Cybersecurity Breaches: Recent High-Profile Cases in the month of January 2025

Ransomware attack on New York Blood Center forces workarounds, drive cancellations

One of the largest independent blood centers serving over 75 million people across the U.S. has been hit by a ransomware attack, forcing officials to reschedule blood drives and implement workarounds.

New York Blood Center Enterprises said its team discovered suspicious activity affecting the organization’s IT system on Sunday, and third-party cybersecurity experts later confirmed it was a ransomware incident.

Law enforcement has been contacted and New York Blood Center said it is working on containing the threat.

Chinese hackers breach US Treasury in ‘major’ cyber attack

The US Treasury has been hacked by suspected Chinese actors who accessed government workstations and unclassified documents, officials said.

The department made the revelation on Monday after being notified on 8 December by third-party software provider BeyondTrust that the hackers had obtained a security key used to get past the vendor’s security measures, The Washington Post reported.

The Treasury notified the Senate Banking Committee of the breach in a letter viewed by several media outlets. It called the breach a “major incident”.

UK’s Smiths Group faces cybersecurity breach

Smiths Group on Tuesday reported a cybersecurity incident involving unauthorized access to its systems and said that it has taken immediate action by isolating the affected systems and implementing its business continuity plans.

The breach was detected as soon as the unauthorized activity was noticed, the company said in a press release, adding that it is taking measures to ensure compliance with all relevant regulatory requirements.

UnitedHealth says ransomware attack on Change Healthcare impacted 190m individuals

U.S. healthcare company UnitedHealth has revealed that the data security incident it suffered last year compromised the sensitive personal information of 190 million individuals.

Headquartered in Nashville, Tennessee, Change Healthcare, a subsidiary of the UnitedHealth Group, said that in February, it experienced enterprise-wide connectivity issues due to which certain applications were not functioning. The company later said the outage occurred due to a “cyber security issue” and that operational disruption could last throughout the day.

Later, in another statement, Change said the impact of the cyber attack was restricted to its internal systems and all other systems across UnitedHealth Group, its parent company, were operational.

PowerSchool data breach: Explaining how it happened

On Dec. 28, 2024, PowerSchool said it first discovered unauthorized access to its systems. According to PowerSchool, the initial attack vector was the company’s community-focused customer support portal, PowerSource.

The breach allowed hackers to access the PowerSchool Student Information System (SIS), a central database containing a wealth of student and staff data.

PowerSchool didn’t begin to communicate with customers about the data breach until Jan. 7, 2025.

PowerSchool hired cybersecurity vendor CrowdStrike to help investigate the alleged attack. PowerSchool paid some form of fee to the attackers to keep the data from being released. Because the payment was made to have the threat actors destroy the stolen data, the incident is classed as an extortionware event rather than a conventional ransomware encryption attack.

Hackers Stole $85 Million Worth of Cryptocurrency from Phemex

Phemex, a cryptocurrency exchange based in Singapore, suffered a significant cyberattack that resulted in the theft of $85 million worth of digital assets.

The attack was detected at 11:30 UTC when unusual activity was observed in Phemex’s hot wallets. The attackers exploited vulnerabilities to drain assets across multiple blockchains, including Ethereum, Solana, Bitcoin, and Binance Smart Chain.

Phemex promptly suspended all deposit and withdrawal services following the breach. A Proof of Reserves (PoR) was released to assure users of the platform’s financial stability.

PayPal Hit With $2 Million Fine For Cybersecurity Failures

The New York State Department of Financial Services (NYDFS) investigation revealed multiple lapses in PayPal’s compliance with the state’s cybersecurity framework, including:

  • Unqualified Cyber Security Personnel: PayPal failed to employ adequately trained personnel to oversee critical cybersecurity functions.
  • Lack of Training: Teams responsible for implementing the IRS Form 1099-K changes were not trained on PayPal’s application development processes.
  • Weak Access Controls: The company did not enforce multifactor authentication (MFA) or implement CAPTCHA or rate-limiting controls to prevent unauthorized access.
  • Policy Deficiencies: PayPal lacked robust written policies addressing access controls, identity management, and data protection.

NYDFS Superintendent Adrienne Harris criticized PayPal for failing to implement basic protections like MFA and CAPTCHA, which could have mitigated the breach.

ICICI Bank Faces Potential Data Breach; Suspected Ransomware Group ‘BASHE’ Involved

The Bashe hacking group, known for targeting high-value businesses, allegedly accessed confidential data belonging to ICICI Bank. While the bank has not publicly acknowledged the breach, the claim has gained attention on dark web forums, where Bashe operates.

The group posted a timer counting down to the deadline and offered an option for ICICI Bank to “buy the data immediately.”

Email Bombing, ‘Vishing’ Tactics Abound in Microsoft 365 Attacks

Sophos X-Ops’ Managed Detection and Response (MDR) team is warning of ransomware attacks that combine email bombing with tech-support impersonation (otherwise known as vishing) through Microsoft Office 365.

These attacks are tied to two separate threat groups, which Microsoft began investigating in response to customer incidents in November and December 2024. The threat groups are tracked as STAC5143 and STAC5777.

STAC5777 overlaps with a group previously identified by Microsoft as Storm-1811, while STAC5143 is using tactics from an old Storm-1811 playbook.

According to Sophos MDR, there have been more than 15 incidents involving these tactics in the past three months, half of them occurring just in the last two weeks.

Hackers impersonate Ukraine’s CERT to trick people into allowing computer access

Ukrainian researchers have identified a new cyber campaign in which attackers posed as tech support from Ukraine’s computer emergency response team (CERT-UA) to gain unauthorized access to victims’ devices.

The intruders used AnyDesk, a legitimate remote desktop application, to establish remote access to victims’ computers over the internet, according to CERT-UA’s latest report.

The hackers, whose identities remain unknown, sent connection requests via AnyDesk, claiming they were conducting a “security audit.”

CERT-UA confirmed that, in certain cases, it may use remote access tools like AnyDesk to assist victims in responding to cybersecurity incidents. However, this is done only “with prior agreement and through pre-approved communication channels,” the agency said.

“The attackers are once again using social engineering tactics that rely on trust and exploit authority,” researchers added.

CERT-UA didn’t provide many details about this campaign or the threat actor behind it, but stated that it is likely the victim’s AnyDesk identifier was previously compromised, including on other computers where such remote access was once authorized.

Chinese AI Giant DeepSeek Hit by Cyber Attack Impacting Registrations

China-based AI company DeepSeek has been hit by a cyber attack. The company confirmed the intrusion on its daily status page, with the latest update mentioning a “large-scale malicious attack” targeting its services.

The DeepSeek security incident has temporarily halted new registrations. Existing users are not affected and can log in as usual. The source of the attack and the extent of the damage remain unknown at this time.

Based on the status updates page, DeepSeek web services were unavailable on January 14. However, the issue was resolved the same day. On January 26, DeepSeek R1 API experienced issues, which were also marked resolved later that day.

Cyber incident that closed British Museum was inside job

A disgruntled insider appears to have been behind a security incident at the British Museum, which forced the 270-year-old institution to partially close its doors over the weekend of 25 and 26 January following disruption to core IT systems.

The incident shuttered two of the museum’s ongoing special exhibitions, one on the history of the ancient Silk Road trading network connecting Asia and Europe, and one on the prints of Pablo Picasso, after key systems including the museum’s ticketing platform were disrupted.

“An IT contractor who was dismissed last week trespassed into the museum and shut down several of our systems,” a spokesperson for the museum said. “Police attended and he was arrested at the scene.

“With regret, our temporary exhibitions were closed over the weekend – ticket holders were alerted and refunds offered.”

The British Museum told Computer Weekly that all of its exhibitions and facilities have now reopened.

Federal Trade Commission cracks down on GoDaddy for cybersecurity failings

GoDaddy’s failure to use industry standard security measures led to what the FTC called “several major security breaches” between 2019 and 2022. The agency also alleges that GoDaddy deceived its customers about how adequately it safeguards its web hosting product.

Consumers were sent to malicious websites and otherwise harmed after hackers broke into GoDaddy customers’ websites and accessed data, the agency said.

City Bank data breach: Client financial statements sold on underground forums

In a recent cybersecurity breach in Bangladesh, City Bank PLC has had sensitive client financial statements exposed and sold on underground hacking forums, according to a recent blog post by the Bangladesh Cyber Security Intelligence (BCSI).

According to BCSI, the breach was facilitated by technical flaws in session management. Attackers bypassed weak multi-factor authentication (MFA) because of inadequate session handling: once logged in, previously authenticated sessions could be reused to access other customers’ accounts.

“With full assurance we can inform our customers that such incidents will not take place again,” City Bank said in its official statement on the issue.

Google Has Blocked 2.28 Million Malicious Apps From Entering the Play Store

Google announced today it blocked a record 2.28 million policy-violating apps from entering the Play Store in 2023, leveraging advanced machine learning, stricter developer vetting, and cross-industry collaborations to combat evolving cyberthreats. 

The milestone underscores efforts to uphold its SAFE principles (Safeguard Users, Advocate for Developer Protection, Foster Responsible Innovation, Evolve Platform Defenses), which anchor its security strategy.

Pune Retired Banker Falls Victim to Insurance Fraud, Loses Rs 2.22 Crore

A 62-year-old retired bank manager from Pune became the victim of a massive cyber fraud, losing ₹2.22 crore over several months. Scammers posing as government officials tricked the individual into purchasing multiple insurance policies by promising high returns.

How the Fraud Took Place

The scam began in late 2023 and continued for several months. The victim received calls from individuals claiming to be officials from reputed financial and government institutions, including the Ministry of Finance, the Insurance Regulatory and Development Authority of India (IRDAI), and the National Payments Corporation of India (NPCI).

To appear trustworthy, the fraudsters used the names of well-known personalities and fake designations. They convinced the victim that these insurance policies would offer significant maturity benefits, leading them to invest large sums of money.

WhatsApp says journalists and civil society members were targets of Israeli spyware

Nearly 100 journalists and other members of civil society using WhatsApp, the popular messaging app owned by Meta, were targeted by spyware made by Paragon Solutions, an Israeli maker of hacking software, WhatsApp alleged.

The journalists and other civil society members were alerted to a possible breach of their devices, with WhatsApp telling the Guardian it had “high confidence” that the 90 users in question had been targeted and “possibly compromised”.

It is not clear who was behind the attack. Like other spyware makers, Paragon’s hacking software is used by government clients and WhatsApp said it had not been able to identify the clients who ordered the alleged attacks.

Monthly Round Up for the month of December 2024

Deloitte UK Reportedly Cyberattacked for 1 TB of Sensitive Data by Ransomware Group

The Brain Cipher ransomware group has reportedly claimed responsibility for a cyberattack on Deloitte UK, alleging that it exfiltrated more than 1 terabyte of compressed data, including sensitive client information and internal documents. Deloitte has not confirmed the breach, leaving the claim unverified. If confirmed, the breach could have serious implications for Deloitte’s clients and its professional reputation, and it underscores the critical need for robust cybersecurity measures in today’s digital landscape.

AWS launches a new service to tackle cybersecurity incidents

Amazon Web Services (AWS) has launched an incident response service with automated features. This service helps organizations manage security events, including data breaches and ransomware attacks. Introducing the new service, AWS said that its Security Incident Response automates the preliminary assessment and investigation of security findings. These findings come from Amazon GuardDuty, the company’s threat detection service, alongside third-party threat detection tools. It also provides 24/7 access to security experts from the AWS Customer Incident Response Team.

Telecom hit by massive cyberattack … over 400 000 files ‘leaked’

On 11 December 2024, Telecom Namibia fell victim to a ransomware attack. A group known as Hunters International allegedly orchestrated this attack. This ransomware-as-a-service operation exfiltrated an estimated 626.3GB of data, comprising 492,633 files. Yesterday, Communications Regulatory Authority of Namibia (Cran) CEO Emilia Nghikembua said the regulator takes cybersecurity very seriously. “Through the Namibia Cyber Security Incident Response Team (NAM-CSIRT), Cran promptly responded upon identifying the attack. They continue to support the affected operator in mitigating its impact,” she added.

Volkswagen Data Breach: 800,000 Electric Car Owners’ Data Leaked

Volkswagen has inadvertently exposed the personal information of 800,000 electric vehicle owners, including their location data and contact details.

The breach occurred due to a misconfiguration in the systems of Cariad, VW’s software subsidiary. As a result, sensitive data stored on Amazon Cloud was publicly accessible for months.

The exposed information included precise GPS data. This data allowed for the creation of detailed movement profiles of the vehicles and their owners.

This breach compromised the privacy of everyday citizens. It also affected high-profile individuals such as politicians, business leaders, and law enforcement officers.

The breach was discovered by the Chaos Computer Club (CCC), a German hacker group known for its ethical hacking practices. The CCC promptly informed Volkswagen of the vulnerability, which allowed the company to address the issue before it could be exploited maliciously.

This incident underscores the growing concerns over data privacy in the automotive industry, where connected vehicles are becoming increasingly common.

Ransomware attack on Rhode Island health system exposes data of hundreds of thousands

Rhode Island is grappling with the fallout of a significant ransomware attack that has compromised the personal information of hundreds of thousands of residents enrolled in the state’s health and social services programs. Officials confirmed the attack on the RIBridges system—the state’s central platform for benefits like Medicaid and SNAP—after hackers infiltrated the system on December 5, planting malicious software and threatening to release sensitive data unless a ransom is paid.

Governor Dan McKee, addressing the media, called the attack “alarming” and urged residents to take immediate precautions to protect their information. Compromised data includes Social Security numbers, banking details, addresses and dates of birth. “This breach is a stark reminder of the vulnerabilities in government IT systems,” McKee said. “We are working with Deloitte and law enforcement to contain the damage and restore public trust.”

RBI Imposes Rs51.40 Lakh Penalty on 5 Cooperative Banks

The Reserve Bank of India (RBI) has imposed a penalty of Rs51.40 lakh on five cooperative banks for non-compliance with the directions issued by the banking regulator. The highest penalty of Rs36.40 lakh has been imposed on Punjab Gramin Bank.

The other banks penalised by RBI are Yavatmal Urban Cooperative Bank Ltd from Maharashtra, Kaithal Central Cooperative Bank Ltd from Haryana, Prime Cooperative Bank Ltd from Gujarat, and Kolikata Mahila Cooperative Bank Ltd from West Bengal.

These directions include limiting customers’ liability in unauthorised electronic banking transactions and implementing a basic cybersecurity framework for urban cooperative banks (UCBs) under a graded approach.

RBI found that Prime Cooperative Bank failed to implement specific cybersecurity control measures required by RBI’s prescribed framework.

SEBI Imposes INR 10 Lakh Penalty on Stockholding Services for Multiple Regulatory Violations

Market regulator Securities and Exchange Board of India (SEBI) has imposed a fine of INR 10 lakh on Stockholding Services Ltd, formerly SHCIL Services Ltd. This is due to several violations of the SEBI (Stock Brokers) Regulations and related circulars.

Stockholding Services also failed to ensure accurate reporting of its cybersecurity framework, particularly in relation to the details of the chief information security officer (CISO) required by CERT-In. Although the firm claimed compliance, it was found to have violated SEBI circulars related to cybersecurity.

Link Intime India Fined INR 1 Lakh for Cybersecurity Lapses

Market regulator Securities and Exchange Board of India (SEBI) has imposed a penalty of INR 1 lakh on Link Intime India Pvt Ltd, a registrar to an issue and share transfer agent (RTA), for failing to comply with cybersecurity regulations.

SEBI’s inspection revealed significant lapses in cybersecurity compliance, including 62 unresolved vulnerabilities identified in a vulnerability assessment and penetration testing (VAPT) audit. These vulnerabilities, comprising nine critical and 17 high-risk issues, were not addressed within the mandated three-month period.

Domain 1 – Cloud Computing Concepts & Architectures

Definition of Cloud Computing
NIST (SP 800-145) Defines Cloud Computing:

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Abstraction & Orchestration

Cloud environments rely on abstraction and orchestration to manage resources. For example, abstraction involves creating virtual machines (VM) from physical servers, while orchestration automates and coordinates the provisioning of these VMs and their networking to cloud service customers.

Cloud Computing Models
Cloud Characteristics

Resource Pooling – Resources are pooled and consumers are granted access to the pool. Each consumer’s access is tightly isolated from other consumers’ access, typically based on policies set by the provider.

Broad Network Access – Resources are hosted in a cloud environment and are accessible from a wide range of locations and devices.

Rapid Elasticity – The ability of consumers to scale resources up or down based on demand, often automatically.

Measured Service – The customer is charged only for what they use and nothing more.

On-demand Self-service – Customers can scale their compute and/or storage needs themselves, in real time, with little or no intervention from the provider and no need for prior communication with the provider.

ISO/IEC lists six characteristics of cloud computing. Five are the same as those given by NIST; the sixth is multi-tenancy.

Multi-tenancy – A mode of operation in which multiple individual tenants, such as companies sharing a public cloud, operate in a shared environment. The tenants are logically isolated but physically integrated.

Types of Information

Based on Sensitivity

  1. Public Data
    • Information that is not confidential and can be freely shared.
    • Examples: Marketing materials, press releases.
  2. Internal/Private
    • Information intended for internal use within an organization.
    • Examples: Company policies, internal communications.
  3. Confidential
    • Sensitive information that requires restricted access to authorized personnel.
    • Examples: Customer data, financial records.
  4. Restricted/Highly Confidential
    • Highly sensitive information with strict access controls.
    • Examples: Trade secrets, encryption keys.

Based on Regulatory Requirements

  1. PII: Personally Identifiable Information
    • PII is information that, when used alone or combined with other relevant data, can identify an individual.
    • E.g. name, date of birth, SSN, passport information, biometric information, etc.
  2. PHI/EPHI: Protected Health Information
    • PHI applies to healthcare providers, health plans and insurers, and businesses connected to healthcare organizations.
    • E.g. health records and histories, lab or test results, prescriptions, patient forms, medical bills, and provider or patient communication records.
  3. Regulated, Business, Confidential, and High-Risk Data
    • Requires organizations to consider how they treat regulated data, business data, confidential data, and high-risk data.
    • E.g. intellectual property (IP), including trade secrets, patents, copyrights, and trademarks; financial and health data; personal information; and shadow servers or data streams.

Monthly Round Up for the month of November 2024

Insurance Administrator Landmark Admin Ransomware Data Breach Impacted Over 800,000 People

Landmark Admin, a third-party insurance administrator, has confirmed a data breach. The May 2024 ransomware attack affected nearly one million customers. “The forensic investigation determined that data was encrypted and infiltrated from Landmark’s system,” the company said.

Canada faces a cybersecurity crisis with critical infrastructure at risk

From energy grids to health-care systems, our nation’s most essential assets face a growing range of sophisticated threats. These threats come from both state and non-state actors.

500,000 Ohio Residents Exposed In Data Breach

A July ransomware attack on the city of Columbus, Ohio, exposed the personal information of approximately 500,000 residents, making it one of the most substantial cyber attacks involving a U.S. city. The attack is attributed to the Rhysida ransomware group and has drawn attention both for the extent of the data stolen and for the controversial response from city officials.

Cyberattack on American Water: A warning to critical infrastructure

American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks.

Hacker Behind Snowflake Data Breach Arrested in Canada

Authorities in Canada have arrested a man suspected of being the hacker responsible for this year’s wave of data breaches involving Snowflake, a popular cloud-based data platform.

The arrest marks a significant breakthrough in high-profile cyberattacks affecting major companies, including AT&T, Ticketmaster, and LendingTree.

The hacker, who uses the pseudonyms “Judische” and “Waifu” online, is believed by authorities to be linked to more than 165 breaches of Snowflake instances.

SETU Confirms Cyberattack on Waterford Campus, Classes Set to Resume with Limited Services

Ireland’s South East Technological University (SETU) has disclosed a cybersecurity incident affecting its Waterford campus that has temporarily halted classes and disrupted IT services. The university’s internal IT team is working with external cybersecurity experts to resolve the issues caused by the attack and minimize disruption.

Cyber-Attack on Microlise Disrupts DHL and Serco Tracking Services

A cyber-attack on telematics provider Microlise disrupted tracking services for key clients such as DHL and Serco and exposed some employee data.

The company, which supplies asset-tracking software to large corporations, announced the breach on October 31. Following the disclosure, Microlise’s stock price dropped by 16%. The company has been working to restore its systems by the end of the week.

The attack compromised “some limited employee data,” according to Microlise’s statement to the London Stock Exchange. The company has indicated that customer data was not affected.

Schneider Electric investigating cyber intrusion after threat actor gains access to platform

  • Schneider Electric said on Monday that it is investigating a cyber incident, following claims by a suspected threat actor who alleges gaining access to company data.
  • A spokesperson for the French multinational, which has extensive operations in the U.S., said the incident involved “unauthorized access to one of our internal project execution tracking platforms,” which is hosted within an isolated environment.
  • The company immediately mobilized its global incident response team. The spokesperson said the company’s products and services were not affected by the incident.

Newpark Resources hit by ransomware; activates cybersecurity response

Texas-based oilfield services supplier Newpark Resources detected a ransomware attack by an unauthorized party accessing internal systems. The company activated its cybersecurity response plan and began investigating with external advisors to assess and contain the threat. However, the ransomware incident disrupted access to some of the company’s information systems and business applications. Manufacturing and field operations continued using downtime procedures.

Newpark Resources disclosed the breach in an SEC filing last week: “On October 29, 2024, the Company detected a ransomware cybersecurity incident (‘Incident’). An unauthorized third party gained access to certain of the Company’s internal information systems.” “Upon detection, the Company activated its cybersecurity response plan. The Company launched an investigation internally. They received support from external advisors to assess and to contain the threat.”

Cyberattack on Microlise hits operators triggering call for stronger continuity plans

Europa Worldwide has warned that third-party cyber attacks present a challenge for all logistics operators: even operators vigilant about security breaches face difficulties from attacks like the one that hit Microlise services last week.

IT experts continued to secure the systems affected by the Halloween attack, which left Microlise’s tracking system disabled. Europa told Motor Transport that mitigating third-party incidents is particularly difficult because of how far such incidents reach across the supply chain.

Chinese Hackers Breach Telecom Security

Experts reveal vulnerabilities exploited during attacks on personal devices of high-profile individuals

Chinese hackers have been making headlines lately, gaining notoriety for their increasingly bold operations targeting telecommunications networks around the globe. The most recent reports indicate a significant breach involving the personal devices of high-profile individuals, including former President Donald Trump. This alarming development highlights vulnerabilities within telecom infrastructure, raising concerns over the security of personal communications.

Experts have pointed out serious flaws within various telecommunications companies, including those operating in Australia, that could leave them susceptible to this type of breach. The hacking attempts involved threat actors linked to the Chinese state who not only stole data but also aimed to monitor communications, prompting discussion of the security protocols currently employed by telecom operators.

CrowdStrike’s massive IT outage: Wake-up call for businesses to rethink cybersecurity and insurance

In July 2024, CrowdStrike, a cybersecurity leader, conducted a routine software update. This update unexpectedly caused a massive IT outage. The outage rippled through industries worldwide. Over eight million computers were impacted, and sectors as varied as banking, healthcare, media, and aviation saw halted operations. Although this incident resulted from a software glitch, not a malicious cyberattack, it raised critical questions for businesses. How do they handle digital risks? How ready are they to recover when unforeseen disruptions strike?

CrowdStrike acted quickly to manage the issue, yet the outage highlighted a sobering reality—no system is completely immune to errors. Today’s businesses need to rethink their approach in terms of cybersecurity. They must also consider comprehensive insurance coverage that addresses the complexity of today’s digital landscape.

Nokia Security Breach Leaks Source Code, Login Credentials, Keys and More; Hacker Sells Data To Special Buyers

The threat actor claims the stolen data includes SSH keys and source code files. It also includes RSA keys, BitBucket logins, SMTP accounts, webhooks, and hardcoded credentials. The compromised repository also contained Python source code as well as JavaScript, JSON, and PHP files.

Besides exposing the company’s internal secrets, threat actors could reveal product security vulnerabilities. They could abuse exposed credentials to carry out more cyber attacks. Compromised credentials are among the top causes of potent cyber attacks, including ransomware.

Amazon Confirms Data Breach Linked to MOVEit Vulnerability

Amazon has confirmed a data breach involving employee information. A third-party vendor’s vulnerability caused this breach. The vulnerability exposed contact details like work email addresses, desk phone numbers, and building locations.

Amazon attributed the breach to the widely exploited vulnerability in the MOVEit file transfer software, developed by Progress Software. Amazon reassured customers that its internal systems, including Amazon Web Services (AWS), remained uncompromised.

Maxar Space Systems Suffers Data Breach, Hackers Gain Unauthorized Access

Maxar Space Systems, a leading provider of space technology and geospatial intelligence, has recently fallen victim to a significant cybersecurity incident.

On October 11, 2024, the company’s information security team discovered that a hacker operating from a Hong Kong-based IP address had accessed a Maxar system containing sensitive employee data.

The breach, which is believed to have lasted for approximately one week before detection, exposed various categories of personal information.

Affected data includes home addresses, social security numbers, business contact details, employee numbers, job titles, and employment dates.

However, the company has confirmed that no bank account information or dates of birth were compromised in the incident. Researchers at IDX noted that once Maxar discovered the unauthorized access, it immediately took action to prevent further intrusion and secure its systems.

T-Mobile hit by alleged Chinese cyber attack in major data breach

T-Mobile has confirmed a significant cyber attack. Chinese state-sponsored hackers allegedly carried out the attack. This marks the latest in a series of breaches targeting major telecom providers globally.

The breach was disclosed on November 16. Initial investigations reveal the attackers gained unauthorised access to the company’s systems. They exposed sensitive customer data and internal communications.

The attack has been linked to advanced persistent threat (APT) groups with alleged ties to the Chinese government.

Starbucks Hit by Ransomware Attack Via Third-party Software Supplier

A ransomware attack hit Blue Yonder, a critical supply chain management software provider. The attack forced Starbucks to revert to manual processes for managing employee schedules and payroll systems.

The incident, which began on November 21, 2024, has not affected customer service or store operations.

Store managers are now using pen and paper to track employee hours, as the attack disrupted the company’s back-end scheduling and time management processes.

Vulnerability Management

Vulnerability Management is not a single scan or a one-time project. It is an ongoing “program” that organizations run to continuously identify vulnerabilities and then address them in appropriate ways. It can contain many different projects, such as:

  • Identifying assets that should be tested
  • Risk assessment
  • Information management
  • Vulnerability assessment
  • Incident response planning
  • Remediating the found vulnerabilities
  • Verifying that the vulnerabilities have been fixed
  • Etc.

What, Why and How?

It is the process of identifying, analyzing and ranking vulnerabilities.

  • No exploitation of vulnerabilities
  • Mostly automated but can be done manually
  • Vulnerability Scanning: Vulnerability Scanning is the process of using Vulnerability Scanners. These are automated tools that scan or inspect a given system. They identify potential harmful vulnerabilities, misconfigurations, or flaws in it. Apart from identifying weaknesses, it can also predict the effectiveness of countermeasures. Of course, since it is done by using automated tools, it may sometimes give inaccurate results.
    Examples of Vulnerability Scanning software: Nessus, OpenVAS, Nexpose, etc.
  • Vulnerability Assessment: Vulnerability Assessment is not actually a scan. It is a one-time project with a defined start and end date. Usually, an external Information Security Consultant will review your corporate environment and identify a variety of potentially exploitable vulnerabilities. These vulnerabilities are presented to you in a detailed report, which will not only list the identified vulnerabilities but also provide actionable recommendations for remediation. Once the final report is delivered, the vulnerability assessment ends.
    During such a project, you might do both kinds of activities:
    • Vulnerability Scanning (which is the Automated part)
    • Manual Vulnerability Identification (which is the Manual part)

So, as you can see, vulnerability scanning is just a part of the overall process during a vulnerability assessment project.
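The ranking, scoping, false-positive handling and remediation verification described above (and in the list of program activities) can be tied together in a small tracker. This is an added example, not code from the original page; the asset names, check ids and CVSS values are constructed sample data, and the risk formula (CVSS-based likelihood times asset criticality) is one common approach, not a standard.

```python
"""Added example: rank scanner findings by risk and verify remediation on a rescan.
Asset names, check ids and CVSS values are constructed sample data, not real findings."""
from dataclasses import dataclass

# Asset inventory: business criticality (1 = low, 5 = crown jewels) and agreed scope.
ASSETS = {
    "web-01":   {"criticality": 5, "in_scope": True},
    "build-02": {"criticality": 2, "in_scope": True},
    "lab-03":   {"criticality": 1, "in_scope": False},  # never tested or ranked
}

@dataclass(frozen=True)
class Finding:
    asset: str
    check: str            # scanner check id (constructed)
    cvss: float           # base score as reported by the scanner
    exploit_public: bool  # a public exploit raises likelihood

def risk_score(f: Finding) -> float:
    """Risk = likelihood x impact: CVSS scaled to 0..1 (x1.5 with a public exploit)
    times asset criticality, so a 9.8 on a low-value box can rank below a 7.5 on a crown jewel."""
    likelihood = f.cvss / 10.0 * (1.5 if f.exploit_public else 1.0)
    return likelihood * ASSETS[f.asset]["criticality"]

def rank_findings(findings, confirmed_false_positives=frozenset()):
    """Drop out-of-scope assets and analyst-confirmed false positives; rank highest risk first."""
    kept = [f for f in findings if ASSETS[f.asset]["in_scope"]
            and (f.asset, f.check) not in confirmed_false_positives]
    return [(f.asset, f.check) for f in sorted(kept, key=risk_score, reverse=True)]

def verify_remediation(baseline, rescan):
    """Diff two scans of in-scope assets: fixed = gone, open = still present, new = appeared."""
    before = {(f.asset, f.check) for f in baseline if ASSETS[f.asset]["in_scope"]}
    after = {(f.asset, f.check) for f in rescan if ASSETS[f.asset]["in_scope"]}
    return {"fixed": sorted(before - after),
            "open": sorted(before & after),
            "new": sorted(after - before)}

# Constructed sample scans: an initial baseline and a rescan after remediation.
BASELINE = [
    Finding("web-01", "outdated-tls", 7.5, True),
    Finding("build-02", "default-creds", 9.8, False),
    Finding("build-02", "info-banner", 2.0, False),  # later confirmed false positive
    Finding("lab-03", "outdated-tls", 7.5, True),    # out of scope, ignored
]
RESCAN = [
    Finding("build-02", "info-banner", 2.0, False),
    Finding("web-01", "weak-cipher", 5.3, False),
]

if __name__ == "__main__":
    print(rank_findings(BASELINE, {("build-02", "info-banner")}))
    print(verify_remediation(BASELINE, RESCAN))
```

Note that the rescan diff only confirms that a check no longer fires; a finding that disappears because the scanner changed, rather than because the fix landed, still needs manual verification.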

Basic Terms which will be used:

Vulnerability – A lack of a countermeasure, or a weakness in a countermeasure that is in place
Asset – Anything valuable to an organization
Risk – The probability that a vulnerability is exploited
Scope – The list of targets that are allowed to be tested
Payload – The part of an exploit that is sent to the target
Exploit – A method of taking advantage of a vulnerability
False positive – A reported vulnerability that does not actually exist
False negative – A real vulnerability that the test failed to report

Steps involved:

  • Planning
  • Testing
    • Information Gathering
    • Vulnerability analysis
    • Exploitation
    • Post exploitation
    • House Cleaning
  • Reporting

Information Gathering

  • Active Information gathering – Trying to gather information about the target by interacting with the target. Tools: ping, nslookup, nmap, dirbuster, wpscan, hackertarget, etc.
  • Passive information gathering – Trying to gather information about the target without directly interacting with the target. Tools: Google Dorks, exploit DB, whois, builtwith, wappalyzer, robtex.com, intodns, ssllabs, securityheaders.com, social searcher, shodan, wayback machine, source code, robots.txt, maltego, etc.

Manual VM tools

  • securityfocus
  • zerodayinitiative

Monthly Round Up for the month of September 2024

Ransomware attack forces high school in London to close and send students home

A high school in south London has announced it will be closed for the first half of this week due to a ransomware attack, leaving approximately 1,300 students in the lurch.

Students were sent home from the Charles Darwin School on Thursday, with a letter from the headteacher Aston Smith following them on Friday to warn parents that the IT issue students had been told of was “worse than hoped” and actually a ransomware incident.

The letter confirmed that the school would be “closed Monday, Tuesday and Wednesday” as “all staff devices have been removed to be cleansed” and teachers will need time to re-plan lessons, while senior staff will have to create systems to continue running the school.

“All students have had their [Microsoft] 365 accounts disabled as a precaution. If you receive an email from an unusual email address we ask that you are vigilant. We will never send any attachments or links during the recovery process,” the letter stated.

It added that the school might have to take further measures based on new information in the weeks ahead and warned “there is the potential for all information held by the school to have been accessed.”

An unnamed cyber security company is currently completing a forensic investigation, said the school, but the headteacher warned that until this is completed he would not be able to provide further details on the data breach.

Major UK stations targeted with terrorism message in cyber security incident

Manchester Piccadilly’s Wi-Fi system was compromised in a cyber security incident, sparking an immediate investigation after all 20 Network Rail-managed stations became targets.

Customers attempting to use the Wi-Fi were redirected to a webpage, which the Manchester Evening News has viewed. This page, titled ‘We love you, Europe,’ contains content on terror attacks within the UK and elsewhere, with discernible anti-Islamic undertones.

Arkansas City Responds to Cyber security Incident at Water Facility, Ensures Safe Drinking Water

Arkansas City, Kansas, experienced a cyber security incident on Sunday, September 22, 2024, involving its Water Treatment Facility. While the nature of the incident has yet to be fully disclosed, the city government emphasized that the water supply remains safe and that no disruption to service has occurred. The incident prompted the city to take precautionary measures and transition water treatment operations to manual control as part of its response.

TfL faces ‘ongoing cyber security incident’

Transport for London’s (TfL) computer systems have been targeted in an ongoing cyber attack.

It said there was no evidence customer data had been compromised and there was currently no impact on TfL services.

Insiders have told BBC London they have been asked to work at home if possible, and that it is the transport provider’s backroom systems at the corporate headquarters that are mainly affected.

TfL’s chief technology officer Shashi Verma said: “We have introduced a number of measures to our internal systems to deal with an ongoing cyber security incident.”

Monthly Round Up for the month of August 2024

ADT confirms data breach after customer info leaked on hacking forum

ADT, a leading American company in building security, has confirmed a data breach incident. The breach involved threat actors who allegedly leaked customer information on a well-known hacking forum.

ADT, a publicly traded company, focuses on providing security and smart home solutions to both residential and small business clients. With a workforce of around 14,300 employees, the company generates approximately $4.98 billion in annual revenue and serves nearly 6 million customers across 200 locations in the U.S.

Oil industry giant Halliburton confirms ‘issue’ following reported cyberattack

Halliburton, one of the largest oilfield service companies globally, has acknowledged an unspecified issue affecting its networks, following reports of a cyberattack.

According to Reuters, the attack occurred on Wednesday, primarily impacting operations at the company’s Houston headquarters. It remains unclear if the cyberattack has affected Halliburton’s other locations.

Despite the attack, Halliburton’s stock remained relatively stable on Thursday morning at the New York Stock Exchange. The company, which employs nearly 48,000 people worldwide and generated over $23 billion in revenue last year, specializes in services like locating oil and gas reserves and supporting clients in managing extraction processes.

Previously a key partner of Russian companies such as Gazprom, Rosneft, and Lukoil, Halliburton ended its operations in Russia after selling its assets in September 2022 due to the invasion of Ukraine.

Details regarding the cyberattack remain vague, though Reuters reported that some employees were advised not to access the company’s internal networks, according to a source close to the situation.

India’s Critical Infrastructure Suffers Spike in Cyberattacks

India’s rapidly digitizing critical infrastructure sectors, including finance, government systems, manufacturing, and healthcare, are now encountering a surge in cyberattacks and threats.

For instance, in April of this year, a hacking group leaked 7.5 million records containing personal data stolen from boAt, a leading Indian manufacturer of wireless audio and wearable devices. More recently, the Reserve Bank of India (RBI), the nation’s central bank, highlighted the growing risks posed by increased digitization to the country’s financial infrastructure.

According to a report by the RBI, cyber incidents targeting the financial sector have seen a significant rise. The number of incidents managed by the national CERT team surged to approximately 16 million in 2023, compared to just 53,000 in 2017.

Monthly Round Up for the month of July 2024

AT & T cyber attack

A massive AT&T cyberattack allowed hackers to steal millions of customer records. AT&T revealed that nearly all of its wireless customers’ call and text records were exposed, and that the hackers accessed customer data stored on a third-party cloud platform.

Patient reports used as paper plates at Mumbai hospital

A video surfaced on social media showed patient reports being used as paper plates at King Edward Memorial (KEM) Hospital in Mumbai. The paper plates made using patient reports appeared to contain vital information like patient details and medical procedures.

995 crore passwords stolen RockYou2024.txt

A hacker, who goes by the name “ObamaCare”, has leaked 995 crore passwords, as per Forbes. The information was released under a dataset named Rockyou2024 on Thursday, the report added.

As per researchers, it is considered the largest password data breach of all time. 

“In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks,” researchers at Cybernews said.

WazirX crypto exchange suffers massive hack, funds worth 1965 crore reportedly moved.

WazirX, one of the leading crypto currency exchanges in India with about 1.6 crore users, faced a hacker attack on Thursday that, according to one estimate, resulted in unauthorised withdrawal of various tokens aggregating about $235 million (around Rs 1,966 crore) from its customers’ wallets.

Angel One data breach, and other recent cyberattacks in India

The Mumbai-based stock broking firm had suffered a data breach in April last year. According to a report by media company Inc42, the firm had then reported a data breach impacting an undisclosed number of customers, but maintained that information related to funds and securities were safe.

The firm said that malicious actors had gained access to the names, mobile numbers and the email addresses of the affected users.

New Snowflake Data Breach Exposes Millions of Customers

The Snowflake data breach exposed the records of 2 million Advance Auto Parts customers. Sensitive information was compromised due to a lack of MFA, and new security measures and MFA adoption are being urged.

BMW Hong Kong Faces Major Data Breach: 14,000 Customer Records Exposed

BMW Hong Kong has reportedly suffered a data breach affecting approximately 14,000 customers. The leak, which came to light on July 16, 2024, has exposed sensitive personal information, raising concerns about customer privacy and data security.

According to reports from cybersecurity watchdogs, the leaked data includes crucial customer details such as salutations, surnames, first names, mobile numbers, and SMS opt-out preferences. This comprehensive set of information could potentially be exploited by malicious actors for various fraudulent activities, including identity theft and targeted phishing attacks.

Windows users face huge outage due to new CrowdStrike update: ‘Laptops crashing’

Windows 10 users globally are facing a massive outage owing to a new CrowdStrike update, which is leading to PCs getting stuck on the recovery screen. Several users on social media shared images of their screens stuck on the recovery page with the message reading, “It looks like Windows didn’t load correctly. If you’d like to restart and try again, choose Restart my PC below.”

Monthly Round Up for the month of June 2024

Synnovis Cyber Attack:

A ransomware attack on Synnovis, a pathology laboratory in the UK, severely impacted NHS services in South East London. This attack led to the postponement of over 800 elective procedures and 700 outpatient appointments between June 3 and June 9, 2024. The recovery process is ongoing, and NHS England is working with Synnovis and the National Crime Agency to manage the fallout and restore services (NHS England).

Boeing Cyber Incident:

Aircraft manufacturer Boeing experienced a cyber incident that affected multiple areas of its business. The LockBit ransomware gang initially claimed responsibility for the attack, although there is no evidence that Boeing paid any ransom. The incident is under investigation by law enforcement (Tech.co).

NHS Trusts Disruption:

Another cyber attack on NHS services led to the disruption of clinical services at King’s College Hospital and Guy’s and St Thomas’ NHS Foundation Trusts. The attack impacted the capacity for blood tests, transplant services, and some urgent care services. Efforts are underway to mitigate the impact and reschedule affected procedures (NHS England).

Information Security Blogs

Blogs on infosec and cyber security, writeups, latest trends, security best practices, etc.
