At a glance.
- Law enforcement data leak reported in the Philippines.
- CommScope data published by Vice Society.
- Data breach at NCR.
- Sexual assault victims' personal information compromised.
Law enforcement data leak reported in the Philippines.
Researcher Jeremiah Fowler has discovered an unprotected database containing over 1.2 million records related to individuals who were employed or applied to work in law enforcement in the Republic of the Philippines. vpnMentor reports that the compromised data include highly sensitive documents containing personally identifiable information like passports, birth and marriage certificates, drivers’ licenses, academic transcripts, and security clearance documents. Fowler added, “Based on the limited samples of records I viewed, the database also appeared to contain documents relating to internal directives addressing law enforcement officers, which may or may not be confidential.” It’s unclear exactly how long the database was exposed, but Fowler says it was available for at least six weeks after its discovery.
CommScope data published by Vice Society.
The Vice Society ransomware gang has published data stolen from CommScope, a US network infrastructure provider based out of the state of North Carolina. CommScope spokesperson Cheryl Przychodni told TechCrunch that on March 27 the company detected “unauthorized access to a portion of our IT infrastructure that we determined was the result of a ransomware incident.” The hackers apparently exfiltrated backups of data pertaining to the MyCommScope customer portal and the company’s internal intranet. The leaked data include internal documents like invoices and technical drawings, as well as personal info on thousands of CommScope employees, including full names, contact information, Social Security numbers, bank account information, and scans of employee passports and visa documentation. It’s unclear exactly how many employees were impacted. “We are working with our third-party experts to validate those claims and to understand the nature of the information at issue as a top priority,” Przychodni said. “We are undergoing a thorough review of any impacted data with all possible speed.”
(Added, 9:00 PM ET, April 18th, 2023. Tomer Bar, Director of Security Research at SafeBreach, commented on the implications of the breach. “Unfortunately attackers were able to steal very sensitive data such as social security numbers, bank accounts information, visa and passports. Besides the obvious direct sensitivity of this data, this type of information could be used for future attacks against other targets. With the current uncertainty about the attacker's access to CommScope customer data, we recommend that their customers immediately increase security checks and validate their security posture.”
Vice Society's record attracted some comment from Stephan Chenette, Co-Founder and CTO at AttackIQ. “The ransomware group Vice Society has been known to target educational and healthcare organizations and they have hit an all-in-one victim with CommScope. Vice Society has typically gained initial network access through compromised credentials or by exploiting internet-facing applications,” Chenette wrote. “The actors focus efforts on exploring the victim’s network, identifying targets of opportunity, and exfiltrating data prior to deploying ransomware. Vice Society has been observed using the Hello Kitty and Zeppelin ransomware-as-a-service families. It is imperative that organizations study the common tactics, techniques, and procedures used by common threat actors to help them build more resilient security detection, prevention, and response programs mapped specifically to those known behaviors. Organizations should use automated solutions that safely validate their defensive controls against ransomware campaigns and their techniques to better prepare for the next threat.”)
Data breach at NCR.
Leading American payment services firm NCR has disclosed it suffered a ransomware attack targeting a data center in Aloha, Hawaii. NCR says it suffered a system outage, and a notice released by the company on Saturday reads, “On April 13, we confirmed that the outage was the result of a ransomware incident. Immediately upon discovering this development, we began contacting customers, engaged third-party cybersecurity experts and launched an investigation. Law enforcement has also been notified.” The breach is tied to NCR’s Aloha restaurant point-of-sale product, but the company says the impacted restaurants are still able to serve their customers and that there has been “no impact to payment applications or on-premises systems.” That said, Infosecurity Magazine notes that there has been an increase in cyberattacks targeting the hospitality industry, and that these attacks typically cause costly disruptions to operations. Research conducted by security firm Claroty found that 51% of the food and beverage sector reported substantial disruption when hit by a ransomware attack in 2021. Claroty CRO Simon Chassar stated, “Businesses must have visibility across their entire network for all assets connected to understand their risk posture and provide patches to critical assets such as operational technology (OT) and IoT devices. It is also essential to segment their networks to restrict unnecessary connectivity and the movement of malware to mitigate the impact of cyberattacks.”
Lior Yaari, CEO and co-founder of Grip Security, took the occasion to write about the value of user credentials to threat actors.
“The ransomware attack on NCR is telling and underscores the significance of credentials for every organization. Interestingly, the ransomware gang alleged in the crime, BlackCat, stated that the data being held for ransom was — credentials. Why is that? Because in a distributed environment, identity is the ultimate control point and credentials paired with identities is like getting the golden ticket to everything else. The sensitivity and criticality of credentials is not a big surprise for attackers and cybercriminals, as credentials have remained the top target for attackers for more than a decade. The difference here is, now, organizations have increased their level of concern for credentials, making them just as attractive for ransomware gangs as intellectual property. If cybercriminals can hold credentials hostage, that’s a strong indicator of just how valuable credentials are — and for digital, cloud-first, SaaS-driven enterprises, credentials are the gateway to the whole operation.
“This makes it clear that organizations need visibility to all identities and credentials, understand their distribution and usage, and where necessary shield those identities from exploit — removing dangling or unwarranted access, applying multi-factor authentication, and safeguarding credentials through centralized control with decentralized enforcement.”
Sexual assault victims' personal information compromised.
The BBC reports that data belonging to rape and sexual abuse survivors have been exposed in a ransomware attack targeting Evide, an Irish company that provides data management solutions for charities and nonprofits. The company notified the Police Service of Northern Ireland (PSNI) as soon as the attack was detected last month, and PSNI’s cyber crime investigation team is assisting with containment, recovery, and an investigation of the incident. Ireland’s Minister of State for eGovernment Ossian Smyth says two thousand residents of the Republic of Ireland have been impacted by the attack, the Journal reports. Smyth added, “For people who are the users of those services or people who have trusted to share their data with those organisations, I can understand that they would be very worried and worried that they have shared the most confidential, intimate information.”
Four organizations that work with victims of rape and sexual abuse were impacted by the attack, including a Dublin-based organization called One in Four. A One in Four spokesperson stated, "The data which was stolen included personal information. There would also have been short records of people's engagement in our services - that is stored separately. So we really don't know what the situation is with that data. We do know that any attachments, any letters, any reports for example, to child protection services, they have not been accessed." One in Four’s chief executive Maeve Lewis said that phone numbers and email addresses were among the stolen data, and that at least one thousand individuals might have been impacted. Orchardville Society, another of the impacted organizations, told Belfast Live, "Having taken advice from the ICO, we immediately contacted all our participants to make them aware of the situation and to advise them to be alert to any suspicious attempts to contact them.”
Oz Alashe MBE, CEO of CybSafe, points out that charities and not-for-profits generally also face significant exposure to third-party risk. “This disappointing news is a reminder that the charity sector and its third-party suppliers are not immune from malicious actors, despite the fantastic work they do. In 2022, it was reported 30% of UK charities had suffered a cyber attack," Alashe writes. Criminals tend to perceive charities as soft targets. "Charities and suppliers are often seen as a gold mine for cyber criminals, as they prioritize funding on frontline charitable work rather than into defenses against cyber threats. This story emphasizes charities must look beyond their front door when it comes to security, ensuring their third-party partners’ employees are taking cybersecurity seriously.” Defense is a collective effort across all partnerships, Alashe argues. “It is crucial that organizations emphasize the significance of cyber security across all of their partnerships. People are the first and last line of defense in safeguarding this crucial data. Focusing on specific security behaviors that make individuals vulnerable to attacks, and promoting positive cooperation has the potential to reduce organizational risk. Otherwise, the organizations that exist to help the most vulnerable, will continue to be vulnerable themselves.”