Breach Roundup: Lumen, QNAP, NCB and Toyota Italy
Plus: There's a New Mac Info Stealer Out There; More Breaches in Australia
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. In the days between March 24 and 30, the spotlight was on Lumen Technologies, hardware vendor QNAP and debt collector NCB. Also, more data breaches occurred in Australia, there's a new Mac info stealer out there and Toyota Italy exposed customer data.
U.S. telecommunications company Lumen Technologies, which services more than 60 countries across the globe, told federal regulators Monday about two separate cybersecurity incidents. The company, previously known as CenturyLink, said it discovered ransomware on servers supporting a segmented hosting service. "This intrusion is currently degrading the operations of a small number of the company's enterprise customers," it wrote.
The second incident came to light through Lumen's recent deployment of a security software product, which led to the discovery of an intrusion into the company's internal information technology systems. The threat actor's activities included "conducting reconnaissance of these systems, installing malware and extracting a relatively limited amount of data." Lumen didn't disclose the vendor of the security software.
Lumen said there is no material impact on its customers or its business, operations or financial results. The company is continuing to assess the impact of both events, including "whether any personal identifiable or other sensitive information has been exfiltrated."
QNAP Promises Patches
Taiwanese hardware vendor QNAP on Wednesday warned users that the special Linux operating systems that run some of its network-attached storage devices have a flaw in their version of sudo that attackers could use to escalate privileges. Sudo gives a system administrator the ability to delegate some types of authority to other users and groups, including the ability to run commands as the root user.
QNAP said the products at risk of being exploited via the vulnerability, designated as CVE-2023-22809, are QTS, QuTS hero, QuTScloud and QVP - aka QVR Pro - appliances. Patches are not yet available for all vulnerable operating systems or devices.
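As an added example (not from the page, QNAP or the sudo project), here is a version check of the kind a defender might script for fleet triage: it parses `sudo --version` output and tests it against the affected range that sudo's upstream advisory gives for CVE-2023-22809, 1.8.0 through 1.9.12p1, fixed in 1.9.12p2. Those version boundaries are not stated on the page and come from the upstream advisory; the sample output strings are constructed.

```python
"""Triage helper: flag sudo builds whose reported version falls in the
CVE-2023-22809 affected range. Example code added for this roundup; it is
not QNAP's or the sudo project's code."""
import re
import subprocess

# Range from the upstream sudo advisory (not stated on the page):
# 1.8.0 through 1.9.12p1 affected, fixed in 1.9.12p2.
FIRST_AFFECTED = "1.8.0"
FIXED_IN = "1.9.12p2"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(text):
    """Turn '1.9.12p1' or 'Sudo version 1.9.12p1 ...' into a sortable tuple.
    A missing 'pN' suffix sorts as p0, so 1.9.12 < 1.9.12p1 < 1.9.12p2."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no sudo version string in %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(version_text):
    """True when the reported version lies in [FIRST_AFFECTED, FIXED_IN)."""
    v = parse_version(version_text)
    return parse_version(FIRST_AFFECTED) <= v < parse_version(FIXED_IN)


def check_local_sudo():
    """Run 'sudo --version' on this host; returns (version_tuple, affected)
    or None when sudo is not installed."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return None
    return parse_version(out), is_affected(out)


if __name__ == "__main__":
    # Constructed sample outputs, in the shape 'sudo --version' prints them.
    for sample in ("Sudo version 1.9.12p1", "Sudo version 1.9.12p2",
                   "Sudo version 1.9.5p2"):
        print(sample, "-> in affected range" if is_affected(sample)
              else "-> not in affected range")
    print("local sudo:", check_local_sudo())
```

The version string is only a first-pass signal: vendor builds such as QNAP's own firmware and distribution packages often backport the fix without bumping the reported version, so a hit here means "check the vendor advisory", not "confirmed vulnerable", and a miss on a vendor build should still be cross-checked against QNAP's patch list.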
NCB Management Services Inc.
Debt collector NCB Management Services disclosed that an unauthorized party accessed confidential consumer information tied to closed Bank of America credit cards. The breach affects nearly 500,000 people, and the affected data includes first and last names, Social Security numbers, addresses, phone numbers, email addresses, birthdates, employment positions, pay amounts, driver's license numbers, account numbers and financial account information.
"NCB has obtained assurances that the third party no longer has any of the information on its systems," the company wrote without elaboration. Bank of America systems were not affected by the incident.
Crown Resorts and Meriton Suites
Add Crown Resorts, Australia's largest gaming and entertainment group, to the list of victims of ransomware hackers taking advantage of the GoAnywhere file transfer vulnerability (see: Clop GoAnywhere Attacks Have Now Hit 130 Organizations). The owner of vast casinos in Melbourne, Sydney and Perth said a ransomware group contacted it to claim it had "obtained a limited number of Crown files." A spokesperson for Crown told Information Security Media Group on Monday that the security incident had been detected late last week when a series of emails from a ransomware group were intercepted by the resort's information security team.
Another hospitality giant in Australia, Meriton Suites, disclosed Wednesday that hackers had stolen nearly 36 gigabytes of data in a Jan. 14 incident but "very little of the data was [personal identifiable data] related or sensitive information," the company said in an FAQ posted on its website. Nearly 1,900 people are affected by the incident, but there was no compromise of its guest database or financial information. The company said it encrypts credit card information at all times, so no such information was stolen.
The Australian pension fund NGS Super confirmed on Monday a cyberattack that occurred earlier this month, in which "some limited data" was stolen. The network intrusion did not affect member savings, which are stored on a separate platform, the company said.
NGS Super holds pensions for nearly 120,000 account holders and about 17,000 Australian employers use its services, the company said in its most recent annual report.
New Mac-Based Info Stealer
Researchers identified a novel information-stealing malware that targets Apple's macOS operating system. Uptycs said an info stealer it dubs MacStealer uses Telegram for command and control. The malware steals documents, iCloud keychain passwords, browser cookies and more from Apple users. A threat actor is selling it for $100 on the darknet. The malware affects Catalina and all subsequent versions of macOS running on Intel, M1 and M2 CPUs.
The Italian branch of Japanese car manufacturer Toyota exposed customer data such as phone numbers and email addresses for more than 18 months, reports Cybernews. Toyota Italy exposed credentials to its Salesforce Marketing Cloud, allowing threat actors to "access phone numbers and email addresses, customer tracking information, and email, SMS, and push-notification contents." The organization also exposed Mapbox API tokens - not revealing sensitive information but potentially allowing threat actors to rack up API usage costs for Toyota Italy. The company closed the vulnerabilities, it told Cybernews.
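Toyota Italy's exposure of Salesforce Marketing Cloud credentials and Mapbox API tokens is the kind of leak a pre-release scan of shipped web assets is meant to catch. The following is example code added here, not from the page, Toyota, Cybernews or any vendor: it scans text (a JavaScript bundle, a config file) for token-shaped strings and credential-looking assignments and reports them redacted. Assumptions: Mapbox tokens are matched on their public "pk." / secret "sk." prefix convention; the Salesforce rule keys only on identifier names, not on any token format; the sample bundle is constructed and contains no real secrets.

```python
"""Scan shipped text assets for credential-shaped strings.
Example code added for this roundup; not Toyota Italy's, Cybernews' or any
vendor's code."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    kind: str
    line: int
    redacted: str


# Detection rules, checked in order. The Mapbox rule relies on the assumed
# 'pk.'/'sk.' prefix convention; the Salesforce rule keys on identifier
# names such as sfmcClientSecret, not on a token format.
PATTERNS = [
    ("mapbox_token",
     re.compile(r"\b(?:pk|sk)\.[A-Za-z0-9_\-]{20,}\.[A-Za-z0-9_\-]{10,}")),
    ("salesforce_marketing_cloud_credential",
     re.compile(r"(?i)(?:sfmc|marketing[_-]?cloud|salesforce)\w*"
                r"(?:secret|password|token|key)\s*[:=]\s*['\"]?([^'\"\s,;]{8,})")),
    ("generic_credential_assignment",
     re.compile(r"(?i)\b(?:api[_-]?key|client[_-]?secret|secret|password|token)"
                r"\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})")),
]


def redact(value: str) -> str:
    """Keep just enough of the match to locate it, never the full credential."""
    return value[:6] + "..." + value[-4:] if len(value) > 14 else "***"


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per line that matches a credential rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                findings.append(Finding(kind, lineno, redact(m.group(0))))
                break  # first matching rule wins; one finding per line
    return findings


# Constructed sample: a fragment of a web bundle. The token values are
# made up and follow only the shape the rules above look for.
SAMPLE_BUNDLE = """\
const MAPBOX_TOKEN = "pk.CONSTRUCTEDexampleAAAAAAAAAAAAAAAAAAA.CONSTRUCTEDsig0000";
sfmcClientSecret: 'constructed-sfmc-secret-value-001',
const apiBaseUrl = "https://example.invalid/api";
const buildId = 20230330;
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_BUNDLE):
        print(f"line {f.line}: {f.kind} ({f.redacted})")
```

Run it over build output before deployment and treat any finding as a release blocker; redacting matches in the report matters because scanner output itself tends to end up in CI logs and tickets. The Mapbox case also illustrates why even "harmless" public tokens belong behind URL restrictions and usage quotas: the page notes the exposure allowed API cost abuse rather than data access.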
Other Coverage From Last Week
- Latitude Financial Admits 14M Customer Details Breached
- Health Plan, Mental Health Provider Hit by GoAnywhere Flaw
- Facebook Opposes Irish Data Watchdog's 265-Million-Euro Fine
- Device Maker Zoll Facing 7 Lawsuits in Wake of Breach
- NY AG Hits Law Firm With $200K Settlement in Health Breach
- GitHub Replaces Private RSA SSH Key After Public Exposure
- Stung by Free Decryptor, Ransomware Group Embraces Extortion
- How BreachForums' 'Pompompurin' Led the FBI to His Home
With reporting by ISMG's Mathew Schwartz in the United Kingdom and Jayant Chakravarti in India.