Learn more about the Shanghai National Police’s apparent data breach. Supply chain attack against NPM package manager. Marriott confirms hotel guest and employee data breach.

In one look.

  • Learn more about the Shanghai National Police’s apparent data breach.
  • Supply chain attack against NPM package manager.
  • Marriott confirms hotel guest and employee data breach.

Learn more about the Shanghai National Police’s apparent data breach.

As we noted yesterday, in what experts say may be the biggest data breach in China’s history (in fact, the biggest in anyone’s history), an anonymous hacker using the handles “HackerDan” and “ChinaDan” claims to have stolen the data of one billion Chinese residents. As CNN reports, HackerDan claims that a database belonging to the Shanghai National Police was left exposed via an unsecured backdoor link for more than a year; the hacker then posted the data for sale on an underground forum. Binance CEO Changpeng Zhao wrote on Twitter that the exposure was “likely due to a bug in elastic search” [sic] in a deployment by a government agency. The Register reports that Wall Street Journal reporter Karen Hao verified the data in a sample HackerDan provided. Hao tweeted: “I was really stunned when the first person picked up – I really thought it was all wrong. By the third I was shaking – both from nervousness trying to explain why I had their extremely private information and the weight of realizing what this leak could mean to so many people.”

Meanwhile, the Chinese government has been tight-lipped about the incident, having yet to issue any official statement. Gizmodo adds that posts on popular social media platforms Weibo and WeChat discussing the possible breach have been deleted, and authorities have reportedly asked at least one poster to come forward for questioning. The New York Times notes that the alleged leak demonstrates how Beijing’s rampant collection of mass surveillance data leaves the door open for potential exposure. Indeed, as ZDNet warns, if the data is real, Chinese companies should expect an increase in identity theft through smishing attacks, phone swapping and other cybercrimes.

Moshe Zioni, vice president of security research at Apiiro, drew some lessons about supply chains from the incident:

“The recent Shanghai Police database breach is further evidence of the critical implications of inept security in the software supply chain. Secrets in code are one of the most serious threats to organizations today because they are easily extracted from code and used by adversaries without having to break into an old-fashioned organization. Factor in the ease of access to cloud services where secrets are typically stored, and you get a very good return on investment for attackers with minimal effort and low complexity.

“Proper developer training is absolutely essential to mitigate future attacks. From Apiiro’s own research, we know that developers who commit code to internal company repositories are 8 times more likely to include secrets in their code that can be immediately used by malicious actors than when dealing with public repositories. CISOs need to take security training for developers more seriously when dealing with internal repositories.

“Overall, organizations need to adapt and understand this power imbalance. Educating developers about the dangers of using hard-coded secrets in code and the broad implications of such an occurrence is essential, as well as practicing the secure use of secrets in code that employs techniques for using, auditing, and rotating those secrets in real time.

“Secrets should be proactively monitored and analyzed by organizations’ security teams throughout the development lifecycle to detect these errors early on, as well as use tripwires and audit trails in violation of this standard.”
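Zioni’s point that hard-coded secrets are trivially extracted from code is the motivation for running a secret scanner over every commit before it lands. The block below is an added example written for this digest, not Apiiro’s tooling or anything from the Shanghai incident: it combines a few well-known token shapes (the AWS access key ID prefix, PEM private key headers, credential-looking assignments) with a Shannon-entropy check on long quoted literals, which is what catches random tokens that no fixed pattern names. The source lines it scans are constructed for the example.

```javascript
// Added example (not Apiiro's tooling): a small hard-coded-secret scanner of the
// kind a pre-commit hook or CI job runs over changed files. It combines a few
// well-known token shapes with a Shannon-entropy check on long quoted literals.
// The source lines scanned at the bottom are constructed for this example.

const PATTERNS = [
  // AWS access key IDs have a fixed, documented "AKIA" prefix and 20-char length.
  { rule: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  // PEM private key headers.
  { rule: "private-key-block", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  // A credential-looking identifier assigned a quoted literal of 8+ characters.
  { rule: "assignment-of-secret", re: /\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*["'][^"']{8,}["']/i },
];

const ENTROPY_THRESHOLD = 4.0; // bits per character; a random 32-char token sits near 5
const LONG_LITERAL = /["']([A-Za-z0-9+\/=_\-]{20,})["']/;

// Shannon entropy in bits per character of a string.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Apply every fixed pattern, then the entropy heuristic, to one source line.
function scanLine(line, lineNo) {
  const findings = [];
  for (const { rule, re } of PATTERNS) {
    if (re.test(line)) findings.push({ line: lineNo, rule });
  }
  const m = LONG_LITERAL.exec(line);
  if (m && shannonEntropy(m[1]) >= ENTROPY_THRESHOLD) {
    findings.push({ line: lineNo, rule: "high-entropy-literal" });
  }
  return findings;
}

// Scan a whole file's text; returns one finding per (line, rule) hit.
function scanSource(text) {
  return text.split("\n").flatMap((line, i) => scanLine(line, i + 1));
}

// Constructed sample: two secrets that fixed patterns catch, one that only the
// entropy check catches, one PEM header, and two clean lines (the clean way is
// to read the value from the environment or a secrets manager at runtime).
const SAMPLE_SOURCE = [
  'const awsKeyId = "AKIAEXAMPLEKEY000000";',
  '  password: "correct-horse-battery",',
  'const sessionToken = process.env.SESSION_TOKEN;',
  'const bundleUrl = "https://example.com/static/app.bundle.js";',
  'const apiToken = "Zq8vN3xT1mRk7pLw2sYb9cHd4fJg6hKj";',
  '-----BEGIN RSA PRIVATE KEY-----',
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  for (const f of scanSource(SAMPLE_SOURCE)) {
    console.log(`line ${f.line}: ${f.rule}`);
  }
}
```

The entropy threshold is the tuning knob: the phrase-style password on line 2 scores about 3.3 bits per character and is caught only by the assignment pattern, while the 32-character token on line 5 scores 5.0 and is caught only by the entropy check, so the two heuristics cover each other’s blind spots. A finding here should block the commit and trigger rotation of the exposed value, since history rewrites do not un-leak it.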

Gil Dabah, co-founder and CEO of Piiano, commented simply, “It’s only in China that a breach of this magnitude could happen, but the lesson learned for every organization in the world is that vaults - Personal Identifiable Information (PII) data forts - should be prioritized as part of their IT security technology stack.”

Supply chain attack against NPM package manager.

ReversingLabs researchers detail the discovery of a widespread supply chain attack that aims to install malicious JavaScript packages delivered through the NPM package manager. The attack, which has targeted the NPM package manager since at least last December, is designed to harvest sensitive data from forms embedded in mobile apps and websites. Although the exact scope of the attack is not yet certain, researchers say the packages are potentially used by thousands of mobile and desktop apps and websites, and in one case a malicious package was downloaded over 17,000 times. The operation relies on typo-squatting, an approach in which attackers publish packages whose names closely resemble the spellings of legitimate, high-traffic packages so that a mistyped install pulls in the malicious one. The Hacker News notes that the majority of the NPM modules are still available for download from the repository.
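Typo-squatting works because a single mistyped character in an install command or a manifest resolves to a different, attacker-controlled package. One defensive check is to compare every dependency name in a project manifest against a list of packages the organization actually trusts and flag near-misses. The block below is an added example written for this digest, not code from ReversingLabs, NPM or the campaign described: the trusted-name list and the sample package.json are constructed, and the edit-distance thresholds are a starting point to tune, not a published standard.

```javascript
// Added example (not from ReversingLabs or NPM tooling): flag dependency names in
// a package.json that are near-misses of well-known package names, the kind of
// typo-squat a supply chain campaign relies on. The trusted-name list and the
// sample manifest are constructed for this example.

const POPULAR = ["lodash", "express", "react", "axios", "chalk", "moment"];

// Plain Levenshtein edit distance (insert, delete, substitute) with one rolling row.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // d[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // d[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Names that exactly match a trusted package are fine; names within a small edit
// distance of one are suspicious. Short names get a tighter threshold so that
// unrelated five-letter words are not flagged against each other.
function findTyposquats(dependencies, popular = POPULAR) {
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    const lower = name.toLowerCase();
    if (popular.includes(lower)) continue;
    for (const known of popular) {
      const threshold = known.length >= 6 ? 2 : 1;
      const distance = levenshtein(lower, known);
      if (distance <= threshold) {
        findings.push({ name, resembles: known, distance });
        break;
      }
    }
  }
  return findings;
}

// Merge runtime and dev dependencies and scan both.
function scanPackageJson(text) {
  const pkg = JSON.parse(text);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return findTyposquats(deps);
}

// Constructed sample manifest: three misspelled names mixed with legitimate ones.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: {
    lodash: "^4.17.21",
    lodahs: "1.0.0",
    expres: "4.0.0",
    axios: "^1.0.0",
    "my-internal-lib": "2.1.0",
  },
  devDependencies: { reactt: "0.0.1", chalk: "^5.0.0" },
});

if (typeof require !== "undefined" && require.main === module) {
  for (const f of scanPackageJson(SAMPLE_PACKAGE_JSON)) {
    console.log(`suspicious dependency "${f.name}" (edit distance ${f.distance} from "${f.resembles}")`);
  }
}
```

In practice the trusted list would be the organization’s own allowlist or the names already pinned in a lockfile, and the check runs in CI before `npm install` so a near-miss fails the build rather than silently pulling a package that may be harvesting form data. A name that is merely similar is not proof of malice, so findings should go to a human for review rather than being auto-blocked forever.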

Uriel Maimon, VP of Emerging Products at PerimeterX, commented on the discovery and its implications: “This NPM incident is yet another reminder of software supply chain risks. We urge organizations to consider whether they have the tools and capabilities to notice and act on changes, potential risks and anomalies in their supply chain, and analyze user behavior on their website. Using a tiered approach that looks at the entire attack lifecycle, from theft and data collection, to validation and then to account fraud, can provide insight into the account takeover activity and prevent it, regardless of the attacker’s method of entry.

Marriott confirms hotel guest and employee data breach.

DataBreaches.net reported yesterday that it had been contacted by an anonymous international hacking group it calls GNN (Group No Name), claiming it had successfully broken into the networks of hotel giant Marriott International. GNN says it infiltrated Marriott about a month ago, exfiltrating 20 GB of data, including credit card information and other confidential data belonging to hotel guests and employees. CyberScoop reports that the hotel company has confirmed the breach, with a spokesperson saying Marriott “is aware of a threat actor who used social engineering to trick an associate of a single Marriott hotel into giving him access to the ‘partner’s computer’.” The associate in question reportedly works at the BWI Airport Marriott, located in the US state of Maryland, and Marriott claims that the intruder only had access to its systems for a short period over one day. After Marriott began investigating the incident, the attacker contacted the company with a ransom demand, which Marriott did not pay. The hotelier claims the exfiltrated data was ‘non-sensitive internal business files relating to the operation of the property’, while GNN screenshots show the airline’s crew member booking logs from January 2022 and credit card authorization forms. It should be noted that this is at least Marriott’s third recent serious data breach: in November 2018 hackers stole the personal data of around 500 million customers from one of the reservation systems of the company’s subsidiary brand, and a March 2020 breach resulted in the theft of the data of 5.2 million customers.

Roger Grimes, data-driven defense evangelist at KnowBe4, commented on the role social engineering played in this incident, as in others:

“The most common method hackers use to breach data is social engineering, just like what happened in this case. The particular method, where an employee is contacted and tricked into giving a hacker access, who then accesses data files, has happened repeatedly. Organizations should ensure that all employees are made aware of this type of social engineering frequently, by receiving training at least once a month, followed by phishing test simulations, to see how well employees understood and deployed the training. Employees who fall for this particular type of phishing attack should be forced to take longer and longer training until they have developed a natural instinct to launch these types of attacks.”
