[Security Weekly] Samsung Suffers Second Data Breach of the Year, Customer Data Compromised
September 2022, Issue I
1. Samsung suffers second data breach of the year, customer data compromised
Consumer electronics giant Samsung disclosed a data breach on September 2 in a statement sent out to its customers, revealing that some of its systems in the US were hacked, resulting in the compromise of some customer information.
The attack took place in late July, after which Samsung discovered on August 4 that the personal data of its customers were accessed and stolen. The compromised database contained data used for marketing activities, which included names, birth dates, location, contact information, along with product registration information. Over 190 GB of data were leaked by the attackers. Nevertheless, the company reassured its customers that sensitive data such as Social Security Numbers and payment card information remained safe throughout the attack.
Although the stolen data might not be enough to serve the purpose of identity theft, the company advises customers to stay cautious of follow-up attacks involving phishing emails and text messages.
This marks Samsung’s second data breach of the year. In March, the data extortion group Lapsus$ stole source code for Samsung Galaxy devices.
Sources: Bleeping Computer, TechCrunch
2. Chile and Montenegro government agencies hit by ransomware attacks
Within a week, government agencies and critical infrastructure in both Chile and Montenegro suffered two distinct ransomware attacks launched by different threat actors.
The attack against the Parliament of Montenegro was first disclosed on August 31, when the country’s Public Administration Minister stated that the impact of the attack had continued for nearly two weeks, affecting critical state functions. A ransom of $10 million was demanded.
Although the attack was initially falsely attributed to Russia, the Cuba ransomware gang eventually claimed responsibility and published stolen documents on its leak site for free access. These included financial statements, tax documents, compensation information, and even source code.
A day later, the Chilean government also disclosed a ransomware attack that impacted a government agency. Both Windows and Linux VMware ESXi machines were targeted, and the attackers were able to force all running virtual machines to shut down before encrypting files. The specific strain of ransomware has not been identified, and some suspect it is a new one.
Sources: Infosecurity, Bleeping Computer, The Hill
3. 0ktapus threat group behind Twilio breach, over 130 organizations compromised
Security researchers from Group-IB discovered that the threat actors behind the phishing campaign against Twilio and Cloudflare were in fact responsible for a massive range of attacks that victimized over 130 organizations and compromised 9,931 corporate accounts.
The threat group got its name “0ktapus” because it mainly targeted the identity and access management (IAM) firm Okta. According to a report published by Group-IB on August 25, the attackers began by targeting telecom companies to collect customer information and phone numbers, then sent phishing links with the owners’ names via text messages. The links led to a fake Okta authentication page controlled by the attackers, where victims were asked to enter their Okta credentials and OTP code. The attackers were able to successfully collect 5,441 OTP codes throughout the campaign.
Although OTP codes are meant to serve as a second layer of authentication, they do not stop users from handing their credentials and codes to an attacker-controlled page. To improve MFA security, shortening the OTP validity period helps by narrowing the window in which a phished code can be used, while combining knowledge-based and possession-based authentication methods is always recommended.
Sources: Group-IB
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: iSIGN+
Car, Energy, Factory, City Solutions: Penta IoT Security