credit unions.

The take: Personal information for more than 2.7 million individuals and more than 173,00 businesses, potentially including name, date of birth, social insurance number, address, phone number, e-mail address, and ‘details about banking habits’.

The attack vector: Desjardins announced that the breach was not the result of an external cyberattack, but was the result of ‘unauthorized and illegal use of its internal data by an employee who has since been fired.’.

Read more...

The target: United States Customs and Border Security Protection, the largest federal law enforcement agency of the US Department of Homeland Security.

The take: Photos of the faces and license plates of almost 100,000 travellers to have entered and exited the US via a single (unnamed) land border entry port.

The attack vector: A ‘malicious cyberattack’ against federal contractor ‘Perceptics’ led to the images being made available on the dark web, along with other proprietary information.

Read more...