Data Breach – Gridinsoft Blog
https://gridinsoft.com/blogs
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Samsung Tickets Data Leak
https://gridinsoft.com/blogs/samsung-tickets-data-leak/
Tue, 01 Apr 2025 09:05:08 +0000
The Samsung tickets data leak involves a breach of Samsung Germany’s customer support system, managed through samsung-shop.spectos.com and operated by Spectos GmbH. The data, stolen in 2021 via infostealer malware, was dumped for free in March 2025 by a hacker known as “GHNA,” making it accessible to a broader audience and increasing the risk of exploitation.

Samsung Tickets Data Leak Contains Data Stolen in 2021

In March 2025, a major data breach compromised approximately 270,000 customer support tickets from Samsung Germany. The breach originated from samsung-shop.spectos.com, a domain linked to Samsung’s German ticketing system. The leaked data contained personal information, purchase records, customer support interactions, and communication logs.

Samsung Tickets Data Leak offered for free on BreachForum

The incident was traced back to credentials stolen in 2021 from an employee of Spectos GmbH, a third-party vendor working with Samsung. These credentials were compromised using the Raccoon Infostealer malware. Cybercrime intelligence firm Hudson Rock had flagged the stolen credentials years earlier, raising concerns about the failure of proactive security measures.

Comprehensive Analysis of the Samsung Tickets Data Leak

As researchers say, the Samsung Tickets data leak was not the result of a sophisticated attack against Samsung’s internal systems. Instead, it resulted from a relatively simple exploitation of credentials that had been compromised years before the current incident. The credentials belonged to an employee of Spectos GmbH, the third-party company responsible for Samsung Germany’s ticketing system. The initial compromise occurred in 2021, when the employee’s login information was stolen by the Raccoon Stealer malware.

Raccoon infostealer is a well-known malware designed to extract sensitive information such as login credentials, cookies, and autofill data from infected machines. Once these credentials entered cybercriminal databases, they remained dormant until 2025, when a hacker identified as “GHNA” used them to access the samsung-shop.spectos.com system. The hacker then leaked the customer support tickets online for free, exposing vast amounts of customer data.

The exposed data includes full names, email addresses, home addresses, order numbers, purchased product details, payment methods, and support interactions. This level of detail poses significant risks, including identity theft, targeted phishing attacks, and fraud. Additionally, the availability of communication logs between customers and Samsung could enable attackers to craft convincing social engineering schemes.

Snippet from the leak shows samsung-shop.spectos.com (source: infostealers.com)

Cybersecurity firm Hudson Rock had reportedly been aware of the stolen credentials for years, maintaining them in its database of over 30 million infected devices. The fact that this breach occurred despite prior intelligence suggests a critical failure in mitigating the risk of compromised credentials. Apparently this happened because companies often neglect to rotate login credentials regularly and to monitor for unauthorized access, leaving themselves vulnerable to attacks that leverage long-compromised data.

In the end, I can’t say that Samsung itself was breached directly through a complicated hack, but its third-party vendor’s security weaknesses provided attackers with an entry point. While organizations focus on securing their main infrastructure, outdated or compromised third-party credentials remain a persistent risk.

Exploitation Risks and Criminal Opportunities

The Samsung tickets data leak doesn’t just open the door to cybercrime – it practically rolls out the red carpet. Now, not only seasoned hackers but also amateurs with a Wi-Fi connection can exploit it. One of the more immediate risks is good old-fashioned theft. With full addresses and tracking links conveniently available, criminals can effortlessly monitor deliveries and snatch high-value packages right off doorsteps.

Meanwhile, armed with names, emails, and order details, attackers can craft phishing emails so convincing that even the most cautious recipients might fall for them – because who wouldn’t click on a refund confirmation that seems perfectly legitimate? Of course, all of this can be seasoned with an LLM, which makes such messages even more convincing.

Then there’s the goldmine of fraudulent warranty claims. Order numbers, product models, and purchase dates give scammers everything they need to trick customer support into issuing replacements or refunds for items they never even bought. And let’s not forget the potential for account takeovers. With access to both customer and support agent emails, attackers can impersonate legitimate users, reset passwords, and waltz into accounts as if they own them. This data dump isn’t just a security risk – it’s an all-you-can-eat buffet for cybercriminals.

The post Samsung Tickets Data Leak appeared first on Gridinsoft Blog.

Oracle Cloud Breach Plausible, Experts Research Confirms
https://gridinsoft.com/blogs/oracle-cloud-breach/
Thu, 27 Mar 2025 12:36:39 +0000
Recent reports indicate a potential major security incident involving Oracle Cloud, detected on March 21, 2025. Researchers claim a threat actor is selling sensitive data, while Oracle firmly denies any breach.

Alleged Oracle Cloud Breach Analysis

On March 21, 2025, CloudSEK published a blog post claiming a significant data breach in Oracle Cloud, detected through their platform. They reported that a threat actor, identified as “rose87168,” is selling 6 million records exfiltrated from Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems. This data includes sensitive components such as Java KeyStore (JKS) files, encrypted SSO passwords, key files, and enterprise manager Java Platform Security (JPS) keys, potentially impacting over 140,000 tenants across multiple regions and industries.

Oracle Cloud breach post

Researchers verified the breach using their XVigil platform and cyber HUMINT, publishing a TLP Green report for public awareness and a TLP Red report sent to Oracle on the same day. They also released a free tool on a specially crafted website for organizations to check if their data was exposed.

Evidence Supporting the Breach

CloudSEK provided detailed evidence to support the Oracle Cloud breach claim. The breach likely stemmed from an exploited vulnerability in Oracle Cloud’s login endpoint, specifically login.(region-name).oraclecloud.com. The evidence suggests the use of CVE-2021-35587, a critical vulnerability in Oracle Access Manager (OpenSSO Agent) within Oracle Fusion Middleware, last updated in 2014, with a CVSS score of 9.8, which allows unauthenticated remote code execution. This is supported by Oracle.

Further evidence includes a 10,000-line sample shared by the threat actor on March 25, 2025, containing data from 1,500+ unique organizations, including personal emails and production access indicators (tenantIDs like {tenant}-dev, {tenant}-test, {tenant}). Researchers confirmed real customer domains (e.g., sbgtv.com, nexinfo.com) matching the threat actor’s list, with system logs indicating the compromised production SSO endpoint, login.us2.oraclecloud.com, was active approximately 30 days ago and taken down by Oracle a few weeks before the breach. An archived file uploaded by the threat actor at web.archive.org contains the attacker’s email, also adding credibility.

Multiple cybersecurity outlets have analyzed this incident, supporting the researchers’ findings. CSO Online, in “Oracle Cloud breach May Impact 140000 Enterprise Customers”, reports the breach’s potential to endanger 140,000 enterprise customers, with the threat actor demanding ransom and marketing the data on underground forums.

Oracle’s Response and Denial

Oracle has categorically denied the breach. Oracle’s statement, as of March 21, 2025, is: “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.” This denial has created a significant controversy, with Oracle maintaining silence on further details.

An X/Twitter post mentions rose87168 claiming to have used the CVE-2021-35587 vulnerability to compromise login.us2.oraclecloud.com, with Oracle allegedly disconnecting the server, though current checks show the server is still accessible.

Oracle Cloud breach X/Twitter post (screenshot)

Impact and Remediation

The potential impacts of the Oracle Cloud breach are the usual ones for this kind of incident, including mass data exposure, credential compromise if passwords are cracked, and supply chain risks due to exposed JKS and key files. Security researchers strongly recommend changing all SSO and LDAP credentials, enforcing multi-factor authentication (MFA), conducting forensic investigations, and monitoring dark web forums for discussions of the leaked data.

As of the time of writing, the situation remains unresolved, with no new updates beyond the March 25, 2025 reports. Organizations are advised to use the researchers’ tool to check their exposure and follow the recommended security measures while awaiting further official statements from Oracle and independent verification.

Jaguar Land Rover Data Breach Involved Two Attacks
https://gridinsoft.com/blogs/jaguar-land-rover-data-breach/
Tue, 18 Mar 2025 15:16:08 +0000
Jaguar Land Rover suffered a significant data breach. Two hackers are said to have exploited stolen Jira credentials, leaking sensitive information. The leaked data includes source code, employee details, and proprietary documents.

Jaguar Land Rover Breached

In early March 2025, Jaguar Land Rover (JLR), a UK-based luxury car manufacturer, reportedly suffered a significant data breach. This breach involved two distinct threat actors: the HELLCAT ransomware group, also referred to as “Rey,” and a second hacker identified as “APTS.”

Rey’s thread on a cybercrime forum in which they leaked data from Jaguar Land Rover

While the exact date of the breach is not explicitly stated, it is clear that the incident was recent. On the other hand, the credentials exploited by APTS dated back to 2021, suggesting a long-standing vulnerability. One report corroborates the exposure of source code and employee details, while another website mentions the leak of 700 internal documents by Rey.

Threat Actors and Their Methods

As I said above, the breach involved two primary actors: HELLCAT (Rey) and APTS. HELLCAT employs its “infostealer-playbook” strategy, using infostealer malware to collect credentials. It focuses on Jira systems, which are integral to enterprise operations, making the stolen data highly valuable for further attacks.

Infostealer malware, such as Lumma, infects devices through phishing, malicious downloads, or compromised websites, exfiltrating login credentials that are often sold or hoarded on the Darknet. APTS followed a similar approach, exploiting the same type of credentials to access JLR’s systems.

The login credentials that were used to perform the breach, detected years ago by Hudson Rock’s Cavalier (source: infostealers.com)

The article also specifies that the credentials used were from a compromised LG Electronics employee (his email ending with «on@lge.com») with third-party access to JLR’s Jira server. These credentials, detected in Hudson Rock’s database since at least 2018, were viable as of 2021. Hudson Rock, a cybercrime intelligence provider, reported over 30,000,000 computers infected with infostealers, with thousands of companies, including JLR, having compromised Jira credentials from these infections.

Data Leaked and Scale

As for scale, the data breach is significant, with Rey leaking hundreds of internal files and gigabytes of Jira issues, though the exact size is not specified. APTS, on the other hand, leaked an additional 350 gigabytes of data, including proprietary documents, source code, employee data, and partner information.

APTS leaking additional data from Jaguar Land Rover

This additional leak was confirmed through a screenshot of a Jira dashboard shared by APTS. Some reports mention approximately 700 internal documents leaked by Rey, including development logs and tracking data.

Implications and Broader Context

The breach has significant implications for JLR and the broader cybersecurity landscape, which is obvious. The leaked data, particularly source codes and employee details, poses risks for further attacks, such as phishing campaigns or intellectual property theft.

AI could amplify the impact of such large breaches, making stolen data more valuable for cybercriminals. This is all the more serious given JLR’s size, with nearly 39,000 employees and over $37 billion in revenue in the previous year. The incident also shows the vulnerability of Jira systems used for enterprise operations, which is worth keeping in mind considering how widespread Jira is in modern software engineering.

Besides JLR, previous victims of infostealer campaigns include Telefónica, Schneider Electric, and Orange; the Telefónica breach, for example, involved similar tactics. One notable detail is the longevity of the exploited credentials, dating back to 2018 and remaining viable until at least 2021.

This long-term vulnerability, detected by Hudson Rock’s database, illustrates how stolen credentials can persist for years if not monitored, posing a continuous risk to organizations. This is particularly relevant for companies relying on third-party access, as seen with the LG Electronics employee’s credentials.

DeepSeek AI Data Leaked, Exposing User Data
https://gridinsoft.com/blogs/deepseek-ai-data-leak/
Fri, 31 Jan 2025 23:15:33 +0000
Wiz Research discovered an extensive DeepSeek database containing sensitive information, including user chat history, API keys, and logs. Additionally, it exposed backend data with internal details about infrastructure performance. Yes, the unprotected data was openly sitting in the public domain, so this goes well beyond an ordinary high-profile leak.

DeepSeek AI Data Breach: Over a Million Log Entries and Sensitive Keys Exposed

DeepSeek, a rapidly rising Chinese AI startup that became known worldwide in just a few days for its open-source models, has found itself in hot water after a major security lapse. Researchers at Wiz discovered that DeepSeek left one of its ClickHouse databases publicly accessible on the internet, potentially allowing unauthorized access to sensitive internal data. Wouldn’t it be ironic if an AI company that claims to be smarter than humans couldn’t even secure its own database?

Plain-text chat messages from DeepSeek (source: Wiz Research)

The exposed database contained over a million log entries, including chat history, backend details, API keys, and operational metadata—essentially the backbone of DeepSeek’s infrastructure. API secrets, in particular, are highly sensitive because they act as authentication tokens for accessing services. If compromised, attackers could exploit these keys to manipulate AI models, extract user data, or even take control of internal systems.

How Was the Data Accessed?

DeepSeek’s system ran on ClickHouse, an open-source columnar database optimized for handling large-scale data analytics. The database was hosted at oauth2callback.deepseek[.]com:9000 and dev.deepseek[.]com:9000, and required no authentication to access. This means that anyone who discovered the exposed endpoints could connect and potentially extract or alter the data at will.

ClickHouse supports an HTTP interface, which allows users to run SQL queries directly from a web browser or command line without needing dedicated database management software. Because of this, any attacker who knew the right queries could potentially extract data, delete records, or escalate their privileges within DeepSeek’s infrastructure.
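The misconfiguration described above (a ClickHouse user with no password that accepts connections from any network) is something you can lint for in your own users.xml. The following is an added Python example, not code from the post, from Wiz or from DeepSeek; the element names follow ClickHouse’s users.xml schema, while the two configurations, the IP ranges and the digest are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed users.xml documents. Element names (users, password,
# password_sha256_hex, networks/ip, profile, quota) follow ClickHouse's
# users.xml schema; every value below is made up for this example.
WEAK_USERS_XML = """<clickhouse>
  <users>
    <default>
      <password></password>
      <networks>
        <ip>::/0</ip>
      </networks>
      <profile>default</profile>
      <quota>default</quota>
    </default>
  </users>
</clickhouse>"""

# Hardened variant: hashed credential, access limited to a private range
# and loopback. The digest is a placeholder, not a real SHA-256 of anything.
HARDENED_USERS_XML = """<clickhouse>
  <users>
    <default>
      <password_sha256_hex>0000000000000000000000000000000000000000000000000000000000000000</password_sha256_hex>
      <networks>
        <ip>10.0.0.0/8</ip>
        <ip>::1</ip>
      </networks>
      <profile>default</profile>
      <quota>default</quota>
    </default>
  </users>
</clickhouse>"""

# Masks that admit every IPv6 / IPv4 client.
ANY_NETWORK = {"::/0", "0.0.0.0/0"}
# Credential elements that mean the user is not passwordless.
SECRET_TAGS = ("password_sha256_hex", "password_double_sha1_hex", "ldap", "kerberos")


def audit_users_xml(xml_text: str) -> List[str]:
    """Return one human-readable finding per weak setting found in users.xml."""
    root = ET.fromstring(xml_text)
    users = root.find("users")
    if users is None:
        return ["no <users> section found"]

    findings: List[str] = []
    for user in users:           # each child of <users> is one user, named by its tag
        name = user.tag
        plain = user.find("password")
        plain_value = (plain.text or "").strip() if plain is not None else ""
        has_secret = any(user.find(tag) is not None for tag in SECRET_TAGS)

        if plain is not None and not plain_value and not has_secret:
            findings.append(f"{name}: empty <password>, anyone can log in as this user")
        elif plain is None and not has_secret:
            findings.append(f"{name}: no credential element at all")
        elif plain_value:
            findings.append(f"{name}: plaintext <password> in config, prefer password_sha256_hex")

        networks = user.find("networks")
        if networks is None:
            findings.append(f"{name}: no <networks> restriction declared")
        else:
            for ip in networks.findall("ip"):
                mask = (ip.text or "").strip()
                if mask in ANY_NETWORK:
                    findings.append(f"{name}: <ip>{mask}</ip> admits connections from any address")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_USERS_XML), ("hardened", HARDENED_USERS_XML)):
        print(label, audit_users_xml(doc) or ["no findings"])
```

This lint covers only users.xml; which interfaces the server binds to is governed separately by listen_host in config.xml, so an exposure review needs both.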

Some of the leaked data

Wiz researcher Gal Nagli pointed out that while much of AI security discourse focuses on future risks (like AI model manipulation and adversarial attacks), the real-world threats often stem from elementary mistakes, like exposed databases.

As Nagli rightly notes, AI firms must prioritize data protection by working closely with security teams to prevent such leaks. If attackers had gained access to DeepSeek’s logs, they could have harvested API keys to exploit AI services. They could also have analyzed chat logs to extract user data and private interactions. Additionally, they might have manipulated internal settings to alter how the models operate.

So What Now?

Despite such seemingly high-profile failures, the service still works great, as evidenced by the statistics of app downloads from official app stores. However, apart from this incident, those concerned about data security have some questions for the service. Its privacy policies are under investigation, particularly in Europe, due to questions about its handling of user data. As a Chinese AI company, DeepSeek is also being examined by U.S. authorities for potential national security risks.

Additionally, OpenAI and Microsoft suspect that DeepSeek may have used OpenAI’s API without permission to train its models via distillation—a process where AI models are trained on the output of more advanced models rather than raw data. The Italian data protection authority, Garante, recently demanded information on DeepSeek’s data collection practices, leading to its apps becoming unavailable in Italy. Meanwhile, Ireland’s Data Protection Commission (DPC) has made a similar request.

Hot Topic Data Breach Exposes of 350 Million Customers
https://gridinsoft.com/blogs/hot-topic-data-breach-350-million-customers/
Thu, 24 Oct 2024 19:33:00 +0000
A data breach at the well-known US retailer Hot Topic leaks a selection of personally identifiable information of 350 million of the chain’s customers. Such a worrying conclusion comes from the database posted for sale on one of the Darknet forums. The breach likely touches not only the company itself, but also its subsidiaries – Box Lunch and Torrid. Analysts already rank this leak among the biggest ever to come from a single corporation.

Hot Topic Hacked, 350 Million Customers Data Exposed

In the breach published on October 21, 2024 on BreachForum by a threat actor nicknamed Satanic, personal information of 350 million customers and employees is offered for sale, at a price of just $20,000. For Hot Topic themselves, however, the price tag is 5x that – $100,000 for deleting the forum thread completely. The hacker does not disclose how they breached the company, but shares fairly extensive samples that allow us to judge the scale and potential impact. Spoiler – it is tremendous.

Post regarding the Hot Topic hack on BreachForum

Unlike the usual Darknet leak, the Hot Topic breach features not just usernames, emails and similar basic information. Leak samples offered by the hacker show complete addresses, emails, phone numbers and extensive payment information (including cardholder info and card details). The list goes on with account IDs and in-chain loyalty points tied to the corresponding accounts. The latter may be quite handy if hackers (or someone who has purchased the leaked DB) try to take over the accounts.

User records with heaps of personal data, present in one of the logs

Aside from customer information, the data breach also contains employee data from Hot Topic and its subsidiaries Torrid and BoxLunch. This part of the breach generally consists of email addresses and full names – not too much to brag about. Still, this exact part of the breach was the key for analysts investigating the origins of the breach.

How Was Hot Topic Hacked?

Despite Satanic being (as expected) quite secretive on detailed information on how they’ve done the breach, Hudson Rock Infostealers’ analysts managed to do a pretty good job of analyzing the clues present in logs. They also communicated with the hacker on certain details, confirming their suspicions (though not trusting the hacker’s words entirely).

So, as far as the analysis goes, the point of initial access was the PC of an outsourced contractor working for the data analytics company Robling. The latter does data analysis for Hot Topic and its subsidiaries, which requires access to the company’s cloud storage. By infecting this system with an undisclosed infostealer malware, the hacker managed to extract about 240 credentials stored on it. Among them was login data for the Hot Topic and Torrid Snowflake environments.

Accesses of a Robling employee, who was the starting point of the hack

And that was it – from then on, Satanic had access to all the internal data of the company. It apparently took some time to browse and extract all the data, but that is all there was to it – no super-fancy movie-like hacking, just an infostealer that did all the dirty work.

What should I do?

If you are a customer of one of these three companies, I’d advise you to migrate your shop accounts to a different email address. This way, your loyalty points will be secured against someone else spending them. With card data and other sensitive information, however, things are much more complicated.

You are unlikely to be able to change or remove this information from the company, especially considering it was already stolen. With this information, hackers can create invoices directed to your payment card, and then get the confirmation codes through various phishing methods. If that is the case, I’d recommend you set a low daily payment limit, and thoroughly track the codes and requests that come to your phone or email. Report all suspicious cases to your bank’s security team, should they appear, and never follow any instructions that ask you to type in a confirmation code if you are not the one who requested it.

Archive.org Hacked, Exposing Over 31 Million Users
https://gridinsoft.com/blogs/archive-org-hacked/
Thu, 10 Oct 2024 12:10:58 +0000
Archive.org, a world-renowned archive of the entire Internet, suffered a huge data breach. The website was defaced, with a message from the hackers saying that the site was badly secured and that user data would soon be available at the Have I Been Pwned service. The service has already confirmed receiving the leak, with as much as 6.4GB of database uploaded to HIBP.

Internet Archive’s Wayback Machine Hacked, User Data Stolen

On October 9, 2024, archive.org, the website of the Wayback Machine service run by the Internet Archive organization, went offline, only to be resurrected in a defaced form. Hackers who managed to break into the website’s infrastructure wiped the usual contents and placed a JavaScript pop-up stating the following:

“Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!”
JS pop-up on the hacked site

Unfortunately, the attacker was not kind enough to leave any other information regarding how and why they hacked the service. The website is down at the moment, even without the aforementioned JS pop-up, which suggests that Internet Archive potentially regained control over the system. At the same time, Have I Been Pwned service already reports about receiving a huge database that allegedly consists of the Internet Archive data.

After briefly browsing through this fresh upload, independent security researchers confirmed that it is genuine and really is a database from Archive.org. Scott Helme, one of the investigators, shared his exposed record with BleepingComputer. The password hash (the lengthy mess of letters and numbers) corresponds to the one he used on the website, and the other data also appears correct.

9887370, internetarchive@scotthelme.co.uk,$2a$10$Bho2e2ptPnFRJyJKIn5BiehIDiEwhjfMZFVRM9fRCarKXkemA3PxuScottHelme,2020-06-25,2020-06-25,internetarchive@scotthelme.co.uk,2020-06-25 13:22:52.7608520,\N0\N\N@scotthelme\N\N\N

Archive.org pop-up message (screenshot)

Overall, the breach does not contain any sensitive information, primarily because the service itself does not keep or ask for any. Main contents of the leaked database are emails, usernames and hashes of passwords. Not too much for the hackers to exploit, so the fuss is mostly about the huge number of affected users and the worldwide fame of the Archive.org service.
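To make a row like the one quoted above readable, here is an added Python example (not from the post, BleepingComputer or Archive.org) that splits such a dump record, treats \N as NULL, and breaks the bcrypt hash into version, cost and salt; it works on a constructed record with placeholder e-mail, handle and a made-up hash string in the same column layout.

```python
import re
from typing import Dict, List, Optional, Union

# bcrypt modular-crypt format: $<version>$<cost>$<22-char salt><31-char digest>,
# salt and digest drawn from the bcrypt base64 alphabet ./A-Za-z0-9.
BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

# Constructed record in the same comma-separated layout as the row quoted in
# the post. The e-mail, handle and hash are placeholders; \N marks NULL,
# the notation PostgreSQL and MySQL exports use.
SAMPLE_RECORD = (
    "4242424,user@example.invalid,"
    "$2a$10$abcdefghijklmnopqrstuv0123456789ABCDEFGHIJKLMNOPQRSTU,"
    "ExampleUser,2020-06-25,2020-06-25,user@example.invalid,"
    "2020-06-25 13:22:52.7608520,\\N,0,\\N,\\N,@exampleuser,\\N,\\N,\\N"
)

# OWASP's Password Storage Cheat Sheet recommends a bcrypt work factor of 10 or more.
MIN_COST = 10


def parse_bcrypt(value: str) -> Optional[Dict[str, Union[str, int]]]:
    """Split a bcrypt string into its parts; None if the value is not bcrypt."""
    m = BCRYPT_RE.match(value)
    if m is None:
        return None
    cost = int(m.group("cost"))
    return {
        "version": m.group("version"),
        "cost": cost,
        "rounds": 2 ** cost,  # key-expansion iterations an attacker pays per guess
        "salt": m.group("salt"),
        "digest": m.group("digest"),
    }


def split_record(line: str) -> List[Optional[str]]:
    """Split a comma-separated dump row, mapping \\N to None."""
    return [None if f.strip() == "\\N" else f.strip() for f in line.split(",")]


def inspect_record(line: str) -> Dict[str, object]:
    """Summarize what one leaked row exposes and how the password was stored."""
    fields = split_record(line)
    hashes = [h for h in (parse_bcrypt(f) for f in fields if f) if h is not None]
    # Handles such as "@exampleuser" start with '@' and are not addresses.
    emails = sorted({f for f in fields if f and "@" in f and not f.startswith("@")})
    return {
        "field_count": len(fields),
        "null_count": fields.count(None),
        "emails": emails,
        "hash": hashes[0] if hashes else None,
        "password_hashed": bool(hashes),
        "work_factor_adequate": bool(hashes) and hashes[0]["cost"] >= MIN_COST,
    }


if __name__ == "__main__":
    summary = inspect_record(SAMPLE_RECORD)
    print(summary)
```

A cost of 10 means 2^10 key-expansion rounds per guess, which is why a leaked bcrypt hash is far less immediately useful to an attacker than a plaintext or unsalted-MD5 password, though weak passwords still fall to offline guessing.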

DDoS Attack on the Wayback Machine

Aside from the massive impact from the attackers’ activity, the website also suffered from SN_Blackmeta hacktivists. They have launched a DDoS attack on the Internet Archive’s servers, making the site completely inaccessible for quite some time. Hackers boasted about this in their X/Twitter publication.

SN_Blackmeta X/Twitter post (screenshot)

The motivation behind the DDoS attacks and the hacking of the system is not clear, at least for me. As a non-profit company, Internet Archive is unlikely to have an overwhelming amount of money, sufficient for establishing reliable cybersecurity protection. This exact reason rules out any suggestion of a ransom demand for non-disclosure of the hack.

Archive.org Gives No Answer

Despite the massive number of affected users, Internet Archive has not come out with any comments about the situation or its further steps. And it is hard to excuse this by saying it is too soon to say anything: the security breach allegedly happened in late September, with the latest records in the database dating to September 28, 2024. They should have been aware of the issue for quite some time now, and considering the number of people exposed in that attack, the response should have been immediate.

For people who had accounts on Archive.org, the best course is to track HIBP website updates. They have already confirmed receiving the leaked data and say they are ready to index it and make it searchable. With a search by either username or email address, you will get information on exactly what was exposed in your case.

Data Breach vs Data Leaks: Differences
https://gridinsoft.com/blogs/data-breach-vs-data-leak/
Sun, 22 Sep 2024 13:27:33 +0000
The terms “data breach” and “data leak” are often used interchangeably, but they are not similar enough for that to be correct usage. Sure, they share similarities, but they still refer to different cybersecurity events.

Data breach vs. Data leaks – Are they different?

Data breaches and data leaks follow a similar pattern — both involve unauthorized parties gaining access to information they should not have. The main difference between the two terms lies in the circumstances. A data breach is a deliberate disclosure of confidential information that occurs as a result of actions intended to achieve it. In a data breach, attackers purposefully attack a system, gain access, and often steal or compromise data. It involves an active intrusion such as hacking, phishing, or exploiting vulnerabilities in the system.

Data leaks, on the other hand, usually occur unintentionally. The term refers to the accidental disclosure of sensitive information by an entity (usually an employee). There is no malicious intent or direct attack here; it usually happens due to human error, poor security practices, or misconfiguration. In other words, a data leak occurs when information is accidentally made publicly available. For example, it could be an email containing sensitive information accidentally sent to the wrong recipient.

Causes of Data Breaches

As mentioned above, data breaches result from deliberate actions by attackers. Typically, attackers exploit security vulnerabilities in the target systems to penetrate the network. Another popular method is brute force, which quickly recovers weak or easily guessed passwords for employee accounts. All of this is often accompanied by phishing emails and social engineering techniques.

In addition to “contactless” methods, attackers can use physical access. This may happen in several ways, one of the key options being an attack through a third-party company or the supply chain. Crooks hack, bribe, or persuade partners, suppliers, or contractors who have access to the required information to steal it and pass it on. Another option here is an insider threat. The method is essentially identical to the previous one, except that the person with access to the required information comes from within the company. Most often these are employees who are dissatisfied with something and willing to harm their company.

Causes of Data Leaks

As for data leaks, the most common cause is misconfiguration of servers and cloud services. Incorrectly configured access settings can unintentionally expose sensitive information to someone who should not have it. The next most common cause of data leaks is human error. An employee may accidentally share a confidential document with the wrong recipient. They can also accidentally include all employees, or even outsiders, in a mailing, widening the leak even further.

Just as with data breaches, data leaks can also happen through physical access. For example, an employee may lose, forget, or leave a device (such as a flash drive, hard drive, or laptop) in a public place. If the laptop has a weak password or none at all, it is a jackpot for whoever finds it. Apart from digital information, this also applies to physical documents or securities that may be lost or left in a public place.

What is Worse?

In fact, both are very dangerous and can lead to irreversible consequences. In a data leak, there is a possibility that no one has detected or accessed the leaked data yet. A data breach, however, guarantees that attackers have gained access to the information. In addition, the latter case can be blamed on cunning attackers who managed to bypass security systems.

With a data leak, the company itself is primarily at fault due to inadequate security measures. While both incidents harm an organization’s reputation, a data breach tends to have more severe consequences. If the leak is confirmed, it will likely draw significant media attention, and depending on the content of the leaked data, the organization will likely face legal action.

Protect Your Data

For everyone who cares about their privacy, data exposure of any form, amount, and cause is a highly unpleasant situation. Unfortunately, not many companies offer a way to track or remove personal data from their servers. The most accessible protection approach here is a passive, reactive one: you can implement some measures beforehand, but most actions happen after the incident.

In practice, this means applying the best possible security measures to all your accounts. 2FA/MFA, recovery emails or devices, new-login notifications: all of this helps you stay aware of suspicious activity. You can also fill in fake values for non-essential data the service asks you to provide. And, obviously, keep track of the latest security news: this will keep you informed about the latest “security incidents”, as companies like to call cyberattacks.

Temu Allegedly Hacked, Data Put on Sale On The Darknet https://gridinsoft.com/blogs/temu-hacked-data-sold-on-darknet/ Wed, 18 Sep 2024 22:47:31 +0000
Chinese retailer Temu allegedly suffered a huge data breach. Hackers have put a leaked database for sale on the Darknet, which contains 87 million records with customer information. The company, however, completely denies being hacked or experiencing a data leak. This suggests the possibility that the data was just scraped from other sources.

Temu Hacked, Hackers Sell Leaked Data

On Monday, September 16, a hacker with the nickname smokinthashit published a post on the hacker forum BreachForums that contains Temu’s user database. The attacker claims that the database contains 87 million records. The database reportedly contains usernames, identifiers, IP addresses, full names, birth dates, phone numbers, shipping addresses, and hashed passwords. As proof, the attacker published samples of the stolen data.

Threat actor’s post on BreachForums (Source: BleepingComputer)

Temu is a Chinese shopping platform that operates pretty much around the world. It offers a variety of goods at relatively low prices. Despite numerous jokes about the quality of goods from Temu, the price-quality ratio allows the service to enjoy great popularity among buyers. It is not surprising that such a statement by cybercriminals caused such a fuss among users of the service.

Temu’s response

Security researchers contacted Temu representatives and asked them to comment on the situation. However, the company categorically denied any data leak. Temu said they examined the samples published by the attackers and found no matches with their databases. The platform representatives also clarified that they take user data privacy seriously and have the app’s MASA certification. They also have independent security validations, a HackerOne bug bounty program, and comply with the PCI DSS payment security standard.

Temu’s security team has conducted a comprehensive investigation into the alleged data breach and can confirm that the claims are categorically false; the data being circulated is not from our systems. Not a single line of data matches our transaction records. We take any attempt to tarnish our reputation or harm our users extremely seriously and reserve the right to pursue legal action against those responsible for spreading false information and attempting to profit from such malicious activities. At Temu, the security and privacy of our users are paramount. We follow industry-leading practices for data protection and cybersecurity, ensuring that consumers can shop with peace of mind on our platform.
Temu representative

For their part, the attackers continued to claim that they had indeed hacked Temu. They also claimed they still had access to the company’s internal dashboards and knew of vulnerabilities in its code. However, they provided no evidence to support this claim. In any case, as a precaution, users of the service are advised to enable two-factor authentication and change their passwords. In addition, against the backdrop of the incident, an increase in phishing attempts related to Temu and online shopping is to be expected.

May Users be in Danger?

Although such claims from hackers are not usually made without any proof, there is no reason to believe them for now. Judging by the responses from Temu’s representatives and the attackers, it appears to be a database compiled through web scraping from various sources rather than a fresh breach. However, if the data breach is confirmed, it would mean that sensitive information such as actual shipping addresses, bank card details, and purchase history has been leaked online. Still, taking preventive measures like changing your password and enabling 2FA is always a good idea.

Rite Aid Hacked, Data of 2.2 Million Customers Leaked https://gridinsoft.com/blogs/rite-aid-hacked/ Thu, 18 Jul 2024 13:36:53 +0000
In June 2024, Rite Aid, a US-based chain of pharmacy stores, experienced a cyberattack. The attack affected the company’s information systems and resulted in the leakage of customer and employee data. The threat actor known as RansomHub claims responsibility for the attack and has shared some details regarding the information they managed to steal.

Rite Aid Breach Exposes Sensitive Customer Details

In July 2024, one of the largest pharmacy chains in the United States, Rite Aid, disclosed a data breach. According to Rite Aid representatives, this “limited” cyberattack resulted in an unnamed threat actor gaining access to “certain business systems”. In less abstract terms, the attack affected 2.2 million customers. It compromised personal information, including names, addresses, dates of birth, and driver’s license numbers.

Although the company did not name the perpetrators, a group called RansomHub claimed responsibility. They stated they had stolen more than 10 GB of data, equating to about 45 million lines of personal information—far more than Rite Aid reported. RansomHub is believed to be based in Russia or a country friendly to Russia and operates on the principle of ransomware-as-a-service (RaaS). They avoid attacking CIS countries, Cuba, North Korea, and China, hinting at their origin.

Rite Aid’s entry on RansomHub ransomware Darknet leak site

Details of the Breach

According to Rite Aid, on June 6, an attacker pretended to be a company employee and used stolen credentials to access certain business systems. The incident was discovered within 12 hours, and an internal investigation was immediately launched. However, this was enough time for the data to be leaked. RansomHub stated on its Darknet site that it was in advanced negotiations with Rite Aid officials. However, at some point, the company stopped responding. While Rite Aid did not provide technical details of the attack, such as whether two-factor authentication was in place on the compromised account, information about the stolen data has been disclosed.

The attackers stole data related to purchases and attempted purchases of retail products between June 6, 2017, and July 30, 2018. This data included driver’s license numbers and other possible forms of government identification presented by shoppers during that period. However, Rite Aid claims that threat actors did not steal Social Security numbers, financial information, or patient data. Among the 2.2 million victims, 30,137 were Maine residents. Notably, this is not the first data breach incident involving Rite Aid.

Are Customers at Risk?

A breach of any organization or company involved in healthcare is always a serious privacy threat. Even though some “classic” sensitive data (SSNs and financial details) was not leaked from Rite Aid, everything else is more than enough for data and identity theft. Moreover, as RansomHub claims to have more data than officials say, there is a possibility of other categories leaking to the public.

The worst-case scenario here is, obviously, leaked information about clients’ prescriptions and medical conditions. This is a dream for any scammer who performs targeted blackmail or gathers data for further attacks. Having comprehensive information on an individual allows for impersonation attacks: the adversary gains trust by naming facts that are unlikely to be known to a stranger.

In any case, customers of Rite Aid should pay additional attention to any suspicious activity around them. Strange calls, emails, or text messages containing data officially disclosed as leaked in the breach report should be considered red flags and treated with additional caution.

Remote Access Trojan (RAT) https://gridinsoft.com/blogs/remote-access-trojan-meaning/ Thu, 16 May 2024 02:11:57 +0000
A Remote Access Trojan is software that allows unauthorized access to a victim’s computer or covert surveillance. Remote Access Trojans are often disguised as legitimate programs and give the attacker unhindered access. Their capabilities include tracking user behavior, copying files, and using bandwidth for criminal activity.

What is a Remote Access Trojan (RAT)?

A Remote Access Trojan (RAT) is a malicious program that opens a backdoor, allowing an attacker to control the victim’s device completely. Users often download RATs along with a legitimate program, e.g., inside hacked games from torrents or within an email attachment. Once an attacker compromises the host system, they can use it to spread the RAT to additional vulnerable computers, thus creating a botnet. In addition, a RAT can be deployed as a payload using exploit kits. Once successfully deployed, the RAT connects directly to the command-and-control (C&C) server the attackers control, using a predefined open TCP port on the compromised device. Because the RAT provides administrator-level access, an attacker can do almost anything on a victim’s computer, such as:

  • Use spyware and keyloggers to track the victim’s behavior
  • Gain access to sensitive data, including social security numbers and credit card information
  • View and record video from a webcam and microphone
  • Take screenshots
  • Format disks
  • Download, change or delete files
  • Distribute malware and viruses

How does a Remote Access Trojan work?

Like any other type of malware, a RAT can be attached to an email or hosted on a malicious website. Cybercriminals can also exploit a vulnerability in a system or program. A RAT is similar to Remote Desktop Protocol (RDP) or AnyDesk but differs in its stealth. The RAT establishes a command and control (C2) channel with the attacker’s server. This way, attackers can send commands to the RAT, and it can return the data. RATs also have a set of built-in controls and methods for hiding their C2 traffic from detection.

Remote access trojan mechanism

RATs can be combined with additional modules that provide other capabilities. For example, suppose an attacker gains a foothold using a RAT. Then, after examining the infected system, they decide to install a keylogger. Depending on their needs, the RAT may have a built-in keylogging feature or the ability to download and add a keylogger module. It can also load and run an independent keylogger.

Why Are Remote Access Trojans Dangerous?

A 2015 incident in Ukraine illustrates the nefarious nature of RAT programs. At the time, attackers used remote-control malware to cut power to 80,000 people. They gained remote access to a computer authenticated to the SCADA (supervisory control and data acquisition) machines that controlled the country’s utility infrastructure. The Remote Access Trojan then allowed the attackers to reach sensitive resources by using the elevated privileges of the authenticated user on the network. Thus, an attack using RATs can take on a threatening scale, up to a threat to national security.

Unfortunately, cybersecurity teams often have difficulty detecting RATs. This is because malware typically carries many concealing features, allowing it to avoid any detection. In addition, RATs manage resource utilization levels so that there is no performance degradation, making it difficult to detect the threat.

Ways of using Remote Access Trojan

The following are ways in which a RAT attack can compromise individual users, organizations, or even entire populations:

  • Spying and blackmail: An attacker who has deployed a RAT on a user’s device gains access to the user’s cameras and microphones. Consequently, they can take pictures of the user and their surroundings and then use them to launch more sophisticated attacks or blackmail.
  • Launching Distributed Denial of Service (DDoS) attacks: Attackers install RATs on many user devices, then use those devices to flood the target server with spoofed traffic. Even though the attack can cause network performance degradation, users are often unaware that hackers use their devices for DDoS attacks.
  • Cryptomining: In some cases, attackers can use RATs to mine cryptocurrency on the victim’s computer. By scaling this action to many devices, they can make huge profits.
  • Remote file storage: Sometimes attackers can use RATs to store illegal content on unsuspecting victims’ machines. That way, authorities can’t shut down the attacker’s account or storage server because the information is kept on devices belonging to legitimate users.
  • Industrial systems compromise: As described above, attackers can use RATs to gain control over large industrial systems. These could be utilities such as electricity and water supplies. As a result, an attacker can cause significant damage to industrial equipment by sabotaging these systems and disrupting critical services in entire areas.

Remote Access Trojan Examples

njRAT

njRAT is probably the best known and the oldest among remote-access trojans. It appeared in 2012 and keeps getting updates that adjust its functionality to modern “standards”, which accounts for its longevity. The reason for this is probably the attention from state-sponsored threat actors – APT36 and APT41 – who have used it in cyberattacks almost since its very inception.

Interface of njRAT 0.7 Golden edition

The key functionality of njRAT is typical for pretty much any remote-access trojan – it is about providing remote access. This is supplemented by uploading and downloading files on command, logging keystrokes, and capturing microphone and camera input. Some of its variants are also capable of grabbing credentials from browsers and cryptocurrency apps.

One interesting feature of this remote access trojan is its naming. Threat analysts use its original name interchangeably with Bladabindi. The latter is a detection name that Microsoft assigned to this trojan back in its early days. Usually, Redmond changes the naming as the malware gains volume and power, but this did not happen here.

Sakula

Sakula is seemingly harmless software with a legitimate digital signature. However, the malware first appeared in 2012 and is used against high-level targets. It allows attackers to take full advantage of remote administration on the device and uses simple unencrypted HTTP requests to communicate with the C&C server. Additionally, it uses the Mimikatz credential stealer to authenticate via pass-the-hash, reusing operating system authentication hashes to hijack existing sessions.

KjW0rm

KjW0rm is a worm written in VBS in 2014 that uses obfuscation, making it difficult to detect on Windows computers. It has many variations; the older parent version is called “Njw0rm”. The malware and all other variants belong to the same family, with many features and similarities in its workflow. It deploys stealthily and then opens a backdoor that allows attackers to gain complete control of the machine and send data back to the C&C server.

Havex

Havex is a Remote Access Trojan discovered in 2013 as part of a large-scale spying campaign targeting industrial control systems (ICS) used in many industries. Its author is a hacker group known as Dragonfly, also called Energetic Bear. It gives attackers complete control over industrial equipment. Havex uses several mutations to avoid detection and has a minimal footprint on the victim’s device. It communicates with the C&C server via HTTP and HTTPS.

Agent.BTZ/ComRat

Agent.BTZ/ComRat (also called Uroburos) is a Remote Access Trojan that became infamous after hackers used it to break into the U.S. military in 2008. The first version of this malware was probably released in 2007 and had worm-like properties, spreading via removable media. From 2007 to 2012, its developers released two significant versions of the RAT. Most likely, this is a development of the Russian government. It can be deployed via phishing attacks and uses encryption, anti-analysis, and anti-forensic techniques to avoid detection. In addition, it provides complete administrative control over the infected machine and can transmit data back to its C&C server.

Dark Comet

Backdoor.DarkComet is a Remote Access Trojan application that runs in the background and stealthily collects information about the system, connected users, and network activity. This Remote Access Trojan was first identified in 2011 and is still actively used today. It provides complete administrative control over infected devices. For example, it can disable Task Manager, the firewall, or User Account Control (UAC) on Windows machines. In addition, Dark Comet uses encryption, thereby avoiding detection by antivirus software.

AlienSpy

AlienSpy is a RAT that supports multiple platforms, allowing payload creation for Windows, Linux, Mac OS X, and Android. It can collect information about the target system, activate the webcam, and securely connect to the C&C server, providing complete control over the device. In addition, AlienSpy uses anti-analysis techniques to detect the presence of virtual machines. According to the researcher who analyzed the threat, the operator behind the service is a native Spanish speaker, probably Mexican.

Heseber BOT

The Heseber BOT is based on the traditional VNC remote access tool. It uses VNC to remotely control the target device and transfer data to the C&C server. However, it does not provide administrative access to the machine unless the user has such permissions. Since VNC is a legitimate tool, antivirus tools do not identify Heseber as a threat.

Sub7

Sub7 is a Remote Access Trojan that runs on a client-server model. The backdoor was first discovered in May 1999 and ran on Windows 9x and the Windows NT family of operating systems up to Windows 8.1. The server is a component deployed on the victim machine, and the client is the attacker’s GUI to control the remote system. The server tries to install itself into a Windows directory and, once deployed, provides webcam capture, port redirection, chat, and an easy-to-use registry editor.

Back Orifice

Back Orifice is a Remote Access Trojan for Windows introduced in 1998. It supports most versions beginning with Windows 95 and is deployed as a server on the target device. It takes up little space, has a GUI client, and allows an attacker to gain complete control over the system. RAT can also use image processing techniques to control multiple computers simultaneously. The server communicates with its client via TCP or UDP, usually using port 31337.

How To Protect Against Remote Access Trojan?

As stated above, Remote Access Trojans rely on their stealthiness. Once it has appeared, you will likely struggle to detect it, even if the exact malware sample is not new. That’s why the best way to protect against Remote Access Trojan is to not even give it a chance to run. The following methods represent proactive actions that severely decrease the chance of malware introduction and the possibility of getting in trouble.

Security training

Unfortunately, the weakest link in any defense is the human element, which is the root cause of most security incidents, and RATs are no exception. Therefore, the strategy for defending against RATs depends on organization-wide security training. Victims usually launch this malware through infected attachments and links in phishing campaigns, so employees must be vigilant not to accidentally contaminate the company network and jeopardize the entire organization.

Using multi-factor authentication (MFA)

Since RATs typically try to steal passwords and usernames for online accounts, using MFA can minimize the consequences if a person’s credentials are compromised. The main advantage of MFA is that it provides additional layers of security and reduces the likelihood that a consumer’s identity will be compromised. For example, suppose one factor, such as the user’s password, is stolen or compromised. In that case, the other factors provide an additional layer of security.

Strict access control procedures

Attackers can use RATs to compromise administrator credentials and gain access to valuable data on the organization’s network. However, with strict access controls, you can limit the consequences of compromised credentials. More stringent rules include:

  • More strict firewall settings
  • Safelisting IP addresses for authorized users
  • Using more advanced antivirus solutions

Solutions for secure remote access

Every new endpoint connected to your network is a potential RAT compromise opportunity for attackers. Therefore, to minimize the attack surface, it’s important to only allow remote access through secure connections established through VPNs or security gateways. You can also use a clientless solution for remote access. It does not require additional plug-ins or software on end-user devices, as these devices are also targets for attackers.

Zero-trust security technologies

Recently, zero-trust security models have grown in popularity because they adhere to the “never trust, always verify” principle. Consequently, the zero-trust security approach offers precise control over lateral movements instead of full network access. It is critical to suppressing RAT attacks, as attackers use lateral moves to infect other systems and access sensitive data.

Focus on infection vectors

Like other malware, a Remote Access Trojan is a threat only if it is installed and running on the target computer. Using secure browsing, anti-phishing solutions, and constantly patching systems can minimize the likelihood of a RAT infection. Overall, these actions are good practice for improving security in any case, not only against Remote Access Trojans.

Pay attention to abnormal behavior

RATs are Trojans that may present themselves as legitimate applications while carrying malicious functionality alongside that of the actual application. Tracking the application and system for abnormal behavior can help identify signs that might indicate a Remote Access Trojan.

Monitoring network traffic

An attacker uses a RAT to remotely control an infected computer over the network. Consequently, a RAT deployed on a local device communicates with a remote C&C server. Therefore, you should pay attention to unusual network traffic associated with such communications. In addition, it would be best to use tools such as web application firewalls to monitor and block C&C messages.
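The regular call-home pattern described above (and in the C2-channel section earlier) is something a defender can look for in connection logs. The script below is an added example, not code from the Gridinsoft post: it parses a constructed log format, flags flows whose inter-connection timing is suspiciously regular, and flags traffic to port 31337, which the post names as Back Orifice's usual port. The log lines and the log format are constructed for this example.

```python
"""Spot RAT beaconing in connection logs (added example, not Gridinsoft code).

A RAT keeps its C&C channel alive by calling home at regular intervals,
so outbound flows with near-constant timing stand out from normal browsing.
The log format and every line in SAMPLE_LOG are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: "timestamp src_ip dst_ip dst_port proto bytes", one flow per line.
# 203.0.113.9 is contacted every ~60 s (beacon); 198.51.100.20 is irregular browsing;
# 192.0.2.44:31337 is a single datagram to Back Orifice's usual port.
SAMPLE_LOG = """\
2024-05-16T02:00:00 10.0.0.5 203.0.113.9 443 tcp 512
2024-05-16T02:00:02 10.0.0.5 198.51.100.20 443 tcp 9800
2024-05-16T02:01:00 10.0.0.5 203.0.113.9 443 tcp 498
2024-05-16T02:02:00 10.0.0.5 203.0.113.9 443 tcp 520
2024-05-16T02:03:01 10.0.0.5 203.0.113.9 443 tcp 505
2024-05-16T02:04:00 10.0.0.5 203.0.113.9 443 tcp 511
2024-05-16T02:04:30 10.0.0.5 198.51.100.20 443 tcp 1200
2024-05-16T02:05:00 10.0.0.5 203.0.113.9 443 tcp 515
2024-05-16T02:05:10 10.0.0.5 198.51.100.20 443 tcp 2200
2024-05-16T02:07:45 10.0.0.5 198.51.100.20 443 tcp 45000
2024-05-16T02:09:10 10.0.0.7 192.0.2.44 31337 udp 64
2024-05-16T02:15:02 10.0.0.5 198.51.100.20 443 tcp 300
"""

# Ports the post associates with classic RATs (Back Orifice defaults to 31337).
SUSPECT_PORTS = {31337}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes),
        })
    return events


def find_beacons(events, min_connections=5, max_jitter=0.2):
    """Return findings for flows that look like C&C beacons.

    A flow is (src, dst, dport, proto). It is flagged when it targets a
    known RAT port, or when it has at least `min_connections` connections
    whose inter-arrival times vary by less than `max_jitter` (coefficient
    of variation, stdev / mean), i.e. a timer-driven callback.
    """
    flows = defaultdict(list)
    for e in events:
        flows[(e["src"], e["dst"], e["dport"], e["proto"])].append(e["ts"])

    findings = []
    for key, stamps in flows.items():
        stamps.sort()
        if key[2] in SUSPECT_PORTS:
            findings.append({"flow": key, "reason": "known RAT port",
                             "connections": len(stamps)})
        if len(stamps) < min_connections:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({"flow": key, "reason": "regular beacon",
                             "interval_s": round(avg, 1),
                             "jitter": round(jitter, 3),
                             "connections": len(stamps)})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        src, dst, dport, proto = hit["flow"]
        print(f"{src} -> {dst}:{dport}/{proto}  {hit['reason']}  {hit}")
```

Real RATs add random sleep jitter, so in practice the `max_jitter` threshold and the minimum connection count are tuned per environment and combined with destination reputation rather than used alone.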

Implement least privilege

The concept of least privilege implies that applications, users, systems, etc., should be restricted to the permissions and access they need to do their jobs. Therefore, using the least privilege can help limit an attacker’s actions with RAT.

Are Remote Access Trojans illegal?

Well, yes, but actually, no. It all depends on how and what you use it for. It is not the program itself that makes such tasks illegal. It’s the implementation. You can test and execute if you’ve written a Remote Access Trojan and have a home lab. You can use it if you have written permission from the other party. However, if you use the RAT maliciously, you may face some legal problems. So, to distinguish, professionals use the term “remote access tools” for legitimate access and control and “remote access trojan” for illegitimate access and control.

Fujitsu Hacked, Warns of Data Leak Possibility https://gridinsoft.com/blogs/fujitsu-hacked-data-leak/ Tue, 19 Mar 2024 17:29:47 +0000
Fujitsu, one of the world’s leading IT companies, reports uncovering a hack of its internal network. The company discovered malware in its IT systems, which led to a massive data breach.

Fujitsu Hacked, Company Publishes Report

The first to discover the Fujitsu hack were the company’s IT specialists, who were performing scanning. The first signs of compromised systems were noticed earlier in March 2023, which immediately raised concerns among the technical team. The company’s management was immediately notified of the possible threat, leading to an extensive internal investigation.

Fujitsu report on official web site (translated from Japanese)

The investigation is still ongoing and is now focused on determining the amount and types of leaked data. The company says it has not received any reports of personal information being misused as a result of the hack. However, the attack could have affected important databases containing customers’ personal data, including names, addresses, contact information, and details of contractual relationships.

Initial steps taken by Fujitsu included isolating the infected systems to prevent the malware from spreading further. The company also engaged external cybersecurity experts to conduct a detailed analysis of the situation and determine the source of the attack.

Analysis of Malware

Preliminary analysis showed that the malware was specifically designed to steal sensitive information. Experts noted that it was not a “common” malware sample but one crafted for this specific attack. The program acted selectively, targeting particularly sensitive data such as employees’ personal data, financial information and details of internal company research.

Most interestingly, the attack targeted specific systems and used sophisticated methods to bypass standard security measures. It is common for attackers to use custom malware builds in targeted attacks on corporate networks, but it is far less usual to see them deploy an entirely new, previously unseen sample.

Fujitsu Was Hacked Before

In June 2023, Fujitsu Cloud Technologies, a subsidiary of Fujitsu Limited, received a public reprimand from Japan’s Ministry of Internal Affairs and Communications. The ministry demanded that both Fujitsu Cloud Technologies and Fujitsu Limited take immediate action to implement security measures to safeguard communications privacy and enhance cybersecurity. Fujitsu Limited is set to merge with its subsidiary in the near future.

In 2022, a breach affected Fujitsu Limited’s cloud-based internet service used by governments and large corporations. Attackers accessed the system and leaked sensitive information. In late 2022, the company uncovered a hack in one of its divisions, FENICS Internet.

The company was also involved in a May 2021 supply chain attack. Its Fujitsu ProjectWEB project management suite was accessed by an unauthorized third party, and the incident resulted in a data leak affecting several Japanese government agencies. The data was allegedly sold on the darknet. The company later discontinued the ProjectWEB portal.

What then?

Well, despite best efforts, even technologically advanced companies like Fujitsu are not immune to cyberattacks and the data breaches that follow. Even where advanced defense systems are in place, attackers keep finding ways around them, with serious consequences for companies and their customers. Hopefully, the measures taken and the lessons learned from this incident will contribute to stronger data protection.

Comcast’s Xfinity Breach Exposes Data of 35.8 Million Users
https://gridinsoft.com/blogs/xfinity-breach-exposes-data/
Wed, 20 Dec 2023 14:55:37 +0000
Comcast confirms a massive security breach impacting its Xfinity division. Nearly 36 million customers of the world’s largest telecom provider were exposed as a result of CitrixBleed exploitation.

The breach details and impact on customers

The CitrixBleed vulnerability, which resides in widely used Citrix networking devices, has been under mass exploitation by hackers since at least late August. Although Citrix released patches in early October, many organizations, including Comcast, did not apply them in time. This oversight led to unauthorized access to Comcast’s internal systems between October 16th and 19th, though the company only detected the activity on October 25th. The damage is mainly concentrated within Xfinity, one of the company’s biggest divisions.

By November 16th, Xfinity confirmed that customer data had likely been acquired by hackers. This data includes usernames, hashed passwords, names, contact information, dates of birth, partial Social Security numbers, and answers to secret questions. Comcast’s data analysis is ongoing, and further disclosures of compromised data types may emerge.

Image: Email to the main account warning that account information was changed

The scale of the breach is monumental. Comcast’s filing with Maine’s attorney general revealed that almost 35.8 million customers are affected. Given that Comcast has just over 32 million broadband customers, the breach potentially impacts most, if not all, Xfinity customers.

What is CitrixBleed Vulnerability?

CitrixBleed is a critical-rated security flaw affecting Citrix devices favored by large corporations. Hackers leveraging this vulnerability have targeted notable entities, including Boeing and the Industrial and Commercial Bank of China. Because Citrix products are so widely used, the mere existence of such a vulnerability is critical.

The CitrixBleed vulnerability allows hackers to leverage improper input validation to bypass security controls, which results in unauthorized access to internal systems. Moreover, the vulnerability may allow attackers to inject malicious code or commands, potentially leading to malware being planted on the affected systems.

As of now, it is unclear whether Xfinity received a ransom demand or how the incident affected the company’s operations. Also uncertain is whether the incident has been filed with the U.S. Securities and Exchange Commission under the new data breach reporting rules. Comcast’s response has been tight-lipped regarding these aspects.

Avoiding data loss

Customers affected by the breach should take immediate steps to secure their personal information. This includes monitoring credit reports, being vigilant for phishing attempts, and ensuring all online accounts are secured with strong, unique passwords and, where available, multi-factor authentication.

It’s crucial to stay informed about cybersecurity threats and safe practices, as human error often leads to security breaches. Implementing strong access controls and network segmentation can limit the extent of a breach if one occurs. Additionally, regular backups and encrypted data storage are essential for recovering from data loss incidents.
