
23.11.2 ‘Saturn’ released

Changes compared to 23.11.1 

Bug Fixes

  • Fixed an issue with remote registration failing to authenticate users when being used by a tenant admin

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Comet
We are a team of dedicated professionals committed to developing reliable and secure backup solutions for MSPs, businesses and IT professionals. With over 10 years of experience in the industry, we understand the importance of having a reliable backup solution in place to protect your valuable data. That’s why we’ve developed a comprehensive suite of backup solutions that are easy to use, scalable and highly secure.

Understanding defense in depth: A comprehensive guide

Navigating digital security threats can sometimes feel like crossing a minefield. With new dangers arising, it’s not enough to rely on a single tool to keep all sensitive data in an organization secure. That’s where defense in depth comes in – an approach that combines physical and digital security measures for an all-encompassing protection strategy.

However, this approach doesn’t mean using random tools – there’s a system to how each defense layer is implemented. Let’s see how setting up a defense in depth strategy benefits organizations.

What is defense in depth?

Defense in depth (DiD) is the strategy of layering different physical and digital resources to reinforce the security measures in an organization. It’s a preventative approach aiming to decrease the odds that sensitive data will be breached or stolen.

Defense in depth shares its name with a Roman military strategy. This tactic saw the Roman military taking a defensive approach rather than going after targets themselves. If the enemies reached the Roman Empire’s borders, the Romans would allow them to cross. Once on their native soil, the Roman military would attack the enemy from within the border provinces. This made it more difficult for enemy forces to reach cities and cause significant damage to land.

Centuries later, this layered strategy has become what we now know as defense in depth cybersecurity. The principle is simple — an organization sets up a range of digital and physical protective barriers that discourage attackers from striking in the first place. Even if a hacker manages to crack one of the layers, they still have to face the rest of the defensive system. With enough varied layers, an organization may establish an impenetrable line of defense.

You might be eager to cut into this defensive cake and see each of its layers. So let’s take a closer look at how this approach works in practice.

Defense in depth architecture

To visualize the concept of defense in depth, you can think of concentric castles – medieval structures that were fortified with multiple inner and outer walls. Each wall added a further obstacle for attacking forces and helped fend off threats longer. At its core, defense in depth works the same way – each layer makes it more difficult to breach the system.

Defense in depth mechanisms are generally grouped into three categories:

  • Administrative controls

  • Physical controls

  • Technical controls

Each of the categories consists of different tools and strategies. The range of tools used in defense in depth varies based on the needs and resources available to an organization. Typically, technical controls make up half the architecture, with physical and administrative controls accounting for the rest.

Administrative controls concern the procedures and policies that your company employs. This encompasses processes in practically all areas of the organizational structure. The processes of hiring and how much information is revealed to a candidate, onboarding and offboarding, and data processing regulations all contribute to administrative controls. You can also think of company-wide initiatives such as safety training or protocols that are set in place in case of a data-related incident.

Physical controls refer to a hands-on approach to security. The security guards patrolling the building, cameras installed on the premises, and the locks protecting the entrances and exits all count as physical security measures in a defense in depth infrastructure. Remember that while many attacks occur exclusively online, it doesn’t mean that someone won’t try to break in or snoop around the headquarters. Protecting your physical data storage is as crucial as the digital side.

Finally, technical controls encompass a broad range of digital tools that help ensure the protection of your sensitive information. When we talk about technical controls, we typically discuss software, although hardware devices can also play a role in storing and protecting data. Antivirus and anti-spyware tools, cloud storage, virtual private networks, password managers – anything that can act as an extra layer of security counts.

Essential principles of the defense in depth security strategy

There’s a philosophy behind every strategy. At their core, the defense in depth principles are simple – layering different security measures to optimize the protection of an organization’s data. The more layers a system encompasses, the more discouraged malicious attackers are from striking it. If they manage to peel away one security layer, they encounter a new one deeper down.

The goal of defense in depth is to account for potential failures in all areas and minimize loss if a successful breach were to occur. While software breaches and corrupt hardware can be the culprits of a vulnerable system, the weakest link is often the employees themselves.

Negligent behavior, such as insecure file sharing, use of weak passwords, and reuse of the same login credentials for different accounts, can lead to easy targeting and subsequent damage. As such, combining the three types of defense in depth controls aims to protect the company from attackers as much as from human error.

The power of layered security in cyber defense

Despite an overlap and the tendency to use both terms interchangeably, defense in depth and layered security aren’t the same. While defense in depth is an all-encompassing structure that aims to protect the security of all crucial data in your organization, layered security is focused on using different measures to withstand a particular threat or protect one area of the organizational structure.

As you can imagine, setting up layered security or defense in depth layers is an intricate process. After all, you’re essentially building defensive walls to protect sensitive data at your company’s core. It’s about finding the right people and tools for your company, dedicating your resources to keeping things running smoothly, and blocking attackers before they even strike.

Defense in depth – in practice

Hypothetically, here’s what defense in depth cybersecurity infrastructure can look like in an organization:

  • The physical headquarters of a company are patrolled by on-site security 24/7.

  • Each employee is issued a unique keycard to access the premises.

  • All employee accounts are protected by login credentials.

  • All passwords are changed at regular intervals according to company policy.

  • All employees must use a password manager and enable two-factor authentication.

  • Remote employees connect to the company’s virtual private network to avoid using insecure public Wi-Fi.

  • All computers are equipped with antivirus software.

  • All operating systems and software must be kept up to date.

  • All employees should complete digital safety training.

  • The company should undergo regular auditing to ensure all security measures are in place.

  • All sensitive company and client data must be stored in secure servers.

  • A dedicated team should have an established action plan in case of a data breach.

  • A support team should be on call in case of an emergency.

Notice which of these measures fall under technical, administrative, and physical controls. As you implement your own strategy, you’ll see that, in some instances, the strategies and tools overlap and support each other, reinforcing the effectiveness of your layered defense mechanism.

Best practices of defense in depth implementation

The key tip for maintaining a successful defense in depth approach is keeping everything up to date. After all, cyber crooks are working on new strategies and tools to get past your defenses, and you want to ensure you stay ahead of the threats.

Ensure that all software you’re using is regularly updated. Outdated software often contains security gaps that hackers can exploit, so make sure the patches are installed. This also goes for online platforms – if services you rely on are breached or become obsolete, you need to relocate your data securely.

Don’t forget hardware – have an action plan if your devices are damaged or stolen. The same goes for in-house security and measures like setting up protocols in case an employee’s or guest’s entrance card is stolen or lost.

Of course, updating your own knowledge is essential. Hold regular training sessions, follow the latest data breach news, keep yourself informed about lurking threats, and learn the strategies that you can implement to fend off the attacks.

How NordPass can help

As we’ve seen, the technical layer holds the most weight in a resilient defense in depth structure. That means strengthening your technical toolkit is priority number one for your organization, and improving the company’s password protection is not something to overlook.

Human error is among the leading causes of data breaches. Whether it’s negligence, bad password management, or malicious intent, humans are usually at fault. As such, organizations need to work on policies and tools to reduce the risk of incidents caused by employees. Despite the growing popularity of passkeys, passwords are still the most common security tool that each member of the organization relies on, making them equally vulnerable and valuable.

Here’s where NordPass comes in. As a business-optimized password manager, it helps you keep all of your organization’s sensitive information secure, whether it’s login credentials, company bank accounts, or client information. With NordPass, you can create, store, and manage strong passwords that are difficult to crack. Two-factor authentication ensures that you’re the only one who can access your password vault.

Secure password sharing can often be a point of contention because people use the easy yet insecure option to pass along login credentials via email, non-encrypted messages, or Post-It notes. NordPass eliminates this risk, allowing you to share your saved items with your colleagues in-app securely. Additionally, administrators can set up company-wide password policies that require all employees to update their passwords at regular intervals, bringing the best practices of technical and administrative controls into one.

Bottom line

Setting up defense in depth for your organization might take some time, but the rewards are long term – you can rest assured that your sensitive data is under lock and key and incredibly difficult for unwanted actors to access.

If you’re unsure where to start, setting up NordPass for your organization is the perfect first step. Have your team follow secure password practices and keep their credentials updated. You won’t have to worry about coming up with new, unique ideas for each reset – simply use our Password Generator and autofill the details whenever you log in to an account. There’s no easier way to start building the defense walls around your data.

New to NordPass?

You don’t need to be a rocket scientist to start using NordPass on a desktop device. Just add the standalone extension and you’re all set — no need to download or install the app!

Check out our detailed support guide for getting started with NordPass quickly and easily.

Once you have the new extension running on your browser, you can start using NordPass to its fullest extent.

If you have any further questions regarding the changes or NordPass in general, do not hesitate to contact our tech-minded support team at support@nordpass.com — they’re ready to take care of any issues you might have. Also, if you have any suggestions or feedback, simply submit a request for our team — we’re all ears, all the time.


About NordPass
NordPass is developed by Nord Security, a company leading the global market of cybersecurity products.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

Predatory SpyLoan apps — loan sharks expand their range to Android, ESET Research finds

  • Deceptive SpyLoan apps analyzed by ESET researchers request various kinds of sensitive information from their users and exfiltrate it to the attackers’ servers. 
  • This data is then used to harass and blackmail users of these apps and, according to user reviews, was used even where a loan was not provided.
  • ESET telemetry shows a discernible growth in these apps across unofficial third-party app stores, Google Play, and websites since the beginning of 2023.
  • Malicious loan apps focus on potential borrowers based in Southeast Asia, Africa, and Latin America.

BRATISLAVA, KOŠICE — December 5, 2023 — This year, ESET researchers have observed alarming growth in deceptive Android loan apps, which present themselves as legitimate personal loan services, promising quick and easy access to funds. Despite their attractive appearance, these services are in fact designed to defraud users by offering them high-interest-rate loans endorsed with deceitful descriptions, all while collecting their victims’ personal and financial information in order to blackmail them. ESET products therefore recognize these apps using the detection name SpyLoan, which directly refers to their spyware functionality combined with loan claims. SpyLoan apps are marketed through social media and SMS messages, and are available for download from dedicated scam websites, third-party app stores, and also Google Play.

ESET is a member of the App Defense Alliance (ADA) and an active partner in the malware mitigation program, which aims to quickly find Potentially Harmful Applications and stop them before they ever make it onto Google Play. As an ADA member, ESET identified 18 SpyLoan apps and reported them to Google, who subsequently removed 17 of these apps from their platform. These apps had a total of more than 12 million downloads from Google Play before their removal. The final app listed changed its behavior; ESET therefore no longer detects it as a SpyLoan app.

Every instance of a particular SpyLoan app, regardless of its source, behaves identically due to its identical underlying code. It doesn’t matter whether the download came from a suspicious website, a third-party app store, or even Google Play — the users will experience the same functions and face the same risks, regardless of where they got the app.

According to ESET telemetry, the enforcers of these apps, who blackmail and harass their victims, even with death threats, operate mainly in Mexico, Indonesia, Thailand, Vietnam, India, Pakistan, Colombia, Peru, the Philippines, Egypt, Kenya, Nigeria, and Singapore. ESET researchers believe that any detections outside of these countries are related to smartphones that have, for various reasons, access to a phone number registered in one of these countries. There are currently no active campaigns targeting European countries, the USA, or Canada.

Apart from data harvesting and blackmail, these services present a form of modern-day digital usury, which refers to the charging of excessive interest rates on loans, taking advantage of vulnerable individuals. Victims of these apps claim the total annual cost (TAC) of such loans is much higher than stated, and the loan tenure is much shorter than stated. In some cases, borrowers were pressured to pay off their loans in five days, instead of the stated 91 days, and the TAC of a loan was anywhere between 160% and 340%.

“These malicious applications exploit the trust that users place in legitimate loan providers, using sophisticated techniques to deceive people and steal a very wide range of personal information,” says ESET researcher Lukáš Štefanko, who uncovered many of the SpyLoan apps. “It is crucial for individuals to exercise caution, validate the authenticity of any financial app or service, and rely on trusted sources. By staying informed and vigilant, users can better protect themselves from falling victim to such deceptive schemes,” he adds.

ESET Research has traced the origins of the SpyLoan scheme back to 2020. Once a user installs a SpyLoan app, they are prompted to accept the terms of service and grant extensive permissions to access sensitive data stored on the device. According to the privacy policies of these apps, if those permissions are not granted, the loan will not be provided. To complete the loan application process, users are also compelled to provide extensive personal information.

The data that is usually exfiltrated to the Command and Control (C&C) server includes the user’s list of accounts, call logs, calendar events, device information, lists of installed apps, local Wi-Fi network information, and even information about files on the device. Additionally, contact lists, location data, and SMS messages are vulnerable. To protect their activities, the perpetrators encrypt all the stolen data before transmitting it to the C&C server. While legitimate financial institutions are required to collect personal information about their customers, identity verification and risk assessment can be done using much less intrusive data collection methods. ESET Research believes the real purpose of the permissions requested by SpyLoan apps is to spy on their users and harass and blackmail them and their contacts.

After such an app is installed and personal data is collected, the app’s enforcers start to pressure their victims into making payments, even if — according to the reviews — the user didn’t apply for a loan or applied but the loan wasn’t approved. Such practices have been described in the reviews of these apps on Facebook and on Google Play.

“There are several reasons behind the rapid growth of SpyLoan apps. One is that the developers of these apps take inspiration from successful FinTech — financial technology — services, which leverage technology to provide streamlined and user-friendly financial services,” explains Štefanko.

For more technical information about deceptive SpyLoan apps, check out the blog post “Beware of predatory fin(tech): Loan sharks use Android apps to reach new depths.” Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

Heatmap of SpyLoan detections seen in ESET telemetry between January 1 and November 30, 2023


About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

Breakdown of the 11 most significant 2023 data breaches

2023 witnessed a series of impactful data breaches, each leaving a unique mark on cybersecurity. This retrospective dives into these incidents, offering insights and underscoring the evolving challenges in data security.

This article will overview the most intriguing and most widely reported data breaches of every month of 2023. We will also look at the trends in cyber-attacks and the forecast for the next year (spoiler alert: it’s going to be hot!).

Key facts of 2023’s data breaches we know so far

The year still has a few weeks to go, but everyone is already busy thinking about the holiday season and next year’s plans. Hopefully, malicious actors are also humans and as busy with end-of-the-year errands as possible, leaving businesses some space to breathe and relax, not thinking about cyber-attacks (unlikely, but we all can dream).

KonBriefing Research does a colossal job of collecting information about ransomware and cyber-attacks on businesses worldwide. The data they have so far reveal the scope and impact that follows every month.

Looking into data breach statistics specifically, the total number of breached accounts since 2004 reached a number of over 16.5 billion. According to this Surfshark research, a single email address is breached approximately 3 times.

The average cost of a data breach worldwide continues to rise steadily, reaching 4.45 million U.S. dollars in 2023. According to Statista, the healthcare sector has the highest average cost of a data breach.

IBM’s Cost of a Data Breach research revealed that the healthcare industry had been the leading sector in data breach costs for 12 years in a row. In 2022, the average cost of a data breach in that sector was $10.10 million. Notably, the overall global cost of such breaches has increased by 15% over 3 years.

The United States is at the top of the list of countries most affected by data breach costs, with an average total cost of $9.48 million per breach. The Middle East follows second with $8.07 million per data breach.

The average cost per breached record rose by 1 U.S. dollar in 2023, reaching $165 per record compared to last year’s average.

The same IBM research suggests that, on average, companies with incorporated AI and automation solutions save $1.76 million compared to organizations that don’t apply similar measures to mitigate data breach risks.

Organizations that don’t follow compliance requirements tend to pay a 12.6% higher average cost than companies that have a high level of compliance.

Verizon’s 2023 Data Breach Investigations Report revealed that financially motivated external actors induced 83% of breaches. Human error, the most common reason behind successful cyber-attacks, remains a consistent factor in 2023, with a human element present in 74% of breaches.

Verizon research also listed system intrusion as the most popular pattern of breaches. Basic web application attacks, social engineering, miscellaneous errors, privilege misuse, and lost and stolen assets follow it.

Let’s dive into the latest data breach news that happened in 2023. This overview is based on publicly available information about data breaches and is subject to change as more new findings are discovered and revealed over time.

January 2023

MailChimp data breach


MailChimp, an Intuit-owned email marketing platform, suffered a data breach. The breach occurred on January 11, 2023, when an unauthorized actor accessed Mailchimp’s tools used by teams interacting with customers.

  • The actor gained access to a tool used for internal customer service and account management, compromising the data of 133 customers.

  • The breach was executed through a social engineering attack on MailChimp employees and contractors, enabling attackers to obtain employee credentials.

  • This incident was first detected when MailChimp noticed an unauthorized person accessing their support tools on January 11. MailChimp temporarily suspended access for accounts exhibiting detected suspicious activity to protect users’ data.

  • MailChimp notified the primary contacts for all affected accounts on January 12, less than 24 hours after the initial discovery.

  • MailChimp assured that no credit card or password information was compromised in this incident.

One of the notable customers affected by this breach was WooCommerce, a popular eCommerce plugin for WordPress. WooCommerce informed its customers that the breach exposed their names, store URLs, and email addresses.

Although there was no indication that the stolen data had been misused, there was a concern. Such data could be used for targeted phishing attacks to steal credentials or install malware.

February 2023

Activision data breach

Activision, a video game publisher known for games like Call of Duty and World of Warcraft, experienced a data breach in early December 2022, which surfaced only in February 2023.

  • Attackers gained access to the company’s internal systems through an SMS phishing attack on an employee. Reportedly, the targeted employee belonged to the Human Resources department and had access to a significant amount of sensitive employee information.

  • Bad actors were able to obtain sensitive employee information, such as full names, email addresses, phone numbers, and financial data like salaries, work locations, and more. The compromised data also included details about upcoming content for the Call of Duty Modern Warfare II franchise.

  • This breach was not publicly or internally disclosed until screenshots of the stolen data, including the schedule of planned content for Call of Duty, were shared by the cybersecurity and malware research group vx-underground several months after the incident.

  • Activision’s response to the breach involved swiftly addressing the SMS phishing attempt and conducting a thorough investigation.

The company initially asserted that no sensitive employee data, game code, or player data was accessed. However, the evidence provided by vx-underground and ‘Insider Gaming’ contradicted this claim, showing that sensitive workplace documents and employee information had indeed been exfiltrated.

This delay in notification raised questions about whether Activision complied with data breach notification laws. This is particularly relevant as California, where Activision is headquartered, has specific laws requiring companies to notify victims of data breaches when a significant number of state residents are affected.

March 2023

ChatGPT data breach

In March 2023, ChatGPT, an AI-driven chatbot developed by OpenAI, experienced a significant data breach.

  • The data breach was caused by a bug in the Redis open-source library, which led to the exposure of other users’ personal information and chat titles. This bug allowed certain users to view brief descriptions of other users’ conversations from the chat history sidebar.

  • The breach wasn’t directly caused by a threat actor but resulted from a bug in the Redis open-source library. The bug was inadvertently triggered by a server-side change introduced by OpenAI, which led to a surge in request cancellations and increased the error rate.

  • The breach potentially revealed information about 1.2% of ChatGPT Plus subscribers. It included the active user’s first and last name, email address, payment address, the last four digits of a credit card number, and the expiration date. However, it’s emphasized that full credit card numbers were not exposed.

  • The first message of a newly-created conversation might have been visible in someone else’s chat history if both users were active around the same time. Additionally, viewing other users’ chat history and conversation titles was possible.

OpenAI promptly addressed the bug soon after its discovery and temporarily shut down the ChatGPT service to manage the issue. The company announced a bug bounty program in April to help detect future issues and prevent similar incidents.

The incident highlighted the potential risks for chatbots and AI technologies and the importance of robust security measures, especially when using open-source libraries.
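As an added illustration of the failure class described above (example code, not OpenAI’s or the Redis client’s code): a request on a pooled connection is cancelled after the command is sent but before the reply is read, and the connection goes back into the pool with that reply still unread, so the next caller receives the previous user’s data. The server, the user records and the pool are all constructed here; the hardened variant simply discards a cancelled connection instead of reusing it.

```python
"""Model of the failure class behind the March 2023 ChatGPT incident:
a request on a pooled connection is cancelled after the command was sent
but before the reply was read. A connection returned to the pool in that
state hands its unread reply to whoever borrows it next, so one user sees
another user's cached data. Everything here (server, records, pool) is
constructed for illustration; it is not the Redis client's or OpenAI's code.
"""
from collections import deque


class RequestCancelled(Exception):
    """Raised when the caller abandons a request mid-flight."""


class FakeServer:
    """Answers 'GET <key>' with a per-user record (constructed sample data)."""

    RECORDS = {
        "user:alice": "Alice Example, card ending 1111",
        "user:bob": "Bob Example, card ending 2222",
    }

    def reply(self, command: str) -> str:
        _, key = command.split(" ", 1)
        return self.RECORDS.get(key, "(nil)")


class Connection:
    """One socket-like channel: replies arrive in the order commands were sent."""

    def __init__(self, server: FakeServer):
        self.server = server
        self.unread_replies = deque()
        self.closed = False

    def send(self, command: str) -> None:
        # The server's reply is now 'on the wire' whether or not we ever read it.
        self.unread_replies.append(self.server.reply(command))

    def read_reply(self) -> str:
        # A client reads the *oldest* reply and trusts that it answers the
        # command it just sent. That trust is exactly what the defect breaks.
        return self.unread_replies.popleft()

    def close(self) -> None:
        self.closed = True
        self.unread_replies.clear()


class Pool:
    def __init__(self, server: FakeServer, discard_on_cancel: bool):
        self.server = server
        self.discard_on_cancel = discard_on_cancel
        self.idle = deque()

    def acquire(self) -> Connection:
        return self.idle.popleft() if self.idle else Connection(self.server)

    def release(self, conn: Connection) -> None:
        self.idle.append(conn)

    def get(self, key: str, cancel_before_read: bool = False) -> str:
        conn = self.acquire()
        conn.send(f"GET {key}")
        if cancel_before_read:
            if self.discard_on_cancel:
                conn.close()        # hardened: a desynchronised connection is never reused
            else:
                self.release(conn)  # defect: unread reply stays queued on a pooled connection
            raise RequestCancelled(key)
        reply = conn.read_reply()
        self.release(conn)
        return reply


def scenario(discard_on_cancel: bool) -> str:
    """Alice's request is cancelled mid-flight; return what Bob then receives."""
    pool = Pool(FakeServer(), discard_on_cancel)
    try:
        pool.get("user:alice", cancel_before_read=True)
    except RequestCancelled:
        pass  # Alice's client gave up, but the server still answered
    return pool.get("user:bob")


if __name__ == "__main__":
    print("without discard:", scenario(discard_on_cancel=False))  # Alice's record leaks to Bob
    print("with discard:   ", scenario(discard_on_cancel=True))   # Bob's own record
```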

April 2023

Shields Healthcare Group data breach

Shields Healthcare Group is a Massachusetts-based medical services provider. It specializes in MRI and PET/CT diagnostic imaging, radiation oncology, and ambulatory surgical services. In 2023, the company experienced a significant data breach.

  • The data breach involved unauthorized access to Shields’ systems. The breach was detected when suspicious activity suggesting a data compromise was observed.

  • The exact method used by the attackers to gain access is unclear, but possibilities include exploiting a network software weakness or using a phishing attack to compromise an employee account.

  • The attackers accessed a wide range of sensitive patient information and confidential data. This included full names, Social Security numbers, dates of birth, home addresses, provider information, diagnoses, billing information, health insurance information, medical record numbers, patient IDs, and other medical or treatment information.

  • Approximately 2.3 million people were affected by this breach. Shields’ business model, which involves partnerships with hospitals and medical centers, meant the breach had far-reaching consequences, impacting 56 facilities and their patients.

Upon discovering the breach, the healthcare provider took immediate steps to contain the incident. They initiated a thorough investigation with the help of third-party forensic specialists. They secured their systems, including rebuilding certain systems, to prevent further unauthorized access.

Shields has continued reviewing the potentially impacted information and notifying individuals and regulators. Additionally, they have committed to enhancing their data security measures and protections.

May 2023

MOVEit data breach


MOVEit Transfer software, a file transfer tool developed by Progress Software, transfers large amounts of often-sensitive data over the internet. It’s employed by organizations worldwide to manage file transfers, including pension information, social security numbers, medical records, and billing data. The MOVEit data breach of May 2023 was a significant cybersecurity incident.

  • The breach involved a zero-day vulnerability in MOVEit Transfer. This critical-rated vulnerability allowed attackers, notably the ransomware and extortion gang “cl0p”, to raid MOVEit Transfer servers and steal the sensitive customer data stored on them.

  • The attackers, identified as the group “cl0p”, began exploiting the MOVEit software vulnerability around May 27, 2023. Progress Software became aware of the compromise the next day, after a customer noticed strange activity.

  • As of August 2023, over 1,000 victim organizations and more than 60 million individuals were impacted by this high-profile data breach.

  • Victims ranged from New York public school students to Louisiana drivers to California retirees, indicating the vast variety of data compromised. Other significant victims included the French government’s unemployment agency, Pôle emploi, multiple federal agencies, and U.S. state departments.

  • Approximately one-third of hosts running vulnerable MOVEit servers belonged to financial service-related organizations, with significant percentages in the healthcare, IT, government, and military sectors.

  • The estimated total cost of the MOVEit mass-attacks so far is about $9.9 billion, based on the average cost of data breaches and the number of individuals affected. This figure could potentially scale to at least $65 billion.

Progress Software acknowledged the cyber-attack and focused on supporting its customers. They issued a patch to fix the vulnerability and alerted users to the issue.

Not all organizations could deploy the patch in time, resulting in varying levels of data compromise. The breach is notable for its scale and the variety of victims affected, demonstrating how a flaw in a single piece of software can trigger a global privacy disaster.

June 2023

JumpCloud data breach

JumpCloud, an identity and access management firm, experienced a data breach incident in June 2023. The company offers a directory platform that enables enterprises to authenticate, authorize, and manage users and devices.

  • The breach was the result of a sophisticated nation-state actor’s intrusion. The attackers gained access to JumpCloud’s systems to target a small and specific set of customer accounts. The attack vector was a data injection into the commands framework, and it was highly targeted.

  • The exact number of affected customers and the types of organizations targeted have not been disclosed. However, JumpCloud provides its software to more than 180,000 organizations and counts over 5,000 paying customers, indicating a potentially large impact.

  • The initial attack was traced back to a spear-phishing campaign initiated on June 22, 2023. The adversaries leveraged domains such as nomadpkg[.]com and nomadpkgs[.]com, likely related to a Go-based workload orchestrator used to deploy and manage containers.

  • The extent of the damage and the specific details about the customers impacted have not been fully disclosed, but the breach highlights the importance of robust cybersecurity measures against sophisticated and persistent nation-state actors.

JumpCloud reset customers’ API keys as a precaution. The company took security steps to shield its network, rotating credentials and rebuilding systems. After detecting unusual activity, JumpCloud forced the rotation of all admin API keys and started notifying affected customers.

The company has published a list of indicators of compromise (IoCs) to help other organizations identify similar attacks and is enhancing its own security measures.

July 2023

Indonesian Immigration Directorate General data breach

The Indonesian Immigration Directorate General is responsible for managing immigration-related matters in Indonesia, including issuing and managing passports. In July of 2023, the institution fell victim to a major data breach.

  • The data breach involved the unauthorized access and leakage of passport data of more than 34 million Indonesian citizens. The leaked data included the full names, passport numbers, expiry dates, dates of birth, and genders of the passport holders.

  • The breached data of 34.9 million Indonesian passport holders was offered for sale for $10,000. A sample of the stolen data was also made available on a hacker platform, showcasing passport data from 2009 to 2020. The data is considered valid based on the given sample.

  • The leaked data potentially included National Identity Community Identity Card (NIKIM) information, a digital identity used to secure electronic passports containing personal data such as names, addresses, and identity numbers.

  • The specifics of how the breach was achieved were not detailed in the available sources. However, the data was reportedly leaked and sold on the bjork.ai website, indicating that it may have been a sophisticated cyber attack or hacking incident.

  • The ministry noted differences in the data structure between the breached data and the data in the national data center, indicating ongoing investigations to understand the extent and nature of the breach.

The available sources did not fully detail the outcome of the investigation and the broader impact of the breach. However, the breach underscores the importance of robust cybersecurity measures for government databases, particularly those containing sensitive personal information like passport details.

August 2023

UK Electoral Commission data breach

The Electoral Commission, an independent body overseeing elections and regulating political finance in the UK, fell victim to hostile actors in August 2023. This complex cyber-attack involved unauthorized access to internal emails, control systems, and copies of electoral registers, which contain voter data.

  • A malicious actor gained access to the Electoral Commission’s systems in August 2021, but the breach was only identified in October 2022 after suspicious activity was detected.

  • The accessed registers held the names and addresses of UK voters registered between 2014 and 2022, including those registered as overseas voters. Notably, the details of anonymous voters were not included in these registers.

  • Predicting the exact number of people impacted is challenging, but it’s estimated that the register for each year includes details of about 40 million individuals.

  • While the full extent of the damage is not conclusively known, the Electoral Commission acknowledged that they could not determine exactly what files may have been accessed.

  • The attack is considered to be sophisticated, with hostile actors attempting to use software to evade the systems.

  • In response to the breach, the Electoral Commission collaborated with the National Cyber Security Centre (NCSC), law enforcement officials, and external experts to investigate and secure its systems. Subsequently, they have made improvements to the security of their IT systems.

The outcome of this breach reiterates the vulnerability of democratic institutions to cyber threats. It emphasizes the importance of robust cybersecurity measures, especially for bodies involved in the electoral process.

September 2023

T-Mobile data breach

In September 2023, T-Mobile, one of the largest mobile carriers in the United States, experienced a significant data breach. This incident is part of a series of security lapses that have affected the company in recent years.

The breach in September 2023 involved two separate security incidents:

  • Employee data exposure: on September 21, 2023, 89 gigabytes of data primarily related to T-Mobile employees, including email addresses and partial Social Security Numbers, were posted on a hacker forum.

  • This data was tied to an earlier breach in April of Connectivity Source, a T-Mobile retailer. T-Mobile itself denied being directly hacked as part of this incident, indicating the breach occurred at a third-party service provider. The exposed employee confidential data could pose risks of identity theft or fraud.

  • Customer data exposure: the second data breach occurred later in September when a system error in the T-Mobile app exposed customer payment data of fewer than 100 customers. Users of the app inadvertently accessed other customers’ personal information, including phone numbers and billing addresses. T-Mobile attributed this to a glitch related to a technology update.

  • The glitch in the T-Mobile app exposed the personal information of several customers, including names, phone numbers, physical addresses, account balances, and partial credit card details.

  • Though the company initially claimed the breach affected fewer than 100 individuals, later reports suggested the personal information of millions could have been exposed. However, the company has not released the exact number of T-Mobile customers affected.

The September 2023 T-Mobile data breach underscores the ongoing cybersecurity challenges faced by large corporations, especially in sectors handling vast amounts of personal data. This incident, stemming from a system glitch rather than a direct hack, reveals the multifaceted nature of data security threats. It also emphasizes the importance of robust and continuously updated security measures to protect against both external attacks and internal vulnerabilities.

October 2023

23andMe data breach

23andMe is a genetics testing company that offers DNA testing services to help users learn more about their ancestry. Users can discover their ethnic backgrounds and connect with relatives through shared DNA. The data breach in October 2023 was a significant event, revealing vulnerabilities in the protection of sensitive genetic and personal information.

  • The breach involved unauthorized access to the “DNA Relatives” feature of 23andMe, where users can share personal data, including ancestry reports and matching DNA segments, with other users globally.

  • The breach exposed personal information, including display names, birth years, sex, and details about genetic ancestry results. Initially, data of one million users of Ashkenazi Jewish descent and another 100,000 users of Chinese descent were claimed to be stolen. This later expanded to include records of four million more general accounts. However, genetic data itself was not included in the breach.

  • Bad actors likely used a technique called credential stuffing, in which attackers try username and password combinations leaked in previous breaches of other websites, hoping people had reused their passwords.

  • 23andMe responded by requiring all customers to utilize email two-step verification (2SV), temporarily disabling some features within the DNA Relatives tool for added security, and advising users to change their login information and enable multi-factor authentication.

The company launched an investigation with third-party forensic experts. 23andMe also emphasized its commitment to security, highlighting its ISO certifications and continuous monitoring and auditing of the company’s systems. The company said it would notify customers directly if their data were accessed without authorization.
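The credential stuffing pattern described above has a recognisable shape in authentication logs: one source touches many distinct accounts, most attempts fail, and a few succeed where a password was reused. The following detector is an added example (not 23andMe’s or NordLayer’s code); it assumes a simple constructed log format of `timestamp ip username LOGIN_OK|LOGIN_FAIL` and illustrative thresholds, and it separates a stuffing source from a single user retrying their own password.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not real data from any provider).
# Format per line: <ISO timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice LOGIN_FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob LOGIN_FAIL
2023-10-01T10:00:02Z 203.0.113.7 carol LOGIN_OK
2023-10-01T10:00:03Z 203.0.113.7 dave LOGIN_FAIL
2023-10-01T10:00:03Z 203.0.113.7 erin LOGIN_FAIL
2023-10-01T10:00:04Z 203.0.113.7 frank LOGIN_OK
2023-10-01T10:00:05Z 203.0.113.7 grace LOGIN_FAIL
2023-10-01T10:00:06Z 203.0.113.7 heidi LOGIN_FAIL
2023-10-01T10:01:00Z 198.51.100.9 alice LOGIN_FAIL
2023-10-01T10:01:05Z 198.51.100.9 alice LOGIN_FAIL
2023-10-01T10:01:09Z 198.51.100.9 alice LOGIN_OK
2023-10-01T10:02:00Z 192.0.2.44 ivan LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")


def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4) == "LOGIN_OK"


def detect_credential_stuffing(text, min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that try many distinct accounts with mostly failures.

    A user mistyping their own password hits one account from one IP and never
    reaches min_accounts. Credential stuffing replays a leaked list of
    username/password pairs, so one source touches many accounts and a minority
    succeed wherever the password was reused (thresholds are illustrative).
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "failures": 0,
                                  "successes": [], "first": None, "last": None})
    for ts, ip, user, ok in parse_log(text):
        s = per_ip[ip]
        s["accounts"].add(user)
        if ok:
            s["successes"].append(user)
        else:
            s["failures"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)

    findings = {}
    for ip, s in per_ip.items():
        attempts = s["failures"] + len(s["successes"])
        fail_ratio = s["failures"] / attempts
        if len(s["accounts"]) >= min_accounts and fail_ratio >= min_fail_ratio:
            findings[ip] = {
                "distinct_accounts": len(s["accounts"]),
                "attempts": attempts,
                "failures": s["failures"],
                "fail_ratio": round(fail_ratio, 2),
                "span_seconds": (s["last"] - s["first"]).total_seconds(),
                # Accounts that authenticated from the stuffing source: these are
                # the ones to force a password reset and step-up (2SV) on.
                "compromised_candidates": sorted(set(s["successes"])),
            }
    return findings
```

The `compromised_candidates` list is the actionable output: it names the accounts a stuffing source actually got into, which is exactly where a forced reset and second factor (as 23andMe required) matter.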

November 2023

Idaho National Laboratory (INL) data breach

The Idaho National Laboratory (INL), a key component of the U.S. Department of Energy, suffered one of the most recent data breaches in November 2023. As part of the U.S. Department of Energy, INL is one of the country’s premier advanced nuclear energy testing labs. Its work includes research and development in nuclear and non-nuclear energy sources, national security, and related fields.

  • The breach involved the compromise of INL’s Oracle Human Capital Management servers, which are used for human resources applications. It was executed by the SiegedSec hacking group. The attackers managed to access “hundreds of thousands of user, employee, and citizen data.”

  • The leaked data included sensitive personal information like Social Security numbers, bank account and routing numbers, health care details, marital status, and account types. This data related to current, former, and retired employees of the laboratory.

  • The attackers targeted a federally approved third-party vendor system outside INL that supports the lab’s cloud-based human resources services.

  • INL took swift action to bolster employee data protection following the breach. They also communicated with federal law enforcement agencies, including the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, to investigate the breach’s impact.

The investigation into the breach is ongoing. INL is working with federal law enforcement to fully grasp the extent of the impacted data and implement measures to prevent similar security incidents.

December 2023

Soon to be updated.

What to expect in 2024?

The latest data breaches are stark reminders of how dynamic and relentless cyber threats against sensitive data have become. They reinforce the necessity for businesses and organizations across all sectors to prioritize and continuously update their cybersecurity measures, protecting their data and preserving their stakeholders’ trust.

To prevent a potential data leak or breach, think two steps ahead and implement a robust cybersecurity strategy to protect sensitive data and avoid reputational and financial consequences that follow the breach.

Comprehensive network access security solutions like NordLayer provide organizations with the best in the industry-based security frameworks and models known as Security Service Edge (SSE) and Zero Trust Network Access (ZTNA). Choose simple and effective security by design and protect your network and teams in all ways of working.


About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

Iran-linked OilRig attacks Israeli organizations with cloud service-powered downloaders, ESET Research discovers

  • Iran-linked advanced persistent threat (APT) group OilRig actively developed and used a series of downloaders with a similar logic throughout 2022. There are three new downloaders – ODAgent, OilCheck, and OilBooster – and newer versions of the SC5k downloader.
  • The targets, all in Israel, included an organization in the healthcare sector, a manufacturing company, and a local governmental organization. All targets were previously affected by multiple OilRig campaigns. 
  • The downloaders use various legitimate cloud services for command and control communications and data exfiltration; namely, Microsoft Graph OneDrive API, Microsoft Graph Outlook API, and Microsoft Office EWS API.

BRATISLAVA, MONTREAL — December 14, 2023 — ESET researchers analyzed a growing series of new OilRig downloaders that the group used in several campaigns throughout 2022 to maintain access to target organizations of special interest, all located in Israel. They include an organization in the healthcare sector, a manufacturing company, and a local governmental organization. OilRig is an APT group believed to be based in Iran, and its operations, as are these latest downloaders, are aimed at cyberespionage. The new lightweight downloaders – SampleCheck5000 (SC5k v1-v3), OilCheck, ODAgent, and OilBooster – are notable for using legitimate cloud storage and cloud-based email services for command and control (C&C) communications and data exfiltration, namely, the Microsoft Graph OneDrive or Outlook Application Programming Interfaces (API), and the Microsoft Office Exchange Web Services API.

“On par with the rest of OilRig’s toolset, these downloaders are not particularly sophisticated. However, the continuous development and testing of new variants, experimentation with various cloud services and different programming languages, and the dedication to re-compromise the same targets over and over again, make OilRig a group to watch out for,” says ESET researcher Zuzana Hromcová, who analyzed the malware along with ESET researcher Adam Burgher.

ESET attributes SC5k (v1-v3), OilCheck, ODAgent, and OilBooster to OilRig with a high level of confidence. These downloaders share similarities with the MrPerfectionManager and PowerExchange backdoors – other recent additions to OilRig’s toolset that use email-based C&C protocols – with the difference that SC5k, OilBooster, ODAgent, and OilCheck use attacker-controlled cloud service accounts rather than the victim’s internal infrastructure.

The downloader ODAgent was detected in the network of a manufacturing company in Israel – interestingly, the same organization was previously affected by OilRig’s SC5k downloader, and later by another new downloader, OilCheck, between April and June 2022. SC5k and OilCheck have similar capabilities to ODAgent but use cloud-based email services for their C&C communications. Throughout 2022, ESET observed the same pattern being repeated on multiple occasions, with new downloaders being deployed in the networks of previous OilRig targets: For example, between June and August 2022, ESET detected the OilBooster, SC5k v1, and SC5k v2 downloaders and the Shark backdoor, all in the network of a local governmental organization in Israel. Later, ESET detected yet another SC5k version (v3) in the network of an Israeli healthcare organization, also a previous OilRig victim.

OilRig has used these downloaders only against a limited number of targets, according to ESET telemetry, and all of them were persistently targeted months earlier by other OilRig tools. As it is common for organizations to access Office 365 resources, OilRig’s cloud service-powered downloaders can thus blend more easily into the regular stream of network traffic – apparently also the reason why the attackers chose to deploy these downloaders to a small group of especially interesting, repeatedly victimized targets.
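Because the destinations in this case are legitimate Microsoft endpoints, the process making the request is what is left to judge. The following baselining check is an added example (not ESET’s tooling or code): it runs over constructed endpoint network events, assumes a per-estate allowlist of process images expected to use the Graph and EWS APIs, and reports any other process contacting them together with its upload volume.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Microsoft cloud endpoints behind the APIs named in the report: Microsoft Graph
# (OneDrive and Outlook resources) and Exchange Web Services (EWS).
CLOUD_API_HOSTS = {"graph.microsoft.com", "outlook.office365.com"}

# Assumed baseline of process images expected to use those APIs in this estate.
# In practice derive it from your own telemetry over a quiet period.
EXPECTED_PROCESSES = {"outlook.exe", "onedrive.exe", "teams.exe", "msedge.exe"}

# Constructed endpoint network events: (host, process image, method, url, bytes sent).
# "updchk.exe" is a made-up stand-in for an unknown binary, not a real indicator.
SAMPLE_EVENTS = [
    ("WS01", "outlook.exe", "POST", "https://outlook.office365.com/EWS/Exchange.asmx", 1200),
    ("WS01", "onedrive.exe", "PUT", "https://graph.microsoft.com/v1.0/me/drive/root:/q3.docx:/content", 50000),
    ("WS01", "outlook.exe", "GET", "https://www.example.com/", 100),
    ("WS02", "updchk.exe", "GET", "https://graph.microsoft.com/v1.0/me/drive/root/children", 300),
    ("WS02", "updchk.exe", "PUT", "https://graph.microsoft.com/v1.0/me/drive/root:/out.bin:/content", 240000),
    ("WS03", "powershell.exe", "POST", "https://outlook.office365.com/EWS/Exchange.asmx", 5000),
    ("WS03", "msedge.exe", "GET", "https://graph.microsoft.com/v1.0/me/messages", 200),
]

# Illustrative threshold above which an unexpected client's uploads are marked.
EXFIL_BYTES = 100_000


def find_unexpected_cloud_api_clients(events, expected=EXPECTED_PROCESSES,
                                      api_hosts=CLOUD_API_HOSTS):
    """Return {(host, process): summary} for processes outside the baseline
    that talk to the cloud API hosts. Traffic to other destinations is ignored:
    the destination itself looks legitimate, so only the client is judged."""
    seen = defaultdict(lambda: {"requests": 0, "bytes_sent": 0,
                                "uploads": 0, "paths": set()})
    for host, proc, method, url, nbytes in events:
        u = urlparse(url)
        if u.hostname not in api_hosts or proc.lower() in expected:
            continue
        s = seen[(host, proc.lower())]
        s["requests"] += 1
        s["bytes_sent"] += nbytes
        s["paths"].add(u.path)
        # Write-style methods against Drive/EWS are how data leaves the host.
        if method.upper() in ("PUT", "POST", "PATCH"):
            s["uploads"] += 1
    return {
        key: {**s, "paths": sorted(s["paths"]),
              "possible_exfil": s["bytes_sent"] >= EXFIL_BYTES}
        for key, s in seen.items()
    }
```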

OilRig, also known as APT34, Lyceum, Crambus, or Siamesekitten, is a cyberespionage group that has been active since at least 2014 and is commonly believed to be based in Iran. The group targets Middle Eastern governments and a variety of business verticals, including chemical, energy, financial, and telecommunications.

For more technical information about the latest OilRig downloaders, check out the blogpost “OilRig’s persistent attacks using cloud service-powered downloaders” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

Timeline of OilRig’s downloaders


About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.
