Cybersecurity News: Prudential data breached, Facebook Marketplace leak, BoA 3rd party breach

Prudential Financial data breached in cyberattack

In an 8-K filing with the U.S. Securities and Exchange Commission, the Fortune 500 financial firm disclosed that its network was breached last week. Attackers stole employee and contractor data before being blocked from compromised systems one day later. An investigation is ongoing to determine the full scope of the incident, and Prudential Financial has yet to find any indication that the malicious actors gained access to customer or client data.

(Bleeping Computer)

Facebook Marketplace user records leaked on hacking forum

A threat actor has leaked 200,000 records on a hacker forum, claiming they contain the personal information of Facebook Marketplace users. BleepingComputer verified some of the leaked data by matching the email addresses and phone numbers with sample data shared by the threat actor. The threat actor claims that part of the Facebook Marketplace database was stolen after the systems of a Meta contractor were hacked. The leaked database contains an array of personally identifiable information (PII), including names, phone numbers, email addresses, Facebook IDs, and Facebook profile information.

(Bleeping Computer)

Bank of America customers at risk after third party breach

Bank of America has alerted its customers that their personal data may have been exposed as a result of a breach suffered by one of its service providers, Infosys McCamish Systems (IMS). The breach allegedly exposed names, addresses, Social Security numbers, and dates of birth, as well as account and credit card numbers. The LockBit ransomware gang claimed responsibility for the attack, which occurred in early November 2023 and in which they encrypted more than 2,000 systems. IMS’s breach disclosure notice indicates that approximately 57,000 individuals were affected by the breach.

(Infosecurity Magazine)

Update: Integris Health says data breach impacted over 2 million patients

Following up on a story we brought to you in December on Cyber Security Headlines, Oklahoma’s largest not-for-profit healthcare network has reported that nearly 2.4 million people were impacted by the data breach it suffered last November. Integris Health confirmed the cyberattack in late December after patients began receiving extortion emails containing their stolen personal information and a link to the Tor network hosting the data. Stolen data included dates of birth, contact and demographic information, and Social Security numbers (SSNs). Visitors could pay $50 for attackers to remove their details, or pay $3 to view information belonging to any other impacted individual. The threat actor told BleepingComputer that they only exfiltrated data and did not encrypt it, which allowed Integris Health to keep providing its services to patients.

(Bleeping Computer)

QNAP vulnerability disclosures send mixed messages

The Taiwanese network-attached storage (NAS) company has found itself at odds with security researchers after releasing fixes for two new command injection vulnerabilities. QNAP assigned both vulns a severity score of just 5.8 out of 10. For the first bug (CVE-2023-50358), QNAP indicated that exploitation would require a high-complexity attack that would have a low impact if successful. Palo Alto Networks Unit 42 concluded just the opposite, stating that the RCE bugs exhibit a combination of low attack complexity and critical impact to IoT devices. The German Federal Office for Information Security (BSI) doubled down on Unit 42’s position on Tuesday, warning that successful exploits could lead to “major damage.” In the case of the second flaw (CVE-2023-47218), which was identified by security firm Rapid7, QNAP and Rapid7 agreed to a coordinated disclosure date of February 7 for the vulns. However, on January 25, QNAP told Rapid7 it had already pushed out patches. Further, QNAP’s vuln disclosure focused heavily on detailing affected devices and versions, while Rapid7 provided a detailed technical breakdown showing how the vulnerability can be exploited.

(The Register)

New Jersey law enforcement sues data brokers 

Last week, 118 class action lawsuits were filed against data brokers who allegedly failed to respond to requests from roughly 20,000 New Jersey law enforcement personnel who asked for their personal information to be removed from the internet. New Jersey law prohibits the disclosure of home addresses and unpublished telephone numbers for current and retired police officers, prosecutors, and judges, along with their family members. The law also requires that the information be removed within 10 days of a takedown request. The law, known as Daniel’s Law, was passed after a New Jersey federal judge’s 20-year-old son was shot to death at her home in 2020 by a disgruntled attorney. The suits are seeking $1,000 for each violation plus punitive damages and attorneys’ fees that could cost data brokers at least $20 million and hit the industry with at least $2.3 billion in fines.

(The Record)

You should probably patch that (Patch Tuesday edition)

Yesterday, Microsoft released its parade of Patch Tuesday security fixes for February 2024. Microsoft addressed a total of 73 flaws, two actively exploited zero-days, and five critical vulnerabilities. These issues could lead to denial of service, remote code execution, information disclosure, and elevation of privilege. The two actively exploited zero-day vulnerabilities are both Security Feature Bypass bugs, in Windows SmartScreen (CVE-2024-21351) and Internet Shortcut Files (CVE-2024-21412). The latter flaw could bypass Windows Mark of the Web (MoTW) warnings, which Microsoft designed to help users identify malicious files.

As has become customary, a swarm of other vendors joined Microsoft by releasing their own February 2024 security advisories. The vendors include Adobe, Cisco, ExpressVPN, Fortinet, Google, Ivanti, JetBrains, Linux, Mastodon and SAP.

(Bleeping Computer and SecurityWeek)

OPSWAT invests $10M in cybersecurity scholarship program

On Tuesday, OPSWAT, a global leader in perimeter defense solutions, announced that it’s launching a $10 million cybersecurity scholarship program. This initiative is designed to address the increasing demand for certified cybersecurity professionals, particularly within critical infrastructure industries. OPSWAT’s scholarship program will provide course content tailored to equip participants with the skills necessary to protect critical infrastructure environments from a dynamic threat landscape. OPSWAT has posted details about the Scholarship Program, including eligibility requirements and application details, on its website (https://opswatacademy.com/scholarship-program).

(Dark Reading)

Sean Kelly
Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.