Major Cyberattacks in Review: August 2023

August 2023 has not passed without its share of significant cyberattacks. Among the incidents of last month, we have observed multiple data breaches involving well-known threat actors.

Specifically, the MOVEit Transfer attacks carried out by Clop ransomware persist, now reaching approximately a thousand victim organizations and affecting over 60 million individuals.

Without delay, let’s dive into the notable cyberattacks of August 2023 and examine their implications.

Operational Disruptions Follow Cryptocurrency Thefts at Exactly Protocol and Harbor Protocol 

Two cryptocurrency platforms, namely Exactly Protocol and Harbor Protocol, suffered cryptocurrency thefts, prompting them to halt operations and caution their customers.

The decentralized finance platform, Exactly Protocol, limited user activities solely to asset withdrawals during the investigation. The company also acknowledged the theft of $7.3 million worth of ETH in the attack. Additionally, a $700,000 reward is being offered for information that aids in identifying the culprits.

Concurrently, the Harbor Protocol, developed by crypto enterprise ComDex, reported fund drainage but is uncertain about the extent of their loss. They have reached out to customers for assistance in tracking the compromised funds. In an outreach to the responsible party or parties, they expressed their willingness to engage in dialogue for a resolution that safeguards users and the community without disruption. 

Data of 2.6 Million Duolingo Users Exposed on a Hacking Forum, Again

A data breach has exposed the private details of 2.6 million Duolingo users, making them vulnerable to targeted phishing attacks. Duolingo is a prominent language-learning platform boasting 74 million users per month globally. 

The scraped data, including public login names, real names, and email addresses, initially emerged on the now-defunct Breached hacking forum in January 2023 for $1,500. Although Duolingo initially confirmed the data was from public profiles, they didn’t acknowledge that private email addresses were included.

Recently, the dataset reappeared on a renewed version of the Breached hacking forum for approximately $2.13. The information was obtained through an openly shared application programming interface (API) that allowed scraping and associating email addresses with Duolingo accounts due to a vulnerability.

Discord.io Services Halted After Data Breach Exposing 760K Users 

Discord.io, a third-party service enabling custom invites to Discord channels, temporarily suspended operations due to a data breach affecting 760,000 users.

 ‘Akhirah,’ a threat actor, exposed the breach by offering the Discord.io database on the Breached hacking forum. The leaked data includes usernames, email addresses, billing addresses, salted and hashed passwords, and Discord IDs. Regarding the database sale, Akhirah emphasized a motive beyond money, citing concerns about Discord.io’s alleged connection to illegal content. They advocated for blacklisting such servers.

Discord.io confirmed the breach’s authenticity, shut down its services, and canceled paid memberships. The breach’s impact includes potential phishing attacks using exposed email addresses. 

14M Individuals’ Data Compromised Following Clop’s MOVEit Attacks on IBM and French Employment Agency

The Clop ransomware group’s MOVEit campaign has so far affected almost a thousand organizations and nearly 60 million individuals, solidifying its status as the second-largest supply chain attack according to Emsisoft. 

The Colorado Department of Health Care Policy and Financing (HCPF), entrusted with the administration of the state’s Medicaid program, officially notified on August 11 about the occurrence of a security breach stemming from the MOVEit mass hacking incident. This breach has led to the exposure of sensitive data pertaining to more than 4 million patients.

Remarkably, this breach carries wider implications. Missouri’s Department of Social Services (DSS) was also impacted, underlining the substantial reach of the breach. The unsettling incident transpired a mere week after the Department of Higher Education in Colorado experienced a similar security lapse through the MOVEit exploit, resulting in the loss of 16 years’ worth of data.

The French employment agency, Pôle emploi, has also been hit in the MOVEit campaign, potentially affecting 10 million people. The breach exposed personal data including names and social security numbers of six million recent registrants and four million former registrants. The agency’s service provider, Majorel, suffered the breach, compromising their IT systems.

Operation Tango Down: Fukushima Power Plant-Related Websites Under Siege

Claiming to be operating under Anonymous, an entity referred to as EUTNAIOA has asserted its involvement in cyber protests aimed at the Japanese government due to concerns about the release of wastewater from the Fukushima Daini Nuclear Power Plant.

The Anonymous Italia Collective has purportedly launched attacks against 21 websites linked to the Fukushima nuclear power plant as part of an operation named Tango Down.

Entities targeted by Anonymous Italia include significant organizations such as Japan’s Ministry of the Environment, Atomic Power Company, Atomic Energy Society, Nuclear Regulation Authority, Atomic Energy Commission (AEC), Science and Technology Agency, former Prime Minister Fumio Kishida, and the Foreign Press Center.

Colorado Department of Higher Education Hit by Ransomware, Exposing 13 Years of Data

The Colorado Department of Higher Education (CDHE) revealed a major data breach following a ransomware attack in June. The attackers used a double-extortion tactic, stealing data spanning 13 years and impacting students, past students, and teachers from 2004 to 2020. 

Compromised data includes full names, dates of birth, social security numbers, addresses, photocopies of government IDs, and police reports. The attack’s scale suggests a significant number of individuals were affected, but the exact count remains undisclosed. Users are urged to remain vigilant against phishing attacks and potential identity theft.

Mom’s Meals Data Breach Alert: Over 1.2M Individuals Affected

Mom’s Meals (by PurFoods), a medical meal delivery service in the US, has issued a data breach warning following a ransomware attack that exposed the personal information of customers and employees.

Suspicious network activity was detected on February 22, 2023, prompting an investigation. The cyberattack took place between January 16 and February 22, 2023, resulting in the encryption of files.

The breach, confirmed in July, affects the company’s current and former employees, as well as contractors, impacting a total of 1,237,681 individuals. Personal, health, and financial data, as well as other sensitive information like Social Security Numbers, were subjected to unauthorized access.

Cybersecurity Breach Exposes Allegheny County Residents’ Personal Data

Allegheny County in Pittsburgh has fallen victim to a global cybersecurity breach that impacted around 22 million people worldwide. The breach targeted the popular file-transfer tool MOVEit, granting cybercriminals access to personal information including driver’s licenses and Social Security numbers. 

The breach occurred on May 28-29, affecting county files. While the hackers claim they were only interested in business data and have deleted other files, the county advises affected individuals to reach out to their dedicated call center for assistance and credit monitoring.

NoName057(16) Targets Italian Institutions 

A pro-Russian hacking group known as NoName057(16) has claimed responsibility for a series of cyberattacks on Italian banks, businesses, and government agencies. The attacks, characterized by distributed denial-of-service (DDoS) techniques, overwhelmed networks, and disrupted services, affecting major banks like Intesa Sanpaolo. 

The group targeted not only banks but also an Italian water supply company, a national business newspaper, and a public transport website. The group primarily operates through Telegram and employs a DDoS attack toolkit called DDoSia. You can read more detailed information about the threat actor here.

Zero-Day Phishing Campaign Exploits Salesforce’s Email Services

A sophisticated email phishing campaign exploiting a zero-day vulnerability within Salesforce’s email services and SMTP servers has been uncovered. This targeted attack circumvents traditional detection methods by utilizing Facebook’s web games platform and Salesforce’s domain reputation. 

The well-crafted phishing emails managed to evade anti-spam measures, posing a significant threat to organizations. The attackers leveraged Salesforce’s “Email-To-Case” feature to gain control of genuine @salesforce[.]com addresses for malicious purposes. 

Upon discovery, cybersecurity experts promptly alerted Salesforce and Meta, leading to swift actions to address the issue. SOCRadar offers global phishing domain detection and real-time alerts, along with a Malware Analysis module to assess malicious content within EML files.

Sign up for SOCRadar Freemium to stay vigilant against the evolving cyber threats and enhance your overall security posture.