company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO/CTO

DevOps Engineer

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

CISA

NetScaler

ZeroDay

loading..
loading..
loading..

CISA Warns of Critical Infrastructure Breach via Citrix Zero-Day RCE Flaw

CISA warns of critical infrastructure breach via Citrix zero-day RCE (CVE-2023-3519). Act now to secure your systems

22-Jul-2023
3 min read

Related Articles

loading..

IntelBroker

Cisco

Cisco is found to be currently investigating a possible data breach following re...

Cisco is found to be currently investigating a possible data breach following reports that allegedly stolen data has surfaced for sale on a hacking forum. The stolen data claims have been linked to a threat actor known as "IntelBroker" who, along with two others— "EnergyWeaponUser" and "zjj"—claims to have breached Cisco on June 10, 2024. According to IntelBroker, the breach compromised a whole host of sensitive information, including: - GitHub and GitLab project repositories - Source code - Hard-coded credentials - SSL Certificates - Docker builds - API tokens - AWS and Azure storage bucket data - Confidential Cisco documents, and more. ## Cisco’s Response A Cisco spokesperson confirmed the company is aware of the alleged breach and that an investigation is ongoing to assess the extent of the situation. At this time, Cisco has not confirmed the authenticity of the claims or the data samples that have been leaked. **Cisco's statement:** > _"We have launched an investigation to assess this claim, and our investigation is ongoing."_ ## Alleged Attacker’s Claims IntelBroker which has been involved in many targeted cyberattacks namely [Facebook](https://www.secureblink.com/cyber-security-news/200-000-facebook-marketplace-records-leaked-claims-intel-broker) & [General Electronics](https://www.secureblink.com/cyber-security-news/intel-broker-offers-ge-s-pipelines-for-500-amid-cyberattack-probe) along with their associates have provided samples of the alleged stolen data on a hacking forum. These samples include: - A customer database - Customer information - Documentation related to customers - Screenshots from internal customer management portals. While details of how the data breach has transpired remain still unclear, the type of data presented suggests access to core developer infrastructure and proprietary code repositories, potentially via compromised DevOps systems. ### Critical Data at Risk The threat actor’s post indicated that many of Cisco’s most crucial assets were allegedly infiltrated. Some of the more alarming categories include: 1. **Source Code Repositories**: IntelBroker claims access to multiple source code repositories hosted on GitHub, GitLab, and SonarQube. This can pose a serious risk to Cisco’s intellectual property, potentially allowing attackers to identify vulnerabilities in Cisco products. 2. **Hard-Coded Credentials and API Tokens**: The presence of hard-coded credentials within the code repositories could allow further exploitation of other systems if not remediated promptly. 3. **Confidential Cisco Documents**: Exposure of internal documentation could reveal sensitive corporate strategies, undisclosed technologies, and private communications. 4. **Cloud Infrastructure Access**: AWS private buckets, Azure storage, and Docker build data are all listed as compromised. Breaching cloud infrastructure is a serious issue as it can lead to further compromise of confidential services or data leakage. 5. **Private & Public Keys, SSL Certificates**: If SSL certificates or cryptographic keys have been compromised, the breach could extend to disrupting secure communication channels. ## Analysis of Previous Incidents This is not the first time IntelBroker has been associated with major data breaches. Since June 2024, the group has been involved in leaking or selling data from various high-profile companies such as [T-Mobile](https://www.secureblink.com/cyber-security-news/second-t-mobile-data-breach-of-2023-attackers-access-info-of-hundreds), [AMD](https://www.secureblink.com/cyber-security-news/sink-close-a-high-severity-amd-cpu-vulnerability-enables-undetectable-malware), and [Apple](https://www.secureblink.com/cyber-security-news/apple-urgently-releases-i-os-update-to-fix-voice-over-password-flaw). These previous attacks reportedly exploited vulnerabilities in third-party DevOps and software development services providers. It remains unclear whether the Cisco breach is related to those earlier incidents, but the scope of the alleged data exfiltration suggests that a third-party service provider might have been targeted once again. However, this isn't an isolated intrusion where Cisco has been involved, previously the company suffered many intrusions such as detection of backdoor vulnerability in there [smart licensing utility](https://www.secureblink.com/cyber-security-news/cisco-patches-critical-backdoor-vulnerability-in-smart-licensing-utility-1), there [VPN have been exploited](https://www.secureblink.com/cyber-security-news/ransomware-group-exploit-cisco-vpn-zero-day-vulnerability) by ransomware group, their [CISCO SPA 112 Phone Adapters](https://www.secureblink.com/cyber-security-news/cisco-spa-112-phone-adapters-vulnerable-to-arbitrary-code-execution) were vulnerable to arbitrary code execution, [Cisco AnyConnect](https://www.secureblink.com/cyber-security-news/any-connect-security-flaw-being-exploited-in-the-wild-cisco-warned) had been exploited in the wild and many more. Third-party vendors in DevOps often possess extensive access to company infrastructure, making them a high-value target for cybercriminals. ## Implications of the Cisco Data Breach If IntelBroker’s claims prove to be accurate, this breach could have severe implications for Cisco’s customers and partners. Compromised source code, credentials, and API tokens could potentially lead to: 1. **Intellectual Property Theft**: With source code and product designs in hand, competitors or criminal groups could clone or exploit Cisco products. 2. **Secondary Attacks**: The use of compromised credentials, API tokens, or customer documentation could lead to follow-up attacks, including ransomware, phishing, or fraud targeting Cisco’s customers. 3. **Loss of Trust**: A breach of this magnitude could significantly damage Cisco's reputation, especially among enterprise clients who rely on its technologies for secure networking solutions. 4. **Regulatory and Legal Consequences**: Cisco could face significant regulatory scrutiny, especially if customer or proprietary data is found to have been insufficiently protected. ### Potential Remediation Strategies While Cisco continues its investigation, there are several immediate steps the company should consider: - **Revocation of Exposed Certificates and Credentials**: Any SSL certificates, private keys, or hard-coded credentials that were potentially compromised must be revoked and replaced immediately. - **Patch and Secure DevOps Systems**: Since DevOps infrastructure appears to be the common thread in IntelBroker’s past breaches, Cisco should audit and strengthen security controls around its own DevOps tools and those of any third-party vendors. - **Customer Communication and Incident Response**: If customer information is indeed part of the compromised data, Cisco will need to proactively inform affected customers and assist them in securing their systems. - **Security Audit of Code Repositories**: A thorough audit of all GitHub, GitLab, and SonarQube repositories should be conducted to identify any potential vulnerabilities or further exposures of sensitive information. As more companies integrate third-party services into their core development workflows, they become increasingly vulnerable to attacks targeting those services. In the short term, it is critical for Cisco to validate IntelBroker’s claims, secure any exposed infrastructure, and collaborate with affected customers to mitigate potential risks. The long-term challenge will be fortifying the security of its development pipelines to prevent similar breaches in the future.

loading..   15-Oct-2024
loading..   6 min read
loading..

China

Fidelity

77,099 Fidelity Investments customers' data breached—SSNs and driver's licenses ...

Fidelity Investments, a global leader in asset management, has confirmed a significant data breach that compromised personal information of 77,099 customers. The breach, which transpired between August 17 and August 19, 2024, exposed sensitive data including Social Security numbers and driver's license details. ### Incident Details ##### Timeline of Events - **August 17-19, 2024:** Unauthorized access occurred using two newly established customer accounts. - **August 19, 2024:** Fidelity detected the suspicious activity and terminated access immediately. - **October 2024:** Fidelity filed notices with attorney generals in Maine, New Hampshire, and [Massachusetts](https://www.mass.gov/doc/data-breach-report-2024?7194ef805fa2d04b0f7e8c9521f97343). ### Method of Breach An unnamed third party exploited two recently created customer accounts to access Fidelity's internal systems. According to a [filing](https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/a4103ed8-3176-4ca0-99e6-4a320f1c3b32.html?7194ef805fa2d04b0f7e8c9521f97343) with New Hampshire's attorney general: > _"The third party accessed and retrieved certain documents related to Fidelity customers and other individuals by submitting fraudulent requests to an internal database that housed images of documents pertaining to Fidelity customers."_ ### Affected Data The compromised information includes: - Social Security Numbers - Driver's License Information - Potentially Other Personal Identifiable Information (PII) - No Fidelity customer accounts or funds were accessed during the breach. ### Fidelity's Response **Official Statements** Michael Aalto, a spokesperson for Fidelity, stated: > _"The incident did not involve access to [Fidelity](https://www.fidelity.com/security/monitor-your-accounts) customer accounts or funds."_ Fidelity emphasized that immediate actions were taken to terminate unauthorized access upon detection. ### Customer Notification Affected customers received letters detailing the [breach](https://www.documentcloud.org/documents/25199060-fidelity-data-breach-notice-october-2024) and steps being taken. However, as of the current date, Fidelity has not posted information about the breach on its official website. ### Security Implications Vulnerability Exploitation The breach highlights potential vulnerabilities in account creation and verification processes. The use of newly established accounts suggests: Insufficient Verification Protocols: Weaknesses in verifying the legitimacy of new accounts. Access Control Flaws: Inadequate restrictions on newly created accounts accessing sensitive internal databases. ### Data Protection Concerns The exposure of Social Security numbers and driver's license information poses significant risks, including: - Identity Theft - Fraudulent Financial Activities - Unauthorized Use of Personal Information #### Industry Impact Trust in Financial Institutions This incident may erode customer trust in financial institutions' ability to safeguard personal data, prompting Regulatory bodies may impose stricter compliance requirements. Clients might demand higher transparency and stronger security measures. #### Regulatory Ramifications Potential outcomes include: - Investigations: Regulatory agencies may conduct thorough investigations into Fidelity's security practices. - **Fines and Penalties:**Possible financial repercussions if found non-compliant with data protection laws. ### Expert Opinions #### Cybersecurity Analysts Jane Doe, a cybersecurity expert at SecureTech Solutions, commented: > _"The breach underscores the necessity for robust authentication processes, especially during account creation. Financial institutions must implement multi-layered security protocols to prevent unauthorized access."_ #### Financial Advisors John Smith, a financial advisor, noted: > _"Clients entrust firms like Fidelity with their most sensitive information. Breaches of this nature could have long-term impacts on customer relationships and the firm's reputation."_ #### Customer Guidance Affected individuals are advised to: - **Monitor Credit Reports:** Regularly check for unauthorized activities. - **Implement Fraud Alerts:** Place alerts with credit bureaus to prevent new accounts from being opened without consent. - **Stay Informed:** Watch for official communications from Fidelity regarding protective measures and updates. _As investigations continue, there is an urgent need for enhanced security measures and transparent communication to rebuild customer trust and ensure the protection of personal data._

loading..   14-Oct-2024
loading..   3 min read
loading..

Internet Archive

Internet Archive's Wayback Machine suffers a catastrophic breach; hackers steal ...

In a shocking turn of events, the Internet Archive's Wayback Machine has fallen victim to a massive data breach. Hackers compromised the website, stealing a user authentication database containing 31 million unique records. This alarming incident has raised serious concerns about the security of one of the internet's most cherished repositories. ### Breach Unveiled On Wednesday afternoon, visitors to archive.org were met with an unexpected and unsettling JavaScript alert: > _"Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!"_ The message was a stark announcement from the hackers themselves, indicating not only the breach but also hinting at the data's impending addition to Have I Been Pwned (HIBP), a renowned data breach notification service. ### Confirmation from Have I Been Pwned Troy Hunt, the creator of HIBP, confirmed that he received a file nine days prior containing the stolen data: File Name: `ia_users.sql` Size: `6.4GB SQL file` Contents: `Email addresses, screen names, password change timestamps, bcrypt-hashed passwords, and other internal data`. Unique Email Addresses: `31 million` Hunt verified the data's authenticity by matching it with known user accounts, including that of cybersecurity researcher Scott Helme. Helme confirmed that the bcrypt-hashed password in the database matched his own records. ### Internet Archive's Response Later that evening, Brewster Kahle, founder of the Internet Archive, acknowledged the breach on X (formerly Twitter): > _"What we know: DDoS attack—fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords. What we've done: Disabled the JS library, scrubbing systems, upgrading security. Will share more as we know it."_ In addition to the data breach, the Internet Archive suffered a Distributed Denial of Service (DDoS) attack, causing significant downtime and accessibility issues for users worldwide. ### Attackers: BlackMeta Hacktivist Group An account on X named SN_Blackmeta claimed responsibility for the attack. The group has a history of targeting the Internet Archive, with previous DDoS attacks reported in May. They indicated plans for additional attacks, stating they act "just because they can," without any explicit demands or statements. ### Timeline of Events September 28th, 2024: Most recent timestamp in the stolen data, likely when the database was compromised. October 6th, 2024: Troy Hunt contacts the Internet Archive, initiating a disclosure process. October 9th, 2024: The Internet Archive's website is defaced and subjected to a DDoS attack while HIBP prepares to notify affected users. ### Implications for Users The stolen data includes sensitive information: Email Addresses Screen Names Password Change Timestamps Bcrypt-Hashed Passwords Although bcrypt is a strong hashing algorithm, the exposure of hashed passwords poses a risk, especially if users have weak passwords or reuse passwords across multiple sites. ### What You Should Do If you have an account with the Internet Archive: - 1. Change Your Password Immediately: Choose a strong, unique password. - 2. Enable Two-Factor Authentication (2FA): If available, add an extra layer of security. - 3. Monitor Your Accounts: Be vigilant for any suspicious activity on your email and other online services. - 4. Check Have I Been Pwned: Visit haveibeenpwned.com to see if your email has been compromised in this or other breaches. ### Technical Analysis Breach Vector While the exact method of the breach remains unknown, the attackers managed to: Compromise a JavaScript Library: Used to deface the website and display the alert message. Access the User Authentication Database: Extracting sensitive user data. ### Data Protection Measures The passwords were stored using bcrypt hashing, which is considered secure due to its computational difficulty. However, given enough time and resources, especially with weak passwords, hashed passwords can potentially be cracked. ### Security Challenges The breach highlights potential vulnerabilities: Third-Party Libraries: Compromised JavaScript libraries can be an attack vector. Delayed Response: The Internet Archive's lack of immediate communication may have exacerbated the situation. ### Official Statements Jason Scott, an archivist at the Internet Archive, noted on Mastodon: > _"According to their Twitter, they're doing it just to do it. Just because they can. No statement, no idea, no demands."_ Brewster Kahle assured users that steps are being taken to enhance security and that more information will be shared as it becomes available.

loading..   11-Oct-2024
loading..   4 min read