Security News > 2023 > July

While consumers are usually the ones worried about their information being exposed in data breaches, it's now the hacker's turn, as the notorious Breached cybercrime forum's database is up for sale and member data shared with Have I Been Pwned. Yesterday, the Have I Been Pwned data breach notification service announced that visitors can check if their information was exposed in a data breach of the Breached cybercrime forum.

Accounting giant Deloitte, pizza and birthday party chain Chuck E. Cheese, government contractor Maximus, and the Hallmark Channel are among the latest victims that the Russian ransomware crew Clop claims to have compromised via the MOVEit vulnerability. The biz now joins PwC and Ernst and Young - all three big accounting firms - among the hundreds of organizations compromised by Clop via a security hole in vulnerable deployments of the file-transfer tool MOVEit.

Accounting giant Deloitte, pizza and birthday party chain Chuck E. Cheese, government contractor Maximus, and the Hallmark Channel are among the latest victims that the Russian ransomware crew Clop claims to have breached using the MOVEit file transfer hack. "Immediately upon becoming aware of this zero-day vulnerability, Deloitte applied the vendor's security updates and performed mitigating actions in accordance with the vendor's guidance," a Deloitte Global spokesperson explained.

Two weeks after the initial disclosure, Zimbra has released security updates that patch a zero-day vulnerability exploited in attacks targeting Zimbra Collaboration Suite (ZCS) email servers. [...]

Chinese made AI-enabled products should spark similar concerns to Middle Kingdom sourced 5G equipment and therefore be regulated, said think tank Australian Strategic Policy Institute on Thursday. In a report, titled "De-risking Authoritarian AI," ASPI's Simeon Gilding argued that AI-enabled products present perhaps an even greater risk than 5G which is also more difficult to mitigate.

The problem is there was no data authentication or verification stage. The moral of the story is: Don't rely on data you can't verify.

A Ukrainian man, Vitalii Chychasov, has pleaded guilty in the United States to conspiracy to commit access device fraud and trafficking in unauthorized access devices through the now-shutdown SSNDOB Marketplace. The SSNDOB platform listed and sold the personal details of 24 million people, generating a sales revenue of over $19,000,000.

Popular WordPress form-building plugin Ninja Forms contains three vulnerabilities that could allow attackers to achieve privilege escalation and steal user data. The second and third problems, tracked as CVE-2023-38393 and CVE-2023-38386, respectively, are broken access control issues on the plugin's form submissions export feature, allowing Subscribers and Contributors to export all of the data that users have submitted on the impacted WordPress site.

U.S. government services contractor Maximus has disclosed a data breach warning that hackers stole the personal data of 8 to 11 million people during the recent MOVEit Transfer data-theft attacks.The Clop ransomware gang added Maximus to its dark web data leak site yesterday as part of a big batch of 70 new victims, all having been breached using the MOVEit zero-day flaw.

As ransomware attacks continue, a few key groups have inflicted some of the greatest damage to their victims. Though a variety of these criminal groups litter the cyberspace landscape, a few were especially dangerous and destructive in their ransomware attacks throughout the year.