At a glance.
- ShinyHunters hit Nitro PDF user data.
- More risks of looking for love.
- Driveline class action suit fails.
- More Blackbaud breach fallout.
- Texas health system discloses breach.
- Chimera collects airline passengers' data.
Hacker “ShinyHunters” strikes again.
BleepingComputer reports the infamous hacker known as ShinyHunters has leaked yet another stolen database for free on an underground forum. This time the victim is PDF creation app Nitro PDF, owned by Nitro Software. Containing over 77 million records, the database includes 14 GB worth of user email addresses, hashed passwords, and IP addresses. The data were presumably stolen during a security breach detected by Nitro Software in October, though at the time the company claimed no user information had been compromised. That claim was shown to be false when, not long after, a hacker placed a Nitro PDF database up for auction on the dark web with a starting price of $80,000. Now ShinyHunters has published the info for free viewing, charging just $3 for download. The prolific hacker has claimed responsibility for recent breaches at Homechef, Minted, and Tokopedia, just to name a few.
If only they’d just swiped left.
As if online dating wasn’t risky enough, Interpol reports that cybercriminals are using romance as bait in an online investment fraud scheme. First, the criminal meets their prey on an online dating app. Once a rapport is established, they begin to offer the victim investment “advice,” eventually luring them to a fraudulent trading website. They convince the victim to purchase various financial products, motivating them to invest more with promises of special membership status. Once the victim is in deep enough, the criminal cuts off communication and locks the victim out of the investment account...and their heart.
Driveline workers’ data breach suit denied class status.
The employees of Driveline, a retail merchandising company based in the US state of Texas, have been refused class certification in a lawsuit involving a recent phishing scam, Law360 reports. In 2016, a payroll manager at Driveline was tricked via email into sending copies of approximately 16,000 workers’ W-2s to identity thieves masquerading as Driveline employees. The lawsuit alleges that Driveline failed to properly train their staff on how to avoid such email scams, despite FBI warnings of phishing threats. US District Judge Sue Myerscough refused to certify the impacted workers’ claims as a class, stating that the employees’ claims are too individualized. While liability is evident, there is doubt surrounding causation and injury. As Myerscough stated, “The court has considerable concerns relating to individual proof required for causation and damages in this case.”
Blackbaud claims yet another casualty.
If you thought all of the victims of the Blackbaud breach had been disclosed, you would be wrong. News Channel Nebraska reports that the Wayne State Foundation, the fundraising association of Wayne State College in the US state of Nebraska, has been added to the long list of organizations that were impacted in the ransomware attack on cloud software company Blackbaud last summer. The affected individuals include donors as well as many alumni, whether they donated or not. Unfortunately, Social Security numbers were exposed, as the Foundation stored graduating students’ SSNs in its database in lieu of student IDs. The school has since ceased this practice, but it’s unclear whether the information had already been exposed.
Hendrick Health System suffers data breach.
Hendrick Health System, a not-for-profit healthcare provider based in the US state of Texas, fell victim to a cyberattack last fall, reports Becker’s Hospital Review. The breach likely began in October of last year but was not discovered by Hendrick until November. Fortunately, patient health information was not exposed, but names and Social Security numbers might have been compromised.
Comments on Chimera's recent data theft from airlines.
NCC Group and its FOX-IT subsidiary have found that a Chinese threat actor (CyCraft researchers called the group “Chimera” when they first described it) hitherto known for collecting against Taiwan’s semiconductor industry has a much more extensive target list. The targets are now believed to include airlines, and, whereas the attacks on semiconductor company networks aimed at intellectual property theft, the airlines are of interest because of the personal data they hold.
Apparently the group is seeking to collect information about individuals of interest, and also to harvest such credentials as may be available to them. Chimera uses its take in credential-stuffing and password-spraying attacks against the individuals’ organizations.
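The defender's counterpart to the credential-stuffing and password-spraying activity described above is a detection check on authentication logs. Spraying tries one or a few passwords against many accounts from one source, staying under per-account lockout thresholds, so the signal is per source rather than per account: many distinct usernames failing from one origin in a short window, with few failures per username. The following is an added example, not code from NCC Group, FOX-IT, CyCraft or the briefing itself; the log format, the IP addresses and the thresholds are constructed assumptions.

```python
"""Flag password-spraying patterns in authentication logs (added example).

Assumed log line format (constructed for this example, not any real product):
    <ISO-8601 UTC timestamp> auth=<OK|FAIL> user=<name> src=<ip>
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one source failing once against six accounts (spray),
# one source hammering a single account (brute force, not a spray), and one
# ordinary user typo followed by a successful login.
SAMPLE_LOG = """\
2021-01-21T09:00:01Z auth=FAIL user=alice src=203.0.113.7
2021-01-21T09:00:03Z auth=FAIL user=bob src=203.0.113.7
2021-01-21T09:00:05Z auth=FAIL user=carol src=203.0.113.7
2021-01-21T09:00:07Z auth=FAIL user=dave src=203.0.113.7
2021-01-21T09:00:09Z auth=FAIL user=erin src=203.0.113.7
2021-01-21T09:00:11Z auth=FAIL user=frank src=203.0.113.7
2021-01-21T09:00:13Z auth=OK user=frank src=203.0.113.7
2021-01-21T09:05:00Z auth=FAIL user=alice src=198.51.100.4
2021-01-21T09:05:01Z auth=FAIL user=alice src=198.51.100.4
2021-01-21T09:05:02Z auth=FAIL user=alice src=198.51.100.4
2021-01-21T09:05:03Z auth=FAIL user=alice src=198.51.100.4
2021-01-21T09:05:04Z auth=FAIL user=alice src=198.51.100.4
2021-01-21T09:06:00Z auth=FAIL user=carol src=192.0.2.9
2021-01-21T09:06:05Z auth=OK user=carol src=192.0.2.9
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_spray(lines, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Per source, slide a time window over failures and flag windows with many
    distinct accounts but few failures per account. Returns one alert per source,
    describing the widest qualifying window."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "FAIL":
            failures[ev["src"]].append(ev)

    alerts = []
    for src, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        counts = Counter()  # failures per user inside the current window
        left = 0
        best = None
        for ev in events:
            counts[ev["user"]] += 1
            # Drop events that fell out of the window.
            while ev["ts"] - events[left]["ts"] > window:
                old = events[left]["user"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                if best is None or len(counts) > best["accounts"]:
                    best = {"src": src, "accounts": len(counts),
                            "start": events[left]["ts"], "end": ev["ts"]}
        if best:
            alerts.append(best)
    return alerts


def successes_after_spray(lines, alerts):
    """Successful logins from a flagged source: the sign that a spray landed."""
    flagged = {a["src"] for a in alerts}
    return [(ev["user"], ev["src"]) for ev in map(parse_line, lines)
            if ev and ev["result"] == "OK" and ev["src"] in flagged]


if __name__ == "__main__":
    found = detect_spray(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"spray from {a['src']}: {a['accounts']} accounts between {a['start']} and {a['end']}")
    print("successful logins from flagged sources:", successes_after_spray(SAMPLE_LOG.splitlines(), found))
```

The brute-force source in the sample is deliberately not flagged: five failures against one account trips per-account lockout logic, which this check leaves to the existing controls. The sliding window rather than fixed buckets matters because a spray that straddles a bucket boundary would otherwise split into two sub-threshold halves. In production the same logic should also key on the tenant or authentication endpoint, since sprays against cloud identity providers commonly rotate source addresses.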
We received comments on these latest discoveries from Saryu Nayyar, CEO of Gurucul, and Chloé Messdaghi, Chief Strategist at Point3 Security. Nayyar wrote:
“The revelation that advanced attackers, apparently based in China, have been targeting airline travel sites to track specific individuals is not a surprise. Tracking the travel patterns of individuals involved in certain industries or areas of research is information of great value to a State level intelligence agency. While it is the kind of specific information that might be useful to a cybercriminal going after a specific target, it is guaranteed to be useful to a rival state agency.
“Victims of these attacks are not facing common cybercriminals. They are likely facing State or State Sponsored threat actors with a high degree of skill and effectively limitless resources. They will have to up their game if they want to thwart these intrusions in the future and keep their customers’ data safe. They will have to follow industry best practices and deploy best-in-breed defenses, including security analytics tools that can help identify and remediate these intrusions before the data is compromised.”
Messdaghi finds unanswered questions of attribution interesting:
“The questions to ask are who are they, who are they watching, and why? It’s a given that this type of data stalking on a mass scale is criminal - there’s a very clear and thick legal line of privacy and data that this group is on the other side of with their data extraction.
“While we don’t know if this is a state-sponsored actor, a proxy for a nation state or a monetization player, we do know that the Biden Administration will be tackling cybersecurity policy on these types of threats with new ferocity and historic vigor. While we all hope that the Biden Administration gets the 100-day honeymoon that most newly elected presidents get to shape and invoke policy, it appears that bad actors won’t be giving that to them. We’re optimistic that we now have a president who will evaluate and act upon trustworthy information, and is taking preemptive actions to strengthen our cybersecurity, risk mitigation and personal privacy. We are confident that this situation is on their radar.”